Overview of Operational Risk
From the definition given above, identify the major causes or sources of operational risk.
This definition, with slight variations, has been widely adopted across financial services. Here are
some of the definitions:
Solvency II defined operational risk as ‘the risk of change in value caused by the fact that actual losses
incurred for inadequate or failed internal processes, people and systems, or from external events
(including legal risk) differ from expected losses’.
Deutsche Bank defines operational risk as the potential for failure (including the legal component) in
relation to employees, contractual specifications, documentation, technology infrastructure and disasters,
external influences and customer relationships.
REFLECTION
In the institution where you did your work-related learning, how did they define operational risk? Was
everyone aware of the definition?
Operational risk is, at its core, a mistake, error, or hazard. It is embedded in how the
enterprise functions, and is often driven by people and IT systems that do produce errors. Contrary to
other risks like market and credit risks, operational risks are not willingly incurred and are not revenue
driven; rather, they are driven by the firm’s operations. Operational risk is often viewed as “the cost of
doing business”, as it directly impacts profitability and needed capital. In many ways that is true. It is not
separable from the act of doing business, as it is also embedded in other activities undertaken by the
enterprise.
Operational risk manifests through the complex web of employees, products, clients, systems, legal
judgments, regulation, and fines. Operational risk is never really predictable, but firms must be prepared
for it as part of an enterprise risk management strategy. Decisions that involve the implicit acceptance of
operational risk may not clearly expose the operational risk involved. This is especially dangerous, as a
business manager does not explicitly take on operational risk, as he or she would do for market risk or
credit risk. Instead, it shows up in how the business is executed.
There is a huge variety of specific operational risks. By their nature, they are often less visible than other
risks and are often difficult to pin down precisely. Operational risks range from the very small, for example,
the risk of loss due to minor human mistakes, to the very large, such as the risk of bankruptcy due to
serious fraud. Operational risk can occur at every level in an organisation.
Operational risk is one of the misunderstood risks, but it can lead to the collapse of an organisation when
not managed well. It can lead to additional regulatory and reputational harm and it has a dangerous
feature of contagion. It gives rise to new or additional risks. This is especially true when the operational
risk in question is left unattended by management.
ACTIVITY: Contextualise this to the insurance industry. Can these operational risk types be used for
the insurance industry too? Which categories of operational risk are more common in the insurance
industry?
Management of such risks may involve support from specialist departments, e.g. the Business Continuity
Management department to deal with business continuity related risks. Such risks are usually managed
through capital reserves, insurance or investment in controls.
RELATIONSHIP BETWEEN OPERATIONAL RISK AND OTHER RISK TYPES
Operational risks arise in the presence of other risk types. Operational risk is interrelated with other risk
types, and sometimes it can be difficult to draw a distinction between operational and other risk types. An
operational loss/event can be dramatically magnified by other risks, and operational risks can also
dramatically magnify other risks. Consider the following examples:
Example 1 (operational risk and market risk)
You instruct your stock broker to buy Starnet shares but the broker erroneously places a sell order instead
of a buy order. This will result in losses and the losses will be magnified should the market move in
another direction rather than remaining stable.
Example 2 (Operational Risk and credit risk)
A bank issuing loans forgets to get details of the client, incorrectly captures them, or misplaces them.
In the event of a financial crisis which triggers defaults, the loss will be magnified, as the bank will fail to
collect the owed money even from those who could have paid, since it will not have enough
documentation on clients to institute debt collection. The 2008 Financial Crisis has always been
seen as a credit risk event, but a closer look shows that the event was magnified by operational risk. There
was a series of process failures which appeared as external events but were actually a product of poor or
failed processes: missing and incomplete loan documentation, misrepresentation of the personal financial
details of borrowers, etc.
Example 3 (operational risk and legal risk)
When government banned the use of foreign currency, business models that were based on forex failed.
For example, many companies failed to process payments and salaries as old payment systems failed
to recognise the new currency.
ACTIVITY
Identify the other major categories of risks. How do they relate to operational risk?
The problem of ensuring clear boundaries between different risks is something that operational risk
managers face day-to-day. Operational risk managers often need to interact with risk managers dealing
with other risk types and have to justify why some risks should be considered as part of Operational Risk
Management. Even with clearly documented boundary conditions between risk types, from time to time
situations arise which are not covered by existing definitions and need resolution with other risk
disciplines.
Within this context, it is also important to consider the relationship between Enterprise Risk Management
and Operational Risk Management. Most companies today prefer to manage their risk exposures in an
integrated way, under an umbrella framework commonly referred to as Enterprise Risk Management
(ERM). This approach is based on the premise that risks are interconnected and need to be managed
together in a consistent and holistic approach, with clear differentiation of the boundaries between them.
ERM is concerned with management of risk at an enterprise level while ORM is concerned with
management of risks at program, function or operational levels. It is important that one understands the
differences between enterprise risk management and operational risk management and the benefits of
integrating ORM into ERM. Operational risks are best managed and measured if they are integrated into
the ERM program. ERM ensures that operational risks are elevated, they are considered in resource
allocation, there are fewer crises, there is improved organisational performance, shared solutions and
increased awareness of operational risks.
ACTIVITY
Explain briefly the benefits of integrating operational risk management into enterprise risk
management.
NB: Operational risk is a result of unpredictable, not fully understood failure mechanisms. Managing
operational risk requires an engineering-like understanding of systems, processes and failure mechanisms,
but most businesses do not invest enough to understand processes or systems, especially if the systems
and processes are secondary to business models/goals.