American Banker/InsightExpress Executive Forum 1Q '07 (Operational Risk) (Survey Participants)

American Banker   Friday, June 22, 2007
By Marian Raab

Just a few years ago many financial services firms struggled with what was then a nebulous concept: operational risk.Today, however, an increased number of banking companies have defined and gotten comfortable with operational risk management, finding that their efforts in this area are reaching new levels of maturity, according to the latest Executive Forum, American Banker's quarterly online survey of industry leaders.

The survey's results indicate that more small companies (those with less than $10 billion of assets) had implemented operational risk measures than a year earlier, and that many larger institutions were satisfied with plans they had executed.

Reputation risk is also becoming a critical component of operational risk management. Most of the companies surveyed reported having raised staffing levels and improved technology devoted to the task.

For the first time, more than half of the 327 respondents said their company had an operational risk management function — up from about 40% in previous surveys conducted on this topic.

Among small companies, 51% reported having such a function, versus 36% in the first quarter of last year, and 34% in the first quarter of 2005.

And a record percentage of survey participants — almost 62%, versus 50% last year — said their company has a chief risk officer or the equivalent. Among small companies, 58% said they had one, up from 42% last year. And more than 90% of respondents from large companies said the same, versus 82% last year.

The percentage of respondents who said their companies had an operational risk management chief rose 3 percentage points, to 39%. In this area, the sharpest increase was among small-company respondents (up 7 percentage points, to 31%). Among large companies, a record 67% said they have an ORM head, compared with 62% last year and 57% in 2005.

"The concept has matured," said Chris Maher, a principal in the risk management and regulatory practice of Ernst & Young in New York. "I think what you're seeing is more broad application of operational risk across organizations of varying sizes."

Yousef Valine, the head of institutional risk management at Wachovia Corp. of Charlotte, agreed that "we have come a very long way."

A recent Risk Management Association conference Mr. Valine attended in New York was packed, but five or six years ago such conferences were sparsely attended, he said.

Mr. Maher said that boards and senior managers have gotten more involved in operational risk management recently — an observation reflected in the survey results.

When asked how involved their boards were in identifying, monitoring, and controlling operational risk, 22% of respondents said their board was "significantly" involved, versus 16% last year. And 19% of large-company respondents their board was involved in "all aspects," compared with only 7% last year.

"Boards have always been concerned about levels of operational risk," Mr. Valine said, and he is not surprised they are beginning to ask for operational risk reports. "The emphasis has always been there," but the difference now may be in how the information is packaged and presented.

Status Quo

Because of the newfound maturity, fewer respondents said their firms plan to upgrade their operational risk management capabilities. Less than half (48%) of respondents from small companies had such plans, versus 58% last year, and 55% of respondents from large companies had such plans, versus 66% last year.

"The big banks may feel comfortable with where they are," said Peter Aceto, the chief risk officer at ING Bank, the ING Group NV unit that uses the ING Direct brand in the United States.

One respondent, when asked what is preventing his or her firm from enhancing its operational risk management, wrote that no enhancement was necessary. "We are satisfied with our current program."

But others stated that their companies were being held back. A participant offered these reasons: "Limited staff, wearing multiple hats already, means enhancements often take a back seat, unless there is a glaring weakness." Another wrote that his or her bank did not want "to create additional nonrevenue-generating overhead." (All respondents gave feedback anonymously.)

Among the companies that plan to enhance their operational risk management, their reasons for doing so varied. The single biggest one cited by respondents was internal audits (26%), followed by the Sarbanes-Oxley Act (22%) and competitive advantage (18%). That reflects a switch from last year, when Sarbanes-Oxley was the most popular reason, cited by a quarter of respondents, followed by internal audits (21%).

Eric C. Holmquist, a vice president and the director of operational risk management at the $2.4 billion-asset Advanta Corp. in Spring House, Pa., says a shifting focus toward internal audits is a good thing.

