CHAPTER 17
Best Practices in Related Risk Management Activities

There are many activities within a fintech or bank that manage a specific operational risk or subset of operational risks. Each of these may have existed well before the operational risk corporate function was formed and may be owned by specialists in that field. In addition to meeting all operational risk regulatory and business requirements, these risk areas often have their own unique regulations and business drivers.

As discussed in Chapter 16, the operational risk department must forge strong relationships with these areas in order to ensure the success of the framework and to ensure consistency in reporting and escalation of operational risks throughout the firm.

In this chapter, we will learn some more about each of these unique areas and their best practices.

NEW-PRODUCT APPROVAL

One of the most effective weapons against Clients, Products, and Business Practices events is a robust new-product approval process. This control should be designed to ensure that all risks are considered when a new product is being proposed. The market and credit risks may be well understood by those involved in proposing the new product, but they may be unaware of the resulting operational risks that may arise. Therefore, a new-product proposal should be reviewed by the legal, compliance, tax, information technology (IT), information security, business continuity, model governance, third-party risk management, operations, and finance departments before it is approved. Each of these departments should carefully consider the possible operational risks that may arise in the development, implementation, and maintenance of the new product.

Conditions may be raised and documented during the process so that the product owner is aware of the constraints that need to be built into the product to ensure that the firm's risk appetite is not breached.

If the operational risks are beyond the appetite of the firm, then they must be mitigated before the product is launched or, if this is not possible, the product proposal must be shelved.

If a product is approved, it is important to ensure that there is also a mechanism to ensure that it is monitored. Many products that were at the heart of the recent economic crisis did pass through a new-product approval process. However, they then grew at a rate beyond the expectations of all involved, and the risks were not reassessed at any point.

In today's highly competitive digital banking environment, a bank or fintech may be under significant pressure to continue to rapidly roll out innovative new products to attract and retain customers. The importance of the new-product approval process is heightened in this environment and needs to act as an opportunity for the risk department, the business leaders, and the support functions to pause and consider whether the product that is proposed meets the operational, compliance, reputational, and strategic risk appetite of the firm.

Effective new-product approval processes can be embedded in agile development methodologies by ensuring transparency into product requirements and builds at each step of the agile development process. Effective testing of the final product to ensure that it has met any conditions that were set is essential.

Risk and control self-assessments (RCSAs) can be useful in monitoring operational risks that arise as a product evolves. Key risk indicators (KRIs) can be attached to products to trigger a reassessment when they reach a particular volume.

SUPPLIER AND THIRD-PARTY RISK MANAGEMENT

The use of vendors or suppliers and third parties raises unique challenges for operational risk management. While activities and controls may be outsourced, operational risks are not. The firm still owns the risk. Therefore, it is necessary to ensure that there is a robust due diligence process to monitor operational risk management in any third parties that are providing key services or processes.

This can be achieved by requiring vendors to complete RCSAs, to deliver KRI data, and to inform the firm of operational risk events that occur. However, it may be difficult to ensure that such data is being collected to the same standards as the firm is applying internally.

Most firms now require third parties to complete in-depth risk assessments prior to engaging their services and may require quarterly reviews for the most critical vendors.

Some firms have amended their service-level agreements (SLAs) with vendors and third parties to require them to provide minimum data to assist with monitoring operational risks. Other firms have determined that these risks cannot be accurately monitored and have focused instead on developing robust contingency plans that can be implemented if the vendor fails. Other firms have spread their operational risk exposure by moving away from a single supplier and engaging several vendors where possible.

For banks, the regulatory expectations are high in the area of supplier risk management today. The failures of mortgage servicing companies came as a painful reminder to firms that were using those services that they had not reduced their risks; in fact, by handing over the controls they may have increased their risks.

Some firms are electing to move activities back in-house when they feel that they cannot get sufficient assurances through an SLA that controls are being well-managed and that risk is not rising.

LEGAL RISK MANAGEMENT

There is often tension between the operational risk department and the legal department, as the operational risk department is promoting transparency, whereas the legal department is focused on protecting the firm from legal risk exposures.

