Operational Risk Management – II: Incident reporting
Welcome. If you like us go get our RSS feed or email subscribe for updates. Thanks for visiting!
Print
Incident reporting: static analysis is the first step normally used to identify losses. Summary statistics first display frequency and severity data by event type and by business line, according to the regulatory categories. This report is of certainly needed for compliance purposes, however it might be not the best tool for the risk management of a financial institution, which has a different structure or nature of activities.
An example of a more useful set of summary statistics would match the organization chart of the financial institution, bank, or company that uses its database. With a capability in viewing the reports in dimension splits by department, by people in charge, or by geographical zone of activity.
For a bank retail network for instance, the reporting may be split by bank branch, and, or by type of client. Even before detailing the frequency and the severity of each type of loss, incident reporting in an organization or in a department should first display the total loss amount caused by operational events.
Several simple measures, long neglected and sometimes never measured in financial institutions in the past, may provide a powerful tool to raise awareness on operational risk within an organization
Next, the analysis can identify the “low severity, high frequency” losses and the “high severity, low frequency” losses, with the remaining events. Both need further investigation, since they can be the symptoms of serious breaches in control within the organization. One of the key criteria in operational risk management is whether a possible loss is capped or not. That is, in case of an operational event, the potential loss amount is limited by any type of control. Capping potential losses is, and should be, a main concern for senior management. To that extent, rare events of large amounts are the first candidates in the identification of uncapped risks.
Likewise, recurrent minor losses require further investigation, at least once. They might also be the consequence of an effective cap of losses in an activity highly exposed to operational risks. Operational losses due to processing errors are frequent but limited due to effective control procedures and systems design. But recurrent losses could also be a more worrying symptom of a systematic breach in control or in process that lead to systematic or frequent losses, with possibly very large amounts at stake.
An incident database is a view of the operational losses in an organization that can provide, if interpreted correctly, a list of priority controls and investigations to be performed. Database analysis provides the facts, but does not identify the risks.
Recent Comments