New techniques for identifying emergent operational risks
Techniques for assessing operational risk have come a long way in the past ten years. Today, many companies are going beyond the regulatory minimum to implement sophisticated models that contribute to better understanding and management of operational risk across the business.
One question that tends to push the limits of existing models, however, is identifying emerging operational risk before it produces a loss. Given that risk events are typically not entirely new but rather simply new combinations of known risks, an approach that enables us to analyze which risk drivers exhibit evolutionary change can identify which ones are most likely to create emergent risks. By borrowing a technique from biology—phylogenetics, the study of evolutionary relationships—we can understand how certain characteristics of risk drivers evolve over time to generate new risks. The success of such an approach is heavily dependent on the degree to which operational risk loss data is available, coherent, compatible, and comprehensive. A well-structured loss data collection (LDC) framework can be a key asset in attempting to understand and manage emergent risks.
Broadening the definition of operational risk
In the financial industry, where operational risk has been a significant target of regulators for more than a decade, operational risk is typically defined as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” However, this definition doesn’t consider all the productive inputs of an operation, and, more critically, does not account for the interaction between internal and external factors.
A broader, more useful definition is “the risk of loss resulting from inadequate or failed productive inputs used in an operational activity.” Operational risk includes a very broad range of occurrences, from fraud to human error to information technology failures. Different production factors can be more or less important among various industries and companies, and relationships among them—particularly where labor is concerned—are changing rapidly. To be effective as tools for managing operational risk day-to-day, models need to account for the specific risk characteristics of a given company as well as how those characteristics can change over time.
Examples productive inputs relevant for operational risk
|Natural resources||Land||The physical space used to carry out the production process that may be owned, rented, or otherwise utilized.|
|Natural resources||Raw materials||Naturally occurring goods such as water, air, minerals, flora, and fauna.|
|Labor||Physical labor||Physical work performed by people.|
|Labor||Human capital||The value that employees provide through the application of their personal skills that are not owned by an organization.|
|Labor||Intellectual capital||The supportive infrastructure, brand, patents, philosophies, processes, and databases that enable human capital to function.|
|Labor||Social capital||The stock of trust, mutual understanding, shared values, and socially held knowledge, commonly transmitted throughout an organization as part of its culture.|
|Capital||Working capital||The stock of intermediate goods and services used in the production process such as parts, machines, and buildings.|
|Capital||Public capital||The stock of public goods and services used but not owned by the organizations such as roads and the Internet.|
The need for an adaptive framework for understanding emergent operational risks
Productive inputs are extremely dynamic—and the pace of change continues to accelerate. Human labor is replaced with machines. Natural resource markets fluctuate as sources are discovered or exhausted. Computing platforms gain new capabilities and old approaches become outdated. Yet despite these shifts, it is common to measure risk based on criteria that are unrelated to factors of production, for example, product type, production volume, or business line revenue. Using static measurements that ignore production dynamics can render a risk model irrelevant, misleading, or even dangerous.
What is required is an operational risk framework that can evolve along with the factors of production. Only then can we answer the central questions of operational risk management:
• How much operational risk is the company currently exposed to, and what operational processes and factors of production is it sourced from?
• What is the company’s appetite for operational risk, and how does it set consistent risk limits for each granular operational production process across its business?
• How can the company effectively mitigate excess operational risk that it does not wish to bear?
• How can the company tactically optimize its operational risk budget as actual operational risk changes over time?
• What are the company’s emerging operational risks and how might it be able to manage them before they produce losses?
An evolutionary approach
A technique borrowed from biology shows significant promise for enhancing the ability to predict and manage emerging operational risk: phylogenetics, the study of evolutionary relationships. By applying phylogenetic techniques to operational risk drivers, we can see how those drivers combine and recombine to give rise to emergent risks. The technique is based on analysis of the characteristics that define each thing under consideration, and subsequent ordering into groups or “clades” based on combinations of those characteristics. Perhaps the most famous organizational schema developed in this fashion is the “tree of life” shown below.
