Managing Operational Risk: 20 Firmwide Best Practice Strategies / Edition 1

Read an Excerpt

Managing Operational Risk

John Wiley & Sons

Chapter One

An Executive Summary

THE ACCELERATED DEVELOPMENT OF OPERATIONAL RISK MANAGEMENT

Operational risk has been a challenge for financial service firms for years, but because of the infrequency of losses, it has not been recognized for its full potential until recently. Large loss events had occurred before. One-off events had caused both mass embarrassment and/or collapse, but they were widely considered to be extremely remote and perhaps even aberrations. Thus, operational risk didn't attract such significant attention until the 1990s, when a series of life threatening or fatal operational loss events at a number of different financial firms caused reorganization, management shakeup or a refocus on control environments, and a new focus on operational risk. Even more noteworthy was that operational losses were occurring at high profile and respected firms in the United States and Europe (i.e., Barings, Prudential, Kidder Peabody), thus further underscoring the danger of ignoring this area.

This series of loss events, coupled with a changing risk landscape, has perhaps forever changed management's perceptions and priorities. At one time, operational risk could be defined as an area characterized by frequent small and predictable events such as processing errors,reconciliation breaks, or system glitches, accompanied by the one-in-five-or-ten-year large system failure and loss, defalcation, or customer dispute. More recently, however, these larger loss events have become far too commonplace and visible in the industry news for management's comfort. Couple this with the advent of increased management and directorship accountability forced by legal actions against officers and directors and a chain reaction has been set in motion.

Recent trends in business complexity, highly visible operational losses, and the need to manage risks associated with them have given rise to a new field called operational risk management (ORM). Many of its underlying component parts, like the existence of various control functions, have been in place for years. There is a new recognition, however, of the importance of identifying, understanding, and measuring operational risks more intelligently, as well as weaving an effective web of approaches to managing them given their complexity and potentially devastating impact on firms today.

Management, bank boards, and regulators have been forced to ask questions like, "What else besides credit and market losses can put our firm at substantial risk? What is operational risk? How do we define, measure, and best manage it? Can we hedge it? Perhaps we should be thinking more holistically about risk on a truly enterprise-wide basis so we are not blindsided in the future."

This chapter is an overview-an executive summary, focused on key trends in operational risk management, as well as on the changes in the underlying risk factors that could well serve to increase the focus even further. It covers executive management needs and perspectives, ORM trends to date, the ORM upside opportunity, risk assessment, performance measures and risk finance. Last, it includes a brief overview of Bankers Trust's early work on operational risk measurement, including our advancements on operational risk-based capital, and in the general implementation of operational risk management. As a credited pioneer in operational risk management, the work of Bankers Trust (BT) on risk measurement and risk financing still remains a beacon of insight and innovation even today.

EXECUTIVE MANAGEMENT NEEDS AND PERSPECTIVES

In the wake of headline losses and business and technology changes, chief executives and senior managers at the best firms have concluded that they must:

* Understand more fully the extent of the impact of operational risk (i.e., risk identification and risk capital measurement).

* Obtain management information about operational risk: its sources and causative factors.

* Determine capital adequacy for operational risk just as they have done for market, credit, and liquidity risks.

* Effect risk response through clearly assigned ownership and responsibility for risk management.

* Provide incentives for risk management through performance measures such as risk capital attribution and links to incentive compensation.

* Make better-informed decisions about hedging or risk financing (e.g., risk reserves, insurance, and other financing techniques).

* Combine the net impact of operational risk with credit and market risk potential for a firmwide view of risk and aggregated risk capital adequacy.

* Balance risk management investment against upside from operational risk management efforts.

Before we begin to discuss the practical details of operational risk management, it is important that we dispel a common myth. (ORM Myth: "Risk Measurement = Risk Management."). No one actually makes this statement, of course, but it is often implied. Many risk practitioners and consultants say risk management, when they are actually practicing risk measurement. Risk measurement is a subset, of course, of risk management (i.e., once you identify risk, you should evaluate, analyze, and measure it, before mitigating it through risk controls, and financing or hedging it). Although measuring risk adds much value in drawing attention for mitigation and management purposes, in isolation the measurement process does not have much value until the numbers are integrated back into management, for instance, and used in a performance management or behavior modification sense. Without a doubt, the most effective methods are those that have a direct impact on incentive compensation. For instance, quantifying the possible loss costs of weak controls in sales or trading systems is all well and good, but you haven't achieved much unless you reduce or withhold a manager's bonus until such time as the controls are strengthened.

What are we actually going to do about the risk once we have identified it, understand it, and have dimensioned it? Here we want to look into the various types of control measures, behavioral modifications, and other means of mitigating risks that we are looking to minimize-or shed altogether -from the organization. The primary objective of risk mitigation is simple enough: to reduce the risk of operational losses. It's the strategies, methods, tools, and style of implementation that make up the complex part.

It is also important to clarify a few key points about operational risk mitigation. Few, if any, have suggested that operational risk management subsume existing control infrastructures. So, a key part of the risk mitigation challenge will be to provide support and enhance the existing risk-control environment. To do this we need to do two things: First, create incentives for the business manager to improve upon control and behavioral risk-indicator results, thus improving the overall state of operational risk management in the firm; second, provide incentives to support existing functions, such as policy and procedures and internal audit, and link those to the numbers in operational risk management.

