LESSON 6: EVENTS AND LOSSES

Video Activity Text Additional reading and references

6.1 PURPOSE
Review events and losses and identify clear and explicit signals that an operational risk event has occurred, either due to the
failure or lack of a control or simply due to an unusual and unforeseen event.

6.2 KEY CONCEPTS

Events Losses Data attributes
Causes Actions Reporting threshold
Indicators Lost data Causal analysis and control
External loss Data completeness Risk and control assessment
Scaling Data consistency Scenarios and stress testing
Databases Major events Timeliness of data

6.3 LEARNING OUTCOMES

On completion of this lesson, you should be able to

 define the concept of events and losses

 describe what is meant by an event
 categorise events into actual losses and near misses
 explain the importance of recording profits and gains as control failures
 identify comprehensive reporting as fundamental to risk management
 describe the minimum set of data attributes for event and loss information
 discuss the reporting of data in terms of processes and responsibilities
 explain the significance of a reporting threshold
 outline and discuss the various uses of events
 identify different external loss databases
 explain the potential problems associated with external loss databases
 argue the value and use of major events
 explain the importance of timeliness as it relates to data

6.4 LEARNING MATERIAL

Chapter 6 of the prescribed book: Events and Losses

6.4.1 Introduction

Operational risk management comprises three fundamental processes – risk and control assessments, risk and control
indicators, as well as events and losses. Events and losses provide evidence that an operational risk event has occurred,
resulting in some sort of loss. These events may occur due to either a lack or failure of controls or because of something
unforeseen happening. Events and losses are the objective counterparts to the subjective risk and control assessments and
are often used as risk and control indicators.
Study “Introduction” in chapter 6.

6.4.2 What is meant by an event

An event is the occurrence of a risk resulting in an actual or near loss. Events are categorised as either a hard (quantifiable)
direct or indirect event or a soft (difficult to quantify) direct or indirect event. Events can also be categorised into actual losses
or near misses. A near miss is either an event that would have occurred if the preventive control failed or an event that
occurred without resulting in any loss due to detective and/or corrective controls.

Unintended gains and offsets, as well as recoveries subsequent to an event, provide valuable information on control failures
and the effectiveness of corrective controls.

Operational risk management depends on the comprehensive reporting of events and losses, near misses, gains and offsets
as well as any recoveries to determine the scale of operational risk and effectiveness of controls. Uncaptured or lost data
distorts and devalues the information gathered on events and losses.

Study “What is meant by an event” in chapter 6.

6.4.3 Data attributes

A minimum set of data attributes needs to be collected for events and losses:

Name of the firm

 more than one company in a group of companies may be involved
 occurrence and detection of the event at different companies
 the company that actually suffered a loss from the event
 information on the booking, origination and processing of transaction(s)
Geographic location
 control culture and weaknesses inherent to a particular location
 understanding each location’s control ability
Business activity
 business activities or product lines across the group
 consistent reporting and implementation of improvements
 potential risk hotspots and control bottlenecks
Loss event type
 losses allocated to loss event types
 distinction between risk types and loss event types
Dates of the event
 start date, discovery date and end date (finished event)
 closure and resolution of ongoing events
 separate events linked to a single cause
Description of the event
 brief initial description of the event
 more detailed description based on sufficient information
Causes of the event
 essential for remedial action to know why an event occurred
 reporting on the causes of risk events facilitates the management of risks
 cause, event and effect identified separately
 loss event type identification not a substitute for causal analysis
  identification of the primary and secondary control failures
 a single event is often the result of a number of control failures
 a single cause can trigger a number of different risk events
 linked risks identified by recording causes and related risk indicators
 holistic analysis of events linking assessments, indicators and causes
Amount of loss and recovery components
 hard direct impact always recorded
 hard indirect, soft direct and soft indirect impacts may be recorded
 initial estimate and final amount of the loss
 aggregate amount of a number of events linked by a single cause
 record of smaller events representing individual control failures
Actions
 immediate actions – limiting damage
 correct or improve actions – adding, amending or reinforcing controls
Additional information
 risk owner allocated to assign responsibility for future prevention
 recording unique transaction or trade numbers and client details

Study “Data attributes” in chapter 6.

6.4.4 Who reports the data?

Alternatives to reporting losses include

 anonymous reporting of losses

 loss reporting form on the intranet of a company available to all staff
 reporting by the operational risk leader within the detecting department or business line

Reconciling losses to the general ledger or an audit provides valuable confirmation and validation of the accuracy of reporting.
However, events without any financial impact or unreported events (i.e. lost data) will be excluded.

Study “Who reports the data?” in chapter 6.

