Figure 3.2 Mutually exclusive collectively comprehensive taxonomy (figure content as extracted)

Impacts: Financial loss; Reputation damage; Regulatory breach; Customer detriment
Causes: People; Process; Systems; External events
Controls: Preventive; Detective; Corrective; Directive
Risks: The remaining eventualities are operational risks
Table 3.3 Examples of risk categories – level 1 and level 2

Code L1 | Risk level 1              | Code L2 | Risk level 2
--------|---------------------------|---------|-----------------------------------------------------
5       | Operations risk           | 5.1     | Unavailability/disruption of services Delivery
5       | Operations risk           | 5.3     | Capacity gap (leading to underperformance)
5       | Operations risk           | 5.4     | Maintenance incident (change management)
5       | Operations risk           | 5.5     | Operational support errors (slips and mistakes)
5       | Operations risk           | 5.6     | Customer support errors (slips and mistakes)
5       | Operations risk           | 5.7     | Reporting inaccuracy
5       | Operations risk           | 5.10    | Damage to building and facilities
5       | Operations risk           | 5.11    | Supplier failures (utilities or others)
6       | Information security risk | 6.1     | Accidental data corruption (integrity)
6       | Information security risk | 6.2     | Confidentiality breach
6       | Information security risk | 6.3     | Cyber threats (external)
6       | Information security risk | 6.4     | Malicious act (internal)
6       | Information security risk | 6.5     | Accidental data loss
Risk Definition and Taxonomy
27
CASE STUDY: MARKET INFRASTRUCTURE COMPANY – BUILDING A RISK TAXONOMY

When I first arrived in this company, the risk register was a 27-page Excel spreadsheet, printed in a small font. This is what a lack of standardized risk categories leads to. There was no agreement on the risk types, and all risk identification and assessments were performed on an ad hoc basis. Many lines in this very long register expressed similar risks in slightly different ways. And many risk identification and assessment exercises were carried out in various departments and in various projects, without anyone taking the time to order the results into fixed categories. This company needed a risk taxonomy badly.

The level 1 risk categories turned out to be easy to establish and to tie in with an existing governance structure. A handful of committees took charge of different risk types, around which it was sensible to build the main risk categories.

The definition of risk categories at level 2 required a few more iterations. The first version was drafted by the enterprise risk management department and was based on the knowledge of the business and on the existing risk register. Each risk category was then presented to each risk owner or specialist department for review and comments. The comments were collated and refined until we reached a consensus. The exercises took about four weeks.
CHAPTER 4
Risk Connectivity and Risk Networks

The trouble with risk lists and risk registers is that all the risks appear independent of each other. However, in the same way that causes lead to risks and then to impacts, risks are interrelated and interdependent. The segmentation described in the last chapter between causes, risks and impacts is purely for convenience. The distinction between people, processes, systems and external events is a way to order the causes of operational risks, in keeping with the Basel definition. Similarly, for convenience, the impacts of operational risks are defined as financial loss, reputation damage, compliance breach, customer detriment and sometimes disruption of services. But risks transcend categories, and it is a mistake to assume they behave independently. In reality, everything is connected, which is why so many firms are confused when it comes to defining causes, risks and impacts.
Risk networks are a promising and growing resource in firms with more mature operational risk management. Also known as risk connectivity and sometimes risk visualization, these networks provide risk managers with useful insights. They highlight the dependencies and other connections between different risks, and are not just tools for risk modelers and quantitative analysts.

The best-known user of risk networks is probably the World Economic Forum (WEF). Every year, in its global risk report, published on its website (weforum.org), WEF presents a network view of global risks. Diamonds represent individual risks, and they are joined by lines of different thickness that denote the strength and intensity of the connection. The more lines that connect with a diamond, the larger the diamond is drawn, to reflect the significance of that risk. In recent years, risks such as governance failures (2015) or large-scale involuntary migration (2017) have gained the most connections, while interdependence is strongest among ecology risk groups, such as extreme weather events, climate change, water and food crises.
This last example highlights one of the main benefits of a risk network representation: the identification of clusters. Risk clusters are types of risks that are linked to each other and should be considered holistically. For WEF, climate change, weather and food crises constitute a cluster, mostly triggered by climate change. Identifying a trigger risk for a group of other subsequent risks is a second important benefit of this type of approach, as it gives risk managers clear indications of where to prioritize risk management after focusing on the first trigger. The following sections illustrate these benefits by applying networks to top risks and by using case studies.

Operational Risk Management: Best Practices in the Financial Services Industry, First Edition. Ariane Chapelle. © 2019 John Wiley & Sons Ltd. Published 2019 by John Wiley & Sons Ltd.
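The network view described above (risks as nodes, lines whose strength weights the connection, node size driven by the number and strength of lines, clusters of linked risks, and a trigger risk at the head of a cluster) can be reproduced on a small scale in code. The following Python block is an added illustration, not code from the book or from WEF; the risk names and link strengths in RISK_LINKS are constructed for the example and are not any organisation's actual register.

```python
"""Toy risk-connectivity network: risks are nodes, links carry a strength,
a risk's 'diamond size' is the total strength of the lines touching it,
clusters are groups of mutually linked risks, and a trigger risk is a
cluster member with no incoming link. Constructed example, not real data."""
from collections import defaultdict

# Constructed links: (cause risk, consequence risk, strength 1-3).
# Names are illustrative only; they are not any firm's actual register.
RISK_LINKS = [
    ("climate change", "extreme weather", 3),
    ("extreme weather", "water crisis", 2),
    ("extreme weather", "food crisis", 2),
    ("water crisis", "food crisis", 1),
    ("obsolete HR application", "cyberattack", 2),
    ("cyberattack", "confidentiality breach", 3),
    ("confidentiality breach", "regulatory breach", 2),
    ("confidentiality breach", "reputation damage", 2),
]


def build_graph(links):
    """Index links by source and by destination; returns (nodes, out, in)."""
    out_edges, in_edges, nodes = defaultdict(dict), defaultdict(dict), set()
    for src, dst, strength in links:
        out_edges[src][dst] = strength
        in_edges[dst][src] = strength
        nodes.update((src, dst))
    return nodes, out_edges, in_edges


def connection_strength(links):
    """Total strength of the lines touching each risk: the 'diamond size'."""
    nodes, out_edges, in_edges = build_graph(links)
    return {n: sum(out_edges[n].values()) + sum(in_edges[n].values())
            for n in nodes}


def ranked_risks(links):
    """Risks ordered from most to least connected (ties broken by name)."""
    strength = connection_strength(links)
    return sorted(strength.items(), key=lambda item: (-item[1], item[0]))


def clusters(links):
    """Groups of risks linked to each other, ignoring link direction
    (weakly connected components); each cluster is a sorted list."""
    nodes, out_edges, in_edges = build_graph(links)
    seen, result = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        seen.add(start)
        stack, members = [start], []
        while stack:
            risk = stack.pop()
            members.append(risk)
            for neighbour in list(out_edges[risk]) + list(in_edges[risk]):
                if neighbour not in seen:
                    seen.add(neighbour)
                    stack.append(neighbour)
        result.append(sorted(members))
    return result


def trigger_risks(links):
    """Risks that start a chain (outgoing links, none incoming): mitigating
    these first addresses the whole cluster rather than each consequence."""
    nodes, out_edges, in_edges = build_graph(links)
    return sorted(n for n in nodes if out_edges[n] and not in_edges[n])


if __name__ == "__main__":
    for risk, strength in ranked_risks(RISK_LINKS):
        print(f"{strength:2d}  {risk}")
    for group in clusters(RISK_LINKS):
        print("cluster:", ", ".join(group))
    print("trigger risks:", ", ".join(trigger_risks(RISK_LINKS)))
```

On the constructed data the two most connected risks are "extreme weather" and "confidentiality breach", which are mid-chain consequences rather than root causes; the trigger risks are "climate change" and "obsolete HR application", each with a low connection score of its own. That gap between a risk's individual score and its position at the head of a cluster is the point the mining-company case study below makes about a "minor" risk in the register.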
MANAGING RISKS IN CLUSTERS
Investment in risky financial assets such as shares or bonds is managed through portfolios, not independent lines. Financial theory demonstrates that in a portfolio of ten assets, the risk and return are nearly solely determined by the correlations between those assets (known as the portfolio covariance). The risk and return of each individual asset is insignificant (10% of the total in the case of a portfolio with ten assets). The same applies to a portfolio of non-financial risks; what matters are the interconnections.

Besides the modeling aspect, the interconnection between risks has important lessons for management. Even if the connections are based on intuition and business experience, which is sometimes more reliable anyway than complex or questionable data, these links allow us to apply risk management resources and mitigation efforts more efficiently. They highlight clusters or trigger risks that need attention, possibly before isolated risks. A large mining company experienced it the hard way, as illustrated in the case study.
CASE STUDY: LESSONS FOR THE FINANCIAL SECTOR FROM A MINING COMPANY

A large mining company decided to move from a risk list to a connectivity view after experiencing an incident that turned out to be far more damaging than anticipated. The risk related to that incident had been assessed as minor in the risk register and so was not strongly mitigated. What the register failed to show was that this supposedly small risk was actually connected to a number of much larger risks to the business, resulting in a cumulative impact that took everyone by surprise. Since then, the company has established a risk connectivity view, with the help of the firm Systemic Consult (see Figure 4.1).

Understandably, the company did not reveal publicly what this apparently small risk was. We can easily find equivalents in the financial sector, however – an example is obsolete human resources applications. Would you be concerned if some HR applications in your firm were not up-to-date? You should be. Application obsolescence is typically associated with performance, but it also increases vulnerability to cyberattacks. Furthermore, HR departments are natural backdoors for cybercriminals as they hold all the personal and banking information on staff. Watch for interconnections.