BID® Daily Newsletter
Feb 7, 2007

CHECK UP TIME FOR OPERATIONAL RISK


Regulators want to be sure bankers have a good handle on operational risk. They are not referring to doctors and medical procedures in hospitals, but rather are focused on the risk of unexpected loss that a bank might experience as a result of inadequate information systems, operational problems, breaches in internal controls, fraud or other unforeseen catastrophes. That is a pretty broad categorization, but make no mistake, regulators are serious about the precautions bankers are taking to address such operational risks. Areas of particular regulatory interest include pandemic preparedness and IT security.

While the odds that a pandemic (an outbreak of an infectious disease that spreads across a large region) will occur may be considered small, regulators expect bankers to be prepared. The risk of avian flu has heightened the focus on operational risk, and regulators want to be sure bankers have considered actions appropriate for their particular situation in the event of an outbreak (and have incorporated such actions into contingency strategies). While this may sound a bit far out for many bankers, rest assured regulators will be examining whether bankers have conducted a risk assessment that considers employee safety and business continuity, among other risks. In particular, bankers can address pandemic risk by establishing infection control procedures for the workplace, reinforcing inoculation, providing options for employees to work offsite while ill, increasing worker education, establishing contingency systems to support sustained worker absenteeism and working with outside vendors to ensure essential services are maintained. While a pandemic may never occur, bankers should nonetheless address the risk.

In addition to pandemic preparedness, bankers will also need to review IT security as part of operational risk. With so many customers moving online, regulators want to be sure banks have added multi-factor authentication, limited access to sensitive customer information and enhanced procedures to protect against the transfer of funds to unauthorized third parties. In short, banks will need to ensure they have the risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. While regulators do not endorse any specific technology, banks should conduct a risk assessment, increase customer awareness and implement risk mitigation strategies to ensure reliable authentication of customers.

Operational risk is a broad category that goes well beyond pandemic and IT security risk preparation. While we have highlighted these (because the regulators have done so), bankers should note there are many other activities as well. For instance, operational risk includes the possibility that newly integrated computer systems won't work after a merger or acquisition; back-up system capabilities; outsourcing arrangements; employment practices; misuse of customer information; damage to physical assets due to earthquake, fire or flood; data entry errors; collateral management; incomplete legal documentation; workplace safety; employee theft; and fraud, among others. To be sure, bankers should make the board aware of major operational risks and put in place processes to ensure they are identified, measured, monitored and controlled. As the old saying goes, an ounce of prevention is worth a pound of cure, so be sure to include operational risk within the bank's overall risk management processes.