February 2010 The RMA Journal

Operational Risk

52

California inventor edward Simmons once observed that the difference between failure and success is doing a thing nearly right and doing a thing exactly right. There is little room for error in banking. Operational risk sums up the risk to earnings stability, capital, or franchise value as a result of problems with service, product delivery, expected and unex-pected effects from the introduction of new technologies, the pace of technology advancement, and technological obso-lescence. Operational risk is further impacted by employee integrity, internal controls, and operating processes.

The Federal Reserve defines operational risk as the risk that unexpected losses will result from operational prob-lems; from technology failure, change, or obsolescence; from breaches in internal controls; from internal and external Re

ha M

aRk/

Shut

teRS

tock

by Marge Jaketic and dev StriSchek

Total Operating ExposureA Balancing Act

••Treasury management and demand deposit account products carry both operational risk and credit risk. Total operating exposure can help quantify, approve, and control the risks.

The RMA Journal February 2010 53

overdrafts are usually pre-approved either with a daily cus-tomer overdraft limit or on a per-transaction basis by a bank officer with sufficient DOD approval authority. Wire transfer pre-approved credit/daylight overdraft credit limits (lines) typically are approved through normal credit-approval channels because the customer often is also a borrower.

3. Overdraft pay codes (limits). A bank may decide to permit some overdraft activity to occur automatically up to a limit set by an overdraft pay code. However, overdrawn deposit account exposure is unsecured credit exposure, so the limit typically is set at the loan officer’s unsecured lending authority.

These codes are usually established each time a new demand deposit account is opened. Items presented against the DDA up to the approved overdraft pay code limit are processed without further approval, but overdrafts that exceed the limit set for the overdraft pay code have to be approved by someone with sufficient authority.

4. Renewable memo post credits (RMPC). This service temporarily increases the available balance in a customer’s DDA for a single business day until the renewal expiration date. The RMPC usually increases the available balance in the client’s DDA at the beginning of each business day, and it expires at the end of each business day until the RMPC is deleted or it expires, whichever comes first. This feature generally is restricted to creditworthy customers where funding is assured. Memo credits may be applied for a variety of acceptable reasons, such as avoiding check-cashing problems at teller lines or for clients possessing zero-balance accounts.

fraud; or from unforeseen catastrophes. Operational risk does not operate in a vacuum. In fact, it frequently overlaps with credit risk. A borrower with an overdraft is both an operational risk and a credit risk. Consequently, this article views the review, approval, and mitigation of the risks for several popular treasury management and demand deposit account products as both operational risk and credit risk. The tool used to quantify, approve, and control the risks is total operating exposure (TOE).

TOE DefinedTOE is the aggregate of all credit risk exposures associated with treasury management (TM) and demand deposit ac-count (DDA) products and services for a legal entity or bank customer. Certain TM and DDA products and services warrant credit risk evaluation because of the potential risk exposure that arises whenever bank funds are extended, committed, invested, or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet. The following products and services generate both operational risk and credit risk:1. Automated Clearing House.2. Wire transfer pre-approved credit/daylight overdraft

limits. 3. Overdraft pay codes.4. Renewable memo post credits.5. Provisional credit/delayed debit—cash services.

Let’s examine each of these five components of TOE.

1. Automated Clearing House (ACH). Credit risk evalu-ation of ACH is necessary because incoming (debit) files and outgoing (credit) files are processed up to the approved credit and debit limits without further approval and without verifying that DDA funds are available to cover an outgo-ing file. A maximum total risk exposure (MTRE) amount for ACH can be calculated by adding the total expected exposure of all credit files/applications and of all debit files/applications. This exposure reflects all ACH activity for each relationship across some period—say, three business days. From this data, a single debit or single credit exposure limit can be established for each client.

2. Wire transfer pre-approved credit/daylight overdraft limits. A daylight overdraft (DOD) occurs when debit transactions processed against a deposit account exceed the account balance, causing a temporary negative balance (in-traday exposure) until anticipated daily credit transactions arrive to bring the account back to a positive balance before the end of the business day. The risk in a DOD is that the credit transactions will not occur on time or at all, leaving the account overdrawn at the end of the day.

Although many types of transactions can cause a daylight overdraft, the most common is a wire transfer. Daylight

The risk in a daylight overdraft is that the credit transactions

will not occur on time or at all, leaving the

account overdrawn at the end of the day.

