
Operational excellence is what the public deserves
Public sector institutions must learn from best practice in the private sector
Bangladesh Bank was the victim of an $81 million fraud
This month, we learnt what keeps John Scott, chief risk officer (CRO) of Zurich Global Corporate, awake at night. Perhaps betraying his background as a scientist, the insurance CRO's worries include the health effects of nanoparticles and the increasing prevalence and impact of cyber crime.
Ask most operational risk managers about their nightmares, and the answers are generally more prosaic. Some of them can be found in this article about op risk at US public pension plans, which amounts to a rogue's gallery of creaking processes, flawed systems and inadequate risk controls.
In one example, the Oregon State Treasury had no middle and back office until as recently as 2011, meaning it allowed trades to be initiated and settled by its traders. Similarly, Michigan's Office of Retirement Services has had recurring problems with IT, having suffered multiple daylong systems outages in the past couple of years.
Worst of all, the State Employees' Retirement System of Illinois used paper cheques to transfer billions of dollars between the state treasury and bank accounts used to pay retirement benefits. It also had no credible disaster recovery plan until 2008. "Our original backup plan was basically if we had a disaster and we had no backup equipment, they were going to buy equipment," explained Gerry Mitchell, the fund's chief information systems officer.
US pension funds are not the only public sector institutions that are behind the curve.
In February, cyber criminals managed to steal $81 million from Bangladesh Bank by hacking into its systems and requesting payments from a bank account held by the central bank with the Federal Reserve Bank of New York.
Although most of the requests were blocked, the New York Fed nonetheless transferred about $100 million to banks in the Philippines and Sri Lanka. The funds from Sri Lanka were later recovered, but $81 million transferred to the Philippines was smuggled out of the country and laundered through local casinos, which aren't subject to anti-money laundering (AML) legislation.
In a recent column for Risk.net, Megan van Ooyen of software vendor SAS described the theft as "a comedy of op risk errors". Authorities in the Philippines have since been considering whether to revise the scope of the country's AML laws, while the governor of Bangladesh Bank has resigned.
Fingers have also been pointed at weaknesses at the New York Fed – notably by Carolyn Maloney, a member of the US House of Representatives. On March 22, Maloney called for a "thorough investigation" of the "brazen heist", and released a letter to the New York Fed raising questions about how it was allowed to take place.
Every month, there are hundreds of millions of dollars in op risk losses at private sector firms. No doubt there are also shining examples of op risk management at public sector institutions. The State Employees' Retirement System of Illinois is among those trying to do better, including by enlisting the help of New York-based asset manager BlackRock and its Aladdin risk platform. But in general, it seems that factors such as stretched budgets, a lack of competition and an overly bureaucratic style often conspire to stifle robust op risk management in the public sector.
It is essential that this changes: public sector institutions must learn from best practice in the private sector and beyond. Otherwise, a comedy of op risk errors might easily turn into a tragedy.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
More on Operational risk
Investment banks: the future of risk control
This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control
Op risk outlook 2022: the legal perspective
Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…
Emerging trends in op risk
Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…
Moving targets: the new rules of conduct risk
How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…
Building resilience into ESG risk management
Risk and resilience continue to play an important role in the navigation of an increasingly uncertain world. Fusion Risk Management explores why it is equally crucial for technology to support organisations in addressing pertinent environmental, social…
Operational resilience: charting evolution, strengthening impact
Arming a business in preparation for robust operational resilience measures is not a one-step solution – it continues to evolve. The key to strengthening defences against all events – especially the unlikely but plausible – is to build business agility…
Operational resilience – Driving excellence and effective measurement in financial services
This webinar explores how to build resilience across an organisation, discussing actions and measures companies are currently taking to become more agile, adaptable and able to future-proof their business growth
Unlocking the potential of a firm-wide and systematic approach to operational resilience
This webinar explores best practices in response to regulatory policy and supervisory guidance, offering practical approaches to achieve a mature and robust operational resilience programme