Operational Risk

Themes: Operational Risk Risk management

See the list of related resources at the bottom of this page.

Operational risk is gaining an increasingly high profile. In the UK, the Turnbull report recommended that listed companies should manage their operational risk explicitly; and the FSA includes operational risk in its new ARROW framework for risk assessment.

Historically (though the history is admittedly rather short), operational risk has received most attention from the banking industry. This is still evident in much of the published literature; often the authors simply assume that the industry in question is banking, without explicitly saying so. This can be confusing.

Definition

The FSA, following Basel, defines operational risk:

Operational risk is the risk of loss, resulting from inadequate or failed internal processes, people and systems or from external events.

This definition gives a reasonable idea of operational risk, but is not detailed enough for operational use. For purposes of risk identification, assessment, control and mitigation the definition must be refined so that it is a clearcut decision as to which risks are included and which are not.

In addition, the final phrase or from external events must be interpreted appropriately for the organization in question. For example, for a general insurance company the losses due to paying out claims for an earthquake should not be counted as an operational loss, whereas the losses due to the destruction of head office by the same earthquake should.

Resources

Building a framework for operational risk management: the FSAs observations: The FSA published this document in July 2003, as they prepared to implement CP142, the consultation paper on operational risk systems and controls. The documument is the result of discussions the FSA held with 22 firms actively developing risk management systems for operational risk. It describes instances of good practice, and discusses the progress that has been made so far. The main conclusion is that although considerable progress has been made, the industry is still at an early stage of developing operational risk frameworks. The report is available at http://www.fsa.gov.uk/pubs/policy/ps142_2.pdf
Operational Risk, by Jack L King: This book concentrates on the measurement and modelling of operational risk. It presents the method developed by the author, based on a combination of the Delta method with Extreme Value theory (EVT). Some of the discussion is very specific to the banking industry. Visit the page for this book at Amazon.
Managing Operational Risk, by Douglas G. Hoffman: This is a major tome, giving "20 Firmwide Best Practice Strategies". Hoffman's background is in banking, and the book certainly concentrates on that industry. He does make an effort to extend the range, though. This is an extremely comprehensive book, a bit difficult to make one's way through at times. It contains many lists of key points, which are made slightly less useful because each list is so long. Visit the page for this book at Amazon.
Operational Risks in Financial Services: A presentation by Hans-Ulrich Doerig which gives an excellent overview with more detailed treatment of some aspects. Like so many others writing about operational risk (and indeed risk management in general), the author assumes that other financial services firms are just like banks. This report is available at http://www.credit-suisse.com/governance/doc/operational_risk.pdf
Quantifying operational risk in general insurance companies: A paper presented to the Institute of Actuaries in 2004. The paper is available online from my publications page.
PS142_2: Building a framework for operational risk management: the FSA's observations - Feedback on industry practice as we prepare to implement CP142: This Policy statement reports on the main issues arising from Consultation paper 142 ('Operational risk systems and controls') published in July 2002. It can be found at http://www.fsa.gov.uk/Pages/Library/Policy/Policy/2003/PS142_2.shtml.
Sound Practices for the Management and Supervision of Operational Risk: One of the reasons that operational risk is a hot topic nowadays is that the Basel 2 agreement will include capital requirements for operational risk for banks. The Basel committee have produced this paper, available from their site at http://www.bis.org/publ/bcbs91.htm.
Operational Risk Data Collection Exercise - 2002: The BIS have recently published the format they are using to collect operational risk data from banks in their Operational Risk Data Collection Exercise - 2002. The exercise is described at http://www.bis.org/bcbs/qis/oprdata.htm.
Managing the operational risks of user-developed software: This is a paper I wrote for a workshop at GIRO 2002. It is available from my publications page.
Operational Risk. Measurement or Bust!: A working party report presented at GIRO 2003. The report and slides for the presentation are both available online from my publications page.
Restructuring of prudential and systems and controls material in the FSA Handbook: The FSA is restructuring the prudential and systems and controls material in the Handbook, because of the implementation of the Capital Requirements Directive. The details of the restructuring are given in http://www.fsa.gov.uk/pages/About/What/International/PSB/pdf/stages.pdf
PS142: Operational risk systems and controls - Feedback on CP142: This Policy statement reports on the main issues arising from Consultation paper 142 ('Operational risk systems and controls') published in July 2002. It can be found at http://www.fsa.gov.uk/Pages/Library/Policy/Policy/2003/ps142.shtml.
Financial Services Authority: The FSA is the regulatory authority for the financial services industry in the UK. Its website at http://www.fsa.gov.uk contains all the public documents produced by the FSA, including consultation papers and the texts of speeches as well as the currently applicable Handbook of rules and guidance.
Turnbull Report: Internal Control: Guidance of Directors on the Combined Code. Published by the Institute of Chartered Accountants in England and Wales. See http://www.icaew.co.uk/internalcontrol for more information.
