New on the Horizon

Tough new regulations like the Sarbanes-Oxley Act and Basel Capital Accord mean that companies simply cannot afford to mismanage operational risk. JPMorgan thinks it has just the solution. Craig Spielmann explains how the Horizon risk-management tool can help companies improve corporate governance and satisfy regulators.

The new Sarbanes-Oxley Act of 2002 and the proposed Basel Capital Accord (Basel II) reflect heightened regulatory concerns over operating risk. Implicit in this concern is recognition that operating-risk exposure has been a key element in recent headlines, including corporate governance and the increased threat of business disruption from terrorism.

Sarbanes-Oxley, which applies to all public corporations in the United States, and Basel II, which covers banks in more than 100 countries, are part of a new wave of regulations mandating that the financial and corporate communities regularly assess their processes to ensure transparency and protect shareholder value.

Heavy fines and even imprisonment for senior executives provide a strong incentive to satisfy the Sarbanes-Oxley regulations. In addition, banks face higher capital reserves under Basel II if they do not use an advanced measurement approach. But beyond this, the severe impact to businesses – and even economies – from recent events impacted by operational-risk exposure and loss has created a new sense of urgency within the business community. As a result, institutions are scrambling to find solutions to better understand, manage and mitigate their operational risk.

Changing culture, defining criteria and creating transparency

The most challenging part of implementing a successful risk-management process is changing the corporate culture to be open and mature. Some people worry about their images and want to hide the fact that their corporation is in danger from an activity in their area. They are able to do this because their corporate culture does not have a robust assessment and risk-management process. Also, they may not have a vehicle to understand truly how to communicate concerns to senior management.

Defining risk implies that one has an idea of where to take his or her corporation. This challenges people to face up to the real risk of doing business, setting criteria to performance expectation, which is not always easy. In addition, having good criteria to judge risk-management effectiveness requires some hard thinking about the business. The criteria defined must be relevant to focus senior executives on tractor-trailers heading their way rather than tricycles. This means an organisation needs to have a cohesive process to focus management on critical risk whereby it only invests in gaps that could have a substantial impact on the business. Often this necessitates a cultural change from reaction and blame to a level of true proactive risk-management and transparency.

Creating risk transparency in an organisation is a critical goal. An organisation must create a common understanding of strategy and action at all levels. Employees must understand where management is placing emphasis so that they can focus their priorities. By the same token, management must understand where the weak links are in the chain of operational risk so that appropriate actions can occur at the right level to address gaps. Lastly, as an organisation comes to terms with the need to create better risk managers and to have a defined risk framework, it needs to deal with the execution. How does it manage data across the enterprise? This can be a daunting task. The goal is to enable management to act on factual information, rather than anecdotal evidence, in the most efficient way possible.

JPMorgan has developed a web-based solution that addresses these challenges. Aptly named JPMorgan HorizonSM, the operational-risk management tool can help transform a corporation’s culture and create transparency to improve corporate governance and risk management. Horizon is based on business self-assessments and audit review, which helps management and staff better understand their gaps and the commitment they should make jointly to achieve excellence. It also helps perform self-assessments that identify gaps, set action plans with assigned responsibility to address those gaps, and monitor progress.

A triangular approach

JPMorgan Horizon approaches risk management from three angles. First, self-assessment enables individual departments to test control procedures against an established template, rate their own level of compliance, develop action plans to address gaps, and monitor progress. Next, auditors test the validity of the self-assessment to ensure accuracy. Finally, key performance indicators act as a management control by quantifying and tracking the organisation’s risk-management performance.

As a web-based system, Horizon enables universal access to, and sharing of, information. The tool enables all appropriate staff to gain access to the same fact-based information and lets management view information concerning remote locations. This promotes decision-making based on fact. It also facilitates sharing of risk expertise and best practices across an organisation.

Horizon creates transparency by enabling senior management to get an organisation-wide view of operational risk. It also delivers flexibility to view the information from different perspectives, including regionally, globally and functionally. Management can even drill down to the level of a specific individual. This ensures accountability by helping managers to understand the status of operational-risk management for each key activity globally and to monitor progress against action plans. It can facilitate a clear understanding of priorities and strategy, which helps to align strategy with execution.

Finally, Horizon presents a streamlined approach to understanding corporate governance and managing operational risk. The process is easy to adopt, exceptionally user-friendly and efficient. As a result, Horizon can reduce drastically the time involved in making assessments. This aids staff in finding a balance between meeting commitments to address risk issues and reporting to management with current information and, at the same time, maintaining focus on revenue-generating activities.

Horizon also gives businesses the ability to measure risk in new ways. For example, organisations can use it to quantify the cost of potential losses should risks fail to be mitigated. They can also use it to support activities related to business growth, such as the due-diligence process for a merger or acquisition. Through efficiency gains and attention to operational risk, Horizon can position an organisation to gain a competitive advantage. It is also a practical tool for allaying concerns of regulators and addressing their requirements. For example, JPMorgan plans to use Horizon internally to satisfy requirements under Basel II, following the advanced management approach for allocating capital.

By facilitating the efficient integration of operational-risk management into daily business activities, Horizon promotes a consistency and discipline that enables cultural change. It provides cost-effective and sustainable processes that help ingrain proactive risk management at all levels of an organisation. This supports an institution in focusing appropriate resources on strategic, risk-related priorities, such as business-continuity readiness and disaster-recovery planning. Managing operational risk has become a normal part of conducting business day-to-day. Today’s realities demand nothing less.

Craig Spielmann is Horizon business executive for JPMorgan Treasury Services in New York.