01 Jan 2006, Ellen Davis, Jonathan Howitt, Jeremy Quick, Peter Poulos, Andrew Clark, Operational Risk & Regulation
The 'out of the box' thinking was partly an attempt to blend 'operational risk' and 'compliance' into a single phrase – and this proved impossible. But the mental exercise of considering all that these two disciplines had in common was a fascinating one to undertake.
Essentially, at the majority of financial services firms today, there is a recognition that most of the risks that op risk executives are spending their time attempting to measure and manage are the very same challenges that compliance officers have been grappling with for decades. Subjects such as fraud, insider trading and sex discrimination have been the traditional remit of compliance departments, but now they are part of Basel II's op risk framework for the advanced measurement approach.
Other risks are newer on the scene, but they spring out of the traditional lines of interest of compliance departments. Business continuity is a great example of this – an old risk that compliance departments used to manage as a matter of course, something that had to be done for the regulators. Since the various terrorist attacks of the past four years, it's now a hot topic for supervisors who want to be sure firms have adequate back-up resources in place. But it is also a genuine business risk that firms are recognising could substantially affect their revenues.
So – op risk and compliance executives are looking at the very same problems. But what prevented us from coming up with a snappier title was the fact that the two departments still approach the challenges they face from vastly different perspectives. Compliance departments are generally staffed with lawyers, who approach problem-solving in their own fashion. My husband is in the legal profession – he does criminal defence work – and so I've had the opportunity to observe lawyers at fairly close quarters in a variety of contexts. Outcomes in legal issues are binary – they are either guilty or innocent, correct or incorrect, right or wrong. While there are some shades of grey on the guilty/wrong side of the equation, it is precisely that side of the fence that lawyers spend most of the time trying to prevent their clients from landing on. And so their approach to problem-solving is geared toward ensuring that innocent/right is always the outcome. This is even more true in corporate law, where 'wrong' can mean a civil penalty or fines worth millions, or a contract that is unenforceable.
In contrast, risk managers are used to dealing in shades of grey – estimating exposure to risk is all about teasing out the various tones between black and white, and deciding just what that particular shade of 'charcoal' means, and what the impact of it might be. The philosophical underpinnings of op risk have grown out of credit and market risk, where chance is relished, gambling is good, and negative outcomes are inevitable some of the time. Indeed, negative outcomes are essential – without them no risk is being taken. But the point of being a good risk manager is to limit the number of negative outcomes – often by rolling the dice again.
So while compliance executives focus on preventing negative outcomes, op risk people tend to simply try to reduce the potential of them occurring, but generally accept that they are a potential consequence of the activities of their firm.
With many of the world's supervisors moving towards a 'risk-based' regulatory regime, it seems to me that compliance officers are going to be asked increasingly to look at problems the way risk managers do. Negative outcomes, in many circumstances, will now be considered to be a part of the cost of doing business – they will be an acceptable risk for the institution, the regulator or society at large to undertake.
I've made little secret of the fact that I'm a big fan of risk-based regulation – it makes sense in so many areas where the cost of absolute prevention is enormous, and the ability of most firms to deliver that standard of prevention is doubtful, even in the best of circumstances.
But at the same time, risk management executives should also try to view the world through the lens of a compliance officer. Are there op risks that firms should draw a line under, and say that a negative outcome is simply not to be tolerated? I would argue, yes, there are. A quick mental review of some of the court cases, regulatory penalties and other major transgressions by financial services firms over the past five years just reinforces my feelings on this.
Financial services firms form one of the core institutions of our society, and as such they have a profound responsibility to it. For society to operate fully and efficiently, firms must have the trust and respect of the people who use them. The negative consequences of certain risks may be difficult to quantify in a balance sheet for a risk/reward analysis, but the wider impact on society is costly indeed. One example that springs immediately to mind is the mis-selling scandals that have rocked the pensions industry in the UK – it is a case where abuse by a number of individuals working for widely known firms has created a more general climate in which consumers have substantially reduced the number of pension products they are now buying. More broadly, this has reduced savings levels in the UK and threatens social stability when a whole generation reaches retirement age.
So I hope, over the next few years, within the pages of this humble publication, to discuss and debate how firms should come to the challenges that they face – what tools they should use, what kinds of frameworks they should put in place, and even what philosophical approach they should take to answering the questions put to them by regulators, customers and the occasional journalist.