6.4.5 Reporting threshold

Setting the reporting threshold is a significant issue. The reporting threshold sets a minimum level or size before a risk event
needs to be captured. Setting a reporting threshold above zero may prevent a significant number of control failures being
captured, including the majority of operational loss events which, in fact, have a zero financial impact.

Losses should therefore be monitored down to a level below the size limit to account for several smaller losses adding add up
to one large loss above the reporting threshold. This would prevent recurrent small control failures from potentially turning
into a much larger failure.

6.4.6 Use of events

Causal analysis of events is critical for effective operational risk management and can be used to

 challenge risk and control assessments

 validate indicators of preventive and detective controls
 assist in the production of scenarios and stress tests
 model economic and regulatory capital
 Causal analysis and controls
 Determine which preventive and detective controls failed or were lacking, to improve on the design and
implementation of action plans and prevent the recurrence of a risk event.
 Management should explicitly approve the acceptance of a risk if certain controls are not implemented due to
excessive costs.
Risk and control assessments
 Score the design and performance of the controls.
 Challenge the subjective risk assessment scores.
 Challenge the frequency or likelihood assessment.
 Account for once-in-a-lifetime events.
Indicators
 Validate the effectiveness of indicators to signal risk events.
 Establish whether a preventive control indicator is, in fact, relevant to a particular risk.
 The size of events and losses is indicative of how well detective control indicators are performing.
Scenario and stress testing
 The occurrence of actual events facilitates the construction of plausible scenario and stress tests.
 Combining several events allows for building more extreme scenarios.

Study “Use of events” in chapter 6.

6.4.7 External loss databases

There are three main sources of losses available for causal analysis: a firm’s own losses (primary source), information from
competitors and publicly available loss and event data.

Internal loss data on a sectoral, national and international basis are distributed to members of consortiums that collect and
manage the data. This type of data is similar to and provides validation as well as confirmation of a firm’s own loss data. It
may provide early warning to a firm of the risks and losses suffered by its peers and possibly reduce or eliminate similar losses.

Publicly available loss and event data is reported on the internet or in the media. Government agencies or industry bodies
also provide industry-wide information on events.

Some issues related to external data

Cultural differences – controls and risk appetite

 Different risk cultures and risk appetites can distort data.
 External data is more difficult to analyse.
Data completeness
 Completeness and quality of data in an external database are a major challenge.
 The temptation is to reduce the size of a loss or only report public knowledge.
 Court and insurance settlements often prohibit publication of loss data.
Data consistency
 Data consistency is vital to meaningful analysis of causes or assessments.
 Data may require cleaning or enhancement.
 There is variable knowledge of the control environment related to each loss.
Scaling
 Loss data is scaled to adjust for different sized firms.
 Each loss is scaled with regard to factors that influenced the loss.
 Knowledge of the risk event is applied to a firm’s own risk and control profile.
Study “External loss databases” in chapter 6.

6.4.8 Using major events

Major internal or external events have the potential to cause the loss of an entire firm. Historical data relating to a major
event is of use to conceptual, rather than numeric, analysis in an attempt to determine the true causes of these events.

Study “Using major events” in chapter 6.

6.4.9 Timelines of data

Any analysis of loss data must consider the current control environment because event data degrades over time as control
environments change.

Study “Timelines of data” in chapter 6.

6.4.10 Summary

Risk events provide the actual detail to be used in operational risk management for making judgements about the future.
However, loss data is mostly incomplete and its usefulness degrades over time. The information provided by risk events

 validates and supports risk and control assessments

 evaluates the effectiveness of preventive and detective controls
 enables scenario analysis and stress testing
 assesses economic and regulatory capital requirements

Study “Summary” in chapter 6.

6.5 ACTIVITY

Self-assessment questions: Go to the Online assessment tool to do activity 6.5.

6.6 REFLECTION

Before you continue to the next lesson, reflect on the following personal questions:

a. Where, in your professional life, do you think you will be able to use the skills you have learnt in
this lesson?
b. What did you find difficult? Why do you think you found it difficult? Do you understand it now, or
do you need more help? What are you going to do about it?
c. What did you find interesting in this lesson? Why?
d. How long did it take you to work through chapter 6 for this lesson? Are you still on schedule, or do
you need to adjust your study programme?
e. How do you feel now?
6.7 CONCLUSION

Effective operational risk management has many potential benefits. These benefits are realised on a business level, from an
investor point of view, in terms of credit ratings as well as from a legal and regulatory perspective.

Blunden, T & Thirlwell, J. 2013. Mastering operational risk: a practical guide to understanding operational risk and how to
manage it. 2nd ed. London: Pearson