Chapter 7 Back Up Book for Printing.pdf

Transcript

7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

Chapter 7 Back Up Book for Printing

Chapter 7: Operational Risk Tools – Events and Losses

Learning outcomes and assessment criteria

7. Understand the role of events and losses in the management of operational risk.

7.1 Differentiate between the types of events.

7.2 Describe the attributes of event data and their use.

7.3 Explain the importance of root cause analysis.

7.4 Describe the role and implication of thresholds in relation to reporting event data.

7.5 Describe issues, roles and responsibilities in relation to reporting event data.

7.6 Explain the uses and limitations of internal event data.

7.7 Describe the benefits and limitations of sources of external loss event data.

7.8 Explain the uses of external loss event data.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 1/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

Key themes

The key themes of this chapter are as follows:

The different types of risk events including loss events, near misses and gains/offsets.
The attributes of event data.
Root cause analysis.
Issues and parties involved in reporting event data.
Sources of external loss event data.
The uses, benefits and limitations of internal and external events data.

Introduction to Chapter 7

Events and losses are a fundamental part of operational risk management because they are the evidence or manifestation that an operational
risk event has materialised.

Loss events are the quantitative building blocks with which to model operational risk capital and to validate other operational risk tools such
as risk and control self-assessment and scenario analysis. They may also, either in their size or number, be useful risk indicators, especially in
relation to monitoring risk appetite and tolerance. Whilst past events do not provide a guide to future risk exposure, recording and analysing
these events provides opportunities for both learning and risk mitigation.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 2/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.1 Differentiate between the types of events

7.1.1 Direct and indirect events

A direct risk event is one which results in a direct impact as a result of an operational risk failure. As an example, in the case of product mis-
selling, it could be:

The need for customer compensation.
The cost of a regulatory fine.
The direct costs involved in any investigation.

Other direct event impacts include:

Loss of income relating to transaction fees, direct fees, commissions or interest.
Reduction in the value of assets.
Loss of assets or cash through unenforceable contracts.
Loss of assets as a result of fire or theft.

Direct event impacts are quantifiable and identifiable in the profit and loss account.

An indirect risk event is an event which is ancillary to a direct event. In a product mis-selling case, it could be reputational damage to the
firm’s business due to the mis-selling, with all the long-term costs that come with that, including the loss of future business.

Other indirect event impacts include:

Failure to reach expected or desired levels of customer service.
Costs incurred in any official investigation of an event – such as accommodation costs of staff or others involved in the investigation.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 3/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.1.3 Near misses

There is no standard definition of what constitutes a ‘near miss’. The definition will be different from firm to firm, as will the way they are
reported and treated. Here are a few examples of some generally accepted definitions of a ‘near miss’:

1. An event happened but it did not result in a loss because of fortuitous circumstances.
2. An event would have occurred had the final preventative control not operated successfully. No loss has occurred, but analysis is
required to understand which intermediate controls did not operate as they should.
3. A situation which would have led to one or more operational risk events if it had not been detected by an additional, non-systematic
control.

An example of the first definition is where a payment is made, which is either for the wrong amount or is sent to the wrong counterparty. The
recipient notices the error and arranges for the payment to be reversed and corrected. However, the causes should nevertheless be
investigated to see why the process and controls failed in the first place.

In the third case above, management will consider whether additional controls should be built into the process. In both the first and third
examples no financial loss is suffered, but there is the potential for financial losses to be incurred.

Near misses are as valuable as loss events in analysing whether controls have failed to perform as they should, or whether appropriate
controls were not in place.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 4/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.1.4 Gains and offsets

Operational risk events do not necessarily result in losses. In some cases, there is no financial loss, even where there has been an event or
control failure, such as in the case of near misses above.

In other cases, there may even be a gain or offset. On the trading floor, a ‘fat finger’ error by a trader – buying when they should have sold or
vice-versa, or buying 1,000,000 of a currency rather than 100,000 – could result in either a loss or a gain, depending on the movements in
markets between the time of the original error and its discovery and reversal. In fact, given the volatility of markets, errors of this sort are
equally likely to generate a gain as a loss. However, the gains are frequently not reported as errors and instead add to the trader’s profits,
whereas losses are more likely to be reported.

Operational risk management is not, therefore, solely concerned with losses. It concerns the causes of events, whatever their outcome.