EXCHANGE RISK AND REPUTATION
Lightning, it is said, will only strike twice in the same place if it is induced to do so. Strange forces, then, must inhabit the Ohtemachi First Square Building, whose residents have fallen victim to yet another bolt from the blue.
The first visitation in December 2001 was thought at the time simply to be an extreme case of 'fat finger' syndrome, when UBS transposed price and quantity on a sell order for the new Dentsu issue. Despite acting promptly within a couple of minutes to buy back the order after it was clear that it could not be cancelled, the execution desk was still left nursing a loss rumoured to be well in excess of $100 million, just as the ink should have been drying on the team's year-end bonus accrual.
Last December, almost four years to the day later, Mizuho Securities found itself victim of an almost identical error with the J-com new issue. As panic ensued, the desk made three failed attempts to cancel the order and took several more minutes before realising that it must buy back the stock. It was a costly delay.
At Mizuho's expense, in little more than 10 minutes the Tokyo Stock Exchange dispensed its munificence of around $340 million across as many as 100 market participants, the lion's share purportedly going to Mizuho's neighbouring tenant in the building, UBS. New Year fortunes, it seemed, had been collected early.
Convenient as it may be, though, to dismiss December's happenings as simply the hand of fate, reality has painted a much less tidy picture, and the aftermath has left many parties to the transaction with somewhat tarnished reputations.
As an exchange member, Mizuho had certainly not signed up for this kind of exposure, and understandably wanted its money back. The bank's frustrations were quickly vocalised by the press, which challenged the ethics of the other market participants, in particular the foreign brokers. As transcripts of Mizuho's confusion in the heat of the moment surfaced a week later, though, the publicity was far from positive as the competence of management was called into question.
If such criticisms were valid for Mizuho, they were also valid for the Tokyo Stock Exchange. Clearly the exchange had not learned from UBS's error four years previously and had failed to implement improved systems or sufficiently enhanced controls. Suspending the stock for several days until after settlement was a poor response to its failure to cancel the trade immediately. It may yet have to shoulder some of Mizuho's loss due to 'technical glitches' with its systems.
Any initial euphoria at UBS must have been short-lived. Failure to announce promptly that it would refund its profit cast it in a poor light. No-one, though, had bailed them out in 2001, and they must have questioned why they suddenly had a unilateral obligation to cut a cheque to their neighbour Mizuho. The right thing to do – and the most palatable option – would have been to unwind the whole trade across the market, but with so many parties involved this could not be achieved cleanly several days later. UBS has since announced that it will return the funds.
Even for those brokers who also mooted the following week that they might return their share of the profit, motives could be construed as commercial. Offers were cheaper for those who had made less profit, and in the name of upholding the integrity of the exchange there was an opportunity to gain reciprocal leverage with the authorities and with Mizuho.
The unfortunate reality is that whatever recoveries Mizuho is eventually able to make to reduce the cost of the incident it is unlikely that many firms will be proud of their part in it. For the risk management community, act of god or otherwise, it has certainly provided a new perspective on the effects of an exchange risk scenario.
Jonathan Howitt is head of operational risk at The Man Group, based in London
OPERATIONAL RISK AND COMPLIANCE
One of the attractions of working on operational risk is the variety of the subject matter that is generally categorised under that heading. Op risk covers a series of diverse risk drivers. Examples are fraud, processing issues, and legal and regulatory risk. Some of these risk drivers may generally be seen to be low frequency/high impact; some are the opposite. Moreover, whatever the nature of a risk driver in terms of the threat to capital, it may have very different characteristics when considered in terms of, say, customer service or reputation impact.
The importance of each driver will vary significantly from firm to firm. However, in so far as op risk as a discipline emerged several years ago, it still bears the marks of its ancestry. Traditionally, op risk has had a close relationship with operations. For this reason, it continues to be linked with process improvement: for example Total Quality Management and Six Sigma. Similarly, op risk was originally seen as a response to the increasing control challenges in the late 1990s offered by the development and growing sophistication of IT, including systems outsourcing. A key motivator here was the series of 'processing' mishaps that emerged at that time. These included events involving fat fingers, custody mistakes, transaction errors and IT security breaches.
