As banks prepare for the implementation of Basel III, operational risk management needs to be a key area of focus.

Operational risk is defined as the risk of loss from inadequate or failed internal processes, controls, people, systems or external events including service suppliers and outsourcers. Operations risk management requires discipline of execution with proper governance at all levels of the organisation starting from the CEO and the board.

Basel II and Basel III requirements focus on comprehensive and dynamic capital, risk and liquidity management – requirements that cannot be met if operations risk is not well managed. IT plays a key role in daily operations. Clearly, if IT and major operations fail, then a bank fails.

Key immediate requirements in the operations risk management space include upgrading core financial institution application systems. Many application systems are outdated (often more than 50 years old), and built for a different regulatory and market environment. Risk management information to dynamically manage clients and related risk fundamentally does not exist, and a retrofit may be impossible. In other words, many core financial applications are no longer fit for purpose.

Banks also need to implement robust data architectures and governance. The lack of standard data definitions for financial institutions across the industry is a huge issue. Reference data management is an area that needs to be addressed urgently, and standardisation of product and services data is the starting point. Technology architectures need to be upgraded to handle the new business continuity, latency, security and data integrity requirements. 

Know your providers

Managing outsourcers and service suppliers is another area that needs a great deal of executive attention. Outsourcing can provide many benefits, such as business transformation and cost savings, but can also be a point of failure. Headline outsourcing risks that need to be managed include the political and legal risks of the country in which the operations of a financial institution are conducted. This also applies to the offshore captives of financial institutions.

Banks also need to manage the operational risks attached to the outsourced service providers themselves. This includes the difficulty of conducting information technology and business processing outsourcing operations, onshore or offshore, due to issues including the macroeconomic environment, infrastructure, skills availability and costs, regulation, the socio-economic and cultural environment, and corruption.

The data privacy and security risks of the outsourcer must be benchmarked to the best-in-class financial institution, measured by the number of errors and breaches that the outsourced financial institution has over a period of time. Banks should also assess the strategic risks that are rooted in the deliberate opportunistic behaviour of service providers. This includes theft of intellectual property, understaffing, and failing to staff with the right domain and process skills.

Finally, there are composite risks to a financial institution when it has outsourced a process or processes for so long that it can no longer implement and operate the process itself, and has little recourse if an outsourcer fails. 

The high cost of failure

The risk of business disruption and systems failures should be measured by the tested and proven ability of a financial institution to resume operations after a major outage, or natural or man-made disaster. Other potential risks include damage to the physical assets of the financial institution and/or to the assets of the third-party suppliers that support the business of the specific financial institution. Internal and external fraud should be measured by the number of incidents and losses, covering both financial institutions and their third-party suppliers.

Banks need to pay more attention to employment practices and workplace safety, including the stability and reliability of human resources, the management of key executives, and an assessment of the staff of the third-party suppliers. They should also take account of the products and business practices of their clients, and the degree to which a financial institution meets its obligations from the point of view of regulatory and client suitability. This is one of the higher-risk areas.

Finally, regulatory risk is specific to each financial institution, and relates to the risk of not meeting regulatory requirements, as measured by the amount of fines and regulatory intervention or capital infusion required.

When considering outsourcing contracts, banks should assess the risk posed by third-party suppliers in all the categories above, plus the specific risks of non-compliance, balance sheet risks that are not transparent, and non-performance on the major services or contract requirements that leads to major exposures.

Well-managed operations and related risk can be a strategic advantage for a bank, while not managing operational risk can result in regulatory intervention, increased reserves for operational risk, additional regulatory penalties and exposure to reputational risks that can be very expensive. In other words, bank CEOs have a limited window in which to decide whether they want their firms to survive and excel. If they ignore the massive effort required and contemplate lagging the market, they may just put themselves and their firms at risk.

Gabriel David is the US senior partner of outsourcing brokerage Burnt Oak Partners, a former head of financial services business at Genpact, IBM and EDS, and an advisor to US and Organisation for Economic Co-operation and Development regulators on the Basel Committee on Banking Supervision.