Mastering Risk Volume 1: Concepts: Edited by James Pickford, this book is a collection of chapters by different authors that first appeared as a series in the Financial Times. The chapters vary in quality, but most are useful to some degree. Some chapters in the book tend to assume a banking background. There are five chapters on operational risk, somewhat less banking oriented than many of the other chapters. It has a useful overview chapter on credit risk, Lenders and borrowers demand a creditable system by Suresh M. Sundaresan. There is a useful chapter on enterprise risk management, Total strategies for company-wide risk control by Lisa Meulbroek. Visit the page for this book on Amazon.
Operational Risk in General Insurance: A working party (of which I was a member) presented a report on operational risk in general insurance to GIRO 2002. The report and slides for the presentation are both available online from my publications page.
Mastering Risk Volume 2: Applications: This book, edited by Carol Alexander, is a collection of chapters by different authors that first appeared as a series in the Financial Times. The chapters vary in quality: some of them are rather more useful than others. There is an unstated bias towards banking. It has four chapters on operational risk, covering measurement and modelling as well as an overview chapter. There are several chapters on different aspects of modelling credit risk. Visit its page at Amazon.
PS04/16: Integrated Prudential sourcebook for insurers: This Policy Statement reports on the main issues arising from Consultation Paper 190 (Enhanced capital requirements and individual capital assessments for non-life insurers), Consultation Paper 195 (Enhanced capital requirements and individual capital assessments for life insurers) and the audit and reviewing actuary proposals in Consultation Paper 202 (Insurance regulatory reporting � changes to the publicly available annual return for insurers) and publishes the associated rules and guidance. It is available at http://www.fsa.gov.uk/Pages/Library/Policy/Policy/2004/04_16.shtml.
Risk Management, by Andrew Holmes: A book in the ExpressExec series. It gives a brief overview of several aspects of risk management, rather less biased towards banking than many other books (and also much shorter). It covers a somewhat eclectic range of topics, and has a useful list of resources. Visit its page at Amazon.
Risk Management, by Michel Crouhy, Dan Galai, Robert Mark: This is another book written primarily from a banking viewpoint. It has a whole chapter on risk management in nonbank corporations, and mentions the issues in some of the other chapters. Its treatment of credit risk covers credit rating systems, and distinguishes several different measurement approaches. It has a chapter on operational risk. This book emphasises the need for risk management systems. Visit its page at Amazon.
CP 142: Operational risk systems and controls: Consultation paper 142 from the FSA contains feedback on the operational risk and systems and controls sections of CP97, and contains new draft guidance. It is available at http://www.fsa.gov.uk/Pages/Library/Policy/CP/2002/142.shtml. It was issued in July 2002 and the consultation period ended on 31st October 2002.
CP140: The Interim Prudential Sourcebooks for Insurers and Friendly Societies and the Lloyd's Sourcebook: Guidance on Systems and Controls: Consultation paper 140 from the FSA sets out guidance on •high-level controls; • risk assessment; • legal risk; • internal audit; • management information; • outsourcing; and • group risk. This guidance will take effect before the Prudential Sourcebook is implemented in 2004. It is available at http://www.fsa.gov.uk/Pages/Library/Policy/CP/2002/140.shtml. It was issued in July 2002 and the consultation period ended on 3rd October 2002. PS140 is the result of the consultation.
PS140: The Interim Prudential sourcebooks for Insurers and Friendly Societies and the Lloyd's sourcebook: Guidance on Systems and controls - Feedback on CP140 and 'made' text: Policy statement 140 from the FSA sets out guidance on •high-level controls; • risk assessment; • legal risk; • internal audit; • management information; • outsourcing; and • group risk. This guidance was issued in December 2002 and is available at http://www.fsa.gov.uk/Pages/Library/Policy/Policy/2002/ps140.shtml. It takes effect from 1st February 2003.
Paul Embrechts: A useful set of resources, including some on operational risk, is at http://www.math.ethz.ch/~kaufmann/RM.html, which has course material for lectures on Risk Management given by Prof. Dr. Paul Embrechts at ETH Zurich.
CP190: Enhanced capital requirements and individual capital assessments for non-life insurers: Consultation paper 190 from the FSA discusses how capitial requirements will be determined for non-life insurers. It was issued in July 2003, and the consultation period ended on 30 November 2003. The overall effect of the proposals will be to introduce a new risk-based minimum requirement, the ECR (Enhanced Capital Requirement), and the concept of ICG (Individual Capital Guidance) which will take into account both the ECR and the systems and controls that firms have in place. CP190 is available at http://www.fsa.gov.uk/Pages/Library/Policy/CP/2003/190.shtml
CP195: Enhanced capital requirements and individual capital assessments for life insurers: Consultation paper 195 from the FSA discusses how capitial requirements will be determined for non-life insurers. It was issued in August 2003, and the consultation period ended on 30 November 2003. The overall effect of the proposals will be to introduce a new risk-based minimum requirement, the ECR (Enhanced Capital Requirement), and the concept of ICG (Individual Capital Guidance) which will take into account both the ECR and the systems and controls that firms have in place. CP195 is available at http://www.fsa.gov.uk/Pages/Library/Policy/CP/2003/195.shtml
Report on Enterprise Risk Management: The Casualty Actuarial Society presents a process for ERM. The primary purpose of the report is to consider the role of actuaries in risk management, but it gives a useful general overview too. It includes a risk classification meant for general use, rather than limited to a specific industry. The report is available from the CAS site at http://casact.org/research/erm/.
CP97: Integrated Prudential Sourcebook: Consultation paper 97 from the FSA is a massive document, presenting the draft Integrated Prudential Sourcebook. It is available at http://www.fsa.gov.uk/Pages/Library/Policy/CP/2001/97.shtml. It was issued in June 2001 and the consultation period ended on 31st December 2001. CP115 was a supplementary CP to CP97. CP97 has been superseded by its feedback documents: PS97_115, CP142, CP143.

