
Operational Risk 101: Roles and Responsibilities

In the four previous articles, we proposed a comprehensive framework to express, measure, and monitor operational risk in terms of the operational performance. Previous articles in this series were: Operational Risk 101: The Basic Definitions; Operational Risk and the Basel II Accords; Operational Risk in Terms of Operational Performance; Operational Risk 101: Tackling Basel II. Using a few simple propositions, we were able to:

  1. Express operational performance and risk using systematically defined key performance indicators (KPI) and key risk indicators (KRI). Importantly, we were able to tie these indicators directly to the overall corporate goals and objectives.
  2. Estimate the operational risk associated with each indicator by measuring the likelihood of its falling outside of its stated error tolerance and the potential impact of such an event.
  3. Compute the operational risk exposure by simply summing up the operational risk associated with each indicator.1
  4. Show that our approach was fully compliant with Basel II.

Not bad work for just four short articles! However, this is just theory. We left the hard problem of showing that this can actually be put into practice until now.

Is This Really a Scavenger Hunt?

So, to summarize the task before us, we need to show that we can implement our theory within the typical financial institution, within a reasonable amount of time and for a reasonable amount of money and without major changes to the operations or turning the organization on its head. Ok, where to begin?

Without doubt, the biggest challenge we face is data. Where are we going to get all the KPI and KRI data we need without materially reengineering the operations?

Well, we can’t implement new transaction systems – way too expensive and too much trouble. No to automated workflow management software, again too expensive, and we would have to reengineer all the legacy systems and operations to boot. We can’t even hire new staff to manually gather the information – too costly, since this is not a one-time task but one that must be performed on a continual basis. Offshoring to India? No, that’s out too, unless you are willing to move the entire operation lock, stock and barrel. Seems pretty bleak, doesn’t it?

Before you give up all hope, remember that financial institutions are among the most regulated companies of all. How regulated? Well, a large US nationally-chartered bank can be regulated by more than 100 local, state, and federal agencies. Don’t believe it?

As a large nationally-chartered bank, it will most likely be regulated and/or supervised by the Federal Reserve Bank, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Federal Financial Institutions Examination Council, plus the state regulators for each state in which it operates. But that is just the beginning.

If it is publicly traded, throw in the Securities and Exchange Commission and the New York Stock Exchange. If it has a registered broker/dealer, add the National Association of Securities Dealers plus the appropriate state securities regulators. If the bank underwrites municipal securities, well there is the Municipal Securities Rulemaking Board. If it has a futures broker, we can’t forget the Commodity Futures Trading Commission.

And if that isn’t enough, there are the myriad work place safety regulations, health care regulations, anti-discrimination regulations, ad infinitum, that are supervised by various local, state, and federal agencies. On top of all this, there are a growing number of agencies within the Department of Homeland Security that also want a piece of the action. And of course, we can’t leave out the ever present Internal Revenue Service.

Ok, ok, financial institutions are heavily regulated, so what? How does this help us find KPI and KRI data?

Well, as a result of all of these regulations, there are loads of internal controls and, most importantly, lots of associated data at our disposal that may be a good source for KPI and KRI data. We only need to show that the KPI and KRI, or at least the ones with the most explanatory power, are somehow captured by these controls and that the information we need is already being generated.

Fortunately, we have one last trick up our sleeves to help us here, the “Integrated System of Controls”. But before we head down that path, we need to take another little detour.

Everything You Wanted to Know About Internal Controls, but Were Afraid to Ask

All of you know what an internal control is. They are everywhere. Therefore, it’s pretty surprising that a generally accepted definition of an internal control doesn’t exist, especially with all the regulations that demand the existence of effective internal controls.

The closest thing to an industry-wide definition of an internal control is one proposed by COSO,2 which, when placed in our context of operational performance, states:

An internal control is a process, implemented by an institution, designed to provide reasonable assurance that a given component (or components) of the operation is performing within expected error tolerances.

Now, it is probably pretty obvious to you that there are a number of problems with this definition, since it limits internal controls to processes. Not the least of these is the fact that the most common internal control, the segregation of duties, is not a control at all under this definition. However, let’s just accept it for the moment and deal with the problems a little later.

From this definition, we see there is a natural relationship between internal controls and operations, or more precisely, specific operational components – the processes and the people, technology, information, procedures, and infrastructure supporting these processes. Further, this definition links internal controls directly to the performance of individual components of the operations, or in our terms, their KPI and KRI. We can also see that internal controls are intended to prevent errors from occurring and should they occur, limit the damage.

Let’s formalize this last statement by making the following claim about internal controls in terms of Basel II:

The purpose of internal control is to prevent unexpected losses, i.e. lower operational risk

While this may not seem overly profound, this proposition has the important consequence that we can measure the operational risk simply by:

  1. Measuring the potential effectiveness of the internal controls – what is the best that we can do?
  2. Measuring their actual effectiveness – how well are we actually performing?

Now, we know the answer to the second question – we can use the Modified Balanced Scorecard to identify KPI and KRI for each internal control and measure them like any other component of the operation.

To answer the first question, we need to delve a bit into the drivers that spawn internal controls.

The Drivers of Internal Controls

Earlier, we saw that internal controls serve one of two purposes: a) preventing errors from occurring and/or b) lessening their impact should they occur. However, internal controls also serve another important function. They articulate and enforce management’s rules and directives governing the operations of the firm. In short, they set the procedural and behavioral models, boundaries, and constraints for all aspects of the operation.

To better understand this, remember that executive management is responsible for establishing the firm’s overall business model. At a general level, they also determine which products and services the firm will sell, the channels it will use, the type of clients it will sell to, the vendors it will use, its risk tolerance, etc. Of course, with each decision there typically comes some sort of regulation or some other operational requirement, and along with these, the need for an internal control or two.

For instance, if management decides that the firm will execute transactions involving US Treasuries, the firm must be able to settle these transactions at the Fed either directly or through a clearing bank such as the Bank of New York. In the case of the former, the firm must meet all Fed regulations. In the latter case, the firm must execute and comply with a formal clearing agreement. In either case, internal controls are required.

Using corporate governance, we can link internal controls to the business model and, at least intuitively, summarize their drivers as:

  1. Applicable statutes, regulations, standards, and regulatory guidelines.
  2. Corporate directives stated by management.
  3. Accepted industry practices.
  4. Third-party relationships determined by management.

More importantly, these drivers also give us the answer as to how we can measure the potential effectiveness of the internal controls. It lies in our ability to determine the degree of alignment between the controls and the overall business model as defined by the internal control drivers. And this is where the Integrated System of Controls comes in.

So What is the “Integrated System of Controls”?

The Integrated System of Controls is a simple construct that places the three key elements of operational integrity and performance – Corporate Governance, Internal Controls, and Operational Risk Management – in the proper context of the overall operations. As we shall see, it is the balance of these three elements and the operations which ultimately determines a financial institution’s operational integrity and performance.3

To better understand this key relationship, we will rely on the following graphic – yes, in this case, a picture is really worth a thousand words, especially given my word count limit for this article.

At the top of the graphic, we see that corporate governance is aligned with its two primary functions: setting the direction of the firm and monitoring its performance against those directives. Specifically, management first establishes the rules and constraints under which the institution will conduct its business (hence perform its operations). Management is then subsequently responsible for monitoring the degree to which the firm complies with those directives.

It is important to note that management normally issues its various edicts through common control elements,4 such as policies, procedures, budgets, contracts, and project plans, any or all of which can be communicated in written form or given verbally. In many cases, these control elements are tied directly to particular regulations and other internal control drivers discussed above. In all cases, they are brought to life via specific internal controls. Hence, management’s rules and directives are reflected through specific internal controls as well as incorporated into the fabric of the operations itself.

In the middle layer of the graphic, we see that there is an explicit relationship between the internal controls and the operations. This shouldn’t be too great a surprise given our definition of internal controls above. However, to underscore the importance of this relationship, we coin the term, “Points-of-Control” (or “PoC” for short) to identify the various steps in the processing streams that are, in reality, internal controls.

While this may sound a bit complicated, if we look at the trader’s end-of-day check with the back office, for example, we see that this is a common PoC in the overall trade processing stream, one that enforces management’s rule on the segregation of duties as well as reducing the chances of fraud and of downstream processing errors.

While PoC may not sound too earth shattering, in fact the PoC will provide us with all the data we need to compute operational performance, hence operational risk. But let’s finish describing the Integrated System of Controls first and get back to this a little later.

At the bottom of the graphic, we see that all the operational and internal control failures are captured by the operational risk management function. These are used to estimate operational performance as well as operational risk exposure and are then fed back into the corporate governance function so that management can assess the degree to which the operations are meeting expectations and complying with all rules and directives.

Now this is pretty neat. Through this simple graphic, we have been able to capture the means both to measure the structural integrity of the operations – i.e. the potential effectiveness of the internal controls – and to measure the actual performance of the internal controls. Moreover, we haven’t had to invent anything new.

In other words, by marrying corporate governance, internal controls, and operational risk management with the operations, three well established functions within every financial institution, we have the means to accurately measure and manage operational risk.

However, is the Integrated System of Controls really our Rosetta Stone to measuring and managing operational risk without costly changes to legacy systems, the organization, and the operations in general? You betcha. We only need to connect the dots.

Connecting the Dots

Let’s start with corporate governance. Remember that a key aspect of corporate governance is management’s role in setting the rules that govern the firm’s overall operations. In order to meet our needs, we simply require that management also set specific operational goals and objectives at the same time they establish their procedural and behavioral rules. Of course, we give them our Modified Balanced Scorecard to make it easier, and this, in turn, generates the KPI and KRI targets and their error tolerances for us. This shouldn’t cause management too much extra work.

Now you might be thinking that it’s not reasonable, or even wise, for executive management to get involved at the level of detail needed to define all the necessary KPI and KRI throughout the enterprise. And you are quite right. However, through the common act of the delegation of duties, this function can be easily extended to all levels of the organization.

Executive management’s rules can be refined and expanded by each successive level of management via the delegation of duties. Additionally, the various operating parameters associated with the rules can then be incorporated directly into the operations and the internal controls by the very groups most capable of understanding the operational details and their impact. And yet, through our old friends, The Fundamental Operational Objective and The Efficient Operations Hypothesis, these will retain a direct connection to executive management’s overall rules and directives.

As a by-product of the delegation of duties, each level of management must establish internal controls to ensure that their operations meet expectations. This is done by associating an internal control with one or more operational components, i.e. creating a PoC. Given the fear of operational failures, PoC are littered quite literally throughout the operations of a financial institution.

Where a manufacturer might be willing to live with a broken widget in every 100,000, given the impact of a failed financial transaction, financial institutions can’t afford even one failure, even if they process millions of transactions daily. As such, they expect every process to be successful every time. Hence, they typically verify every transaction, every movement, every posting, every balance, etc. to ensure that nothing went wrong. And each one of these verifications is a PoC.

Yep, there are a lot of PoC around and, importantly for us, there is normally a great deal of readily available performance data at each of the PoC. Therefore, PoC give us the means to measure the effectiveness of the internal controls and the performance of the operations. We simply need to align the PoC data with our KPI and KRI and presto, instant performance and risk measurement.

Given the Integrated System of Controls, we can easily establish a practical means of computing operational risk as follows:

  1. As part of its annual planning process, executive management assesses its current rules to ensure that they are aligned with the business model and proposes changes to the rules as necessary. Importantly, they also use the Modified Balanced Scorecard to define specific goals and objectives, i.e. KPI and KRI, for each rule.
  2. As part of its annual planning process, line management assesses its current rules, operations, and internal controls to ensure that they are aligned with those of upper management. Line management also proposes new rules, operational changes, and changes to the internal controls as necessary. Again, they use the Modified Balanced Scorecard to define specific goals and objectives, i.e. KPI and KRI, for each change. Importantly, KPI and KRI are defined for each PoC.
  3. As part of the daily operations, performance data is gathered at each PoC from existing operational reports by each operational area, whether that is a business or a control organization.
  4. Independent control organizations, such as investigations, financial control, and operational control, verify all PoC failures and assign a cause and a loss to each.
  5. On a daily basis, operational risk management gathers the KPI, KRI, and baseline operational data to compute operational risk exposure. This data is then communicated back to management.
  6. As part of the annual control self-assessment, under the direction of internal audit or operational risk management, the rules, operational components, and internal controls are assessed by the staff to ensure that they meet their stated goals and objectives. This information is included in management’s annual planning process.
  7. As part of its annual audit process, internal audit ensures the overall integrity of the Integrated System of Controls.
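
To make steps 3 through 5 concrete, here is an added worked example of the daily computation, in Python. It is not the article’s or PVA’s own code; the PoC names, the ten days of failure counts, and the loss figures are constructed sample data, and the formulas are my assumptions about what the earlier articles’ “likelihood times impact” and “sum with covariance” look like in practice: each indicator’s risk is the fraction of days its KRI fell outside tolerance times the mean loss on those days, expected exposure is the plain sum of those risks, and unexpected loss is the standard deviation of the total daily loss, which is where the covariance terms of footnote 1 come in.

```python
"""Operational risk exposure computed from Point-of-Control (PoC) data.

Added example; not the article's or PVA's own code. It assumes that, for
every PoC, the daily operational reports already yield a failure count (the
KRI), that management has set a tolerance for it, and that the control
organization has verified each failure and attributed a loss to it.
The formulas below are assumptions, not something the article spells out:
  risk(indicator)   = P(KRI outside tolerance) x mean loss on breach days
  expected exposure = sum of indicator risks
  unexpected loss   = std. dev. of the total daily loss, taken from the full
                      covariance matrix of the per-PoC daily loss series
"""
from itertools import product
from math import sqrt
from statistics import mean, pvariance

# Constructed sample: ten days of failure counts at three hypothetical PoC,
# with the loss (USD) the control organization attributed to each failure.
POC_DATA = {
    "trader_eod_check":  {"tolerance": 2, "loss_per_failure": 5000.0,
                          "failures": [0, 1, 3, 0, 5, 1, 0, 2, 4, 0]},
    "settlement_fails":  {"tolerance": 3, "loss_per_failure": 1200.0,
                          "failures": [1, 2, 5, 1, 6, 2, 1, 3, 5, 2]},
    "gl_posting_breaks": {"tolerance": 1, "loss_per_failure": 800.0,
                          "failures": [0, 0, 0, 1, 0, 2, 0, 0, 1, 0]},
}


def daily_losses(spec):
    """Daily loss series for one PoC: every failure costs loss_per_failure."""
    return [f * spec["loss_per_failure"] for f in spec["failures"]]


def indicator_risk(spec):
    """Likelihood x impact for one KRI: P(outside tolerance) x mean breach-day loss."""
    losses = daily_losses(spec)
    breach_losses = [loss for f, loss in zip(spec["failures"], losses)
                     if f > spec["tolerance"]]          # KRI outside tolerance
    p = len(breach_losses) / len(spec["failures"])
    impact = mean(breach_losses) if breach_losses else 0.0
    return {"breach_probability": p, "impact": impact, "risk": p * impact}


def covariance(xs, ys):
    """Population covariance of two equally long daily series."""
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)


def exposure(poc_data):
    """Aggregate indicator risks into expected and unexpected loss.

    Simply adding the indicators up is fine for expected loss. It is not fine
    for unexpected loss: PoC tend to fail together on bad days, so the
    covariance terms must be kept (footnote 1). Three figures are reported so
    the effect is visible: PoC assumed independent, PoC assumed perfectly
    correlated, and the actual covariance structure of the sample.
    """
    per_indicator = {name: indicator_risk(spec) for name, spec in poc_data.items()}
    series = {name: daily_losses(spec) for name, spec in poc_data.items()}
    names = list(series)

    # Var(sum) = sum over all ordered pairs (i, j) of Cov(i, j); the diagonal
    # terms are the individual variances, the off-diagonal ones the covariances.
    var_with_cov = sum(covariance(series[a], series[b])
                       for a, b in product(names, repeat=2))
    var_independent = sum(pvariance(s) for s in series.values())
    sigma_perfect = sum(sqrt(pvariance(s)) for s in series.values())

    return {
        "per_indicator": per_indicator,
        "expected_loss": sum(r["risk"] for r in per_indicator.values()),
        "unexpected_loss_independent": sqrt(var_independent),
        "unexpected_loss_with_covariance": sqrt(var_with_cov),
        "unexpected_loss_perfectly_correlated": sigma_perfect,
    }


if __name__ == "__main__":
    result = exposure(POC_DATA)
    for name, r in result["per_indicator"].items():
        print(f"{name:18s} p={r['breach_probability']:.2f} "
              f"impact={r['impact']:>9,.0f} risk={r['risk']:>8,.0f}")
    for key in list(result)[1:]:
        print(f"{key:38s} {result[key]:>12,.0f}")
```

With the sample data, the independent and perfectly correlated figures bracket the covariance-based one; here the first two PoC break together on the same bad days, so assuming independence would understate unexpected loss by roughly a sixth. In a real deployment the per-PoC series would be read from the existing operational reports rather than embedded, and the tolerance and loss attribution would come from steps 2 and 4 respectively.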

While we haven’t actually implemented our theory, we have definitely laid out a clear plan that only requires integrating existing processes, data, and organizations, with very little additional technology. Of course, implementing such an approach in a large firm will take time and dedication; it is still achievable by focusing on the major risks as reflected in the PoC, the KPI, and the KRI.

So we have accomplished what we set out to do five months back. So, in the final article in the series, we bring it all together and describe an emerging paradigm in financial institutions, management by fact.

****

1 Of course, we had to account for the covariance.

2 “Internal Control – Integrated Framework”, Committee of Sponsoring Organizations of the Treadway Commission, September 1992 (a.k.a. COSO).

3 At PVA, we have dubbed this the “Feng Shui” of risk management.

4 Given our adaptation of the COSO definition, these are not internal controls themselves since they are not processes. Don’t worry, it will all work out in the end.
