Costs of Operational Risk Mismanagement
Causes of Operational Risk
The Basel Committee on Banking Supervision (BCBS) defines operational risk “as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputation risk.” Operational risk occurs in all day-to-day bank activities and its losses are unpredictable most of the time. Unfortunately, organizations are often affected by substantial losses due to events they fail to foresee or to mitigate. These disastrous financial effects are usually caused by the lack of an effective operational risk management within the company.
There are many causes of operational risks. Broadly, most operational risks arise from one of three sources.
- People: Incompetency of personnel and misuse of powers
- Processes: Possibilities of errors in information processing, data transmission, data retrieval, and inaccuracy of result or output
- Information Technology / Systems: The failure of the information technology system, the hacking of the computer network by outsiders, and the programming errors that can take place any time and can cause loss to the bank
Impact of Increased Operational Risks on Operational Risk-Weighted-Assets (RWAs)
Operational risk-weighted assets is a measure devised by regulators that determines how much capital a bank needs to hold against potential losses from human error, external threats, fraud and litigation. Operational RWAs are on the rise, as noted in some examples below:
- Bank of America said a $26 billion increase in its total RWAs as of June 30 was driven by an increase in operational risk-weighted assets. About 26% of its total is tied to operational risk, meaning the bank had more than $330 billion of such assets
- Citigroup said it was forced by the Fed to add $56 billion to its operational RWAs earlier this year, which reduced its capital-ratio target, citing the “the overall operating environment for the banking industry.” The bank had $288 billion of such assets as of June 30, or 23% of its total, up from $177 billion in the third quarter of 2013
- Goldman Sachs had $93.8 billion of operational risk-weighted assets at the end of June, 16%of its total
- Credit Suisse said in February that its regulator ordered the firm to boost its operational RWAs by $6 billion to 53.1 billion Swiss francs ($58 billion).
- UBS AG was ordered to bolster its figure by more than 27 billion francs before the regulator agreed to use a different way to assess risks, leading to a 22.5 billion-franc increase. The expectation is that operational risk-weighted assets will continue to rise in the future
- JPMorgan Chase CEO Jamie Dimon has pledged billions of dollars to improve compliance and cybersecurity. The firm’s operational RWAs rose 6.7% in the 2Q to $400 billion, according to an August filing. Wall Street firms including Citigroup Inc. and Bank of America Corp. that together racked up more than $100 billion in post-financial crisis legal costs are facing similar pressures.
More Stringent Regulations
Operational risk entered the global regulatory debate after the 1995 collapse of U.K. bank Barings Plc following a rogue trader’s losing bets on derivatives. Under Basel II guidelines, banks had wide leeway in how they calculated possible losses for operational mistakes using their own internal models. When the Basel committee revised the rules after the 2008 financial crisis, policy makers tightened the calculations, requiring past losses be taken into account and increasing the power of regulators to demand changes.
US regulators have become more aggressive in making sure banks’ internal models are appropriately measuring the operational hazards firms face. The push has been accelerated by legal disputes involving mortgage lending during the housing boom, alleged market-rigging and sanctions violations. “One of the central lessons coming out of the financial crisis was that supervisory expectations for risk management” needs to be much higher, Thomas Curry, the US Comptroller of the Currency, said in May. He previously said that operational risk is the biggest safety concern for banks, citing threats including cyber-attacks and failure to comply with anti-money-laundering rules.
Approaches to Managing Operational Risk
Varying business types require different approaches to managing operational risk. As Steve Bhatti (Chief Operational Risk Officer at Santander North America) states, “a retail business can naturally have lots of one-off small losses, while an investment bank can have a one-off rogue trade with a large loss; meanwhile your corporate business can have very low, nominal losses and also one-off large losses. So those different businesses have different loss profiles and what that means is that, even though you have a standard operational risk framework, you need to tailor it to each business in order to understand where the breakdowns are occurring in line with the losses and where the risks are. That’s the key thing that needs to be undertaken. It’s not taking a standard discipline and just applying it in blanket form across different business types.” When managing operational risk, it is important to “look at each one of the businesses and working out how do you integrate and engineer an operational risk framework so it’s embedded in the day-to-day business activities of your business.”
Future of Operational Risk
While the future is unpredictable, it is a common notion and expectation that the costs and impacts of operational risk will continue to increase in the next few years, as banks continue to establish effective frameworks and controls around operational risk management. A few areas of focus for risk managers are listed below:
- Establish and implement a comprehensive and flexible enterprise risk management framework to ensure risk is managed appropriately across the entire firm
- Embed risk management at all levels of the firm (establish common risk terminology that will facilitate communication across businesses and functions)
- Establish and implement an effective control framework
- Invest in technologies, systems, data analytics to deliver insightful information and customized valuation tools for improved decision making
KSENIYA (KATE) STRACHNYI is an advisory consultant focused on risk management, governance, and regulatory response solutions for financial services institutions. Areas of expertise include governance frameworks, enterprise risk management programs, ICAAP, compliance risk management, operational risk management, Foreign Enhanced Prudential Standards, Basel II/III, and the Dodd-Frank Act.