Chief Operational Risk Officers Share Their Concerns, Experiences

Chief operational risk officers at four major banks shared their concerns and experiences during a panel discussion that wrapped up RMA’s GCOR VI conference. Panelists were Robin Phillips, managing director, corporate operational risk executive, Bank of America; Jodi Richard, EVP and regional head of Operational Risk and Control, HSBC North America; Beth Rudofker, managing director, Corporate Operational Risk, JPMorgan Chase; and Kevin Slane, EVP, Enterprise Risk Management, First Horizon.

Among the top-of-mind priorities described by the COROs are breaking out of risk discipline silos to provide a coordinated, enterprise-wide look at risk, managing increased operational risk demands in a cost-constrained time, making best use of senior management attention to risk, providing useful data and fostering dialogue with the business lines, and keeping staff fresh and engaged with risk priorities.

Phillips said his bank’s operational risk management efforts are at a mature stage, although the operational risk discipline is still at an immature point. Richard said her bank’s operational program has advanced to the point where they can focus on managing operational risk rather than putting in place metrics and tools to do so.

According to the COROs, operational risk plays a large role in new product development and approval, in some cases directing the process. Operational risk also has a voice in long-term planning and strategy.

Richard said HSBC includes two operational risk measures in scorecards used to determine compensation: operational risk losses and operational risk effectiveness.

Banks are encouraging and monitoring business line managers to self-identify risks in their areas rather than having them discovered by the second or third line of defense—risk management and audit, respectively.

According to Richard, the biggest operational risk objective in the next two to three years is to reduce operational risk losses by inserting controls that will lower the number of events resulting in losses. Phillips and Slane are working on getting usable risk data to the business lines.

RMA would like to thank this year’s GCOR VI sponsors: Wolters Kluwer, AFS, Algorithmics, Centerprise Services, KPMG, MetricStream, and Protiviti; and exhibitors: BWise, IBM, and Logic Manager.

We look forward to seeing you next year for GCOR VII, April 17-18, 2013 at the Hyatt Regency Cambridge in Boston, MA.


Identifying Emerging Risks

Recognizing key external and internal issues which could develop into significant risks for an institution can prove a daunting task. J. David Thompson, Managing Director and Chief Operational Risk Officer at Bank of New York Mellon, offered attributes to help identify emerging risks: newly developing or changing; difficult to predict timing or magnitude; and potential for major impact. The sources of emerging risks can come from world events, economic events, technological events, industry events, as well as internal events.

Thompson offered tools that his group uses to help identify emerging risks. At the process level, RCSAs are employed; while at the business unit level, high level assessments are conducted quarterly. Additional tools include company-wide data studies, stress testing, scenario analysis, and a listing/discussion of top ten risks conducted twice a year.

Once identified, managing the risks involves prioritizing the highest impact areas, utilizing effective project management, coordinating actions across silos, and monitoring and making thoughtful adjustments when necessary.


Reputational Risk

Touching on the hot topic of reputational risk, Amy Jackson and Robin L. Phillips, Corporate Operational Risk Executives at Bank of America, discussed how an institution should define reputational risk, how to develop a framework for managing it, and how to measure and monitor the risk once in place.

Today there are multiple considerations in managing reputational risk, such as Dodd-Frank, rating agency actions, the political environment, and regulator concerns, to name a few. The anonymity of the Internet, blogs, and social media presents a level of uncertainty. However, developing a framework that identifies internal risks and external events/risks, escalates emerging risks and discusses mitigation plans, and reviews and approves business activities that present elevated reputational risk can help to manage potential exposures in our current environment.


A Current View of Operational Risk

As the necessity for identifying and managing operational risks increases and places greater demands on organizations’ business and control functions, it is important that operational risk management frameworks continue to evolve, said Beth Rudofker, Managing Director of Corporate Operational Risk, JPMorgan Chase.

Although Rudofker cited the positive development of many frameworks migrating to a three-line-of-defense structure regarding governance and risk and control ownership, she also identified areas for improvement. A challenge exists in understanding inherent risks – identifying what the key risks are, knowing how to mitigate them, and ensuring that RCSAs tell a significant story. RCSAs should also effectively validate where losses are originating for better understanding and mitigation of the root causes.

Frameworks are well established in many organizations today, but they need to include compliance and legal risks that are woven through every business activity. These risks also need to be linked into RCSAs.


