
Tuesday, October 30, 2012

Importance of risk categories

So much inspiration for articles in this blog seems to come from reading what risk practitioners are writing about on the G31000 LinkedIn portal. One recent debate restarted an old angst on enterprise risk categories.

Personally I am a big believer in the categorisation of risk events and, while this may not be popular among many of the non-banking members of the risk community, even more so with ISO 31000 practitioners, I still believe it is an important exercise to carry out. Either way, I have listed ten reasons why causal event categorisation is crucial for the operation of a sound enterprise risk management framework.

Risk Categorisation
Before we look into the reasons why risk event categorisation is key to risk management, it is probably prudent to show what a risk event classification taxonomy may look like.
  
[Figure: Risk Classification Level 1 | Causal Capital]

[Figure: Risk Classification Level 2 | Causal Capital]

There are actually two levels of risk event classifications shown here. There is a top level categorisation which highlights the major risk areas. This is followed by the level 2 risk event classification taxonomy for operational risk.

While I believe risk event classification is important, there are of course limits to how far a risk analyst should delineate what they are measuring. If we move further down in the detailing, say to a level 3 depth of categorisation, we might end up with hundreds of risk categories to choose from when we assign a risk event to a causal category. So there are plenty of benefits to categorising risk, as we shall see shortly, but if the definition is too granular it becomes impossible to assign risk events cleanly to categories. Like all things in life, we can have too much of a good thing.

Importance of risk categorisation
This inevitably brings us to the question of why anyone would want to pigeonhole a risk event in the first place.

Surely the creation of the risk taxonomy with its various sorting or allotment rules just complicates the assessment of a risk event; it traps the risk analyst into a modus operandi of thinking inside a box.

"ISO 31000 does not define operational risk, financial risk, strategic risk, etc."
Risk Categorisation | G31000

When that argument is presented to me as a reason for abandoning risk classification, I am in relative agreement. However, there are several reasons why I still avidly vote for causal risk event classification rather than doing nothing at all.

Here is the top ten list for endorsing the risk event classification taxonomy:
  
[1] A homogeneous risk classification framework leads to cleaner statistical modelling of losses. Without tight definitions it becomes very difficult to stratify data and to project loss estimates in a parametric manner. Simply throwing all losses into one big bucket will actually make the statistical assessment of these losses heterogeneous and meaningless to a model.

This single reason for categorising losses should be enough and no other purpose stands out as much as our first benefit here. All this aside, we will carry on and list the other nine logical justifications for the creation of a risk event classification program. 

[2] Classification of losses improves the financial reporting, budgeting of exposure and it assists with transfer pricing. This is also very important as it ensures that there are transparent accounting processes around the filing of loss events to keep staff honest. It allows for disclosure of risk exposures and losses to the shareholders and it fits nicely with general accounting practices.

[3] Threats are unique in nature and it is difficult to compare the management of fraud with weather catastrophes; we have to be real about this. The inherent attributes of a single specific event call for specific treatments that can't really be shared between risk categories. Categorising risk events improves the management of controls, control costs and treatment programs, and with it the process of embedding risk management into an organisation.

[4] Ownership of risk improves when there is a clean delineation and assignment of accountability. For example, there may be a unit that is responsible for physical security and a different business unit managing fraud control. We wouldn't expect either of these risk control functions to be accountable for human diversity unless they are also heading up the human resources department. In reality, the treatment of risk events very much sits with specific owners.

[5] Homogeneous capture of exposure values allows for external and internal benchmarking. If risks are simply thrown into one big bucket, comparable benchmarking is just about impossible to achieve.

[6] Educational campaigns are improved when they target a specific ailment within the risk framework. Without a campaign desideratum, risk education programs become too big or too broad and generally miss their mark.

[7] In the world of banking, finance, brokerage, lending, underwriting and insurance, the categorisation of risk events under a causal classification framework is mandated. Those risk analysts working in finance who are too lazy to categorise their losses might just find that their risk frameworks are not compliant with regulation.

[8] Risk categorisation assists in fighting capital arbitrage, a disorder which has been discussed on this blog before but which might need a topic in its own right. When firms don't have a formal risk classification framework, staff can game the system.

A great example of capital arbitrage comes from banking, where account managers write off losses of their own doing as credit impairments rather than operational risks.

Why would someone do this, do you think?

In many cases it is so that the account manager can protect their bonus. While this is immoral, it also weakens the reliability of the credit scoring and back testing systems within the bank.

[9] Root Cause Analysis becomes more difficult to achieve when risk categories are dropped, and this is an important activity to entertain. If the business as a whole is to improve the way it works and to become operationally more stable, staff need to understand the sources of risk which are most prevalent.

[10] Risk categorisation assists with reporting and the tracking of specific inherent risk factors. To understand how a business will be impacted by inherent hazards, especially as operations are scaled, a sound risk event or causal factor classification taxonomy needs to be established.

Where to find risk categories
As I posted in the Modelling Loss Data article which can be found at this [LINK], if you are a bank attempting to model loss data and perhaps if you are not, you can find an outstanding and recommended Operational Risk category list supplied in Annex VIII of the Basel II accord.

In my opinion, Annex VII is a great starting point for any risk department wishing to classify its loss events cleanly and there are so many banks using this taxonomy that it has become a bit of a standard.
  
[Figure: Annex VII Basel II Accord | June 2004]

Good risk practitioners will create a unique classification list for the event types they monitor and include a write-up card for each risk category that describes how it should be treated internally within their institution.

As it stands, some industry practitioners are still writing fundamental risk articles on what operational risk actually is or is not. To me, this clearly shows that risk management in general is embryonic. It definitely has a long way to go, and sadly there is still a lot of confusion over the definition aspects of the vocational goal in quantifying exposure. The recent paper on what operational risk is and isn't can be found here [LINK].
