Operational risks (OpRisk) have gained in importance in recent years. As a result of reports on spectacular losses, the technical progress, growing IT dependency as well as increasing automation and higher complexity of business processes, greater emphasis is placed on OpRisk in companies.
OpRisk can be defined as “the danger of losses, which occur as a result of inadequacy or failure of internal processes, humans and systems or as a result of external events”.
To manage and control these risks inherent in business operations and the business environment, as well as to identify current developments in time, a holistic and stringent OpRisk management is crucial. This requires the use of appropriate qualitative and quantitative tools.
Qualitative tools in OpRisk management
The qualitative consideration in OpRisk management is usually based on expert assessments such as e.g. self-assessments, scoring procedures or specific key figure analyses. These assessments are then classified accordingly in order to perform a differentiation of the risk potentials. The tools of qualitative OpRisk management include, among other things:
Business process analysis
Early warning system by means of KRIs
Internal control system (ICS)
Business process analysis
The business process analysis examines and optimizes business processes in the company. For this, classic business process analyses compare the actual status with the target status of a process, e.g. with benchmarking, referencing or weak points analyses. Process maps and process documentation serve as the starting point for the business process analyses. These should reflect the process-inherent OpRisk and control activities. Decisive from an OpRisk perspective, is the coherent view of process, risk and control. Process-inherent OpRisk primarily indicate potential risks and error potential in the processes. Functioning controls reduce these (gross) OpRisk to an acceptable net level.
The OpRisk inventory analyzes and assesses the OpRisk identified in the business processes. The risk assessment is usually carried out by means of self-assessments by the departments and contributes to similar OpRisk from multiple business areas being assessed from different perspectives. The risk assessment results in the identification of the main OpRisk and the associated controls (key controls). This requires the definition of appropriate quantitative and qualitative materiality criteria. The identification of the main OpRisk is controlled and monitored accordingly in an early warning system and ICS. Key controls are specified in detail and assessed in the ICS.
Early warning system by means of KRIs
Key risk indicators (KRIs) measure and signal, with prior lead time, the development of a significant OpRisk, thereby promoting the holistic risk perspective. They provide answers on the actual situation and OpRisk trends and thus are an early warning system. KRIs in an early warning systems can be both monetary (e.g. risk capital, loss of receivables) and non-monetary (e.g. share quota, sick days). The monitoring of KRIs is performed by means of appropriate limit and threshold values. The response time between exceeding a limit or threshold value and the actual occurrence of the risk must be set in such a way that there is sufficient time for initiating (counter) measures.
Internal control system (ICS)
The main OpRisk and key controls identified within the framework of the business process analysis and OpRisk inventory are systematically specified and assessed according to a uniform methodology in the ICS. Due to the risk-mitigating effect of the controls, the ICS is a systematic approach for reducing OpRisk. The evaluation of the key controls should consider the determination (target) and efficiency (actual) of the key controls. A company-wide consistent evaluation methodology supports the systematic identification and resolution of control weaknesses. An annual ICS control cycle with clearly defined responsibilities forms the systematic frame in the ICS. The ICS control cycle includes:
OpRisk inventory: Process-related identification of the OpRisk and controls
ICS assessments: Specification and assessment of the main OpRisk and key controls
ICS report: Reporting of the results of the ICS assessment
The results of the ICS assessments can point out weak points in the business processes and thus form the basis for a new business process analysis and optimization.
Quantitative tools in OpRisk management
In addition to the described qualitative consideration, a quantitative consideration of the OpRisk is required to transfer suitable risk parameters to the OpRisk. As for OpRisk – as with all other risk categories – the point in time and amount of damage is uncertain, one should also make use of stochastic modeling. The tools of quantitative OpRisk management include, among other things:
Data about the underlying damage events and characteristics, which can be collected by means of suitably structured loss data bases, form the basis for every stochastic modeling. Among other things, the parameters: amount of damage, damage category, damage description, damage cause, underlying controls, consequence and influence of risk mitigation techniques on the amount of damage, seem suitable for this purpose. In addition, the inclusion of near-damages seems to be fundamental for the successful capturing of OpRisk. These are de-facto risks which occurred, however did not turn into a loss, as a subsequent control action intervened. From a risk perspective, however, these still need to be modeled, as non-capture would ultimately result in an incomplete data situation.
