[Skip to content]

Sign up for our daily newsletter
The Actuary The magazine of the Institute & Faculty of Actuaries

Learning a new language: operational risk

Operational risk (OR) buzz word and fad?
Or an important topic where actuaries
need to deepen their thinking and test
their ability to apply a range of mathematical and other techniques? There are many aspects of the work on this (certainly not new) subject: process management, risk registers, corporate governance, quality management, audit, compliance a plethora of skills already focused on risk. Also, enterprise risk management, the actuarial control cycle, the risk management control cycle, and so on the general concept of operational risk is far from being a fad. The Financial Services Authority (FSA) has indicated that the insurance industry must improve its approach to operational risk management. It is clear the pieces of the jigsaw need assembling in a better way perhaps some extra pieces must be added, and maybe some existing pieces require renovation.
Operational risk is normally defined as the risk of unexpected losses arising as a result of people, processes, systems or external events. The Bank of International Settlements has contributed to current thinking on this topic, as has the British Bankers Association. There are already a range of relevant skills and contributions out there, and it is time actuaries liaised with other experts to develop their skills.

The framework
A typical framework for operational risk might look like that shown in figure 1.
Many insurance organisations are still at the early stages of embedding risk management into business processes. Their effort needs to be concentrated around raising awareness, ascribing responsibilities and generally trying to understand how OR affects other categories of risk (such as insurance risk, market risk, or credit risk). They may also need to consider whether risks arising from strategic decision taking or reputation are really separate risk headings, as suggested by the FSA, or whether they are important aspects of operational risk. As the thinking develops, so the monitoring, quantification, and development of a fully integrated risk management approach will become real and essential for a world-class company.
The natural inclination for actuaries is to measure risk to collect data, apply mathematical thinking, and improve understanding through quantification. This will happen, but before rushing down this well trodden path it is important to stop and think. There are new concepts we may need to embrace and we will probably have to learn more about some of the existing concepts other professionals already use. Process and quality management are examples. Do we understand enough about processes, how they are defined, what sorts of input, throughput and output measures are relevant and how they can be modelled? Do we understand how systems of control affect the variation in outcome (general predictability) of any given process? Or for that matter, why it is important to know about the consequences of defining roles and responsibilities, as well as about collecting data and developing statistical models?
Understanding operational risk means knowing the difference between cause, event and effect. It means developing logical, helpful frameworks for discussing and sharing risk insights. It means improving our practical knowledge about business management and being fluent in the categorisation of risk. The most commonly emerging set of categories has a hierarchical framework, with three levels of categorisation each one being a ‘drill down’ from the higher one. Bankers are increasingly talking about the six high-level categories as:
– internal fraud;
– external fraud;
– employment practices and work place safety;
– clients, products, and business practices;
– damage to physical assets;
– execution, delivery, and process management.
These categories may require new education and a new language to be adopted by actuaries. It is likely that new thinking is required about the methodology of risk assessment, so that risk assessment is based not only on past data, but can cope with looking at how risk may develop in the future as the organisation changes. This leads to the concept of developing risk indicators to use alongside other forms of analysis. Risk indicators, in some way related to changes in exposure, may be:
– ‘cause-related’ high staff turnover may cause loss of expertise or discontinuity;
– ‘loss-related’ number of complaints, which may be a direct measure of inadequate operations with direct losses as a result; or
– ‘exposure-related’ for example, sales or claims volumes each of which suggests a change in exposure through the volume of operations and related chances of things going wrong.
Finally the framework must incorporate ways to capture the issues around how individual personalities affect risk, as seen in the concept of dominance risk, or the consequences of (senior) management working without proper checks and balances.

The Institute paper covers different methods for quantifying risk in more detail. They are classed under headings such as:
– statistical curve fitting;
– frequency/severity analysis;
– causal or Bayesian statistical approaches;
– expert-based;
– practical.
These methodologies, covering the application of relatively known methods to new circumstance, should be the heartland of actuarial contributions to the current thinking. As such, we will not discuss them further here. Instead, we hope all actuaries will read the paper and attend the meeting!

Soft issues
Soft issues present a number of challenges for some in our profession, as it means getting away from mathematics to what some think of as ‘waffle’. We suggest an understanding of occupational psychology may be de rigueur for future actuaries!
Clearly the proper management of people, IT, outsourcing and management direction, and decision-taking leads us into areas where data may be difficult to acquire and not especially helpful. The whole framework of risk policies, risk management processes, risk mitigation, operational management, and organisational culture must be understood. Culture, or the ‘way we do things around here’ has a significant effect on operational risk. If an organisation’s values or belief systems reward high risk-taking and individual action, it seems reasonable to suggest the risk of operational loss is higher than if there is a performance management system which encourages people to follow processes properly and supports consensus building. It may be far-fetched to say our future exam system will need to include reference to Myers-Briggs, Belbin, or the European Quality Foundation framework, but who knows?
Strategic decisions and organisational direction emanate from senior management. While strong leadership is generally regarded as a good thing, unfettered reliance on strong personalities may not be good. Use of objective, or impersonal (even anonymous) assessments eg based on questionnaires probing a range of topics such as the amount of change, the experience of management, process quality, and top team personality profiles may help to uncover aspects of risk that would otherwise remain buried.
Strategic decisions are also important it may not be possible to foresee the consequences of any given decision, but the processes by which such decisions get taken are operational. Further operational processes need to be designed to capture the consequences when these decisions seem to be going wrong, to investigate what is going on, and to try to develop corrective action. This is why separating strategic decision from operational risk may be unhelpful in the long run.
Avoiding risk altogether is likely to lead to lack of success: it is highly unusual for businesses to prosper in a risk-free environment. We suggest that to keep the management of risk in some perspective requires an agreed view on risk tolerance, part of which would include consideration of capital adequacy.

Speculation about the future
It is possible that many actuaries will ignore operational risk and stick with more familiar insurance and market risks. This would be a shame. We, the profession, could take a small step forward by ensuring that capital adequacy models and internal capital assessments allow for operational risk. This would be a natural thing, with data collection and modelling used to ensure a cohesive view. However, the more challenging goal would be to extend our knowledge base and help lead the development of a fully integrated picture.
In the future a well-run organisation should have a clear, fully agreed statement about its ability to bear risk. This is the natural corollary of an internal capital assessment. To achieve this will mean enhancing our vocabulary and showing continued willingness to work with experts in many other disciplines. Our analytic skills and mathematical insights should allow us to pull the threads together and improve everyone’s understanding of risk.
There are many things we may have to do:
– Build a better understanding of some less commonly used techniques, such as causal modelling, as well as better use of the more common curve fitting or dynamic financial analyses techniques.
– Develop a shared view about the general level of operational risk, compared with insurance, market, liquidity or credit risk.
– Provide better and more consistent definitions of operational risk categories.
– Develop of exposure measures and generally accepted risk indicators.
– Thinking creatively about other methods.
– Review how assessment of soft issues can complement ‘hard analyses’.
– Provide more specific professional guidance.
Perhaps we should start by building a shared database of operational risk events. The banks have certainly found this has raised awareness and interest.
Our abilities to speak with a sense of independence and use mathematics in a practical way makes us well placed to develop a reputation as the people who can pull the threads together. A thorough understanding of operational risk is a vital part of making full financial sense of the future.