As the dust settles on high-profile fines and losses, firms continue to work on developing a unified, enterprise-wide approach to operational risk.
As fines are settled and regulatory requirements evolve, operational risk continues to be a key component to any comprehensive, enterprise-wide risk-management strategy.
And as definitions and operational-risk concepts become more commonplace, the quantitative and qualitative approaches for measuring risks have also been changing to keep up with the times as a unified approach becomes key.
Joe Sabatini, managing director and head of corporate operational risk at JPMorgan Chase, says that, over the last 12 to 18 months, the financial-services industry has migrated to embrace operational risk as a risk discipline.
He says that many large institutions are now investing in this migration which sees focus moving from a business-unit-by-business-unit control question to an established, unified approach to operational risk.
From the 10,000-foot level, Sabatini says that the firms in the industry span the spectrum of this migration, from just starting the process to having a reasonably well-developed, unified approach in place.
The distinguishing factor between firms on the migration path? Sabatini says this lies in whether the financial institution views the move as the "right thing to do from a risk-management and commercial-incentive basis or whether they see this as the next iteration of regulatory guidance or requirements."
In other words, those who are further along in the migration have generally taken the perspective that investing the effort and resources will result in a competitive or financial advantage. These firms are working in order to understand operational risk better and improve overall shareholder value, rather than simply preparing for regulatory requirements.
Sabatini does not discount the regulatory requirements as a major catalyst though, in addition to the business-related drivers. "Some banks began this migration because they saw the regulatory requirements coming but, as they spend more time on it, they see the advantages and are embracing both tracks now," says Sabatini.
How does technology fit in?
Sabatini explains that a lot of the technology work on the operational-risk front falls into three main areas: self-assessment, collection of operational-loss data and capital calculation.
"I think that tracking internal information is, first and foremost, the most important thing," he says. "External-loss data is informative and can help you understand what's going on in the industry, but it iscurrently a challenge from an analytical standpoint as to what you do with the data once it's available."
Debbie Williams, group vice president, capital markets and corporate banking at Financial Insights agrees, "If you can't identify losses as they occur, you can't manage them," says Williams. She adds that these internal-loss databases, which are already being built by firms, may prove more useful than an industry utility or database of publicly available loss data.
"The issue with publicly available data is applicability," says Williams. "You can look at the loss event, but you don't know whether it's really relevant to your business unit or geography without some information on that organization's business practices. You don't know if it's something you might be exposed to or not."
In order to combat this, there are several initiatives underway to collect more firm-specific internal-loss data in a standard, secure fashion for wider-spread use. One of these initiatives is the Operational Riskdata eXchange Association (ORX), which was scheduled to begin beta testing software for the collection of data in February. JPMorgan Chase is one of the founding members of the group and is joined by a number of firms, including ABN Amro, BNP Paribas, Deutsche Bank, Euroclear Bank, ING, and Fortis.
"The benefit of a more disciplined and voluntary-submission approach is that the data is submitted on the basis of common definitions with some level of confidence that the completeness and accuracy of the data is there," says Sabatini.
He adds that this type of data repository is important because it will enable institutions to benchmark themselves against the marketplace. "Everybody thinks they're reasonably well-controlled, but that's just a perception - we don't have any concrete information."
He explains that once a database, such as ORX, is up and running, members would be able to look at loss levels in different activity areas and benchmark their performance by seeing if they are losing more or less than other institutions. "Or, if your trend of losses is spiking up or down in a particular area, you could see if that was an industry trend or cyclical or if there's a problem," says Sabatini.
In addition, this risk-loss data could help institutions understand loss patterns and causes of losses in order to help develop new products for risk mitigation such as insurance, capital-markets or derivative products.
Williams adds that a lot of effort is being spent in identifying what operational risk is going to be defined as and how it will be managed, or who will be responsible for managing it, within firms. She foresees that, in many cases, firms will have one enterprise-wide-focused individual who will be responsible for collecting the loss data, setting the standards, etc, across many business units.
In general, Williams says that when it comes to dedicated technology spending in the operational-risk area, it will not be anywhere near the scale spent on technology by other risk areas. "It's so much a part of each individual business process in the business units that the vast majority of spending will be done by each unit," she says. Using credit- and market-risk management as an example, Williams adds that there is a heavy-analysis component with simulation, limits management and other areas that she doesn't foresee as being as important in the operational-risk world.
But while she does not project heavy spending, Williams says there will be money spent on technology such as databases for loss-collection data and analytical tools to analyze and report on the operational-risk front.
"Technology itself is a double-edged sword because every system is a potential point of failure," she points out. "You can use the system to gather data, but you rely on the system and therefore it's a risk." Overall, Williams says that work will continue to focus on more unified definitions in areas such as key risk indicators, which can then be used across business lines.
The other main area for work will then be in the database area, with a central facility for collecting, gathering and storing that information. "But, on an ongoing basis, managing operational risks and losses will be done at the business-unit level," she says.
JPMorgan Chase's Strategy
Sabatini explains that JPMorgan Chase is undertaking a significant project over the next 18 months to re-platform its underlying operational-risk architecture. "This has been the result of over a year of a very detailed and quite disciplined architectural review of what the underlying components are today and what the end-user requirements are of ourselves and our stakeholders," says Sabatini. He adds that while vendors do have quality offerings, to date he was unable to find one package in which all of the necessary tools were integrated, so the firm will continue with a build-rather-than-buy strategy.
This architectural redesign will integrate capabilities on a firm-wide basis, says Sabatini. "We have the self-assessment process, we have the data and the analytics, our next challenge is to create a common-data warehouse for all of the data so that we can have efficient and user-friendly reporting," he says.
One goal of this process will be to create a single, integrated Web site for operational-risk-data collection and reporting across the firm. Sabatini envisions the site with drop-down menus and data options, where users can get information depending on their needs. In addition, users can see relationships between self-assessments, where losses are being incurred, and the capital associated with those.