How banks can prepare for the worst
By Thomas Olsen and Sebastian Fritz-MorgenthalWhy do banks in Asia and the rest of the world have so much trouble managing operational risk?
In recent years, the financial pages have been filled with examples of the many ways that operational risks can spin out of control: Traders make huge, unauthorised bets; sales people set up accounts without the consent of their customers; managers rig market benchmarks; internal systems and processes break down; computer systems fail; customer data is breached and compromised.
The consequences of these operational mishaps can be catastrophic—resulting in millions, and sometimes billions, of dollars in financial losses; fines and other regulatory sanctions; customer defections; management shakeups; shareholder discontent; and significant, if not irreparable, damage to a bank’s brand and reputation.
From 2011 to 2016, major banks suffered nearly $210 billion in losses from operational risk. Most of these losses stemmed from preventable mistakes made when employees and systems interacted with clients, flaws in the way transactions were processed or outright fraud.
Overall, banks have made some progress managing operational risks, but there is much room for improvement. Losses from operational risks at major banks worldwide have fallen from a peak of 6.2% of gross income in 2011 to 1.6% in 2016, according to ORX, an organisation that tracks operational risk. By taking steps to reduce those losses further, banks can have a direct and measurable impact on their bottom lines. Improving the 2016 loss ratio by 20%, for example, would be equivalent to a 32-basis-point increase in net profit margins.
Banks, in short, have every incentive to contain operational risk. Yet, they often find it hard to do. Compared with financial risk (which includes the risk that creditors will default on their loans and that assets will fluctuate in value), operational risk is more complex and more challenging to monitor, control, and manage.
Many banks have a tough time understanding and measuring the interconnected factors that contribute to operational risk, including human behavior, organisational processes and IT systems. They find it challenging to create cultural, governance and management structures that can systematically control these risks. Instead of taking a deeply integrated, proactive and long-term approach to operational risk management (ORM), they end up managing operational risk with reactive, short-term measures.
Banks that take a comprehensive approach to ORM recognise four broad areas that need attention. The first is people. Even in a digital age, employees (and the customers with whom they interact) can cause substantial damage when they do things wrong, either by accident or on purpose. Problems can arise from a combination of factors, including intentional and illegal violations of policies and rules, sloppy execution, lack of knowledge and training, and unclear and sometimes contradictory procedures.
The second area is IT. Systems can be hacked and breached; data can be corrupted or stolen. The risks banks face extend to the third-party IT providers that so many banks now rely on for cloud-based storage and other services. Systems can slow down or crash, leaving customers unable to access ATMs or mobile apps.
The third area is less tangible than the first two, but no less important: organisational culture. By setting aggressive sales targets and rewarding employees for how well they meet them, bank management can encourage, and, in some cases, explicitly condone inappropriate risk taking. Such activity, when exposed, can lead to management changes, shareholder losses and regulatory fines.
The fourth area that vexes ORM planners is regulation. Since the global financial crisis, regulators have increased the number and complexity of rules that banks must follow. Banks that operate in multiple jurisdictions can face overlapping, inconsistent and conflicting regulatory regimes. Lapses can be expensive and embarrassing, triggering regulatory sanctions and customer defections.
The key to effective ORM is training people to anticipate what could go wrong, especially when a business unit is about to do something new, such as introduce a product, change a customer interface, alter the way employees are compensated, or outsource part or all of a core business process.
As banks increasingly use Agile teams to innovate, they can make sure that ORM experts are part of the effort. One major European bank, for example, has ORM staffers as integral members of the Agile teams on its innovation campus, where the bank develops and tests new business practices and offerings. Another European bank has built up a dedicated cyber risk team that simulates realistic cyberattack scenarios and takes action to prevent them from happening.
Leading banks now use technology to supplement, and sometimes replace, audits. Using advanced analytics and machine learning, they leverage their tremendous trove of data to screen the entire bank’s operations continuously and automatically. They use insights from this ongoing surveillance to quickly develop and adapt Key Risk Indicators (KRIs) that serve as early warning signs of potential problems.
Banks that are integrated and proactive about the way they manage organisational risk can realise real financial benefits and, more important, help prevent the kind of catastrophe that can have consequences for years to come.