About operational risks


The AQOpRisk solution brings together all relevant tasks related to professional operational risk management in one easy-to-understand framework.

Managing operational risks is of key importance in financial institutions. In most retail banks, operational risk is the second most important risk category, after credit risk. Failing to understand and manage operational risks effectively has, or will eventually have, severe impacts.

Operational risk concerns the risk of losses due to people, systems, processes and external events. These are the risk factors of operational risks.

Some examples include:

  • People/employees make errors due to, for example, inappropriate behavior or lack of qualifications.
  • Systems have errors or are not available etc.
  • Processes do not exist, are outdated or difficult to understand etc.
  • External events like viruses, external fraud, infrastructure breakdowns etc.

Often the importance and benefit of managing operational risks effectively is not properly understood or appreciated. Operational risk management therefore also lacks attention, framework and quality.

Operational risks are less tangible, and effective management requires more diverse efforts than credit and market risk management. Also, the data available for risk and capital modelling is more dispersed, which requires applying different practices and approaches than those used in traditional credit and market risk management.

AQOpRisk consists of four main modules, each targeting specific tasks that are essential in operational risk management.

  • Incident identification, reporting and review
  • Risk and control self-assessment
  • Risk and capital calculations
  • Risk, capital and regulatory reporting

Bringing these very diverse tasks together in one cockpit-style framework allows employees to easily report and follow incidents, and allows risk managers to monitor, quantify, manage and report the operational risks effectively.

It furthermore means that companies can do more with fewer risk resources, as AQOpRisk streamlines and automates many of the manual tasks normally associated with operational risk management.

Identifying, reporting and reviewing operational incidents from the business is one of the most basic and important tasks in operational risk management. It is a natural starting-point for companies and organizations that want to implement sound operational risk management.

The Basel Committee on Banking Supervision (BCBS) states:
“The tracking of internal loss event data is an essential prerequisite to the development and functioning of a credible operational risk measurement and management system”

It is of crucial importance because it provides direct and observed input of operational failures and thereby gives valuable information as it exposes root causes, organizational, people, system and process issues. It tells about loss types, levels and frequencies.

The Incident reporting module consists of a single web form that is available to every employee with 1-click access via the company intranet. It lets employees register incidents easily and captures only the required information, while ensuring that all relevant information is collected and regulatory requirements are adhered to. The registration makes it possible to break down and report operational failures across business dimensions such as business lines, organizational units and product types.

For registration of operational incidents to be successful with busy employees, it is of utmost importance that the incident capture process is as speedy and easy as possible. At AQRisk we understand and respect this, which is why the capture form is pre-filled with employee information, dates and other required information to smooth the registration process and make it a pleasant user experience.

All incident reporting is easily available for review by Risk Management and others with an operational risk focus. The incident review shows the entire reporting form. Added information is provided by the reviewing risk manager to ensure that regulatory required information, such as Basel loss and cause categories and the Basel business line structure, is captured for each incident reported by the business.

The incident review form gives reviewers a real-time overview of incidents being reported by the business and allows for swift actions if serious systemic operational incidents arise. Furthermore, it gives Risk Management a standardized framework to review and validate the incidents reported. Misconceptions and errors may need to be straightened out with the reporting employee as part of the incident registration process.

When the registration is reviewed and in order, the incident registration can be approved.

The risk & control self-assessment (RCSA) module coupled with risk workshops contains all the functionality required for assessing potential operational events.

The RCSA includes three main components:

  • Potential events including underlying root causes
  • Controls
  • Insurance schemes

Besides specifying potential events, documenting and assessing the effectiveness of mitigators such as controls and insurance schemes is an integral part of the RCSA process.

Unlike market risk, where data is in abundance, assessing potential operational events is not primarily driven by data; to a high degree it depends on expert judgment, “soft” data and external loss experience.

To extract valuable input on operational weaknesses from the business, risk workshops should be run across the organization in a cyclical fashion. Risk workshops are facilitated and prepared by Risk Management in alignment with Management focus and priorities.

Workshops are open, honest, effective and stimulating conversations, where the business contributes actively in assessing potential events, mapping and estimating the effectiveness of the control environment and likelihoods of events materializing. Workshops are not about pointing fingers, passive participation, tabooed issues, silo and habit thinking.

Controls and insurance schemes
The figure below shows how causes, controls, insurance schemes, events and impacts are important components in understanding potential operational events. Notice how controls can be both preventive (reducing the likelihood of events occurring) and corrective (reducing impact if the events materialize).

AQOpRisk takes into account the consequences from both the preventive and corrective mitigation effectiveness when assessing the total portfolio risk and capital requirements from the operational risks. This allows financial institutions and companies to understand their total net operational risks and help price (in terms of reduced risk and capital) the value of controls/insurance programs.

Potential events
The potential events menu includes all information related to the potential events in a single form. For each potential event, the form holds specific information about the event, risk owners, impacts and likelihoods, related controls and insurance schemes including their effectiveness, and related causes, procedures and contingency plans. It also includes Basel categorization on cause and loss categories.

Much operational risk management concerns capturing individual incidents and identifying large potential events.

Performing risk calculations makes it possible to have a complete portfolio assessment of the operational risks at hand and not just consider individual potential events and incidents.

The application performs calculations with three input levels – incidents only, potential events only and a full calculation including both incidents and potential events.

Calculated expected losses, risk and capital results are shown at bank or aggregated sublevels. Results are shown with and without mitigation from controls and insurance schemes and therefore quantify the value of the mitigating environment.

The calculated capital consequences across model types and stress tests make it possible to perform a rigorous internal capital adequacy assessment process for operational risks.

The application includes a comprehensive reporting module that allows for full breakdown of operational risks across the business. The reporting is highly flexible and dynamic with regard to user preferences. All graphs are easily exported.

Incidents
The reporting includes incidents reported from employees.

It shows the development in incident numbers and impacts across time and provides an extensive breakdown across the organizational units and across product types, products, business processes, impact and effect types, Basel loss and cause categories.

It also shows the largest incidents, the resources tied up in solving incidents and shows how many have been resolved.

Regulatory reporting
The regulators require two operational risk reports on an annual basis. The reports are required to show a number of regulator-defined key ratios across Basel loss categories and Basel business units.

One regulatory report focuses on financial impacts, while the other concerns the number of incidents experienced.

Both reports are automatically generated in the application and easily exported for regulatory reporting.

Potential events
The potential events identified in the risk register - typically via risk workshops - are also available in the reporting. The reporting provides an overview of the potential events across the business and Basel loss and cause categories.

The largest potential losses are identified, showing where mitigating efforts are best spent.

Risk and capital measures
The reporting also shows all the different calculation results. Results such as expected loss, value-at-risk and economic capital measures across confidence levels are available and broken into various reporting dimensions.