A question of discipline

Op risk is showing signs of maturing, although there is still much work to be done. So delivering value to the business continues to be a substantial challenge, according to a new survey

While the discipline of operational risk may be continuing to evolve, the pace of evolution is fairly slow, and substantial hurdles remain to full acceptance of the value that it can provide, according to a new OpRisk & Compliance Intelligence survey.

The survey, sponsored by risk consulting firm Protiviti, showed that firms have more operational risk resources in place, and that programmes are becoming increasingly mature. Responses also show that the focus is shifting away from regulatory compliance and more towards adding value to the firm. In spite of this, however, respondents also complain that operational risk isn't appreciated by senior management, and that it is very difficult to demonstrate the value that the discipline delivers.

"Operational risk is maturing in some respects, but it is fighting to add value," says Jim Ryan, director at Protiviti. "The industry needs to address these challenges before it is too late."

Today, 25% of those surveyed have had an op risk framework in place for more than five years. Another 30% have had one in place for three to five years, and 26% acknowledge that their programme is between one and three years old. In contrast, in 2005, only 33% of firms had programmes in place for more than three years.

Operational risk teams are also growing in size. Today, 29% of respondents say they have a team of 20 or more people, and 15% say they have a team of at least 50. This contrasts with just 14% of respondents who said they had teams of 20 or more in 2005.

Firms also have more loss data, with 33% indicating that they have one to three years of data in their computers, while another 30% say they have three to five years of data. Some 20% of respondents say they have more than five years of data, with 3% claiming to have more than seven years in storage.

Firms consider risk control self-assessment (RCSA) and loss data collection to be the most mature aspects of their op risk programmes, followed closely by their op risk management governance structure. Scenario analysis programmes and economic capital modelling initiatives are the least mature areas.

However, RCSAs and loss data collection are also major focus areas for executives over the next 12 months, according to the research. "Respondents may feel their firms are mature in RCSA and loss data collection, but they are not where they want to be yet," says David Shu, senior manager at Protiviti. "This may be because of the pace at which RCSA and loss data collection – focused on data quality for modelling – are evolving, forcing firms to constantly focus on these areas to stay current." Economic capital modelling is also an area of significant focus for executives over the next 12 months, which is not a surprise, according to Ryan.

However, it was surprising to discover that only 8% of respondents said scenario analysis would be their primary focus, and 18% said it would be their second or third most important focus over the next 12 months. In some quarters, scenario analysis has proved to be a popular tool for generating operational risk models when loss data is sparse. The tool is also favoured by some as a way of generating discussion around real risks, which 'adds value' to the business lines. However, RCSAs and data also remain the primary focus of regulators, while scenario analysis is often regarded as a 'less scientific' way of generating op risk modelling results.

For op risk executives, their 'reason for being' is also shifting, with 23% saying the enhancement of their firm's internal controls culture was the primary reason for the development of their op risk framework, while 22% said reduction of operational losses was the top reason. Overall, 77% of respondents put either the enhancement of their control culture or reduction of operational losses as a top-three reason for the programme's development.

This is good news. While "compliance with Basel II and related domestic regulation" was a primary reason for 46% of firms, overall 71% of respondents ranked it as a top-three reason – putting it into third place behind internal controls and reduction of losses. In contrast, 92% of respondents in 2005 ranked it as one of their top three reasons for implementing an ORM programme.

However, executives are running into challenges within their firms. "Op risk management programmes find it difficult to demonstrate cost/benefit and value," says Jim Ryan, director of Protiviti. "They must listen and align themselves with the line of business's goals and continuously – at least quarterly, if not more often – show how they are helping lines of business meet their goals. Not the op risk management department's goals. There are lots of value issues for several reasons – for example, the measurement piece of op risk measurement is immature, so companies back into the numbers. This can hurt the credibility of op risk management programmes."

At the top of the list of challenges is the cost and time of implementation – some 61% of respondents indicated this was an issue for them. Even more disturbingly, 48% said a lack of commitment and buy-in from business units was a difficulty. Some 48% say they are experiencing difficulty in getting quality loss data, while another 35% say they are experiencing problems with aligning their capital with risk. Only 9% said conflicting guidelines between home and host regulators was an issue.

The data quality issue came top of the list when respondents were asked specifically about the major challenges they face when attempting op risk modelling, with 82% citing it as one of their top three issues.

In second place is the difficulty in incorporating qualitative factors into models at 51%, while a lack of experienced staff with quantitative backgrounds ranked third with 38%.

In contrast, back in 2005, a lack of regulatory guidance and difficulty in applying correlation and diversification effects were considered the most challenging factors.

Regulators have also tumbled as a potential risk area for respondents. While regulatory compliance was the top risk area in 2005, it has now fallen to fifth place in respondents' concerns. This year, external fraud and IT systems failure were tied for the top place in the survey with 44% each. More respondents – some 22% – ranked external fraud as their top concern, which may be in response to increased levels of internet fraud around the world, and gang-based fraud schemes in Europe.

Overall, says Ryan, op risk is showing signs of maturing, although there is still much work to be done by practitioners. He adds: "It's becoming a discipline, rather than something nice to have."
