PERSPECTIVE

OPERATIONAL MANAGEMENT IN : THE WAY FORWARD

Abstract

Risk management has always been a complex function for banks. Today the scope of regulatory compliance and risk management has become much broader, and the potential impact of noncompliance is significantly high. The risk function at banks is evolving from being a number-crunching function to a more dynamic business enabler, focusing on risks arising from complex products, diversified operations, diverse workforce, multiple channels, and regulatory compliance at regional and global levels. The intent is proactive risk management and mitigation rather than event-based response. Operational risk has come to the fore since 2001, when it was recognized as a distinct class of risk outside credit and market risk, by Basel II. Though the Basel committee proposed some approaches to measure operational risk, their level of sophistication varies across banks. This is also because operational risk is the most complicated risk type when it comes to risk quantification, identification, and mitigation. Operational risk is highly dynamic in nature and is impacted by numerous factors such as internal business processes, regulatory landscape, business growth, customer preferences, and even factors external to the organization.

Introduction

Risk management has always been a complex function for banks. Today, the scope of regulatory compliance and risk management has expanded and the potential impact of noncompliance has significantly risen. As a result, the risk function at banks is evolving from being a number cruncher to a more dynamic business enabler focusing on risks arising from complex products, diversified operations, diverse workforce, multiple channels, and stricter regulatory compliance both regionally and globally. The underlying intent is proactive risk management and mitigation rather than event-based response.

Operational risk came to the forefront in 2001 when it was recognized as a distinct class of risk outside credit and market risk, by Basel II. Though the Basel committee proposed some approaches to measure operational risk, their level of sophistication varies across banks. This is mainly because operational risk is the most complicated risk type when it comes to risk quantification, identification, and mitigation. In fact, operational risk is highly dynamic in nature and impacted by numerous factors such as the internal business process, regulatory landscape, business growth, customer preferences, and even factors external to the organization. Some factors are:

Internal process

• Complex internal process
• Cross-functional teams / IT applications
• Conflict of interest for employees
• Complex products

‘A loan was approved without the verification of collaterals’

Business growth

• Undue pressure on systems, people, and processes for achieving business growth
• Mis-selling of products

‘In order to meet the sales targets, new accounts were opened without proper KYC’

Regulatory landscape

• Tighter regulatory requirements
• Increased number of regulations
• Complex regulatory requirements

‘Unable to meet regulatory guidelines due to disparate systems’

External factors

• Economic outlook
• Natural calamity
• Financial instability

‘Malfunctioning of ATM, due to outage in the city’

Customer preferences

• High customer expectations in terms of availability of services
• Increase points-of-contact with end customers

‘Customers taking advantage of same service from two different POCs’

External Document © 2018 Infosys Limited

Key challenges in operational risk management (ORM)

• Inefficient risk identification parameters: The current KRIs, KCIs, and KPIs used for ORM reporting in most banks are inefficient and do not provide a holistic data view, leading to incorrect risk identification. These KRIs are assessed in silos and a correlation among them is not quantified. Further, there is inconsistent risk measurement across business lines.
• Large data processing and complex logic: For ORM, the number of transactions that need to be monitored is growing at an exponential rate. This directly puts pressure on the current banking infrastructure and the existing processing logic is unable to handle the steep increase.
• No single aggregated view for the enterprise: Perhaps the biggest challenge in ORM is the lack of centralized and synchronized data. This can be further attributed to challenges around risk data aggregation. Most banks have incomplete coverage of data sources across business lines and hence, are unable to extract the full potential of huge data warehouses.
• Lack of vision: It is a known fact that ORM is widely recognized as a problem area within most banks but not many have a defined strategy which articulates how the bank intends to arrest operational risk.

In this article, we attempt to define a unified strategy for ORM and components of a futuristic ORM system.

Infosys solution approach

Using our experience of working with multiple customers, we have defined a comprehensive, three-point approach towards managing ORM:

• Enhance the risk coverage
• Integrate operational risk
• Decentralize operational risks

Enhance the risk coverage

The ‘three lines of defense’ model is widely used to define and manage operational risk. To complement the three lines of defense model, we propose a solution framework which works at a more granular level to help identify and control operational risk incidents. The target framework should include the following risk sources, which, in our experience, are lacking in most banks today:

• Uniform monitoring of all potential risk exposure sources such as customer onboarding, portfolio management, employee tracking, or even disaster management
• Product fitment based on the customer profile and risk appetite to minimize potential defaults in future
• Inclusion of non-customer-facing functions / processes under the purview of the first line of defense
• Clear definition of accountability at each level within the risk plan
• Clearly established lines of communication and feedback with various levels of management, including business sponsors

The key objective here is to move beyond the traditional risk types and focus on all business processes and interactions to ensure they are well covered.

