Analysis

16 December 2009

Operational risk management raises more questions than answers

Most economic losses have an operational component, yet insurers are still reluctant to commit resources to managing a risk where modelling techniques and management know-how are still in their early stages. Jessica Baylis reports

"If there's a one in six chance of it raining, what's the point of going out with one sixth of an umbrella?" Hiscox's CRO, Valerie Amos asks rhetorically. "Similarly, if there's a one in hundred chance of a £100m operational risk event occurring, what's the point of keeping a little bit of capital against that?"

Whether there is a capital solution to managing and regulating operational risk is a question the insurance industry seems no closer to answering than it was 20 years ago when the concept of operational risk emerged. Indeed, it's still regarded as one of the newest areas of enterprise risk management. And not everyone even agrees on what operational risk is. The most commonly used definition is borrowed from the Basel II accord: a risk event occurring because of inadequate or failed internal processes, people and systems, or from external events. Some in the insurance industry just call it "management risk."

Not enough incentives to take it seriously

The difficulty of getting operational risk taken seriously at the top of companies is one reason for the concept's slow development. Jonathan Ibbot, managing director of XL London Market, says, "I don't think the industry is doing enough to address operational risks because there are other larger risks for insurers to focus on. The big losses have historically arisen out of insurance risk, credit risk and market risk, etc, and we still haven't perfected those bigger risks that affect the balance sheets."

But the risks are significant, stresses Gordon Scott, director of management consultant Scott Merritt, and formerly head of operational risk management within the reinsurance business functions at Swiss Re. Indeed, he points out that most company failures are likely to have an operational component.

There are regulatory incentives to focus on operational risk. In the UK, for example, insurers have to calculate their operational risk for their yearly individual capital assessment (ICA) submission and Solvency II will force all firms across Europe to address the risk.

Regulatory approaches to operational risk tend to focus on high severity, low frequency events. One of the focuses is therefore in setting capital aside for large operational risk events, thereby requiring insurers to calculate unexpected losses. There are two problems with this, however. Firstly, how do you come up with an unexpected loss figure for operational risk? And secondly, what use, beyond satisfying the regulator, is that number?

The data problem

The major difficulty in modelling the risk is the lack of loss data. Large operational risk events happen infrequently and can sometimes be beyond the control of the company. Companies relying on internal loss data have little to go on. The UK insurance industry, led by the Association of British Insurers (ABI), has created an external loss database under the name ORIC - the operational risk consortium - which collates data from 20 largely UK-based insurers.

The jury is out on whether ORIC-style databases are the way forward. ORIC has the strong backing of the UK Financial Services Authority (FSA) and its membership has many of the industry's big players. RSA is an active member of ORIC and Darren Munday, group operational risk manager, believes it is crucial for overcoming the data problem. "It is very important in terms of helping institutions and firms understand the tail-end exposures that they may not have actually been exposed to themselves," he says.

There are problems, though, and privately some in the industry doubt ORIC can be a success and think that without FSA backing many would pull out. XL London Market is not a member and, while surveying its progress carefully, it remains cautious. "We are reasonably sceptical at the moment," Ibbot notes. Firstly there is the boundary issue: "How can you make sure that what other people call operational risk, we call operational risk?" Secondly, because the data is anonymous, there is the problem of scaling: "How do we know the data is scaled correctly so it is relevant to our own company?" For now, XL London Market is happy to rely on its own internal loss data across the group.

Different numbers for the regulators and for the business

So why try to put a number on operational risk at all? The argument seems to be, says Amos, "If you have to hold capital against every other risk, why not against operational risk?" It is not clear, though, that businesses place value on this number. Munday says RSA is "very similar to other firms" in that it generates one number for ICA submissions and a separate number for use by the business.

"The regulatory capital looks at extreme events and is typically a one-in-200-year number," he explains. "Then there's also a number used for the business to demonstrate how the capital is allocated back to the business and how they use that on a day-to-day basis."

In this second approach, Scott notes that where companies are able to measure the changing risk exposures, and the operational risk reports become more informative and useful for business management, the potential for operational risk to gain a broad acceptance as a core risk management process by business managers is increased.

"What business managers are looking for is a model that gives exposures that change with the key risk factors involved, and which also reflect changes in the effectiveness of the operational risk mitigation measures," Scott explains. "This will then provide valuable information to help management make decisions that help them prioritize and focus their on-going efforts on protecting themselves from the most significant areas of potential operational risk exposure that could cause the greatest damage to their financial results, either directly or through damage to their reputation."

The ultimate challenge, he says, is finding a single method that will satisfy both needs. "There's often a debate whether it is worthwhile developing something for management needs if it's not necessarily going to satisfy the regulator."

Scott, while acknowledging operational risk is hard to model, nevertheless strongly believes it is important to try. "While the current operational risk models may not yet be considered as robust as those for insurance, market or credit risk, they will only become so through companies gaining experience by working with them and improving them. We have to recognize that, with operational risk measurement, we are still at a relatively early stage in the evolutionary process."

Vicky Kubitscheck, partner at strategic governance consultancy firm Independent Audit, agrees with Scott. Kubitscheck specializes in helping boards and their risk and audit committees gain a better risk oversight and was previously head of audit, risk and compliance at Aegon UK. "To apply operational risk properly is to link it back to what the business is about -- the business model -- and what the business wants to do -- the business strategy. It helps if they can try and think about operational risk as being defined by the business rather than purely by what the regulators say."

Finding a number is part of this process, Kubitscheck stresses, but she prefers to call it a quantitative "assessment" rather than measurement to avoid overreliance on the numbers. "For me it's more like an indicator of what it could be in terms of cost to the organization. Assessing some of the potential numbers helps to put the impact of operational risk into context: there is inherent uncertainty." She admits it is very hard to pin down a number, but even determining whether the number is very big or small is useful. "Determining whether the potential impact is in the range of half a million or 10 million is useful: it gives you a magnitude."

