Operational risk management in banks

Banks lose these days more money out of operational lapses or failures than credit losses. It seems that clients, more importantly fraud stars and ill-motivated employees, run faster than the bank executives. Technology is deemed to be protecting the banks' interests, but at the same time it is being misused to take out money illegally or illegitimately from the banks' coffer. Global banks are, therefore, putting extraordinary focus on operational excellence, more precisely to put up a system, process and platform to make sure the clients and shareholders' money is safe with them and there is no slur on the banks name due to weak operational standards.
There are different kinds of risks in banking operations. Types of risks and their mitigants are discussed below:
Operational risk is usually defined as the risk of loss resulting from inadequate or failed internal processes, people and system, or from external events. Operational risk arises from potential disruptions of business processes associated with the delivery of products or services to the customers.
The Sources of Operational Risk are: i) poorly designed and supervised work flows, ii) inadequate processes, iii) facilities and equipment to support work volume and complexity, iv) manual processing of high volume transactions, v) inadequate continuity of business plan, vi) inadequate quality assurance process, vii) failure of payment systems (e.g., clearing house, exchange, depository, etc.), and viii) excessive dependency on vendor / outsourcing agency.
The control and mitigating factors of operational risks are: i) stable, well-integrated operating process, ii) effective internal control, iii) maker/checker controls, iv) adequate processes, facilities and equipment aligned with business strategy and work volume and complexity, v) independent reconciliation, vi) robust quality assurance programme and vii) strong customer complaint resolution process.
Strategic risk arises from potential adverse effect of high-level business decisions or the ineffective implementation of those decisions and from how well management identifies and addresses external factors that affect the strategic direction of the business.
THE SOURCES OF STRATEGIC RISK: i) lack of clearly defined business strategy and/or risk appetite, ii) the target market that is ambiguous, high risk or inconsistent with the business strategy or operating environment, iii) product mix is inconsistent with strategy, economic/competitive environment or business present or future resources and capabilities, iv) non-adherence to product programmes, business policies or procedures could be another source of strategic risk, and v) shifts in major markets or customer preferences.
CONTROL/MITIGATION FACTORS OF STRATEGIC RISK ARE: i) clear, well-documented business strategy, products and target market consistent with strategy, ii) strong awareness and commitment to risk management at every level, iii) well-coordinated, multi-layered management/supervision, iv) independent risk and capital market approval committees, and v) business strategy review (budget versus actual), scenario planning and stress testing and track record of timely and effective corrective action.
Compliance risk arises from violations of or failure to conform with laws, regulations or prescribed practices, and from ambiguous or untested laws or rules governing certain products or client activities.
SOURCES OF LEGAL/COMPLIANCE RISK ARE: i) inadequate monitoring, ii) large number of deals requiring exception approval, iii) activities requiring special disclosure, iv) fiduciary relationship and trust obligation, v) confidentiality obligation/firewalls, vi) shift in legal/regulatory climate, and v) potential for conflict of interest and suitability/appropriateness of products.
CONTROLS AND MITIGATING FACTORS OF LEGAL/COMPLIANCE RISK CAN BE: i) proper understanding of legal/regulatory issues, ii) rigorous compliance monitoring, iii) thorough documentation, iv) supervisory reviews and sound anti-money laundering (AML) programme and v) clear policies governing the crossing of firewalls.
Financial reporting risk arises from non-compliance with the accounting policies or reporting requirements of regulators, tax authorities and MIS (management information system).
THE SOURCES OF FINANCIAL REPORTING RISK  ARE: i) unclear accounting policies and procedures, ii) misapplication of accounting policies, iii) history of material errors, iv) inadequate loss provisions or reserves, v) failure to reconcile accounts and vi) non-compliance with established procedures.
CONTROL AND MITIGATION FACTORS FOR FINANCIAL REPORTING RISK ARE: i) clear, well-documented accounting policies, ii) strong MIS and management review process, iii) solid independent proof and verification process, iv) strong knowledge of internal and external reporting and v) regular review and approval of accounting adjustments
Credit risk arises from the failure of a borrower, counterparty or issuer to honour its obligations on time and in full as agreed or contracted, resulting in a financial loss to the company.
