You are currently browsing the category archive for the ‘Operational Risk’ category.
Sometimes I like to think that what I say here has at least some impact. This letter from APRA to the Advanced ADIs in Australia was sent out a month after my last piece on reviewing pandemic planning procedures. As I said – I like to think so.
That bit of auto-backslapping aside, the letter does make several worthwhile points about how hard this is to model. A pandemic is, almost by definition, a rare event with some pretty hefty costs and many effects – not all of them are likely to be reasonably foreseeable.
A read of the piece Jennifer wrote a few weeks back which touches on these sorts of events would also be useful.
Thanks to Langes+ for the pointer to the APRA letter.
As I was writing this I received an email on controlling the risk of the current H1N1 outbreak. Looks like I will not be going to Mexico, the USA, Canada, Panama or Japan any time soon. At least the UK is not on the list. Yet.
It is good to see that Westpac seem to have their reaction to the operational risk event they suffered in New Zealand about right.
…the employee responsible for their accidental windfall was so distressed by their error she was undergoing counselling, TVNZ reported.
Westpac said it was concerned at the attention the employee, who TVNZ said had more than 30 years of banking experience, was receiving and appealed for privacy.
“The impact of this episode is being felt by all of our employees, who are good people just doing their jobs,” a spokesman told TVNZ.
“What should be remembered is the loss from this episode did not happen because of the error, but because of the behaviour of individuals who have taken advantage of the error.”
The real cause of this problem is that the system allowed it to
happen. Where a system allows an error like this then someone,
somewhere, is going to suffer from it. Employees who make this sort of
error should be counselled, perhaps given some additional training and
then supported, if needed, when they get back.
A few pertinant questions. How can an employee, even one with 30 years’ experience, solely authorise the disbursement of $10m? Why did the bank’s systems not have a good sense check in there? Why did the system not add a further check when a service station owner asked to withdraw and/or transfer multi-millions of dollars?
I would expect the internal investigation to be a long one, focussing not on the employee but multiple failures in the core banking system.
It may well be time to pull out that pandemic plan and at least give it a good look over, ensure key staff are aware of what they should do etc. etc. etc. Also take a good look at how your systems may cope with something like 50 to 75% (or more) of your people working from home – which should be a part of any such plan.
The swine influenza outbreak may, as most of these do, turn out to be a tragic event with some loss of life but not one on the scale of 1918. All the same it would be better to have everything in order.
Points to look at:
- Website readiness – make sure it can be updated with the latest information on a regular basis. As BWA found out last time they had a major problem it was the lack of information that really annoyed people.
- Media plan – ditto. Make sure you have the numbers for relevant journalists handy.
- Staff planning – get as many of them vaccinated as possible and have some masks on hand at the branches. They may not be needed, but what is a $5 mask compared to your staff being sick? Do the staff that are not immediately needed know that they are the ones who will not be immediately needed and may stay at home?
- Systems – with most admin staff at home, will your systems cope? Are there enough laptops ready for all the ones you really need?
You did have all this ready a year or so ago, so it should not take much to make sure it is all there. You did have it ready, didn’t you?
I was going over an old(ish) copy of the Economist this morning and I came across an article that deserves more coverage.
The central point is easy to state – if you intend to do a spot of money laundering or tax evasion you do not need to go to somewhere sunny or somewhere in a recognised tax haven. It is more than easy enough to do in the US or the UK.
The most egregious examples of banking secrecy, money laundering and tax fraud are found not in remote alpine valleys or on sunny tropical isles but in the backyards of the world’s biggest economies…
Take Nevada, for example. Its official website touts its “limited reporting and disclosure requirements” and a speedy one-hour incorporation service. Nevada does not ask for the names of company shareholders, nor does it routinely share the little information it has with the federal government.
This makes it fairly obvious that much of the finger pointing at the usual tax havens is just to cover up the simple fact that the bigger economies are doing even less.
