PHL: Enhance Operational Risk Management

In July 21 news, the value of shares in the Philippines’ second-largest bank fell Friday after it was hit by fraud, which reports said may amount to nearly $50 million. The newspaper Philippine Daily Inquirer quoted unnamed bank officials as saying one of Metropolitan Bank and Trust Co.’s vice presidents has been arrested for diverting between 900 million and 2.5 billion pesos (between $7.7 and 49.3 million) in bank funds. Last month, a programmer’s error at Bank of the Philippine Islands (BPI), the oldest and 3rd largest, resulted in erroneous credits and debits for various customers, which even led to a Senate hearing. Prior to this, the largest bank, Banco de Oro (BDO), was accused by a city mayor of alleged tax fraud after the branch declared gross annual revenue of only Php 400K (US$8,163) in 2016, not even enough to pay the salary of a bank manager. In the 1st quarter of 2016, RCBC’s US$81 million Bangladesh Bank heist happened, in which funds hacked from the central bank of Bangladesh were remitted to RCBC, laundered in a casino, and partly withdrawn. There was a recovery, but the bank was slapped with a Php 1 Billion (US$20 Million) penalty.

While there is sufficient capitalization to absorb losses, the banks need to enhance their operational risk management. The four incidents are all operational risk, which is defined by the Basel II Committee as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Thus, improving the way they manage risk is a necessity.

More often, banks are highly focused on Credit Risk, the risk of non-payment and non-recovery of loans, and Market Risk, the risk due to changes in interest rates, foreign exchange, etc. While their corresponding management disciplines are aimed at protecting assets and the profit-taking activities, banks’ senior management must provide the same attention and resources to Operational Risk Management.

Oftentimes, banks think of Operational Risk Management as a cost. This could be because Operational Risk Management is implemented for mere regulatory compliance purposes. Banks’ senior management must be advised that Operational Risk Management (ORM) hastens, not slows down, business activities. The perspective that ORM is a cost, and more often a show stopper rather than a steerer towards profit, arises if the discipline is not being implemented properly.

What is good operational risk management?

To name a few among several tools and processes, good operational risk management means forward-looking risks are escalated and discussed in an open and transparent environment. More often, risk incidents are discussed after they have occurred and the damage, monetary or non-monetary, has been done. This is what is called reactive risk management. What is needed is proactive risk management. Escalation and discussion of forward-looking risk in a methodical manner is a tool necessary for anticipating and preventing risks.

Another is a Know-your-employee (KYE) program. Know-your-client (KYC) and Know-your-product (KYP) are important. Knowing your employee, not only during hiring but as they live and work in the bank, is far more important. It is not enough to know the employee upon hiring. It is a must to know the employees as their lives change. They spend more of their time in the office than at home. Any change will affect the way they do their tasks. Significant change in an employee’s behavior should be spotted before high-impact risk incidents occur. With an implementation fitted to the culture of the organization, a KYE program is a very dynamic risk management tool which can proactively address the risks rooted in personnel behavior.

Lastly, Information Technology and Risk Governance Frameworks must be dynamic. The Board of Directors of each institution has a designated committee for Information Technology as well as for Risk Management. Nevertheless, governance is sometimes exercised purely on a boardroom basis. Decisions are based on periodic information technology and risk management reports. The challenge is how often the members of the board of directors roll up their sleeves to meet the people who are actually doing the tasks. One may rationalize that this can be delegated to a unit, say a quality team or a 3rd party survey. Likewise, it may be construed as managing instead of oversight. However, it has always been more effective if the members of the Board of Directors Committee really know what they govern beyond reports and documents. The Board of Directors should know the intricacies of the products and processes and should be able to experience what their bank is offering to the public. Approval and notations by a committee member are not sufficient for governance. Committee members should be able to ask pointed questions, then grill and challenge the management. Management is often focused on day-to-day tasks and the full-year internal plan. Committee members could help by looking at the bank from the perspective of outsiders and at how the bank is prepared for the future of banking and technology and for worst-case scenarios.

Overall, effective Operational Risk Management is asking the right institution-specific and business-specific questions and implementing the right programs, which are tantamount to preventing risk and finding the right solution. It has been said by a 17th century thinker that a ship is not a ship if it remains in harbor. In a similar manner, a bank is not a bank if it does not take risk. However, given the technological changes where risk can arise at the click of a mouse, Philippine institutions must change their understanding and paradigm towards risk and controls and spend sufficient resources on Operational Risk Management.

Author(s)

Jorge Dioneda