A unified management and capital framework for operational risk

James Lam discusses the attributes of a unified ORM framework and how those attributes can underpin a seven-factor economic capital model.

When operational risk management (ORM) first came on the scene a few years ago, there were basically two distinct schools of thought. One school subscribed to the notion that you cannot manage what you cannot measure and so focused on quantitative tools, such as loss distributions, risk indicators, and economic capital models. Thc other school believed that operational risk cannot be quantified effectively and focused on more humanistic, qualitative approaches, such as self-assessments, risk maps, and audit findings. It was a classic battle between man and machine.

Today, ORM practitioners recognize the pitfalls of using any one approach without the other and that best-practice ORM incorporates elements of both.

Key Attributes

A unified ORM framework should satisfy two basic requirements. First, it should support both the measurement and management of operational risks. Second, the ORM framework should incorporate the interdependencies across credit, market, and operational risks as part of an overall enterprise-wide risk management (EWRM) program. Based on these two requirements, an ORM framework has five key attributes.

1. Balances qualitative and quantitative tools. The nature of operational risk--the risk of loss due to people, processes, systems, and external events (1)--is complex and dynamic. Qualitative tools are able to incorporate human experience and judgment to capture subjective risks, consider, for example, the operational risks associated with a new product. On the other hand, quantitative tools provide objective indicators that can show aggregate losses, exposures, and trends against established targets. A unified ORM framework should incorporate the advantages of each set of tools and also integrate such risk management and oversight activities as ORM, audit, compliance, quality, and insurance.

2. Provides early warnings and escalations. Operational risk cannot be managed effectively based only on backward-looking indicators, such as losses, error rates, and incidents. The ORM framework should provide early warning indicators of emerging risk issues. A quantitative example is a spike in employee absenteeism that may be an early warning for increasing turnover and human errors. A qualitative example is competitive intelligence that indicates significant investments in a new technology by a key competitor that, if successful, would render the firm's existing technology obsolete.

An ORM framework also should establish effective escalation processes so that management can take the appropriate actions.

3. Influences business activities. One of the most important attributes of an ORM framework is that it influences business actions and decisions. Such influence can be asserted through the following:

1) Corporate policies with respect to guidelines for, and restrictions on, business activities.

2) Teamwork between the line units and ORM in new business and product development processes.

3) Risk response plans based on ORM indicators and escalations.

4) Adjustments in economic capital given operational risk performance and risk mitigation strategies.

5) Positive and negative incentives to motivate appropriate business behavior.

This attribute ensures that operational risks are managed on an ongoing basis, and that specific consequences are in place to provide organizational reinforcements.

4. Reflects environmental changes. Just as credit risk and market risk frameworks reflect volatility changes in underlying default rates and market prices, an ORM framework should reflect changes in the operational risk environment. For example, increases in industry-wide operational risk losses and incidents may indicate an increase in systemic risk. A number of industry loss-event databases are being developed that can provide this type of information. Other environment changes include new legal and regulatory requirements, such as those established by the Sarbanes-Oxley Act, the USA Patriot Act, and the Basel II proposals. A company that lacks the processes and systems to comply with these new requirements will likely face greater operational risk with respect to regulatory scrutiny and legal penalties.

5. Incorporates risk interdependencies. There are important interdependencies within and across risk types. For example, credit risk is the primary concern for most banks, but inadequate loan documentation (an operational risk) will likely increase loss severity in the event of a borrower default. An EWRM program should address such interdependencies in the design of risk indicators and reports, the development of scenario analysis, and the implementation of risk response plans. As we will see in the next section, these interdependencies should also affect the determination of economic capital, and in ways that might not be obvious.

Economic Capital Model

Given the five attributes of a unified ORM framework, what factors should determine economic capital for operational risk? Figure 1 shows a seven-factor model for operational risk capital. While this is a conceptual model, it can he adapted to a firm's specific business mix, size, and risk parameters.

1. Revenue multiplier. This is a top-down estimate of the amount of operational risk capital required by a business or operating unit. Such an estimate can be derived from observing analogs of publicly traded companies in the same or similar businesses, while adjusting for market risk and credit risk. For example, Capital One may be a credit card company analog, while First Nationwide may be one for mortgage companies. Outsourcing firms, such as IBM or EDS, may be analogs for internal IT functions. The central question is, "If the business or operating unit were a stand-alone, how much capital would it need for operational risk capital?" The revenue multiplier (2) assumes an average operational risk profile, which can then be adjusted upwards or downwards by factors 2 through 6.