Another example concerns offsets. At their simplest they involve recoveries, perhaps through a successful insurance claim or the recovery of
an amount which was mistakenly paid to a third party. In other cases, they may involve a fortuitous outcome. If, for example, the IT system
goes down and a trader is unable to close her position until, perhaps, the following day, it may be that the result is a gain. This could be offset
against other losses incurred by the IT system failure, whether direct or indirect.

Offsets and gains should be either recorded and reported as separate events, so that the true cost of the failure can be assessed; or at least
noted against the record of any associated loss event, without corrupting the gross loss.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 5/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.1.5 Boundary risk events

Another important concept when dealing with risk events is that of boundary risk. A firm must be able to distinguish between operational risk
events and those caused by other risk types, most notably Credit, Liquidity, Market and Insurance (See section 1.1 for definitions).

On occasion it is likely that losses within other risk types will occur which have been caused by an underlying operational failing. For example,
a credit risk loss which arises as a result of an operational risk event e.g. a mortgage customer is repossessed at a loss (a credit risk) however,
it is discovered the loan was outside credit policy and granted as a result of human error (operational risk). In such instances the loss will be
recorded as credit for measurement purposes, but earmarked as operational for lessons learnt and management purposes.

Market, Liquidity and Insurance risk losses are generally treated and recorded as operational risk events. See section 1.3 for further discussion.

Workplace reflection

When your firm identifies the loss or impact of an operational risk event, to what extent does it include indirect costs? How does your firm
treat 'near misses'? Does it collect and analyse 'gains'?

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 6/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.2 Describe the attributes of event data and their use

This section aims to build on concepts introduced earlier in the Workbook but in particular in Chapters 2, The Regulatory Treatment of
Operational Risk, and 5, Operational Risk Tools - Categorisation).

7.2.1 Event description and type

Risk is about cause. So, operational risks should be described in causal language, with words such as ‘failure of...’, ‘lack of...’, ‘inadequate...’,
‘ineffective...’, and ‘inability to...’. Events are the manifestation of a risk materialising. Only true environmental or other events outside the
control of the firm – such as fire or a natural hazard such as flood or earthquake – can acceptably be described as risk events with no other
qualifying causal word.

A major issue for effective operational risk management is for firms to decide on the taxonomy of risk events they use, and the level of detail
which they wish to use in recording events, near misses and gains or offsets. A balance has to be struck between a level of detail which aids
operational risk management and too great a level of granularity, which may confuse and which will probably lead to errors in reporting and
loss categorisation. Another aspect of deciding on the level of detail is the fact that this event taxonomy must be consistent and
understandable, especially in the operational risk management framework, but also more widely across the firm.

As set out in earlier chapters of this Workbook (notably Chapters 2 and 5) the following are the main operational risk event types detailed for
firms monitored by regulations under the Basel Capital Accord (for banks) and the Solvency II Directive (for EU insurers).

BASEL II SOLVENCY II
Internal fraud. Intentional misconduct (internal fraud).

External fraud. Unauthorised activities by external parties (external fraud).

Employment practices and workplace safety. Employment practices and workplace safety.

Clients, product and business practices. Clients, product and business practices.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 7/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.2 Describe the attributes of event data and their use
BASEL II SOLVENCY II
Damage to physical assets. External events that cause damage to physical assets.

Business disruption and system failures. Business disruption and system failures.

Execution, delivery and process management. Business process risks.

In each case, the regulatory text provides more granularity by giving lower levels and examples of risks which relate to each of the main
categories. So that, for instance, employment practices and workplace safety, at the next level down, are divided into:

Employee relations.
Safe environment.
Diversity and discrimination.

Each of these is further sub-divided at a further level. In the case of employee relations:

Harassment.
Terminations, including tribunals.
Industrial activity.
Management.
Loss of key personnel.

As set out in Chapter 4, firms subject to these regulations may well have their own operational risk event taxonomy, but are also required to
map their event categories to the relevant regulatory event category.

The issue for firms is that they should create a taxonomy which does not slavishly follow the regulatory template. They should identify their
own risks which are clearly understood and experienced by the business in its day to day activity. There is no point handing out an event
taxonomy which the business does not recognise as reflecting the risks it runs. There is also a balance to be struck between being too high
level – reporting only at level 1 as in the table above – or going into too granular a level of detail, which will discourage risk reporting and
understanding.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 8/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.2 Describe the attributes of event data and their use
The other important point is that the risk event taxonomy should be clear and consistent across the business. Unless that happens, it becomes
impossible to aggregate and report the results so that they are useful for business line management as well as to the governing body and
result in action.

