OpenLink

The primary concern for organizations looking to implement Basel II compliant systems is currently the acceptance of the capital figure by regulators. However, to be an effective model internally, the operational risk information will need to be integrated into the day-to-day business management of the firm. Operational risk should be quantified within the business units and product lines of an organization on as detailed a level as possible for managers to be able to make judgments on returns against operational risk capital requirements. It is critical that the model of operational risk chosen (and the software tools that report and measure it) provide sufficient detail that this risk can be reduced in a quantifiable fashion other than by closing profitable business lines. These internal considerations are all in addition to the obvious external benefits derived from improving public confidence in the firm's ability to avoid large losses.

Poor quality capital models simply transfer operational risk to model risk, and regulators may not initially agree to figures from unproven models unless they meet some aggregate expectation or benchmark. Business line managers are likely to be skeptical about qualitative implementations and shallow links to capital using control risk assessments, and may eventually ignore key risk indicators that do not prove useful in reducing losses and capital. The public will become aware of the lack of effectiveness of an operational risk regime only when a large loss occurs and its cause will be viewed as something for which the firm can be held accountable. In this event, all concerned would not be blamed for viewing the entire exercise as ineffective and futile.

Avoiding the transfer of operational risk to model risk

Standard risk management practice recognizes a concept of model risk as an integral part of market and credit risk. This can be loosely defined as possible losses arising from incorrect assumptions behind the (sometimes complex) models used to quantify these risks. Risk management is about measuring uncertainty. One can measure the uncertainty in a model as well as in a process, asset or transaction.

By measuring the amount of risk in the operational risk capital model, the firm and regulators are better able to assess the possibility that operational risk has been transferred into model risk. The procedure for measuring the risk in an operational risk model follows the fundamental of techniques commonly used for market and credit risk model assessment.

Advanced capital models are available that implement this technique and will provide a capital figure that includes the errors in the original loss data. One would expect this figure to be higher than a figure generated without errors, since it includes the model uncertainty, and the difference between the two can be used as a measure of the risk contained in the operational risk model. In the future, one would expect regulators to require an assessment of model risk using this technique.

Linking Key Risk Indicators to Loss Events

Many firms are collecting key risk indicators and some are collecting hundreds of indicators in order to determine later which of them are more useful for reducing loss events. Obviously each business line may have its specific set of indicators, but how will a firm determine if a specific indicator is useful? Most are relying on the business line manager because the specific loss event knowledge lies with them. Some are collecting associated classification and 'causal' information about the loss, but few are retaining transaction-related information.

Since businesses are transaction oriented, the lack of transaction-related information will severely restrict the ability of the business line manager to evaluate the effectiveness of key risk indicators over time, preventing them from reducing the resulting risks once they have been quantified. It is relatively easy to imagine two different product transactions that create the same sort of loss and yet require completely different control approaches in order to eliminate future recurrences. One effective way to generate key risk indicators is to analyze the loss event information together with transaction-related data in order to generate statistical feedback for business managers that is both consistent and reliable.

Advanced techniques (based on Bayesian networks) are now available in software products that can instantly provide this kind of feedback. This provides useful information to reduce risk, at a core level within the operational workflows of that organization. Without these techniques, organizations are in danger of implementing a risk measurement approach that will provide numbers that they cannot then reduce in a quantifiable fashion.

Extending ops risk regimes to cover specific events

Many operational risk regimes are trying to address the effectiveness of controls and use the key risk indicators and loss data to this end. Unfortunately, controls are applied to specific product types and the operations that affect them, so the link to loss data is unclear at best. A much more constructive approach is to use a transaction model to measure the effectiveness of control directly. Again, this requires access to transaction level information (as does the key risk indicator measurement described above), but provides an ability to measure the effectiveness of key controls across transactions and then 'complete the loop' by relating these to key risk indicators and, finally, to losses. Some firms are trying to accomplish this by recording control failures for loss events that have no losses associated with them (near misses). Others have attempted to extend rules-based exception systems to cover all cases. However, any realistic approach needs to be based on models that can respond over time due to the dynamics of operational processing and new business requirements.

Summary

To a large extent the purpose of Basel II is about providing assurance to the stakeholders that management understands and controls risks occurring in the business. The regulators will need to know that firms understand and can control the risk in capital models for operational risk. Business line managers need to know that key indicators of operational risk provide important useful information for reducing losses and associated capital. And the public needs to know that an effective operational risk regime can reduce the impact of large losses in a firm. Banks will need to work hard to overcome these challenges and the benefits of capital model error analysis, key risk indicator correlation, and transaction level risk control effectiveness measures will go a long way to providing the credibility and assurance that operational risk holds out as its promise.

About the author

Jean-Claude Riss has worked with OpenLink since 1995, first as a consultant with mpct Solutions, Ltd. marketing the company's integrated risk management systems. He joined OpenLink in 1998 as Managing Director of OpenLink International when the company opened its London office. During his tenure with mpct Solutions, formerly Internet Systems, Ltd., Riss also acted as General Manager, responsible for the product direction, sales activities and project management for Ceres/Transact Trading Systems. He co-founded and managed this software company, which developed a real-time risk management system for front office treasury trading. For the 15 years prior to founding Ceres/Transact Trading Systems, Riss was involved in a number of risk management trading areas for Manufacturers Hanover Trust, including Capital Markets, Treasury, Operations, Central Planning, Controllers and International Audit.

About the co-author

This article was co-authored by Dr. Jack King, managing director of Genoa (UK) Limited, a financial risk and software consulting firm near London. Dr. King has almost 30 years of experience in technology and its application to risk, and is the author of "Operational Risk: Measurement and Modelling," published by John Wiley & Sons Limited.

About OpenLink

OpenLink was founded in 1992 with the core conviction and far-reaching vision that trading, risk management and operations software that supports ever-changing marketplaces requires an adaptive and dynamic integration-enabling architecture. An architecture that addresses both technical and business requirements, while facilitating the conversion of labor-intensive front- through back-office tasks into highly efficient and automated processes. With this challenge as its charter, a group of key software engineers and business experts created OpenLink's Adaptive, Dynamic and Integration-enabling (ADI) Framework, a robust software environment that supports these requirements and the best practices of traders, risk managers, operations experts and technologists regardless of the instrument traded.

Copyright © 2004 GTNews. All rights reserved.
Used by permission. Reprinted from www.gtnews.com - May 2004

   Printer-friendly version of this article  ()