You can search for articles in back issues of Contingencies from July/August 2000 to March/April 2009 using the search box to the right. Simply type in subject words, author's name, or article title and click search. To search for articles from May/June 2009 to the present, go to the current digital issue of the magazine and use the search function on the left of the top navigation bar.
The New Frontier
by Michel Rochette
OPERATIONAL RISK MANAGEMENT is becoming a major component of a well-structured corporate governance framework that starts at the board level and drills down to the different business units. Like the whole field of risk management, it’s more than a calculation of an economic capital requirement, more than satisfying a regulator, and more than just buying an insurance policy to hedge it.
Operational risk management aims at identifying, assessing, and managing risk proactively. Managing risk in this way improves the organization’s transparency and adds shareholder value by increasing operational efficiency, reducing direct and indirect losses, better allocating economic capital, and protecting the firm’s reputation.
Recently, the whole financial sector, including many insurance companies, has been subject to enhanced regulatory oversight. Some companies have had to pay huge fines to settle investigations. These fines reflect operational risk incidents that should have been better managed up-front.
Operational Risk Defined
In the past few years, the banking and investment worlds have agreed to define operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This definition includes legal and compliance risk, but it excludes the financial consequences of business or strategic decisions.
In the insurance world, an agreed-upon definition doesn’t exist yet. A recent paper by the Solvency Working Party of the International Actuarial Association Insurance Regulation Committee has proposed a definition similar to that used in the banking world but has classified risks somewhat differently.
It has created two categories of risks, a more restrictive operational risk and another category called event risk, including, in particular, legal and disaster risks. The committee created these two smaller categories to recognize that while firms can control operational risk, they normally can’t control event risk, though they can hedge against it by using new approaches such as business continuity planning.
The Risk Assessment Working Group of the NAIC has devised its own definition, which reads: “Operational problems such as inadequate information systems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses.” Compared with the definitions used in the rest of the financial community, the NAIC’s seems narrower.
Thus, though it’s possible to classify operational risk in many different ways, the insurance industry should consider aligning its definition closer to the one used elsewhere. Actuaries would be in a stronger position to develop a common expertise with the rest of the financial community and be able to communicate with other risk professionals on common ground.
A New Governance Paradigm
To be effective and credible, any operational risk management framework must be independent of the existing business management structure. There must be checks and balances in the framework and clear segregation of duties.
The risk governance framework the financial community has implemented to satisfy these requirements is composed of different constituents. First, the board of directors sets up an enterprise risk management committee that oversees the risk management process within the organization. They’re supported daily by a dedicated risk management unit. In larger firms, risk members may also be present within the business units and report to the risk management unit.
Operational risk is the new frontier in the enterprise risk management framework, and actuaries, individually and as a profession, are well suited to lead the way.
The audit group, which reports directly to the board, is complementary to the risk management framework. It focuses more on the effectiveness of the control environment. A separate compliance group centralizes all internal and external compliance matters, such as laws, regulations, and actuarial standards.
Contrary to the banking industry, where this framework exists in more than 80 percent of internationally active banks, most insurance companies have not fully implemented this kind of risk management framework. They seem to rely more on actuaries as their de facto risk managers. This can be an effective framework as long as the role of actuaries is well defined and includes a clear segregation of duties between management and risk responsibilities.
Above is an example of an operational risk group’s responsibilities:
Operational Risk Tolerance
Once a definition has been agreed upon, a governance framework has been set up, and roles and responsibilities have been clearly delimited, the organization must define its tolerance to operational risk. The risk tolerance will determine management responses to this risk. An organization should also be transparent about its financial communications.
Actuaries, with their financial background, are in a better position than other professionals to help management set an appropriate quantitative operational risk tolerance. They can evaluate different risk profiles in relation to the economic capital of the firm, and propose management responses accordingly. This is similar to an efficient frontier analysis in finance.
