Op risk centre stage

Strict bank oversight and isolation from the global banking community means Brazilian banks are insulated from the worst of the crisis, but they are not immune. Domingos Figueiredo de Abreu, executive director at Bradesco, talks to John Rumsey about the operational risks his bank faces

Risk managers at Brazilian bank Bradesco, in line with many peers in developing countries, have been looking on at events in the developed world’s banks with some stupefaction. As the debate in the US and Europe rages over issues such as nationalization and the creation of bad banks to absorb dubious assets, Brazilian risk managers are, with hindsight, grateful for tight national supervision.

“For the first time in many years, Brazil’s strict bank oversight has proven to be a virtue rather than perceived as a hindrance,” says Domingos Figueiredo de Abreu, executive director at Bradesco.

Founded in the 1940s, Bradesco, headquartered in an extensive campus in Osasco, some 20 kilometres from Sao Paulo, was until recently the country’s largest private bank. It fell from first to second place on February 18, when the Central Bank gave the green light to the merger of two competitors, Itau and Unibanco. Bradesco closed 2008 with just over R$454 billion ($191 billion) in total assets.

Conservative regulation helped Bradesco ensure it was more of a spectator than an actor in the crisis, although it has been far from immune. The bank’s share price had almost halved at the end of February since peaking in May last year, but that still looks relatively strong compared with many US and European banks that have seen shares drop by as much as 90%, with prices see-sawing by more than 10% per day.

Brazilian bankers are now thinking hard about overlaps in credit, market, liquidity and operational risk, and what that means for future strategy on developing appropriate policies. De Abreu, 50, who wears other hats including head of investor relations at Bradesco, realised the benefits of Basel II early on, however, and the bank is currently working to develop its own models to meet the most advanced approaches in all three risks categories in Basel II, including the Advanced Measurement Approaches (AMA) for operational risk. Although the Central Bank of Brazil has not fixed a date for the implementation of Basel II, it is already inviting banks that want to register for the AMA to do so. The bank has been working with consultants KPMG for the past two years and has a committee in place to oversee implementation of Basel II.

De Abreu’s history at Bradesco dates back to 1981. A graduate in economics and accounting sciences, he has a background in managing tax planning, a fiendishly complex area in bureaucratic Brazil, and was appointed executive director in 2002. His background and experience of cost control and knowledge of financial instruments gleaned from working in different areas of the bank primed him for his risk management career. That was enhanced by a stint at Banco BCN, which was later acquired by Bradesco, where he was involved in risk mitigation and the back office. In his role as head of risk management, de Abreu reports directly to the president of the bank.

Day-to-day responsibilities for risk management are handled by Roberto Hollander, who reports to de Abreu. Hollander joined Banco BCN in 1996 in corporate banking and later became credit director. From 2003, he started co-ordinating risk management and compliance for Bradesco.

Hollander’s move to head the department marked a moment when Bradesco started to focus more closely on developing its risk functions. At that time, the designated risk team was purely involved with market risk and consisted of 18 people, but the bank recognised the transformational importance of Basel II and management saw it as an opportunity rather than a threat. “We managed to sell the idea internally that Basel II was not just a regulatory and legal necessity, but that it would also benefit the bank by tightening risk and process management and governance,” says Hollander. This was very well accepted from the start, and the bank never lacked budget or human resources, he says.

“Bradesco faced up to Basel II as an opportunity to fine-tune everything from corporate governance, through operational and credit risk,” says de Abreu. The 2002 passage of the Sarbanes-Oxley Act in the US, where Bradesco is listed on the New York Stock Exchange, was a second key element in the new thinking.

De Abreu and Hollander were given the mandate to grow the risk management area and integrate the different categories of risk under one roof. “We needed a more robust area and one that considered all risk functions, so we brought in people to develop market, operational risk and internal compliance. Most were brought from the inside, in keeping with Bradesco’s emphasis on training staff internally,” says de Abreu.

Internal transfers included staff from the internal auditing department and close to 115 people involved in credit risk. De Abreu also pushed for the compliance team to sit within the risk function. Although the legal department also deals with compliance, Bradesco sees compliance as an intrinsic part of the risk area. Today the team encompasses some 180 people.

In addition to the central risk and compliance area, each department has a director responsible for ensuring compliance in his sector. The central team has the right to change that director, if found wanting, although this has never happened. By implanting compliance within each department, the bank disseminates a risk and compliance culture throughout the organisation.

