Operational and Cyber Risks in the Financial Sector | BIS

Starling Team
According to a new Bank for International Settlements (BIS) paper on operational risks (OpRisk) in the banking sector, major global banks take an average of 251 days to discover the occurrence of operational loss events.  The study uses data from 700,000 operational loss events that took place between 2002 and 2017.  The data came from ORX, a consortium of financial institutions that helps its members benchmark their operational risk management models.

The BIS study also shows that the average time between the occurrence of an OpRisk event and the recognition of the related losses is 435 days. Cyber-related losses represent a small portion of OpRisk losses, though cyber value-at-risk (VaR) can account for up to 33% of total operational VaR in banks' risk models.

Notably, after studying OpRisk losses among 74 large global banks, the authors of the BIS paper find that, "Internal fraud events and failures as a result of negligence or improper business practices are less likely to be discovered than other events."  Indeed, the paper reports that it takes an average of 448 days before internal fraud events are recognized and responded to as such, and 827 days in the case of improper business practices.  Perhaps unsurprisingly, the BIS paper also finds that better supervision is associated with lower OpRisk losses.

This finding will support arguments in favor of closer scrutiny of non-financial risk by bank regulators, and supervisory activities aimed at culture and conduct related risks. Firms wishing to avoid punitive enforcement actions should work to ensure that the speed at which they are able to identify and mitigate such risks exceeds that of their regulators.


Boeing Culture and Conduct Management

Starling Team

While misconduct scandals in the banking sector have tended to grab the headlines over much of the last year, the challenge of managing culture and conduct risk cuts across all industry sectors and, when the relevant risk governance processes fail, it can have devastating impacts on customers, reputation, and shareholder value. 

Consider Boeing, which has been reeling in response to breakdowns in safety oversight related to its 737 MAX aircraft.  What began as an isolated breakdown in product testing appears to have expanded to include fundamental questions about Boeing’s culture, and the degree to which it led to deeply harmful behavior.

A pair of articles in the Wall Street Journal recently described the challenges Boeing faces in restoring trust even as reports surfaced regarding the content of emails and chat exchanges among contractors and mid-level employees that criticized or even mocked Boeing’s lax safety standards.  The WSJ reports that a number of the senior executives who oversaw departments in which those communications took place have been disciplined or removed from their positions.

Awareness in the leadership ranks as to whether or not misconduct is taking place "is not an excuse if it is happening," said newly installed Boeing CEO David Calhoun, shortly after taking the helm.  "Disciplinary actions have to be taken."  Culture and conduct risk management will no doubt be a focus among senior executives at Boeing for the foreseeable future, reflecting trends across many industries towards elevated expectations in this regard.

Bank regulators across the globe have turned towards executive accountability regimes in an effort to promote closer attention to culture and conduct risk management.  US regulators have not followed in this trend.  But, it is worth noting, some of the most significant individual penalties ever seen were imposed by US regulators recently, against former Wells Fargo bank executives who did not live up to current expectations for culture and conduct risk management.

Regulators have made clear that the expected standard for executives does not turn on whether they knew misconduct had taken place, but rather on whether they ought to have known.  Boeing's recent disciplinary actions suggest that it has recognized this trend and is embracing the approach as the new normal.  We expect others will soon follow.


COSO Warns of the Downside of Siloing Risk Managers | The Wall Street Journal

Starling Team

If an organization called “the Committee of Sponsoring Organizations of the Treadway Commission” fails to get the heart racing, you’re perhaps to be forgiven.  

But if you are an enterprise risk manager, "COSO" (as the body is mercifully abbreviated) is an organization to watch.  A joint initiative of five prominent bodies from the accounting field, COSO develops frameworks and guidance on enterprise risk management (ERM), internal controls and fraud deterrence.

At a time when firms in just about every sector are increasingly concerned with enterprise-wide risk — and individual executive accountability when risk management failures appear and result in harm to customers, shareholders, and others — COSO’s just-released report, “Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management,” may be something of a sleeper-hit.

Issued earlier this month, COSO's new guidance appears aimed at risk managers who are looking to make theirs a value-creating role, rather than a mere cost center that must be tolerated.  "The goal is to develop a momentum for ERM to expand and deepen the organization's strategy-setting, performance, and risk-management processes in pursuit of creating and protecting value," said COSO Chairman Paul Sobel.

