By Brian Barnier, OCEG Fellow
The news headlines keep coming -- Mortgage melt-down, massive data breach, foreclosure robo-signings, trading fraud, client portfolio risk matching errors, ATM and payments system outages, liquidity traps, money laundering through mobile networks. These are just some of the recent sinkholes in operational risk land. The question is, Why? Why do they keep coming, despite the efforts of financial institutions to improve and reduce their occurrence?
At the same time, board members, shareholders, policy-makers and consumers all need financial companies to better manage risk relative to return in order to improve business performance and aid economic recovery. Standing still is not an option.
Operational risk leaders face a mountain of challenges. In trying to improve the process of risk management, they ask, “Is there a consistent basis for ‘risk appetite?’ What information needs to be in a scenario? To what depth do we need to document policies? What key risk indicators (KRIs) matter most? How can risk and control self-assessments (RCSAs) be more cost-effective? How can I better engage ‘the business?’” Such questions are asked by leaders seeking to do more with less. Increasingly, doing “more” includes more business value, not just more RCSAs.
Douglas Webster is a former CFO of the U.S. Department of Labor, and now a Partner at CSC and board member of the third largest U.S. credit union, Pentagon Federal. From the boardroom, he sees the challenges, “Managing to achieve performance against organizational objectives is the ultimate goal of management. I have yet to meet the person who does not understand that achieving performance objectives is subject to risk. Yet people frequently ignore risk unless it is blatant. It is as if any plan deemed feasible at first glance could be managed with fire-fighting--responding to risks after they are unfolding. It is quicker to get started this way, but there can be costly--even disastrous--consequences to performance in the end.”
Amidst this mountain (“mountain range” is probably more appropriate) of challenges, leaders want to know the critical steps needed to climb these mountains and overcome these challenges. In analyzing problems at financial institutions, it turns out there are similar underlying causes to these challenges. This is good news. It suggests there is a potential path through the mountains. In seeking this path, we can turn to lessons learned in overcoming similar challenges in other risk disciplines (including in financial institutions) and other industries.
Operational risk managers are frequently frustrated in their efforts when compliance is the driver of risk management programs. Focusing primarily on compliance has a host of negative effects that structurally leave operational risk management bogged down in fixing yesterday’s problems, excessive paperwork and churn. Operational risk managers are left without a clear touchstone for decisions on everything from risk appetite to scenarios to KRIs to reporting.
A huge lesson learned from decades of success elsewhere is the need to shift to a more performance-driven approach. A race car driver doesn’t buckle a seatbelt to avoid a traffic ticket – it’s to avoid injury or death in pursuit of the prize. Consider medical practice. Jim Bagian, professor of engineering practice at The University of Michigan, is an engineer who is a medical doctor, an astronaut, and a member of the National Academy of Engineering and the Institute of Medicine. He is also the co-author of a 2010 study on methods for improving outcomes in medical care at Department of Veterans Affairs (VA) hospitals. With great passion, Professor Bagian describes the need to understand sources of risk and what really works to improve performance:
“In our VA study, we found that understanding what is better and turning that into decision guides, checklists in some cases, for evaluating conditions and structuring responses clearly improves communication among health care providers and results in better outcomes. This was part of a program called Medical Team Training. The 74 facilities in the training program experienced an 18% reduction in annual mortality, compared with a 7% decrease among the 34 facilities that had not yet undergone training.” He found a few key features that created big benefits in reducing risk and enhancing performance at the same time. Combined with efficient communication, the results have proven very noteworthy.
Similarly, risk of theft at bank branches must be managed so those branches can earn return. Property & casualty insurance marketing leaders must manage risk of customer turnover. Financial company CFOs must manage risk to earnings and share price. And, whether inside or outside of financial institutions, the performance-focused approach is vital to success at such tasks. In a competitive world, risk management that aims mostly at box-ticking or damage control is doomed.
Douglas Webster continues, “Fortunately, not everyone went to the fire-fighting school of performance management. Yet, even those who recognize risk to performance often succumb to two failures. First, they take an ad hoc, non-systematic approach to risk management, so their ability to identify and manage risks is itself risky and dependent on luck. Second, they tend to address risks in silos instead of an integrated view of risk to the performance of the enterprise.”
In looking at lessons learned that apply to operational risk management in financial companies, key insights emerge:
- Speed of change and complexity are key drivers of operational risk anywhere. Both of these are increasing in today’s financial companies, especially given the global economy, regulatory environment, mergers and acquisitions, new markets and technology.
- This demands viewing operations as a system – similar to supply chains, air travel, electric utilities, sporting events, telecommunications or even fast food restaurants, not just as isolated events and controls.
- The heart of evaluating risk in a system is scenario analysis -- a thorough understanding of how events can unfold in business product processes given an environment and a set of capabilities in action.
- Scenarios – life-like, realistic stories of how situations unfold cannot be sufficiently described unless people actually know the business – how products and processes work in everyday life.
- To manage risk in a system, systems must be designed with margin to be forgiving -- with “plan b” back-ups ready for when problems arise.
- Preparing and reacting with back-up plans is all about understanding the costs and benefits of your options in time – if you delay, your options will narrow, costs go up and benefits go down.
For each of these insights, there are specific tools, connected in a highly usable process, to help leaders translate learning into actions to make risk management more efficient and effective, and improve business performance.
Marshall Carter, Chair of the NYSE Group and Vice Chair of NYSE Euronext, summarizes clearly: “This change and growing importance of operations in the performance of an institution means that boards and CEOs are more concerned than ever with risk to operations that would hurt performance. This is why the role of operational risk leader has never been more important. And it’s why operational risk leaders need to be smart in using the right approaches and techniques to help business leaders manage that risk. For operational risk leaders in our changing and complex environment, mastering the Plan B is your opportunity to make a difference in your institution.”
Brian Barnier, of ValueBridge Advisors, is an OCEG Fellow and the author of The Operational Risk Handbook for Financial Companies (Harriman House, London, 2011). He shares he practical insight widely through his writing, speaking and teaching. He can be reached at email@example.com.