Operational Risk Management — Beyond Compliance to Value Creation

Introduction

In the early 1990’s, operational risk management (ORM) initially entered the lexicon of risk professionals when corporate disasters — Barings, Kidder, Daiwa — were caused by factors that fell outside of the purview of traditional risk management functions (credit/market risk management). More recently, the rogue trader has been replaced by the rogue CEO, CFO, and others entrusted with shareholder money. While the titles have changed, the underlying issues — accounting fraud at Enron and WorldCom; market timing and late trading in mutual funds; kickbacks in insurance brokerage; and options back-dating — have continued to highlight the importance of ORM. Moreover, the consequences for the mismanagement of operational risk have become much more severe in terms of CEO/CFO firings, regulatory fines, and criminal investigations and jail sentences.

While companies have always needed to manage operational risks, the practice of ORM as a separate discipline is still evolving. In recent years, most risk professionals have considered ORM the “next frontier” in risk management. Relative to credit risk and market risk, operational risk is more difficult to define, quantify, and manage. Nonetheless, the imperative to improve governance, risk, and compliance processes at banks and other risk-intensive companies has never been greater. More than ever, corporate directors, business executives, and risk professionals realise that operational risk is critical not only for regulatory compliance but also for operational efficiency and effectiveness.

The ORM Maturity Model

The ORM Maturity Model shown below illustrates the four key stages of development. Based on our research and case study interviews, most banks are between Stage II and Stage III.

Roadmap to an Effective ORM Program

The further development of ORM is particularly important since the overwhelming majority of large banks and non-financial corporations have adopted enterprise risk management programs. Operational risk is a critical component of enterprise risk management, and it also has important interdependencies with other forms of risk. E.g. In banking a material portion of loan losses can be attributed to operational risk factors. In the hedge fund industry, the biggest single cause of failure is not market risk, but operational infrastructure and control.

While each company has unique challenges and requirements, ten recommendations based on common implementation challenges and industry best practices are discussed below. These recommendations are organised by the four stages of the ORM Maturity Model.

Stage I: Foundation Setting

Recommendation #1: Develop an overall framework for ORM. Given the complexities of ORM, an integrated ORM framework is critical during the early stages of development. This framework should include a definition for operational risk, governance structure and decision processes, ORM policies and requirements, roles and responsibilities, and risk taxonomy. Business units and operational functions should participate and review the development of the ORM framework.

Recommendation #2: Establish the ORM vision and business case. To establish consensus for the ORM program, a clear vision and compelling business case should be developed. The business case for ORM should include cost/benefit analyses, expected outcomes, and measures of success. A vision should also be developed that articulates the “goal state” for ORM at the company, including how ORM will be integrated into the key business decision processes within the company.

Recommendation #3: Develop an implementation plan. Developing a best-practice ORM program is a multi-year effort. The plan should provide key initiatives, interim milestones, resource requirements, and change management strategies. To support the implementation of ORM, an integrated technology platform is required. The technology platform for ORM should be flexible in order to model the organisation’s current business structure and processes. It should also be configurable in order to incorporate future business requirements on a cost-effective basis.

Stage II: Regulatory and Policy Compliance

Recommendation #4: Implement deep-dive risk mitigation strategies.

Development of corporate-wide processes is important to ensure a consistent approach to ORM, however the value of ORM should be demonstrated through deep dives in terms of specific business applications and/or risk mitigations strategies. E.g. ORM practices can be used to identify and resolve emerging regulatory issues, or an operational risk problem within a business unit. Or used to enhance or reinforce specific initiatives such as business contingency planning, anti-money laundering, and information security.

Recommendation #5: Develop an integrated ORM technology platform.

Many companies have developed various tools for ORM — risk and control assessments, KRIs, loss-event database, and scenario modeling. These tools are often developed independently based on manual processes and disparate systems, yet there are common components to all of these tools, including business entities, control processes, operational risk categories, and internal controls. These tools would be much more effective if they are supported by an integrated platform. The technology platform should support automation of risk and compliance workflows, as well as be accessible and easy to use to encourage business unit adoption and application.

Stage III: Integration and Rationalisation

Recommendation #6: Apply a top-down risk-based approach. In order to rationalise governance, risk, and compliance activities, a top-down risk-based approach must be adopted. Critics have argued that the regulatory requirements (e.g., SOX, Basel II) that companies must comply with are too complex, granular, and prescriptive. Simply stated, the general outcome of a bottom-up approach is too many activities and work products but not enough insights and value-added actions. In contrast, a top-down risk-based approach would focus attention and resources on the most important operational risk issues based on financial materiality, potential impact to business objectives, and management ability to influence.

Recommendation #7: Establish risk tolerance levels for ORM. One of the key tenets of best-practice risk management is the clear definition of risk tolerance levels, and ORM is no exception. In credit risk and market risk management, risk limits are established to ensure that financial exposures are not excessive. In ORM, risk tolerance levels can be established in terms of number/criticality of control weaknesses, timeliness in resolving outstanding ORM issues, risk assessments by internal oversight functions, and performance goals and minimum standards for KRIs.

Recommendation #8: Develop risk dashboard reporting. Given that operational risks are dispersed throughout an organisation, it has been said that ORM is everyone’s job. As such, an ORM program should provide useful role-based risk dashboard information to various levels of the organisation. An integrated technology platform would enhance risk visibility and support business decisions by synthesising and delivering risk information to each group based on their specific needs.

Stage IV: Business Value Creation

Recommendation #9: Develop risk-based pricing for operational risk.

In order to achieve the appropriate return on operational risk, companies must develop and implement risk-based pricing. E.g. The pricing of products and services should fully incorporate expected operational losses, allocated risk and compliance costs, and other administrative and operational expenses. Pricing should also include the cost of economic capital, which is a function of unexpected loss.

Recommendation #10: Apply ORM to support business decision making.

Beyond risk-based pricing at the transactional level, ORM can help support decision making in other critical business areas. To support revenue growth initiatives, ORM can reduce operational risk issues and time-to-market by establishing more efficient due diligence processes for new products and business acquisitions. ORM also supports real-time compliance and process improvements by integrating controls into business operations.

Summary

ORM has advanced significantly since the early 1990’s when large losses caused by rogue traders caught the attention of corporate boards and executives, risk professionals, and regulators. It is now a widely accepted discipline. However, ORM professionals are at an important crossroad. Beyond regulatory compliance, they must demonstrate that they can add tangible value to their companies. Only then can ORM evolve from a compliance cost to a value-added function.