The death of operational risk?
- 9 February 2018
Recent reports on the 'death of operational risk' are greatly exaggerated. Not only did operational risk exist before Basel II, but it will continue to exist after Basel III. In a recent study, leading chief risk officers (CROs) were unanimous in agreeing that operational risk is both “important” and “increasing”.
The regulatory focus on operational risk provided a much-needed impetus for financial services institutions to invest in their frameworks and for the discipline to develop. Progress was undoubtedly accelerated following Basel II. A lot of extremely valuable work was done by simply collecting and categorising event data. For the first time, informed views on levels of actual operational risk loss could be given.
However, by design the Advanced Measurement Approach (AMA) was holistic. Operational risk was broadly defined, supported by an event-driven taxonomy, and targeted an extreme outcome, sufficient to cover a 1/1000-year loss. For these reasons, and with hindsight, it was always going to be disconnected from the actual day-to-day management of specific risks, and to a very large extent it forced a focus onto risk measurement at the expense of risk management.
The widely criticised variability in Risk Weighted Asset calculations and outcomes that AMA frameworks produced was a natural consequence of broad regulatory guidelines, diverse supervisory interpretation and excessive extrapolation.
The new standardised approach
The new Standardised Approach is an attempt to simplify the capital calculation. Since its first publication, many have argued for the need for more, not less, operational risk measurement. We agree. Risk measurement and capital modelling address different problems, and a new Standardised Approach does not mean banks and insurers want to stop understanding their risks.
While the simplification of regulatory requirements is always welcome, many criticisms of the new Standardised Approach are valid. It is simple, it is loss-sensitive rather than risk-sensitive, it has some perverse incentives (for example in only recognising risk transfer as a capital relief if a loss materialises), and it can indeed be calculated by the finance department. But it is for this reason that it provides a great opportunity for the industry. Operational risk frameworks and practices can now be put to work where they are needed most, which is in managing risk.
Change is an opportunity
It is the sign of an immature discipline for its existence to rely on supervisory rules. Now is the time to move beyond capital, and start focusing on the management of risk.
Operational risk is now entering a phase of evolution where industry will look to leverage the investments and developments of the past and focus on improving operational risk management. It is emerging as the umbrella function which promotes the consistent management of the wide range of non-financial risks that institutions face. It is also being challenged to step forward and step up, to engage with the business and to ensure better coordination between different functions.
All the emerging themes in banking – AI, cyber-crime, digitalisation and fintech – will result in significant shifts in the operational risk profile of institutions. Identifying, measuring and managing the new risks that change brings is crucial for the future.
How can this be achieved?
In a period of rapid change and challenge to established business models, close management of operational risk will become an enabler of success. There is a need for risk management to be more agile and dynamic, and practice must be more responsive: as risks evolve, the management of them needs to follow.
Many emerging risks are external in origin, and interconnected, prompting a greater need for sharing of expertise and knowledge. To achieve this, we observe a demand for a risk-based taxonomy to describe them in a common way.
There is also a need for practical guidance, and the convergence of assessment practices. Operational risk management is not a science, and will always need innovation and improvement – but this is most effectively done collectively, not in isolation. There is a great opportunity for industry to now “claim the space” and set standards for the future.
Operational risk management is not dead, or even dying; it is in greater demand than ever before. However, the onus is now on the industry to push the discipline forward without reliance on regulatory rules, driven by the need to effectively and efficiently manage risk.