by Richard Marulanda
DTCC recently appointed Andrew Leonard, a longtime financial industry veteran, to the position of managing director and head of Operational Risk, reporting to Donald F. Donahue, DTCC chairman and CEO. Leonard spoke to @dtcc, explaining how operational risk has evolved over the last decade and how DTCC is enhancing its focus on operational risk in the wake of the global financial crisis.
How would you characterize operational risk as it relates to the current state of the industry?
Operational risk is an extension of your business and a critical element for understanding it. In running a business, it is essential to know and manage your market and credit risk implications. Until the last decade, too many firms were blind to operational risk. Now, as the financial industry begins to better understand the recent financial crisis and looks for ways to strengthen our market infrastructure, it is critical for an organization like DTCC to re-examine the role it plays in mitigating all risks for its customers and the financial system at large.
DTCC has a proud tradition for prudent management of operational risk. In your experience, how has operational risk evolved over the years?
While operational risk has always existed in business, it didn’t come to the forefront as a discipline until the early 2000s during the advent of Basel II, which re-configured capital requirements to help manage market and credit risk. At that time, many banks and firms focused solely on capital and the importance of calculating capital requirements to help manage risk. But by mid-decade, an industry dialogue began, setting the stage to better understand operational risk and the role it plays in the capital requirements equation. To that end, the elements of an operational risk framework took shape, outlining the need to initiate an assessment process to determine potential risks, as well as the need to capture and analyze data – both of which are essential for calculating, managing and mitigating risk.
What actions has DTCC taken to strengthen its focus on operational risk?
Driven and shaped by lessons learned from the recent financial crisis, we are in the midst of a transformation at DTCC that will enhance our approach to operational risk and build on our existing operational risk structure. Working with regulators, partners and employees, we are improving our risk management operations – overhauling how we think about, oversee and manage risk.
To accomplish this, we are working closely with Ernst & Young to formulate a detailed vision of our upgraded operational risk capability. We have vetted this vision with our Management Risk Committee and additional working groups, and it serves as the basis for a detailed action plan that is already underway. The plan builds on our past efforts, and also ensures that we are more systematic and disciplined in carrying out all of DTCC’s operational risk activities. The work ahead will enable us to put a new process in place and have a dialogue with the senior management and the business areas. This dialogue will help them better understand the risks and make the most informed business decisions.
What will DTCC’s new risk model look like?
We are bringing more structure to our risk model and sharpening our approach to risk. The model takes a “three-lines-ofdefense” structure, which is used by many large financial firms.
Could you walk us through this model and explain how it applies to DTCC?
Our individual business lines are the first line of defense. This includes Product Management, Operations, Information Technology and other business areas that own and manage operational risk. It is their responsibility to identify and measure risks that affect their businesses, and judge how effectively the risks are being controlled. In order for this first line of defense to be successful, it needs a clear view of the risks and an operating mechanism that measures and assesses those risks. Our strategy aims to put together an operational risk framework that helps the business areas identify, measure, mitigate and ultimately manage their operational risks, which is essential in helping them make the best business decisions. Therefore, we are putting a great deal of emphasis on the first line of defense in the coming months.
Our second line of defense rests with specific risk control areas – the enterprise and operational risk management areas of DTCC. To that end, one of my primary responsibilities since joining the company has been making sure we have an appropriate process in place to identify those risks, and having frank conversations with members of the business areas to determine which risks we can accept and which risks we need to mitigate more effectively.
The third line of defense is internal audit. We are actively working with the Internal Audit department to help create an environment that is better able to self-identify risk issues, further strengthening our first line of defense and our overall risk management program.
What will be your primary focus as you lead DTCC’s enhanced operational risk initiative?
My priority is to oversee myriad enhancements that will help DTCC achieve the highest standard of excellence in operational risk management. A key to having a highly effective operational risk capability requires that we get the right technology and database in place so we can more efficiently capture and centralize all the operational incidents we track and collect. The right technology will enable us to standardize and streamline the data collection and assessment process, making it easier to evaluate the risk profiles of the business units. Another priority is making sure our teams are prepared to execute the framework. It takes a talented group of individuals to assess the data and work with the business areas to help identify potential risks. I’m also focused on getting policies and processes in place for incidents, issue tracking and assessments.
When do you expect the new framework to be in place?
DTCC started implementing the framework before I joined the company and I anticipate that the entire framework will be in place by the latter part of 2011. However, that will not signal the finish line; rather, it’s the starting point. I’m very aware that this is a project with no end point. This timeline for implementing the framework just sets the foundation. The real work is yet to come and will begin when we engage the employees of the organization to transform DTCC’s operational risk management program. The framework will help us identify the data that we need to collect, and the technology will allow us to efficiently analyze that data, but it is the employees’ industry knowledge, expertise, creative thinking and determination that will ultimately lead to our success. @