Chinese proverb: “If we don’t change direction soon, we will end up where we are going”…
The Basel Committee on Banking Supervision, and the global regulatory momentum around the Basel Accords, catalyzed an operational risk discipline by giving us a formal definition for it: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” It also created a finite scope for the risk by laying down distinct event categories and descriptions of cause and effect. This meant that operational risk no longer needed to be described in the abstract or in residual terms such as “anything other than credit or market risk” (which, by the way, was never a meaningful statement at all, considering that the administration and management of credit and market risk are themselves fraught with operational risk).
Notwithstanding definitions and regulatory exhortations, operational risk has not evolved as a discipline in the ten years since the Accords. There has arguably been material progress in measuring it (against losses, scenario and stress analysis, capital postulations), but managing it has been far from easy. Reasons include the fact that it is largely idiosyncratic (in credit and market risk debacles, you tend to sink or swim with everybody else) and asymmetric, since the risk is not passed on to your client and not priced into your products. Operational risk may also be called introspective, as likelihood and severity are both internally determined; and unbounded, as there is no upper limit to potential loss. The traditional belief has been that no portfolio view can be formed, as operational risk is not transactional. You don’t take on the risk or avoid it. It simply exists.
The basic construct of any operational risk program is as follows:
- Identify the major risks, as your taxonomy of risks (the Basel event categories should be fine)
- Position your internal control environment as a hedge or mitigation for these risks
- Through a regime of self-testing, reviews, audits, and risk/control indicators, establish if both the design and effectiveness of your control framework are good and fit for purpose
- Ask if your unmitigated risks (and control gaps) are acceptable, and within your appetite for risk
Do all this, and everybody is happy—even the regulator. Do too much, and you have wasted a lot of money, created a big bureaucracy and throttled the business. Do too little, and you have bet your whole business on one big accident.
The real key to managing operational risk lies in recognizing that it simply requires managing the business well, focusing on people, process and infrastructure optimization. This is where the risk-reward consideration (read: cost versus control) comes into play. A portfolio view of operational risk is in fact available, by looking at the process view of the organization, homing in on what risks arise in pursuing the business, how and where these risks arise in the process sequence, and what mix of people, process and infrastructure could optimally address them.
The implied focus, therefore, is on the structuring of the end-to-end control framework. This first requires you to clearly define your business objectives, service delivery standards, and compliance requirements. Next, identify the risks that arise in meeting or delivering those objectives, categorizing them along your taxonomy of risks. You can use the Basel framework. Then systematically identify which areas of your activity and processes are directly relevant to those objectives. This allows you to relate your operational risks to the specific processes and activities that carry those risks or are relevant to them. Focus then on defining controls where the risks are, specific to the process, in the optimal coverage amount and configuration. Maintain a dashboard of metrics that tell you whether your residual (unmitigated) risks are within your risk appetite and whether the controls continue to be designed correctly and working properly. These might include some metrics of well-being, similar to vital signs, that indicate business health. A second set of metrics might be smoke detectors, by business, product, and process, with built-in lights that flash red, yellow or green against specific escalation triggers and trends.
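The framework just described (risks mapped to the processes that carry them, controls mapped to the risks they hedge, and a smoke-detector dashboard with red/yellow/green escalation triggers and trends) can be made concrete in a few dozen lines. The following is an added illustration, not code from the article or from any Basel publication: the risk names, controls, indicators, thresholds and observation history are all constructed sample data, and the escalation rule (red, or yellow with a rising trend) is an assumption chosen for the example.

```python
"""Illustrative risk/control dashboard: control gaps plus KRI smoke detectors.

All data below is constructed for the example. Risks carry a Basel-style event
category and the processes they sit in; controls list the risks they mitigate
and the latest design/operating test results; indicators carry thresholds and
a short history of observations (oldest first).
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    category: str        # Basel event category (constructed labels)
    processes: list      # business processes in which the risk arises


@dataclass
class Control:
    name: str
    mitigates: list      # names of the risks this control hedges
    design_ok: bool      # design review passed?
    operating_ok: bool   # self-test / audit found it working?


@dataclass
class Indicator:
    name: str
    yellow: float        # escalation threshold for "yellow"
    red: float           # escalation threshold for "red"
    history: list        # recent observations, oldest first


def control_gaps(risks, controls):
    """Risks with no control that is both well designed and operating effectively.

    Returns {risk_name: [processes]} so the gap is visible in the process view.
    """
    effective = set()
    for c in controls:
        if c.design_ok and c.operating_ok:
            effective.update(c.mitigates)
    return {r.name: r.processes for r in risks if r.name not in effective}


def rate(ind):
    """Colour the latest observation against the indicator's thresholds."""
    latest = ind.history[-1]
    if latest >= ind.red:
        return "red"
    if latest >= ind.yellow:
        return "yellow"
    return "green"


def trending_up(ind, n=3):
    """True when the last n observations are strictly increasing."""
    h = ind.history[-n:]
    return len(h) == n and all(h[i] < h[i + 1] for i in range(n - 1))


def build_dashboard(risks, controls, indicators):
    """Combine control gaps and indicator status into one report.

    Escalation rule (an assumption for this example): red always escalates;
    yellow escalates only if the indicator is also trending upwards.
    """
    report = {"gaps": control_gaps(risks, controls), "indicators": {}}
    for ind in indicators:
        status, rising = rate(ind), trending_up(ind)
        report["indicators"][ind.name] = {
            "status": status,
            "trend_up": rising,
            "escalate": status == "red" or (status == "yellow" and rising),
        }
    return report


# Constructed sample data for a small payments/settlement shop.
SAMPLE_RISKS = [
    Risk("Unauthorised payment release", "Internal fraud", ["Payments"]),
    Risk("Failed trade settlement", "Execution, delivery and process management", ["Settlement"]),
    Risk("Data centre outage", "Business disruption and system failures", ["IT operations"]),
]
SAMPLE_CONTROLS = [
    Control("Four-eyes payment approval", ["Unauthorised payment release"], True, True),
    Control("Settlement exception review", ["Failed trade settlement"], True, False),
]
SAMPLE_INDICATORS = [
    Indicator("Failed settlements per day", yellow=5, red=10, history=[3, 6, 8]),
    Indicator("Privileged access exceptions", yellow=2, red=5, history=[1, 1, 0]),
    Indicator("Unplanned outage minutes", yellow=30, red=120, history=[0, 150, 90]),
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(build_dashboard(SAMPLE_RISKS, SAMPLE_CONTROLS, SAMPLE_INDICATORS))
```

Run as a script, the report shows two control gaps (the settlement review is designed correctly but failed its operating test, and the outage risk has no control at all) and escalates only the settlement-failure indicator, which is yellow and rising; the outage indicator is yellow but falling, so it is flagged without escalation. Replacing the constructed data with an organisation's own taxonomy, test results and KRI feeds is what turns this into the dashboard the text describes.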
Bottom line: managing operational risk has never been more important than it is today, yet apparently it has never been more conflicted between cost and control. It should not, and does not, need to be so!