January 22, 2013

The profile of operational risk has been greater than ever in 2012 with record fines imposed by regulators for anti-money laundering (AML) and Libor rate manipulations, coupled with stunning losses from risk management and technology failures and insider trading prosecutions unabated. So the question must be asked: what exactly is the job of operational risk departments on Wall Street and are they doing it?

There have historically been two drivers behind establishment of operational risk functions: major operational risk events and the regulators, themselves responding to those events. Operational risk management really got started with Nick Leeson and his unchecked trading that led to the collapse of Barings investment bank in 1995. Following this watershed event, the Basel Committee on Banking Supervision, an internationally recognized body by global banks, took action, ultimately introducing a capital charge and a framework for operational risk management under the Basel II accord. Key components of this framework included requirements for banks to report internal events, assess and improve internal controls and estimate worst case risk scenarios.

Though it has been a decade since Basel II's implementation, there has been no let up, and maybe even an increase in the flow of large operational risk incidents. While this may be in part due to increased awareness and reporting, it is also clear that a check the box approach to meeting the needs of regulators is far from sufficient if banks are to manage their operational risks effectively.

There are signs that help is on its way. CEOs finally after seeing their peers lose their footing at Barclays and UBS due to operational risk events, are getting the message. Boards are demanding to know if their business could suffer in similar ways to peers who have suffered operational risk losses. Both are demanding of chief risk officers (CROs) greater fluency with operational risk issues. CROs, though primarily still from the market risk discipline, are in turn seeking greater detail and understanding of risk events and risk mitigation plans. They are also seeking more seasoned executives and greater resources for the operational risk function. However, still more is needed to bring operational risk under control.

Organizations that are open to discussing their flaws are generally much better equipped to deal with operational risk. Imagine the harm where the fact pattern and scenario of a rogue trading incident in one division and region are not shared with other divisions' and regions’ risk managers. Could it not more easily reoccur elsewhere within the bank? Effective operational risk management cannot flourish in the closed societies that are so often the case on Wall Street.

By being honest about weaknesses, an organization gives itself an opportunity to address them before they lead to large losses. Operational risk departments have an important role in promoting such a culture. First, they can help their firms to learn more about their operational risks internally by ensuring lessons learnt from operational risk events are spread across silos. Second, they can help to ensure events that have taken place at their peers are discussed within their own organization and establish whether any pertinent control gaps or exposures exist. Finally, they can act as an important independent voice able to report upwards any issue they see without fear of reprisal.

With such a strengthened mandate and operating within an open society, Operational Risk Managers can help stem the flow of these losses and incidents and get some respect on the Street. To be fully effective, however, they need to build better tools. How to do so will be the subject of a follow-up article.

Andrew Waxman writes on operational risk in capital markets and financial services. Andrew is a consultant in IBM's US financial risk services and compliance group. The views expressed her are ...