Financial-services firms are realizing that a solid disaster-recovery plan can help reduce capital charges set aside for operational risk, so firms like JPMorgan Chase are focusing on an enterprise-wide risk management plan. With the Basel Accord gearing up to release minimum capital requirements that financial institutions must set aside to cover operational risks and disaster recovery/business-continuity planning -- now being scrutinized as a result of the Sept. 11 attacks -- many firms are underscoring the importance of managing operational risk.
In addition, they are more closely aligning operational risk with disaster recovery, as they see a new correlation -- the better a firm's disaster-recovery and business-continuity plan and its operational-risk management, the lower its capital charges will be once the Basel Accord is implemented. JPMorgan Chase is one firm that has closely tied its disaster recovery/BCP with its integrated framework for operational risk.
JPMorgan Chase's corporate operational risk-management team was formed in early 2001 to create an integrated, consistent approach to operational-risk management and is actually taking advantage of the recent merger to further the firm-wide effort. "There are unique challenges because we're going through a sizable merger/integration here," explains Joe Sabatini, managing director and head of corporate operational risk management at JPMorgan Chase. "But that indeed has helped us because it's an environment in which people are open to changes and, in fact, we need to change things."
Deploying an Integrated Framework
Sabatini and his operational risk group of 12 oversee the integrity of the process to make sure it is correctly deployed and maintained across the firm. The goal is to establish an integrated framework, or a common way of identifying, measuring and monitoring operational risk throughout the enterprise. One area that has received much of the attention lately is the disaster recovery/BCP area. "Despite the fact that thinking of operational risk on a corporate basis is relatively new to our industry and to our firm, the fundamentals of operational-risk management and, in particular, business continuity is something that has been (aligned) with good risk-management practices for a long time," says Sabatini. "So in this integrated framework that we're trying to create and capture, we are focused at a fairly high level on all of the major risk components -- business recovery would be one of those."
The integrated framework relies heavily upon the firm's self-assessment process, which has been re-designed since the merger to account for all business lines within the combined entity. Subject-matter experts from each of the business lines first meet to identify the key risks in their businesses. These key risks are usually specific areas where something can go wrong. Those are then further broken down into sub-risk segments and control functions -- or other technology/processes that are associated with the risk, meaning they would be affected if the risk was realized. "The self-assessment process is designed to measure the effectiveness of those controls against each of those sub risks," says Sabatini. "Self assessment is done at a granular level across all groups -- front, middle and back office, as well as support groups and revenue groups within the firm."
The groups then identify what Sabatini calls "open issues" or the potential operational-risk areas that have not been properly mitigated. As a business-continuity group example, he explains, "If the current business-continuity plan identifies a building on the same power grid or within the same very close geographic location as a backup site," this would be a risk. This situation is then identified as an operational risk or an "open issue," as a result of lessons learned from the Sept. 11 events. An action plan would then be designed, identifying a director and potential date when the risk will be addressed.
In some instances, operational risks that are identified as "open issues" are accepted as risks and no action plan is created to "close" them. "That is a key business judgment where business managers and others would say, 'I realize this risk exists, here's my action,' or, 'I'm willing to accept this risk as it's now described,'" says Sabatini. The open issues and the action plan to close the issue, or the decision to accept the risk, are the areas that are then scrutinized and reviewed by the business-line groups. The corporate operational-risk management group is responsible for overseeing this self-assessment process to maintain its integrity across the firm.
But the group is not charged with second-guessing the business-line decisions, says Sabatini. "For example if a business said they had no business-continuity plan and indicated that they were willing to accept the risk, our role would not be to say that's unacceptable. Our role would be to see that the decision is escalated up the chain of command sufficiently high enough relevant to the risk that's indicated," he explains.
Rather, the group is charged with ensuring consistency in the process and making sure it is understood throughout the firm. "So that when we talk about risk categories we're all using the same language and we're all using the same methodology and the same tools," adds Sabatini.
On the Horizon
In order to get a truly consistent view of operational risk across the enterprise, JPMorgan Chase has rolled out its Horizon system to automate the self-assessment program throughout the firm. "The value of the self assessments is significantly diminished if it is not done in an automated way that facilitates good analysis, good reporting and easy and frequent updates," says Sabatini. The Horizon platform is a fully automated set of controls and procedures to identify, articulate and understand the risks in the self-assessment process. Horizon was developed internally by JPMorgan Chase's IT Controls group, but is now made publicly available.
JPMorgan Chase has also begun to track its internal operational-risk losses and collect data, which is encouraged in working papers circulated on the Basel Accord. "There is presumably some correlation between the assessment of risks, the assessment of the control capabilities against those risks and the loss experiences that may occur," says Sabatini. "So there are metrics in place and the more metrics we can put in place the better."
The tool being implemented to track internal operational-risk-loss data was previously used within areas of JP Morgan prior to the merger, but was not consistent across the entire firm. Following the Chase merger, the two firms are in the process of rolling the tool out across the entire enterprise and training people to understand and use the reporting tool for operational losses, says Sabatini.
Another key component in the integrated framework is the KPIs or KRIs -- key-performance indicators or key-risk indicators. These include the metrics from the business lines that are correlated with the control measures or the risk levels. As an example, Sabatini points out that if processing capacity were monitored and found to be running at 99.9 percent of capacity, there would not be much room for business growth and that, in turn, would be a risk factor.
This factor would then be analyzed and information could be provided back to the business line for possible improvements. "The better we understand the nature of the risks we're taking, the trends that we have and the early warning signals, the better we can do root-cause analysis, which makes us better risk managers," says Sabatini. "That lowers our loss experience and lowers our need for capital while improving our financial performance and our efficiency."
Basel Capital Accord
The Basel Capital Accord's 2005 implementation date may be three years away, but it holds some major changes for the financial industry which already are starting to take shape. This year, the Basel Committee on Banking Supervision aims to finalize its recommendations on capital charges assessed for operational risk for the first time. The Committee has also recently refined the definition of operational risk as, "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."
The goal of the Basel Accord is to apply this definition of operational risk to financial institutions for industry-wide monitoring, to help firms with their internal risk estimates and to create a minimum capital requirement for those operational risks.