Operational Risk Management to the Rescue

May 26, 2008
Allan D. Grody

In the current financial crisis, the capital reserves that financial institutions hold have become the way that an organization counts down to failure, not the system that proactively prevents it. Indeed, the bankruptcies and near-death experiences of a number of institutions are yet another egregious example of risk management controls gone awry that found no expression in escalating measures of exposure to risk.

The complexity of the modern financial services firm defies the once cherished risk management technique of the earlier-era partnerships--the predominant governance model only four short decades ago. Then the Monday-morning partner meeting was all the risk management that was needed. The partners would decide the week's allocation of the firm's capital and walk out onto the trading floor with their money, literally and figuratively, in their pocket and manage their own and their partners' capital.

Today, these investment and capital market partnerships are global in scope and many are embedded in multinational banking institutions, which are almost all publicly owned. Partners have been replaced by staff whose pay schemes reward them for taking big risks with shareholders' capital--the capital of "other people's money" fame. The real bets of the clients are left to "pay off" over a longer-term horizon, if the financial instrument or investment strategy ever performs as designed, or rather as marketed.

It is no wonder that we have turned to reporting mechanisms around a new mantra--risk management--to view and explain the complexity that can easily overwhelm us and has, at some level, already done so. Making this mantra hold up, as translated by regulators into a risk management framework, is still a work in progress. Here, the yet-to-be-implemented operational risk framework, the final piece of Basel II (the first-ever truly global regulation intended to foster a risk-adjusted performance culture), has the greatest hope for preventing such crises in the future.

Does Capital Do It?

The question has to be asked: What is it that offers a financial institution its greatest protection against failure if not capital? Quite simply, it is the risk culture embedded in its people and processes. At the core of any risk culture are the incentives for individual compensation that balance risk and return with short-term self-interest and long-term stakeholder goals. And it is the embedded early-warning systems that highlight growing exposures to risk.

Indeed, the recent experiences of Societe Generale and Bear Stearns are glaring examples of risk management controls that found no visibility in the form of escalating risk exposure measures. But such escalating exposure is precisely what the Basel II architects envisaged for operational risk management when the accords were first proposed in 1999 and what still offers the greatest hope for preventing future crises.

Basel II defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." It includes risks arising from such recent headline-grabbing events as internal and external fraud, errant employment practices, faulty workplace safety rules and procedures, risks of improper clients, products and business practices, losses from damage to physical assets, business interruptions and systems failures, and failures in trade execution, delivery and process management.

Many recent events can be slotted into one or more of the above operational risk categories. Citigroup reported that its market value at risk does not include collateralized debt obligation (CDO) positions because they are hard to value since there are no prices or model inputs--a data problem. MF Global reported a $141 million trading loss due to a systems control issue that allowed a trader to avoid contract limits. Merrill Lynch has acknowledged that $43 billion of over-the-counter derivatives cash flow was improperly recorded on both sides of the balance sheet. Credit Suisse took a $2.8 billion write-down due to valuation model pricing errors and use of stale prices. Societe Generale reported a net $4.9 billion loss due to trader fraud. And Bear Stearns nearly collapsed because it couldn't price its mortgage portfolios, among other things.