Integration of operational risk

Each risk classification – credit risk, market risk, and operational risk – differs widely in its assessment, on-ground execution, and quantification. It is highly recommended to have a holistic view of all of these risk classifications. Basel III reporting requirements need capital reporting for each risk classification to be done separately. The approach to address this in most banks today is to have disjointed systems which work like watertight compartments that result in duplication of costs as well as effort.

• Integrated risk management platform: We propose integration of these independent risk management systems under a composite umbrella for a more effective risk management strategy. This integrated risk platform, created on top of a data lake, can be further leveraged as a one-stop shop for all data requirements for trend analysis and scenario analysis, and to enable an equally powerful dashboard and on-demand analysis. This would help reduce the costs of platform maintenance, enable faster compliance with regulations such as BCBS239, and allow all risk-related regulatory reports to be sent to regulators from a single source.
• Enterprise case management for risk: A ‘case’ typically is an instance of operational risk. We propose an enterprise case management system to manage alerts across different risk types. This will help to create a common risk catalog within the enterprise. Further, it will reduce operational and technology costs of managing such systems separately.

Figure: Target operational risk process

Risk integration: Relevant data aggregation from all lines of business and functions
• Corporate and institutional banking
• Personal and business banking
• Treasury back office

Risk quantification: Centralized risk quantification, monitoring, and control
• KRIs, KCIs, KPIs
• Loss data
• Risk and control self-assessment
• Audit issues
• External loss database

Risk analysis: Risk analysis based on Basel framework
• Capital modeling
• Regulatory risk measures
• Regulatory reporting

Risk reporting: Regulatory compliance framework
• Analytics
• Scenario analysis
• Forecasting
• Risk appetite

Risk governance: Enterprise-wide risk analytics, reporting, and governance strategy / decision support
• Regulatory reporting
• Unified MIS reporting
• Alerts and notification
• Control and governance

Decentralize operational risk

ORM is not just a function of the operational risk team. It should be embedded in roles across the organization. We propose a thin dedicated team to ensure overall compliance, with all units and business functions participating on the ground to ensure 100% coverage. This will serve the twin purpose of decentralizing the ORM function at banks and cutting costs to a great extent by reducing the dedicated ORM system and personnel.

The risk team can focus on overall regulatory compliance and the business functions can work on the ground to close gaps in business processes and operations. For example, the retail banking LOB manager can access, monitor, and mitigate the possible risks in the current customer onboarding process and the operational risk manager can define policies and standards for customer onboarding based on risk modeling, audit results, and past data analysis.

Monetizing the investment and the way forward

Most banks are approaching ORM reactively. As a result, solutions are tactical and costs and effort are duplicated. Given that ORM compliance and reporting is mandatory for all banks, we recommend having a central and holistic view of compliance across the bank. The objective should be to look beyond the short-term regulatory milestones and focus on re-engineering redundant processes. It is also essential to develop the right ‘risk culture’ across the enterprise to achieve the desired return on compliance investment.

About the Authors

Venkatesha N. Vysya
Sr. Industry Principal, Risk and Compliance Practice, Domain Consulting Group, Infosys

Venkatesha has over 20 years of industry experience leading several large and complex IT consulting, process re-engineering, system integration, and business transformation programs across marquee clients globally. Over the years he has built teams and multiple COEs to address business needs across industry domains.

He can be reached at [email protected]

Navdeep Gill
Lead Consultant, Risk and Compliance Practice, Financial Services Domain Consulting Group, Infosys

Navdeep has nearly nine years of experience. She has worked on large transformational programs in risk areas, for leading financial service providers, and has extensive experience in defining the strategy and roadmap of such programs. She has an MBA degree with a specialization in finance. Her areas of interest include and regulatory reporting.

She can be reached at [email protected]

For more information, contact askus@infosys.com

© 2018 Infosys Limited, Bengaluru, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the prior permission of Infosys Limited and/or any named intellectual property rights holders under this document.
