If IT's a Crapshoot: How Much Are You Willing to Risk?

Operational risk is moving well outside companies' walls as organisations look to increase operational efficiencies in their supply chains through increased transparency with partners.

Basel's Brush

The Basel Committee defines operational risk as: "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events".

Computerworld recently reported spiralling compliance costs were compounding the pressure on Australia's financial services sector to set a risk management methodology under the New Basel Capital Accord (Basel II) by the end of this year. "Australian Basel II experts estimate it will cost banks, insurers, trust fund managers, some commercial real estate providers and other financial institutions between $90 million and $140 million each over the next two to three years to establish a satisfactory risk profile under Basel II," the report says.

Banks, which must be compliant by 2007, will need to build up databases, reporting systems and integration technologies such as extraction, transformation and loading technologies to take advantage of proposed risk management standards.

Potential operational risks are many and varied, ranging from computer failures, lax procedures and human error to accounting mix-ups, IT systems failure and Trojan Horse attacks. In fact, any risk that is not credit risk or market risk can be defined as an operating risk, and the potential hazards seem to be growing in complexity even as at least some organisations begin to buckle down and take the issue seriously.

In the IT area, security breaches, piracy, fraud, major system failures and computer viruses can all be classified as operational risks. And although organisations have always been subject to political risks, the events of the past two years have forced a new appreciation of the need to assess and deal with geopolitical risks that are largely beyond their control. That need is fast becoming a necessity.

"The obligation from an operational risk standpoint is to make it very, very clear to your shareholders that the governance framework that you have in place gives you an opportunity not only to understand and measure the risk that you have, but you also have a framework for management of risk," Pleiter says.

B@nkFin Consulting managing director Bryan O'Connell says that, driven by (but no longer confined to) the financial industries, operational risk has grown in importance as banking has shifted over time to become a much more complex business. Managing a business today requires many more skills from both middle and senior management than were demanded in the past, and some organisations are rising to the challenge.

"I think there is a lot more sophistication applied to risk management," O'Connell says. "If you look for instance at the way in which banks look at their risk management profile, both their customers and also the industries that they operate in, they're using a lot more of their resources internally, both their economic resources and their credit resources, to focus on giving a much more sophisticated analysis of risk these days."

The increased focus has led to banks and other organisations closely examining their processes and systems and has encouraged them to categorise the various sectors of the economy and develop risk profiles and guidelines in relation to each vertical segment, O'Connell says.

That is a little bit easier in the banking industry than in some other industry sectors, because banks have a vast amount of historical data to turn to in developing risk profiles, but even so the problems in making progress can be huge. For instance, in 2002 the Operational Risk Loss Data Collection Exercise (LDCE) asked participating banks to provide information on individual operational losses during 2001, internal capital allocation for operational risk, expected operational losses, and a number of exposure indicators tied to specific business lines. Overall, the combined data for the 89 participating banks included more than 47,000 individual loss events. Yet gaps in data collection mean even this vast collection of data fails to give any comprehensive sense of the range of potential operational risk loss events experienced by banks.

Whatever the complexities, assessment of operational risk is becoming an important weapon in the CIO armoury, particularly in the US. The Kingson Group is experienced in assessing operational risk for large IT projects and is directly involved in the identification, measurement, prioritisation and management of all types of risk using enterprise risk management (ERM) tools and processes. At one corporation, president and CEO Gary Bierc used ERM processes to jump-start an SAP installation, assess the risks and develop strategies to manage them and ensure the SAP project was brought in on time and was effectively achieving its objectives.

"It is our perspective that risk is anything that will impact the achievement of objectives including in the operational area, both threats and opportunities," says Kingson Group managing director Mary Jean Herron. "A very effective way to handle risks is to use an enterprise risk management approach, which is an integrated process that enhances the ability to achieve objectives by identifying, measuring and responding to risk.

"Unless you understand the objectives of the CIO and of the corporation, you do not understand the risks that they are facing. Once you have identified the major risks, measured their potential impact and prioritised them based on how they will impact your objectives, you can then assess what is the best tool or process to mitigate the risk or take advantage of the opportunity."
