Different Definitions of Operational Risk

Part of the document Financial enterprise risk management, second edition (pages 130 - 137)

7.12 Different Definitions of Operational Risk

7.12.1 Crime Risk

Internal and external fraud, discussed in Sections 7.11.1 and 7.11.2, could together be said to fall under the alternative definition of ‘crime risk’. Losses due to crime risks could be defined as those resulting from the dishonest behaviour of individuals in relation to a firm. As such, it could include theft, fraud and computer hacking.

Crime risk could also include risks such as arson, which cause physical damage and disrupt a firm’s business. Even though the effects are the same as any other physical damage or business continuity risk, as discussed in Sections 7.11.5 and 7.11.6, the measures taken to guard against criminal acts and the circumstances in which such acts might occur are quite different.

7.12.2 Technology Risk

This could be defined as the risk of failures in technology, including unintended loss or disclosure of confidential information, data corruption and computer system failure. The latter is particularly important if a business transacts a significant proportion of its business electronically, or if a large number of employees work remotely. There is clearly an overlap between technology risk and crime risk, covered in Section 7.12.1, if the failure in technology is deliberate. This overlapping area is discussed further in Section 7.12.3.

Another aspect of technology risk is the risk that there are undiscovered errors in software used in an organisation. Such errors might result in losses from mispricing, or in incorrect payments being made. The results could be direct financial loss together with a loss of business resulting from a lack of confidence. This aspect of technology risk overlaps with execution, delivery and process management risks covered in Section 7.11.7.

Technology risks often increase exponentially with the number of systems an organisation has. Getting different systems to be able to communicate effectively and consistently can be difficult, and data errors can occur. This issue can arise particularly when firms using different systems merge.

7.12.3 Cyber Risk

Cyber risk can be broadly defined as the failure of information technology systems, typically where there is online activity and the storage of personal data. Financial companies are at increasing risk of crimes that involve technological infrastructure.

Such crimes can be internal and external. They can also involve external parties using unsuspecting internal parties.

A common type of internal cyber risk is data theft. For example, client lists and contact details can be stolen, or internal models copied. However, it can also involve unauthorised access to data, such as colleagues’ personnel files. There is also a risk that disgruntled employees can sabotage computer systems or maliciously change data.

The higher profile form of cyber risk is that which arises from external sources.

This is often thought of as hacking – gaining unauthorised access to systems. This again can result in the theft of data that is either commercially sensitive or sensitive to a firm’s clients. However, it can also be done simply for malice rather than profit, either with data being destroyed or a website being replaced with a propaganda message.

As well as hacking, though, there are issues such as denial-of-service (‘DoS’) attacks, where a firm’s computer links, typically to the internet, are disrupted in order to make its systems unavailable to users. There is a range of techniques that can be used, many of which rely on vulnerabilities in the firm’s software or hardware.

However, some techniques simply involve bombarding a server with requests, rendering it unable to deal with legitimate users. Such an attack can be carried out by a network of computers that have been hijacked using malware. This is known as a distributed denial-of-service (‘DDoS’) attack. Whilst such attacks are often targeted at a firm’s websites, they can also be directed at other services including telephone systems.

Some external attacks rely on internal parties. However, as well as collusion between insiders and outsiders, there is a risk that employees may unwittingly facilitate cyber crime. For example, if an employee opens an email attachment that contains a virus, malware may be installed on that employee’s computer. This can provide hackers with access to the network, allow them to log an employee’s keystrokes, or even install ‘ransomware’ – software that encrypts a company’s data, permanently, unless a ransom is paid. Similarly, employees can inadvertently follow links to apparently-legitimate websites that give a hacker access to or control over a network. Hiding malicious links in seemingly genuine emails is known as ‘phishing’.

It is also worth noting that whilst cyber crime typically involves malicious intent, it does not necessarily require special tools – if a firm has flaws in its information technology systems, then it is feasible that anyone could gain access to information that should have remained private.

7.12.4 Regulatory Risk

Regulatory risk covers the risk that an organisation will be negatively impacted by a change in legislation or regulation, or will fall foul of legislation or regulations that are already in place. Such changes might result in additional compliance costs being faced, existing activities being prohibited, or sales of business units being required. Some regulatory risks are discussed under employment, client and execution risks, in Sections 7.11.3, 7.11.4 and 7.11.7. A failure to comply with existing rules might bring fines or even expensive litigation. Even if this does not occur, there might be a loss of business due to a failure of confidence.

As well as regulations and legislation from governments, any firms quoted on stock exchanges must also follow the listing rules of those markets, or face censure from the exchange.

The large number of regulatory issues has been discussed in Chapter 5, and a lack of compliance in any of the areas covered can be costly.

7.12.5 People Risk

People are a factor in a large number of risks faced by organisations, including of course in the risk of criminal actions. However, the term ‘people risk’ could be reserved for non-criminal actions that can adversely affect an enterprise.

Indirect Employment-related Risks

Section 7.11.3 covers employment-related risks that can result in direct costs for a firm. However, employment-related risks can be much broader than this.

