Technology and Operational Risks faced by banks - An Analysis
1. Synopsis<br />At present, technological innovation has gained attention of FIs. It is due to the technological innovation that Operational and Technological Risks surfaced. Technological and Operational Risks are partly associated with each other. Technological Risk refers to risks which are associated with the development, implementation and operation of the bank’s technology infrastructure and the technology solutions provided, or when there is a ‘technological deficiency’ or ‘irregularity’. On the other hand, Operational Risk is defined as the loss caused, directly or indirectly, on an account of an event happening, or an action resulting from failure of systems, processes, people and external events. Due to certain reasons, both the risks are becoming relevant to FIs nowadays.<br />“With the advance in Technology and with it the improvements in Reliability Technology and Operational Risk can now largely be ignored by banks.”<br />‘Technology is driving the innovation as well as the creativity. Both technology and the use of technology will determine our employees’ ability to compete in the 21st century global marketplace’ (Ron Kind, 2009). Basically technology comprises of computers, visual and audio communication systems, networks and other Information Technology (IT). Today technology has enabled Financial Institutions (FIs) to facilitate commerce and support the life style of consumers (Saulo, 2009). During the recent years, ‘technological innovation’ has become a major concern for FIs. A recent research into the banking sector has shown that the banks have achieved substantial returns and have improved their operational efficiency and productivity through an increased investment in Information Technology and Technological Infrastructure (Mashal, 2006:25). At present, the innovation in Technology and with it the emergence of Technological and Operational Risk cannot be overlooked by FIs.<br />Technological and Operational Risk are partly associated with each other, and have gained attention of FIs’ managers and regulators in the recent years. Apparently, technological risk is a source of operational risk. Technological Risk refers to risks which are associated with the development, implementation and operation of the bank’s technology infrastructure and the technology solutions provided, or when there is a ‘technological deficiency’ or ‘irregularity’ (Oriso, 2008). Technological risk facing FIs is becoming more relevant nowadays due to three major reasons. <br />The first reason is relying heavily upon Information Technology or Systems by FIs. Information Systems play a vital role in gathering, processing and storing data, and therefore firms have invested billions of dollars in applying internet technologies to develop their IOSs (i.e. Inter-organizational Information Systems) (Shi, 2007). It is a fact that various business processes, functions and people throughout a bank rely heavily on technology nowadays, and therefore the technological risk must be managed and assessed strategically. The reason being, that if the technological risk is not managed effectively and efficiently, a bank may incur huge financial losses, loses its reputation and above all heavy customer attrition.<br />The second reason for the technological risk to be relevant is that, if it is managed efficiently and effectively, it will allow a bank to reduce its transaction cost, which will in turn result into higher profitability. According to Richard H. Baker (Chairman of the Subcommittee on Capital Markets, Securities and Government Sponsored Enterprises) the cost of an over the counter transaction (transaction processed by a teller) is around $1.30 for a bank. However, when the same transaction is done through an ATM it drops to 0.6-0.65 dollar range. Furthermore, if the same transaction is done through an online real time computer system, the cost of transaction falls to about $0.04 (or 4 cents). Moreover, paper transactions are now being replaced by low margin electronic transaction, e.g. in Kenya, after the Kenya Communications (Amendment) Act 2008 comes into force, it will soon be possible for banker’s cheques to have the same day clearing as opposed to the current three working days. The law, which now legalizes digital signatures and email messages, will see banks move cheques online to the Clearing House. Before the law was introduced, cheques had to be moved physically to the Clearing House and then sent back to the paying banks for a transaction to be effected which in turn was increasing transaction costs for banks (Saulo, 2009). Banks that have achieved technological supremacy in transaction processing have been able to leverage in terms of improving their financial strength and in turn becoming the market leaders and influencing the market trends (Dobbins, 2006). <br />The third and the last reason due to which technological risk is becoming more relevant, is due to customer convenience and services such as ATM, CDM, SMS banking, Micro-Payment Schemes, T+1 transfer and settlement, Telegraphic Transfers, iBanking etc. which are now available to the customers 24X7, 365 days a year at their doorstep. These Payments and Settlement