Managing operational risk, or rather failing to manage it correctly, can be a costly business. Look no further than recent newspaper headlines for proof of that.
In January 2014, J.P. Morgan agreed to pay $2 billion in penalties to settle charges relating to its involvement in the Bernard Madoff Ponzi scheme. Some of the oversights in operational risk management highlighted by the US federal prosecutors’ action against the bank were startling. In 2007, for example, the chief risk officer of J.P. Morgan’s investment bank agreed to increase its exposure to the Madoff entity to $250m, despite the fact that Madoff refused any further due diligence of Madoff securities.
Last year Chinese securities brokerage Everbright Securities triggered an investigation of stock trading systems at all brokerages in the country after a glitch in its trading system caused it to mistakenly make RMB 23.4 billion ($3.9 billion) of buy orders. This systems slip was the largest trading error in Chinese stock market history.
But it is not just financial services firms that are subject to operational risk – it is a huge concern for corporates, too. So what should treasurers be looking out for and how can they help the company to stay on top of its operational risk?
To answer these questions, it is important to first define and classify operational risk. In broad terms, it is the risk of loss resulting from inadequate or failed internal processes, human behaviour, systems or from external events. Examples can include fraud, by employees or outsiders, human error, and audit risk – where auditors may not understand the specificities of a company as well as an insider. External events that pose risks to corporates include movements like the Arab Spring that started in 2010, banking crises, such as the one that took place in Cyprus in 2013, and environmental risks, such as extreme weather.
What all these causes of operational risk have in common is their outcome: disruption to the company’s operations – which obviously carries the risk of financial loss. It can also create the less tangible risk of reputational damage. In some cases this may result in litigation from customers, suppliers or other stakeholders. Between 2009-2011, multiple recalls of Toyota cars over possible manufacturing faults were not only costly – forcing the Japanese carmaker to cut 750 jobs at its main UK factory – but also made a significant dent in the company’s previously decent reputation for safety.
With the economic shocks of the last few years making commercial life tough enough, it’s little surprise that corporates are intensifying their focus on operational risk and looking to plug any gaps. “Since the financial crisis, the majority of CFOs and treasurers have had greater responsibility for operational risk, which has led to more time and resources being devoted to its management. This is driving a need for greater automation through business-as-usual treasury processes, in order to give the treasurer the capacity to focus on these additional tasks. Operational risk needs to be dealt with in a long-term, strategic way – the best operational risk solutions balance efficiency with resiliency and sustainability,” says Mike Edwards, Head of Client Solution Design, Global Transaction Services, Latin America at Bank of America Merrill Lynch.
One way for corporates to assess their ability to manage certain operational risks is through stress testing. This is where companies explore what-if scenarios and try to predict their impact on the business using computer-generated simulation models.
Other technology can also help. Straight through processing (STP), whereby capital market and payment transactions are carried out electronically using a one-touch system, is one option. “From a technology perspective, straight through processing really does help reduce operational risk, as it eliminates the need to constantly re-key information into lots of different systems,” says Shen Lee, Senior Manager, Commodities specialist in Corporate Treasury Services at Deloitte.
STP reduces settlement risk, as well as allowing settlement and confirmation information to be drawn from the same source. It also reduces the risk of fraud. “There are various levels of authorisation on these systems that do not exist with traditional paper-based systems, with records of log in times and details of who is doing what. This obviously reduces the risk of fraud. If the systems are built in the right way, it creates the right segregation of duties that makes the whole process much more efficient – and it mitigates risk,” adds Dino Nicolaides, Director, Head of Treasury Advisory Services in Banking and Capital Markets at Deloitte.
Despite the technology now available to help treasurers manage operational risk, oversights do still take place. “No specific infrastructure or system can be perfect, and there’s always the risk of human error or something falling between the gaps,” says Nicolaides. “But now a lot of big corporates are taking this very seriously. Operational risk management systems and infrastructure need to be revisited at regular intervals to make sure you identify, as the business changes and moves, how the infrastructure and the mitigating factors you have in place are adapted accordingly,” he adds.
– corporate governance failures at several large US multinationals in the late 1990s and early 2000s, notably Enron and WorldCom, drove the passing of the Sarbanes-Oxley (SOX) Act, which regulates internal controls and the transparency of financial reporting.
