risk within

8/2/2019 Risk Within

http://slidepdf.com/reader/full/risk-within 1/12

Globa l Perspect iveGlobal Financial Services Industries

In today’s rapidly changing business climate,

the relationship between opportunity andrisk has never been more pronounced.

As companies grow, every move forward

embodies additional, and often new, risks.

Operational risk is now on the agenda

for increasing numbers of senior executives

and directors.

An exclusive briefing for executives

in global financial services.

the riskwithin



GLOBAL PERSPECTIVE This monograph series is provided by

Deloitte Touche Tohmatsu as a forum

for sharing our perspectives on current

strategic issues facing senior executives

of global financial services firms.

Topics are developed in consultation with

senior decision makers from all sectors

of the financial services industry.

The authors of these articles are drawn

from our firm’s Global Financial Services

Industries practice.

ContributorsThe following professionals of

Deloitte Touche Tohmatsu contributed

to this edition of Global Perspective .

Mirei l le Berthelot , Partner

Director, Enterprise Risk Management for the Financial

Services Ind ustriesFrance

+33 (1) 40 88 22 95 m berth elot@deloitt e.fr

Leon Bloom , Partner

Global Leader, Risk Management and Control Services

for the Global Financial Services Industries

Canada

+1 (416) 601 6244 lebloom @deloitt e.ca

Jocelyn Cun nin gham , Principal

Deloitte Consulting Group

United States

+1 (212) 436 4788 jcunn ingh am @dttu s.com

Dun can J. Gallow ay, Partner

National Leader, Enterprise Risk Management Services

United States

+1 (212) 436 6858 dgalloway@dt tu s.com

José-Lui s Garci a, Partner

National Leader, Banks an d Finan cial Institution s

France

+33 (1) 40 88 28 15 jgarcia@deloitt e.fr

Malcolm McCaig, Principal

Risk Man agemen t an d Co n trol Services

Great Britain+44 (171) 303 5388

Malcolm_McCaig@deloitt e.tou che.co.u k

Thom as F. Rol lau er, Partner

U.S. Leader, Risk Management and Control Services

for the Global Financial Services Industries

United States

+1 (212) 436 4802 trollauer@dt tu s.com



the risk within

risk, there is a perception that operational risk is

difficult to assess and manage. Businesses may

even avoid dealing with it altogether.

Awareness of operational risk, however, has

increased among Boards of Directors, chief

executive officers (CEOs), and oth er h igh-level

executives and managers. Key drivers behind

this heightened awareness include numerous

highly publicized control failures occurring in

the financial industry in the 1990s, an impor-

tant report on operational risk management

pu blish ed in late 1998 by th e Risk Managem entSub-group of the Basle Committee on Banking

Supervision, and an onslaught of regulatory

activity aroun d th e world.

Key questions

Although awareness at the board level has

increased, a gap often exists between it and th e

other layers of the organization. Asking the

three questions below will reveal much about

the progress an organization has, or has not,

m ade in dealin g with operational risk th rough-out the company:

1. Can th e CEO an d oth er top-level man age-

ment clearly identify the portfolio of opera-

tional risks their enterprise faces, including

those faced by each business unit?

2. For each of these identified risks, is there

clear and accountable ownership within the

organization?

3. Is the organization in control of these

risks? Can senior executives and the front-line

business un it m anagers clearly dem on strate th is

Global Perspective · Operational Risk 1

Certainly t h e stakes are h igh. Losses

can b e catastroph ic, both to an organization’s

balance sheet and to its reputation. On a per-

sonal level, execut ives an d d irectors in creasing-

ly must face concerns about their personal

accoun tability an d liability. “Did we d o en ough

to measure the risk?” they are asking. “How

could we have known th at parts of our organi-

zation were out of con trol?”

Today, operational risk has risen on the

agen da of m ajor finan cial in stitution s, and it is

n ot h ard to see wh y. Finan cial institution s areoften at the forefront of change and major

growth trends. These range from globalization

to forays into n ew markets. They include indu s-

try and produ ct tran sformation , an d th e assim-

ilation o f complex information techn ologies.

