
LESSON 2: THE BUSINESS CASE FOR OPERATIONAL RISK MANAGEMENT


2.1 PURPOSE
Making the business case for operational risk management.

2.2 KEY CONCEPTS


Marketing tool | Benefits | Operational risk governance
Indicators | Scenario analysis | Operational risk appetite
Modelling | Reporting | Risk and control assessment
Business optimisation | Beyond the framework | Event and loss capture

2.3 LEARNING OUTCOMES


On completion of this lesson, you should be able to:

• identify the fundamental elements of informed decision-making
• recognise operational risk management as a marketing tool
• identify the benefits of getting operational risk governance right
• identify the benefits of getting operational risk appetite right
• identify the benefits of getting risk and control right
• identify the benefits of getting event and loss capture and analysis right
• identify the benefits of getting indicators right
• identify the benefits of getting scenario analysis right
• identify the benefits of getting modelling right
• identify the benefits of getting reporting right
• recognise a number of benefits beyond the framework
• identify operational risk management as fundamental to business optimisation

2.4 LEARNING MATERIAL

Chapter 2 of the prescribed book: Making the business case for operational risk management

2.4.1 Getting management’s attention

Organisations have to take risks to make a profit or to deliver services to clients or customers. It is impossible for the
management of the organisation to predict the future, with the result that what may appear to be a reasonable decision at a
specific point in time may prove to be inadequate at a later stage. In real life, management will never have all the information
required to take the right decision and even if they had, other factors may undermine the successful execution of the decision.

Management can take two approaches as far as risk is concerned. One approach is to deny or ignore the existence of a risk.
Leaving no time to build, finance and implement a risk management framework will leave more time to stumble from one
unforeseen crisis to the next. Stakeholders may, however, be frustrated with penalties imposed by regulators, unexpected
losses and lost opportunities.

The other approach is to put a risk management framework in place to identify, evaluate, finance and control risks and
improve the risk management and business processes continuously. By embedding risk management in the organisation, risks
can be managed proactively and senior management can focus more on business strategy. Risks can thus be managed
and mitigated or even converted into business opportunities.

Study “Getting management’s attention” in chapter 2.

2.4.2 Operational risk management as a marketing tool

Many organisations go beyond the minimum standards or requirements imposed by rules and regulations or laws by
government agencies and professional or regulatory bodies. Organisations may gain a competitive advantage by advertising
or explaining to current and potential clients the extent to which they exceed industry standards in managing operational risk.

Study “Operational risk management as a marketing tool” in chapter 2.

2.4.3 Benefits of getting operational risk management right

The following table summarises the potential benefits derived from correctly implementing operational risk management and
groups these benefits under eight major topics involving operational risk.

Operational risk governance
• ensuring the effectiveness of controls
• developing an effective and consistent operational risk management framework
• clarifying the operational risk policy
• ensuring the alignment of risk appetite with business policy and objectives
• clarifying risk and control ownership and accountability
• reducing oversights and duplication of efforts

Operational risk appetite
• clearer understanding of operational risk
• accountability for operational risk by business lines or units
• considering risk profile versus risk appetite
• mitigating actions in line with operational risk appetite

Risk and control assessment
• awareness of operational risks and mitigating controls
• consistent treatment and reporting of risk across the organisation
• availability of comprehensive and consistent information on level of risk
• embedding an operational risk management culture in the organisation
• consistent and stable measurement of risk
• identification of potential risk hotspots and control bottlenecks
• early modelling of operational risk (pre-operational loss data)

Event and loss capture and analysis
• identifying failed controls and subsequent risk events
• identifying data gaps in risk and control assessments
• identifying and understanding causes (loss causal analysis)

Indicators
• monitoring risks and controls to identify trends and trigger actions
• measuring risk exposure against risk appetite
• setting targets to enhance controls and reduce risk
• identifying oversights and duplication of efforts