– in the EU, listed companies are subject to a governance framework that is a combination of statute and ‘soft law’, a term that covers recommendations and corporate governance codes in member states.
– regulation around corporate governance and operational risk management varies from jurisdiction to jurisdiction. In China, for example, China SOX, or C-SOX, is the basic standard for enterprise internal control and has been adapted from US SOX.
Environmental risk is an area of operational risk that is becoming a much higher priority for corporate treasurers, particularly for those active in some Asian markets. We will therefore focus on environmental risk throughout the remainder of this article.
In a 2013 survey of weather-related risks in Japan, South Korea, China, Taiwan, Vietnam, Thailand, Indonesia and the Philippines, Munich Re said 45% of the major events in the 30-year period under consideration were floods. This was followed by storms (39%) and forest fires, heatwaves and droughts (16%). “There is no region of Eastern Asia that is immune to the threat of flooding,” commented Peter Höppe, Head of Munich Re’s Geo Risks Research unit, on the findings. The insurer said weather-related losses in the past three decades have caused losses of around $700 billion in Eastern Asia.
– in 1991 Typhoon Mireille caused a loss of $10 billion. Thirteen years later, in 2004, Typhoon Songda led to a loss of $9 billion.
– super Typhoon Maemi, which hit the country in 2003, caused a loss of $4.8 billion.
– flooding of the Yangtze and Songhua rivers in 1998 caused a loss of more than $30 billion.
– Typhoon Morakot in 2009 caused a loss of $3.4 billion.
– the 2011 flood led to a loss of $43 billion.
Source: Munich Re
Environmental risk covers more than just weather-related events, although this is one of the biggest risks. There are two broad ways of looking at environmental risks. The first is the impact a company can have on the environment. This can potentially damage a company’s reputation and may lead to fines or penalties being imposed on the company. In extreme cases it may even result in a corporate losing its social licence to operate in a certain territory. For example, oil and gas multinational BP is on course to pay over $7.8 billion in compensation payments as a result of the 2010 Deepwater Horizon disaster in the Gulf of Mexico.
There are also risks from the environment on a company. These risks include anything in the natural world – for example a loss of access to water, earthquakes or flooding – that could potentially affect corporate performance.
Awareness of environmental risks is coming to the fore for a number reasons. One is that companies are being forced to internalise more and more of the costs of their operations.
“Previously companies were allowed to pollute many parts of the world in which they operated relatively freely. However with rising concerns over the health impact, the social impact, and the environmental impact of pollution, we’re seeing increasing regulatory stringency on the ability of companies to externalise those costs,” says Dr James Allan, Head of Environment and Climate Change at risk analytics, research and strategic forecasting group Maplecroft. The externalisation of these costs can take the form of carbon policies or technical requirements for energy efficient equipment.
The international expansion of many companies into territories where they have no experience is also making the management of environmental risk more of a priority. “More and more businesses are now operating in parts of the world where there’s a greater exposure to environmental risks that are relatively unrecognised. There’s a real lack of understanding of the level of risk in certain locations – for example, of flood risks in some of the developing parts of China, South-East Asia or some of the other growth markets,” adds Allan. In addition to this uncertainty, a large number of corporates also lack understanding of resource scarcity and its implications, which can impact their ability to function without business disruption in the long term.
Environmental risk is becoming more of a Board-level issue. Previously seen as a technical or engineering challenge, it is now increasingly considered a strategic one, which can pose a problem for directors who are not familiar with this kind of risk. “It’s sometimes difficult for Boards to identify the environmental risks that they might be exposed to across their entire corporation, and to know what sort of information they might need, how they’re going to process it, and how they can then make decisions based on the information they have been able to collect,” comments Allan.
The making of environmental risk a Boardroom issue has been driven in part by pressure from stakeholders, including regulators and shareholders, who want a clearer understanding of how corporates are assessing and responding to these risks. As a result there has been a trend towards greater disclosure of companies’ environmental liabilities.
The management of environmental risk can be carried out using a three-step approach.
A company’s vulnerability to environmental risks may be linked to its direct operations or embedded in its supply chain. The company can collect historical information on this vulnerability or information on the current risk exposure.
Identifying the high-risk areas is the next step. This allows companies to develop approaches to mitigate the ones that pose the greatest danger to the business.