	:: About :: Blog :: Notes :: All topics :: All links :: Publications :: Downloads :: Contact Related topics: The FSA and operational risk Financial Services Authority Risk management process The FSA and risk based capital Risk maps Risk identification Enterprise risk management ARROW risk assessment framework Software Risk Risk indicators Risk classification Future regulation of insurance briefing User-developed software The true significance of bugs in spreadsheets Maintainability Correctness Read my blog. Is your software use Competent, Complacent or Compromised? Take my 30 second quiz now, and find out! Read past issues of my newsletter. Tools download a simple code profiler for Excel VBA. Automated spreadsheet testing, documentation and more. Download now, or find out more at http://www.xlsior.com. Search WWW Search louisepryor.com
Operational Risk Themes: Operational Risk Risk management See the list of related resources at the bottom of this page. Operational risk is gaining an increasingly high profile. In the UK, the Turnbull report recommended that listed companies should manage their operational risk explicitly; and the FSA includes operational risk in its new ARROW framework for risk assessment. Historically (though the history is admittedly rather short), operational risk has received most attention from the banking industry. This is still evident in much of the published literature; often the authors simply assume that the industry in question is banking, without explicitly saying so. This can be confusing. Definition The FSA, following Basel, defines operational risk: Operational risk is the risk of loss, resulting from inadequate or failed internal processes, people and systems or from external events. This definition gives a reasonable idea of operational risk, but is not detailed enough for operational use. For purposes of risk identification, assessment, control and mitigation the definition must be refined so that it is a clearcut decision as to which risks are included and which are not. In addition, the final phrase or from external events must be interpreted appropriately for the organization in question. For example, for a general insurance company the losses due to paying out claims for an earthquake should not be counted as an operational loss, whereas the losses due to the destruction of head office by the same earthquake should. Resources Building a framework for operational risk management: the FSAs observations The FSA published this document in July 2003, as they prepared to implement CP142, the consultation paper on operational risk systems and controls. The documument is the result of discussions the FSA held with 22 firms actively developing risk management systems for operational risk. It describes instances of good practice, and discusses the progress that has been made so far. The main conclusion is that although considerable progress has been made, the industry is still at an early stage of developing operational risk frameworks. The report is available at http://www.fsa.gov.uk/pubs/policy/ps142_2.pdf Operational Risk, by Jack L King This book concentrates on the measurement and modelling of operational risk. It presents the method developed by the author, based on a combination of the Delta method with Extreme Value theory (EVT). Some of the discussion is very specific to the banking industry. Visit the page for this book at Amazon. Managing Operational Risk, by Douglas G. Hoffman This is a major tome, giving "20 Firmwide Best Practice Strategies". Hoffman's background is in banking, and the book certainly concentrates on that industry. He does make an effort to extend the range, though. This is an extremely comprehensive book, a bit difficult to make one's way through at times. It contains many lists of key points, which are made slightly less useful because each list is so long. Visit the page for this book at Amazon. Operational Risks in Financial Services A presentation by Hans-Ulrich Doerig which gives an excellent overview with more detailed treatment of some aspects. Like so many others writing about operational risk (and indeed risk management in general), the author assumes that other financial services firms are just like banks. This report is available at http://www.credit-suisse.com/governance/doc/operational_risk.pdf Quantifying operational risk in general insurance companies A paper presented to the Institute of Actuaries in 2004. The paper is available online from my publications page. PS142_2: Building a framework for operational risk management: the FSA's observations - Feedback on industry practice as we prepare to implement CP142 This Policy statement reports