Defining and Managing Operational Risk at Community Banks. (Operational Risk Management)
Beans, Kathleen M., The RMA Journal
If credit risk is one leg of enterprise-wide risk management, then operational risk and market risk are the second and third legs. Banks that want to join the ranks of best-practice institutions are in the process of implementing advanced risk management programs. That often begins with defining operational risk.
"Defining operational risk is not just about wordsmithing," said James Lam, president, James Lam and Associates, a Wellesley, Massachusetts-based risk advisory firm. "It's about having the right scope and purpose for operational risk management." Lam made his remarks during an RMA audioconference last fall that discussed how to define and manage operational risk at community banks. He is presently working with RMA in implementing its strategic initiative on operational risk management.
"A few years ago, banks defined operational risk as all risks other than credit risk or market risk," said Lam. "Today the industry is moving toward the Basel definition: Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events."
Calling the Basel definition "generic," Lam advised banks to create a definition useful for their own purposes. "One key issue is whether to include business risk and reputational risk as part of the operational risk definition. It's important, however, not to spend too much time in the definition stage," he cautioned. "You need to get into the more important phases of measuring and managing operational risk."
Lam pointed out that many interdependencies exist between risk factors. One is the interdependency between loan documentation (an operational risk) and credit losses. "You might discover your loan documentation is not good when you sustain a high number of defaults," said Lam. "Also, the severity of losses would be much greater if you didn't have the right loan documentation.
"Another example is the interdependencies between operational risk and interest rate risk. Banks that rely on asset liability management models to measure and manage their interest rate risk could be subject to greater interest rate risk losses if their spreadsheets are wrong or data and assumptions are wrong."
Managing operational risk is important for community banks because they have to deal with the Privacy Act and the Patriot Act, said Lam. He was joined in the audioconference by a panel of three senior-level bank executives:
Jeffrey W. Leeds, EVP and chief lending officer, Lawrence Savings Bank, a $435 million institution in North Andover, Massachusetts. Leeds is responsible for credit risk management as well as all regulatory compliance.
Diane L. Koehler, SVP, Univest, a $1.3 billion financial holding company that includes a national bank, a state-chartered bank, a broker-dealer, and an insurance company in Souderton, Pennsylvania. Her responsibilities include enterprise-wide risk management, compliance, community reinvestment, security, and contingency planning.
Joseph S. Calvaruso, EVP, Risk Management, Chemical Bank Shoreline, a $1.2 billion institution in Benton Harbor, Michigan. He has responsibility for loan administration, bank secrecy, compliance, and security.
The panelists answered questions about how their banks are implementing programs to manage operational risk. The questions and answers follow.
What do you consider a full range of operational risks facing your bank?
Diane Koehler: Some of the broad categories of operational risk affect payments and settlements, such as:
* Computer failures due to a power outage.
* Telecommunications failures due to a leased line outage or a Web site failure.
* Lost data or unauthorized access.
* Questions about data integrity and security due to processing and record-keeping errors resulting in incorrect statements.
* Documentation errors.
* Software quality.
* Programming bugs.
* Insufficient contingency planning.
For example, collateral could be released due to a documentation error and a loss could result. Improperly documented loan files could be cited by examiners, causing you to hire a temp to bring those files up-to-speed--an additional cost.
Some traditional risks include:
* A delay in notifying Treasury of a need to hedge a fixed-rate transaction results in increased costs.
* Inadequate internal audit procedures employed for a high-risk area can result in extra expense to outsource a new audit.
* Failure to properly file a UCC amendment.
More expanded risks today also include:
* Fiduciary liability.
* Monitoring conflicts of interest.
* Contractual liability.
* Disaster recovery.
* Shareholder suits due to inadequate disclosures.
* Compliance with Sarbanes-Oxley.
Jeff Leeds: I'll discuss a couple of recent experiences within the context of what Diane covered. A couple of years ago, our ISP provider suddenly failed, leaving us with about 30 days to acquire a new ISP provider and get everything up and running. We had to scramble. Although we had been watching them from a financial perspective, we didn't expect that they were going to tip over so quickly.
Shortly thereafter, we had an FDIC safety and soundness examination. We were criticized for not doing sufficient testing with the new ISP provider before hiring them. This example of operational risk shows that you have to be prepared to react quickly.
Another operational risk we were unprepared for occurred last August when an electric company power grid that operates our main office failed. We had done extensive contingency planning in the context of Y2K, but we hadn't thought about the possibility of a localized power outage.
