How to learn from risk events
In our third blog on the topic of risk events, Tony and John run through the different ways in which to analyse risk events and managing them using operational risk software in order to learn as much as possible from each event, and to reduce the risk of such events happening again in the future.
Taken from: Mastering Risk Management
Analysing Risk Events
Use of events
Causal analysis of events is critical for effective risk management. The analysis can be used to challenge risk assessments and control assessments, to validate indicators and to assist in the production of scenarios and stress tests. In addition, losses can be used in mathematical modelling for economic capital allocation.
Causal analysis and controls
The start of the causal analysis of an event is typically to determine which control or controls have failed. There are often a number of preventative controls whose combined failure has led to an event occurring; some detective controls may also have failed. It is important to determine the main controls which have failed as this aids the design and implementation of action plans to prevent the risk from occurring again.
Sometimes a risk has occurred because appropriate controls were not in place. This is relatively easy to fix. However, it may be that it is acceptable to the business for the risk to occur or that the implementation of controls to prevent the risk occurring is regarded as too expensive. If so, it is important that management understands and explicitly approves the acceptance of the risk which is of course the firm’s risk appetite.
Risk and control self-assessment
Once the failed controls have been identified, scoring the design and performance of the controls can be challenged with the objective data of the event. In particular, if the performance of the control has been rated as very effective, the frequency of failure for that control should be challenged, if it has failed more than once in an agreed period. Although the design of a control is more difficult to challenge directly through events, it is still possible to draw some tentative conclusions through causal analysis and therefore to challenge this rating, as well as the performance rating.
The analysis of an event, whether or not a financial loss has occurred, will also assist in challenging and validating the likely scoring of a risk in a risk and control self-assessment. Looking at impact, it may be that an event has occurred but there has been no apparent impact. A check should nevertheless be made to confirm both the impact and impact assessment shown in the risk and control self-assessment and the risk owner asked to justify their assessment.
By contrast, if there have been a series of impacts of similar value, that is a good indication that the impact of the risk should be assessed at that level. The risk owner may, however, feel that the firm has been fortunate in managing the impact of the risk well and that a higher value is justified; or that the firm has for a variety of reasons been poor at managing the risk recently and that a lower value remains appropriate because systems and controls have been tightened. Either way, the firm has challenged the subjective risk assessment scores and created greater awareness of the value of both event causal analysis and risk and control self-assessments. It should be noted that good fortune and luck rarely play a significant part in good risk management.
Turning to the frequency of likelihood assessment, if three events of a certain risk have occurred in the past five months and the likelihood of the risk has been assessed as low, it is important that the owner of the risk is challenged. It can often be easy simply to say that the firm, at least in relation to this particular risk, has been experiencing a period of bad luck. However, it is more likely that the assessment of likelihood has been unduly optimistic and that the scoring of the likelihood should be revised upward.
Luck is a seductive and dangerous concept, which has no place in the cold light of risk management. An event may be extremely random, and a concatenation of events even more so, but they nevertheless happened. That may feel as if the gods are against you, and its all unfair and unreasonable, but all events need to be recorded and our assessments adjusted. Don’t ignore an event because ‘it was a one in a thousand year event’ or a ‘once in a lifetime’ event. ‘Once in a lifetime’ events have a nasty habit of happening rather more often than that. Outliers may not in reality lie as far out as we would like them to.
Indicators
Events and losses can also be used to validate indicators. If an indicator shows that a control is starting to fail or that a risk is more likely to happen, some events will be expected to occur. If the events do not occur, the indicator must be challenged in case it is not as relevant to the risk as was originally thought. It should be borne in mind that a failure of one control will not necessarily cause a risk to occur, as other preventative controls may be in place and working. Whether or not this is the case can easily be seen from the risk and control self-assessment.
Equally, events and losses can be used to validate indicators of detective controls. In a similar way to the validation of preventative controls, the size of the events and losses is a guide to how well the detective control indicators are performing.
