Line of defense

Challenging financial markets mean extra attention to risk management. By Nick Jayanetti, SVP for Operational Risk at Bank of America.

“Fundamentally, you need to understand all the activities within the organization and then be able to look at those individual activities and come up with potential failures”
-Nick Jayanetti, Bank of America

Let me start off by talking about the operational risk model that we have for the bank. Within Bank of America we have three lines of defense. The first line of defense is that risk management is everyone’s responsibility.

The second line of defense is comprised of operational risk and compliance that builds the enterprise risk program and works with the first line to implement those risk management practices. They work with the individual lines of businesses to look for deficiencies and control risk and also look at emerging risk. This line reports to the enterprise risk function and to the risk officer.

The third line of defense is internal audit: an independent group that provides the oversight for the entire risk management program and assesses the control environment for the bank. This line reports to the audit committee.

My function is to build the risk governance process controls that are aligned to the enterprise risk function. What risk management means to me and to our business is fundamentally to make sure that we protect our customers, that we comply with the laws and regulations and that all the customer information is protected. We aim to ensure that as a Bank of America customer you have a very secure environment in which to conduct your financial business.

The need for structure
We have a very structured program around policies and procedures, the elements within the risk and compliance program and related training. We have certain training sessions in which all associates are required to do some risk related training – for example, on ethics and money laundering.

We at Bank of America touch about 50 percent of the US population in some fashion. So the customer experience and customer satisfaction are fundamental to us. We want to make sure that we care about our customers, that we know them and act for them in everything we do. With a model like that we have to not only look at within the financial industry, we also have to look at some of the other best practices and benchmarks that are outstanding.

For example, Ritz-Carlton is known for their customer satisfaction, and we do look at the level of service they provide. It doesn’t mean that we have to operate like a hotel, but there are certain key aspects that we can learn from a company like that in servicing and how we could deal with customers that are appealing to our clients.

During the past few years we have become increasingly customer-centric and customer-focused. If you look at most of the recent products that we’ve come out with – for example, Keep the Change, No Fee Mortgage, Zero Dollar Trades – they’re all based on customer feedback and aimed at providing better solutions to our customers. We wanted to make sure that a customer who goes through the Bank of America experience walks away delighted.

From a customer experience to an activity that a Bank of America associate performs in a backend operation, we had to make sure we had that link. I may never interact with a customer, but the work that I do in some form or fashion impacts the customer. Everything I do today looks at, “How is my work going to impact the customer and how are we going to improve that customer experience?”

Measuring success
There are several different measures of success. We look at customer experience, at surveys that are conducted in industry, and then more locally and personally there are certain performance metrics that I look for within my group and they are more around risk controls – the time it takes to resolve certain issues and how many problems we are identifying internally.

We consider that as a success metric. If we encourage our associates to identify problems and if we can get those problems resolved in a very quick and efficient way, that’s a success metric that we look for. We also look for associate satisfaction. Almost all of our associates are also customers and we do look at associate experience, not only as a customer but also as an associate.

In terms of possibilities for improvement, we look for some key indicators and we measure that almost on a weekly basis. If you think of what we do, we are primarily a consumer bank and we also have a lot of different areas – for example, investment banking, commercial banking and so on. The way each area looks at and measures customer experience could be quite different.

Within each business there are certain indicators that we look for. Depending on how those indicators are performing we change our initiatives, keeping in mind that by the time we see a change in an indicator it may be somewhat lagging. We change the way we do things to make sure that they are supporting a move in the right direction or a customer expectation.

These changes can be bi-directional. We follow a top-down plan. The CEO, Ken Lewis, has a plan for the year that encompasses his goals at a very high level, and then each one of the businesses support those goals. For example, the activities I carry out in my function as well as those of the associates in my group eventually support the plan for our company. It’s a tiered approach – everything flows up. The work we do on a day-and-day basis needs to support the overall objectives of the company.

Managing through turbulence
In challenging times there’s a danger of becoming risk-averse. The way I look at risk, it’s something we always have to keep in the forefront of our business. It’s not something that you need to keep changing depending on the market commissions or the environment. You always have to make a risk/reward tradeoff. Publicly traded companies have certain responsibilities to our shareholders, and in everything we do we have to make certain risk/reward tradeoffs.

Considering the current market environment, there are certain types of risk that you may need to pay more attention to. For example, if you look at the current market conditions you would probably see more fraudulent activities, so you may want to strengthen your controls in fraud detection. Also, if you look at historically what’s happened with the credit crunch and the mortgage industry there are obviously lessons to be learned.

I don’t think you necessarily need to change your risk practices, but you may need to be more in tune with some of you risk practices and also pay more attention to existing controls that you perhaps haven’t examined closely in the past. The mortgage industry is a good example. If you were to look at the control environment for some of the financial organizations that are in trouble on the mortgage side, you would probably say, “We wish we had paid more attention to them, from a risk perspective. We wish we had guided and influenced those organizations a little differently.” Maybe this is one case where the risk/reward tradeoff didn’t pay off. It’s not necessarily a matter of changing but paying more attention to certain controls and practices.

One of the things I’m building is proactive monitoring. With risk management, you’re trying to prevent something from occurring. If you’re very successful at it, you prevent potential problems or breakdowns or issues. If you have a very effective risk management program, obviously you have the right tools, and you would have the right people looking at the right areas.

Fundamentally, you need to understand all the activities within the organization and then be able to look at those individual activities and come up with potential failures. If you have the right people with the right risk mindset and then you have the people that understand the process, you can mesh the two and say, “What can go wrong here? What are all the different potential failure modes?” Based on those potential failure modes, you need to ask yourself, “Do I have the right controls to mitigate those failures?”

If you do, then you need to see how effective they are. If you don’t, then you have a potential gap and you need to build a control to mitigate that particular risk. That’s how you can insulate yourself from potential breakdowns and potential risk. Coupled with this, you need to have a monitoring program to monitor the existing controls to make sure that the people are doing what they’re supposed to do: monitoring the processes and making sure that the controls are effective. If you have those two components, you should be able to prevent 99.999 percent of risk and potential failures.

Technology advantage
Technology is the way to go to limit variation. Wherever you have people involved, obviously there’s a lot more variation. You need to look at the controls you have in a business and try to use technology as much as possible to monitor and assess your controls. That’s a very efficient method and is obviously cost effective.

Of course there are areas where you don’t have the luxury of using technology, and  that’s where you’re depending on the associates or the human element. Having the right people, providing people with the right training and having the right oversight and a dual level of control to make sure people are doing what they’re supposed to be doing is the correct approach. In a way, technology is the easy part. The real challenge comes when you are dealing with operations in which you have a lot of associates and you’re depending on the variation in what they do, and then you multiply that by thousands.

It can be difficult to control risk without stifling it. If you look at some of the risk we have today, it’s very different from the types of risk we had a year ago or five years ago or 10 years ago. As technology changes, risk changes. You can look at risk as a cat and mouse game, where you’re upgrading certain controls to mitigate certain risk.

We will always need risk management. We will never be able to say, “I’ve mitigated all the risk and I can now sit back and relax.” Unfortunately that won’t be the case. It’s the nature of things; things are always going to change.

As technology changes, as people change, as the landscape changes, risk changes, and we have to continuously go after it. We have to have the right people, the tools and the technology to continuously look for emerging risk. One of the key components is to make sure that you’re not reacting to what’s happening today but that you’re looking at the environment and you’re looking at future trends. The differentiating factor between a risk mindset company and one that is not would be a company that looks for emerging risk and puts controls in place today to mitigate future risk.