
Global Perspective

Global Financial Services Industries

the risk within


In today's rapidly changing business climate, the relationship between opportunity and risk has never been more pronounced. As companies grow, every move forward embodies additional, and often new, risks. Operational risk is now on the agenda for increasing numbers of senior executives and directors. An exclusive briefing for executives in global financial services.

GLOBAL PERSPECTIVE
This monograph series is provided by Deloitte Touche Tohmatsu as a forum for sharing our perspectives on current strategic issues facing senior executives of global financial services firms. Topics are developed in consultation with senior decision makers from all sectors of the financial services industry. The authors of these articles are drawn from our firm's Global Financial Services Industries practice.

Contributors
The following professionals of Deloitte Touche Tohmatsu contributed to this edition of Global Perspective.

Mireille Berthelot, Partner; Director, Enterprise Risk Management for the Financial Services Industries; France; +33 (1) 40 88 22 95; mberthelot@deloitte.fr

Leon Bloom, Partner; Global Leader, Risk Management and Control Services for the Global Financial Services Industries; Canada; +1 (416) 601 6244; lebloom@deloitte.ca

Jocelyn Cunningham, Principal; Deloitte Consulting Group; United States; +1 (212) 436 4788; jcunningham@dttus.com

Duncan J. Galloway, Partner; National Leader, Enterprise Risk Management Services; United States; +1 (212) 436 6858; dgalloway@dttus.com

José-Luis Garcia, Partner; National Leader, Banks and Financial Institutions; France; +33 (1) 40 88 28 15; jgarcia@deloitte.fr

Malcolm McCaig, Principal; Risk Management and Control Services; Great Britain; +44 (171) 303 5388; Malcolm_McCaig@deloitte.touche.co.uk

Thomas F. Rollauer, Partner; U.S. Leader, Risk Management and Control Services for the Global Financial Services Industries; United States; +1 (212) 436 4802; trollauer@dttus.com

the risk within


Fear of the unknown is a powerful and disturbing force for senior executives and their Boards of Directors. As they reflect on their own organizations, questions like "What risks are we overlooking?" and "What am I missing?" can keep the most seasoned executive awake at night.

Certainly the stakes are high. Losses can be catastrophic, both to an organization's balance sheet and to its reputation. On a personal level, executives and directors increasingly must face concerns about their personal accountability and liability. "Did we do enough to measure the risk?" they are asking. "How could we have known that parts of our organization were out of control?"

Today, operational risk has risen on the agenda of major financial institutions, and it is not hard to see why. Financial institutions are often at the forefront of change and major growth trends. These range from globalization to forays into new markets. They include industry and product transformation, and the assimilation of complex information technologies. Along with new business opportunities, these trends can contribute to some of the greatest risks facing financial institutions today. And unfortunately, among these risks are some of the least understood.

Defining operational risk

Operational risk encompasses a wide range of risks that can interfere significantly with achieving business objectives. Operational risk is broader than the traditional credit and market risks facing financial institutions. It often stems from deep within the heart of a business, in its systems, procedures, or management controls and practices. As such, this risk could be called "the danger within." Unlike more commonly understood and quantifiable risks, such as credit and market risk, there is a perception that operational risk is difficult to assess and manage. Businesses may even avoid dealing with it altogether.

Awareness of operational risk, however, has increased among Boards of Directors, chief executive officers (CEOs), and other high-level executives and managers. Key drivers behind this heightened awareness include numerous highly publicized control failures occurring in the financial industry in the 1990s, an important report on operational risk management published in late 1998 by the Risk Management Sub-group of the Basle Committee on Banking Supervision, and an onslaught of regulatory activity around the world.

Key questions

Although awareness at the board level has increased, a gap often exists between it and the other layers of the organization. Asking the three questions below will reveal much about the progress an organization has, or has not, made in dealing with operational risk throughout the company:

1. Can the CEO and other top-level management clearly identify the portfolio of operational risks their enterprise faces, including those faced by each business unit?
2. For each of these identified risks, is there clear and accountable ownership within the organization?
3. Is the organization in control of these risks? Can senior executives and the front-line business unit managers clearly demonstrate this control at any given time in the context of the organization's business objectives?