February 2010 The RMA Journal54

Memo credits for short periods—say, six calendar days—might be approved by branch or line staff, but longer memo credits warrant approval of a credit officer with sufficient lending authority. The credit exposure ought to be under-written and approved commensurate with the level of credit risk assumed by the bank.

5. Provisional credit/delayed debit—cash services. Provi-sional credit occurs when a bank credits a client’s deposit ac-count prior to receiving the client’s deposit. For example, the

bank’s armored truck picks up currency from a supermarket chain’s stores around the city. The bank credits the supermarket chain’s ac-count when the funds are inside the truck rather than waiting until the truck delivers the funds to the bank’s

vault. In effect, the armored truck is treated as if it were the bank’s vault. The bank makes the funds available to the client in anticipation of collection. The process typically is done at a cash vault or branch. The risks associated with provisional credit are that:• Thedepositmaybelostintransit.• Theclientmayfailtodepositthefundsbutthenwithdraws

them after provisional credit is made to the account.If granted one or more business days before the bank

receives the deposit, the provisional credit is really more of a non-interest-earning, short-term loan. This service is vulnerable to abuse and warrants close monitoring and management, including consideration of interest or fees.

Delayed debit usually occurs when a bank delays debiting a client’s account. The bank loads cash and currency into its armored truck for delivery to the supermarket chain’s stores, but does not debit the supermarket chain’s account until the currency is received by the stores. The bank releases funds in anticipation of receiving a company check or cash in exchange for a change order. The risks associated with the delay are that: • Thechangeordermaybelostintransit.• Thechangeorderpaymentmaybelostintransit.• Adisputewithaclientmaydelaythebank’sreceiptof

funds to cover the change order.If there is a delay in the bank debiting the client’s account

by one or more business days after releasing funds to the client, or in the truck picking up funds on behalf of the client, the delayed debit is a short-term, interest-free loan. As with the provisional credit, delayed debit warrants close monitoring, management, and appropriate interest penalties or service charges to discourage abuse.

TOE Calculation and ApprovalNow that we know and understand the components of total operating exposure, let’s calculate TOE, evaluate the degree of scrutiny needed at various levels of TOE, and consider approval options. Consider the example of Tekchek.

TOE calculation. Tekchek has ACH maximum total risk exposure of $1 million, wire transfer pre-approved credit/overdraft limits of $500,000 for each of two DDA accounts, overdraft pay code limits of $100,000 on one DDA account, and a provisional credit/delayed debit limit of $50,000. Tekchek’s TOE for all these products’ credit risk exposures adds up to $2.15 million:TOE = $1,000,000 (ACH MTRE)

+ $1,000,000 (wire transfer limits of $500,000 for two DDA accounts)+ $100,000 (overdraft pay code limit on one DDA account)+ $50,000 (provisional credit/delayed debit on one DDA account)

$2,150,000 total

When assessing TOE risk, the relationship manager (RM) is evaluating the client’s ability to generate sufficient cash to maintain a viable business over the business cycle and to effectively manage this cash through appropriate back-office controls. In general, the approach to underwriting TOE risk is the same as that taken to assess other bank credit facilities. Through financial, risk rating, and other analysis, the RM considers the purpose of the TM/DDA product or service and how much unsecured credit to extend to the client. The level of risk underwriting is commensurate with the amount of TOE taken by the bank; as TOE increases, the degree of underwriting increases.

Underwriting guidelines for small TOEs. For new re-quests involving small TOEs—say, less than $250,000—financial statements may not be necessary. Instead, financial information can be gathered from credit agencies’ credit scores and DDA activity reports. Some minimum underwrit-ing guidelines might include:• Satisfactorybusinesscredithistory.• Noevidenceofrecurringorchronicslow-payactivity.• NomorethanthreeoccurrencesofDDAoverdraftsin

the past 12 months; no overdrafts resulting in losses to the financial institution.At annual review and renewal, a satisfactory DDA activity

history over the past 12 months may be sufficient evalua-tion. However, it is prudent to require financial statements, at credit approver discretion, in addition to the DDA activ-ity and credit agency reports. DDA activities suggested for review include:• Reviewofoverdraftactivityoverthepast12months.

The level of risk underwriting is commensurate with the amount of TOE taken by the bank; as TOE increases, the degree of underwriting increases.

