Can any quantifiable value be derived from operational risk management [ORM]? The question resonates in the minds of bankers all over the world. And for good reason, with the New Basel Capital Accord [Basel II] initiative to bring order to international capital markets and level the playing field for banks becoming operational in 2007. It requires that banks thoroughly address operational risks and develop internal solutions.
Banks first developed operational risk management programs to build shareholder value. The inclusion of operational risk in Basel II came later. But according to financial analysts, because operational risk is now a compliance issue, many banks are approaching it with a compliance mentality.
In an effort to better understand why operational risk is high on the list of both challenges and opportunities for financial institutions, the American Bankers Association conducted the Operational Risk Management Forum last week in Tampa, Fla. There, several Fortune 500 financial institutions and financial consultants shared their ORM solutions as well as their vision for the future.
BB&T, a $97.9 billion dollar institution headquartered in Winston Salem, N.C., started its ORM development program back in 1999. It since developed a framework that includes an operational risk management committee as well as an ORM networking group, each incorporating ways to better understand and mitigate risks.
For instance, the ORM networking group has its people keep up-to-date on problems that have happened to other financial institutions, allowing BB&T to take a more proactive approach. And the ORM committee might focus on routinely checking outdated computer equipment, to prevent bottlenecks, which can cause risks, ultimately putting a strain on revenue.
"Our goal is for employees to look at ORM as a business stakeholder and a shareholder, involving them on all levels and bring stability into their jobs," said Rachel Floars, BB&T's senior vice president of Operational and Compliance Risk .
Fifth Third Bancorp on the other hand, views its ORM approach as a process not a committee, the company incorporates it as an extension of its business line and not a separate entity. Its philosophy is to publicize ORM success stories to gain respect and support of upper management as well as the board of directors.
The company has implemented an operational risk umbrella that encompasses all aspects of potential risks including, bank protection, fraud prevention, key risk indicators, capture of operational loss data, business line risk oversight, and new products and initiatives for data security.
"We utilize our ORM practices to gain respect and appreciation of all our business lines by really understanding their issues, and being part of the overall solution," said Greg Lutz, senior vice president and director of operational risk management for Fifth Third Bancorp in Cincinnati, Ohio.
Aside from best ORM practices and internal solutions, ORM also requires "self-assessment," according to several financial institution analysts. For a long time, business and operational units have looked to third parties -- auditors, consultants, regulators -- to tell them if they're doing the right [or wrong] thing. The idea of making managers even more accountable for their processes is just good business.