Posts

Don’t Forget To Manage Operational Risk

A major issue in the financial industry is that institutions maintain a narrow scope for their operational risk management programs, which results in miscommunication and gaps in the process. In the past, the biggest focus of operational risk management was on business continuity, which became a job task for one particular employee. As the marketplace evolved, vendor management regulations became more prevalent and another person was given the responsibility of maintaining the vendors.

More recently, incident response regulations increased due to an escalation of cybersecurity threats, resulting in another person taking on the task of maintaining incident response. Instead of consolidating all operational risk management tasks and looking at them as a bigger picture, the different areas of risk were delegated among a large span of people. Because of this, people don’t communicate and products don’t communicate with each other. As a result, these individuals rarely maintain a large focus on these operational risk management tasks, and when they do, they focus only on a small aspect of the larger picture.

Another issue in the financial industry is that operational risk management is often overlooked if the institution isn’t under an auditor’s microscope. The approach to operational risk management is reactive and defensive rather than proactive and on the offensive with auditors and regulations. Institutions look for systems after it is too late, and they don’t have the resources to devote someone entirely to managing all areas of risk. They often panic and purchase one system covering a small part of the bigger problem. They devote the time and money to the system and then never use it to its full capabilities. The minimal amount of information entered is just good enough to get that check mark from the auditor, but it will leave them scrambling when an actual event occurs because the process is inefficient.

RemoteComply is the solution for these industry frustrations. Our suite allows the financial industry to easily manage all areas of operational risk management under one platform. Instead of spreading the job tasks across departments, the suite allows complete communication throughout the risk management process. The suite will put institutions ahead of the game due to best practices and complete compliance built into the system. RemoteComply is cost-effective and will eliminate the need to delegate different job tasks based on each area of operational risk management. These functionalities save valuable time and resources.


Pressure To Consolidate Operational Risk Management

By law, every financial institution in the United States is required to have efficient strategic plans to prepare for business continuity, third-party management, and incident response. Traditionally, financial institutions tend to push these operational risk management tasks aside to allocate more time to return-on-investment tasks. Resources are valuable and it is often difficult to justify investing them in something that isn’t needed every day. Because of this, financial institutions often throw operational risk management in as another job task on the already long list of duties of one busy employee. As a result, business continuity plans, third-party risk management, and incident responses were recorded manually and left in a binder on the shelf to be forgotten. This binder may have been sufficient for regulators five years ago, but today financial institutions could be in jeopardy of fines, penalties, or default.

Some institutions have prepared for this challenge by investing in nominal automated systems that make them look good for the regulators but are basically serving the same purpose as the binder. The information was put into the system at one point and remains sitting there as something to satisfy the auditors. The systems that are currently on the market are clunky, hard to use, difficult to maintain, and too expensive to justify, which leads institutions to revert to their manual process. Some financial institutions invest in several different systems from different vendors, resulting in further complications. The problem leads back to the lack of resources to maintain the systems for their fully intended functionality.

Within the past 15 years, worldwide events have scared institutions into investing a greater focus into operational risk management. In 2001 the World Trade Center was attacked and in 2005 Hurricane Katrina devastated the entire southern region. More recently, terrorist attacks are occurring all over the world and cybersecurity threats are at an all-time high. Regulators are taking notice and are more vicious than ever. These institutions might have a plan or process that they can reference but will likely be insufficient when a disaster strikes in their back yard. These occurrences have left us wondering why financial institutions to this day still do not have sufficient systems to minimize these risks.

To alleviate the frustrations associated with maintaining an effective operational risk management program, we recommend consolidating your risk management needs into an all-in-one web-based suite. A single solution for business continuity planning, vendor management, incident response, and alert notification will effectively and efficiently resolve the issues associated with maintaining operational risk management tasks. A suite with one centralized area to easily update and maintain all operational risk management criteria will satisfy the regulators and effectively prepare your IT and compliance personnel for any inevitable disruptions.

Operational Stone Soup

In the fable Stone Soup, a destitute woman makes a meal for her children by putting water and a stone in a pot over the fire. As people come by and see her stirring the contents of the pot, they ask what she is cooking and each time she tells them she is making stone soup. Upon hearing this the person inquiring is amazed at the idea of making soup from a stone and offers her a carrot or other item that they have available. This continues until she actually has a soup of sorts. While the story’s moral is the value of joint cooperation in achieving a desired result, no one ever says whether all of these individual add-ins actually make the soup taste good. More than likely the results have a horrid taste and do no one any good.

Operational Risk in this industry is just like stone soup. There are lots of people passing by with no knowledge about Operational Risk or what it takes to make it good, but they are willing to throw in whatever they have available and call it good Operational Risk. Unfortunately for us instead of something good, we have a mess that even the CFPB won’t swallow.

Why is that? When this concept first arrived on the scene as a result of Basel II standards, most people paid little attention to it until 9/11. Then suddenly business continuity was the name of the game. From this perspective, implementing Operational Risk was making sure that your business could continue if any disaster befell the organization. Numerous consultants made millions of dollars telling people how to prioritize their processes and make sure they had back-ups to the system. Then the whole idea seemed to hibernate as the wild and crazy years of housing and mortgage lending took hold. Once the industry fell apart, like Humpty Dumpty, the operational risk “experts” tried to put it back together again by helping people find the “holes” in their operations. None of these efforts created the focus on a sustainable Operational Risk Management program that is critical for today’s mortgage company.

