Based on Daniel Butler's presentation at RMA's Third Annual Operational Risk Forum, this article presents Aon's five-step approach to risk mitigation and shows what a financial institution needs to know before attempting to integrate insurance into its capital framework.
It does sound fearsome: "...loss resulting from inadequate or failed internal processes, people, and systems or from external events." The Basel Committee's Revised Working Paper of September 2002 makes operational risk sound like loss and failure. No one wants to be labeled "inadequate" or a "failure." Of course, that also means everyone wants to have a handle on mitigating operational risks. And that's where the challenges begin.
Banks have developed a range of risk management techniques for credit and market risk. It is on these risks that banks have traditionally focused their risk management resources. Although not new, operational risk management in banking is an evolving and challenging discipline. Operational risks can come from practically anywhere within the organization. The nature of these risks makes them hard to measure as well; so while we may insure against a certain risk, we really don't know if we're underinsured or overinsured. It's hard even to tell exactly what certain insurances cover. Anyone attempting to deal with operational risk management will agree that the data just isn't there...yet. Add to that its evolving nature and the fat-tail tendencies toward highly unlikely but highly disastrous events, and operational risk begins to look as formidable as the Basel Committee has painted it.
Aon takes a five-step approach to effective operational risk mitigation for institutions:
1. Identification and risk mapping, which begins with setting forth the framework for implementation and formalizing an overall operational risk strategy. Definitions help everyone get on the same page; for example, just how does the organization as a whole define a loss? Data capturing mechanisms must then be set up, and losses must be mapped into risk categories communicated to the entire organization.
2. Quantification, which is where technology steps in as we select and apply modeling techniques. Aon enhances its ability to provide banks with external benchmarking, modeling, and forecasting by using its own operational risk database.
3. A risk profile is set up by first identifying the organization's risk appetite overall and then the risk appetites of individual businesses. This is benchmarked against the risk appetites of peer firms as well as the organization's own actuarial trends, and analyzed further by including geographical factors. The organization's strategic vision must overlay the identified risk appetite, and aggregation issues are taken into account, as well as the benefits of market and credit risk diversification.
4. Risk solutions are divided into those that can be handled internally--through captive analysis, risk financing analysis, or risk retention--and those that are mitigated externally through insurance or capital markets. When considering insurance, Aon maps available insurances against identified risks, next reaches an accord with the organization concerning appropriate retention levels and limits, and then designs an insurance program that provides alternative game plans in conjunction with the organization's business goals.
5. Monitoring and updating is important in ensuring that the organization's operational risk management strategy is implemented and maintained. Aon also provides updates on operational risk developments.
Integrating Risk Finance into Capital Framework
Historically, banks buy insurance on a case-by-case basis, rather than holistically. Insurances may include those against employee fidelity, external computer crime, professional indemnity, directors' and …