Operational Risk Management during Bank Mergers
Bank mergers are characterized succinctly by change and uncertainty. During a transition, uncertainty in the organization’s strategies, processes, business relationships, and culture can over-stress the combined bank’s ability to operate safely and soundly within the business environment, subjecting it to enormous operational risks. Thus, establishing key components of a robust risk management program is critical to the long-term viability of the franchise.
In simple terms, risk management is the function within a bank where risks are identified, assessed, controlled, monitored, and reported. Note that risks do not necessarily imply “bad” outcomes; when managed properly, risks can generate good outcomes as well. To mitigate operational risk during a merger, several risk principles must be established within the organization.
- Governance
  - Establish board-level/management committee level Operational Risk Committee
  - Establish clearly defined management roles and responsibilities
  - Define and implement the risk culture appropriate for the risk profile of the Bank
  - Establish two-way communication channels
- Framework
  - Basel II
  - COSO
  - COSO ERM
- Management Information
  - Monitoring methodologies
  - Reporting
Governance
Under normal circumstances, good governance is essential to the success of an operational risk program, but it becomes critical during bank mergers. Since risk culture is established at the top of an organization, management must create a board-level or management committee level Operational Risk Committee (“ORC”) that will set the standards of the program, oversee its implementation, and make decisions from the results. The ORC must have the full support and endorsement of the Board in order to maximize its effectiveness, since the culture established by the committee will permeate throughout the organization. The greatest governance challenge during a bank merger is making sure that executive managers agree on the culture going forward, since this can vary. “Rules-based” cultures which are strict and conservative (though somewhat restrictive on innovation) cannot co-exist with more lenient cultures that delegate risk responsibility further down the organizational structure to individuals who are expected to “do the right thing”. Another critical challenge is establishing the appropriate communication channels so that information can flow easily up, down, and across the organization, ensuring that the risk culture is absorbed by everyone throughout the bank, and that actionable risk information is reported to the ORC.
Framework
Examples of operational risk frameworks include Basel II, COSO, and COSO ERM. Though many financial organizations have adopted COSO and COSO ERM, most globally-oriented banking institutions are in the process of implementing Basel II. Within the Basel II risk framework, critical requirements for an effective risk management program are defined. These include:
a. Risk and Control Self Assessment
b. Issue Tracking
c. Collection/analysis of key indicators
d. Collection/analysis of loss data, both internal and external
It’s highly likely that some form of operational risk framework already exists in the merging institutions, which is either loosely or tightly related to Basel II. Thus it is incumbent on executive management to choose a framework that best fits the organization’s risk profile.
Risk and Control Self Assessment (“RCSA”)
In order to understand the risk profile of the organization, the merging banks should perform an RCSA. Such transparency will not only identify the risks inherent within the bank, but will also assess the likelihood and impact of a risk event if it occurs within the internal processes of the organization. Review and analysis of the controls already established to manage the risks is also performed to determine if immediate action is required.
Robust RCSAs incorporate the following elements:
a. Process mapping using CoolMaps: Before identifying risks, the existing processes must be clearly defined and understood from end-to-end. CoolMaps will not only highlight the risk areas and control weaknesses, but will reveal opportunities for process improvements as well.
b. Review of the maps and the internal processes will identify the risks, as well as the likelihood and impact of risk events.
c. Risk Mapping: Once risks are identified, they must be mapped to specific risk categories. During mergers, executive management must decide on the nature and scope of the risk map, such that a common risk “language” can be developed. The common risk map can then be understood by everyone within the merged Bank.
d. The controls that have been established to mitigate the inherent risks of the activity are reviewed for adequacy. Any deficiencies must be highlighted so that they can be corrected. Additional controls should be considered. Opportunities to reduce controls deemed unnecessary relative to the risks of a specific process are also studied for implementation.
Issue Tracking
All issues raised by auditors, regulators, and other examiners should be placed in a common database and identified by risk type. Any existing databases for tracking issues should be evaluated for consolidation. Beyond identifying control weaknesses and process inefficiencies, issues help to validate management’s risk assessment reported in the RCSA. Issues also reveal thematic problems needing attention during the integration of policies/procedures in the merging banks.
Key Indicators
Identifying risk and performance indicators for the merging processes allows management to monitor the processes for heightened levels of risk, to track changing risk profiles of activities, and to check the accuracy of management’s original risk assessment reported in the RCSA. Management will need to be as efficient with indicators as possible – data from too many indicators is difficult to manage.
Internal/External Loss Data
Internal losses help to validate RCSA results in the same way that the key indicators and unresolved issues can. Data from internal losses also helps to validate management’s perception of the current risk profile. External losses are superb training tools, as they illustrate the errors made by other banks that may be relevant to the merging institutions. External losses can help point to weaknesses in the merging processes that may not have been noticeable in the RCS
Management Information
The communication channels established by the ORC are the “glue” that holds the merged organization together and connects risk framework activities with governance. Data collected via the framework, such as self-assessment, risk indicator, and internal loss data, must be reported succinctly to management and the ORC. Unless risk information is communicated to the appropriate persons, uninformed and potentially dangerous decisions will be made.
Please see the appendix for other areas that need to be addressed and managed during transition.
In addition to the development of an effective governance, risk, and management reporting framework, the following activities should be addressed when managing transitions within a banking organization.
- Outsourcing opportunities and/or threats
- Business Continuity Planning
- Understand resources available (human, technical, time, money)
- Scenario Analysis (evolving from Self-Assessment, internal loss, and risk indicator results)
- Thoroughly review all audit/regulatory reports and compare to CSA results