In the pure idiomatic sense, “Banana Skin” refers to something which causes or is likely to cause embarrassing problems and that is what we as banks face each and every day in the, dynamic, extremely complex, technologically advanced, compliance-centric and extremely customer-focused new age of banking. Essentially, as a financial institution we are in the very business of Risk Management and reallocation so it’s at the core of anything and everything we do. Cultural inculcation of Operational risk management as a way to do business is a must. To quote Warren Buffet “Risk comes from not knowing what you are doing”
Understanding Operational Risk (OR)
Growing number of high-profile operational loss events worldwide and even in India have led banks and supervisors to increasingly view operational risk management as an inclusive discipline. OR is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
Internal Process – Ever evolving, both with respect to external compliance, technical improvement and customer feedback, Internal Processes should be in larger compliance with the regulatory guidelines and land of law if there is a flaw unto that bank would stand to get penalised / censured e.g. RBI has been very active on KYC/AML compliance and they have penalised various banks on account of any breaches thereof.
People – The most dynamic productive asset prone to host of behavioural issues, Employee fraud, Information leakages, deviation to the laid down policies and procedures, Data privacy and all most all other areas of operation exposes a bank to host of operational risks with both financial and reputational ramifications. When we talk of OR about ‘People’, how can we forget Nick Leeson and the mighty Barings Bank.
Systems – They always have a scope of improvement and some lose ends. When the world is moving from internet banking to mobile banking, e-wallets to WIFI enabled Correspondent Banking model, having state of the art and utmost secure system is a pre-condition to the very existence of a bank. Similarly, it opens up the Pandora’s Box of operational risk events also. Banks’ vulnerability to cyber terrorism and hackers targeted action can jeopardise their very existence some time.
External Events – We live in a dynamic world. In today’s global village no one lives in isolation; be it a disturbance in the Gulf or FED rate hike. The Indian scenario is extremely complicated when it comes to external events which includes frequent natural calamity warranting effective business continuity/contingency plan, communal disturbances and standard operating procedure, or, RBI/SEBI responding to a scam like Multiple DMAT account scam in 2004-06 which led to a ban on branch network expansion for a whole host of leading banks. Financial institutions like banks are generally impacted in one way or the other. Even a natural or manmade catastrophe, say terrorism, warrants proven business continuity and disaster preparedness plan, to assure the immediate continuity of all essential operations in the aftermath of a disaster and the eventual continuity of all other operations. This plan has to be continuously updated and tested to assure ongoing readiness.
Practically the scope of Operational Risk Management (ORM) is exhaustive and not as simple as it sounds theoretically; it requires cultural and systemic updation as well as sophistication for Operating resource Management System (ORMS) to serve its purpose. But as is said, a stich in time saves nine, ORMS is the system which finds the place to put that one stich which would eventually save the nine (Catastrophic outcome of ORE).
What is Operational Risk Event (ORE)?
An operational risk event is an incident/experience that has caused or has the potential to cause material loss to the bank either directly or indirectly with other incidents. The following types of operational risk events has the potential to result in substantial losses:
Just like any early warning system, OREs can be identified or spotted by these three intellects working in close coordination with one another.
Human Intellect: Experience, judgment and intuition are the factors which can be judged by sharpness, foresight and experience of the human resources of the organization.
Artificial intellect: Linked Events, Systematic check and balances through state of the art tools and technology, Data mining, Analytics.
Regulatory Intellect: Regulatory requirement – regulator requires recognition of specified events or sequence of events leading to indication of a future risk event.
ORMS is the cost of doing business and hence an extensive Operational Risk Management System is a must. It requires good deal of sophistication and standardization, benchmarking, data mining and modeling so as to inculcate a continuous, exhaustive, measured, monitored, flexible and time bound response to the various events taking place.
Profiling Your Risk Appetite
- Benchmark acceptable risk by documenting Org.’s risk appetite
- Accept risk when benefits outweigh the cost and the risk is within acceptable organizational/regulatory limits by deciding on Org.’s risk trade off
- Accept no unnecessary risk or fixing Org.’s risk averseness
- Anticipate and manage risk by planning by putting a robust ORMS in place
- Make risk decisions at the right level and involve everyone in execution by making the ORMS structure a two way stream with policy flowing from the top management and continuous feedback from all the levels in the organization
The way forward….
OR profile of each institution is unique. Furthermore, it’s a constantly evolving discipline with advent of new technology, complex business model, applications and compliance guidelines but the broad framework should be firmly in place and flexible enough to be modified with the ever changing scenario.
In light of tailor made ORMS, banks can mitigate risk by insuring, hedging financial transaction or avoiding specific one, in tandem with the fully functional tech/telecom back up with live interconnected internal control mechanism.
Employee empowerment, enlightenment and ownership on OR issue is the way forward. It is ultimately the people who run processes and the system. So, if this primal variable is active and agile and has a clear line of sight on the issues and its response, things will be better. To quote Theodore Roosevelt, “Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.”