Operational Risk
Operational risk is perhaps the most significant risk financial services face. In the last two decades, virtually every major loss in the financial industry (e.g., Enron, Baring Banks, Madoff, subprime credit crisis) has been driven by operational failure.
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, according to Basel II, recommendations on banking laws and regulations defined by the Basel Committee on Banking Supervision (BCBS, a group that encourages common approaches and standards among country members). Any of the following events are categorized as operational risks:
◈ Internal fraud
◈ External fraud
◈ Violation of employment practices and workplace safety
◈ Breach of client, product or business protocols
◈ Damage to physical asset
◈ Business disruption and system failure
◈ Execution, delivery and process management failure
Challenges in Managing Operational Risk
Variation, whether it is seen as portfolio returns, transaction outcomes or KPI (key performance indicator) performance, is interpreted as risk within the world of financial services. Financial processes are inherently complex; they often cut across multiple functions and geographies. They are susceptible to multiple failure points. It is hard for risk managers to identify the few critical events within a daily data deluge. Once those critical points are identified, monitoring these risk triggers is another bane in the life of a risk manager.
Six Sigma and Operational Risk Management
There are significant opportunities to apply Six Sigma to managing risk in financial services. Failure mode and effects analysis (FMEA) and control charts are two Six Sigma tools that have proven successful in this task.
FMEA: Identify and Prioritize Risk
FMEA is an excellent tool for managing operational risk within financial services. Risk managers can use FMEA to list the failure points of a process then subsequently prioritize risks based on the severity of financial impact, frequency of the occurrence and the ability to detect failure events. Beyond those uses, FMEA also can help managers in developing a mitigation plan for high-priority risk events.
The three key benefits of using FMEA in managing operational risk follow:
1. Listing the failure points of a process
2. Defining uniform criteria for the prioritization of risk events
3. Developing mitigation plans for high priority risk events
Table 1 demonstrates an FMEA for a bank’s ATM operations. Only two key process steps of ATM operation (“ATM pin authentication” and “dispense cash”) are shown here, but this approach can be scaled across most of the banking processes.
Table 1: FMEA Round 1 (Click to Enlarge)
In a typical ATM operation, the ATM pin authentication step can fail in two ways: unauthorized access and authentication failure. While an unauthorized access event might lead to a highly dissatisfied customer, an authentication failure event will typically result in a mildly annoyed customer. Based on the severity of impact (SEV), frequency of occurrence (OCC) and detection ability (DET) of a failure event, a risk manager determines the risk priority number (RPN) of different failure points.
Similarly, the dispense cash process steps may have failure points such as cash not disbursed, amount debited but no cash disbursed, and extra cash dispensed. These examples illustrate that among the failure events listed, the cash not disbursed event has the highest RPN of 196. Based on this assessment, a risk manager may decide to take action such as increasing the minimum cash threshold limit of heavily used ATMs to mitigate the high-priority risk of an out-of-cash situation. Hence, by utilizing the FMEA tool a risk manager is able to determine critical failure events within the ATM operation and take suitable risk mitigation actions against these key failure events. Table 2 shows the FMEA updated with the recommended risk mitigation actions.
Table 2: FMEA Round 2 (Click to Enlarge)
Control Charts: Monitor Risks
Financial services companies use KRI (key risk indicators) to determine the level of exposure to a given operational risk at any particular point in time. KRI reporting and escalation is typically based on trigger levels set by an expert assessment. But in addition to the trigger level set by such assessment, the monitoring of KRIs can be enhanced by plotting KRI data points in control charts. KRIs plotted in control charts will reveal the following supplementary insights:
◈ Indication of any special pattern or trend observed in performance of the process. This will act as a warning signal for any impending risk events.
◈ Indication of whether existing controls are sufficient for keeping the current process in a stable state and within expected tolerance levels.
For example, consider the check-clearing operation within a retail bank. Management has mandated the maximum number of checks that can be processed beyond one week as 60. The financial organization tracks the KRI, number of checks processed after one week, to estimate the level of potential liability arising from customer complaints and to manage the execution, delivery and process failure risk against BCBS standards. The figure below shows a control chart in which that KRI is plotted.
At first glance the KRI seems to be performing well as it has never breached the upper threshold level (specification limit) of 60 check-clearing requests pending beyond one week set by the management. But upon closer scrutiny, the control chart highlights a trend from Week 22 through Week 28 of an increasing number of check-clearing requests pending beyond the stipulated one-week timeframe. This trend acts as a warning that the KRI may breach the upper threshold level in the near future, which in turn could make the bank vulnerable to litigation for the late processing of checks or for a delayed payment from the customers. This indicator suggests the bank should immediately review its check processing operation and take the necessary steps to bring this KRI in control.
0 comments:
Post a Comment