Bankers, Regulators Embrace Fuzzy Science of Ops Risk

By Jeff Horwitz, AmericanBanker.com

Operational risk has become the flavor of the moment at industry risk management conferences and training sessions recently. Pioneering banks are developing new risk indicators, performing scenario analyses and grappling to quantify reputational risks.

Regulators are preaching the ops risk gospel, too, exhorting lenders of all sizes to embrace a risk-management culture. 

"Strong banks realize that the goal is not to avoid risk, but rather that they can understand it and earn an appropriate return for accepting it and managing it," Deputy Comptroller for Operational Risk Carolyn DuChene told an American Bankers Association conference last month in a keynote speech about the "5 E's of risk management."

If DuChene's message seems obvious, or a bit frothy, it might be because boiled down to its essentials ops risk is a mix of prudent management and contingency planning—ingredients that have been fundamental to the banking since its inception.

The Basel accords defined ops risk 15 years ago as "risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." Turning these very general concepts into quantifiable calculations became part of banks' regulatory requirements.

"Once there was a requirement associated with ops risk, it created a mini industry in trying to measure that," recalls Karen Shaw Petrou, who's skeptical that such risk can be rendered in useful numerical terms.

The early efforts proved of questionable benefit. More recently, chastened by failures ranging from the foreclosure documentation debacle to gaping anti-money laundering lapses, banks and regulators have redoubled their efforts to detect and quantify ops risks.

One result has been a new lexicon of jargon, vendors hawking color coded risk dashboards and specialty ops risk consultancies. All were on prominent display at the ABA's annual risk management forum last month in Baltimore.

Not yet apparent is whether banks will generate value by rebranding sound business judgment and contingency planning as a cutting-edge discipline. Research on ops risk losses suggests that such failures correlate to the level of complexity and credit risk an institutions assumes. As a result, treating ops risk as something that once quantified can be easily tamed may create a false sense of confidence.

Before the 2008 financial crisis, "a lot of the profession already had operational risk people in place," says Clifford Rossi, a former risk manager for Washington Mutual who now teaches at University of Maryland's School of Business and contributes to American Banker. "Did it save any of those institutions? Hell no."

Quantifying ops risk does appear to have had successes. In certain data and technology-heavy areas, like computer security, major banks have performed quite well. If ops risk simply involved extending similar rigor and data improvements to other departments, it would likely offer big benefits.

"Once you start tracking [operations losses] systemically, with standard definitions, a lot of times you'll be surprised by additional information you can glean from these metrics," says Jane Yao, the ABA's senior vice president of benchmarking and surveys. "I think we've come a long way" since Basel's early days, she adds.

But the dangers in the latest ops-risk boom were on display at the ABA's recent forum. Experts seemed bent on deputizing risk managers as the hall monitors of institutional culture, diverting responsibility from business managers. Moreover, the treatment of ops risk management as a budding scientific discipline populated by experts could end up shield its practitioners from outside, common-sense scrutiny.

The risk manager for a Midwestern bank indicated that she saw herself as a buffer between the line managers and the board, even if important messages get muted along the way.

"Making sure you don't get any unexpected surprises during the board meeting, I think that's what we don't like," she advised during a panel.

A prominent risk management consultant also advised conference room full of risk managers act like diplomats, softening bad news and delivering it in a way that's "culturally acceptable."

"Don't report the sky is falling," he advised. "Instead say that it's cloudy, and work your way up."

This doesn't sound liked the sort of aggressive self-scrutiny the industry should be encouraging.

"It works effectively when the operational risk organization is there to be the devil's advocate," says Rossi, whose unvarnished message to WaMu's senior managers about its shoddy mortgage underwriting practices led to his rapid departure in 2007.

The top executives who actually run banks are not about to let operations risk managers trump them. A more suitable role is for the ops risk experts to give managers and regulators a greater sense of comfort with complex businesses.

"Once you can measure [operational risks], you can try to quantify the acceptable level of risk you need to get the return you're seeking," the OCC's DuChene told the ABA forum.

Despite all the talk about advances in operational risk, recent research suggests that its high correlation to complexity and governance has changed little over the years.

"Firms suffering from different types of operational risk events tend to be younger, more complex and financially weaker," researchers wrote in "The Determinants of Operational Risk in U.S. Financial Institutions," an August 2012 paper in the Journal of Financial and Quantitative Analysis. Using 25 years of operational loss data compiled by Fitch, the authors found that operational risk was largely a function of a firm's structure and governance. Lapses were correlated with both each other and with the fundamental management.

"The common assumption of independence of [operational risk] events within the firm may be seriously flawed," they concluded.

In other words, banks would likely benefit from putting less effort into quantifying everything and more into improving their governance and internal controls. In the end, such changes would be of great value to the industry, Petrou says.

"The challenge is that the platitudes don't bite, and the regulators don't hold anyone responsible until after controls are deemed faulty," she says.