They start with the risk that the wrong people are employed. It is important that the people employed have the skills an organisation needs to run its business. Once employees have been recruited, it is important that the right ones are promoted, and that such promotions are good for the organisation. Similarly, it is important that the right employees are retained. Losing employees can result in a loss of valuable intellectual capital and can damage the morale of remaining employees.

It can also be expensive – recruitment costs time and money, and every time a new recruit is taken on there is the risk that the employee is not right for the role or the organisation. At its most extreme, this can be another case of adverse selection against an organisation by an employee.

Employment-related risks can also include the risk of disruption caused by employees. As well as absence through industrial action mentioned in Section 7.11.3, this can be as a result of sickness – possibly due to stress. Whilst the negative publicity and widespread disruption caused by the former make it an important issue, the long-term damage to an institution caused by persistently absent employees can also be significant – as well as the direct financial cost involved, morale can suffer.

As in Section 7.11.3, employment-related risks also include various aspects relating to contracts, dismissal, diversity, discrimination, and health and safety. As such, it could also be said to incorporate the legal aspects of employment covered in Section 7.12.6.

Adverse Selection

Adverse selection is a particular issue relating to underwriting risk in both life and non-life insurance. It is the risk that the demand for insurance is positively correlated with the risk of loss. For example, unhealthy people might be more likely to buy life insurance if they are charged the same premiums as healthy people.

Adverse selection arises as a result of asymmetry of information and the inability to differentiate between different risks when pricing. In extreme cases, it can lead to market failure, as with ‘Akerlof’s lemons’ (Akerlof, 1970)¹.

Adverse selection is also an issue for banks, where those with poor credit ratings will be more likely to apply for loans with banks that do not charge higher rates to reflect the higher risks. It can even be an issue for defined benefit pension schemes if pension can be commuted to a tax-free cash lump sum at an actuarially-calculated rate, with those having shorter expectations of life being more likely to commute pension.

If adverse selection involves failing to disclose information that could alter the terms of an agreement – for example, the level of insurance cover or the price of that cover – then it could be classed as fraud. This is covered in Section 7.11.2.

Whilst adverse selection is included here under operational risk, it could just as easily be thought of as being part of underwriting risk.

Moral Hazard

This is the risk that a party’s behaviour will depend on the level of its exposure to a particular risk. In particular, if there is insurance in place, the incentive to avoid risk is reduced. An example of this is the potential incentive for pension scheme trustees to take more investment risk after the introduction of an industry-wide insurance scheme for pension scheme members. As with adverse selection, moral hazard is linked to the asymmetry of information, but it is more about the inability of an insurer to control the behaviour of the insured once the insurance is in place. In simplistic terms, if someone is more likely to juggle a set of lead crystal glasses because he has household contents insurance in place, then this is moral hazard; if someone who enjoys juggling lead crystal glasses is more likely to buy household contents insurance, then this is adverse selection.

¹ This article shows that if a buyer cannot distinguish between good cars (‘peaches’) and bad cars (‘lemons’) then those owning peaches will not wish to sell at the price offered, so only lemons will be sold.

If the moral hazard results in potentially criminal behaviour – for example, taking out insurance such that the lead crystal glasses can be smashed and the insurance payout claimed – then this counts as fraud, as discussed in Section 7.11.2.

Agency Risk

Agency risk is the risk that one party appointed to act on behalf of another will instead act on its own behalf. Company managers acting for themselves rather than the shareholders whose interests they are supposed to protect are the prime example. In banks, a key agency risk occurs if bonus systems create perverse incentives for traders – for example, if good results can give unlimited bonus potential but the downside from poor results is limited, then this can create an incentive for traders to take too much risk. Within insurance companies, the fact that the actuaries responsible for regulatory reporting are remunerated by the firms, which might be more focussed on shareholder value than policyholder security, gives another example of agency risk. For pension schemes, conflicts of interest are the main sources of agency risk, examples being company-appointed trustees and actuaries acting on behalf of both the employer and the trustees. However, another key agency risk for pension schemes relates to the views of company management on investment policy. There is a risk that managers will aim to increase pension scheme equity weightings in order to improve apparent profitability (through the effect of the impact on the expected return on assets) and to reduce transparency (through the opportunity to use opaque actuarial techniques).

The costs arising from agency risks are agency costs. There are two main sources for these costs. The first is the loss associated with the action of the agents, whilst the second is the cost of any action taken to modify the behaviour of agents. A clear principle here is that the cost of any action should not exceed any savings made – in other words, action should only be taken if it reduces the total agency cost.

Bias

A systemic risk which can be deliberate or subconscious is bias. This is often the manifestation of a form of agency risk, where a project will be given too optimistic an appraisal because approval will result in greater rewards for a proponent.

Similarly, insurance or pension reserves might be understated in order to increase apparent profits, or to improve the standing (and maintain the appointment) of the professional adviser providing the valuation.

Deliberate bias can arise if key risks are intentionally omitted or down-played, or their consequences misrepresented. Similarly, the links between different risks might be understated, as might the impact of the business or underwriting cycles.

