Sponsored by Keith Blacker – 28th June 2012 Systemic Operational Risk: A Financial Services Case Study Systemic Operational Risk - A Financial Services Case Study “Black Swan Event: An event or occurrence that deviates beyond what is normally expected of a situation and that would be extremely difficult to predict.” As described by Nassim Taleb IIA Webinar 28 June 2012 Systemic Operational Risk A few words about Keith Blacker Chartered Accountant - 30+ years in financial services Internal Audit (former Council Member IIA), Business Development, Operations Director, Consultant and Trainer, Finance Director, NED DBA (Henley Management College) – operational risk management in UK retail banks Recent papers on People Risk co-authored with Pat McConnell Currently Non-Executive Chairman of Protection & Investment (IFA) & Valley Leisure (Charity), Council member AIFA and Independent Consultant IIA Webinar 28 June 2012 Systemic Operational Risk The PPI Scandal The PPI scandal 1. 2. 3. 4. 5. 6. 7. Background What went wrong? Summary of risks in the PPI process Systemic operational risk Implications for operational risk management Organisational culture Organisational disasters IIA Webinar 28 June 2012 Systemic Operational Risk Background Distribution PPI Process Other Parties Borrower Underwriting & Claims Lender Broker/ Intermediary IIA Webinar 28 June 2012 Systemic Operational Risk Insurer Background 1. 2. Major types of PPI - PLPPI, CCPPI, MPPI, SMPPI Market statistics 2006 IIA Webinar 28 June 2012 Systemic Operational Risk Background Influence of the UK Government • All UK political parties promoted home ownership • 1999 Government, CML and ABI launch the “Sustainable Home Ownership Project” • Baseline set a minimum standard of cover for MPPI policies • ==> penetration rate up from 25% to 35% in just 4 years! • Risk of something going wrong increased unless rapid growth was controlled…… • More generally, economic climate changed the ‘attitude’ to debt • More debt = more opportunities for PPI • Was the traditional British value of thrift being undermined, whether deliberately or intentionally, by government policy? IIA Webinar 28 June 2012 Systemic Operational Riskc What went wrong? 1. 2. 3. 4. Grumblings by Which? back in 1998 “Protection Racket” report published by CAB in 2005 “Range of evidence suggests widespread failures of consumer protection in both the PPI selling process itself and in the wider regulation of PPI sales” • Inappropriate product • Insufficient documentation • Exclusions • Inappropriate bundling • Excessive cost • Delayed claims This report was the catalyst for further investigations IIA Webinar 28 June 2012 Systemic Operational Risk What went wrong? 1. FSA Report published in 2005 • • • • • • • Relatively complex product sold to vulnerable customers High risk of inappropriate sales due to inadequate control Poor quality advice Level and structure of inducements and targets Reliance on product documents Competence of sales staff Poor monitoring 2. BUT no evidence of high-pressure sales techniques 3. OFT study led to “super complaint” to the Competition Commission 4. Judicial Review - banks must design and sell products that are compliant with the general principles of ethical behaviour. IIA Webinar 28 June 2012 Systemic Operational Risk Summary of risks in the PPI process 1. 2. 3. 4. 5. 6. 7. 8. 9. Inappropriate product for the customer Inappropriate exclusions Inappropriate bundling Inappropriate sales practices Inappropriate incentives Insufficient staff knowledge Lack of due diligence (on the customer) Adverse selection Anti-selection IIA Webinar 28 June 2012 Systemic Operational Risk Systemic Operational Risk 1. Basel 2 Definition of Operational Risk (at the firm level): “The risk of loss resulting from inadequate or failed internal processes, people, systems or from external events” 2. Systemic: “Of or pertaining to a system” 3. Much of what went wrong (root cause) was people related = operational risk 4. The events that took place operated across the whole system/industry. IIA Webinar 28 June 2012 Systemic Operational Risk Systemic Operational Risk 1. 2. 3. BUT why did it become systemic? • Herding - identical firms/identical strategies/identical products • Groupthink - individuals supporting superiors • Naysayers (Internal Audit?) not welcome! • Universal banking model • Role of government • Role of the Regulator It’s happened before. • Pensions mis-selling • Global financial crisis Could it happen again? • Equity release (FOS, 2008) • Interest rate derivatives to businesses (FSA report due). IIA Webinar 28 June 2012 Systemic Operational Risk Implications for Operational Risk Management 1. 2. 3. 4. 5. 6. 7. 8. “A firm’s control functions should be involved in the firm’s product design and oversight arrangements” (FSA and OFT) New regulations ==> risk management actions Prohibited/restricted business practices ==> new risks Regulatory ‘input’ on products because of customer complaints KYC becomes KYCEB and demonstrate TCF More regulatory reporting Behaving ethically and finally…. Don’t forget the PPI scandal was not a black swan event. IIA Webinar 28 June 2012 Systemic Operational Risk Organisational Culture 1. 2. 3. 4. 5. 6. (Dominant) culture…... informs (shared) values……. leads to behaviours Really Treating Customers Fairly What a business stands for is just as important as what it sells Auditing Culture - the role of IA? Will it be a regulatory focus? More of the fairer sex in the boardroom? “We have to recognise that values go beyond “what we can get away with”, and that values are in the end critical to value. Better risk management, enhanced regulation, codification of director’s responsibilities in company law - all these things are necessary. But they are not, and cannot be, sufficient without a culture of values. As individuals, we do not govern our own behaviour simply by what is allowed by law or regulation. We have our won codes of conduct, and hold ourselves accountable. We take responsibility for our own actions.” Stephen Green, former Chairman HSBC IIA Webinar 28 June 2012 Systemic Operational Risk Organisational Disasters Like all major organisational disasters, this did not happen overnight………….. (Turner 1976) • Initial beliefs and norms • Incubation period Risk Management ………………………………………….………………. • Precipitating event • Onset • Rescue and Salvage Crisis Management Crisis Management • Full cultural adjustmentultural adjustment IIA Webinar 28 June 2012 Systemic Operational Risk Organisational Disasters Initial beliefs and norms • Culturally accepted beliefs and norms begin to fail Incubation period • Rigidity of beliefs • Decoy Phenomena • Disregard of complaints from outsiders • Information difficulties and noise • Involvement of strangers • Failure to comply with regulations • Minimising emergent danger IIA Webinar 28 June 2012 Systemic Operational Risk A final thought ……… “Too much competition and too little co-operation can cause intolerable inequities and instability. Insofar as there is a dominant belief in our society today, it is a belief in the magic of the marketplace. The doctrine of laissez-faire capitalism holds that the common good is best served by the uninhibited pursuit of self-interest. Unless it is tempered by the recognition of a common interest that ought to take precedence over particular interests, our present system is liable to break down” George Soros (1997) IIA Webinar 28 June 2012 Systemic Operational Risk