In our experience, answers to these questions do not come easily. Often it is because organizations have not clearly identified and clarified specific elements of operational risk. Yet once an organization has done this, it is possible to categorize operational risks, attach potential costs, and set up effective controls to minimize the potential damage.

Sources of operational risk

Strategic/enterprise risk
Transaction processing/control error
Information systems failure or error
Breach of regulatory compliance
Human resources risk
Service quality risk
Break of company policy
Fraud
Political risk
Catastrophic risk

Global Perspective Operational Risk

How high are the stakes?

Without these controls, how serious a problem is operational risk? Consider the 1995 collapse of England's Barings Bank, an institution brought down by the actions of a single rogue trader. Hindsight has shown us that this was an operational risk that could have been anticipated and prevented through proper segregation of duties and appropriate supervisory approvals.

In recent years, the Barings debacle and other similar incidents have raised operational risk from a secondary concern to primary status in the eyes of global financial institutions, and their clients, shareholders, and regulators. If costly losses are to be avoided, financial institutions must embrace operational risk management, making it an integral part of their corporate culture, at all levels. This means resisting the temptation to do nothing more than comply with established and often outdated practices of risk control. Instead, leading global financial institutions are developing and implementing the operational risk controls that will become the best practices in their industry.

But these businesses have more to gain than simply being the standard bearers. Better risk management controls mean that these companies are less likely to experience major losses through error, fraud, or failure to deliver services in a timely manner. In the case of one leading bank, the sound management of operational risk is included as part of the selling proposition to new customers, to help differentiate the bank and establish competitive advantage.

2 Deloitte Touche Tohmatsu, Global Financial Services Industries

the new priority


Given the magnitude and velocity of change in the financial services industry, there is an urgent need for operational risk to be addressed in a clearly defined way.

Many institutions have yet to bridge the gap between identifying key risks and putting in place an effective assessment and control structure. In the financial services industry, this growing urgency for better operational risk management can be attributed to:

Accelerated growth and change. Financial institutions now are handling a growing number of transaction types as well as increased volumes, not to mention new methods of distributing products and services. Organizational structures also are changing. These changes involve complex matrix structures or far-flung virtual organizations, increased centralization, or in many cases decentralization. Growth and change bring new risks.

Industry consolidation. The wave of consolidation in the financial services industry through mergers and buyouts underscores the mirror-image relationship of opportunity and risk. These high-opportunity endeavors enable an enterprise to achieve strategic objectives more quickly or cost-effectively than through internal expansion. But with these opportunities come the hazards that arise when assimilating the personnel, business practices, and control culture of another organization.

Industry convergence. The distinction among the pillars of the financial services industry (that is, banking, insurance, brokerage, and trust services) has become blurred. As a result of this convergence, more organizations are offering products and services that are new to them. These same organizations are expanding their geographic reach, selling their services in new markets. Both these phenomena bring additional risks.

Globalization. Financial institutions are expanding their geographic scope, conducting business in more countries and markets than ever before. With this expansion, new corporate cultures, processes, and non-traditional business relationships must be dealt with. Risks include new competitors, and differences among countries in areas such as ethics and corporate governance, laws and taxation, currency exchange, markets, and customers.

Complex information systems. Dramatic advances in technology, such as the development of an entirely new distribution channel (the Internet), and the rapid assimilation of these technologies produce new and exaggerated risks. These innovations bring with them new risks, including everything from data and system security to new personnel requirements. Constantly evolving responses are required to manage and control the risks associated with these types of technical advances.

The rate of change and growth in all these areas underlines the need for a pervasive approach to risk management that starts with the board and filters down through every level and business unit of an organization.

Along with protecting a company from potential risk-related damage, effective risk management can contribute to the bottom line. Benefits of effective risk management include protection of assets by preventing major financial losses, protection of shareholder value, avoidance of regulatory censure, ability to render services without interruption, and maintenance of good reputation and public confidence.