There might also be deliberate optimism around positive outcomes, such as growth in future business or returns on assets, or simply a failure to allow for the true level of uncertainty. These events can be compounded if the assumptions underlying the down-playing of downside risks are inconsistent with those underlying the overstatement of upside potential.

Many of the above biases can also arise unintentionally. Risks can be forgotten accidentally, or underestimated due to a lack of data. However, it is difficult to determine the extent to which many of these accidents are true oversights.

A particular unintentional bias to which those working in finance are susceptible is overconfidence. In particular, it has been said that overconfidence is greatest for difficult tasks with low predictability which lack fast, clear feedback (Jones et al., 2006). These criteria could be applied to most financial work. Other aspects of overconfidence such as the illusion of knowledge (the belief that more information improves forecast accuracy) or the illusion of control (the belief that greater control improves results) have wide-ranging implications for all areas of finance, particularly as the volume of information that is readily available is growing rapidly all the time.

Anchoring is another behavioural bias with clear implications in the world of finance. This occurs when decisions are made relative to an existing position rather than based solely on the relevant facts – the question asked is ‘given where we are, where should we be?’; it should be ‘given the relevant facts, where should we be?’.

This bias can clearly be seen when, for example, insurance reserves change only gradually in response to rapidly changing information.

Representativeness (making the assumption that things with similar properties are alike) and heuristic simplification (using rules-of-thumb) can also be a source of problems in all financial organisations where the eventual level of risk might turn out to be very different to an initial estimation or approximation.

7.12.6 Legal Risk

Legal risk is sometimes used to describe the regulatory risks covered in Section 7.12.4; however, here it is used to describe the risk arising from poorly-drafted legal documents within an organisation. This extends to policy documents, which form legal agreements between firms and policyholders. Legal risk can also be linked to regulatory risk, since ambiguities in legal contracts may ultimately be dealt with by courts. It also includes exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as private settlements. As such, it cuts across a range of risks including employment and client risks covered in Sections 7.11.3 and 7.11.4.

7.12.7 Model Risk

This can be thought of as a type of process risk, covered in Section 7.11.7. It might also be regarded as a client risk, under Section 7.11.4, as errors in a model could result in losses for a client. However, because of its importance to financial institutions, it is worth considering separately. Model risk is the risk that financial models used to assess risk, to determine trades or otherwise to help make financial decisions are flawed. The flaws can be in the structure of a model, which may be overly simplistic or otherwise unrealistic, or it can be in the choice of parameters used for an otherwise sound model.

Model risk might also relate to the incorrect translation of a model from theory into code, although this can also be thought of as an aspect of technology risk, covered in Section 7.12.2, since it assumes that the model itself is sound.

Model risk also occurs if models are put to uses other than those for which they were intended. For example, a model may give reasonable estimates of the expected returns from a particular strategy, and the range of results that might be expected in normal market conditions, but it might be very poor at predicting the range of adverse outcomes that might occur in stressed markets. In other words, model risk is present if models are put to inappropriate uses. An example is the Black–Scholes model for option pricing (Black and Scholes, 1973). This is good for giving the approximate value of a financial option for, say, accounting for stock options granted to directors, but is entirely inappropriate for determining tactical options trades.

7.12.8 Data Risk

Another risk that cuts across execution, delivery and process risk, covered in Section 7.11.7, and client risk, under Section 7.11.4, is the risk of using poor data. It relates to execution risk inasmuch as there is a risk that incorrect data will be fed into a decision-making process.

This is also a particular issue in relation to personal data. Even if there is no deliberate misreporting, data can be entered incorrectly, or fill-in codes can be used when information is not available. A separate issue arises when data are being analysed, in that a single individual may have a number of records in his or her name. This can skew any analysis carried out if duplicates are not removed or consolidated.

7.12.9 Reputational Risk

Reputational risk is essentially a risk that arises from other operational risks. For example, the loss of data – potentially a technology risk – can result in a loss of confidence in an organisation due to reputational damage. Similarly, repeated delays in claim payments by an insurance company are likely to be a process risk, but the subsequent loss of business due to a loss of confidence in the firm is a reputational issue.

What this means is that when considering the direct cost that might arise from particular operational risks, it is important also to consider any potential subsequent costs arising from loss of business due to reputational damage.

7.12.10 Project Risk

Project risk is an umbrella term covering all of the various operational risks in the context of a particular project. In the case of financial institutions such projects may include the creation of physical assets such as property development for investment purposes, or a new head-office building or computer system for the institution itself.

However, they may also include projects of a less tangible nature associated with the launch of a new product, expansion overseas, winding up or downsizing. The inclusion of this term is really a reminder that operational risks occur not just in the day-to-day running of an organisation but also in the approach to each project carried out.

7.12.11 Strategic Risk

Strategic risk is similar to project risk, in that it includes many of the operational risks covered previously. However, it covers a more fundamental subject: the achievement of the organisation’s core objectives.

The most basic strategic risk is that no coherent strategy for future development exists; however, assuming that this risk is overcome, it is important that an organisation makes a conscious decision of what its strategy is and how it intends to implement it.
