
OTC Conseil Americas
Newsletter #15 - June 2010


Operational Risk Management and Quality

Laurent de Castelbajac, Manager
Raky Diack-Guissé, Consultant

Operational risk management originated in the industrial sector and became vital to the financial sector following losses caused by failures of internal controls (Barings, Sumitomo, etc.). Since 2004 the Basel Committee has included operational risk in its calculation of capital requirements. In addition, under the pressure of banking regulations, financial institutions have implemented “active management” mechanisms for operational risk.

Operational risk according to Basel
_____________________________

The Basel Committee defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people or systems or from external events.”

The Basel Committee classifies operational risks into seven categories:

1. Internal fraud (misappropriation of assets, etc.)
2. External fraud (theft, forged checks, etc.)
3. Employment practices and workplace safety (discrimination, etc.)
4. Clients, products, and business practices
5. Damage to physical assets (fires, etc.)
6. Business disruption and systems failures (utility disruptions, computer hacking, etc.)
7. Execution, delivery, and process management (process malfunctions, human error, etc.)

The complexity of banking activities, the growing diversity of forms of financial transactions and the proliferation of outsourcing practices have greatly contributed to the rise in operational risks to which financial institutions are exposed.
 

Regulatory requirement
___________________

As soon as we start talking about risk, the regulatory issue is never far behind, and it affects all sectors of business.

Indeed, at a time of growing risk aversion, the regulator is increasingly prompted to protect third parties from “collateral damage” due to a disaster. It is not by chance that new regulations emerged due to major catastrophes (the Enron bankruptcy, the Seveso disaster [1], etc.).

The increase in bank exposure to operational risk should therefore necessarily translate into more and more stringent regulation (CRBF [2], adaptation of Basel II accords, etc.), prompting implementation of an active risk-management system.

[1] July 1976: a cloud containing dioxin leaked from a reactor at the ICMESA chemical plant and spread over the Lombard plain in Italy. Four communities, including Seveso, were affected. The name of this accident has since been used to denote all at-risk manufacturing sites in Europe.
[2] CRBF: Comité de la Réglementation Bancaire et Financière
 

Risk Management approaches
_________________________

“Risk Management” can be defined as a set of management processes whose goal is to control risks that prevent a firm from attaining its objectives. A Risk Manager deals with Risk Management.

Risk Management originated in the US in the 1960s and was then imported to Europe. At first, the Risk Manager was content simply to manage the insurance contracts covering the business activity, that is, the ways of securing compensation against disaster damage.

Risk Management then became more sophisticated as new technologies were introduced and new associated risks arose. As a consequence, since the 1990s risk maps and proactive risk-prevention and risk-monitoring approaches have appeared.

The recent ISO 31000 standard offers a uniform version of these approaches:
> Establishing the context of the business (risk policy, mapping of business activities, etc.);
> Identifying risk (risk mapping);
> Evaluating risk (seriousness, frequency, etc.);
> Defining risk response, with four types of measures (see diagram [3]):
  - Transfer (insurance or outsourcing);
  - Avoidance (stoppage of business activity);
  - Reduction (through adapted controls, among other measures);
  - Acceptance of risk;
> Continually evaluating residual risk (risk evaluated after the implementation of the risk response) until the residual risk is judged “acceptable”;
> Permanent monitoring of the plan.

EXAMPLE: PROCESSING CHECKS
The risk of “check processing errors” is identified within the context of “check processing” activities.
This risk is considered frequent but not serious. It can be reduced by revising the processing chain and by adding controls at the end of the chain [4]. The cost of implementing this measure is acceptable, and it should reduce the frequency of occurrence to a “low” level. In this case we accept the “residual” risk.

[3] To these four types of response is often added “self-financing” of risk.
[4] From the standpoint of operational efficiency, adding controls at the end of the chain offers a less than satisfactory solution because, in addition to being costly, it only detects errors in the process without addressing the underlying causes. Furthermore, most processes that have been through optimization measures are subject to few controls at the end of the chain, the controls instead being implemented progressively all along the process. We mention the example just as a reminder that the controls envisioned to address the identified risks are not always the most appropriate.

Approaches to improving performance
_______________________________

Parallel to Risk Management approaches, since the 1970s businesses have implemented approaches aimed at improving quality and/or performance (ISO 9000 [5], TQM [6], Lean, Six Sigma, BPR [7], etc.).
The aim in this case is to reduce costs, processing errors and delays.

The link between these approaches to improvement and operational risk reduction is not so easy to identify, but it does exist: reducing errors and malfunctions obviously contributes to reducing operational risk.

Nonetheless, there is a slight difference between these approaches and that of Risk Management.

In a Risk Management approach, we start from a risk identified in advance (“check processing error,” cf. the inset example) and we try to find an acceptable solution to reduce it. Risk Management approaches tell us very little, though, about how to find the most suitable control, and we must therefore rely on industry expertise.

In a “Lean”-type process-improvement approach, we tackle the problem from a somewhat different perspective. The idea is to start from a process whose malfunctions need to be fixed, particularly through streamlining.

With check processing, we review the processing chain with a view to reducing costs, delays, and errors. Certain tools (value analysis, flow charts, FMECA [8]) allow us to detect the weak points and find solutions. Reducing the risk of “check processing error” is therefore one of the by-products of this approach, and quite often the reduction is made without identifying or measuring this risk.

In the Six Sigma approach, we start with a problem to which a figure has already been attached and aim to make an improvement (“There were 5% errors on checks this month and we want to reduce the rate to 1%”). On the basis of analyses of substantiated data, we look for the “real cause” of the problem so that we can arrive at the most appropriate solution. Again, the risk reduction is one of the by-products of the approach.

[5] ISO 9000: set of standards relating to quality management published by the International Organization for Standardization (ISO)
[6] TQM: Total Quality Management
[7] BPR: Business Process Reengineering
[8] FMECA: Failure Modes, Effects and Criticality Analysis
 

Two complementary approaches
___________________________

The possible drawback of a poorly handled Risk Management approach may be an accumulation of controls that certainly reduce losses but at the same time weigh down the processes and may end up leading to a loss in the firm’s competitiveness.

As for approaches to improving performance, they risk missing “potential” risks, which have never taken place in the past but would prove catastrophic should they happen (extreme risks). The visibility of these extreme risks helps ensure the survival of the business.

Considering the above, OTC Conseil and Kairos Management have worked together to find the best way to harmoniously combine the advantages of the two approaches. Our thinking falls within the scope of Basel II, but can easily be extrapolated to any type of service or industry.