Based on loss databases, stochastic models in the form of distribution of damage frequencies and damage amounts can thereafter be derived by OpRisk, just as for all other risk classes. As is the case in insuretech, it is recommended to model the various OpRisk categories differently, and if necessary, to model major claims separately. Furthermore, distributions also allow for the derivation of risk parameters such as value-at-risk (VaR) or expected shortfall (ES). This is the loss which will not be exceeded with a given probability of x (VaR), or the average loss in cases where this threshold is exceeded (ES). The determination of such risk parameters is desirable as these are parameters which are also common in other risk types and this way comparability is ensured. Furthermore, various supervisory regimes are based on these risk parameters.
Scenario analyses are another important technique for quantification. In this case, a risk event is a concrete potential event, where the loss is quantifiable and the occurrence of is random. Within the framework of scenario analyses, various realizations of the unknown variables (time of damage, amount of damage), are performed e.g. with a Monte Carlo simulation. With the help of different realization possibilities, the impact of the risk event can then be analyzed. This can be done, e.g. with regard to dependencies to other risk events, the consequences of certain damage amounts or the effectiveness of certain risk mitigation techniques. For this reason, scenario analyses often focus on complex risks and worst-case examinations. In company practice, however, scenario analyses are generally not once-off considerations, but rather recurring examinations. Therefore, scenario analyses should be embedded in a structured process, which in addition to the implementation steps, includes quality assurance and validation as well as updates of the underlying parameters.
Optimal linking of qualitative and quantitative tools
The quantitative and qualitative tools of OpRisk management should never be viewed in isolation of each other. In practice, an effective and efficient OpRisk management is characterized by the optimal linking of the quantitative and qualitative tools used. For example, the results of the OpRisk inventory can serve as a validation for the loss database. In reverse, based on past loss data, a future, not yet occurred risk can be identified and assessed in the OpRisk inventory. The loss database should also be closely linked to the KRIs of the early warning system. If a KRI limit is exceeded, the damage category which is related to the KRI can then be analyzed and new KRIs including limit and threshold values can be derived based on the loss data. In addition, it is possible to check whether an increase of damage events is associated with an increase of the relevant KRIs. The results of the ICS and the OpRisk inventory should be used to identify weak points in the business processes and to optimize these. In turn, individual process optimizations can lead to comprehensive business process analyses and scenario analyses. Data from the loss database, results of the OpRisk inventory, current developments of the KRIs and, if applicable, external loss data, are used as input for the scenario analyses. The results of the scenario analyses flow into the stochastic models. Further input for stochastic models are e.g. data from the loss database and, if applicable, external loss data as well as data on the development of the KRIs.
Benefit potentials and solution approaches of Q_PERIOR
A targeted use and optimal linking of the applied qualitative and quantitative tools and taking into account consistent and stringent methods, helps to create transparency of the own OpRisk profile and to promote the risk culture in the company. An effective and efficient OpRisk management also offers the possibility of reducing the risk capital and error costs as well as to protecting the company’s reputation. We will gladly assist you with the individual design of your OpRisk management. Our experts accompany you in all implementation phases with methodological and technical know-how. Our proven approach model includes, among other things:
Actual analysis of the OpRisk management including existing tools
Conceptual design and specification of future OpRisk methodology and tools
Implementation of the newly defined OpRisk methodology and tools
If applicable, technical system implementation of the OpRisk methodology and tools
Coaching and support in the regular operation of the OpRisk management.
We rely on our functional competence and technical expertise in the implementation of a holistic OpRisk management. In addition to our many years of experience gained in various OpRisk projects, we also offer software-based options for implementation with our risk management and control system “Q_Riskmanager”. For more information, please contact us.