CHAPTER 2

Frontiers of Operational Risk Management

Ralph Nash

Barclays Business Banking

Ioanna Panayiotidou

Axa UK

Introduction: What Is Operational Risk Management?

The emergence of operational risk management as a separate discipline is somewhat murky. Its origins can be traced to a mixture of “operating risk” (back-office operations, payment systems), audit-style risk assessment, and specific risk management capability (business continuity planning (BCP), fraud risk management). Several financial institutions started using the term in the 1990s, but it was given a huge impetus by the emergence of capital requirements for this nebulous group of risks under Basel II and subsequent EU legislation. Even under Basel II, however, the term “operational risk” emerged slowly and for reasons that are not entirely clear. Between the first and second consultation papers on the new capital framework, “other risks” (based on an open-ended definition of everything except credit, market, and liquidity risk) metamorphosed into operational risk (with a closed definition) that slowly developed into the current, fairly all-encompassing “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” This definition includes legal risk, but excludes certain other risks including liquidity, strategic, and reputational risk.

This regulatory wrapper covers a range of routine, low-severity issues and combines them with major losses and potentially systemic, or at least solvency-threatening, risks. But how does this definition match the day-to-day management of operational risk that happens across all staff and departments in a firm and what should operational risk managers do as a result? This chapter aims to explore these issues by taking stock of the implementation of operational risk in a post-Basel II, pre-Solvency II context and by considering how operational risk functions and resources may be best deployed to add value to the firm.

What Does Operational Risk Look Like in the Current Environment?

As noted in the preceding paragraphs, operational risk became a buzzword around banks as the growing pains of Basel II led to a range of approaches for the assessment of capital. There can be no doubt that the threat or promise of a capital charge for operational risk focused the mind of senior management across the banking industry and insurers are now in the same position with Solvency II on the horizon. The development of the operational risk discipline in the shadow of the emerging Basel II requirements meant the focus of effort was on certain aspects of risk management, particularly around data collection and the measurement of operational risk. A vicious or virtuous circle between the banks and supervisory agencies emerged, in which a focus on capital meant that effort focused on the components of capital assessment, perhaps to the detriment of “real” risk management. Furthermore, a few leading banks promised a lot in terms of the ability to measure capital and the supervisors responded with the birth of the concept of the advanced measurement approach (AMA).

The AMA is principle-based and allows a degree of flexibility that is not apparent under the credit equivalent in Basel II, the advanced internal ratings-based approach (AIRBA). This flexibility had some unexpected and possibly undesirable consequences; initially, there were many factions in the banking sector stressing the importance of different ways of assessing operational risk including loss data (loss distribution approach) versus self-assessment (risk driver approach) versus scenario analysis (scenario-based approach). Much discussion followed, but the ultimate outcome was that all data inputs have some kind of relevance. The arch quantifiers admitted that qualitative data could fill gaps in their distributions, while the qualitative factions saw the need to have some “factual” loss data to “validate” their findings. As a result, most AMAs now incorporate a range of data sources (internal and external loss data, scenario analysis, and risk and control self-assessment) in either the construction or validation of their capital numbers. More importantly, it seems that a number of banks have seen the need to revisit their approaches to AMA and to consider how data collection and analysis informs and is informed by “real” day-to-day risk management. It seems that following the rush to quantification there is now a pause for breath to consider what value, over and above a regulatory tick and a potential reduction in regulatory capital (not necessarily a binding constraint), is derived from the operational risk functions.

It is, however, all too easy to be critical of the attempts of firms to measure operational risk. There were few credible alternatives to the AMA-type approach and certainly the simpler regulatory approaches under Basel II (the basic indicator approach and the standardized approach), while generating a number for operational risk capital, do not in any way, shape or form “measure” operational risk. They are a top-down assessment based on the unproven, but intuitive, assumption that income or assets and operational risk are in some way directionally aligned. Banks using these approaches should be wary of placing weight on the capital numbers generated; they may not even be an upper threshold, let alone the “right” number. The further anomaly with the simpler approaches is that the entry criteria do not relate exclusively to the ability to perform that capital assessment, but rather to generic operational risk management standards.