Legal Considerations in the Operational Risk Framework

This tension can lead to challenges around reporting loss data, RCSA scores, scenario analysis outcomes, and KRIs. Each of these elements of the operational risk framework can be responsible for alerting the firm to risks, and the legal department may be wary of the mitigation burden that this might then place on the firm. If a risk is known and is not mitigated, this could present problems in the future if related litigation were to arise.

It is important for the operational risk department to ensure that the policies and procedures surrounding operational risk identification, assessment, monitoring, control, and mitigation clearly state that there is no expectation that all risks can, or will, be mitigated. The legal department will often be eager to review these policies and procedures to ensure that they are clearly worded so as to prevent an inadvertent increase in legal risk.

Capturing Legal Risks Using the Operational Risk Framework

There are legal risks that will be captured in the operational risk program. Legal risk is a subset of operational risk, and therefore any losses related to litigation or legal disputes need to be captured in the operational risk event database and need to be considered in the RCSA and scenario analysis activities.

This raises additional concerns, as the contents of the loss database will be subject to the usual rules of discovery, and so might be requested by an adversary during litigation proceedings. For this reason, many firms provide very little information on legal events, restricting them to a simple description such as “pending litigation” and not completing the loss amount until the case has been settled or all appeals have been exhausted.

Recent developments have led to requirements to include reserve amounts in the loss database, and special care needs to be taken with those entries to ensure that privilege is not compromised.

REGULATORY RISK MANAGEMENT

The compliance department is sometimes surprised to find that the operational risk department is interested in its processes, procedures, reporting, and assessments. However, the regular monitoring and management of regulatory risks is an important element in operational risk management and a partnership between the two functions is mutually beneficial.

The operational risk function is often able to find strong KRIs that have been monitored regularly by the compliance department for many years, such as training and registration requirements. The compliance department is able to raise any concerns it has regarding regulatory compliance in a central operational risk forum, where they may be appreciated as risks that are beyond the risk appetite of the firm.

The governance structures around regulatory risk may need to evolve in order to ensure that the operational risk reporting and escalation processes and the compliance risk escalation processes are aligned.

PEOPLE RISK MANAGEMENT

People risk arises in all areas of operational risk management. Many controls are dependent on manual processes, and there can be some confusion as to how to capture the underlying people risks such as loss of key personnel, inadequate training, or inadequate cross-training.

These risks will often be raised by participants in an RCSA. However, the risk is not that people will leave or be untrained, but rather that this causes other risks to arise. Therefore, there may be a place in the operational risk framework for activities to protect the firm from people risks generally.

As a result, operational risk departments often engage with the human resources or training and development departments to develop programs that will help address firm-wide people risk themes. These themes may include:

  • A need for training in nondiscriminatory behavior.
  • A need for skills training in functional areas.
  • A need for cross-training for critical activities.
  • A staff survey to monitor KRIs regarding morale.
  • Compensation surveys to ensure competitiveness.

The human resources department is understandably reluctant to share people-related data, as the data can be highly confidential and sensitive. It may take some time before the operational risk department can develop a relationship with human resources that will support the production of appropriate KRIs and activities that will mitigate people risks.

FRAUD RISK MANAGEMENT

There may be several activities in the firm that are designed to address fraud risks. The Sarbanes-Oxley Act (SOX) requires a firm-wide fraud risk assessment, compliance departments are tasked with monitoring trading to prevent unauthorized trading, and the operational risk department monitors Internal and External Fraud risk categories.

These activities can be combined to meet all needs. The compliance monitoring activities can be used as inputs into the operational risk RCSA program, and the SOX requirements can be met by that same RCSA program.