Once the responsibility for environmental risk has been assigned and awareness has been increased in the organisation, the company can start to manage the risk on an ongoing basis.
Financial risk transfer methods, such as weather derivatives, can prove an effective way of hedging against some environmental risks, particularly in emerging countries. The Chicago Mercantile Exchange (CME) lists more than 60 options and futures contracts on precipitation and temperature. The pricing of these derivatives is complicated by the fact that the asset underlying the contracts is not a saleable commodity itself. High yield catastrophe bonds, which pay out in the event of certain extreme weather events, such as hurricanes, are also available, though little used by corporates.
Technological advances have contributed to the monitoring of environmental risk. The Gravity Recovery and Climate Experiment (GRACE), carried out jointly by NASA and Deutsches Zentrum für Luft- und Raumfahrt (DLR, the German Aerospace Centre) is a case in point. GRACE satellites collect climate change data across the world, monitoring minute changes in groundwater levels. Information from GRACE is publicly available.
“Technologically there’s been a real advancement in the information available and in the science underpinning it. In particular the information available on climate change is developing all the time,” says Allan.
Indeed, climate change looks set to become one of the biggest environmental risks to corporates in the near future. Statistics from Maplecroft suggest that by 2025, 31% of world economic output will come from countries that are considered a high or extreme climate change risk – that is 50% greater than the current output of such countries. Maplecroft publishes a climate change vulnerability index every year, ranking countries and cities according to their resilience to climate change risk. Companies operating in Asian growth economies in particular are set to face rising environmental risks over the coming decades, with Dhaka in Bangladesh, Mumbai and Kolkata in India, Manila in the Philippines, and Bangkok in Thailand ranked as the most at-risk cities in the 2014 ratings. Bangladesh was ranked as the most at-risk country.
The index is based not just on physical exposure to climate change, such as changes in temperature and precipitation, but also on vulnerability, including population sensitivity and the ability of countries to adapt to the impacts of climate change. “A lot of the growth markets are highly vulnerable to climate change, because they’re more prone to extreme weather events than some western European and north American markets, but also because they sometimes lack the same level of socio-economic resiliency to manage those impacts,” says Allan.
Though not in the top ten, Pakistan and Vietnam are considered at extreme risk to climate change, and Indonesia, Thailand, Kenya and China are considered at high risk. India was also highlighted in the 2014 study as vulnerable to climate change events. Maplecroft drew particular attention to Cyclone Phailin, which caused $4.15 billion of damage and wiped out key infrastructure in the country’s key mining region.
The United States on the other hand, though still subject to natural risks, is considered less vulnerable. In the 2013 rankings, New York was ranked 41 out of 50 cities in terms of its vulnerability to environmental risk and was considered medium risk – Maplecroft cited the city’s ability to cope with Superstorm Sandy in October 2012 as proof of this.
The Chinese cities of Shenzhen, Guangzhou, Dongguan and Foshan, the last three of which are located in the Pearl River Delta – the core of China’s manufacturing heartland – are said to be among the most exposed to physical risks from extreme climate-related events in the 2014 rankings. The inclusion of these cities may well be of concern to companies that use China as a manufacturing base. London and Paris were the only cities considered as low risk in the 2014 rankings.
Democratic Republic of the Congo
Manila (The Philippines)
As environmental risk becomes more of a strategic issue, corporates need to size up the threats they face. Even those operating in territories considered relatively low risk could be up against what are sometimes called ‘unknown unknowns’. To assess the risks, there are several steps corporates can take:
– what are the biggest threats? Which natural hazards and environmental risks could hit your region? These risks include floods, mudflows, droughts, mass movements, avalanches, forest fires, earthquakes and tsunamis, volcanoes, air pollution and water pollution.
– this is often in the form of insurance. Derivatives can also be useful in hedging against certain weather risks, and in some extreme cases catastrophe bonds may be an option. Corporates can also speak to the national meteorological agency in their country and familiarise themselves with the latest data collection technology.
– corporates also have obligations in terms of their impact on the environment. In China, for example, the Ministry of Environmental Protection (MEP) and the China Insurance Regulatory Commission (CIRC) require compulsory purchase of pollution liability insurance by companies with high environmental risks.