SlideShare a Scribd company logo

Operational Risk for practitioners v1.0

I
Ignacio Reclusa

The document provides an overview of operational risk for practitioners. It defines operational risk and outlines a framework called the "Operational Risk Triptych" to systematically approach operational risk. The framework includes examining an organization's timeline, business value chain, capabilities, and external factors, as well as improving risk-based decision making processes. It also discusses tools for assessing culture of risks and creating an operational risk balanced scorecard.

Related slideshows

Internal Environmental Analysis
Internal Environmental AnalysisInternal Environmental Analysis
Internal Environmental Analysis
 
External Environment
External EnvironmentExternal Environment
External Environment
 
Internal appraisal of the firm
Internal appraisal of the firmInternal appraisal of the firm
Internal appraisal of the firm
 
1 of 10
Download to read offline
Operational Risk Operational Risk for practitioners v1.0 Ignacio Reclusa Risk Management and Insurance July 2014
Operational Risk for practitioners v1.0 | July 2014 2 Index 1. Introduction  Beginnings and definition 2. Elements  Framework  Timeline  Pipeline  Decision-making process 3. Tools  Culture of Risks and Balance Scorecard
Operational Risk for practitioners v1.0 | July 2014 3 • Beginnings  Businesses have been aware for many years of hazards arising from IT, people, infrastructures, marketing, fraud, business disruption and many similar issues. However, the renewed visibility of these risks under the label of “operational risk” repositions their location and status for management decision-making purposes. Operational risk is a no self-evident category but a label for a diverse range of practices.  The generic term “operations risk” was officially coined in 1991 by the COSO Report, but did not widespread until the mid 90s when the “rogue trading” of Nick Leeson caused the collapse of Barings Bank and other scandals forced the Basel Committee on Banking Supervision within the Bank for International Settlements (BIS) to refresh the scope of their existing 1988 guidance and to publish in June 1999 a new proposal: Basel 2.  Basel 2 represents an evolution of the capital rules for banks extending an refining the basic idea of a capital cushion for risks, both measured (credit and market) and non-measured. Non-measured risks became more conspicuous supervisory issue and came to be problematised in terms of “operational risk” management.  The process of developing these rules for measuring OR capital has been and remains subject to considerable industry negotiation, featuring “road shows” and marketing of best practice by the Basel Committee. • Definition  In its early manifestations, OR was simply a residual category for “other risks” not covered by market risk and credit risk.  Later, in March 1997, a joint survey by the British Bankers Association and Coopers & Lybrand explored several definitions.  In 2001, Basel 2 defined OR as “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events”. The definition was clarified to exclude reputational and strategic risks, and focuses on causes of loss.  This definition has been around for the latest almost 15 years. However, a fresh approach is required to embed Operational Risk Management within the organizations. 1 Introduction Beginnings and definition
Operational Risk for practitioners v1.0 | July 2014 4 • One of the major issues an Operational Risk practitioners faces is how to approach such a wide range of subjects covered under the umbrella of “Operational Risk”. • There are three common pitfalls when approaching Operational Risk Management: 1. Just focusing on the process approach rather than on the whole three risk factors (business functional value chain and its processes, capabilities and external factors); 2. Highly focused on qualitative assessment based in self-questionnaires and interviews; 3. Poor risk decision-making processes. • This limited analysis will lead to a misevaluation of the Operational Risk, and therefore, to a higher exposure than desired / communicate through the risk appetite. • This document aims to present a framework to systematically approach operational risk matters. The framework presented below is called the “Operational Risk Triptych”. A triptych is a piece of art made of three paintings connected to each other in a way that allows the two outer ones to fold in towards the larger central one. In this sense, the “timeline” and “decision making process” figuratively speaking fold in toward the “pipeline”. • As a very basic approach, this framework aims to correct common pitfalls and, at the same time, use a business functional language: 2 Elements Framework