2. Operating margin. This factor incorporates the degree to which the firm's operating margin is more volatile or less volatile than average and is often referred to as "business risk." A firm's inability to generate sufficient revenue to cover expenses (net of unexpected credit and market risk losses) is a major reason why it needs to hold operational risk capital. For example, business variables that can increase the required operational risk capital include greater volatility in business volume, weak power to set prices, and higher fixed-versus-variable expenses.

3. Internal indicators. This factor reflects the effectiveness of internal controls. A scorecard with individual weightings should be developed for the internal quantitative and qualitative indicators to provide an overall adjustment to operational risk capital. Internal indicators would include losses, incidents, risk metrics (for example, error rates, unreconciled items), early warnings, internal audit ratings, risk maps, and so forth. The economic impact of contingency plans and insurance programs should also be factored in. Each key indicator also should be associated with specific goals and MAPs (minimum acceptable performance).

4. External indicators. As with internal indicators, a scorecard of external indicators should be developed. External indicators would include customer satisfaction scores and complaints, external audit ratings, and regulatory exam findings. This scorecard would also track exposures to external events, such as fires, earthquakes, and terrorist acts. Firms that rely on external vendors should also incorporate vendor performance relative to service-level agreements. Goals and MAPs for external indicators should also be established.

5. Model risk. This factor reflects the degree to which a firm relies on models and the quality of such models. The primary input is back-testing results against predetermined criteria. A firm should include all models that drive management decisions and actions, such as pricing and valuation models, scenario and simulation models, and risk management models. For firms that do not rely on models, this may simply be one of the internal indicators.

6. Systemic risk. This factor adjusts for dramatic shocks in the business environment, such as industry-wide losses and incidents as well as banking and settlement failures. Systemic risk is especially important for highly interconnected industries, such as financial services and energy services, for which trading activities and counterparty exposures within the industry are significant. Recent examples include the Long-Term Capital Management collapse, Y2K readiness, and the Enron bankruptcy. In each of these situations, companies were concerned about not only their direct exposures, but also the exposures of their business partners and counterparties.

7. Financial risk multiplier. This factor is meant to capture the compounding effects between operational, credit, and market risks. It is not portfolio diversification, which may lead to a reduction in aggregate economic capital at the enterprise-wide level. In fact, it is an offsetting factor that many risk managers ignore. Regulators refer to this compounding factor as "spillover effects." Gumming and Hirtle (3) (2001) argued that the confluence of variables, including market liquidity problems, lack of corporate limberness, and reputational and contagion effects, could result in the aggregate risk of a firm exceeding the sum of its individual risks. The financial risk multiplier is meant to capture such spillover effects. An argument can also be made that a variety of operational risk exposures (for example, a rogue trader, inadequate loan documentation, and unsavory sales practices) are compounded in a firm with significant market risk and credit risk exposures. After all, a rogue trader can do much more damage at a hedge fund than at a retail bank.

Summary

The practice of ORM has come a long way in the past several years, but still has a long way to go. At a recent conference organized by RMA, Eric Rosengren of the Federal Reserve Bank of Boston said that only three of the largest 20 U.S. banks qualify for the "advanced management approach" for operational risk under Basel II, which would likely lead to reduced capital charges. However, the development of ORM is more than a regulatory compliance issue. Early adopters of more sophisticated ORM have reported significant business benefits, including improved customer service, greater operating efficiency, and reduced losses. To fully realize these benefits, it is clear that the further development of ORM practices must integrate quantitative and qualitative tools. In other words, man and machine should coexist.

Contact Lam at jameslam@attbi.com

Notes

(1.) The definition of operational risk in this article includes business risk, which is notably absent in Pillar I of the Basal II proposals.

(2.) For certain businesses, a top-down proxy based on activity or volume might be more appropriate.

(3.) Christine M. Cumming and Beverly J. Hirtle, "The Challenges of Risk Management in Diversified Financial Companies," Economic Policy Review, Federal Reserve Bank of New York, March 2001.

James Lam is president of James Lam & Associates, a risk advisory firm based in Wellesley, Massachusetts.

COPYRIGHT 2003 The Risk Management Association
COPYRIGHT 2005 Gale Group