systems are the mission critical for any banking system. According to Boston Consulting Group (BCG), the payments business is core to bank's profitability as it forms major part of their revenues, approximately up to 35% and on the other hand up to 40% of their costs. If managed efficiently and strategically, payments can be a real source of competitive advantage and consistent profitability (Khanna, 2005). At present, the focus is on online real time ‘T+1’ transfer and settlement that is essential to aid liquidity and meet consumer demands (Dobbins, 2006). The “T” in the T+1 transfer refers to the number of working days for a transaction to “settle”. For e.g. if a payment/ installment is due on a certain day, the customers can arrange funds by doing transfer of funds either between their own accounts or to a third party account through iBanking using Account to Account transfer and or Telegraphic Transfer (TT). Account to Account transfer is in a way T+0 while TT can be referred as T+1 as it takes at least one day when the funds from customers’ accounts get transferred to the third party account. There is no need for customers to visit the bank and do paper transaction for arranging funds in their accounts for payments to be made or arranging payments to third party. Moreover, several banks have also introduced Mobile Banking. Standard Chartered and mobile phone operator Zain-Kenya launched a product known as “Zap” that allows registered users to pay for transaction and transfer virtual money using their mobile phones. It will probably be the cheapest and the best chance for millions of Kenyans who do not have access to normal banking services (Saulo, 2009). The major disadvantage of the above mentioned services is the ‘Single Point of Failure’ which increases technological as well as operational risk. Hence the IT systems and technologies that support these services should be extensively reviewed and future-proofed (Dobbins, 2006). <br />All the above mentioned services do provide convenience to customers, but on the contrary they have also given rise to technological and operational risk. If a bank wants to overcome its weaknesses relating to these services, it should aggressively review its computer infrastructure, networks and applications and should effectively manage its technological risk (Bonnette, 2002). Managing Technological Risk is not an easy task for a bank nowadays. However, it can manage its technological risk in various steps. The first step in managing technological risk is to determine where the critical data is located, and how it travels the various bank systems. Once the data flows and system designs are defined, we move on to the second step, i.e. evaluating the sufficiency of existing controls and security programs. The evaluation can be done through ‘Outsourcing’. Outsourcing takes place when an organization transfers the ownership of a business process to a supplier (Samuel, 2009). Outsourcing is probably the best way to make sure that appropriate security and controls are in place to protect information systems and data, provided if the bank lacks the ability to establish and support these controls (Bonnette, 2002). Particularly when outsourced functions involve the transmission, storage and processing of critical or sensitive data, appropriate measures must be taken by bank to ensure that appropriate controls are in place at the service provider (or supplier). The third step is to determine whether the outsourced relationship helps fulfill the bank’s risk management needs, because if the relationship does not satisfy risk management needs, the bank can consider other service providers. The fourth step involves evaluation of financial condition, because weaknesses in a bank’s financial condition may lead to a loss of its staff and other resources that will in turn result in loosened controls. And lastly, the bank should closely monitor the service provider’s performance relative to contract terms (Bonnette, 2002).<br />Operational Risk is defined as the loss caused, directly or indirectly, on an account of an event happening, or an action resulting from failure of systems, processes and people. Operational risks are also caused because of external events. Furthermore, the increased usage of technology nowadays has also given rise to operational risk. Most of the time operational risk arises on account of internal business decisions. In 1998 the Basle Committee stated on its paper about operational risk management, that most big losses in the banking industry resulted from internal control weaknesses or lack of compliance with existing internal control procedures (Balestra, 1999:1). Operational Risk facing FIs is becoming relevant due to four areas of impact which are Regulatory, Reputational, Employees, and Systems.<br />The first area of impact is the Regulatory Risk. It is the risk of loss arising due to a failure being noncompliant with the laws, regulations or codes of conduct pertaining to the financial services and industry. To mitigate the regulatory risks, banks form risk committees for developing and maintaining an appropriate framework insuring regulatory compliance policies and procedures. Compliance to such policies and procedures is the responsibilities of all the employees and the committee formed monitors this. The committee is responsible to review, revise and approve regulatory compliance standards and monitors key regulatory risks across the bank (Standard Chartered Annual Report and Accounts, 2008).