Business disruption risk can cause a firm to lose a substantial amount of money – in many cases the loss of profits will be even greater than the cost of the physical damage causing the disruption.
One way in which impact can be limited is to have contingency plans for an alternative business location. This can either be a property owned outright or an option to use a property at short notice. Many firms specialise in providing appropriate space, complete with computers, telephones and other office equipment.
It is also important to ensure that data are backed up regularly, preferably to a location away from the main site. This means that if the primary location is destroyed or damaged, records remain safe. If servers are run in parallel at a secondary location, then this also means that the disruption to business can be kept to a minimum.
If this is thought to be too extravagant, it is important at least to ensure that key personnel can work from home. This can be helpful if there is widespread disruption to transport networks as a result of bad weather. If staff can access emails and a network server, then many organisations – particularly in the financial services sector – can still get a meaningful amount of business done through the period of disruption.
Whatever contingency plans are put in place, it is important that they are tested regularly to ensure that they do what they are supposed to.
If even these measures are impractical, then it is worth considering consequential loss insurance cover on top of other business insurance. This compensates a policyholder for profits lost as a result of business disruption.
16.11.6 Execution, Delivery and Process Management
The technology aspects of execution, delivery and process management are included in Section 16.12.2. Beyond this, it is essential that all processes are comprehensively documented and maintained. It is also important to keep an error log, so that any failures in process – particularly if they are repeated – can be identified and action taken. It can also be helpful to facilitate reporting, perhaps anonymously, of ‘near misses’ so that lessons can be learned from what might have gone wrong.
If a new process is introduced, it is important to stress test not only that process but the way it fits into the broader structure. The structure as a whole can best be managed by using risk-focussed process analysis, described in Section 8.2.7.
16.12 Different Definitions of Operational Risk
16.12.1 Crime Risk
Responses to crime risk are best addressed relative to the type of crime. For example, protection against hacking is an issue covered under technology risk in Section 16.12.2, whilst issues of adverse selection and moral hazard can be dealt with as described in Section 16.12.5.
16.12.2 Technology Risk
Managing technology risk requires a coherent strategy considering the risk on an organisation-wide basis. One of the key decisions in this respect relates to how much work relating to technology to carry out in-house and how much to outsource.
Outsourcing can reduce the infrastructure that is required, but it also means relying on a resource over which there is only partial control.
To ensure that information technology (IT) is adequately managed, it is important to have a dedicated central IT resource. This itself can be internal or external (outsourced), but should provide a response to IT problems in a time scale appropriate to the nature of the issue.
The importance of backing up data and running secondary servers has already been discussed in the context of business continuity in Section 16.11.5. However, these actions are also important to ensure that data corruption does not result in damage to a business.
It is also important to ensure that software is kept up-to-date. This is partly to ensure that there are no bugs that might result in calculation or administration errors. However, out-of-date software can also leave a system vulnerable to hacking, which could also result in system failure or even data theft.
New software can also pose a problem in terms of its interaction with other systems. This aspect of new software should be considered at the earliest opportunity, as it can have a big impact on the eventual cost and effectiveness of software.
More mundane IT issues can still have an impact on the smooth running of a firm. For example, an inability to access email can result in hours of lost work.
Another issue that many firms face is the question of whether to develop bespoke IT systems or to use an off-the-shelf solution. This involves balancing the relative costs with the differences in functionality. But when considering the cost, it is important to recognise both the ongoing burden of maintenance faced when a system is developed in-house and also the lack of recourse to an external provider if any issues are discovered.
16.12.3 Cyber Risk
A key action taken to guard against cyber risk is covered in Section 16.12.2 – keeping software up-to-date. This includes implementing security patches as soon as they are available. However, this alone will not protect a firm from cyber risk.
Firewalls should be used to prevent unwanted external access to a firm’s network.
However, firewalls do not necessarily offer complete security. One service that firms might consider employing to test their network security is ‘ethical hacking’.
This involves employing a team of hackers to try to gain access to a firm’s systems – with the firm’s permission. The process can be used to highlight any security flaws, which can then be addressed.
However, it is important not just to avoid outside parties gaining access to a firm’s network; it is also important to control the access of employees as well.
They should be allowed to access only those directories and systems that they need for their roles. There should also be strict limits over who in a firm can connect peripheral devices such as external hard drives and memory sticks to computers.
This is as much about preventing viruses being introduced to the network as it is about data being extracted from it.
It is also important to avoid individuals inadvertently letting others gain access to systems. Anti-virus software should be used to monitor emails to limit the risk of viruses and phishing attacks. However, no software is perfect. It is therefore important to train employees to recognise suspicious emails, as well as suspicious links and attachments within those emails.
If there is a breach of cyber security, then there are specialist firms able to deal with problems. This can involve not only fixing vulnerabilities that have been discovered, but also dealing with ongoing issues such as denial-of-service (‘DoS’) attacks.
As an additional safeguard, cyber risk insurance policies are becoming increasingly available. These can not only offer compensation to companies that suffer losses due to cyber-attacks, but they can also offer insurance companies the opportunity to work with their clients to mitigate cyber risks.
16.12.4 Regulatory Risk
It is important to keep abreast of regulatory changes since breaching regulations can have serious implications in terms of fines, reputation and even ongoing authorisation. Many firms will have in-house departments whose role is to learn about imminent changes and to disseminate them around the firm. If this is impractical, then subscribing to alert services can be helpful. Many consultants will also offer this sort of information to their clients for free. Whatever the approach, there should also be a compliance function to ensure that these rules are being observed.
However, as well as keeping track of changes to regulations, it is also important to take action if any proposed changes are likely to have an adverse effect. This can be done by lobbying directly or by supporting an existing lobby group.
It is also important that obligations are communicated throughout the firm. This is partly a case of having the right culture, but regular training is also important.
16.12.5 People Risk
People risks are some of the most important in the financial services industry, where human capital is the main driver of profitability. This means that it is important to spend sufficient time considering how to respond to particular risks.
Indirect Employment-related Risks
Many issues relating to employment are covered in Sections 7.11.3, 16.12.4 and 16.12.6. However, the indirect costs can be just as important.
The first indirect employment-related risk to consider is the risk that the wrong people are employed. To ensure that this does not happen it is important to use good recruitment procedures, and the starting point here is to employ a sufficiently skilled human resources team. How to recruit good recruiters in the first place is clearly not straightforward, but investing in the training of the existing team can help.
The first stage in recruitment is finding the right candidates. This means ensuring that direct advertisements appear in the right publications, and sometimes involves using recruitment consultants or ‘head-hunters’. If recruitment consultants are used, then it is preferable that only one is put onto a particular assignment.
This can reduce the risk of being inundated with candidates, and can also mean a lower fee being agreed. It is helpful if a good relationship can be built up with the recruitment consultants as this can lead to a better understanding of what is needed in particular roles, which itself can lead to more suitable candidates being put forward.
Once candidates have been put forward, the next part of the process – which can include a number of interviews and aptitude tests – should be rigorous enough to distinguish between candidates but no more rigorous than that. Here again it is important that the money spent on the selection process is consistent with the value that each individual can add to the firm.
Once employees have been recruited, similar techniques should be employed when promotions or transfers are considered, although an element of ‘experience rating’ can be derived from the employee’s performance to date in the firm.
It is important that the right employees are retained, which means that pay and conditions should be sufficient, but also that good employees are given sufficient responsibility to keep them interested. It is also important to support good employees by providing access to counselling, supporting flexible working and otherwise making it easier for them to stay with the firm.
Conversely, it is important that poorly performing employees are identified. Poor performance can be in terms of the quality of their work or in terms of absenteeism.
Having identified these employees, it is important to offer support where possible, with any disciplinary action being a last resort.
All employees should also be supported with training for their roles. This should include CPD to ensure that skills remain up-to-date. One way of ensuring that relevant CPD is undertaken is to encourage employees to undertake appropriate professional qualifications. In financial services firms, these will often be required to carry out certain roles anyway. Once a qualification has been obtained, it is likely that there will be a CPD requirement to ensure that the qualification does not lapse.
As well as dealing directly with individual employees, it is also important to maintain good relationships with any collective bodies such as trade unions. This is particularly true if any changes affecting large groups of members are planned – clear and open communication before any such changes are finalised can reduce the risk of industrial action.
Adverse Selection
A people risk that is particularly important in the context of underwriting is adverse selection. For example, if all life insurance companies except one charge a higher premium for people who smoke, then smokers will tend to use only the insurance company that does not differentiate. This is not necessarily an issue if the additional risk is reflected in the premium. In this example, one might expect the end result to be that all smokers would gravitate to the single insurer that did not ask them to disclose their smoking status, but that all would pay smoker rates; non-smokers would still pay non-smoker rates at the other insurers.
However, until an equilibrium such as this had been reached – an equilibrium that assumes a far more efficient transfer of information than is likely to exist in practice – the single insurer that fails to distinguish between policyholders will be selected against.
This suggests that adverse selection can be dealt with by underwriting, with several conditions:
• underwriting should not cost more than it saves;
• the premium for each risk category should be no less than the average premium required for each individual in that category; and
• the heterogeneity within each risk category should not be so great that lower-risk members of a category choose not to belong to that group.
Moral Hazard
Whilst adverse selection affects the decision of which insurance policy to buy or which loan to take out, moral hazard affects one’s actions once cover or financing is in place. It can affect a range of actions, from the decision of whether to default on a debt to whether to falsely claim on a household contents policy.
There are a number of ways in which moral hazard can be limited. A key action is to make the consequences as unattractive as possible. For example, personal bankruptcy has a number of implications, including difficulties in obtaining future credit. Claiming for non-existent breakages is fraudulent and therefore a criminal offence.
However, whilst bankruptcy is self-evident, fraudulent insurance claims are more difficult to spot. A principle that has been mentioned already also applies here – namely that investigations should be made to the extent that they result in a net saving. This typically means that claims above a certain amount will need to be assessed by a loss adjuster. It might also be worth randomly investigating smaller claims – and advertising the fact that this happens – in order to discourage smaller frauds.
It is important to note that the levels of fraud do vary over time. In particular, they tend to rise when the economy suffers. This means that it is worth lowering the limit for which claims are assessed in times of economic stress.
Agency Risk
Agency risk has led to some of the biggest financial disasters in recent years, so it is important that appropriate responses exist. As with many responses, there are two types of response that can be categorised broadly as ‘sticks’ and ‘carrots’.
The sticks are generally rules requiring certain actions to be taken. Many aspects of the corporate governance codes include these types of responses in an attempt to limit agency costs, covering areas such as remuneration, experience, education and board composition. These are important, but if rules alone exist then agents will be tempted to find ways around them.
Carrots – in the form of incentives – can instead be used to encourage desirable behaviour. The best incentives are ones that align the interests of the agent with those of the principal. For example, if a firm’s directors are encouraged to buy shares in that firm, then their interests are aligned with those of the shareholders.
If directors’ shareholdings are publicised, then directors are further incentivised to become shareholders.
Bias
Both deliberate and unintentional bias are important to guard against, but it is difficult to ensure that either is absent. One way of ensuring that reports, assessments and so on are balanced is by ensuring that they are checked by someone both competent and independent. If possible, the checking should use criteria that are as objective as possible.
Comparisons are also helpful. For example, to see whether an underwriter is charging premiums that are too high or too low, it is worth comparing the spread of quotations with the spread seen with similar underwriters. If the quotations require significant subjective input and claims amounts are volatile, it may be difficult to do anything more.
If a board is being asked to assess a particular proposal, one way of ensuring that there is as little bias as possible is by making sure that the board has the skills to ask the right questions.
For unintentional biases, it can also be helpful simply to make people aware that these biases exist – as the saying goes, forewarned is forearmed.
16.12.6 Legal Risk
In terms of responses, legal risk is similar to regulatory risk: the solution is to keep informed. However, legal risk can occur on a case-by-case basis. For example, there are often legal considerations when there is discretion over whether to pay a pension benefit, or when considering non-standard clauses in relation to an insurance policy. In every case, the safest solution must be that if there is any doubt over the legal status of a particular course of action, then legal advice should be sought.
16.12.7 Model Risk
The risk that the model chosen has been incorrectly implemented is best minimised by having a rigorous, documented process for model coding, together with a clear audit trail. This is merely a way of avoiding a type of process risk. However, the more interesting issues arise in relation to the choice of model.
It is important to ensure that all models are actually designed for the use to which they are put, or that there is a sound reason for putting such a model to another use.
However, the biggest risk is that the results from a modelling exercise are driven disproportionally by the choice of model. This can be an issue if the choice of parameters has a negligible impact on the results compared with the choice of model. The presence of such a problem can be tested only by using a range of models to verify a set of results. Whilst this might sound daunting, crude models will often be sufficient to determine whether there is a problem.
16.12.8 Data Risk
Data risk is in part another type of execution, delivery and process management risk, in that it is important that the processes are designed such that the possibility of incorrect data being entered is as low as possible. As such, many process-related points are included in Section 16.11.6. However, in relation to personal data there are particular issues. Errors can occur here if incorrect entries are made, or entries are omitted altogether.
The first stage to limiting data risk is to limit the data that can be input. This is most easily done if data are entered electronically. For example, if a date of birth field allows entries only in two blocks of two and one block of four digits, with only numerical entries being accepted, then only dates can be entered. Similarly, for gender it is sensible to allow only entries of ‘M’ or ‘F’, or even to have a tick box instead. It is also important to check that as well as being valid, dates are reasonable. For example, dates of birth must be in the past and dates of retirement must follow dates of commencing employment. Finally, there can be requirements that a page of data cannot be accepted unless all fields are completed using valid entries.
As well as checking data at the point of entry, it is also important to re-check it if it is transferred, particularly if the system from which data are transferred does not employ strict checks. All of the above checks should be carried out, as well as checks on suspected default entries. For example, if a date is not known it might be entered as 1 January 1901, or ‘1/1/1’. This might also be the date that a system interpreting numbers as dates would derive from a blank entry. If there is an unusually large frequency of a single date, this might merit further investigation.
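The entry and transfer checks described above can be sketched in Python as follows. This is an added example, not part of the original text; the field names, the constructed sample records and the 25% frequency threshold are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import date, datetime

DATE_SHAPE = re.compile(r"[0-9]{2}/[0-9]{2}/[0-9]{4}")  # two blocks of two digits, one of four
KNOWN_DEFAULTS = {date(1901, 1, 1)}                      # 'date unknown' value named in the text

# Constructed sample of transferred records; field names are assumptions.
RECORDS = [
    {"id": "A1", "dob": "14/03/1975", "gender": "F", "start": "01/09/1998", "retire": "14/03/2040"},
    {"id": "A2", "dob": "01/01/1901", "gender": "M", "start": "03/04/2001", "retire": "01/01/2031"},
    {"id": "A3", "dob": "1/1/1", "gender": "M", "start": "05/06/2010", "retire": "05/06/2045"},
    {"id": "A4", "dob": "22/11/1968", "gender": "X", "start": "10/10/2005", "retire": "09/10/2005"},
    {"id": "A5", "dob": "01/01/1901", "gender": "F", "start": "12/02/1999", "retire": ""},
    {"id": "A6", "dob": "31/02/1980", "gender": "M", "start": "01/01/2012", "retire": "01/01/2047"},
]

def parse_date(text):
    """Return a date for a strict dd/mm/yyyy string, otherwise None."""
    if not DATE_SHAPE.fullmatch(text or ""):
        return None
    try:
        return datetime.strptime(text, "%d/%m/%Y").date()
    except ValueError:  # right shape but not a calendar date, e.g. 31/02/1980
        return None

def check_record(rec, today):
    """Return the list of problems found in one record (empty if it passes)."""
    problems, dates = [], {}
    for field in ("dob", "start", "retire"):
        if not rec.get(field):
            problems.append(f"{field}: missing")
            continue
        dates[field] = parse_date(rec[field])
        if dates[field] is None:
            problems.append(f"{field}: not a valid dd/mm/yyyy date")
    if rec.get("gender") not in ("M", "F"):
        problems.append("gender: must be 'M' or 'F'")
    dob, start, retire = (dates.get(k) for k in ("dob", "start", "retire"))
    # Reasonableness checks run only on dates that parsed successfully.
    if dob and dob >= today:
        problems.append("dob: not in the past")
    if dob in KNOWN_DEFAULTS:
        problems.append("dob: known default value")
    if start and retire and retire <= start:
        problems.append("retire: does not follow start")
    return problems

def frequent_dates(records, field, max_share):
    """Dates that make up more than max_share of the valid values in a field."""
    values = [d for d in (parse_date(r.get(field)) for r in records) if d]
    counts = Counter(values)
    return {d: n for d, n in counts.items() if n / len(values) > max_share}

def review(records, today):
    """Map record id to its problems, omitting records that pass every check."""
    found = {r["id"]: check_record(r, today) for r in records}
    return {k: v for k, v in found.items() if v}
```

A date returned by `frequent_dates` is a prompt for further investigation rather than proof of an error, since a scheme-wide start date can legitimately recur.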
If personal data are being used for analysis, particularly mortality investigations, then it is important to combine duplicate entries. If any individuals have more than one entry in a set of data, as might be the case if more than one insurance policy has been bought, then any resulting analysis will be biased towards these individuals. De-duplication is a complicated process. Whilst a unique identifier such as a National Insurance or Social Security number might exist, this will not necessarily be the case. It is possible to create such an identifier by combining information such as the surname, gender and date of birth into a single field. However, an individual’s surname will sometimes be written more than one way, particularly if it is normally written in a non-western script. It is important therefore to standardise surnames with the same or similar sound before constructing a unique identifier.
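One way to build the combined identifier described above, as an added Python example that is not part of the original text. The choice of Soundex as the phonetic standardisation is an assumption (the text names no algorithm), as are the field names and the constructed policy records.

```python
import unicodedata
from collections import defaultdict

# Soundex digit for each consonant; vowels and H, W, Y carry no code.
_GROUPS = {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT", "4": "L", "5": "MN", "6": "R"}
CODES = {letter: digit for digit, letters in _GROUPS.items() for letter in letters}

def soundex(name):
    """American Soundex of a surname, after stripping accents and punctuation."""
    decomposed = unicodedata.normalize("NFKD", name).upper()
    letters = [c for c in decomposed if "A" <= c <= "Z"]
    if not letters:
        return ""
    out = letters[0]
    prev = CODES.get(letters[0], "")
    for c in letters[1:]:
        code = CODES.get(c, "")
        if code and code != prev:
            out += code
        if c not in "HW":  # H and W do not separate repeated codes; vowels do
            prev = code
    return (out + "000")[:4]

def identity_key(rec):
    """Single-field identifier: phonetic surname, gender and date of birth."""
    return f"{soundex(rec['surname'])}|{rec['gender']}|{rec['dob']}"

def candidate_duplicates(records):
    """Groups of policy numbers that share an identity key."""
    groups = defaultdict(list)
    for rec in records:
        groups[identity_key(rec)].append(rec["policy"])
    return [ids for ids in groups.values() if len(ids) > 1]

# Constructed sample: the same surname written in more than one way.
POLICIES = [
    {"policy": "P-001", "surname": "Müller", "gender": "M", "dob": "1961-05-02"},
    {"policy": "P-002", "surname": "Mueller", "gender": "M", "dob": "1961-05-02"},
    {"policy": "P-003", "surname": "Mohammed", "gender": "M", "dob": "1970-12-24"},
    {"policy": "P-004", "surname": "Muhammad", "gender": "M", "dob": "1970-12-24"},
    {"policy": "P-005", "surname": "Muhammad", "gender": "M", "dob": "1982-07-15"},
    {"policy": "P-006", "surname": "Nguyễn", "gender": "F", "dob": "1990-01-30"},
]
```

Groups returned by `candidate_duplicates` are candidates for merging: two different people with similar-sounding surnames, the same gender and the same date of birth would share a key, so matches should be confirmed against other fields before entries are combined.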
16.12.9 Reputational Risk
Responding to reputational risk is difficult to do in advance, since damage to a reputation often arises from some other risk. It might be possible to scan every possible action for potential reputational damage, but such a strategy would make a firm slow to respond to challenges. Instituting a sound ERM framework offers the best way of realistically avoiding reputational risk.
Once an organisation’s reputation has been damaged it is important to rebuild it as quickly as possible. The public reputation can be rebuilt with the help of