
Basic article information

  • Title: The decade of operational risk
  • Author: Charles Taylor
  • Journal name: The RMA Journal
  • Print ISSN: 1531-0558
  • Publication year: 2003
  • Volume/issue: July-August 2003
  • Publisher: Risk Management Association

The decade of operational risk

Charles Taylor

An Interview with Federal Reserve Board Governor Susan Bies

"This is the decade of operation risk," says Susan Bies, drawing parallels to previous initiatives in financial services. What will operational risk look like in 2010? That's hard to say, because to be effective, operational risk management must remain dynamic, making specific definitions and guidelines into a moving, and sometimes elusive, target. As she says, "In such a world of change, growth, and acceleration, it is essential that line managers think about operational risks systematically as something they have to manage continuously." Yet we are beginning to get a clearer picture of operational risk, and institutions and their regulators already have come a long way in measuring and monitoring these risks. Charles Taylor, RMA's director of Operational Risk Management, interviewed Governor Bies in April and asked for her perspectives on this broad and growing risk area.

Taylor: Perhaps a good place to start would be if you told our readers what your role is as a governor of the Federal Reserve.

Bies: The Federal Reserve Board operates through various committees; each governor serves on several and also chairs at least one (I chair the Committee on Supervisory and Regulatory Affairs). I also serve on the Committee on Reserve Bank Affairs and the Committee on Consumer and Community Affairs. For the international part of the Fed's work, I serve on the Financial Stability Forum--the group of central bank governors, finance ministers, and securities regulators that worries about preserving the stability of the international financial system. Finally, as all the governors do, I serve on the Federal Open Market Committee (FOMC).

Taylor: So when do you get time to think about operational risk?

Bies: Operational risk is one of the central subjects we are tackling in the Committee on Supervisory and Regulatory Affairs. After credit and market risk, operational risk is the third leg of risk management that we address in all aspects of supervision and regulation. In addition, capital allocations for operational risk are a significant part of the new Basel II proposals. And, of course, compliance issues in general are a component of operational risk from the perspective of the banks we oversee.

Taylor: Operational risk management is a broad subject, and the industry is still struggling to understand exactly what is meant by the standard definition: the risk of loss from failures of people, systems, and processes and external events. Some small banks in particular ask how operational risk management is different from good controls and procedures. How would you answer them? And why is operational risk management so important?

Bies: First of all, I agree that internal controls and procedures are an important part of operational risk management. But operational risk management is also a key element of general management. It reminds line management that, as part of long-term planning as well as day-to-day responsibilities, they must identify risk exposures, determine the amount of risk that is acceptable, and ensure that mitigating controls effectively limit risk to the desired level.

Operational risk management is in a process of evolution. Today it is comparable to where asset liability management was in the early 1980s. Reg Q had ended so that banks could compete for deposits, and we had just lived through a period of significant market volatility as the Fed under Chairman Paul Volcker used interest rates to fight inflation. In March 1980 bankers were paying 15.8% on six-month CDs and when the prime rate dropped to 11% in August we maintained those high-rate CDs. So we began to develop asset liability models to predict when loans and deposits were going to reprice and mature. By the early 1990s, a good Asset Liability Management Committee (ALCO) process had been widely accepted as a normal part of bank management. And today everyone clearly understands its benefits.

We started down the same road in the 1990s with credit. Previously, our main concern was to train individual loan officers to underwrite well. We tended to look at credit loan by loan. To mitigate risk, we would increase training or modify underwriting policies where we detected weaknesses. Then we began securitizing consumer loans, which required adherence to uniform standards. We moved to centralized underwriting and managing credit risks at the portfolio level. A quiet revolution in methods and practices took place and, just as it took about a decade for ALCO to be accepted, the 1990s saw credit management models become widely understood, accepted, and used.

This is the decade of operational risk. Although banks have always been subject to operational risks, a lot is changing. Loan closings, check clearing, and a multitude of other processes are going electronic. Acceptance and use of check imaging are increasing. Timeliness is more important to customers, so processes are speeding up. We're relying more and more on models to manage greater volumes of varied transactions at greater speed, so that model risk has become material. And systems that were once housed in a single mainframe computer are now distributed--no doubt with great gains in economy, but with the side effect of creating a more complicated computer environment to manage.

In such a world of change, growth, and acceleration, it is essential that line managers think about operational risks systematically as something they have to manage continuously. They have to step back and ask themselves:

* What critical steps must I take to be successful strategically?

* What risks do those steps present?

* How much of that risk am I willing to accept?

Sometimes the desired risk level can be achieved through controls and procedures. But in addition, the manager has to think about the tradeoff between costs and risk controls, and about risk mitigation through insurance and risk absorption through capital allocation. And then a monitoring system has to be put in place to ensure that risks remain within the institution's comfort level. That way, risk management is part of the management process--looking at risk and reward and designing and implementing business processes accordingly.

Taylor: Recently, the Bank for International Settlements published a report covering 47,000 operational losses in 89 large banks in 2001. How should we use it?

