Bankers, Regulators Embrace Fuzzy Science of Ops Risk

Operational risk has become the flavor of the moment at industry risk management conferences and training sessions recently. Pioneering banks are developing new risk indicators, performing scenario analyses and grappling to quantify reputational risks.

Regulators are preaching the ops risk gospel, too, exhorting lenders of all sizes to embrace a risk-management culture.  

"Strong banks realize that the goal is not to avoid risk, but rather that they can understand it and earn an appropriate return for accepting it and managing it," Deputy Comptroller for Operational Risk Carolyn DuChene told an American Bankers Association conference last month in a keynote speech about the "5 E's of risk management."

If DuChene's message seems obvious, or a bit frothy, it might be because boiled down to its essentials ops risk is a mix of prudent management and contingency planning—ingredients that have been fundamental to the banking since its inception.

The Basel accords defined ops risk 15 years ago as "risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." Turning these very general concepts into quantifiable calculations became part of banks' regulatory requirements.

"Once there was a requirement associated with ops risk, it created a mini industry in trying to measure that," recalls Karen Shaw Petrou, who's skeptical that such risk can be rendered in useful numerical terms.

The early efforts proved of questionable benefit. More recently, chastened by failures ranging from the foreclosure documentation debacle to gaping anti-money laundering lapses, banks and regulators have redoubled their efforts to detect and quantify ops risks.

One result has been a new lexicon of jargon, vendors hawking color coded risk dashboards and specialty ops risk consultancies. All were on prominent display at the ABA's annual risk management forum last month in Baltimore.

Not yet apparent is whether banks will generate value by rebranding sound business judgment and contingency planning as a cutting-edge discipline. Research on ops risk losses suggests that such failures correlate to the level of complexity and credit risk an institutions assumes. As a result, treating ops risk as something that once quantified can be easily tamed may create a false sense of confidence.

Before the 2008 financial crisis, "a lot of the profession already had operational risk people in place," says Clifford Rossi, a former risk manager for Washington Mutual who now teaches at University of Maryland's School of Business and contributes to American Banker. "Did it save any of those institutions? Hell no."

Quantifying ops risk does appear to have had successes. In certain data and technology-heavy areas, like computer security, major banks have performed quite well. If ops risk simply involved extending similar rigor and data improvements to other departments, it would likely offer big benefits.

"Once you start tracking [operations losses] systemically, with standard definitions, a lot of times you'll be surprised by additional information you can glean from these metrics," says Jane Yao, the ABA's senior vice president of benchmarking and surveys. "I think we've come a long way" since Basel's early days, she adds.

But the dangers in the latest ops-risk boom were on display at the ABA's recent forum. Experts seemed bent on deputizing risk managers as the hall monitors of institutional culture, diverting responsibility from business managers. Moreover, the treatment of ops risk management as a budding scientific discipline populated by experts could end up shielding its practitioners from outside, common-sense scrutiny.

The risk manager for a Midwestern bank indicated that she saw herself as a buffer between the line managers and the board, even if important messages get muted along the way.