by Michel Rochette
Operational risk is the new frontier in enterprise risk manage-ment within the financial community. It is a field that actuaries should certainly get involved with because it offers many new opportunities.
Operational risk exists in every industry. It is at the core of every human organization. It has always existed. It used to be said that operational risk is a risk to live with and a risk of doing business. The industrial sector decided to meet it head-on by devising the ISO standards more than 25 years ago, followed by certifications of compliance. Others have adopted the requirements of the Six Sigma approach to their organi-zation, from green to black belts, focusing on project manage-ment. In the 1980s, the concept of quality emerged as an integrated approach to improve organizations.
However, what is new within financial institutions is a specific recognition of this type of risk as a stand-alone risk. This is encouraged by both the implementation of enterprise risk management and recent high profile losses. Although operational losses have affected banks and investment companies greatly in the last few years (and it was catastrophic in some cases–Barings), insurance companies haven't been immune neither. Within the insurance and pension industries, some operational practices have resulted in major publicized losses and lawsuits. Examples of this include deceptive sales practices such as: sales illustrations, vanishing premiums lawsuits, misrepresentation of life insurance as retirement plans, churning or improper policy replacement and more recent investigations in some sales practices.
Other initiatives are contributing to create an interest in this field, like new risk-based regulatory approaches. The new Basel Accord II has created a momentum in this subject within the banking community. In Europe and the UK, regulators have taken a holistic approach to their new supervisory framework by completely redesigning their approach along a risk-based system–credit, market, liquidity, insurance, operational, group–that will ultimately apply to all regulated financial institutions. In the United States, the federal banking regulators will implement the new Basel Accord. In the mean-time, the NAIC has proposed to revise their supervisory framework based on a risk-based approach, which will include operational risk among other risks. Sarbanes-Oxley is considered a subset of the larger field of operational risk.
Also, for any company that is publicly rated, rating agencies are adding operational risk as part of their overall assessment of companies. For example, Standard & Poor's has created a Corporate Governance Score. And for those companies that are listed on exchanges, more requirements are being implemented to enhance corporate governance, including risk assessment and management.
The following definition, although elaborated for the Basel Accord for banks, has become the standard definition within the financial community. Operational risk is defined as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." 1 Legal risk is considered to be part of it, but it excludes the financial consequences of business or strategic decisions. Ultimately, the reputation of the firm is at stake, although this is not considered to be a risk category by itself. As you can see, the banking and investment community have decided to define operational risk more broadly than just operations risk.
Approaches and Methods to Identify, Assess, Quantify and Help Manage Operational Risk
Traditionally, operational risk has been taken care of by relying solely on insurance coverage. Some standard products have been marketed by the general insurance industry–like fidelity insurance, fiduciary insurance, directors and officers insurance, etc. However, these remain piecemeal and passive solutions to addressing this risk.
Within financial institutions, there is now an incentive to evaluate holistically the potential for loss that operational risk represents to an organization. In this regard, institutions are developing and implementing different approaches to become proactive instead of just relying on insurance as a tool to mitigate it.
Approaches can be broadly classified as qualitative or quantitative, either implemented from a bottom-up or from a top-down view within the organization. In fact, a combination of these approaches provides greater assurance that all operational risks are covered.
The most prevalent qualitative approaches are risk and control self-assessment, risk mapping, key risk indicators and scoreboards. The methods are used to gauge the effectiveness of controls at the business unit levels and allow the organization as a whole to develop a culture towards operational risk. In this field, other approaches like quality management, Six Sigma, COSO, ISO and COBIT, standards that have been developed in other fields over the years, are being adapted to the context of financial institutions.
Quantitative methods familiar to actuaries will be used by the majority of banks to establish their regulatory and economic capital, calculate a risk-adjusted return and assess the value of hedges like insurance. In order to use loss distributions, the gathering of internal and external operational loss data becomes essential. Individual major banks have started to develop their own database of operational risk losses. According to a recent survey by Mercer Oliver Wyman, more than 95 percent of major international banks are recording operational losses. 2
However, the data is scarce. This fact might constitute an interesting opportunity for the actuarial profession to become proactive in this regard. In fact, a recent survey by the Risk Waters Group and SAS of 250 financial institutions and regulators has "identified managing data quality as the number one issue, with respondents reporting difficulties in collating sufficient volumes of historical data and in ensuring reliable data." 3
In addition to regular loss distributions, other quantitative methods like extreme value theory, casual network, simulating systems dynamics, fuzzy logic, neural networks and predictive models are being developed.
