Lessons and takeaways from 15 years of operational risk reporting
The first Basel II proposals, published in 1999, globalised the term ‘operational risk’, a phrase that, while it had been debated at the occasional conference and had attracted surplus risk management attention, had neither a standard definition nor a standard phrasing. The Basel Committee anchored the definition of operational (rather than operations or business) risk to the risk of loss (to shareholders) arising from an organisation’s people, processes or systems.
In 2004, the Committee brought banks a step further by introducing the Advanced Measurement Approach (AMA), allowing banks with sophisticated operational risk management frameworks to use equally sophisticated measurement to determine the required regulatory capital for this risk class. While few banks pursued an AMA approach, the requirements set out in the Basel II capital framework set the language for operational risk management worldwide.
Despite the existence of a common language, there is no common design for operational risk reporting – a phrase to mean the way in which information about operational risk is shared within an organisation. Variation in operational risk reporting between organisations is far greater than the variation in reporting for credit or market risk and the amount of information shared publicly is limited. Banks, encouraged by the requirements set out in the 3rd Pillar of Basel II, have instead disclosed their operational risk management processes where there is considerable convergence in the use of anodyne clichés.
The paucity of external disclosure can, in part, be ascribed to the lack of status of internal operational risk reporting, which follows both from a lack of standardisation and an inability to mimic the qualities of good credit, market and liquidity risk reporting. Risk reporting is most successful when it allows business leaders to make informed decisions about whether to accept risks present in their business or change behaviour with the intent of reducing (hedging) them. For example, good credit risk reporting identifies trends in portfolio composition with enough foresight to allow for loan re-pricing or the resetting of exposure limits.
The fact that very little operational risk reporting satisfies this criterion 15 years after AMA concepts were introduced to global banking reflects the difficulty of the task as much as anything else. Over the last 15 years, operational risk management communities of practice have encountered similar themes in the evolution of their work.
These themes emerge from:
- Challenges to clean separation of 1st and 2nd line of defence in operational risk management
- The static nature of some operational risks
- A perceived lack of relevance to business decision-making
This article seeks to help banks overcome those barriers by setting out five questions related to those themes for CROs and Boards to consider in the design of their operational risk reports.
Where’s the money?
One of the long-term challenges for operational risk in financial institutions has been to clarify the scope of financial impacts to which the definition applies. The clearest costs relate to incidents rather than risks. For example, the cost of a recent fraud is more likely to be reported than the cost of fraud controls (the actual risk mitigant). Banks need to decide how much effort to place into identifying the cost of their operational control environment and how best to calibrate responses to operational incidents without an awareness of the associated cost of control.
The emphasis on losses, rather than cost of controls, is consistent with regulatory requirements and it is not proposed that loss analysis be removed from operational risk reporting. However, additional information about the cost of the control environment helps banks make risk-reward trade-offs, since operational losses occur when controls fail. Over time, the operational risk community has found this information to be of greatest use if it is structured differently to other risk reports, which leads to the next question...
Should business be looked at differently in order to better understand and report operational risk?
Risk reporting traditionally follows management accounting or legal entity structures when presenting information for internal consumption. Credit risk is ascribed to either distribution or product; market risk to financial markets; structural interest rate risk to Treasury, and so on. Operational risk does not, however, lend itself to a traditional business structure, with risks manifesting across processes or control families, neither of which respects business unit lines. Any design of operational risk reports should consider what their primary classification should be below Group level and, if they do follow process lines, how closely they should map to internal cost allocation frameworks. Recent requirements under BCBS 239 for Boards to review material consistent with regulatory reporting may present an opportunity for banks to review the structure of their reports, since for regulatory operational risk reporting, losses must be aggregated in specific, non-business ways.
A further challenge for operational risk reporting, and an opportunity for the 2nd line, is to set a standardised vocabulary for all operational reporting. It is not uncommon for leadership teams to receive reports on IT system health, compliance and financial crime prepared in different areas and using subtly different definitions. Early work on an operational risk taxonomy and minimum standards will simplify reporting and avoid the risk that the operational risk report repeats information described elsewhere.
In the early 2000s, risk measurers invested time and organisational goodwill in the idea that operational risk capital could be used to standardise all descriptions (at least of impact) across processes and systems. The complexity associated with operational risk capital models has meant that Key Risk Indicators have become a more widespread approach than capital, with the question of whether each indicator has equivalent tolerance or importance often left unanswered.