After such extensive growth in the size of the risk department, the future is likely to see some shrinkage. “The team grew to this size to cope with Basel II and is probably larger than it needs to be for day-to-day work,” says Hollander. Departing staff will likely be attached to other groups. The operational risk nub will comprise 10 people.

At the core of Bradesco’s risk system is a series of committees. There are three operational sub-committees for issues related to credit, market, liquidity and operational risk, where risks are identified and evaluated. These sub-committees suggest tolerance limits and prepare mitigation plans to be submitted to an integrated risk management and capital allocation committee, a high-level, statutory body that advises the board of directors. Working through committees has worked very well, and allows a number of parties to contribute to discussions and ideas in drawing up plans, says de Abreu.

Cultivating a group-wide risk culture and balancing management of risk between individual departments and a central area that can look at the bigger picture is also key in de Abreu’s mind. “I don’t accept that there is just one person with whom the buck lies: the chief risk officer,” says de Abreu. “Scandals have shown that financial groups must develop and disseminate a culture of risk management throughout their organisation.”

One of the challenges for banks following the financial crisis caused by years of excessive leverage will be to consider in what ways risks placed in different categories are inter-dependent, according to de Abreu. “It is increasingly recognised that risks overlap, and there is the possibility of one type of risk catalysing another,” he says.

De Abreu points to the trading debacle at Societe Generale as an example of excess and a credit risk that was large enough to be considered operational risk. Last January, the French bank blamed a trader for EUR50 billion in unauthorised futures positions that cost it EUR4.9 billion euros to unravel. “We were asked here by management: ‘could that happen here?’ and we were able to give an emphatic ‘no’,” he says.

That ‘no’ testifies to Bradesco’s centralisation and tight internal controls. Rules for the investment bank were always strict. Initially, the bank had its own Treasury, but that was scrapped, and today the investment bank uses the centralized Treasury, which ensures consistency and aligns policies across the whole bank’s risk operations. Bradesco has been protected from transmission of risk from investment banking due to the small size of that business line, however.

It is not only rogue actions, but the subprime crisis that has blurred the lines between credit and operational risk, as downgrades and provisioning triggered bank-wide operational issues, says de Abreu.

“There was a certain inertia in the area of perception of risk and lack of communication between departments (at US and European banks),” he says. “The most significant problem has been a lack of control of positions across the whole bank and a failure to consider and analyse risks across total, pooled positions. This issue has come to the forefront in risk management circles today.”

Although subprime instruments are not intrinsically harmful, the exact components of these and other financial instruments were not fully understood, so banks had not correctly evaluated risks. This distorted the amount of reserves put aside, he says, and the effect of the crisis may well harm the future development of financial instruments.

For Brazil, issues related to exotic instruments are mostly academic, posing a concern for the future rather than a significant risk for today. Structured products represent a tiny fraction of credit markets, which themselves are relatively small: total credit accounts for some 40% of GDP compared with well over 60% in Chile, for example. The mortgage market is tiny by international standards at about 2% of GDP, too.

That’s because interest rates are high and Brazilian banks have proven conservative. Bradesco has always been selective about offering credit, and a slight increase in delinquencies has seen the bank strengthen lending standards recently, de Abreu says. Bradesco places limits on consumer lending per branch, with these individual risks kept separate from big corporate risks managed by a centralized back office.

Long-term credit products may not be important for Brazil today, but they are arriving, and the next few years should see Brazilian banks stepping up in areas such as mortgages. In the last few years, local banks have cracked the car financing market with loans of tenors of seven years and sometimes more. That means identifying and evaluating links and the mutual reinforcements between credit and operational risk will become increasingly important for Brazilian banks, says de Abreu.

Although international trends will shape the development of future thinking in Bradesco’s operational risk management, for now the bank is concerned with more bread-and-butter issues. In addition to compliance with Basel II, focuses for operational risk include business continuity planning, information technology and client education, as more retail and commercial business migrates to the internet, and building out corporate governance.

Brazilian banks have traditionally faced a different op risk challenge than banks in the developed world. The country is not prone to natural disasters, such as earthquakes and extreme weather conditions, and the threat of terrorism is significantly lower than in the US or UK. Bradesco does not therefore prioritise identification and contingency planning for such events; rather it looks to see if its systems would cope with whatever crisis made the campus or systems impossible to access.