The focus on operational risk measurement also has important implications on the requirement that the operational risk framework is embedded in day-to-day management and that the capital inputs and outputs are used in practice. This creates a number of issues for firms that have existing risk assessment models in place and in use. Either the regulatory-based assessment, which may be based on confidence intervals and definitions that the firm does not recognize, takes precedence and supersedes the existing internal measurement approach, or there is the need to juggle two sets of capital books. It is difficult to use the capital outputs in such a case. This issue is nothing, however, compared to those for firms that do not manage on a risk-adjusted capital basis where the outputs of the AMA are simply unrecognizable. The best that can be hoped for here is that the AMA inputs are the same as those that are used for management purposes and so the use test is achieved.

Lessons

The supervisory push toward a capital charge for operational risk and the emergence of AMA has been an important learning curve for banks and the authorities alike. There are some important lessons for Solvency II as a result and the EU, national authorities and individual firms may be able to save time, money and effort by considering the recent experience of Basel II. These issues can be grouped into four categories.

  • Simplicity. A range of three approaches to the assessment of operational risk capital is unnecessary and overcomplicated. A simple metric to generate a capital charge (along the lines of the basic indicator approach) and a framework for the recognition of internal operational risk models (along the lines of AMA) is sufficient to allow innovation and development. The apparent stepping stone of the standardized approach need not be replicated in Solvency II. This avoids the scope for numerous (fairly fruitless) debates around partial use, arbitrage, and entry criteria. With a simple, permanent, partial-use regime between a basic approach and an advanced approach, firms could plot a reasonable trajectory for rolling out an advanced approach without undue burden and on a reasonable cost-benefit basis.
  • Spurious precision. The breadth of risks captured in operational risk, ranging from small, routine processing losses, to systemic market-wide events, means that pinpoint accuracy in measurement is a false objective. Much debate has centered on the basis for a 1/1,000 year capital requirement. In practice, such debate is a likely recipe for business disengagement with operational risk and a more realistic time horizon might be beneficial in supporting operational risk teams in obtaining business buy-in and adding value. Similarly, regulatory obsession with gaming of capital numbers via dependency and correlation analysis has led to a protracted debate around the connection between different event types in different firm functions or locations. Again, a commonsense approach in recognizing the intuitive disconnections between the bundle of events that comprise operational risk would be a big win for firms and supervisors. With the backstop of other supervisory interventions and the sanction of requiring additional capital, fears of capital draining from the system as a result of advanced operational risk approaches can be abated and a long and fruitless debate on this matter avoided. Insurers’ experience in managing risk diversification should be recognized in Solvency II.
  • Inputs. As referred to in the preceding text, there was a long debate in banks around the requirement to use different inputs to assess operational risk. It is evident that a range of data inputs is necessary to assess operational risk effectively, especially given the range of events covered under the operational risk umbrella and the differing severities and frequencies with which they occur. The main inputs are: internal loss data, external loss data, scenario analysis, and risk and control self-assessment. Internal loss data are a key component of any robust operational risk assessment approach. In the absence of such data, it is impossible to answer basic questions such as the current annual cost of operational risk (and hence how much resource it is worth expending on risk mitigation or transfer) or to learn from issues across an organization. Depending on the type of operational risk event concerned, data collection thresholds might sensibly vary. For instance, firms might have a strong interest in capturing fraud losses at a low level. Solvency II should copy Basel II flexibility in terms of thresholds, but should avoid the spurious pursuit of accuracy by “reconciling” losses to the general ledger.

External loss data fall into three main types: consortia data (shared losses between member firms, typically on an anonymous basis, e.g., ORX, ORiC, BBA GOLD); publicly known data (an enhanced press-cutting service in which public data are classified, packaged, and sold, e.g., Fitch FIRST); and inquiry data (detailed analysis of a particular loss event, typically by a quasi-governmental body, e.g., the Bank of England’s report on Barings, or the Ludwig report on AIB). The use of these data varies, but consortia data may be used for risk modeling or assessing the completeness of internal loss data, while publicly known data or inquiry reports might be used for “what if” analysis or to design and validate scenario analysis.