Many lessons were learned and controls improved as a result of the Société Générale event that was discussed at length earlier in Chapter 8. Since that event, however, there have been many other fraud scandals that were exposed during the economic crisis, and the UBS unauthorized trading scandal is discussed in Chapter 18. Hedge fund frauds, Ponzi schemes, insider trading scandals, and simple theft of funds have all occurred in the past few years. As a result, clients and regulators are raising their expectations regarding fraud risk controls, and firms are working to ensure that they have addressed internal and external fraud risks.

In addition, the level of external fraud in the banking and fintech sector has risen significantly in recent years. This may have been exacerbated by the online nature of banking that dominates the financial services industry today, by the economic pressures that many consumers have experienced, by the temptingly large volumes of stimulus and unemployment payments during the COVID-19 pandemic, and by the rise of organized fraud gangs that can globally access digital banking platforms.

There are best practices regarding fraud risk mitigation, including robust IT security, effective managerial supervision, and careful monitoring of activities. However, in addition to these controls, it is important to ensure that the culture of the firm is such that employees are aware of fraud risk and are comfortable with responding appropriately when faced with suspicious activity.

Whistle-blower hotlines, anonymous intranet sites, and annual training programs help to ensure that the firm's culture is strongly aligned to protect it against fraudulent activity. The operational risk department should work closely with the human resources department and legal and compliance departments to develop a framework for training, monitoring, and reporting that provides transparency and that supports a culture that resists fraudulent activities from within and from outside the firm.

TECHNOLOGY RISK MANAGEMENT

The current reliance of fintechs and banks on technology also exposes them to significant technology risks. The failure of a critical system, the loss of a network, or a programming error in a vital model can result in catastrophic losses to the firm. The case of Knight Capital, which suffered a technology glitch that wiped out the value of the firm, is discussed in Chapter 18.

The IT department will engage in technology risk management at a detailed level. They often collect metrics that monitor systems capacity, network outages, bug fixes, and security breaches. These metrics can be KRIs in the operational risk management framework, and the operational risk department will have a strong interest in understanding the underlying risks in the technology of the firm, as these represent the causes of events in many risk categories.

Technology solutions are often raised as mitigating actions where high residual risks have been identified in an RCSA or where an IT failure or inadequacy has resulted in a risk event. These mitigating actions can range from simple fixes to extensive firm-wide projects. The operational risk department can partner with the IT department to assist them in prioritizing these activities and assessing the cost benefit of large projects. The potential losses that are identified in the operational risk management program can be very helpful in understanding whether a major strategic IT project should be pursued by the firm.

CLIMATE RISK

A weather catastrophe can result in significant operational risk losses. The impact of global climate change has been felt in every region, with fires, floods, hurricanes, and tsunamis bringing disruption and danger to firms everywhere.

While weather cannot be controlled, it can be monitored, and the operational risk department should consider weather risks when working on RCSA and scenario analysis activities. The location of a branch or main office of a firm might significantly elevate the risk of a weather-related incident, and the assessment of those risks might lead to a residual risk level that requires mitigation or contingency plans.

Weather risks can impact employees as well as office locations, and some firms have travel tracking programs to ensure that they know the location of their employees, or at least their critical employees, at all times. In these programs, employees are required to log their business and personal travel plans in a central database.

For example, these systems resulted in some firms being able to quickly arrange for the retrieval of their personnel from Thailand following the tsunami in 2005 and are now often used to establish whether employees are accounted for after major hurricane events. Tracking systems can also be used to track whether there are any employees in areas that are subject to civil unrest and that may need to be extracted in an emergency.

The Basel Committee recently provided some guidance on the appropriate supervision of management of climate risk in its 2019 “Overview of Pillar 2 Supervisory Practices and Approaches.”1

PANDEMIC PLANNING

Business continuity planning (BCP) functions were originally designed to provide controls and procedures that would protect the firm from downtime in the event of a loss of power, telecommunications, or access to buildings.

To respond to these risks, BCP plans were designed to provide robust data backup facilities, alternate work sites, and communications protocols to handle events such as a major power outage, terrorist attack, or weather catastrophe.

Over the past few years, concerns had arisen around the potential impact on the financial services industry of a pandemic, initially due to concerns over avian flu and swine flu and now the global spread of the COVID-19 coronavirus.

