Article Detail

Waking the Sleeping Giant – Maximizing the Potential of Operational Risk Management for Banks

Journal 33: Technical Finance

Simon Ashby, David Clark, John Thirlwell

Within the banking sector, operational risk is often perceived to be of less importance than financial risks such as market or credit risk. Such a view is typically reinforced by the observation that banks are in the business of taking these financial risks and must lend large amounts of money and/or take significant market positions if they are to make an acceptable profit for their owners. Events such as the global financial crisis would also seem to reinforce this view of the pre-eminence of financial risks. Taken at face value, the crisis might appear to have been caused by a combination of excessive lending, leverage, and derivatives trading – activities which fall within the realm of financial risk.

Yet deeper investigations into the crisis have revealed that other more complex forces were at work, forces, such as failures in people, processes, and systems, which have more in common with the field of operational risk. In this paper, we argue that banks must do more to wake the sleeping giant of operational risk management in their activities. We demonstrate how operational risk-related failures in people, processes, and systems lay at the heart of the global financial crisis, leading to disastrous consequences not only for individual banks, but also for the financial sector as a whole and the domestic economies that are supported by it. We also highlight three key barriers that we believe are preventing the discipline of operational risk management from reaching its full potential in the banking sector. Finally, we identify a number of themes that we believe should be embraced by banks and their regulators to help overcome the three barriers and enhance the management of operational risk across the sector.

The concept of Operational Risk (OR), at least in the financial markets, is a relatively recent invention [Power (2007)], with the term entering into common use in 1999 when the Basel II proposals were first published. These proposals were important for two reasons. Firstly, they were, in 2001, accompanied by a definition of what OR is – the risk of loss associated with inadequate or failed internal processes, people, and systems or from external events [Basel (2001)] – rather than what it was not. Previously, many banks had thought of OR, if it was mentioned at all, as the “other” risk that was left after banks’ financial risks had been taken out. Secondly, these proposals made it clear that supervisors would be adding an OR charge on to the more traditional capital charges for market and credit risk. This galvanized banks, and many other financial institutions, into divining what types of OR they were exposed to and how to measure them. In most other disciplines, such as space travel, the military, and science/medicine (penicillin was discovered as the result of an OR event), OR had for generations been placed at the heart of their risk management activities, constantly learning from past events and developing appropriate cultures and organizational characteristics to manage them. But now, rather belatedly, OR had arrived in the world of banking.

At the same time that OR was being discovered by banks, significant strides were being made in the measurement of credit and market risks. Models of credit metrics refined and increased the accuracy of the measurement of credit exposure. In parallel, models for market risk exposure blossomed as computing power enabled huge amounts of price data to churn out risk variables, exposures, and prices for new products. There was good reason to feel that the increasingly complex credit and trading products that banks were competing to deliver to their customers could be policed by a phalanx of analytical tools that would enable financial controllers, auditors, middle offices, and senior management to keep their finger on the pulse of the risks they were running.

Banks politely suggested to supervisors that they now had a much better grasp of their risks and hinted at lower capital requirements. Supervisors acknowledged these improvements and offered lower capital requirements for recognized risk models used by the more sophisticated banks, but by this stage they had pushed the minimum requirements higher and risk-based supervision had become the way forward. Basel II, and the promise of more risk sensitive supervision, was what banks had been waiting for. It was into this more sophisticated laboratory that OR was annexed to credit and market risk with great expectations.

Losing money with credit or market risk exposures comes with the positions that are taken. Getting it wrong occasionally has to be lived with. But it was becoming apparent, to some bankers at least, that the underlying causes of many so-called market or credit risk events fell within the definition of OR, being related to failures in people, processes, and systems, or external events. However, to complicate matters, there were inevitable difficulties associated with quantifying OR, especially in comparison with credit and market risk, where the required hard numeric data are generally more plentiful. It is the nature of OR that events may share common causes, but the effects of each large OR event often differ and, likewise, apparently similar events or effects may derive from different causes. This will not change.


Leave a comment

Comments are moderated and will be posted if they are on-topic and not abusive. For more information, please see our Comments FAQ
This question is for testing whether you are a human visitor and to prevent automated spam submissions.