Major operational failures can deal such a severe blow to a firm's reputation that it never recovers. Clients are lost and prospects evaporate. In the U.K., the inappropriate selling of pension transfers and opt-outs caused a downturn and loss of confidence in the entire personal pensions market.

[Figure: An evolution of risk management practices. Labels shown: Credit Risk Management, Financial Risk Management, Organizational, Integrated Risk Management; decades 1970s, 1980s, 1990s; risk types Credit, Market, Business Operations, Operational.]

The regulatory environment

Regulatory bodies around the world are beginning to focus more closely on operational risk and are developing policies and standards of business practice to deal with it. These generally involve capital adequacy requirements to protect against insolvency and financial losses to clients and the public. Driving the regulatory actions are agencies such as the Bank of International Settlements, whose members include the central bankers of the G-10 countries, and the Federal Reserve Board and Securities and Exchange Commission in the United States.

But the movement toward a stricter regulatory environment is worldwide. There has been a tidal wave of regulatory initiatives in both developed and developing countries. And while developed countries have had somewhat of a head start in establishing operational risk management regulations, those being introduced in countries like Mexico, Brazil, Argentina, Hungary, Greece, and Korea have more "teeth." The penalties for noncompliance tend to be more severe than in developed countries.

Taking the lead

For the global financial services industry, there is a huge advantage to individual institutions taking a leadership role in developing best practices. First, regulators are looking to the industry for methodology, methodology that can be "built in" rather than "built on." Institutions that demonstrate a solid, disciplined approach to risk management are more likely to be allowed to maintain their own processes, rather than have standards imposed upon them.

Just as important, institutions that are ahead of the game begin reaping benefits sooner. On a financial level, the avoidance of a major catastrophe is a superior alternative to dealing with the impact of an operational failure. A risk-control strategy is much preferable to after-the-fact questions such as: "Why didn't management prevent this?" "Where were the board and the audit committee while this was going on?" "Why didn't the auditors and regulators do something to prevent this?"


recognizing and controlling risk

The risk-assessment process varies from organization to organization. But basic principles apply universally: Risks must be clearly identified and precisely articulated before they can be controlled.

A team of mountain climbers with the goal of reaching the peak of Mount Everest knows that cold temperatures are a threat to their goal and their lives. But managing the risks of hazardous temperatures involves more than an acknowledgment that cold is the issue. The risk must be clarified and assigned specific values. Climbers must know that cold in this case really means temperatures of 50 or below. Only then can adequate steps be taken to deal with the threat. Specific types of clothing and equipment are required to deal with cold of below 50, as opposed to the cold of a frosty winter day.

And so it is for business. Operational risk comprises a wide spectrum of risks. How does an organization begin the categorizing process? Starting points include:

Regulatory and legal issues. Regulatory requirements for financial institutions are changing rapidly. Add these changes to the already extensive legal reporting requirements for things like derivative trading, and the need to abide by the highest standards of professional practice.

New technology. The technology that allows financial institutions to better conduct business is fraught with risks. System failures, hackers, data theft, and corruption all expose the organization to risk. The need for secure systems is crucial. Identifying cracks in the security of those systems is operational risk management.

E-commerce and the Internet. Selling products and services through new, electronic channels exposes institutions to a multitude of risks. These involve everything from security breaches to theft of data, all of which can lead to loss of revenue. An increasing number of people with access to strategic information and systems also increases the possibility of loss. These threats come from within the organization and from outside, including monetary and information theft, computer viruses, integrity of data, and sabotage of internal systems.

Outsourcing. With a growing trend toward outsourcing of services, including corporate services at home offices and call centers, organizations take on additional risk. A contract with a third-party supplier may involve risks inherent in the outside operation, which may not be immediately apparent. Yet from a regulatory point of view, the institution, not the supplier, is liable for any problems that result from this business relationship.

Human resources. Personnel are not predictable. Employees may engage in practices that violate company policy through unintentional errors or through intentional illegal acts such as fraud or theft. They may exceed their authority, or engage in unethical or risky business practices. Controls must be in place to guard against these possibilities. For example, Daiwa Bank's loss of $1.1 billion caused by an unethical bond trader could have been avoided through a healthier and stricter control culture.

