Ops risk goal: Never having to say "sorry"

You’re a community banker, perhaps blessed with the CRO title, in charge of overseeing operational risk. In many ways, this facet of your ERM program is one of the toughest you will confront.

Nearly all banks have had credit and market risk reporting and metrics in place for many years, but they did not have analogous systems regarding operational risk. Let’s look at a particular challenge you may encounter in constructing such a system for your bank.

Administering Operational Risk

How to construct a system of reporting and metrics for operational risk, of course, depends on what the goal of your program is.

Does it center on compliance? Financial reporting? Reduction of fraud? IT risk—including general controls and information security? Vendor management?

All of the above?  Or even more?

Consider a single focus instead: Never having to say you’re sorry!

As CRO, or other senior person in charge of managing operational risk, you never want to walk into a board meeting and be obliged to inform directors that a quarter or more in earnings is gone, or that capital has been impaired. And all because of the failure of one or two detailed controls, perhaps in the wire transfer room, or the treasury function, or a fraudulent loan scheme.

Yet some of the ways in common use to measure and report on operational risk in the community bank leave you vulnerable to such outcomes.

Exposures you may be missing

Here’s how:

Many systems for assessing risk rely on a calculation of Impact multiplied by Likelihood, resulting in a single number to measure what we most often focus on—the residual risk.

One common scale in use runs from 1 to 5, but even with a more expansive scale, the vulnerability exists. The results of all this are often depicted in the form of a heat map in the standard red to green color scheme.

We all recognize there are certain outcomes that should be considered of such significance as to drastically impair business activity, liquidity, solvency, or stockholder value that, even if highly unlikely, should be the focus of great management attention. Simply put, this highly unlikely but what I’ll call devastating potential outcome, is what has become known as “tail risk.”

Think of the value at risk (VAR) focus of the major banks, before the collapse of Lehman. That sophisticated, but single, measure led to a lack of management focus on the highly unlikely events that left firms vulnerable to the devastating outcomes we all experienced or observed.

Let’s look at two hypothetical risk measurements using the 1 to 5 scale for Impact and Likelihood.

Check clearing issues. The first evaluates the risk in the check clearing system that an item presented is honored despite the fact that the account will eventually prove to have insufficient funds. This may arise from compliance with regulations or adherence with ACH rules.

So, you assess the inherent risk as having an Impact rating of 3 and Likelihood of 4. The Residual Risk rating you assign is 2 for Impact and 3 for Likelihood. Residual Risk, when the two factors are multiplied, yields 6.

Wire issues. Then you evaluate the risk in your wire transfer operation that one or more apparently authorized transfer instructions were not actually authorized.

For the Inherent Risk rating you assign a 5 Impact and 3 Likelihood, and Residual Risk you rate 4 and 1 respectively. Residual Risk, when the factors are multiplied, yields 4.

Now, think about how you feel about each of the hypotheticals.

In the first one, you expect the bank to absorb some losses in the process of clearing payments. It’s a cost of doing business, and one that you will work to reduce.

In the second hypothetical, the potential loss is one that could significantly affect the bank’s earnings and even its solvency. You will focus significant effort to reduce both impact and likelihood to the lowest practical possibility. Even then, you will also likely consider shifting some of the risk to a third party, via insurance.

There’s a lesson here. You can extend the reach of your number system, of course. But in the end you are making judgments regarding where on the scale you rate a particular item, and it leads to confusion and wasted effort on the more routine matters.

Alternatively, you can recognize the limits of the measurement system and in a more forthright manner apply your judgment.

Potential devastating effects should be the subject of significant management attention—even if the numbers don’t show it!

Tale of two big banks

This article is aimed at community banks because large banks assess operational risk in a far more quantified manner. But the approach of applying judgment to manage the most serious risks a bank faces proved highly effective for the major banks in the 2008 financial crisis.

Let me tell you the story of two banks, each of which did not seem to have a concern when each viewed its primary risk measurements, which included VAR.

• One of them, consistent with the measurement, relied to a very large degree on overnight funding for its liquidity.

• Another, applying judgment based on general principles, favored funding with daily fluctuating term financing.

The first is no longer with us; the other is doing just fine.

When it comes to risk management, we recommend using more than one measurement system. Impact/Likelihood measurements work well to help form an overall view of inherent and residual risk levels, which are apparent at a glance.

We also recommend measurement systems that use more judgment, and do not indicate acceptable levels of controls unless those events that can lead to devastating consequences are controlled to the greatest degree practical—and consideration is given to risk transfer through insurance, if available. Reports can be structured simply, but should be used in tandem.

So as the senior member in charge of managing operational risk, avoid having the tail (risk) wag your dog. With any luck, you won’t have to say you’re sorry.