As operational risk measurement remains in its infancy, need to focus on improving management of operational risk • Operational risk management (ORM) more focused on measurement and capital vs. proactive identification and management of risk • Market events in recent years make have shifted Board and executive attention away from operational risk, towards market, credit and liquidity risk • Greater levels of operational risk from recent increases in: Demand on staffing levels and infrastructure Transaction volumes
• Measurement challenges: No single standard methodology has emerged for risk measurement, impact quantification, and capital attribution The use of external data poses a number of questions Historical data is not necessarily a good indicator of future events
3
Managing Operational Risk - Focusing on What's Practical
Industry observations • Many institutions focus on risk avoidance and/or measurement vs. risk management • Focus generally at process level vs. business and strategic level • Leading institutions have ORM objectives clearly defined, and robust data collection analysis processes, triggering update of risk assessment as events occur • Some have moved from a centralized to a more decentralized approach in assessing risk and controls • Most common inputs to operational risk capital models include internal loss data and risk and control self assessment Wider range of inputs being considered • Majority provide risk reports to the Board of Directors and designated board risk committee for operational risk
8
Managing Operational Risk - Focusing on What's Practical
Scenario analysis and stress testing • Develop a set of practical scenarios – Should be based around the key drivers of each of the significant risks facing the entity • Demonstrate that the process of selecting the scenarios represents a reasonable evaluation of the potential „unknown unknowns‟ • Carefully consider basis for determining the strength of correlations between operational / non financial risk and diversification benefits • Establish a process to consider the extent to which the outcomes of the scenario and stress testing undertaken should be reflected in the maintenance of capital levels and the degree to which this can be mitigated
12
Managing Operational Risk - Focusing on What's Practical
Key Risk Indicators (KRIs) • KRIs are parameters which can act as indicators and which can be seen to be predictive regarding changes in the risk profile of a business • Ideally determined for many of the significant risks identified in the RCSA process • Some indicators are meaningless on their own and need to be combined with other KRIs • Risk Appetite setting - among the methods which can help in articulating risk appetite is the setting of tolerance and escalation levels for KRIs • Regulatory Compliance - identification and management of KRIs is an area of regulatory focus • Capital Calculation – data from established KRIs can be used as a source of input for OR capital calculations
13
Managing Operational Risk - Focusing on What's Practical
Final thoughts • Regulatory-driven operational risk efforts are typically focused on measurement and capital vs. proactive identification and management of risk • Measurement of operational risk lacks precision of other major risk types • As organizations can budget for expected losses but not for expected losses… Increase robustness of analytical tools and systems to better manage operational risk and facilitate capital allocation decisions Improve integration with related risk and control programs
15
Managing Operational Risk - Focusing on What's Practical