on the main issues arising from Consultation paper 142 ('Operational risk systems and controls') published in July 2002. It can be found at http://www.fsa.gov.uk/Pages/Library/Policy/Policy/2003/PS142_2.shtml. Sound Practices for the Management and Supervision of Operational Risk One of the reasons that operational risk is a hot topic nowadays is that the Basel 2 agreement will include capital requirements for operational risk for banks. The Basel committee have produced this paper, available from their site at http://www.bis.org/publ/bcbs91.htm. Operational Risk Data Collection Exercise - 2002 The BIS have recently published the format they are using to collect operational risk data from banks in their Operational Risk Data Collection Exercise - 2002. The exercise is described at http://www.bis.org/bcbs/qis/oprdata.htm. Managing the operational risks of user-developed software This is a paper I wrote for a workshop at GIRO 2002. It is available from my publications page. Operational Risk. Measurement or Bust! A working party report presented at GIRO 2003. The report and slides for the presentation are both available online from my publications page. Restructuring of prudential and systems and controls material in the FSA Handbook The FSA is restructuring the prudential and systems and controls material in the Handbook, because of the implementation of the Capital Requirements Directive. The details of the restructuring are given in http://www.fsa.gov.uk/pages/About/What/International/PSB/pdf/stages.pdf PS142: Operational risk systems and controls - Feedback on CP142 This Policy statement reports on the main issues arising from Consultation paper 142 ('Operational risk systems and controls') published in July 2002. It can be found at http://www.fsa.gov.uk/Pages/Library/Policy/Policy/2003/ps142.shtml. Financial Services Authority The FSA is the regulatory authority for the financial services industry in the UK. Its website at http://www.fsa.gov.uk contains all the public documents produced by the FSA, including consultation papers and the texts of speeches as well as the currently applicable Handbook of rules and guidance. Turnbull Report Internal Control: Guidance of Directors on the Combined Code. Published by the Institute of Chartered Accountants in England and Wales. See http://www.icaew.co.uk/internalcontrol for more information. Mastering Risk Volume 1: Concepts Edited by James Pickford, this book is a collection of chapters by different authors that first appeared as a series in the Financial Times. The chapters vary in quality, but most are useful to some degree. Some chapters in the book tend to assume a banking background. There are five chapters on operational risk, somewhat less banking oriented than many of the other chapters. It has a useful overview chapter on credit risk, Lenders and borrowers demand a creditable system by Suresh M. Sundaresan. There is a useful chapter on enterprise risk management, Total strategies for company-wide risk control by Lisa Meulbroek. Visit the page for this book on Amazon. Operational Risk in General Insurance A working party (of which I was a member) presented a report on operational risk in general insurance to GIRO 2002. The report and slides for the presentation are both available online from my publications page. Mastering Risk Volume 2: Applications This book, edited by Carol Alexander, is a collection of chapters by different authors that first appeared as a series in the Financial Times. The chapters vary in quality: some of them are rather more useful than others. There is an unstated bias towards banking. It has four chapters on operational risk, covering measurement and modelling as well as an overview chapter. There are several chapters on different aspects of modelling credit risk. Visit its page at Amazon. PS04/16: Integrated Prudential sourcebook for insurers This Policy Statement reports on the main issues arising from Consultation Paper 190 (Enhanced capital requirements and individual capital assessments for non-life insurers), Consultation Paper 195 (Enhanced capital requirements and individual capital assessments for life insurers) and the audit and reviewing actuary proposals in Consultation Paper 202 (Insurance regulatory reporting � changes to the publicly available annual return for insurers) and publishes the associated rules and guidance. It is available at http://www.fsa.gov.uk/Pages/Library/Policy/Policy/2004/04_16.shtml. Risk Management, by Andrew Holmes A book in the ExpressExec series. It gives a brief overview of several aspects of risk management, rather less biased towards banking than many other books (and also much shorter). It