Operational Risk for practitioners v1.0 | July 2014 5 • It is important for operational risk practitioners assessing a business to understand the organization’s history and current status, in order to identify the present and future risks the organization is facing. • Past  When was the company founded?  Why was it founded?  What decisions we made in the past and what outcome they produced (accomplishments and failures)  How has its direction changed? • Present  What are its existing product lines?  How many employees does the company have?  Where does it stand in its industry and marketplace?  Are sales on an upswing, level, or in a decline?  Can a decision be made and what sources of information do we need in order to decide? • Future  What are its objectives and goals?  What does it plan for new markets and products?  To what extent past or present decisions constraint future one’s? 2 Elements Timeline
Operational Risk for practitioners v1.0 | July 2014 6 • Business Functional Value Chain  A value chain is a group of activities that an organization performs in order to deliver a valuable product or service for the market.  The concept was first described and popularized by Michael Porter in his 1985 best-seller, ”Competitive Advantage: Creating and Sustaining Superior Performance”.  In Porter's value chains, Inbound Logistics, Operations, Outbound Logistics, Marketing and Sales and Service are categorized as primary activities. Secondary activities include Procurement, Human Resource management, Technological Development and Infrastructure.  For gaining the competitive advantages, Porter suggested that going through the chain of organization activities will add more value to the product and services than the sum of added cost of these activities. And thus, the company will gain marginal value for that product or service.  For that it needs a combination of value chain activities and a synchronization among all the related activities. Most of the organizations set activities gathered around the processes of the following business functions: • Primary business functions: o Product o Marketing o Sales • Secondary business functions o Technical (Actuarial, Engineering, etc) o Finance o Human resources o Technology o Infrastructure • Capabilities  We understand by capabilities those that are the sources and competences of an organization needed for it to survive and grow.  We can divide them into: • Tangible: Physical assets, People, Systems, Financial; • Intangible: Intellectual capital 2 Elements Pipeline
Operational Risk for practitioners v1.0 | July 2014 7  Based on P. Moscoso’s categorization, when assessing Operational Risks we should look at least at the following attributes: • Capacity: Throughput rates, Processors employment rates • Flexibility: Product mix and system capacity • Agility: Throughput time • Efficiency: WIP, Direct labor • Quality: Errors rate, Wasted time  Some of the tools we could look at when identifying what capabilities the organization has could be: • Value chain: To achieve competitive advantage by delivering value to customers, we need to understand which activities are important in creating value. The value chain describes the categories of activities which together create a product or service. • Value network: it is the set of interoganizational links and relationships that are necessary to create a product or service. We need to understand the whole process and how they can manage these linkages and relationships to improve customer value. • Activity system maps: it shows the different activities of an organization that are linked together. • Benchmarking: it is useful to understand how an organization’s strategic capability, in terms of internal process, compare with those of other organizations. There are different approached to benchmarking(historical, industry or sector and best-in-class benchmarking). • SWOT: it summarizes the key issues from the business environment and the strategic capability of an organization that are most likely to impact on strategy development. This tool is really only useful if it is comparative, i.e. if it examines strengths, weaknesses, opportunities, and threats in relation to competitors. • External factors  Based on G. Johnson and K. Scholes business environment analysis, external factors can be classified as follows: • Macro-environment: a range of broad environmental factors that impacts to a greater or lesser extent to the company. One of the most popular tool is the PEST framework, which leads to key drivers of change and those ones to build scenarios of possible futures. • Industry: this environment is made up of companies producing the same product or services. Mickael Porter’s five forces analysis is a common tool to examine it. • Competitors: in each market there are different companies with different characteristics and competing on different basis. Analyzing the strategic groups (those with similar characteristics, following similar strategies of competing on similar basis) will lead to identify the risk the company is facing. Also customer experience analysis will help to identify opportunities to take into account. 2 Elements Pipeline
