Journal of Operational Risk

Welcome to the second issue of Volume 15 of The Journal of Operational Risk. In this issue, we are very excited to present two papers that nicely summarize the efforts being undertaken by the industry as a whole.

Our first industry paper shows how ORX has worked in partnership with a consortium of participating banks to update the operational risk taxonomy. The first operational risk taxonomy was introduced by Basel II in 2004 (ie, it was signed in 2004 but had been under discussion through the late 1990s and early in this century). Since then, the financial industry has gone through a major transformation, with, for example, the introduction of digital currencies and the move toward most client-driven operations being performed online. This introduced cyber risk and technology risk, neither of which existed when Basel II was first being discussed. Younger practitioners may even find it difficult to understand what “cheque kiting” (one of the level 3 taxonomies in Basel II) is in a world where payment methods are mostly digital. The ORX initiative is a great basis for discussion as Basel IV talks start, and our readers have an opportunity here to look at what the industry is thinking with regard to this new operational risk taxonomy.

Our second industry paper discusses the Comprehensive Capital Analysis and Review (CCAR) stress test that is performed by Federal Reserve (Fed) officers. As we know, CCAR exercises are confidential and contain sensitive information, so only the Fed is able to offer such insight to the industry. We are proud to be the publication in which the results of this benchmarking are presented.

We expect to receive more papers on cyber and IT risks in the future: not only on quantification of those risks but also on better ways to manage them. We would also like to publish more papers on important topics like enterprise risk management and everything this broad subject encompasses: establishing risk policies and procedures, implementing firm-wide controls, aggregating risk and revamping risk organization. As I have said before, we expect analytical papers on operational risk measurement will continue to be submitted, but they will now have a focus on stress testing and actually managing those risks. These are certainly exciting times!

The Journal of Operational Risk, as the leading publication in this area, aims to be at the forefront of these discussions. We welcome papers that can shed light on them.

In this issue, we have three research papers – two “industry papers” on risk taxonomy and stress test benchmarking, and one that deals with near misses – as well as one forum paper on strategic and technology risks.

 
RESEARCH PAPERS

In our first paper, “An emergent taxonomy for operational risk: capturing the wisdom of crowds”, Luke Carrivick, Steve Bishop, Tom Ivell, Valerie Wong and Ramy Farha bring, exclusively to The Journal of Operational Risk, the new operational risk taxonomy developed by ORX with its consortium of participating banks. Basel II, which established a taxonomy for operational risk for the first time, was brought to life in 2004. However, in the last sixteen years both the industry and the risks to which financial institutions are exposed have evolved dramatically. Risks such as conduct risk, cyber risk and third-party risk have risen in importance and now dominate boardroom agendas. How organizations think about this expanding portfolio of threats and how they manage them in a consistent way is underpinned by their risk taxonomy. This changing risk profile, combined with a recent shift of focus away from capital measurement toward risk management, means that many organizations are actively revising their operational risk taxonomies. In doing so, they are deviating from Basel Committee on Banking Supervision event types, but without a common standard to aim at. The authors of this paper take a data-driven approach and combine the individual active taxonomies of sixty large financial institutions (fifty-eight for construction and two for validation) to create a coherent new reference taxonomy: the ORX reference taxonomy for operational and nonfinancial risk. This combines both the theoretical and the practical wisdom of the crowd. The resultant taxonomy is a two-layered hierarchy of risks, with sixteen risks at level 1 and sixty-one risks at level 2. As part of this work, the authors look at some of the contemporary concerns that have shaped how institutions think about their risks. Constructing a mutually exclusive and collectively exhaustive taxonomy driven by data is not without its challenges, and careful narrowing of scope and separation of risks, in partnership with industry experts, was sometimes needed. This paper shows us what has been done by this large group of practitioners.

In this issue’s second paper, “Benchmarking operational risk stress testing models”, Filippo Curti, Marco Migueis and Robert Stewart, all Fed officers, perform the very interesting feat of benchmarking the Federal Reserve System’s CCAR, which requires large bank holding companies to project operational losses under stressed macroeconomic scenarios such as deep recessions characterized by high unemployment. The authors notice that the relationship between macroeconomic downturns and operational losses is influenced by innumerable factors that are challenging to quantify and difficult to forecast. Therefore, the models designed to measure stressed operational losses are simplifications of complex processes, which means that multiple benchmarks should be used to guide primary model development. When modeling highly uncertain processes, benchmarks provide different conceptions allowing for alternative perspectives and reasoned judgments. This paper outlines several approaches to benchmarking operational loss projections under stressed scenarios using both accounting metrics and historical loss experience. These benchmarks provide a tool for bankers, regulators and practitioners to gauge the reasonableness and conservatism inherent in stressed operational loss projections, thus bringing a concrete structure and a panoramic view to the operational risk CCAR process.

In our third paper, “What is essential is invisible to the eye: prioritizing near misses to prevent future disasters”, Andrea Giacchero and Jacopo Moretti, two industry practitioners, claim that a “near miss” is a great opportunity to improve a financial institution’s operational controls and should not be allowed to go to waste. The authors note that near misses represent a primary source of information for analyzing the operational risk exposure of a company, since these can reveal gaps in the control environment. They propose a model that aims to identify the most critical events that could happen in a financial institution using a near-miss data collection. The output of their model is a near-miss ranking, in a decreasing order of significance in terms of possible damages; this supports management in prioritizing mitigation actions, in line with the principles of parsimony and efficiency.

FORUM SECTION

In the issue’s forum paper, “Strategic and technology risks: the case of Co-operative Bank” by Patrick McConnell, one of The Journal of Operational Risk’s most prolific authors studies the growth-by-acquisition strategy embarked upon by a mid-sized UK bank. The author claims that this bank’s strategy was a disaster, leaving a hereto- fore successful enterprise in dire trouble and on the block for buyers at a substantial discount to its original value. For the author, this business case is an example of a board failing to manage its strategic risks and, in particular, its strategic technology risks. In 2008, the board of the Co-operative Bank, backed by its parent the large and profitable Co-operative Group, took the decision to acquire a larger competitor to increase its market penetration. However, despite being well capitalized, the execution of the strategy was botched, not least as regarded the replacement of the bank’s “core banking systems” to accommodate the larger, merged bank. This paper begins by providing some background about the bank as it embarked upon its growth strategy, before discussing the topics of strategic risk and strategic technology risks, and in particular the risks in so-called core systems replacement programs. The events that caused the Co-operative Bank to fail so disastrously are then described, and finally the lessons that can be drawn are discussed.

Marcelo Cruz