Along with n ew business opportu n ities, these

trends can contribute to some of the greatest

risks facing financial institutions today. And

unfortunately, among these risks are some of

th e least un derstood.

Defining operational risk

Operational risk encompasses a wide range of

risks that can interfere significantly with achiev-

ing business objectives. Operational risk is

broader than the traditional credit and market

risks facing fin an cial institut ion s. It often stem s

from deep within th e heart of a business, in its

systems, procedures, or management controls

an d practices. As such, t h is risk could b e called

the danger within.

Unlike more commonly understood and

quantifiable risks, such as credit and market

Fear of the unknown is a powerful and disturbing force

for senior executives and their Boards of Directors.

As they reflect on their own organizations, questions like

“What risks are we overlooking?” and “What am I missing?”can keep the most seasoned executive awake at night.



control at any given time in the context of the

organization’s business objectives?

In ou r experience, answers to th ese questions

do not come easily. Often it is because organi-

zations have not clearly identified and clarified

specific elemen ts of op eration al risk. Yet o n ce

an organization h as don e th is, it is possible to

categorize operational risks, attach potential

costs, and set up effective con trols to m inim ize

the potential damage.

How high are the stakes?Withou t th ese cont rols, h ow serious a problem

is operational risk? Consider the 1995 collapse

of England’s Barings Bank, an institution

brought down by th e action s of a single rogue

trader. Hindsight has shown us th at th is was an

operation al risk that could h ave been anticipat-

ed and prevent ed th rough p roper segregation of

duties and appropriate supervisory approvals.

In recent years, the Barings debacle and other

similar incidents have raised operational risk

from a second ary con cern to p rimary status inthe eyes of global financial institutions, and

th eir clien ts, sh areho lders, an d regulators.

If costly losses are to be avoided, financial

institutions must embrace operational risk

management, making it an integral part of

th eir corpo rate culture, at all levels. Th is m eans

resisting the temptation to do nothing more

than comply with established and often out-

dated practices of risk con trol.

Instead, leading global finan cial institutions

are developing and implementing the opera-

tional risk controls that will become the best

practices in th eir in du stry. But th ese busin esses

have more to gain than simply being the stan-

dard bearers. Better risk management controls

mean that these companies are less likely to

experience m ajor losses th rough error, fraud, orfailure to deliver services in a timely manner. In

the case of one leading bank, the sound man-

agement of operational risk is included as part

of th e selling propo sition to n ew custom ers, to

help differentiate the bank and establish com-

petitive advantage. q

2 Deloitte Touche Tohmatsu, Global Financial Services Industries

Sources of operational risk

• Strategic/enterprise risk

• Transaction processing/control error

• Information systems failure or error

• Breach of regulatory compliance

• Human resources risk• Service quality risk

• Break of company policy

• Fraud

• Political risk

• Catastrophic risk



Many institutions have yet to

bridge the gap between identifying key risks

and putting in place an effective assessment

and control structure.

In the financial services industry, this grow-

ing urgency for better operational risk manage-

m ent can be attributed to:

Accelerated growth and change. Financial

institutions now are handling a growing num-

ber of tran saction t ypes as well as increased vol-

umes, not to mention new methods of

distributing products and services. Organiza-tional structures also are changing. These

changes involve complex matrix structures or

far-flun g “virtual” organizations, in creased cen -

tralization, or in many cases decentralization.

Growth and chan ge bring n ew risks.

Industry consolidation. The wave of con-

solidation in the financial services industry

through mergers and buyouts underscores the

mirror-image relationship of opportunity and

risk. These h igh -oppo rtun ity end eavors enable

an enterprise to achieve strategic objectivesmore quickly or cost-effectively than through

internal expansion. But with these opportuni-

ties com e th e hazards that arise when assimilat-

ing the personnel, business practices, and

control culture of anoth er organization .

Industry convergence. The distinction

among the pillars of the financial services

ind ustry (that is, ban king, insurance, brokerage,

and trust services) has become blurred. As a

result of this convergence, more organizations

are offering products and services that are new

to th em. These sam e organ izations are expan d-

ing t h eir geograph ic reach , sellin g th eir services

in n ew markets. Both these phenom ena bring

add ition al risks.