However, we want to go even one better than that. The logical objective argument from a business manager's perspective will be even more progressive, and perhaps seem a bit radical relative to the traditional risk management perspective. Thus, armed with information, incentives, and leverage, we will support strategic decision making and strategic advantage. As such, we will be seeking to "turn" the firm's risk profile into a competitive advantage.

THE REAL OPPORTUNITY: BUILDING MORE EFFECTIVE ORGANIZATIONS

Many people believe that operational risk only consists of a downside. That is unfortunate. The position goes something like, "If we can simply limit the losses caused by operational risk, then we will have fulfilled our mission and will be in a much better position overall." Or, another perspective limits its sights on finding the most technically correct calculation of risk in order to minimize the impact of prospective regulatory capital charges by the financial service regulatory community. Although both are noble goals in and of themselves, and will contribute, there is a far greater cause here.

The opportunity is to propel the new strategies, tools and techniques forward to transform not just a part of risk management, but to fill an important gap in the management of business strategy and day-to-day business operations for an upside: enhanced shareholder value. We have arrived at a point in time that corporate strategy and shareholder value initiatives are in need of the very tools that are emerging in the operational risk management discipline. This direction is far more than just some grand scheme to elevate the stature and importance of operational risk professionals. In order to be successful, operational risk management needs to hold the attention of senior executives, managers, and staff alike if it is to achieve its own goals of risk mitigation. One might do so by focusing on critically important targets like shareholder value.

Throughout this book we will be seeking to take all of this operational risk management effort to yet another level, to lobby for the real endgame: to link with broader enterprise-wide strategies that are seeking to build shareholder value through more effective organizations. Few would argue against the notion that General Electric has created real shareholder value with its management and control initiatives grounded in its Six Sigma quality approach. Similarly, few would argue with the statement that J.P. Morgan enjoyed a stellar reputation for quality and integrity during the course of most of its storied history in financial services, or that firms like HSBC (Hong Kong Shanghai Banking Corporation) and The Bank of New York have created value for their shareholders through their own unique control-oriented styles. In the broadest sense, these cases are all examples of the optimizing benefits of operational risk management.

RISK-ADJUSTED PERFORMANCE MEASURES (RAPM)

Peter Drucker introduced the world to results-oriented business and performance measures as early as the 1960s. Over time the best firms have continued to excel using performance measures. As risk management has matured, firms have begun to harness the power of risk-adjusted performance measures. And now, the challenge has become finding ways to leverage the risk-reward possibilities from more effective management of operational risks.

Some firms, particularly corporate entities, are already using Economic Value-Added (EVA) measures to determine true economic benefits. These can provide a foundation. For financial firms, Daily Price Volatility (DPV) or Value at Risk (VAR) have become common measures of risk and might seem like an obvious place to start. But when it comes to operational risk, daily or short-term variations would be extremely difficult to measure because many types of operational losses occur so infrequently. The basic idea of calculating exposure to operational risk makes good sense. Thus, the underlying concept of VAR over a longer term, of say one year, is much more relevant and compelling.

These measures become most useful for managing risk and influencing behavior, however, when linked to performance measures and incentives. It is only at this point in which we move from measuring risk to begin the process of managing risk.

At Bankers Trust, Risk-Adjusted Return on Capital (RAROC) was our primary risk-adjusted performance measure for many years. We completely overhauled our approach to Operational RAROC during 1991 through 1995 and reintroduced these models into production during and following the banks leveraged derivative transaction troubles during the first quarter of 1996. The models were based on long-term Value-at-Risk calculations in our risk measurement model (one-year time horizon, 99% confidence level).

The decision to develop measurement tools was an easy one. RAROC had been an applied concept at BT since the 1970s. And since its time horizon and confidence level characteristics are far more relevant to operational risk's more gradual evolutionary tendencies, it served as an appropriate basis for our new operational risk models.

Our next challenge was to find an analogue for market price volatility. After some deliberation, we concluded that actual operational loss experience, and the variance of loss experience from expected ranges, would fit the bill. Observing actual losses at all firms in the global marketplace at large painted a valuable picture. The variance of losses from small routine errors, reworks, and claims, to larger scale failures, redesigns, and legal costs provided operational risk's own unique picture of volatility.

One of our previously noted objectives was to confirm capital adequacy. Thus, we reintroduced our risk measurement model in a significantly upgraded analytical format. Another objective was to support our risk-control environment. To meet this second objective we needed an incentive-based system. The concept of Operational RAROC seemed perfectly aligned with this objective. Under our system, operational risk capital was attributed to business units based on model measures of their operational risk profiles, thereby raising the performance hurdle for the business, and engineering operational risk management into the business managers' agendas. A third objective was to support strategic decision making.

EMERGING OPERATIONAL RISK MANAGEMENT FUNCTIONS

There are at least five perspectives on operational risk management organizational structures emerging in the financial services community today. They include focus from that of risk management analytics and risk measurement, the control group focus, business line management teams, insurance risk management, and enterprise-wide multidisciplined operational risk management functions.

In this latter and broadest enterprise-wide risk management group, practitioners believe that the most effective operational risk management programs will select the most effective tools of all four of the analytics, control group, insurance risk management, and business risk measurement groups. They intend to apply those tools to dimensioning the size of the operational risk challenge, applying the most effective risk management and risk control tools, and also monitoring risk drivers and indicators.

Continues...

---

Excerpted from Managing Operational Risk by Douglas G. Hoffman Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---