Recently, Thomas J. Curry, the new head of the OCC, stated that despite the improvement in asset quality, falling charge-off rates, and the highest capital levels in a decade, another type of risk is in fact gaining prominence: operational risk.
“Some of our most seasoned supervisors, people with 30 or more years of experience in some cases, tell me that this is the first time they have seen operational risk eclipse credit risk as a safety and soundness challenge,” Curry commented recently. “Rising operational risk concerns them, it concerns me, and it should concern you.”
Currently, the OCC considers operational risk to be at the top of the list of safety and soundness issues for the institutions it supervises. Risk assessments have been one of the trending issues in compliance throughout 2012. Regulators are now asking about things like strategic risk, reputation risk and operational risk, and they expect these risks to be assessed alongside the more traditional categories like privacy and security.
How can financial institutions effectively address operational risk? The FFIEC defines it this way:
“Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people, or systems. The root cause can be either internal or external events. Operational risk is present across all business lines.”
Furthermore, because the implications of operational risk extend to all other risks, “Management should distinguish the operational risk component from other risks to enable a stronger focus on operational risk mitigation,” says the FFIEC.
Because operational risk exists in all business lines and manifests itself in every other risk, it is one of the most difficult risks to assess. In other words, it’s everywhere…and affects everything. Most of the time, operational risk can be defined as a failure to adhere to your own internal policies and procedures. If you don’t do what you say you will do, or you don’t do it the way you say you’ll do it, something will fail as a result.
Whether it’s a process, a control, a system, or a risk model, if it is in place and operational but flawed or not followed, operational risk is the result. Even if your processes, procedures and models are flawless and followed exactly as prescribed, it may all boil down to proper documentation. If you can’t document that they are executed appropriately, you may still have a high operational risk finding in your next safety and soundness examination.
The best way to address operational risk is to implement an internal control self-assessment process to assure that risk management controls are adequate, in place, and functioning properly. Accurate reporting will document that day-to-day practices follow written procedures. Additionally, make sure all business decisions reflect the goals and objectives of the strategic plan, and report to the Board on a regular basis.
Integrate assessment of operational risk into the risk management process, and expect this issue to stay on the regulators’ docket for some time. Even if you are not regulated by the OCC, you should expect to see this trend carried over into the other regulating bodies.
Tom Hinkel is chief compliance officer for Safe Systems, a provider of compliance-driven IT support and hosted services exclusively to financial institutions.