So much inspiration for articles in this blog seems to originate from reading what risk practitioners are writing about on the G31000 LinkedIn portal. One recent debate restarted an old angst on enterprise risk categories.
Personally I am a big believer in the categorisation of risk events and while this may not be popular among many of the non-banking members of the risk community, even more so with ISO 31000 practitioners it seems, I still believe it is an important exercise to carry out. Either way, I have taken to listing ten reasons why causal event categorisation is crucial for the operation of a sound enterprise risk management framework.
Risk Categorisation
Before we look into the reasons why risk event categorisation is key to risk management, it is probably prudent to show what a risk event classification taxonomy may look like.
Risk Classification Level 1 | Causal Capital
Risk Classification Level 2 | Causal Capital
There are actually two levels of risk event classifications shown here. There is a top level categorisation which highlights the major risk areas. This is followed by the level 2 risk event classification taxonomy for operational risk specifically.
While I believe risk event classification is important, there are of course limits to how far a risk analyst should delineate what they are measuring. If we move further down in the detailing, say to a level 3 depth of categorisation, we might end up with hundreds of risk categories to choose from when we assign a risk event to a causal category.
So there are plenty of benefits to categorising risk, as we shall see shortly, but make the definition too granular and it will become impossible to cleanly assign risk events to categories. Like all things in life, we can have too much of a good thing.
Importance of risk categorisation
This inevitably brings us to the question: why would anyone want to pigeonhole a risk event in the first place?
Surely the creation of the risk taxonomy with its various sorting or allotment rules just complicates the assessment of a risk event; it traps the risk analyst into a modus operandi of thinking inside a box.
Here is the top ten list for endorsing the risk event classification taxonomy:
[1] A homogeneous risk classification framework leads to cleaner statistical modelling of losses. Without tight definitions it becomes very difficult to stratify data and to project loss estimates in a parametric manner. Simply throwing all losses into one big bucket will actually make the statistical assessment of these losses heterogeneous and meaningless to a model.
This single reason for categorising losses should be enough and no other purpose stands out as much as our first benefit here. All this aside, we will carry on and list the other nine logical justifications for the creation of a risk event classification program.
[2] Classification of losses improves financial reporting and the budgeting of exposure, and it assists with transfer pricing. This is also very important as it ensures that there are transparent accounting processes around the filing of loss events to keep staff honest. It allows for disclosure of risk exposures and losses to the shareholders and it fits nicely with general accounting practices.
[3] Threats are unique in nature and it is difficult to compare the management of fraud with weather catastrophes; we have to be real about this. The uniquely inherent complexion or attributes of a single specific event will call for specific treatments that can't really be shared between risk categories. By categorising risk events, the management oversight of controls, control costs and treatment programs will rise to a greater level of governance once typecasting is in place.
[4] Ownership of risk improves when there is a clean delineation and assignment of accountability. For example, there may be a business unit that is responsible for physical security and a different business unit managing fraud. We wouldn't expect either of these risk control functions to be accountable for diversity & discrimination unless they were also heading up the human resources department. In reality, the treatment of risk events very much sits with specific account owners.
[5] Homogeneous capture of exposure values allows for external and internal benchmarking. If risks are simply thrown into one big bucket, comparable benchmarking is just about impossible to achieve.
[6] Educational campaigns improve when they target a specific contextual ailment within the risk framework. Without a campaign desideratum, risk education programs can become too big or too broad to be generally useful.
[7] In the world of banking, finance, brokerage, lending, underwriting and insurance, the categorisation of risk events under a causal classification framework is mandated. Those risk managers working in finance who have not established a risk taxonomy might just find that their risk frameworks are not compliant with regulation.
[8] Risk categorisation assists in fighting capital arbitrage, a serious disorder that allows staff to game the risk framework by hiding loss potential in provisions or by manipulating risk budgets to increase risk appetites.
A great example of capital arbitrage comes from the banking sector and presents itself when account managers write off losses from their errors as credit impairments rather than operational risks that they caused.
Why would someone do this, do you think?
In many cases it is so that the account manager can protect their bonus and, while this is immoral, it also weakens the reliability of the credit scoring and back testing systems within the bank.
[9] Root Cause Analysis becomes more difficult to achieve when risk categories are dropped and this is an important activity to entertain. If the business is to improve the way it works as a whole, staff need to understand the sources of risk which are most prevalent. One would have thought that is obvious.
[10] Risk categorisation assists with reporting and the tracking of specific inherent risk factors. To understand how a business will be impacted when inherent hazards present themselves, especially as operations are scaled, a sound risk event or causal factor classification taxonomy needs to be established.
"ISO 31000 does not define operational risk, financial risk, strategic risk, etc."
When that argument is presented to me as a reason for abandoning risk classification, I am not convinced. Why? Quite simply, you can always dress down or turn a taxonomy off to fulfill that purpose, but you can't conjure it from nothing to kick through the ten reasons I list here.
Risk Categorisation | G31000
Where to find risk categories
We recently posted an article on the Modelling of Loss Data which can be found at this [LINK]. If you are a bank attempting to model loss data or capital, and perhaps if you are not, you can find an outstanding and recommended Operational Risk category list supplied in Annex VII of the Basel II accord.
In my opinion, Annex VII is a great starting point for any risk department wishing to classify its loss events cleanly and there are so many banks using this taxonomy that it has become a bit of a standard.
Annex VII Basel II Accord | June 2004
Good risk practitioners will create a unique classification list for event types they monitor and that should include a description card for each risk category that establishes how managers should respond when the threat is experienced.
As it stands, some industry practitioners are still writing fundamental risk articles on what risk management is and what it is not. To me and in general, this clearly demonstrates that risk management is embryonic as a corporate management function. Managing risk enterprise-wide definitely has a long way to go and sadly there is still a lot of confusion over the definition aspects of the vocational goal of attempting to quantify uncertainty. The recent paper on what operational risk is and isn't can be found here [LINK].