"If you think your SOX program is your op risk management program, you've missed the picture," Mr. Holmquist said. "It's only part of it. You really need to be keeping a focus on what are those inherent risks that prompted you to build controls, and are those controls truly mitigating the risks."

When respondents whose companies plan to improve their ORM efforts were asked what benefits they expected, 78% said avoiding legal or regulatory action, 56% said increasing operational efficiency, and 18% said capital savings. (Respondents were asked to select all responses that applied.)

And in a new question for the first quarter survey, participants were asked to rate the degree to which their firms achieved the benefits they expected. More large-company respondents (15%) than small-company ones (2%) said they attained all of the benefits expected. Overall, only 5% of respondents to this question said they achieved all expected benefits from their ORM efforts.

Participants also were asked to name any new categories of operational risk that got their company's attention in the past year. Disaster recovery and business continuity planning were most frequently cited ones.

According to Mr. Holmquist, the responses are evidence that ORM projects are working, because they are encouraging organizations to consider these things in a new way.

"Business continuity planning is a business risk, not a technology risk," he said. "For too long, business continuity planning has been stuck in IT."

Expanding Scope

As a component of their operational risk management, more companies, especially large ones, are also addressing reputation risk. Overall, 67% of the survey's respondents said their firms do so, up from 65% last year. Among large-company participants, however, 60% said the same, compared with 52% last year.

Reputation risk is a "funny" area, Mr. Holmquist said, because bankers like to talk about it and throw the term around, but coming up with a quantified value is nearly impossible.

"The reality is that reputation risk is one component of thousands of other risks," he said. "We look at reputation risk as one factor of operational risk. It's a factor that influences our risk profile."

Half of all respondents said their firms are allocating capital for reputation or legal risk, versus 43% last year. The increase was especially sharp among big banks (up 14 percentage points, to 47%). When asked if their companies allocate capital explicitly for operational risk, 21% of respondents overall reported that their firms do, versus 23% last year. The percentage among big banks fell 8 points, to 32%, and among small banks, the figure was roughly flat, at 19%.

Experts said they were unsure about the reasons for these shifts.

"Allocating capital can be a good management incentive, Mr. Holmquist said. "But in terms of operational risk management, it never makes the bank inherently better."

Technology

This year's survey showed bankers were much more satisfied with the role technology plays in their companies' operational risk management. The percentage of respondents who said they were either very satisfied or satisfied rose 6 points, to about 62%.

The biggest jump in satisfaction was among respondents from large companies. Nearly 59% said they were very satisfied or satisfied, compared with 49% in 2006.

Industry insiders and analysts say one of the likely reasons for the increase is the rising number of products on the market suitable for operational risk.

"If you compare the number of vendor packages available today versus four years ago, the sheer number of solutions suggests that there's been a great interest [in this market] among vendors," said Wachovia's Mr. Valine.

Respondents also were happier with their vendors, according to this year's survey. Nearly 38% said that all their vendors or service providers had addressed ORM concerns to their company's satisfaction, versus 30% in 2006. When asked about the role technology plays in their overall operational risk framework, more respondents said specialized systems are central to their ORM efforts (20%, versus 18% last year). The percentage of respondents saying so rose among small banks (up 4 points, to 18%) but fell among big banks (down 9 points, to 26%).

Risks and Rewards

Has operational risk management changed the quality of decision-making at banking companies? Some respondents said it has increased the level of scrutiny.

"It has subjected decision-making, such as the launching of new products, to more scrutiny," one respondent wrote. Another wrote: "Risk analysis is a part of almost every decision. Problem is that everyone is trying to be risk-less, which of course is impossible."

Another respondent had a different take: "ORM appears to be evolving into the 800-pound gorilla. But from my vantage point, the outcomes can offer significant value in terms of operational efficiency and in management's ability to effectively monitor more aspects of the operation."

Ms. Raab, the former special reports editor for American Banker, is a freelance writer in Maplewood, N.J.