Ways in which some loss event approaches can be false economies
This is the third in a series of four blogs about the ways in which common shortcuts can undermine operational risk management success within financial services firms. You can view the other blogs here: The Shortcuts Trap – Risk and Control Self Assessments and The Shortcuts Trap – Key Indicators Under Fire
For financial services firms, capturing and analysing loss events correctly is vitally important. Loss events, properly understood, can help firms reduce their future levels of operational risk and enhance operational resiliency; a process made easier with risk management software. However, the capture and analysis of loss events has also been one of the most controversial aspects of operational risk, and within that controversy, best practices can get lost and shortcuts taken. Below are some common tricky timesavers that firms take when it comes to loss events:
- Being comfortable with incomplete loss capture – It’s a big mistake to think that the data collection job is over, having captured 70% or 80% of the firm’s total operational risk loss events, and analysis can begin. Any analysis undertaken and conclusions drawn from such an incomplete data set would be inherently wrong – a significant chunk of the firm’s loss history is missing. The best way to ensure that all losses are captured is to reconcile the loss data to the general ledger. While this can take time – which is why abandoning this work is a popular shortcut – doing so is a big trap. It’s vitally important that the loss data set be as comprehensive as possible.
- Demanding complete loss event information up front – Some firms insist that the business fill out a loss event capture form completely – all fields are mandatory – before it can be submitted. While it’s important to capture all of the information about a loss event eventually, requiring all fields to be filled in by the business before turning the form in can lead to delays in notifying the operational risk team that a loss event has occurred. The business may not know all of the information required by a form immediately – some information could take a month or more to track down. Instead, the business should be encouraged to submit the form as completely as possible, but also in a timely manner. Then there should be a process in place to ensure the form is completed within a reasonable period of time.
- Setting thresholds too high for analysis – Most banks have a reporting threshold well below the Basel Committee on Banking Supervision’s (BCBS’s) level of €10,000 — €500 or €250 for example – which is good. However, for many banks, the loss size at which they undertake root cause analysis can be much higher than their reporting threshold — €5,000 and up. Naturally, the higher the threshold, the less analysis an operational risk team needs to do. But it could mean that the team is failing to do analysis on important loss events, which result in further losses. If an operational risk team is only doing root cause analysis on two or three losses each month, it has set its analysis threshold too high, and should lower it.
- Applying a monetary threshold to analysing reputational risk loss events – Most banks will perform root cause analysis on all reputational risk loss events, which is the right thing to do. However, some firms will apply a monetary threshold in the same way that a threshold is applied to other types of losses for analysis. This is a very bad shortcut – for financial services firms, reputation is everything. While there may be more reputation events today than there were 15 or 20 years ago, it’s a false economy to ignore events below a certain threshold because, without the insight provided by root cause analysis, future reputation events from the same causes could escalate significantly in both frequency and severity, creating real damage.
- Forgetting about corrective controls when analysing losses – There are many different kinds of root cause analysis that can be performed on operational risk loss events. A popular one is the Five Why’s, but this approach can often lead to the team just exploring preventative controls – the controls that prevent a loss event from happening. It can be far too easy to overlook corrective controls, which ask the question, “Could this loss have been smaller even though it happened?” Corrective controls are particularly important when thinking about operational resilience. A bow tie analysis of a loss event may take longer, but it is a better way to structure the team’s thinking, so that both preventative and corrective controls are examined.
In summary, operational risk teams at financial services firms should view loss events as an opportunity for a deeper understanding of the organization’s ecosystem, as well as a chance to improve both operational risk management and resilience. Firms need to consider the benefits that best practice can bring in this area, and avoid common shortcuts that can lead to significant increases in risk over the longer term.