Risk Mitigation
higher than, their average annual losses. They would rather face the limited volatility of
smaller losses but are ready to pay to avoid the larger swings in profit and loss caused
by significant events. In the December 2017 Basel III paper on the standardized measurement
approach for operational risk, insurance recoveries are deducted from gross
losses to calculate the net loss amounts, part of the loss multiplier of regulatory capital
that will influence – in some jurisdictions – the amount of capital held by banks. The
future will tell whether this is an incentive for banks to take operational insurance in
regulatory environments and enforce the loss multiplier.
CHAPTER 11
Root Cause Analysis and Action Plans

GENERALITIES AND GOOD PRACTICE
Performing root cause analysis of significant operational risk events and near misses is
covered in The Principles for the Sound Management of Operational Risk by the Basel
Committee on Banking Supervision (BCBS) in its third edition of 2014.¹ BCBS states:
“A noteworthy practice identified by only a few banks was the establishment of
an internal threshold (eg $100,000 or €100,000) whereby any operational risk event
(ie losses, near-misses and profitable events) was subject to an exhaustive and standardised
root cause analysis by the first line of defence, which in turn was subject to
independent review and challenge by the second line of defence. These banks noted
that the operational risk management function provides the business line with supporting
guidance and a standardised template to ensure a consistent approach. Some banks
also noted that the process involved embedding the bank’s operational risk taxonomy
into the template, so that this information could inform the use of the other operational
risk management tools.
Additional noteworthy practices include the first line of defence leading the root
cause analysis and creating action items to address any identified control deficiencies,
the second line of defence closely monitoring and tracking those action items, and
escalating the details of the root cause analysis and resulting action plan for items above
a higher internal threshold to senior management or an operational risk committee for
review. Another noteworthy practice was the establishment of a common operational
risk event template and supporting guidance to ensure a consistent approach is taken
by the first line of defence across the bank’s divisions. In addition, some banks have
developed a process to share details of operational risk events across business lines
and geographies and encourage a similar approach to remediation where applicable.
Also, one bank noted that it uses its operational loss data to assess the quality of other
operational risk tools such as the RCSA, and to review whether the associated risk or
control assessment may have been evaluated improperly.”

¹ Bank for International Settlements, Basel Committee on Banking Supervision, Review of the Principles for the Sound Management of Operational Risk, October 2014.

Operational Risk Management: Best Practices in the Financial Services Industry, First Edition.
Ariane Chapelle.
© 2019 John Wiley & Sons Ltd. Published 2019 by John Wiley & Sons Ltd.

In short, good and recommended practices include consistent and systematic root
cause analysis performed by the first line following incidents or near misses above a
given materiality threshold and supported or challenged by the second line. Even better
practice is to draw links across incidents to generate a systematic solution across the
organization. The bow-tie analysis presented in this chapter is in my experience an
excellent tool for root cause analysis.
BOW-TIE TOOL AND SYSTEMIC PATTERNS OF FAILURE
The bow tie is a root cause analysis tool commonly used in heavy industries, such as
oil and gas, and is now slowly making its way into the financial sector. It is a form of
“5-whys” analysis, encouraging investigators to identify several levels of causes for
operational failures.
In the bow-tie diagram, the risk or event to analyze lies at the center of the figure,
with the left-hand side detailing its direct and indirect causes until all roots are identified.
The right-hand side of the figure expands into all direct and indirect losses and
impacts, forming the shape of a bow tie. Preventive controls are labeled in front of each
cause; detective and corrective controls are documented on the impact side to the left
(Figure 11.1).
Even today, many of the forms of root cause analysis employed by firms are limited
to a first level of incident causation, often focusing on general “human error” and
“lack of training.” Bow-tie analysis for risks and events is a powerful way to help
organizations look beyond what meets the eye and to identify indirect and root causes
of their risks and incidents. It is also an effective method to reflect on and identify
leading key risk indicators. I will return to this particular application of the bow tie
in Chapter 14.
An obvious direct benefit of a root cause analysis is a deep understanding of the
causes of an incident, leading to recommended action plans in the form of improved
processes or better controls. In addition, there are even more powerful benefits to
unlock when performing systematic bow-tie analysis in firms. When you perform
bow-tie analysis of seemingly unrelated incidents in the same organization, you are
more likely to develop a structural risk profile of the business, with a clearer picture
of the recurrent types of control failures. Repeated incidents may be due to certain
features in the organizational culture – in other words, a business style that exposes
the firm to a pattern of causes leading to operational risk events. In my years of
experience in performing this type of analysis with firms, I almost always found