Scenario analysis is typically a structured opinion about rare but plausible events and can be used to identify control weaknesses or dependencies and to assess capital for rare events by creating “synthetic” loss data. Finally, risk and control assessment data are the most common form of information available and are useful in gauging current weaknesses and in flexing loss histories.

It will be apparent from this quick review of data that the different sources of data inform different aspects of a comprehensive operational risk analysis and Solvency II should continue this focus on a range of data sources. Insurance firms should learn from the experience of banks and rather than waste energy on a fruitless debate about the ascendancy of particular data types, they should make preparations now for the forthcoming Solvency II requirements across a range of data sources, building on existing business management information that is used and recognized.

  • Focus on risk management. While the focus of Basel II and Solvency II is understandably on capital, supervisors and especially firms should not omit to ensure that sufficient focus and funding is applied to “real” risk management. This may be manifested through the resourcing and prioritization of fraud risk management programmes, prioritization of IT improvement and (information) security initiatives, robust business continuity planning, disaster recovery (DR) planning and testing, and effective insurance purchasing. While the data collection and analysis inherent in the advanced approaches to operational risk assessment provide a context for this work, and should provide some parameters for resource allocation to mitigation initiatives, at times there can be a disconnection between the “risk measurement” driven under Basel II and the real risk management initiatives happening elsewhere in the business and operational areas of a firm. It is this “use test” that links risk measurement and mitigation that Solvency II should encourage and that firms themselves have an interest in pursuing.

In summary, it is clear that the overall direction of AMA is one that should be copied in Solvency II. There are, however, some key improvements that could be adopted to make the design and implementation smoother, while firms themselves should end the debate about the need to measure operational risk and the detailed way of doing it, and rather focus on linking risk measurement and risk mitigation into a coherent whole, cognizant of, but not driven by, the regulatory agenda.

Adding Value?

As discussed previously, many firms have typically focused on the development of operational risk practices in response to capital and regulatory pressure while enjoying different degrees of success in embedding them into the day-to-day operations of the business. The constant challenge around operational risk is how, over and above regulatory compliance, it adds value to an organization and, in particular, how this is manifested in bottom-line results.

In order for organizations to improve financial results they need to minimize operational inefficiencies and maximize the use of available resources, that is, people, processes, systems, and assets. Although compliance with capital regulations has been a key driver for the development of operational risk frameworks, organizations are now beginning to experience and focus on how sound operational risk practices can deliver direct bottom-line value benefits. For example, better operational risk capital management and supervisory capital relief can be achieved through the operation of an effective mechanism for the identification, measurement, reporting, and management of operational risks. This allows organizations to allocate capital more effectively across the business and, at the same time, may create additional value for shareholders or re-investment opportunities by either releasing operational risk capital held or minimizing the prospect of regulatory sanctions.

Operational risk promotes the structured consideration of the potential adverse impact as well as the opportunities inherent in all business decisions. By requiring management to consider the potential downside of their actions, operational risk focuses attention on the existing resource management practices and control environment effectiveness of an organization. This provides management with a comprehensive view of operational exposures across the organization, thereby allowing for integrated responses to undesirable risk exposures and process inefficiencies. Cost savings can, therefore, be achieved through process improvement and fewer unexpected operational failures and losses.

This environment of enhanced decision making also facilitates better management of projects or programmes across an organization to ensure the delivery of anticipated benefits. Project and programme management is a key business activity that is, however, often promoted by isolated departmental drivers and financial considerations. Operational risk ensures that the benefits of projects or programmes across an organization are balanced against the cost of implementation and considers the impact of any project outputs on the business-as-usual environment. Therefore, the risk of under-delivery, unexpected costs, or failures is limited.