The final point about event taxonomies is that they concern events, rather than the causes of those events which, as indicated in the first
sentence of this section, form the real basis of operational risk management as a discipline.

7.2.2 Amount

The amount of a loss is easy to assess when the consequences of an event are financial, quantifiable and are debited to the profit and loss
account. In the classification given at 7.1.1 above, these are ‘direct events’. As we have seen, some events are ‘indirect and may be difficult to
quantify to any precision’. Again, it is for management to decide whether the costs of these indirect aspects are to be attributed to the event.

As well as these uncertainties, there are two other considerations relating to amount. The first involves losses in a currency other than the
home currency. These have to be converted to whatever is the reporting currency of the firm. However, a decision has to be made whether the
currency rate at the time they are accounted for should remain as the cost of the loss, or whether they should be revalued at each accounting
period. This becomes especially important where there are later recoveries.

The second consideration concerns events which are made up of similar events, triggered by a single of similar causes, over a period of time,
so-called ‘multiple events’. Good examples are ‘rogue trader’ events, including those which made international news, such as those involving
Nick Leeson at Barings (1995), John Rusnak at Allfirst (2002) and Jérôme Kerviel at Société Générale (2008). In each case, their unauthorised
trading involved numerous transactions over a period of years. It is again for management to decide whether the cumulative amount should
be recorded as a single loss, because it reflects the same fundamental cause, the unauthorised and undetected trading of a single individual,
or whether to record each individual event. This decision can have a considerable impact on assessments of operational risk exposure and the
capital that is required against the exposure.

If multiple events occur in different parts of a firm, it is important that they are aggregated so that lessons can be learned and common
mitigants and controls can be implemented.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 9/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.2.3 Dates

On the face of it, the date of an event is the date on which it occurs. In general, that will be true. However, in some cases it is difficult to be
certain about the date of occurrence, particularly if a period of time elapses between the event and its detection. In many cases, the simplest
date to record is the date of detection. A number of firm’s track both, as understanding how quickly events are discovered after occurrence
can provide useful insight into the firm’s control environment.

Similarly, an event may be identified in one accounting period yet actually have occurred in a previous accounting period. While it is unlikely
that a retrospective adjustment will be made to the firm’s accounts, it is nevertheless important to record the event date for operational risk
management purposes.

It can also be true that an event starts on one date but continues for a period of time. An example is Payment Protection Insurance (PPI) mis-
selling by banks in the UK, which dates back to the early 1990s, against which banks have been paying out compensation amounting to
billions of pounds sterling since 2006, and continue to do so as claims are made against them. Or, as seen in section 7.2.2 above, in the case
of rogue traders, multiple events with a common cause occur over a period of time. In either case, should the recorded date be the start date
or the end date?

The reason why this matters is that one of the core assessments made about operational loss events is their impact and their frequency or
likelihood. Decisions about dates have a considerable effect on estimates of frequency or likelihood.

7.2.4 Recoveries

It is often the case with operational risk events that, although a loss is incurred on the date the event occurred, recoveries are made later. This
may be, for example, because an insurance policy claim proves to be successful. When a recovery is made, it is important to continue to
record the original loss as well as the net loss following the recovery, since the original loss is the true amount which was lost as a result of the
operational risk failure.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 10/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.2.5 Business entity

In a group of companies, the name of the entity involved should be recorded so that its losses can be analysed separately. This may not be as
simple as it seems, since it is possible in some groups for a transaction to be undertaken in one entity, a loss detected in another and the loss
actually booked in a third. This may be an extreme case, but the main point of recording risk events is to undertake causal analysis, so that the
entity which caused the event should be clearly identified. Furthermore, a clear understanding of which entity the event belongs to is also
useful for trend analysis and peer to peer comparison.

Learning activity

Consider why knowledge of the business entity is important when analysing losses and describe what the limitations of the analysis would be
without this information.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 11/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.2.6 Business activity

For the same reason, it is important to identify the business activity in which the event actually happened. Activities can transcend
geographical or company boundaries, so that a failure in one jurisdiction could point to similar failures in other jurisdictions or companies
which undertake the same activity.

Organisations will have their own descriptions of business activity. However, those regulated under the Basel Capital Accord are required to
map their activities under the following headings:

Basel II Business lines
Level 1 Level 2 Examples of activity groups
Corporate Finance

Municipal/ Government
finance
Mergers and acquisitions, underwriting, privatisations, securitisation, research, debt (government,
Corporate Finance
high yield), equity, syndications, IPO, secondary private placements.
Merchant banking

Advisory services

Sales

Market making
Fixed income, equity, foreign exchanges, commodities, credit, funding, own position securities,
Trading & sales
lending and repos, brokerage, debt, prime brokerage.
Proprietary positions

Treasury

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 12/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.2.6 Business activity
Level 1 Level 2 Examples of activity groups
Retail banking
Retail lending and deposits, banking services, trust and estates.

