OpRisk Benchmarking Survey 2012
A survey carried out by Operational Risk & Regulation suggests operational risk is high on the agenda of senior bank executives, but perhaps not as deeply embedded in the organisation as they or their regulators might like. Rob Mannix reports
"As important as we have ever been," is how one operational risk professional describes the current status of his peers in the banks they work for. After a decade as the upstart discipline in risk management, operational risk is winning the attention of senior management. While banks cut staffing in the traditionally dominant areas of risk (credit and market risk) they are hiring and training in operational risk. The discipline is "on the rise", says one head of operational risk at a leading US bank.
But there is still a lot of work to do in getting operational risk management accepted. A survey of the embedding of operational risk management in banks, carried out by Operational Risk & Regulation in July, shows that bank bosses are paying close attention to operational risk but suggests the front office is less engaged.
Risk managers are fond of saying that "the business owns the risk" so the active participation of front-office staff is an essential goal for operational risk managers and for the discipline as a whole. The ambition of practitioners is for operational risk management to evolve from tracking, reporting and controlling risks to anticipating and mitigating them. "The board and senior management want us to be a department that can help them see the things they can't see today," says one head of operational risk. But, the survey results suggest, this will need a greater level of front-office engagement than exists at present.
Any process of change must start with backing from the top, and the survey shows operational risk management has got that support. Seventy-nine per cent of respondents said operational risk is represented and discussed at board meetings, a figure they say would have been unthinkable five years ago. And 86% of respondents said senior management is regularly involved in operational risk management. Such regular involvement will most likely be supported by formal structures reaching the top of the organisation – such as committees, reports, and lines of responsibility. "This suggests the governance is in place," says one head of operational risk.
"Before 2008 the chance that operational risk would get to the board was pretty slim unless there was a problem," says the head of operational risk analytics at one bank. "You would be there to discuss a specific issue rather than how to avoid problems in future, which is what you do now." Banks adding operational risk to the board agenda shows how attitudes to the discipline have changed. For operational risk to be on the agenda, discussing it must be seen as a valuable use of time. This shows that boards are having to take operational risk seriously, says one respondent at a European bank.
Put your money where your mouth is
Meanwhile, against the backdrop of cost cutting, the willingness to spend money on operational risk management is a clear demonstration of support from management. Two-thirds of respondents expect to increase either headcount or the level of training for staff or both over the next 12 months. One European bank talked of doubling its op risk staff numbers over the past 12 months with plans to grow further.
Regulators in the UK and US are informally pressing banks to approach operational risk in the same way as they approach other areas of risk, say practitioners. "Historically operational risk departments have worked principally towards a credible capital number," says Mark D'Arcy, global head of operational risk at Goldman Sachs. "Regulators are starting to signal that this isn't necessarily how we should be engineered going forward." For credit and market risk teams, capital requirement numbers are a by-product of what they do day-to-day, he says.
Regulatory scrutiny extends to questioning banks about training budgets and staffing levels. At a local level, regulators are pushing for risk professionals based in their own jurisdiction with whom they can liaise. Several respondents to the survey say that recruitment will bring an influx of a new breed of operational risk managers with more analytical backgrounds rather than individuals steeped in an environment of risks and controls. "We see what we need to do, but we are not yet equipped to do it," says one.
Also encouraging is how far operational risk managers are taking part in banks' new business and change management processes, with fewer than one in 10 saying operational risk plays no role. At 67% of companies responding, operational risk has sign-off on this process – just two years ago, one respondent says, the figure might have been closer to 20%. "Organisations have understood that change is a major contributor to their operational risk profile," says another participant. The most forward-looking banks include operational risk management in change processes beyond new product approvals, he says, highlighting new systems and governance changes as areas they also cover.
Yet, tellingly, practitioners remain cautious about the true understanding of operational risk management even from senior management, despite these apparently positive results. Bosses receive operational risk management information but do they use it? And does "information" mean a status report on the work of the department, a mountain of raw data, or a report that contains actionable intelligence?
