Why declare UDI?
Operational Risk - September 2005
It is truth universally acknowledged that the operational risk function shall be independent. And I've been asking myself - why? What does an operational risk manager do which requires independence? Is this yet another example of how approaches to other types of risk have simply been read across to operational risk without really analysing their relevance?
Operational risk, as we all know - and if we don't we should - is different in its nature from other types of risk. Risks involving credit, market or insurance are fundamentally about transactions. As a result they can be easily found and analysed from within a firm's management information; they can be fully audited; they can be capped or limited. In general, that doesn't apply to operational risk. But the other significant difference is that risks such as credit, market and insurance are there to be taken. That's the whole point of a firm involved in lending, trading or insurance. Whereas operational risk is there whether you like it or not. Apart from insourcing, it's a risk which you don't assume voluntarily. It's one which you manage as best you can. You may have an appetite for how much you'd like to accept but, for most classes of risk, you can do little to prevent that appetite being exceeded. The skill lies in what you do when it happens.
Which brings us all back to the nature of operational risk management? What, indeed, is it for? And just as operational risk itself is different from other risks, is its management also different from the management of other risks?
At a conference earlier this year, a number of heads of operational risk talked about the evolution of their jobs. Initially, once top management has decided that it wants to have an operational risk function, their job is fairly clear - to put in place an operational risk framework and the toolkits which go with it. All agreed, though, that the task was to move responsibility for implementing and using the methodology to the various business line functions, leaving the core team to act as consultants to the firm, to train people both in the fundamentals of operational risk as well as the specific of their own firm's systems and to provide reports to the Board and other interested parties. More of a policy role than an active management role. Indeed, at that and other conferences, many operational risk heads have made the point, with a wry smile, that they don't actually manage anything, so they'd rather that word wasn't in their title. Or, as one senior executive commented to me the other day about the operational risk function, "They seem to have more of an admin role".
Of course, in some firms, the job goes beyond that. It may involve two key aspects of operational risk mitigation - business continuity planning and insurance buying. (Sadly, it often doesn't have any responsibility for insurance, but that's another story.) It should involve some element of quality improvement.
But overall, there is no clear idea of what operational risk should do and, more importantly, how it adds value. The head of credit doesn't just set up a credit framework, but sanctions loans. He or she, like the person in charge of market risk and trading or the insurer, puts earning assets or liabilities on the balance sheet, and see that they are good. What they do is visible and easily understood in its effect on the balance sheet and bottom line. And because of the nature of their job and the importance of separating risk decisions from the sales function, it is right that these functions are 'independent'.
It's a different story with operational risk. Outsourcing and new products are legitimate areas involving operational risk. The head of operational risk or equivalent advises on them and other aspects of risk/reward decisions. But he or she doesn't make the outsourcing or new product decision. That's made by the line.
Of course, there's value in improving quality, in understanding better where you're risks lie and having a framework by which to assess those risks and, importantly, your controls over those risks. A good framework of monitoring and reporting will reduce the risk of surprises, both for management as well as for external stakeholders.
But operational risk is really another word for business risk. As such, it's essential that the business lines take ownership of it and that it's ingrained, dare I say embedded, within them. If, as Andrew Smith at HBOS suggests, it's merely treated as something of a regulatory construct, a rather arbitrary bringing together of various properly recognised risk categories, then it will be little recognised. By it's very nature, it's not only integral to the business, it considers the whole business. You don't expect the CEO to be 'independent' of the business - any more than you should expect the operational risk function to be.
John Thirlwell - Director, Operational Risk Research Forum. The views expressed in this article are those of the author.