Regional President Speech

I. Implementing an AMA for Operational Risk May 20, 2005 Cathy E. Minehan, President and Chief Executive Officer Federal Reserve Bank of Boston Welcome back to the second day of this Conference on operational risk measurement in the context of Basel II. Yesterday we heard from bank supervisors and academic experts on the progress being made on quantifying operational risk. Today the focus is on implementation. No doubt given the considerable work being done by regulators and the industry on operational risk capital charges, much of the focus today will still be on operational loss data and modeling. Both are key to quantifying operational risk exposure and determining the appropriate capital for that risk exposure. However, if we are not careful, operational risk management could end up being viewed as yet another episode in the "Star Wars" saga - "The Revenge of the Nerds" - all abstract models and reams of data. This might be a mathematical economist's dream, but it is surely a recipe for a line manager's nightmare. The implementation issues I want to focus on today are the practical rather than the abstract. How do we give the appropriate weight to the management in operations risk management? In considering this topic, let me start with the premise that financial institutions do not exist to take explicit operational risk. It is a by product of the business not a means to an end. While operational risk is, in some ways, the third leg of the risk measurement stool that supports calculations of capital for Basel II purposes, it is inherently different from both market and credit risk. Market and credit risk have tradeoffs in increased returns; such risks can be mitigated, of course, but in many ways they are integral to the business of financial intermediaries. Taking risks is what financial institutions do, and these risks are recognized and controlled explicitly through portfolio diversification and a wide array of increasingly sophisticated financial techniques. In contrast, in my many years in and around bank operations I have never heard anyone say let's implement a lousy system because the money saved will be worth it. Nor have I ever heard anyone suggest they would explicitly seek a diversified portfolio of well and poorly-controlled activities. Poorly run operations certainly do exist, but they are not the business model anyone starts out with. This is because operational risks are I- 2 I i often nonlinear in their impact. In market and credit risk, the size of the loss is related to the size of the position being taken. Thus, if the exposure is understood, limiting the I exposure limits the risk. For many types of operational loss, the size of the loss can dwarf the potential benefits of the activities being undertaken. As an example, in the area of potential legal losses, a variety of institutions have learned that failure to identify early, and promptly correct problems, can result in losses far in excess of the exposure that management would have initially assumed. Clearly, large financial institutions will always have operational risk. Given the number and complexity of the transactions they process, it is literally unavoidable. But reducing such risks to a minimum given their volatile nature - that is, by doing things right the first time through good systems design and strong controls -- ought to be the goal. So what does that tell us about managing operational risk? I want to suggest it tells us three things, and then spend a few minutes talking about each. First, I think it says that it's absolutely vital to properly measure ( either qualitatively or quantitatively) operational risk. Operational risks are not as obvious as either credit or market risks, but can result in significant losses if they are ignored. So identifying and measuring such risks is an important management process. Second, measuring operational risk not only provides information that is needed for Basel II capital calculations, but also, and more important, it provides management with additional information useful in reducing risks as new systems are designed and new technology is employed. Finally, while financial institutions may well develop a controlled but aggressive attitude toward taking credit and market risks to achieve higher returns, aggressive operational risk-taking provides no benefits. So, managing and limiting operational risk must be integral to the very fabric of a financial institution's corporate culture. Turning first to measurement, there's probably nothing I can add to what you know and have been or will be discussing at this Conference. Developing models and extensive statistical analysis is not my area of expertise, but it is clear to me that both senior and line managers can benefit from the array of techniques being developed. Let me raise at least one issue here. The expertise required to develop these sophisticated measurement schemes requires hiring and retaining qualified, and likely expensive, staff. 3 There is at least a chance that such expenditures might be seen as sufficient in terms of controlling operations risk, and take away from the key traditional mainstays of operational risk management -- such as maintaining an independent, credible and respected set of compliance and audit staff and paying them well. Given the attention to compliance and audit matters more generally these days, the probability that they would be shortchanged likely is small, I realize, but I do know that resources are not unlimited in this area. Will good measurement result in less operational risk? I would hope and expect so, as additional clarity about risks brings attention to systems and processes that are not optimal. One way to look at it is that a more focused operational risk measurement can be line management's best friend by identifying areas where additional time and money may be worthwhile in mitigating potential large operational problems. Good measurement also may well provide insight into how well pricing strategies intended to cover the expected cost of routine operational losses actually work. Finally, as I noted earlier, good operations risk management should be integral to the culture