Risky business: Mitigating operational risk
Since the 2008 crisis, regulators (and therefore banks) have focussed on monitoring and understanding the risks in our financial system. This has led to the creation of a number of high profile regulations designed to create a more transparent, better-capitalised, and less risky industry.
Today, huge budgets and programmes are devoted to meeting regulatory obligations, implementing new technology and producing metrics and numbers, essentially for monitoring risk. The most commonly used measurement is Credit Risk or Market Risk, which is produced by dedicated departments within the bank. However, financial institutions are exposed to many other kinds of risk. Even the process by which operational risk statistics are produced can prove to be a key but often underestimated risk in its own right.
So, never mind creating a huge programme of work to implement a risk system, how about conducting a good old-fashioned review of the controls and processes that protect your business? If firms do not continually review and assess the risk associated with each control, they could be exposed to losses should it later transpire that a control wasn’t fit for purpose.
Let’s use the example of a standard control that will be found in any financial institution, namely the reconciliation between two data sources, such as a trading and a risk system.
The reconciliation is designed to highlight any differences between the two systems. It could perhaps include some detail about the breaks themselves and information about the piece of data that is causing the discrepancy, and there may also be some regular metrics about the total number of breaks and the categories they fall into.
This all seems great, but can you really trust what the reconciliation is telling you? It may indicate that there are few breaks or breaks of little monetary value, but is that actually the case? From the analyst reviewing the breaks to the senior manager of the department that owns the reconciliation, there needs to be some confidence in the quality of the result.
When the reconciliation was created and deployed, it would have been subject to rigorous analysis and testing before being signed off as a trusted source of information. However, the business may have changed since the signoff. For example, the firm may have expanded since the reconciliation was built, both in volume and in complexity. During the expansion, were new scenarios added to the reconciliation as part of the client and business on boarding process? It is possible that a manual process was put in place to reconcile the two sources.
In such a scenario the business could end up being unreconciled, leaving a dangerous control gap that could mask potential issues. In the worst case scenario, someone with knowledge of this control gap could exploit it for their own gains.
This is your operational risk, controls are either not working as they should, or concealing problems that will come back to haunt you.
In order to mitigate this risk, firms should ideally review their controls and procedures on a regular basis, and as a minimum, when any change is made that could impact the controls that are already in place. A regular review process typically requires less time and money than a big programme of work to implement a new risk system or control, and could provide visibility of any issues that have previously gone unnoticed.
This could help firms to avoid potential future problems and losses and therefore aid in safeguarding their revenue and reputation.
Having false confidence in unreliable data is dangerous and could leave firms exposed to hidden risks. In the post regulatory landscape where ever increasing emphasis is placed on financial institutions having a firm grasp on their overall risk exposures, it is more important than ever that firms regularly review and asses their controls and procedures. In taking a proactive rather than a reactionary approach to risk management firms can identify and rectify process flaws before they escalate. Organisations that fail to do this could face massive future losses and huge reputational damage. So ask yourselves, is it really worth the risk?
This blog appeared on Finextra. Click here to see the entry on the Finextra website