Managing risk to limit exposure

Risk - Control = Exposure (R - C = E)

Risk: Anything of variable uncertainty and significance that interferes with achievement of business strategies and objectives.

Control: Action to correct or reduce uncertainty or the significance of outcomes to an acceptable level, through risk management, transfer, or avoidance.

Exposure: Susceptibility of business strategies and objectives to risk remaining after control and mitigation activities.

[Figure: exposure plotted against Impact and Uncertainty, showing regions of unacceptable exposure and acceptable exposure.]

How to assess risk

The next step in avoiding potential risk-related losses is to decide which of the above areas (or other areas) are of greatest concern. This involves examining business objectives, identifying and articulating key business risks, and assessing the likelihood and potential impact of the risk occurring. Approaches to identifying and assessing risk include:

Identifying risks. Details of past losses and problems associated with operational risk should be assembled. All financial institutions have some history of operational losses, whether they stem from fraud, computer breakdowns, regulatory penalties, or other sources. Unfortunately, this type of information is not always readily available. But historical data are not the only recourse. And historical data are not useful in identifying new sources of risk. Instead of putting too much emphasis on statistical models that predict frequency or severity of problems, the focus really should be on understanding why the problems occurred.

Assigning values to those risks. It is essential to know which operational risks are most critical to the firm's capital and future. The more important they are, the greater the need for control.

There are numerous ways of categorizing the magnitude of risk: for example, on a scale of 1 to 10, or as "high," "medium," and "low" priority. Once the risks have been specified and values assigned, the organization should first set priorities. Then it can direct attention to controlling those risks that could do the most damage to the business.

This type of risk assessment may even lead a company to abandon a business area or product, particularly if the cost of controlling risk cannot be justified by the potential return. In other words, an organization must be comfortable with the degree of risk it takes. For example, a major insurance company wanted to triple the volume of business through its call centers over a period of four months. When it realized that the new operational risk profile was beyond the risk appetite of the organization, it reconsidered its strategy.

Conversely, some risks may be so slight they aren't worth controlling. In these cases, an institution might say: "This could happen, but if it does we can afford the loss."

Financial implications

Assigning a financial value to risk can be achieved through a number of means. Some organizations use statistical models, while others use a qualitative assessment approach. The type of risk and the availability of historical data would determine which approach makes the most sense. Then the process works in much the same way that an insurer decides how much to charge a car owner for insurance: Start with a basic assessment and refine.

For a car insurer, the first step might be to determine the make and model of car, then use actuarial tables to determine a basic insurance amount. Factors such as the driver's age, driving record, and city of residence then come into play to further qualify the insurer's risk. In addition, the insurer makes risk more specific by determining how the car will be used: weekend driving, commuting to work each day, or traveling long distances. Then an insurance premium is set, based not only on past experience, but future expectations.

Experiences and expectations may differ among business units within a single organization. A unit with more inherent risk in its systems and business practices will require a larger allocation of capital or insurance to protect against risks. The cost of allocating this economic capital will make it a greater challenge for these units to achieve profitability targets. Nevertheless, employees who help manage risk will lower the risk-adjusted economic capital costs, and should be recognized and rewarded for doing so.

where does your organization stand?

Here are the key questions to ask when assessing an organization's current operational risk management structure and future strategy:

How does the Board of Directors receive information on operational risk? What type of information do members receive, and through which committees?
How does the board monitor operational risk?
What level of accountability does the board assume over operational risk?
What risk management infrastructure is in place?
How does operational risk management interface with other risk management activities, such as credit and market risk?
Can established risk management methodologies, including self-assessment of risks, be described?
How are economic capital allocations adjusted to reflect potential and previously experienced operational risk?
How is operational risk leveraged for competitive advantage?
How is product pricing affected by risk adjustments based on past experience and future expectations?
What technologies are used to support operational risk management?
What methods are used to create awareness of and identify operational risk throughout the organization?
How is operational risk "owned" in the organization? Can operational risk ownership be described and accounted for at every level within the organization?
What is Internal Audit's role in operational risk management?
What groups are involved in operational risk management (for example, Corporate Compliance, Corporate Risk and Insurance, Internal Audit, the Legal Department)?
What impact has operational risk had on insurance decisions?

from a problem to a process

Organizations must move away from a reactive approach to risk-related problems. Instead, they require a systematic, disciplined, and proactive methodology that identifies potential problems before they appear.

