The losses in investment banking-related activities are becoming more frequent and the price of risk higher. Penny Cagan, managing director of Algorithmics that runs the First database of major historical events, notes that the US financial community ‘went through the whole of the 1990s with only a handful of losses greater than a billion dollars. We now have over 100. A billion dollar event isn’t even that unusual any more. And a large percentage of them tend to be investment-banking related.’

This is the context for the arrival of  operational risk on the Basel II agenda. That, combined with Sarbanes Oxley, Patriot, Turnbull, COSO, and a host of other legislative, legal,  and third party requirements is changing the operational risk environment in investment banks. JP Morgan’s managing director Veronique Weilll, says, ‘When you have to meet so many accounting and legislative obligations across the globe that are constantly changing, the regulatory and compliance environment for a vast organisation is very dynamic and challenging,’

Landmark events that have put investment banks on notice in the last five years include the big Wall Street settlement and WorldCom and Enron underwriting events. Cagan, ‘What’s acceptable market practice has changed. The way you did business yesterday is no longer satisfactory today. The regulators are on your back, the shareholders are on your back… The environment’s become much more difficult.’

Top investment bank managers have been remarkably resilient. Cagan: ‘The banks tend to be very well managed. They really have strong management cultures. They’re different, they have different risk appetites. They’ve had operational risk blow-ups and they’ve got hit quite hard. But they tend to be the high-severity, low-frequency type of events. Unlike commercial banks, investment banks didn’t approach the operational risk challenge as a quantitative capital exercise, but from the perspective of “what’s the best practice, how can we improve our management of risks.” It took the shock of Basel II to put operational risk on the investment bank’s radar screen. ‘Without Basel, frankly the big banks would have had a hard time getting budgets for OpRisk. It’s not the full story, it’s only part of it.’

Allan Cuttle, managing partner, Operational Risk Enterprise Inc, is less sangunine on banking management of risk. He says they have only had a limited history of implementing operational risk strategies.  'A lot of these (investment) banks haven’t had to focus on operational risk in the past. Now these investment banks – especially in the US – should really take stock of their OpRisk profile and say “let’s come up with a framework that’s going to work for us”.

‘The (commercial) banks have been way ahead of the curve for many years, so they’ve got frameworks built, they’ve got loss data databases built. The investment banks are just coming up the curve in the US, especially the top five  are mandated to go Basel II. Commercial banks learned along the way and they made some mistakes. They bought systems they shouldn’t have bought, they had frameworks that didn’t work. Now these investment banks are going to be able to see what mistakes the banks made, and ensure they do not make them. They should say to themselves, let’s make something that’s going to function correctly.’

Responses to legislative pressures from Basel and other third party initiatives take varying forms. Some banks have set up working parties to tackle each of the measures with specific rulebooks and other forms of bureaucracy. Others have embarked on cultural change, using organisational and employee perspectives to enforce value systems. Peyman Mestchian, managing director for risk at SAS. ‘If there’s a culture of high integrity in an organisation, and one or two people behaving strangely will be spotted.’

JP Morgan’s holistic view of operational risk follows the latter route. It has introduced  a quarterly self-assessment programme, called Control Self-Assessment (CSA) requiring each of the businesses, along with organisational risk management group, to  assess their control environment. Says Weill, ‘You declare your own weaknesses, and then you have an action plan to remedy the weaknesses. When audit comes in and identifies the weaknesses, the first thing they do is check the CSA to see if you have declared that weakness. We ask the business and the operations and the financial department to own the transaction cycle to be objective in terms of assessing the performance. That helps senior management to identify what are the top ten issues that they need to worry about.’

Cultural and organisational tools are also applied at UBS, in a very structured way, says Nick Bolton, head of operational risk at UBS. ‘We have a series of group-executive-board-sponsored operational risk excellence initiatives, some of which are peripheral to operational risk, some of which will be delivered via the framework training. Our goal is to ensure people understand their role within the organisation. We attempt to meet internal and external deliverables through the operational risk framework’

Cultural standards embrace different metrics to ensure a balance between pursuit of individual wealth and the risks of negligence of controls leading to collective failure. Mestchian: ‘If  the leadership and management. have the appetite for really being risky and they transfer that mood into the organisation, then everyone goes for it, and the number one criterion is how much profit and not set limits. The bank that wants to make profits above all else, risks exposing the shareholders to total collapse, in extreme case. No-one makes a profit where the company dies.

