Strategies for Operational Risk Management
EA documentation simplifies management of operational risks.
by Vineet S. Rajput
September 15, 2004
In the uncertain world of business, every organization finds itself in a state of continuous risk management. This involves all kinds of risks, including credit risk, market risk, and operational risk. Credit and market risks have long been the key factors in evaluating corporations' financial positions. Recently, though, operational risk has started getting the attention it deserves.
Operational risk can be defined as the amount of exposure an organization has as a result of its operational structure. This includes risk due to processes, organizations, and technologies. Operational risks expose an organization's business. They might arise from natural catastrophes such as floods and earthquakes, man-made catastrophes such as 9/11, or minor events such as a fraudulent transaction or system failure. Any time an organization's operations can fail, an operational risk exists.
Businesses as well as regulatory bodies and governments are focusing on managing operational risk. The Bank for International Settlements (Basel) Committee on risk management has made operational risk a factor in determining capital adequacy. In a way, the Sarbanes-Oxley Act (see Resources) is aimed at ensuring against operational inadequacies that result in false financial reporting. The Health Insurance Portability and Accountability Act (HIPAA) aims to ensure operational practices that protect patients' information. The Gramm-Leach-Bliley Act (GLBA) and the Patriot Act also attempt to ensure operational practices that reduce operational risks for financial institutions.
Managing operational risk is not only a regulatory need; the organization that demonstrates a sound practice of risk management will also achieve greater shareholder value through superior capital efficiency, data and risk management uniformity, enhanced credit ratings, reduced operational losses, and an improved credit risk-return profile. These organizations are also more likely to be rewarded by customers with higher confidence and more of their business.
The regulatory needs and current business environment have prompted a slew of technology products, all of which claim to help with regulatory compliance. Although some technology will eventually be necessary, these are essentially business issues and need a business solution. Enterprise architecture (EA) at its fullest is about defining a comprehensive business and technology strategy to achieve organizational goals. You can apply this approach and related tools to operational risk management.
Operational Risk Defined
The Basel committee has defined operational risk in detail for financial institutions, but much of the definition applies to other institutions as well. Other organizations might not be susceptible to all the operational risks identified by the new Basel Accord (also called Basel II), or might have some additional operational risk exposures. But for the purpose of this article, I will concentrate only on the operational risk aspects of Basel II.
Basel II defines operational risk as "risk of loss due to inadequate or failed internal processes, people, or systems, or from external events. This definition includes legal events but excludes strategic and reputational risk."
The Basel Capital Accord emphasizes active risk management and suggests three approaches. One of the approaches, the Advanced Measurement Approach (AMA), provides institutions with maximum flexibility and benefits. However, to qualify for AMA, institutions must demonstrate an active and adequate risk management practice in all areas of operational risk. These areas include internal fraud, external fraud, employment practices, customer practices and product design, system failure, physical damage to assets, and execution processes.
The management of risk involves accurate measurement or assessment of existing risks along with a well-defined mitigation approach commensurate with the risk exposure. Unfortunately, there has been precious little work done in the area of quantifying and mitigating operational risks.