By Meredith Gibson, head of legal risk, Santander UK, and Helen Pykhova, director, The Op Risk
As operational risk practitioners, we tend to complain that the regulation is not prescriptive enough. Can the regulators provide a definition of conduct? What are the expectations on operational risk appetite and tolerance? What is emerging risk?
The reader may agree that our well-known, well-read regulatory guidelines on operational risk are mostly high-level in nature. The Mifid discussion paper is radically different. While essentially aiming to address the management of operational risk associated with algorithmic trading, and making reference to the high-level EBA/CEBS "Guidelines on the management of operational risks in market-related activities", it is very prescriptive.
For example, article 48(12) establishes a requirement for trading venues to conduct a 'self-assessment', which 'should be subject to sign-off by the management body and is to be reviewed at least
Listed further on are elements that should be taken into consideration in undertaking the self-assessment, including the extent to which the firm relies on third parties, its ownership and governance structure, the level of experience of its personnel, etc.
Is this 'self-assessment' in fact our RCSA, the Risk and Control Self-Assessment? Can we then rely on and build on the existing RCSA process?
Most firms already have to live with at least two risk assessment methodologies: one designed by the operational risk department and another by internal audit. It is quite rare that these two functions are fully aligned, so in the majority of cases business units have to tune into two different approaches. It is not uncommon to have a third one introduced by the compliance department.
Are we running the risk of generating an industry of inconsistent assessments, which would be impossible for firms to follow? If a firm has already decided on the frequency of its operational risk assessment, for example annually or upon trigger, this will create an obligation to have a two-stroke system: one cycle for its trading and associated systems, and another for all other processes. Presumably this will also have a knock-on effect on resourcing
Another interesting point is the emergence of the somewhat new profile of the 'risk and
The risk control function is required to run a validation process of all systems and algorithms and report back to senior management.
Risk control personnel may be involved in approving exceptional deals blocked by the firms' pre-trading controls; it is still to be confirmed whether these are the same risk control staff or a different risk management
Furthermore, there is an expectation that there will be someone in a risk control function monitoring algorithmic trading in real time, who will be accessible to both trading venues and the regulator.
The question arises on the rather unusual profile of these risk control employees – what type of person are we looking for, able to understand and monitor the algorithms, sign off on exceptions and at the same time possess the necessary communication skills to be accessible to
It is worth noting that compliance is expected to be 'kept aware' of the results of the validation, exceptional deals, etc., rather than to approve and sign off. The inference is that our new risk control function may take over some of the responsibilities currently sitting with compliance. The national competent authority will want to see the risk controls in place for algorithmic trading and direct market access, and the internal policies covering a broader range of trading activity.
A final point is on the further guidance yet to come. Central counterparties (CCPs) and trading venues will be required to manage their operational risk in line with regulatory technical standards that are yet to be developed, and with their own risk management frameworks.
The principal concern is around the granting of access to firms and, specifically, defining the circumstances under which a CCP or trading venue might wish to deny access on the grounds of excessive operational risk.
One presumes that considerable knowledge of an applicant's employees, processes and systems might be required in order to fully assess the potential risk to the CCP or the trading venue. That knowledge is likely to encompass the ability to operationalise the tracing of margin and collateral along the entire supply chain, as well as the contractual coverage of these
Can we be more consistent, even in language? While addressing this topic, the discussion paper refers to 'the anticipated operational risk…exceeding its operational risk design'. We are used to the appetite and tolerance concepts and have yet to understand what monitoring of operational risk against the design means and how it is different.
The concern also arises in the clearing relationship between clearing member and client, where Esma expects the clearing member to "make a proper initial assessment of any prospective clearing client according to the nature, scale and complexity of the prospective client's business". This assessment includes the client's internal risk control systems. It is unclear whether a contractual representation would suffice or whether there is an expectation by Esma of some kind of audit, but one would suspect the latter given the kind of
In short, Esma has an expectation that any firm engaging in "risky" activity – algorithmic trading, allowing a firm's systems to be employed for direct electronic access, engaging in clearing and provision of a trading venue – will need to control operational risk in a granular fashion with new risk controls
There will need to be new documentation, both legal and internal policies/procedures, new resource functions and new identification of algorithms and strategies. This will be difficult to implement operationally, both in terms of current resourcing constraints and in current systems. Will we see the same increased resourcing of operational risk functions as we saw with
At the time of writing this article, we reached out to several operational risk colleagues in the industry to enquire whether anyone had read the document. Unanimously, the answer was 'No'.
While the time to respond to the consultation has now run out, we urge operational risk practitioners to read the paper, understand its implications and actively join in the implementation when the final document comes out – to align existing operational risk practices, to the extent possible, with the new requirements introduced by the paper.
Content belongs to RegTechFS. For the original please