Even though he is a newcomer to op risk, Mike Chilton is already putting his own pragmatic and flexible imprint on Standard Chartereds (www.Standard Chartered.com). department. His willingness to look afresh at the area is the product of an energetic mind and an unusually diverse background, which has seen him analyse how businesses work and prosper. Mike has been a CFO for the banks African business, spent time in budgeting and planning, and was shaped by earlier roles in management consultancy where he looked at business process re-engineering and systems implementation. Its a relatively unusual background for an op risk manager and it shows.
He has clearly spent a lot of time pondering how to get the right balance between the costs of compliance and its benefits. His overall philosophy is quite simple: policies must make financial sense and be tailored for the wider organisation. The role of his department is not so much to predict every conceivable risk, but to be ready to react to events so that the bank can continue to serve customers seamlessly and be forward looking so events do not come as a complete surprise. Op risk should follow business needs not dictate them and it is vital to tailor the function to the company business. I want us to have our own distinctive flavour that fits our organisation.
The big picture is there, but he is still feeling his way in finalising specific policies in the group risk framework. He tends to pose as many questions as he answers: where does strategic risk lie, what is business risk and how does it fit in with the business structure, how does a bank manage reputation risk, and, most of all, how much is too much, he wonders. For example, should he produce a policy on policies? But it is this very flexibility that is most likely to prove an asset. After all, he reasons, op risk is a new discipline and one that is evolving so that all participants need to be adaptable and implement supple policies. Op risk should never be a means to an end. Theres always a temptation to over- or under-invest. You need to have consistent policy around that, he says.
Structure of the Bank
Standard Chartered is a relatively little known commodity in the market it calls home, although it is well known in Hong Kong. It does not have a significant clearing bank presence in the UK and its name hardly registers on the High Street and yet it is a component of the FTSE 25 and is celebrating its 150th anniversary this year.
Part of the reason for its relative lack of name recognition in the UK is its diversity, both geographically and in its business lines. The bank is focused heavily on Asia, Africa and the Middle East and covers a total of 55 countries with 30,000 staff. It has two divisions: Consumer and Wholesale Banking. The first provides credit cards, personal loans, mortgages, deposit taking and wealth management services to individuals and small to medium sized enterprises. The latter provides corporate and institutional clients with services in trade finance, cash management, lending, custody, foreign exchange, debt capital markets and corporate finance.
And, of course, the bank continues to evolve. Right now, it is tweaking its business proposition, emphasising its focus on sub-Saharan Africa, the Middle East and Asia. It is also keen to emphasise its role in exemplary governance in the markets it serves. This means that the bank has a very low tolerance for reputational and operational risk. Mike is keenly aware of this and knows it makes his job all the more important.
The Op Risk Function
When it comes time to talk about the structure of the division, Mike likes to draw a flow chart. Its large and pretty hard to decipher by the end. Essentially, the op risk function mirrors the wider organisation with its split between country, regional and global businesses and consumer and wholesale banking. The dual business/regional structure requires the department to seek the right fit between global and geographic businesses.
In the central op risk function, the team is split between London and Singapore. There are eight full-time members and a further 15 full timers are embedded in the business lines. In addition, there is a network of local office staff that have part-time op risk responsibilities. These individuals typically dedicate some 10-20% of their time and a core coordinator usually dedicates half their time to the function. In each office, however, the time put in by the part-timers constitutes anywhere between one and 10 full time equivalents. Each country has business managers who have dual reporting responsibilities: to the country CEO and to a functional department, for example, wholesale.
The op risk department structure mirrors that of the wider organisation. Mike is no revolutionary: he intends to develop, not re-build, this model. My aim is to build on what weve got rather than reinvent the wheel. He points to the Country Operational Risk Groups (CORGs) as evidence of the systems strengths. Each CORG runs a monthly meeting to discuss op risk; the back office and support functions are integral to this. Staff discuss the top five risks now and predict what issues are likely to make top billing in six months. They are a forum for open discussion and dictate what decisions are needed to fulfil the banks governance role on compliance and legal issues. The results are then forwarded to business lines, regional heads and the central risk management department where Mike and his team assess what needs to be escalated. This has been very successful and I havent met another bank that has this system, Mike says.
He is determined to enhance existing processes, too. One priority is the implementation of an issue tracking system. Simply put, this is a centralised database where any issues, for example relating to HR, are maintained, monitored and tracked on a country-by-country and business-by-business basis. The systematic collation of this data allows the op risk function to ensure matters raised are being resolved in a timely basis and that someone is appointed to oversee each issue. These might include an office that has fallen behind on the banks Know Your Customer (KYC) project. If that is raised through the issue tracking system, it will be captured and rectified. But it does depend on human input and a willingness for staff in local offices to admit mistakes. That means a culture of openness is key. You have got to have an honest, courageous approach from countries in the expectation that we will solve difficulties together.
Mikes other priority is compliance with the Integrated Prudential Sourcebook (IPSB) and Basel 2. He is adopting a wait-and-see approach on whether to take The Standardised Approach or the Advanced Measurement Approach as entry point. Much will depend on the quality of information he is able to collect.
For now, he is focused on updating and standardising information inputting in the loss database. Explanations for cause and effect will need to be aligned with Basel requirements. To ensure compliance with the IPSB, categorisation standards will be tighter. The level of analysis will be much higher and so when the data is in place, Mike and his team will be able to filter the data to look for any patterns that might have systemic impact. This approach will require Mike to start devising a system from scratch, although he will try and convert existing data to the new system.
When collected, the improved loss data will be shared across countries through web-enabling software. This information sharing is key to rectifying mistakes and Mike is convinced that it will help standardise procedures at the bank.
In other areas, Mike is making sure op risk procedures are not overly ambitious or onerous. In business continuity planning (BCP) and disaster recovery (DR), he is looking at tiering, by analysing the criticality of each location and process. And he realises the structure of op risk oversight needs to be carefully looked at. The delicate balance between regional and global functions and consumer and wholesale businesses has led to the number of committees proliferating. There are committees at the country level and the business level, as well as at the group level. And then there are specific committees, for example, one to assess reputational risk. Mike is keenly aware of the possibility for overlapping functions and bureaucratic overkill and says that there are critics of the current committee-heavy system. As he admits: You need to consider time efficiency. Otherwise you could spend your entire life in committees. Indeed, the bank is assessing this structure.
Mike appreciates that perhaps the biggest task is to educate all line managers that op risk is an integral part of their planning at all stages. The best way to do this is not to be coercive, but to show the managers the benefits of compliance and have them instigate procedures. They need to understand that op risk is all about business as usual. That will require him to constantly review procedures, to keep communication lines open and to offer appropriate training. It is lucky then that he has an open mind and a willingness to change. There are no right answers on how things are structured in op risk. Were all finding our way as we go.