Globalization. Financial institutions are

expanding their geographic scope, conducting

business in more countries and markets than

ever before. With th is expansion, n ew corporate

cultures, processes, and non-traditional business

relationships must be dealt with. Risks include

n ew competitors, an d differen ces amo n g coun-

tries in areas such as ethics and corporate gov-

ernance, laws and taxation, currency exchange,m arkets, an d custom ers.

Complex information systems. Dramatic

advances in technology, such as the develop-

ment of an entirely new distribution channel

(the Internet), and the rapid assimilation of

th ese techn ologies produce n ew and exaggerat-

ed risks. These innovations bring with them

n ew risks, including everyth ing from data an d

system security to n ew person n el requiremen ts.

Constantly evolving responses are required

to m an age an d con trol th e risks associated withthese types of technical advances. The rate of

chan ge and growth in all these areas un derlines

th e n eed for a pervasive approach to risk m an-

agement that starts with the board and filters

down th rough every level and bu sin ess unit of

an organization .

Along with protecting a company from

potential risk-related damage, effective risk

m anagem ent can contribute to the bottom line.

Benefits of effective risk management include


the new priorityGiven the magnitude and velocity of change in the

financial services industry, there is an urgent need for

operational risk to be addressed in a clearly defined way.



protection of assets by preventin g m ajor finan -

cial losses, protection of shareholder value,

avoidance of regulatory censure, ability to ren der

services without interruption , and m ain tenan ce

of good reputation and p ublic confiden ce.

Major operational failures can deal such a

severe blow to a firm’s reputation that it never

recovers. Clients are lost and prospects evapo-

rate. In the U.K., the inappropriate selling of

pen sion transfers and opt-outs caused a down -

turn and loss of confidence in the entire per-

sonal pensions m arket.

The regulatory environment

Regulatory bodies around the world are begin-

ning to focus more closely on operational risk

and are developing policies and standards of

busin ess practice to deal with it. These gen eral-

ly involve capital adequacy requirements to

protect against insolvency and financial losses

to clients an d th e public.

Driving the regulatory actions are agencies

such as the Bank of Internation al Settlement s,who se m embers in clude th e cen tral bankers of

the G-10 countries, and the Federal Reserve

Board and Securities and Exchange Commis-

sion in the United States. But the movement

toward a stricter regulatory environment is

worldwide. Th ere has been a tidal wave of regu-

latory in itiatives in both developed and devel-

opin g coun tries. An d wh ile developed cou n tries

h ave had somewh at of a head start in establish -

ing operational risk management regulations,

those being introduced in countries like Mexi-

co, Brazil, Argentina, Hungary, Greece, and

Korea have m ore teeth. The pen alties for n on -

compliance tend to be more severe than in

developed coun tries.

Taking the lead

For th e global finan cial services in du stry, th ere

is a huge advantage to individual institutions

taking a leadersh ip role in d evelopin g best p rac-

tices. First, regulators are lookin g to th e ind ustry

for methodology — methodology that can be

“built in” rather than “built on.” Institutionsth at dem on strate a solid, disciplin ed app roach

to risk management are more likely to be

allowed to m aintain th eir own processes, rath er

than have standards imposed upon them .

Just as im portan t, institution s that are ah ead

of the gam e begin reaping ben efits soon er. On a

financial level, the avoidance of a major cata-

stroph e is a sup erior altern ative to dealing with

the impact of an operational failure. A risk-

con trol strategy is mu ch p referable to after-the-

fact questions such as: “Why didn’t manage-ment prevent this? Where were the board and

the audit committee while this was going on?

Why didn’t the auditors and regulators do

someth ing to preven t th is?” q


An evolution ofrisk management

practices

Organizational

Business

Operations

Market

Credit

Market

CreditCredit

1970s 1980s 1990s

Operational

Integrated RiskManagement

Financial Risk

Management

Credit RiskManagement }



Ateam of mountain climbers

with the goal of reaching the peak of Mount

Everest knows that cold temperatures are a

th reat to th eir goal and th eir lives. But m anag-

ing th e risks of hazardous tem peratures in volves

more than an acknowledgment that “cold” is

th e issue. Th e risk m ust be clarified an d assigned

specific values.