It is also a good warning to others working with US and UK registered corporations – just because they come from an OECD country it does not remove, or even reduce, your obligations to check that the funds you are receiving or paying are from legitimate sources.
I have spent the last few days looking at a client’s Excel spreadsheet. They are using it to manage all of their treasury positions – amounting to several hundred million dollars.
Don’t get me wrong – Excel is a wonderful tool, but under normal circumstances this is probably not the optimal choice to make. In their case there are some exceptional circumstances that means that this may be a reasonable (if short-term) solution but it prompts me to ask if anyone has a favourite MS Excel story.
My personal favourite is of a former employer of mine in London. They are a major investment bank that is also one of the largest commercial banks in their home country. In short, a huge operation with assets in the hundreds of billions of pounds.
When I joined them in the late 1990s, they had acquired many other banks and trading operations over several years, including the one that I was formerly employed by. The problem was that each of those entities had their own general ledger and the bank had not taken steps to integrate or eliminate them at all.
The problem should be obvious – there was no one place where the bank’s general ledger was kept. The solution adopted was a classic one. At the end of every month a full ledger dump was taken from each GL and integrated using Excel – with all of the problems of GL account mapping and consolidation to deal with. The time taken to close off the GLs, get the dump, process it and then put put the management reports out meant that, at best, it took until mid-month to get the numbers. Control was effectively impossible.
After a year of this, it was decided that a better solution was needed – besides which the 65,536 row limit was being breached and the speadsheets took hours to recalculate. The solution? MS Access. When I left that had eventually moved on to SQL Server – but it was still taking nearly the same amount of time to get everything done.
Internal audit always paid close attention, but the risks were always just huge. There was also no real way to verify any of the numbers other than tracing each one back to the host systems and that could take hours per number.
Comparing the “Big Four” operational risk disclosures is fairly interesting, both in terms of the quantitative and the qualitative. Like the credit risk disclosures, there is a fair amount of divergences in both the quantity and quality of the disclosures, differences I expect to narrow over time. This is because (at least in theory) no one had a chance to look at anyone else’s before they were close enough to publication that no real changes could be made.
Firstly, the quantitative disclosures. As for credit risk, the CBA is carrying the lightest load, at $1.085bn in regulatory capital ,or 2.5% of total RWA. This should be no surprise, as it is historically the most risk adverse banking institution in Australia. It also had a strong Basel II program.
Partly because of its smaller size, Westpac has the next lowest burden, at $1.091bn – but it also (just) pips the ANZ as a proportion of RWA, with 3.1%, to the ANZ’s 3.2%. The ANZ’s capital requirement, though, is $1.441bn due to its greater size.
It should also come as no surprise that the NAB is lagging the field here, with $1.892bn in operational risk capital, representing 3.5% of credit RWA. NAB has had the most operational risk “events” over the last few years and is the only one of the Big 4 still using Standardised for a fair part of its portfolio – in this case their overseas subsidiaries. The proportion is a bit lower than you would have expected because credit RWA at the NAB is also higher. On the plus side, it does provide a fair bit of room for improvement…
To open with a general comment – as you would expect, most of them have used the Basel II definition of operational risk, where it
“…is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. It includes legal and regulatory risk but excludes strategic and reputation risk”.
I have always had problems with this definition ranging from the pedantic (it speaks of failed … people – how can you have a person that fails? It should be personal actions or something like that) to the nature of the exclusions. To me, the reputational failings from an operational risk point of view arise directly from the event. However they may be difficult to quantify so perhaps they have to be excluded for calculations.
The disclosures have to comply with APS 330, attachment A, paras 4 (like all other risk areas) and table 12. There is considerable weasel room in here and it looks like the banks have all chosen to interpret these slightly differently, but mostly in the direction of keeping the disclosures minimal and uninformative.
