The other day I was chatting to an operational risk management executive in London. He looked - like a lot of risk managers these days - a bit sleep-deprived, and his Blackberry hummed continuously throughout our meeting.
What he had to say to me was this: now is the time for operational risk, as a discipline, to step up to the plate. If the discipline cannot be seen to be adding value during the current crisis, it is doomed to be relegated to being a mere compliance exercise, serving no practical purpose other than to please supervisors.
And he's right.
Over the past few weeks I've met a number of risk management executives from New York and London. All are struggling, trying to understand world events, and their impact on their firms, as they unfold. The crisis isn't over, and the outcome is a moving target.
But already the global crisis has raised a number of interesting operational risk issues and, dare I say, changed the way the discipline will be viewed in the future. It is up to the discipline to take that momentum and run with it.
For example, let's chat about credit-granting procedures at financial services firms (see also, OpRisk & Compliance, July 2007, page 36). Many people considered this a 'border' issue when Basel II's drafters were first thinking about what should be in the scope of the discipline and what should not. For the bulk of the industry, credit processes - including granting mortgages - were considered part of the credit risk universe.
Now, after dissecting the poor credit-granting procedures at many regulated and unregulated firms regarding subprime mortgages - for example, no documentation required to confirm income, address, or other essential details - many people are beginning to understand that a number of aspects of granting credit are operational risks.
This is a lesson that the Asia-Pacific region learned some time ago (see OpRisk & Compliance, June 2007, page 14). When the region suffered the effects of contagion in the late 1990s - a financial crisis originally brought on by problems in the foreign exchange markets of several currencies - banks found that loans made on a handshake, based on bank relationships rather than careful analysis of underlying credit fundamentals, were subject to a higher rate of default. Some of the region's top banks - including Singapore's DBS - now look at these credit-granting processes as operational risk issues.
And this makes sense. Credit risk is about analysing the data that supports a credit decision - it is about the credit data itself. The accumulation of this data is an operational process that in most firms has a variety of stakeholders, including compliance, IT, the credit risk department, the new product approval process committee, operational risk and the business line. Understanding how the process of accumulating data works - from the moment the customer walks into the branch to the final decision - is about getting to grips with how people interact with each other, and with systems and decision-trees.
In short, it is the kind of subject area that good operational risk managers should excel in. Now, I am certainly not saying that operational risk has a pat answer to the problems that have beset the US mortgage industry, but I think that, if the discipline took it upon itself to have a robust dialogue with its stakeholders inside firms, and also within the discipline itself, it could help develop concepts and implement them to help improve credit application processing - and reduce risk.
Another area that operational risk executives can roll up their sleeves and get stuck into is model risk. This is what is causing the real panic on Wall Street and in the City. Firms valued various structured products that packaged-up mortgages using only models - because there is no 'real world' basis on which to price many of these products. These products can be tailored to their investors' needs or simply unique in their composition. The models were stress-tested based on the last few financial crises.
The problem is, of course, that this is like planning a new strategy by simply re-fighting the last war. No-one expects any new crisis to be exactly like previous crises. So trying to say that pricing of a collateralised debt obligation is OK simply because it looks OK if run against the bond market crisis of 2003 is overly simplistic. And of course this is what the marketplace is owning up to at the moment. Why this wasn't acknowledged and built into operating assumptions over the past few years is an unanswered question.
If there is one area where operational risk executives have quite a bit of experience by now, it's in stress testing - otherwise known as scenario analysis. It's one of the core components of the advanced measurement approach under Basel II's operational risk framework. Op risk executives now routinely gather together senior management in business lines and ask them to think the unthinkable - top risks, business continuity issues and other 'big picture' challenges that could emerge.
Perhaps this kind of out-of-the-box thinking should be applied to credit risk modelling as well. Operational risk executives could review the procedures around valuation of securities through models and apply more unusual scenarios to the whole process - indeed, introduce an element of qualitative evaluation to credit risk modelling. Op risk executives should also look at processes and decision-trees around the pricing of securities for which market data is scarce. Who determines the pricing internally for these products, how is it double-checked or benchmarked? And how is liquidity risk modelled for these instruments?
Another area for operational risk executives to explore is the impact that the unusual levels of transaction processing have on their error levels internally. Almost every op risk executive that I've met over the past few weeks has mentioned that back-office processing rates have shown highly unusual activity. Adding even more pressure to the situation is that often at many firms, back-office staff are the first to be cut when there is a projected dip in revenues, leaving fewer people to cope with more work, and more unusual situations.
This, it seems to me, is bread-and-butter operational risk management. Executives could add real value by helping business heads make intelligent decisions about where to cut staff, and how to cope with increased and unusual work loads. Over the longer term, some op risk executives are already exploring business process improvement methodologies, which would enable firms to understand the processes they have in place, and the impact that reorganising those processes would have on their risk profile.
Another area where op risk executives are getting even more involved is the new product-approval process. Previously, many op risk heads would sit on this committee, but many had minimal political influence on whether or not a product was approved. Now at many firms op risk executives are taking ownership of the new product-approval scheme, instead of the market or credit risk executives, precisely because they have a wider perspective on issues such as reputational risk. One op risk executive I spoke to in September said he thought this was a key area in which the discipline could add value to the firm over the next 18 months, precisely because of the challenging operating environment that lies ahead.
The last area I mention is involvement in the lawsuits that the current market environment will no doubt generate - many operational risk executives say their firms are already beginning to see lawsuits arrive on their doorstep. While an op risk executive cannot go back and rewrite the history of what happened at their firm, they certainly need to keep track of the legal issues that arise for their loss database, and they should also try to learn from what has happened to help improve their systems and controls in the future. And, of course, monitor the impact the legal issues are having on the firm's reputation.
These are just some of the operational risk areas for consideration that executives have mentioned to me over the past few weeks. No doubt others will come up over the next few months, as the subprime crisis in the US continues to unwind and the global credit mood reacts to events. If there are issues or areas for further thought around the subprime/credit crisis that you are experiencing or have noticed in general, please feel free to email me at [email protected]. We will continue this dialogue over the coming months to try to gain a deeper understanding about how the op risk discipline can improve understanding of recent events and add value to firms in general.
The week on Risk.net,October 14-20, 2016Receive this by email