Clim bers m ust know th at “cold” in th is case

really mean s tem peratures of –50° or below.

Only then can adequate steps be taken to deal

with th e th reat. Specific types of clothin g and

equipment are required to deal with “cold” of below –50°, as oppo sed t o th e “cold” of a frosty

wint er day.

And so it is for business. Operational risk

comprises a wide spectrum of risks. How does

an organization begin th e categorizin g process?

Starting points include:

Regulatory and legal issues. Regulatory

requirements for financial institutions are

changing rapidly. Add these changes to the

already extensive legal reporting requirements

for thin gs like derivative trading, an d t h e n eedto abide by the highest standards of profes-

sion al practice.

New techno logy. The tech no logy th at allows

finan cial institution s to better cond uct bu sin ess

is fraught with risks. System failures, hackers,

data theft, and corruption all expose the orga-

n ization to risk. Th e n eed for secure system s is

crucial. Identifying cracks in the security of

th ose system s is operational risk m anagemen t.

E-com m erce and the Internet. Sellin g prod -

ucts and services th rough n ew, electron ic chan -

n els exposes institut ion s to a m ultitud e of risks.

These invo lve everythin g from security breach-

es to theft of data, all of which can lead to loss

of revenue. An increasing number of people

with access to strategic information and sys-

tem s also in creases th e possibility of loss. Th ese

th reats come from with in th e organization an d

from outside — including m on etary and infor-

mation theft, computer viruses, integrity of

data, and sabotage of internal systems.

Outsourcing. With a growing trend towardoutsourcing of services — including corporate

services at home offices and call centers —

organization s take on addition al risk. A cont ract

with a third-party supplier may involve risks

inh erent in the ou tside operation, which m ay

n ot b e imm ediately apparent. Yet from a regu-

latory point of view, the institution, not the

supplier, is liable for any problems that result

from this business relationship.

Human resources. Personnel are not pre-

dictable. Employees may engage in practicesthat violate company p olicy through un inten-

tional errors or throu gh inten tional illegal acts

such as fraud or theft. They may exceed their

authority, or engage in unethical or risky busi-

ness practices. Controls must be in place to

guard against these possibilities. For example,

Daiwa Bank’s loss of $1.1 billion caused by an


The risk-assessment process varies from organizationto organization. But basic principles apply universally:

Risks must be clearly identified and precisely

articulated before they can be controlled.

recognizing andcontrolling risk



un ethical bon d trader could have been avoided

th rough a h ealth ier and stricter control culture.

How to assess risk

The next step in avoiding potential risk-related

losses is to d ecide which of th e above areas (or

other areas) are of greatest concern. This

invo lves exam inin g business objectives, ident i-

fying and articulating key business risks, and

assessin g the likelihood an d pot ent ial imp act of

the risk occurring. Approaches to identifying

an d assessing risk in clude:

Identifying risks. Details of past losses andproblems associated with operational risk

should be assembled. All financial institutions

have some history of operational losses,

wheth er they stem from fraud, comp uter break-

downs, regulatory penalties, or other sources.

Unfortunately, this type of information is not

always readily available. But historical data are

not the only recourse. And historical data are

not useful in identifying new sources of risk.

Instead of putting too much emphasis on sta-

tistical mo dels that predict frequen cy or severi-ty of problems, the focus really should be on

un derstan ding why th e problems occurred.

Assignin g valu es to th ose risks. It is essen-

tial to know which operational risks are most

critical to the firm’s capital and future. The

more important they are, the greater the need

for control.

There are num erous ways of categorizin g th e

magnitude of risk — for example, on a scale of

1 to 10, or as high, m edium , and low p riority.

On ce th e risks have been specified an d values

assigned, th e organization sho uld first set prior-

ities. Th en it can direct attent ion t o con trolling

those risks that could do the most damage to

the business.