Operational Risk for practitioners v1.0 | July 2014 8 • Risk based decision-making processes usually presents a very simplistic view. • For instance, whenever an organization is preparing the forecast for next year, there is always a risk deriving from predicting the future. This uncertainty over the benefits or cash-flows are called the business operational risks. • This risk is, therefore, the uncertainty over which will be the final output of the forecasts done. That is why many Board of Directors are more often willing to integrate the Risk Department within the financial annual forecast process. • This simplistic view is not because of a low capacity of the Directors to understand risks. Usually, the reason is on the own Operational Risk practitioner to use a common business language with them. • Based on this reality, here is presented a 6 decision-making process based on the business decision tools Directors are using to manage organizations: 2 Elements Decision-making process Threat / opportunity definition Facts’ identification Criteria and prioritization Alternatives’ setting Decision- making Monitoring
Operational Risk for practitioners v1.0 | July 2014 9 • First of all, we need to measure the tone of the organization towards risks; that is to say, the culture of risks within the company at all levels. Measuring culture of risk embeddedness is not an easy task for Operational Risk practitioners. A basic model based on professors'’ Vroom and Lawler Expectancy theory, to analyze the culture of risk within the organization is summarized in the following four steps’ process: • In order to manage Operational Risks, practitioners needs to focus Directors, attention to some metrics (controls, KRIs, Risk Maps, etc). All these will be presented at the Operational Risk Balance Scorecard, which requires four steps to create it:  In first place, we need to identify at least the three key variables that will allow the Chief Risk Officer to monitor the operational risk state of art within the organization, and to set the target values for the desired time-frame: 1. Mission of the department and internal client added value, 2. Most critical Dimensions (in our example, Financial performance, impact, Internal processes, Business Lines embeddedness and Learning and growth) and 3. Initiatives in place.  Then, we need to inform them from two different approaches: past experience and subject matter expert forecasts, both from a objective and subjective approach: • Past experience, we can gather the information from data bases of the deviations from previous years forecasts and reality. In addition, we will include in the analysis the subject matter expert forecast. • Subject matter expert forecasts, based on conducted interviews, it will be weight the different risk factors. This analysis could be improved with optimistic and pessimistic scenarios.  In order to set appropriate levels of target performances and trends, we can infer from previous data what values should be set in order to fulfill with the financial forecasts. Depending on the data available, the Chief Risk Officer could adopt two different approaches: • Qualitative approach, through the so called “strategic map”. • Quantitative approach, through the OpVar calculations.  Finally, last step is to integrate the result on the Risk Committees. The objective is to set adequate action plans, allocate enough resources to the initiatives and maintain aligned strategic workstream portfolio so the Risk Department is making risk management function a value-adding function in the boardroom. 3 Tools Culture of Risks and Balance Scorecards
Operational Risk for practitioners v1.0 | July 2014 10 Brief Bio International Risk Management and Insurance senior management expert, with over 13 years of experience in the industry. I have a broad experience in helping organizations step up to their true potential. Uniquely positioned to talk about operational risks and how to turn productivity into a healthier organization. I have lectured to professional groups and business audiences. Ignacio Reclusa Risk Management and Insurance M +34 677 023 800 www.ignacioreclusa.com ignacioreclusa@gmail.com

