Operational risk is as old as the banking industry itself; it was the primary cause of some financial disasters. It is one of the first risks that organisations must manage, even before they make their first transaction, and yet the industry has only recently arrived at a definition of what it is.
More recently, there is a growing consensus that operational risk management is a discipline in its own right with its own management structure, tools and processes.
Four approaches have been used to define operational risk. The first approach defines operational risk as any financial risk other than market and credit risk, but also includes business risk. A second, much narrower approach defines operational risk as arising from operations, which involves transaction processing and systems failures.
A third approach, which is slightly broader, describes operational risk as any risk over which the institution has control. A fourth approach, which is more accepted by industry, views operational risk as the risk of direct and indirect loss resulting from failed or inefficient processes, systems, people, or from external events.
This excludes business risk but includes external events such as political or regulatory risk, disaster risk, counterparty risk, security breaches, and so on.
In the past, the discipline was reactive and responsive to risks as they arose, rather than managing operational risk in a pro-active manner. The approach to managing operational risk was focused on the "cost of doing business".
Exposures were managed by standard controls designed to reduce the frequency and severity of expected losses. Under this method, major operational losses resulting from processing errors, frauds or accidents were dealt with as they occurred, and stronger risk management policies and procedures were put in place after the event.
However, in following such an approach, operational risk management tends to be perfunctory, and provides limited insight into the anticipation and prevention of catastrophic losses. Over the last few years, a number of high-profile IT failures have highlighted the potential cost of operational risks.
In April 2000, a failure in the IT system at the London Stock Exchange left investors unable to trade for eight hours on the last day of the tax year. Another incident dramatically illustrated the point in 1995, with the watershed event of the collapse of Barings.
Barings suffered one of the major unauthorised trading debacles of the century, and the confluence of its collapse with the derivatives blow-ups around the same time in the mid-1990s was one among several factors that led to the revision of the original 1988 Basel Accord.
In the late 1990s, the Basel Committee proposed a more risk-sensitive treatment for credit risk that will remove the implicit capital buffer for operational risk that had previously existed.
The new capital accord (known as Basel II) will, among many other things, require banking organisations to compute an explicit capital charge for operational risk once it is adopted. Financial institutions, in their response to both regulatory and management requirements, are expected to adopt a balanced approach to operational risk.
This includes an emphasis on tools and techniques designed to assist the management of a financial institution in prioritising its risk budgets and in deciding in which areas to focus its efforts. Sophisticated financial institutions use the full arsenal of operational risk methodologies and approaches that are currently available.
A few international banks that had adopted a Risk Adjusted Return on Capital (RAROC) approach were beginning to realise the need to manage operational risk on a more proactive basis. This need was further accentuated by the greater use of financial mechanisms such as derivatives, which, while reducing some types of risk, such as market risk and interest rate sensitivities, increased others, such as counterparty and documentation risk.
It suddenly became urgent for the banks to adopt more pro-active and sophisticated responses to the management of operational risk.
As management responsibilities for operational risk stretch beyond regulatory requirements, institutions may need to adopt definitions for management purposes that are broad enough to encompass the range of risks that they face. Such definitions should typically include the risk of both direct losses (provided for by provisions and capital) and indirect losses (management processes) resulting from inadequate or failed internal processes, people, systems, legal processes and external events.
After establishing a specific and working definition, risk identification is the next step in the process for any bank that wants to implement a comprehensive operational risk framework.
Banks will need to adopt a variety of approaches to identify risks within their institutions; the following represents a sampling of industry best practices:
(a) The collection, analysis and mapping of operational risk loss data from internal sources and the determination of loss frequency and severity.
(b) The use of key risk indicators derived from aggregated internal data and from assigned threshold values which provide a top-level risk profile of the health of an institution.
(c) Scorecards which provide a means of translating qualitative assessments collected from the business units into quantitative metrics.
(d) The use of self-assessment methodology that collects internal feedback from employees reflecting risks that reside within the organisation.
After identification, incorporation into the organisation's structure and culture is the next step in the process. It is important that the operational risk management framework be integrated into the overall organisational structure as part of an enterprise-wide risk management system.
The framework should aid and assist business units in meeting their strategic objectives rather than being the objective itself. In order to be effective, an operational risk management framework requires both senior management and business unit buy-in and support.
The ultimate goal is to establish a fluid "lessons learned" culture that seeks to analyse and learn from the mistakes of the past, rather than hide them from management.
After incorporation into organisation structure and culture, data collection is the next step in the process. Once robust processes are in place to identify risks, the next logical progression involves tracking internal losses within the organisation, linked to standard business and event types.
Although internal loss data are one of the most objective risk indicators available, and reflect the unique risk profile of an institution.
After data collection, measurement is the next step in the process. The measurement of operational risk, which was once considered impossible, has evolved remarkably during the past few years, and the industry is adopting innovative approaches for creating models that integrate both quantitative and qualitative inputs from data sources, expert opinion, self-assessments and scenario generation exercises.
After measurement, management is the next step: once identified and measured, operational risks need to be managed. This can be accomplished by using a variety of techniques, including a close examination of an organisation's control environment, the development of procedures to measure and implement those controls, and the use of insurance programmes as risk transfer mechanisms.
In Pakistan too, the focus on operational risk management is increasing by the day; financial institutions, under the risk management guidelines of the SBP, are focusing on operational risk to avoid the potentially far-reaching and devastating effects of an operational breakdown.