Scenarios and stress testing
A significant use of events and losses is in the creation and validation of scenarios and stress tests. The occurrence of real life events is a very useful pointer towards the construction of plausible but extreme scenarios and stress tests. By combining several events (each of which may occur on a reasonably regular basis) the more extreme event can be built. Developing a scenario in this way often leads to scenarios that are more easily accepted by management.
External loss databases
Up to now, we have been considering event information which is gathered from within the firm. However, there are three main sources of losses which are available for causal analysis. A firm’s own losses are inevitably the primary source of loss data. But there are two other sources of loss information which are external to a firm and which can yield valuable and different information to risk management.
Dealing first with information from competitors, a number of consortia exist which capture the internal losses of a number of firms, on a sectoral, national or international basis.
Competitors’ data are inevitably of a similar type to a firm’s own loss data in that they range from high frequency/low impact to medium frequency/medium impact events. As such, the data provide valuable validation and confirmation of a firm’s own loss data. In addition, the data can provide an early warning of losses which have occurred in a competitor but are not yet occurring to your firm. Given this warning, a firm is able to reassess its own controls in relation to the risks being suffered by its peers and possibly reduce or even eliminate the approaching losses relating to those risks. It should be noted that competitors’ data often has higher impacts if the competitors’ corrective control environments are less effective.
A different type of loss database captures publicly available loss and event data. These events are typically reported on the internet or in the media and are of such a size or consequence that they are impossible to hide. Such data are, by their nature, relatively rare, although they are the most valuable source of data as losses of this size will rarely appear in a firm’s own data but are of a size which could cause a firm to collapse.
Finally, government agencies such as the Health and Safety Executive, or industry bodies, provide industry-wide information on events. As with all the other external information, this is useful in helping firms to benchmark their own performance and the quality of their controls.
Gains and offsets
Event profits and gains are just as valuable for challenging likelihood and impact assessments as event losses. In many areas (such as the trading floor in a bank) gains and losses should be equal in number. A trader’s ‘fat finger’ is as likely to produce a gain as a loss. However, human nature being what it is, this is rarely seen in reports and is a reflection of a bias in reporting. Many profits are absorbed into the business line, whereas losses are usually identified explicitly.
Inevitably, most events and losses tend to be spoken of in the same breath. We are primarily concerned with negative impacts, whether they are financial or reputational. In risk management, however, events which produce gains are just as valuable a source of information because they also represent control failures. Risk management is not all about adverse consequences. It demands a different mindset.
As well as gains being realised when an event happens, sometimes an event will generate offsetting amounts to the actual loss. These may themselves be hard or soft and direct or indirect. For example, if the loss of an IT system prevents a trader in a bank from reducing a position which then results in an unexpected profit, there is a financial offset. From a risk management perspective, the offset should be separated from the costs involved in the loss of the IT system and both should be investigated.
Likewise, recoveries should be separately identified so that the gross loss is known, as well as the net loss. A typical recovery is a claim on an insurance policy. This may be viewed as the operation of a corrective control which transfers the financial loss to a third party outside the firm. Alternatively, recoveries may be obtained directly from a third party. An example of this will be the back-valuing of a payment by a counterparty who has paid late.
Summary
Events, being what has actually happened, are probably the only hard facts we have in risk to make judgements about the future. However, as we have seen, the information we gain from them comes with a number of health warnings. The data will never be complete. As events occur, they inevitably affect behaviour, whether individual or corporate, which means that even if we have captured information comprehensively and accurately, its usefulness degrades over time.
The information gained from events validates and supports risk and control self-assessments, the levels of indicators and scenarios, and is fundamental to assessing capital requirements. But we should be careful that it does not bear too great a load of expectation.
In our next series of blogs Tony and John discuss risk management and the use of scenarios.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
For more information contact us today on sales@risklogix-solutions.com
