RMA’s Operational Risk Management Discussion Group (“ORMDG” or the “Group”) met in Philadelphia, February 29-March 1, and was attended by 29 people representing 16 institutions. On February 29, the Group addressed the intersection between operational risk and social media in a session facilitated by Edward J. DeMarco, Jr., RMA’s General Counsel and Director of Operational Risk. Areas of focus were reputational risk from employee postings, citing the experience of Virgin Atlantic Airlines; possible loss of patent protection due to inadvertent public disclosures through social media sites such as LinkedIn; and dangers in using social media sites in connection with the hiring process.
RMA’s AMA Group has focused extensively on scenario analysis in recent months. Read the AMA Group’s industry position paper on scenario analysis here. ORMDG featured a session on scenario analysis, highlighting use of scenarios as both a capital estimation tool and a risk management tool. The Group generally supported the view that while scenario analysis is required under Basel, its greatest utility is as a risk management tool to fully engage business managers and the Board in connection with risk taking and risk appetite.
Vendor management was discussed at length, including due diligence, vendor selection, contract review, and ongoing monitoring of the vendor relationship up to and including the termination of the relationship. Vendor management is a centralized function at all 19 institutions participating in the ORMDG meeting. However, the participating institutions were evenly divided between having a unified legal and procurement team versus having separate legal and procurement functions.
In the afternoon on the 29th, the Group discussed payments and payment risk. Approximately one-third of the participating institutions now offer a remote deposit capture product. The Group’s discussion focused on the pressure to innovate versus risk management. Clear policies, procedures, training and monitoring tools should be required before launching a new product, with the understanding that not all risks associated with a new product are known or knowable at launch. The Group noted that the financial services industry could learn from digital media companies, which tend to roll out new products through frequent, low-volume beta tests that allow innovation while confining risk. The Group also considered the question of whether the strategic risk of not innovating trumps the operational risk associated with new products.
On March 1, ORMDG started with a session on aligning operational risk with insurance. The Group focused on the importance of mapping prospective risks to particular insurance components to ensure that the policy will cover all of the potential risk. The key to doing this successfully is adequate communication between operational risk managers and insurance brokers, especially when re-evaluating insurance premiums and benefits. At the end, the Group reviewed a sample scenario on “Applying Cyber Coverage”.
The last session at ORMDG was on RCSAs. Representatives from DTCC gave an overview of their ORM Framework, concentrating mainly on RCSAs and KRIs. During this session, attendees exchanged information on the frequency of conducting RCSAs, ways of successfully running interactive RCSA sessions, and engaging business lines and senior management in the RCSA process to increase efficiency. In regard to KRIs, participants discussed KRIs being one of the metrics for RCSAs and how to select relevant KRIs/KPIs.
The next meeting of ORMDG is in Charlotte in June. The date will be announced on RMA’s website, www.rmahq.org. Participation in ORMDG is open to any financial institution regardless of size and the maturity of its operational risk framework. Discussions are facilitated by bankers and other industry participants, with a heavy emphasis on peer sharing and limited lecturing so that multiple perspectives may be considered.