Private banking
Retail banking Private lending and deposits, banking services, trust and estates, investment advice.

Merchant/commercial/corporate cards, private labels and retail.
Private banking
Commercial Project finance, real estate, export finance, trade finance, factoring, leasing, lends, guarantees,
Commercial banking
banking bills of exchange.
Payment and
External clients Payments and collections, funds transfer, clearing and settlement.
settlement
Escrow, depository receipts, securities lending (customers) corporate actions.
Custody

Issuer and paying agents.

Agency services Corporate agency

Corporate trust services

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 13/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.2.6 Business activity
Level 1 Level 2 Examples of activity groups
Discretionary fund
Pooled, segregated, retail, institutional, closed, open, private equity.
management
Asset
management Pooled, segregated, retail, institutional, closed, open.
Non-discretionary fund
management
Retail brokerage Retail brokerage Execution and full service.

In the case of Solvency 2, for EU insurers, the standard capital requirement for operational risk is based on the premiums and provisions
divided in to the following types of insurance business:

Health, Similar to Life Techniques (SLT)
Health, non-SLT
Life
Non-life

7.2.7 Geographic location

It is important also to record the geographical location of an event, since it may be that there is a particular control weakness, a different legal
framework or a cultural difference which explains the cause of the failure. And, of course, there are other attributes of a location which can
cause an event to occur, whether it is meteorological (e.g. hurricanes or typhoons), geological (earthquakes) or technological (the fragility of a
location’s infrastructure). All are part of operational risk management and may well be peculiar to a particular location.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 14/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.2.8 Event description

The main point of recording event data attributes is because they aid causal analysis. While an event type (see 7.2.1 above) is a helpful start-
point, it does not tell the reader much about the cause or causes of an event. It is therefore important that a description, even a brief
description, is added to focus management’s attention to the cause.

Since a key component of risk management is getting information to where it is needed as quickly as possible, it is more important to provide
a brief description immediately, than wait until a detailed description is available. That can come later, depending on the scale and nature of
the event.

Workplace reflection

When your firm reports operational risk events, does it include all the elements included in this section? In particular, how does it handle the
problems identified regarding amount and date?

Learning activity

Use press reports to find 10 examples of operational risk events and near miss events relevant to your industry. Be sure you understand the
difference between the two types of event and the importance of capturing the elements included within this section. Consider in each
instance what further information you would have liked to see to fully understand cause of the event.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 15/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.3 Explain the importance of root cause analysis

In section 7.2, the various attributes of risk events were considered. However, the most important attribute to be recorded is the cause (or
causes) of the risk event having occurred. Understanding the cause or causes of an event enables an analysis of whether controls or mitigants
have failed and whether it is necessary to reassess risk exposure in the light of the events having occurred.

In the case of operational risk, the risks can be categorised by the four root causes identified in the Basel II definition of operational risk (see
Chapter 1, Fundamentals of Operational Risk):

Failure of people.
Failure of processes.
Failure of systems.
External events.

The firm’s internal operating environment can also be a root cause. The internal environment is reflected in strategic business decisions, such
as mergers or acquisitions, or in the risk culture and behaviours of the organisation. Failures which result from poor strategic business
decisions or a poor risk culture, such as those involving conduct risk, are fundamentally failures of people and so fall within the basic root
causes of operational risk.

Identifying events and their costs and other impacts is a fundamental part of operational risk management and is the foundation for
measuring operational risk exposure. There is little business benefit, however, in simply identifying events and their impacts unless there is
also an analysis and understanding of why the event occurred. Root cause analysis is primarily interested in identifying control failure. It could
be that either preventative controls or detective controls have failed. Whatever the cause, the analysis allows management to make an
assessment and decide on an action plan.

It may be that an event is triggered by a number of causes or control failures, just as an event can result in a number of different impacts. As
an example, incorrect data could be the result of:

Human error (people).

Failure or lack of a control when data are input (process).
Incompatibility of two systems (systems).
Failure of an IT provider (external).

