A Web-Based Risk Tool
August 12, 2003

The experiences (and resulting systems/processes) that banks have developed in order to deal with Basel I and Basel II are relevant to corporate treasurers today as they attempt to manage the new compliance/control requirements of Sarbanes-Oxley, as well as broader scrutiny of earnings/results.

With this in mind, it's useful to review how banks have handled the challenge, and how they plan to use their know-how in the area of system and process management.

Case in point: Horizon

JPMorgan was in the right place at the right time with RiskMetrics (since spun off) to help firms deal with derivatives-related rules for disclosure and controls (value at risk).

Now as the disclosure and control focus has broadened, the bank wants to be there again with Horizon, its web-based tool for internal risk control and self-assessment.

Horizon appears tailor-made for the internal control rules mandated by Sarbanes-Oxley, especially if firms go beyond basic compliance to implement enterprise risk management frameworks, such as those suggested by the new COSO draft.

It is also in line with Basel II’s qualitative measurement prescriptions for operational risk management, which suggests corporates seeking internal control guidance have another source of best practice recommendations to draw upon.

Indeed, compliance is all about risk management. “If you look at Basel II or Sarbanes-Oxley, the point of the regulations is for firms to better manage risk,” notes Craig Spielmann, VP and Executive in charge of Horizon for JPMorgan Treasury Services. The aim, he notes, is to create transparency for shareholders: that senior people are identifying the firm’s key risks, showing what they are doing to mitigate these, and stating when these mitigation efforts are to be in place. “It’s about how effective you are at risk management, as much as about how you are managing risk.” Self-assessment is an important measure of risk management effectiveness.

Operational risk process automation

Horizon, like RiskMetrics, was born out of an internal bank tool to help JP Morgan assess operational risk across its businesses. It is also one of many operational risk tools out there oriented toward banks, or internally developed by banks, seeking to comply with Basel II’s internal ratings based approach (IRB), in particular the Advanced Measurement Approaches, in order to reduce their regulatory capital requirements.

Control and risk self-assessment is a key component of the qualitative measurement requirements for operational risk under Basel II. These involve among other things:

(1) a review of risk management process goals;

(2) a review of the controls/procedures to meet these goals; and

(3) specification of corrective actions required and follow-up on implementation of such actions. This is the area of focus for Horizon.

Horizon uses the traffic light approach to self-assessment, common with internal control cum operational risk/enterprise risk applications offered by audit firms and consultancies, calling upon users to select their risk concern according to red (most dangerous), yellow, green, blue (not applicable).

However, where it seeks to differentiate itself from traditional internal audit tools is its orientation toward risk management ideals: effective, on-going risk mitigation in support of business goals. Clearly, though, traditional internal audit tools are moving in the same direction, guided by the new COSO draft, following the banks’ lead in their approaches to operational risk management.

According to Barry Macklin, head of Operational Risk Analytics/Financial Risk for JPMorgan’s Treasury & Securities Services (T&SS) business, Horizon not only helps to automate the operational risk and control self-assessment process but also provides opportunities to share risk expertise and best practices across T&SS’ global operations (with locations in 39 countries and 14,500 employees).

Mr. Macklin was an early Horizon adopter outside JP Morgan: his group within Chase was in negotiation to purchase the product when the merger with JP Morgan was announced. 

Part of its appeal from his initial customer perspective was that it provided an automated solution taking a paper-based process and putting it on the bank’s intranet. It also has built-in algorithms to calculate a “score” for comparative purposes, based on how each risk is weighed (with the traffic light).

By automating the data-collection and “scoring” process, Mr. Macklin notes, senior risk and business managers have much more time to focus on analysis: “We are spending more time analyzing risks than compiling data.”

The automation facilitates continuous self-improvement of control processes and sharing of best practices, and improves the ability to monitor and resolve action items. For example, for a particular risk, he may see that one unit indicates that a process has good controls while another unit with a similar process in another location needs to enhance controls. Risk and business managers can now delve into how to ensure the procedures are effectively applied globally.

According to Mr. Macklin, the first step for his group was to sit down with the internal and external auditors, business managers, operational risk managers, and identify key processes.

“We then made sure we had the right operational process, with all the key risks and control procedures identified and then populated the risk and control procedures on the Horizon application.  Business Managers were integral in the development of the Horizon templates.  They know how their business processes work, and clearly take ownership. This team effort creates a great process,” Mr. Macklin notes.  General Audit also leverages the risk assessment templates and utilizes Horizon to record their recommendations.

These risk assessment and compliance process items are reviewed formally twice each year, along with continuous assessment of review triggers such as an acquisition or business relocation, which prompt immediate review of the templates. The self-assessment process also supports Management’s annual affirmation of the control environment as required by FDICIA.

The content for these self-assessment templates is key to this or any such application, a fact that highlights how adaptable bank operational risk applications like Horizon can be to any number of situations, including non-bank risks.

Mr. Spielmann cites an example related to a business acquisition as follows:  For any new business acquired, a customized template can be developed on Horizon, identifying key business risks and control procedures.  An assessment can be performed to determine opportunities for improvement and develop action plans with accountable parties and resolution time frames in the early stages of integrating the acquired business.  The results can then be evaluated on a continuing basis to ensure timely remediation.

A corporation looking to manage risks specific to its business, notes Mr. Spielmann, could go through a similar process with senior management and the Board to construct a template for Horizon to conduct this sort of self-assessment. The latest version of Horizon has been optimized for Sarbanes-Oxley internal control compliance with this in mind.

RiskMetrics, a different approach

This, however, is corporate use of RiskMetrics in reverse. What made JPMorgan’s RiskMetrics so popular for corporates seeking to follow bank practice on value at risk disclosures for derivatives was that JPMorgan provided easily accessible, name brand data sets. These they could download and plug into their own spreadsheets or internal applications, creating a quick fix to comply with new SEC rules. 

Here corporates are getting an application, but limited content.  Indeed, they have to develop the templates to collect the data on their own. There is no quick fix for Sarbanes-Oxley.

Horizon competes not only with other bank and non-bank operational risk management applications, but also countless internally developed self-assessment/scorecard spreadsheets (e-mailed) or web-based database applications which provide less elegant solutions.  Corporates should consider the cost/benefit of applications such as Horizon before they build their own web applications.

With the stakes so much higher, name brand off-the-shelf solutions might provide more comfort than internally developed applications, especially for Corporate Boards and shareholders. In today’s environment, controls that prevent reputational risk and ensure effective Corporate Governance standards are applied are certainly something Corporate Boards would be interested in. This clearly presents new opportunities to market the Horizon application.

Looking forward, JPMorgan Chase is developing a process that will integrate the key Operational Risk Management tools it currently utilizes, such as Horizon self-assessment, operational loss data collection, capital allocation and key risk indicators. Says Macklin, “Integrating these tools will further enhance and link the firm’s operational risk analysis, monitoring and reporting capabilities, which we believe will positively impact results.”

 


All rights reserved. Copyright © 1999-2004 The NeuGroup, publisher of TreasuryCompliance.com