An operational risk focus area that has delivered considerable, quantifiable benefits to organizations is internal and external fraud risk management. The increased sophistication of fraudulent activity targeted at or existing within an organization requires the detailed understanding of the causes of fraud and its implications. It also requires careful analysis of the effectiveness of the control environment that operates to minimize exposure. Organizations that have established fraud risk investigation programmes have been able to experience the direct benefits of operational risk in terms of cost savings delivered through targeted action planning and control process improvements.

Similarly, operational risk can facilitate the improvement of processes that operate to mitigate risk exposure, which typically focus on the consideration of financial management information, such as an organization’s insurance programme, product pricing methods, and investment decisions. Carefully monitoring and reporting changes in the operational risk profile of the business can provide such specialist teams with an enhanced understanding of risk exposures, thereby allowing the delivery of cost efficiencies.

Another important area of business activity where operational risk has provided direct benefits is third party management. Traditionally, the cost saving potential of such arrangements has driven management action. As such arrangements in the financial services industry increased in complexity and number, it became apparent that the identification and management of operational uncertainties such as appropriate contractual and service level agreements, relationship management, and people and systems considerations are as critical to the success of the operation as financial considerations.

The importance of managing nonfinancial risk exposures and related controls has been highlighted by a number of corporate failures both in banking and insurance. Operational risk provides a framework for the consideration of nonfinancial factors present in every business activity, thereby promoting informed decision making and optimal resource management that can drive improvements in established practices such as insurance programmes, product pricing, and investment decisions. As operational risk management develops in sophistication and the quality and quantity of the data necessary for the meaningful analysis and reporting of operational risk exposures becomes increasingly available, the direct and indirect benefits of operational risk are becoming more apparent to organizations.

Specialism Versus Generalism?

Most financial services organizations have established a centralized operational risk management function with a degree of oversight and reporting responsibilities. At the same time, operational risk management remains the responsibility of business unit management where risk is often mitigated through a number of well-established specialist functions or teams, such as fraud management, BCP, insurance, security, IT, human resources, and finance. In addition, a number of management committees and fora, whose focus may not exclusively or principally be operational risk management, consider and act upon operational risk exposures on a day-to-day basis. Although this typical governance model for operational risk has developed primarily in response to regulatory requirements, alignment between the central risk functions and risk at business level is not always achieved, limiting the value-adding potential of effective operational risk management. In the following sections, we explore briefly how the different governance models operated by firms affect the potential of operational risk management to add value to the business.

Some firms operate a governance model for operational risk where risk managers are integrated within the business and risk management forms part of the day-to-day management. A benefit of this approach is that management is directly engaged in the management of operational risk and considers it as part of business planning, thereby removing one of the most significant obstacles in other governance models, where policy and/or management of operational risk are the responsibility of specialist teams outside the business unit. It allows greater efficiency in operational risk reporting, escalation and action planning, while ensuring that business unit or product-related knowledge is inherent in and informs every part of the risk management process. As each business unit is able to manage operational risk to meet its own needs and reporting requirements, however, this model facilitates the creation of disparate and potentially misaligned operational risk management practices across a firm. These may operate effectively at local level, but can impede risk aggregation at a cross-functional level and result in the inefficient allocation of resources and capital across a firm’s operations. The decentralized model may operate successfully in organizations where the board and/or the board’s risk committee and senior executives set a strong “tone from the top” and a risk-aware culture is practised. It implies, however, that the same resources that set operational risk management standards also implement them and are responsible for business-as-usual management activities. This may prevent independence between standard-setting and the day-to-day management of operational risk in the business, which is a cornerstone of industry good practice and a regulatory requirement.

Other firms operate a centralized model for the management of operational risk where a specialist risk team is responsible both for developing the operational risk management framework and policies as well as for framework implementation in the business. The risk team has direct control over specialist functions such as fraud, BCP, and so on and business staff with risk responsibilities. This approach ensures that a common set of standards is developed by operational risk specialists and is applied consistently across the firm. It allows for improved understanding of the principles of operational risk management through the delivery of appropriate training to the organization. Operational risk is identified, measured, and reported by a dedicated resource using a defined set of methodologies and tools, thus facilitating risk exposure aggregation and the development of an accurate risk profile. This knowledge aids the efficient allocation of resources, and can inform strategic planning and executive decision making as well as capital allocation across the business.

