The Challenges of Operational Risk
Operational Risk has come a long way over the past few decades, it got a lot more structured with standard frameworks and metrics. It's been trying very hard to catch up with Market Risk and Credit Risk but there are still two significant differences between Op Risk and the other two;
1) Its ability to frame the expected loss of an activity is very weak, with the exception of fraud or error losses in statistically large populations such as fraud in retail credit card and mortgage businesses.
2) The availability of tools to hedge the risks identified. Not that Market Risk or Credit Risk are perfect in this respect but they have more tools and it's easier to measure the impact of some of the less direct methods of hedging the risk.
A few illustrations of the issues faced and the responses commonly seen;
Area |
Market Risk |
Credit Risk |
Operational Risk |
General Expected Losses |
Well covered by VaR and ES models. I've always seen VaR as a good measure of a "Bad Day in the Markets" metric, mistakenly viewed as a stress measure. |
Expected loss models are now mature and like VaR and ES can be backtested. |
The
lack of statistically significant populations of data has hampered use. Even sharing of loss data across the
industry has not helped much as firms' true control effectiveness is
idiosyncratic. |
Unexpected, Stress Losses |
Stress tests and stressed VaR can give practical metrics for the impact of extreme moves. |
Stress tests also give metrics for extreme economic and other triggers. |
Fitting
extreme distributions to thin data populations has failed. The billions of dollars (>$300bn) of
fines for mis-selling and conduct issues have now
lead the BCBS to propose the withdrawal of model approval for operational
risk. |
Direct Risk Hedging (without closing the
activity) |
Many
liquid market hedges exist although often if all the risk is hedged there is
no final profit from the transaction. |
Hedges
tend to be restricted to the better known names within credit indexes or with
credit default swap markets. |
Insurance
policies can protect against some risks, but insurers are not keen to issue
cover against risks they cannot estimate. |
Organisational measures |
The
trickiest market risks are usually segregated into specialist exotic or hybrid
desks. |
"Bad
Bank" segregation is well practiced regime now with specialist teams mandated
to negotiate resolution. |
It's normal for firms to move their most talented professionals to manage their trickiest risks, so one often finds the best traders, risk managers, middle office and finance staff covering the exotic and hybrid desks. But this is a good example of the operational risk mitigation being unmeasurable and this limits the firm's ability to compute its impact. Again,
a firm could give its operational risk managers the authority to limit
certain aspects of the operational risk environment such as restricting
business in countries with difficult regulatory or legal environments. |
The difficulties in estimating the expected losses from operational risk make risk appetite setting and prioritisation extremely difficult. In a perfect world it would be great for management to authorise a new trading desk with a VaR limit of $2m say and an operational loss limit of $250k. Whilst the former is a practical market risk limit the latter is just a wish. The operational controls debate would descend into minutiae of "how stringently does this rec' have to operate?" with no statistical assistance and the operational risk framework is constructed with huge subjective input into its control standards. One of the advantages of risk models is that they limit the amount of subjective input the user can make and also concentrate it in areas that can be at least debated if not validated. (Compare modelled impairment provisions with subjective provisions for example.)
I think the way forward for operational risk is to;
· Recognise that some risks, particularly in the tails cannot be modelled effectively (just as earthquakes cannot be predicted with any certainty).
· Define and enforce minimum control standards that must be applied put some boundaries on the loss envelope.
· Promote a culture that everyone is responsible for the firm's operational risk.
· Measure what you can. Conduct related failures have caused the largest operational losses of the last decade, some conduct behaviour can be measured even if the extreme losses from it are too difficult to estimate.
· Continue to run effective loss models where the populations support it (credit card fraud et cetera).
· Continue to collect data on losses from medium frequency control lapses to better predict the leading indicators.