Organisation structures

Everything has its place

Based on business consultants PricewaterhouseCoopers’ recent six-month benchmarking study of seven leading banks*, Hans-Kristian Bryn and Michael Grimwade discuss the formal organisational structures being developed by financial institutions to support and manage operational risk.

* ABN Amro, Barclays, Chase Manhattan, Deutsche, ING Group, JP Morgan and UBS

Banks are increasingly aware of the commercial significance of operational risk. Combined with interest from regulators and a desire to assess performance on a truly risk-adjusted basis, this has prompted them to invest in the development and implementation of new risk management practices. These practices are making an impact on all levels of the organisation.

There are three key factors banks must master to ensure successful implementation of operational risk management organisational structures. The first is effective communication of the commercial imperative for establishing these new operational risk management resources. This is vital to overcome business scepticism, and can be achieved by highlighting examples of high-profile losses in the banking industry.

The second is outlining clear business responsibilities for managing operational risk. Leading banks formally include operational risk in the objectives of senior management and are increasingly allowing business managers the flexibility to determine the level of operational risk management resources within their sector. This supports the development of tailored organisational structures appropriate to different businesses. The development of enterprise-wide risk management processes must be led by corporate level resources, although joint working with business level operational risk management resources can lead to more effective processes and can smooth business acceptance.

The third key factor is incentives. Leading banks have started to link business managers’ appraisal, and pay or bonuses, to quantitative and verifiable operational risk metrics, providing a strong incentive to create an effective operational risk management environment.

While there is no single organisational model for dedicated operational risk management resources, there are some key principles to guide institutions. To manage operational risk more effectively, banks have created separate operational risk management units, altered their committee structures and mandates, and expanded the responsibilities taken on by existing business functions. This has led to widespread debate on issues such as differentiating between operational risk and internal audit, the long-term optimal organisation model and the cost-benefit of moving to such a model.

It is clear that dedicating resources to operational risk management can prove its worth. Although banks are adopting different organisational models for their operational risk management, each has components in common.

These start from the top, with the board of directors. Making a board member responsible for operational risk provides greater focus and gives sponsorship for the activities of dedicated resources. Many banks have a single board member responsible for operational risk, and these directors are actively involved in approving policy statements, communicating the bank’s risk management approach (internally and externally) and sponsoring key projects and initiatives. Directors may receive information on operational risk from a range of sources, including operations, internal audit and security. The effectiveness of board members is enhanced if operational risk management reports are also available. Such reports allow the board to assess the relative levels of operational risk across the business, and the major exposures and total losses resulting from operational risk breakdowns. This enables board members to take strategic decisions on resource allocation, acceptable levels of risk and priorities for improvement.

All the banks in the study have established committees with specific mandates for operational risk at corporate or business unit levels, although their use is still at an embryonic stage. On a corporate level these are either stand-alone committees that focus solely on operational risk, or integrated risk management committees that look at market, credit and operational risks. Although all are chaired by a board-level director, these committees are not currently considered a key element of the risk management structure, unlike market or credit risk committees. Corporate committees concentrate on sponsorship of operational risk initiatives, policy initiation and approval, assessment of capital allocation and reviewing current risk issues.

Business level committees looking at operational risk have also been set up at all the banks. These may be dedicated operational risk committees, integrated risk management committees or line operations committees. Their main task is reviewing operational risk information, and they may additionally sponsor operational risk initiatives and instruct or approve policy.

Banks have additionally established dedicated operational risk management units at both corporate and business unit levels. Although many of these are relatively new, one has been in place for 15 years.

Establishing these formal organisation structures tends to follow a common development path. This starts with the application of resources to specific operational risk initiatives, and moves on to the deployment of dedicated operational risk management resources with permanent responsibilities, and the implementation of a target organisational model. This extends across the group and involves dedicated resources closely aligned with the businesses. In leading banks, second and third generation models may be developed as the effectiveness of the target model is challenged.

Operational risk management units formulate policy, develop methodologies and co-ordinate operational risk activities. They usually have fewer than 10 staff and may be responsible for collating operational risk information and preparing dedicated risk reports to support decision making by business management risk committees and the board. The heads of these operational risk management units have diverse backgrounds and are highly experienced (see figure 1). Most banks also have either full- or part-time operational risk managers. Their tasks involve tailoring and implementing the processes developed by operational risk management units, supporting businesses to identify and resolve operational risk issues, raising awareness of these issues and training staff on operational risk processes. The largest number of operational risk managers in a single business unit is 70.

Compared with market and credit risk, there are obviously few operational risk practitioners with experience of developing processes and structures (see figure 2), so banks are focusing on training existing employees and recruiting new staff, often targeting skills from outside the financial services sector.

The location and reporting lines of operational risk management units and managers differ, depending on the bank’s initial priorities for operational risk management and its overall management philosophy, in particular its level of decentralised management authority. Another factor is where in the organisation sponsorship for operational risk management resides.

Changing boundaries

Dedicated operational risk functions can lead to boundary issues with other support functions, such as internal audit and operational control. Internal audit groups have traditionally been responsible for assessing the control environment, but in many banks the distinction between the roles of operational risk and internal audit has not been clearly defined.

While most banks have established dedicated resources for managing operational risk, none has positioned these resources within internal audit. But in several banks, internal audit departments are undertaking some operational risk management responsibilities. The separation may reflect the desire to avoid conflicts between internal audit’s independent review role and the operational responsibility for developing risk management policies, methodologies and risk reporting. It may also reflect the broader range of skill sets of operational risk managers.

But the relationship between these two areas can have positive effects. There is scope to create incremental value from the interaction between internal audit and operational risk management. For example, operational risk managers use internal audit scores as proxies for the level of operational risk in a business, and monitor and report on the progress of businesses in resolving internal audit issues. At the same time, internal audit departments use the results of operational risk self-assessments as an input to prioritise the focus of internal audits and review the effectiveness of operational risk management practices.

According to boards of directors, capital measurement is the single most important operational risk priority. Combined with the drive for performance measurement on a truly risk-adjusted basis, this is leading to more organisational changes. Banks have, for example, established integrated risk management committees looking at market, credit, and operational risk; undertaken joint working on risk measurement initiatives and capital allocation; and appointed a single head of risk responsible for all three risk categories.

Over the next two or three years, leading banks will increasingly move to integrated risk management organisation structures. In the course of the study, one bank realigned the reporting lines of its risk management units to appoint a single head of risk, to whom the heads of market, credit and operational risk all report.

It is clear that the dedication of resources to operational risk management has led to significant benefits. These include:
demonstrable reductions in losses, errors and incidents, resulting from an ability to identify potential problems earlier and faster, and to communicate these through better defined escalation channels, and enhanced core processes, such as rectifying recurrent causes of loss;
improved understanding and awareness, through operational risk training initiatives, facilitated workshops and communication programmes; and
better decision-making, as information produced on operational risk has enabled senior executives to understand more clearly where key exposures lie and what the priorities for improvement are.

Such benefits will ensure that investment in operational risk management will continue to increase significantly. Banks will both build on their organisational models and look to implement operational risk organisational structures, to ensure consistent implementation across a wide range of businesses and locations.