More Related Content

Operational Risk for practitioners v1.0

  • 1. Operational Risk Operational Risk for practitioners v1.0 Ignacio Reclusa Risk Management and Insurance July 2014
  • 2. Operational Risk for practitioners v1.0 | July 2014 2 Index 1. Introduction  Beginnings and definition 2. Elements  Framework  Timeline  Pipeline  Decision-making process 3. Tools  Culture of Risks and Balance Scorecard
  • 3. Operational Risk for practitioners v1.0 | July 2014 3 • Beginnings  Businesses have been aware for many years of hazards arising from IT, people, infrastructures, marketing, fraud, business disruption and many similar issues. However, the renewed visibility of these risks under the label of “operational risk” repositions their location and status for management decision-making purposes. Operational risk is a no self-evident category but a label for a diverse range of practices.  The generic term “operations risk” was officially coined in 1991 by the COSO Report, but did not widespread until the mid 90s when the “rogue trading” of Nick Leeson caused the collapse of Barings Bank and other scandals forced the Basel Committee on Banking Supervision within the Bank for International Settlements (BIS) to refresh the scope of their existing 1988 guidance and to publish in June 1999 a new proposal: Basel 2.  Basel 2 represents an evolution of the capital rules for banks extending an refining the basic idea of a capital cushion for risks, both measured (credit and market) and non-measured. Non-measured risks became more conspicuous supervisory issue and came to be problematised in terms of “operational risk” management.  The process of developing these rules for measuring OR capital has been and remains subject to considerable industry negotiation, featuring “road shows” and marketing of best practice by the Basel Committee. • Definition  In its early manifestations, OR was simply a residual category for “other risks” not covered by market risk and credit risk.  Later, in March 1997, a joint survey by the British Bankers Association and Coopers & Lybrand explored several definitions.  In 2001, Basel 2 defined OR as “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events”. The definition was clarified to exclude reputational and strategic risks, and focuses on causes of loss.  This definition has been around for the latest almost 15 years. However, a fresh approach is required to embed Operational Risk Management within the organizations. 1 Introduction Beginnings and definition
  • 4. Operational Risk for practitioners v1.0 | July 2014 4 • One of the major issues an Operational Risk practitioners faces is how to approach such a wide range of subjects covered under the umbrella of “Operational Risk”. • There are three common pitfalls when approaching Operational Risk Management: 1. Just focusing on the process approach rather than on the whole three risk factors (business functional value chain and its processes, capabilities and external factors); 2. Highly focused on qualitative assessment based in self-questionnaires and interviews; 3. Poor risk decision-making processes. • This limited analysis will lead to a misevaluation of the Operational Risk, and therefore, to a higher exposure than desired / communicate through the risk appetite. • This document aims to present a framework to systematically approach operational risk matters. The framework presented below is called the “Operational Risk Triptych”. A triptych is a piece of art made of three paintings connected to each other in a way that allows the two outer ones to fold in towards the larger central one. In this sense, the “timeline” and “decision making process” figuratively speaking fold in toward the “pipeline”. • As a very basic approach, this framework aims to correct common pitfalls and, at the same time, use a business functional language: 2 Elements Framework
  • 5. Operational Risk for practitioners v1.0 | July 2014 5 • It is important for operational risk practitioners assessing a business to understand the organization’s history and current status, in order to identify the present and future risks the organization is facing. • Past  When was the company founded?  Why was it founded?  What decisions we made in the past and what outcome they produced (accomplishments and failures)  How has its direction changed? • Present  What are its existing product lines?  How many employees does the company have?  Where does it stand in its industry and marketplace?  Are sales on an upswing, level, or in a decline?  Can a decision be made and what sources of information do we need in order to decide? • Future  What are its objectives and goals?  What does it plan for new markets and products?  To what extent past or present decisions constraint future one’s? 2 Elements Timeline
  • 6. Operational Risk for practitioners v1.0 | July 2014 6 • Business Functional Value Chain  A value chain is a group of activities that an organization performs in order to deliver a valuable product or service for the market.  The concept was first described and popularized by Michael Porter in his 1985 best-seller, ”Competitive Advantage: Creating and Sustaining Superior Performance”.  In Porter's value chains, Inbound Logistics, Operations, Outbound Logistics, Marketing and Sales and Service are categorized as primary activities. Secondary activities include Procurement, Human Resource management, Technological Development and Infrastructure.  For gaining the competitive advantages, Porter suggested that going through the chain of organization activities will add more value to the product and services than the sum of added cost of these activities. And thus, the company will gain marginal value for that product or service.  For that it needs a combination of value chain activities and a synchronization among all the related activities. Most of the organizations set activities gathered around the processes of the following business functions: • Primary business functions: o Product o Marketing o Sales • Secondary business functions o Technical (Actuarial, Engineering, etc) o Finance o Human resources o Technology o Infrastructure • Capabilities  We understand by capabilities those that are the sources and competences of an organization needed for it to survive and grow.  We can divide them into: • Tangible: Physical assets, People, Systems, Financial; • Intangible: Intellectual capital 2 Elements Pipeline
