A guided tour of the complex world of operational risk management

Posted: 22nd June 2020

By Natalie Murray, Senior Operational Risk Manager


Natalie Murray takes us on a guided tour of the complex world of operational risk management to reveal what lies beyond the red tape and bureaucracy.

A core element of the risk management framework that prevails across every business in every sector is operational risk management (ORM). ORM emerged in the financial services sector in the 1990s as a way of identifying a specific group of risks, prompted in part by several high-profile operational risk events, including the BCCI scandal in 1991 and the Barings collapse in 1995. The latter event underlined the importance of internal controls and corporate governance in managing financial losses associated with fraud, human error and technical failures, as well as other breakdowns in normal business processes and operations. As awareness of and the need for more robust ORM grew, a formal definition of operational risk was developed by the Basel Committee on Banking Supervision (BCBS); it remains the most widely accepted definition in financial services today:

“The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events” (BCBS, 2002)

At the time of writing, the UK is in lockdown as a result of the Covid-19 pandemic that has engulfed the world. It is a catastrophic yet rare external event which many did not foresee, let alone plan for, and which will provide valuable lessons to all sectors, including the financial services industry, once the eye of the storm has passed. It is my intention to write a follow-up article to this one, which will explore the pandemic reflectively through an operational risk lens and consider what lessons can be learnt at an entity and industry level. This article, therefore, focuses on the development of operational risk management as a distinct risk discipline and its evolution since the last, albeit very different, crisis hit over a decade ago.

Although it had been recognised as a formal risk class in 1999, joining the more established credit and market risk types, ORM really rose to prominence in the banking sector in the early 2000s. In 2003 a specific framework of “Principles” was defined for the industry and supervisors in the BCBS’s “Sound Practices for the Management and Supervision of Operational Risk”. In 2006, the International Convergence of Capital Measurement and Capital Standards: A Revised Framework (commonly referred to as “Basel II”) was published and implemented in the UK through the EU Capital Requirements Directive (CRD). The primary objective of Basel II was to raise standards in banking, reinforcing the stability and soundness of the international banking system by strengthening risk management practices and developing significantly more risk-sensitive capital requirements. The regulatory requirement stipulated that banks were to hold enough capital to cover unexpected losses arising from the combination of credit, market and operational risks, in a structure described as the “three pillars”. In response, industry practitioners developed measurement and modelling methods to calculate operational risk capital, ranging in complexity in line with one of three approaches established under Pillar 1: the Basic Indicator Approach (BIA), the Standardised Measurement Approach (SMA) and the Advanced Measurement Approach (AMA). The last of these allowed the greatest amount of capital relief to be achieved, which was believed to encourage better risk management. It is worth noting that these three approaches will be replaced with a single Standardised Approach in 2023.

ORM and the Global Financial Crisis fallout

It is widely acknowledged, however, that the systemic failings that occurred during the Global Financial Crisis (GFC) over a decade ago were attributable, in part, to deficiencies across the operational risk spectrum. These failings included weaknesses in overarching governance and senior management oversight, inappropriate risk culture, governance and conduct issues leading to excessive risk taking, and poor methods of risk identification and communication. They were exacerbated by the fact that, at the time the GFC unfolded, the financial industry was still developing its ORM systems, and those systems focused on methods to project capital requirements rather than on the enterprise-wide systems, organisational structures, processes and governance necessary to identify, assess and manage operational risk effectively. The regulatory requirement to hold capital was originally the key driver in the development of firm-wide ORM approaches, but these approaches lacked insight into how to implement and institutionalise ORM effectively so as to proactively manage operational risk events and prevent operational risk losses from occurring. Increased attention from regulators on the risk governance, oversight and management processes adopted by firms, prompted by analysis of the underlying causes of the GFC, raised critical questions about the way banks manage their risks generally and the role of ORM in establishing an effective risk culture.

The challenges of effective ORM

A significant challenge of ORM continues to be the large number of risks and eventualities it covers, its universal nature, and the fact that it overlaps several other risks instead of being a discrete risk. Despite the enhanced regulatory scrutiny in the years after the GFC, the steady stream of headline-grabbing events reported across the operational risk spectrum (anti-money laundering failures, system disruptions and fraudulent activity, for example) indicates that firms still struggle to implement effective ORM programmes. Because ORM had evolved into a siloed specialism with quantification of capital central to its modus operandi, and because regulatory guidelines actively encouraged disparities in ORM approaches, it developed a growing reputation as a compliance-based activity. That reputation is often met with general apathy, or simply a lack of understanding and frustration around what ‘good’ ORM should look like and how it can be deployed effectively across an organisation. The capability of organisations to innovate in ORM varies significantly, particularly concerning an integrated ORM framework, knowledge management processes to dynamically identify, assess and manage operational risks, and how to address emerging operational risks that are new or have not, until recently, had regulatory focus.

At its core, operational risk is a behavioural discipline: it demands a response rooted in behavioural dynamics to determine causation before an event occurs and results in measurable, unintended impacts. Implementing an effective system of ORM should therefore not be treated as a compliance exercise, carried out in isolation, or with such disparity between firms. Operational risk management is the responsibility of everyone across an organisation, but ultimate accountability for operational risks can be a problem. Fundamentally, if a bank fails to see its operational risk exposure holistically across fragmented operations, it reduces its understanding and limits its ability to mitigate financial loss across all aspects of the business lifecycle.