Workshop 3

Operational Risk Management Workshop

Operational risk has been defined as "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events." Examples of operational risks include information technology, business continuity, fraud, and reputation risk, among others. This has long been acknowledged as a risk that should be included in any enterprise risk management model; however, it has not always been embraced as a measurable, quantifiable risk. This workshop will provide insightful guidance from industry leaders who will address:

  • What is the state of the art today in the management of operational risk?
  • Where are the gaps between where the practice is now and where it needs to go?
  • What steps are necessary to close the gaps?
  • What are the implications of failing to close the gaps and advance the practice?

Highlights of the workshop include the opportunity to:

  • Get hands-on experience developing operational risk strategies through an interactive exercise.
  • Communicate with a panel of experts during a town hall meeting-style question and answer session.

Workshop Faculty:

  • Thomas Hettinger, Managing Director, EMB America
  • Robert Mark, Chief Executive Officer, Black Diamond Risk Enterprises
  • Andrew McLennan, Senior Consultant, EMB America
  • Ali Samad-Khan, Head of Operational Risk Management Consulting, Towers Perrin
  • Alexander Shipilov, Associate Vice President, TD Bank Financial Group
  • Jan Voights, Supervising Examiner, Federal Reserve Bank of New York

Session 1: What is the state of the art today in the management of operational risk?

Operational risk management (ORM) is still an evolving science; there is not yet a standard for best practices. One important reason is that many senior executives at major corporations do not fully appreciate the difference between operational risk and operations risk. This has adversely impacted resourcing and constrained consensus development across the industry.

Operations risk and operational risk sound alike, but represent two very different types of exposures. Operations risk is a subset of operational risk. Operations risk is characterized by unconscious execution errors and processing failures. Because these risks are generally well known, they also tend to be well managed. In addition, because these events stem from “normal” operational failures, the consequential single-event losses are relatively small – rarely in excess of a million dollars.

Operational risk, by contrast, is driven by “non-normal” operational failures, particularly, conscious and deliberate acts of wrongdoing. The largest such losses occur ironically when the perpetrators nominally intend to benefit their respective firms. These events have the potential to cause multi-billion dollar losses (e.g., the US sub-prime crisis and Société Générale event). Virtually all the major losses in the financial services industry have been caused by operational failure. In fact, in the absence of operational failure, the other risks (such as market risk, credit risk, liquidity risk and underwriting risk) are revealed to be less significant.

Operations risk can often be managed exclusively through tactical methods, which include six sigma, system driven key risk indicators (“KRIs”), management dashboards, identification of “key risks” through management interviews and traditional risk and control self-assessment. However, when it comes to managing the major operational risks, these traditional methods prove not to be very useful.

Operational risk addresses an entirely different business problem and should be managed first strategically, then tactically. The modern portfolio based approach to ORM follows a process where one first identifies the largest classes of risk (e.g., business practice failures – which caused the US sub-prime crisis), the magnitude of these risks and then the corresponding KRIs and controls (all of which must be validated against loss data). The modern approach also allows for appropriate incentives to be built into the business decision making process – which is critical for aligning the interests of principals and agents.

In the wake of the catastrophic losses that have recently impacted the financial services industry many organizations are reevaluating their risk management programs. And the move from traditional to modern ORM is leading to a paradigm shift in risk management thinking across all classes of risk.

In this session we will discuss the steps one must take to establish an ORM program consistent with the principles of modern ORM and the evolving standard for industry best practices. We will also discuss findings from our latest research on risk taxonomy and the impact this may have on the management of risk across all classes of exposure (market risk, credit risk, hazard risk, strategic risk, operational risks, etc).

Ali Samad-Khan, Global Practice Leader for Operational Risk Management at Towers Perrin, will lead this discussion.

Session 2: What does it take to build an operational risk strategy?

This is an opportunity for participants to get hands-on experience handling operational risk procedures. Tom Hettinger and Andrew McLennan of EMB America will lead an interactive exercise as participants work through various drills and maneuver through the operational risk landscape.

Session 3: Where are the gaps between where the practice is now to where it needs to go and what are the steps to close those gaps?

There are striking contrasts between how operational risk is handled and how other types of risks are handled. The quantification of operational risk has not advanced to the degree that financial risks are being measured and assessed. Operational risk management programs need to focus on improving the management process, and not simply be in place due to external pressures.

In assessing an operational risk strategy, there are policies, methodologies and infrastructures to be considered. What are the policies for an effective operational risk program? What different approaches and methods are used to implement those policies? How should those measures be back-tested? What should a strong operational risk management program include, and what should it not include?

This session will also cover existing market practices and issues in managing Model Risk through a holistic approach that involves validation of pricing and risk measurement models and data inputs, independent price verification, estimation of valuation adjustments, and methods used for pricing hard-to-price and illiquid assets.

This part of the workshop will explore the differences in definitions of operational risk and different approaches and methods used in an advanced measurement and management framework. Bob Mark, CEO of Black Diamond Risk Enterprises, and Alexander Shipilov, Associate Vice President at TD Bank Financial Group, will lead this session.

Session 4: What are the implications of failing to close the gaps and advance the practice?

This is the most critical part of the workshop – what are the implications of an inadequate operational risk management program? A panel of experts representing various industries (banking, insurance, securities) and various perspectives (regulation, consultancy, academic) will wrap up the workshop with their views on how gaps have been and can be closed, as well as how to implement an operational risk management program. In a town hall meeting format, participants will be encouraged to ask questions of the panel and interact with each other to share ideas and implementation strategies.

    Panelists include:
  • Ali Samad-Khan, Head of Operational Risk Management Consulting at Towers Perrin
  • Alfred Seivold, FDIC
  • Alexander Shipilov, Associate Vice President at TD Bank Financial Group

< all workshops   |   next workshop >