In a recent speech to the Exchequer Club¹, Thomas J. Curry, the new head of the OCC, stated that although asset quality has improved, charge-off rates have fallen, and capital now stands at its highest level in a decade, another type of risk is gaining increasing prominence: Operational Risk.
“Some of our most seasoned supervisors, people with 30 or more years of experience in some cases, tell me that this is the first time they have seen operational risk eclipse credit risk as a safety and soundness challenge. Rising operational risk concerns them, it concerns me, and it should concern you.”
In fact, the OCC considers it currently to be at the top of the list of safety and soundness issues for the institutions they supervise. Earlier this year I wrote about how risk assessments were one of the compliance trends of 2012, and how regulators are now asking about things like strategic risk and reputation risk and operational risk, and expecting that these risks are assessed alongside the more traditional categories like privacy and security.
So the question is: What exactly is operational risk, and how can financial institutions effectively address it? The FFIEC defines it this way:
“Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people, or systems. The root cause can be either internal or external events. Operational risk is present across all business lines.”
Furthermore, because the implications of operational risk extend to all other risks….
“Management should distinguish the operational risk component from other risks to enable a stronger focus on operational risk mitigation.”
If you are still a bit confused about exactly what operational risk looks like, you are not alone. Because it exists in all business lines and manifests itself in every other risk, it is one of the most difficult risks to assess. In other words, it’s everywhere…and affects everything!
Simply put (and assuming your policies and procedures are adequate), most of the time operational risk can be defined as a failure to adhere to your own internal policies and procedures. In other words, if you don’t do what you say you will do, or you don’t do it the way you say you’ll do it, something will fail as a result. Whether it’s a process, a control, a system, or a risk model…if it is in place and operational, but either flawed or not followed, operational risk is the result.² But here is the kicker: even if your processes, procedures, models, etc. are flawless and followed to the letter, if you can’t document that they are, you may still have a high operational risk finding in your next safety and soundness examination.
The best way to address operational risk is to implement an internal control self-assessment process to assure that risk management controls are adequate, in place, and functioning properly. Reporting will document that your day-to-day practices follow your written procedures. Finally, make sure all business decisions reflect the goals and objectives of the strategic plan, and report to the Board on a regular basis.
In summary, integrate assessment of operational risk into your risk management process, and expect to hear more about it from the regulators in the future. And don’t think that because you aren’t regulated by the OCC you won’t see this trend. After all, as Mr. Curry stated:
“As regulators, one of our most important jobs is to identify risk trends and bring them to the industry’s attention in a timely way. No issues loom larger today than operational risk in all its dimensions, the manner in which all risks interact, and the importance of managing those risks in an integrated fashion across the entire enterprise.”
¹ The Exchequer Club is comprised of senior professionals from trade associations, federal regulatory agencies, law firms, congressional committees and national press with a primary interest in national economic and financial policy.
² Business Continuity Planning uses a slightly different definition of operational risk. Since the basic assumption of a BCP is that your processes and systems have already failed because of a disaster, operational risk manifests itself in the additional overhead that the alternative recovery processes and procedures temporarily impose on your organization. Of course, if your BCP is inadequate, failed processes will be the result.