  • 7. Operational Risk for practitioners v1.0 | July 2014 7  Based on P. Moscoso’s categorization, when assessing Operational Risks we should look at least at the following attributes: • Capacity: Throughput rates, Processors employment rates • Flexibility: Product mix and system capacity • Agility: Throughput time • Efficiency: WIP, Direct labor • Quality: Errors rate, Wasted time  Some of the tools we could look at when identifying what capabilities the organization has could be: • Value chain: To achieve competitive advantage by delivering value to customers, we need to understand which activities are important in creating value. The value chain describes the categories of activities which together create a product or service. • Value network: it is the set of interoganizational links and relationships that are necessary to create a product or service. We need to understand the whole process and how they can manage these linkages and relationships to improve customer value. • Activity system maps: it shows the different activities of an organization that are linked together. • Benchmarking: it is useful to understand how an organization’s strategic capability, in terms of internal process, compare with those of other organizations. There are different approached to benchmarking(historical, industry or sector and best-in-class benchmarking). • SWOT: it summarizes the key issues from the business environment and the strategic capability of an organization that are most likely to impact on strategy development. This tool is really only useful if it is comparative, i.e. if it examines strengths, weaknesses, opportunities, and threats in relation to competitors. • External factors  Based on G. Johnson and K. Scholes business environment analysis, external factors can be classified as follows: • Macro-environment: a range of broad environmental factors that impacts to a greater or lesser extent to the company. One of the most popular tool is the PEST framework, which leads to key drivers of change and those ones to build scenarios of possible futures. • Industry: this environment is made up of companies producing the same product or services. Mickael Porter’s five forces analysis is a common tool to examine it. • Competitors: in each market there are different companies with different characteristics and competing on different basis. Analyzing the strategic groups (those with similar characteristics, following similar strategies of competing on similar basis) will lead to identify the risk the company is facing. Also customer experience analysis will help to identify opportunities to take into account. 2 Elements Pipeline
  • 8. Operational Risk for practitioners v1.0 | July 2014 8 • Risk based decision-making processes usually presents a very simplistic view. • For instance, whenever an organization is preparing the forecast for next year, there is always a risk deriving from predicting the future. This uncertainty over the benefits or cash-flows are called the business operational risks. • This risk is, therefore, the uncertainty over which will be the final output of the forecasts done. That is why many Board of Directors are more often willing to integrate the Risk Department within the financial annual forecast process. • This simplistic view is not because of a low capacity of the Directors to understand risks. Usually, the reason is on the own Operational Risk practitioner to use a common business language with them. • Based on this reality, here is presented a 6 decision-making process based on the business decision tools Directors are using to manage organizations: 2 Elements Decision-making process Threat / opportunity definition Facts’ identification Criteria and prioritization Alternatives’ setting Decision- making Monitoring
  • 9. Operational Risk for practitioners v1.0 | July 2014 9 • First of all, we need to measure the tone of the organization towards risks; that is to say, the culture of risks within the company at all levels. Measuring culture of risk embeddedness is not an easy task for Operational Risk practitioners. A basic model based on professors'’ Vroom and Lawler Expectancy theory, to analyze the culture of risk within the organization is summarized in the following four steps’ process: • In order to manage Operational Risks, practitioners needs to focus Directors, attention to some metrics (controls, KRIs, Risk Maps, etc). All these will be presented at the Operational Risk Balance Scorecard, which requires four steps to create it:  In first place, we need to identify at least the three key variables that will allow the Chief Risk Officer to monitor the operational risk state of art within the organization, and to set the target values for the desired time-frame: 1. Mission of the department and internal client added value, 2. Most critical Dimensions (in our example, Financial performance, impact, Internal processes, Business Lines embeddedness and Learning and growth) and 3. Initiatives in place.  Then, we need to inform them from two different approaches: past experience and subject matter expert forecasts, both from a objective and subjective approach: • Past experience, we can gather the information from data bases of the deviations from previous years forecasts and reality. In addition, we will include in the analysis the subject matter expert forecast. • Subject matter expert forecasts, based on conducted interviews, it will be weight the different risk factors. This analysis could be improved with optimistic and pessimistic scenarios.  In order to set appropriate levels of target performances and trends, we can infer from previous data what values should be set in order to fulfill with the financial forecasts. Depending on the data available, the Chief Risk Officer could adopt two different approaches: • Qualitative approach, through the so called “strategic map”. • Quantitative approach, through the OpVar calculations.  Finally, last step is to integrate the result on the Risk Committees. The objective is to set adequate action plans, allocate enough resources to the initiatives and maintain aligned strategic workstream portfolio so the Risk Department is making risk management function a value-adding function in the boardroom. 3 Tools Culture of Risks and Balance Scorecards
  • 10. Operational Risk for practitioners v1.0 | July 2014 10 Brief Bio International Risk Management and Insurance senior management expert, with over 13 years of experience in the industry. I have a broad experience in helping organizations step up to their true potential. Uniquely positioned to talk about operational risks and how to turn productivity into a healthier organization. I have lectured to professional groups and business audiences. Ignacio Reclusa Risk Management and Insurance M +34 677 023 800 www.ignacioreclusa.com ignacioreclusa@gmail.com