A Usually Neglected But Quite Critical Topic for Modern State Treasuries: Operational Risk Management and Business Continuity Planning
Posted by Israel Fainboim
A new Technical Note and Manual (TNM 11/05) has been published by the Fiscal Affairs Department on a topic that is of utmost importance to treasuries and ministries of finance but usually neglected: operational risk management (ORM) and business continuity (including disaster recovery) planning. The author is Ian Storkey, a well-known international expert on treasury and debt management, including ORM.
This TNM should have a profound effect on how treasuries operate. Developing an ORM framework and a BCP/DRP should become a priority for treasuries and ministries of finance (MoFs). Why is this? As Ian Storkey mentions, for the simple but very important reason that they are responsible for managing very substantial government assets and liabilities and handling many large-value transactions. As a consequence, any risk exposure can have damaging fiscal effects and, in addition, generate severe reputational and political damage. Operational risks are one category of risks that can produce these effects (as other risks can as well). Operational risks are usually defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”
Despite their relevance, operational risks are not well known to most treasuries. They are familiar with financial and business risks but not with operational risks. As Ian Storkey underscores, awareness of operational risks is low in the public sector, and very few MoFs have a business continuity and disaster recovery plan (BCP/DRP).
ORM is common practice, particularly among private financial institutions. Central banks should have good ORM and BCP/DRP due to their obligations under BIS and other regulatory requirements, but the same standards do not apply to ministries of finance or treasuries. Unlike central banks, they normally do not face the same regulatory pressure to put in place adequate measures to monitor and control operational risks and maintain a BCP/DRP.
Fortunately, this situation of neglect of ORM has started to change. In Latin America, for instance, Mexico, Colombia and Peru are developing (or starting to develop) ORM frameworks, including BCP/DRP. Chile has a well-developed ORM but other countries in the region have yet to begin the process.
Ian Storkey's TNM is an effort to promote and support changes in this area, including organizational (governance) and cultural changes. The TNM being published answers the following four key questions:
- What is ORM and how should it be applied to treasury operations?
- What is BCP/DRP and why is it important for treasury operations?
- How to develop and implement a BCP/DRP and how to have it embedded into the day-to-day operations of the treasury?
- What is needed to activate the DRP and what are the key procedures when activating it?
ORM aims to ensure the integrity and quality of the operations of the ministry of finance and treasury using a variety of tools including audit, recruitment policies, system controls, and a fully implemented and regularly tested BCP/DRP. These are some of the tools that a government could use to assess, monitor and manage operational risks. Treasuries should have in place a BCP/DRP to ensure their ability to operate on an ongoing basis and limit losses in the event of any business disruption.
As Mr. Storkey mentions, an ORM framework provides a definition of operational risk and lays down the principles of how operational risks are to be identified, assessed, monitored, and controlled or mitigated.
As he underscores, unlike market or credit risk, operational risk is mainly endogenous to the ministry of finance. Apart from external events such as natural catastrophes, it is linked to the business environment, nature and complexity of treasury operations, the processes and systems in place, and the quality of the management and of the information flows.
Developing an ORM framework (including BCP/DRP) is a long and gradual process. It takes time and effort to not only identify and understand the risks but also the mitigation techniques in an environment that is constantly changing.
Mr. Storkey recommends as one of the first steps to implement an ORM that a “risk champion” be appointed to take overall responsibility for it. ORM is more effective if the “risk champion” is located in the risk management unit of the MoF. Once the organizational structure has been established, he recommends that the development and maintenance of an ORM framework for treasury should follow a six-step process:
- understand and document business activities;
- identify, assess and measure risks related to them;
- develop risk management strategies;
- implement risk management policies, limits and controls;
- monitor performance and compliance with policies, limits and controls; and,
- continuous improvement of the ORM framework through regular testing and updating.
Business continuity planning (or management) is the development, implementation and maintenance of policies, frameworks and programs to assist the treasury in managing a business disruption, as well as build treasury resilience. Business continuity planning assists in preventing, preparing for, responding to, managing, and recovering from the impacts of an incident or disruptive event. It is therefore the part of ORM that establishes cost-effective measures and suitable risk intervention approaches for each activity should an event occur, using one or more of the following strategies: i) prevention or avoidance; ii) transference; iii) containment; and iv) acceptance and recovery.
A DRP documents the recovery component of the BCP. It facilitates the i) smooth transition to recovery operations following a major incident or event (or disaster); ii) escalation of recovery operations in the event of a prolonged disruption; and iii) return to normal operations as quickly as possible. Activating the disaster recovery plan will be necessary for major incidents or events that impact on the working environment of the treasury or ministry of finance and require relocation to an alternate site. An important part of the DRP is the structure of incident management and recovery teams along with the administration and IT support.
Should ORM by the MoF be the result of explicit and separate regulations? Even though Mr. Storkey does not discuss this issue in the TNM, he prefers an approach where the underlying government finance and fiscal transparency and responsibility regulations require the identification of fiscal risks and provide a statement on how the main fiscal risks identified will be managed. A number of governments have a risk statement in the budget and/or annual financial statements that outlines the government’s risk management policies to address all the major financial risks – some now include statements on ORM (such as the UK). FAD has promoted the approach of preparing a statement on fiscal risks, and operational risks should be part of that statement.
Mr. Storkey also thinks that government treasuries should adhere to international standards that are well documented – for example, the IMF Code of Good Practices on Fiscal Transparency (2007) and International Public Sector Accounting Standards such as IPSAS-15 and 19, which require disclosure of risk policies, although they do not explicitly include operational risk. While the code and standards need to be updated to explicitly include ORM, the principles of disclosure established by these standards are still relevant.
 Operational risks include: loss of key personnel; infrastructure and technology failures covering computer systems, power, telecommunications, data and physical records; failures of third party key service providers such as the commercial banks and internet providers, and other outsourced operations; human errors or failures, including theft; and building damage as a result of natural disasters or terrorism.
 Basel II “International Convergence of Capital Measurement and Capital Standards: A Revised Framework”, published by the Bank for International Settlements in June 2004.
 Even though further research needs to be done in this area (particularly in non-English speaking OECD countries), apparently only a few countries currently stand out regarding ORM: Australia, Chile, New Zealand, Turkey and the UK. In terms of BCP/DRP, the UK Debt-Management Office (DMO) leads the way, as their approach is well documented in the DMO annual report and accounts 2010-2011. The other countries mentioned do have a BCP/DRP, but this is not documented to the same extent. On the other hand, the Australian National Audit Office has developed the most comprehensive BCP/DRP guidelines for all of government, which explains why it is used by Ian Storkey as a benchmark.
 See for instance: Fiscal Risks: Sources, Disclosure, and Management, Aliona Cebotari, Jeffrey M. Davis, Lusine Lusinyan, Amine Mati, Paolo Mauro, Murray Petrie, and Ricardo Velloso, Fiscal Affairs Department, IMF, 2009; and Disclosing Fiscal Risks in the Post-Crisis World, Greetje Everaert, Manal Fouad, Edouard Martin, and Ricardo Velloso, Fiscal Affairs Department, IMF, 2009.
Note: The posts on the IMF PFM Blog should not be reported as representing the views of the IMF. The views expressed are those of the authors and do not necessarily represent those of the IMF or IMF policy.