Operational Risk is not new to financial institutions. In fact, it is the first risk that banks must manage, even before they make their first loan or execute their first trade. What is new is the idea that operational risk management is a discipline with its own management structure, tools, and processes, much like credit risk or market risk.
With this in mind, in 1999 the British Bankers Association, the International Swaps and Derivatives Association, and the RMA jointly commissioned PricewaterhouseCoopers to conduct a global survey on current practices in operational risk in the financial services industry. The survey collected responses from 55 financial institutions, including 37% of the top 100 global banks.
The survey found that financial institutions have developed their operational risk management practices in a variety of ways, depending on the culture and the organisation's past experience of operational risks. Although the surveyed organisations had different experiences, after synthesizing the results, it became apparent that there are five general stages in the evolution of operational risk management. It is hoped that companies beginning the development of their operational risk initiatives will find the following descriptions of each stage helpful.
Stage I û Traditional baseline: Operational risks have always existed and are managed by focusing primarily on internal controls. It is the responsibility of individual managers in the business and specialist functions, with periodic objective review by Internal Audit. Traditionally, there is no formal operational risk management procedures or framework.
Stage II û Awareness: Senior management takes an active role in increasing the understanding of operational risk in the organisation, and appoints someone to be responsible for it. To gain awareness, a common understanding and assessment of operational risks is created.
The assessment begins with the formulation of an operational risk policy, a definition, and development of common tools. The tools in this stage usually include a self-assessment and risk process map. In addition, early indicators of operational risk levels and collection of loss events are developed. These provide a common framework for risk identification, definition of controls, and prioritization of issues and mitigation programs. However, the most important factor in this stage is gaining senior management commitment and the buy-in of ownership of operational risk at the business unit level.
Stage III û Monitor: After identifying all the operational risks, it is important that management understand their implications for the business. At this stage, the focus becomes tracking the current level of operational risk and the effectiveness of the management functions. Risk indicators, set as goals or limits (both quantitative and qualitative) and escalation criteria are established to monitor performance. Measures are consolidated into an operational risk scorecard along with other relevant issues for senior management.
About this time, it becomes increasingly apparent to the business that the operational risk management process is valuable. Management assign dedicated staff to analyze processes and monitor activity. An operational risk management program may be introduced.
Stage IV û Quantify: With a better understanding of the current situation, organisations at this stage begin to focus on quantifying the relative risks and predict what will happen. More analytic tools, based on actual data, are developed to determine the financial impact of operational risk on the organization and provide data to conduct empirical analysis on causes and mitigating factors.
The loss event database, initiated in Stage II, now has sufficient information across businesses and risk types to provide insight into causes and more predictive models. There may be a significant investment in developing capital models and establishment of a new committee to evaluate the results.
Stage V û Integrate: Recognizing the value of the lessons learned by each business unit and the complementary nature of the individual operational risk tools, management now focuses on integrating and implementing processes and solutions. It balances business and corporate values, qualitative versus quantitative, and different levels of management needs. Risk quantification is now fully integrated into the economic capital processes and linked to compensation. Quantification is also applied to make better cost/benefit decisions on investments and insurance programs.
However, this integration goes beyond the processes and tools. In leading companies, operational risk management is being linked to the strategic planning process and quality initiatives. When this linkage is established, the relationship between operational risk management and shareholder value is more directly understood.
Conclusion: It is apparent from the results of the operational risk survey that, although progress is being made in operational risk management, few think the development is mature. The most advanced areas are definitions, the link to business strategy, and management reporting, yet progress is still needed in these areas. The least mature processes are capital and insurance.
Tim Janes is Senior Manager, Global Risk Management Solutions at PricewaterhouseCoopers in Hong Kong [email protected]. Andrew Watkins is Partner, Global Risk Management Solutions at PricewaterhouseCoopers in Hong Kong [email protected].