However, it is also true that a single control may also control a number of different risks, so that understanding the cause of one risk event
may help us to understand the likelihood of other risk events occurring and to develop risk indicators.
https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 16/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.3 Explain the importance of root cause analysis
Causal analysis also enables management to assess the benefits of increasing controls, depending on the likely costs which might be saved.

Risk management is about learning and continuous improvement. Causal analysis is a good way of supporting that effort.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 17/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.4 Describe the role and implication of thresholds in relation to reporting event data

The Basel Committee has suggested a minimum loss threshold for banks of €10,000, but this is not mandatory. Many banks aim to report to a
lower threshold and some claim to report all operational risk events down to zero.

The decision for management will reflect the size of the firm and is one of cost/benefit, recognising the time and cost involved in reporting
events of limited materiality which are likely to be within acceptable levels. There is also the issue, with a low threshold, of the difficulty and
cost of reconciling losses to accounting ledger records to ensure their accuracy. Most ledgers will include a huge number of debit items, only
a very few of which relate to an operational loss.

Since reporting operational risk losses is generally a manual exercise, considerable cost can be spent in identifying and reporting very small
losses. However, small losses, though they may each have a small impact in terms of loss, may point to a control failure which could lead to a
much larger loss being sustained, sooner or later.

Setting a relatively high reporting threshold, so that small losses are not reported, can encourage a culture which does not take risk
management seriously and will also affect the quality of operational risk modelling.

Setting a reporting threshold is therefore a significant issue and one which should be considered fully by senior management and the
governing body. Thresholds should be reasonable and ensure they do not exclude loss event data that is material to the firm. In considering
reporting thresholds, there are likely to be two levels:

A ‘per event’ limit, and
An aggregate over a period of time, say three or 12 months.

In addition, escalation thresholds may be set which, when breached, ensure that the event is immediately reported to more senior levels of
management and becomes the subject of thorough root cause analysis. These thresholds may be quantitative (financial or numeric) or
qualitative, such as when an event causes significant disruption to service or affects a significant number of customers.

Timely reporting is critical to data integrity and it is common to include timescales by when significant events are reported and escalated.

Workplace reflection

What reporting threshold does your firm use to decide whether to report events? If it does have a

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 18/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.5 Describe issues, roles and responsibilities in relation to reporting event data

7.5.1 Regulatory reporting requirements

Reporting of loss events is also a regulatory requirement for banks and insurers. The Basel Committee on Banking Supervision’s Principles for
the Sound Management of Operational Risk (2011). Principle 8, states:

“Senior management should implement a process to regularly monitor operational risk profiles and material exposure to losses.”

Similarly, for insurers, the European Insurance and Occupational Pensions Authority’s Guidelines on Systems and Governance (2014), Section
1.56, states:

“The undertaking should have processes to identify, analyse and report on operational risk events. For this purpose, it should establish a
process for collecting and monitoring operational risk events.”

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 19/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.5.2 Aims of reporting event data

The aims of reporting operational risk events are:

Completeness.
Accuracy.
Timeliness.

Completeness, as has been indicated, is determined by a firm’s policy in relation to reporting thresholds (see section 7.4 above), as well as the
culture of the firm. In a healthy risk culture, which wishes to continually improve its business, reporting events is part of an environment of
learning, rather than of blame. It is unlikely that all operational risk events will be reported, even in a firm which has a zero loss threshold for
reporting, but firms may nevertheless institute an attestation regime under which the first line of defence confirms that all reportable events
have, in fact, been reported accurately and appropriately in accordance with policy.

Whilst accuracy can be verified by reconciling reported events to accounting records, this is not possible if an event has not been reported in
the first place. Some sources may indicate whether events are probably being reported, such as:

Reviewing associated risk information in the form of risk, compliance or audit information.
Identifying inconsistencies across business lines.
Comparing external event data.

Timeliness of reporting is critical if action is to be taken and future risk exposure prevented or reduced. There are a number of ways by which
operational risk events are reported. Many organisations use an intranet reporting system.

The question then is who is authorised to report an event?

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 20/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.5.3 Roles and responsibilities for reporting of event data

Often, it is the person who detects a loss who is authorised to report to the central operational risk record, whatever their level in the
organisation. In other cases, the person who detects the loss may be required to report to the department which originated the loss. It is then
their responsibility to report. This, however, can lead to delay in a loss being reported, and potential for failure to report losses to avoid any
perceived blame.

In either case, some organisations require that a copy of the report should be sent to the originating department’s manager for validation and
confirmation of the details of the report. While this should mean that reports are fuller and more accurate, it can discourage whistle-blowing.
For this reason, some firms allow anonymous reporting. In a healthy risk culture this should not be necessary, but it should ensure that
important risks are identified and dealt with speedily.

