How learnings from Operational Loss Events can enrich your risk management framework

Sword GRC Blog

No one welcomes them, and they're disruptive and costly, but every operational loss event provides an opportunity to learn. Typically, such events are not isolated incidents, so by collecting and analysing loss event data, businesses can gain useful insights into the probability of future events.

“Data from real operational loss events – lessons learned – provides vital information on the likelihood of operational loss events re-occurring and the scope of their impact. This information is also useful for ensuring the objectivity of operational risk assessments,” says Jenny Ritson-Smith at Sword GRC.

Why collect internal event data?

Internal event data supports operational risk management in a number of ways:

  1. Through identification, new operational risk exposures may be uncovered
  2. Through assessment, it provides information to evaluate probability and impact
  3. Via monitoring, exposure levels and control effectiveness can be examined
  4. Loss events put controls to the test and highlight areas for future improvement

Why use external data?

“It’s unlikely that organizations will succumb to the entire range of operational loss events to which they are exposed,” continues Ritson-Smith, “especially when it comes to low probability, high impact scenarios. External data can be useful in enabling businesses to learn from their peers’ events. This increases the sample size for data analysis, and the more comprehensive the data collection, the more accurate the picture of risk exposure will be.

“External data may be obtained via consortium-based sources, within which members report all data covered by the consortium agreement. Data obtained is likely to be comprehensive, accurate, and relevant; however, members must adhere to strict reporting requirements and subscription costs can be high.

“Alternatively, public-sourced databases can be used. These extract data from specialist news and public sources and republish it in a form suited to operational risk analysis. Newsworthy, ‘high impact’ events will be featured, though the data available may be less accurate or relevant compared to that from a consortium-based source. Still, emerging operational risks – i.e., events that have occurred in peer organisations – may be exposed.”

What should be considered before implementing loss events data collection?

“Should a ‘near miss’ be counted as a loss, even if it didn’t result in any financial, reputational, human, or other damage?” questions Ritson-Smith. “Was an event avoided because of good luck or were certain controls particularly effective? Near-misses or narrow escapes can provide early warnings or signal a major operational loss on the horizon. They also draw attention to the effectiveness of controls.

“The date(s) and time(s) can also be revealing and enable a business to amass historical trend data. Operational risk events can be quite lengthy, and it’s worth considering that events can have started to make an impact and become apparent prior to their actual detection.

“Risk professionals should also think about risk categorisation by operational risk type, as this will help them to see and assess their organization’s risk profile. This can assist in the identification of high-risk exposure areas and resources can be allocated to address these as appropriate.

“The ‘geography’ of events is also a factor. Data should include details of where an event took place in terms of the business unit, department, or function in which it occurred and originated.”

Further considerations include the causes of operational risk events. Data may be collated on primary causal categories, such as processes or systems failure, human error, or external events. Or, for a more accurate picture of a causal ‘chain’, data can be collected on more granular cause categories. Either way, a good rule of thumb is to focus on the causal chains of larger-scale losses with less emphasis on lower-scale events.

Since many operational loss events will involve control failure in some shape or form, it can be useful to understand how or why controls failed in order to create plans to prevent future failures of a similar nature. Equally, effective controls can be highlighted: both detective controls, which signal that an event is underway, and mitigative controls, which reduce the event’s impact.

“Event impacts can be direct, as in penalties or fines, or indirect, such as loss of reputation or loss of sales,” adds Ritson-Smith. “Non-financial impacts, such as lack of customer confidence, can be more difficult to quantify, especially since they can occur some time after an event.”

Guidance is at hand

With so much to consider, the Institute of Operational Risk (IOR) has compiled an ‘Operational Loss Events: Internal and External Data’ white paper, aimed at steering risk professionals through both the design and implementation of processes for the collection and use of internal operational loss event data and external operational loss event data.

“These events are so multi-faceted that there are many concepts that should be understood before embarking upon implementing a loss event collection process. And importantly, activity of this nature should be incorporated into a wider framework for managing operational risk,” says Ritson-Smith. “The IOR guidance gives recommendations for alignment with corporate governance arrangements, overall risk appetite or tolerance, and with due consideration for an organization’s risk culture.

“On top of this, the white paper provides guidance for the reporting of operational risk events, how the data should be utilized, and an outline of some of the challenges that might present themselves, often of a ‘cost versus the usefulness of data’ nature.

“Crucially,” she concludes, “the white paper helps build a deeper understanding of how data from past events can reveal controls in need of improvement and underpin more accurate foresight. As they say, prevention is always better than cure!”

Download your free copy of the Institute of Operational Risk’s Operational Loss Events: Internal and External Data, Operational Risk Sound Practice Guidance here.