Survey respondents are saying that senior management "gets it" – yet, paradoxically, the last two years have also seen record operational risk losses. "It goes against the grain slightly," says one bank head of operational risk. And, although senior managers might be increasingly attentive to operational risk, it is generally the front office where mistakes happen, insider frauds take place and bad decisions get made.
Says Tariq Bokhari, head of enterprise and operational risk at technology company FIS in Charlotte, North Carolina, and previously operational risk manager at GE Capital: "The key here is whether the front office is operating in the spirit of good operational risk management or just fulfilling a checklist. Creating a checklist is more central to what compliance does. Operational risk is about the spirit."
Front and centre
Practitioners complain that operational risk managers are seldom part of front-office discussions in the same way market and credit risk managers are. Trades that go beyond value-at-risk limits will automatically require permission from market and credit risk teams at banks, for example, but operational risk is seldom part of that process. As a discipline, operational risk is yet to develop the quantitative tools to make this realistic, but as practitioners work to develop those tools, regulators want evidence that front-office employees are aware of operational risks day-to-day.
Here our survey gives a contradictory picture. Eighty-seven per cent of respondents said their front-office personnel understand their responsibilities with regard to operational risk "adequately" or "excellently". Eighty-three per cent said they have an operational risk committee including a front-office presence. Of those, 53% said the committee meets monthly. And yet fewer than half of respondents – 47% – said the front office receives operational risk management information. "If the risk is owned by the business, the business should be getting reports," comments one survey participant.
Likewise, the survey shows that front-office employees are receiving operational risk training (in 71% of cases, this is mandatory) but far fewer are able to track their performance and fewer still have their pay linked to that performance. Regulatory requirements in the UK and US stipulate that compensation of risk-taking staff must include an element based on risk management. But the difficulties of quantifying operational risk make its inclusion in this calculation possible only in a subjective way.
Only 36% of respondents said front-office compensation is linked to operational risk management information and risk limits. Practitioners say that, when bonuses are linked to operational risk management, this is usually based on qualitative criteria such as fulfilling objectives set out in job descriptions or appraisal processes – one respondent was sceptical about closer links between operational risk and compensation, describing the process as a "nightmare".
Meanwhile, the banks that fall outside some of the positive trends shown by the survey remain numerous. One op risk manager said it was "astounding" that 21% of banks have no mandatory operational risk training for front-office staff. The news that 27% of respondents said they have no operational risk committee surprised several practitioners. "If they don't have an operational risk committee, what do they do?" wondered one.
Meanwhile, privately, respondents say it is improbable that 85% of banks truly believe their front-office staff to be adequate or excellent in executing operational risk responsibilities. Perhaps those polled showed a bias towards optimism or were shy about revealing their shortcomings – the plans to increase hiring and training for operational risk across the sample of banks do not make sense if there is so little room for improvement, they argue.
Nevertheless, the survey results overall show operational risk management to be a discipline winning the attention of senior management and gaining influence in the day-to-day activities of the front office. Says one respondent: "Operational risk has always had a difficult case to make. The value proposition to the business is a bit like insurance. It is hard to say, ‘Look what didn't happen’." This survey suggests, at least in part, that the challenge of making that case is being met.
METHODOLOGY
Operational Risk & Regulation spoke to heads of operational risk or equivalent at 15 banks globally to ask them about the embedding of operational risk management in their organisations. Eighty-seven per cent of respondents work at organisations with more than 10,000 employees. The survey was carried out using a confidential 15-question online questionnaire.
The aim of the survey is to give a snapshot of approaches to operational risk management rather than a comprehensive view. As such, it gives practitioners something against which to benchmark the approach taken within their own organisations. We plan to carry out similar research going forward including repeating this survey next year. Any suggestions from readers on areas to examine are welcome. Please contact the editor by email (alexander.campbell@incisivemedia.com).
Copyright Infopro Digital Limited. All rights reserved.