Operational risk is defined by the Basel Committee as: “The risk of loss resulting from inadequate or failed internal process, people and systems, or from external events.” Once dismissed as the risks that didn’t fit in anywhere else, operational risk came into the public eye after events like the 9/11 attacks and the 2008 financial crisis, demonstrating that these risk areas not only matter, but are vastly under-catered for.
Deloitte’s 2017 report, ‘Operational risk management: The new differentiator’, stated that “in short, operational risk is the risk of doing business.” For treasurers, the failure to manage operational risk properly can have huge financial, regulatory and reputational ramifications.
According to the Global Risk Community, operational risk can be summarised as human risk, as it is the “risk of business operations failing due to human error.” As a result, businesses with a higher level of automation will theoretically have lower operational risk.
Too much technology?
Mark Lewis, Bloomberg’s Head of Product Corporate Treasury, recognises the benefits of technology. However, he also believes that with more technology come more risks. For example, Lewis notes that treasury management systems (TMSs) are becoming increasingly sophisticated – and this isn’t necessarily a good thing for operational risk.
“Instead of just having a package solution, TMS vendors have ended up having this huge variety of choices,” Lewis says. “So instead of implementing a system in two and a half days, you implement in six months. Or, in some cases it’s a three-year implementation project when you get to the really big systems.” It’s this flexibility that Lewis believes creates opportunity for operational risk. “No one person knows every piece of it and what’s going on and whether it’s actually going to work properly or not,” he adds.
A simple example, he says, is running a report, applying a filter to it, and saving it. “Then you forget you put that filter on. So next time, you think you’re running the report for all your payments for sterling, but it’s filtered out a bunch and you don’t know. And if it’s not highlighted properly that the filter is on, you’ve missed something important that you should be doing.”
Hackers abound
For Nor Adila Ismail, Chief Risk Officer at Petronas, the biggest operational risk in treasury is cyber-security, owing to the use of external systems such as SWIFT to process payments. “These external systems are in our treasury,” she explains. “For operational risk, we must learn from the Bangladesh Central Bank heist and consider the unauthorised access to certain payment systems.”
She continues: “Operational risk is always thought of as health, safety and environment, or security, but it’s never thought of as potential for theft or fraud. All of that needs to be looked at holistically so that we’re able to design the risk management accordingly, reflecting not only treasury but all the other aspects of our operations.”
Andreas Bohn, a partner at McKinsey, agrees that cyber-risk is one of the most important factors in operational risk these days. He says this applies not only to internal areas such as data protection and/or manipulation of data sources, shadow accounts and cyber-fraud, but also to the risk of external cyber-attacks – such as distributed denial of service (DDoS) attacks and ransom demands – which can incapacitate a business for some time.
A 2016 report by Accenture and Chartis focused on “analysing the benefits of better alignment across operational risk management procedures with cyber-security.” The report argues that “cyber-attacks from external criminals or internally disgruntled employees” can fit the definition outlined by the Basel Committee, as they “become a problem only if the processes and people elements in an FI’s strategy are not sufficiently developed.” Additionally, the Basel Committee’s 2014 report on operational risk includes cyber-attacks as an example scenario. The report also points out that the pressing need for firms to invest in cyber-security is only heightened by regulators imposing retrospective fines and sanctions for past breaches.
Lewis agrees that cyber-security is more important than ever. With recent high-profile attacks on companies across the globe, he notes that having strong security around systems in place is imperative. “Having just a single password is insanity,” he says. “A user ID and password is just not good enough these days. We use biometrics and two-factor authentication.”
Human error
Operational risk can overlap with several other areas, says Bohn. For one, erroneous data entries, in particular when it comes to trade and payment entry – wrong signs, decimals, or currencies – can cause liquidity risks.
With human error often posing the biggest risk to any organisation, cyber-attacks that arrive via dangerous or phishing emails can fall under the operational risk umbrella. No number of firewalls can protect against such emails, and all it takes is one employee unknowingly clicking a link in an email for malware to infect the system.
However, human error doesn’t just mean clicking a malicious link. Lewis explains that the increased use of technology also encourages basic errors such as typing in the wrong account number. “I use the term ‘garbage in, garbage out’,” he says. “It’s so important that your starting point is putting the right data into a system, because once the data is in a system, people rely on it. And this is where things can easily go wrong from an operational risk perspective.” Bohn agrees, noting that such erroneous data entries are where operational risk overlaps with liquidity risk, particularly in trade and payment entry – for example, wrong signs, decimals or currencies.
As a result, Lewis says that having a four-eyes principle when capturing static data is a necessity. “People trust that the information in the system is correct and just press ‘send’ on payments because they’ve had a busy day,” he adds.
However, Lewis has seen high-tech solutions that flag any deviation in a transaction from the standard settlement instructions (SSIs) and automatically route the instruction to a second signatory for release of payment, highlighting the fact that it does not match the SSI. Unfortunately, Lewis notes, this is usually a costly feature and thus often only affordable for larger corporations.
Mitigating the risks
Manu Taneja, Executive, Cash Management & Treasury Services, APAC, General Electric, believes that most of the treasuries he sees keep risks at a manageable level. “There’s a process to identify all the major risks and plug them,” he says, adding that the best way to do this is to have a strong operational risk framework in place.
The framework, according to Taneja, should be about finding the risk areas, building controls around them, offsetting the risks and then reviewing the cases that slip through the net. He believes there are three components: engaging the right stakeholders, building controls, and having a mechanism around them.
Bohn has a similar view, believing that strong operational risk management has three lines of defence. “Appropriate policies, appropriate oversights, account validation and so on, is the first line – basically, the treasury itself,” he says. “The second line of defence looks at the control figures, defining the risk identification, the variations of the risks and setting limits and breakage points to get the key operational risks first of all under supervision, and then control. The third line of defence is the audit function, which then looks at the first and second lines to ensure they work properly.”
Putting the fire out
When operational risks arise and aren’t dealt with, there are usually procedures to follow. For Taneja, the first thing to do is “firefighting”. After that, it’s imperative to do a root cause analysis (RCA), plug the risk, figure out what happened, how it happened and how the right controls can be put in place moving forward. “Who did it is probably the last thing to be wondering and squabbling about,” he adds.
Who should be involved?
In Ismail’s experience, when it comes to managing and mitigating operational risk in a treasury context, the best results come from a dedicated financial risk management and operational risk management team working hand-in-hand with the operations team in treasury. This allows all the teams to communicate and design something that’s workable for the treasury function of that specific company.
Taneja agrees that there should be cross-functional teams engaged throughout the process, as does the Accenture and Chartis report, which states “operation and cyber-security employees need lines of communication and a coordinated pre-planned response.”
The report continues, specifying that job titles such as chief information security, technology or information officer (CISO/CTO/CIO) “tend to have a strong understanding of IT, but… limited formal risk management understanding”. Meanwhile, “risk managers have a strong understanding of the business and risk concepts needed for a good cyber-security response in the event of an attack, but a relatively weak understanding of the complex IT issues involved.”
“Treasurers have been talking about segregation of duties since back in the 80s,” says Lewis. Indeed, it’s still just as relevant today. “You have someone trading who can’t actually make the settlement instructions, someone who’s releasing the payment but can’t do the confirmation, and so on. You get this triangulation of validation, so you know what’s being paid, because it’s usually around the payments that the fraud happens if it’s going to.”
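As an added illustration (not code from the article, nor from any vendor’s TMS), here is a minimal version of the two controls Lewis describes: a release check that escalates any deviation from the stored SSI to a second signatory, and segregation of duties so that the person who captured a payment cannot also approve it. The role names, SSI book and IBANs are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SSI:
    """Standard settlement instruction held on file for a counterparty/currency pair."""
    counterparty: str
    currency: str
    iban: str

@dataclass
class Payment:
    payment_id: str
    counterparty: str
    currency: str
    iban: str
    amount: float
    created_by: str
    approvals: list = field(default_factory=list)

class ReleaseControl:
    """Decides how many independent approvals a payment needs before it can be released."""
    def __init__(self, ssi_book, roles):
        # roles: user -> set of role names; "trader" and "approver" are hypothetical labels
        self.ssi_book = {(s.counterparty, s.currency): s for s in ssi_book}
        self.roles = roles
    def deviates_from_ssi(self, p):
        # A missing SSI counts as a deviation: there is nothing on file to validate against
        ssi = self.ssi_book.get((p.counterparty, p.currency))
        return ssi is None or ssi.iban != p.iban
    def required_approvals(self, p):
        # Any change from the SSI escalates to a second signatory (four-eyes on the change)
        return 2 if self.deviates_from_ssi(p) else 1
    def approve(self, p, user):
        if "approver" not in self.roles.get(user, set()):
            raise PermissionError(f"{user} is not an approver")
        if user == p.created_by:
            raise PermissionError("segregation of duties: creator cannot approve own payment")
        if user in p.approvals:
            raise PermissionError("the same approver cannot sign twice")
        p.approvals.append(user)
    def can_release(self, p):
        return len(p.approvals) >= self.required_approvals(p)

# Constructed sample data: the counterparty, IBANs and users are placeholders
SSI_BOOK = [SSI("ACME Ltd", "GBP", "GB00TEST00000000000001")]
ROLES = {"trader1": {"trader"}, "approver1": {"approver"}, "approver2": {"approver"}}
CONTROL = ReleaseControl(SSI_BOOK, ROLES)
```

A payment matching the SSI is releasable after one approver; a payment whose IBAN differs from the SSI needs two distinct approvers, neither of whom may be the person who captured it.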
For Lewis, a key figure in the management and mitigation of operational risk is the middle office. He explains: “Middle office function, in my view, is not part of the workflow, but is monitoring and managing the risk of the group. You’ve got a trader who’s got to stay within his limits and controls, but there is this second team that’s looking at the risk of the treasury department and making sure that all the players in that space are doing the job that they’re meant to be doing and they’re not breaking any of the Group’s policies.”
The fallout risks
The consequences of failing to mitigate and manage operational risk can be severe. Financial consequences and reputational damage can cripple a company. As Ismail explains, it is sometimes not through any fault of the company: a payment that seems harmless on the surface can result in accounts being frozen. “It’s not necessarily third party anymore, now we talk about fourth party risk,” she says.
Bohn recommends that institutions should have a framework in place to manage third and fourth-party risk from the sharing of confidential data. “Such a framework may require specific contract provisions, professional indemnity insurance or comparable guarantees and other minimum requirements for the supplier,” he explains.
The reputational damage that comes with poor operational risk management has the potential to be catastrophic. Consumer trust is essential for any business to function effectively, and Bohn explains that any breach “can undermine your franchise, your customer base, your investor base and your counterparty base for trading”. There are an estimated 2.65 billion social media users in the world, and with platforms capable of spreading news immediately, the results can be much harsher than they were 20 years ago.
The end goal
For Bohn, the end goal depends on the type of operational risk being managed. There may be operational errors which have limited impact, meaning you can reverse them – such as a wrong payment – or there could be problems related to fraud which may be irreversible and require more effort to manage the impact. But, he adds, the focus should be on controlling the risk, then reversing the impact with a mitigation or crisis plan – learning from the mistakes so that they hopefully don’t happen again.
Ismail has a similar outlook: “Realistically, can we mitigate all risk? Especially the ones that involve the external environment, especially when there’s a fourth-party risk?” she asks. If not, she adds, it becomes about mitigating the risk to an acceptable level.
Taneja agrees that it’s unrealistic to expect a zero-risk environment. “Realistically speaking, some residue of risk will remain at all times, and that generally emanates from people-related issues,” he notes. For example, this could be finding that the expertise is not there, or that there are new employees joining and they have a learning curve ahead of them.
He continues: “I think the goal should be to keep risk at a manageable level, which means the framework should be robust enough not to have any major risks uncovered. Blind spots do exist and do come up once in a while, but by covering all the major bases you should be mostly protected.”
Going back to basics
For Lewis, the end goal of operational risk management comes back down to the basic function of a treasury department. “Your job as a treasurer is to make sure the company has got sufficient funds,” he explains. “You’ve got to ensure that all the risks you’re mitigating, all the items that could impact the liquidity of the business, is looked at very carefully.” It’s important to have a holistic view, he adds, and to learn to prioritise the risks. “You work out which ones you’ve got spot on, and then you work down from there onto the smaller ones that are operational related but that won’t have severe consequences like the company collapsing in a heap.”
Building a business case for implementing enhanced risk management – which often comes at a cost – can be a struggle for some treasurers. Lewis notes that it’s no different to insuring a home and urges businesses to recognise that. “Explain that these systems are necessary to protect the business and that it needs to be something that is secure, controlled, and part of your remit,” he says. Using high-profile examples, such as the Bangladesh Bank heist, as a starting point is useful too, as you can then build on it from a cost savings perspective. “Cash seems to be the easiest way of justifying a risk system,” he concludes.
The Bangladesh Bank heist
The Bangladesh Bank heist happened in February 2016, when hackers used the SWIFT network to illegally transfer almost US$1bn from an account belonging to Bangladesh Bank. Most of the transactions were stopped or reversed, but the hackers still got away with US$81m. According to the governor of the bank at the time, he had hired a cyber-security firm a year before the event, but “bureaucratic tangles” in Bangladesh prevented the firm from starting work until after the incident.