Monday, August 12, 2013

ERM is more than Op Risk

If someone were to ask me what the biggest hindrance holding back the evolution of Enterprise Risk Management is today, I would probably have to say it's the obsession risk analysts have with trying to squeeze the entire world of risk into the realm of operational risk.

Really, how important is operational risk in a typical company?

The types of risks that can affect any business may originate from an endless array of possibilities: storms, human error, fraud, system failure and so on. Nevertheless, this small list I have just created is all based on threats from the operational risk domain, while most companies spend much of their time in business as usual. The world of business as usual is dominated by a different set of priorities, such as quality control, time of delivery and the struggle with bad debtors, late payers, commodity scarcity and market volatility.

So then, if enterprise risk teams are overly fascinated with assessing threats from the operational risk corner, aren't they missing the boat on these other prevalent concerns? One would surely think so.

If we take a look at banking, just as an example, we can actually see that operational risk is not as big a deal as some people would like to make out. This is especially the case when we compare operational risk as a capital number alongside the reserves held for other classes of threats, and we have done this comparison below:
Operational Risk in Capital Numbers | Causal Capital

The chart above was created by reviewing various Basel II-Pillar III reports from different financial institutions, with a focus on banks in Australia.

Bank Sample RWA Distribution | Causal Capital

By assessing Pillar III from the 'big four' in Australia, my claim on the importance of operational risk seems to hold true. Precisely, operational risk is about 10% of Risk Weighted Assets when reviewed as a capital number. Or, to look at it from a financial perspective, operational risk generally only consumes 10% of a bank's risk budget. This is to be expected in the world of finance because traditional banking generates its revenue from entertaining chosen risks such as those found in lending.

Ironically though, Australian banks seem to have suffered from a spurt of business continuity problems of late. This aside, if we were to consider a typical business selling products to customers, expecting delivery of resources from suppliers or settling payments from sales, surely credit risk is also a major concern which needs attention.

Who would know what risk is the most serious?

Fortunately, enterprise risk managers in other industry sectors don't often generate economic capital numbers, so risk teams can escape from having to deal with the business as usual problems in the realm of credit and market risk. I am not so sure that is such a good thing, but as it stands, many risk teams aren't creating risk taxonomies either, so they probably aren't prioritising threats by considering what impacts them most.

What enterprise risk analysts have a tendency of doing is facilitating risk workshops that drive out specific risk scenarios that usually home in on extreme catastrophes, and again these scenario analysis exercises are normally targeted towards the operational risk domain.

Transforming ERM
As it stands, ERM is starting to sound far from superbly covered for credit or market risk, so how can we fix this?

There are several ways to skin a cat, as the saying goes, and that definitely applies to fixing ERM. In the diagram below, I have drawn up a schematic of how an enterprise risk framework can be evolved so that it treats threats from credit or market risk proportionately.
ERM to Opportunities | Causal Capital

There are a couple of big, humongous hurdles that many enterprise risk teams will struggle with when they try to measure 'true' enterprise risk.

Primarily, if you want to compare risks side-by-side, you are going to need to do this in a parametric manner, i.e. express risk as distributions, not 'frequency x magnitude' spot estimates.

If you do attempt a distribution approach to risk measurement, you are also likely to run into another nasty wall that is tied to data or, specifically, the lack of it. If you can't capture homogeneous data in your risk framework, the distribution modelling won't really work. The solution to this next problem will lead an analyst into building a risk taxonomy for their business and a business driver's map and, if they are complete with their work, they will connect all of this to the company's general ledger.

Quite a lot of effort, isn't it? Definitely a fair bit of research in some cases, and probably the leading reason why enterprise risk teams remain prisoner to seeing the world of risk through an operational risk lens.

The big question is, how long will this obsession with operational risk last?


  1. Martin, I think one needs to look at the specific circumstances of the organization being assessed. Certainly a corporate bank, with a class-A office space (rented) in a metropolitan area and no significant assets onsite other than furniture, laptops and paperwork, will have minimal operational risk. In fact, that is why we have metropolitan areas. To protect us from the dangers of the wild, and bring us closer to our customers.

    Contrast that with a manufacturing or production facility that works on the frontier (offshore or in remote areas) and the risk profile inverts or equalizes as the dangers of the wild return and protection afforded by the state diminishes.

  2. Morgan,

    Thank you for your comment and I agree with you in general that the complexity of operations and investment into physical capital in banks would more than likely seem humble in comparison with a mining company, just as an example.

