ORR-1: Introduction to Operational Risk and Resilience

This is a summary of one of the readings in the GARP FRM Part II syllabus, under the section “Operational Risk & Resilience”.

Operational Risk Management (ORM) Framework

An operational risk management (ORM) framework is a structured approach that organizations use to identify, assess, mitigate, and monitor operational risks. According to the Basel Committee on Banking Supervision (BCBS), operational risk is “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” The framework is designed to address the four main causes of operational risk: failed processes, people, systems, and external events.

An ORM framework uses a cyclical process involving risk identification, assessment, mitigation, and monitoring to manage these diverse risks. This process is supported by tools like key risk indicators (KRIs), scenario analysis, and risk appetite statements to ensure that organizations are prepared for potential disruptions. Furthermore, effective governance, risk culture, and resilience planning are essential to strengthen the framework’s efficiency and adaptability.

The types of risks falling within the scope of an ORM framework include:

  • Internal Fraud: This involves fraudulent activities or unauthorized actions conducted by employees, such as embezzlement or falsifying transactions.
  • External Fraud: Incidents include theft, hacking, and external phishing attacks that impact the organization.
  • Employment Practices and Workplace Safety: Risks in this category include discrimination lawsuits, wrongful termination, and unsafe working conditions.
  • Clients, Products, and Business Practices: Misrepresentation of products, errors in pricing, and failure to comply with client expectations are common risks.
  • Damage to Physical Assets: This encompasses events such as natural disasters, terrorism, and accidents that can damage property and infrastructure.
  • Business Disruption and System Failures: IT system breakdowns and service outages, which interrupt business operations, fall under this category.
  • Execution, Delivery, and Process Management: Errors in processing transactions, discrepancies in documentation, and supply chain issues are typical examples.

Characteristics of Operational Risk Exposures and Operational Loss Events

Operational risk encompasses the risk of loss stemming from inadequate or failed internal processes, people, and systems, or external events. Its defining characteristics, outlined below, influence the way risk professionals approach management:

  • Heterogeneous: Operational risk is broad, encompassing diverse causes such as fraud, cyberattacks, or natural disasters. This diversity means each event type presents unique challenges, requiring detailed identification and classification. Even within each risk category, there’s considerable variation in loss events.
  • Idiosyncratic: Many operational risks are unique to individual organizations due to differences in processes and systems. However, risks like physical damage from natural disasters can have broad external causes. Despite this, operational risk generally reflects an organization’s internal ability and willingness to mitigate it.
  • Heavy-Tailed: Operational risk events often result in numerous small losses and rare, large losses, creating a highly skewed distribution. This characteristic complicates modeling and prioritization since the few large losses tend to dominate overall risk.
  • Interconnected: Internal control weaknesses and external factors link different types of operational risk. These interdependencies mean an event in one area can trigger losses elsewhere. For instance, booking errors may cause credit or market losses.
  • Dynamic: Operational risks evolve alongside the organization’s activities and external conditions. New products, regulatory changes, or digitalization can introduce new exposures.

Challenges in Managing Operational Risk

These characteristics introduce unique challenges:

  • Measurement Complexity: Heavy-tailed distributions and heterogeneity make it difficult to model losses accurately. It’s challenging to forecast the likelihood and severity of large-scale events.
  • Interconnected Nature: Correlated risks across departments and external factors complicate identification and mitigation. Boundary events that affect multiple risk categories require holistic management approaches.
  • Inconsistent Definitions: Variability in definitions and categorizations across organizations complicates benchmarking and standardization.
  • Evolving Landscape: Rapid industry evolution, technological advances, and changing regulations mean organizations need agile frameworks that adapt to new exposures.
  • Decentralized Management: As operational risk arises from processes across the organization, centralized frameworks struggle with localized risk factors. Each employee must manage their respective risks.

Operational Resilience: Definition and Framework

Operational Resilience refers to a firm’s ability to anticipate, withstand, respond to, and recover from operational disruptions. It ensures continuity of critical business services during unexpected adverse events, providing stability to financial markets and consumers. This concept emerged due to growing dependence on IT systems and third-party services.

Elements of an Operational Resilience Framework

  • Continuity of Business Services: The ability to continue offering crucial services even amidst disruptions. Traditional business continuity planning helps mitigate the risk of disrupting these vital services.
  • Important Business Services: Identifying services that, if interrupted, could cause significant harm to market integrity or consumers. This service-based approach focuses on providing continuous support to key financial activities.
  • Impact Tolerance Levels: Firms need to quantify disruption tolerance levels for critical services, similar to recovery time objectives, ensuring continuity within predetermined parameters.
  • Management of Disruption: Effective response and communication plans to maintain trust during crises.
  • Lessons Learned: Incorporating insights from past incidents to enhance future resilience, ensuring continuous improvement.

Regulatory Expectations for Operational Resilience

Regulatory guidelines stress the importance of effective risk management practices for operational resilience:

  • Governance: Utilize existing governance frameworks to oversee and guide operational resilience strategies.
  • Operational Risk Management: Leverage current operational risk management functions to address resilience challenges effectively.
  • Business Continuity Planning and Testing: Have robust business continuity plans that are frequently tested for efficiency.
  • Mapping Interconnections: Identify internal and external interdependencies necessary for delivering critical operations to ensure their protection.
  • Third-Party Dependency Management: Actively manage relationships with third parties to minimize disruptions due to external dependencies.
  • Incident Management: Develop and implement comprehensive response plans for swift recovery from disruptive incidents.
  • ICT and Cybersecurity: Ensure information and communication technology, including cybersecurity systems, are resilient.