The Operational Risk Handbook for Financial Companies: A guide to the new world of performance-oriented operational risk

By Brian Barnier

The Operational Risk Handbook for Financial Companies is a groundbreaking new book. It seeks to apply for the first time a range of proven operational risk techniques from other industries and disciplines to the troubled territory of financial services.
Operational risk expert Brian Barnier introduces a range of sophisticated, dependable and - crucially - approachable tools for risk evaluation, risk response and risk governance. He provides a more robust way of gaining a better picture of risks, shows how to build risk-return awareness into decision making, and how to fix (and not just report) risks.
The practical importance of fully understanding and acting on risk to the business begins in the foreword on plan-B thinking, penned by Marshall Carter, chairman of the NYSE and deputy chairman of NYSE Euronext.
The book is unique because:
- It is not just about modeling and a few basic tools derived from regulatory requirements. Instead, it looks at management of risk to operations across industries, professional disciplines and history to help ops risk leaders become aware of the entire landscape of proven experience, not just their own conference room.
- It is not just about compliance. Instead, it looks to operations as part of performance - managing risk to return for shareholders and other interests (e.g. guarantee funds).
- It is not content to look at risk in stand-alone segments or silos; instead it takes a systems approach.
- It is not just about ops risk leaders sharing war stories at a conference. Instead, it introduces a panel of six financial institution board members who get risk management and provide their perspectives throughout the book to encourage/demand more from ops risk to meet the needs of the institution in the world.
- It is not a semi-random collection of tips and tricks. Instead, it is grounded in a risk-management process flow tailored to financial companies from a range of proven experience, providing tools to help at each step.
Suitable for companies of all sizes, this book is of direct relevance and use to all business managers, practitioners, boards and senior executives. Key insights from and for each are built into every chapter, including unique contributions from board members of a range of companies.
The Operational Risk Handbook for Financial Companies is an essential book for making better decisions at every level of a financial company; ones that measurably improve outcomes for boards, managers, employees and shareholders alike.

• Language: English
• Publisher: Harriman House
• Release date: Jul 8, 2011
• ISBN: 9780857191564

Brian Barnier

US-based Brian Barnier uses his practical cross-discipline, cross-country and cross-industry experience to help leaders improve their personal and operational risk programme efficiency and effectiveness. In addition, he has been honoured to serve on several industry and professional practice committees, contributing risk management approaches to improve business performance and demonstrate compliance. He was named one of the exclusive fellows of the Open Compliance and Ethics Group (OCEG). Mr Barnier is a contributor to Risk Management in Finance (2009) by Wiley & Sons. He has served as a co-author of ISACA's Risk IT based on COBIT Framework and Practitioner's Guide; a member of the review committee for OCEG's Redbook 2.0, guidance for using governance, risk and compliance to improve principled business performance; and a member of several committees of the BITS/Financial Services Roundtable. He teaches professional education in risk management and audit of risk management, has taught operations and finance at the graduate level, has presented popular webinars, podcasts, been quoted in the risk and financial press, and has over 100 published articles for business operations, finance, technology, audit, risk, security and business continuity audiences. He serves on the editorial panels of the Taylor & Francis EDPACS Newsletter, ISACA Journal and the Association for Financial Professionals Risk newsletter. www.valuebridgeadvisors.com www.twitter.com/brian_barnier

Book preview

2011

Introduction

Touchstones to Keep Focus on Efficiency and Effectiveness

We all manage risk; it’s part of life.

Risk management is simple.

Life and business are complex.

Use risk management approaches to make business simpler as one way to reduce risk.

Use risk management to provide clarity and logic, not emotion and bias.

Use the right tools to make the job easier.

This book describes an approach to help financial companies shift to a more business performance-oriented, systematic approach to risk management. To this end, it is helpful to be focused by a set of touchstones.

The following will be elaborated and borne out over the coming chapters, but they are collected here in preview for ease of reference and to set out, as it were in blueprint, the practical implications of this book.

Overall

The best risk management is about managing risk to business performance against specific outcomes or objectives.

Changing situations may bring gain or loss.

Risk management is not a paperwork exercise for compliance. Compliance will always leave gaps and exposures to real business risk that can harm customers, partners and shareholders. Look at the litter of companies over the years who have been compliant and still suffered loss.

Risk management should improve agility, making it safer to move in a changing environment.

Risk evaluation

Root cause is the key to finding and fixing risks to performance—especially to finding problems early and fixing them fast.

A systems view of risk is needed to understand the dependencies of products on processes, people and technology.

An ‘event’ is not isolated. Potential and realized risks are chains of events that cascade in time, triggered by causes in dependencies or other related events.

Thus, risks must be analyzed in robust scenarios that consider environments, systems and cascades to understand how situations might be prevented and, when they arise, contained.

Scenarios are therefore the central feature of risk evaluation.

Little is truly new in the world. This is especially true of root causes, although consequences play out differently due to different environments. After each situation arises, people often emerge who have already tried to call attention to the problem.

A key role of the operational risk manager in conducting scenario analysis workshops is simply to ensure that the right people are in the room to bring their insight to the discussion of how products and processes work in systems—the dependencies, the timing, the gaps and what is already broken or likely to break under stress.

You must push to see enough to understand potential problems and opportunities in a changing environment.

Understand the business value of your options: the value of knowing now, rather than later; the value of acting now, rather than later—having more time to act; and the value of having a range of options, rather than being forced into one.

Risk response

Always have a plan B. Use this not only to prevent and prepare, but also to test the quality of your risk evaluation.

Base responses on root-cause data, which can provide early warnings and point to what to fix, not proximate-cause data.