Other professionals usually limit their analysis to one dimension, and they express their risk tolerance in qualitative terms. For example, accountants usually talk in terms of reasonable assurance or residual risk while Six Sigma professionals target zero defects in processes. Sarbanes-Oxley personnel try to function within the requirements of the remote likelihood of a material misstatement.
The following matrix is an example of such an analysis and possible management responses to operational risk.
Internal and External Operational Data
An integral part of evaluating operational risk is the gathering of data from different sources. Data can come from self- assessments by experts, internal or external historic loss data, or scenarios based on other companies’ incidents. In this context, an actuary is well positioned to help the organization gather, interpret, and use these data.
Actuaries, with their financial background, are in a better position than other professionals to help management set an appropriate quantitative operational risk tolerance.
Also, data will make management more sensitive to the issue of operational risk and motivate staff to implement better controls to reduce risk. Data can also be used to model future losses and allocate economic capital.
The previous tables give an indication of the types of internal operational risk incidents that a financial organization can be exposed to. They are based on a study done for the banking industry, and some examples of similar events for an insurance company were added in each category. Also, a summary of the major intercompany operational loss databases is shown above.
Assessing and Managing Operational Risk
Actuaries are well positioned to contribute positively to the development and implementation of the many qualitative and quantitative operational risk methods.
The choice of a particular set of methods and tools will depend on the financial institution’s overall philosophy, the objectives of the operational risk policy, the availability of people to implement them, time, budget, operational constraints, and regulatory requirements. In fact, we observe that a majority of financial institutions are implementing a group of methods within their institutions.
Qualitative methods, as the name implies, are based on the knowledge of experts within the organization. Contrary to financial and insurance risks that are based on observed and somewhat objective values, major aspects of operational risk lie in the heads of the people involved. Even for actuaries who are naturally oriented toward numbers, the U.K. Institute of Actuaries recognized it and phrased it elegantly
According to a report of the Operational Risk Working Party of the U.K. Institute of Actuaries, August 2002, “The most concentrated source of information on operational risk within an organization is likely to be found in the heads of management.
Contrary to traditional actuarial work, actuaries must be willing to work with a diverse group of people, be imaginative in adapting existing insurance approaches to this new environment, and be willing to learn and enhance their tool set.
It is important to mine this information to provide context and calibration to the more objective loss databases. ... This process can add value in building a consensus on the risks and risk tolerances of the business.”
On the quantitative side, financial institutions are enhancing their loss modeling using extreme-value loss distributions and generating scenarios. Some of these methods are listed in the chart below.
Operational risk is becoming more prevalent in the financial community due to both regulatory requirements and enhanced new corporate governance initiatives.
In the banking field, the Basel II Capital Accord has created an incentive to move forward. In the insurance field, similar initiatives are underway, such as the NAIC’s proposed risk regulatory framework, Europe’s Solvency II project, and the United Kingdom’s Integrated Prudential SourceBook.
Financial institutions are also implementing operational risk frameworks in order to benchmark themselves with best practices; to satisfy increased pressure from their shareholders, regulators, and rating agencies; and to respond proactively to recent scandals in order to reduce their future recurrence.
Actuaries should be part of the development of this new risk management field, in part because of its similarities to insurance expertise. However, contrary to traditional actuarial work, actuaries must be willing to work with a diverse group of people, be imaginative in adapting existing insurance approaches to this new environment, and be willing to learn and enhance their tool set, in particular, the more qualitative operational risk approaches.
MICHEL ROCHETTE is an actuary specializing in risk management for CDP Capital in Montreal, Quebec, Canada.
Contingencies (ISSN 1048-9851) is published by the American Academy of Actuaries, 1100 17th St. NW, 7th floor, Washington, DC 20036. The basic annual subscription rate is included in Academy dues. The nonmember rate is $24. Periodicals postage paid at Washington, DC, and at additional mailing offices. BPA circulation audited.
This article may not be reproduced in whole or in part without written permission of the publisher. Opinions expressed in signed articles are those of the author and do not necessarily reflect official policy of the American Academy of Actuaries.