Is your company's operational risk framework up to the mark?
If you ask a risk analyst about their impression of their company's operational risk systems (admittedly a relatively unframed question), the typical responses seem to range from "we're totally sorted" to "it's kind of there" or "we're not really sure".
Then of course, how do we really know whether a company is good at managing operational risk or not? The final test comes when a business experiences a severe problem that puts its operations under threat and its controls to the test.
In this article we are going to review a check list for an operational risk framework that should be considered by risk management in all businesses. The aim here is to move towards best practice.
What is a framework?
Before we look at the check list itself, we need to firstly define what a risk framework actually is.
If I was to ask you to think of a car, a boat or any vehicle, you usually see the exterior in its entirety. When asked to imagine what a car actually looks like, you see its colour and shape; you might picture it whizzing along a road or simply sitting there on your driveway. A car, like most complex objects, is the sum of many moving parts (brakes, engine, indicators, seat belts, exhaust manifold, spark plugs, cylinders etc.) all working in harmony. Do you think about these components when you picture your car?
Like the car, an operational risk framework is an entire circuit or system which takes in policy, processes, controls, measurement tools, definitions and many other aspects of a firm wide risk assessment program that we will review shortly.
Figure 1: Integrated Risk Framework [access it here]
One quality that is prevalent in a good operational risk framework is that it is integrated. To be concise, each element is interconnected with other components to create a final Risk Event Categorization, Policy Capture, Event Tracking and Exposure Reporting System. Each element is in fact working as a single part of the total sum.
Let's explain this with an example.
When a loss event is recorded in the loss database, the cause of the event can be assigned to a specific control failure, and that control should already be registered in the same relational database. Information on the control is likely to include a departmental owner, and it should already have an established assessment or test procedure designed for it. By following the causal route I have explained here, an audit team would be able to test that the control is operating as designed and understand why it failed when a loss occurs.
It would follow then, that a solid operational risk reporting system can slice and dice specific event data in many different contexts. A senior risk analyst might want to see all controls owned by a department, all losses which are being resolved by a specific manager, and so on. All of this "slicing and dicing" only works when metadata is integrated, and many early operational risk systems deployed a decade or so ago simply failed because the elements were lost in "silos".
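As an added illustration of the integrated, relational design described above (this is example code written for this page, not the author's or Causal Capital's own system; the table names, columns, control identifiers, managers and loss amounts are all constructed assumptions), the block below registers controls and loss events in one SQLite database, enforces that every recorded loss points at a registered control, and then runs the "slice and dice" queries the text mentions: controls by department, losses by resolving manager, the causal audit trail from a loss back to the failed control's owner and test procedure, and exposure summed by the owning department.

```python
import sqlite3

# Constructed schema and sample data (assumptions for illustration only).
SCHEMA = """
CREATE TABLE controls (
    control_id       TEXT PRIMARY KEY,
    description      TEXT NOT NULL,
    owner_department TEXT NOT NULL,
    owner_manager    TEXT NOT NULL,
    test_procedure   TEXT NOT NULL
);
CREATE TABLE loss_events (
    event_id          INTEGER PRIMARY KEY,
    description       TEXT NOT NULL,
    loss_amount       REAL NOT NULL,
    -- the causal link: a loss must reference a control already in the register
    cause_control_id  TEXT NOT NULL REFERENCES controls(control_id),
    resolving_manager TEXT NOT NULL
);
"""

CONTROLS = [  # constructed control register entries
    ("CTL-001", "Generator room flood barrier", "Facilities", "A. Patel",
     "Quarterly inspection of barrier seals and drainage pumps"),
    ("CTL-002", "ATM network cooling redundancy", "IT Operations", "B. Chen",
     "Monthly failover test of the secondary air conditioning unit"),
    ("CTL-003", "Data centre access logging review", "IT Security", "B. Chen",
     "Weekly review of privileged access logs by two reviewers"),
]

LOSS_EVENTS = [  # constructed loss database entries
    (1, "ATM network outage after cooling failure", 250000.0, "CTL-002", "B. Chen"),
    (2, "Backup generators submerged in basement flood", 1200000.0, "CTL-001", "A. Patel"),
    (3, "Unauthorised access to customer records", 800000.0, "CTL-003", "C. Okafor"),
]


def build_db():
    """Create an in-memory integrated risk database seeded with the constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # reject losses that point at unregistered controls
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO controls VALUES (?, ?, ?, ?, ?)", CONTROLS)
    conn.executemany("INSERT INTO loss_events VALUES (?, ?, ?, ?, ?)", LOSS_EVENTS)
    conn.commit()
    return conn


def controls_owned_by(conn, department):
    """Slice: every control a department owns."""
    rows = conn.execute(
        "SELECT control_id FROM controls WHERE owner_department = ? ORDER BY control_id",
        (department,))
    return [r[0] for r in rows]


def losses_resolved_by(conn, manager):
    """Slice: every loss a specific manager is resolving."""
    rows = conn.execute(
        "SELECT event_id FROM loss_events WHERE resolving_manager = ? ORDER BY event_id",
        (manager,))
    return [r[0] for r in rows]


def audit_trail(conn, event_id):
    """Follow the causal route: loss -> failed control -> owner -> test procedure."""
    row = conn.execute("""
        SELECT e.description, c.control_id, c.owner_department, c.owner_manager, c.test_procedure
        FROM loss_events e JOIN controls c ON c.control_id = e.cause_control_id
        WHERE e.event_id = ?""", (event_id,)).fetchone()
    if row is None:
        return None
    return {"loss": row[0], "control": row[1], "department": row[2],
            "owner": row[3], "test_procedure": row[4]}


def exposure_by_department(conn):
    """Exposure report: total losses attributed to controls each department owns."""
    rows = conn.execute("""
        SELECT c.owner_department, SUM(e.loss_amount)
        FROM loss_events e JOIN controls c ON c.control_id = e.cause_control_id
        GROUP BY c.owner_department ORDER BY c.owner_department""")
    return {dept: total for dept, total in rows}


def record_loss(conn, event_id, description, amount, control_id, manager):
    """Record a loss; returns False when the cited control is not in the register
    (the 'silo' failure the integrated design is meant to prevent)."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO loss_events VALUES (?, ?, ?, ?, ?)",
                         (event_id, description, amount, control_id, manager))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = build_db()
    print("IT Operations controls:", controls_owned_by(db, "IT Operations"))
    print("Losses resolved by B. Chen:", losses_resolved_by(db, "B. Chen"))
    print("Audit trail for loss 2:", audit_trail(db, 2))
    print("Exposure by department:", exposure_by_department(db))
    print("Loss citing unregistered control accepted?",
          record_loss(db, 4, "Unlinked event", 10.0, "CTL-999", "D. Someone"))
```

The foreign key on `cause_control_id` is what keeps the loss database and the control register from drifting into separate silos: a loss that cites a control nobody has registered is rejected at the point of entry, so every recorded event can be traced to an owner and a test procedure the audit team can actually run.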
With the picture of our risk framework in mind, if I was to ask you what a sound operational risk program looks like, you'd probably want to know which framework elements are in place and which ones are functioning correctly.
You would also want to know what is missing and what components are present but perhaps need additional development work.
In the link below, there are fifty or so specific elements which need to feature in some form or another in a solid operational risk framework.
Figure 2: Operational Risk Framework Checklist [access it here]
This list can never be complete, no list ever is, and someone can always say, "have you thought about this or that?" Then of course, I pulled this table together in about twenty minutes after a late night, so there might be an accidental oversight here or there. All this aside, a prudent risk manager should know what is in place to control operational risk and what needs more work.
If you are an operational risk manager, take a look at the list and ask yourself how many items you can flag as: We do this or alternatively we don't really do this.
For what it's worth, I haven't discovered an organisation that can tick more than about 60% or 70% of what is itemised here. You have to be honest with yourself and say "we do this and it is part of the professional operational risk system", not "it is to be planned" or "we are working on this element in some respect".
So we accept that each component is part of the integrated risk engine, and that risk managers, like all people, are often more biased towards their systems than they should be. Having a Risk Control Assessment Process in place without it being sensitive to change means the service is flawed. Likewise, a Scenario Analysis function which dimensions loss but doesn't describe the response is also a half-baked solution, and so on.
No one system is ever going to be perfect but I find the best systems list their imperfections.
Martin Davies | Causal Capital
If we glance at some of the major loss events just over the last three months, several poignant headlines come to mind: We have Westpac collapsing its entire ATM network because an air conditioning unit failed, a nuclear reactor meltdown at the Fukushima power station because diesel generators used for cooling pumps were in a flooded basement, a breach in the security of Sony's data centre that resulted in the release of confidential information, Nonghyup dropped its payment system in a cyber-attack and the list just seems to carry on in this fragile commercial world that we seem to inhabit.
Robustness, conceptually, is an effective planned reaction to an outage: a response that works as if it was business as usual rather than an exception. Organisations really need to improve their appreciation of business-related dependencies, as well as redundancies in their enterprise models, before they are able to fight risk.
Martin Davies | Causal Capital
Operational risk preparedness is a case of "the proof of the pudding is in the eating", as the saying goes. We also have to be honest with ourselves, as disappointing as that is sometimes, and the risk responses from the institutions I have listed above really need addressing.
Hazards and crisis potentials are presented to organisations relatively frequently, and banks are prone to systemic failures due to their size and complexity. We are also able to see how competently staff are treating these events by watching the way in which these firms recover from each catastrophe. A quick resolution, with high levels of communication and a speedy cause/treatment identification program, is the sign of a well-greased risk system. Yet our example case studies above, and many others out there, clearly have a lot of work to do before they can really say they are on top of it.