A Guide to Understanding Operational Risk Management
Dr. Jeffrey Edwards, MBA, CQF, CSSBB
Executive Risk Officer | Chief Control Officer | Blockchain | Cryptocurrency | Enterprise Risk Management | Operational Risk | Market Risk | Credit Risk | Regulatory Compliance | Risk Quantification | 1LOD | 2LOD | 3LOD
Operational Risk Management has made some major strides since the official definition came to the forefront with the advent of Basel II. Yet the prevalent focus is still the loss associated with People, Processes, Systems, and External factors as a direct definition. In some factions, there is still a more general definition of Operational Risk as everything except Credit and Market Risk, but this definition is relatively elusive and doesn't provide a good foundation for analysis. As such, to implement a comprehensive guide to operational risk that's more specific, one needs to have People, Processes, Systems, and External Factors at the forefront of any analysis or implementation.
People
To understand the potential failure associated with People (People Risk), one needs to isolate the people aspect from the other aspects of operational risk so as not to double-count the risks. As such, People Risk needs to focus on the failures that are not associated with the intersection of processes, systems, and external factors. This leaves the people risks that are associated with individuals from an internal perspective, specifically the attributes or characteristics of people that can cause loss. These attributes and characteristics include the presence of individuals, the adequacy of individuals, and the intent of individuals (i.e., malicious intent).
The question of risk can be identified by understanding what could happen from a person's presence or lack thereof. What happens when people are absent from activities and operations, or what are the failures that could happen when people are absent? How is the manifestation of risk evidenced in the absence of individuals, the adequacy of the individual, and the intent of that individual?
When dealing with the presence of an individual, one must understand the actions or activities that individual is responsible for and how their absence impacts those activities. This is relatively easy to identify, as people tend to be the initiators and, to some extent, the managers of operations or activities within an organization. Without this initiating and managing activity, the activity or operation does not exist. The quantification of this is relatively simple as well, because it would include the value of the activity or operation. The absence of that operation is a risk that needs to be mitigated. Therefore, is there a replacement for people?
The adequacy of the individual is represented in the errors that the individual creates before, during, and after an activity. These errors represent the risk imposed on an activity when inadequate personnel are initiating or managing the activity. Inherently, this risk can cause the demise of an organization through mistakes made by individuals within critical processes and activities. Trading mistakes, balance sheet management mistakes, and other errors have caused institutions to fail. As such, the inherent risk associated with inadequate individuals varies between small risk and catastrophic risk.
Finally, there is the risk associated with an individual's malicious intent. Inherently, this risk has no true boundaries, for an individual with malicious intent can cause an entire organization to fail. Of course, this is contingent on access to critical systems and processes. There are several instances where individuals have caused the demise of organizations, sometimes maliciously but most of the time mistakenly through their actions.
Process
The identification of losses associated with processes can be a daunting task. The first step in understanding these losses is to understand and define a process. A process can be different for different constituents. The key is to ensure everyone who works with the process has the same idea as to what a process may represent. Some may decide to use Process Improvement methodologies (e.g., Six Sigma, Lean Manufacturing, Business Process Management, etc.) to help define a process, while others might use Business Process Model and Notation (BPMN), and others might use the Process Classification Framework (PCF) from APQC. Whatever method one uses, it needs to be the standard that everyone uses and understands. Without a standard, a process doesn't have consistent meaning or representation throughout the organization.
Once the process has been defined, there needs to be some way to analyze and identify the risks associated with such a process. One method that has been in use, specifically within the process improvement realm, is Failure Modes and Effects Analysis (FMEA). The FMEA is a systematic method for identifying probable issues, failures, and their impacts on the system or process prior to the occurrence of an adverse event. The FMEA takes into account the specific steps associated with the process and analyzes each step in an effort to understand and document the risk and controls within the process. The FMEA is useful for understanding the risk and, in some way, quantifying the risk through metrics built into the FMEA document. Usually, an RPN (Risk Priority Number) is used, which helps one decide how to rank and manage the risk.
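As an added illustration (not from the article), the following Python sketch builds a small FMEA worksheet for a user-access provisioning process and ranks its failure modes by RPN. The article names the RPN but gives no formula; the conventional Severity × Occurrence × Detection product on 1-10 scales, the severity tie-break, the action threshold of 100, and the process steps and ratings are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Conventional FMEA scales: each rating is an integer from 1 (best) to 10 (worst).
# The RPN formula S x O x D is the common industry convention; the article names
# the RPN but does not give a formula, so this choice is an assumption here.
RATING_MIN, RATING_MAX = 1, 10

@dataclass(frozen=True)
class FailureMode:
    step: str          # process step being analyzed
    failure: str       # how the step can fail
    control: str       # current control that prevents or detects the failure
    severity: int      # impact if the failure occurs
    occurrence: int    # likelihood of the failure
    detection: int     # difficulty of detecting it before harm (10 = undetectable)

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not (RATING_MIN <= value <= RATING_MAX):
                raise ValueError(f"{name} rating {value} outside {RATING_MIN}-{RATING_MAX}")

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection

def rank_failure_modes(modes):
    """Order failure modes for treatment: highest RPN first, ties broken by
    severity so a high-impact item is never outranked by an equal-RPN item of
    lower impact (a common practice, assumed here rather than taken from the article)."""
    return sorted(modes, key=lambda m: (m.rpn, m.severity), reverse=True)

def needs_action(mode, threshold=100):
    """Flag modes whose RPN exceeds the organization's action threshold
    (100 is a constructed example threshold)."""
    return mode.rpn > threshold

# Constructed worksheet for a user-access provisioning process.
WORKSHEET = [
    FailureMode("Grant access", "Role assigned broader than requested", "Manager approval", 7, 4, 5),
    FailureMode("Revoke access", "Account not disabled at termination", "Quarterly access review", 9, 3, 7),
    FailureMode("Log activity", "Access logs not retained", "None", 6, 2, 9),
    FailureMode("Request access", "Ticket lacks business justification", "Ticket template", 3, 6, 2),
]

if __name__ == "__main__":
    for m in rank_failure_modes(WORKSHEET):
        flag = "ACTION" if needs_action(m) else "monitor"
        print(f"{m.rpn:4d} {flag:8s} {m.step}: {m.failure} (control: {m.control})")
```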
The FMEA is just one method for identifying and quantifying the risk associated with a process. Other methods for quantifying risk range from qualitative to quantitative to hybrid means. For instance, the FMEA is hybrid since it has aspects of both qualitative and quantitative analysis. Another hybrid approach would be the Bow-Tie Analysis. More quantitative methods include Monte Carlo Simulations, Bayesian Analysis, and VaR (Value at Risk). More qualitative means include the Delphi Method and the Cause-and-Effect (Fishbone) diagram.
Systems
Systems, or Information Technology Systems, are another component of Operational Risk Management. Identifying the potential for loss associated with information technology systems is a complex activity that considers the multiple components of technology systems (i.e., Infrastructure, Applications, Database, Network, etc.). There are many frameworks that assist in the identification of Information Technology risk. As with Process methodologies, one needs to standardize on one method and use that method, or on a hybrid approach that might combine multiple methods. COSO, COBIT, ITGC, ITIL, and NIST SP 800-53 R5 are all frameworks that can be used to identify Information Technology Risk and, in some manner, quantify that risk. The key is consistency throughout the multiple phases of Operational Risk Management.
External Factors
External factors are somewhat of a wildcard or catch-all for activities external to the organization that impact its activities and operations. Many times, the focus is on regulatory changes, but in fact any type of change can impact the organization's operations. One of the tools that can be of benefit in analyzing external factors that impact a company's operations is the PESTEL analysis. The PESTEL analysis examines the Political, Economic, Social, Technological, Environmental, and Legal factors in the external environment. Another analysis that can be of benefit is the SWOT analysis, which focuses on Strengths, Weaknesses, Opportunities, and Threats. Only half of the SWOT is applicable, as the SWOT covers both Internal and External analysis. The Opportunities and Threats are the External analysis applicable to the External Factors of Operational Risk Management.
In conclusion, Operational Risk is a broad, evolving term that encompasses a variety of potential hazards that may arise during the day-to-day operations of a financial institution. These risks can stem from internal processes, systems, external events, or people. One needs to be vigilant in managing Operational Risk both at the strategic level and at the component level. The key to understanding Operational Risk is to view the risk holistically and ensure that each component is understood in a way that lends itself to practical application, quantification, and analysis.
How do you approach understanding Operational Risk Management? Your thoughts and comments are welcome.
Data Management Leader with Specialized Experience in Department Leadership, Data Lineage and Operational Analytics
1y: Use SWOT all the time; never heard of PESTEL. Thanks!