Article | Managing treasury risk: Operational risk (Part VII) by Lionel Pavey

| 21-3-2017 | Lionel Pavey |

There are lots of discussions concerning risk, but let us start by trying to define what we mean by risk. In my last article on how to manage treasury risk I will write something about operational risk. The Bank for International Settlements (BIS) defines this as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. If you want to read my earlier articles on managing the different treasury risks please refer to the complete list at the end of today’s article.

Whilst this is the last article in this series, it is actually – potentially – the most significant risk that a company can face, as there are many different ways that a loss could occur, together with the fact that when it happens the amount lost can be very large. Even if the size of the loss could be considered small, there is always the threat of reputation risk which, once identified, is very difficult to erase from the memory.

While it is possible to insure against rogue trading for a company (the risk present in the Treasury function can be quantified and qualified) it is very rare that damage is caused by just one individual – a financial version of the lone wolf theory. Operational risks tend to be interlinked – a fraudulent payment could be initiated by human involvement (either as fraud or human error) and facilitated by weak processes together with insecure technological systems.

There are 2 main areas of operational risk within treasury for a company

Internal
External

There are 3 main categories of operational risk within treasury for a company:

Computer System, Information Technology
Theft and Fraud
Unauthorised Activity

Computer System, Information Technology

A lack of robustness and deficiencies in the technology and systems contribute to circumstances for failures, errors, data losses, corruption and fraud. Internally considerable care and attention should be given to the protocol for Static Data. This encompasses all the relevant reference data for a counterparty and should be subject to at least an input and verification procedure before entering the computer system. Changes to Static Data have to be recorded, together with the proper paper trail and authorization matrix. Externally the risks relate mainly to illegal entry (hacking), together with the complete theft of data.

Theft and Fraud

Both internally and externally main areas include:

Theft – both physical and electronic
Extortion
Embezzlement
Forgery
Misappropriation
Willful destruction
Bribes
Kickbacks
Insider Trading

Unauthorised Activity

From the Treasury point of view, this is an internal activity and mainly relates to 2 types of transactions – unauthorized by transaction and or type; transactions that are not captured in the system and reported. These can lead to monetary losses (though a gain is possible – at the price of an operational risk), together with loss of reputation.
The last category clearly shows where the biggest risk occurs within a company – at the human level. Generally speaking, these are caused by incompetence, lack of knowledge, misuse of power or compulsion to act caused by external factors – extortion.
It is clear therefore that whilst the electronic systems employed by a company can be a liability if not properly programmed or safeguarded, even here, most of the errors can be traced by to human intervention.

So why are the human risks so often underestimated? Naturally a company wishes to have the feeling that its staff can be trusted (within reason). After all, the company felt that the staff were the right people to employ. It is not my intention to formulate the reasoning and thinking of people who perform illegal acts. However certain areas that can be considered include how staff are treated; the demand placed on them; the rewards given; the levels of transparency and inequity within the company; a closed-off attitude (problems in one department are kept within that department and not discussed throughout the company); the role model set by owners, directors and managers; loss of personnel, reduction in morale; disinterested and unmotivated staff.

Solutions

An effective framework of operational risk management needs to be designed and implemented within the business. This requires input and commitment from all departments within the company, meeting one agreed standard and not being shaped to every individual department’s wishes. The framework has to run and meet the requirements for all different strategies within the company.

I wish to finish with 2 examples of operational risk to illustrate how large they can be.

In 1995 the world’s second oldest merchant bank (Barings Bank) collapsed due to the actions of a rogue trader. Corruption and a lack of internal control led to a loss of GBP 827 million.

Around the same time I was employed as an international money broker working in the interbank market and travelled every day from The Hague to Amsterdam via train. As I knew the route off by heart, I read all the time – magazines, papers, books – anything. I purchased a book called “The Cuckoo’s Egg” as it seemed interesting and would pass the time away sitting on the train.
The synopsis told me that an unreconciled accounting discrepancy of just 75 cents would lead to a world of computer espionage and spies. I highly recommend reading the book to understand how a simple error can grow to show the dangers of ignoring operational risks. If you like acronyms then you will enjoy reading about the FBI, CIA, NSA and KGB – all hacked via a UNIX server at a laboratory linked to the University of California.The story is true and threatened national security.

Trust people – but do not place temptation in their way.