In-depth Interview with Edward Sankey

Written by: Fleming. Team

1) What is the take by regulators around the world on RCSA after the 2007/08 financial crisis?

For your information, though you probably already know, there is an international regulatory body which looks after this area of risk management and financial resilience – the Basel Committee of the Bank of International Settlements, or the Basel Committee for short. There is also a Financial Stability Board (set up in 2009), which provides guidance in this area. After the financial crisis, the Basel Committee, along with national regulators, looked closely at the levels of quality in Operational Risk Management in banks. One of the general conclusions was that risk assessment was still not well developed in very many banks. While, of course, some banks were found to do it well, the large majority were found to be at elementary levels. It has been inferred from some observations by the Committee that some regulators have not been requiring high enough standards in operational risk management in the banks they supervise. This is generally due to the regulatory body not having a high and broad-based level of knowledge of the discipline required of an operational risk manager. As a consequence, when the banks look to the regulator for guidance about standards, this guidance may be very limited. In such cases where banks take their standards from the regulator, they are vulnerable to suddenly increased expectations by the regulator if it upgrades its knowledge and resources in operational risk management supervision. Banks need to use approaches and standards at the international level to ensure their operational risk management is truly effective and worthwhile, and to protect themselves against a rapid change in the regulator's requirements.

2) What are the strengths and weaknesses of the current RCSA implementation? In your opinion, where do you see the gap?

[I've listed some here in approximate order of importance – use as many as you like] While RCSA has been helpful in improving wide understanding of operational risks, implementations in firms still have had many weaknesses compared to Good Practice. For example, there is not enough use of loss event data, either from the bank's own experience or from external sources. In the absence of data, too little use is made of expert opinion, instead relying too much on line managers' views. Many firms do not have the confidence or knowledge to use quantitative modeling techniques. The course provides instruction to improve the use of loss event data. Poor data collection discipline leads to lack of confidence in the data and a reluctance to rely on it for risk assessments. The design of loss event databases and the consistent recording of loss events are covered in the course. The implementation of an RCSA frequently does not involve enough training and briefing of local staff and managers, affecting the quality of the Assessments. Some units and risks are not covered because of lack of confidence to undertake them. These RCSAs are too local in scope, and the full effects across the bank of a risk event are not recognized, leading to serious underestimation of the risks. Solutions to this will be presented in the course. Often no consideration is given to the potential extreme losses that can come from a risk. This leads to underestimation of the risk, and Stress Testing/Scenario Analysis work is weaker. The result is inadequate controls and response plans – a key part of risk management. The assessment of extreme events is an important part of this course. There is poor governance around RCSAs, particularly in regard to who is responsible for the management of the risk, monitoring the action plans to improve controls, and ensuring that reviews of the assessment are done frequently enough and to a high standard. The RCSA do not include identification of the risk indicators to monitor the risk. Poor use is made of the results of these RCSAs. In particular, little is done to use the assessment to compare the exposures and control performance of a risk in different locations, over the course of time, or with other banks through external databases.

3) What's the difference between quantitative and qualitative risk assessment? What is the best approach out of the two?

If a bank has been able to collect good quality data about the risk events they have experienced, and have access to external databases, they have the potential to use good statistical and other modeling techniques to assess the frequency and impact of the risks. Measuring interrelationships between risks is better, as is understanding the worst cases that can arise. These approaches are Quantitative Assessments and enable the highest quality of risk management. In the absence of such historical data, an operational risk team has to use other data such as expert opinions. Precision in the assessments is lost and rankings and categorizations have to be used. This is the qualitative approach. Although the qualitative approach is more approximate and the results are less verifiable, it can be a quicker method. The course will cover how to make the very important choice between the two approaches for different risks.

4) Can you share a case from your experience which shows the success of an effective RCSA program?

Success is in the completion of a set of good quality Assessments. Because risk management is about reducing the losses from unplanned and random events over the course of a few years, it is impossible to say after the completion of a program "Yes, there is improved profitability compared to if we had done nothing." You never know what might have happened and at what cost if you had not set out to improve your risk management. Before embarking on a RCSA program, the risk manager should identify the activities, risks and business units where he/she wants to see improved techniques, use of data, use of expert opinion and validation of the outcomes. Then, after the program, the risk manager should review the actual quality of the assessment process against those criteria. If RCSA is being implemented for the first time, it should be done according to a policy for how such assessments should be done, previously agreed with the Risk Committee and endorsed by the Board. This will set minimum standards for the performance of the Assessments. It needs to be introduced by a good training program for all Line 1 OR coordinators/managers/officers, and local management needs good briefings about the process. Then the results of the RCSA can be reviewed by the Operational Risk Director for the achievement of those standards, or the out-performance of them. That provides a measure of success. One particular measure of success is that the regulator is satisfied, but this is a minimum level of success.

5) Is it necessary for each bank to have its own RCSA program, or can an external consultant's services suffice for regulatory compliance?

The most important issue is accountability and management responsibility for the management of risks rather than technique. Effective risk management requires clear line management responsibility for the control of exposures. This includes the assessment of risks as well as the quality of control. When the RCSA program is done by local management with expertise from the central Risk Team, this clarifies risk ownership, accountability and responsibility. However, a consultant can provide valuable process design to a firm, as well as training, support and facilitation to a unit and the central Op Risk team, but ultimately the local manager must be required to take responsibility for the risk. A regulator's test is whether the firm's management understands the risk and its controls, and has taken responsibility for the assessment and risk management. This knowledge band accountability cannot be contracted out.

6) How does RCSA assess major exposures?

There are a number of means. Loss data on own events and from external databases provide the means for using statistical techniques for estimating severe exposures of identified risks. Monitoring major events from public sources should be used and expert opinions from outsiders are valuable. A combination of modeling techniques – which will be introduced in the course – and workshops produce valuable results.

Asia Finance

Risk and Control Assessment Masterclass for Financial Institutions: Quantitative and Qualitative Methods

Visit event website