Why does operational risk matter?

By Peter Hill

Whilst in Nigeria recently, at a risk conference for bankers sponsored by Oracle, I learnt there is clearly a change taking place amongst the banks in the country and one that the Central Bank is very obviously strongly encouraging.  The number of banks that exist today is less than one third the number which previously existed. The number of rules and regulations that banks must respect is increasing.

The Central Bank wants banks under their jurisdiction to adopt best practices in order to strengthen the banking system overall as well as for the benefit of shareholders, and customers alike. In this process, two words assume great importance:  ‘integrity’ and ‘reputation’.

In my own banking career, in the City of London, I have been involved with bank supervisors. I have seen a move away from invitations for meetings at the regulator’s offices, a friendly chat over a cup of tea and a conversation based along: “Well, how’s it going then”, to a much more detailed grilling by people who come to your offices and have real experience of banking and banking practices.

From this more direct involvement, they have seen different situations and things go wrong, and learnt lessons from them. They have been able to work out the cause of problems, and can look for the same situations at other institutions.

The UK’s FSA now expect boards of directors to really know what is going on in their bank. Directors have to demonstrate they understand and know all the risks in the business. It is no longer acceptable to be able to say you delegate this responsibility to other people in your employ.

It is easy to talk about the issues, but harder to do something about them. But why? Banks fail when they lose more than their capital, or when depositors are fearful of the future, and withdraw their money. It ought to be fairly simple. Lending money cannot be that difficult but history tells us it is a process that is fraught with pitfalls and difficulties. Imperfect knowledge about the borrower at the time credit is granted, lack of monitoring during the life of the loan and faulty documentation to secure the asset against which the loan was secured are common issues. There are lessons that banks around the world are still learning.

How does a board of directors get confidence that the processes in their bank are well thought through, and operate both efficiently and effectively? How do directors know that all risks have been identified and that there are proper controls that will work in practice as well as in theory? What evidence is there that Central Bank regulations, best practices and internal policies have been recognised and applied throughout the branches and subsidiaries, something that is even more difficult for those banks that have spread their wings and expanded overseas?

This becomes a challenge that spreadsheets cannot hope to meet. They can be used to collect lots of information but, in consequence of lots of information, you get lots of spreadsheets. People around the world are recognising this problem and turning to Business Intelligence software to produce dashboards that can be viewed on a PC screen, and, by placing the cursor on a peak on a graph, for example, and clicking it, immediately find the actual data and reason that caused that peak.

In recent years, banking has become a much more dynamic business, particularly through the use of the internet. The CEO and other directors need to know information about the state of the business, not just the state of the profit and loss account, at any time.

To have the ability to move the cursor on a screen, and click to see all the risks in each line of business, or in each process or risk category, is an invaluable use of technology. To know that operational risk managers are working with internal auditors, compliance managers and business managers and section heads throughout the organisation to assess risks and control effectiveness is one thing, but to see it on the screen gives them the information that action is being taken to ensure the organisation delivers customers the best possible service, complaints and queries are dealt with quickly, and the bank’s reputation is continually being enhanced.

Reputation is something that is intangible and is difficult to measure. Customer surveys are a common way to gain some understanding of it; monitoring what is being said about your organisation in the press is another. Is the bank gaining or losing customers? How many current accounts have fallen silent with no activity? How many enquiries fail to be converted into a business gain? These statistics become valuable metrics that can be collected and recorded in an operational risk system, and that can be easily conveyed from all lines of business and shown in a single dashboard to the CEO who, with one click of the cursor, can drill into this information. How powerful is that?

Information in those dashboards and reports can be shared with business heads and line managers across the organisation. The information contained in those reports can be filtered using the facilities in our system so that branch managers, for example, may see data that is specific to them and their branch, and not the equivalent data that is ‘owned’ by other branches.

It is possible to collect fraud data without revealing how the fraud was constructed; that information should be considered by only those people who need to know in order that controls can be strengthened appropriately.

Causal analysis is a good way of learning from the experience of a loss event occurring. Linking the loss to the risk ensures the risk has already been identified, and linking the loss event to the failed control encourages action to re-assess the control for its design and effectiveness in preventing future loss events. The advantage of a web-based system is that all this can take place dynamically, across the organisation. People can update the system through a standard web browser.

Progress with action plans can be monitored through this system. It is always far easier to talk about the need to do something, to make some change in the organisation, but always far harder to take that action through to a proper conclusion.

And a powerful workflow engine brings alerts and approvals to the attention of various managers around the business, keeping them properly informed at all times of KRIs that have breached a threshold, a regulation that has changed that they should be aware of, a risk or control assessment that needs approval, or an action plan that is nearing its target completion date.

One system can bring all this knowledge together in one place. It can tell you whether every part of the organisation has a Business Continuity Plan, and when it was last tested, or what it is doing about Information Security. It can tell you how many action plans were created in the last six months and how many are still outstanding. It can tell you the most significant causes of losses and what is being done to prevent their re-occurrence.

Is this an important investment for the future? Will it give the board of directors the confidence, and the evidence, that the bank is well-managed at every level of the business and better positioned to tackle any risk scenario because these will have been examined in the findings of a workshop already recorded in the system? Will it make meetings with the Central Bank a little easier because the Board can point out where every regulation is being applied, and who in the bank has attested it is being applied correctly?

And more importantly, will this mean your Bank can tangibly demonstrate it operates good practices and gain the confidence of its customers? Will this lead to a reduction in the cost of funds as well as a reduction in the number of losses? Anecdotal evidence tells us that a good operational risk strategy does lead to a reduction in losses as banks learn lessons and take steps to improve controls. Increasing the number of controls may not reduce the risk, but just make processes more complex. Improving the quality of controls and making investments in staff training may be much better for the business in the long term.

Even in a medium-sized business, there can be a lot of data to collect and manage. It is not difficult to collect data with spreadsheets but to manage this data? To compare risk assessments from one date with another date to see whether the organisation is really improving? To create reports showing bar charts with history to show trends is obviously possible, but with how much time and effort?

Operational risk data is so valuable and important, even critical to a business, that it demands a web-based system so that everybody in the business can easily and quickly contribute and access this single repository of knowledge. And as the old saying goes, ‘knowledge is power’.

Peter Hill is the Vice-President, Operational Risk and GRC at Oracle.


