Chapter 7 Operational Risk Tools - Events and Losses PDF

Summary

This document details operational risk tools and events and losses. The chapter outlines the key themes, different types of risk events including loss events, near misses, and gains/offsets, and provides an introduction to operational risk management. It also includes sections that discuss direct and indirect events, near misses, the importance of root cause analysis, etc.

Full Transcript

7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing Chapter 7 Back Up Book for Printing Chapter 7: Operational Risk Tools – Events and Losses Learning outco...

7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing Chapter 7 Back Up Book for Printing Chapter 7: Operational Risk Tools – Events and Losses Learning outcomes and assessment criteria 7. Understand the role of events and losses in the management of operational risk. 7.1 Differentiate between the types of events. 7.2 Describe the attributes of event data and their use. 7.3 Explain the importance of root cause analysis. 7.4 Describe the role and implication of thresholds in relation to reporting event data. 7.5 Describe issues, roles and responsibilities in relation to reporting event data. 7.6 Explain the uses and limitations of internal event data. 7.7 Describe the benefits and limitations of sources of external loss event data. 7.8 Explain the uses of external loss event data. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 1/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing Key themes The key themes of this chapter are as follows: The different types of risk events including loss events, near misses and gains/offsets. The attributes of event data. Root cause analysis. Issues and parties involved in reporting event data. Sources of external loss event data. The uses, benefits and limitations of internal and external events data. Introduction to Chapter 7 Events and losses are a fundamental part of operational risk management because they are the evidence or manifestation that an operational risk event has materialised. Loss events are the quantitative building blocks with which to model operational risk capital and to validate other operational risk tools such as risk and control self-assessment and scenario analysis. They may also, either in their size or number, be useful risk indicators, especially in relation to monitoring risk appetite and tolerance. Whilst past events do not provide a guide to future risk exposure, recording and analysing these events provides opportunities for both learning and risk mitigation. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 2/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.1 Differentiate between the types of events 7.1.1 Direct and indirect events A direct risk event is one which results in a direct impact as a result of an operational risk failure. As an example, in the case of product mis- selling, it could be: The need for customer compensation. The cost of a regulatory fine. The direct costs involved in any investigation. Other direct event impacts include: Loss of income relating to transaction fees, direct fees, commissions or interest. Reduction in the value of assets. Loss of assets or cash through unenforceable contracts. Loss of assets as a result of fire or theft. Direct event impacts are quantifiable and identifiable in the profit and loss account. An indirect risk event is an event which is ancillary to a direct event. In a product mis-selling case, it could be reputational damage to the firm’s business due to the mis-selling, with all the long-term costs that come with that, including the loss of future business. Other indirect event impacts include: Failure to reach expected or desired levels of customer service. Costs incurred in any official investigation of an event – such as accommodation costs of staff or others involved in the investigation. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 3/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.1.3 Near misses There is no standard definition of what constitutes a ‘near miss’. The definition will be different from firm to firm, as will the way they are reported and treated. Here are a few examples of some generally accepted definitions of a ‘near miss’: 1. An event happened but it did not result in a loss because of fortuitous circumstances. 2. An event would have occurred had the final preventative control not operated successfully. No loss has occurred, but analysis is required to understand which intermediate controls did not operate as they should. 3. A situation which would have led to one or more operational risk events if it had not been detected by an additional, non-systematic control. An example of the first definition is where a payment is made, which is either for the wrong amount or is sent to the wrong counterparty. The recipient notices the error and arranges for the payment to be reversed and corrected. However, the causes should nevertheless be investigated to see why the process and controls failed in the first place. In the third case above, management will consider whether additional controls should be built into the process. In both the first and third examples no financial loss is suffered, but there is the potential for financial losses to be incurred. Near misses are as valuable as loss events in analysing whether controls have failed to perform as they should, or whether appropriate controls were not in place. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 4/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.1.4 Gains and offsets Operational risk events do not necessarily result in losses. In some cases, there is no financial loss, even where there has been an event or control failure, such as in the case of near misses above. In other cases, there may even be a gain or offset. On the trading floor, a ‘fat finger’ error by a trader – buying when they should have sold or vice-versa, or buying 1,000,000 of a currency rather than 100,000 – could result in either a loss or a gain, depending on the movements in markets between the time of the original error and its discovery and reversal. In fact, given the volatility of markets, errors of this sort are equally likely to generate a gain as a loss. However, the gains are frequently not reported as errors and instead add to the trader’s profits, whereas losses are more likely to be reported. Operational risk management is not, therefore, solely concerned with losses. It concerns the causes of events, whatever their outcome. Another example concerns offsets. At their simplest they involve recoveries, perhaps through a successful insurance claim or the recovery of an amount which was mistakenly paid to a third party. In other cases, they may involve a fortuitous outcome. If, for example, the IT system goes down and a trader is unable to close her position until, perhaps, the following day, it may be that the result is a gain. This could be offset against other losses incurred by the IT system failure, whether direct or indirect. Offsets and gains should be either recorded and reported as separate events, so that the true cost of the failure can be assessed; or at least noted against the record of any associated loss event, without corrupting the gross loss. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 5/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.1.5 Boundary risk events Another important concept when dealing with risk events is that of boundary risk. A firm must be able to distinguish between operational risk events and those caused by other risk types, most notably Credit, Liquidity, Market and Insurance (See section 1.1 for definitions). On occasion it is likely that losses within other risk types will occur which have been caused by an underlying operational failing. For example, a credit risk loss which arises as a result of an operational risk event e.g. a mortgage customer is repossessed at a loss (a credit risk) however, it is discovered the loan was outside credit policy and granted as a result of human error (operational risk). In such instances the loss will be recorded as credit for measurement purposes, but earmarked as operational for lessons learnt and management purposes. Market, Liquidity and Insurance risk losses are generally treated and recorded as operational risk events. See section 1.3 for further discussion. Workplace reflection When your firm identifies the loss or impact of an operational risk event, to what extent does it include indirect costs? How does your firm treat 'near misses'? Does it collect and analyse 'gains'? https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 6/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.2 Describe the attributes of event data and their use This section aims to build on concepts introduced earlier in the Workbook but in particular in Chapters 2, The Regulatory Treatment of Operational Risk, and 5, Operational Risk Tools - Categorisation). 7.2.1 Event description and type Risk is about cause. So, operational risks should be described in causal language, with words such as ‘failure of...’, ‘lack of...’, ‘inadequate...’, ‘ineffective...’, and ‘inability to...’. Events are the manifestation of a risk materialising. Only true environmental or other events outside the control of the firm – such as fire or a natural hazard such as flood or earthquake – can acceptably be described as risk events with no other qualifying causal word. A major issue for effective operational risk management is for firms to decide on the taxonomy of risk events they use, and the level of detail which they wish to use in recording events, near misses and gains or offsets. A balance has to be struck between a level of detail which aids operational risk management and too great a level of granularity, which may confuse and which will probably lead to errors in reporting and loss categorisation. Another aspect of deciding on the level of detail is the fact that this event taxonomy must be consistent and understandable, especially in the operational risk management framework, but also more widely across the firm. As set out in earlier chapters of this Workbook (notably Chapters 2 and 5) the following are the main operational risk event types detailed for firms monitored by regulations under the Basel Capital Accord (for banks) and the Solvency II Directive (for EU insurers). BASEL II SOLVENCY II Internal fraud. Intentional misconduct (internal fraud). External fraud. Unauthorised activities by external parties (external fraud). Employment practices and workplace safety. Employment practices and workplace safety. Clients, product and business practices. Clients, product and business practices. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 7/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.2 Describe the attributes of event data and their use BASEL II SOLVENCY II Damage to physical assets. External events that cause damage to physical assets. Business disruption and system failures. Business disruption and system failures. Execution, delivery and process management. Business process risks. In each case, the regulatory text provides more granularity by giving lower levels and examples of risks which relate to each of the main categories. So that, for instance, employment practices and workplace safety, at the next level down, are divided into: Employee relations. Safe environment. Diversity and discrimination. Each of these is further sub-divided at a further level. In the case of employee relations: Harassment. Terminations, including tribunals. Industrial activity. Management. Loss of key personnel. As set out in Chapter 4, firms subject to these regulations may well have their own operational risk event taxonomy, but are also required to map their event categories to the relevant regulatory event category. The issue for firms is that they should create a taxonomy which does not slavishly follow the regulatory template. They should identify their own risks which are clearly understood and experienced by the business in its day to day activity. There is no point handing out an event taxonomy which the business does not recognise as reflecting the risks it runs. There is also a balance to be struck between being too high level – reporting only at level 1 as in the table above – or going into too granular a level of detail, which will discourage risk reporting and understanding. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 8/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.2 Describe the attributes of event data and their use The other important point is that the risk event taxonomy should be clear and consistent across the business. Unless that happens, it becomes impossible to aggregate and report the results so that they are useful for business line management as well as to the governing body and result in action. The final point about event taxonomies is that they concern events, rather than the causes of those events which, as indicated in the first sentence of this section, form the real basis of operational risk management as a discipline. 7.2.2 Amount The amount of a loss is easy to assess when the consequences of an event are financial, quantifiable and are debited to the profit and loss account. In the classification given at 7.1.1 above, these are ‘direct events’. As we have seen, some events are ‘indirect and may be difficult to quantify to any precision’. Again, it is for management to decide whether the costs of these indirect aspects are to be attributed to the event. As well as these uncertainties, there are two other considerations relating to amount. The first involves losses in a currency other than the home currency. These have to be converted to whatever is the reporting currency of the firm. However, a decision has to be made whether the currency rate at the time they are accounted for should remain as the cost of the loss, or whether they should be revalued at each accounting period. This becomes especially important where there are later recoveries. The second consideration concerns events which are made up of similar events, triggered by a single of similar causes, over a period of time, so-called ‘multiple events’. Good examples are ‘rogue trader’ events, including those which made international news, such as those involving Nick Leeson at Barings (1995), John Rusnak at Allfirst (2002) and Jérôme Kerviel at Société Générale (2008). In each case, their unauthorised trading involved numerous transactions over a period of years. It is again for management to decide whether the cumulative amount should be recorded as a single loss, because it reflects the same fundamental cause, the unauthorised and undetected trading of a single individual, or whether to record each individual event. This decision can have a considerable impact on assessments of operational risk exposure and the capital that is required against the exposure. If multiple events occur in different parts of a firm, it is important that they are aggregated so that lessons can be learned and common mitigants and controls can be implemented. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 9/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.2.3 Dates On the face of it, the date of an event is the date on which it occurs. In general, that will be true. However, in some cases it is difficult to be certain about the date of occurrence, particularly if a period of time elapses between the event and its detection. In many cases, the simplest date to record is the date of detection. A number of firm’s track both, as understanding how quickly events are discovered after occurrence can provide useful insight into the firm’s control environment. Similarly, an event may be identified in one accounting period yet actually have occurred in a previous accounting period. While it is unlikely that a retrospective adjustment will be made to the firm’s accounts, it is nevertheless important to record the event date for operational risk management purposes. It can also be true that an event starts on one date but continues for a period of time. An example is Payment Protection Insurance (PPI) mis- selling by banks in the UK, which dates back to the early 1990s, against which banks have been paying out compensation amounting to billions of pounds sterling since 2006, and continue to do so as claims are made against them. Or, as seen in section 7.2.2 above, in the case of rogue traders, multiple events with a common cause occur over a period of time. In either case, should the recorded date be the start date or the end date? The reason why this matters is that one of the core assessments made about operational loss events is their impact and their frequency or likelihood. Decisions about dates have a considerable effect on estimates of frequency or likelihood. 7.2.4 Recoveries It is often the case with operational risk events that, although a loss is incurred on the date the event occurred, recoveries are made later. This may be, for example, because an insurance policy claim proves to be successful. When a recovery is made, it is important to continue to record the original loss as well as the net loss following the recovery, since the original loss is the true amount which was lost as a result of the operational risk failure. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 10/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.2.5 Business entity In a group of companies, the name of the entity involved should be recorded so that its losses can be analysed separately. This may not be as simple as it seems, since it is possible in some groups for a transaction to be undertaken in one entity, a loss detected in another and the loss actually booked in a third. This may be an extreme case, but the main point of recording risk events is to undertake causal analysis, so that the entity which caused the event should be clearly identified. Furthermore, a clear understanding of which entity the event belongs to is also useful for trend analysis and peer to peer comparison. Learning activity Consider why knowledge of the business entity is important when analysing losses and describe what the limitations of the analysis would be without this information. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 11/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.2.6 Business activity For the same reason, it is important to identify the business activity in which the event actually happened. Activities can transcend geographical or company boundaries, so that a failure in one jurisdiction could point to similar failures in other jurisdictions or companies which undertake the same activity. Organisations will have their own descriptions of business activity. However, those regulated under the Basel Capital Accord are required to map their activities under the following headings: Basel II Business lines Level 1 Level 2 Examples of activity groups Corporate Finance Municipal/ Government finance Mergers and acquisitions, underwriting, privatisations, securitisation, research, debt (government, Corporate Finance high yield), equity, syndications, IPO, secondary private placements. Merchant banking Advisory services Sales Market making Fixed income, equity, foreign exchanges, commodities, credit, funding, own position securities, Trading & sales lending and repos, brokerage, debt, prime brokerage. Proprietary positions Treasury https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 12/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.2.6 Business activity Level 1 Level 2 Examples of activity groups Retail banking Retail lending and deposits, banking services, trust and estates. Private banking Retail banking Private lending and deposits, banking services, trust and estates, investment advice. Merchant/commercial/corporate cards, private labels and retail. Private banking Commercial Project finance, real estate, export finance, trade finance, factoring, leasing, lends, guarantees, Commercial banking banking bills of exchange. Payment and External clients Payments and collections, funds transfer, clearing and settlement. settlement Escrow, depository receipts, securities lending (customers) corporate actions. Custody Issuer and paying agents. Agency services Corporate agency Corporate trust services https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 13/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.2.6 Business activity Level 1 Level 2 Examples of activity groups Discretionary fund Pooled, segregated, retail, institutional, closed, open, private equity. management Asset management Pooled, segregated, retail, institutional, closed, open. Non-discretionary fund management Retail brokerage Retail brokerage Execution and full service. In the case of Solvency 2, for EU insurers, the standard capital requirement for operational risk is based on the premiums and provisions divided in to the following types of insurance business: Health, Similar to Life Techniques (SLT) Health, non-SLT Life Non-life 7.2.7 Geographic location It is important also to record the geographical location of an event, since it may be that there is a particular control weakness, a different legal framework or a cultural difference which explains the cause of the failure. And, of course, there are other attributes of a location which can cause an event to occur, whether it is meteorological (e.g. hurricanes or typhoons), geological (earthquakes) or technological (the fragility of a location’s infrastructure). All are part of operational risk management and may well be peculiar to a particular location. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 14/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.2.8 Event description The main point of recording event data attributes is because they aid causal analysis. While an event type (see 7.2.1 above) is a helpful start- point, it does not tell the reader much about the cause or causes of an event. It is therefore important that a description, even a brief description, is added to focus management’s attention to the cause. Since a key component of risk management is getting information to where it is needed as quickly as possible, it is more important to provide a brief description immediately, than wait until a detailed description is available. That can come later, depending on the scale and nature of the event. Workplace reflection When your firm reports operational risk events, does it include all the elements included in this section? In particular, how does it handle the problems identified regarding amount and date? Learning activity Use press reports to find 10 examples of operational risk events and near miss events relevant to your industry. Be sure you understand the difference between the two types of event and the importance of capturing the elements included within this section. Consider in each instance what further information you would have liked to see to fully understand cause of the event. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 15/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.3 Explain the importance of root cause analysis In section 7.2, the various attributes of risk events were considered. However, the most important attribute to be recorded is the cause (or causes) of the risk event having occurred. Understanding the cause or causes of an event enables an analysis of whether controls or mitigants have failed and whether it is necessary to reassess risk exposure in the light of the events having occurred. In the case of operational risk, the risks can be categorised by the four root causes identified in the Basel II definition of operational risk (see Chapter 1, Fundamentals of Operational Risk): Failure of people. Failure of processes. Failure of systems. External events. The firm’s internal operating environment can also be a root cause. The internal environment is reflected in strategic business decisions, such as mergers or acquisitions, or in the risk culture and behaviours of the organisation. Failures which result from poor strategic business decisions or a poor risk culture, such as those involving conduct risk, are fundamentally failures of people and so fall within the basic root causes of operational risk. Identifying events and their costs and other impacts is a fundamental part of operational risk management and is the foundation for measuring operational risk exposure. There is little business benefit, however, in simply identifying events and their impacts unless there is also an analysis and understanding of why the event occurred. Root cause analysis is primarily interested in identifying control failure. It could be that either preventative controls or detective controls have failed. Whatever the cause, the analysis allows management to make an assessment and decide on an action plan. It may be that an event is triggered by a number of causes or control failures, just as an event can result in a number of different impacts. As an example, incorrect data could be the result of: Human error (people). Failure or lack of a control when data are input (process). Incompatibility of two systems (systems). Failure of an IT provider (external). However, it is also true that a single control may also control a number of different risks, so that understanding the cause of one risk event may help us to understand the likelihood of other risk events occurring and to develop risk indicators. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 16/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.3 Explain the importance of root cause analysis Causal analysis also enables management to assess the benefits of increasing controls, depending on the likely costs which might be saved. Risk management is about learning and continuous improvement. Causal analysis is a good way of supporting that effort. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 17/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.4 Describe the role and implication of thresholds in relation to reporting event data The Basel Committee has suggested a minimum loss threshold for banks of €10,000, but this is not mandatory. Many banks aim to report to a lower threshold and some claim to report all operational risk events down to zero. The decision for management will reflect the size of the firm and is one of cost/benefit, recognising the time and cost involved in reporting events of limited materiality which are likely to be within acceptable levels. There is also the issue, with a low threshold, of the difficulty and cost of reconciling losses to accounting ledger records to ensure their accuracy. Most ledgers will include a huge number of debit items, only a very few of which relate to an operational loss. Since reporting operational risk losses is generally a manual exercise, considerable cost can be spent in identifying and reporting very small losses. However, small losses, though they may each have a small impact in terms of loss, may point to a control failure which could lead to a much larger loss being sustained, sooner or later. Setting a relatively high reporting threshold, so that small losses are not reported, can encourage a culture which does not take risk management seriously and will also affect the quality of operational risk modelling. Setting a reporting threshold is therefore a significant issue and one which should be considered fully by senior management and the governing body. Thresholds should be reasonable and ensure they do not exclude loss event data that is material to the firm. In considering reporting thresholds, there are likely to be two levels: A ‘per event’ limit, and An aggregate over a period of time, say three or 12 months. In addition, escalation thresholds may be set which, when breached, ensure that the event is immediately reported to more senior levels of management and becomes the subject of thorough root cause analysis. These thresholds may be quantitative (financial or numeric) or qualitative, such as when an event causes significant disruption to service or affects a significant number of customers. Timely reporting is critical to data integrity and it is common to include timescales by when significant events are reported and escalated. Workplace reflection What reporting threshold does your firm use to decide whether to report events? If it does have a https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 18/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.5 Describe issues, roles and responsibilities in relation to reporting event data 7.5.1 Regulatory reporting requirements Reporting of loss events is also a regulatory requirement for banks and insurers. The Basel Committee on Banking Supervision’s Principles for the Sound Management of Operational Risk (2011). Principle 8, states: “Senior management should implement a process to regularly monitor operational risk profiles and material exposure to losses.” Similarly, for insurers, the European Insurance and Occupational Pensions Authority’s Guidelines on Systems and Governance (2014), Section 1.56, states: “The undertaking should have processes to identify, analyse and report on operational risk events. For this purpose, it should establish a process for collecting and monitoring operational risk events.” https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 19/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.5.2 Aims of reporting event data The aims of reporting operational risk events are: Completeness. Accuracy. Timeliness. Completeness, as has been indicated, is determined by a firm’s policy in relation to reporting thresholds (see section 7.4 above), as well as the culture of the firm. In a healthy risk culture, which wishes to continually improve its business, reporting events is part of an environment of learning, rather than of blame. It is unlikely that all operational risk events will be reported, even in a firm which has a zero loss threshold for reporting, but firms may nevertheless institute an attestation regime under which the first line of defence confirms that all reportable events have, in fact, been reported accurately and appropriately in accordance with policy. Whilst accuracy can be verified by reconciling reported events to accounting records, this is not possible if an event has not been reported in the first place. Some sources may indicate whether events are probably being reported, such as: Reviewing associated risk information in the form of risk, compliance or audit information. Identifying inconsistencies across business lines. Comparing external event data. Timeliness of reporting is critical if action is to be taken and future risk exposure prevented or reduced. There are a number of ways by which operational risk events are reported. Many organisations use an intranet reporting system. The question then is who is authorised to report an event? https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 20/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.5.3 Roles and responsibilities for reporting of event data Often, it is the person who detects a loss who is authorised to report to the central operational risk record, whatever their level in the organisation. In other cases, the person who detects the loss may be required to report to the department which originated the loss. It is then their responsibility to report. This, however, can lead to delay in a loss being reported, and potential for failure to report losses