‘It is a case of setting the boundaries in a way that reflects the mood and attitudes of share holders in the organisation, while still keeping people motivated in terms of profit maximalisation. ‘Most banks have a good balance but 5% or 10% are trying to get to places too quickly. They are exposing share holders and employees to excessive risk.’

On this basis, individual incentives are tied to risk-adjusted metrics. Capital allocation algorithms show how well a trader has used risk to make a return on capital. Most money goes to the one using least risk. Market and credit risk professionals are familiar with this effort at a quantitative approach to risk measurement . Mestchian:  ‘It sends  a signal that if they have put risk into the human resources policy and into the performance measures of individuals, they should put aside sufficient capital so that when a disaster happens they don’t go bust, they can absorb the shock. You need to model all the risk.’

Segregation of  market risk from credit and operational risk is steadily discredited as events show how quickly risk in one category quickly spreads into another. Mestchian, ‘People need to take a holistic view. There is  a tendency to put these risks in silos, so you look after operational risk, someone else looks after credit risk and a third looks after market risk.. But the real risk is the overlap between the three areas. This is Enterprise Risk Management.  The risks need to be looked at in combined way and overlaps.

‘There were operational issues in the way Nick Leeson was doing the trades and hiding things. There was also market risk because there was an earthquake and the markets went against him. If the markets had gone in a different direction, he would have made a huge profit, and no-one would have heard about how he was trading.’

Kamat Aashish, a managing director at JP Morgan, says. ‘We think of risk holistically, across market risk, credit risk and operational risk. Market risk is due to adverse price changes, the amount we can lose. Credit risk occurs when a counter-party or borrower defaults on his obligations to us. Operational risk is the catchall bucket for everything else. Operational risk is driven by internal and external events. Internal events consist of systems, processes, people, and training and a skill-set. A very big part of operational risk, which is hard to define, is execution risk.’

The application of market and credit risk techniques to operational risk has had a chequered history. Ali Samad-Khan, the president of OpRisk Advisory, tells how Bankers Trust sought to transfer Risk Adjusted Return on Capital (RAROC) across from credit and market risk areas to operational areas with very mixed results. ‘Bankers Trust made such a mess that it was a horrible failure. They calculated capital at the top level and they allocated that capital to business lines based on inherent risk metrics and controllable metrics and audit scores. Many of these metrics had nothing to do with actual risk they faced. By allocating capital, we were using variables that were beyond the control of the business and also had nothing to do with the risk.’

If risk models are to be applicable to operational systems, they need to take much greater account of the risk-reward relationship, says Samad-Khan. ‘If you have two businesses, and one works in treasury bonds and has zero risk, and the other works in derivatives and can lose lots of money, you have to make sure you have lots more profit to take the additional risk.’  This lesson was lost on management at Kidder Peabody which failed to question how Joseph Jett, a trader in government bond strips,  made inexplicably high profits in a low risk, low return trading area. Jett’s quest for short term profits exposed the firm to the ultimate risk of failure.

The problems at Bankers Trust and Kidder underline the need for close technical understanding of complex markets and products, at a senior management .  This is particularly the case as products get more complex, in particular structured derivatives and swaps, traders and economists who devise and implement them routinely fail to see all the consequences of a product failure. So observers question the chances that an operational risk expert will be equipped to understand the risk of a complex product, let alone seek to put a limit round it.

Mestchian, ‘The growing complexity of investment banking products has been a catalyst for quantification of risk. Products like derivatives and swaps are often not understood by the compliance people who are supposed to supervise trading. They don’t understand the complexity, they don’t know how to price the product, they don’t know where the risk is in that product.  That was a factor in both Barings and Enron. Most of the people  on the board of Barings didn’t understand what this guy was selling. They could just see a nice profit coming in. It is difficult for them to challenge the trader if they don’t understand the product.’

JP Morgan’s Weilll says complexity of product risk tests an organisation’s discipline and staff selection and training. ‘You need to control every step of the transaction cycle, making sure you have the right skills, in terms of management and people. You need to make sure you manage out your low performers and that you have people who understand the transactions and the complexity of the product. We are entering an increasingly complex area. Disciplined programme management is absolutely essential for the future.’

