Running a smooth operation

Operational risk has come to the forefront of risk management – with energy firms the latest group to be held up as victims of operational failures. Governance of op risk and internal controls originated in banking and financial services, but is gaining momentum in the corporate sector (see box).

Management of op risk – the risk of loss resulting from inadequate or failed internal processes, people or systems or from external events – used to be qualitative at best. But stakeholders are demanding that it be monitored and controlled in the same way as other risk components, such as credit and market risk.

Even across diverse industries, the challenges for the op risk manager are similar, so the requirements of an effective op risk management framework share common elements.

Three components are necessary to establish an effective and ongoing system to manage op risk:

• measurement: companies need sophisticated analytical tools to quantify op risk exposures in order to make informed decisions, include op risk in risk-based performance figures, understand their sensitivity to key risk indicators (KRIs) and have a reference point against which to measure business progress;
• identification: companies need to be able to proactively identify scenarios that are likely to result in operational failures, which will allow timely management intervention; and
• stress-testing: companies must be able to perform what-if analyses that are vital to engineering internal processes to minimise the effects of operational failures.

Measurement
Any risk manager understands that, in order to manage risk effectively, he must first be able to measure risk exposure. Yet with regard to op risk, this has historically been an elusive goal that at best relied on qualitative assessments. Companies need new tools to quantify various granularities of op risks. For example, users will need to measure overall op risk exposure in order to assign capital for risk-based performance measures. However, to determine the most effective course of action and get feedback on their actions, they will also need to drill down to obtain individual KRI contributions to operational losses.

In terms of measuring overall op risk exposure, Monte Carlo value-at-risk, statistical and actuarial methodologies need to be extended to cover the impact of op risk. By quantifying the op risk exposures of various business units or activities, managers have an effective framework for assigning economic capital to assess performance versus risk. When assessing performance against risk, managers should quantify and include op risk. Business units or activities with a higher likelihood of operational losses will have a bigger capital weighting in their risk-based performance measures.

With regard to measuring the more granular sensitivities to KRIs, managers need to use advanced statistical methods, such as Bayesian decision theory to identify true causal relationships. Managers can then proactively take steps to reduce operational losses by focusing on KRIs that contribute the most to losses.

Once managers understand risk factors, they can implement controls to eliminate or reduce the impact of those risk factors. In addition, quantifying KRI contributions will mean managers can obtain feedback on the effect of improved control. Thegoal is to guide management to increase operational efficiency and thus profitability.

Identification
One of the greatest sources of op risk is a firm’s trading activities. Even with the advanced state of many of today’s trading, risk management and scheduling systems, opportunities for operational failures, scheduling errors, failed settlements and fraud still exist and have potentially disastrous consequences. An effective op risk framework must be able to identify either unusual trading activities or transactions similar to past undesirable trades.

For example, users may want to identify trades that do not fit the normal pattern of activity of a trader, business unit or business line. Similarly, users may want to flag trades that share common attributes with previously defined undesirable behaviour, such as round-trip trades or other unapproved off-balance-sheet special-purpose entities.

Companies should not only identify such trades at an early stage, but also why they are unusual. Such early identification allows more focused risk-based auditing of individual transactions and trading activities, which is vital in detecting errors and fraud. Similar tools have long been used by regulatory agencies to detect insider trading. These tools must be intelligent enough both to adjust to constantly changing environments and to easily ‘learn’ the trading activities as they evolve with time.

Stress-testing
One aspect that is often overlooked by traditional op risk management systems is the ability to generate plausible scenarios with a high likelihood of operational failure. An effective framework will help the risk manager define these high-risk scenarios in order to stress-test existing controls and procedures. For example, users should be able to simulate potential trades that have a high likelihood of operational loss, to allow them to stress-test how their existing front- or back-office systems would react to such a trade.

Over the past few years, increased focus on op risk has spurred research to develop op risk management methods to a level of sophistication equivalent to those used for credit and market risk. Such technologies and methods are now becoming available either as integrated components of advanced trading and risk management solutions or as stand-alone systems. However, many energy firms find themselves ill prepared to implement these frameworks.

To start managing their op risk exposures, energy firms must implement procedures to consolidate data such as historical operational loss events, historical and projected exposures, and transactional attributes.

In addition, software solutions must provide the capabilities for modelling KRIs, audit front- to back-office activities and implement effective controls in unique business environments. As a result, company managers can leverage these solutions to understand op risk exposures and continually assess and improve internal controls.

Philip Wang is the vice-president of product management at OpenLink.
e-mail: pwang@olf.com

Jack King is engaged in the research and development of advanced information systems in consumer, industrial and government organisations.
e-mail: king@genoauk.com