In other cases, it is for the professionals involved in the management of operational risk or leader in a department to make the report. This has
the advantage of reports being more consistent and probably more relevant, since a specialist operational risk executive will have been
trained to understand the elements of an operational loss failure and the processes surrounding it. The disadvantage of this approach is that it
may lead to a delay in reporting, so that management action is also delayed and the effects of a failure may be exacerbated.

Finally, there may be instances where normal protocols are not followed, for instance in cases of ‘whistleblowing’ or for legal reasons which
involve especially sensitive information and potential litigation. In these circumstances the recording and closure of loss events must still occur
and procedures continue to be followed, though it is accepted that some discretion can be shown with regard to the capture of event details.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 21/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.6 Explain the uses and limitations of internal event data

7.6.1 Risk and control self-assessments (RCSAs)

Please refer back to Chapter 5 for more detail on risk and control self-assessments. Losses and event data, through root cause analysis, will
point to control failures and the performance of controls. They are, therefore, an excellent way of challenging the scoring for the design and
performance of controls or the lack of appropriate controls.

Losses and event data are also useful for challenging both impact and likelihood assessments. In the case of impact, past events may point to
either overly optimistic or overly pessimistic assessments. Similarly with likelihood. Historic frequency data can be used to challenge likelihood
assessments, especially where a more optimistic assessment has been made on the basis that past experience has been ‘bad luck’. ‘Once in a
lifetime’ events have a nasty habit of occurring more than once in a lifetime.

RCSAs involve subjective judgements in assessing likelihood and impact. They are, therefore, subject to cognitive biases (see section 8.7). One
way of countering bias, making assessments more objective and of validating the outcomes of RCSAs, is to use historical loss data, which will
show distributions of both frequency and the impact of operational risk loss events and so improve assessments.

Using loss event data in this way underlines the benefit of causal analysis and raises its awareness.

7.6.2 Scenarios

Scenarios assess a firm’s ‘potential vulnerability to exceptional but plausible events’. In other words, ‘the nastiest event you can imagine
without being unrealistic’.

As with RCSAs, operational risk loss data can validate the results of scenario outcomes by challenging estimates of likelihood and impact. The
data can also counteract anchoring bias, in which assessments may be influenced by the nature of the question being asked. Once a
maximum impact has been identified from loss data, this can become a new anchor point for imagining exceptional outcomes of events.

Given that scenarios relate to multiple events occurring over time, event data can provide a basis for assessing scenario outcomes. Scenarios
are discussed in more detail in Chapter 8.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 22/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.6.3 Risk and control indicators

Please refer back to Chapter 6 for more detail on risk and control indicators. Event data can also validate indicators. If an indicator suggests
that a preventative control is starting to fail or a risk is more likely to happen, it is probable that an event will occur, which should eventually
show up in the loss event data. If it does not, it is worth reviewing the indicator to assess whether it is in fact a reliable risk indicator.

Events and losses can also be used to validate detective control indicators. The scale of events and losses is a guide to how well the detective
control indicators are performing and how effective are the targets and thresholds which have been set for those indicators.

As indicators themselves, losses can be used by individual amount, by aggregated amount over a period or simply by number over a period.
They can also form the basis for deciding on appropriate appetite and indicator thresholds.

7.6.4 Risk modelling

Loss events are the essential building blocks for operational risk modelling and capital calibrations, whether they are used for severity or
frequency assessments. Near miss data, if it is captured, can also inform frequency estimates.

However, loss data has its limitations, as outlined above:

Losses have to be actively reported by someone and so will often be incomplete and may not be consistently categorised.
Currency rates change over time so that impacts may have to be re-assessed, unless they are re-calibrated by the system.
Assessments of indirect impacts may not be consistent.
As a result of causal analysis, control failures may have been rectified, so that past performance is not a reliable guide to the future.
In any case, since the internal and external environment of a firm is constantly changing, past performance is not a reliable guide to the
future.

Given that some events, such as bank mis-selling of insurance and other products, have a long duration and are by necessity kept 'open', a
problem for modelling is how to treat open events, both as to their amount and their duration. Management has to decide how long 'open'
events are kept open. Modelling over a 12-month time horizon for capital purposes ignores the fact that some significant operational loss
events last a number of years from detection to final closure.

