Managing operational riskUnderstanding the sources and minimising the impacts
Operational riskOperational risk impacts all of yourorganisation all of the time and isunavoidable.It does not depend on the size or nature of the business, but itcan bring even the biggest organisations to their knees.Understanding the causes of operational risk is a real challengesince these causes can be complex and subtle – or blunt andbrutal. There are internal sources of operational risk and thesecan be understood in detail and managed. But there areexternal sources of risks too – as we have seen many times inthe headlines. These external risks are uncontrollable and oftenunpredictable.History has shown us that the impacts arising when operationalrisks materialise will always exceed the bare cost of theoperational loss event itself – often very substantially.If you can’t avoid the risks, you can limit their impact onyour business. To do that requires the classic elements of riskmeasurement and management. But it needs more. You musthave the right tools and talent to fully understand the risks, toallocate your control resources, and to prepare for the worst.And that’s where we can help Operational losses cause reputational losses.2 Managing operational riskOperational risk —everywhere, alwaysWe have the tools and the talent to help you manage andmitigate operational risks and avoid the losses they leadto. We have a market-leading breadth of experience in allaspects of operational risk management that allows us toprovide our clients with true insight and innovation.Our ability to deliver the current best in risk managementadvice and support, together with a far-reaching view ofthe road ahead has proven itself invaluable to all cornersof the financial services industry.
Avoiding lossesOrganisations underestimate theimportance of operational riskmanagement, and poor operationalrisk management can lead to threetypes of damage to a business:1. Outright loss – the complete direct cost of a loss event,such as from loss of assets or processing errors2. Regulatory overhead – operational losses are a criticalconsideration when regulators and external assessors takea view of an organisation. Operational risk events may leadto greater scrutiny and expensive mandated investigations(such as Section 166 reviews)3. Reputational damage – this is a risk of a risk. It arises fromoperational risks and its impact can be unquantifiablemaking it potentially fatal for your organisationSuch losses are a result of a failure to embed an effectiveoperational risk management framework in the business.For operational risk management to be effective there mustbe focus from all levels of management. But operationalrisk management – and accountability – can often becompartmentalised and assessed differently across businessfunctions, which in turn leads to critical inconsistenciesof treatment.To combat this, an organisation must have a risk frameworkthat translates the organisation’s strategy intotactical and operational objectives, assigning responsibilitythroughout the organisation with each manager and employeefully accountable for the identification and control of risk aspart of their job description.It is essential for such a framework to fully reflect theorganisation’s risk culture – the tone from the top – and to becomprehensive enough to ensure consistency in measurementand management. So, as operational risks arise from such awide variety of sources, risk management must be aligned andfully embedded within all parts of the business in order to beeffective, including: business strategy business plan risk appetite procedures and policies organisational culture.Check your accountOperational events that make the headlines are hard to miss. But the breadth of causes and consequences is telling.A major UK retail banking organisation suffered a majorcomputer meltdown that led to a failure in its network of cashmachines, online and phone services. A string of operationalrisks had crystallised and interacted and ended up lockingmillions of their customers out of their bank accounts. Onits own this was unacceptable, but it was the second majoroutage in 12 months, making it catastrophic.Following the crashes in its systems, the bank’s managementwere obliged to make an apology to their customers – andsettle 70 million of compensation claims, followed by a 56million fine levied by the Bank of England.Software upgrades were cited as a cause – which is true– but the failures led from a combination of operationalrisks including a lack of alignment between operationalrisk management and the group’s change, informationtechnology and customer conduct strategies. The riskfunctions had not gauged the risk and impact of the networkfailures and no-one joined the dots to be able to anticipatethe outcome.Managing operational risk 3
Why do we need operationalrisk management? Credit ratings are built on a keen analysis of an organisation’srisk management capabilities and demonstrating high qualityoperational risk governance provides for often substantiallymore favourable credit ratings and corresponding reductionsin overall financing costs Operating costs can be significantly reduced bysystematically identifying and mitigating potential risksbefore they can lead to a loss Operational risk management is necessary to prevent largeand unexpected spikes in costs and profits and is essentialfor avoiding major hurdles to meeting revenue targets Sophistication in measuring operational risk is vital to ensureaccurate and optimum capital is held Good operational risk management supports the overall riskculture which is a critical feature of modern and efficientorganisations. Furthermore, a strong sense of ownership ofrisk management fostered throughout your staff has beenshown to promote staff engagement and retention. Thebenefits extend further to the customer base who prefersafely controlled businesses Certain operational risks can be insured and a carefulidentification and quantification of these risks can help toprovide additional guards against the cost of operationalevents, as well as generating savings in insurance premiums The extent and pace of regulatory change is itself presentingrisks, not least from overloading all staff with changingprocesses and control objectives. A sound risk framework iscritical to absorbing the impacts of major regulatory andother change projects throughout the organisation.“ When it comes to operational risk, manyfirms only see the tip of the iceberg.”4 Managing operational risk