The RMA Journal February 2010 55

More than three occurrences of DDA overdrafts indicate higher risk activity and should be reviewed carefully to ensure that no overdrafts resulted in bank losses.

• Reviewofoverdraftpaycodelimitsandrenewablememopost credit limits to decide if the limits are still appropriate for the client; if not, they should be revised as needed.

• Reviewoftheaveragecollectedandbookbalancesfromthepast three months and 12 months to determine whether the level of balances merits the extension of operational credit risk. This is particularly important if the bank is not being compensated for TM/DDA products, especially renewable memo post credits, higher OD pay code limits, and provisional credit/delayed debit limits.

For clients with ACH exposure:• ReviewthelargestACHdebitandcreditexposuresfrom

the past 12 months and compare them to the existing exposure limits to determine if the existing limits are enough to accommodate the historical activity levels from the past year.

• LookatthenumberofACHrisksuspensionsfromthepast three months and 12 months. If the number of suspensions is increasing or appears too high, consider higher risk exposure limits to accommodate the increased activity.

• Reviewtheunauthorizeddebititemreturnrateandunau-thorized debit dollar return rate from the past 12 months. Unauthorized return rates of 1% and higher may indicate riskier behavior on the part of the client. For example, a telemarketing client engaged in fraudulently debiting individual accounts is likely to generate a high level of unauthorized debit returns, often in excess of 25%. If return rates are greater than 1%, the account officer should contact the appropriate treasury management officer or op-erations risk officer to investigate the cause and legitimacy of the higher activity and determine whether the activity warrants suspension or curtailment of ACH privileges.

Underwriting guidelines for large TOEs. For large TOEs—say, $250,000 or greater—in addition to review-ing credit bureau and DDA activity reports, banks review financial statements to determine if:• Thebusinessoritsownergeneratescashfloworprof-

its sufficient to operate and reinvest in the business as necessary. (The bank would use appropriate cash flow or debt service coverage measures to make this determination.)

• Thebusinessoritsownerhassufficientliquidityorac-cess to lines of credit to weather the ebbs and flows of business cycles.Further, at much larger TOE levels, such as $25 million,

it is prudent to request and review some or all of the rec-ommended additional information on the client’s internal controls and operating processes. An operational risk officer

with the appropriate experience and skills should be able to document that the internal controls and operating processes have been reviewed and that operational risks appear to be sufficiently mitigated. Once the TOE level is approved, all underwriting and risk-rating documentation, financial statements, and related information are retained by the relationship manager in the client credit file.

TOE approval. RMs generally are authorized to approve TOE commensurate with their lending authority. However, large TOE exposure, such as $25 million or more, may require additional credit approval authority. Further, the appropriate operational risk officer may need to confirm that a review of the client’s internal processes and controls has been completed and that operational risks appear to be sufficiently mitigated.

If the TOE exceeds the bank’s internal house limit, some banks require a high-level committee to approve it. An enterprise risk committee (ERC) might be one alternative, and its members should represent the major risks of the bank. Chaired by the bank president, the ERC might have members that include the bank’s chief credit officer, chief financial officer, and chief operational risk officer to cover credit, market, and operational risks, respectively.

ConclusionThe Roman lawyer and politician Cicero advised his fol-lowers that to stumble twice against the same stone is a proverbial disgrace. Operational risk is a serious risk because it is perhaps the most unforgiving of all the en-terprise risks. Worse, some depository products pose both operational risk and credit risk to a bank. One way to size up this kind of overlapping risk is to employ the TOE tool to sum up the exposures that the bank has assumed on various TM and DDA products and services. Banks are expected to underwrite operational risk as they do credit risk. This ar-ticle offers guidance on what to include in TOE, how to calculate it, and how to evaluate and underwrite it.

As Confucius said, the cautious seldom err, and TOE is a prudent tool for measuring, monitoring, and managing treasury and depository operational and credit risk. v

••Marge Jaketic is first vice president and credit policy officer, SunTrust Banks, Atlanta, Georgia. Contact her at marge.jaketic@suntrust.com. Dev Strischek is senior vice president and senior credit policy officer, SunTrust Banks, Atlanta. He also is a member of The RMA Journal editorial advisory board. Contact him at dev.strischek@suntrust.com.

Operational risk is a serious risk because it is perhaps the most unforgiving of all the enterprise risks.