to avoid any perceived blame. In either case, some organisations require that a copy of the report should be sent to the originating department’s manager for validation and confirmation of the details of the report. While this should mean that reports are fuller and more accurate, it can discourage whistle-blowing. For this reason, some firms allow anonymous reporting. In a healthy risk culture this should not be necessary, but it should ensure that important risks are identified and dealt with speedily. In other cases, it is for the professionals involved in the management of operational risk or leader in a department to make the report. This has the advantage of reports being more consistent and probably more relevant, since a specialist operational risk executive will have been trained to understand the elements of an operational loss failure and the processes surrounding it. The disadvantage of this approach is that it may lead to a delay in reporting, so that management action is also delayed and the effects of a failure may be exacerbated. Finally, there may be instances where normal protocols are not followed, for instance in cases of ‘whistleblowing’ or for legal reasons which involve especially sensitive information and potential litigation. In these circumstances the recording and closure of loss events must still occur and procedures continue to be followed, though it is accepted that some discretion can be shown with regard to the capture of event details. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 21/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.6 Explain the uses and limitations of internal event data 7.6.1 Risk and control self-assessments (RCSAs) Please refer back to Chapter 5 for more detail on risk and control self-assessments. Losses and event data, through root cause analysis, will point to control failures and the performance of controls. They are, therefore, an excellent way of challenging the scoring for the design and performance of controls or the lack of appropriate controls. Losses and event data are also useful for challenging both impact and likelihood assessments. In the case of impact, past events may point to either overly optimistic or overly pessimistic assessments. Similarly with likelihood. Historic frequency data can be used to challenge likelihood assessments, especially where a more optimistic assessment has been made on the basis that past experience has been ‘bad luck’. ‘Once in a lifetime’ events have a nasty habit of occurring more than once in a lifetime. RCSAs involve subjective judgements in assessing likelihood and impact. They are, therefore, subject to cognitive biases (see section 8.7). One way of countering bias, making assessments more objective and of validating the outcomes of RCSAs, is to use historical loss data, which will show distributions of both frequency and the impact of operational risk loss events and so improve assessments. Using loss event data in this way underlines the benefit of causal analysis and raises its awareness. 7.6.2 Scenarios Scenarios assess a firm’s ‘potential vulnerability to exceptional but plausible events’. In other words, ‘the nastiest event you can imagine without being unrealistic’. As with RCSAs, operational risk loss data can validate the results of scenario outcomes by challenging estimates of likelihood and impact. The data can also counteract anchoring bias, in which assessments may be influenced by the nature of the question being asked. Once a maximum impact has been identified from loss data, this can become a new anchor point for imagining exceptional outcomes of events. Given that scenarios relate to multiple events occurring over time, event data can provide a basis for assessing scenario outcomes. Scenarios are discussed in more detail in Chapter 8. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 22/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.6.3 Risk and control indicators Please refer back to Chapter 6 for more detail on risk and control indicators. Event data can also validate indicators. If an indicator suggests that a preventative control is starting to fail or a risk is more likely to happen, it is probable that an event will occur, which should eventually show up in the loss event data. If it does not, it is worth reviewing the indicator to assess whether it is in fact a reliable risk indicator. Events and losses can also be used to validate detective control indicators. The scale of events and losses is a guide to how well the detective control indicators are performing and how effective are the targets and thresholds which have been set for those indicators. As indicators themselves, losses can be used by individual amount, by aggregated amount over a period or simply by number over a period. They can also form the basis for deciding on appropriate appetite and indicator thresholds. 7.6.4 Risk modelling Loss events are the essential building blocks for operational risk modelling and capital calibrations, whether they are used for severity or frequency assessments. Near miss data, if it is captured, can also inform frequency estimates. However, loss data has its limitations, as outlined above: Losses have to be actively reported by someone and so will often be incomplete and may not be consistently categorised. Currency rates change over time so that impacts may have to be re-assessed, unless they are re-calibrated by the system. Assessments of indirect impacts may not be consistent. As a result of causal analysis, control failures may have been rectified, so that past performance is not a reliable guide to the future. In any case, since the internal and external environment of a firm is constantly changing, past performance is not a reliable guide to the future. Given that some events, such as bank mis-selling of insurance and other products, have a long duration and are by necessity kept 'open', a problem for modelling is how to treat open events, both as to their amount and their duration. Management has to decide how long 'open' events are kept open. Modelling over a 12-month time horizon for capital purposes ignores the fact that some significant operational loss events last a number of years from detection to final closure. In addition, loss data, of itself, can only represent ‘expected’ outcomes and so, in modelling, needs to be supplemented by external data and scenario analysis. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 23/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.6.4 Risk modelling 7.6.5 Accounting treatment Pending losses with a definitive financial impact, meeting relevant accounting standard definitions, may require a provision to be raised in financial accounts. Furthermore, assigning loss events to appropriate business units can help to identify to which cost centre the loss amount belongs. 7.6.6 Risk appetite Please refer back to Chapter 3 for more detail on risk appetite. Understanding event data provides a useful basis for deciding on risk appetite as well as either challenging or validating targets or triggers relating to risk appetite. Reviewing the previous 12 months’ loss data can enable assessment of a ‘mean’ (or average) which can then be adopted as the threshold for moving from Green/acceptable to Amber/tolerable on the basis that level represents a variation from the norm. Similarly, the worst recorded position could suggest a level from Amber/tolerable to Red/unacceptable, especially if action had been taken to reduce exposure to below that level. Loss data can also be used to monitor actual experience against expected or desired levels. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 24/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing Other uses Action plans: Reporting and analysing the causes of operational loss events is essential for designing and implementing action plans to make sure a risk does not occur again and to improve operational risk management. Training and awareness: Risk event data, when collated and analysed, provides valuable insights which can then form the basis of training and awareness for staff. Those insights include understanding control failures, the costs of events themselves and the costs of remediating them. They also provide evidence that an event in one part of the business could occur in another. Collating and using small events can also provide valuable lessons about the potential aggregated impact of exposures. Finally, root cause analysis provides examples of why an event happened and helps firms to review and strengthen the control environment. External reporting: Risk event data may be reported to the regulator on either an ad hoc or regular basis. The specific requirements for this may vary from regulator to regulator, however, this is often based on the event types standards described in section 7.2.1 and business line standards in section 7.2.7. Firms may choose to become part of a data sharing consortium (discussed further in section 7.7.2). Where this is the case data will also be reported externally to the relevant organisation in line with their prescribed requirements. 7.6.8 Limitations Unlike financial risk events, operational risk events do not lend themselves easily to being identified and reported directly from the organisation's accounting or management information systems. They generally have to be reported by individuals, so it is likely that not all events will be captured. Actual losses may well be reported, but may still be incomplete; near misses are reported less frequently and gains may be rarely reported at all. As a result, the limitations of incomplete event data should be acknowledged and understood when the data is used for calculating operational risk exposure or capital. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 25/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.7 Describe the benefits and limitations of sources of external loss event data 7.7.1 Media reports, social media and public data Some events are so sizeable, or of such consequence, that they are reported in the media. They can range from pandemics (for example, Ebola in West Africa, 2014), natural disasters such as earthquakes or hurricanes (Hurricane Katrina, 2005), man-made disasters (Deepwater Horizon oil well, Gulf of Mexico, 2010), civil disturbances and wars, or corporate risk events (Banking Crisis, 2008-10; product mis-selling by UK banks; LIBOR and FX market rigging). Since individual firms suffer few – if any – major risk events, media reporting can be helpful in understanding the scale of risk to which a firm may be exposed. If events are well-reported, they can provide helpful causal analysis which can inform firms in reviewing their controls, their likely exposure to such events and their business continuity plans. They can also be useful in testing assumptions made in firms’ scenario analyses and assessments. However, press and media reports are often incomplete or biased and should thus be treated with caution in terms of drawing conclusions about the relevance of the reported event for the firm. The increasing use of social media may provide a further source for data. This is often more ‘real time’ and detailed than published media articles and may provide further insight into the event itself and causal information. Caution must be applied when using social media as contents are often not validated and can be based on hearsay. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 26/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.7.2 Competitors’ internal losses and consortia databases A number of firms subscribe to databases which provide information of large risk events which members have suffered, mostly below the level of the more headline-grabbing events. Most of such databases provide a brief causal analysis of the event, so that other members can compare their own experiences and the assumptions they have used in their own risk and self-control assessments and scenarios. However, it is difficult to make a direct comparison with another firm’s experience due to differences in that firm’s risk culture, strategy and control environment. Apart from the usual problem of data completeness which affects all risk event reporting, firms may also well be precluded, for legal reasons, from divulging the costs of settlements. In addition, given different classification approaches, different collection thresholds and practices, different stages in data collection maturity and different regulatory requirements in different jurisdictions – in spite of the best efforts of the members and the consortia themselves – the data quality will be variable. External data is useful in understanding events which are unlikely to have occurred in an individual firm, but the data should be used with a clear understanding of its limitations. 