Friday, January 09, 2009

Operational Risk Management—The Next Frontier

Executive Summary

Operational risk is not new. In fact, it is the first risk that banks must manage, even before they make their first loan or execute their first trade. What is new is the idea that operational risk management is a discipline with its own management structure, tools, and processes, much like credit or market risk.

In the 55 financial institutions surveyed, there has been a significant focus on development of risk management for market and credit risks over the past ten to 20 years. Yet, the recognition of operational risk management as a separate discipline has occurred primarily during the past three years. Although a great deal of progress has been made, many areas are yet to be explored. Consequently, we have titled this survey Operational Risk Management—The New Frontier.

The key conclusions of the research are:

  • Operational risk management programs protect and enhance shareholder value.
  • The creation of operational risk management programs has been driven by: (1) management commitment, (2) the need for an understanding of enterprise-wide risks, (3) a perceived increase in exposure to operational risk and risk events, and (4) regulatory interest.
  • A new organizational model is emerging with a new position—a Head of Operational Risk, reporting to the Chief Risk Officer. The role is to develop and implement the operational risk framework and consult to the lines of business.
  • There is consensus on the core definition of operational risk: The risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events.
  • Methodologies are evolving to quantify Operational Risk Capital. While progress is being made, there is no consensus on approach, and methodologies are not yet used as a basis for decision making.
  • A framework for operational risk management is emerging, consisting of a set of integrated processes, tools, and mitigation strategies.
  • There are five stages of development of an operational risk management framework. Understanding these stages will help companies benchmark progress and identify priorities.

Operational risk management initiatives protect and enhance shareholder value. Senior managers surveyed most frequently cited enhanced shareholder value as a primary benefit of operational risk management. Also cited were internal awareness of operational risk, protection of reputation, and lower levels of operational losses.

Respondents are convinced that effective operational risk management can add value by improving competitive advantage and by reducing the level of losses, both from large events that can imperil financial condition and from smaller, more frequent incidents.

Operational risk management programs were created for five reasons. During the past three years, senior management has taken a more active role and demonstrated interest in operational risk. Five key reasons for this increased attention are:

  1. Senior management commitment.
  2. Perceived increase in operational risk.
  3. Reaction to major loss events that have occurred internally or to others.
  4. Focus on enterprise-wide risk management.
  5. Regulatory attention.

A common definition for operational risk is emerging. The debate on how to define operational risk has at times overshadowed the debate on how to manage it.

The study found, however, perhaps not surprisingly, that many banks have an internal definition of operational risk and most banks are satisfied with that definition.

In reviewing those definitions, analyzing common classifications, and eliminating the linguistic, cultural and organizational differences, it became clear that there is a common core operational risk definition, specifically:

Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events.

Each firm can modify this definition with additions, deletions, or emphases that reflect its individual circumstances. But at an industry level, this definition expresses the core operational risk factors for most firms and can facilitate exchange of information. This definition is not intended to include defaults or changes to financial markets that are otherwise covered in the scope of market and credit risks.

This definition excludes business/strategic (business) risk because there was not a consensus view on whether to include it or not. The remainder of this report does not address management of business risk.

Firms are structuring a new position: Head of Operational Risk. The business units are primarily responsible for managing operational risk on a day-to-day basis. While the trend for market risk and credit risk is towards increasing centralization, operational risk, by its nature, is decentralized. In operational risk there is no position to report, few approvals to request, or hard policy limits to measure against. The businesses have this risk whether they like it or not, and cannot transfer the responsibility for management of it.

Survey findings identify three generic organizational models for operational risk management. The culture of the organization, rather than the type of institution, determines the selection of any one of these three models. One model has a head office operational risk function, the second has dedicated but decentralized support, and the third has Internal Audit playing a lead role in operational risk management.

The Head Office operational risk approach is the trend gaining widest acceptance. (See Figure 1.) Often led by a head of operational risk who reports to the chief risk officer (Figure 2), the model typically includes a small Head Office staff of fewer than five. It is complemented by staff dedicated to supporting individual business units, as part of either the business units or the corporate function, but in either case, operating under a common framework.

Other aspects of the model and additional organizational units that play important roles are:

  • The Board of Directors is taking a more active interest in reviewing operational risk policies and major issues.
  • Operational Risk Committees are being established to heighten awareness and prioritize resources.
  • Other Risk-Related functions (e.g., Information Technology, Legal, Compliance, Human Resources) have responsibility for specific operational risk issues.

The Head Office operational risk function is responsible for development of firm-wide operational risk policies, framework and methodologies, and advising the business units. In this emerging model, the most common responsibilities are to:

  • Determine operational risk policies and definition.
  • Develop and deploy common tools.
  • Establish indicators.
  • Assess benefits of programs.
  • Analyze linkages to credit and market risk.
  • Consolidate cross-enterprise information.

In addition, this function focuses on cross-enterprise operational risk management initiatives such as developing economic capital methodologies and building loss databases. It also can be charged with the management of the firm's portfolio of operational risks.

Depending on the relationship with the business units, they may also consult or participate in operational risk management projects with business units.

Companies use a variety of stand-alone tools to help manage operational risk. Operational risk management is developing a comprehensive set of tools for the identification and assessment of operational risk. Individual firms use a wide variety of techniques. This study concentrated on five techniques:

  • Self and risk assessment.
  • Risk mapping.
  • Risk indicators.
  • Escalation triggers.
  • Loss event database.

Seventy-one percent of survey respondents use or plan to use all five tools. Currently, the most valued and most used tool is self and risk assessment. However, the tool that most firms are looking to develop next is the internal loss event database.

Methodologies to quantify operational risk capital are improving, but firms are not satisfied with the results so far. The majority of firms that responded (31 of 55) are trying to develop a measure of economic capital for Operational Risk. However, the gap between what most firms want to achieve and what they are able to achieve remains significant. Most report that they are not satisfied with their approach or with the behavioral incentives that they create. As a consequence, operational risk capital measures are not used to drive economic decision making.

Considerable progress is being made within the industry; however, a healthy diversity of approaches is being applied along a continuum of top-down and more risk-based, bottom-up approaches. These risk-based, bottom-up methodologies often rely on actual loss event data. They can quantify the level of exposure to each type of risk at the business line level, and react to changes in the control environment and actual operational risk results. Since no single approach is satisfactory, most firms currently use multiple methodologies to bound a result. Overall, if one trend does exist it is the movement toward risk-based, bottom-up methodologies. To go further, the industry will need to overcome three major obstacles: data, measurement, and management acceptance.

A framework for operational risk is emerging, consisting of a set of integrated processes, tools, and