Recently, the Office of Comptroller of the Currency (OCC) levied a fine of $400 million at Citibank “based on the bank’s unsafe or unsound banking practices for its long-standing failure to establish effective risk management and data governance programs and internal controls.” The OCC has followed that action up at USAA (an $85 million fine) and JPMorgan Chase ($250 million). When examining what that could mean for banks and insurers from around the world, and the operational risk discipline more widely, there are three key lessons:
Lesson 1: The focus needs to be proactive, not reactive
Rather than just fining financial institutions for large operational risk events, this penalty sets a precedent that regulators in the United States—but likely in other jurisdictions soon as well—will be more proactive to avoid the damaging consequences of an event by administering fines for more generalized poor risk management.
So as the OCC adjusts their regulation to be more proactive, the businesses and organizations it governs must be more proactive as well. There are a number of items the OCC has asked Citibank to include in its new ERM plan, many of which are key areas of focus for operational risk across banking and insurance.
For example, the OCC stated the need to revise “Enterprise-wide risk policies to improve the identification of growing, emerging or material concentrations and idiosyncratic risks.” This underlines the importance of identifying top and emerging risks across the sector. Research shows that the operational risk landscape is shifting rapidly and increasing in its scale and complexity, making it more challenging to manage. Additionally, specific material risks such as cyber and resilience require a detailed understanding and specialist approach to support their effective measurement and management.
Overall, there’s a lesson that proactive, forward-looking risk management with a robust framework is needed, rather than backward-looking measurement of what has happened. It is no longer acceptable to simply react and adapt when crisis hits, as our experience with the COVID-19 pandemic has shown repeatedly.
Lesson 2: Unity of systems and practices is vital
Regarding Citibank, the OCC repeatedly stressed the importance of consistent practices, systems and processes across the whole company. For example, in terms of data, the OCC highlighted the fact that Citibank had multiple systems housing data, which increased the risk of an information security incident.
On a very basic level, if your organisation lacks consistency in how it measures and records data from one department to the next, how can you expect to gain insight into the risks you face as a whole organization and make informed decisions on how to mitigate them? The “Umbrella function”—a lead function that sets the framework, the taxonomy and owns—is key to this.
Ensuring your organization’s systems, processes and practices are consistently implemented across the organization should be a priority. It is also worth thinking about the impact of the pandemic. Working from home has meant that many processes have been amended to make them workable. These changes were all made by necessity and tried to strike a balance between enabling productivity and minimizing risk. It is important to review these decisions now, ensuring that with more hindsight the balance between risk and productivity is still right.
Lesson 3: Operational risk should have a seat at the board table
The third and perhaps most important lesson is that operational risk needs to be on the agenda at the board level, with board members and senior managers being ultimately accountable for its oversight. As if to make the point, the Fed and OCC’s actions come less than a month after Citigroup announced that Michael Corbat, its chief executive since 2012, will retire in February. With the stakes this high, the case for operational risk having a seat at the table are compelling.
Providing board members and senior managers with the insight to in turn provide the oversight that the regulators want will require training, as well as improved data and better issue escalation processes.
As the ORX and McKinsey study The Future of Operational Risk stated, “Operational risk management needs to step forward and step up by engaging with the business and ensuring better coordination between different functions, such as operational risk, compliance and IT.” Without this, and with multiple areas all having their own reporting and escalation procedures, senior managers will find it hard to tell the wheat from the chaff when it comes to risk. Access to key decision makers is essential, as the shared insight with and between the business functions to support their decision making is invaluable.
The OCC intervention comes at an interesting time for operational risk managers. The changing business environment means that risk management needs to adapt, becoming quicker and more responsive, while financial pressures mean risk managers are being asked to do more with few additional resources. Risk professionals are looking at ways to simplify their frameworks and focus on the key material risks. Now they have added the implications of the Citibank fines into that mix.