So what really is operational risk? Operational risk is the risk of loss from inadequate or failed processes, people and/or systems as well as losses due to external events. The losses can be direct, such as selling a loan at a loss due to unacceptable underwriting, or they can be indirect, such as failing to get waivers on agency guidelines due to poor loan performance. The most important idea to remember about this risk is that it can be managed.

In order to effectively manage this risk, it is helpful to break it into three distinct areas. Global operational risk impacts the organization as a whole and includes such catastrophic events as total system failures or regulatory sanctions. The second area of focus is the operational risk focused on the actual product or service provided. Operational issues here are those that relate directly to the revenue stream such as dissatisfied consumers or investors, excessive costs, inefficiencies and unacceptable products as well as the direct regulatory issues such as TRID and QRM. Finally there should be an area of focus on ancillary and/or support issues. Among these are such items as indirect costs, inadequate and/or dissatisfied staff, inadequate technology, inadequate financial controls and regulatory issues such as Fair Lending. From this list it is easy to understand how the entire operation can be creating risk, impacting results and lowering profits if not effectively managed.

Another way to envision this risk is by looking at what affects the risks we currently focus on: credit risk, interest rate risk and market risk. Each and every one of these risks is dependent on processes, people and some type of technology to form an operational system. Therefore operational failures associated with any of these known risks can become catastrophic for an individual lender.

So how does an organization manage these risks? As expected, it starts at the top. Executive management has the responsibility of putting the risk management process in place. This can be accomplished by assigning a specific individual or by taking on the responsibility themselves. Unfortunately, all too often management makes the assignment and, unless some disaster befalls the organization, tends to focus on other business issues. Instead, senior management should approve the specific tools and methods for managing this risk and be updated on a regular basis, preferably monthly, on the level of these risks. It is also senior management’s responsibility to make decisions on what risks are acceptable and how they should be managed. For example, if the production staff wishes to change processes and is not sure that the new procedure is acceptable from an agency or regulator perspective, management has to evaluate the risks associated with this and make a decision as to whether to offer the product. A recent example of the cost of failing to consider these risks is the case of the penalties and fines paid by a company for an unacceptable loan officer compensation plan. Management evaluated the program and got legal advice before implementing it but failed to account for the risk that the CFPB would find it unacceptable. It ended up costing the company $20M.

The second level of an operational risk program consists of the risk controls (typically credit policy, process design and technology programs), assessments, monitoring and reporting. This is by far the lynchpin of the program because the design (or control) specifies how things are to be done and the assessment and monitoring evaluate whether the product/service expected is what is actually being produced. Without knowing whether or not the people, processes or systems are functioning properly, there can be no effective decision making by senior management. Yet in the majority of companies today, this function is either not in place, inadequately financed or outsourced to companies that are focused on their own efficiencies and not the risks of any particular company.

The most common of these monitoring programs is known as Quality Control. Overwhelmingly this function is based on Fannie Mae, Freddie Mac and FHA requirements. Unfortunately their requirements are based on their risks and not on each individual company’s risk. As a result this vital function does not address the operational risks that the company has designed into its programs and processes. This is evidenced by the sampling programs, which are not based on validating whether the process is working properly but on criteria that are believed to be “risks” by the agencies.

A second issue with the programs as they exist today is the failure to have them grounded in the actual risk faced by organizations: that of unacceptable performance. The recent requirement by these agencies calls for classifying variances in the process at a specific risk level. This has been done without any validation that these issues are related in any way to expected poor performance. If the senior staff and risk management executives want to effectively measure and monitor their operational risk, the program needs to be developed internally and focus on how effectively their operations are producing the products and/or services they have specified.

Reporting is also the responsibility of this level of Operational Risk. Once again, the monitoring process for each risk identified collects the data on the functioning of the process. Each company should ensure that the method for collecting this data actually reflects the risk. For example, there are many Quality Control questionnaires that ask numerous questions on the closing that are actually covered by the insured protection letters, so there is little, if any, risk. So why spend time and money evaluating these processes?

Once the data is collected it must be analyzed to determine if the process, including the people and the technology, is performing as expected. One thing that must be isolated is the random variance that occurs in any process. Any report must show that the variances that occur are not random and have a high probability of causing loss to the company. When this occurs it is management’s responsibility to address that risk. Addressing the risk does not necessarily mean making changes to the process, but instead may result in deciding to accept the risk or to insure over it in some way. Making changes on issues that are random or ones that do not expose the company to operational risk losses is inefficient and costly.

The final level of an Operational Risk Management program is the design of the process and the company culture in which the processes reside. For way too long management has seen the primary risk of the company as a failure to originate a sufficient number of loans. All else was delegated to a back-end correction process. In other words, enough volume will cover any risk. As we have seen this philosophy does not always work as expected. Therefore it is critical to ensure that the processes, people and technology are in sync and the focus is on producing and/or servicing loans that are in conformance with the company’s expectations.

Of course, just like any effective risk management program, it requires expertise and experience. When looking to implement an operational risk program, organizations should seek out individuals who are trained to work in this area and have experience in building such an operation.

The operational risk management program is designed to provide the organization with a comprehensive look at how it is functioning. As such it can identify where processes are failing and prevent mistakes that can cost the company amounts far in excess of the program cost.