Regulatory Banking Requirements–Basel Accord (II) 4
This accord has been designed along three pillars, which cover minimal capital requirements for market, credit and operational risks, as well as supervisory review, and market discipline through enhanced disclosure. Pillar 1 of the revised frame- work has been redesigned to allow banks to use their internal systems as inputs to capital calculations by giving them financial incentives in the form of reduced capital requirements to use the more advanced modeling approaches. Pillar 2 covers the principles that supervisors are expected to follow in order to verify how banks under their supervision assess their overall risk profile and mandate additional capital for risks not covered in Pillar 1. Pillar 3 covers the disclosure requirements, which will allow market participants to judge a bank's risk profile. It is anticipated that this new accord will be implemented in more than 100 countries. 5
Three approaches are mandated in the first pillar on capital requirements for operational risk: a basic indicator, a standardized and an advanced measurement approach.
The advanced measurement approach (AMA) is the most flexible. This approach allows banks to determine their required capital based on whatever method or model deemed appropriate, subject to regulatory review, to capture their operational risk profile over a one-year holding period at the 99.9 percent confidence level, in particular the "tails." Interestingly, at this time, only insurance and some forms of captives are allowed as hedges in the calculations.
European Union 6
Europe is moving ahead with a complete overhaul of its supervisory regime. At this time, a new capital adequacy directive, EU CAD3, has been adopted for the banking and investment communities. It is a carbon copy of the Basel II Accord, which will apply not only to internationally active banks, but also to smaller and specialized institutions, including investment firms, on a consolidated basis. Operational risk is explicitly defined, and must be dealt with. As in the Basel Accord, three approaches for operational risk, increasing in complexity, are available.
For the life, non-life and reinsurance fields, discussions are at the framework stage, called Solvency II. The intent is to move away from the fixed ratio, factor-based capital approach to a framework that would recognize all risks faced by insurers. Also, since there is a desire for uniformity between financial institutions and between the countries of Europe, the proposed framework in the banking field will have a direct impact on the insurance sector.
As in the banking field, the Solvency II framework aims at giving incentive to insurance companies to measure and manage all of their risks. Insurance companies will have to identify and manage a broad array of risks from the traditional risks associated with insurance to liquidity and operational risk.
The UK regulatory regime is following a similar approach to the rest of Europe. According to the Financial Services Authority, risk management is more than just a capital calculation. In fact, with the introduction of the Integrated Prudential Sourcebook (IPS), all financial firms including insurers will have to implement an overall prudential risk framework that should cover their governance structure, risk management systems, compliance, internal audit, outsourcing and business contin- uity. In addition, more specific systems and controls for operational risk starting in November 2004, as mentioned in PRU 6, will have to be implemented.
On the banking regulatory front, the three major federal banking regulators (FED, OCC, OTS) and the FDIC have announced that Basel II will apply only to major international banks for the time being. The SEC has announced that brokers and dealers will have their capital calculated similarly to Basel II.
In the insurance industry, the NAIC is rethinking its approach to solvency. It has recently published a document called Risk-Focused Surveillance Framework. This document de scribes a precise approach to assess the solvency of an insurer from a risk-based methodology instead of relying solely on the existing risk-based capital calculation. In essence, it follows the line of thinking of Basel II. It calls upon state examiners to perform a risk and control assessment of the insurance companies, and, depending on the results, focus their efforts and recommendations accordingly. Operational risk and reputation risks are part of the analysis as well as the other financial and insurance risks.
Since this is a risk-based approach, major insurance companies will have an incentive to review their corporate governance structure, establish a centralized risk management function that can implement this new regulatory framework and act as the central point of interaction with the regulators. Segregation of duties will be an important element of this new governance framework.
Operational risk management is part of the enterprise risk management framework that is being implemented in many financial institutions. Some have already calculated the contribution of this risk to their overall capital requirement. Operational risk represents about 12 to 15 percent of the economic capital of major banks, behind credit risk and market risk. In insurance companies, a similar comparison puts business risk as 13 percent of the total regulatory capital. Some studies and surveys have found that implementing an operational risk program can help reduce economic capital by about 10 to 25 percent and operational losses by about 17 percent, which result in improved business and performance management.
From an actuarial perspective, some might believe that this is the domain of the casualty actuary. However, operational risk is present in all financial institutions. So, actuaries from different domains should take an interest in this field, and help their companies preserve their most valuable asset, their reputation.
Figure 1 illustrates the relationship of operational risk to other risks faced by any financial organization.
Michel Rochette is an actuary working for an asset manager in operational risk.