<br />Secondly, it is the Reputational Risk which refers to the inability of meeting the standards of performance or behaviors expected by the key stock holders. Protection of bank’s reputation should take priority over all activities performed by the bank, including profit/income generation. Noncompliance with social, environmental and ethical standards give rise to reputational risk. Reputational risk also arises from the failure to manage effectively credit, liquidity, market, regulatory, and operational risk. Reputational risk is to be managed by all employees and it is their responsibility to identify such risks in their normal course of business. Banks manage reputational risk through forming a reputational risk and responsibility committee, which is responsible for alerting the bank to emerging or expected reputational risk, ensuring that effective risk monitoring is in place for reputational risk and providing plan to counter any significant reputational risk that arises. It is also the responsibility of the chief executive officer to ensure that the bank’s reputation is protected. To do this, the CEO and the risk management committee must first actively enhance the awareness and application of the bank’s policies and procedures regarding reputational risk. Secondly they should advice all business units and functions to consider bank’s reputation in taking decisions and in dealing with customers and suppliers. Thirdly, CEO and the committee should implement effective risk reporting systems in order to be aware of any reputational risk potential issues. And lastly promote and effective and proactive stake holder management (Standard Chartered Annual Report and Accounts, 2008).<br />Thirdly because of employees, operational risk has become relevant in the sense that, quite a few studies have shown that most of the frauds and errors are done by the employees. These can be classified as human processing errors resulting into financial/reputation loss for e.g. a payment order has been charged to a wrong account. Another example for a human processing error resulting into financial loss is that, a funds transfer order has been processed too late, and the bank is liable to pay an interest claim, if any (Brink, 2002:65). Since operations are automated, which includes signature verification, employees at times do leak out the confidential data to an outside, for example an image of customer signature account detail which can be used withdraw funds from customers accounts. This results in both financial and reputational loss to the bank.<br />Lastly, Systems Failure has been the reason for operational risk. System error results into financial/reputational loss for e.g. due to a system error, the account statements are not available. Another example is that, the standing instructions are not executed due to system error. Customers can then ask the bank to pay interest for any late payments. In order to correct the system errors at times, many manual corrections need to be done. Since these corrections are need to be done within a limited time frame – time pressure results into new errors, which in turn cause financial loss/damage (Brink, 2002:65).<br />In conclusion, the banks must see to ensure that key operational risks are managed in a timely and effective manner through a framework of policies, procedures and tools to identify, assess, monitor, control and report such risks. <br />Reference List:<br />BIS. 2001, ‘Operational Risk’, BIS, Available: http://www.bis.org/publ/bcbsca07.pdf [Accessed 3 March, 2009].<br />ORISO. 2008, ‘Reducing Technological Risk’, ORISO, Available: http://www.oriso.com/english/reducing.htm [Accessed 4 March, 2009].<br />Brainy. 2009, ‘not sure’, Brainy, Available: http://www.brainyquote.com/quotes/quotes/r/ronkind259127.html [Accessed 4 March, 2009].<br />Bonnette, C. 2002, ‘Managing Technology Risk When You Outsource’, Bankers, Available: http://www.ask.com/bar?q=Technological+Risk+for+banks&page=2&qsrc=2106&ab=1&u=http%3A%2F%2Fwww.bankersonline.com%2Ftechnology%2Fmone_risk.html [Accessed 6 March, 2009].<br />Mashal, A. 2006, ’Impact of information technology investment on productivity and profitability: the case of leading a Jordanian bank,’ Journal of Information Technology Case and Application Research, Vol. 8, No. 4, pp 1-22.<br />Outsourcing. 2009, ‘What is outsourcing’, Outsourcing, Available: http://www.ask.com/bar?q=outsourcing&page=1&qsrc=0&ab=0&u=http%3A%2F%2Fwww.outsourcing-faq.com%2F1.html [Accessed 12 March, 2009].<br />Comm. 1999, ‘Technology and Banking,’ Comm, Available: http://commdocs.house.gov/committees/bank/hba55919.000/hba55919_0f.htm [Accessed 12 March, 2009].<br />BCS. 2009, ‘The future of banking technology’, BCS, Available: http://www.bcs.org/server.php?show=ConWebDoc.5851 [Accessed 14 March, 2009].<br />Saulo, M. 2009, ‘How banks can gain from global crisis’, Eastandard, Available: http://www.eastandard.net/InsidePage.php?id=1144007841&cid=456& [Accessed 16 March].<br />