John Cyriac’s Blog

November 20, 2008

Operational Risk Appetite: Why, What & How

Filed under: Risk & Compliance — jcyriac @ 10:29 am

Operational Risk Management (ORM) is undergoing a transformation, and it is becoming widely recognised as a major area of risk for financial organisations. Major high street banks in the UK have already implemented Basel II requirements for Operational Risk (OR) and are now looking to reap more from their investments. There is great emphasis on coordinated risk management, and organisations have started adopting Enterprise Risk Management (ERM). The main objective for financial institutions in these efforts is to grow beyond compliance requirements and reap business benefits from their investments in OR. One concept associated with reaping business benefits, and often considered part of ERM, is Risk Appetite. However, there is very little guidance available in the industry for applying the concept of Risk Appetite to OR.

This study was conducted as Action Research to provide thought leadership in the area of Operational Risk Appetite (ORA). During the study, we first analysed the regulatory landscape for OR and studied the way it is implemented in a major UK bank. We then conducted several interviews with senior decision makers to understand their views about ORA, followed by an industry-wide survey on the concept. We supplemented these inputs with a study of existing research and academic articles in this area. The result of the study identifies the unique nature of ORA in comparison to Risk Appetite for credit or market risks. We therefore created a more appropriate definition for ORA, and then an implementation framework for it.

John Cyriac’s article on Operational Risk Appetite in November 2008 Oprisk & Compliance


January 10, 2008

How to use Compliance Data for Operational Risk Management

Filed under: Risk & Compliance — jcyriac @ 5:14 am

The initial sections of this paper define Operational Risk (OR), discuss the rationale for measuring OR, and detail the Basel II recommendations for OR mitigation. The case study section considers a sample UK financial institution and its existing initiatives, and recommends certain changes for a best-practice OR management implementation that leverages the existing compliance function.

Click this link for the report
How to use Compliance Data for ORM

Compliance Monitoring and Operational Risk Management: An integrated approach

Filed under: Risk & Compliance — jcyriac @ 5:12 am

The compliance monitoring department of an FSA-regulated institution is normally labelled as a “tick in the box” function. The true function of the compliance team is to minimize operational failures, which can result from fraud and mismanagement and can lead to financial loss for customers. Regulation is created to protect consumers and investors. With minor modifications in the process of data collection, compliance monitoring can provide efficient data for operational risk management and CRD/Basel II compliance.

The compliance monitoring nexus: compliance and operational risk function in a financial institution

“The risks that blew up in the faces of boards at companies such as WorldCom, Enron, and Parmalat all come under the general category of operational risk.”

Most of the banking regulations are proposed to mitigate such operational failures. For example, “the Sarbanes-Oxley Act of 2002 (often shortened to SOX) is a legislation enacted in response to the high profile Enron and WorldCom financial scandals to protect shareholders and the public from accounting errors and fraudulent practices in the enterprise.”

The duty of compliance departments in financial institutions is to report adherence to various regulatory requirements to the corresponding regional regulator. However, as we see from the above example, most of the regulatory requirements came as a measure for institutions to mitigate operational risks.

Based on the above analysis, we can say that the underlying function of the compliance department in a financial institution is to mitigate operational risk. However, in most organisations, the compliance function is used for just “tick in the box” regulatory reporting.

Rationale behind measuring Operational Risk - It could be meaningless to measure OR as per CAPM

The relationship between risk and return, or downside and upside, can be described as the yin and yang of the financial markets. So when considering an investment in the stock of a financial institution, its value is nothing but the “present value of its future cash flows adjusted for risk and that operational risk is a major source of earnings volatility for financial institutions”.

The Capital Asset Pricing Model (CAPM) is used as a standard to calculate the required return of an asset, and it considers only systematic risks. Risks that are specific to a firm (unsystematic risks) are not considered when calculating the required return under CAPM, as it is assumed that a diversified portfolio can nullify the effect of such risks.

Therefore, it is natural to question the logic behind measuring Operational Risk and assuming a capital charge, if the entire risk can be nullified by the shareholders by holding a diversified portfolio.

In addition, if we look at the first Basel Accord of 1988, it considered capital allocation by measuring market risk and credit risk alone.

So, why do we bother to measure Operational Risk?

“Operational loss events may serve as signals of poor management quality and operational controls, leading the market to reduce expectations of future cash flows.”

As per Basel II or the Capital Requirement Directive (CRD), financial institutions need to assume a capital charge in relation to their Operational Risk. In addition, managing operational risk is good business judgement, as it reduces the losses created by operational issues.

“Large operational risk-related financial services losses have averaged well in excess of $15B annually for the past 20 years, but this reflects only the large public and visible losses.” A major operational loss in a financial institution is endemic and affects investors’ confidence in markets.

Compliance Monitoring: an integrated approach

Compliance monitoring is meant to be both proactive and reactive. It should collect data to prove the availability of controls and validations and it should also collect data relating to failure. In Operational Risk terminology, one could say that a compliance monitoring programme is collecting Key Risk Indicator and Loss Data.

So with minor changes in the presentation and in the way data is collected by the Compliance Officer, it is possible to comply with the CRD/Basel II requirements and, in doing so, create a meaningful and effective operational risk management programme.