Scenario analysis
• evaluating risk and control sensitivities
• clarifying risk-control interactions and causal relationships
• testing likelihood and impact assumptions
• testing control design and performance assumptions

Modelling
• allocating operational risk capital on a risk-adjusted basis
• monitoring risk exposure against risk appetite
• forecasting future losses
• incorporating operational risk costs when pricing products or services

Reporting
• developing a common operational risk language
• prioritising detailed operational risk management activity
• driving ongoing identification, assessment and control of operational risk
• embedding the organisation’s approach to operational risk management
• clarifying risk ownership and control ownership

Study “Benefits of getting operational risk management right” in chapter 2.

2.4.4 Benefits beyond the framework

The following table summarises additional benefits (i.e. outside the framework processes) from correctly implementing
operational risk management:

Business continuity
• A business continuity plan is an essential tool of operational risk mitigation.
• Risk assessment, scenarios and indicators are used to create and activate the plan.
• The organisation gets back in business quickly to avoid excessive loss of income.

Insurance
• Risk is transferred to a third party at an affordable cost.
• Commercial insurance covers operational risk.
• Operational risk information facilitates decision and selection.

Outsourcing
• The activity and associated risks are transferred to a third party.
• Costs are reduced or efficiency is improved by contracting out.
• Opportunities as opposed to threats are identified.

People risk
• This is potentially the greatest source of operational risk liability.
• An environment is created for continuous learning and improvement.
• People are open to change and able to respond to business opportunities and threats.

Reputation risk
• This results from the occurrence of operational risk events.
• Preventing risk events from occurring is key to preserving reputation.
• Costs of failure and rewards of success are high.

Study “Benefits beyond the framework” in chapter 2.

2.4.5 Business optimisation

Operational risk management is also about identifying opportunities for continuous improvement of processes.
Labour-intensive and complicated processes have the potential for more errors compared to streamlined and simplified processes.
Six Sigma is a method that provides organisations with tools to improve processes, and each of the eight distinctive states
relates strongly to operational risk management.

Six Sigma process | Operational risk management
Assess current state of strategic areas | Identify and assess risks and controls
Identify problems and gaps | Identify indicators and thresholds
Agree on process to be improved | Compare risk appetite to current state
Document current performance | Use risk and control assessment
Investigate root cause | Analyse event causes
Collect and analyse data | Identify events relating to process
Develop solutions | Create action plans resulting from analysis
Link controls and other processes | Analyse causes and appetite
Identify more relationships | Assess risk and control
Test solutions | Model action plans
Evaluate impact and validate change | Model qualitative data
Design and implement improvement | Fulfil action plans
Apply validated change | Design new controls and indicators
Put permanent solution in place | Verify expected benefits
Review learnings | Embed methodology (governance)
Conduct debriefing | Challenge methodology and tools
Identify next improvement | Renew the cycle
Select from original list | Assess new risk and control
Repeat stages if required | Monitor and compare

Study “Business optimisation” in chapter 2.

2.5 ACTIVITY

Self-assessment questions: Go to the Online assessment tool to do activity 2.5.


2.6 REFLECTION

Before you continue to the next lesson, reflect on the following personal questions:

a. Where, in your professional life, do you think you will be able to use the skills you have learnt in
this lesson?
b. What did you find difficult? Why do you think you found it difficult? Do you understand it now or
do you need more help? What are you going to do about it?
c. What did you find interesting in this lesson? Why?
d. How long did it take you to work through chapter 2 for this lesson? Are you still on schedule, or do
you need to adjust your study programme?
e. How do you feel now?

2.7 CONCLUSION

Effective operational risk management has many potential benefits. These benefits are realised on a business level, from an
investor point of view, in terms of credit ratings as well as from a legal and regulatory perspective.

Blunden, T & Thirlwell, J. 2013. Mastering operational risk: a practical guide to understanding operational risk and how to
manage it. 2nd ed. London: Pearson.
