HSBC’s radical turnaround through its Operational Risk Transformation Programme (ORTP) is a testament to its risk team and leadership, delivering greater efficiency and oversight in risk management, and winning it the OpRisk Bank of the Year award.

“In 2015, the business community here recognised a need to greatly improve how we go about identifying and managing risk,” says Mark Cooke, group head of operational risk at HSBC. “They said ‘we can’t see what is important to our business, what the big risks are, what we need to fix, and what we need to prioritise’.”

At the time, HSBC was still under a five-year Deferred Prosecution Agreement, imposed by the US Department of Justice in December 2012, for money laundering offences involving Mexican drug cartels. The bank had paid US$S1.9 billion to US authorities for these transgressions, and been labelled in the US Senate as a conduit for “drug kingpins and rogue nations”, making controls an existential issue as far as its US-dollar business went.

Shortly after January 2014, when Cooke had just taken on his new job at HSBC, having formerly been chief risk officer at Barclays Wealth Management, the Prudential Regulatory Authority (PRA) made a routine regular inspection – and the verdict was far from a ringing endorsement.

“We were aware that we needed a more robust approach to operational risk management and it was what our regulators expected, so that was the catalyst for transformation[al] change,” he says.

The challenge was compounded by the breadth of the banks’ business: a franchise spread across more than 65 countries with four different business groups and littered with siloed developments. At the time, some 21 different risk control self-assessments (RCSAs) were in place.

We now have an activity-based three lines of defence… The biggest change we’ve seen is that we are able to be much more precise about who is accountable
Mark Cooke, HSBC

The improvements made under the ORTP are tangible, such as in the alignment of staff roles. In 2015, 80,000 people out of a total workforce of 235,000 said they were employed in the second line of defence; today, 5,000 staff acknowledge that’s where they sit.

“We now have an activity-based three lines of defence (3LOD)[framework],” says Cooke. “If your role is to set policy, provide oversight, challenge any gaps and provide independent assurance, then you’re second line. If your role is delivering products and services to customers, you’re in the first line. The biggest change we’ve seen is that we are able to be much more precise about who is accountable, either for ensuring risk is being well managed or for making sure a control activity worksand delivers proper outcomes.

”The ultimate purpose of these new definitions and the restructuring ofthe 3LOD is to change behaviour and attitude. One of the most significant battles in this crusade was won by moving the concept of risk ownership to the foremost position on the trading floor and in the frontoffice, where the businesses actually live. This was a first for HSBC. Until the reform programme, perhaps two-thirds of risk was owned in alocation far away from the business.

In effect this meant that cost centres such as operations and technology took the risk, giving business heads little incentive to feel responsible for the results of their business decisions, Cooke explains.

“The awareness and ownership of risk within the business was not where it needed to be. Business leaders are expected to be P&L owners in addition to being fully accountable for risk management. That, for example, meant making sure they could get the insights they needed to find potential cases of money laundering and not thinking that was the job of the financial crime team.”

Controls that work

To this end, roles within the 3LOD have been redefined and articulated far more clearly, but those responsible for making sure the controls are working well in the business are named within the risk-management system. This, says Cooke, has brought about a fundamental shift in behaviour. There is a new sense of ownership and awareness of what risk management failures may bring.

Cultural change is supported by new systems and controls. For example, HSBC now has a standardised risk-control library, used across the bank in every location and every business. The same categories of control and risk are used by a rates desk head in Singapore, a rates desk head in New York and a rates desk in London. This allows a read across the entire institution in every operation, notes Cooke.

HSBC’s new governance, risk management and compliance (GRC) platform, Helios, which cost an estimated US$40 million, contains some 50,000 linked controls. To manage risk effectively on this scale, it is critical to be able to discriminate between the run-of-the-mill controls and what Cooke calls the ‘killer controls”, by which he means those that will materially increase the level of risk to dangerous levels if they fail to operate correctly.

The breadth and uniformity of the controls library has allowed the development of one standard, dynamic risk control self-assessment (RCSA) approach.

“We have a live, real-time RCSA environment now,” Cooke says. “This allows us to view, at any given time, the top risks and how they split into businesses and taxonomies. You can easily produce a report that is relevant to your area.”

These functions lie within Helios, which is underpinned by the IBM OpenPages operational risk management software, described by the technology firm as a product that “automates the process of identifying, analysing and managing operational risk, and it enables businesses to integrate risk data into a single environment”.

Buy, not build

At the very outset of its root-and-branch reform programme, HSBC made two crucial decisions when it came to the installation of a new platform. Firstly, it was to buy and not build, as it is, says Cooke, “clearly not effective for HSBC to build bespoke GRC systems in-house and, secondly, to not customise the vendor package, so we can easily benefit from vendor upgrades”.

HSBC determined that the pros of a standard product considerably outweighed the cons. On a previous occasion, a purchase of a customised product by a major software supplier had not turned out well and this experience informed the decision to go down a separate path this time. Instead, the bank forced itself to change its processes and methodologies to suit the OpenPages, rather than the other way round, even when it would have been easier to customise.

We now have the right approach, but there is no room for complacency
Marc Moses, HSBC

Overall GRC platform expenditure by HSBC has been in the region of $100 million. But given its improved performance in stress tests, the bank has been able to make capital savings, with the blessing of prudential regulators. Putting capital back into the business is a significant win, and puts the expenditure into context.“Because the stress tests are now more robust and credible, we can better explain to regulators how much capital is required, and that is helping us put capital back into productive use within our business,” says Cooke.

Marc Moses, chief risk officer at HSBC, says: “We now have the right approach, but there is no room for complacency. Just like the rest of the industry, we know there is more to do to strengthen our non-financial risk management.”

Although HSBC strove to condense the complexity of its organisation when buying an off-the-peg software suite, this is not always possible. The heterogeneous vastness of the bank will inevitably mean that some things are done differently here than elsewhere. No less than 24 separate risk committees have been put in place since the reforms. Each national subsidiary, region and business, and most product lines all have their own risk committee.

Each of the four businesses – global banking and markets, commercial banking, retail banking, and wealth management and global private banking – has its own chief control officer. These roles incorporate a considerable remit and very few banks on the Street echo this structure.

HSBC has also appointed a new head of operational new head of operational resilience, Professor Cameron ‘Buck’ Rogers, who joined from the Bank of England, where he was chief information security officer, in May.

The bank’s journey is far from complete, says Cooke.

“Hearts and minds are paramount to all this,” he says. “We talk about systems, and framework and approach, but at the end of the day it comes down to prudent risk management on a day-to-day basis, where colleagues are doing the right things to protect our business, customers and society.”