Regulators first started talking about “other risks” in the 1990s after events such as Barings, BCCI and Sumitomo highlighted the fact that financial securities institutions are subjected to risks other than market risk and credit risk. Over several years of debate (sometimes passionate and sometimes irrelevant), the industry settled at first uneasily on a definition of operational risk: “The risk of [direct or indirect] loss resulting from inadequate or failed internal processes, people and systems or from external events”.
The reference to “direct or indirect” loss survived for only a short time before being dropped. That it crept into the definition at all was testimony to the early efforts of operational risk managers to identify operational risk through a focus on loss events. It was also unfortunate that there was an early over-emphasis by the regulators on losses.
Today the identification, measurement, monitoring and management of operational risk is widely recognised to comprise six main processes. These are:
- Governance – encompasses the direction and review by senior management of operational risk within the institution.
- Risk and control assessment – involves the identification and subjective measurement of operational risks and their mitigators.
- Losses – includes the identification, capture and analysis of both internal and external events arising from the occurrence of operational risks.
- Key indicators – contains the process of identification, capture and analysis of metrics of key risks (and controls).
- Modelling – concerns the mathematical analysis of the effects of operational risks on an organisation.
- Reporting – allows the four processes immediately above (i.e. risk and control assessment, losses, key indicators and modelling) to be brought together in a coherent manner for use by all levels of management to supervise and control operational risk.
The first step in operational risk management is to ensure that the governance structures are in place and understood by all staff. A Board-approved operational risk policy together with terms of reference for the relevant bodies is essential. These ensure that the Board of Directors and all staff have a clear view of their responsibilities and of the Board’s strategy. As such, they are also useful documents from the perspective of managing your regulatory relationships as they can be used as a reference for the documentation of senior management responsibilities around operational risk.
A framework is also often developed during this initial period of operational risk management. This is a term of art and many different frameworks exist. However, they all have in common a description (whether pictorial or in words) of how the identification, measurement, monitoring and management of operational risk will occur within the organisation.
An example of an operational risk management framework is given below:
A timeline that indicates the intermediate milestones for the progression of each of the processes is also often drawn up during the governance phase of operational risk management. This, of course, allows senior management to manage and review the development of operational risk processes within the organisation and to set and influence the speed of the development.
It is interesting that the FSA noted earlier this year (in its Operational risk management practices paper, February 2005) with regard to governance in firms “… this activity was sometimes inhibited by the lack of clear direction on risk strategy from the Board of Directors …”.
Risk and Control Assessment
This is often the first process of operational risk management that is carried out by an organisation. Most firms have performed some form of risk assessment or control assessment, although many have not yet progressed it to a state where business benefit can be derived from it. Although a first risk and control assessment is almost always subjective, it can be of significant business value if it is linked to the strategic objectives of the business. As risk assessments progress and the links between losses and key indicators are established, the assessments become more influenced by objective data. However, a continued focus on the business objectives will help to ensure buy-in and use at the most senior levels of management.
Much has already been written (by regulators and other commentators) of the use of losses in operational risk management. Regrettably, a great deal of this writing has been focussed on the modelling of operational risk using losses. Much less attention has been paid to the benefits from understanding the causes of the losses and to linking the causes to the strategic risks already identified by the firm in its risk and control assessment. Both internal and external losses can be used by firms in causal analysis, although inevitably the external loss analysis will be more difficult as the control environment that failed will be less understood. The use of this analysis of objective data to challenge the subjective nature of the risk and control assessment is vital to coherent and comprehensive operational risk management.
There is currently significant industry scepticism around the advantages of the use of indicators for operational risk management. This appears to stem from a wish by many in the industry to start the identification of appropriate indicators with a blank sheet of paper and with little or no reference to previous work performed in other operational risk processes. Those who are making headway in the use of indicators have invariably linked their metric identification process to the risks and controls already identified by the firm in previous risk assessments. This automatically enables a focus on the key risks (as identified by the risk and control assessment) and provides clear assistance in easily recognising predictive indicators. Given a link of risks to the business objectives, the key risk indicators allow senior management to assess the likelihood (or otherwise) of meeting its own strategic plan. Such devices are excellent for embedding operational risk management within a firm.
As noted above, too much focus has been placed (until recently) on the use of losses in operational risk modelling. It is very helpful that Basel (in its International convergence on capital measurement and capital standards, June 2004) and the FSA (in its CP05/3, January 2005) finally acknowledged that the internal control environment of a firm and scenario analysis are both valuable components of an operational risk model. [For the sake of completeness, the other two components of a model are internal losses and external losses.]
Both risk and control assessments and key indicators can be used in modelling operational risk and can add significantly to the business benefits that can be derived from such modelling. As well as a capital figure that can be used for capital allocation to business lines, a model that uses risk and control assessments can assist in a cost benefit analysis of the controls used by a firm. Challenges can be made to the effectiveness of the controls, given the size of a particular risk, and to the allocation of resources for each control.
Many organisations have increased the amount of operational risk reporting carried out in the last few years. Unfortunately, often this increased reporting has simply resulted in a greater amount of paper containing ever more detailed analysis. In practice, reporting must be tailored to the needs of the receiver. The Board of Directors generally are interested in operational risk reports that address their interests, i.e. strategic risks (and controls) and significant exceptions to lower levels of risk across the entire organisation. Department heads, on the other hand, are relatively tightly focused on their own risks but often require considerable detail on those risks.
Much reporting often also focuses on the risks, without thought for the linked controls and action plans that can demonstrate a firm’s commitment to using operational risk management to enhance the firm’s business decisions.
The six main operational risk management processes of governance, risk and control assessment, losses, key indicators, modelling and reporting are fundamentally entwined with each other. In future articles in this series, I will look at each process in more detail and this will allow the reader to build a broad high-quality understanding of operational risk.