Operational risk: So, who will kiss this frog?
Operational risk management is like the fairytale frog – the ugly little spectre from which executives instinctively recoil like so many fastidious princesses. How can we get bankers to kiss the frog, asks JOHN THIRLWELL, and transform operational risk into the Prince Charming he believes it should be?
Back in the 13th century, Thomas Aquinas, the philosopher and later saint, famously declared that “the world has never been so full of risk”. He was thinking of plagues, wars and famine, which decimated populations and caused mediaeval banks to collapse – far more than through the capricious behaviour of borrowers, such as kings and Popes. The risks he was talking about were operational risks.
If you look at the recent banking crisis and events before that, not a lot has changed. Rogue traders, the Millennium Bug, 9/11, SARS, volcanic ash: all these operational risks have formed the major threats to the financial system in the 20 years leading up to the banking crisis.
And when you look at the banking crisis itself, you’ll undoubtedly see appallingly poor mortgage lending, abdication of credit risk responsibility to credit rating agencies and stunning over-indulgence in derivatives, those “financial weapons of mass destruction”, as Warren Buffett so memorably called them back in 2003.
But the root causes lay in human behaviours: the wild optimism of borrowers, lenders, politicians, regulators; the herd instinct which always inflates a bubble; greed and, of course, human failures of risk management and governance on a grand scale.
When the US Financial Crisis Inquiry Commission reported in January, it naturally pointed to all these causes. But, before that, it was vituperative about “dramatic failures of corporate governance and risk management” and a “systemic breakdown in accountability and ethics”. For me, those behaviours are fundamental elements of operational risk.
One final example illustrates where I think operational risk fits in the hierarchy of risk management. Last October, the UK government published its national security strategy. In the top tier of threats to the UK it cited international terrorism, cyber attacks and large-scale cyber crime, major accidents, natural disasters and an international military crisis. The second tier included organised crime and disruption of satellite communications. Every one is an operational risk and practically all, together with people (or behavioural) risk, are major threats faced by banks today.
Banks and other financial institutions are in the business of managing risks. But that generally means managing credit risks, or market risks, or insurance risks, the stuff of their business. It’s all too easy to ignore the risks they have to manage if they wish to stay in business, the stuff of operational risk.
And, even when they consider the risks which they are in business to manage, do they seriously consider how many of them are operational – failures of process, systems and control, often caused by failures of their employees or those employed by third parties? They form a substantial part of what we call credit, market or other types of risk, over 50 per cent by some measures.
Operational risk is inherent in all products, services and activities and involves everybody employed by the firm. That cannot be said of any other type of risk. Yet for some reason, despite its critical importance, operational risk management remains like the fairytale frog – the ugly little spectre from which executives instinctively recoil like so many fastidious princesses.
So how can we get bankers to kiss the frog and transform operational risk into the Prince Charming which I believe it should be? Perhaps the first thing is to set out the benefits of good operational risk management. The essential benefit is better informed decision-making. The basic tools of an operational risk management framework – event and loss analysis, risk and control assessment, monitoring risk indicators and scenario analysis – all contribute to better risk-based business decisions. Intelligent operational risk management can produce clear financial benefits:
• Risk and control assessments enable control resource to be effectively deployed.
• Insurance-buying should be an integral part of the operational risk function, so that it can be properly targeted and optimise premium costs and maximise claims payments.
• Outsourcing should mean that customer service is improved and activity levels are increased.
• Proper project management should ensure that projects really do deliver what was intended, to time and to budget.
Then there are the threats to the business itself which lie at the heart of operational risk management. Business continuity management will ensure that you are a survivor and will be back in business ahead of your competitors.
And then there’s reputational risk management. Financial services organisations depend on trust. That trust can very quickly be lost through the actions of anybody in the firm – and through a failure to deal speedily and effectively with the problem when something does go wrong. The effects can be catastrophic.
And reputational damage almost invariably results from operational risk events. So it needs to be properly assessed and managed by first assessing the risks on the risk register for their potential to cause reputational damage.
Reputation is the perception many people have of an organisation over time. Those people include customers, employees, suppliers, investors, regulators and opinion formers. Just as risk is not managed by the risk management function but by the business lines, so reputation is not managed by press and public relations, but by everybody who manages those relationships, whether it’s the business lines, support functions, HR, compliance or investor relations. A firm’s reputation is in the hands of every employee – from public remarks or behaviour of the CEO to the junior on Facebook or Twitter.
That brings us to the most critical part of operational risk management – managing people, one of the four elements of the Basel definition of operational risk. People are a service industry’s defining asset – and its greatest risk. That risk will be most effectively managed where there is good risk governance which ensures that a healthy risk culture is embedded throughout the organisation.
In a speech to the Institute of Internal Auditors in 2008, Professor Mervyn King, chairman of the King Committee on corporate governance in South Africa, memorably said: “With buy-in, you can do extraordinary things. But without it, you won’t even achieve the ordinary. It’s alright to talk about the tone at the top, but I like to think about the tune in the middle.” The tune in the middle is the test that the risk culture promoted by the Board and senior management is truly embedded.
That will partly depend on their own behaviour – walking the talk. But it will critically depend on the Board being clear about its strategy and objectives and effectively communicating them throughout the firm. Without clear strategy and objectives, there can be no context for effective risk management or an understanding of what is meant in a particular firm by excellent behaviours. Without an understanding of what is meant by excellent behaviours, there will be little coherence in staff selection, appraisal, promotion or, importantly, remuneration. Nor will it be risk-based.
Behaviours underpin the way in which the firm does business. The tone at the top is where it all starts but it always intrigues me how little the CEO features in the risk register. And yet the CEO’s behaviour can destroy a firm. Is the CEO a dominant emperor, or perhaps an aspiring celebrity? Does he or she work openly with the Chairman and the Board, or are they seen as obstacles to getting on with the job, people to be provided minimum information, rather than people to whom issues can be brought for discussion? It’s one thing having a strategy, but can the CEO implement it effectively? How many and how good are the decisions the CEO makes?
And having asked all those questions about the CEO, repeat them down the management chain. In particular, is there a genuine succession plan, or is it something which might cope with an immediate crisis but not beyond that? Too often one person is pencilled in as the replacement for a number of other senior executives. What happens if two or more of them disappear at the same time? Again, it’s not just a concern at Board level, but all the way down the chain.
Finally, a word about HR. How many HR Directors do little other than transactional HR – running the appraisal and training systems, hiring and firing – rather than act as true risk managers, which is what they ought to be? Understanding and predicting risk are highly dependent on understanding human and organisational behaviour, the root cause of the crisis. The HR Director should have a core role as senior management’s guide and be on the shortlist for COO or even CEO. But that’s rarely the case. And of course, the whole issue of people risk and behaviours is all operational risk.
Operational risk lies at the heart of all the risks we take and all the ones we’re exposed to. It involves everybody. Its management should not be a matter from which executives shrink in disdain, like fainthearted princesses. It should be the responsibility of the top executive table: be courageous, kiss that frog, is what I suggest, and see it converted into the prince of management issues, which it deserves to be.
John Thirlwell is an independent adviser on risk management to boards in financial services and co-author of Mastering Operational Risk (Financial Times Prentice Hall, 2010).