Operational risk management is at a crucial point in its development. Numerous approaches have been developed across different industries, but many institutions are struggling to make these fully effective by really embedding them into the day-to-day management of their business.
In order to overcome this challenge, it is essential to define clearly the relationship between operational risk processes and the overall control environment.
Indeed, the effectiveness of operational risk management has been impeded by a common failure to truly embed operational risk into the overall management of risk and control. Group risk functions must demonstrate to business-unit staff the full potential of using operational risk processes, developed under the group framework to manage the actual risks in the business. Our experience is that, without this, business units resort to developing their own processes for managing operational risk and controls, while paying lip service to the group framework for internal compliance purposes. The principal reasons for this are:
To make operational risk management effective within business units, it is essential to understand:
A key reason operational risk becomes separated from the rest of the business is that it is often viewed as a distinct risk type.
This leads to a perception by business staff that operational risk processes are an unnecessary duplication of existing control activities imposed by senior management, bearing little relation to reality. This is the principal reason for failure to embed operational risk management into day-to-day management of risk and control.
The key to solving this problem is to understand that operational risk exists across all risk categories, and that operational risk management is simply a vehicle for the continuous improvement of controls governing the management of all other risk types.
One potentially radical solution is to remove operational risk as a separate risk type and to recognise that it represents the ‘execution-related’ aspect of all other risk types. Risk and control assessment is then positioned as a means to ensure that the effectiveness of these other risk-management processes, such as credit risk, fraud, HR, IT, etc., as implemented in the support functions, is continually assessed through a single framework.
In short, operational risk management is also a form of quality assurance over the management of risk and control at an enterprise-wide level.
Having established the role of operational risk processes in the context of your control environment, the next step is to make the processes themselves smarter. The most effective way to do this is to establish the links between risk processes that are often absent in current operational risk implementations, and to use them to enable a dynamic risk management cycle rather than a series of separate processes (see Figure 1). This brings operational risk closer to the approach adopted for credit and market risk, in which forward-looking assessments are used to develop metrics for monitoring, and in which back-testing against actual loss cases is possible. By creating these links, we can create a self-improving, dynamic operational risk framework.