|
Operational Risk and Regulation
, July.
Risk Appetite
39
large, and a regulatory burden in every case. Most financial organizations, even today,
simply ignore or choose to ignore the revenues generated by operational risk.
When a risk is presented with no indication of potential returns, the rational
reaction is to reduce the risk as much as possible. And this will remain so as long
as risk managers keep presenting operational risk assessments to the board without
highlighting the benefits of taking those risks
in pursuit of strategic objectives
. The
risk appetite (for operational risk, fraud risk, regulatory risk, people risk, etc.) will
be “low” or “zero” by default. However, one could argue that all the non-financial
revenues of banks and insurance companies, particularly fee revenues, are the visible
returns of operational risk. Industrial companies and technological companies have
very little revenue from financial activities; they do not allocate credit, nor do they
manage a trading room or underwrite insurance policies. All their revenues come from
operational activities. Risk management is called
operational
risk management only
in the financial sector, to distinguish it from credit and market risks.
I argue that operational risks have a visible return for financial firms: the fee
income and, less visibly, the return from gaining new revenues with new products and
new operations. By increasing the size and complexity of a business, you also increase
operational risk from, among other things, processing errors, IT failures and regulatory
non-compliance. So how much risk is acceptable and for which reward?
Of course, operational risk, like every risk, has downsides and indeed very large
ones; these are the so-called tail risks. The vast majority of operational risk incidents
are minor or negligible, but once in a while things go very wrong. The worst operational
risk incidents can wipe out a firm, as happened to Barings, Arthur Andersen, MF Global
and Knight Capital. Other risks are large enough to cancel more than a year’s operating
revenues, like the embargo fines of BNP Paribas (18 months of gross revenues lost) and
the rogue trading at Société Générale (a loss of one year’s operating revenues). There
are also reputation risks that are embarrassing enough to stain a firm’s image for a
very long time, such as the LIBOR rigging scandals at Barclays and elsewhere, the tax
evasion scandal at UBS and the fake client accounts at Wells Fargo.
The benefits of operational risk must always be balanced with the potential for
damage or even devastation, as in the examples above. Managing risk is like heating a
pan of milk: you must keep your eye on it or it will boil over. Or, to use a better analogy,
it’s like handling a rebellious child. It’s not enough to say you won’t tolerate a child’s
bad behavior; you must also educate the child, provide guidelines and boundaries for
behavior, and apply appropriate sanctions when required. The next section details how
comprehensive risk appetite structures should be tied to exposure limits, controls, KRIs
and governance of the firm.
R I S K A P P E T I T E S T R U C T U R E
When defining risk appetite, the natural tendency is to express what we do
not
want. For
instance: no major data breach, no incidents causing more than
x
million of losses, no
40
RISK ASSESSMENT
regulatory breach. What many risk appetite statements fail to specify is
how
to avoid
these events. You must link these statements to the corresponding risk management
measures and controls, otherwise risk appetite fails in its primary objective: to guide
the level of risk-taking and necessary controls within the organization.
Using a funnel analogy, Figure 5.1 expresses the various steps and actions between
the strategic objectives of an organization and its tolerance for adverse events. First,
the mission and strategy of the organization determine its risk exposure and therefore
its inherent risks, either by choice or by constraint. For example, a European bank may
choose to expand to the United States and willingly take on the operational risks gen-
erated by international growth, such as a different regulatory environment, new labor
laws, and increased complexity of processes and communication. For those operating
in the U.S., complying with the U.S. legal and regulatory environments is not a matter
of choice: it’s a given. Risk exposure and inherent risks are therefore a result both of
choices and of compliance. Next, to reduce these inherent risks to a level of tolerable
loss, the multiple activities of risk management need to take place: preventive controls,
allocation of limits, and guidance and policies to limit residual risks (post controls) to
an acceptable level for the firm. Then, if accidents happen, you need early detection
and rapid reaction using agreed steps to reduce, as far as possible, the net impact of
Events
Inherent risk: exposure and
threats
Internal controls:
prevention and
guidance
Residual
risk
Mission, strategy and exposure
Net
da
m
age
Appetite for exposure/
exposure
m
andate
Appetite for controls:
costs and ti
m
e i
m
plications
Residual risks resulting fro
m
exposure + prevention
Corrective controls;
m
itigation procedure
Loss tolerance
Incident
m
anage
m
ent
F I G U R E 5 . 1
The risk appetite funnel
Do'stlaringiz bilan baham: |
