| Staying abreast of the operational risk landscape |
Back |
| Richard Pike looks at how Schroders has dealt with the task of incorporating increasingly sophisticated risk management tools across its business systems. |
The subject of operational risk is becoming increasingly important to the board members of financial institutions and large corporations. With recent industry wide initiatives such as the Turnbull report and the latest BIS capital adequacy proposals, the once ad-hoc and shrouded area is being forced into the light. This statement is particularly valid in the financial services sector as clients, investors and regulators increasingly require evidence that the business is being run correctly with full management control over operations and their inherent risks.
In the last number of years mathematicians, software developers and risk experts have sought the holy grails of group-wide market and credit risk. In both cases a lot of progress has been made with many financial institutions now having a much better understanding of their risks in these areas than they did five years ago. Operational risk has, until now, baffled these experts due to its lack of meaningful mathematical models, complex data requirements and the broad range of areas in which it occurs.
The recent European Union capital adequacy proposals (that closely mirror the Basle II documents) suggest all financial institutions should maintain a capital charge for operational risk. They recommend that institutions manage operational risk on a group-wide and proactive basis. They suggest that while detailed mathematical models are not yet agreed, proof that an organisation is managing and reporting on operational risks will be rewarded by a lower capital charge. This regulatory push coupled with the increased outsourcing and insourcing activity in financial institutions (which in itself requires higher levels of operational reporting) means that operational risk methodologies and systems are set to become increasingly important over the coming years.
The business methodology
An example of how one company has taken the issue of dealing with operation risk on board is Schroders. With an eye to the future Schroders embarked upon a project in late 1999 to tackle the issue of operational risk management. They had a clear understanding that to remain competitive in the areas of fund management, retail, private banking and hedged fund services in the new century they had to clearly understand the operational risk landscape. The risk profile is constantly changing to embrace new technologies and operational procedures. With the assistance of PricewaterhouseCoopers, Schroders devised a methodology to support all the business processes across their entire worldwide organisation. By the middle of 2000 Schroders had developed a robust risk management framework that:
• Records risks, controls and responsibilities throughout their organisation;
• Standardises the method of risk management throughout the organisation;
• Provides assurance to management, regulators and clients of the positive operation of internal controls (‘Positive Assurance’) or failure of those controls with recommendations to resolve them and, indeed, track the implementation of those recommendations.
The methodology takes into account the fact that complex mathematical models do not currently exist but might be developed in the future. It allows the organisation and its processes to change dynamically over time without denigrating the effectiveness of the system.
The next task was to ascertain and map all the important business processes within the organisation and describe the risks inherent in each of the processes and the controls that are, or should be, in place to mitigate these risks. Schroders staff undertook this project over an extended period of time across the operations. The functional areas of the business were described and each business process was outlined and the inherent risks understood. The descriptions were taken to each business unit, the processes carried out by a unit were chosen and the controls currently in place for the relevant risks were detailed. This resulted in a detailed map of the organisation and its processes that includes risks and controls allocated throughout the institution.
After the detailed mapping exercise a task of measuring the levels of each risk and the effectiveness of the controls was commenced. Every risk was given three ratings:
• Risk Impact: This unit measures the effect if the risk occurs.
• Risk Probability: This unit measures the likelihood of the risk occurring. Risk Impact and Risk Probability are
manipulated to produce a Risk Assessment for each risk.
• Combined Control Rating: This unit is a measure of the efficiency of the controls environment put in place to counter each risk.
Based upon the above measures a residual risk level could be calculated for each risk after the successful operation of all controls.
Other measurements were decided upon for individual processes which were placed under a standard heading of Key Performance Indicators (‘KPIs’). Business line managers are in the process of establishing KPI benchmarks which are to be held by the risk management unit. Actual KPI data will be compared to benchmarks.
The IT system
Upon agreement of this framework and the mapping of all major processes and risks, it was decided that an IT system should be developed to implement the requirements and allow the ideas to ‘live’. Schroders employed specialist financial IT company, COMIT Gruppe to implement the system. The COMIT brief laid out the business requirements and some general objectives.
The Risk Management System must provide:
• Repositories of information about the activities in the organisation, the risks that attend those activities and the controls that have been attached to those risks.
• A tool for reporting control performance.
• A consolidation facility for ‘escalating’ high-risk items to senior management.
• A flexible operational risk report - by function, region, risk category, process, etc.
• An Issues log
From a technical standpoint the system was required to offer a single database of all information and also be securely accessible from anywhere in the Schroders operation throughout the world.
The first phase of the project was that of producing a functional and technical specification. A team made up of Schroders and COMIT staff undertook these tasks in the month of September 2000. The results of this stage were a detailed explanation of the business requirements and a technical architecture based upon Microsoft Internet technologies such as SQL Server, Internet Information Server, Windows NT security and Internet Explorer. The technical design made use of the Schroders Intranet to offer access, via web browsers, by all Schroders managers to a central risk database maintained in London.
Upon sign-off of the specifications COMIT offered Schroders a fixed price development contract for the system. This contract was agreed in early October and the development commenced at the COMIT offices in Dublin. Throughout the development stage Schroders were given access to the growing system via COMIT’s Internet site and were kept up to date on project management issues with weekly status reports.
The system was delivered to Schroders, a day early, on the 22nd November 2000 and immediately went into User Acceptance Testing on site. This testing was completed by the middle of January. The delivery included a complete set of on-line help files that were complemented by Schroders’ in-house preparation of training and user manuals.
The system is currently being rolled out to organisational units within the Schroders.
The future
The direct benefits of the system include:
• There is now a consistent framework for the measurement and reporting of operational risk across the business globally;
• Senior management can receive positive assurance that controls are being operated and issues are being followed up;
• The system can be accessed from anywhere within the entire group;
• Functionality includes the escalation of ‘very high and high risk’ findings to senior management;
• Flexible report writing;
• The system can be rolled out to insource and outsource partners (if required) to provide real-time proof of compliance and operational risk control.
The system has now been developed as a product by COMIT Gruppe under the name ‘SWORD’ and, with the full support of Schroders, is being made available to other institutions that wish to manage operational risk in a groupwide manner. It will enable compliance with the future Basle II regulations and the proposed European Union CAD framework. |
Richard Pike is director of COMIT (Ireland) Gruppe.
|
| Article appeared in the June 2001 issue.
|
|
|