Regulatory Update – Positive Reinforcement and Ongoing Challenges

Despite a myriad of ongoing post-crisis issues creating complexity for organizations, the GCOR VI conference helps to reinforce positive happenings in the industry, said Kenneth Fulton, Analyst to Deputy Comptroller, OCC. Namely, risk appetite frameworks are being put into place in many banks as well as infrastructure projects addressing MIS deficiencies.

Joining Fulton on the regulatory panel were Eric Caban, Supervising Examiner, Federal Reserve Bank of New York and Evangelos Sekeris, AVP, Federal Reserve Board of Richmond. All agreed that over the next few years, the industry will be dealing with a changing landscape as regulators complete Dodd-Frank implementation. The foreclosure crisis will linger for a few more years with another million and a half loans over 90-day delinquency.

Regarding AMA implementation, the industry has learned that data collection and capital estimation and modeling are not enough. An integrated approach to operational risk systems is necessary as operational risk is embedded in every business function. Additional lessons learned that were echoed throughout the two-day conference include taking a closer look when dashboards are green, avoiding complacency by adopting a healthy dose of skepticism, as well as breaking down risk silos to effectively manage risk.

All three regulators recognized that agencies historically haven’t been specific with expectations, but a concerted effort to make improvements means a clearer direction for organizations going forward.


Operational Risk in Community Banks

Management of operational risk is a key feature of sound risk management in large and small institutions. In community banks, an operational risk framework must be tailored to the capacity of the staff dedicated to ORM, which in some cases is just one staff member. That was the case for Terri L. Hendrix, vice president and director of operational risk at EverBank, who spoke on “Developing and Implementing an Operational Risk Framework for Community Banks.”

Each financial institution should follow a framework specific to its own internal operating environment. A robust ORM framework should include the following core components: clear objectives, culture, and tone set by the board and senior management; a strategy that provides guidance on risk appetite, policies, and processes; a clearly defined risk appetite and policy; clear communication of risk policy across the entire organization; periodic evaluations based on internal and external changes; structure that ensures the ORM framework is handled consistently; and procedures to ensure execution and compliance with ORM policy.

An operational risk committee is crucial as part of the governance structure. Business units should conduct comprehensive risk and control self-assessments (RCSAs) to identify key operational risks in day-to-day business processes. Risk monitoring should include internal and external audit issues, regulatory issues, testing of RCSAs, identifying and reporting of key risk indicators, collecting operational risk loss data, and ensuring this data is used by the business units in assessing residual risk rating. Risk reporting should include the results of RCSAs by line of business and aggregate; the status of remediation measures; operational losses; third-party relationships; new products, processes, and services; and business continuity and disaster recovery testing results.


September 11, 2001: The Greatest Operational Risk Crisis in Financial History

The terrorist attack on the World Trade Center on September 11, 2001 was the greatest operational risk crisis in financial history, according to Jeff Ingber, author of Resurrecting the Street: How U.S. Markets Prevailed After 9/11. On that devastating day, Ingber worked as general counsel for the Government Securities Clearing Corporation, located several blocks from the World Trade Center in lower Manhattan. He is now a managing director, Policy Compliance and Control, Citigroup.

In addition to the human toll (three out of four killed in lower Manhattan worked in the financial services industry), 9/11 represented an enormous disruption in the financial markets. Buildings, communication lines, transportation, and utilities were disrupted or destroyed, and electronic and paper records were irretrievably lost. The priority became to reopen the markets as quickly as possible to show Al Qaeda and the world that the United States had the capacity and the will to rebound from the attacks.

Ingber’s book tells the story of the immediate aftermath of 9/11 as regulators, traders, and other financial services workers, some fierce competitors, worked together to reopen the markets and rebuild the system. For the audience at RMA’s GCOR VI conference, Ingber took a longer view.

The terrorist attacks had a revolutionary impact on operational risk concerns such as disaster recovery and contingency planning. Back-up sites were moved, updated, and expanded after many proved inadequate on 9/11. Operational risk as a separate discipline became more prominent in the financial services industry.

Because of these changes and technological innovations such as cloud computing, a 9/11-type attack will never again have the same massive impact on the financial services industry, Ingber said. The next war will be fought on the cyberterrorism front, he added, with hostile nations, terrorists, and “hacktivists” willing and, in some cases, able to disrupt the financial services industry and other industries. Measures such as the cybersecurity legislation now being considered in Congress are intended to address these concerns.