7.8 Explain the uses of external loss event data The uses of external loss event data are similar to those outlined in section 8.7 above. However, some additional points should be made: 7.8.1 Scenarios External data is a useful input to creating realistic scenarios since it will generally reflect events which have not been experienced by an individual firm. These events are also useful to highlight or understand new or emerging risks which can then be included in scenarios. To be most useful in scenarios, external data reports should provide: The background to the event. Information about the governance and control structures in which the event occurred. The manner in which the event unfolded. The aftermath of the event – the consequences, management of the event and any remedial action taken by the firm. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 27/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.8 Explain the uses of external loss event data 7.8.2 Benchmarking Experience of peer organisations in relation to similar risk events enables firms to benchmark their own severity and frequency assessments. External event data may also identify consequences, such as settlement costs, regulatory fines and penalties, ratings downgrades or reputational damage, which may not or may not fully have been considered. External data can also be used by firms to benchmark their own internal reporting processes and the quality of information which they provide to management. If external data is detailed enough, it may also be possible to benchmark the time taken from an incident to occur and its detection. From all of these, useful lessons can be learnt. 7.8.3 Risk identification Risk identification is considered in Chapter 5. In considering risk identification, it is tempting to rely on events which have already happened or are in the firm’s risk register. External events provide a different perspective and, if they are accompanied by some form of causal analysis, prompt a reappraisal and prioritisation of risks. 7.8.4 New product analysis External events and competitors’ experiences are important when bringing a new product to market. This is particularly true where the product is being launched in a new geographical market or is an entirely new product for the firm. This information will supplement management understanding of the nature and quantum of risks associated with the new product, and helps to produce a more informed business case. It will also help to develop a framework of mitigating controls and indicators to ensure that the risks are contained within the firm’s risk appetite. So far as possible, external data relating to the new product should be sought which covers the whole of an economic cycle. A rising market may otherwise mask risks which manifest themselves when the economic cycle deteriorates. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 28/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing 7.8.5 Setting risk appetite Information about competitors’ experience is a useful test of a firm’s risk appetite in that it may reveal possible risks which could take a product outside that appetite. The information is also helpful for firms in considering their own risk appetite. 7.8.6 Risk education and awareness External data provides information which is not available from internal sources and so extends a firm’s understanding and awareness of possible risks. This in turn will aid training in alerting staff to risks, to appropriate warning signs for those risks and how they may best be mitigated. Workplace reflection Does your firm use external data in all the ways identified in this section? If so, how does it ensure that external data is relevant to your firm? Summary Events and losses are the basic building blocks for reporting, analysing and managing operational risk. Their impact forms the basis for modelling and understanding the financial consequence of operational risks materialising. Events also inform other process such as risk and control assessments, risk indicators and scenario analysis as well as operational risk modelling. As is explained in the chapter, ensuring consistent identification and reporting of events is important for events to fulfil these functions, however, it is not easy. Differences can arise in ascribing event categories, the amount of an event's impact, or even its date. So clarity and consistency across the firm about the attributes of an event is vital. And there is a trade-off between recording and reporting events down to the tiniest amount of granularity and being able to turn them into useful management information which will lead to action. Events, in themselves, are not enough for effective operational risk management. Their cause or causes must be analysed. Again, a decision has to be made as to how far back to identify a root cause. But cause is what we manage when we seek to manage operational risk successfully. Recording events without their causes is a sterile exercise which will not provide business benefit. https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 29/30 7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing Key learning You will be ready to move to the next chapter when you can confidently answer the following questions: 1. How does a near miss event differ from a loss? 2. In what situation could a risk event result in a gain? 3. What is the difference between direct and indirect losses? 4. What key information should a firm record in relation to risk events? 5. Why is it important to undertake root cause analysis of risk events? 6. What should a firm consider when setting a risk event data collection threshold? 7. How can risk event data be used to validate RCSAs? 8. What else can risk event data be used for? 9. Who should be responsible for reporting a risk event? 10. What is external loss event data and where can this be obtained? 11. Why would a firm consider obtaining external loss event data? https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 30/30

Use Quizgecko on...
Browser
Browser