    Banks do suffer from a huge amount of fraud, they can have extensive branch networks scattered over large distances and their operating centers would come across as a factory to some people. They aren't free of operational risk.

    Nonetheless you are probably right but one of my arguments is "who would really know?"

    One thing banking has done well with in risk management is to develop a framework that can measure RWAs in line with capital; a "Risk Adjusted Return on Risk Adjusted Capital" measure of risk. They also publish this information to the public as part of regulatory transparent disclosure and the charts in this blog were derived from such data.

    When we move to other industry sectors, economic capital models don't often feature, risk generally isn't measured in a parametric manner and understanding what is your largest threat is left up to operational risk assessment in a lot of cases. This doesn't resonate with me as being particularly profound but it is far from accurate.

    The second part of this blog is based on bringing in these other areas of risk management to allow enterprise risk management by the enterprise. If ERM is operational risk, we should call it that, not enterprise risk.

  3. Martin, Thanks for the insight. I am learning. I only have experience with informal practical methods of risk assessment. Therefore my terminology is probably not as accurate as yours or in line with international frameworks. Of course that is why I am reading your blog, to learn about the frameworks outside of the narrow experiences that I have had with risk.

    My understanding of ERM is that there are two components of it, the operational vs. board level. They relate as tactical (operational) is to strategic (board level). For example, "information technology" is an operational risk area, whereas "information" is a board level risk.
    Though not all categories are as neatly related, or related to a separate level of risk at all.

    This segregation of risk makes sense to me since certain things must be handled by those on the ground, and other things by those at top management. I don't see either as any less important than the other. An organization can be destroyed just as easily by a poorly placed hedge, or failure to hedge, just as easily as it can be destroyed by a malfunctioning $7 valve which leads to a refinery explosion.

  4. Morgan,

    I reckon we are all on a continual path of learning when it comes to risk management because it is such an absolutely massive field of work.

    The risk management community also comprises many individuals with very diverse backgrounds; quants, risk analysts, framework designers, IT people, quality control experts, auditors, safety assessors, credit risk analysts, rating agencies, traders … The list is endless but that leaves us all talking risk from different perspectives.

    I personally try to keep a broad and open mind to the various alternate concepts that are discussed between the members of the risk community at large.

    Your remark on ERM being operational versus strategic is probably common consensus and generally accepted understanding in the ERM community. What I am saying with this posting is that I believe common practice is missing a huge part of risk management by ignoring the financial aspect of uncertainty.

    You are also correct in my opinion by stating operational risk isn’t more or less important than any other risk, what I am pressing at here is that ERM practitioners are missing great opportunities by ignoring these other areas of risk management.

    On your point with respect to the valve and the poor hedge, two examples come to mind. Cathay Pacific on the hedge and the BP Texas Oil Refinery explosion on the valve.

    Thanks for your comments, they are particularly useful, articulated well and I appreciate them.

  5. As an example, I think that finance (where I've spent nearly all of my near-twenty year career) might be something of an outlier because its current form is still very new despite the fact that that industry now wags the dog of our economies. But point taken.

    I'm glad to see your comment that there's wide agreement on the distinction between strategic and operational risk. That's where operational risk addresses a question similar to "are we conducting our regular activities in a fashion with acceptable residual risk". To my mind this is a vastly different question than strategy thinkers talk about, in which risk is inherent (e.g. Porter's five forces are all risk areas), which might be phrased, "what might we suffer through the trade-offs we make in pursuing a given strategy". But to my mind there is a strong link between operations to strategic risk, and it's in the ability to execute, where the questions are "are we capitalizing on market opportunities the way we should?" and "our entire company consists of six business processes, why are three of them so immature?" I'm not sure whether that qualifies as "enterprise risk management" or just "management" (or "governance") but to take this back to your point I do see a lot more to what I take to be ERM than operations risk.

    I'm learning a lot from this blog and from your commentary on the ISO 31K forum on LinkedIn, thanks for keeping it up.

  6. nice blog u have posted for us thanks. ARS provide services best Risk Management Plan for you. Safety and risk management is a vital part of any Australian business. However doing it right and in line with the new Australian WHS legislation is a complex task where many variables need to be considered. Every business is different and has a unique set of risks that may affect the safety of the employees. That’s why experience is essential.

  7. Very informative and helpful post… It was a great experience of visiting this post of risk management. Thank you for sharing.