, Singapore

How banks can prepare for the worst

By Thomas Olsen and Sebastian Fritz-Morgenthal

Why do banks in Asia and the rest of the world have so much trouble managing operational risk?

In recent years, the financial pages have been filled with examples of the many ways that operational risks can spin out of control: Traders make huge, unauthorised bets; sales people set up accounts without the consent of their customers; managers rig market benchmarks; internal systems and processes break down; computer systems fail; customer data is breached and compromised.

The consequences of these operational mishaps can be catastrophic—resulting in millions, and sometimes billions, of dollars in financial losses; fines and other regulatory sanctions; customer defections; management shakeups; shareholder discontent; and significant, if not irreparable, damage to a bank’s brand and reputation.

From 2011 to 2016, major banks suffered nearly $210 billion in losses from operational risk. Most of these losses stemmed from preventable mistakes made when employees and systems interacted with clients, flaws in the way transactions were processed or outright fraud.

Overall, banks have made some progress managing operational risks, but there is much room for improvement. Losses from operational risks at major banks worldwide have fallen from a peak of 6.2% of gross income in 2011 to 1.6% in 2016, according to ORX, an organisation that tracks operational risk. By taking steps to reduce those losses further, banks can have a direct and measurable impact on their bottom lines. Improving the 2016 loss ratio by 20%, for example, would be equivalent to a 32-basis-point increase in net profit margins.

Banks, in short, have every incentive to contain operational risk. Yet, they often find it hard to do. Compared with financial risk (which includes the risk that creditors will default on their loans and that assets will fluctuate in value), operational risk is more complex and more challenging to monitor, control, and manage.

Many banks have a tough time understanding and measuring the interconnected factors that contribute to operational risk, including human behavior, organisational processes and IT systems. They find it challenging to create cultural, governance and management structures that can systematically control these risks. Instead of taking a deeply integrated, proactive and long-term approach to operational risk management (ORM), they end up managing operational risk with reactive, short-term measures.

Banks that take a comprehensive approach to ORM recognise four broad areas that need attention. The first is people. Even in a digital age, employees (and the customers with whom they interact) can cause substantial damage when they do things wrong, either by accident or on purpose. Problems can arise from a combination of factors, including intentional and illegal violations of policies and rules, sloppy execution, lack of knowledge and training, and unclear and sometimes contradictory procedures.

The second area is IT. Systems can be hacked and breached; data can be corrupted or stolen. The risks banks face extend to the third-party IT providers that so many banks now rely on for cloud-based storage and other services. Systems can slow down or crash, leaving customers unable to access ATMs or mobile apps.

The third area is less tangible than the first two, but no less important: organisational culture. By setting aggressive sales targets and rewarding employees for how well they meet them, bank management can encourage, and, in some cases, explicitly condone inappropriate risk taking. Such activity, when exposed, can lead to management changes, shareholder losses and regulatory fines.

The fourth area that vexes ORM planners is regulation. Since the global financial crisis, regulators have increased the number and complexity of rules that banks must follow. Banks that operate in multiple jurisdictions can face overlapping, inconsistent and conflicting regulatory regimes. Lapses can be expensive and embarrassing, triggering regulatory sanctions and customer defections.

The key to effective ORM is training people to anticipate what could go wrong, especially when a business unit is about to do something new, such as introduce a product, change a customer interface, alter the way employees are compensated, or outsource part or all of a core business process.

As banks increasingly use Agile teams to innovate, they can make sure that ORM experts are part of the effort. One major European bank, for example, has ORM staffers as integral members of the Agile teams on its innovation campus, where the bank develops and tests new business practices and offerings. Another European bank has built up a dedicated cyber risk team that simulates realistic cyberattack scenarios and takes action to prevent them from happening.

Leading banks now use technology to supplement, and sometimes replace, audits. Using advanced analytics and machine learning, they leverage their tremendous trove of data to screen the entire bank’s operations continuously and automatically. They use insights from this ongoing surveillance to quickly develop and adapt Key Risk Indicators (KRIs) that serve as early warning signs of potential problems.

Banks that are integrated and proactive about the way they manage organisational risk can realise real financial benefits and, more important, help prevent the kind of catastrophe that can have consequences for years to come.

Join Asian Banking & Finance community
Since you're here...

...there are many ways you can work with us to advertise your company and connect to your customers. Our team can help you dight and create an advertising campaign, in print and digital, on this website and in print magazine.

We can also organize a real life or digital event for you and find thought leader speakers as well as industry leaders, who could be your potential partners, to join the event. We also run some awards programmes which give you an opportunity to be recognized for your achievements during the year and you can join this as a participant or a sponsor.

Let us help you drive your business forward with a good partnership!

Exclusives

Private fund tokens may be the future of investing
Kinexys seeks to keep a token’s sensitive financial information from prying eyes.
More tax perks could drive Philippine SMEs to go ‘green’
The Southeast Asian nation’s 1.1 million small businesses can be a target for green loans. 
Asia struggles with G20 payment targets
The ultimate goal is for cross-border payments to achieve “the speed of the internet.”