A clear lesson learned during the evolution of the ERM function in recent years is that risk-related management activities "must be integrated into the organization's culture and core strategy-setting," the report notes.  Further, integration of ERM into the heart of core business processes is important to avoid the misconception that ERM is "just a separate compliance or regulatory driven staff function."

COSO's new guidance highlights the important role of the board in ensuring that enterprise risk management is up to snuff, and positioned to be a value-creator for a firm.  "It is up to the board of directors and management to define the desired culture of the entity as a whole and of the individuals within it," the report notes.  With institutional investors attending ever more closely to "ESG" concerns, COSO's advice should be heeded by boards wishing to satisfy them on governance questions.

COSO is correct: effective ERM is about far more than mere compliance, and nowhere is this more evident than in the misconduct scandals that have rocked firms as diverse as Boeing, Commonwealth Bank of Australia, and KPMG, among many others.  Boards should take note, and maybe give the COSO guidelines a read.


APRA regulated entities to lift Governance, Culture, Remuneration and Accountability | KPMG

Starling Team

The Australian Prudential Regulation Authority (APRA) has set out its policy and supervision priorities for the next 12 to 18 months.  The regulator lists “transforming” governance, culture, remuneration and accountability (GCRA) across all APRA-regulated institutions as a core focus.  


Initiatives that aim to drive improvements in GCRA are listed as "key cross-industry policy priorities for 2020," and include updating APRA's prudential standards on governance and risk management.  APRA also notes that it will be conducting a range of GCRA-related supervisory reviews and "deep dives," and that it will require supervised entities to conduct "self-assessments" in order to drive greater accountability.


“APRA is reviewing its governance and risk management standards to ensure that these remain fit for purpose,” the APRA report indicates. “Areas for review will include the clarity of board and senior management roles and expectations, the effectiveness of board obligations in relation to risk culture, the relative emphasis on financial and non-financial risks, and the clear need to strengthen the requirements in relation to compliance and audit functions.”


A related report from KPMG in Sydney argues that Australian financial institutions must work to design and conduct effective internal culture assessments, identify appropriate "culture indicators," and develop reliable metrics through the use of data technologies.


An independent "Capability Review" conducted last summer criticized APRA harshly for a perceived failure to give adequate attention to GCRA matters.  "APRA appears to have developed a culture that is unwilling to challenge itself, slow to respond and tentative in addressing issues that do not entail traditional financial risks," the review said.  News reports at the time indicated that APRA's own "culture team" struggled to gain traction internally.  "We are good with the old school stuff, but not good with challenges like culture and governance," an APRA employee reportedly told the review panel.


Regtech Market Could Become an Australian ‘High-Tech Fossil’ | Financial Review

Starling Team

As the Australian Senate Select Committee on Financial Technology and Regulatory Technology continues to process comments in response to its issues paper, a number of themes are emerging that align very closely with Starling's own views.  In particular, commenters have observed that regulators themselves may inadvertently be contributing to many of the challenges startups face.

A recent article in the Australian Financial Review referenced one of these submissions to describe several ways in which the regulatory environment was felt to have delayed adoption of technologies which, ironically, might well provide greater safety for consumers than do current approaches.  Shifting regulatory positions introduce uncertainty, and bank risk managers lack assurance that regulators will not penalize banks that experiment with new technologies.  This discourages trialing of RegTech tools.

In the aftermath of the Hayne Commission, Australian regulators and firms alike face greater scrutiny regarding their practices.  Both also have an opportunity to reframe their role in society and to help promote trust across a greatly tarnished industry.

RegTech firms have emerged specifically to engage with these challenges.  And many RegTech firms have already demonstrated an ability to produce change for the better, to the benefit of customers and other stakeholders, as well as of the boards and C-suite management of the firms we seek to serve.

But, as we argue in our own submission to the Senate Select Committee, our industry will struggle to deliver on its full potential without collaborative engagement with regulators who actively seek to promote RegTech innovation and who work directly to encourage RegTech trials and adoption among the financial institutions they oversee.

We look forward to continuing to actively engage in this process in the coming months.
