A Bid for Operational-Risk Data Aggregation and Standardization

Paul Ford brings an engineering mindset to solving a longstanding problem in operational risk management. His strategy: Aggregate risk and control data for the entire banking sector in a large-scale data network.

His goal is to have that network managed by Acin, a London- and New York-based company that Ford, a former Barclays and Credit Suisse executive, founded in 2018 and serves as CEO.

“We aim to bring the same kind of engineering and quantitative discipline we see in the markets and credit risk areas of banks to the operational risk area,” Ford says.

To date, 13 banks have signed on to the Acin shared data platform - referred to as a risk defense network - including trading divisions of Credit Suisse, Standard Chartered and SociÉtÉ GÉnÉrale. Other participating banks, based in the U.S. and Asia, have not been disclosed.

Data on the network is anonymized and standardized for the purpose of establishing operational benchmarks. Monitoring of the data is aided by a unique identifier - akin to a barcode - which is where Acin gets its name. It is an acronym for advanced control identifying number.

The objective is to identify risk and control gaps or shortfalls as well as best practices among participating banks; share that data with bank clients on an ongoing basis; and continuously curate information on new risks and controls, based on customer inputs and market events.

“What we are aiming to provide is what highly trained airline pilots have - a whole collection of checklists they can refer to, if something goes wrong,” along with operational standards, Ford explains. For Acin's bank users, that means a centralized database of control designs that have been mapped to risks faced by individual businesses or functions and based on the Basel II framework.

There is power in numbers, overcoming the inherent limitations of banks working with their own, individually designed frameworks in what Ford calls an “artesian process.”

“People at one bank thinking about what can go wrong only get so far in identifying all of the operational and control risks,” he says, with gaps of 20% to 30% in terms of practices and knowledge in a firm's risk and control environment when they first sign up for Acin.

Rising Costs

The service comes at a time when operational and non-financial risks are of growing concern, as reflected in high-profile theft and fraud losses reported in 2018. They include $12 billion at Anbank Insurance in China, $5.5 billion at PrivatBank in Ukraine, and $2.2 billion at Punjab National Bank in India.

Other service providers are responding to the demand. Northern Trust, for example, recently expanded its Front Office Solutions product set to include operational risk management solutions, enabling asset owners to review and assess the operational strengths and risks of investment managers.

SAI Global says it has designed its SAI360 for Financial Services software to make it easier to detect and respond to operational and compliance risk across bank silos and “outpace the acceleration, complexity and connected nature of risk and regulations.”

Instead of selling a software suite, Acin profits by providing data “libraries” on operational risk as part of a subscription service with periodic updates. Acin does not provide consulting services.

Its data standardization and peer-to-peer matching process is facilitated through the use of an AI-powered neural network, Ford says. Early on, the matching was conducted by industry experts, but the artificial intelligence saves considerable time and effort.

Industry-Wide Benefit

Before starting Acin, Ford spent eight years running Anchura Partners, a consulting firm that advised on operational risk and control issues. He and other top Acin executives with investment banking backgrounds - Ford was COO of the ultra high net worth business at Barclays Wealth, and COO to the CEO in EMEA at Credit Suisse - came to the conclusion that a more engineered and quantifiable approach to non-financial risk management would benefit the entire banking system by allowing for peer-to-peer comparisons of practices, processes, and data.

“I saw how important reference data and standardization was, and the benefit of having one unique identifier for data,” Ford says. However, in the earlier days of electronic trading, he did not see this approach being applied more broadly across non-financial risks.

“Thus, the idea of a unique identifier affixed to the operational data we collect became the core of our solution,” Ford says. That allows for mapping of control designs to a range of risks, in turn allowing banks with access to the Acin network to compare and contrast these approaches internally.

ORX Database

Operational risk experts say that Acin's goals are admirable, though the company is not the first to pursue them.

“Every educated attempt to standardize and diffuse best practice in operational risk management is welcome,” says Ariane Chapelle, an operational risk consultant and author of Operational Risk Management: Best Practices in the Financial Services Industry. “Likewise, collaborative initiatives that encourage firms to exchange experience and expertise should be favored and appreciated.”

There are other data aggregators such as the Operational Riskdata eXchange Association (ORX), which was founded in 2002 and has more than 80 members “who gather and collate operational data from financial firms and provide lots of benchmarks,” Chapelle says.

