
New guidance on operational risk

December 3, 2016

The Risk Management Association has published Key Principles of Operational Risk Management.

Designed by practitioners at financial services organizations, the document makes a number of good points.

But let me start with what is missing: guidance on when to take risks.

When an organization is focused on avoiding failure, it is very hard to be successful.

Operational risk is basically about the things that can go wrong in day-to-day processes that can trip you up.

It is impossible to eliminate such risk.

The best you can hope for is to take a level of risk that is appropriate given the business and what it takes to be successful.

It’s not even about “balancing” risk and reward. The potential for reward should always be higher than the potential for loss – but the key is to use the same assessment methods to understand the potential range of positive effects or outcomes as is used to assess the potential harms.

Recognize that it’s not ‘either or’ reward or loss. It is highly likely that both will occur!

Anyway, the guidance makes some good points:

  • Risk management is an integral part of business management and should be incorporated into overall business and financial planning.
  • Business culture within institutions must embrace the value of risk escalation and welcome independent challenge of risk decisions. Soliciting multiple points of view and engaging in debate result in better, more informed decisions.
  • Senior management should provide direct oversight of current and emerging exposures. Meanwhile, risk management should be part of the normal management process and governance, not be made a separate, adjunct function.
  • Risk teams should be established with qualified, high-performing professionals who are closely integrated with business operations and the decision-making processes.
  • Effective risk management is a basic responsibility of business leaders and managers.
  • Risk management activities dictated solely by remote oversight functions lacking detailed execution experience are highly prone to error and inefficiency.

But I have a problem with the traditional perspective in this section:

As part of sound business and strategic decision-making, operational risk implications must be assessed and considered in order to determine whether to

  • Manage the risk.
  • Tolerate the risk.
  • Transfer the risk (for example, by insuring against the risk).
  • Decline the risk.

To be successful, sometimes you need to take the risk, even to embrace the risk because of the potential for reward.

The attitude of tolerating or even accepting the risk is simply wrong. Take it happily!

If financial services organizations fail to take the right level of the right risks, they will fail and fade away.

I welcome your comments.

  1. GSosbee
    December 5, 2016 at 6:50 AM

    Norman’s comments are correct as respects the financial services industry. The industry is fixated on the micro effort of models instead of the macro effect on the business. Yes, models have a larger use in the financial services industry than other industries, but until senior management [which should include the Chief Risk Executive (not the CRO)] accept that models only produce data points and not answers or solutions, the industry will continue to make risk management mistakes.

  2. December 5, 2016 at 12:14 PM

    Fortune’s Formula and the Kelly Criteria would have us look closely at the following.
    – Odds_Win (Odds between 0 and 1)
    – Potential_Gain (Positive number, zero or greater)
    – Odds_Loss (Odds between 0 and 1)
    – Potential_Loss (Positive number, zero or greater)

    Is the Kelly Criteria true?

    Kelly Criteria > 0 = Odds_Win * Potential_Gain – Odds_Loss * Potential_Loss

    If not, then the longer one plays the more money one loses on the average. The only use of Risk Management is to minimize the losses or to quit playing such a game early.

    Once the odds of a win have been improved and the potential loss shrunk so that average gain vs. average loss favors gain, the real work of Risk Management begins: getting after variation.

    Consider a game structured after the odds of breach per system and the potential business gain and business loss for using that system to do business.

    – Odds_Win = 99.9%/yr
    – Potential_Gain = A year’s worth of transactions, $20/each, 12/hr, 2000 hours/yr, 3 yrs = $480,000 in a year
    – Odds_Loss = 0.1%/yr
    – Potential_Loss = A single breach $3,000,000 fixed costs + $7.25 * 24,000 records = $3,174,000/breach

    Kelly Criteria > 0 = 0.999 * $480,000 – 0.001 * $3,174,000 = +$476,346/yr

    So, yes, I want to play this game. But what about variation on these dice over the years?

    For example,
    Over 20 years, on average one could win $9,526,920.
    Yet, 98% of the time the maximum loss per year will be less than $5,946,000.

    Are you 98% sure you are winning as often as you think? The good news is that the margin of insurance one needs to buy, while bigger than $3,174,000, is a whole lot smaller than $63,840,000 to cover a rare loss every year for 20 years.

    Does that kind of risk management help you take profitable risk? Know what kind of deductible your firm is likely to need? Or even help you size the risk you may be taking for one computer for 20 years or 20 computers for one year?

  3. December 5, 2016 at 12:16 PM

    Correction: a gain of $480,000 for one year’s worth of transactions.

    • Norman Marks
      December 5, 2016 at 2:48 PM

      Don, thanks for the example.

      Complicating factors:
      – There is a range of possible gains, each with their own likelihood. Same for losses
      – You may not be able to accept the possibility of loss, even if the potential gain is more likely and greater. For example, if there is a possibility of death or such.

      • December 5, 2016 at 2:55 PM

        The Risk Management process itself does involve the evaluation of a specific risk: whether it has an acceptable level, what kind of risk treatment is needed, and what happens to treated risk as it may actually create other risks while avoiding an unacceptable risk. I have some solid material on how the ISO 31000 Risk Management process can handle the protection-of-human-life forms of Risk Management which are actually found in other ISO standards. http://www.iso.org/iso/home/standards/iso31000.htm
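Don’s Kelly example above (comments 2 and 3, with the $480,000-per-year correction applied) can be carried a step further than the one-line expected value. The block below is an added worked example, not the commenter’s own code: it computes the per-year edge he calls “Kelly Criteria > 0”, the 20-year average, and then the loss one should be prepared for at a chosen confidence level. The modelling assumption introduced here (not stated in the comment) is that each system-year is an independent trial with a 0.1% breach probability, so the number of breaches across 20 system-years is Binomial(20, 0.001); that is what lets the same arithmetic answer “one computer for 20 years or 20 computers for one year”.

```python
"""Kelly-style edge and loss-at-confidence arithmetic for the breach example.

Added worked example, not code from the blog post or its commenters.
Dollar figures and probabilities are the constructed ones given in the
comment; the binomial model of independent system-years is an assumption
introduced here.
"""
from math import comb


def kelly_edge(p_win: float, gain: float, p_loss: float, loss: float) -> float:
    """Expected net result of one round (one system-year).

    This is the quantity the comment writes as
    'Kelly Criteria > 0 = Odds_Win * Potential_Gain - Odds_Loss * Potential_Loss'.
    A positive value means the game is worth playing on average.
    """
    return p_win * gain - p_loss * loss


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), summed exactly from the pmf."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def loss_at_confidence(p_breach: float, loss_per_breach: float,
                       exposures: int, confidence: float) -> float:
    """Smallest total loss L such that P(total loss <= L) >= confidence.

    Each exposure (one system for one year) is treated as an independent
    Bernoulli trial, so 1 system x 20 years and 20 systems x 1 year give the
    same answer. This is the 'how big a deductible / insurance margin do I
    need to be X% sure' question raised in the comment.
    """
    for breaches in range(exposures + 1):
        if binomial_cdf(breaches, exposures, p_breach) >= confidence:
            return breaches * loss_per_breach
    return exposures * loss_per_breach  # every exposure breached


# Figures from the comment (constructed scenario, not real incident data).
P_WIN, GAIN = 0.999, 480_000       # per system-year, after the correction
P_LOSS, LOSS = 0.001, 3_174_000    # $3,000,000 fixed + $7.25 * 24,000 records


def summarize(years: int = 20) -> dict:
    """Per-year edge, horizon average, and loss quantiles over `years` exposures."""
    edge = kelly_edge(P_WIN, GAIN, P_LOSS, LOSS)
    return {
        "edge_per_year": edge,
        "expected_over_horizon": edge * years,
        "loss_98pct": loss_at_confidence(P_LOSS, LOSS, years, 0.98),
        "loss_99_9pct": loss_at_confidence(P_LOSS, LOSS, years, 0.999),
        "worst_case": years * LOSS,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:>22}: ${value:,.0f}")
```

Under these assumptions the edge is $476,346 per year and $9,526,920 over 20 years, matching the comment, while the binomial tail shows where the variation question bites: with a 0.1% annual probability, 20 independent exposures have roughly a 98% chance of zero breaches, so a 98% confidence level covers nothing, a 99.9% level requires reserving for one breach ($3,174,000), and only the worst case reaches 20 breaches. Raising the probability or the number of exposures moves those quantiles quickly, which is why the per-system breach odds, not the headline expected value, should drive the deductible.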

  4. Chris Baker
    December 6, 2016 at 3:21 AM

    I’ve yet to work with many (or even any?) organisations that have any reliable or consistent method of measuring or quantifying risk! How the hell they prioritise spending on controls remains a mystery! 🙄

  5. December 6, 2016 at 3:47 AM

    You are correct, Norman, and though I hate to sound like a “scratched record” in my comments, it is back to changing our mindsets – and by “our” I mean risk practitioners.

    Risk is good and there is zero potential for income where risk is not embraced. Risk does not mean danger – the two terms cannot be interchanged to mean the same. This is where our mindsets need to change. Risk is chance.

    As you have rightly mentioned Norman, it is not either reward or loss as it is both likely that both will occur. We only try to increase our chances of getting more of the reward. Period!

    Operational risk is what it is and is there to stay. Most of the risks that can be “tolerated” are already catered for in our procedures (where ironically we don’t really “tolerate” but try to ensure these risks do not crystallize!). However, our risk assessments should never be in isolation, as they should not only focus on “what can go wrong”, as you have mentioned.

    As discussed in your last post, the starting point is first knowing the firm’s objectives, and we consider how to increase our chances of meeting the objectives. Risk assessment should always be seen vis-a-vis the organisation’s SWOT, with the questions being: how do we capitalize on our strengths to convert external opportunities to income, or convert or reduce external threats? How do we capitalize on our strengths to convert weaknesses to strengths and better take advantage of opportunities? Can we find opportunities in the threats? How do we further build on our strengths?

    Indeed as you also mentioned, this is within the context of already having estimated the level of risk that is appropriate to the business (risk appetite).

    The challenge for risk practitioners should be how to ensure the business takes enough risk to maximise opportunities rather than shying away from risks.

  6. December 6, 2016 at 6:52 PM

    Martin…
    You insist on taking risk, and also, if taken, you criticise tolerating or accepting the risk.
    What response do you appreciate then for all taken risks? Only Transfer is left, as Avoid is not possible.

    In the end, you say take “right level of the right risks”.
    A bit confusing.
    Can you give an “operational definition” for “right level” and “right risks”.

    Ari

  7. Stephen Leckie
    December 8, 2016 at 12:57 AM

    This is not a case of who is right or wrong; both are right. But history tells us that there is no problem with financial institutions taking a risk to make a profit! However, the risk management frameworks within those firms were not capable of managing those risks, and the cost to the nation was significant. Therefore, financial institutions need to build their risk management frameworks first, then go out to take risks and make a profit. After all, you would not drive a car at 100 mph if you had not designed, built and tested the brakes.

    Stephen

  8. Sanja
    December 9, 2016 at 11:11 PM

    IMHO operational risk is not the risk you want to take to make profit… How could you possibly benefit from failed processes, people, systems or natural disasters?!
    OpR is that part of other risks you take (that bring you profit) which can mess up your plans.
