Operational risk: ignore it at your peril |
Back |
Chris Karow explains that while operational risk is not new, changes in the business, regulatory and operating environment are creating increased recognition of such risks. |
Operational risk can be defined as the risk of loss caused by deficiencies in information systems, business processes or internal controls as a result of either internal or external events. This definition is much broader than ‘operations‚ risk’ which relates to the back office activities generally performed by operations departments. Operational risk encompasses risks emanating from all areas of the organisation, from the front office to the back office and support areas. Examples include systems failures, the faulty execution of a transaction, incorrect data entry, fraud, natural disasters and regulatory changes.
Over $7 billion in operational risk losses by financial services firms was reported in the press last year. This figure represents only reported losses; actual losses are a multiple of that amount. Capital market/trading activities account for many of the well publicised losses, which can run in the millions for rogue trader events. More frequently operational risk exposures are related to factors such as transaction volumes, changing products or markets, systems or business processes that do not support business activities, or changes resulting from mergers and acquisitions.
In recent years leading organisations have made progress by developing a more holistic approach to managing operational risk. This approach blends traditional qualitative risk assessment approaches with a new breed of key risk indicators and quantitative, probabilistic methods that can be used to monitor risk and make more informed management decisions.
Qualitative approaches refer to a group of methodologies and tools that are used to identify, assess and mitigate the level of operational risk and determine how effectively risk is being managed. Many leading companies have shifted the responsibility for risk evaluation from the internal audit department to the business units that create and manage the risk. The business line manager, who faces the issues daily, is in a better position to understand and influence the full range of risks.
Key risk indicators are a new breed of financial, operational and business process indicators that provide continuous insight into the level of risk in the business. Advances in technology are fuelling the development of new methodologies for identifying and tracking key risk indicators. The challenges that remain include the need to access data from legacy systems and manual processes, to sort through large volumes of data to find the most relevant information, to develop indicators at the right level of detail and to create common views or meaningful ways to aggregate different types of data.
Quantitative, probabilistic approaches include the use of methodologies to quantify operational risk in cash terms, similar to value-at-risk measures of market risk. Quantifying operational risk requires developing measurement methods that produce results that are relevant for capital allocation and business decisions, without being mired in excessive detail. Recently efforts have focused on combining qualitative risk assessment results and key risk indicators with traditional quantitative approaches to determine a probabilistic measure of operational risk.
Organisations that adopt a complete risk management framework, encompassing operational as well as market and credit risk, will be better positioned to price products, find new and profitable fee-based business and to thrive in the new financial services environment. |
Chris Karow is a partner at the risk management and regulatory services practice of Arthur Anderson.
|
Article appeared in the January 2002 issue.
|
|
|