Operational risk: a disciplined approach

If you take even as much as a cursory look on the corporate agenda for any business in any industry these days, you are sure to come across the words ‘risk management’. They are likely to appear quite high up the list of priorities, underlined and, in all probability, in bold type. Risk management’s stock is higher than ever before in the business world but for financial institutions, risk has always been the epicenter of their environment. Indeed, perhaps more any other economic sector, the financial services industry can be seen as one that makes money by taking risks.

“One way to look at the business of financial intermediation around different kinds of capital market is that the financial services institutions that play in these marketplaces are matching up different resource availabilities with different needs across the economy and absorbing, redistributing and managing risks – on behalf of themselves and on behalf of those with whom they deal – that are specific to particular places and times and activities so that the economy can work better,” suggests Charles Taylor, Director of Operational Risk at The Risk Management Association (RMA). “So risk management is very much at the heart of what financial services firms do.”

You can trace risk management as a formal discipline in the financial service industry back at least a century, for instance, in terms of the credit risk side. The sector is an old hand at this game. Operational risk is similarly synonymous with the financial industry. But its particular presence has arguably become more apparent as regulators have shown more interest in consumer protection and issues regarding the integrity of the financial system.

As Managing Director and Global Head of Operational Risk at JPMorgan Chase, Joe Sabatini has pedigree in this field, responsible for managing the firm's framework for the measurement and management of operational risk as well as serving as a board member for the Risk Management Association. Sabatini distinguishes operational risk from its siblings in the context of financial services: “Unlike credit risk or market risk, where – by intention and design – we take that risk, try to manage it well and successfully earn a return, operational risk is a byproduct of our normal business processes,” he explains.

“The regulatory initiatives – whether they are Basel II or Sarbanes-Oxley or some of the other more specialized compliance requirements we find ourselves operating under – have obviously raised the profile and urgency around operational risk management. These external pressures, along with a few significant events, have taken operational risk from the back and mid-office to the front office and executive office.”

No surprises

Operational risk management may be nothing new to the world inhabited by financial institutions, but it wasn’t until the end of the 1990s that the formal approach so apparent today started to take shape. With more than a little impetus from certain regulatory developments and financial losses, the industry has subsequently made impressive progress in terms of improving the visibility, measurement and reporting of operational risk. For JPMorgan Chase, year zero was 2000, the point at which there was a shift from managing operational risk on a ‘cell-by-cell’ or ‘subject-matter expert’ basis, to a more integrated and coordinated effort across all business and support functions.

“People use 2000 as a benchmark time period in which some major financial institutions like our own began to think about operational risk as a risk discipline,” says Sabatini. “We’re not trying to replace the subject-matter expert, because operational risk is best managed where it is generated: in the individual businesses, in the individual product lines and in the individual locations, with people who understand the businesses that they are conducting and are best situated to manage that risk. What we’re trying to do now is add to that a portfolio approach, borrowing some of the lessons that we learned from credit and market risk. We want to complement that subject-matter expert approach with better information, analysis and understanding of where we (or others) have lost money, and how we can then be more forward looking and preventative in our approach to operational risks. There is an opportunity at hand to improve our financial performance in this manner.”

When JPMorgan Chase’s corporate operational risk management team was established in 2000 to create an integrated, consistent approach to operational risk management, one of its priorities was to establish a common way of identifying, measuring and monitoring operational risk throughout the organization, and then ensure that this framework is maintained across the enterprise. The beating heart of the framework is JPMorgan Chase’s control self-assessment process, which Sabatini has variously referred to as “the most important element in our operational risk framework” and one that creates better awareness and ownership of risks.

The process consists of subject-matter experts from each of the business lines initially meeting to identify the key risks in their businesses, usually specific areas where something is most likely to go wrong. These are then divided down into smaller, sub-risk segments, processes and control functions that would be affected should the risk materialize. In essence, the system has induced a beneficial move from a ‘blame culture’ to a ‘risk-orientation’ regarding operational risk losses.

“A very noble goal for operational risk management is to create a ‘no surprise’ environment, and that is the backbone of the self-assessment effort,” Sabatini explains. “If it is done well, you have identified the key risks, you have identified the controls that you have in place, you know what gaps exist, and business managers can therefore make informed decisions as to what resources to dedicate against those risks and any control gaps that exist.”

There is an axiom of credit risk managers: they don’t mind losses – they mind surprises. History has paid this old adage little respect however, and when the industry has suffered large losses in the past, too often they have indeed proven to be a surprise. For Sabatini, this emphasizes why operational risk is an area for focus. “The industry loses money every day in credit risk and market risk, and we’re not bothered by that when we take those risks and we incur those losses on an informed basis. I think that there is a great deal of wisdom that we should aspirationally apply to operational risk management so that someday we will be operating in an environment in which there are fewer and fewer surprises around control breakdowns.”

The million-dollar question

Of course, as a discipline that is still relatively ‘fresh’ compared to credit risk and market risk, and there are growing pains for many firms still grappling with operational risk. In particular, operational risk is tricky because the scope and number of people involved is broad. Because market risk and credit risk have such a narrow population, the relevant individuals are keenly aware of their individual responsibilities around those risk disciplines. “We say that operational risk runs from the mail room through to the executive suite, and every one of our employees in some fashion is a generator – and, necessarily, a manager – of operational risk,” says Sabatini. “Operational risk is so much broader [than credit risk and market risk] in terms of the people involved, the types of risks that we incur, and potentially the financial implications of those risks. So awareness and tracking and monitoring data around that is a bigger challenge.”

Wrestling with awareness and data issues relating to integrity is one thing. But there is also the million-dollar question: how can managers turn operational risk from a high-level measurement into an actionable benefit? This is a far more fundamental issue. Operational risk management may now be firmly on the financial services radar, but its value to the business can all too often be lost in a fog of redundant reporting. Firms can easily be left querying what the incremental value of this more organized approach to risk management is. Certainly, it is difficult to know what losses you would have incurred if your organization hadn’t set off down the path of trying to improve operational risk management.

Sabatini believes that the key for any operational risk manager is to work with the business managers to ensure that what you are doing is in reaction to demand-pull rather than supply-push. “There is no doubt that business managers want to understand their operational risk better,” he stresses. “If we have timely and accurate information – whether that is information regarding losses or issues arising from the control self assessment process – and we can feed their need for good information around the control environment, then I think we can easily answer that value question.”

“Why are we doing this? We are doing it in response to what you are demanding as good business managers – that is to really understand what is driving your financial performance around operational risk and the financial implications of operational risk. So as long as we hold ourselves to a standard and move at a pace that is really driven by this demand-pull as opposed to some glorified corporate initiative then I think we’ll be successful.”

Considering the financial service industry’s relationship with this new risk discipline, Sabatini concludes: “Recent history has shown us that operational risk is real and can be expensive. But if well-managed, I think we can maintain a good financial performance within normal boundaries.”

Prior to his role as Managing Director and Head of the Corporate Operational Risk Team for JPMorgan Chase, Joe Sabatini held a variety of positions within the company. These included serving as the firm’s Senior Credit Officer, General Manager of the Singapore Office and Regional Head of Credit for Asia Pacific. He also was the Global Head of Credit Research and served for a time in Tokyo as the Head of the firm’s M&A Advisory function. Before joining JPMorgan Chase in 1982, Sabatini had spent time in the Bank Supervision and Regulation Division of the Federal Reserve Bank of Cleveland and the Fitch Investors Service. He is a member of a number of industry forums related to operational risk, currently serving as Chairman of ORX, the Operational Risk DataExchenage Association, as well as serving as a board member for the Risk Management Association.