covers a somewhat eclectic range of topics, and has a useful list of resources. Visit its page at Amazon. Risk Management, by Michel Crouhy, Dan Galai, Robert Mark This is another book written primarily from a banking viewpoint. It has a whole chapter on risk management in nonbank corporations, and mentions the issues in some of the other chapters. Its treatment of credit risk covers credit rating systems, and distinguishes several different measurement approaches. It has a chapter on operational risk. This book emphasises the need for risk management systems. Visit its page at Amazon. CP 142: Operational risk systems and controls Consultation paper 142 from the FSA contains feedback on the operational risk and systems and controls sections of CP97, and contains new draft guidance. It is available at http://www.fsa.gov.uk/Pages/Library/Policy/CP/2002/142.shtml. It was issued in July 2002 and the consultation period ended on 31st October 2002. CP140: The Interim Prudential Sourcebooks for Insurers and Friendly Societies and the Lloyd's Sourcebook: Guidance on Systems and Controls Consultation paper 140 from the FSA sets out guidance on •high-level controls; • risk assessment; • legal risk; • internal audit; • management information; • outsourcing; and • group risk. This guidance will take effect before the Prudential Sourcebook is implemented in 2004. It is available at http://www.fsa.gov.uk/Pages/Library/Policy/CP/2002/140.shtml. It was issued in July 2002 and the consultation period ended on 3rd October 2002. PS140 is the result of the consultation. PS140: The Interim Prudential sourcebooks for Insurers and Friendly Societies and the Lloyd's sourcebook: Guidance on Systems and controls - Feedback on CP140 and 'made' text Policy statement 140 from the FSA sets out guidance on •high-level controls; • risk assessment; • legal risk; • internal audit; • management information; • outsourcing; and • group risk. This guidance was issued in December 2002 and is available at http://www.fsa.gov.uk/Pages/Library/Policy/Policy/2002/ps140.shtml. It takes effect from 1st February 2003. Paul Embrechts A useful set of resources, including some on operational risk, is at http://www.math.ethz.ch/~kaufmann/RM.html, which has course material for lectures on Risk Management given by Prof. Dr. Paul Embrechts at ETH Zurich. CP190: Enhanced capital requirements and individual capital assessments for non-life insurers Consultation paper 190 from the FSA discusses how capitial requirements will be determined for non-life insurers. It was issued in July 2003, and the consultation period ended on 30 November 2003. The overall effect of the proposals will be to introduce a new risk-based minimum requirement, the ECR (Enhanced Capital Requirement), and the concept of ICG (Individual Capital Guidance) which will take into account both the ECR and the systems and controls that firms have in place. CP190 is available at http://www.fsa.gov.uk/Pages/Library/Policy/CP/2003/190.shtml CP195: Enhanced capital requirements and individual capital assessments for life insurers Consultation paper 195 from the FSA discusses how capitial requirements will be determined for non-life insurers. It was issued in August 2003, and the consultation period ended on 30 November 2003. The overall effect of the proposals will be to introduce a new risk-based minimum requirement, the ECR (Enhanced Capital Requirement), and the concept of ICG (Individual Capital Guidance) which will take into account both the ECR and the systems and controls that firms have in place. CP195 is available at http://www.fsa.gov.uk/Pages/Library/Policy/CP/2003/195.shtml Report on Enterprise Risk Management The Casualty Actuarial Society presents a process for ERM. The primary purpose of the report is to consider the role of actuaries in risk management, but it gives a useful general overview too. It includes a risk classification meant for general use, rather than limited to a specific industry. The report is available from the CAS site at http://casact.org/research/erm/. CP97: Integrated Prudential Sourcebook Consultation paper 97 from the FSA is a massive document, presenting the draft Integrated Prudential Sourcebook. It is available at http://www.fsa.gov.uk/Pages/Library/Policy/CP/2001/97.shtml. It was issued in June 2001 and the consultation period ended on 31st December 2001. CP115 was a supplementary CP to CP97. CP97 has been superseded by its feedback documents: PS97_115, CP142, CP143.
Copyright © 2003-2008 Louise Pryor. All rights reserved. Site developed by Louise Pryor. Louise Pryor is no longer practising as a consultant — the site is maintained as an archive, and is not updated.