View risk-status data in the context of cascading events in time created earlier in scenario analysis. This gives meaning to ‘What could happen next?’ and provides insight for action. This is situational awareness. Look for changes and patterns that create the need to act.

Use plan Bs to guide you under pressure to take the right action, instead of making the situation worse. Consider the cost/benefit of each of the range of options.

Risk oversight

More risk-return-aware decisions form the best path to reducing risk to performance.

Ensure board-level (especially independent member) engagement in operational risk:

First, make certain that the board risk committee has skill in risk management and a wide range of risk types.

Second, make sure that the chief risk officer has clear authority and ‘voice’ to the board.

Lastly, ensure that levels of assurance are matched to the nature of risks. ‘Reasonable assurance’ used for risk to financial statement preparation (and audit committees) is not sufficient for managing risk to a business initiative or to human safety.

Continually improve maturity of risk management capability:

Stress a culture of ‘find early, fix fast’, with a mandate for open communications (full disclosure, no defensiveness). Become time-sensitive.

Deeply build risk awareness and risk response into your organization. Everyone has a role in preventing and responding.

Be humble. Realize limitations. Understand bias. Seek people, training and past lessons to overcome blind spots.

Demand an end-to-end view of risk by business activity/product/process—cross the silos.

Keeping these thoughts in mind, let’s see how these points have been reflected in the past in managing risk to operations. [¹] We’ll take a whirlwind trip through history and then get some practical insights from other industries with similar challenges: insights which are then fleshed out and applied to financial services throughout the rest of the book.

‘Been There, Done That’—the Voice of Experience

Marsh Carter opened this book with a view of lessons he learned fixing problems at Chase Manhattan Bank and transforming State Street Corp. Some of his instincts in finding and fixing risk root causes trace back to his experience in the US Marine Corps and his operations research degree from the Naval Postgraduate School. For thousands of years, militaries have been concerned about the science of logistics—the study of moving and quartering troops. [²]

In this same spirit, it is helpful for us to learn from those who have ‘been there, done that’ over the years in managing risk to operations. As several notables have observed: Those who don’t know history are destined to repeat it. [³]

In the ancient world

Looking back on the lessons of history, we see that success or failure in operations has led to the rise and fall of civilizations. Alexander the Great (356–323 BC) faced this in the expansion of his empire. This enlargement required him to quickly create government operations that communicated from Greece in the northwest to Egypt in the southwest, as well as to what is now western India in the East. Hannibal, the military leader from Carthage (248–183/2 BC), also managed severe and extensive risk to operations when he successfully crossed the Alps with war elephants into northern Italy in 218 BC. The Romans recognized the need for effective operations to hold their empire together by building good roads and a postal system. Almost 2000 years later, Napoleon’s failure to learn about risk to operations contributed to his disastrous march on Moscow during 1812 and 1813.

Rulers in the ancient world also had to evaluate the likelihood of success or failure as they shifted their alliances and tribute. After Alexander the Great’s death and the division of his kingdom among his four leading generals, a period of shifts and conflicts ensued until the Romans gained control (with operations management success playing a non-trivial role on both the military and civilian construction fronts). The success or failure of operations is seen even in Biblical history. In the Book of Luke, a civil engineering failure is reported. Eighteen people were killed when the Tower of Siloam collapsed. [⁴] In the Book of Acts, it is reported that St Paul is forced to winter on Malta after his shipwreck. We learn why from Roman maritime law. Navigation was allowed (secura navigatio) from March 10 through October. Then, after an interim period, navigation was closed (mare clausum) [⁵] from late November through February.

Two lessons to learn from these early considerations in logistics and operations are that:

The approach addressed both finding and fixing problems more quickly than adversaries (owing to serious competitive time pressure, and not just for market share).

It was all ‘qualitative’ by our standards today.

According to several histories, probability theory didn’t arise formally until the mid-1600s with the work of Blaise Pascal and Pierre de Fermat, which focused largely on probabilities in games, such as dice. Christian Huygens wrote a key formalized work in 1657. The first insurance arrangement at Edward Lloyd’s coffeehouse began in about 1688. Pierre de Laplace penned a broader view of the subject entitled Théorie Analytique des Probabilités in 1812. Too bad Napoleon was busy marching to Moscow; maybe he should have been reading de Laplace’s book. This is a powerful learning point for us today in managing risk to operations. Amidst the checklist culture, there is a risk of losing sight of our essential objectives; businesses do not exist simply to exist or get by, but to excel and outperform. Could the risk management processes in our institutions get Alexander to India, Hannibal over the mountains, or build and operate the Roman road and postal systems? Honestly answering this question can be sobering. The good news is that there is much in history from which to learn.

In the past century

Looking back over the past century, we see several advances in operations research and risk management that continue to shape financial companies’ approach to operational risk. These include the development of:

the control chart by Walter A. Shewhart (1891–1967) at Bell Labs in the 1920s

the option discussion in the Theory of Interest by Irving Fisher (1867–1947) in 1930

the Plan-Do-Check-Act cycle also developed by Shewhart and later termed the Plan-Do-Study-Act cycle by W. Edwards Deming (1900–1993)

a wide range of statistical risk reduction and quality- and performance-improvement methods driven by Deming in post-WWII Japan, for which he received many honors

root-cause analysis and quality improvement by Kaoru Ishikawa (1915–1989) at Toyota

quality improvement by Philip Crosby (1926–2001)

project management techniques such as the program evaluation review technique developed by Booz Allen Hamilton and the US Navy in 1957 for the Polaris nuclear submarine project, and the critical path method formalized in the late 1950s (based on earlier work by DuPont for the Manhattan