Bies: That study marks a starting point and it has helped both the Fed and the bankers involved in it confirm broadly where operational risks are concentrated. However, I would not read too much into the results. Although it is improving, data collection in banks is uneven right now. Some types of losses get recorded individually in the general ledger, and banks are able to track them relatively consistently. Others are intrinsically harder to capture--such as opportunity costs and losses that may be subsumed into other costs in the accounts. We have some way to go to ensure we are comparing and adding up apples and apples. So, looking at the results of this study, we're not quite sure whether the distributions of risk we see reflect the types of data being collected or--as we would hope--where the real risks are.

Still, even partial data can be very useful in individual institutions. Reported losses in one area can highlight risks in another. For example, losses around posting payments in an auto loan business may well point up the risk of losses in payment posting in a mortgage banking subsidiary. Asking questions about differences in loss rates and severity among businesses and processes can lead to better management reporting and improvements in efficiency. Because operational risk management is enterprise wide, it breaks through business silos, facilitating better communication and sharing of best practices.

The fact is that it takes a while to realize the full gains from data collection because you don't know initially where or how to look for risks. In some areas where you don't see many loss events, you come to realize nonetheless that there are significant risks that need managing. Or you improve your understanding of a risk and realize that a different metric or indicator would track it better. Right now, different banks are approaching data collection in different ways, and we are learning a lot from their various perspectives.

Taylor: Let's talk about capital for a second. What about the Basel II Accord? Who in the U.S. is likely to be estimating regulatory capital for operational risks under Basel II?

Bies: We're guessing that there might be 10 banks volunteering for Basel II in addition to the 10 or so we are likely to require to follow it. For all other banks in the United States, the regulatory capital standard is not changing: The old Basel standard applies where operational risk is not explicitly measured.

This may be a good time to talk about the risk of extreme loss events since, among other things, they have a large impact on how much capital an institution needs to have. The issue here is, most banks don't have many of these events in their past. Models of capital based on their own past experience tend to be very sensitive to the particulars of specific extreme events and often are unable to capture likely future events. This is a reason why other banks' experiences can be so useful. Models based on more observations are generally more reliable.

Of course, from a management perspective it is important to try to understand extreme events. Often they have many causes, and the first mistake to avoid is to think that there is just one. An individual, a failed process, and a lack of oversight may all contribute to a large loss. Just firing a person and hiring another won't necessarily prevent future losses on the same scale.

Small and large losses can be related. What if you lost $30,000 when a wire for that amount was sent in error? Could the same thing happen to a $1 million wire? Some of the causal factors--the incompetence of the people involved, for example--may very well be the same.

The probability (or frequency) of a particular kind of loss and the severity of the loss when it occurs are two different things. That is something you must remember when using external data. All things being equal, a large institution with a large number of transactions a year will have more instances of loss than a small one. But it is not so clear that loss size will depend as simply on institution size. Scaling other institutions' experiences to make it relevant to your risk management context raises thorny issues.

Taylor: Your case for operational risk has involved changes that are technology driven. But the standard definition of operational risk also emphasizes human weaknesses. When operational risk managers worry about people risks, should they be looking into subjects such as compensation and training?

Bies: Yes, they should. People risk can be found in faulty compensation programs, education failures, and failures to successfully implement change, and these are all related. Situations of rapid change are especially fertile ground for people-related operational risks. For this reason as much as any other, major projects--new investments, systems changes, mergers and acquisitions, new products, reorganizations--must have sufficient resources dedicated to managing them. People often try to manage change in between everything else, and that's when they get surprises.

Training is one of the most important risk mitigators to implement in the face of change. And that, too, has to be carefully planned. Once again, enough time must be allowed so that the training does not lead to current duties being neglected and yet is completed in time to facilitate the smooth introduction of new products, processes, responsibilities, and structures. As an auditor, I learned that most blowouts occur when an organization is going through change. That's when controls fail.

Taylor: Speaking of human failings, should fraud be a particular priority for operational risk managers?

Bies: People tend to focus on external fraud because they see it every day, whether it's fraudulent checking activity or fraudulent loan applications. But the fact of the matter is that the most unfortunate events of the past 18 months have been caused by internal fraud, because of abuses of executive authority by CEOs, CFOs, and others high up in their organizations. We've seen that happen in both banks and nonbanks, in organizations both large and small. An executive who knows how the control structure works can circumvent it, however good it is.

Banks of different sizes have different problems. Smaller banks cannot segregate responsibilities as well as larger banks for the simple reason that there are fewer people to share the work, making certain types of fraud more likely to happen. Bigger, more decentralized firms--Arthur Andersen was a prime example--may be more at risk of corrupting their culture in pursuit of revenues. In Andersen's case, when engagement partners were compensated for revenue generation via cross-selling nonaudit work, they became reluctant to draw critical conclusions in the audit, compromising the basic integrity of the firm. There was corruption of values, cover-ups, and deceit at the expense of stakeholders whose interests should have been foremost in the minds of Andersen's leadership.

