Crossing the value chasm

Results from the third annual State of Operational Risk Management (ORM) global survey suggest that ORM programmes are nearing an impasse – a value chasm. As institutions begin to meet the minimum regulatory compliance mandates, the burden to deliver greater benefits has risen dramatically. This year's survey responses were submitted by more than 100 professionals, representing the full spectrum of financial services firms, both in terms of size and business activity.

The demographic profiles were similar to past surveys, with large number of responses from Europe and North America. Consistent with the concern over value, the survey revealed the maturity of foundational activities, such as loss event collection and risk control self-assessments (RCSA), but an immature state for areas that have the opportunity to add the greatest value, ie scenario analysis, capital modelling and key risk indicators. The current environment challenges ORM leaders to be more relevant to their business managers. The survey results can be summarised into three themes: (1) ORM is a maturing discipline, (2) the need to demonstrate greater value, and (3) challenges with capital modelling.

ORM strengthens position as a discipline

Operational risk has become an established discipline and a key element of a financial institution's overall risk management practice. A vast majority (90%) of the survey respondents indicate that their organisations have formal ORM programmes in place. Nearly 55% of the respondents have an ORM programme that is more than three years old, up from 30% in 2005. Respondents also indicated improved governance structures and higher levels of executive support. Nearly 50% of respondents believed their loss data and RCSA programmes are either mature or near maturity. Also, approximately 80% of the respondents have technology solutions for these programmes.

Driving for value

Survey results demonstrated that financial institutions are expecting more than regulatory compliance from their ORM initiatives. While the Basel II mandate continues to be the main stimulus, 23% of respondents cited internal control and 22% said operational loss reduction were their primary drivers in developing the programme. The shift of focus is also evidenced in the perception of the highest risks. While in 2005, respondents put regulatory compliance at the forefront of concerns, this year respondents cited external fraud (22%), transaction processing failures (14%) and IT failures (10%) as the top three risks. Only a scant 4% of respondents cited regulatory compliance as the top risk this time.

The industry is also striving to develop an integrated framework that eliminates redundancy and improves co-ordination among various risk initiatives. Notably, Basel II and Sarbanes-Oxley are becoming part of the same compliance regime, with 73% of respondents indicating that the two programmes are fully or partially integrated. Nearly 13% of the respondents ranked risk integration as the top priority for the coming year, pointing to increasing pressure from business management to improve process efficiency.

Organisations are putting more focus on instilling ORM into their organisational culture, apparently a daunting task. When asked about the major obstacles facing a successful ORM implementation, 48% respondents noted lack of commitment or buy-in from business units, second to cost of implementation (61%). The trend has not improved since the 2005 survey. This highlights the need for risk management to continue demonstrating value by putting effective risk analysis in place, reporting and employee communication programs. Key Risk Indicators (KRI) still seem to be an amorphous concept and not commonly used. But the KRI programme was named by 21% of respondents as the top priority over the next 12 months.

Capital model challenges

Behind successes in other initiatives, financial companies grapple with their approaches and techniques for capital modelling. More than 40% of the respondents rated their capital modelling initiative as the least mature (1 on a scale of 1–5). Despite the current and past focus on data collection, respondents cited the lack of data integrity (76%) as the most significant barrier for model development. While most respondents indicated they are using the Loss Data Distribution approach (58%), only 20% have more than five years of internal loss data. Other major challenges mentioned were a lack of qualitative factors (50%) and the need for staff with technical skills (35%). Also, while 71% of respondents plan to use scenario data in their capital calculation methodology, only 37% are in the advanced stages of scenario analysis development.

Model validation continues to be a challenging area with many inconsistencies. Respondents differed widely on who should carry out internal model validation. Some of the model validation functions included risk management committees, internal audit, consulting firms, business management and dedicated model teams. Also, 19% of the respondents indicated that their models have never been validated.

Conclusion

This year's global survey presents an overall state of industry of operational risk, and offers clear insights into areas of progress and continued improvement. With the regulatory deadlines coming to pass and shareholder pressure increasing, financial institutions must take action to enhance their ORM practices, with an eye on value.

Contact us: