Of all the forms of operational risk, compliance officers are most concerned with regulatory risk. Why? Because the consequences of getting it wrong can be so severe, writes Michael Imeson.

The definition of operational risk is simple – it’s the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In other words, it covers every conceivable type of risk, although in practice, in the banking world at least, it excludes credit and market risk, which have long been categorised separately.

So operational risk covers, among many other things, staff errors, IT system failures, fires, floods, terrorist attacks, fraud (both internal and external) and regulatory non-compliance. It is this last risk that is arguably the most frightening of all – ironically, because regulations are supposed to make the world a safer place, for customers, staff, the financial institutions themselves and other “stakeholders”.

Yet the burden of regulation has become so great, and the penalties for non-compliance so severe (regulatory censure, fines, civil action, criminal prosecution, reputational damage and corporate failure) that in many cases the world is becoming a more hazardous place for banks and bankers. Regulation has certainly brought many benefits to customers and shareholders – but if banks are regulated out of business, in the long term, everyone will lose.

The necessity of compliance

Andrew Cherriman, director of operational risk, Europe, Middle East and Africa, at Merrill Lynch, says: “Regulatory non-compliance is going to be one of the most important areas of operational risk management. Most firms have entire departments dedicated to it – by which I mean compliance departments and regulatory relationship departments. Compliance with regulations, and the relationship with our regulators, are essential to our ability to do business in all markets.”

The wide-ranging nature of regulation, and the associated risks of non-compliance, were brought into sharp focus by a recent survey. The Operational Risk and Compliance Survey was published in November 2005 by Lawlex, the Australian provider of automated governance, risk and compliance systems and regulatory content to major financial institutions and government agencies. Respondents to the survey, co-sponsored by Operational Risk magazine, were compliance and risk executives from more than 300 companies worldwide, covering all areas of banking, asset management, insurance and brokerage, and ranging in total asset size from below $500m to more than $250bn.

“The challenges facing risk and compliance professionals are intensifying,” according to the report. “The array of compliance programmes is substantial; keeping abreast of regulatory changes continues to overwhelm; and effectively monitoring the control environment remains a daunting task.”

As well as these long-standing challenges, a new threat to the successful management of operational risk and compliance has emerged – the need to embed and maintain a culture of compliance. The survey showed that only 8% of respondents felt they had completely embedded such a culture. Asked to rate their company’s state of compliance, only 14% felt able to say they were completely compliant.

What are the specific regulations that concern them? The usual suspects are there: Basel II, the Directive on Markets in Financial Instruments (MiFID), accounting rule changes (such as international financial reporting standards – IFRS), corporate governance, anti-money laundering, business continuity, the US Patriot Act, data protection and complex structured product rules.

Asked to rate each of these in relation to their importance to their company, audit and accounting rules came top with 74%, followed by corporate governance (72%), anti-money laundering (70%) and data protection (70%). The least important were complex structured product rules (17%), the Patriot Act (31%) and MiFID (40%).

However, when asked what motivated them to roll out operational risk and compliance programmes, only 28% said “just because we had to meet our compliance obligations”. The two most highly rated motivators were the achievement of improved internal controls and reducing reputational and regulatory risk. In other words, it is not generally seen as a box-ticking exercise, but as a genuine desire to get to grips with the issue.

Looking ahead, the survey found that planned expenditure on technology to help implement compliance programmes was set to increase significantly over the next 18 months: 55% of respondents expect to spend up to $500,000; 20% expect to spend between $0.5m and $3m; and 8% expect to spend as much as $10m. These levels of investment suggest that there is still a long way to go before operational risk and compliance frameworks are fully implemented.

Risk responsibilities

Most regulations are not explicit about what a bank’s operational risk policies and processes should be. Banks are left to set up their own risk management structures, but if they fail and a non-compliance event occurs, the regulator will step in to investigate the causes.

However, the Basel II capital accord is different in that it is explicit about a bank’s operational risk responsibilities. The accord requires banks to set a capital charge for exposures to the risk of loss caused by operational failures. Banks are free to choose one of three approaches to measuring these exposures. In the EU, Basel II will be transposed into law by the Capital Requirements Directive, and this will also allow supervisors in all member states some flexibility in how they draft their national regulations, although regular discussions through the Committee of European Banking Supervisors are ensuring convergent views and a level playing field.

There is much complexity for banks in applying to use the more advanced credit risk and operational risk measurement approaches, as these require the use of sophisticated modelling techniques and clear demonstration that these models are put to use to make business decisions, not merely to calculate capital numbers. Although the UK’s Financial Services Authority, for example, has been open for applications from July 2005, to date (early December) only two applications have been received, and they have been for credit risk approaches.

Rosemary Hilary, head of the Risk Review Department at the FSA, told delegates at a conference organised by The Banker in October that “these applications will be among the most complex that we have ever had to deal with”. She said she is expecting fewer than 20 applications for the advanced measurement approach (AMA) to operational risk.

The FSA has been clear about the deadlines for applying for the advanced Basel II approaches: the AMA is available for first use from January 1, 2008, and firms thinking about applying for a model waiver to use the AMA have been encouraged to submit early applications in order to avoid a “bunching up” of applications. Most firms have already been the subject of pre-application visits that allow for a fruitful and early dialogue on areas they are focusing on, which will help reduce the amount of time needed once a formal application is received. The deadline for applications to guarantee a decision in good time for first use January 1, 2008, has been set at end-December 2006.

Brendon Young, chief executive of the Operational Risk Research Forum, and founding president of the Institute of Operational Risk, says that although allocating capital against operational risk is important, it is only one defence. “An increase in capital will not in itself reduce risk,” he says. “Only management action can achieve that.”

The control of operational risk is fundamentally concerned with good management and continuous improvement, says Mr Young. Managers therefore need to take into account:

  • How the overall risk profile of the bank is determined.
  • How the main risks are identified, and how they affect profitability.
  • How the risk-reward relationship can be optimised.
  • How underlying factors can be verified.


Reputational risk

“Operational risk events lead to an increase in the volatility of earnings and a consequent increase in the cost of capital,” says Mr Young. “Reputational risk through regulatory non-compliance is increasing as the regulatory burden increases. The growing sophistication of operational risk management is manifesting itself in the form of risk-disaggregation and increasing complexity.

“However, an excessive concentration on detail can result in a loss of relevance. Multi-discriminate operational risk models contain an increasing number of elements, but correlations are extremely difficult to determine and may not hold up in times of stress,” he adds.

The complexity of these advanced approaches, such as the Basel II AMA, may, paradoxically, increase systemic risk, says Mr Young, since they may not give the correct answers, thus negating one of the regulator’s key objectives.

The Banker and FT Business, in association with the Operational Risk Research Forum, are organising Operational Risk: Reality Check, a one-day conference, in London on 7 February. For more details contact Andy Clark on +44 (0)20 7382 8423 or andy.clarke@ft.com
