By Judith Graham, Optial UK Limited
The definition of operational risk management is changing. Financial institutions must look for systems - and vendors - that can keep abreast of a fast-changing regulatory landscape. This article examines how regulatory pressures are forcing treasury departments to see corporate operational risk management as a dynamic process.
The scope of operational risk has certainly changed since Basel II put it on the map. Stakeholder losses from high profile corporate collapses have also served to illustrate the impact that operational risk failures can have on a company's bottom line.
What is Operational Risk?
But what exactly is operational risk and how should corporate treasurers approach operational risk management (ORM)? The expanded scope of operational risk has led analysts, businesses and vendors alike to highlight the strategic business benefits of a good ORM system, rather than viewing ORM merely as a 'tick the box' requirement. Current business thinking aside, it is worth defining what we mean by operational risk.
At its simplest, operational risk within treasury is any risk posed to a company's liquidity or solvency by its own internal systems, processes, people, or external events. This can include a wide range of individual actions and malpractice. What is more, case law and jurisprudence in both Common Law and European Law jurisdictions are progressively widening the scope for interpreting individual malfeasance as a legally liable failure of corporate processes and systems.
In general, operational risk includes internal and external fraud, employment practices, workplace safety, discrimination and workplace harassment, fiduciary breach, misuse of customer information, improper trading, or use of financial or debt instruments. Significantly for treasury operations, operational risk also covers failed transaction processing and process management, incomplete documentation on transactions or other legal requirements, collateral management failures, unapproved access to vendor and supplier data, as well as inappropriate use of internal company data.
With this breadth of possible failures, and the serious consequences they can engender, it follows that treasurers need to take a structured approach to achieving real clarity about what these risks are and how they are being genuinely addressed.
Operational Risk Spreads its Wings
Moreover, the responsibility of corporate entities for operational risk is being increasingly extended and made subject to both supra territorial and, more recently, to extra territorial jurisdiction and regulation. Case law, statutory regulation and interpretation by territorial authorities, such as the Advocate General of the European Court of Justice, are increasingly defining corporate liability to include failure to implement current best practice - to prevent individual actions of staff or even third parties.
Operational risk liability is also becoming more complex and diffused by the increasing extension of extra territorial corporate regulation and law. The US, in particular, has been active in extending its extra territorial regulatory reach in matters of corporate failure. This includes pursuing foreign third parties to domestically liable treasury operational risk, as in the case of Enron and the NatWest Three.
Germany is another country that has pursued an active regulatory operational risk agenda beyond its national frontiers, especially in Scandinavia and in the other German-speaking nations of Europe, although its preferred route has been through supra territorial institutions, such as the European Council of Ministers and the European Court of Justice. Germany's stance on operational risk has been significantly intensified by the recent Siemens corruption cases, where operational failures at treasury level can be seen as playing a part. Recent US actions and changes to domestic legislation have opened the door for other countries, such as Germany, to pursue similar extra territorial actions over operational failures.
Corporate treasury is vulnerable to failure in a number of specific operational functions. Integration and unification of processes, and automation of these, are common-sense ways to reduce the probability or occurrences of operational failures. Interestingly, however, the impact of operational failures, errors and frauds may actually be increased in those circumstances. For example, the adoption of more highly automated and globally centralised processes has the ability to transform one-off manual errors into systems-wide failures. Similarly, the creation of increasingly integrated cash management and payments systems creates new risks in external fraud and systems security, as well as in internal fraud. Corporate mergers, consolidations and regional expansion are significant areas of operational risk in treasury, as processes proven in one environment or region are transferred into new environments or legal settings. Outsourcing of cash management or settlement also represents a significant area of operational risk, because treasurers need to properly define, manage and monitor service level agreements and other contractual frameworks with their suppliers, and ensure ongoing due diligence into the processes and practices within such third-party firms.
Reducing Risk in Cash Management
Managing liquidity and cash positions has particular operational risk implications. These implications have been intensified by recent changes in financial regulation that have significant knock-on implications for corporate treasury. The advent of Basel II in the banking world alters aspects of the competitive environment, as uncommitted credit lines become more difficult to maintain and as banks assess and maintain capital reserves for client operational risk. These effects are not uniform. They are dependent on either a standard credit rating assessment, or internally developed client operational risk assessment systems. The standard credit rating system has come under increasing criticism since the credit crisis, and can affect both banking competitiveness and operational risk exposure. As a result, more and more banks are likely to move towards implementing their own internal client operational risk systems. For the corporate client, the simpler standardised system provides a clear market advantage for those with above A- credit rating. With the more sophisticated internal bank risk assessment systems, the resilience and compliance of the client treasury function is likely to play a significant role in the operational liquidity that it will be granted by the bank.
