Difference between revisions of "Operational Risk"
| Line 12: | Line 12: | ||
Although quantitative analysis of operational risk is an important input to bank risk management systems, these risks cannot be reduced to pure [[Statistical Analysis|statistical analysis]]. Hence, qualitative assessments, such as scenario analysis, will be an integral part of measuring a bank’s operational risks. | Although quantitative analysis of operational risk is an important input to bank risk management systems, these risks cannot be reduced to pure [[Statistical Analysis|statistical analysis]]. Hence, qualitative assessments, such as scenario analysis, will be an integral part of measuring a bank’s operational risks. | ||
| + | |||
| + | |||
| + | '''Managing Operational Risk<ref>Managing Operational Risks [https://www.cimaglobal.com/Documents/ImportedDocuments/51_Operational_Risk.pdf CIMA Global]</ref'''><br /> | ||
| + | Risk evaluation is used to make decisions about the significance of the risks to the organisation and whether each specific risk should be accepted or treated. When looking at operational risk management, it is important to align it with the organisation’s risk appetite. The risk appetite will be influenced by the size and type of organisation, its capacity for risk and its ability to exploit opportunities and withstand setbacks. | ||
| + | Once the severity of the risk has been established, one or more of the following methods of controlling risk can be applied: | ||
| + | *accepting the risk | ||
| + | *sharing or transferring the risk | ||
| + | *risk reduction | ||
| + | *risk avoidance. | ||
| + | |||
| + | Insurance is a long established control method for transferring risk. This applies to a number of types of operational risk, for example, damage to buildings. However, more recently there has been an increase in the use of insurance combined with other methods such as [[Business Continuity Management (BCM)|business continuity management]]. One issue with measuring and managing subjective operational risks is that unless the risk occurs, it is not possible to be certain of the impact of the risk. The severity of the risk may be underestimated. One of the issues with operational risk is the continuously changing business environment. This is stressed in Internal control: guidance for directors on the Combined Code, also known as the Turnbull Report (1999), which states: ‘A company’s objectives, its internal organisation and the environment in which it | ||
| + | operates, are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the risks to which it is exposed.’ Once a decision has been made about how to manage or control the risk, it is important to have a process in place to monitor actively and to review and report regularly on the [[Risk Management Framework (RMF)|risk management framework]]. | ||
Revision as of 17:54, 4 March 2020
Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an Organization’s business functions (Basel Committee on Banking Supervision, 2004). Operational risk exists in every organization, regardless of size or complexity.[1]
Operational risk is intrinsic to financial institutions and thus should be an important component of their firm-wide risk management systems. However, operational risk is harder to quantify and model than market and credit risks. Over the past few years, improvements in management information systems and computing technology have opened the way for improved operational risk measurement and management. Over the coming few years, financial institutions and their regulators will continue to develop their approaches for operational risk management and capital budgeting.
Measuring Operational Risk[2]
A key component of risk management is measuring the size and scope of the firm’s risk exposures. As yet, however, there is no clearly established, single way to measure operational risk on a firm-wide basis. Instead, several approaches have been developed. An example is the “matrix” approach in which losses are categorized according to the type of event and the business line in which the event occurred. In this way, a bank can hope to identify which events have the most impact across the entire firm and which business practices are most susceptible to operational risk.
Once potential loss events and actual losses are defined, a bank can hope to analyze and perhaps even model their occurrence. Doing so requires constructing databases for monitoring such losses and creating risk indicators that summarize these data. Examples of such indicators are the number of failed transactions over a period of time and the frequency of staff turnover within a division.
Potential losses can be categorized broadly as arising from “high frequency, low impact” (HFLI) events, such as minor accounting errors or bank teller mistakes, and “low frequency, high impact” (LFHI) events, such as terrorist attacks or major fraud. Data on losses arising from HFLI events are generally available from a bank’s internal auditing systems. Hence, modeling and budgeting these expected future losses due to operational risk potentially could be done very accurately. However, LFHI events are uncommon and thus limit a single bank from having sufficient data for modeling purposes. For such events, a bank may need to supplement its data with that from other firms. Several private-sector initiatives along these lines already have been formed, such as the Global Operational Loss Database managed by the British Bankers’ Association.
Although quantitative analysis of operational risk is an important input to bank risk management systems, these risks cannot be reduced to pure statistical analysis. Hence, qualitative assessments, such as scenario analysis, will be an integral part of measuring a bank’s operational risks.
Managing Operational Risk<ref>Managing Operational Risks CIMA Global</ref>
Risk evaluation is used to make decisions about the significance of the risks to the organisation and whether each specific risk should be accepted or treated. When looking at operational risk management, it is important to align it with the organisation’s risk appetite. The risk appetite will be influenced by the size and type of organisation, its capacity for risk and its ability to exploit opportunities and withstand setbacks.
Once the severity of the risk has been established, one or more of the following methods of controlling risk can be applied:
- accepting the risk
- sharing or transferring the risk
- risk reduction
- risk avoidance.
Insurance is a long established control method for transferring risk. This applies to a number of types of operational risk, for example, damage to buildings. However, more recently there has been an increase in the use of insurance combined with other methods such as business continuity management. One issue with measuring and managing subjective operational risks is that unless the risk occurs, it is not possible to be certain of the impact of the risk. The severity of the risk may be underestimated. One of the issues with operational risk is the continuously changing business environment. This is stressed in Internal control: guidance for directors on the Combined Code, also known as the Turnbull Report (1999), which states: ‘A company’s objectives, its internal organisation and the environment in which it operates, are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the risks to which it is exposed.’ Once a decision has been made about how to manage or control the risk, it is important to have a process in place to monitor actively and to review and report regularly on the risk management framework.