The recent investigation into allegations of money laundering involving Bank of New York underscores the enormity -- an estimated $10 billion -- of what can happen when operational risk management is weak or lacking.
The obvious question for financial institutions is, of course, "How could this happen?" After all, most institutions have accurate tools in place for measuring risk levels in almost all areas of business.
Nevertheless, many organizations still have a fragmented view of risk. They allow separate business units such as credit, finance, trading, legal, compliance, and business affairs to measure and report on risk within their own spheres of activity. Most important, many lack a perspective on operational risk within a firm's organizational and technological processes.
Granted, measuring operational risks is difficult because they may be unique to a given firm's management style and functions. But a mishandled transaction is an operational risk that can result in short- or long-term losses.
We recently asked risk managers at five major financial institutions whether they were spending more or less on risk management. Each said he did not know. We deliberately chose risk managers at merged institutions because they, in particular, are vulnerable to losing operational control.
Perhaps the most vivid example of operational risk at its most unchecked and dangerous is the fall of Barings Bank. Because no risk management oversight system was in place, a trader was in a position to approve his own trades and overages, and ultimately bet the bank.
In another example, in which technology played a large role, a major firm found that after years of using a specific formula to calculate accruals, the formula that was originally entered into the computer system was incorrect. This major misstep resulted in over $150 million of refunds to clients.
Though few accurate measures exist to determine operational risk, risk can be viewed and managed in a number of ways. But first, a holistic, enterprisewide plan for managing the process must be put into place. Such a plan might have spotted what allegedly happened at Bank of New York.
A holistic risk management plan allows the risk management process itself to be effectively managed and ultimately enables an organization to use risk for strategic advantage -- to prevent losses and increase gains.
The plan calls for a strict hierarchy. At the top, a risk strategy group determines a firm's risk appetite. That group creates a strategy that is then implemented by a risk management group, which then monitors the day-to-day functions of risk managers within the established strategic framework.
These groups identify and assess risk throughout the firm, develop an overall risk management strategy based on that assessment, use capital within a risk framework to manage quantifiable risks, control unquantifiable risks, define detailed risk management policies -- and only then implement risk strategies.
To be effective, the risk strategy group must be independent of day-to-day trading management and take responsibility for all risks taken within each unit. The group is also responsible for determining the adequacy of systems and controls and is supported by a full-time risk management group that activates and enforces the policies and procedures established by the strategy group.
A holistic risk management approach can be applied in a centralized or decentralized environment. The four major risk management models are policeman, controller, partner, and portfolio manager. Each differs in focus, depending on a company's risk culture or tolerance. A company must first determine whether it has a low tolerance for risk or an entrepreneurial spirit, or operates somewhere in between.
Those that allow business units a low degree of autonomy over risk decisions would benefit from the policeman model, which centralizes the corporate risk management function by strictly dictating policies and overseeing compliance from the top.
Slightly more autonomous business units would be more comfortable with the controller model, which centralizes decisions about risk management practices but leaves compliance to the business units.
The partner approach teams upper management with business units to manage risk-adjusted returns and works well for companies in which business units have even greater autonomy, because the risk management function is decentralized.
The portfolio manager model would let extremely autonomous business units remain accountable to the corporate center for the creation of shareholder value with minimal supervision.
None of these models is absolute. A hybrid of two or more could also work, depending on a firm's needs and goals.
Many firms are so busy trying to avoid losses that they miss opportunities to use risk to create gains. Ideally, a holistic approach reaches beyond managing risk to leveraging it for strategic advantage. Firms need to ask themselves: "How can we use risk techniques to gain market share? How can we leverage what's working and remove what's obsolete?"
Financial institutions today, for example, may need to adjust their technology systems in order to compete with on-line trading companies.
Risk-adjusted return on capital, or RAROC, is a measure that provides a statistical estimate of overall risk exposure. (It may also be referred to as REX, return on exposure, or VAR, value at risk.)
Once RAROC has been calculated, a firm determines how much it needs to earn -- beyond bottom-line targets -- to compensate for or "hold" that amount of exposure. In essence, a firm must be able to afford not only the amount it plans on investing for a specific gain, but also the amount it could lose. A willingness to regularly assess such risks in relation to each other is paramount to a firm's solvency -- and survival.
One very high-profile financial institution uses RAROC to monitor risks within and across business units. To this company, risk management is as important as bottom-line management, potential losses as important as potential gains. Employee performance is measured not only in terms of what an employee gains, but also in terms of how much that employee could have lost in a given transaction or set of transactions. In the process, employees learn to balance risk and return.
Consolidations will only increase as global financial services giants jockey for leading positions in the market. Though we have yet to see corporate catastrophes such as the Bank of New York debacle among merged institutions, the clock is surely ticking.
Merging organizations can avoid such catastrophes by adopting a holistic approach to risk management that keeps risks and assets in check, in relation to each other and to the business landscape.