In mid-June, Acin – a data standards firm for operational risk and controls – announced that Credit Suisse, Standard Chartered Bank and Société Générale had joined its collaboration community, the Operational Risk Defence Network Model. Their arrival brings the total number of tier one banks working with Acin to 12.
The name of the company, Acin, derives from the unique identifier that it assigns to each risk and control combination, the ‘advanced control identifying number’. “That’s how we get to the network defence model,” says Paul Ford, CEO of the London-based company. “Each bank on its own has unknowns at an organizational level, because they are thinking about [risks and controls] in a unilateral way. We allow banks, as part of the network powered by the Acin code, to be able to effectively collaborate through us with their peers, and share that data through a central hub. What then happens is when they first synchronise, the banks improve the quality of their risk identification and all their controls.”
Ford goes on to explain: “On an ongoing basis, if Bank A finds a new risk that no one has ever thought of before and a control, they’ll send that to us. We will evaluate it, and if we agree we will make sure it’s the right quality and so on and then we’ll publish out to the rest of the network, which means Banks B, C, D and E will all benefit from the network effect. The unknown unknowns are all driven out at the individual bank level to the network level. As we bring more banks on board, the probability of the member banks or the regulator not having thought of something decreases further.”
Ford talks about turning the process of identifying and monitoring risks and controls from an ‘artesian’ process in which each financial firm would have to create a framework for itself, to an ‘engineered’ one, where best practices are adopted by all member firms. The company is building out risks and controls with its member firms for investment banking, and work is beginning on asset management. Next on the list are other business lines, such as wealth management, retail banking, and corporate banking.
Returning to collaboration
The early days of the operational risk discipline, back in the 2000s, were marked by high levels of collaboration within the industry and with regulators. All parties were trying to understand what operational risk was, and how it should be managed as well as regulated. Operational risk loss databases emerged out of this era, for example.
Today, banks are turning to new solutions to manage both operational risk and resiliency in the face of a fresh crop of challenges. Since the financial crisis of 2008, levels of op risk capital have risen significantly. For example, in his 2018 letter to shareholders, JP Morgan Chase CEO Jamie Dimon noted that the bank was holding nearly $400 billion in operational risk-weighted assets, which translates into more than $40 billion of equity for ‘assets that do not exist’. Firms are also having to deal with the accelerating pace of change in both emerging risks, such as cyber risk, as well as new regulations.
Bank supervisors are becoming supportive of more industry collaboration. Regulators from the Bank of England’s (BoE’s) Prudential Supervisory Authority (PRA) spoke in glowing terms about the potential for more collaboration within the op risk discipline at a recent industry event, says Ford. At the conference, PRA deputy CEO Lyndon Nelson also announced that the BoE would be publishing a report that emphasises how valuable collaboration could be for firms seeking to improve their operational resilience.