How do scenarios help improve op risk management?
- 3 June 2019
We asked our Head of Research and Information, Dr Luke Carrivick, a few questions about using scenarios as a method for improving operational risk management. Here’s what he had to say.
Q1: Why are scenarios so popular at the moment?
“Their role in operational risk stress testing is partly why scenarios are popular. Scenarios are increasingly being used a lot in stress testing – particularly as a way of capturing the impact under extreme stresses. In this setting, scenarios are more probably useful than other types of modelling.
However, it’s important to note that we have previously seen the underlying trend swing from quantitative to qualitative measurement – many AMA models were very data driven. Qualitative is more popular at the moment, but it may well change in the future.”
Q2: How have scenarios changed?
“Compared to a few years ago there is now a lot more clarity around assumptions, around the drivers of a scenario and how they contribute to the impact, and more formal ways of running workshops.
These days, operational risk teams may have specialist second line individuals for specific risks, as well as other subject matter experts for different types of scenarios. After all, you can’t possibly have one scenario expert who knows everything about different areas, such as cyber, third party risk etc.”
Q3: What makes a good scenario?
“A scenario has to have a good use test and be action driven, i.e. asking, “what do I do with it now?” It can also be forward-looking. Most of all, it should allow you to challenge assumptions about what is possible.
This is where having access to data outside of your own firm’s really comes into its own. External information can plug the gaps in your internal data, and help you see what you might be missing. An example of this is making use of losses reported by services, such as ORX News, which help you see what events are happening elsewhere and their impact.
The recent Practice Benchmark from ORX Scenarios on risk identification for scenario selection showed that the vast majority of institutions use external sources to help inform which risks are assessed in a scenario.”
Q4: What are the emerging trends in scenario development?
"Resilience is definitely an emerging thematic focus for regulators. However, within this concept there are many different risks to be considered, and priorities differ from region to region. Resilience in Europe, for example, tends to centre on the ability for the organisation to withstand cyber attacks. In Asia, the priority is more about dealing with failures in outsourcing to third parties, while in Africa firms may focus on resilience to physical issues such as power cuts.
One particular challenge in this area is how to first articulate your tolerance for operational disruption, and then demonstrate you are resilient with respect to this. As a concept it is interesting as it signals a supervisory shift of interest from financial resilience to organisational resilience."
Q5: What other themes do you see in scenarios?
"ORX Scenarios offers access to a large library of high-quality contemporary scenarios submitted by the financial institutions subscribing to this service. From this library, we see that while not necessarily being emerging trends, rogue trading and AML failure are common themes globally. In the US, vendor failure and cyber are top priorities, while in Europe conduct scenarios remain popular.
ORX News is another one of our services that supports scenario development. It is a database that collates publicly reported loss data from around the world, summarised into a short piece by the specialist op risk researchers. The difference between this and the scenario library is that all the events are real, rather than hypothetical.
In ORX News, we see lots of cyber and conduct-related stories, as well as fraud. So, while they aren’t necessarily new risks, how events can manifest is evolving so they should definitely still remain high priority."