Several years ago operational risk was called a “fairly poisonous cocktail,” an apt
description that is as pertinent today as it was in 2000. The reasons are clear. Most
financial organizations began their entry into risk management using models drawn from
the credit, market, interest rate, and foreign exchange fields where they accumulated
considerable credible data and experience. As enterprise risk management began to attract
attention they lumped almost all remaining risks, many of which had to be treated on a
qualitative basis because of the absence of data, into the catchall phrase “operational.”
This subject is on the top of the “rush” file these days because of the advent of the Basel
2 requirements that take effect in 2005, recent regulations on compliance and governance
from the US Sarbanes-Oxley law, the Financial Services Authority in the UK, and stock
exchanges in various countries, and from a realization that most of the major threats and
opportunities for organizations come from the operational arena.
Three countries provide fresh perspectives on managing operational risk: Canada,
Hungary and the US.
Canada. Just over eight years ago, I first wrote about the innovative program at Canada’s
Royal Bank Financial Group, created under the leadership of Murray Corlett, now retired
(see RMR December 1996). RBFG operated then in some 200 countries with a global
staff of 425 supporting its integrated risk management function, started in 1993. Corlett
established a “risk framework” that divided risk into three levels. At the top was
systemic risk. Level 2 held political, reputational and regulatory/legislative risks. Level 3
included credit, market, people and “operating” risks. Last fall I listened to Sandra
Odendahl, Senior Manager at RBFG, present a case study of her institution’s use of this
framework for environmental problems. She described these as affecting all of the bank’s
core businesses of lending, finance, purchasing, owned real estate, and operations. She
started with an internal review of the effects of environmental risks, followed by a similar
external review involving image and reputation, concluding with communication with key
stakeholder groups. Communicating the identified environmental situations and related
responses was the primary activity once the analyses were complete and prudent responses
developed. Her case study was carbon risk, in which the initial analysis was
based on the Kyoto Protocol (to which Canada is a signatory). It focused on both
downside risks and upside opportunities (in the newly-developing greenhouse gas
emissions trading market). It is significant that RBFG emphasized the potentials for both
benefits and harms from this analysis. I was also impressed by the bank’s goal of
enhancing its relationship with external stakeholders through education and information
on environmental situations.
Sandra Odendahl launched her project in May of 2002 and completed it in September
2004 with a report to both internal and external audiences on key risk issues, the
emissions of the bank itself, new market opportunities, a basic primer on climate control
and a review of the Kyoto Protocol. She reported that the bank learned several important
lessons from her project:
- Communication can educate/inform stakeholders, show the bank’s appetite for
risk, and enhance external relationships.
- Key stakeholders for environmental risk communication are easily identified.
- Communicate internally first, especially when there is a change in a risk or
opportunity.
- A common risk language facilitates internal risk communications.
- Use multiple methods of communication.
Her work echoes many of the precepts of the Global Reporting Initiative (GRI), a group
formed in 1997 to encourage sustainability risk assessment and reporting. See the new
“non-financial” reports from some corporations. Swiss Reinsurance Company issues one
of the best I’ve seen to date. Others that have received acclaim include Novo Nordisk,
BP, BAT, Rabobank, Rio Tinto, Hewlett-Packard and Unilever. I stress that
organizations should listen to and understand the risk perceptions of external
stakeholders, including shareholders, but they should continue to hold their primary focus
on managing the firm well and prudently, not bending to external pressures unless they
become serious.
Here is an area where exceptional operational risk analysis and response can be used to
create improved public credibility and confidence.
Hungary. My second example is a recent paper prepared by three officers from
Hungary’s Magyar Nemzeti Bank, Lászlo Baki, Dr. Péter Rajczy, and Márta Temesvári
(a reader of RMR). In it (“Assessing and Managing Operational Risks at Magyar Nemzeti
Bank,” October 2004, copy available from
www.mnb.hu/Resource.apsx?ResourceID=mnbfile&resourcename+MT32en) the authors
ask first “What is considered a risk? Generally and in a positive interpretation, risk is the
chance of gain, while in a negative interpretation it is the danger of loss of value.”
Unfortunately, they immediately compromise this clear and effective start by the
allegation that “operational risk only involves the danger of loss (my italics).” Like Basel
2, they define operational risk as encompassing people, processes, systems and external
events that cause “physical damages.” They correctly exclude strategic and reputational
risk. After I first read their paper, I wrote them an email with an example of the
ambiguous nature of any unexpected event. Many years ago, I learned of a branch bank in
New York State that burned to the ground one day. Under normal circumstances, this
would have been a major financial hit whose results might have been felt for two to three
years. Yet this bank had a pre-tested emergency plan ready. Within 24 hours, it had
installed a fully equipped (and protected) trailer on the site, called its customers, placed
full-page ads in the local papers and made sure that its customers would not have the
slightest interruption of service. The result: this branch actually increased its deposits
over the next year, the result of taking positive advantage of a negative event. We must
study the dual positive and negative faces of risk.
