How sturdy can a bamboo bridge be? The front page of a new Guide from The Alternative Investment Management Association consists of a photo of a bamboo bridge, apparently on a beach, as seen from below. That is, this is the view of someone on whom the bridge would fall, if it were to fall at all. Yet, reassuringly, the bridge looks well-designed and secure.
The photo is an apt one for the new release, a Guide to Sound Practices for Operational Risk. Although earlier AIMA guides have discussed some of the specific risks that come under this broad umbrella, such as cyber security and business continuity management, this is the first guide from AIMA bringing all such risks under one heading.
The CEO of AIMA, Jack Inglis, said in a statement, “Operational risk is an increasing focus of investors and regulators alike. Both of these groups will expect managers to have sound operational risk frameworks and will also be expecting next generation managers to be progressing along the spectrum of increasingly sophisticated approaches as they grow.”
The Definition from Basel Tweaked
The Guide begins with a definition of operational risk taken from a 2012 publication of the Basel Committee on Banking Supervision. It is “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.” Then AIMA modifies that a bit, including reputational risk under the ambit of this guide after all.
There are twelve ways that this particular bridge might collapse, that is, categories of operational risks, distinguishable despite the considerable overlap among them. Managers must face them all:
- Trading, execution and market manipulation;
- Post-trading processing – a “critical control function that begins with the verification of trade execution and continues on through … portfolio performance calculations and valuation calculations.” The section of the Guide devoted to this point also looks, for example, at how to deal with corporate actions and proxy voting;
- Counterparty – the section of the guide devoted to this point discusses how managers should detect and carry out due diligence with regard to a counterparty, the calculation and monitoring of credit exposures, the onboarding process for counterparties, and the inclusion of certain key terms in contracts;
- Business conduct and reputation – codes of ethics, issues as to the necessary skills and training for various posts, retention of valuable people, transitional concerns when they do leave, dealing in personal accounts, etc.;
- Technology and cyber security – this discussion includes model risk, data management, and systems risk;
- Business continuity and disaster recovery – this field represents a high priority for both regulators and investors, as the Guide warns, and it includes discussion of disasters that may leave the management team immediately unaffected but strike at a key service provider;
- Internal and external fraud and financial crime protection – nowadays this is a crowded subject matter with a lot of acronyms involved, such as AML, CFT, and KYC (respectively, anti-money laundering, combatting the financing of terrorism, and know your customer);
- Outsourcing risks – includes outsourcing of back office, middle office, and IT functions. In each case, the third party should be the subject of both initial and ongoing due diligence;
- Communications – a manager should be very clear in delegating who has what communications functions on behalf of the team, with regard to regulators and the press, and should have carefully formulated policies on marketing materials, performance advertising, social media, etc.;
- Legal, regulatory, and compliance – this section treats of the compliance infrastructure, registration and reporting requirements, compliance breaches and notifications, adherence to the terms of contracts, adapting to new regulatory requirements, etc.;
- Financial risks – financial management, regulatory requirements attaching thereto, and tax issues;
- Insurance – the final section discusses “the insurance inventory, types of insurance that may be available, and the related regulatory/reporting obligations.”
The new Guide is sponsored by Wells Fargo Securities. In the accompanying press release, Wells Fargo’s Daniel Johnson is quoted saying that small and medium-sized AI firms must “stay abreast of best practices to enhance their operational risk management processes and procedures.”