e-Finance Trends: Business process controls and operational risk management

How do shareholders and investors gain comfort that their investment is sound?

The dividends and stock valuations show the present and projected financial health of organisations.

That is a visible number and tangible. What about soundness of business in terms of quality of assets, the checks and balances and the internal control environment? Is there a tangible way to measure these elements?

We have seen very many organisations in the past which crashed in spite of sound financial strength, clean audit reports and strong market outlook.

It was possible for a few individuals to exploit the weaknesses in the control system and that was sufficient for the organisation to collapse.

There was no second chance and banks considered sound for long were wiped out overnight.
They ended up becoming case studies in academic forums.

How do we guard our organisation against such risks? How do we sustain the quality of our risk management posture? Should we have multiple external audits? Should we have more frequent internal audits? Should every transaction be subjected to pre-audit? Will all these additional layers really help?

Unlikely, if the fundamentals are not in place. And the fundamental requirements are strong internal controls closely embedded into processes. Any risk control measure can never be external to business processes.

Talking about business processes, the processes must be efficient and effective in terms of service delivery.

If we are not competitive in terms of our turn around time, we will soon be history.

At the same time, if we do not provide adequate checks and balances in our transactions, in our zeal to maintain best turn around time, we are exposing ourselves to serious control failure risk.
There is serious business risk in leaning towards either extreme.

The issue is to find the right mix of caution and aggression so that we remain competitive in the market at an acceptable level of risk.

And the middle path cannot be the same at the organisation level. It must differ from product to product, location to location and market to market.

What should be the guiding principles of specifying controls in business processes? We must allow the tasks in processes to flow without interruption as far as possible.

We must identify key check-points in process flows where a control step is required for re-verification, where a supervisory check is required to validate that transactions do not violate our business norms.

It must provide adequate authority to stop a transaction from being completed if rules are flouted. These control steps could be in batch or online depending upon the associated risk.

When we design process control systems and risk analysis systems, we must ensure that the controls provide adequate transparency and compliance with any regulatory measure and any form of reporting is based on transparent data. We should be able to identify warning signals.

And all these should happen with minimum compromise on quality and turn around time of service delivery.

At apex level, operations must have enough teeth to enforce processing controls at the transaction initiation stage.

This can only happen by providing independent stature to operations in the organisation structure, where they cannot be influenced by business units.

We have seen banks compromising on fundamental controls like ensuring completeness of loan documentation, independent deal confirmation, facility limit monitoring, facility renewals, and recovery and so on.

Such a situation happens when operations cannot enforce the discipline on business managers to follow the guidelines, or if exception reporting is not taken with the level of seriousness it deserves. All these contribute to weaken the control system.

How do we handle this situation? We must design our processes in such a way that a transaction can never be completed by one unit alone, say the treasury or corporate business group.

The transaction must flow through multiple groups who validate and process the transaction to completeness. Operational transaction flow must be a machine model with no scope for discretion.

The first step is to document the process steps of all activities being performed in the bank. This will help in assessing that adequate controls are built in the system itself.

We need to introduce concepts like service standards, benchmarks, internal service level agreements; we need to be firm on quality of documentation and checking.

And, equally important, we then need to have a mechanism to measure the compliance with standards, and benchmarks.

Technology can greatly enhance processing control by introduction of end to end straight through processing and electronic approval. The disjointed processes between front offices, middle offices and back offices increases the number of transcriptions and associated risk.

Multiple systems, documents and entries result in a larger number of checking and reconciliation, since chances of slippage, error and frauds remaining undetected increase.

Operational risk management has become a subject of prominence due to many related developments in the last few decades - banks collapsing due to control failure and frauds, short term urgency of banks to be more profitable than stronger, and technology prominence increasing drastically in business models. How does all this impact our risk profile? We will continue our discussions next week.

The author is Assistant Ganeral Manager of Doha Bank.