Bank by Bank
In alphabetical order – the ANZ’s text looks like it has been pulled almost directly from the BCBS publication “Sound Practices for the Management and Supervision of Operational Risk“. This is a good basis and it (obviously) meets the regulatory minima, but I would have liked to see something a little less generic. The only area that actually looks like it is ANZ internal are the acronyms used. They are, however, the only ones to include an explicit statement of their risk appetite – as you may expect, it is “low”. It would be helpful if, like the NAB and WBC, they put the capital numbers here as well to reduce the need to hunt through the document to find them.
The CBA, as previously stated, has given the most full disclosures. They have also been a lot more specific than, for example, the ANZ. Interestingly, they have also not included the BCBS exceptions in their definition of operational risk – strategic and reputational risk are therefore included and strategic risk gets a whole section to itself. While I agree with this, it is not in compliance with APS 330 or the Accord. If you want to see how a good, full disclosure works, though, read through this one. I hope they all converge to here as the years progress. Well done CBA – just put in the capital numbers here as well next time, please.
The NAB sits in between the ANZ and CBA, with good use of diagrams and a workable description of internal processes – but is some way behind the CBA in the depth of content. They have though, actually copied the numbers here as well as in the capital section, making it easier to use.
Westpac’s disclosures are easily the shortest and with the most useless diagram, taking up half a page for the same diagram the NAB had in barely a tenth the size. While it may comply with APS 330, it is only just doing so. The numbers are here, though, so they are not a total loss.
This is a bit more subjective, but the CBA’s disclosures also just look better. While the diagrams tell you little of value (they look like they have come from one of their consultants – possibly KPMG as I recognise the process map) they have gone in for a lot of description and the layout works reasonably well. It is also 4 and a half pages in length.
Of the others, the NAB have made an effective use of diagrams while reducing the content as far as they think they could get away with – using a total of about one page of text and roughly 2/3rds of another of diagrams. The ones that are there, though, as small(ish) and do add tot he text, so good marks there.
Westpac is another one with very little text and they have added very little in the way of diagrams, the one that is in there seems to have been added to make the page break worthwhile. In this case the diagram could have been replaced with about two lines of text or a few bullet points.
The ANZ’s is the sole contribution without diagrams, using just text, headings and bullet points. A few diagrams may have improved the appearance – but they should avoid going down the Westpac route of putting one in for the sole reason of having a diagram.
Easy win here for the CBA, with NAB a distant second. The ANZ is next, a little more distant, with Westpac easily tail-end charlie. As I said earlier, I hope the others look to the CBA in the next round. If they had added in the capital numbers at the tail of the qualitative disclosures I would have said they were best practice – but at least it gives them a little room for improvement.
Very good piece in today’s “The Sheet” about the upcoming replacement of CBA’s core banking system. Correctly, it is entitled “Adventures with core systems: part I”. The belief that most banks in Australia need to replace their core systems reasonably soon is a strong one – and in most cases justified. The problem, of course, is also well known.
Core system replacement is expensive, risky and time-consuming. It is a huge change management task, with most of the bank’s staff well trained on the old one. For example – I dropped into my bank to close an account a few days ago. Sitting down with my “client adviser” she opened a web browser to check on my balances and see what I wanted to do. To do the bit she would need to show me she left it in the browser. However, as soon as she wanted to actually do anything she opened up a terminal emulator. I peered around and asked why she had not done it in the browser.
Her response was simple – the browser allowed her to do it but she was much faster on the terminal. Essentially, although the terminal emulator was lousy to look at it was effective and fast.
At that bank, and almost every one I have ever been into the story is the same – bank staff are comfortable with the old systems. Despite the fact they are built on technology that was outdated 20 years ago they still work. Staff are familiar with them. Anyone seeking to replace the system not only has to make it work from a technological viewpoint – but it also has to work in the organisation.
In comments, feel free to add in your favourite banking core system replacement story. Ones from Westpac are particularly invited – the one that was particularly successful a few years ago sounds good. Operational risk events can also be pretty funny – if you are not in the middle of one.
Give “The Sheet” a read too. if you are interested in banking activity in Australia it is worth it.
