Home

The Challenges of Operational Risk

 

Operational Risk has come a long way over the past few decades, it got a lot more structured with standard frameworks and metrics.  It's been trying very hard to catch up with Market Risk and Credit Risk but there are still two significant differences between Op Risk and the other two;

 

1)         Its ability to frame the expected loss of an activity is very weak, with the exception of fraud or error losses in statistically large populations such as fraud in retail credit card and mortgage businesses.

 

2)         The availability of tools to hedge the risks identified.  Not that Market Risk or Credit Risk are perfect in this respect but they have more tools and it's easier to measure the impact of some of the less direct methods of hedging the risk.

 

A few illustrations of the issues faced and the responses commonly seen;

 

 

Area

Market Risk

Credit Risk

Operational Risk

General Expected Losses

Well covered by VaR and ES models. I've always seen VaR as a good measure of a "Bad Day in the Markets" metric, mistakenly viewed as a stress measure.

Expected loss models are now mature and like VaR and ES can be backtested.

The lack of statistically significant populations of data has hampered use.  Even sharing of loss data across the industry has not helped much as firms' true control effectiveness is idiosyncratic.

Unexpected, Stress Losses

Stress tests and stressed VaR can give practical metrics for the impact of extreme moves.

Stress tests also give metrics for extreme economic and other triggers.

Fitting extreme distributions to thin data populations has failed.  The billions of dollars (>$300bn) of fines for mis-selling and conduct issues have now lead the BCBS to propose the withdrawal of model approval for operational risk.

Direct Risk Hedging (without closing the activity)  

Proxies





Diversification

Many liquid market hedges exist although often if all the risk is hedged there is no final profit from the transaction.  

Proxy hedges using liquid products can be used, e.g.




Diversification and structural hedges can be made, e.g. Equity derivative businesses are often short equity volatility while Converts businesses are naturally long it.

Hedges tend to be restricted to the better known names within credit indexes or with credit default swap markets.

Proxies exist particularly in using say sovereign credit risk hedges.  Not strictly a proxy but collateral terms also act as hedges.



Diversification is one of the largest traditional credit risk management techniques and still valid.

Insurance policies can protect against some risks, but insurers are not keen to issue cover against risks they cannot estimate.


Very difficult to conceive of an effective proxy.  Compensating controls might be possible, for example a strong central validation for retail products sold by a weakly trained sales team (but one would really expect management to fix the sales team!).

This is credible, particularly for firms operating in many countries and markets although centralisation and off-shoring work against this.

Organisational measures

The trickiest market risks are usually segregated into specialist exotic or hybrid desks.  

In other cases risk managers can be given explicit increased authority to demand the reduction of risks they regard as too dangerous for the reward anticipated.

"Bad Bank" segregation is well practiced regime now with specialist teams mandated to negotiate resolution.

Similar to market risk, credit risk managers can be given the authority to demand hedging and to also limit future business to securitised or collateralised exposures.

It's normal for firms to move their most talented professionals to manage their trickiest risks, so one often finds the best traders, risk managers, middle office and finance staff covering the exotic and hybrid desks.  But this is a good example of the operational risk mitigation being unmeasurable and this limits the firm's ability to compute its impact.

 

Again, a firm could give its operational risk managers the authority to limit certain aspects of the operational risk environment such as restricting business in countries with difficult regulatory or legal environments.

 

The difficulties in estimating the expected losses from operational risk make risk appetite setting and prioritisation extremely difficult.  In a perfect world it would be great for management to authorise a new trading desk with a VaR limit of $2m say and an operational loss limit of $250k.  Whilst the former is a practical market risk limit the latter is just a wish.  The operational controls debate would descend into minutiae of "how stringently does this rec' have to operate?" with no statistical assistance and the operational risk framework is constructed with huge subjective input into its control standards.  One of the advantages of risk models is that they limit the amount of subjective input the user can make and also concentrate it in areas that can be at least debated if not validated.  (Compare modelled impairment provisions with subjective provisions for example.)

 

I think the way forward for operational risk is to;

·         Recognise that some risks, particularly in the tails cannot be modelled effectively (just as earthquakes cannot be predicted with any certainty).

·         Define and enforce minimum control standards that must be applied put some boundaries on the loss envelope.

·         Promote a culture that everyone is responsible for the firm's operational risk.

·         Measure what you can.  Conduct related failures have caused the largest operational losses of the last decade, some conduct behaviour can be measured even if the extreme losses from it are too difficult to estimate.

·         Continue to run effective loss models where the populations support it (credit card fraud et cetera).

·         Continue to collect data on losses from medium frequency control lapses to better predict the leading indicators.

 

Home Top