Events of the last several years have led financial institutions to reconsider both the conceptualization and practice of operational risk. It’s no longer enough to just describe your business model and a few potential risks and say you have a firm grip on your operational risks. In today’s world, you have to have detailed metrics on various scenarios (including worst cases) to convince regulators you are in full compliance with all current regulatory standards.
In a December 2015 article from McKinsey&Company, authors Saptarshi Ganguly and Daniel Mikkelsen argue that financial firms need to “…establish a structured and calibrated approach to operational-risk stress testing. Establishing such an approach will help them avoid supervisory objections (matters requiring immediate attention and matters requiring attention) by suitably addressing rising regulatory expectations. It will also benefit the institution through the establishment of strong foundational risk and business practices, for example, loss-data capture and loss-reduction actions, scenario analysis and risks/controls assessments and corresponding risk-mitigation actions, and getting a dynamic understanding of the true risk profile, including sensitivities of losses and capital to key events and drivers.”
Measuring operational risk through stress testing
U.S. regulators today require strong operational-risk-management practices and require bank holding companies to undertake comprehensive operational-risk stress testing as a part of the overall comprehensive capital analysis and review process. Keep in mind that projections of losses arising from inadequate or failed internal processes or from external events must be reported as operational-risk losses, a part of pre-provision net revenues.
Ganguly and Mikkelsen highlight that because practices in operational-risk stress testing are still evolving today, “banks are faced with a range of questions on methodological choices and the corresponding trade-offs. These questions primarily are centered on the challenge in correlating operational-risk losses with macroeconomic factors and business environment and external control factors; the handling of large historical losses in internal loss data sets; stressing historical, current, and future legal losses; and incorporating large plausible events that might occur during the nine-quarter forecast period for stress-testing purposes.”
Hybrid approach to stress testing of operational risk
U.S. banks have tried a variety of approaches for operational-risk stress testing over the last few years. The most common methods have been regression models, loss-distribution-approach models, historical averages and scenario analysis. Ganguly and Mikkelsen say that “experience has shown that on its own, any one of these approaches is not sufficient to address the challenges described earlier.” The pair go on to argue the need for a multi-model, hybrid approach: “Our view is that BHCs need to have a hybrid approach that combines the power of these individual approaches to build up to the total stressed losses for operational risk in a stepwise manner.”
Finally, Ganguly and Mikkelsen argue that financial institutions need to make investments now to build up capabilities for strong operational-risk stress testing, which can then eventually become a business-as-usual activity for the institution. Reaching this stage in the process requires developing and executing on a plan to improve the quality of internal loss data being collected, complete capture of operational-risk events and near misses, launching a scenario-analysis program with maximum business involvement, and maintaining ongoing involvement with key stakeholders such as legal and compliance.
