Scenario Identification Process
well into the structure of the firm. However, you should not confuse the organization of scenarios with their comprehensiveness. A common flaw in many immature organizations is analyzing just one scenario for each risk type, often simply matching the seven risk categories identified by Basel II. I recommend moving away from this rigid framework, as risks and exposure rarely fall neatly one into each box. In some businesses, there will be many disruption scenarios, while internal fraud remains negligible; and in others, compliance scenarios (for clients, products and business practices) may dominate, while scenarios for damage to physical assets are very limited.
The generation phase may produce a long list of scenarios, possibly too unstructured to be presented for assessment. Scenario selection is an intermediary phase where some scenarios are consolidated and others eliminated or added, in order to obtain a list relevant enough to be fully assessed. Examples of consolidated scenarios are those relating to the same internal impact but different external causes, such as damage to physical assets; indeed, building damage due to extreme weather events, political unrest or terrorist attacks has the same effect on the firm and can be seen as the same event with various possible causes. Scenarios that quickly appear as negligible in impact can be excluded during the selection phase, in order to spare time for bigger scenarios during the assessment phase. Tail risk scenarios can be eliminated if the risk owner can convincingly demonstrate that the maximum loss is moderate enough to be absorbed by normal operating margin and without significant disruption to the business. For instance, if the HR director credibly demonstrates that all the key people in the firm are identified, have a back-up or substitute worker and a succession plan in place, the “key man risk” scenario is likely to drop out of the list before the assessment phase.
Some scenarios may generate a great deal of debate and strong opinions, but the required levels of knowledge do not always back the views expressed. Cyberattacks and information security are prime examples of operational risk topics where misinformation, or incomplete knowledge, is dangerous. This underlines the importance of involving true experts in the scenario assessment phase when necessary.
In some particular cases, scenarios relate to risks that have already materialized
and firms have made provisions but the settlement loss is uncertain. This is typically the
case in litigation. These are more risk events than scenarios in the strict sense, although
the uncertainty of outcome may be large enough to be considered as a scenario. An
example is BNP Paribas’ record fine of $8.9 billion in 2015 for sanctions violations:
the fine was expected, but the amount was much larger than the firm had provisioned
initially.
Comparisons with other internal and external evidence can also help with selecting
more scenarios from the initial list generated. For this, support documents detailing
similar events in peer firms, examples of past internal incidents and near misses, key
risk indicators and organizational changes are useful.
Finally, a firm may find it useful to compare its generated scenarios with an
industry list of scenarios, to check whether it has missed anything relevant. The
Operational Risk Consortium (ORIC) and the Operational Riskdata eXchange
Association (ORX) are examples of industry bodies that provide ready-made scenario
lists to their members. However, I would recommend doing this check only after the
process. You should avoid a practice still widespread in the industry whereby all the
scenarios in a benchmark list are evaluated and those that don’t appear to apply are
excluded. This method makes the dangerous assumption that the benchmark list (from
an industry body, a consultant, or last year’s list) is the full risk universe, whereas
it can only be representative of risks at a given time. I know a sizeable financial
institution that used this type of benchmarking, but its largest exposure scenario was
not on the list. Thankfully, the missing scenario did not materialize and the financial
institution has now revised its scenario identification process.
CHAPTER 3
Risk Definition and Taxonomy
DEFINING RISKS
Defining a risk is less straightforward than you may think. The following examples illustrate some of the common inaccuracies that occur in risk identification exercises.
Technology is not a risk; it’s a resource. All firms rely on technology, and risks linked to technology are best defined as potential incidents and accidents due to failures, such as systems interruption, model error, wrong pricing calculation, overcapacity and application crashes.
Manual processing is also not a risk; it’s a cause or a risk driver. It increases the
probability of another risk occurring, such as input errors and omissions. Risks due to
manual processing may include errors in the valuation of funds, errors in accounting
records, omitting to send reports to clients, etc.
Compliance and regulatory change is a priority for every regulated financial entity.
It’s an obligation and a constraint, but once again, not a risk in itself. Rather, it brings
risks such as compliance breach, mostly through oversight due to the sheer number and
complexity of regulations that must be followed. However, it can also be deliberate,
perhaps temporarily when adjusting to new regulatory requirements.
Inadequate supervision or insufficient training are also commonly cited as risk factors, but they are not risks per se; they are control failures. The answer to a control failure is simple: fix the control. Or add a secondary control. If that sounds all too familiar, you are not alone. I know a very large financial institution whose entire risk categorization is expressed as failed controls. Although not an industry leader in operational risk management, it is nonetheless a household name, which shows that no business is immune from weaknesses. Inadequate supervision can lead to the risk of internal fraud, errors and omissions, and sub-standard productivity resulting in customer dissatisfaction or loss.
Risks should be defined as much as possible as negative events, uncertainties, incidents or accidents. They should be specific and concrete. “What could go wrong?” is a simple, jargon-free question that can help to define risks. The more specific you are, the easier it will be to assess risks and to find the relevant mitigating actions. Later on, you will categorize information into different levels of detail in a similar way to the Basel categories in Table 3.1.
Operational Risk Management: Best Practices in the Financial Services Industry, First Edition.
Ariane Chapelle.
© 2019 John Wiley & Sons Ltd. Published 2019 by John Wiley & Sons Ltd.
TABLE 3.1 Examples of defined risks – Basel categories Levels 1, 2 and 3