The very low probability of a large-scale natural disaster mitigates the need to construct a back-up site at considerable distance from the main site. Bradesco has developed a totally replicated system, but it is just some 15 kilometres from its headquarters, in another suburb of Sao Paulo, Alphaville. In addition to the back-up site in Alphaville, certain departments, mostly client-facing ones, have back-up systems. They include the bank’s brokerage arm, human resources, custody, Treasury and the Central Bank payment system.

Even so, the bank is having discussions on whether it is sufficient to have just one back-up site and whether a third site, at a greater distance, is needed.

Even though natural disasters are considered low probabilities, the bank continues to emphasise contingency planning mainly because Brazil is prone to strikes and worker actions, which can cause a temporary lack of access to the campus or its systems. And because the bank’s decision-making processes are highly centralised at the Osasco campus, the headquarters are critical to its functioning.

Worker action is a particular concern in Brazil, which has a strong history of union activism. Current president Luiz Inacio Lula da Silva’s career was forged in the metalworkers’ union. Strikes are common, and there are occasional invasions of land and buildings by disgruntled groups that see themselves as excluded, such as the landless movement.

There are two principal blocks to the bank’s business continuity planning, says Hollander. The first stems from individual departments and defines the minimum amount of people needed, and who is key, as well as what services must be continued and which systems need to be available. From this starting point, plans develop on where to locate these people in the event of an emergency. To ensure flexibility, the plan places workers not just in the Alphaville replica site, but in multiple locations to ensure workers are placed as conveniently as possible and minimise disruption. It also envisages workers logging on at home.

Another prime operational issue is online security. The prevalence of fraud in Brazil, which was once dubbed the world’s most prolific hacking centre by the BBC, makes information technology security one of the bank’s most pressing issues.

Bradesco has never had a site successfully hacked into, but numerous attempts have been made, says de Abreu. The weakest part of the chain is the client, says Hollander. Because individuals don’t have the same level of protection as the bank, they are more susceptible to deceptive approaches, and may give out sensitive information such as passwords. The explosion of internet banking and subsequent rise in risk is mitigated through individual limits on transfers and withdrawals, as well as increased client education.

Regulatory risk also permeates banking operations, and there are recent signs of a resurgence of government meddling. Although the economic slowdown is milder in Brazil than in most other parts of the world, there has been a rapid deterioration since November. The Central Bank publishes a range of forecasts for the economy, which at the end of February suggested growth of some 1%. Weaker employment prospects and a general perception of greater risk have slowed credit growth and spreads have risen. The government has reacted with a carrot and stick approach: it has reduced reserve requirements but in return has been pushing large banks to buy credit portfolios of smaller peers and lend more.

But de Abreu’s team is not just focused on mitigating risks and worrying about the spillover from the international crisis. Over the longer-term, the team is concerned with building strong internal corporate governance, which falls largely to the risk and compliance function. Governance needs to be discussed widely and championed, says de Abreu. The bank has a governance structure that is conceptually good, with the big challenge being to make it work in practice, as it does on paper. Although one long-standing accusation levelled against Brazilian banks is too great a dependence on founding families, with all the conflicts and strategy confusion that can cause. That no longer applies to Bradesco, says de Abreu. The founders set about professionalising the bank through management and oversight.

Bradesco is controlled by a holding company and a foundation, and internal rules prioritise bank professionals in these controlling institutions. The family has two seats on the board but cannot change policies, he says. “This system makes Bradesco a bankers’ bank, and encourages continuity and managers are professionals who have been raised in the bank.”

BIOGRAPHY

Domingos Figueiredo de Abreu graduated in economics from the University of Mogi das Cruzes and in accounting from the Faculty of Economic and Administrative Sciences of Osasco, with a post-graduate degree in financial administration from the Fundacao Getulio Vargas and an MBA in finance from the Brazilian Institute of Capital Markets. He started his banking career in 1981, becoming departmental director in 2001 and managing executive director in 2002. He is a member of the Fundacao Bradesco Ruler Table. He has also been a substitute member of the board of CPM Holdings since 2006. He was director of Banco BCN SA from 1997 to 2001 and substitute member of the board of administration of CPM Braxis from October 2001 to March 2007, having occupied the position of member of the Technical Administration Council from 1998 to 1999.

This entry was posted in Articles, Operational Risk & Regulation. Bookmark the permalink.

Comments are closed.