Taylor: Shouldn't the industry be working to define best practices in operational risk, even if we know they will have to evolve going forward?

Bies: I totally agree, and that's why I use the parallel of the asset and liability management process. We all knew we had to do something in 1980, but exactly where we were going with it and how we were going to get there wasn't exactly clear. Then, the ideas of VaR and duration, the kinds of scenario planning we now run, and our understanding of things like the prepayment risk embedded in our mortgage loans came together to form a body of best practices for asset liability management.

We will know operational risk has evolved fully when line management can address operational risks as comfortably as they address asset liability management today. In the meantime, it's going to take people who are very good at thinking outside of the box to take ideas from different disciplines and pull together operational risk guidelines for the industry at large--as we did with the first asset liability models.

One of the things that I found interesting as I started doing risk management work at First Tennessee, before I took this job, is that you can learn a lot by talking to nonfinancial firms. For many of them, the most important risks are operational risks, and we learned a lesson or two from some of these companies. Going forward, other banks might want to ask some of their customers what they do about operational risk.

It takes time to really identify best practices. Think of consumer credit. The models built in the 1990s have never been fully stress tested. We've just been through a recession, but consumer disposable income never really fell. The trouble is that the extreme movements we were really worried about didn't occur. In the same way, when we get really good at measuring and managing the small, normal, day-to-day operational risk it won't necessarily mean we will be well prepared for the unusual events that can destroy an institution.

Developing and sharing best practices is an area where RMA can play an important role.

Taylor: Let's turn to Sarbanes-Oxley. Is it sensible for banks to try to create a single system that meets operational risk management reporting requirements, Sarbanes-Oxley, and FDICIA requirements all at once?

Bies: Yes, all of these can be worked on simultaneously because they are so interrelated. Most banks do a good job on FDICIA, and those annual internal control reports can make a good basis for Sarbanes-Oxley reporting as well as identify areas where operational risk management reporting is most needed. However, there are exceptions: Some of the banks that had significant losses this past year had grown lazy about FDICIA reporting, reducing it to a paper-pushing exercise. And some of their outside auditors were lax about their attestation responsibilities. They should have been identifying areas where line managers didn't have a grip on their risk or their risk monitoring, or on the quality of their controls.

People need to understand that Sarbanes-Oxley is not a one-time event. This is a new process that you've got to keep robust year to year if it's going to have value. Moreover, this is not just a problem for the operational risk management specialist. Line management is responsible for operational risk and we need line managers in every institution to focus on it, and that's what both FDICIA and Sarbanes-Oxley require.

Taylor: Any concluding thoughts?

Bies: I think the U.S. banking industry is off to a good start on the development of operational risk management.

We need to keep in mind that this is a learning process. Our job at the Fed is to encourage bankers to look at risk in more robust ways. And bankers up and down the line and in every function throughout the industry now have to apply themselves to operational risk management and understand how it can improve efficiencies and effectiveness.

I am confident that we'll look back in a few years and see in the best practices of operational risk management what we see today in asset liability management and credit portfolio management. We will be amazed that we ever lived without them.

RELATED ARTICLE: Susan Schmidt Bies

Susan Bies's term as governor of the Federal Reserve Board ends January 31, 2012. Her Ph.D. in Economics was awarded by Northwestern University in 1972. Before becoming a member of the Board, she was executive vice president for Risk Management and auditor at First Tennessee National Corporation, and served in various other positions at First Tennessee, including EVP and chief financial officer, SVP and CFO, SVP and treasurer, VP for Corporate Development, Tactical Planning Manager, and economist. Before that, she was associate professor of Economics, Rhodes College; assistant professor of Economics, Wayne State University; and chief regional and banking structure economist at the Federal Reserve Bank of St. Louis.

The Board of Governors

The seven members of the Board of Governors are appointed by the President and confirmed by the Senate to hold 14-year terms. Only one member of the Board may be selected from any of the 12 Federal Reserve Districts. The primary responsibility of the Board members is the formulation of monetary policy. The Board sets reserve requirements and shares the responsibility with the Reserve Banks for discount rate policy. In addition to monetary policy responsibilities, the Federal Reserve Board:

* Has regulatory and supervisory responsibilities over banks that are members of the Federal Reserve System, bank holding companies, international banking facilities in the U.S., Edge Act and agreement corporations, foreign activities of member banks, and the U.S. activities of foreign-owned banks.

* Plays a key role in assuring the smooth functioning and continued development of the nation's payments system.

* Develops and administers regulations that implement major federal laws governing consumer credit, such as the Truth in Lending Act, the Equal Credit Opportunity Act, the Home Mortgage Disclosure Act, and the Truth in Savings Act.

© 2003 by RMA. Charles Andrews is director of Operational Risk at RMA--The Risk Management Association. Photo © 2003 by Matthew Plexman Photography, Washington, D.C.

COPYRIGHT 2003 The Risk Management Association
COPYRIGHT 2005 Gale Group