This type of risk assessmen t m ay even lead a

company to abandon a business area or prod-

uct, particularly if the cost of controlling risk

cann ot be justified by th e potent ial return.

In other words, an organization must becom fortable with th e degree of risk it takes. For

example, a major insurance company wanted

to t riple th e volum e of busin ess throu gh its call

centers over a period of four months. When it

realized that the new operational risk profile

was beyond the risk appetite of the organiza-

tion , it recon sidered its strategy.

Con versely, some risks m ay be so slight th ey

aren’t worth controlling. In these cases, an

institution m igh t say: “Th is could hap pen , but

if it d oes we can afford th e loss.”

Financial implications

Assigning a financial value to risk can be

achieved through a number of means. Some

organizations use statistical models, while oth-

ers use a qualitative assessment approach. The

type of risk and the availability of historical

data would determine which approach makes

the most sense. Then the process works in


Acceptableexposure

Unacceptableexposure

Impact

Uncertainty

Managing risk to limit exposure

Risk – Control = Exposure (R–C=E)

Risk: Anything of variable uncertainty and significance that interferes

with achievement of business strategies and objectives.

Control: Action to correct or reduce uncertainty or the significance of

outcomes to an acceptable level, through risk management, transfer,

or avoidance.

Exposure: Susceptibility of business strategies and objectives to risk

remaining after control and mitigation activities.



much the same way that an insurer decides

h ow m uch to charge a car own er for insurance:

Start with a basic assessmen t an d refin e.

For a car insurer, the first step might be to

determin e the m ake and m odel of car, then u se

actuarial tables to determine a basic insurance

am oun t. Factors such as the d river’s age, drivin g

record, and city of residence then come into

play to further qualify the insurer’s risk. In

addition, the insurer makes risk more specific

by determining how the car will be used —

weekend d rivin g, com m utin g to work each day,

or traveling long d istan ces. Th en an insurancepremium is set, based n ot on ly on p ast experi-

ence, but future expectation s.

Experiences and expectations may differ

amo n g busin ess un its with in a sin gle organ iza-

tion. A un it with m ore inh eren t risk in its sys-

tem s and busin ess practices will require a larger

allocation of capital or insurance to protect

against risks. The cost of allocating this eco-

nomic capital will make it a greater challenge

for these units to achieve profitability targets.

Nevertheless, employees who help manage risk will lower the risk-adjusted economic capital

costs, and should be recognized and rewarded

for doin g so. q


wheredoes your organization stand?

Here are the key questions to ask when assessing

an organization’s current operational risk

management structure and future strategy:

• How does the Board of Directors receive

information on operational risk? What type of

information do members receive, and through

which committees? How does the board monitor

operational risk?

• What level of accountability does the board

assume over operational risk?

• What risk management infrastructure is in place?

• How does operational risk management interface

with other risk management activities, such as credit and market risk?

• Can established risk management methodologies,

including self-assessment of risks, be described?

• How are economic capital allocations adjusted to

reflect potential and previously experienced

operational risk?

• How is operational risk leveraged for competitive

advantage?

• How is product pricing affected by risk

adjustments based on past experience and future

expectations?

• What technologies are used to support

operational risk management?

• What methods are used to create awareness of

and identify operational risk throughout the

organization?

• How is operational risk “owned” in the

organization?

• Can operational risk ownership be described and

accounted for at every level within the

organization?

• What is Internal Audit’s role in operational risk

management?

• What groups are involved in operational risk

management (for example, Corporate

Compliance, Corporate Risk and Insurance,

Internal Audit, the Legal Department)?

• What impact has operational risk had on

insurance decisions?



For risk m anagemen t to be effective, a con tinu-

ous, self-sustaining process for risk identifica-

tion, assessment, and management must

permeate all levels of the organization, driven

by the board an d th e CEO.

Many institution s seek outside h elp in assess-

ing an d d eveloping th eir operational risk con-

trols. A third party brings the benefit of

previous experience in developing and imple-

menting methodologies, and a knowledge of

what works for different types of organizations

and indu stries.

