This past summer, Zions Bancorporation in Salt Lake City deployed its new risk assessment system. The standardized, Web-based approach is an effort to create a risk management culture where the entire company identifies, assesses and manages its risk in order to ensure excellent customer service and consistent returns to shareholders. What follows is a step-by-step guide to how we put our program together.
Risk Assessment Goals and Early Technology
The purpose of enterprise risk management (ERM) is to create a standard means of assessing risk across an organization. One of its goals is to roll up different types of risk (operational, compliance, credit, market, strategic, reputation) into an organizational risk profile. This way, whatever the organization (bank, hospital, government agency), key exposures can be viewed down to control issues and action plans. In Zions' case, another goal was to create a more risk-focused culture, where business groups had greater ownership of risk and could more effectively manage its identification, measurement, monitoring and control.
Initially, enterprise risk assessment created a paperwork nightmare. Business units completed paper documents that were manually combined into reports covering risks at the department and corporate levels. Risk assessment was limited to an annual activity, which did not significantly affect corporate culture or business line behavior.
The paper challenge was somewhat alleviated in the late 1990s when automated solutions for risk assessment were created. Systems based on MS Access, Lotus Notes and more advanced platforms were developed to allow the user to enter risk information locally and then roll up those results electronically across the organization.
Regulatory Focus and Payback
Interest in risk assessment increased after the Basel Committee on Banking Supervision issued statements providing criteria on effective operational risk management. Banks around the world that meet these criteria--Advanced Measurement Approach (AMA)--under the second Basel Accord (Basel II) should be able to maintain less capital for operational risk.
Basel's December 2001 statement on the "Sound Practices for the Management and Supervision of Operational Risk" lists risk self-assessment as an approach that can be used to support internal capital allocation--the process by which economic capital is distributed within an organization. The December statement also lists risk assessment and key risk indicators (measures that highlight the increase or decrease of an organization's risks) as more "forward-looking" determinants of a company's risk profile than exclusively quantitative approaches that rely on historical loss data.
Specifically, the December statement asks banks to:
* Implement an ongoing system to identify, measure, monitor and control risk across all key business lines, processes and products
* Provide risk reporting at all levels, from the board to senior and line management
* Ensure internal audit's independence to validate risk management processes and levels
* Publicly disclose operational risk management practices and results
Under Basel II, banks that follow AMA will be able to maintain capital based on their internal assessment of risk. (Right now, banks are regulated by prescribed guidelines.) Consider the potential opportunity for Zions:
On December 31, 2001, Zions had $2.3 billion in total regulatory capital. Let us project that when Basel II goes into effect in 2006, Zions' internal assessment of its capital stays at $2.3 billion, and its operational risk capital is 12 percent of that figure. If it can demonstrate effective operational risk management (i.e., meet AMA guidelines), Zions could be in a position to reduce its operational risk capital by 25 percent, or $69 million. Assuming no other binding capital constraints (e. …