There's hardly a financial institution director who isn't familiar with the general nature of operational risk or hasn't taken part in conversations about fraud, data security, processing breakdowns and the like. As a formally managed process, however, operational risk often gives way to the many other priorities pressing on bank directors.
Given the steep costs of operational risk failures (just think of recent data security breaches), and the deepening interest by regulatory agencies in overseeing improvements in this area, board involvement in matters of operational risk is becoming essential. More rigor in operational risk management, however, involves some special challenges. Among them:
Selecting the Right Risks
A myriad of operational risks can be identified. Trying to manage all of them will only drown the board in minutiae. The trick is to isolate those risks that carry significant downside potential and can be managed in a meaningful way. For most banks, six to nine operational risks bear monitoring at the board level—for example, data security, external and internal fraud, customer errors, processing breakdowns, business interruptions and data quality are common candidates. Basel II banks are being encouraged to add a few more topics to the list. In any case, the aim should be to manage the important risks more deeply rather than trying to manage everything.
Separating Strategic Elements from the Transactional
Many operational risks have both a transactional and a strategic aspect. In processing, for example, reducing customer errors and maintaining data security are key transactional concerns—while the functionality, reliability and efficiency of the operating platform are of strategic interest, because the competitiveness of an organization is highly influenced by the strength of its underlying architecture.
Execution breakdowns should be tracked precisely, noting the number and cost of transactional incidents. Otherwise, it's impossible to determine whether a fraud event is a one-off occurrence or part of a systemic breakdown. Knowing the costs of failures also can help determine the value of mitigation efforts, such as investing more in electronic detection systems. The strategic elements in each area can be addressed under the heading of "Operational Framework," which evaluates the efficacy of the processes, technologies, controls, reporting and people frameworks underlying how risk is managed.
Managing Mitigation Efforts
Protecting against the costs of transactional risk starts with ensuring that strong management processes are installed in every unit where activities generate such risks. This is the area where Internal Audit plays an important role in judging compliance with the objectives set out in the Operational Framework. To do that, the units involved in a particular transactional risk ought to map closely to the designation of units being audited. Achieving alignment in this regard should be a management priority.
Developing Effective Reporting
When it comes to reporting, effectiveness and efficiency are worthy objectives, but they can be devilishly hard to achieve. Reporting at each organizational level should follow a common format and build directly on lower-level reports. The objective should be to report to the board on a given operational risk in one page. That page should cover 1) the organization's appetite or tolerance for the risk, 2) the recent history of failures and costs, 3) plans for—and progress on—mitigation strategies, and 4) a list of accountable executives. The board should be able to review a single deck of one-page summaries on the array of operational risks every quarter.
Based on past experience, it takes active board encouragement to shape a workable approach and reporting framework in operational risk management. But it's definitely worth the effort.