As a committed operational risk professional, I cannot help but stare in amazement amidst all the financial ruin and desolation that surrounds us. There has been a lot of hand-wringing and pronouncements about credit risk, liquidity problems, lack of trust
and the like. However to my mind these are all smoke. And this smoke conceals the fundamental cause, in my view, of all the current problems. It all points to massive failure in operational risk management.
The Basel II definition of operational risk is “…risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. (Paragraph 644 of the Basel II Accord).
Building yet further on the Basel II theme, not only does the Basel Committee encourage the use of their “Sound Practices for the Management and Supervision of Operational Risk” for the “Basic Indicator Approach”, the criteria for both the “Standardised
Approach” and the “Advanced Measurement Approaches” are that “at a minimum” (1) the bank’s board and senior management must be actively involved in the overseeing it’s operational risk management framework, (2) the bank must have an operational risk management
system that is sound and (3) that the bank sufficient resources to use this approach in its main business lines plus its control and internal audit areas.
Now let’s take a step back to “Sound Practices for the Management and Supervision of Operational Risk” which was first published in February 2003. If we look at the section “Risk Management: Identification, Assessment, Monitoring, and Mitigation/Control”
we find that it contains three principles. Principle 4 clearly states “Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities,
processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures”.
And it is as simple as that! Before new products, activities, processes or systems are introduced or undertaken, the operational risk innate in them must be subject ed to adequate assessment procedures. It could not be plainer.
The regulators don’t get off the hook that easily either. Principle 8 of this selfsame document is pretty clear on what supervisors should be doing.
Added vigilance does not mean that we should be waving good-bye to financial innovation. No, we should simply sit down an honestly examine how the risk profile changes and what potentially could go wrong.
If these weird and wonderful products, schemes and processes had been correctly examined in the first place we would not be in the predicament we now find ourselves in.
Unless banks are truly committed to managing operational risk we are going to see this problem repeated, in one guise or another, again and again.