Operational and reputational risks have become areas of greater focus in recent times. There have been so many high-profile operational risk events that it is clear how important operational risk management is for all companies – Anthem, Volkswagen and UBS are just a few examples of companies that have suffered significant losses due to operational risk events. In addition, for every publicly reported incident there are sure to be a host of smaller cases which have not been large enough to hit the headlines and which, of course, can have a cumulative detrimental effect over time. There is also a somewhat invisible aspect to operational risk, given that the damage does not always affect physical assets. Information can be stolen through a cyber breach, agents can act in their own interests, fraudulent activity can happen, and all of these events can go undetected.
Operational risk can also contribute to other risks undertakings face, particularly reputational risk – a risk we don’t always fully appreciate until the damage is done. There are many strategies and marketing campaigns aimed at ‘one brand’ and ‘one vision’ which show the value organisations place on their reputation. Yet reputational risk management is not always given the attention it deserves. It’s worth pausing for a moment to take a closer look at operational and reputational risk management.
The challenges of quantifying operational risk are numerous: they include the lack of data to properly calibrate models, as well as challenges in relation to the models themselves. For example, the major shortcomings of the Solvency II standard formula calculation of operational risk capital are highly topical at the moment. Under Solvency II, operational risk capital must be held as part of the company’s Pillar 1 capital requirements. Criticism of this factor-based calculation includes its failure to capture many relevant elements of a company’s risk profile, such as the operating model and the specific processes within the company.
Interestingly, the solvency regime in Switzerland (known as the ‘Swiss Solvency Test’) does not require operational risk capital to be held. Rather, operational risk is considered as part of the company’s risk management and is therefore treated as a Pillar 2, as opposed to a Pillar 1, issue. Earlier this year, the Basel Committee on Banking Supervision imposed an outright ban on operational risk internal models for banks, acknowledging the widely differing approaches and complex modelling of this risk within the industry. Whether or not such developments will flow over to the EU (re)insurance solvency regime remains to be seen. Regardless of where operational risk sits from a regulatory perspective, it is nonetheless an area where increasingly sophisticated methods, such as Bayesian Network modelling, are being used in companies’ own risk assessments.
For those of you who may be unfamiliar with Bayesian Network modelling, it is a technique that is gaining more and more traction as companies continue to develop their understanding of their operational risk exposures. This technique aids the understanding of operational risk exposures through workshops with various experts within the business, in order to establish the key underlying drivers of operational exposure and the relationships between these drivers. These are often not obvious at first glance and tend to involve quite non-linear relationships. Once these exposures are well understood, the company can focus its attention on managing and mitigating the risks.
Once the key drivers of operational risk are understood, it is possible to build a model to simulate the risk exposure. A mix of expert judgement and empirical data enables immediate progress to be made in the calibration of models, even without perfect data. As more and more actual data is gathered over time, estimates based on expert judgement can then be improved. When it comes to empirical data, few companies have the breadth and depth of experience needed to fully calibrate a model with any degree of credibility using internal data alone. At least some external data may therefore be needed. Sources such as ORIC International (an operational risk consortium for the (re)insurance and asset management sector globally) and media publications may usefully supplement the company’s own operational risk loss data. Notwithstanding this, the challenges with acquiring credible operational risk data, whether from internal or external sources, should not be underestimated.
I recently attended a European Actuarial Academy (EAA) seminar entitled “Modern Methods for Operational and Reputational Risks” (delivered by Dr. Gerrit Jan van den Brink) which provided cutting-edge insights into current perspectives regarding operational and reputational risks. Operational risk was explored from many angles throughout the seminar. Interesting ideas were presented regarding how to analyse and approach operational risk. For example, it was put to attendees that operational risk is about humans and to understand operational risk we must therefore understand human thought processes.
The seminar was on point, with well-thought-out assertions. One was that statements regarding companies having a ‘zero tolerance’ for fraud risk lack accuracy, given it would be too expensive to organise the company such that it is not at all exposed. Referring to legal risk (typically included within the definition of operational risk), the seminar asserted that a Green Paper is often the first indicator of a future change in laws/regulations and that by the time a consultation paper is released the change may already be in motion.
Reputational damage often takes the form of missed future revenue, which is itself an unknown quantity, and sourcing loss data for this risk is therefore a challenge. In addition, it would usually be inappropriate to include reputational risk in a company’s capital as this would not be the correct risk mitigation technique. A company is not only exposed to the risk of damage to its own reputation but is also exposed to the risk of damage to the reputation of the industry as a whole, which would affect its future prospects. In an era where information dissemination to vast numbers of people is instantaneous, bad press or negative social media commentary could potentially wipe out companies at a moment’s notice. Damage control is vital in a situation in which a company’s reputation is adversely impacted. Having procedures in place to respond rapidly to such events, actively monitoring threats to the company’s reputation and protecting this reputation through sound business practices may be the best approach to the management of this covert risk.
Samsung’s recent recall of its Galaxy Note7 devices due to concerns over reports of fires and overheating was surely a serious reputational event for the company. Yet within hours the company’s website had been updated to reassure customers that free exchanges, refunds and even a $100 discount on other smartphones are available to those affected. The media is not filled with fragmented or confusing comments from Samsung employees. All of this points to a single, coordinated strategy being pursued by the company in order to control the damage. Perhaps we should ask ourselves whether our organisations would be as ready and equipped to respond to such a reputational disaster if it were to hit us in the morning.
Bridget MacDonnell is a consulting actuary with Milliman Ltd and a member of the SAI's Enterprise Risk Management Committee.
The views of this article do not necessarily reflect the views of the Society of Actuaries in Ireland, the Enterprise Risk Management Committee, or the author’s employer. The article was edited by the Communications Subgroup of the Enterprise Risk Management Committee.