How has your bank been handling operational risk? Who's responsible?
Joe Calvaruso: Focusing on operational risk has to become a culture in the organization. Our risk management committee, which does strategic planning, has the responsibility for managing operational risk. The committee consists of senior management and a member of internal audit. The committee is chaired by me as the risk manager for our organization. We meet every other month and, depending on the complexity of the topics, discuss one to three risk areas each time.
We've tried to break operational risk down into specific areas such as legal risk and fiduciary risk. When specific risks are discussed by the committee, we bring in players from various departments that are affected. For fiduciary risk, the head of the Trust Department joins us; for legal risk, our security officer comes in.
By the end of the year, we will have discussed all the risk categories. The committee, as it goes through the risk categories, reviews the risk indicators and makes a determination about each risk area as low, moderate, or high risk. We also determine if the risk is increasing, decreasing, or stable.
Since we've determined our operational risk to be moderate, we now discuss how to manage this risk. Our loss event data is not too helpful because, fortunately, we have nominal losses.
The existence of our committee indicates the bank's recognition of the importance of managing operational risk. Before we formed this committee, our approach was piecemeal, with various committees of the bank trying to cover it. But the effort sometimes got lost because it competed with other pressing issues, like sales, for attention.
After we've identified a list of challenges in each risk area, our risk management committee follows up in subsequent meetings to determine if we've improved or slipped further in those areas. The internal audit representative on our committee follows up between meetings on these risk areas so they don't get lost in the shuffle. Just keeping that level of awareness out there and focusing on it is something that's important, especially as the bank gets larger in size.
Diane Koehler: At Univest, each business unit is responsible for monitoring its operational risk through its own internal control process and its policies and procedures. Other units such as compliance, security, branch delivery systems, and audit take a second look at their processes. Risk management then drills down further with checklists and risk assessments.
This past year we enhanced our internal controls-assessment process. In addition to having supervisors look at the controls related to their particular area of responsibility, we developed questionnaires about the internal control process for the tellers and the customer service people. Sometimes the processes being followed by line people are not quite what the supervisors perceive them to be. This feedback raised the awareness. It told us exactly how the internal controls were being followed. We relayed that information to supervisors, enabling them to fix what needed to be fixed.
Jeff Leeds: Our approach is more informal and I think that's more of a function of size. Our business unit managers are responsible for the risk of their particular areas. At an institution of our size, the chief risk officer is the CEO. The board holds the CEO responsible for the overall risk management of the bank. Our CEO works with us individually or across disciplines through a management committee that oversees various risk areas.
Define the steps and the process you have put in place to address an operational risk problem you had.
Jeff Leeds: In the case of the power outage I mentioned earlier, we learned some important lessons. The event occurred in the evening and we were unaware of the outage because the head of maintenance, who was new to the organization, didn't report it to management immediately. The power company had assured him that the problem would be resolved before the bank opened for business in the morning. This was simply a case of him not knowing that our policy is to bring the executive management into the process as quickly as possible. The next morning the problem hadn't been resolved, so as personnel began to arrive at the bank we found a dead building, so to speak.
We put our contingency plan into operation. But as I mentioned earlier, the Y2K scenario did not prepare us for this circumstance. For example, our Y2K plan was to relocate departments to branch sites if our main office building could not be occupied. But when employees arrived at the branches, they filled up the parking lots and wandered into the lobbies, milling around without direction and taking up customer space.
As a result of this experience, we now tell employees to park in the street, leaving the parking lot for customers. Had we had earlier warning about the power outage, we would have determined who was critical to the operation and not had everybody come into branches, causing them to operate inefficiently.
Departments affected by the power outage were the obvious ones. Our wire room was down. We couldn't complete a couple of commitments to get money out and get money in. We had to patch that together throughout the day. Our telephone system was totally knocked out, which wasn't a surprise under the circumstance, but we had not planned well for that contingency. Afterwards, we modified the telephone system so that callers get a voice message advising them that the main office is without power and directing them to a branch site.
We also found out during this crisis that we weren't up-to-date on everyone's cell phone numbers. These seem like little obvious things that should go without saying, but it was the crisis that made us aware of that problem. The following day we asked all managers to file a written report about the lessons learned from this crisis and what impact it had on their operations. We're still sifting through those reports, but we've revised some procedures in the meantime.
