Defining and Managing Operational Risk at Community Banks. (Operational Risk Management)
Beans, Kathleen M., The RMA Journal
If credit risk is one leg of enterprise-wide risk management, then operational risk and market risk are the second and third legs. Banks that want to join the ranks of best-practice institutions are in the process of implementing advanced risk management programs. That often begins with defining operational risk.
"Defining operational risk is not just about wordsmithing," said James Lam, president, James Lam and Associates, a Wellesley, Massachusetts-based risk advisory firm. "It's about having the right scope and purpose for operational risk management." Lam made his remarks during an RMA audioconference last fall that discussed how to define and manage operational risk at community banks. He is presently working with RMA in implementing its strategic initiative on operational risk management.
"A few years ago, banks defined operational risk as all risks other than credit risk or market risk," said Lam. "Today the industry is moving toward the Basel definition: Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events."
Calling the Basel definition "generic," Lam advised banks to create a definition useful for their own purposes. "One key issue is whether to include business risk and reputational risk as part of the operational risk definition. It's important, however, not to spend too much time in the definition stage," he cautioned. "You need to get into the more important phases of measuring and managing operational risk."
Lam pointed out that many interdependencies exist between risk factors. One is the interdependency between loan documentation (an operational risk) and credit losses. "You might discover your loan documentation is not good when you sustain a high number of defaults," said Lam. "Also, the severity of losses would be much greater if you didn't have the right loan documentation.
"Another example is the interdependencies between operational risk and interest rate risk. Banks that rely on asset liability management models to measure and manage their interest rate risk could be subject to greater interest rate risk losses if their spreadsheets are wrong or data and assumptions are wrong.
Managing operational risk is important for community banks because they have to deal with the Privacy Act and the Patriot Act, said Lam. He was joined in the audioconference by a panel of three senior-level bank executives:
Jeffrey W. Leeds, EVP and chief lending officer, Lawrence Savings Bank, a $435 million institution in North Andover, Massachusetts. Leeds is responsible for credit risk management as well as all regulatory compliance.
Diane L. Koehler, SVP, Univest, a $1.3 billion financial holding company that includes a national bank, a state-chartered bank, a broker-dealer, and an insurance company in Souderton, Pennsylvania. Her responsibilities include enterprise-wide risk management, compliance, community reinvestment, security, and contingency planning.
Joseph S. Calvaruso, EVP, Risk Management, Chemical Bank Shoreline, a $1.2 billion institution in Benton Harbor, Michigan. He has responsibility for loan administration, bank secrecy, compliance, and security.
The panelists answered questions about how their banks are implementing programs to manage operational risk. The questions and answers follow.
What do you consider a full range of operational risks facing your bank?
Diane Koehler: Some of the broad categories of operational risk affect payments and settlements, such as:
* Computer failures due to a power outage.
* Telecommunications failures due to a leased line outage or a Web site failure.
* Lost data or unauthorized access.
* Questions about data integrity and security due to processing and record-keeping errors resulting in incorrect statements.
* Documentation errors. …