Today’s BIS email was an interesting one in the light of recent events. It has a speech
by Christian Noyer, the Governor of the Bank of France, regarding Basel
II’s implementation in France. Remember while you read it that a
certain trader’s activities would have been classified as an operational
This passage is interesting in the light of the problems at SocGen:
By 31 December 2007, over 30 on-site inspections will have been conducted in 20 institutions, involving at times up to 100 inspectors at a time. These on-site inspections examined IRB systems for credit risk and advanced operational risk measurement approaches.
As SocGen is one of the largest banks in Europe I am presuming that
they were one of the banks visited – I think this a safe assumption.
This means that SocGen was assessed for operational risk issues while
all of the rogue trading activities was going on – the trading that was
risking much more than the capital of the bank.
He goes on to say:
…and 5 institutions (accounting for almost 60% of the total assets in the French banking system) are expected to adopt an advanced operational risk measurement approach. As institutions have the possibility under Basel II of using their IRB approaches to calculate regulatory capital requirements, supervisors must ensure that these approaches are reliable.
I really wonder how reliable the regulators found SocGen’s risk
management to be in their supervisory visit? How closely did they look?
You would have thought that the trading arm, where most, if not all of
these events have historically happened, would have been a primary focus
of that review. What did they see?
At the very least, SocGen will probably have to carry a much heavier operational risk capital burden now than they would have originally calculated less than a month ago. I think the BoF will have to have a bit more to say on this in the not too distant future. Who is next in line to resign over this? They may not be at SocGen.
[Update]In the light of the latest revelations – see here it looks like a lot more than a single trader should lose his job. It looks like senior management were turning a blind eye to the trading while it was making a profit and only got concerned once it was making a loss. If so, it would make the criminal charge hard to sustain.
There is a lot more to come from this one…[/Update]
A quick reminder, if any were needed, that it is not just banks that can suffer from an operational risk event. Governments can too. The difference, of course, is that you can change your bank at any time.
As noted in my last post on this area, working out who to deal with in some countries is very difficult. Trying to use the do not deal lists in any form of modern banking practice is very tricky and error prone at best.
A truly risk-based system, though, is going to need to apply differing weights to the differing circumstances of each deal.
Operating on the principle that no deal should be banned unless explicitly forbidden by legislation (a truly risk based system must deal on this basis) a possible, if very simple, way to organise this would be to assign differing risk weights to each deal, with the countries involved being allocated percentages.
As the risk percentage increases then higher and higher approval levels should be sought (and the regulators kept informed).
Under this system, dealing with a counterparty that the bank has been dealing with for decades, and the bank well understands the business and there have been no recent changes to cash flow may attract only a nominal risk weight – say 1%. Dealing with a new counterparty in the US would be, say, 10% and a new counterparty in a known tax haven 50%. Dealing with, say, North Korea, would attract an automatic 70%, with any North Korean government enterprises attracting an additional 30%, placing them in the highest-risk category.
Combine this with percentages based on information on other aspects of the deal and you have a system.
Deals with a total risk weight of under (say) 20% would get the usual process, with between 20 and 50% needing the sign-off of the head of risk management, deals between 50% and 75% needing CFO sign-off (and AUSTRAC notification) and deals over 75% needing Risk, CFO, CEO sign-off and AUSTRAC notification.
This sort of system would be easy to automate – at the simplest level put into a spreadsheet or simple database and could be implemented in a few days. Provided it is done on as part of the initiation of every new deal with the counterparty and updated on a regular basis (say quarterly) this should allow you to claim compliance with the relevant parts of the AUSTRAC requirements.
This is obviously going to slow down the deal process, though. Getting this into your primary databases, along with some further KYC work, will be needed for business reasons.
It is not too late to get this done by 12 December, as required under the regulations. Better hurry, though – AUSTRAC is already sounding annoyed with the apparent lack of progress. You do not want to be the one they choose to make an example of.