Financial companies are still trying to get a grip on the amorphous concept of “operational risk,” but big ones are making more progress, the latest Executive Forum, American Banker’s quarterly online survey of leaders of financial companies, suggests.
Regulators differ on how to define this risk, but it clearly excludes credit and interest rate risk and includes the risk of losses from failed internal processes and systems, from human error, and from external events.
Despite the uncertainty, many larger financial companies continue to enhance such procedures and re-jigger their organizations to deal with such risks, under pressure from Sarbanes-Oxley regulations and the proposed new Basel II requirements.
Smaller companies (the survey’s dividing line is $10 billion of assets) seem to be under less pressure, and in many areas where large banks have made significant strides since last year’s survey — such as the appointment of a chief risk officer — small banks have shown little progress.
However, significantly more smaller companies said they had plans in place to enhance their operational risk management effort this year (58% versus 45%).
Financial firms of all sizes are still puzzling over such basics as how to allocate capital for operational risk and what role the board of directors should play in gauging and monitoring it.
“There seems to be no standard way for how it is managed,” said Rita D. Shrader, the operational risk manager at Irwin Union Bank in Columbus, Ind., and a senior vice president.
Nevertheless, many of the nearly 400 respondents to this year’s first-quarter survey said improvements in operational risk management not only mollify regulators, but also provide real benefits for their companies.
As one respondent put it: “Our focus on operational risk management has been very helpful in ... ensuring accountability at all levels.” Another said the practice had become “essential in avoiding a number of pitfalls in our industry.”’
And while respondents in both this and last year’s surveys complained that risk management requirements have become too burdensome, the substance of the complaints seemed to deepen this time around, with some executives challenging the concept of operational risk management.
“I fear that, post-Enron, the pendulum has swung too far in the direction of risk overmanagement,” one executive wrote. “I do not believe this is helpful. Business should be expected to take risks, and to fail in their attempts from time to time. It sometimes seems today that many businesses attempt to prevent all risk instead of managing it.”
Another wrote: “The idea that we can become totally risk-free is absurd. Everyone seems to believe that if we have the right systems and audits, we can eliminate risk. We spend entirely to much time on risk aversion in areas where the risk was minimal to start with.”
Only 42% of the respondents from smaller companies said they have a chief risk officer, versus 41% last year. But the figure at large companies jumped from 68% to 82% — and 62% of the large-company respondents said a chief risk officer or an equivalent is responsible for the operational risk function, up from 41%.
Behind these increases, experts said, was increasing pressure from regulators to coordinate risk management companywide and growing interest in qualifying for the most sophisticated capital management structure proposed in the planned revision to the Basel accord.
A large bank “had better have a really good reason” for failing to have a chief risk officer, said Karen Shaw Petrou, the managing director of Federal Financial Analytics, a Washington consulting firm. “I know from our practice that the regulators are very serious about this.”
“I think the reason is probably twofold,” said Marty Blaauw, a senior vice president and the operational risk manager at Union Bank of California in San Francisco. Firstly, “we’ve had some encouragement from regulators in the direction of at least having centralized oversight of the risk management function,” she said. Secondly, “I also think that many of the banks could be considering opting in to Basel — and Basel requires so much coordination between operational, credit, and market risk, they may be putting that under one person.”
One survey respondent wrote, “We are contemplating adding this position before yearend. Regulatory bodies appear to be spending a great deal of time focusing on bank operations and processes ... including regulatory compliance.”
Another respondent wrote: “A risk management officer facilitates the uniformity of documentation of the risk management process across all areas of risk. Therefore, it becomes easier for management, the board of directors, and regulators to evaluate the effectiveness of overall risk management.”
A chief risk officer “gives us a different perspective … and another view that causes us to improve key controls,” another wrote. “Our view is to have a resident ‘anal cynic’ as part of the team.”
A curiosity in the survey results was a drop, to 35% from 41%, in the proportion of large-company respondents who said their board of directors is “involved in all aspects” or “significantly involved” in “identifying, monitoring, and controlling” operational risk.