What emphasis should be given to changing risk profiles versus reporting operational risk incidents and their mitigation?
The next difficult question for operational risk reporting is the distinction between forward-looking reporting of changes in risk profile and historical reporting of operational risk incidents and their associated mitigation. Most publicly disclosed metrics for operational risk are backward-looking, with the view that historical trends can be extrapolated to present a credible picture of the future. The highly skewed nature of operational risk impacts challenges this assumption – the statistical process control principles underpinning such an idea stem from analysis of finite systems (few unknown unknowns) with better-behaved loss distributions than those observed in operational risk.
Indeed, discussion of operational incidents is perhaps better left to 1st line, particularly 1st line process management, rather than occupying time in a risk report. However, in order to build a genuine operational risk report with lower reference to incident management, consideration must be given to drivers of change in operational risk profile, which classically manifest in changes in the control environment, typically an area of limited data.
Deciding how much emphasis to place on forward-looking operational risk reporting aligns to deciding how much investment to make in operational risk mitigation, that is, the avoidance of operational risk losses before they occur. The signals being followed in guiding that investment become the critical reporting metrics. Such an approach can be challenged on the grounds of relevance – the ongoing difficulty organisations have with collecting data on near misses being the clearest example – and therefore it may make sense to align operational risk reporting to critical business decision-making processes, such as the direction of investment spend.
Trading off impact for familiarity – the frequency of operational risk reporting
Some of the best story-tellers in banking work in operational risk departments. The narratives associated with operational risk losses are often compelling enough to engage a wide audience, with the primary intent of the author often being to ensure a judicious reaction to the incident (judicious being very much in the mind of the author). No matter how charming or shocking the writing, operational risk reports seem to lose executive attention faster than most, to judge by the frequency of their redesign. One problem may be the static nature of most organisations’ operational risk profiles. The risks embedded in an organisation’s culture, processes and systems do not remediate themselves as quickly as a market risk position, nor is their deterioration as obvious or as fast as for an equivalently significant loan portfolio.
There is an argument to be made for restricting significant operational risk reports to no more than twice yearly, so that progress on material risks can be observed and assessed. Many organisations instead adopt a rolling approach to risk reporting (for instance addressing technology risk in May and November; people risk in June and December) so that leaders receive a constant supply of information. Rolling approaches are often excused by the need to maintain operational risk management accountabilities but risk achieving the opposite by allowing familiarity to erode impact. This is especially true if a significant fraction of the report is taken up with descriptions of the process used to assess each risk.
Putting the ‘risk’ back in – maintaining relevance when considering low likelihood high impact events
The final challenge for an operational risk report is to present information about low likelihood but high impact events in a way that allows for a meaningful conversation about risk mitigation. The Basel II framework requires banks to consider external loss data and scenario analysis in the hopes of fomenting such debates, but this information is more usually reduced to a review of recent peer incidents to help Boards answer the question ‘could that happen here?’
The risks associated with extending the analysis of low likelihood events are well known. Chief among them is the risk that operational risk management will be perceived as a hand-brake on business activity, rather than an advocate. The second risk can be attributed to the long-tailed distribution of operational risk impacts. It is more challenging to assess the cost of a 1% likely operational risk event than to estimate the equivalent 99% Value-at-Risk from liquid markets. Care must be taken to avoid a convergence of impacts to either implausibly large or implausibly small outcomes.
Conclusion: Operational risk reporting in an ideal world
An operational risk reporter’s ideal organisation is one with fully mapped processes with controls and control owners identified for each process step. All operational risks could be described in a common language of control failures, with historical data, control concentrations and costs all cleanly classified. That environment exists today for credit, market and liquidity risk in many financial institutions, but it remains an ambition rather than a reality for operational risk – despite the regulatory emphasis and history of loss over the last 10 years.
In the absence of perfection, operational risk reporting can best support business decision-making if it is prepared to complement rather than mimic other forms of management reporting. To do so effectively, reports will need to be redesigned and new controls, particularly over reconciliation, standardisation and translation of operational risk information, will need to be introduced.
An article by Paul Lowrie, Head of Governance, Risk & Control at TORI Global, an international management consultancy.