Building the frameworkEnabling better decisions comes from having a two-way view.ForwardTo the type of control framework that properly fits anorganisation’s risk appetite and risk culture, and to the typesof scenarios that the organisation may face tomorrow.BackwardTo ensure the lessons from the organisation’s past have beendigested and controlled for. To fail once is perhaps unfortunateand your shareholders might have some tolerance; to fail twiceis unforgiveable. Similarly, risk managers should look not onlyto the loss event history from their own organisation, but mustconsider the events that have affected their peers both nearand far. To fail to learn from the mistakes of others might also beconsidered unforgiveable when it comes to operational losses.One of the functions of a well-embedded risk managementframework is to ensure the right information is delivered tothe right people at the right time so managers are in a betterposition to make educated decisions.To support this, the risk manager must have a range of toolsand data sources at their disposal, including:A comprehensive risk register The foundation of the risk control environment is the riskregister. Here we can build a picture of the challenges facingthe organisation and ensure that the right managers areaccountable for the controls set against them. It also formsthe basis for the self-assessment of the effectiveness of theoperational control structures.Loss data To build a true cost of operational losses and to anticipatethe likely impact of current risks to the organisation requiresa well-structured and complete record of the organisation’sloss events. But beyond internal losses, the organisationmust cast a wide net across the sector it operates in tocollect and digest loss data from other organisations.Only with a view of internal and external event data canwe begin to build meaningful risk assessment models andtailor a control framework around them.Management information The management information (MI) must work for theorganisation. It must have sufficient breadth to capture allthe risks of interest and this requires sophisticated analysisof correlations and dependencies to describe emergent risksarising from staff behaviours. A well-planned data analyticsapproach is critical to ensure the subtleties of complexoperational risks are not overlooked. For instance, a fraudmay be detected only by linking hordes of correlated datapoints. And for a data-analytics approach to surveillanceto work, there must be a full consideration of the pros andcons of delegated and retained authority models. Do weopt for centralised support teams to collate data, operatecontrols, and pass exceptions to accountable supervisors, oris a distributed model more appropriate where control andmonitoring functions are performed by supervisors themselves?Managing operational risk 5
Building the frameworkcontinuedFinally, all of the organisation’s risk management functions must have an eye to thefuture. What is the next challenge facing a function or process, the organisation as awhole, the sector it operates in, or beyond?PastPresentLoss events / External dataKey risk indicators / Deep divesFutureScenario analysis / Horizon scanningRisk registerRisk MIFraudulent ETF trading leadsto 2.3 billion lossWhat’s next?Poor documentation and policysetting causes 410 million lossTsunami in Japan leads tounrecoverable losses of 378 millionCustomer data losses lead to redfaces and finesManipulation of market ratesleads to billions in losses and fines6 Managing operational risk
How do you grasp a cloud?The scope of operational risk is enormous and as the risk management frameworkevolves, the volume of information that the organisation can provide becomes evermore immense.There is a real danger that those tasked with identifying andpreventing the next risk event are swamped and begin to losesight of real risk events. The board will always want to knowwhat is important, what is next, and what are we doing aboutit. So one of the priorities for risk management framework isto have a careful definition of what operational risk is for theorganisation and how to filter all of the data it can collect thatdescribes those risks and the controls against them.There are many ways to classify operational risks and thismight be the first step in understanding the sources for yourorganisation. One of the most straightforward and henceconsistently used classifications of operational risk has beenprovided by the Basel Committee on Banking Supervision(BCBS). The committee defines operational risk as ‘resultingfrom inadequate or failed internal processes, people andsystems, or from external events.’ This includes legal risks, whichgreatly expand the scope of an operational risk managementframework, but importantly they exclude reputational andfranchise risks, which has led to gaps in quantifying operationalrisk impacts.BCBS goes on to present seven categories of operational risksand for each one there are a number of contributory factors.This approach leads to a common pitfall encountered byoperational risk managers across the financial services sectorwhich is the tendency to ‘box up’ operational risk and ignorethe individual risk components. This can leave an organisationexposed to unforeseen risks and furthermore can introduce asense of blinkered complacency throughout the organisation:‘all the KPIs are green – we’re doing fine!’Managing operational risk 7
Risk typesInternal fraudExternal fraudEmployment practices andworkplace safetyEvents intended to defraud,misappropriate property, orcircumvent regulations or companypolicy, involving at least one internalparty, categorised into unauthorizedactivity and internal theft and fraud.Events intended to defraud,misappropriate property, orcircumvent the law, by a third party,categorised into theft, fraud, andbreach of system security.Acts inconsistent with employment,health and safety laws or agreements,categorised into employee relations,safety of the environment, anddiversity and discrimination.Clients, products, andbusiness practicesExecution, delivery, andprocess managementDamage to physical assetsEvents due to failures to comply witha professional obligation to clients, orarising from the nature or design of aproduct, which include disclosure andfiduciary rules, improper business andmarket practices, product laws, andadvisory activities.Events due to failed transactionprocessing or process managementthat occur from relations with tradecounterparties and vendors, classifiedinto categories such as transactionexecution and maintenance, customerintake and documentation andaccount management.8 Managing operational riskEvents leading to loss or damage tophysical assets from natural disastersor other events such as terrorism.Business disruption andsystem failuresEvents causing disruption of businessor system failures.
Sources and causesSourcesInternal fraudCredit fraudInsider tradingTheft, embezzlement, robberyMisappropriation of assetsUnauthorised transactionsIntentional mismarking of positionCausesBribery and corruptionLack of controlOmissions (eg failure to supervise employees, inadequate due diligence efforts)Employee action/inactionOrganisational structure - excessive concentration of powerManagement action/inactionChanges in market conditionsPoor corporate governance, flawed corporate strategyCausesSourcesExternal fraudTheft, forgery, and robberyCyber crime - system security and hackingLax securityEmployee inaction/inactionLack of internal controlChanges in market conditionsManagement action/inactionCausesSourcesEmployment practices and workplace safetyEmployment discriminationSafety of environmentCompensation, benefit, termination issuesOrganised labor activityManagement action/inactionStaff selection and compensationLack of control, insufficient policy and guidance,weak compliance oversight, etcCorporate governanceEmployee action/inactionOther or unspecifiedSourcesClients, products and business practicesSuitability, disclosure, and fiduciary(eg disclosure issues, lender liability, fiduciary breaches)Other (eg misuse of confidential information, advisory activities)Omissions (eg lack of proper training procedures, inadequate dueCausesImproper business and market practices (eg unlicensed activity,money laundering, market manipulation, improper trade, antitrust)diligence efforts, failure to supervise employees)Changes in market conditionsManagement (or employee) action/inactionEmployee action/inactionOrganisation structure, excessive concentration of powerFailure to correctly respond to new technologyManaging operational risk 9
Sources and causescontinuedCausesSourcesDamage to physical assetsTerrorism, vandalismNatural disastersChanges in market conditionsStrategy flawsEmployment action/inactionCausesSourcesBusiness disruptions and system failuresSoftware failuresTelecommunicationsHardware failuresUtility outage/disruptionsPoor management oversight including inadequatetechnology planningLack of internal controlEmployee inaction/inactionChanges in market conditionsManagement action/inactionCausesSourcesExecution, delivery and process managementTransaction execution and maintenance(eg accounting error, data entry error)Customer/client account mismanagementFailed or inaccurate mandatory reportingOther (eg losses due to new market regulations, strategy failures,mergers and acquisitions)Lack of control (eg poor documentation, lax security, insufficientcompliance measures, failure to test for data accuracy)Changes in market conditionsOmissions (eg failure to supervise employees, inadequate duediligence efforts)Strategy flawsManagement action/inaction, poor executionLack of controlEmployee action/inaction, misdeeds, errorsManagement action/inactionChange in market conditions (eg mergers and acquisitions,regulatory pressure, financial reporting)10 Managing operational risk
What we doWe have expertise that extends right across all aspects of operational riskmanagement. Our team have market-leading experience gained from leading rolesthroughout the financial services sector.We can help with all stages of the operational risk lifecycle from building and developing frameworks from first principals, tohelping optimise the business as usual management of operational risks, and facilitating your business to interpret and respond tothe many changes in the market and the rules that govern it. We have helped some of the largest and most complex organisationsin the world understand and deal with the operational risks they face and we have consistently helped our clients to avoid the costsof risk. Our credentials extend across three broad categories:Advisory andconsultationHelping firms to decode newlegislation and the causes oftheir operational risks, thendeveloping and embeddingcommercially effective riskcontrol structures.ComprehensiveassuranceWork to fully describe theeffectiveness of existing riskmanagement structures andprovide an organisation’svarious stakeholders with theconfidence that operational riskis understood and managed.ResourcesupportBringing our staff to supportorganisations during periods ofpeak demand or in the wake ofrisk events. Our team consistsof industry experts who haveworked in risk managementroles so can begin adding valueright from the start.“ We have helped some of the largest and most complex organisations in the worldunderstand and deal with the operational risks they face and we have consistentlyhelped our clients to avoid the costs of risk.”Managing operational risk 11
Contact usSandy KumarChair of Financial Services GroupHead of Business Risk Services UKT 44 (0)20 7865 2193E [email protected] YoungManaging DirectorBusiness Risk ServicesT 44 (0)20 7865 2781E [email protected] MaSenior ManagerBusiness Risk ServicesT 44 (0)20 7184 4796E [email protected] 2017 Grant Thornton UK LLP. All rights reserved.‘Grant Thornton’ refers to the brand under which the Grant Thornton member firms provide assurance,tax and advisory services to their clients and/or refers to one or more member firms, as the context requires.Grant Thornton UK LLP is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms arenot a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by themember firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do notobligate, one another and are not liable for one another’s acts or omissions. This publication has been preparedonly as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refrainingfrom acting as a result of any material in this publication.grantthornton.co.ukGRT106816
the headlines. These external risks are uncontrollable and often unpredictable. History has shown us that the impacts arising when operational risks materialise will always exceed the bare cost of the operational loss event itself - often very substantially. If you can't avoid the risks, you can limit their impact on your business.