While many banks today are responding to the changing regulatory landscape, still-fragile global economy and changing customer demands, executives must be certain that they don't take their eye off the ball when it comes to operational risk.
In fact, the industry is at the dawn of an operational risk renaissance. Two major forces that require bankers to rethink their operational risk strategies are coming together:
1. Industry dynamics are creating a stronger demand from regulators, shareholders and other constituents to monitor risks associated with a bank's core business, changes to the existing business model, expansion into growth markets and new product innovation.
2. Simultaneously, new strategies and tools are emerging to help banks successfully manage these risks and achieve growth. These are focused primarily on actions banks can take immediately in three areas: enhancing corporate governance, investing in emerging risk mitigation, and meeting new capital and liquidity requirements.
Accordingly, there are three critical areas banks must address to comply effectively with emerging liquidity and regulatory requirements.
Enhancing Corporate Governance
The good news is that many organizations have made significant progress in reassessing risk at the highest levels. Board risk committees have adroitly shifted their focus to formalizing the organization's risk appetite and defining risk tolerance and risk positioning around issues such as market risk and credit risk (i.e., risk of loss of capital).
However, boards and risk committees are struggling with articulating and managing a more holistic view of risk, including clearer appetites around operational and reputational risks. From a governance standpoint, boards are having trouble ingraining a comprehensive risk-aware culture throughout their organizations. They need to identify and execute new business drivers for this cultural shift -- from setting the tone at the top and drawing effective reporting lines into governance areas to compensation schemes and recruiting programs. They also require practical frameworks for setting a baseline for overall risk awareness, and metrics for how that awareness changes over time.
Regulators and shareholders will be looking closely at how banks manage this shift to a more risk-aware culture.
Spotting Emerging Risks
Over the past few years, banks have invested tremendous resources in monitoring and measuring conventional risks -- much to their credit. But they haven't focused enough attention on identifying emerging risks and, in particular, how these risks threaten their market practices and even their business models. With such profound changes to the industry occurring, there's a high likelihood that the next systemic risk will be a new threat.
Today, banks are grappling with a rising tide of new risk: business model changes and renewed global market volatility, along with major shifts in customer behavior coupled with a significant focus on consumer protection. They are also facing new threats like cyber attacks. Risks such as these aren't necessarily addressed by the traditional frameworks banks have developed -- for example, reverse stress test models and risk control self-assessments designed for Basel or Sarbanes-Oxley.
[4 Things Banks Need To Know About DDoS Attacks]
Banks need to implement proven strategies and tools for identifying changes in their overall risk profile and the potential impact on operations, deal flow, market position, new product launches and even the business models of their various groups. It's especially important that the first line of defense be clearly identified as the business, and that the business takes full responsibility for "owning" these risks, including identifying and mitigating them throughout their life cycle.
Banks should keep in mind that the thousands of pages of new regulations that are being implemented were written in response to the last financial crisis. To be ready for the next one, banks need new and better ways to look around corners.
Meeting New Capital And Regulatory Requirements
In the past, complying with capital and regulatory requirements was a component of executing a business plan. Today, return on regulatory capital has largely replaced return on risk capital as a business performance return.
But now, capital and regulatory requirements are driving the business plan. For bankers, this requires them to understand and predict the complex relationship among new business models, their return on regulatory capital and their shareholders' value creation.
Whether a bank is "getting back to basics" and simplifying its operations or innovating new products and taking on new risks in the search for yield, executives need to take a fresh look at how various businesses on their platform are interconnected -- and how risks in one business can affect the performance of other businesses, or how exiting one business with a poor return on regulatory capital can impact another business and/or its customers.
Sooner rather than later, banks must determine how their new business models will evolve -- from individual business lines up to the enterprise as a whole -- in the face of new liquidity and regulatory requirements. The banks that master this puzzle will improve their chances of prospering in this altered landscape.
Winners and losers will emerge from this period of significant change. How well a bank manages its operational risk will be a key factor in determining its outcome.
Hank Prybylski is a partner in Ernst & Young LLP's Financial Services Office and is both EY's Americas financial services advisory leader and global financial services risk management leader.