ORX says its platform provides for the anonymous and secure exchange of high-quality data in the banking and insurance industries. It maintains a database of more than 600,000 loss events and has devised reporting standards that, ORX says, are freely available and support operational-risk event collection. The system “ensures our members receive data of a comparable standard and in an agreed format,” according to ORX, which in October plans to introduce a new, standardized taxonomy for easier benchmarking and peer comparisons.

Statistical Requirement

Michael Pinedo, Julius Schlesinger Professor of Operations Management at New York University's Stern School of Business, says the aggregation and standardization of banks' data “is a valid approach,” but any such effort needs to be assessed regarding the technical details and the degree of statistical expertise employed.

“Statistical expertise is critical when you analyze operational data and have to do comparisons,” he says. “Some of the people involved should be very good statisticians.”

Pinedo points out that when banks participate in a data sharing consortium, it is not so much to assess “everyday” events, but rather to study tail events, those of high severity and low probability.

“If you are a large bank, you have enough data to understand the regular mishaps,” he adds. “The problem with tail events is that even the big banks do not have enough data to effectively assess” their probability or nature.

Pinedo notes that many large foreign exchange departments already exchange operational data to a certain extent to ensure smooth, glitch-free trading, because it is in their mutual interest to avoid “serious operational problems.”

Key Indicators

Bernard Donefer, an adjunct associate professor of information systems at the NYU Stern School who has consulted and taught classes on risk management for financial firms, says Acin will face challenges in collecting operational data and growing its business, in that “if you are a bank or financial institution, you do not want anyone to know that there is or might be a problem in your operational and risk controls.”

To him, Acin's effort resembles RiskBusiness KRIex, a membership service for libraries of key risk, performance and control indicators (KRIs, KPIs and KCIs).

“There are lots of sources for the comparison of operational data, but the real challenge for banks is in getting employees to act quickly when problems do come to light,” Donefer says. He points out that the big Equifax, SWIFT and Target security breaches were attributed to vulnerabilities that were known but were not addressed in a timely fashion.

The key, Donefer asserts, is in identifying risks that are not easily discernible in the data, do not have a history, and thus are not readily predictable. “What are the indicators that will tell you if you have a rogue trader or not?” he says. “And what precisely is the Acin benchmark based on?”

Curation and Comparison

According to Ford, Acin's is a curated benchmark based on a combination of factors. It includes the high standard of operational practices acquired by his previous firm over eight years, as well as input from external experts. These sources have helped to build the first version of the benchmark in what he terms “a top-down process.”

It is then compared to the aggregated data from the client banks, allowing Acin to assess and note any lapses or best practices for inclusion in the final benchmark, but allowing for adjustments as more data is collected and compared.

“We curate the data on an ongoing basis,” says Gaspard Biosse Duplan, head of technical sales at Acin, also formerly of Barclays.

Also critical, Duplan says, is Acin's unique identifier's ability to map a considerable number of data points applicable to specific risks and controls. Thus, a firm can respond authoritatively when a regulator asks it to show the controls for a specific type of risk, and can do so for various jurisdictions within the firm.

“The benefit that firms get up front from Acin is that they get a benchmark of all their risks and all of their controls, based against their peer group,” Ford says. “They can see what they have and what they are missing.

“But we don't just give them a score. We also give them the answer and the data that they are missing, so that if you are missing 10 controls, we give firms those 10 controls and the 10 risks they may not be aware of, with information about what they need to implement.”

New risk and control data would go to subscribers as regulations change, or as best practices in the market shift.

Expansion Plans

Ford says that Acin is currently focused on gathering data in foreign exchange and algorithmic trading and plans to move on to the asset management business later this year. Wealth management, retail banking and corporate banking are to follow.

As the operational data network grows, Ford foresees a time when outside credit agencies might develop a control rating for banks. They could gain leverage in their dealings with regulators and perhaps ultimately reduce their capital requirements. In 2018, for example, JPMorgan Chase & Co. chairman and CEO Jamie Dimon noted that the bank was holding nearly $400 billion in operational risk-weighted assets.

Ford says, “This is all about having a common set of standards and a common unique identifier that allows everyone across the banking industry to compare and contrast, employ a quantitative approach, and have a complete understanding of their risk environment.”

Katherine Heires is a freelance business and technology journalist and founder of MediaKat llc.