Monday, February 15, 2010

Risk Appetite: Board of Directors Engage...

New management and faces around the Bank of America Board room are taking a new approach to Operational Risk Management. Compliance and other Operational Risk functions are being separated. Most importantly and perhaps a lesson for those institutions that are on the ropes, B of A is pushing the risk management debate from the Board Room to the associates on the front lines.

A Message from Brian Moynihan

Protect Our Company

To my Bank of America teammates:

Bank of America is in the business of taking risk and our goal is to make every good loan and transaction we can within our company’s overall risk appetite. Yet our recent performance demonstrates the need for enhancements. Our management, board and regulators have determined that our risk management practices must improve.

So we have updated our risk framework — or how we manage risk at Bank of America — with the following:

  • Risk Appetite - The senior team will recommend, and the Board of Directors will approve, an annual risk appetite that establishes how much we are willing to take as a company.
  • Debate - We’re requiring all associates to openly debate risk-related issues…and we’re escalating issues and taking action based on those debates.
  • Roles - We’ve clarified risk management roles and responsibilities, and all associates will fall into one of three groups, each with specific accountabilities: Line of Business associates, Governance and Control associates (those in Global Risk and our other support groups) or Corporate Audit associates.
  • Governance - We strengthened the way we oversee risk with new committees at the board and management levels.
  • Operational Risk - We separated compliance and operational risk functions to have more targeted and focused attention on both.

For those of you who work in a line of business, your job is to serve the clients’ financial needs and to protect the company. You may take only those risks that are within our company’s overall risk appetite as established by the Board of Directors. Senior management will determine the risk appetite for your line of business and will communicate that to you. You will be assessed on your risk-taking results.


Managing risk within the confines of the corporate enterprise goes beyond building awareness of risk appetite among front-line associates. It requires the Board of Directors to spend more time on the front lines, embedded in the business lines, to better understand the operational risks that exist in each particular business. As an example, it would seem that in a rush to reduce expenses, call center operations are being moved offshore to India. Offshoring in itself brings a whole new set of risk issues to bear, especially when you are talking about "Call Center Operations."

Interacting with customers on the telephone subjects the caller and the service provider to the exchange of Personally Identifiable Information (PII). Technologies that validate the geographic location of callers are available, and more sophisticated means of verifying that callers are who they say they are are being implemented alongside them. Yet what about the people working in the call centers themselves? Whenever you have an outsourced provider in another country taking calls from US consumers and exchanging PII, there are several other operational risks on the table.

Fraud associated with call centers is on the rise and is being facilitated by transnational criminal organizations. There are two primary fraud scenarios being perpetrated through call centers:

  • Phishing e-mails provide a criminal fraudster with the credentials to log in to your online banking account. However, because of certain online controls and security measures, the fraudster may need to contact the call center for something as simple as a password reset to further the scheme.
  • In another variant of the phishing e-mail, a consumer is asked to phone a fake 800 number that is routed to a fraudulent call center operation, where the banking customer is then asked for PII, a mother's maiden name or other security credentials under the guise of an account problem or other account-related issue.


Bank of America and other call center operations have integrated analytics with those call centers dedicated to online banking inquiries. In addition, these integrated call centers should be drawing on the depth of data that exists on consumers in public records, credit records and real estate records. Integrating "Visual Analytics" and intelligence-led investigations can give the institution the insight and decision advantage to stem the growth of call center fraud across a myriad of industries beyond banking. RSA FraudAction Research Lab has this to say on the subject at hand:
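To make the "integrated analytics" idea concrete, here is an added example (not Bank of America's, RSA's or any vendor's code) of the kind of correlation a call center can run before honouring a sensitive request. It cross-references a call-center request against recent online-banking events for the same account and against the caller's geolocation, so that the first fraud scenario above (phished credentials, blocked online login, then a phone call for a password reset) is routed to step-up verification rather than handled on trust. Every record type, field name, threshold and sample event below is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed record types. The field names are assumptions for this example,
# not the schema of any bank's or RSA's system.
@dataclass
class OnlineEvent:
    account: str
    time: datetime
    kind: str           # "login_ok" or "login_blocked"
    country: str        # country geolocated from the client IP address

@dataclass
class CallEvent:
    account: str
    time: datetime
    request: str            # e.g. "password_reset", "balance_inquiry"
    caller_id_country: str  # country derived from the presented caller ID
    home_country: str       # country of record for the account holder

def risk_reasons(call, online_events, window=timedelta(hours=24)):
    """Return the reasons a call-center request deserves step-up verification,
    found by correlating it with online-banking events in the preceding window."""
    reasons = []
    recent = [e for e in online_events
              if e.account == call.account
              and call.time - window <= e.time <= call.time]

    # Scenario 1 from the post: phished credentials, an online login blocked by
    # controls, then a phone call to reset the password.
    if call.request == "password_reset" and any(e.kind == "login_blocked" for e in recent):
        reasons.append("password reset follows a blocked online login")

    # Recent online activity from a country other than the customer's country of record.
    foreign = sorted({e.country for e in recent if e.country != call.home_country})
    if foreign:
        reasons.append("recent online activity from " + ", ".join(foreign))

    # Caller-ID geolocation disagrees with the country of record (spoofing or travel);
    # either way the request should not be honoured on the caller ID alone.
    if call.caller_id_country != call.home_country:
        reasons.append("caller ID country differs from country of record")
    return reasons

def review_calls(calls, online_events):
    """Return {account: reasons} for every call that should go to step-up verification."""
    flagged = {}
    for call in calls:
        reasons = risk_reasons(call, online_events)
        if reasons:
            flagged[call.account] = reasons
    return flagged

# Constructed sample data: no real accounts, IPs or calls.
ONLINE_EVENTS = [
    OnlineEvent("acct-1001", datetime(2010, 2, 15, 8, 5), "login_blocked", "RO"),
    OnlineEvent("acct-1002", datetime(2010, 2, 14, 19, 0), "login_ok", "US"),
]
CALLS = [
    # Reset requested 85 minutes after a blocked login from abroad; caller ID looks domestic.
    CallEvent("acct-1001", datetime(2010, 2, 15, 9, 30), "password_reset", "US", "US"),
    # Routine inquiry with consistent online history: nothing to flag.
    CallEvent("acct-1002", datetime(2010, 2, 15, 10, 0), "balance_inquiry", "US", "US"),
    # No online history, but the caller ID resolves to a different country than the customer.
    CallEvent("acct-1003", datetime(2010, 2, 15, 11, 0), "password_reset", "GB", "US"),
]

if __name__ == "__main__":
    for account, reasons in review_calls(CALLS, ONLINE_EVENTS).items():
        print(account, "->", "; ".join(reasons))
```

The point of the design is that the decision is made from data the caller cannot talk their way around: the reasons are derived from the bank's own event history and geolocation, not from anything the caller asserts, and a flagged call goes to a stronger verification path rather than being refused outright, which keeps genuine travelling customers served.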

Since the beginning of the year, RSA has uncovered several one-stop-shop call centers in the fraud underground that provide fraudsters with all the tools they need to commit fraud over the phone. These “tools” include:

  • “Professional callers”: fluent in numerous languages, both male and female
  • Caller-ID spoofing
  • Service availability during American and Western European business hours.

These comprehensive criminal services, to which we will refer as “fraudster call centers,” have proliferated in the underground economy over the past year.

As the likes of B of A and other organizations rely on the human factor on the other end of the telephone, the operational risk factors increase dramatically. An interesting question to put to the Board of Directors is this: When was the last time you visited your call center in "XYZ Country" and sat on the line with one of their offshore operators, listening to consumer calls from the United States? This could be an eye-opening exercise in better understanding Operational Risk Management on the front lines.