
Mastering Operational Risk-IRM - 270111

The document discusses operational risk frameworks and management. It covers governance structures with 3 lines of defense, using a risk register to identify risks and controls, collecting and analyzing loss data, and setting risk appetite. It emphasizes operational risk is unique because it affects all business activities and can arise from internal or external factors outside of a firm's direct control. Getting operational risk management right requires strong governance, clear accountability, and understanding root causes of past issues to prevent future problems.

Mastering operational risk

John Thirlwell

IRM Operational Risk SIG


2 December 2010
• Writing the book
• What’s so special about operational risk?
• The operational risk framework
– Governance
– Losses and measurement
• Operational risk appetite
• The benefits of getting it right
• People risk
Operational risk:
How to break it down?
• The Framework; putting the Framework to work
• History; the Framework, putting the Framework to work
• History; the Framework, putting the Framework to work; business case; mitigation
Breaking it down
Part 1: Setting the scene
What is operational risk? The business case
Part 2: The Framework
Governance, RCA, Events and losses, indicators
Part 3: Advancing the Framework
Reporting, modelling, scenarios and stress testing
Part 4: Mitigation and assurance
Business continuity, insurance, internal audit
Part 5: Practical operational risk management
Outsourcing, people risk, reputation risk
ORM Framework
Governance
• Key indicators
– Identify risk and control indicators
– Specify risk appetite
– Action plans
• Risk & Control Assessment
– Identify risk and owner; assess likelihood and impact
– Identify control and owner; assess design and performance
– Action plans
• Losses
– Identify and capture internal and external losses
– Analyse loss causes
– Action plans
Scenarios and Modelling
Reporting
Defining operational risk
‘Operational risk is the risk of direct or indirect losses resulting from inadequate or failed processes, people or systems, or from external events.’ [Operational risk: the next frontier. RMA/PriceWaterhouseCoopers, 1999]
‘The risk of loss resulting from inadequate or failed internal processes, people or systems or from external events’ [Basel II]
– includes legal risk; excludes strategic and reputational risk
– regulatory risk?
‘The risk of loss arising from inadequate or failed internal processes, or from personnel and systems, or from external events.’ [Solvency II]
Is operational risk different from other risks?
Columns compared: Credit, market, commodity, liquidity | Operational
• Is the risk transaction-based?
• Is the risk assumed proactively?
• Can it be identified from accounting information, e.g. the P&L?
• Can audit confirm that every occurrence of the risk has been captured?
• Can its financial impact be capped or limited?
• Can you trade the risk?
• Is everybody in the firm responsible for the risk?
• Does the risk affect every activity?
Operational Risk (including Strategic Risk)
An attempt to frame the unframeable, to assuage fears about the uncontrollable ‘rogue others’ and to tame the man-made monsters [of the financial system].
Prof Michael Power, Organized uncertainty: designing a world of risk management (OUP, 2007)
‘The world has never been so full of risk’
(Thomas Aquinas, 1245)
National security strategy (Oct 2010)

| TIER 1 | TIER 2 |
|---|---|
| International terrorism | Chemical, biological, nuclear, radioactive (CBNR) weapons |
| Cyber attacks and large scale cyber crime | Overseas insurgency creating environment for terrorism |
| Major accident or natural hazard, e.g. extensive coastal flooding, pandemic | Organised crime |
| International military crisis | Satellite communications disrupted |

The 3 lines of defence
BOARD
Risk Committee | Audit Committee
• RISK OWNERS: Business operations
• RISK OVERSIGHT: e.g. Risk, compliance, legal, health & safety, IT security, etc.
• RISK ASSURANCE: Internal and external audit
Board
• Leadership
– Culture
– Tone from the top / tune in the middle
• Strategy and objectives
• Appetite
• Reporting and communication
• Risk, the Risk function and Risk Committee
Where does the operational risk function sit?
BOARD
Risk Committee | Audit Committee
• RISK OWNERS: Business operations
• RISK OVERSIGHT: e.g. Risk, HR, compliance, legal, health & safety, IT security, etc.
• RISK ASSURANCE: Internal and external audit
Risk assurance
• Independent
• Internal audit
– Objectives
– Status and position in the firm
• Audit Committee
– Priorities
• External audit – financial reporting
• Internal audit as consultant
• Internal audit as investigator
The risk register
or ‘What needs to go right?’
Issues and decisions concerning event data
• Which events?
– Reporting threshold
– Near misses
– “Boundary” losses
– Gains
• The data
– Amount (the basis of severity)
– Date (the basis of frequency)
– Loss category
Realities of risk event data
• It will be incomplete, scarce and patchy, even allowing for external data – the ‘tail’ problem.
[Figure: Lognormal and bimodal distributions]
• It will be inconsistently reported although, once reported, it is auditable.
• It is historic and backward looking. Major events will probably have led to tighter controls, change of policy etc. The external environment will change.
However
• It can validate indicators, risk and control assessments and scenarios
• It is the beginning of the essential chain of: Data → information → knowledge → understanding
BUT THAT ONLY COMES WITH . . .
Felix qui potuit rerum cognoscere causas
(Vergil, Georgics)
It is the cause, it is the cause, my soul.
(Shakespeare, Othello)
CAUSE → EVENT → EFFECT
A Typical Crisis Model
[Figure elements: Cultural and Human Factors; Organisational Design and Structure; Economic and Strategic Imperatives; Trigger Event; Loss]
Dr Simon Ashby, The 6 C’s of the financial crisis (Financial Services Research Forum, Nottingham University Business School: April 2010)
Unlike the position that exists in the physical sciences, in economics and other disciplines that deal with essentially complex phenomena, the aspects of the events to be accounted for about which we can get quantitative data are necessarily limited and may not include the important ones.
Friedrich von Hayek, Pretence of Knowledge, Nobel acceptance speech 1974.
Our knowledge of the way things work, in society or in nature, comes trailing clouds of vagueness. Vast ills have followed belief in certainty.
Kenneth Arrow, I know a hawk from a handsaw (CUP 1992)
Modelling operational risk
- a qualitative approach
• Use existing risk and control assessments
• No need to wait for adequate loss history
• How it might work:
– Set up ranges
– Assess impact and likelihood of risks
– Assess failure probabilities of controls
– Correlate risks (if possible)
– Challenge input
– Run Monte Carlo simulations
– Assimilate results and reports
Operational risk appetite
• Risk of loss a firm is willing to accept for a given risk-reward ratio [over a specified time horizon at a given level of confidence]
• Some examples
– No/minimal appetite for losses arising from financial crime, reputation, legal, regulatory events
– Unmitigated losses no more than x% of PBT in any 3-year period
– No individual OR losses above £x or cumulative losses above y over 12 month period. Losses above £z to be reported to Risk or Audit Committees.
• But do these mean anything in the world of op risk?
Whose appetite is it anyway?
Risk appetite – some principles
• Requires well-defined business objectives and well-defined objectives of appetite
• Should inform business decisions
• Will be defined in quantitative and qualitative terms; requires multi-criteria components
• Tied in to business performance and reward
Risk appetite in relation to loss experience
Risk appetite using risk assessment scores (1)

Annual Loss Thresholds

| Level | Threshold |
|---|---|
| Low | 25,000 |
| Acceptable | 100,000 |
| Warning | 450,000 |
| Catastrophic | 1,500,000 |

Impact per event (£)

| Band | L'bound | U'bound | Mid point |
|---|---|---|---|
| Low | 0 | 50,000 | 25,000 |
| Med-low | 50,000 | 150,000 | 100,000 |
| Med-high | 150,000 | 500,000 | 325,000 |
| High | 500,000 | 1,500,000 | 1,000,000 |

Likelihood of event (per annum)

| Band | L'bound | U'bound | Alternative label | Mid point |
|---|---|---|---|---|
| Low | 0.04 | 0.10 | 10% likely in next year | 0.07 |
| Med-low | 0.10 | 0.33 | 30% likely in next year | 0.22 |
| Med-high | 0.33 | 1.00 | Very likely in next year | 0.67 |
| High | 1.00 | 12.00 | Several times in next year | 6.50 |

Risk appetite using risk assessment scores (2)

| IMPACT \ LIKELIHOOD | 10% likely | 30% likely | Very likely | Severe |
|---|---|---|---|---|
| High | 70,000 | 220,000 | 670,000 | 6,500,000 |
| Med-high | 22,750 | 71,500 | 217,750 | 2,112,500 |
| Med-low | 7,000 | 22,000 | 67,000 | 650,000 |
| Low | 1,750 | 5,500 | 16,750 | 162,500 |

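The modelling steps listed under "a qualitative approach" (set up ranges, assess risks, assess control failure probabilities, run Monte Carlo simulations) can be run directly on the bands and thresholds above. The sketch below is an added example, not material from the deck: the three register entries, their control failure probabilities, the Poisson and uniform distributions, the independence of risks (no correlation step) and the reading of the annual loss thresholds as upper limits are all assumptions.

```python
import math
import random

# Bands from the slides: (lower bound, upper bound, mid point)
IMPACT = {"Low": (0, 50_000, 25_000), "Med-low": (50_000, 150_000, 100_000),
          "Med-high": (150_000, 500_000, 325_000), "High": (500_000, 1_500_000, 1_000_000)}
LIKELIHOOD = {"Low": (0.04, 0.10, 0.07), "Med-low": (0.10, 0.33, 0.22),
              "Med-high": (0.33, 1.00, 0.67), "High": (1.00, 12.00, 6.50)}
# Annual loss thresholds from the slides, read here as upper limits (assumption)
THRESHOLDS = [("Low", 25_000), ("Acceptable", 100_000),
              ("Warning", 450_000), ("Catastrophic", 1_500_000)]
# Constructed register: (risk, impact band, likelihood band, control failure probability)
REGISTER = [("Phishing-led account takeover", "Med-low", "High", 0.05),
            ("Ransomware outage", "High", "Low", 0.30),
            ("Misconfigured cloud storage", "Med-high", "Med-low", 0.20)]

def matrix_cell(impact, likelihood):
    """Mid-point impact x mid-point likelihood: one cell of the scores (2) grid."""
    return IMPACT[impact][2] * LIKELIHOOD[likelihood][2]

def poisson(rng, rate):
    """Knuth's method; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-rate), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_year(rng):
    """One simulated year; a loss lands only when the control fails (assumption)."""
    total = 0.0
    for _name, impact, likelihood, p_fail in REGISTER:
        rate = rng.uniform(*LIKELIHOOD[likelihood][:2])    # annual frequency within the band
        for _ in range(poisson(rng, rate)):
            if rng.random() < p_fail:
                total += rng.uniform(*IMPACT[impact][:2])  # severity within the band
    return total

def classify(annual_loss):
    for label, limit in THRESHOLDS:
        if annual_loss <= limit:
            return label
    return "Beyond catastrophic"

def run(trials=20_000, seed=1):
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng) for _ in range(trials))
    mean, p95 = sum(losses) / trials, losses[int(0.95 * trials)]
    return {"mean": mean, "p95": p95, "mean_band": classify(mean), "p95_band": classify(p95)}
```

Calling `run()` returns the mean and 95th-percentile simulated annual loss with the threshold band each falls into; `matrix_cell` reproduces the grid cells from the slide mid-points.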
Optimising resource through risk and control assessments
Risk appetite using Key Risk Indicator thresholds for ‘Number of help desk queries’
Benefits of an effective operational risk management framework
Informed decision making
• Placing [operational] risk decisions in the right context (governance)
• Distinguishing your operational risks and optimising control resource (RCA)
• Assessing past problems (losses)
• Knowing where you are now (indicators) . . .
• . . . and where you may be heading (scenarios)
• Allocating capital (modelling)
• Getting the right information (reporting)
Interaction of operational risk management and Six Sigma and Lean
Other benefits of operational risk management
• Business continuity planning
– Will you be a survivor?
– Will you be back in business first?
• Insurance buying
• Outsourcing
– Managing the core
– Better customer service
– Higher activity levels
• Project management
• Reputational risk
– Preventing it
– What to do if it happens
• People risk management
People risk
• Operational risk is the risk of loss from inadequate or failed internal processes, people and systems or from external events.
• ‘80% of operational risk is down to human error or management failure.’ (Jonathan Howitt, ex Head of operational risk, Dresdner Kleinwort Benson, 2004)
People risk – the financial crisis
Financial crisis
– Asset bubble
– Politicians, regulators, central banks
– Failure to apply good risk management
– Failure to apply good risk governance
– Human behaviour (greed, herd instinct)
People risk essentials
• Leadership and culture
– Openness and transparency
– Communication
• Corporate strategy and objectives
– Excellent behaviours defined
• Change and flexibility
Senior people risk
• The people risk of the CEO
• The people risk role of the CEO
– Instilling the risk culture enterprise-wide
– The CEO’s behaviour
• Tone from the top
• Walk the talk
• The people risk of risk management
People risk controls and indicators
• Objectives and, through them, behaviours are the drivers for key people risk controls:
– Selection
– Appraisal and performance management
– Training
– Reward
– Succession planning
• People risk and reputation risk
• People risk indicators
People risk and HR
• Is HR a transactional or a risk function?
• Much risk is managed by good HR. How much is managed by a good HR department?
• Understanding and predicting risk is highly dependent on understanding human and organisational behaviour. HR has a role as senior management’s guide.
• Would the HR Director be on the short-list for CEO or COO?
• All risks should be viewed through a people lens and all people issues viewed through a risk lens
• Good people management
is good risk management
is good operational risk management
Contact details

John Thirlwell
Tel: +44 (0) 208 386 8019
Mob: +44 (0) 781 382 9362
e-mail: info@johnthirlwell.co.uk
Web: www.johnthirlwell.co.uk
www.masteringoperationalrisk.com
