3 Operational Risk Lessons from the OCC’s Citibank Fine

The Office of the Comptroller of the Currency (OCC) levied a fine
of $400 million on Citibank “based on the bank’s
unsafe or unsound banking practices for its long-standing failure to establish
effective risk management and data governance programs and internal controls.” The
OCC has since followed that action with fines at USAA ($85 million)
and JPMorgan Chase ($250 million). When examining what this could mean
for banks and insurers around the world, and for the operational risk
discipline more widely, there are three key lessons:

Lesson 1: The focus needs to be proactive, not reactive

Rather than simply fining financial
institutions after large operational risk events, this penalty sets a precedent
that regulators in the United States—and likely in other jurisdictions soon as
well—will act proactively to avoid the damaging consequences of an event by
administering fines for more generalized poor risk management.

So as the OCC adjusts its regulatory approach to be
more proactive, the businesses and organizations it governs must become more proactive
as well. There are a number of items the OCC has asked Citibank to include in
its new ERM plan, many of which are key areas of focus for operational risk across
banking and insurance.

For example, the OCC stated the need to revise
“Enterprise-wide risk policies to improve the identification of growing,
emerging or material concentrations and idiosyncratic risks.” This underlines
the importance of identifying top and emerging risks across the sector. Research
shows that the operational risk landscape is shifting rapidly and increasing in
its scale and complexity, making it more challenging to manage. Additionally,
specific material risks such as cyber and resilience require a detailed
understanding and specialist approach to support their effective measurement
and management.

Overall, there’s a lesson that proactive,
forward-looking risk management with a robust framework is needed, rather than
backward-looking measurement of what has happened. It is no longer acceptable
to simply react and adapt when crisis hits, as our experience with the COVID-19
pandemic has shown repeatedly.

Lesson 2: Unity of systems and practices is

Regarding Citibank, the OCC repeatedly
stressed the importance of consistent practices, systems and processes across
the whole company. For example, in terms of data, the OCC highlighted the fact
that Citibank had multiple systems housing data, which increased the risk of an
information security incident.

On a very basic level, if your organization
lacks consistency in how it measures and records data from one department to
the next, how can you expect to gain insight into the risks you face as a whole
organization and make informed decisions on how to mitigate them? The “Umbrella
function”—a lead function that sets the framework, the taxonomy and owns—is key
to this.

Ensuring your organization’s systems, processes
and practices are consistently implemented across the organization should be a
priority. It is also worth considering the impact of the pandemic. Working
from home has meant that many processes have been amended to make them
workable. These changes were made out of necessity and tried
to strike a balance between enabling productivity and minimizing risk. It is
important to review these decisions now, ensuring that, with the benefit of hindsight, the
balance between risk and productivity is still right.

Lesson 3: Operational risk should have a seat at the board table

The third and perhaps most
important lesson is that operational risk needs to be on the agenda at the board
level, with board members and senior managers ultimately accountable for
its oversight. As if to make the point, the Fed and OCC’s actions came less
than a month after Citigroup announced that Michael Corbat, its chief executive
since 2012, will retire in
. With the stakes this high,
the case for operational risk having a seat at the table is compelling.

Providing board members and
senior managers with the insight to in turn provide the oversight that the
regulators want will require training, as well as improved data and better
issue escalation processes.

As the ORX and McKinsey study
The Future of Operational Risk stated, “Operational risk management
needs to step forward and step up by engaging with the business and ensuring
better coordination between different functions, such as operational risk,
compliance and IT.” Without this, and with multiple areas each having their own
reporting and escalation procedures, senior managers will find it hard to tell
the wheat from the chaff when it comes to risk. Access to key decision makers is
essential, and the insight shared with and between business functions to
support their decision making is invaluable.

The OCC intervention comes
at an interesting time for operational risk managers. The changing business
environment means that risk management needs to adapt, becoming quicker and
more responsive, while financial pressures mean risk managers are being asked
to do more with few additional resources. Risk professionals are looking at
ways to simplify their frameworks and focus on the key material risks. Now they
have added the implications of the Citibank fines into that mix.