All these issues continue to be highly relevant for op risk. However, in recent years, other drivers have also emerged as being of central concern. In particular, anything to do with the treatment of customers has become a significant area of risk for many firms. This is primarily in the retail sphere, but there are signs that the wholesale side is also being affected. There are many reasons for this. In recent years, many financial firms have become even bigger than before, operating as major retail institutions in host countries. The downturn in global equity markets has created losses in market-related products. Some might suggest that regulators and governments have become more active. There is no sign that these issues will become less relevant in the near future. Indeed, there are signs that retail markets are becoming more internationalised and complex, while savings needs are intensifying.
What does this mean to those who deal with op risk? In one sense, it is important to keep sight of the wide nature of the subject, not least as key risks mutate in importance over the years (terrorism is an example). In addition, the conventional process-related risk drivers remain vital. Even recently we had another important fat finger instance, and many firms are struggling to improve their IT and operations processes. However, the challenge of legal and regulatory risk also needs to be met.
Few believe there is a single off-the-shelf solution to this challenge. Some firms have seen a significant growth in the importance of their legal department. Others have set up regulatory functions. Others have developed their understanding of reputation risk. However, traditional, legal and regulatory risk has been tackled by the compliance function, and any response must include this function.
This poses the question of how the compliance function can relate to that of the op risk function? The relationship must be mutually supportive. Traditionally, compliance has taken its cue from the implementation of regulatory requirements. In contrast, these days, compliance functions are equally interested in adding value to the business function, not least in the correct treatment of customers. Op risk experts can help here in the following ways:
• The op risk framework that is emerging in many firms can be used by compliance to analyse compliance-related risks and controls. This should be simple.
• The framework should be of particular use to the compliance function in that it concentrates on looking forward to big risk events.
• In many cases, the framework will have been designed to include some analysis of the impact of such events on reputation and customers.
• The framework is already being used as the basis for a co-operative relationship between the business owners and the op risk function. Copying this will enable compliance experts to work with the business in handling the risks.
• The framework, at least for an advanced measurement approach firm, is all about the measurement of risk and the knowing acceptance of a certain amount of risk. This mechanism should help compliance progress further towards a risk/reward approach, albeit within the confines of what society deems to be acceptable.
Quite how the relationship between compliance and op risk is configured in each firm will differ, and still needs to be worked out in many firms. Nevertheless, there should be a possibility, at least on the ground, of considering how efficiencies between the two functions can be secured.
In conclusion, there are solid business reasons for the op risk and compliance functions getting to know each other better!
Jeremy Quick is head of op risk at Lloyds TSB. The views expressed here are his alone and should not be taken to be those of the group
BUSINESS CONTINUITY IN FINANCIAL SERVICES FIRMS
We were reminded in 2005 that significant business disruptions continue to occur in varying forms and levels of intensity. The London bombings of July 7, the devastation caused by Hurricanes Katrina and Rita in the late summer and the New York City transit strike in December were all examples of events in which some measures of business continuity management response were taken by financial services firms. Despite the headlines, business continuity remains a challenge for many financial institutions in terms of: regulatory compliance, its misperception as an insurance policy rather than a risk discipline, approval of costs for risk mitigation, corporate governance, accurate assessment of business and technology resiliency and contingency plan effectiveness, improvement of staff training and awareness for multiple emergency scenarios and ensuring an optimal, enterprise-wide and business-oriented approach. Outlined below are seven areas of focus for 2006 that are formulated to address the immediate challenges I see over the next 12 to 18 months, while strategically positioning the business continuity function for the next step on its evolutionary journey as an op risk discipline within financial institutions. These seven key areas of focus are to:
• Pre-empt difficult global regulatory compliance reviews. There is increasing global regulation and scrutiny during examinations from most financial services regulators, world-wide, including in: the US (Federal Reserve Bank, SEC, NASD, NFA, OCC), the UK (FSA, Bank of England, HMS Treasury), Singapore (Monetary Authority of Singapore) and Japan (Bank of Japan, FSA). Prepare and issue, as a matter of course, comprehensive PowerPoint presentations with supporting materials through your internal compliance department to your regulatory contact on a recurring basis agreed in advance or upon request. This will pre-empt the hard, time-consuming examination sessions and challenges associated with responding to questions such as evidencing the ability to restore mission critical settlement and clearing functions within a specified recovery time frame or testing with key market participants, exchanges and utilities.