Why the drop? Ms. Blaauw said the biggest reason is probably that risk managers, overwhelmed with mountains of newly available data, are having trouble deciding what to present to their directors.
“A lot of people are still struggling with what is the right information to give the board,” said Ms. Blaauw, whose company is mostly owned by Mitsubishi UFJ Financial Group Inc. “People are struggling with implementation of new systems and what information to pull out of them and present to the board.”
The decline in another figure — large-company respondents reporting plans to enhance operational risk management — may also, paradoxically, signal progress. That number slipped to 66%, from 71% a year earlier.
Furthermore, the reasons for such planning changed.
Only 29% of those reporting the plans cited Sarbanes-Oxley, down from 43%, while the percentage citing Basel II compliance jumped from 19% to 31%.
Why these changes? Experts were divided.
“A lot of people now have SOX under their belt; it’s starting to become an ongoing process, rather than one requiring dedicated staff,” Ms. Blaauw said. “So there is more time to devote to operational risk.”
But others said the change means that Basel II and Sarbanes-Oxley have essentially become part of the same compliance regime.
“The sense is that Sarbanes-Oxley is being subsumed into Basel II,” said Ani Sanyal, the director of research and development for Sungard BancWare in Boston. “The Basel II requirements are seen as a superset of the Sarbanes-Oxley requirements.”
More of the smaller financial companies than a year earlier plan to upgrade their op-risk management capabilities and their reasons for doing so are quite different from the larger companies’.
A scant 1% cited the Basel accord. Twenty-six percent cited their own internal audit function, 25% Sarbanes-Oxley, and 27% reasons not listed among the multiple choices.
The two groups agreed that the main benefits of better op-risk management systems are efficiency and avoiding legal or regulatory action.
Sixty-seven percent of the respondents from large companies cited both; 79% from the smaller companies checked off penalty avoidance, 56% operational efficiencies.
Part of the difficulty in managing operational risk has always been in defining exactly what it is.
The ongoing creation of an accepted definition of operational risk continued this year, as reputation risk came to be seen as a form of exposure separate from operational risk.
The Basel Committee this year scrapped a proposed capital charge for reputation risk, but that decision seems mostly to have influenced larger financial companies.
Fifty-two percent of the respondents from such companies said they treat reputation risk as a component of operational risk management, down from 70% a year earlier.
But the figure rose at the smaller companies, from 62% to 68%.
Ms. Shrader of Irwin Union Bank said the difference may be that small banks worry that operational problems can directly affect reputation.
“One of the ways to look at it is that an error you make with a customer can be publicized — especially in small communities — to the point where it is damaging to the reputation of the bank as well,” she said. “Many operational losses are attributable to human error, and many times when there are reputation-risk losses, it is related to human error as well.”
Despite the evidence that financial companies are paying more attention to op risk, the percentage explicitly allocating capital against it barely moved.
Only 18% of the respondents from small companies said their employer is doing so, the same as a year earlier, and the figure for large companies was 40%, up slightly from the year-earlier 37%.
“It’s not surprising, because it is an extremely difficult process,” said Ms. Petrou of Federal Financial Analytics. “People are stumped by the differences between the economic capital models that banks are developing and the regulatory capital charges in Basel II.”
Mr. Sanyal of Sungard said he expects more banks to begin allocating capital for op risk in the next few years.
“The regional and superregional banks beyond a certain size will begin to see the benefit in it,” he said. “And there is a certain ratings effect as well. I think the ratings firms are going to start taking operational risk management into account — I would not be surprised to see an operational risk component to … [bond ratings] in the future.”
Ms. Shrader said more banks will make explicit capital allocations for such risks when they “are more comfortable that they have captured operation losses.”
“I think it is a challenge sometimes for organizations to capture their operational losses in the right categories,” she said. “The employees making the entries may not think of it as an operational loss.”
Mr. Garver, who covered regulatory issues as an American Banker reporter from 1999 to 2003, is a freelance writer in Springfield, Va.