Traditional BCP contingency plans were often inadequate in a pandemic, as they relied heavily on the use of alternate sites. In a pandemic situation, there is a requirement for social distancing, where employees are unable to work together in close proximity. Also, there may be a high level of absenteeism in all industries and disruptions to the infrastructure and social norms as a result.

This called for a different approach to continuity planning, and operational risk departments have been involved in pandemic planning over the past few years. Pandemic flu exercises were held in the United Kingdom and in the U.S. financial services sectors in recent years, and the lessons learned from those exercises were implemented by operational risk teams and BCP teams across the industry.

In the first edition of this book, I noted that a pandemic flu would result in a truly global operational risk event, and the operational risk department in each region would need to address global as well as local considerations in its pandemic preparedness planning.

I noted that the following pandemic planning considerations were recommended by the U.S. government on the www.pandemicflu.gov website at that time:

  1. Plan for the impact of a pandemic on your business.
  2. Plan for the impact of a pandemic on your employees and customers.
  3. Establish policies to be implemented during a pandemic.
  4. Allocate resources to protect your employees and customers during a pandemic.
  5. Communicate to and educate your employees.
  6. Coordinate with external organizations and help your community.

In response to these guidelines, many firms developed sick leave, absenteeism, and travel policies that could be implemented should a serious pandemic occur. They also acquired medical and cleaning supplies that could be used as needed, including face masks, hand sanitizers, and, in some instances, antiviral medications.

The remote computing capabilities of many firms were upgraded to support remote log-on by all critical personnel, and calling trees and succession plans were updated. Critical vendors' pandemic plans were reviewed for completeness, and if they were found to be lacking, alternate vendors were identified.

The arrival of the COVID-19 global pandemic tested all of these preparations, and it became clear that these plans had underestimated the length of the pandemic and some of the long-term supply chain impacts. Most firms assumed that a pandemic would be virulent and would burn out within a few months.

We have learned that it is possible for most fintechs and banks to operate completely remotely, and at the time of this writing, some firms have decided to remain fully or partially remote working permanently.

This global operational risk event has had a shocking death toll, and many more people are dealing with the long-term after-effects of having contracted the virus. Firms have now stress-tested their pandemic plans and have found ways to manage the complexities of occasional regional, national, or local shutdowns and rolling absenteeism across their own staff.

The personal mental, emotional, and physical toll on the workforce has required many operational risk, BCP, and human resource teams to develop programs to ensure that their employees have access to support to reduce the burnout that has pervaded the industry.

ORX reported that losses directly associated with COVID-19 in 2020 accounted for €2.1 billion (12.5 percent) of all operational risk losses among its members.2

The COVID-19 pandemic is the largest operational risk event in recent history and has underscored the need for effective preparation in the face of disaster, monitoring of risk during and after an event, and the importance of clear and effective communication across the firm.

STRATEGIC RISK

Strategic risk is specifically excluded from the Basel II definition of operational risk, but that does not mean that it is excluded from Basel II consideration nor from operational risk management programs. Managing strategic risk is critical in all fintechs and banks, and the operational risk framework offers support for that management.

Basel II has three pillars. Pillar 1 concerns the appropriate calculation of capital for market, credit, and operational risk and outlines some qualitative minimum standards for these risk management categories. Pillar 2 concerns the regulatory oversight that should be put in place to ensure compliance with Pillar 1, and also adds additional requirements to ensure that the firm is protected from risks that may not have been captured in Pillar 1. Pillar 3 refers to the disclosure requirements that firms need to adopt; for example, it outlines how to report on risk management practices and capital in the annual report.

