Clearing a path for operational risk management
RMA Journal, The, Feb, 2003
Suzanne Labarge, vice chairman and chief risk officer of RBC Financial Group, related RBC's experiences on implementing an operational risk management process during her keynote address at RMA's Third Annual Global Operational Risk Forum, held in New York City in November 2002. Bringing a consistent approach to risk throughout a complex institution can feel like clearing a path through a jungle. But the rewards are great.
The management of operational risks is not new--banks have been doing it for years and, in fact, it is a core competency for most institutions. Formalizing the process, however, involves putting more discipline around assessing the risks, identifying the gaps in current practices, and setting out action plans to close those gaps in a consistent way across an organization.
Freeman Teague Jr. said, "Nothing is so simple that it cannot be misunderstood." And our industry becomes more complex by the day. New markets, new products, new delivery channels, new technologies, and numerous high-profile and highly publicized incidents all point toward the need for more integrated risk management in today's institutions. Boards of directors are becoming more and more critical of internal audit reports.
The growing regulatory interest in operational risk is another motivator for institutions. This includes the capital reform efforts of the Basel Committee, as well as initiatives such as the Sarbanes-Oxley Act, which requires CEOs to sign off on a company's financials, and numerous guidelines issued by regulatory and related agencies.
Implementing system-wide operational risk management (ORM) within a complex institution can feel a bit like trailblazing in a jungle. But it is also a rewarding and enlightening experience, and for RBC it has led to some substantial gains. In developing its approach to operational risk, RBC learned five lessons that can be particularly useful for other institutions pursuing ORM:
(1.) ORM must be part of a much larger risk culture and approach.
(2.) Senior management must be totally committed and offer broad-based sponsorship to risk management if the function is to be at all effective.
(3.) ORM must be implemented with the right team of people possessing the right mix of skills. There is no easy, off-the-shelf methodology for effective operational risk management.
(4.) It's absolutely critical to develop an approach that works for your business. Organizations need a mix of assessment and measurement tools that reinforce one another.
(5.) Resistance and frustration are almost inevitable. ORM is a difficult and intensive process that will require a commitment from everyone involved.

Common language and concepts across the organization are essential when thinking and talking about risk. Everyone must agree on what is meant by risk appetite, operating risk, reputational risk, and so on. If ORM is to move forward and work efficiently, there must be a clear understanding of what is being discussed. Corporate and commercial bankers talk about credit risk, traders deal in market risk, and operations and IT people talk about process risk. It's a challenge for any institution to get the different disciplines talking to each other in terms that each can understand. For that reason, operational risk and other forms of risk management at RBC are part of a much larger, enterprise-wide risk management framework. Our approach is designed to integrate all areas of the business into an overall process and framework that aligns strategies, processes, people, and technology.
One way to illustrate this integration is through a risk pyramid, which can be used to assess risk at both the business unit level and the product level. The pyramid groups risks into four broad areas according to the level of control and influence that we have in mitigating and managing them. From bottom to top, beginning with controllable risks:
* We can control and manage credit, market, liquidity, insurance, and operational risks.
* We can manage but not fully control strategic and reputational risk.
* We can influence but not control directly competitive and regulatory and legal risk.
* We may be aware of but we cannot control systemic risks.

RBC uses the pyramid to achieve a common set of concepts, terminology, and understanding around risk generally as well as operational risk in particular. The pyramid also serves as a basis for subdividing risks into component parts and providing a definition for each. To date, we have defined 30 types of operational risk for our control self-assessments and for analyzing loss events.
Each business unit identifies and measures each risk, determines mitigation techniques, and determines how best to manage the residual risks.
Building an Effective Approach to Managing Operational Risk
RBC's effort began about three years ago when we established a centralized operational risk function whose mandate was to establish a risk and control self-assessment process (RCSA--this concept is explained later under a subcategory of the same name). Our primary goal was to encourage the business units to manage operational risk more proactively.



