“It’s people, process, and technology” – this is how Fusion Risk Management director of product management Alex Toews defined operational risk. A relatively young branch that has become more prevalent in the last two decades, operational risk has proven itself to be a very important factor across all business landscapes today. In conversation with Insurance Business’ Corporate Risk channel, Toews said that the financial crisis in 2008 really put operational risk into the perspective of everyone who wanted to survive.
“It's understanding what are the risks – both the known risks, the unknown risks, and the emerging risks – that we need to understand across our organization and what we are doing to make sure that we understand what those are, what the potential impact would be of those risks occurring, what is the likelihood of those risks occurring, and what we are doing to control our risk exposure in the right areas of our business when it comes again to people, process, and technology. It's a very broad kind of scope when we think about people, process, and technology,” Toews said.
“The Basel Committee on Banking Supervision, which is also shortly known as the BCBS, published a bunch of papers in the late 90s, early 2000s that started to create a lens on what operational risk even is and to try and create an approach that made it its own individual category of risk, as well as started to put forward tools that could be used to help do these things. Building out of that, it really focused on putting in the foundational elements that would start to eventually evolve into really developed operational risk models and programs and approaches,” he said.
Understanding this subset of risks is imperative for any burgeoning business, Toews said, although which of them are the most critical almost always depends on boards and senior leadership. However, he added that if you are looking for the most common, it almost always comes down to the people aspect of the business.
“I think, most broadly, the most common type of risks, and this goes back since the inception of the area, are really things like people risks; skill set, succession, wellbeing, fraud, behaviour, employee misconduct, other things that in our workforce – there's lots of risks with people. People are controllable to a certain extent, but people risk is a big part of the operational risk landscape,” he said.
On the technology side, it has more to do with information security and cyber risk, Toews said. The digital nature of today’s world means that almost every organization is a tech company first and foremost, and this means that your key risks will be related to operational impact stemming from cyber disruptions.
“It’s become kind of firmly seen as a business risk rather than an IT problem,” Toews said. “Technology is what enables organizations to move seamlessly. There's also change risk emanating from the need for different platforms and organizations to start being able to remain agile and revisiting things like business models and culture and the people that they hire, workload priorities, systems processes. There's situational awareness that's built into the operational risk piece that gets into change risk with people, process, and technology all around that.”
Recently, regulators in the US have proposed capital hikes of as much as 20% for banks to harmonize capital requirements. One of the effects of such developments is fee-based activities now being seen as operational risk – a proposition that was met with criticism from many in the financial industry. Fusion Risk Management’s own Rich Cooper, the firm’s global head of financial services, called it a “stretch” to tie fee-based activities to operational risk.
“Yeah, it's a very interesting approach when it comes to at least the initial expectation that they want to treat fee-based activities as an operational risk. I think in terms of both that lens as well as Rich's comment around it being a stretch to tie those activities to operational risks, it depends on how you look at and how you essentially translate that approach of saying we're expected to treat them as an operational risk,” Toews said.
The issue, Toews said, comes from the fact that financial and non-financial risks have always been defined broadly; operational risk falls under the latter, as it is mostly a qualitative aspect that is tied to non-financial risks. Comparatively, financial risks can be clearly defined – credit risk, market risk, liquidity risk, to name a few, and there are very specific domains that financial risk practitioners focus on approaching through very quantitative means.
“The non-financial risks are a little bit opaquer, have more qualitative approaches, and risk management programs attempt to get their hands around these things,” Toews said. “In general, operational risk is much less easily measured and managed through data, whereas financial risk is very manageable through data because it's what businesses and banks have always had; whether it's your general ledger or your balance sheet, they obsess over the data and the transactions, the money, where it's going, how much capital they have, how much buffer they have, especially post-financial crisis in the U.S.”
With that in mind, while he did agree that it made sense in some ways, Toews said that there are a lot of parts that did not make a lot of sense.
“I think the parts that make sense as far as tying fee-based activities to operational risk would be to look at, again, as I described earlier, the people, process and technology behind fee-based activities, and not necessarily the fee-based activities in and of themselves,” he said. “This means that we're not controlling the financial aspects of those activities, but we can control and understand more deeply the operational processes behind the eventual kind of fee-based financial aspects of those. They're very autonomous, they're very frequency based – for a fee-based activity, a very simple example would be like credit cards; every time you swipe a credit card there's a fee associated with that and that's income for a firm managing the card in and of itself. It's pretty rinse-and-repeat, and there may not be a great understanding of the people, the process of the tech, controlling, protecting and motivating those activities, which for most banks is just seen almost as passive income; we’re going to collect these fees, and all is well.
“As far as what's behind that, when we think about financial risk and fee-based activities and how it's controlled today, it's a part of the consideration when it comes to capital requirements for banks: do we have enough capital buffer in the hopper to make sure that given a catastrophic financial disruption to the market, interest rates, and liquidity, to A, survive, and B, make sure we can support our customers, both institutional and retail,” he said.
To that end, Toews said that fees are not a “huge part of that conversation,” and that it is a stretch to ask operational risk practitioners to manage the financial consequences of fee-based activities.
“I still think that needs to be a part of the very quantitative, data-driven, really robust programs that banks have in place to stress this type of stuff all the time,” he said. “So, I think there’s no way you can tie that together. I think it eventually needs to translate in a way that maybe operational risk programs should have a little bit more stake in how operationally fee-based activities are enabled and informed and how those things happen and make sure we're controlling them in the right way. But I don't think there's a lot of alignment between asking an operational risk practitioner to start taking on some of the financial risk associated with those activities.”
Part two of this interview will be published in the coming weeks. Stay tuned.