Skip to main content
The Actuary: The magazine of the Institute and Faculty of Actuaries - return to the homepage Logo of The Actuary website
  • Search
  • Visit The Actuary Magazine on Facebook
  • Visit The Actuary Magazine on LinkedIn
  • Visit @TheActuaryMag on Twitter
Visit the website of the Institute and Faculty of Actuaries Logo of the Institute and Faculty of Actuaries

Main navigation

  • News
  • Features
    • General Features
    • Interviews
    • Students
    • Opinion
  • Topics
  • Knowledge
    • Business Skills
    • Careers
    • Events
    • Predictions by The Actuary
    • Whitepapers
  • Jobs
  • IFoA
    • CEO Comment
    • IFoA News
    • People & Social News
    • President Comment
  • Archive

Topics

  • Data Science
  • Investment
  • Risk & ERM
  • Pensions
  • Environment
  • Soft skills
  • General Insurance
  • Regulation Standards
  • Health care
  • Technology
  • Reinsurance
  • Global
  • Life insurance
Quick links:
  • Home
  • The Actuary Issues
  • December 2015
12

Getting to grips with risk

Open-access content 1st December 2015

It is difficult to assess all sources of enterprise risk, says Brenda Boultwood, but it is vital if a company wants to demonstrate sound decision-making

2


During the course of the past two decades, the financial sector has shown great progress in understanding and quantifying credit and market risk. But operational risk - which some experts estimate may be 70%-80% of a regional bank's total risk capital - is still not well understood or quantified. Operational risks are qualitative, inconsistently defined and often poorly identified. New techniques are emerging that allow operational risk appetite to be monitored and effectively reflected in the strategy and business plans of a company. These techniques include complete risk identification, conversion of qualitative risks into measurable units, predictive risk analytics that provide early warning signals on loss events, and metrics thresholds that trigger notifications and actions, including changing the level of risk-taking.

Qualitative risk: the new frontier
Regulators require banks to develop operational risk frameworks, just as banks have to do for market risk and credit risk. The expected levels of operational risk should be established, and consistent with strategic objectives. Organisations must specify the type of data and the frequency with which they will assess their risk events.

A great deal of work is being done now to make qualitative risk more quantitative, but it is still more art than science. For example, if a bank's deposit system is down, this leads to customer or business disruptions, and there is the financial loss of incomplete transactions on that particular day. There is also a more subtle loss of reputation when the customer chooses to negotiate their next loan with a bank whose systems are more reliable. Banks are starting to collect information about these kinds of risk events. They are doing more risk assessments and are asking people in the field: how do we assess the quality of our risk and control environment?

Companies are also thinking about risk metrics because they want more rigour as they establish a more quantitative basis for qualitative risks. Management should decide on a set of metrics, which will then be monitored for breach of pre-assigned levels.

Take an example
Consider the risk of employee attrition. Part of mitigating this operational risk requires having strong human resources, involving how to attract, train and motivate employees with valuable skills. The risk of employee attrition can be quantified as the percentage of unintended employee turnover, transforming something once qualitative into something measurable.

The first stage of mitigating this risk is to start with a baseline to normalise observations. This can help the company measure the impact of loss owing to lack of well-trained employees. Although 'employee turnover' can be calculated and modelled, how can its actual impact be measured? If departing employees know the internal processes intimately and have forged connections with customers, the amount of monetary loss is rather difficult to quantify. Additionally, we must keep in mind the costs required to recruit and train new employees.

A quantitative risk such as market risk is understood in terms of value-at-risk (VaR). When a certain VaR level is breached during trading, this triggers a message to senior management, who decide what response is needed - accept the higher risk, liquidate the position, or buy a hedge - and then report that to the board. For a qualitative risk such as employee attrition, the company would choose as its baseline an expected level based on history - for example, 2.5% employee turnover.

Then things change. Perhaps a new competitor starts poaching staff, and turnover jumps to 10%. The dashboard that used to show green at 2.5% now shows red at 10%. When a certain level is breached, this triggers a message to senior management, who - just as in the market risk case - have a discussion. Important questions must be considered, such as: "Is this an anomaly?"
"Is this the new norm?". If 10% is the new norm, what is the correct response; more training, better policies and procedures, or more documentation of the skills required for that particular role? Perhaps more IT systems are the answer, because that would help automate much redundant work, and would also reduce dependence on what people are expected to remember.