For risk management to be effective, a continuous, self-sustaining process for risk identification, assessment, and management must permeate all levels of the organization, driven by the board and the CEO. Many institutions seek outside help in assessing and developing their operational risk controls. A third party brings the benefit of previous experience in developing and implementing methodologies, and a knowledge of what works for different types of organizations and industries.

Effective implementation of an operational risk management process must encompass all aspects of an organization. It requires an organizational model. Dedicated risk management resources in business units are needed, and they need the support of senior management. Operational risk management is most effectively implemented when key stakeholders work together, for instance, risk management, internal audit, information technology, and business unit management.

A new discipline

The discipline of operational risk management must be formalized, within a clearly identified structure. There is no single approach. For some organizations, an operational risk management unit is the best solution. For others, it may be prudent to assign responsibilities for the risk management function to a risk manager and committee, or the internal audit department.

Regardless of the approach, all levels of management must be individually and collectively responsible. Ownership of risk at all levels of the organization is critical. A major fraud attempt was halted at a leading international bank, for example, because the staff member handling the transaction was "risk aware" and became suspicious.

People within an organization succeed and create value through achieving objectives. The better they manage the risks standing in the way of those objectives, the more value they create. Incentives must be in place for line managers. The ramifications of not adhering to risk management practices must also be clear. For example, the opportunity and financial value of risk management and its potential contribution to a business unit's bottom line should be clear. This can involve tying risk management to salaries, bonuses, and performance reviews. Operational losses should be charged to the related business or product area.

The rapid rate of change in the financial services industry offers both challenges and opportunities. Those financial institutions with enterprise-wide operational risk awareness and ownership, and clear processes to monitor and manage it, will be best equipped to embrace change and profit from it.


setting the foundation for a process
Here are seven operational risk management best practices to consider when designing an operational risk management strategy:

Establish accountability for risk management with appropriate operational managers.

Engage operations management and others in processes that provide sound business value for their efforts, with control assurance as a byproduct.

Ensure that controls can be applied across the entire organization, with enterprise-wide consistency but still allowing for local customization.

Enable management to optimize and control investments by carefully weighing costs and benefits.

Provide a process that can be reviewed and self-sustained by the organization on an annual or more frequent basis.

Engage, educate, enthuse, and enable the people in the organization, at all levels, to embrace risk management responsibilities.

Provide quantitative and qualitative measurements of risk throughout the organization.

While these principles form the basic platform of an effective strategy, they are not written in stone. The management of operational risk remains an evolving science. Today's best practices may not be suitable five years, or even one year, down the road. Organizations, their structure, and the business and regulatory environment will change.

Global Financial Services Industries


Deloitte Touche Tohmatsu serves financial services firms globally through our Global Financial Services Industries group. GFSI's industry specialists represent every major financial center in the world and bring decades of experience and leadership in banking, securities, insurance, and investment management to each client assignment. GFSI teams develop value-added services to address the issues and trends facing the financial services industry, and apply them to the specific needs of our clients. Complex global assignments are carried out by industry specialists who bring the full scope of Deloitte Touche Tohmatsu expertise to client operations around the world. The oversight provided by global practice leaders means that our clients receive uniform, quality service wherever they do business, anywhere in the world.

Deloitte Touche Tohmatsu is one of the world's leading professional services firms, delivering world-class assurance and advisory, tax, and consulting services. More than 82,000 people in over 130 countries serve nearly one-fifth of the world's largest companies as well as large national enterprises, public institutions, and successful fast-growing companies. Our internationally experienced professionals deliver seamless, consistent services wherever our clients operate. Our mission is to help our clients and our people excel.

© 1999 Deloitte Touche Tohmatsu. Printed in Canada.