Strategic risk is specifically mentioned in Pillar 2:

There are three main areas that might be particularly suited to treatment under Pillar 2: risks considered under Pillar 1 that are not fully captured by the Pillar 1 process (e.g. credit concentration risk); those factors not taken into account by the Pillar 1 process (e.g. interest rate risk in the banking book, business and strategic risk); and factors external to the bank (e.g., business cycle effects).3

Other risks: Although the Committee recognizes that “other” risks, such as reputational and strategic risk, are not easily measurable, it expects industry to further develop techniques for managing all aspects of these risks.4 [emphasis added]

In December 2019, the Bank of International Settlements (BIS) provided further clarification of its view of the importance of effective strategic risk management:

Senior management should establish a risk management process that is not limited to credit, market, liquidity and operational risks, but incorporates all material risks. This includes reputational, legal and strategic risks, as well as risks that do not appear to be significant in isolation, but when combined with other risks could lead to material losses.5 [emphasis added]

Therefore, a firm that wishes to meet Basel II standards is required to consider business and strategic risk in its Pillar 2 framework. A weakness in the Pillar 2 framework can lead to capital penalties (or capital charges) from the firm's regulator. For this reason, some operational risk managers also consider business and strategic risks in their framework, so as to be able to demonstrate to regulators that these risks have been included in the risk management framework. For example, scenario analysis may be used to address both operational and strategic risks.

They may also use tools from the operational risk framework to help quantify appropriate capital additions for strategic risk, so preempting any regulatory suggestions for additions.

It is difficult to find an agreed-upon definition of strategic or business risk, although the Committee of European Banking Supervisors (CEBS) has provided the following:

Strategic risk: the current or prospective risk to earnings and capital arising from changes in the business environment and from adverse business decisions, improper implementation of decisions or lack of responsiveness to changes in the business environment.6

The U.S. Office of the Comptroller of the Currency's most recent definition is:

Strategic risk is the risk to current or projected financial condition and resilience arising from adverse business decisions, poor implementation of business decisions, or lack of responsiveness to changes in the banking industry and operating environment. The board and senior management, collectively, are the key decision makers that drive the strategic direction of the bank and establish governance principles. The absence of appropriate governance in the bank's decision-making process and implementation of decisions can have wide-ranging consequences. The consequences may include missed business opportunities, losses, failure to comply with laws and regulations resulting in civil money penalties (CMP), and unsafe or unsound bank operations that could lead to enforcement actions or inadequate capital.7

Managing such risks is challenging and requires a qualitative approach. Because the operational risk program contains tools that are designed for managing and measuring qualitative as well as quantitative risk exposures, these tools can be very effective for managing and measuring strategic risk as well.

KEY POINTS

  • Operational risk management often requires partnership with many related areas in the firm including those that own:
    • New product approval
    • Vendor, supplier, or third-party management
    • Legal risk
    • Regulatory risk
    • People risk
    • Fraud risk
    • Technology risk
    • Weather risk
    • Pandemic risk
    • Strategic risk

REVIEW QUESTION

  1. Which of the following is the best description of the Basel II requirements regarding strategic risk?
    1. There is no regulatory requirement to manage or measure strategic risk.
    2. Pillar 2 requires firms to manage and measure strategic risk.
    3. Pillar 1 includes strategic risk in the definition of operational risk.
    4. The only regulations regarding strategic risk are outside of Basel II rules.

NOTES

  1. Bank for International Settlements, Basel Committee on Banking Supervision, “Overview of Pillar 2 Supervisory Review Practices and Approaches,” June 2019, https://www.bis.org/bcbs/publ/d465.htm.
  2. ORX Annual Member Banking Loss Report, 2021.
  3. Bank for International Settlements, “International Convergence of Capital Measurement and Capital Standards: A Revised Framework,” 2004, section 724.
  4. Ibid.
  5. Bank for International Settlements, Supervisory Review Process 30 (SRP 30), December 2019, https://www.bis.org/basel_framework/chapter/SRP/30.htm.
  6. “Application of the Supervisory Review Process under Pillar 2,” CEBS Consultation Paper (CP03 revised), 2005.
  7. Office of the Comptroller of the Currency, “Comptroller's Handbook, Safety and Soundness, Corporate and Risk Governance,” version 2.0, July 2019, 4.