On February 25, 2015, I sat among a crowd of risk managers, bankers, consultants, technology vendors, and academics at the Global Association of Risk Professionals (GARP) 16th Annual Risk Management Conference in New York. Julian Fry, Managing Director, Head of Monitoring & Surveillance – Americas, UBS, provided his thoughts on validating the operational risk framework.
Fines and sanctions have grown exponentially (BCP, cross-border tax evasion, etc.)
Size of operational RWAs has grown as well
Julian provided a great analogy between operational risk practices in the airline industry and the financial services industry
- Alignment of Interest
  - Airlines – Pilots are more exposed to risk than customers
  - Banks – Risk taker designation and evaluation, deferred compensation
- Strong First Line Controls
  - Airlines – Have pilot and co-pilot
  - Banks – Have requirement for 1st line to own the risk (typically by COOs)
- Stress Testing & Training
  - Airlines – Flight simulators to test critical scenarios and train appropriate responses
  - Banks – Risk scenario identification and analysis, stress testing, reverse stress testing

The view is that not enough time is spent in banks thinking about what could go wrong.

- Lessons Learned
  - Airlines – Black box data systems record near misses and losses
  - Banks – Event back testing
The question we need to ask ourselves here is “are we more lucky than good?” At times, mis-booked trades can get you a profit. Relying on luck is not a good risk mitigant!
The Second Line of Defense (air traffic control that provides continuous monitoring at critical junctions) is compared with operational risk core oversight functions within banks
Overview of Three Lines of Defense
- ORM – Not someone else’s job, starts with 2nd line; just as airplane safety starts with the pilot
- OR Control – challenge and review and give guidelines to 1st line; like air traffic control
- Internal audit – Evaluate, review, and improve ORM framework. Like Federal Aviation Administration in airline industry
Something to keep in mind is that a catastrophic loss is a failure of all 3 lines of defense
Operational risk metrics are viewed as more useful than RCSAs (as those can be time consuming); firms that don’t leverage metrics are missing opportunities to manage risk
Emerging risks – validating the ORM Framework can be done by assessing how dynamic the framework is to new risks. Having a static risk taxonomy (committed to fighting last year’s war) is ineffective risk management
Risk radar is one way to engage senior management in identification of potential emerging risks
Risk radar has four quadrants:
- Strategy & business risks
- Market & product performance
- Regulatory & external
Radar allows management to have one piece of paper that highlights key risks
Operational risk has become so broad that no one individual can manage it. There is a need for a strong team and the ability to adapt to new disciplines
How do we know if the ORM Framework is working properly?
- ORM taxonomy captures risks and responds to emerging risks
- Risk appetite exists – action is taken when limits are breached or are close to breach
- Respective of each line of defense; and everyone does their job
- Avoid risks that are significant in the industry; idiosyncratically good firm!
KSENIYA (KATE) STRACHNYI is an advisory consultant focused on risk management, governance, and regulatory response solutions for financial services institutions. Areas of expertise include governance frameworks, enterprise risk management programs, ICAAP, compliance risk management, operational risk management, Foreign Enhanced Prudential Standards, Basel II/III, and the Dodd-Frank Act.