THE SOURCES OF CREDIT RISK ARE: i) unclear or inconsistent portfolio strategy, ii) reliance of inaccurate information, iii) improper risk rating or classification, iv) excessive concentration, v) inadequate collateral and vi) rapid growth in new business.
THE CONTROL AND MITIGATION OF CREDIT RISK FROM OPERATIONS PERSPECTIVE ARE: i) consistent products and target market, ii) clear and appropriate risk acceptance criteria, iii) appropriate debt rating models, iv) rigorous monitoring of portfolio performance, and v)  timely and effective response to changes.
Market risk arises from changes in financial market conditions, including interest rates, liquidity, pricing and exchange rates that may cause the business to be unable to meet its obligations or to sustain a financial loss.
THE SOURCES OF MARKET RISK ARE: i) complex structured transactions, ii) highly leveraged positions, iii) large open positions, iv) aggressive trading practice, v) reliance on models, vi) potential for market manipulation and vii) limited funding sources.
Controls and mitigating factors of Market risk from operations perspective could be: i) daily monitoring and reporting of market risk limits, ii) clear position limits consistent with adequate risk diversification, iii) integration of market risk monitoring with other risk management discipline and iv) solid capitalisation and diverse sources of funding.
SYSTEMS AND TECHNOLOGY RISK ARISES FROM: i) inadequate or poorly controlled systems and software applications, and ii) deficient computer equipment and/or programmes may interfere with or reduce the efficiency of automated processes, resulting in service disruptions, privacy violations, inappropriate decisions, excessive operating costs or fraud.
THE SOURCES OF SYSTEMS AND  TECHNOLOGICAL RISK ARE: i) inconsistent system strategy, platform, architecture or applications with business plan, ii) inadequate system capability/functionality, iii) complex operating and database management, iv) weak project management, v) weak capacity planning or performance management, vi) inadequate change management and vii) inadequate testing, backup planning or problem/event management.
THE CONTROL AND MITIGATING FACTORS:  i) stable, well-integrated systems, equipment and application consistent with business strategy, ii) straightforward, well-designed, efficient system architecture, iii) low level of customisation or reliance on interfaces/networks and iv) strong project management.
A few operational risk and control measures in major operation areas are discussed below:
OPERATIONS RISK IN TRADE SERVICES:
1. Signature verification on all relevant documents. Signature must be cross checked with latest board resolution and signature cards.
2. All one time documents must be valid/renewed. IRC (import registration certificate), ERC (export registration certificate), VAT (value added tax) certificate, TIN certificate, membership of trade body, commencement certificate, RJSC (registrar of joint stock companies) certificate, etc. must be valid.
3. Compliance with Import/Export policy must be ensured.
4. Compliance with Bangladesh Bank Guideline for Foreign Exchange Transaction must be complied.
5. Credit limit availability must be checked before processing any transaction.
6. Credit report must be obtained before opening letter of credit (LC).
7. Price of goods must be cross verified to avoid over/under invoicing
8. Utmost care must be ensured while checking document.
9. Insurance premium payment must be ensured before opening LC.
10. Document discrepancy must be sent to the applicant within approved time limit.
11. Payment must be done on time.
12. All trade settlement must be reconciled with the respective nostro statement on time.
13. Discrepancies must be notified to the negotiating bank within the given time.
OPERATION RISKS IN REMITTANCE:
1. Purpose of the outward remittance must be approved.
2.    Amount of remittance must comply with Transaction Profile (TP).
3.    Necessary tax payment at the time of dividend/technical/air fare/profit remittance must be ensured before remitting the money.
4. Fund availability must be ensured before executing the remittance.
5. Remittance must be done for the account holders only.
6. Purpose of inward remittance must be checked before delivery
7. Beneficiary identification must be done against photo ID approved by government or government agencies before delivering money.