Diane Koehler: I have an operational example from within our Trust Department. We had file documentation deficiencies that were noted by Audit, but Audit never followed up on them. So when our examiners came in, they, of course, made recommendations. One was that a spreadsheet be created on files reviewed, documents that needed to be obtained, and the action that was taken to obtain them. The spreadsheet would be reviewed by the trust committee on a quarterly basis. They also recommended that the number of files reviewed be expanded. We did have to outsource part of this, so it was an additional expense for us.
Joe Calvaruso: We've had two problems at the main office. First, we had a carbon monoxide issue, but didn't recognize it. We all thought we were getting sick with the flu. Eventually, it reached a point where we had to evacuate the building and five people were treated and released at the hospital. We had to shut down our main office for half a day.
The second problem was with a title insurance company. Everybody complains the title insurance companies are slow with their refi's. Well, this company got farther and farther behind until we investigated the problem. It turned out that they weren't passing the premiums upward to the actual carrier underwriter. So we've tried to follow up more diligently on the title insurance in getting the final policies versus just relying on a commitment. The lesson learned is that you can't take anything for granted. You need to address the operational risks that occur with outside vendors. You've got to know who you're dealing with and follow up by getting financial statements and reviewing any contracts you have with the vendors.
We're also auditing the agency that's doing collections for us to verify that they are doing a good job and that we're getting the correct share of income from those efforts.
Are there some quick grids or questionnaires available that have been able to help you get a handle on your operational risks?
Joe Calvaruso: Chemical Bank Shoreline relies on RMA's 2000 study Operational Risk: the Next Frontier and also on Sheshunoff's Risk Management for Banks: A Guide for Regulatory Compliance. (Research for The Next Frontier was completed by PricewaterhouseCoopers and was done in conjunction with the International Swaps and Derivatives Association and the British Bankers' Association. It describes the best risk management techniques and identifies significant trends in risk management.)
The Sheshunoff publication provides annual updates of the OCC risk categories, including a tool you can use to do a self-assessment of your risk. It has been helpful to us and the regulators think very highly of that process.
Diane Koehler: We also have used the Sheshunoff Risk Management Checklist. The questionnaires are lengthy and time consuming to complete. Some of the questions ask for checklists of required procedures used for the origination of loans. Another question asks for the procedure to monitor employee accounts for unusual activity or unexpected large transactions.
As an OCC bank, we look at the OCC publications and I developed my own checklist from that. Examples of questions on my list are: What are the qualifications of third-party internal auditors that are performing the IT audit? When was the last penetration test run against our system and our provider's system?
Jeff Leeds: As a much smaller bank, we have not subscribed to these particular checklists. We've relied on the individual business line managers to develop their own lists and a lot of that comes from general publications in their fields, such as The RMA Journal. The Massachusetts Bankers Association also provides us with educational programs. However, we will likely begin subscribing to the Sheshunoff service.
What's the largest potential impact for operational risk management on your bank?
Jeff Leeds: A major fraud could result in bank failure.
Joe Calvaruso: Without question, bank failure is the ultimate impact. When you think you've got all the bases covered, step back and take another look because the scary thing is you can get hit with something large and not even see it coming.
Diane Koehler: Reputation risk is the one that represents the largest potential impact. Damage to your reputation from bad publicity will certainly cause a loss of market share and impede your ability to expand in the future.
James Lam: I agree that severe consequences can result from not managing operational risk, but there are also clear benefits to be gained by doing it, such as:
* Providing better customer service.
* Achieving business objectives.
* Increasing efficiency.
* Having better loss experience.
Banks also must focus closely on operational risk because the regulators expect it. My discussions with senior banking regulators indicate that fraud is one of the biggest operational risks faced by community banks.
The regulators are also looking at the tools that banks use for operational risk management, such as their loss event database, control self-assessment, and key risk indicators. These are some very basic risk measurement and business management processes. They don't require a large investment in technology.
Community banks must focus on operational risk by putting in place these tools and by focusing on education, training and development for every employee. Operational risk is the job of everyone at the bank--not just the risk management department.
Beans is senior writer and public relations manager at RMA-The Risk Management Association.…
Publication information: Article title: Defining and Managing Operational Risk at Community Banks. (Operational Risk Management). Contributors: Beans, Kathleen M. - Author. Magazine title: The RMA Journal. Volume: 85. Issue: 5 Publication date: February 2003. Page number: 38+. © 2007 The Risk Management Association. COPYRIGHT 2003 Gale Group.