The Payment Services Directive (PSD), which is coming into force across the European Union from 1 November 2009, will have a considerable change management impact on cash and payments management systems within the treasury function. But while implementation of the PSD will change the payments regime in all EU countries, it will by no means amount to a single uniform regime. Each country is likely to implement the Directive in different ways, with national exceptions and derogations. The result will be a changed payments regime across Europe, but the continuation of nationally individual systems. The new payments regime is also likely to create new opportunities for fraud, as methods of account identification and authentication change. The Directive therefore presents corporate treasuries with two immediate operational risk challenges: transitioning 27 different national payment regimes into new, more convergent but still separate national payment systems, without operational process failure or major error; and managing and controlling any new opportunities for fraud that the new regimes may provide.
Foreign Exchange and Pensions
The recognition of the operational risk implications of foreign exchange activities within treasury has grown considerably over the last year. To a great extent, this is due to the impact that the dollar's volatility is having on company bottom lines; while this is a classic market risk effect, the bottom line is focused and the underlying causes may be shown to be operational in nature. For example, foreign exchange (FX) is a considerable operational risk for treasury on account of the disparate nature of the FX function, with corporate treasury often reliant on regional controllers in processing, as well as special accounting functions, to prevent invalid reporting on transactions. This can make it difficult for corporate treasuries to accurately calculate their exposure to FX fluctuations.
Pensions are another area of operational risk within treasury that has been under the spotlight recently. One reason is that companies have faced new legislation or guidance on corporate pensions in many key economies, including the US, Germany and the UK. Another is that the operational risk posed by pensions has been starkly demonstrated by the problems suffered by both General Motors and Chrysler.
Using IT to Drive Down the Cost of Compliance
Aside from regulatory challenges, compliance officers will face increasing pressures from within their own organisations to mitigate the increasing burden and cost of future (expanded) operational risk compliance.
The cost of complying with the growing tide of risk management requirements has been steadily rising throughout the last decade. It could rise much faster in the near future. The first generation of compliance imposed a heavy cost on institutions. Regulations such as Sarbanes-Oxley (SOX), anti-money laundering (AML) and the Markets in Financial Instruments Directive (MiFID) cost European financial institutions on average almost US$2.5bn in 2007 in compliance IT spending alone (with MiFID accounting for over half the total). This figure was up from just over US$1bn in 2005 and US$1.5bn in 2006 (source: 'The Future of Regulatory Compliance', March 2007, Business Insights). Predictions for 2008 and 2009 IT spend on these same compliance initiatives are in line with the 2007 figure, according to the same report. Current compliance initiatives already under way are likely to prove even more expensive, as firms continue to respond to Basel II and embed IFRS/IAS into business processes. In addition, now that the European Union's single euro payments area (SEPA) initiative has begun, banks will be preparing to be compliant by the end of 2010, and are also keeping a close watch on the potential impact of the Regulation National Market System (Reg NMS) in the US.
In the case of Basel II, firms are likely to face further changes, with a tightening of risk management likely to be mandated as a response to the credit crisis. The Basel Committee on Banking Supervision (BCBS) is proposing expanding the scope of the regulatory capital charge, adding a new incremental risk charge (IRC) aimed at capturing defaults, credit migrations, liquidity risks and significant changes in credit spreads and equity prices.
The US authorities have revised their Pillar II guidance, in line with their policy of pushing for faster implementation of the advanced capital framework by the largest financial institutions. At the same time, a more cautious approach has been taken to the use of operational risk mitigants such as insurance and capital market securities. All the signs are that operational risk requirements will be tightened further as a safeguard against a wider range of possible 'rare events'. In any case, financial institutions face a far more complex task in calculating operational risk in the aftermath of all the turmoil in the credit, SUV, mortgage, US sub-prime, and CDO markets.
These regulatory and industry developments will put increasing pressure on corporate compliance departments to find innovative ways to reduce the impact on margins and operational flexibility, while not compromising the central task of compliance.
Some of this cost will be consumed by developing and modifying IT systems so that they can handle the new risk management requirements. But corporate compliance IT systems can incur potentially greater costs, if they do not incorporate the necessary agility and functionality that allows them to adapt to new or adjusted business products or processes within the timescales required. The wider impact could be to delay time to market and potentially lose market share.
In general, firms that adopt applications that are lightweight, simple to set up, highly configurable, adaptable to change, and open to other business systems have the best chance of achieving both a successful solution at the fastest rate and keeping costs firmly down.
Addressing Future Treasury Risk Management
The task of operational risk compliance within corporate treasury is likely to become increasingly challenging. External regulatory and internal corporate pressures will combine to demand the delivery of new levels of compliance management, with minimal impact on business flexibility and operating margins.
and adaptability of compliance IT systems. Fulfilling current compliance requirements and scope is only half the challenge: systems must also be able to scale and adapt intelligently and rapidly to both regulatory and business change, without imposing overhead on either business platforms or operating flexibility.
Judith Graham is COO of Optial (www.optial.com), a UK technology company delivering operational risk management systems to financial services companies around the globe.
Published by GT News in October 2008.