• Routinely demonstrate incremental business value. Providing clearly developed and tested recovery and resiliency plans must be our principal focus; however, I advocate a number of additional ways to regularly participate in the overall business that begins to cast the business continuity function in a new important light. Some specific actions should include: a) revenue enhancement – help in preparing bids for new business to assure prospective clients of your firm's resiliency and contingency preparedness in order to better position your firm's offerings against increasingly competitive peers; b) expense reduction – demonstrate your firm's effective business continuity planning programme as the means to reduce insurance premium costs for business interruption coverage; c) due diligence – conduct business continuity risk assessments of key business process and technology interdependencies (internal and external) and develop and test contingency plans to mitigate any associated gaps; and d) risk mitigation – maintain an effective business-resilient operating environment while deploying critical business functions offshore or onshore.
• Minimise business continuity and disaster recovery costs by maximising utilisation of company assets (that is, people, real estate and technology). The trend to spend is down – we need to advance with less. Develop alternative recovery and resiliency strategies such as displacement (whereby business-critical staff temporarily displace less critical staff from their office space), multi-purpose space like a training room, cafeteria or auditorium into a disaster recovery site, transfer functions to other locations (for example, between New York and London trading desks), remote compute (virtual recovery from home or hotel), 'split' or 'shared' production whereby critical systems are load-balanced across multiple data centres and staff performing critical business functions are disbursed across multiple geographic locations.
• Ensure both business line and executive ownership now. There is just too much ground for any dedicated business continuity function to cover if it has to own it all – the lines of business must be responsible for their own business recovery plans and contingency procedures. Having business lines own the plans and procedures ensures their accountability for the risk and commitment of resources. It also positions business continuity and disaster recovery to be business-as-usual. Furthermore, many business continuity decisions that are critically important to the overall firm must be mandated by executives that have the larger corporate view and enterprise level of responsibility – as individual business owners cannot justify cross-business expenditures alone. Establishing a strong corporate governance structure headed by executives with the appropriate level of cross-divisional and/or regional responsibility for risk management and complemented with senior level business line representatives responsible for risk management and/or business administration will naturally develop both business line and executive ownership.
• Implement transparent measurement and reporting mechanisms for business continuity and disaster recovery. Have the right planning, testing and review metrics, risk assessments, infrastructure and tools in place to always know how recoverable or resilient a business is on a product and/or service basis – firm-wide. Develop and use business-oriented criticality weightings, environmental threat and vulnerability assessments and standardised business impacting scenario assumptions in your firm's approach. This will help avoid misrepresentation, inconsistency and/or ambiguity across businesses and geographic regions.
• Train for multiple and simultaneous crisis events in different locations. Assume business-affecting scenarios that vary in effect and location. An organisation's ability to effectively respond to inclement weather, civil unrest, communicable diseases, natural disasters, or partial or total utility service and system outages may vary significantly due to its resource constraints, thus requiring the development of alternate plans to prioritise and allocate resources more appropriately. Ensure that both business line managers and staff are well prepared and trained to respond, utilising online web resources, table-top workshops and proprietary tools that would provide an accurate picture of today's business processes and enable 'what-if scenario' impact analysis and response plans to be developed on-the-fly.
• Adopt a top-down and front-to-back business process perspective. Far too often, business continuity and/or disaster recovery are narrowly viewed and addressed only as internal technology and/or facilities problems. In fact, there is a people and business process dimension to business continuity that can be overlooked. Coming up with a contingency plan whereby manual workarounds could be just as effective in the first few hours/days following a disaster may prove to be the difference of millions instead of thousands of dollars in terms of a traditional technology and facility recovery solution. To ensure a business-oriented approach that incorporates critical internal and external interdependencies and opportunities for alternative recovery strategies, analyse the business vertically or top-down by location and horizontally or front-to-back across multiple locations.
It is not expected that all major financial services firms will be able to fully address each of these seven areas of focus over the coming year. However, sufficient resources applied to each means that they will be able to address today's business continuity management challenges while evolving into the global business continuity risk function of tomorrow.
Peter Poulos is a director in Credit Suisse's operational risk management group in New York. Email: [email protected].
