PHL: Enhance Operational Risk Management
In July 21 news, the value of shares in the Philippines’ second-largest bank fell Friday after it was hit by fraud, which reports said may amount to nearly $50 million. The newspaper Philippine Daily Inquirer quoted unnamed bank officials as saying one of Metropolitan Bank and Trust Co.’s vice presidents has been arrested for diverting between 900 million and 2.5 billion pesos (between $7.7 and 49.3 million) in bank funds. Last month, a programmer’s error at Bank of the Philippine Islands (BPI), the oldest and 3rd largest, resulted in erroneous credits and debits to various customers, which even led to a Senate hearing. Prior to this, the largest bank, Banco de Oro (BDO), was accused by a city mayor of alleged tax fraud after the branch declared gross annual revenue of only Php 400K (US$8,163) in 2016, not even enough to pay the salary of a bank manager. In the 1st quarter of 2016, RCBC’s US$81 million Bangladesh Bank heist happened, in which funds hacked from the central bank of Bangladesh were remitted to RCBC, laundered in casinos, and some were withdrawn. There was a recovery, but the bank was slapped with a Php 1 Billion (US$20 Million) penalty.
While there is sufficient capitalization to absorb losses, the banks need to enhance their operational risk management. The four incidents are all operational risk, which is defined by the Basel II Committee as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Thus, improving the way they manage risk is a necessity.
More often, banks are highly focused on Credit Risk, the risk of non-payment and non-recovery of loans, and Market Risk, the risk due to changes in interest rates, foreign exchange, etc. While their corresponding management disciplines are aimed at protecting assets and the profit-taking activities, a bank’s senior management must provide the same attention and resources to Operational Risk Management.
Oftentimes, banks think of Operational Risk Management as a cost. This could be because Operational Risk Management is implemented for mere regulatory compliance purposes. A bank’s senior management must be advised that Operational Risk Management (ORM) hastens, not slows down, business activities. The perspective that ORM is a cost, and more often a show stopper rather than a steerer towards profit, arises if the discipline is not being implemented properly.
What is good operational risk management?
To name a few among several tools and processes, good operational risk management means forward-looking risks are escalated and discussed in an open and transparent environment. More often, risk incidents are discussed after they have occurred and the damage, monetary or non-monetary, has been done. This is what is called reactive risk management. What is needed is proactive risk management. Escalation and discussion of forward-looking risk in a methodical manner is a tool necessary for anticipating and preventing risks.
Another is a Know-your-employee (KYE) program. Knowing-your-client (KYC) and Knowing-your-product (KYP) are important. Knowing your employee, not only during hiring, but as they live and work in the bank, is far more important. It is not enough to know the employee upon hiring. It is a must to know the employees as their lives change. They spend more of their time in the office than at home. Any change will affect the way they do their tasks. Significant change in an employee’s behavior should be spotted before high-impact risk incidents occur. With an implementation fitted to the culture of the organization, a KYE program is a very dynamic risk management tool which can proactively address the risks rooted in personnel behavior.
Lastly, Information Technology and Risk Governance Frameworks must be dynamic. The Board of Directors of each institution has a designated committee for Information Technology as well as for Risk Management. Nevertheless, sometimes governance is purely on a boardroom basis only. Decisions are based on periodic information technology and risk management reports. The challenge is how often the board of directors roll up their sleeves to meet the people who are actually doing the tasks. One may rationalize that it can be delegated to a unit, say a quality team or a 3rd-party survey. Likewise, it may be construed as managing instead of oversight. However, it has always been more effective if the members of the Board of Directors Committee really know what they govern beyond reports and documents. The Board of Directors should know the intricacies of the products and processes and should be able to experience what their bank is offering to the public. Approval and notations by a committee member are not sufficient for governance. Committee members should be able to ask pointed questions, then grill and challenge the management. Management is often focused on day-to-day tasks and the full-year internal plan. Committee members could help by looking at the bank from the perspective of outsiders and at how the bank is prepared for the future of banking and technology and for worst-case scenarios.
Overall, effective Operational Risk Management is asking the right institution-specific and business-specific questions and implementing the right programs, which are tantamount to preventing risk and finding the right solution. It has been said by a 17th-century thinker that a ship is not a ship if it remains in harbor. In a similar manner, a bank is not a bank if it does not take risk. However, given the technological changes where risk can arise at the click of a mouse, the Philippine institutions must change their understanding and paradigm towards risk and controls and spend sufficient resources on Operational Risk Management.