TransConstellation was established in December 2003 as a not-for-profit entity, aimed at promoting Belgium as a centre of excellence in financial transaction processing. The members – Atos Worldline SA/NV, Euroclear, Fin-Force, Swift and The Bank of New York (Brussels office) – have joined with PricewaterhouseCoopers to benchmark best practices in operational risk management (ORM).
Its most recent research work has resulted in reference material benchmarking ORM maturity, published in June 2007. This step-by-step roadmap will help companies develop an ORM framework or validate existing ORM business practices through practical benchmarking and gap analysis.
The consequences of financial loss and damage to reputation can be severe without the requisite level of ORM maturity. This is of concern to most companies but is particularly important in the financial sector, where high-value, high-volume transfers of money and securities are involved.
New tools
TransConstellation provides two complementary tools: the ORM Maturity Benchmark – a concise, practical document enabling qualitative assessment of current ORM business practices and how to improve them; and the ORM Reference Guide – a detailed study on the different ORM concepts and practices employed by top companies.
Ignace R Combes, chairman of TransConstellation and deputy CEO of Euroclear, says: “We aim to address the void in providing companies in the financial sector with practical means of determining where they stand compared with established ORM industry standards. In addition, we want to offer our industry colleagues useful and pragmatic advice on how to achieve higher levels of ORM maturity across all relevant areas.”
Research was conducted among leading firms in the financial-transaction processing industry specifically, and among risk managers in other areas of the finance industry. To maximise synergies among different risk management related initiatives already under way, the best practices are linked explicitly to the COSO II Enterprise Risk Management (COSO ERM) framework.
In view of Sarbanes-Oxley (US) and other regulations to increase the strength of governance structures, COSO ERM has been adopted as the de facto standard for understanding and evaluating internal control structures. COSO ERM envisages eight interrelated and interdependent facets to the way in which management conducts its business. The guidelines outline how these components of the COSO ERM lifecycle are equally applicable for ORM.
Joint research projects
| Olivier Nagelmackers, chief operational risk management spokesperson at TransConstellation and head of risk management at Atos Worldline Belgium, says that TransConstellation will continue to exchange experiences between the founding companies and undertake joint research projects. The membership comprises a cross-section of five financial companies based in Belgium. |
While firms digested the guidelines and discussed the implementation of the best practices, the next steps for the group were being considered. Mr Nagelmackers says: “There are certain steps we will look to take in the future. We will look to enlarge the discussion forum on operational risk. We could extend the guidelines on business continuity and I feel we could develop more of the guidelines on the communication in times of crisis and the exchange of information between companies. Perhaps these extensions will take the form of new formal projects within the TransConstellation Academy.”
Business continuity
These areas, such as business continuity, were intentionally toned down in the initial guide because of the scope of the project (the end document tallies more than 200 pages) – it would command a similar sized work on this topic alone. Managing and developing the different scenarios in a business continuity programme, and recognising when it no longer becomes manageable, could also be taken on as an extensive project in its own right.
Mr Nagelmackers says that while centralised databases recording operational failures within banks and companies already exist, one suggestion from a TransConstellation Academy project has been to enable such information to be exchanged between TransConstellation members. “It may not be useful for all activities but there may be some points where we can learn from each other’s errors,” he says.
The steering committee of the benchmarking project will meet in the same month as the quarterly board meeting to discuss the next steps. In the past, research has been carried out on knowledge management and the results of this research shared across the TransConstellation member companies. In partnership with the Solvay Business School in
Belgium, TransConstellation is running an operational risk management seminar for selected Mortgage Bankers Association students.
The benchmarking tool for operational risk management maturity was originally designated for the financial sector but it is equally applicable for a company in any industry where operational risk management and risk mitigation is found.
Basel II
The last chapter of the ORM guidelines focuses wholly on Basel II. Some banks have decided to take a minimalist approach to capital adequacy under Basel II while some have taken a more advanced approach, enabling them to calculate their own necessary capital and reap the true rewards of well-managed operations.
“As banks are ‘obliged’ to implement operational risk management, if they comply at the minimum level it will not improve revenue,” says Mr Nagelmackers. “If a bank wants to be more effective it needs to invest and recoup that investment through efficient operational risk management. This needs to be embedded in the company’s culture in order to actually reduce losses and potential risk, and bring about economical value.”
The TransConstellation ‘Roadmap to Operational Risk Management Success’ points out that the advanced measurement approach to Basel II is the ability of the regulator to evaluate the bank’s methodology and measurement systems, and to confirm that these provide reasonable estimates of its operational losses. A ‘foundation’ level in ORM maturity, in terms of the internal environment and monitoring, would provide the basis for such ability.
In addition, the requirement explicitly points to allocation of regulatory capital to different business lines from an ORM perspective. Such allocation presupposes a relatively high ORM maturity level for objective setting, and advanced data-collection practices.
Taken on a stand-alone basis, this requirement could be achieved without explicit attention to the risk identification, assessment, response and control activities’ ORM stages (clear objective setting and highly effective loss-data collection are the actual requirements implied in the Bank for International Settlements criteria). In practice, however, it would be impossible to achieve the requirement without at least ‘foundation’ ORM maturity levels being practised in these areas.
Mr Nagelmackers says: “Regulation around capital adequacy is likely to be further tightened, so that implementing the benchmark from day one will mean that banks will be ready for any increased regulation.”
Different levels
The ORM research guide outlines three levels of operational risk management – foundation, intermediate and best practice. “Some banks are at different levels, in different areas,” says Mr Nagelmackers.
Fundamentally, the idea is to get out of the foundation level and in to the intermediate level, and then invest in best practice. It is really a question of the company’s culture and orientation. The target should be intermediate and then select areas to push and invest in best practice.”
Once the corporate objectives have been set, the firm can derive its risk appetite. A financial-transaction processing firm with a low risk appetite may decide to take on relatively high system and application investments with an initially low revenue stream, for a particular service, if it believes this investment will increase the stability of its business process, thus enabling long-term growth of the service.
Of all the COSO ERM framework components, this stage is often the most immature. TransConstellation’s analysis of the current industry position highlights that organisations have not implemented a comprehensive and formal mapping of corporate and business objectives against their risk appetites within an ORM framework. It advises that organisations should take time to challenge their repository of risks to confirm that they are appropriate, considering their corporate and business objectives.
