Operational risk is not a new risk. Most successful firms have been effectively managing their operational risks since inception.
But are the traditional methods good enough to remain competitive in today’s complex global economy? Perhaps so for the average firm,
but most leading organizations recognize that by improving operational risk management (ORM) practices they can reduce losses, lower
costs associated with fixing problems and increase customer and employee satisfaction, all of which lead to improved financial
performance and enhanced shareholder value.
Why is a new approach necessary? To answer this question one only need look at the facts. Just one percent of the events cause 60-70%
of the losses in the financial services industry. While it is clear that very large operational losses can cause bankruptcy, even
moderately large operational losses can seriously impact financial performance.
Traditional methods generally focus on ordinary or routine events; modern ORM focuses on exposure to losses, particularly large losses.
Firms that follow traditional methods tend to focus on the "risks" they know about, which are typically the smaller exposures. Firms
that have adopted modern ORM use external data to get a more objective understanding of the "risks" they know less about, which are
typically the larger exposures. Firms that still follow traditional ORM methods are often over-controlled in the areas where they have
the least risk and under-controlled in the areas where they have the most risk.
Irrespective of regulatory compliance, for most leading institutions the question is not whether to establish an effective ORM program,
but how?
Well-managed organizations have long since discovered that effective ORM goes beyond simply building "awareness" in the hope that sound
risk management practices will emerge spontaneously. Pragmatists know that effectively managing operational risk involves creating the
right culture, or more specifically, a culture and framework designed to turn awareness into action. But getting managers to act
optimally requires the right set of incentives, because people do what they have an incentive to do and generally do not do what they don’t
have an incentive to do.
An effective ORM program requires a sound framework. The goal of such a framework should be to provide reliable information to key
decision makers so that they are aware of their most significant risks as well as the quality of their corresponding internal controls.
This information will allow them to make educated decisions when developing risk management, risk mitigation and risk transfer strategies.
Thus, managing operational risk fundamentally revolves around the process of optimizing the risk-control relationship in the context of
cost-benefit analysis. This, in turn, requires a process for accurately monitoring (measuring) each business’ changing risk and control
profile.
To accomplish this goal four things must be done correctly.
First, the risk management department must be able to provide managers with objective information to help them better understand where
their risks really are, and not just ask them to guess where their risks might be. Operational risks have to be identified before they
can be managed. And the process of identifying risks is complicated by the fact that it is hard to differentiate between major and minor
risks and real and phantom risks without being able to accurately measure these risks in the first place. And then once the risks have
been identified, unless those with the highest priority can be ascertained, it will be impossible to develop an effective risk management
program.
Second, one must help managers understand how well their real risks are being managed through their existing set of controls, so they can
know where they are over-controlled and where they are under-controlled in the context of their overall operational risk strategy and risk
(loss) tolerance. One cannot have a zero tolerance policy towards operational risk, just as one cannot institute perfect controls. An
organization has to be realistic in establishing a level of risk and loss tolerance.
Third, one needs to determine what level of controls is appropriate after having conducted a circumspect analysis of the associated costs
and benefits of each risk mitigation and transfer strategy.
Finally, one needs to institute a comprehensive and fully transparent monitoring and reporting process with built-in incentives to encourage
desired behavioral change.
It is difficult to think of ways one can even begin to manage operational risk without having these foundational elements in place. Best
practice calls for an integrated operational risk measurement-management program, where objective, transformed (normalized) measures are
used to identify levels of risk and internal control quality within a common analytic structure. But in order for these measures to be
meaningful they will need to be based on reliable information: specifically, internal and external loss data, theoretically valid risk
measurement and assessment, objective control self-assessment, validated risk indicators, appropriate follow-up action results, disciplined
scenario analysis and well-founded VaR calculation.
Can this really be done and is it practical, or is this just pie-in-the-sky? Before one can answer this question one must first probe the
issues, such as: How can I accurately monitor my operational risks on an ongoing basis without unnecessarily burdening the businesses?
How can I transform the amalgam of raw operational risk data into consistent and credible information that can support managerial decision
making? If historical loss data is the most objective source of information on risk exposure, how can I possibly make use of such information
when internal data seems insufficient and external data appears irrelevant? How can I rely on the results of risk and control self-assessments,
when I’m not sure I’m asking the right questions, and even if I am, it’s not clear that the respondents know the right answers, and even if
they do, I can’t be sure they will tell the truth because it may not be in their interest to do so?
There are practical answers to all these difficult questions, but they need to be addressed logically and objectively, one issue at a time.
There are no shortcuts to developing a comprehensive framework for managing operational risk. And one cannot get on the right track without
confronting the difficult issues head on. If an organization’s ORM framework is not based on fundamentally sound reasoning, the program will
eventually unravel at the seams. An ill-conceived ORM program is also likely to leave an organization vulnerable to major operational losses.
The damage from even one major loss could be far greater than the cost of establishing a state-of-the-art, integrated operational risk
measurement-management program. Just think how little a very simple global early-warning system would have cost to build and maintain relative
to the lives lost and property damage that resulted from the recent Asian tsunami.
In our view, turning operational risk management into operational risk compliance, where managers are simply asked to collect loss data and
given nothing in return other than a set of mundane tasks and follow-up actions, is not the optimal course.
Drawing upon our many years of experience advising the world’s leading banks and regulators on ORM, we strive to help our clients better
understand these and other critical issues so that they can address this challenging problem. We don’t pretend to have all the answers, but
we think we have hit upon some of the right questions. It is important to recognize that one can never arrive at the right answers without
coming up with the right questions. And only by analyzing and reanalyzing the issues can one begin to shed light on what may be the right
questions. Finding the answers is the easier part. Getting to the right questions is the major challenge.