JP Morgan says that it hires people in the operations and finance area ‘who are qualified to understand the transactions and can raise issues and explain discrepancies. The risk that traders may collude to distort prices and bluff their way through risk procedures is neutralised by the use of independent and outside sources for checking prices. Independent sources are used to check quotes on swap curves. It takes quotes for the euro-dollar curve from stock brokers specialising in the field. Aashish admits some areas test even the most sophisticated market professional. ‘It gets hairy in the more exotic transactions which are highly illiquid , and we rely on models. We get quantitative research involved in validating the models and the analytics involved in driving the model. We look at the output, back-test the output, to the extent we can, the finance group verifies the imputs into the model.  Those imputs can be corroborated with market data.

‘Whenever a trade unwinds, we go back and back-test to what the model said, the price was, against the price that was settled for. We make sure that the price that was realised was very close to what the model said it would be. That gives you validation of your model.’

Weill takes a more cultural stance towards the role of risk and the trading environment. ‘We are another conscience for the trader. In most cases we work with the traders to make sure the business gets everything done correctly. We try and further the goals and objectives for the business. We try to make sure we don’t cross any fiduciary lines and responsibilities to shareholders and to other people like regulators. We work with the business to make sure that if a trader comes to us and says, we want to do this transaction, can you review it for us, for accounting, for a valuation perspective.. we work with the trader to make sure, given the accounting rules, we do the best job to structure the deal the best way we can. But we don’t cross the line. But we must make sure we don’t subject the company to reputational risk, or risk from the regulators.. we have to make sure objectivity is maintained. We have the power of saying no if we see things that are not accurate.’

Says Mestchian, ‘Humans are extremely difficult to predict, they are also not visible what we do. We are very intelligent in hiding what we do. Leeson was very intelligent in hiding what he did.’ Samad-Khan calls the Barings experience  ‘unauthorised trading risk’. He says that it established a model for all subsequent risk analysis in investment banking. However not all management accepted the Barings lesson, and one paid the price. He tells how he found inadequate segregation of responsibilities in one Australian bank.

The problem was potentially so hazardous that he drew it to management’s attention, outlining the possible consequences. ‘Our recommendation was: make sure that your procedures for segregation of duties are beefed up. We came up with some high level recommendations from our study, based on our external data and our assessment of the risks in different business lines. We were drawing on the Barings experience. Management told us that that kind of behaviour only occurs in bad banks and we are a good bank.’ Shortly after Samad-Khan’s warning, the bank was hit by a major loss in the trading room, caused specifically by failure to segregate duties. ‘They had a huge loss, when four traders got together, colluded, and avoided reporting information correctly and ran up losses of several hundred million dollars.’

The way the Barings case might have influence the Australian management demonstrates the value of using the mistakes of history -- what Khan terms ‘Historical Loss Data’ -- to ensure one does not repeat them and join the ranks of the future losers.

Investment banks might also benefit from the use of historical loss data in apportioning their investment on anti-fraud protection. Samad-Khan says banks are advised to spend more heavily on their internal controls against fraud, as analysis of historical evidence of fraud shows that abuse by an insider is much more costly and insidious than that perpetrated by those outside the bank. ‘The Barings case also shows that remote outposts of a bank are more vulnerable than those closer to headquarters. Many of the places where big losses take place happen in far-off branches. Just because you’re a small organisation doesn’t mean you have small risk.’

Controls against human failure inside an organisation range from simple physical devices like locking doors, through procedural restrictions like the requirement for sign-offs from a second manager to technical  controls like passwords. The key control to corrupt collusion between individuals is the segregation of their duties. Given that the probability of four people making a mistake is measurably less than when one person has responsibility for validating it,  intelligent organisations require trades to be signed off. The value of systems and controls in curbing fraud and human failure is far from foolproof. It only takes one ingenious and malicious employee to crack the code or see an opportunity for the system to collapse.

The JP Morgan way

Value at Risk. Every part of the firm discloses a VAR at end of quarter. That shows the amount of risk they took in their trading books at the end of the quarter to generate the trading P&L. We examine how well we perform in terms of competition and market opportunity.

We also look at balance sheet and risk-weighted assets, what sort of assets or capital are we putting at use to generate the revenue. In connecting the dots all the way through, we always look at the operational environment, metrics about the capacity perspective, in terms of volumes, and people. Capacity means having enough people, and having  a system to book all the trades daily, but also to be able to anticipate issues looking nine months ahead. We make sure we have the right structure to support the business, to absorb transactions and trades. If you are short of people or the technology is not well-designed or the capacity of the boxes, then you will have issues.

We look  at the following three areas with particular care: