Learning objectives
After studying this chapter, you should be able to:
1 Understand the evolution of operational risk management regulation and the four general components of an operational risk management framework
2 Understand the process of effective operational risk management and the five broad steps involved
3 Outline the best practice principles that underpin an effective operational risk management framework
4 Understand the different impacts of low and high frequency events and some initial strategies that may be universally applicable
Having broadly defined operational risk, its causes, and approaches to manage it, this chapter begins to delve deeper into the operational risk management process by discussing operational risk management frameworks and considering the regulatory backbone behind them.
This chapter starts by discussing the broad steps in the process, which include defining scope and objectives, identifying and assessing risks, mitigating and controlling risks, and monitoring and reporting. We then break down these steps into their component parts and start peeling the layers and considering best practices in their implementation.
Although later chapters will explore these concepts at greater length, here we will lay the foundations upon which operational risk managers can build a management framework for operational risk and show how this framework fits into the operations of a bank or AI.
In 1997, the U.S. Federal Reserve issued its Framework for Risk-Focused Supervision of Large Complex Institutions. It was one of the earlier supervisory guidelines with an eye on developing a framework to manage operational risk. The BCBS put forth its first set of principles in 2001 and built on them in 2006. The HKMA has also issued guidelines on how banks or AIs should develop operational risk management frameworks. The HKMA's guidelines are based on the BCBS principles.
In its 2005 Supervisory Policy Manual for Operational Risk Management, the HKMA notes that operational risk management has evolved into a functional discipline with dedicated staff that set out formal policies, processes, and procedures. This change is “driven by a growing recognition by the Boards and senior management of the need to address operational risk as a distinct class of risk.” Every organisation has a unique operational risk profile that requires a tailored approach that fits within the size and scale of the institution.1
An appropriate operational risk management framework includes four general components2:
In broad strokes, the HKMA expects AIs to develop appropriate frameworks to manage operational risk to ensure that these risks are “consistently and comprehensively identified, assessed, mitigated/controlled, monitored and reported.”
The size, complexity, and resources of the organisation are important factors in making decisions about the scope and objectives of operational risk management. For example, it may not be worth the effort for smaller banks to estimate the probability distribution of every possible loss. The area of focus is typically catastrophic loss, since small institutions do not have the large capital buffers or lines of credit to absorb such huge losses.
However, every organisation is different and so the scope and objectives of operational risk management must also take into account factors unique to the institution, such as the risk appetite of the board and senior management and the availability of skills and management structures to conduct effective operational risk management.
The agenda for operational risk management must first be clearly defined. This is a task that is not as simple as it sounds. Operational risk management covers all business areas and each one typically has its own agenda. This is one reason why the board of directors, as representatives of the shareholders, and senior management should set the risk management agenda. If the bank’s appetite for risk is set by the top of the organisation, everyone else down the chain would have to abide by it.
In general, the bank’s top leadership should align exposure to risks with the bank’s strategy and core competence. This does not mean that every unit has to have the same risk agenda. For example, business units regarded as reliable performers or “cash cows” should focus on curtailing expected losses to ensure they remain competitive. On the other hand, business units with high potential should focus on unexpected losses, which might derail their growth. Troubled business units should look for turnaround or exit strategies and make safeguarding of investor capital their priority. These alignments are illustrated in Exhibit 2.1.
Christopher Marshall, Measuring and Managing Operational Risks in Financial Institutions (Singapore: John Wiley & Sons, 2001), 129.
We can divide the process of operational risk management into the following broad steps:
There are several best practice principles to keep in mind when defining the scope of operational risk management activities.
Once the top leadership’s risk management agenda and the general scope of the risk management project are defined, senior managers develop high-level financial and operational risk targets for each business unit. Financial targets typically come first. For example, financial targets for business units with steady earnings potential will focus on optimising operating cashflow and reducing variation in the income statements. Business units with greater operational risks will require more balance-sheet protection and more careful management of scarce risk capital.
Following the principles above makes it easier to achieve these goals.
Managers should start small and avoid trying to tackle every single risk in one fell swoop. It makes sense to focus on high frequency exposures or large loss events. For retail banks, for example, customer transactions are likely to represent a significant portion of the business, so the focus should be there. Banks use this approach to their business on a regular basis. Starting small also means focusing the resources and energy of the organisation on what it is good at. Banks may, for example, divest themselves of units that generate little or no income relative to the risk or that are so far outside the remit of their business as to make risks difficult to understand and tackle. The same may be true of operations. Information technology needs, for example, may be outsourced to experts rather than handled in house. When it comes to operational risk, similar principles apply: Focus first on what you know best, which is generally the larger business operations. For example, in a commercial bank, a risk manager would likely pay more attention to transactions that represent the bulk of the bank’s business such as trade finance and less on operations of savings accounts that have less activity and generate less revenue. The goal is to mitigate risks that you can identify and actually deal with while prioritising the use of resources.
At the same time, risk managers should focus on where the resources are and work to focus the resources where the risks are greater. For an investment bank, for example, limiting exposures among traders may be a greater priority than controlling every aspect of transactions with retail customers. A couple of factors come into play here. First, risk managers should identify and focus their energy on the big areas. Second, senior management has to know where the risk is greater and, in turn, where to allocate limited resources for risk management operations. Some discretion is in order. For example, a bank’s call centre may generate little or no revenue for the bank, but its value in terms of limiting operational risk by tracking customer interactions and managing customer relations and transactions may be invaluable, limiting potential exposures and losses.
It is also important to focus on areas that are not covered by other risk control activities. In practical terms, this might mean focusing on new ventures, introducing new products, or launching operations in new jurisdictions, all of which might have lax, young, or ill-defined controls for a series of risks.
Finally, risk managers should seize opportunities that present themselves to improve risk controls or implement more effective ones. One such opportunity might be the adoption of a new system, for example, the move from a manual accounting system to an automated one within a particular function or the adoption of a new electronic banking system that complements a pre-existing telephone-based one. The process of adoption itself might generate an opportunity for better risk management by using lessons learned in the first system while designing or operating the second, more modern one.
Keeping in mind the necessary components of an operational risk management framework, the steps to develop the framework, and the best practice principles, organisations then outline operational targets that must be consistent with the financial targets. The aim of the operational risk management framework is to ensure that these operational targets are met and, in so doing, limit the risks to which the bank is exposed. Given the sheer breadth and depth of most banks today, this can be an extremely complex undertaking, one that can span myriad skill-sets and require input from risk managers in various fields. Balance-sheet protection, for example, implies targeting value-at-risk and an estimate of unexpected and catastrophic losses, while income statement management focuses on earnings-at-risk, particularly the expected and unexpected component of the risk.
In general, a single bank will have multiple operational risk management plans for its multiple units or divisions. Each one will go through a similar process and require a similar set of decisions at each stage. Often, the structure of the plan will be partly determined by the maturity of the division or unit and the level to which various factors that affect operational risk management are developed. For example, the focus of an ORM framework for a unit with a strong operational risk culture and well-developed processes is likely to be different from that of a new division with untested operations. At this stage, then, managers will likely determine whether the focus of the framework and associated goals should be on frequent and low-impact events or very infrequent but very large impact events. If the operational risk-management project is for a relatively low-level business unit whose strategic objectives are greater efficiency and cost control, concentrating on frequent low impact events may be the appropriate course. On the other hand, if the business unit has a capital management agenda and is looking at risk-based capital allocation to cover operational risk, a focus on very infrequent, very large impact events may be more appropriate.
Regardless of what risk management targets and area of focus a bank decides to adopt, some initiatives can be very effective across all organisations. These universally applicable initiatives include the following:
Hong Kong Monetary Authority. “Operational Risk Management” in Supervisory Policy Manual. Web. 28 November 2005. <http://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/OR-1.pdf>
US Federal Reserve, “Framework for Risk Focused Supervision of Large Complex Institutions”. Web. 8 August 1997 <http://www.federalreserve.gov/boarddocs/SRletters/1997/sr9724a1.pdf>
Marshall, Christopher. Measuring and Managing Operational Risks in Financial Institutions. Singapore: John Wiley & Sons (Asia) Pte Ltd, 2001. Print.
Taylor III, Bernard W.; and Russell, Roberta S. Operations Management. Singapore: John Wiley & Sons (Asia) Pte Ltd, 2009. Print.
1 Hong Kong Monetary Authority; Supervisory Policy Manual: Operational Risk Management; November 2005; Pg. 9 – Section 3.
2 Ibid; Section 3.2.1.