The discussion around measuring this qualitative risk - establishing an operational risk tolerance metric for employee attrition - has now begun, and some tactical decision-making occurs. The board will eventually examine the breach, and the response thereto, in order to understand the impact on the organisation's overall strategy.

A window into enterprise risk
As companies grow and amass data, they become better at anticipating risk events. As a result, they can focus on better controlling their exposure, thereby limiting the potential for loss - both financial and reputational. There's a silver lining to risk events: fresh data points. Information before, during, and after risk events can and must be captured for use by your organisation's risk management, modelling, and analytics teams.

The data aggregation currently carried out by organisations is largely quantitative. It looks at values around revenue, profits, products produced, expenditures and more. Data aggregation around new metrics - especially around qualitative risks - is more difficult to establish.

Quality data can permit operational risk-based capital modelling, which ties into determining risk and regulatory capital adequacy. In addition to economic risk capital, senior management is also interested in regulatory capital, balance-sheet capital, and rating agency capital. Stress testing and scenario analysis of key risks can also reveal any potential Achilles' heel in desired capital levels.

Risk appetite linked to strategy
Ultimately, the board has accountability to a company's shareholders. Senior management is well aware that if a risk metric exceeds a threshold perceived to be normal, which is in line with past observations, management need an explanation. Is this a one-time event, or does this signal a trend?

With input from the risk management team, management will want to understand various risk implications that such data provides: does the organisation need a temporary plaster, or does it require a new blueprint? More controls might be needed, or the organisation might need to accept a new risk tolerance as part of its risk appetite. Risk data, and the insights that come from it, can provide management with the real-time knowledge needed to continuously fine-tune the organisation's strategy.

Use test analysis
Regulators require that banks perform use test analysis of their day-to-day risk appetite. A great way to assess your organisation's risk framework is to try it out on a new situation. Regulators want banks to be asking themselves what new risks are occurring, and how much extra risk capital those new risks could absorb.

Use test analysis should also be performed on potential mergers and acquisitions. Although both parties have a legal contract, do they know exactly how the partnership is going to work? Do they know exactly how each partner is going to deliver?

Use test analysis also feeds into stress testing. Analysts should ask themselves: "If we introduce a new product/deal/acquisition, what are all the new risks that we introduce?" The company can stress test different scenarios and estimate the level of confidence for what current levels of risk capital it could safely absorb if things went wrong.

A company has a risk appetite for both quantitative and qualitative risks, and both are needed to define an organisation's overall risk tolerances and boundaries. Metrics such as employee attrition, the number of network security penetrations, the length of system down-time or the number of process failures are critical data points. These can help a company calculate its operational risk capital and compare that to its risk appetite, as ultimately reflected in a company's capital and ability to absorb large losses.

No matter the industry, every organisation wants to invest in opportunities where the risk-adjusted return on capital is the highest. Every organisation also wants to avoid those rare, once-in-a-decade, black swan risk events that have the potential to destroy their business. It is only by having access to quality risk data that organisations can be in a position to thrive on risk.

Brenda Boultwood is senior vice-president at MetricStream
This article appeared in our December 2015 issue of The Actuary.
Click here to view this issue
Filed in:
12
Share
  • Twitter
  • Facebook
  • Linked in
  • Mail
  • Print

Latest Jobs

Reinsurance Pricing Lead

England, London
£40000 - £75000 per annum
Reference
118905

Senior Pricing Actuary

London, England
£60000 - £110000 per annum
Reference
118904

Pricing Actuary (Casualty)

England, London
£60000 - £80000 per annum
Reference
118903
See all jobs »
 
 
 
 

Sign up to our newsletter

News, jobs and updates

Sign up

Subscribe to The Actuary

Receive the print edition straight to your door

Subscribe
Spread-iPad-slantB-june.png
​
FOLLOW US
The Actuary on LinkedIn
@TheActuaryMag on Twitter
Facebook: The Actuary Magazine
CONTACT US
The Actuary
Tel: (+44) 020 7880 6200
​

IFoA

About IFoA
Become an actuary
IFoA Events
About membership

Information

Privacy Policy
Terms & Conditions
Cookie Policy
Think Green

Get in touch

Contact us
Advertise with us
Subscribe to The Actuary Magazine
Contribute

The Actuary Jobs

Actuarial job search
Pensions jobs
General insurance jobs
Solvency II jobs

© 2020 The Actuary. The Actuary is published on behalf of the Institute and Faculty of Actuaries by Redactive Publishing Limited, Level 5, 78 Chamber Street, London, E1 8BL. Tel: 020 7880 6200