Additionally, as the risk team has direct access to specialist knowledge, this model allows for timely and accurate identification and reporting of changes to the risk profile, efficient action planning, and the development of a system of internal control that is informed by business needs and is applied uniformly across the organization. The effective operation of this approach in larger firms requires the availability of a significant number of operational risk resources and a risk-aware culture both at senior executive management and functional levels. Without these, it may result in the isolation of the operational risk team from the day-to-day running of the business and create a negative perception in terms of the business benefits of operational risk management.

In response to regulatory and capital requirements, as mentioned previously, and partially due to the shortcomings related to each of the governance models discussed previously, many firms have implemented a hybrid model, where a specialist risk function provides oversight and guidance for the management of operational risk while risk is managed in the business by specialist functions (such as BCP, fraud, etc.) and business managers. This approach ensures that while responsibility for the management of operational risk lives with the business, the management of operational risk is set by a specialist team and is therefore consistent across the organization. Operational risk is consistently identified, measured, and reported, allowing for aggregation and informed decision making with regard to risk mitigation and strategic planning. The hybrid governance model should combine the best elements of the former two models and limit their shortcomings.

Considering the operating environment complexity of most large financial institutions and the corresponding multitude of reporting lines and potentially misaligned business objectives of different business units and individuals, however, the operational risk framework and associated reporting requirements may not be consistently implemented by the business. This is especially likely in governance models where the central risk team only has indirect control of risk management resources in the business. As a result, aggregation and analysis of risk exposures, capital allocation, the ability to agree and implement control environment improvements and, ultimately, strategic action planning may be impeded. Additionally, the boundaries and crossover between the operational risk team and other risk management and assurance functions may not be clear, resulting in duplication of effort and frustration in the business. Therefore, as with the models described previously, senior executive and business management commitment and the practice of a risk-aware culture that ensures any inherent weaknesses are removed by day-to-day practices are fundamental to the successful operation of this approach.

The Rebirth of Operational Risk

Firms’ experience in the management of operational risk has demonstrated that risk culture and senior management commitment are essential for successful implementation. Where culture and “tone from the top” are right, however, does operational risk need to exist? Is it simply a regulatory wrapper to a series of disparate and unconnected functions that gained credence under a particular capital regime, but from a management point of view do not necessarily connect?

As long as communication and working practices between operational risk teams, other risk management functions and the business do not facilitate knowledge sharing, effort leveraging, or delivery of the tangible business benefits, management will continue to view operational risk as a regulatory requirement that adds little value to the running of the business. On the other hand, where synergies and benefits are demonstrated through mutually beneficial working practices, a successful partnership may be created that allows the development of an approach to operational risk management that is appropriate for the business and operates to assist the firms to achieve their strategic objectives in a well-controlled operating environment.

Alternatively, a genuine risk-shared service, where senior management relies on an operational risk service provider, might be beneficial. An emerging role of the group operational risk function is to provide assurance that processes are implemented and followed but is the expertise typically in place to allow this? Most group operational risk functions are resource-constrained and therefore have to rely on subjective assessments of implementation effectiveness. As firms progress from the development of operational risk approaches to their practical implementation, these considerations require immediate management attention. Firms need to consider and clarify the objectives of their risk management programmes in their operating environment and their strategic direction in order to ensure that their investment in operational risk processes is not only a regulatory and capital tick-box exercise, but also a business enabler that gives rise to demonstrable benefits.

Basel III in its current version will increase the capital charge for operational risk based on the size of the institution. This is to some extent counterintuitive, in that larger firms are able to introduce better systems and hire higher quality staff, reducing loss incidence. However, these changes have put operational risk back at the forefront of the risk agenda, which makes the issues raised in this chapter of key importance. It is perhaps disappointing that so many firms have worked so hard in these areas but achieved so little value. Generally, we see this as being due to a failure to fully embed operational risk into the business and to get business units to realize that it is their responsibility.