In addition, loss data, of itself, can only represent ‘expected’ outcomes and so, in modelling, needs to be supplemented by external data and
scenario analysis.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 23/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.6.4 Risk modelling

7.6.5 Accounting treatment

Pending losses with a definitive financial impact, meeting relevant accounting standard definitions, may require a provision to be raised in
financial accounts. Furthermore, assigning loss events to appropriate business units can help to identify to which cost centre the loss amount
belongs.

7.6.6 Risk appetite

Please refer back to Chapter 3 for more detail on risk appetite. Understanding event data provides a useful basis for deciding on risk appetite
as well as either challenging or validating targets or triggers relating to risk appetite.

Reviewing the previous 12 months’ loss data can enable assessment of a ‘mean’ (or average) which can then be adopted as the threshold for
moving from Green/acceptable to Amber/tolerable on the basis that level represents a variation from the norm. Similarly, the worst recorded
position could suggest a level from Amber/tolerable to Red/unacceptable, especially if action had been taken to reduce exposure to below
that level.

Loss data can also be used to monitor actual experience against expected or desired levels.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 24/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

Other uses

Action plans: Reporting and analysing the causes of operational loss events is essential for designing and implementing action plans to make
sure a risk does not occur again and to improve operational risk management.

Training and awareness: Risk event data, when collated and analysed, provides valuable insights which can then form the basis of training and
awareness for staff. Those insights include understanding control failures, the costs of events themselves and the costs of remediating them.
They also provide evidence that an event in one part of the business could occur in another. Collating and using small events can also provide
valuable lessons about the potential aggregated impact of exposures. Finally, root cause analysis provides examples of why an event
happened and helps firms to review and strengthen the control environment.

External reporting: Risk event data may be reported to the regulator on either an ad hoc or regular basis. The specific requirements for this
may vary from regulator to regulator, however, this is often based on the event types standards described in section 7.2.1 and business line
standards in section 7.2.7.

Firms may choose to become part of a data sharing consortium (discussed further in section 7.7.2). Where this is the case data will also be
reported externally to the relevant organisation in line with their prescribed requirements.

7.6.8 Limitations

Unlike financial risk events, operational risk events do not lend themselves easily to being identified and reported directly from the
organisation's accounting or management information systems. They generally have to be reported by individuals, so it is likely that not all
events will be captured. Actual losses may well be reported, but may still be incomplete; near misses are reported less frequently and gains
may be rarely reported at all. As a result, the limitations of incomplete event data should be acknowledged and understood when the data is
used for calculating operational risk exposure or capital.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 25/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.7 Describe the benefits and limitations of sources of external loss event data

7.7.1 Media reports, social media and public data

Some events are so sizeable, or of such consequence, that they are reported in the media. They can range from pandemics (for example, Ebola
in West Africa, 2014), natural disasters such as earthquakes or hurricanes (Hurricane Katrina, 2005), man-made disasters (Deepwater Horizon
oil well, Gulf of Mexico, 2010), civil disturbances and wars, or corporate risk events (Banking Crisis, 2008-10; product mis-selling by UK banks;
LIBOR and FX market rigging).

Since individual firms suffer few – if any – major risk events, media reporting can be helpful in understanding the scale of risk to which a firm
may be exposed. If events are well-reported, they can provide helpful causal analysis which can inform firms in reviewing their controls, their
likely exposure to such events and their business continuity plans. They can also be useful in testing assumptions made in firms’ scenario
analyses and assessments. However, press and media reports are often incomplete or biased and should thus be treated with caution in terms
of drawing conclusions about the relevance of the reported event for the firm.

The increasing use of social media may provide a further source for data. This is often more ‘real time’ and detailed than published media
articles and may provide further insight into the event itself and causal information. Caution must be applied when using social media as
contents are often not validated and can be based on hearsay.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 26/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.7.2 Competitors’ internal losses and consortia databases

A number of firms subscribe to databases which provide information of large risk events which members have suffered, mostly below the level
of the more headline-grabbing events.

Most of such databases provide a brief causal analysis of the event, so that other members can compare their own experiences and the
assumptions they have used in their own risk and self-control assessments and scenarios.

However, it is difficult to make a direct comparison with another firm’s experience due to differences in that firm’s risk culture, strategy and
control environment.

Apart from the usual problem of data completeness which affects all risk event reporting, firms may also well be precluded, for legal reasons,
from divulging the costs of settlements.

In addition, given different classification approaches, different collection thresholds and practices, different stages in data collection maturity
and different regulatory requirements in different jurisdictions – in spite of the best efforts of the members and the consortia themselves – the
data quality will be variable. External data is useful in understanding events which are unlikely to have occurred in an individual firm, but the
data should be used with a clear understanding of its limitations.

