Firms rise to the op risk data management challenge

But op risk requires different kinds of data from market and credit risk - the issues in its gathering and investigation are also different, and require their own methods and tools.

The main types of data required for operational risk management are data on internal losses, risk self-assessments and key risk indicators. The most problematic of these three types is the first. "One of the main difficulties [with internal loss data] arises because a lot of the data is not transaction related so does not spin automatically out of the bank’s general ledger and accounting systems," says John Thirlwell, executive director of the London-based Operational Risk Research Forum.

The diverse and dispersed nature of internal loss data is the key reason why data tools for market and credit risk have proved of little use. "The difference between operational risk and market and credit risk is that their systems sit on top of source systems, which provide the data direct to them whereas [operational risk systems] are reliant on identification of loss in sometimes obscure areas and for this to be input to the system," says Matt Kimber, head of operational risk at Halifax Royal Bank of Scotland (HBOS).

Because the data can be difficult to find and extract, it is impossible for a bank to know if it has all the relevant data, says Thirlwell. "So a massive education programme is required by the bank to make people aware of all these various risks and for them to be confident of reporting them because a lot of it requires manual reporting," he says. And the reporting must be consistent, so that everybody is reporting the same kinds of things in the same kinds of ways, he adds.

New op risk tools
Some of the new tools developed for operational risk are designed to help with these problems. HBOS worked with Toronto-based risk management technology supplier Algorithmics to develop Algo OpData for capturing internal losses and key risk indicators. "One of the benefits of the system is that it demands consistency of capture of fields, as well as gives the ability to capture data over the internet and to have one point of reference for all the loss data," says Kimber.

This centralisation and standardisation of data is important, says Craig Spielmann, business executive for the Horizon operational risk management system at JP Morgan Chase. The bank developed the application in 1999 for its internal use and now also sells it to third parties. "The information is usually in some shape or form in the institution already, they just don’t have it in one spot," says Spielmann. "Usually people have some kinds of definitions around risk and some kind of controls they believe should be operating, although they may have them in disparate places." The aim should be to put the definitions and controls all in one place, in a framework that aligns with the bank’s operational risk management policies. "And when you have this all in one place you can see if they make sense or not. And they will always be there, and you can update or change them as the world changes or as you get smarter," says Spielmann.

Self-assessment data and key risk indicators (KRIs) can be less problematic than internal loss data because they will be part of an operational risk management programme, says Thirlwell. KRIs are likely to be chosen because they are easy to measure or because there is readily available data - for example, staff turnover is a popular indicator of problems within a department because it is easy to get the data from the bank’s human resources system. However, Kimber says there are still a number of difficulties, such as the confusion engendered by the different terminology that is used - KRIs, key performance indicators, key risk drivers and so on. Then there is the matter of judging how much to collect.

"One of the potential pitfalls is that you can potentially capture an enormous amount of [KRI] information and very quickly get into the problem of not seeing the wood for the trees," says Kimber. "You have to ask is it really telling you something about whether a risk is occurring or not?"

Market and credit risk data tools can offer little in these situations. Meanwhile, the specialised tools currently being developed by banks and dedicated operational risk management technology suppliers are still somewhat experimental, says Thirlwell.

"The tools are very much in evolution because we still do not really know what we are doing with operational risk," says Thirlwell. "It may be that we suddenly realise in five years’ time that this information we have been gathering is of little relevance and we might stumble across a body of data that gives us the key to working out our exposures. The tools have to be capable of evolutionary development."