8. Reporting to central bank must be done on time with the relevant forms.
9. Timely notification to treasury must be done so that positions are updated properly.
10. Inward remittance must not be processed before sitting the fund in Nostro account.
OPERATIONS RISKS IN ACCOUNT OPENING:
1. Account opening form must be filled in properly.
2. Signatures in all the forms must match with the signature card.
3. Authorised signatory must be approved by the Board resolution and MOA.
4. MOA must be authenticated by the RJSC.
5. TP must be filled in properly.
6. KYC (know your client) must be done by the respective RM (relationship manager).
7.    Signature capture in system must be done carefully against their signing limit.
8. Necessary documents as per checklist must be obtained.
9. Address changes and other changes must be done in system on time.
10. Changes in signatory list must be done carefully and timely.
OPERATIONS RISKS IN LOAN DOCUMENTATION:
1. One-time loan documents must be checked at a certain interval and renewed after every three years.
2. Loan documents must be obtained on legally vetted format.
3. All documents must be reviewed annually.
4. Documents must be signature verified against the board resolution.
5. Documents must be kept under safe custody in the fore proof cabinet under dual control.
6. Document movement must be recorded in safe in and safe out register properly.
7. Reconciliation of document against the outstanding customer list must be done annually.
8. Loan outstanding amount must be reconciled with loan document amount to safeguard the legal interest of the bank.
9. Any change in the loan document must be validated by the legal adviser of the bank.
10. Security document for hypothecation, mortgage, and syndication, etc. must be checked carefully.
OPERATIONS RISKS IN TREASURY OPERATIONS:
1. Deal must be approved through the product programme.
2. Dealer must have authority before booking any deal. Check dealer limit before processing the deal.
3. Dealer memo must be valid and renewed annually.
4. Deal must be confirmed with the counter party confirmation.
5. Confirmation must be sent to the counter-party on the transaction day.
6. Counter-party signature on deal confirmation must be verified against dealing mandate/signature booklet.
7. Signature booklet must be current.
8. Number of deal booked during the day must be reconciled before day end.
9. Local currency payment must be reconciled well before the central bank cut off time.
10. All check collection must be reconciled and ensure before leaving the counter of central bank.
11. Deal maturity must be reconciled at the beginning of the day.
12. Payment release against the matured deal must be reconciled during day end.
13. All payment messages must have maker checker control.
14. Payment over nostro account must be reconciled as soon as the statement is received.
15. Any delay in settlement must be informed to the head of treasury.
16. Limit availability must be ensured before processing the deal.
17. Regulatory reporting must be done on time.
18. Daily checking must be done to ensure the maintenance of CRR (cash reserve ratio) balance.
19. SSI (standard settlement instruction) must be reviewed periodically and ensure latest version maintenance in the system.
20.    All modification at operations level must be maker checker controlled.
OPERATIONS RISK IN CLEARING:
1. Log must be maintained for received cheques.
2. All cheques received must be checked through UV (ultra-violet) detector to avoid any alteration on the cheques.
3. Reconciliation of outgoing cheques must be ensured before sending the file to central bank.
4. Inward cheques must be scrutinised carefully to avoid alteration/forgery.
5. Signature verification must be done before authorising any payment through inward clearing.
6. All cheques received for outward clearing must be placed to central bank on time.
7. Availability of fund against the received cheques must be done carefully
8. Return of cheques must be ensured before central bank cut-off time.
9. Positive pay confirmation must be done as per central bank guideline.
10. System monitoring must be done for successful sending and receiving of BACH (Bangladesh automated clearing house) files.
11. Maintain register for all outward clearing cheque.
12. Ensure cheque details are correct while receiving.
13. Ensure beneficiary details and account number is correct on the deposit slip.
14. Ensure cheques are signed and properly dated.
15. Reconcile total number and amount of cheque before sending the file for clearing.
16. Establish threshold for call back.
17. Call back must be done by independent person from recorded phone.
 It has been always said that, prevention is better than cure. It is always better to build a robust risk management culture in the banks and financial institutions, as these primarily deal with depositors' money and work as a catalyst for building confidence in the economic or financial value chain. We, therefore, need highest attention and commitment from the highest authority in this regard. By all means, we should try to avoid surprises in banking transaction through building a strong operational procedure in banks and financial institutions.
Mamun Rashid is the chairman of ICC Bangladesh standing committee on banking techniques and practices. mrashid1961@gmail.com