Banking Standards

Written evidence from The Institute of Operational Risk

The Institute of Operational Risk (IOR) welcomes the opportunity to submit its views to the Commission. As an independent professional institute that is unfettered by sectional self interest, we can offer a balanced, objective and risk based perspective on the important issues raised.

The IOR seeks to promote the discipline of managing Operational Risks, and to foster its development and to disseminate and promote knowledge, education and training.

Operational risks derive from failures of people, business processes and systems. Much of what we have seen damaging banks, including the roots of the financial crisis starting in 2007 with the collapse of Northern Rock, derives from operational risk causes, usually either because of individuals or business units acting (at the least) improperly, or because banks have instituted faulty business practices and processes.

We welcome the setting up of the Commission following recent high profile incidents, including the LIBOR debacle. It is vital that the Commission recognise that the recent incidents are rooted in manifest operational risk events inadequately anticipated or responded to and it is vital that proposals for reform are properly targeted to reduce the possibility that failures by people, processes and systems will again threaten banks and their clients.

We would like to comment and make proposals on two aspects:

(1) Culture and Conduct.

(2) Regulation and Reform.

1. Culture and Conduct

As a professional institute we have a strong belief in the value of personal codes of conduct providing more awareness of how wrong attitudes can lead to damaging consequences.

Professional codes can play an important role in improving industry standards, reducing the risks arising from misconduct, and helping to restore the public’s trust in the industry. Professional codes can help to promote greater mindfulness, in other words ensuring that management pay greater attention to risk and the potential for failures in their people, processes and systems.

This should be associated with improvements in risk reporting and with measures to enhance the risk cultures of banks, ensuring that they behave in more sustainable ways in the future. Of course, codes of conduct alone are not sufficient to change risk cultures, and the role and leadership of senior management—“tone from the top”—is absolutely crucial here, with the most senior management in regulated firms exhibiting behaviours that demonstrate their integrity, fitness, propriety and suitability for their roles. We believe that training and competence and a broadening of the UKFSA approved persons regime also have important parts to play in improving professionalism in the industry.

Remuneration practices also have a part to play, in ensuring that variable remuneration does not create incentives for uncontrolled risk taking. However, we do not believe that arbitrary limits, ratios or formulaic approaches are helpful, and may indeed create risks rather than reduce them.

2. Regulation and Reform

We wish to make two points in relation to Regulation and Reform. First, the IOR believes that the large volume of regulatory reforms already in train (many of which are not yet implemented) is sufficient, provided they are implemented in a timely and effective way. The reforms have addressed an enormously diverse range of topics including industry structure, capital and liquidity, remuneration, governance, derivatives markets reform, and conduct of business. Effective implementation will be critical, and it would be disastrous to repeat the failures of the past where regulation was either implemented unevenly or not implemented at all, for instance as in the case of Basel 2 implementation in the USA.

In addition to effective implementation, we believe strongly that the success of reforms in practice will require a sophisticated approach to supervision, which places greater emphasis on a comprehensive risk-based approach which is focused on challenging the judgements about management and the business models of regulated firms, and which is focused on the issues highlighted above on training and competence, professionalism and so forth. To this end, we urge regulators, both the new ones in the UK and those internationally, to collaborate effectively on providing a consistent and joined-up approach to supervision via global colleges that is consistent with the G20 commitments that reforms should be internationally coordinated.

Second, it should not be assumed that regulation is a free good just because the costs are not transparent and dispersed widely over the regulated industry. Regulation in detail tends to increase costs of banking, reduce diversity of sound banking services and products, and reduce the ability of UK banking to compete internationally. The IOR is firmly of the view that detailed rule-based regulation leads to an emphasis on meeting the micro letter of regulation (“box ticking”) rather than recognising and ensuring appropriate attitudes, cultures and risk control. A risk or principles based approach is more likely to bring about the cultural and behavioural changes that are necessary.

Not only are there significant costs of compliance and dangers of regulatory capture, but the sheer volume of regulatory change is also a major source of operational risk for regulated firms which must be managed. The volume of policy combined with changes to regulatory frameworks (e.g. break up of the UKFSA, creation of the ESAs and so forth) creates in itself a significant increase in complexity and risk, and any further proposals for either policy or changes to frameworks will need to be carefully weighed against potential benefits.

The Institute of Operational Risk

The Institute was formed in 2004 and has an international membership of managers and practitioners. It works in the field of non-financial risks, generally called Operational Risks, but including other areas of risk sometimes referred to as strategic risk, reputational risk, regulatory and compliance risk and legal risk. It is a professional Institute recognised at its inception by the then Department of Trade and Industry.

Admittance to membership is based on an appraisal of a candidate’s expertise and experience. As a result, membership of the Institute is an independent accreditation of the person’s competences in this discipline and provides the Institute with a membership of great practical and theoretical knowledge at all levels in banking.

Among its activities, probably the most notable and best known outside the membership are a set of Sound Practice Guideline Papers in Operational Risk Management. Thousands of copies of these have been downloaded by people around the world.

The Institute has a website at

21 September 2012

Prepared 19th June 2013