by : Lawrence Richter Quinn
The concept is so simple; so why
are so many people, including shareholders, having such a hard time getting
their heads around the phrase "operational risk" or "op
risk" - the risk of loss from any operational failure at a company?
Not only are they having a hard
time understanding it, the vast majority of stakeholders have never heard the
term - even though a great a great number of finance specialists say
extraordinarily poor management of operational risk (not other categories of
risk, such as market, liquidity or credit) is exactly what led to the collapse
of global financial markets starting in 2007. (Read about the financial crisis
that struck in 2007 in The 2007-08 Financial Crisis In Review.)
That is exactly why investors and
other stakeholders need to get up to snuff on operational risk as quickly as
possible. If they don't, there's every reason to expect other financial
implosions to follow.
The Impact Of Op Risk
What may surprise stakeholders is
that a number of financial experts say poor operational risk management has
been the underlying cause of every major financial services loss over the past
two decades - including this past year's $180 billion-plus bailout of American
Insurance Group (AIG) and well-publicized fiascoes such as those at Barings,
Long Term Capital Management (LTCM), Allied Irish Bank-All First, Societe
Generale, Bear Stearns and Lehman Brothers.
Even more surprisingly, the
finger pointing doesn't stop there. Any number of additional significant upsets
at "non-financial" companies - everything from Union Carbide's
chemical leak in Bhopal, India years ago to JetBlue's massive ticketing and
route scheduling failures to accounting-related fraud at Cendant and Bausch
& Lomb - can be attributed to operational risk management failures.
"Until investors and all
stakeholders - John Q. Taxpayer, corporate board members, 'C-suite' executives,
shareholder activists, ratings agencies, analysts, regulators, even legislators
- understand this risk and how to measure and manage it, there is no way to
guarantee that we won't face future financial meltdowns as big as, or bigger,
than the most recent one," says Ali Samad-Khan, founder and president of
Stamford Risk Analysts (a recent rebranding of OpRisk Advisory) in Connecticut.
"Coming to terms now with
operational risk must become a strategic imperative for organizations in all
industries, not simply for financial services giants."
Bolstering the view that stakeholders
must understand the importance of operational risk is a just-released study
from the Society of Actuaries, the Casualty Actuary Society and the Canadian
Institute of Actuaries called A New Approach for Managing Operational Risk:
Addressing the Issues Underlying the 2008 Global Financial Crisis.
"Regulators and other key
stakeholders (e.g., rating agencies) need to take an active role in calling for
improved ORM practices," the report notes. "Historically, ORM has
taken a back seat to the management of the other major risks, which are often
defined as market, credit, insurance and strategic risk and sometimes include
'liquidity,' 'legal' and 'reputation' risk … This has not only caused
operational risk to be underestimated, but has also obscured the underlying
causes of many of the most significant financial losses."
Just What is "Operational
risk"?
So how do we define operational
risk? On its face, it sounds enormously simple: the risk of financial loss from
any operational failure. But "operational failure" encompasses a
dizzying array of possible events, actions and inactions - everything from
inadvertent execution errors, system failures and acts of nature to conscious
violations of policy, law and regulation. Of course, it also encompasses the
greatest of all faux pas: direct and indirect acts of excessive risk-taking.
It's exactly this depth and
breadth of issues and "cross-silo" concerns that has lead to ongoing
confusion about exactly what is and isn't an operational risk - and continuing
doubts about how to identify and manage it. For instance, too often op risk has
been misdiagnosed as other, relatively newer areas of recognized exposures such
as those involving IT security, supply chain and business interruptions.
As a result, some corporate managers
argue that op risk simply doesn't exist - that it is nothing more than existing
risks by a newly-invented name - or that, if in fact it is a legitimate,
separate exposure, the amount of operational risk they face isn't significant
enough to merit a specific and separate measurement and management system.
Typically, executives at non-financial organizations advance these views -
pointing out, for instance, that they don't run complex trading operations or
have the related balance sheet concerns faced daily by the world's banking,
energy and commodity firms.
Finally, that op risk has been
recognized formally by the regulatory community as a legitimate issue only
recently (and then, by financial services regulators exclusively), hasn't
helped encourage active recognition or management of it. That acknowledgment
came in 1999, when the Basel Committee on Banking Supervision, a global
financial services firm, highlighted operational risks as a distinct potential
bête noire..
Much Ado About Nothing?
Many stakeholders might view
discussions about whether op risk exists, what it is, how it differs from other
exposures, and if and how it can be managed as academic. It's easy to dismiss
the debate thinking that, whatever its merit, it has no bearing ultimately on shareholder
value, reputation, governance or related concerns.
But op risk proponents say it's
not so. Those who don't acknowledge their own op risks are simply setting
themselves up for future devastating material failures and losses.
Indeed, they say, the seeming
minutiae of operational issues can quickly spin out of control into a major
balance sheet and stakeholder concern. One example comes from Norm Parkerson,
executive director of advisory services at Grant Thornton in Atlanta, who
points to a recent unanticipated op risk loss suffered by one of his own
clients. In this case, a manufacturing company introduced a new product covered
by a warranty reserve based on its own historical data. Unexpectedly, a
manufacturing problem - an operationally-related risk - generated warranty
claims far exceeding the warranty reserve booked on its balance sheet. The
result: a loss of well over $100 million.
"This happened rapidly and
the impact was far reaching," says Parkerson. "Not only was there an
impact to the financial statement; there was an adverse impact on the
manufacturing process, the quality assurance process, the procurement of raw
materials, the ability or inability to fulfill customer orders, and the
company's reputation."
Managing Op Risk
Unfortunately for stakeholders,
no models exist where they can turn to management and boards and ask: "How
effectively are you managing op risk - for instance, against X, Y or Z?"
In fact, banks and insurers
acknowledge that they don't know if their op risk management endeavors to date
have been successful.
The SOA's report says "Many
financial firms have spent millions of dollars hoping to improve their
management of operational risk, but those initiatives do not appear to have
achieved their desired objectives. Developing an effective method of managing
operational risk is proving to be a daunting task."
Meanwhile, stakeholders remain
far more exposed than they realize.
"Organizations that choose
to remain blissfully ignorant of the importance of operational risk will continue
to operate under a false sense of security," says Samad-Khan. "They
will remain 'under-controlled' in areas where they have the most risk and
significantly 'over-controlled' in areas where they have the least risk. So
without addressing op risk head on, recognizing and understanding it and
acknowledging the crucial role it plays, we face the prospect another global
financial crisis in the not too distant future."
The Bottom Line
Operational risk remains a controversial topic, but by whatever name you call it, the risk will not dissipate by being ignored. While managing op risk may be a daunting task, it is one of utmost importance to companies and shareholders alike.