To see how a similar approach can be transferred to the study of emerging operational risk, take the example of derivatives trading. Based on work by T. Coleman1, a number of large derivatives trading losses from the past 20 years have been mapped according to the following characteristics:
1. Involving fraud
2. Involving fraudulent trading
3. To cover up a problem
4. Normal trading activity gone wrong
5. Trading in excess of limits
6. Primary activity financial or investing
7. Failure to segregate functions
8. Lax management/risk control problem
9. Long-term accumulated losses in excess of three years
10. Single person
This is not a comprehensive list of characteristics, but it is complete enough to show how phylogenetics works in this context. Classifying the events into clades based on common characteristics produces the following cladogram.
There are three major clades: normal activity gone wrong, fraud, and simple events characterized by the use of derivatives. Each clade branches at a point defined by a split in characteristics leading to the end of a branch, which is a specific event. Longer branches have more characteristics along the “evolutionary” path.
The shortest branches are in the derivatives clade. This indicates relative stability and an area less likely to morph into emerging risks. The longer branches represent a greater number of bifurcations, meaning they are likely to be subject to stronger evolutionary forces than shorter branches and are worth of intensive study as they are more likely to evolve into emerging risks. If a company displays similar operational characteristics, it may be more vulnerable to emerging risks.
The frequency of characteristics and where they occur along a branch can also provide valuable information. For example, “lax management/control problem” appears in almost every branch, typically closely related to “trading in excess of limits. Additionally, “long-term accumulated losses in excess of three years” tends to appear at the end of branches, suggesting that it might cross over to other branches to create a new type of risk. Our paper Operational Risk Modeling Framework covers these topics in more detail.
Still, even in this brief analysis, the ability to identify emerging risks using phylogenetic techniques becomes clear. One of the key advantages of this approach is that the operational risk taxonomy can be determined objectively from the data, allowing us to map complex interrelationships among risk branches rather than simply defining linear structures. While human beings naturally tend to split risks up into silos, operational risk is highly dependent on other risk types and demonstrates the ability to change over time. Finding ways to look beyond simple risk categories is crucial to understanding emerging operational risks.
The importance of a rich classification dataset and implications for loss data collection
In order to use a phylogenetic risk model, it is important to capture multiple characteristics of past and potential events. To support such analysis of emergent operational risk—and to assist in operational risk management in general—the loss data collection (LDC) process needs to go beyond the simple recording of financial losses in a database. LDC should capture a wide range of data including both causes and effects of operational risk events. It should also incorporate non-financial effects (loss of life, reputational damage) in addition to financial losses.
More broadly, organizations should see LDC not as a single activity but as a process with multiple steps. A mature LDC process includes the following steps:
1. Definition and identification: Formalizing the logistics of the loss data collection process, including who is accountable, the nature of the loss data repository system, and thresholds such as the minimum loss required to be reported.
2. Loss data elements: Identifying quantitative and qualitative aspects to be captured in the event of a loss, such as magnitude, recoveries, and linked events.
3. Validation: Controlling the quality of data by verifying its accuracy and completeness.
4. Analysis: Modeling loss frequency and severity or other characteristics of the dataset.
5. Reporting: The development, production, and distribution of reports targeted to various internal and external stakeholders.
This is only a brief overview of LDC elements, a topic which is also covered in more detail in the Operational Risk Modeling Framework paper. Generally speaking, when developing an LDC framework, it is important to look at what the data is going to be used for. This can help define the types and granularity of data to be collected.
Even high-quality LDC processes inside a single organization face a significant challenge. It is difficult to collect enough data on the low-frequency, high-severity events that can represent the majority of operational risk losses. In part thanks to regulatory pressure, the global banking industry has worked to overcome this by creating a database known as ORX that includes data from more than 60 organizations. Hopefully, industries outside the financial sector will come to recognize the value of an industry-wide LDC database that can support the identification of emerging risks.
Staying ahead of the game
Of all risk types, operational risk may be one of the most complex, featuring interdependencies among internal and external risk drivers and a high degree of dependence on ever-evolving productive inputs. Because it is capable of significant change in a short period of time, static risk measurement frameworks are not sufficient for effectively managing operational risk. Phylogenetics, supported by effective LDC processes, can help companies in any industry identify emergent risks and develop approaches to reducing their likelihood and severity before a loss event—because afterward is too late.
1Coleman, T., A Practical Guide to Risk Management, Research Foundation of the CFA Institute.
This blog was first published at TheBusinessofRisk.com.