Over the past few years, operational risk management activities in many sectors have evolved from information-gathering to a functional discipline with dedicated staff, using established formal policies and both quantitative and qualitative procedures.

Initially triggered by the perception that increased operational risks are inherent in the increasing global pace of change, operational risk management has been widely adopted as a result of the trend toward enterprise-wide risk management, legislative and regulatory changes, year 2000 risks, corporate governance compliance and a growing belief by management that it is possible to manage risks, save money and increase business resilience. The creation and maintenance of stakeholder value is now the most common goal for operational risk management.

There is no universally accepted definition of operational risk. The financial services sector has a definition with slightly smaller and better defined scope than other sectors because of future requirements, as defined by the Basle committee for banking supervision. The Financial Services Authority (FSA) defines it as: "The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events."

Other sectors may not agree with this, as definitions vary widely depending on the enterprise, its environment and perceived level of exposure. The US Navy says it is "the uncertainty of attaining and maintaining a standard or threshold" and other definitions include "the variability inherent in operations management, investment, speculative or trading activities" or "the risk of loss arising from various types of human or technical error".

There is considerable debate as to whether operational risk should be viewed solely as connected to processes, or whether it is something bigger and includes, under various headings, all types of risk other than market and credit. The finance sector is currently investigating the robustness and suitability of various internal methodologies for capital adequacy requirements, and is debating the extent to which insurance and insurance-type ART products should be considered as part of the overall operational risk picture of an organisation. The Basle committee proposes three separate philosophies for determining an indicator of the overall operational risk of a bank.

A good operational risk management system has all the aspects of an internal control system as indicated by the combined code of corporate governance. As it evolves, its challenges change from the creation of a satisfactory outline and set of unstructured risk management activities to the development of a refined framework and structured, quantitative methodology for all stages of the risk management life cycle.

Some organisations consider strategic and reputational risk to be an aspect of operational risk and others do not, putting it into the larger 'enterprise risk' bucket.

The FSA suggests reputational risk comprises two parts: those risks resulting from external factors (largely beyond the control of a bank) and those risks "caused by a bank's own mistakes". The FSA also defines liquidity risk as an aspect of operational risk. The former case is difficult to quantify or manage proactively, but the latter can be considered a result or consequence rather than a risk in itself.

It has further been suggested that business risk is an aspect of operational risk since a business plan itself may not be realistic. The FSA states that the most important causes of operational risk are people, technology and external factors, with systems and controls seen as mitigating factors which, if inadequate, result in risk.

Analytical approaches for managing this broad category of risk are currently in the early stages of development and, although the financial sector seems to be leading, most banks have just started collecting data and many are still considering what data should be collected and how it should be stored. Both banking and insurance sectors are considering what new insurance products may be viable to help mitigate aspects of operational risk or onerous capital adequacy requirements.

Different organisations define operational risk in different ways because they exist in different environments and are at different stages of development. Whether listed or not, it makes sense for an organisation to manage its operational risks in a structured, proactive and pragmatic fashion, but there is still a considerable way to go before definitions, data, processes or controls are uniform and there are consistent, agreed methods of quantification or metrics.

Question 1
Which of the following statements is false?

a Operational risk does not impact on market and credit risk measurement

b There is no relationship between operational risk and ART products

c Operational risk and enterprise risk can sometimes mean the same thing

d There may be many definitions and interpretations of the meaning of operational risk

e Many organisations are still working out what operational risk data should be stored

Question 2
What is a bank's principal area of focus with regards to operational risk management?

a The data and how it should be recorded

b Operational risk data sources

c Validating existing data

d Data warehouse management

e Making sure they are not charged for operational risk

Question 3
The following statements can all be applied to producing viable capital adequacy charges for operational risk for banks. Which is the exception?

a The basic indicator approach, which uses a single indicator to arrive at a charge for operational risk

b The standardised approach, which splits the institutions' activities into standardised business units and lines to reflect differing risk profiles from different activities

c The standardised measurement approach, which enables a single charge for all kinds of capital adequacy to be levied based on the institutions' financial rating and irrespective of individual operational risk exposures

d The internal measurement approach, which enables the regulator to use its own methods to calculate a charge for operational risk based on its own loss data

e The advanced measurement approach, which enables the institution to gather its own data and calculate its own capital charge for operational risk

  • Carole Edrich is a principal at Kai Corporation (Risk). She can be reached at cedrich@kaicorporation.com

    How to use CPD
    This free Insurance Times reader service is intended to help you improve your skills and understanding from the comfort of your office or home. All you have to do is read the text and answer the multiple-choice questions. The answers will appear in next week's issue.

    Why CPD is important
    The Financial Services National Training Organisation (FSNTO)'s mission is to improve the quality and skills of the workforce as a fundamental requirement for the sustainable competitiveness of the industry. We fully support the practice of continuing professional development (CPD) as a major contributor to achieving this aim. Many people across the sector are required to undertake CPD by virtue of the work they do or the professional body to which they belong, but everyone can benefit from continuing to develop their knowledge and skills.