Effective implementation of an operationalrisk management process must encompass all

aspects of an organization. It requires an orga-

nizational model. Dedicated risk management

resources in business units are needed, and

they n eed th e support of senior m anagem ent.

Operation al risk man agemen t is m ost effective-

ly implemented when key stakeholders work

together — for instance, risk management,

internal audit, information technology, and

business unit m anagem ent.

A new discipline

Th e disciplin e of operational risk m anagemen t

must be formalized, within a clearly identified

structure. Th ere is n o single approach . For som e

organ izations, an o peration al risk man agem ent

unit is the best solution. For others, it may be

prudent to assign responsibilities for the risk

management function to a risk manager and

comm ittee, or the internal audit departm ent.

Regardless of the approach, all levels of man-

agem ent m ust be in dividually and collectively

responsible. Ownership of risk at all levels of

the organization is critical. A major fraud

attempt was halted at a leading international

bank, for example, because the staff member

h and lin g th e transaction was “risk aware” and

becam e suspiciou s.

People within an organization succeed and

create value through achieving objectives. The

better they manage the risks standing in the

way of those objectives, the more value they

create. Incentives must be in place for linem anagers. Th e ramifications of not adh erin g to

risk management practices must also be clear.

For example, the opportunity and financial

value of risk management and its potential

contribution to a bu sin ess unit’s bottom lin e

should be clear. This can involve tying risk

management to salaries, bonuses, and perfor-

mance reviews. Operational losses should be

charged to t h e related bu sin ess or produ ct area.

The rapid rate of change in the financial

services industry offers both challenges andoppo rtun ities. Those fin ancial in stitution s with

enterprise-wide operational risk awareness and

own ersh ip, and clear processes to m on itor and

manage it, will be best equipped to embrace

change and profit from it. q


from a problemto a process

Organizations must move away from a reactiveapproach to risk-related problems. Instead, they require

a systematic, disciplined, and proactive methodology

that identifies potential problems before they appear.



settingthe foundationfor a process

Here are seven operational risk management

“best practices” to consider when designing an

operational risk management strategy:

• Establish accountability for risk management with

appropriate operational managers.

• Engage operations management and others in

processes that provide sound business value for

their efforts, with control assurance as a byproduct.

• Ensure that controls can be applied across the entire

organization, with enterprise-wide consistency but

still allowing for local customization.

• Enable management to optimize and control

investments by carefully weighing costs and benefits.

• Provide a process that can be reviewed and self-

sustained by the organization on an annual or more

frequent basis.

• Engage, educate, enthuse, and enable the people

in the organization, at all levels, to embrace risk

management responsibilities.

• Provide quantitative and qualitative measurements

of risk throughout the organization.

While these principles form the basic platform of

an effective strategy, they are not written in stone.

The management of operational risk remains an

evolving science. Today’s best practices may not be

suitable five years, or even one year, down the road.

Organizations, their structure, and the business

and regulatory environment will change.



© 1

9 9 9 D e

l o i t t e T o u c h e T o h m a t s u .

P r i n t e d i n C a n a d a .

Global Financial Services Industries

Deloitte Touche Tohmatsu serves financial services

firms globally through our Global Financial Services

Industries group. GFSI’s industry specialists

represent every major financial center in the world

and bring decades of experience and leadership

in banking, securities, insurance, and investment

management to each client assignment.

GFSI teams develop value-added services to address

the issues and trends facing the financial services

industry, and apply them to the specific needs of

our clients. Complex global assignments are carriedout by industry specialists who bring the full scope

of Deloitte Touche Tohmatsu expertise to client

operations around the world. The oversight provided

by global practice leaders means that our clients

receive uniform, quality service wherever they do

business, anywhere in the world.

Deloitte Touche Tohmatsu is one of the world’s

leading professional services firms, delivering world-

class assurance and advisory, tax, and consulting

services. More than 82,000 people in over 130

countries serve nearly one-fifth of the world’s largest

companies as well as large national enterprises,

public institutions, and successful fast-growing

companies. Our internationally experienced

professionals deliver seamless, consistent services

wherever our clients operate. Our mission is tohelp our clients and our people excel.

risk within

Documents