News & Commentary

09:15 AM
Hank Prybylski, Ernst & Young
Hank Prybylski, Ernst & Young

3 Keys To Success For Banks Amid An Operational Risk Renaissance

New tools are helping banks respond to regulators' demands for better risk management practices. But are they prepared for a host of new capital and regulatory requirements, not to mention emerging risks?

While many banks today are responding to the changing regulatory landscape, still-fragile global economy and changing customer demands, executives must be certain that they don't take their eye off the ball when it comes to operational risk.

Digital BankingThe July/August 2013 digital issue of Bank Systems & Technology examines trends in enterprise risk management, with a special focus on the IT challenges and lessons learned from the initial round of Fed-mandated stress testing. July/August 2013 digital issue now.

In fact, the industry is at the dawn of an operational risk renaissance. Two major forces that require bankers to rethink their operational risk strategies are coming together:

1. Industry dynamics are creating a stronger demand from regulators, shareholders and other constituents to monitor risks associated with a bank's core business, changes to the existing business model, expansion into growth markets and new product innovation.

2. Simultaneously, new strategies and tools are emerging to help banks successfully manage these risks and achieve growth. These are focused primarily on actions banks can take immediately in three areas: enhancing corporate governance, investing in emerging risk mitigation, and meeting new capital and liquidity requirements.

Accordingly, there are three critical areas banks must address to comply effectively with emerging liquidity and regulatory requirements.

Enhancing Corporate Governance

The good news is that many organizations have made significant progress in reassessing risk at the highest levels. Board risk committees have adroitly shifted their focus to formalizing the organization's risk appetite and defining risk tolerance and risk positioning around issues such as market risk and credit risk (i.e., risk of loss of capital).

However, boards and risk committees are struggling with articulating and managing a more holistic view of risk, including clearer appetites around operational and reputational risks. From a governance standpoint, boards are having trouble ingraining a comprehensive risk-aware culture throughout their organizations. They need to identify and execute new business drivers for this cultural shift -- from setting the tone at the top and drawing effective reporting lines into governance areas to compensation schemes and recruiting programs. They also require practical frameworks for setting a baseline for overall risk awareness, and metrics for how that awareness changes over time.

Regulators and shareholders will be looking closely at how banks manage this shift to a more risk-aware culture.

Spotting Emerging Risks

Over the past few years, banks have invested tremendous resources in monitoring and measuring conventional risks -- much to their credit. But they haven't focused enough attention on identifying emerging risks and, in particular, how these risks threaten their market practices and even their business models. With such profound changes to the industry occurring, there's a high likelihood that the next systemic risk will be a new threat.

Today, banks are grappling with a rising tide of new risk: business model changes and renewed global market volatility, along with major shifts in customer behavior coupled with a significant focus on consumer protection. They are also facing new threats like cyber attacks. Risks such as these aren't necessarily addressed by the traditional frameworks banks have developed -- for example, reverse stress test models and risk control self-assessments designed for Basel or Sarbanes-Oxley.

[4 Things Banks Need To Know About DDoS Attacks]

Banks need to implement proven strategies and tools for identifying changes in their overall risk profile and the potential impact on operations, deal flow, market position, new product launches and even the business models of their various groups. It's especially important that the first line of defense be clearly identified as the business, and that the business takes full responsibility for "owning" these risks, including identifying and mitigating them throughout their life cycle.

Banks should keep in mind that the thousands of pages of new regulations that are being implemented were written in response to the last financial crisis. To be ready for the next one, banks need new and better ways to look around corners.

Meeting New Capital And Regulatory Requirements

In the past, complying with capital and regulatory requirements was a component of executing a business plan. Today, return on regulatory capital has largely replaced return on risk capital as a business performance return.

But now, capital and regulatory requirements are driving the business plan. For bankers, this requires them to understand and predict the complex relationship among new business models, their return on regulatory capital and their shareholders' value creation.

Whether a bank is "getting back to basics" and simplifying its operations or innovating new products and taking on new risks in the search for yield, executives need to take a fresh look at how various businesses on their platform are interconnected -- and how risks in one business can affect the performance of other businesses, or how exiting one business with a poor return on regulatory capital can impact another business and/or its customers.

Sooner rather than later, banks must determine how their new business models will evolve -- from individual business lines up to the enterprise as a whole -- in the face of new liquidity and regulatory requirements. The banks that master this puzzle will improve their chances of prospering in this altered landscape.

Winners and losers will emerge from this period of significant change. How well a bank manages its operational risk will be a key factor in determining its outcome.

Hank Prybylski is a partner in Ernst & Young LLP's Financial Services Office and is both EY's Americas financial services advisory leader and global financial services risk management leader.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
7/22/2013 | 3:06:11 PM
re: 3 Keys To Success For Banks Amid An Operational Risk Renaissance
The point that boards are having a hard time managing a more holistic view of risk is one that has come up often. I wonder if its just because banks are so siloed and, in some cases, massive that it's hard to do this. Or is there a certain way of thinking about risk that is ingrained in the culture that needs to be changed?
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Here is what the client expects us to develop...
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.