The Magyar Nemzeti authors correctly acknowledge that the “value” exposed to
unexpected operational events cannot always be measured in money, that “goodwill” and
“reputation” may be more important than cash. They see “reputation as a value exposed
to risk,” not as a risk itself. This is an important distinction that many organizations in
North America miss. They also recognize that risk likelihoods and consequences are
changing over time: they suggest that their “risk matrix” be monitored and adjusted by
“repeated surveys.” In addition they rate the quality of their risk analysis/response
process in terms of five factors: level of control strategies and practices, human factors,
effects of changes, level of IT/infrastructural support, and level of preparedness for
emergencies. They collect historical data for their operational risk database but
acknowledge the inherent problems in its credibility. Managing emergency situations
warrants a separate section in their paper, as it should! I noted to them that the primary
focus of any continuity planning should be not simply recovering or returning to the pre-event
status quo, but rather trying to take advantage of the unexpected event to improve a
market, cost, income or reputation position, witness the bank example above. Be
aggressive about risk, not neutral!
Finally, Ali Samad-Khan, another of those knowledgeable expatriates from Bankers Trust,
has written a scathing critique of the application of the new COSO framework (see RMR
December 2004 and October 2003) to operational risk. “Why COSO is Flawed” is
required reading for those interested in the practical application of operational risk
analyses and responses. It’s from the January 2005 issue of OperationalRisk and is
available at www.operationalriskonline.com.
Samad-Khan agrees with the insight of Murray Corlett from almost a decade ago:
operational risks are the most significant facing organizations today. A consensus
framework is needed, but, he argues, the new COSO guide “is completely inappropriate
for use in operational risk management.” He finds its logic “specious” and its definition
of risk “wholly inconsistent with the definition of risk used in the risk management
industry and by the BIS.” He goes on: “The method COSO prescribes . . . is highly
subjective, overly simplistic and conceptually flawed” and “likely to do more harm than
good” if applied.
He proceeds to dissect COSO’s “likelihood-impact” framework (using an actuarial
approach), suggesting that it can produce both false positives and false negatives. He
argues that adoption of COSO will result in greater control of areas already over-controlled
and excessive use of resources and concludes with four recommendations:
- “Risk management must provide managers with objective information to help
them understand where their risks really are, not ask them to guess where their
risks might be.” (I have some concern about this apparent over-emphasis on past
experience, to the exclusion of scenario analyses of possible future unexpected
events. The Royal-Dutch Shell experience over the past twenty years proves the
value of intelligent guesses about the future.)
- “Risk Management must help managers understand how well their real risks are
being managed through their existing . . . controls. . . . One cannot have a zero-tolerance
policy towards operational risk.”
- “Risk Management needs to determine what level of control is appropriate after
having conducted a circumspect analysis of associated costs and benefits (my
italics) of each risk mitigation and transfer strategy.”
- “Risk Management needs to institute a comprehensive and fully transparent
monitoring and reporting process with built-in incentives to encourage desired
behavioral change. (my italics).”
This is a thoughtful though disturbing paper, given the pre-eminence of all those who
participated in the creation of the new COSO guideline. I agree with much that he says,
but I suggest that each reader of RMR read it carefully.
After re-reading these remarks, I remain concerned that many of our processes for
identifying and analyzing the chances of unexpected events are too narrow. Do they
really challenge operating managers and their risk management counterparts to imagine
events that have not yet occurred? My flippant mind goes immediately to two “risks”
that I suspect neither bank considered seriously.
Could a guest of RBFG in its skybox at Maple Leaf Gardens (no, I refuse to use its new
and correct name!) in Toronto be accidentally hit by a flying puck? I grant that the
skybox is well above the ice surface, but I noted last year that the slap shots of some of
the more elderly Leafs had enormous parabolas! Has risk management considered that
risk?
And have our Magyar friends considered the results of one Transylvanian vampire bite
repeated through their entire staff at the next full moon?
I thought not!
Bill lived in a state of mild disgruntlement in which surprise had no place.
Howard Frank Mosher, Waiting for Teddy Williams, Houghton Mifflin Co., Boston 2004