I. Introduction
The Basel Committee on Banking Supervision defines operational risk (OR) as “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” Examples of OR include: fraud either by external parties or employees; workplace safety and employment practices; client, product and business practices; damage to physical assets; business disruption and system failures; and losses from failed transaction processing or from trade with vendors.
Companies are becoming concerned about operational risk-related issues as never before for a number of reasons. The first is regulatory in nature. New U.S. and international regulations, such as the Sarbanes-Oxley Act and Basel II, establish much stricter standards that govern a wide spectrum of business functions, including operational risk. For example, Sarbanes-Oxley established new requirements for the accounting and reporting of a corporation’s financial information and has had far-ranging consequences with regard to corporate governance in general, including various aspects of operational risk, such as information technology systems. Among other things, Basel II explicitly recognizes operational risk as a reason for financial institutions to hold capital in reserve and contains incentives for large banks to devote considerable resources to measuring and quantifying operational risks.
There are other factors as well. The operations of many companies have become increasingly complex in recent years, due to the trends of e-business, outsourcing and foreign operations. Also, technology has driven companies to change their business models and methods. Finally, boards of directors and stakeholders are growing increasingly impatient with “surprises” in the marketplace, whether internal or external in nature, and are demanding that management take a much more proactive role in identifying and managing risk.
While there are various new incentives for companies to address operational risk-related issues, actually doing so is difficult for many companies. Insufficient loss data, the lack of established methods for quantifying risk, the fact that there are many different types of operational risk with multiple corresponding owners, and an unclear cause-and-effect relationship between risks and actual incidents are some of the challenges to OR management. Because of the complexities surrounding operational risk, companies interested in addressing related issues often adopt a larger, enterprise-wide risk management (ERM) program. In fact, OR management is one of the primary motivations for companies to implement such an initiative.
II. OR’s Relationship to Enterprise Risk Management
ERM applies active risk management to all the risks facing an organization. It is a disciplined and integrated approach to risk that supports the alignment of strategy, process, people, and technology, and allows corporations to identify, prioritize, and effectively manage their critical risks. By understanding all risks in an integrated framework, companies can execute proper strategies to successfully achieve their objectives and to meet their performance goals. It allows companies to identify the risks they can:
- Transfer through insurance or hedging programs (transfer the risk);
- Accept as is (retain the risk);
- Reduce through rigorous management practices (mitigate the risk); or
- Simply reject by eliminating a process, product, or geographical zone (avoid the risk).
An ERM approach is anticipatory and proactive. After implementing an ERM approach, management fully understands all critical risks and how they can be proactively managed.
An ERM program involves a multi-step process that constantly seeks to upgrade an organization’s overall ability to manage risks. The stages include:
- Identifying, assessing, and prioritizing business risks
- Analyzing these risks and the organization’s current capabilities to manage them
- Determining strategies and designing capabilities to address identified shortfalls
- Developing and executing action plans and establishing related performance metrics
- Measuring, monitoring and reporting on the newly implemented initiatives
- Aggregating results and integrating them into the overall decision making process
- Repeating the process to continually improve the organization’s risk management process
In the wake of corporate scandals, earnings surprises, and the loss of consumer confidence, more companies recognize the deficiencies of the traditional approach to managing risk. They are now turning to ERM solutions to better prepare them for the new challenges and uncertainties emerging in today’s changing environment.
As a natural by-product of implementing ERM, organizations will have a far better understanding of their operational risk issues and, based on that knowledge, will be able to proactively address related issues.
III. Building an Effective Operational Risk Management Program
As with ERM, operational risk management is a systematic, thorough, and objective means of identifying and managing risk. It can result in significant, organization-wide changes. However, these will only occur if the OR initiative enjoys the active support of the entire organization, most especially senior management. It is individuals in the C-suite who will have access to much of the pertinent data and who will be actively relied upon to implement any structural changes that may be necessary to proactively manage identified risks. Therefore, the first order of business needs to be lining up the support of senior management.
At the tactical level, there are three key building blocks to establishing an effective program: loss classification, risk assessment, and quantification. Each is discussed below.
A. Loss classification
The first step in loss classification is to compile an inventory of all the different risks that could impact the organization. There is a wide array of external risks that companies need to account for and manage. External risks include natural hazards, financial markets, changing regulations, and technical innovation, to name a few. Internal risks exist at the strategic, operational, and financial levels. Strategic risk includes the company’s business model, product life cycles and brand reputational issues. Operational risks include issues related to process, management information, human capital, integrity, and technology. Financial risks include those related to interest rates, credit ratings, liquidity, and commodities.
After an inventory of all the risks has been compiled, the second step in loss classification is to compile information on all the operational losses sustained by the organization. Types of losses include write-downs, loss of or damage to assets, regulatory actions, and legal liabilities. Operational risk losses are defined as any direct loss, including external cost or write-down involved in the resolution of the operational loss event, net of any recoveries (such as insurance or recoveries from other third parties). When creating the classification system, remember there are differences between operational risks and operations risks. Operational risk might include a production facility located near an earthquake fault line; an operations risk would be the potential loss of production related to a seismic event.
The third step in loss classification is data collection. A database needs to be created that includes event-specific information, such as type of event, its time and location, amount of recoveries (e.g. insurance), breakdown by effect type, location of loss and the de minimis limit used for data reporting.
After properly categorizing all losses, it is important to identify the various risk indicators associated with each event. These include: relevance to the business, ability to predict its occurrence, ease of collecting relevant information, transparency of the incident, and quantitative and qualitative information.
B. Risk assessment
Once all the loss classification information has been compiled, it is possible to conduct a thorough risk assessment of all the organization’s operational risks. It is hard to estimate the impact and likelihood of any specific, hard-to-quantify risk. The challenge is that while management is the best source to estimate risk exposures, its judgment can be biased for any number of reasons, such as wanting to advance pet projects or placing unfair emphasis on one business unit versus another. Therefore, it is important to use a Business Risk Assessment (BRA) process to bring objectivity to the exercise. A BRA has four steps:
Step 1 – Understand needs and objectives: Confirm the objectives of the assessment and develop a work plan outlining the steps. This includes analyzing needs, reviewing internal documentation, and evaluating current risk practices. From this will be generated a preliminary analysis of the organization’s current state of risks.
Step 2 – Review and assess risk environment: Build risk awareness within the organization by interviewing and gathering feedback from key stakeholders at all levels. Then, adapt and finalize the organization’s risk inventory from the loss classification step. From this will be generated a customized business risk inventory and workshop agenda (detailed below).
Step 3 – Conduct a facilitated risk assessment workshop: Assess the impact and likelihood of key risks on the organization’s goals and objectives by prioritizing key risks and assessing management effectiveness at addressing each. Also during the workshop, assign management ownership for each of these risks. From the workshop, management will have a better understanding of the gap that exists between prioritized risks and management’s ability to effectively manage them.
Step 4 – Develop summary of results report: Summarize the results of the workshop, create a comprehensive risk profile, and determine the next steps. The summary should include a high-level action plan outlining how to address identified risk challenges.
C. Quantification
The next, and perhaps most difficult, step in the overall process of building an effective operational risk management program is to actually quantify the different operational risks facing an organization. An operational risk is characterized by specific events occurring at random time intervals and of a random size. When insurance ramifications need to be accurately modeled, Monte Carlo simulation is often the method of choice. This widely used form of spreadsheet simulation randomly generates values of the uncertain variables (here, how many events occur in a period and how large each one is). By generating enough scenarios, as many as 10,000 or more, the model can be helpful in ascertaining a range of financial outcomes rather than a single point estimate.
It is important to accurately predict the frequency and severity of events so that management can then accurately assess the proper importance to each and dedicate the appropriate resources to either mitigate the risk, retain it, manage it and/or transfer it. Quantification of risk can bring objectivity to related management decisions.
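The loss database described under III.A (events recorded net of recoveries, with a de minimis reporting limit) and the frequency/severity simulation described under III.C are combined in the added example below. This is illustrative Python written for this article, not the authors’ model or any vendor’s tool: the ten loss events are constructed, the de minimis limit of 10,000, the three-year observation window, and the choice of a Poisson distribution for event frequency and a lognormal distribution for severity are all assumptions (the article names the fields to collect and recommends Monte Carlo simulation but specifies no distributions). The simulation draws 10,000 simulated years and reports the expected annual loss alongside the 95th and 99th percentiles, which is the “range” of outcomes the article refers to.

```python
"""Added example (not from the article): from a loss-event inventory to a
Monte Carlo annual-loss distribution. Event records, the de minimis limit and
the distribution choices are assumptions made for this illustration."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class LossEvent:
    """One record of the loss database described in the article."""
    event_type: str    # e.g. "external fraud", "system failure"
    year: int          # time of the event (year granularity is enough here)
    location: str      # location of the loss
    effect_type: str   # e.g. "write-down", "legal liability"
    gross_loss: float  # direct loss incl. external cost of resolution
    recoveries: float = 0.0  # insurance or other third-party recoveries

    def net_loss(self) -> float:
        # Losses are booked net of recoveries; a recovery larger than the
        # loss is floored at zero rather than recorded as a gain.
        return max(self.gross_loss - self.recoveries, 0.0)


DE_MINIMIS = 10_000.0  # assumed reporting threshold for this example
YEARS_OBSERVED = 3     # the constructed inventory spans 2021-2023

# Constructed sample inventory (not real data), amounts in currency units.
SAMPLE_EVENTS = [
    LossEvent("external fraud", 2021, "NY", "write-down", 45_000, 20_000),
    LossEvent("system failure", 2021, "London", "business disruption", 120_000),
    LossEvent("employment practice", 2021, "NY", "legal liability", 8_000),
    LossEvent("damage to physical assets", 2022, "Tokyo", "loss of assets", 250_000, 200_000),
    LossEvent("internal fraud", 2022, "NY", "write-down", 30_000),
    LossEvent("transaction processing", 2022, "London", "write-down", 15_000, 6_000),
    LossEvent("client practices", 2022, "Tokyo", "legal liability", 18_000),
    LossEvent("system failure", 2023, "Tokyo", "business disruption", 60_000),
    LossEvent("regulatory action", 2023, "London", "regulatory", 400_000),
    LossEvent("external fraud", 2023, "NY", "write-down", 12_000, 15_000),
]


def reportable(events, de_minimis=DE_MINIMIS):
    """Apply the de minimis limit to net losses, as the loss database does."""
    return [e for e in events if e.net_loss() >= de_minimis]


def frequency_per_year(events, years):
    """Poisson rate (lambda): reportable events per observed year."""
    return len(events) / years


def fit_lognormal(losses):
    """Fit on log-losses: returns (mu, sigma) of the lognormal severity."""
    logs = [math.log(x) for x in losses]
    return statistics.fmean(logs), statistics.pstdev(logs)


def poisson(rng, lam):
    """Knuth's multiplication method; adequate for small annual counts."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, trials=10_000, seed=0):
    """Each trial is one simulated year: a Poisson number of events, each
    with a lognormal severity, summed to an annual total."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = []
    for _ in range(trials):
        n = poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def summarize(totals):
    """Expected loss plus tail percentiles of the simulated distribution."""
    s = sorted(totals)

    def pct(q):
        return s[min(int(q * len(s)), len(s) - 1)]

    return {"expected": statistics.fmean(s), "p95": pct(0.95),
            "p99": pct(0.99), "worst": s[-1]}


def expected_annual_loss(lam, mu, sigma):
    """Closed form for the compound Poisson/lognormal mean: lambda * E[severity]."""
    return lam * math.exp(mu + sigma ** 2 / 2)


def run(events=SAMPLE_EVENTS, years=YEARS_OBSERVED, trials=10_000, seed=0):
    """Inventory -> de minimis filter -> parameter fit -> simulation summary."""
    kept = reportable(events)
    lam = frequency_per_year(kept, years)
    mu, sigma = fit_lognormal([e.net_loss() for e in kept])
    result = summarize(simulate_annual_losses(lam, mu, sigma, trials, seed))
    result.update(events_kept=len(kept), lam=lam, mu=mu, sigma=sigma,
                  analytic=expected_annual_loss(lam, mu, sigma))
    return result


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key:>12}: {value:,.2f}")
```

Running the file prints the fitted parameters and the summary; the “analytic” figure (lambda times the lognormal mean) is a sanity check that the simulated expected loss should land within a few percent of. Seven reportable events are far too few to fit a severity curve with any confidence; in practice the parameters would be estimated from a much larger internal and external loss database, and it is the tail percentiles, not the expected loss, that inform the retain-versus-transfer decisions the article lists under II.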
IV. Conclusion
This is an environment in which key stakeholders inside and outside of organizations – from government regulators and the media to shareholders and employees – are demanding more accountability from senior management to properly handle all aspects of operational risk. That cannot happen until there is a clear understanding of the different types of risk that could impact the company as well as their potential size and frequency. Once that information is in hand, management can take the steps necessary to adopt a proactive strategy. Operational risk management offers organizations the tools they need to effectively identify, quantify, mitigate and transfer all operational risks.