AGERS operational risk handbook

The presentation of the Operational Risk Handbook of AGERS (the Spanish Insurance and Risk Management Association) took place in September 2022, a manual written by the members that make up the Committee of Larger Companies Risk Experts, on which sits María Nuche, the Risk Management Director representing the Consorcio de Compensación de Seguros.

This committee of experts comprises risk officers at larger companies who operate in different sectors yet share the task in common of contending daily with managing uncertainty to help add value within organisations and bed down a robust corporate governance system. 

The document seeks to provide a practical handbook to identify and manage operational risk, which is a kind of risk that is inherent to all the activities, products, services, systems and processes at any type of company regardless of its size and legal form.

To this end, the handbook contains different sections which examine aspects such as the concept of operational risk; integrating operational risk management into corporate activities; analysing, evaluating and quantifying operational risks; mitigating them, and the regulatory frameworks currently in place to manage this type of risk.

The concept of operational risk is examined from the perspective of the various definitions of it which different institutions and regulations have determined over the course of time. Generally speaking, it is defined as the risk of losses derived from inadequate or failed internal processes, personnel or systems, as well as that which stems from external factors. It embraces legal risk, though not strategic or reputational risk. 

The definition embodies a set of characteristics in common, such as heterogeneity, and the breadth and complexity of evaluation, representing a genuine challenge for companies, who are aware that operational risk management is a key component of any organisation’s strategy if it is to achieve its objectives.

Operational risk management has to be built into the activities of organisations. To do this, it must be properly identified within all areas of the organisation, evaluated according to impact and probability parameters, prioritised in line with the company’s risk appetite policy, and lastly monitored by overseeing the risk actions that have been identified.

The strategic tool for operational risk management is risk analysis. Such analysis includes recognising risk by identifying and evaluating it, the methodology that applies to measuring it (including qualitative, and semi-quantitative and quantitative methods), monitoring it and tracking it via indicators, and developing methodologies and techniques to quantify operational risks.

Identifying an organisation’s operational risks involves using various different sources of information, both in-house and external. One could start with the operational risk classification of the Operational Risk Insurance Consortium (ORIC), an institution comprising the UK’s leading insurers. According to this classification, operational risks can pertain to any one of these groups: internal or external fraud, customers, business products and practices, harm to physical assets, business interruption or system crashes, and risks within business processes. The identification process includes analysing the causes and origins of risks, their exposure and their impact on goals.

Implicit to measuring operational risks is determining their impact and probability, while other factors can also be taken into account, such as the speed or swiftness of the impact and how long it persists or lasts once the risk has materialised.

Methodologies for measuring operational risks can be qualitative, semi-quantitative or quantitative:

• Qualitative analysis looks at words, description and scaling to define risk probability and impact. It is mainly performed via interviews, workshops, surveys and similar techniques.
• Semi-quantitative methods work with qualitative scales expanded by assigning categories with which to make a numerical classification. This allows heat matrices to be made and risks to be prioritised.
• Quantitative methods are based on probabilistic or non-probabilistic techniques to prioritise exposure to risks in numerical terms. Such analysis is complex and expensive, so it is generally confined to evaluating key risks. 

Once operational risks have been identified, the organisation must take a decision on how to deal with them. The most common response in the case of operational risks is their mitigation or control, which will be framed after making a due cost-benefit analysis of the measures taken. Even so, there is the possible alternative of transferring them to the insurance market, which will only be possible for those risks which satisfy a set of characteristics that make them insurable.

This whole process of analysing operational risks must be performed within current frames of reference and regulatory frameworks that apply depending on the type and activities of organisations.

Prominent among the regulations applying to operational risk management are the Corporate Enterprises Act, the recommendations of the Spanish National Securities Market Commission (CNMV), the Solvency II regulatory framework and the rules and regulations that apply to the banking sector. As regards methodology frames of reference, we might cite ISO 31000, the Three Lines (of Defence) Model (M3L), the Federation of European Risk Management Associations (FERMA) or the international framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

In closing, it is worthwhile giving consideration to the future of operational risk management, particularly bearing in mind the influence of the new technologies. Companies face five key challenges:

• Reshaping the role of risk officers.
• Developing a culture of risk awareness at the organisation.
• Developing swifter and more flexible risk management practices at the organisation.
• Adapting risk management to big data and the analytical tools which AI offers.
• Developing and adapting talent and the right skill-set in risk management for what the future will call for.

Working on these goals will allow organisations to integrate risk management into the business and corporate processes, thereby ensuring more effective risk management.