The experiences (and resulting systems/processes)
that banks have developed in order to deal with Basel I
and Basel II are of relevance to corporate treasurers
today, as they attempt to manage the new
compliance/control requirements of Sarbanes-Oxley as well
as broader scrutiny of earnings/results.
With this in mind, it’s useful to review how banks
have handled the challenge, and are planning to utilize
their know-how in the area of system and process
management.
JPMorgan was in the right place at the right time
with RiskMetrics (since spun off) to help firms deal
with derivatives-related rules for disclosure and
controls (value at risk).
Now, as the disclosure and control focus has
broadened, the bank wants to be there again with
Horizon, its web-based tool for internal risk control
and self-assessment.
Horizon appears tailor-made for the internal control
rules mandated by Sarbanes-Oxley, especially if firms go
beyond basic compliance to implement enterprise risk
management frameworks, such as those suggested by the
new COSO draft.
It is also in line with Basel II’s qualitative
measurement prescriptions for operational risk
management, which suggests corporates seeking internal
control guidance have another source of best practice
recommendations to draw upon.
Indeed, compliance is all about risk
management. “If you look at Basel II or
Sarbanes-Oxley, the point of the regulations is for
firms to better manage risk,” notes Craig Spielmann, VP
and Executive in charge of Horizon for JPMorgan Treasury
Services. He notes that the aim is to create transparency
for shareholders that senior people are identifying the
firm’s key risks, showing what they are doing to
mitigate these, and when these mitigation efforts are to
be in place. “It’s about how effective you are at risk
management, as much as about how you are managing risk.”
Self-assessment is an important measure of risk
management effectiveness.
Horizon, like RiskMetrics, was born out of an
internal bank tool to help JP Morgan assess operational
risk across its businesses. It is also one of many
operational risk tools out there oriented toward banks,
or internally developed by banks, seeking to comply with
Basel II’s internal ratings based approach (IRB), in
particular the Advanced Measurement Approaches, in
order to reduce their regulatory capital
requirements.
Control and risk self-assessment is a key component
of the qualitative measurement requirements for
operational risk under Basel II. These involve, among
other things:
(1) a review of risk management process goals;
(2) a review of the controls/procedures to meet these
goals; and
(3) specification of corrective actions required and
follow-up on implementation of such actions.
This is the area of focus for Horizon.
Horizon uses the traffic light approach to
self-assessment, common with internal control cum
operational risk/enterprise risk applications offered by
audit firms and consultancies, calling upon users to
select their risk concern according to red (most
dangerous), yellow, green, blue (not applicable).
However, where it seeks to differentiate itself from
traditional internal audit tools is its orientation
toward risk management ideals: effective, on-going risk
mitigation in support of business goals. Clearly,
though, traditional internal audit tools are moving in
the same direction, guided by the new
COSO draft, following the banks’ lead in their
approaches to operational risk management.
According to Barry Macklin, head of Operational Risk
Analytics/Financial Risk for JPMorgan’s Treasury &
Securities Services (T&SS) business, Horizon not only
helps to automate the operational risk and control
self-assessment process but also provides opportunities
to share risk expertise and best practices across
T&SS’ global operations (locations in 39
countries, with 14,500 employees).
Mr. Macklin was an early Horizon adopter outside JP
Morgan: his group within Chase was in negotiation to
purchase the product when the merger with JP Morgan was
announced.
Part of its appeal from his initial customer
perspective was that it provided an automated solution
taking a paper-based process and putting it on the
bank’s intranet. It also has built-in algorithms to
calculate a “score” for comparative purposes, based on
how each risk is weighed (with the traffic light).
By automating the data-collection and “scoring”
process, Mr. Macklin notes, senior risk and business
managers have much more time to focus on analysis: “We
are spending more time analyzing risks than compiling
data.”
The automation facilitates continuous
self-improvement of control processes and sharing of
best practices, and improves the ability to monitor and
resolve action items. For example, for a
particular risk, he may see that one unit indicates that
a process has good controls while another unit with a
similar process in another location needs to enhance
controls. Risk and business managers can now delve
into how to ensure the procedures are effectively
applied globally.
According to Mr. Macklin, the first step for his
group was to sit down with the internal and external
auditors, business managers and operational risk managers,
and identify key processes.
“We then made sure we had the right operational
process, with all the key risks and control procedures
identified and then populated the risk and control
procedures on the Horizon application. Business
Managers were integral in the development of the Horizon
templates. They know how their business processes
work, and clearly take ownership. This team effort
creates a great process,” Mr. Macklin notes.
General Audit also leverages the risk assessment
templates and utilizes Horizon to record their
recommendations.
These risk assessment and compliance process items
are reviewed formally twice each year, along with
continuous assessment of review triggers such as an
acquisition or business relocation, which prompt
immediate review of the templates. The self-assessment
process also supports Management’s annual affirmation of
the control environment as required by FDICIA.
The content for these self-assessment templates is
key to this or any such application, a fact that
highlights how adaptable bank operational risk
applications like Horizon can be to any number of
situations, including non-bank risks.
Mr. Spielmann cites an example related to a business
acquisition as follows: For any new business
acquired, a customized template can be developed on
Horizon, identifying key business risks and control
procedures. An assessment can be performed to
determine opportunities for improvement and develop
action plans with accountable parties and resolution
time frames in the early stages of integrating the
acquired business. The results can then be
evaluated on a continuing basis to ensure timely
remediation.
A corporation looking to manage risks specific to its
business, notes Mr. Spielmann, could go through a
similar process with senior management and the Board to
construct a template for Horizon to conduct this sort of
self-assessment. The latest version of Horizon has been
optimized for Sarbanes-Oxley internal control compliance
with this in mind.
This, however, is corporate use of RiskMetrics in
reverse. What made JPMorgan’s RiskMetrics so popular for
corporates seeking to follow bank practice on value at
risk disclosures for derivatives was that JPMorgan
provided easily accessible, name brand data sets. These
they could download and plug into their own spreadsheets
or internal applications, creating a quick fix to comply
with new SEC rules.
Here corporates are getting an application, but
limited content. Indeed, they have to develop the
templates to collect the data on their own. There is no
quick fix for Sarbanes-Oxley.
Horizon competes not only with other bank and
non-bank operational risk management applications, but
also countless internally developed
self-assessment/scorecard spreadsheets (e-mailed) or
web-based database applications which provide less
elegant solutions. Corporates should consider the
cost/benefit of applications such as Horizon before they
build their own web applications.
With the stakes so much higher, name brand
off-the-shelf solutions might provide more comfort than
internally developed applications, especially for
Corporate Boards and shareholders. In today’s
environment, controls to prevent reputational risk and
ensure that effective Corporate Governance standards are
applied are certainly something Corporate Boards would be
interested in. This clearly presents new opportunities
to market the Horizon application.
Looking forward, JPMorgan Chase is developing a
process that will integrate the key Operational Risk
Management tools it currently utilizes, such as
Horizon self-assessment, operational loss data
collection, capital allocation and key risk
indicators. Says Macklin, “Integrating these tools
will further enhance and link the firm’s operational
risk analysis, monitoring and reporting capabilities,
which we believe will positively impact
results.”