Op risk - or operational risk to the uninitiated - has garnered quite a bit of ink in the past couple of years, particularly in these pages. In one way or another, the ever-increasing complexities of the market and the new breed of systems that now enable the market have both raised the profile of operational risk and made it a moving target. A few short years ago, if you ever heard the term, it was usually a soft-pedaling away from the more common "rogue trader." Those days are long gone. Today the list of categories that fall under the broad header of operational risk is long indeed. From Internet firewalls to deal confirmation procedures to risk controls and system interoperability to, yes, rogue traders, managing such risk calls for a barrage of sophisticated policies and procedures that heretofore many energy companies have all but ignored.

Earlier this week we hooked up with PricewaterhouseCoopers' Tim Schutt and David Chung, both experts in operational risk management at PwC's Global Risk Management Solutions Group for a quick take on current issues and trends as well as some detail on one of the practice's leading services, the Energy Marketing and Trading Healthcheck. It's a comprehensive assessment of financial, operational and technological risks within a trading group.

"These days the big issues in operational risk are pointing to the internet and security. That's not to say that reporting, controls and other transaction and business process flow-related issues aren't important, but the rise of Web-enabled applications and the rapid adoption of these technologies has certainly brought Internet and security issues to the forefront," Schutt says. "That and the huge wave of M&As we've seen in the past few years," Chung says. "Mergers tend to compound op risk, more so than most officers realize. When mergers occur, we find that senior management often gets a bit further removed from the trading operations, because the company is now that much bigger, which means further removed from the risks within the company."

Schutt tells us that one of the primary drivers of the assessment is the uneasiness upper level execs feel about how well they understand the trading group's activities and the adequacy of controls around those activities.

The process varies based on the size of the desk and the overall organization and on how many aspects of the operation clients want to have assessed. For, say, a mid-sized desk of 30 or so traders at a mid-sized utility, a front-to-back assessment might run six to eight weeks.

Chung tells us that apart from a heavy influx of Web and Internet-related issues, basic deal confirmation issues continue to be a perennial op risk problem.

"The confirmation process among energy trading companies, for instance, tends to be a bit lackluster. There is a certain trust in this sector that when you send out a confirmation, if it's not sent back it's an implied acceptance. In the financial sector, this is unheard of. It's a small point perhaps, but a key one."

Briefly, the Trading Healthcheck process begins with an assessment of business objectives in the trading environment, looks at board oversight and the risk management committee (if there is such a thing; if not, they will advise you on how to create one), assesses whether or not the infrastructure has been aligned to achieve the business objectives, and finally digs down to the business process level: a full critique of the front, middle and back office operations.

Out of the long laundry list of areas the Healthcheck framework assesses - risk policies and procedures to financial accounting to technical infrastructure - Chung tells us the one area he can't stress enough to companies is that the confirmation process must be performed by a party which is independent from trading or strategy development. Whether it sits in risk control or in some other middle-office control function, it must be independent. He's seen various instances where the confirmation personnel report to the head of trading. Read: massive conflict of interest.
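The two confirmation points above, silence being treated as implied acceptance and confirmation staff reporting into trading, both lend themselves to a simple control check. The following Python sketch is an added example written for this page; it is not the article's material nor any PwC tool. The names, the reporting chart, the deals and the 24-hour acknowledgement deadline are all constructed assumptions. It shows the weak policy (unanswered confirmations counted as confirmed) beside the stricter one (only an explicit acknowledgement counts, anything overdue is escalated, and an acknowledgement recorded by someone in the trading reporting line is rejected).

```python
"""Deal-confirmation tracker: explicit acknowledgement and segregation of duties.

Added example, not part of the original article or any PwC offering. All names,
deals, the org chart and the deadline below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed org chart: employee -> manager.
REPORTS_TO = {
    "alice": "head_of_trading",   # trader on the desk
    "bob": "head_of_trading",     # confirmations clerk reporting into trading (the weak setup)
    "carol": "head_of_risk",      # confirmations clerk in an independent risk-control function
    "head_of_trading": "cfo",
    "head_of_risk": "cfo",
}

# Constructed policy value: how long a sent confirmation may go unanswered.
CONFIRMATION_DEADLINE = timedelta(hours=24)


@dataclass
class Deal:
    deal_id: str
    trader: str
    counterparty: str
    sent_at: datetime                             # when the confirmation went out
    acknowledged_at: Optional[datetime] = None    # counterparty's explicit acknowledgement
    confirmed_by: Optional[str] = None            # who recorded the acknowledgement


def reporting_chain(person: str) -> list:
    """Managers above `person`, nearest first."""
    chain = []
    while person in REPORTS_TO:
        person = REPORTS_TO[person]
        chain.append(person)
    return chain


def is_independent(confirmer: str, trader: str) -> bool:
    """True only if the confirmer is neither the trader, nor the trader's desk head,
    nor anyone whose reporting line passes through that desk head."""
    if confirmer == trader:
        return False
    desk_head = REPORTS_TO.get(trader)
    if desk_head is None:
        return False
    return confirmer != desk_head and desk_head not in reporting_chain(confirmer)


def confirmation_status(deal: Deal, now: datetime, implied_acceptance: bool = False) -> str:
    """Weak policy (implied_acceptance=True): silence counts as acceptance.
    Strict policy: only an explicit, independently recorded acknowledgement counts."""
    if deal.acknowledged_at is not None:
        if not is_independent(deal.confirmed_by or "", deal.trader):
            return "REJECTED_NOT_INDEPENDENT"
        return "CONFIRMED"
    if implied_acceptance:
        return "CONFIRMED"  # the practice the article warns about
    if now - deal.sent_at > CONFIRMATION_DEADLINE:
        return "OVERDUE_ESCALATE"
    return "PENDING"


def review_book(deals: list, now: datetime, implied_acceptance: bool = False) -> dict:
    """Status of every deal in the book under the chosen policy."""
    return {d.deal_id: confirmation_status(d, now, implied_acceptance) for d in deals}


# Constructed sample book and review time.
SAMPLE_T0 = datetime(2001, 6, 4, 9, 0)
SAMPLE_NOW = SAMPLE_T0 + timedelta(hours=48)


def sample_book() -> list:
    return [
        Deal("D1", "alice", "CP-A", SAMPLE_T0,
             acknowledged_at=SAMPLE_T0 + timedelta(hours=2), confirmed_by="carol"),
        Deal("D2", "alice", "CP-B", SAMPLE_T0,
             acknowledged_at=SAMPLE_T0 + timedelta(hours=3), confirmed_by="bob"),
        Deal("D3", "alice", "CP-C", SAMPLE_T0),                          # never answered
        Deal("D4", "alice", "CP-D", SAMPLE_T0 + timedelta(hours=40)),    # sent 8 hours ago
    ]


if __name__ == "__main__":
    for policy in (True, False):
        label = "implied acceptance" if policy else "explicit acknowledgement"
        print(label, review_book(sample_book(), SAMPLE_NOW, policy))
```

Under the implied-acceptance policy every unanswered deal shows as confirmed, so the book looks clean; under the strict policy the same book surfaces one overdue confirmation to escalate and one acknowledgement that must be redone by someone outside the trading line.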

In the emerging issues category, that is operational risk related to integrated solutions or the Internet, these guys have a virtual ace in the hole.

"We have a group within the practice called Information Resource Protection. You hear all the war stories about companies being hacked. The opportunity is so much more prevalent because these trading groups are using the Web so regularly for just about everything they do. If IT controls aren't in line, from a security standpoint, their operational risk profile goes way up. Consider what might happen to your trading group if some of your Web applications or internal networks were hacked. Think of how it might be an advantage for your competitors. These issues do come up," Schutt says.

When it comes to technology assessment, Schutt focuses on what he describes as the "program change control process": what modifications are being tested and what new software is being brought online.

"In order to provide them a feel for how secure their trading environment is, we might look at the logical security on their network, and we'll run scripts that evaluate weaknesses on an NT or UNIX server, both from an internal and an external perspective, to fill in the holes. When we do these reviews we run 'penetration tests' against a company's firewall, which can ascertain about 500 vulnerabilities that hackers usually manipulate to get in. It's a fully automated tool."

Chung says they also run a similar program on the internal systems to answer the next question: once a hacker is in, what sort of damage can they do?

"We come back with a deliverable that details the findings. It says, in theory this is what a hacker could do to you. We think of the hacker issue as just one more category in the operational risk list. It's become a very long list," Schutt says.

Fortunately for most of you, Chung tells us that the Marketing and Trading HealthCheck can be scoped in any number of ways; it's not just a service for the big boys.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.