The Solvency II disincentive

Those who would like to see a greater focus on modelling operational risk have been looking to Solvency II as a means of propelling the industry in the right direction. But their optimism may not be fulfilled. The fourth quantitative impact study (QIS 4) calibration of operational risk allowed many insurers lower capital requirements through the standard formula, thus removing incentives to model it. The Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS) responded to this by notching up the standard formula but, after strong complaints from the industry, it has been reduced back to the QIS 4 level.

"The amount of time and effort required to look at operational risk from a business perspective and then to assess the capital requirements now outweighs the costs of using the standard approach," Kubitscheck complains. "From a regulatory perspective there's no incentive for modelling."

Regulatory needs aside, Amos does not see much value in trying to measure or model operational risk. She once took the view that imperfect measurement was better than nothing. Not any more. "We put a lot of effort into developing about 20 operational loss scenarios and attempting to quantify the likely loss over a range of probabilities or return periods. Whilst there is some value in going through this process, there is currently no reasonably accurate way of combining the resulting 60 loss estimates into a single operational risk capital charge."

"Every statistician you speak to can come up with 10 different ways of doing it which will give a hundred different results. So the capital charge could be anything from £1m to £100m!" Although the process Hiscox goes through to reach its regulatory capital is useful, Amos believes you simply cannot build meaningful models or scenarios. She thinks more emphasis should be on managing the risk.

Is better management the answer?

How to manage a risk that can range from a misplaced decimal point to the entire board being struck by a pandemic is not always clear. "There are some operational risks out there which are largely external and which we can't control," Ibbot is happy to admit. "You say ‘do we have an appetite at this level?’ Well, actually no we don't. We can take some steps to mitigate the impact, but ultimately there is very little we can do about some of these external factors."

Often, however, it is possible to reduce the risk, Ibbot argues. Operational risk management at XL London Market focuses on pure operational risks, thereby leaving the operational component of, say, underwriting risk to be incorporated into the underwriting models. XL London Market places an emphasis on scenario analysis for the qualitative management of operational risk. But how do you actually get from scenarios to a better managed company?

Ibbot describes the example of one of the risk categories, failing to manage significant organizational change: "We might ask, ‘could parts of the business become disillusioned because we're not communicating effectively?’ And we take a hands-on-heart view and, if we don't think we're doing this right, then we need to put in more protocols about more effective communication."

"Part of doing the scenario analysis," adds his colleague, Vanisha Patel, risk officer at XL Insurance, "is that you need to think through the qualitative part first. So what is the inherent risk? What are your controls? What is the residual risk? Is it within your appetite? And, if not, that's when we implement action plans."

A new approach

Hiscox has recently gone back to the drawing board having had a thorough examination of its operational risk management. In the past, Hiscox employed the industry approach of identifying the operational risks, documenting the controls in place and running scenarios to see if more controls are needed. "I think there is a question-mark over just how useful it is. A lot of companies have armies of people producing heat maps and that sort of thing but does anything concrete or useful come out of it? The answer is no," Amos says.

The main problem with the approach, she says, is that it looks at operational risks in isolation. In reality, the impact of an operational loss event depends on the underlying process which it is related to.

"Take people risk, which is one of our operational risk categories. How do you assess your people risk other than in the context of other risks?" For example, she explains, in order to assess what the potential loss is if a key employee leaves the company, you need to look at the context of the job they're doing and the risks that they're managing. "If they're underwriters, you're looking at an underwriting loss. If they're on the trading floor, it's a potential investment loss. It's pushing back operational risk into underlying risk categories."

Hiscox, therefore, is moving away from asking "what are our operational risks?" Rather it asks "what influences our catastrophe risk?", for example. The company then identifies the related causes -- both traditional insurance causes such as underwriting, and related operational causes such as IT and legal. From there, measures can be put in place to reduce the chance of the loss occurring, within the context of the core functions of the business. There are, of course, still residual operational risks such as business continuity.

Not all companies take operational risk management so seriously, however. Few companies contacted during the research for this article had a head of operational risk, for example. Encouraging firms to do more than just pay lip service to operational risk management is problematic - the economic benefits of spending the necessary money are not clear.

Misinterpreting the regulators?

Kubitscheck argues that part of the problem is a misinterpretation of what the regulators want. Regulators do not see the solution only in capital terms, she says, but nevertheless, "firms get the impression that they are focused purely on the numbers. In the financial services industry there's still an over-focus on getting the compliance angle of operational risk right for regulatory capital purposes. The management of it then becomes secondary. Regulation has this unintended consequence."

This perception will only have been strengthened by the omission of the "ladder" mechanism from Solvency II. This was an idea proposed for debate by CEIOPS during QIS 4 in which insurers' regulatory capital for operational risk would be reduced if they could demonstrate strong operational risk management. In consultation paper 53 on operational risk published in July and the subsequent final advice, CEIOPS said the idea should not be included in the standard formula and instead "undertakings wishing to take this further may use a partial internal model."

There is nevertheless no conflict between what the regulators want and best management practice, Kubitscheck says: "Regulators need two things." They need the firms to have assessed the number for their "capital cushion" as a best estimate. They also want to see that the number has been calculated and assessed on a sound basis and that it is based on elements that can be measured, as well as those that cannot so easily be measured.

Regulators do want to know there is a robust process of management decision-making behind the capital number. But for the industry to view risk management in this way, she believes, "they need more guidance to ensure companies do the right thing rather than focusing on doing things right."
