In the milieu of various risks that banks encounter in financial intermediation, the broadly classified risks are (i) Credit risk (ii) Market Risk and (iii) Operational risk. Despite sufficient regulatory rigor and bank’s own integrated risk management policies, the operational risk management (ORM) tends to relegate to background in the order of prioritisation.
According to the Basel Committee, operational risk is the probability of loss resulting from inadequate or failed internal processes, people and systems or from external events.
It encompasses a huge set of other associated risks including legal risk. But in practice, banks have enough tools to manage credit and market risks but except systemic controls, there are not many tools for improving the efficiency of ORM, more so, viable benchmarks to measure it.
Banks are under the glare of analysts and peer banks to test if the credit and market risk is well managed. Many of the performance parameters including non-performing assets (NPAs), provisioning standards forms the basis of market positioning of banks.
Tools for risk management
In order to mitigate credit risk there are external rating agencies who provide the assistance. The elaborate credit appraisal techniques, evaluation of balance sheets and financials of underlying entities supported by internal rating system provides some concrete basis to assess credit risk as part of credit appraisal system. In the spree of managing credit risk and market risk, some banks may not be very particular to manage ORM, a voiceless tool. The efficiency of ORM has no immediate connect with stake holders.
No direct market index in ORM is yet developed except that it has a distant connect with profitability indicators only when a major loss on account of fraud is written off.
Moreover advanced tools are available from external rating agencies and risk analysts to ring fence the credit and market risk. Sophisticated mathematical algorithms are used to arrive at ‘value at risk’ that provides fair idea on choosing appropriate risk mitigation strategies for them. But in a bid to achieve business goals and target chase, ORM tends to slip in priority at implementation stage. There is no clear means to arrive at value at risk in ORM except collection of loss data and capturing of events that influence it.
Transparency and disclosure standards prescribed by the central bank and notes to accounts are some indicators which usually misses the public glare. That precisely is the reason, regulators have intensified follow up of ORM with off-site tools. ORM is mostly a bank driven surveillance tool and consequences of compromising it may not impact business in the short term but can have dire consequences whenever loss devolves. Hence it is essential for banks to strengthen ORM in the long term interest.
Rising significance of ORM
The most discussed experience of fraud of Indian Rupees 114 billion in Punjab National Bank, the second largest state owned banks in India is a classic example of how lack of focus on ORM can ransack even the best managed credit and market risk management system. Thus the failure of ORM has the potentiality to erode other well managed forms of risk.
Therefore a clear appreciation and understanding of what is meant by operational risk is critical to the effective management and control of this risk category. Sensitisation towards ORM among the line functionaries is important to avert any devolvement. It is also important to consider the full range of operational risks facing the bank and capture all significant causes of severe operational losses to take preventive measures. Operational risk is pervasive, complex and dynamic. Unlike market and credit risk, which tend to be in specific areas of business, operational risk is inherent in all business processes. Operational risk may manifest in a variety of ways in the banking industry.
Factors to be monitored in ORM
Looking to the changing dimensions of operational risks and increasing global appetite for digitisation, specific watch of banks is essential for robust ORM. The significant among them could be: (i) Internal fraud. For example, intentional misreporting of positions, employee theft, and insider trading on an employee’s own account. (ii) External fraud. For example, robbery, forgery, cheque kiting, and damage from computer hacking. (iii) Employment practices, job rotations, promotions and career growth and workplace safety. For example, workers compensation claims, violation of employee health and safety rules, organised labor-activities, discrimination claims, and general liability.
(iv) Clients, products and business practices. For example, fiduciary breaches, misuse of confidential customer information, improper trading activities on the bank’s account, money laundering, and sale of unauthorised products, misspelling and more. (v) Damage to physical assets. For example, terrorism, vandalism, earthquakes, fires and floods. (vi) Business disruption and system failures. For example, hardware and software failures, telecommunication problems, and utility outages. (vii) Execution, delivery and process management. For example, data entry errors, collateral management failures, incomplete legal documentation, and unauthorised access given to client accounts, non-client counterparty non-performance, and vendor disputes. These aspects need to be tackled to better manage ORM.
Aligning ORM strategies
Though it is well established that the approach for rigorous ORM that may be chosen by an individual bank will depend on a range of factors, including size and sophistication, nature and complexity of its activities, it is necessary to take a holistic view. However, despite these differences, clear strategies and oversight by the Board of Directors and senior management; a strong operational risk culture, that is, the combined set of individual and corporate values, attitudes, competencies and behaviour that determine a bank’s commitment to and style of operational risk management; internal control culture (including clear lines of responsibility and segregation of duties); effective internal reporting; and contingency planning are all crucial elements of an effective operational risk management framework.
Moreover, the Financial Stability Institute suggests enhanced cyber security measures as part of ORM to ring fence the banks.
In view of the increasing vulnerability, banks should have a documented cyber-security programme and a documented policy which should be well disseminated to the line management. Banks are expected to identify critical information assets that need to be protected. Testing banks’ vulnerability and resilience to cyber-risk (such as through penetration testing) is a common requirement, as well as the reporting of cyber-events.
Another common requirement relates to having clear responsibilities and accountabilities at banks as a key component of their cyber-security framework. Less common regulatory requirements include cyber-threat intelligence-sharing (although it is generally encouraged). The security capabilities of third-party providers are a critical element of any cyber-security framework but the specific supervisory approaches depend on the extent to which third parties are engaged with bank’s internal systems.
Hence, on the way forward, banks will need to work to insulate the systemic controls, procedures, checks and balances and ensure robustness of technology against vulnerabilities by a well-defined internal ORM system to prevent losses to banks. Compliance standards of ORM and test check of its efficiency need to be such that it is made impossible to compromise them.
(The author is National Institute of Banking Studies and Corporate Management (NIBSCOM) Director in Noida, India. The views are his own)
