OPERATIONAL RISK MANAGEMENT plays a key role in the strategic success of organizations, but it presents unique challenges compared to managing market and credit risks. During a recent panel on operational risk sponsored by RMA's New York Chapter, Joe Iraci, managing director, Operational Risk, TD Ameritrade, noted that it is still difficult to quantify operational risk, which makes it difficult to present a number to senior management.
Natural disasters, geopolitical events, and regulatory challenges must be managed so that their impacts on organizations are minimized. No less important are managing management's expectations and defining what successful operational risk management should look like. As noted by panel moderator Steven Vivola, controller, Fidelity Investments Institutional Businesses, "Operational risk management is not an 'easy' button from Staples."
Vivola lamented that many people view operational risk management only as a back-office function that evaluates processes and systems. In today's global market environment, however, managers of operational risk must prepare for a variety of business vulnerabilities facing organizations and their counterparties. "Impacts can be lessened by properly leveraging operational risk management within an organization," Vivola said.
Doug Hoffman, president, Operational Risk Advisors, noted that some types of occurrences, although catastrophic, have a history of erupting from time to time, and risk managers have an established way to respond to them. He pointed to recent events in Japan and political instability in the Middle East, as well as to recurring disasters such as oil spills, chemical contamination, and hurricanes. For newer types of events, however--such as the loss of a database containing sensitive client information--the industry needs to determine what its response should be.
"We need to think about the impacts from an organizational standpoint," Hoffman said. "We don't necessarily have to pinpoint the actual events."
Hoffman, who serves as facilitator of RMA's Advanced Measurement Approaches Group, said his company advocates a "business vulnerability analysis" that helps organizations understand the four "Rs" of impact that an operational risk event may produce:
1. Impact on revenue.
2. Associated risk of loss or expense.
3. Impact on reputation.
4. Regulatory and legal implications.
Strategic Views of Operational Risk
Strategic and tactical (execution) risk management functions are necessary if a firm wants to ensure that its risk principles are embedded throughout the organization. Iraci explained that the strategic element is best placed within the corporate center function, which establishes the tools and framework to align with the firm's strategic direction. The tactical element is best performed by the business risk managers who work within the business lines to implement practices set by the corporate center.
Jack Faer, senior vice president, Operational Risk Management, State Street Global Advisors, disagreed with Iraci. "I don't think the strategy always comes from the center. If you have either very strong business lines or a decentralized organization, strategy is set as much by the business-unit risk managers as by the corporate center. The corporate center focuses on common language and common tools, but the business-unit risk managers often drive the business."
Iraci explained further that the business model itself influences the organizational model. "If you have a strong holding company structure, there's one corporate center," he said. "But if you have a weak holding company structure, that may not be the case. The difference between strategic and tactical depends on the business model."
He also noted that all of the risk management disciplines--credit, market, and …