These "Expected" external events the likes of Katrina and Rita have impacted about 280 financial institutions in the Gulf Coast of the U.S.. These institutions represented around $270B. in assets and many are now looking to the insurance industry for payouts on those policies that transfered some of their risks.
Looking into the crystal ball, let's consider the public testimony of Steven G. Elliott, Senior Vice Chairman Mellon Financial Corporation before the Subcommittee on Financial Institutions and Consumer Credit Committee on Financial Services - U.S. House of Representatives in 2004:
"Banks should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly recognize and rectify legitimate operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or transfer the risk to another business sector or area, or even create a new risk (e.g. legal or counterparty risk)."
"Investments in appropriate processing technology and information technology security are also important for risk mitigation. However, banks should be aware that increased automation could transform high-frequency, low-severity losses into low-frequency, high-severity losses. The latter may be associated with loss or extended disruption of services caused by internal factors or by factors beyond the bank’s immediate control (e.g., external events). Such problems may cause serious difficulties for banks and could jeopardize an institution’s ability to conduct key business activities."
While overall the Fed and the institutions resilience is to be commended compared with other major critical infrastructures such as the Energy sector, we still have a long way to go with contingency planning. The regulators and insurance industry is looking at Business Crisis and Continuity Management with a new found diligence especially with the institutions outsourcing and supply chain partners.
Outsourcing of activities can reduce the institution’s risk profile by transferring activities to others with greater expertise and scale to manage the risks associated with specialized business activities. However, a bank’s use of third parties does not diminish the responsibility of management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. Outsourcing arrangements should be based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing bank. Furthermore, banks need to manage residual risks associated with outsourcing arrangements, including disruption of services.
Beyond the impact of Katrina, talking and listening to the OCC, FDIC and the Federal Reserve this week at the Risk Management Association (RMA) Annual Conference in Washington, DC produced some additional views and questions in the operational risk crystal ball:
1. Regulators are reinforcing the need for a comprehensive risk framework.
2. Does the amount of capital that I hold support the risks that we are engaged in?
3. Does our institution have excess capital?
4. How do I differentiate our risks by industry or geography to address concentrations and impact from cycles?
5. How do I integrate risk management into the Strategic Planning Process to make sure the methodology is understood and objectives are being communicated from the Board?
There must be the development of new risk management models that allow for the addition of new risk events and the elimination of those factors that may no longer be relevant.