of the institution--the so-called tone at the top. Here I would like to pose a question--how can one identify whether a corporate culture is truly supportive of good operational risk management? After all, virtually any management team will say they actively support compliance with all laws and regulations and advocate good business ethics. While there is no clear litmus test - otherwise we would need far fewer bank supervisors -- there are certainly signals of managerial behavior that help identify whether the appropriate risk culture is truly supported by senior management. I want to suggest four such signals today. The first is whether bad news moves up an organization as fast as good news. Organizations with good risk management emphasize early identification of problems, prompt recommendations for mitigation, and effective action plans to prevent recurring mistakes. Other organizations tend to shoot the messenger. This not only prevents problems from getting appropriate attention, but it also prevents others within the organization from learning from the mistake so it is not repeated elsewhere. This is particularly important for operational risk as problems that are allowed to fester for fear of exposure can often result in greater losses. .. 4 A second signal of whether senior management supports good operational risk management is whether learning occurs not only from the institution's own mistakes, but also from problems that other organizations suffer. When Allied Irish experienced severe losses from a rogue trader, many organizations spent time understanding where the control breakdowns occurred, and verifying that their control environment would prevent such incidents. If, instead, senior management and risk officers assume they are too well run to experience the problems of their competitors, they risk repeating their competitors' mistakes. As operations risk management takes on an increasingly quantitative bent, with statistical modeling and other mathematical techniques, there is a risk that its findings become less well understood by line and senior management. This creates a basic problem for the quantitative model builder, as good communication with line management regarding the types of problems that have been historically encountered is vital to model development. More importantly, institutions with a good operational risk management culture will realize that model results must be understood by line management if operations risk reduction is to occur. Indeed, they must be fully understood by senior management as well to ensure the necessary resources are directed to risk reduction. So one clear hallmark of a good operations risk management culture is the depth of understanding among management about how risks are measured. I have been known to say that one ought to wonder about the wisdom of an investment the logic of which cannot be explained to one's mother. Perhaps some variant of that caution is applicable here. Finally, does management view good risk measurement and control as purely a compliance exercise, or do they truly believe that better risk management is an important corporate goal even in the absence of regulatory requirements? Many organizations had significant operational risk management structures in place well before it became the focus in the Basel II process. In fact, much of the regulatory structure is adopting practices that were already well developed at some banking organizations. Organizations that have embraced operations risk management, often have driven it through the organization in a variety of ways by allocating investment dollars, tying compensation or 5 bonuses to risk adjusted returns, and /or finding other ways that risk is incorporated into how they run their business on a daily basis. In my view, what we have been seeing in supervisory reviews of the preparations institutions are making for measuring operations risk in a Basel II context, is that many of the elements I just mentioned related to good risk management are in good evidence. While many organizations were initially and appropriately skeptical of the value of quantifying operational risk, it has been encouraging to see that some institutions have made significant changes based on what they have learned. And it's encouraging to see all of you here learning from each other, and teaching us in the regulatory community what works and what doesn't, and where changes can be made in regulatory approaches. Over the last several years, the headlines have trumpeted what can happen when operational controls, accounting ethics and corporate cultures go awry. The resulting losses to shareholders and employees have been enormous, and even when problems did not result in organizational demise, they took a toll on the reputations of all involved. This experience has highlighted the need for strengthened operations risk management, both the old-fashioned type of strong controls, good systems and independent compliance and audit staff, and the use of the newer, more quantitative risk management tools. These tools help to align capital with the risks in the organization, and better align risk management practices throughout the organization. That management of operational risk and the development of risk management tools have made so much progress is a testament to the hard work of many of you in this room. Hopefully through the active engagement of many of you in the audience, whether banker, investment banker or bank supervisor, we will continue to make strides in better understanding operational risk and finding ways to manage it. While the challenges are daunting, there are considerable benefits and rewards as we address them.

Cathy E. Minehan (2005, May 19). Regional President Speech. Speeches, Federal Reserve. https://whenthefedspeaks.com/doc/regional_speeche_20050520_cathy_e_minehan

@misc{wtfs_regional_speeche_20050520_cathy_e_minehan,
  author = {Cathy E. Minehan},
  title = {Regional President Speech},
  year = {2005},
  month = {May},
  howpublished = {Speeches, Federal Reserve},
  url = {https://whenthefedspeaks.com/doc/regional_speeche_20050520_cathy_e_minehan},
  note = {Retrieved via When the Fed Speaks corpus}
}