The global news cycle, financial markets in turmoil and a seemingly upset weather pattern on "Planet Earth" has OPS Risk professionals on ready standby. It's 24 x 7 x 365 responding to new threats and a growing set of domino effects as incidents are more interconnected and have substantial new interdependent relationships.
Operational risk is a serious concern not only to traditional and alternative investment managers, but also to their clients and the organizations that regulate buy-side firms. In worst-case scenarios, an investment firm’s failure to identify and mitigate operational risk can result in significant direct costs and a devastating loss of reputation. It may take years to reassure investors, regulators, and trading partners that the firm is well-managed. So what exactly is operational risk? Castle Hall Alternatives calls it “risk without reward.” The Basel Committee on Banking Supervision (Basel II) defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events,” and states that the definition is intended to include legal risk but exclude reputational risk, and lists as examples events ranging from data entry errors to earthquakes.¹ But operational risk is not something that can be easily identified by a generic checklist, nor is there a single, universally applicable approach to mitigating the operational risks to which a given firm is exposed.
A generic check list is by all means not the way to approach most Operational Risks yet starting with a standard framework of controls and optimizing from there is a good start. Certainly the natural catastrophe risk mitigation exercise whether the tornado or earthquake has a foundation in the kinds of preparedness that can assist those caught in the vortex or the fault line of destruction. Yet how could a check list really help with a threat that is adapting to your environment on the fly and creating new obstacles to mitigate the risk before you?
Kerry Dewey was a finance officer for a small nonprofit in the Pacific Northwest. She was having a bad day, but it got worse when her local bank called her to inquire about the validity of a recent funds transfer for just under $10,000 from the nonprofit’s account to an account at an Alabama bank. Moments before, the Alabama bank had contacted Kerry’s bank because its policy is to investigate any transfer that’s close to, but less than, $10,000 – an amount that fraudsters commonly use to avoid currency transaction reporting.
Kerry’s bank stopped the transfer after she assured them that no one in her organization initiated the funds transfer. The episode prompted Kerry to review the nonprofit’s banking transactions in the past few days. She uncovered five other illegitimate transfers that totaled close to $50,000, and each transfer went to a different payee. Fortunately, her bank was able to contact the banks where the funds were transferred, and those banks were able to stop the transferred monies from being withdrawn by the fraudsters. Kerry had opened a very dangerous e-mail.
This case is fictional, but it’s representative of a relatively new “spear-phishing” e-mail scam that has recently emerged as a significant source of revenue for cyber criminals.
As you can see the Small-to-Medium-Enterprise (SME) and other businesses that might have a single person responsible for payroll, accounting and acting as corporate controller are just as vulnerable to the Operational Risks as the large hedge funds, Global Money Center institutions and Corporate Enterprises of the Fortune 500.
The pervasive and constantly evolving components of Operational Risk now require a substantial blend of people, software and management systems. Those savvy CxO's now realize that Operational Risk Management is something that is not being dealt with solely by the CFO, CRO, CIO or CSO in it's entirety. Therefore, the silo's of risk management within the organization are themselves a "substantial risk" to the overall enterprise risk management aspiration. The "Insider" who watches these silos manage their domains and fiefdoms with the goal of keeping it all within the unit or department or section realize that their scheme or attack will have little chance of detection for months, even years.
This is why the Office of Inspector General in government is so necessary and is so feared. This is why the outside auditors or independent investigators are so feared. This is why these two mechanisms for mitigating risks are typically too late and discover something that in the end, most people had a hunch was going on anyway. It's a perpetual cycle that won't end anytime soon and will keep our organizations searching for that eternal balance of a "Perfect Risk Appetite".