Worth the operational risk

Nicole Pang looks at emerging trends in operational risk modelling, and how firms are improving their operational risk models

The broad nature of operational risk, as well as the lack of data available, means that operational risk modelling is an area of specific challenge for many firms. Given the lack of data, firms have resorted to modelling operational risk using a frequency severity model, relying on a scenario workshop process to set the underlying parameters based on expert judgment.

However, in a world where we are constantly facing changes and significant external factors that are out of our control, is the current process sufficient for determining a firm’s operational risk? Based on an insurance industry operational risk survey carried out in 2019, a third of firms had received regulatory feedback with respect to their operational risk models during the previous 12 months, and two-thirds were planning to make improvements to their operational risk models.

The methodology of modelling

The frequency severity model is used by a majority of insurance firms, with separate distributions of the frequency and severity of losses for each operational risk type. Generally, a scenario-based approach is used to derive parameters for these distributions. Subject matter experts attend scenario workshops facilitated by the operational risk team. These workshops generate estimates for the frequency of an operational risk, the average cost where the scenario occurs, and an extreme cost of a severe event. In these workshops, subject matter experts tend to be provided with data and information to help produce these estimates. These estimates are then used to calibrate the distributions of different operational risk types, which the operational risk model aggregates using either variance-covariance or copula approaches.

Another direction is to use a loss distribution approach (LDA) to calibrate either the frequency and/or severity distribution. This approach is more commonly seen in the banking sector. An LDA’s key shortcoming is the lack of low-frequency, high-impact events in the data. Some firms overcome this by overlaying an LDA with scenario analysis results as part of a hybrid approach.

There is also an increased focus on supplementing firms’ internal loss data with external loss data, such as ORIC and ORX. This is important in order to capture any relevant events based on the experience of others. The key to this is to ensure the external data used is adjusted so that it is proportionate to the firm – for example scaling the losses based on the size of the firm and filtering the type of events that are relevant.

As an alternative to modelling each risk type separately, some firms are considering a Bayesian network approach. This uses a causal structure and a conditional probability table to build up a full joint probability distribution of all losses, removing the need for separate aggregation. The causal structure allows the model to be linked to the underlying exposures and business drivers, and may be more aligned to business-as-usual risk management and management information. However, it may also be more difficult to implement or validate, given the current lack of use among firms.

In the banking sector, Basel III replaces the use of internal models (advanced measurement approach) with a standardised measurement approach. This calculates Pillar I operational risk capital using business indicators relating to income and expenses and a multiplier based on historic loss experience. However, banks may still use internal models for their Pillar II ICAAP assessments of economic capital requirements, and regulators may consider the results of these and scenario analysis exercises when setting regulatory capital add-ons.

“In a world where we are constantly facing changes and significant external factors that are out of our control, is the current process sufficient to determine a firm’s operational risk?”

Parameterising frequencies and severities

Firms will need to consider the impacts of COVID-19, particularly on claim procedures. Where general insurers have rejected COVID-19-related claims, conduct risk issues could arise over whether this is consistent with the principle of treating customers fairly. Additionally, remote working may lead to errors in actuarial modelling, given reduced speeds in the systems, and could also lead to a potential surge in cyber attacks. Firms may not have directly relevant past data to rely on when assessing the impacts of these events, so the Operational Risk Working Party envisages that this will be an area of challenge for firms during the next workshop cycle.

Regulatory focus on operational resilience has increased senior stakeholders’ engagement with operational risk frameworks and quantification. Operational resilience refers to firms’ ability to prevent, respond to, recover and learn from operational disruptions. This has obvious resonance in the current pandemic situation. The requirements on operational resilience have prompted some firms to review their risks and controls on an end-to-end basis, but there is no clear evidence to show how it will change a firm’s operational risk profile.

A continuing area of development is that of allowances for insurance recoveries when quantifying operational 
risk capital. This could be taken into account when setting the parameters for the frequency severity model, or when applying a haircut in the overall operational risk capital. However, a number of factors should be considered, such as any limitations and exclusions, sum insured limits across a number of operational risk scenarios, and the counterparty default risk of the insurer. The exclusion of COVID-19-related claims under business disruption policies as a result of pandemic exclusion clauses has highlighted the importance of coverage limitations.

Operational risk dependencies

Dependencies between operational risks and between these and non-operational risks is another area in which practice continues to develop. This is discussed in more detail in the operational risk dependencies paper issued by our working party earlier this year, and was discussed by Patrick Kelliher in the July issue of The Actuary (bit.ly/ActOpRisk).

The approach to setting correlation assumptions varies among firms. Some use a direct expert judgment approach, for example by discussing the strength of correlations and converting them to correlations assumptions (eg high = 75%, medium = 50%, low = 25%). Some more advanced firms have moved to use a causal driver analysis, where underlying root causes of operational risks are mapped to individual operational risks. When two operational risks have a large number of common underlying causes, it is implied they will have higher correlations. While this approach still relies on expert judgment, it provides a better structure in which to set these correlations, and also ensures better documentation of the underlying rationale.

Validation and sensitivity testing

Firms are also looking to strengthen the validation and sensitivity testing of their operational risk models. The 2019 insurance industry survey found that a quarter of firms were planning to introduce further sensitivity testing. The most common sensitivity test involves testing the impact of changing the frequency and severity parameters, but firms are also increasingly testing the impact on the capital result of changing the correlation factors.

The key here is how the result from sensitivity testing is used to inform the expert judgment process. Some firms use it to ensure the most sensitive parameters are given the most focus during scenario workshops, while some decide to keep the workshop independent to ensure there is no bias in the resulting operational risk capital.

The emerging trends in modelling operational risk have prompted some firms to consider validating the appropriateness of their current methodology. We continue to observe developments in this area and look forward to seeing how operational risk modelling will change during the coming months and years.

Nicole Pang is a senior manager at KPMG and a member of the Operational Risk Working Party

Image credit | Shutterstock