Operational risk: Cinderella or Prince Charming?

Back in the 13th century, Thomas Aquinas, the philosopher and later saint, famously declared that ‘the world has never been so full of risk’. He was thinking of plagues, wars and famine, which decimated populations and caused mediaeval banks to collapse - far more than through the capricious behaviour of borrowers, such as kings and Popes. The risks he was talking about were operational risks.

If you look at the recent banking crisis and events before that, not a lot has changed. Rogue traders, the Millennium Bug, 9/11, SARS, volcanic ash: all have formed the major threats to the financial system in the 20 years leading up to the banking crisis, and all are operational risks.

And when you look at the banking crisis itself, you will undoubtedly see appallingly poor mortgage lending, abdication of credit risk responsibility to credit rating agencies and stunning over-indulgence in derivatives, those ‘financial weapons of mass destruction’, as Warren Buffett so memorably called them back in 2003. But the root causes lay in human behaviours: the wild optimism of borrowers, lenders, politicians, regulators; the herd instinct which always drives a bubble; greed; and, of course, human failures of risk management and governance on a grand scale. When the US Financial Crisis Inquiry Commission reported in January this year, it naturally pointed to the causes at the beginning of this paragraph; but before going on to those, it was vituperative about ‘dramatic failures of corporate governance and risk management’ and a ‘systemic breakdown in accountability and ethics’. For me, those behaviours are fundamental elements of operational risk.

One final example to support where I think it fits in the hierarchy of risk management. In October last year, the UK government published its national security strategy. In the top tier of threats to the UK it cited international terrorism, cyber attacks and large-scale cyber crime, major accidents, natural disasters and an international military crisis. The second tier included organised crime and disruption of satellite communications. Every one of these is an operational risk, and practically all of them, together with people (or behavioural) risk, are the major threats faced by banks today.

Banks and other financial institutions are in the business of managing risks. But that generally means managing credit risks, or market risks, or insurance risks, the stuff of their business. It’s all too easy to ignore the risks they have to manage if they wish to stay in business, the stuff of operational risk. And even when they consider the risks which they are in business to manage, do they seriously consider how many of them are operational – failures of process, systems and control, often caused by failures of their employees or those employed by third parties? They form a substantial part of what we call credit, market or other types of risk, over 50% by some measures.

Operational risk is inherent in all products, services and activities and involves everybody employed by the firm. That cannot be said of any other type of risk. Yet for some reason, despite its critical importance, operational risk management remains something of a Cinderella, the bit which is forgotten, or perhaps vaguely remembered, when everybody’s gone off to the ball.

So how can operational risk get itself invited to the top table and become the Prince Charming which I believe it should be? Perhaps the first thing is to set out the benefits of good operational risk management. The essential benefit is better informed decision-making. The basic tools of an operational risk management framework - event and loss analysis, risk and control assessment, monitoring risk indicators and scenario analysis – all contribute to better risk-based business decisions.

Intelligent operational risk management can produce clear financial benefits. Risk and control assessments enable control resource to be effectively deployed. Insurance-buying, which is all about insuring against operational risks, should be an integral part of the operational risk function, so that it can be properly targeted and optimise premium costs and maximise claims payments. Outsourcing should mean that customer service is improved and activity levels are increased. Proper project management should ensure that projects really do deliver what was intended, to time and to budget. They all lie in operational risk’s domain.

Then there are the threats to the business itself which, as I have argued, lie at the heart of operational risk management. Business continuity management will ensure that you are a survivor and will be back in business ahead of your competitors. And then there’s reputational risk management. Financial services organisations depend on trust. That trust can very quickly be lost through the actions of anybody in the firm – and through a failure to deal speedily and effectively with the problem when something does go wrong. The effects can be catastrophic. And reputational damage almost invariably results from operational risk events. So it needs to be properly assessed and managed, starting by assessing each risk on the risk register for its potential to cause reputational damage.

Reputation is the perception many people have of an organisation over time. Those people include customers, employees, suppliers, investors, regulators and opinion formers. Just as risk is not managed by the risk management function but by the business lines, so reputation is not managed by Press and Public Relations, but by everybody who manages those relationships, whether it’s the business lines, support functions, HR, compliance or investor relations. A firm’s reputation is in the hands of every employee – from public remarks or behaviour of the CEO to the junior on Facebook or Twitter.

Which brings us to the most critical part of operational risk management – managing people, one of the four elements of the Basel definition of operational risk. People are a service industry’s defining asset – and its greatest risk. That risk will be most effectively managed where there is good risk governance which ensures that a healthy risk culture is embedded throughout the organisation. In a speech to the Institute of Internal Auditors in 2008, Professor Mervyn King, chairman of the King Committee on corporate governance in South Africa, memorably said: ‘With buy-in, you can do extraordinary things. But without it, you won’t even achieve the ordinary. It’s alright to talk about the tone at the top, but I like to think about the tune in the middle.’ The tune in the middle is the test that the risk culture promoted by the Board and senior management is truly embedded.

That will partly depend on their own behaviour – walking the talk. But it will critically depend on the Board being clear about its strategy and objectives and effectively communicating them throughout the firm. Without clear strategy and objectives, there can be no context for effective risk management or an understanding of what is meant in a particular firm by excellent behaviours. Without an understanding of what is meant by excellent behaviours, there will be little coherence in staff selection, appraisal, promotion or, importantly, remuneration. Nor will it be risk-based.

Behaviours underpin the way in which the firm does business. Acknowledging that the tone at the top is where it all starts, let’s look at the CEO. It always intrigues me how little the CEO features in the risk register. And yet the CEO’s behaviour can destroy a firm. Is the CEO a dominant emperor, or perhaps an aspiring celebrity? Does he or she work openly with the Chairman and the Board, or are they seen as obstacles to getting on with the job, people to be provided with minimum information, rather than people to whom issues can be brought for discussion? It’s one thing having a strategy, but can the CEO implement it effectively? How many and how good are the decisions the CEO makes?

And having asked all those questions about the CEO, repeat them down the management chain. In particular, is there a genuine succession plan, or is it something which might cope with an immediate crisis but not beyond that? Too often one person is pencilled in as the replacement for a number of other senior executives. What happens if two or more of them disappear at the same time? Again, it’s not just a concern at Board level, but all the way down the chain.

Finally, a word about HR. How many HR Directors do little other than transactional HR – running the appraisal and training systems, hiring and firing – rather than acting as true risk managers, which is what they ought to be? Understanding and predicting risk is highly dependent on understanding human and organisational behaviour, the root cause of the crisis. The HR Director should have a core role as senior management’s guide and be on the shortlist for COO or even CEO. But that’s rarely the case. And of course, the whole issue of people risk and behaviours is all operational risk.

Operational risk lies at the heart of all the risks we take and all the ones we’re exposed to. It involves everybody. Its management should not be left to a Cinderella, sitting away from the action by the fireside. It should be the responsibility of Prince Charming, up there at the top table, where the lights are blazing and all eyes are on him as he ousts the Ugly Sisters and rescues Cinderella from where she should never have been left.

John Thirlwell is an independent adviser on risk management to boards in financial services and co-author of Mastering operational risk (Financial Times Prentice Hall, 2010).

© John Thirlwell 2004-11. All rights reserved.