ECONOMIC CRIME: THE ONGOING CHALLENGE FOR COMPLIANCE AND RISK PROFESSIONALS
Economic crime remains a significant and growing threat to organisations across the globe. The results of PricewaterhouseCooper's 2005 global economic crime survey revealed that 45% of organisations worldwide have been a victim of economic crime over the past two years, with that figure rising to 55% in the UK. Historically, the public shame associated with being a victim of fraud ensured that the issue was pushed into the shadows. This lack of transparency has hindered the development of fraud awareness, understanding and, consequently, effective anti-fraud policies within organisations. For compliance and risk professionals, combating economic crime remains critical in the protection of the financial stability of a company.
So, what are the key threats companies are facing? Taking the UK as an example, our research found that for those who suffered economic crime, asset misappropriation (73%) was the most common incident, and false pretences was the second most widely reported offence, affecting 54% of respondents. Notably, financial misrepresentation was third, having affected 35% of UK respondents – a substantial increase from 12% in 2003, and placing its reported prevalence in the UK well above the rest of the world (24%).
In the UK, financial misrepresentation was also the offence with the highest average number of incidents (7.1) over the past two years. This is likely to be influenced both by the broad definition of financial misrepresentation (which encompasses, for example, inappropriate provisioning, write-offs and revenue recognition procedures), and by the high level of fraud awareness and fraud detection measures in the UK, which leads to greater reporting. Nonetheless, while not all of Enron proportions, these reported incidents of financial misrepresentation are still significant issues and should not be disregarded. Companies that do not consider financial misrepresentation a risk should be asking themselves whether they are genuinely unaffected by the occurrence of such offences or whether they are simply turning a blind eye.
Our 2005 survey also found that the average cost of tangible fraud (asset misappropriation, counterfeiting and false pretences) to companies around the world was an average $1.7 million. Chance detection is the single most common means by which fraud was discovered (34%), although internal audit is the single most effective control against fraud. It is therefore crucial that internal audit departments have comprehensive fraud awareness training to ensure that they perform their work with an appreciation of the risks posed by economic crime. Another significant detection measure was shown to be the whistle-blowing hotline. According to our survey results, 57% of UK companies have a whistle-blowing system in place, and these systems accounted for 11% of frauds discovered – more than three times the global equivalent.
So, who are the perpetrators of economic crime? Although many companies have historically perceived economic crime as a third-party threat, about half of all frauds suffered by companies were perpetrated by internal staff, with almost one in four perpetrators in senior management positions, rising to one in three in smaller companies. Accordingly, for any system of anti-fraud controls to be robust, the issue of senior management override must be taken into account.
Profiling in terms of age, sex and educational background revealed that there is very little to distinguish fraudsters from regular members of staff at any given management level. Typically, the fraudster is male, aged 31–40 years, and is educated to degree level or higher. Distinct patterns, however, emerge with regard to the type of frauds committed at different management levels, and regarding the subsequent treatment of those offenders. In the UK, senior management were more likely to be involved with financial misrepresentation (35%) – an offence with potentially more serious repercussions for a company's future, and one for which greater access and authority are often required.
While the most common response by companies around the world to discovery of fraud was to inform the board of directors (76%), it appears that all too often a fraud must actually occur before the issue of economic crime appears on a board meeting agenda. The board of any organisation relies heavily on the provision of management information, and this extends to receiving information and advice on the prevention, detection and investigation of economic crime. Current levels of knowledge, however, remain poor: in the UK, only 9% of companies claimed that their senior management had a very good knowledge of the causes of economic crime, and only 7% made this claim regarding their knowledge of crime prevention measures.
Clearly, senior management need to ensure they have up-to-date knowledge in the area of economic crime, and in particular that they are knowledgeable about the effect of the legislation and its application to their companies. The involvement of a company's board of directors is a key factor in the battle against economic crime and must include an ongoing commitment of resources to ensure a substantial impact on economic crime.
The threat of fraud is an inevitable part of corporate life. But while this is something that companies must accept, reducing exposure to this risk is not impossible. Companies need to ensure that sufficient resources are employed both to develop creative internal controls and improve those already in place. Keeping pace with increasingly sophisticated fraudsters who threaten the survival of your organisation is vital.
Andrew Clark is a partner, forensic services at PricewaterhouseCoopers. A full copy of the PwC report can be found at www.pwc.com/crimesurveywwww