7.8 Explain the uses of external loss event data

The uses of external loss event data are similar to those outlined in section 8.7 above. However, some additional points should be made:

7.8.1 Scenarios

External data is a useful input to creating realistic scenarios since it will generally reflect events which have not been experienced by an
individual firm. These events are also useful to highlight or understand new or emerging risks which can then be included in scenarios.

To be most useful in scenarios, external data reports should provide:

The background to the event.
Information about the governance and control structures in which the event occurred.
The manner in which the event unfolded.
The aftermath of the event – the consequences, management of the event and any remedial action taken by the firm.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 27/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.8 Explain the uses of external loss event data

7.8.2 Benchmarking

Experience of peer organisations in relation to similar risk events enables firms to benchmark their own severity and frequency assessments.
External event data may also identify consequences, such as settlement costs, regulatory fines and penalties, ratings downgrades or
reputational damage, which may not or may not fully have been considered.

External data can also be used by firms to benchmark their own internal reporting processes and the quality of information which they provide
to management. If external data is detailed enough, it may also be possible to benchmark the time taken from an incident to occur and its
detection. From all of these, useful lessons can be learnt.

7.8.3 Risk identification

Risk identification is considered in Chapter 5. In considering risk identification, it is tempting to rely on events which have already happened or
are in the firm’s risk register. External events provide a different perspective and, if they are accompanied by some form of causal analysis,
prompt a reappraisal and prioritisation of risks.

7.8.4 New product analysis

External events and competitors’ experiences are important when bringing a new product to market. This is particularly true where the
product is being launched in a new geographical market or is an entirely new product for the firm.

This information will supplement management understanding of the nature and quantum of risks associated with the new product, and helps
to produce a more informed business case. It will also help to develop a framework of mitigating controls and indicators to ensure that the
risks are contained within the firm’s risk appetite.

So far as possible, external data relating to the new product should be sought which covers the whole of an economic cycle. A rising market
may otherwise mask risks which manifest themselves when the economic cycle deteriorates.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 28/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

7.8.5 Setting risk appetite

Information about competitors’ experience is a useful test of a firm’s risk appetite in that it may reveal possible risks which could take a
product outside that appetite. The information is also helpful for firms in considering their own risk appetite.

7.8.6 Risk education and awareness

External data provides information which is not available from internal sources and so extends a firm’s understanding and awareness of
possible risks.

This in turn will aid training in alerting staff to risks, to appropriate warning signs for those risks and how they may best be mitigated.

Workplace reflection

Does your firm use external data in all the ways identified in this section? If so, how does it ensure that external data is relevant to your firm?

Summary

Events and losses are the basic building blocks for reporting, analysing and managing operational risk. Their impact forms the basis for
modelling and understanding the financial consequence of operational risks materialising. Events also inform other process such as risk and
control assessments, risk indicators and scenario analysis as well as operational risk modelling.

As is explained in the chapter, ensuring consistent identification and reporting of events is important for events to fulfil these functions,
however, it is not easy. Differences can arise in ascribing event categories, the amount of an event's impact, or even its date. So clarity and
consistency across the firm about the attributes of an event is vital. And there is a trade-off between recording and reporting events down to
the tiniest amount of granularity and being able to turn them into useful management information which will lead to action.

Events, in themselves, are not enough for effective operational risk management. Their cause or causes must be analysed. Again, a decision
has to be made as to how far back to identify a root cause. But cause is what we manage when we seek to manage operational risk
successfully. Recording events without their causes is a sterile exercise which will not provide business benefit.

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 29/30
7/29/24, 10:05 AM Chapter 7 Back Up Book for Printing

Key learning

You will be ready to move to the next chapter when you can confidently answer the following questions:

1. How does a near miss event differ from a loss?
2. In what situation could a risk event result in a gain?
3. What is the difference between direct and indirect losses?
4. What key information should a firm record in relation to risk events?
5. Why is it important to undertake root cause analysis of risk events?
6. What should a firm consider when setting a risk event data collection threshold?
7. How can risk event data be used to validate RCSAs?
8. What else can risk event data be used for?
9. Who should be responsible for reporting a risk event?
10. What is external loss event data and where can this be obtained?
11. Why would a firm consider obtaining external loss event data?

https://www.irmvle.org/mod/book/tool/print/index.php?id=4165&chapterid=2324 30/30