The Shortcuts Trap – Loss Events Reconsidered

  • Subscribe to updates

  • Privacy
  • This field is for validation purposes and should be left unchanged.

Ways in which some loss event approaches can be false economies

This is the third in a series of four blogs about the ways in which common shortcuts can undermine operational risk management success within financial services firms. You can view the other blogs here: The Shortcuts Trap – Risk and Control Self Assessments and The Shortcuts Trap – Key Indicators Under Fire

 

 

For financial services firms, capturing and analysing loss events correctly is vitally important. Loss events, properly understood, can help firms reduce their future levels of operational risk and enhance operational resiliency; a process made easier with risk management software. However, the capture and analysis of loss events has also been one of the most controversial aspects of operational risk, and within that controversy, best practices can get lost and shortcuts taken. Below are some common tricky timesavers that firms take when it comes to loss events:

  • Being comfortable with incomplete loss capture – It’s a big mistake to think that the data collection job is over, having captured 70% or 80% of the firm’s total operational risk loss events, and analysis can begin. Any analysis undertaken and conclusions drawn from such an incomplete data set would be inherently wrong – a significant chunk of the firm’s loss history is missing. The best way to ensure that all losses are captured is to reconcile the loss data to the general ledger. While this can take time – which is why abandoning this work is a popular shortcut – doing so is a big trap. It’s vitally important that the loss data set be as comprehensive as possible.
  • Demanding complete loss event information up front – Some firms insist that the business fill out a loss event capture form completely – all fields are mandatory – before it can be submitted. While it’s important to capture all of the information about a loss event eventually, requiring all fields to be filled in by the business before turning the form in can lead to delays in notifying the operational risk team that a loss event has occurred. The business may not know all of the information required by a form immediately – some information could take a month or more to track down. Instead, the business should be encouraged to submit the form as completely as possible, but also in a timely manner. Then there should be a process in place to ensure the form is completed within a reasonable period of time.
  • Setting thresholds too high for analysis – Most banks have a reporting threshold well below the Basel Committee on Banking Supervision’s (BCBS’s) level of €10,000 — €500 or €250 for example – which is good. However, for many banks, the loss size at which they undertake root cause analysis can be much higher than their reporting threshold — €5,000 and up. Naturally, the higher the threshold, the less analysis an operational risk team needs to do. But it could mean that the team is failing to do analysis on important loss events, which result in further losses. If an operational risk team is only doing root cause analysis on two or three losses each month, it has set its analysis threshold too high, and should lower it.

    Loss Events Reconsidered

  • Applying a monetary threshold to analysing reputational risk loss events – Most banks will perform root cause analysis on all reputational risk loss events, which is the right thing to do. However, some firms will apply a monetary threshold in the same way that a threshold is applied to other types of losses for analysis. This is a very bad shortcut – for financial services firms, reputation is everything. While there may be more reputation events today than there were 15 or 20 years ago, it’s a false economy to ignore events below a certain threshold because, without the insight provided by root cause analysis, future reputation events from the same causes could escalate significantly in both frequency and severity, creating real damage. 
  • Forgetting about corrective controls when analysing losses – There are many different kinds of root cause analysis that can be performed on operational risk loss events. A popular one is the Five Why’s, but this approach can often lead to the team just exploring preventative controls – the controls that prevent a loss event from happening. It can be far too easy to overlook corrective controls, which ask the question, “Could this loss have been smaller even though it happened?” Corrective controls are particularly important when thinking about operational resilience. A bow tie analysis of a loss event may take longer, but it is a better way to structure the team’s thinking, so that both preventative and corrective controls are examined.

In summary, operational risk teams at financial services firms should view loss events as an opportunity for a deeper understanding of the organization’s ecosystem, as well as a chance to improve both operational risk management and resilience. Firms need to consider the benefits that best practice can bring in this area, and avoid common shortcuts that can lead to significant increases in risk over the longer term.

Related Posts

Effective business continuity & operational resilience are both outcomes of good risk management
There has been some debate whether Operational Resilience (OpRes) and Business Continuity Management (BCM) are the same discipline, different disciplines, or similar areas but with differing degrees of granularity. It is arguable that OpRes is customer centric in that it looks at the threats and vulnerabilities to the services provided to the customer, whereas BCM …

Effective business continuity & operational resilience are both outcomes of good risk management Read More »

Digitising Risk Management – Time to ditch the spreadsheet
It is a recognised issue in the industry that the most widely-used risk management software tool is actually provided by Microsoft – and it’s called Excel. And it’s only a partial solution – at best While tier one financial institutions have been early adopters of large, complex risk management software solutions, due to both sophistication …

Digitising Risk Management – Time to ditch the spreadsheet Read More »

Long term value from ESG – the Importance of embedding a true ESG culture in your organisation
ESG, Environment, Social, Governance reporting seems like a good thing!  Being associated with ESG practices has a positive effect on the brand, which helps organisations to sell more products and services. Meta-analysis of over 1,000 studies published between 2015 and 2020 conducted by NYU Stern and Rockefeller Asset Management found a strong correlation between ESG …

Long term value from ESG – the Importance of embedding a true ESG culture in your organisation Read More »