Micky Midha is a trainer in finance, mathematics, and computer science, with extensive teaching experience.
Learning Objectives
Explain different ways firms address their operational risk exposures.
Describe and provide examples of different types of internal controls, and explain the process of internal control design and control testing.
Describe methods to improve the quality of an operational process and reduce the potential for human error.
Explain how operational risk can arise with new products, new business initiatives, or mergers and acquisitions, and describe ways to mitigate these risks.
Identify and describe approaches firms should use to mitigate the impact of operational risk events.
Describe methods for the transfer of operational risks and the management of reputational risk, and assess their effectiveness in different situations.
Financial firms have inherent operational risk, which can be magnified by the products and services they provide. Transaction processing risks can be reduced through automation, planning, and controls. Proper investments in operational risk mitigation can enhance the risk-return trade-off, given that the benefits outweigh the costs.
Firms can implement strong controls, obtain insurance, or eliminate certain activities to reduce operational risk. However, because operational risk can never be completely eliminated, all businesses require capital as a buffer against unexpected outcomes. Regulations require a minimum level of capital, while banks and insurance companies maintain additional capital to reflect their risk appetite.
The type of response that financial firms choose in the face of operational risk is determined by their risk tolerance. For example, one bank may accept a medium level of residual risk, whereas another may expect to reduce residual risk even further. Furthermore, some banks may have varying appetites for various types of operational risks (e.g., a low-risk appetite for non-compliance but a medium-risk appetite for execution errors).
There are four ways to address risks, or four types of “risk response”, labelled as the four Ts in the vocabulary of the international standards of enterprise risk management ISO 31000: tolerate, treat, transfer, and terminate.
Tolerate – This risk response is about accepting the risk without any action. It is a viable choice for either low inherent risks or for low residual risk exposures that are already well managed. This approach is frequently employed when the cost of risk mitigation is greater than the possible losses that may result, if the risk materializes.
Treat – This risk response covers all forms of risk mitigation, primarily through internal controls and action plans that aim to reduce uncertainty and volatility by improving planning, designing processes, or implementing automation. Risk-mitigation measures, such as internal controls, aim to decrease the likelihood or impact of a risk, and in some cases, they can accomplish both simultaneously.
Transfer – This risk response refers to the act of shifting the risk to another party. External insurance is the most common form of risk transfer, where an organization transfers the consequences of risk (most commonly, financial losses) to an external insurer in exchange for payment of a premium. Outsourcing is another form of risk transfer where an organization transfers some operational risks related to a process to a third party. However, accountability cannot be transferred through outsourcing, and the bank remains responsible to its customers for the proper execution of its services. Risks like reputational damage are not easily transferable.
Terminate – This risk response involves eliminating all exposure to the risk. This approach is the most drastic and should only be considered when none of the other options are feasible. By eliminating all risk exposure, such as discontinuing a product or ceasing operations in certain countries, the organization also forfeits all the revenues associated with that risk. Thus, this option is only justifiable when the negative consequences of the risk outweigh its potential benefits.
Internal Controls: Types and Testing
Out of the risk responses mentioned earlier, risk treatment through different types of controls is the most prevalent. Internal controls are fundamental to risk mitigation in organizations, and there are several classifications of controls. In this context, the Institute of Internal Auditors’ straightforward and practical control classification has been used, which includes preventive, detective, corrective, and directive controls.
Preventive controls reduce the likelihood of an incident by addressing the causes before potential risk events occur.
Segregation of duties is a widely-known control measure for fraud prevention that involves different parties performing the processes of initiating, validating, and settling a transaction. This principle applies to various activities in organizations, including third-party management and financial market activities. For instance, invoices are generated by a supplier, validated by the recipient of the service, paid by the treasury or the accounts payable department, and accounted for by the accounting department. In financial market activities, trades are initiated by the front-office (trading desk), validated by the middle-office, and confirmed and settled in the back-office and treasury departments.
Other preventive controls encompass various measures such as verification of records, signature reconciliation, and access restriction. Retail banking’s notable control is “know-your-customer” (KYC) in the US and India, or customer due diligence (CDD) in the EU. It helps identify financial crime and money laundering in the banking system and reduces operational errors in account management.
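The trade lifecycle described above (front-office initiates, middle-office validates, back-office settles) can be enforced in software rather than left to convention. The example below is added here and is not code from the page or from any bank’s system; the stage names, department roles and user identities are constructed. It also shows why a same-person rule is needed on top of department entitlements: a user who legitimately holds both front-office and middle-office roles may still not validate the trade they initiated, and every completed step is attributed to exactly one accountable person.

```python
"""Segregation-of-duties enforcement for a trade lifecycle (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    INITIATE = "initiate"   # front-office enters the trade
    VALIDATE = "validate"   # middle-office checks it
    SETTLE = "settle"       # back-office confirms and settles


# Each stage may only be performed by a user holding the role of the owning department.
ALLOWED_DEPARTMENT = {
    Stage.INITIATE: "front-office",
    Stage.VALIDATE: "middle-office",
    Stage.SETTLE: "back-office",
}

STAGE_ORDER = list(Stage)  # stages must be completed in this order, once each


class SegregationViolation(Exception):
    """Raised when an action would breach the ordering, entitlement, or same-person rule."""


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset  # departments this user is entitled to act for (constructed)


@dataclass
class Trade:
    trade_id: str
    # Audit trail: one (stage, user_id, department) record per completed stage,
    # so accountability for each step rests with exactly one named person.
    trail: list = field(default_factory=list)

    def perform(self, stage: Stage, user: User) -> None:
        """Apply one stage to the trade, enforcing all three segregation rules."""
        if len(self.trail) >= len(STAGE_ORDER):
            raise SegregationViolation(f"{self.trade_id}: already settled")
        expected = STAGE_ORDER[len(self.trail)]
        if stage is not expected:  # rule 1: no skipping or repeating stages
            raise SegregationViolation(
                f"{self.trade_id}: expected {expected.value}, got {stage.value}")
        needed = ALLOWED_DEPARTMENT[stage]
        if needed not in user.roles:  # rule 2: correct department entitlement
            raise SegregationViolation(
                f"{self.trade_id}: {user.user_id} may not {stage.value} (needs {needed} role)")
        if any(rec[1] == user.user_id for rec in self.trail):  # rule 3: distinct persons
            raise SegregationViolation(
                f"{self.trade_id}: {user.user_id} already acted on this trade")
        self.trail.append((stage.value, user.user_id, needed))

    def is_settled(self) -> bool:
        return len(self.trail) == len(STAGE_ORDER)


def run_trade(trade_id: str, steps) -> tuple:
    """Drive a trade through steps = [(Stage, User), ...].

    Returns (settled, trail, violation): violation is the message of the first
    rule breach, or None when every step was accepted."""
    trade = Trade(trade_id)
    for stage, user in steps:
        try:
            trade.perform(stage, user)
        except SegregationViolation as exc:
            return False, list(trade.trail), str(exc)
    return trade.is_settled(), list(trade.trail), None


# Constructed users for the demonstration.
TRADER = User("u-trader", frozenset({"front-office"}))
CHECKER = User("u-checker", frozenset({"middle-office"}))
SETTLER = User("u-settler", frozenset({"back-office"}))
DUAL = User("u-dual", frozenset({"front-office", "middle-office"}))  # entitled to both

if __name__ == "__main__":
    print(run_trade("T1", [(Stage.INITIATE, TRADER), (Stage.VALIDATE, CHECKER),
                           (Stage.SETTLE, SETTLER)]))
    # Entitlement is not enough: the initiator cannot also be the validator.
    print(run_trade("T2", [(Stage.INITIATE, DUAL), (Stage.VALIDATE, DUAL)]))
```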
Detective controls aim to detect and alert when an incident occurs, accelerate its resolution, and minimize its impact on the organization and stakeholders. Examples include smoke alarms, intrusion detectors, and cybersecurity systems that identify abnormal network activity. A common example of a detective control is credit card notifications of potentially fraudulent transactions triggered by algorithms identifying unusual activity. Detective controls can become preventive controls if they detect the cause of an event before it occurs. For example, file reconciliations can be either detective controls if the error is already recorded, or preventive controls if they detect and correct possible errors before transaction execution.
Corrective controls are a type of mitigation measure aimed at reducing the impact of adverse events. They do not affect the likelihood of risk occurrence but instead help to lessen the damage caused by such events. Examples of corrective controls include IT system redundancies, backup plans, and crisis communication strategies. For instance, backing up the data on a computer won’t prevent it from crashing, but it will significantly reduce the harm caused by the crash. Seatbelts and airbags are everyday examples of effective corrective controls in case of a car accident.
Directive controls encompass the guidelines, instructions and regulations necessary to execute a process, which consist of policies, procedures, training materials, governance structure, and assigned duties and responsibilities. Although these controls may not always be present in control taxonomies, they are ubiquitous in all organizations and have a substantial impact in reducing operational risk when they are exhaustive and implemented effectively throughout the company.
Control types and examples
Key Controls
The concept of key control is another significant aspect of internal controls. Key control, also known as primary control, refers to a control measure that is adequate by itself to prevent the occurrence of a risk. The majority of the examples in the previous diagram represent key controls.
A key control can also be corrective if it mitigates the negative impact. Backing up a laptop to the cloud, for example, is an important control that helps reduce the risk of accidental data loss. Any well-designed process or system must include key controls or significant risk-mitigation measures in their designs.
Conversely, a non-key control, or secondary control, is a control that supports or supplements key controls but is incapable of mitigating a risk independently.
Control Automation
Controls can be classified and explained based on whether they are automated or manual. Control automation can significantly improve control reliability, making risk mitigation much more effective. Some examples of automated controls are –
Automated system access control and access restrictions to maintain duty separation
Automated name and bank account reconciliation
System-generated reasonableness checks or data validation in data collection tools
Facial recognition software
Automated pricing calculations and invoicing
Some bank risk managers view manual controls as unnecessary in light of modern technology, which allows companies to implement controls for processes that humans cannot efficiently or at all, like cyber surveillance and detecting fraudulent credit card transactions.
Control automation replaces the risk of human error with technology risk and model risk. Organizations now face the risk of IT system control failure or incorrect or inadequate model code, especially with the use of artificial intelligence (AI) where the control is based on large data sets that could be biased. Automated controls can shift the high-likelihood/low-impact risks of manual errors into the low-likelihood/high-impact risk of a systemic control breakdown. Choosing risk mitigation options can be compared to applying pressure on a water mattress, where reducing one risk increases another. Examples of possible breakdowns in automated controls include –
False positives (Type 1 errors) and false negatives (Type 2 errors) in automated detection of abnormal activity or transactions in various systems such as bank accounts, credit card accounts, etc.
Disabling of automated controls due to system downtime
Data overflow and the lack of backup due to automated data backup processes happening on a full server.
Incorrect or outdated model code
Biased training data for AI-based controls
Backups over the prior year failing due to server’s storage being full
Early detection and escalation of alerts are crucial for automated controls, particularly in fast-paced and high-risk business environments with large volumes of transactions and significant money flows. This is even more essential for automated controls than for manual controls.
Control Testing
Control assessment is a crucial component of residual risk evaluation. Firms must assess the effectiveness of their risk mitigation measures through control testing, in order to assess their residual exposures to operational risk.
The financial industry is increasingly shifting its focus to controls and control assessment as opposed to just risk assessment. Controls and control effectiveness can be seen and measured. Risks are frequently more difficult to detect, even though their consequences are not.
Control testing should evaluate whether the controls are well-designed and consistently and accurately implemented.
Control Design
When controls are ineffective, they waste resources and provide a false sense of security, leaving the environment vulnerable. Types of weakly designed controls include the following –
Optimistic controls – These are often brief rather than comprehensive and are hence referred to as “tick-box” controls. They require exceptional ability or motivation to be effective. Examples include –
sign-offs for large volumes of documents just before a deadline,
accepting online legal terms and conditions,
validating software access through printed lists of coded names without proper justification,
all approvals and validations where the authorizing party lacks adequate information or time to comprehend what is being approved.
Collective controls – By distributing the accountability for quality assurance and verification across several people, these collective controls weaken accountability for specific tasks. The most common type of collective control is the “maker-checker” or “four-eyes check”. Although widely used, having more than one person check the same information can dilute accountability and increase overall risk. Additionally, because too much faith may be placed in group controls, there may be laxer standards of individual focus and attention, which raises the overall risk. Four-eyes checks are more effective when carried out by a manager and a subordinate, or by people from different departments, and when accountability is clearly attributed to those performing the tasks.
More of the same – This refers to the response to operational incidents caused by a control failure of adding more controls of the same design, even though the previous ones failed. For example, responding to a failure of collective controls by adding more controllers has the effect of diluting accountability even more, as does reinforcing an onboarding process that is already being bypassed by managers because it is too cumbersome and disproportionate.
Poor control design can increase process vulnerability, so adding more controls does not necessarily reduce risk. Proper process design can reduce inherent risk simply by organizing tasks, without needing additional controls. After controls are deemed adequate in design, they should be tested for operating effectiveness to ensure that they are functioning as intended.
Control Effectiveness
There are four main types of control testing, presented in increasing levels of scrutiny. The higher the inherent risk, the stronger the control testing required.
Self-certification or inquiry – This kind of assessment provides little evidence of effectiveness, so it should be restricted to secondary controls or to controls related to environments with low inherent risk.
Examination – To ensure the effectiveness of this approach, written documentation and evidence of controls in the form of written processes and results are necessary. This provides moderate assurance and is most suitable for automated controls and manual control sampling.
Observation – This method involves real-time monitoring of control process execution to assess design and efficacy. It is a stricter testing type for key controls but relies on limited sampling because the observation (or audio and video recording) is typically limited in time.
Reperformance – This is also called reproduction or parallel testing. This is the strongest form of testing. It involves replicating the control process on a subset of transactions and comparing the outcomes with those previously obtained. Control reperformance can be used for various purposes, including mystery shopping to evaluate customer service quality and call center effectiveness. It can also be used to test the error detection effectiveness of control functions such as middle-office or back-office by inserting bogus data or fictitious transactions into trading systems or models. Model validation also employs reperformance testing by validating model output using diverse data sets or independently written code.
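The reperformance technique above, inserting fictitious transactions to measure how well a control function detects errors, can be scored in terms of the false positives (Type 1) and false negatives (Type 2) discussed under control automation. The harness below is an added example, not from the page: the detective control rule (amount above three times the account’s median, or a country seen fewer than three times for that account), its thresholds and the sample transactions, including the seeded fictitious ones, are all constructed.

```python
"""Reperformance test of a detective control using seeded fictitious transactions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: float
    country: str
    seeded: bool = False  # True = fictitious transaction inserted by the tester


def detective_control(txns, amount_multiplier=3.0, min_country_count=3):
    """Return the set of txn_ids the control flags as abnormal.

    Rule 1: amount exceeds amount_multiplier x the account's median amount.
    Rule 2: the country has been seen fewer than min_country_count times for the account.
    The control never looks at the `seeded` flag; only the tester knows it."""
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)
    flagged = set()
    for items in by_account.values():
        threshold = amount_multiplier * median(t.amount for t in items)
        country_counts = defaultdict(int)
        for t in items:
            country_counts[t.country] += 1
        for t in items:
            if t.amount > threshold or country_counts[t.country] < min_country_count:
                flagged.add(t.txn_id)
    return flagged


def reperform(txns, control=detective_control):
    """Re-run the control over the sample and score it against the seeded ground truth."""
    flagged = control(txns)
    tp = [t.txn_id for t in txns if t.seeded and t.txn_id in flagged]
    fp = [t.txn_id for t in txns if not t.seeded and t.txn_id in flagged]      # Type 1
    fn = [t.txn_id for t in txns if t.seeded and t.txn_id not in flagged]      # Type 2
    tn = [t.txn_id for t in txns if not t.seeded and t.txn_id not in flagged]
    return {
        "tp": len(tp), "fp": len(fp), "fn": len(fn), "tn": len(tn),
        "detection_rate": len(tp) / (len(tp) + len(fn)),       # share of seeded items caught
        "false_positive_rate": len(fp) / (len(fp) + len(tn)),  # genuine items wrongly flagged
        "missed": sorted(fn),        # seeded transactions the control let through
        "false_alarms": sorted(fp),  # genuine transactions the control flagged
    }


def build_sample():
    """Constructed sample: genuine history for two accounts plus three seeded items."""
    txns = []
    for i, amt in enumerate([100, 105, 110, 115, 120, 125, 130, 135, 140, 150]):
        txns.append(Txn(f"A{i:02d}", "ACC-A", amt, "GB"))
    txns.append(Txn("A10", "ACC-A", 400, "GB"))  # genuine but unusually large
    for i, amt in enumerate([50, 55, 60, 65, 70]):
        txns.append(Txn(f"B{i:02d}", "ACC-B", amt, "DE"))
    txns.append(Txn("F01", "ACC-A", 5000, "GB", seeded=True))  # obvious outlier
    txns.append(Txn("F02", "ACC-A", 300, "GB", seeded=True))   # subtle, below threshold
    txns.append(Txn("F03", "ACC-B", 58, "XX", seeded=True))    # unusual country
    return txns


if __name__ == "__main__":
    for key, value in reperform(build_sample()).items():
        print(f"{key}: {value}")
```

A missed seeded item points at a gap in the control’s design, while a high false-alarm rate is the cost side of the same control; the reperformance sample has to be representative of the real population for either number to mean anything.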
Finally, different elements influence the effectiveness of control testing, such as the following –
Independence of the testing party – To avoid conflict of interest and bias in the assessment, the testing party should be independent from the owner of the control process, except in the case of self-certification.
Frequency of testing – The frequency of control assessment should be proportionate to the severity of risk, with more frequent assessments for higher risks or unstable risk environments.
Scope and sample – The size of the sample tested and the scope of testing clearly affect the test’s outcomes. The test sample should be as representative of the entire population as much as possible. The reliability of the results must be judged in relation to the time and effort committed to testing. Insufficient sampling or biased sample tests can present a false view of the control effectiveness.
Control Testing And Risk Governance
In the past, internal audit was typically responsible for control testing, but many organizations now also rely on the first line of defense to regularly test their key internal controls, particularly due to the heightened operational risk.
While the operational risk management (ORM) function doesn’t usually conduct control testing, central operational risk managers need to ensure that the controls are appropriately designed and implemented to minimize risks within their risk tolerance levels. The ORM function must verify that control assessments have been performed and included in the qualitative and quantitative assessment of operational risk.
Many resources from the Institute of Internal Auditors (IIA) and COSO offer literature on internal control design, setup, and testing. The Sarbanes-Oxley Act has also been instrumental in enhancing the organization of processes, internal controls, and control testing in financial firms. Operational risk managers governed by SOX can benefit from these practices when evaluating or providing guidance on internal controls.
Risk Mitigation Through Process Design
Operational risk and controls are linked to the design and operations of an organization. The main techniques and methods through which process design is leveraged to mitigate operational risks are –
Prevention Through Design
Typology and Mitigation of Human Error
Lean Six Sigma
Quality Improvement
Prevention Through Design
The idea behind prevention through design (PtD), also known as safety by design, is to incorporate risk reduction methods and structures during the process design phase to minimize the likelihood of incidents. PtD may include measures such as checklists, communication protocols, standardization, and optimized work environments or system design.
Within engineering, human error is viewed as an indication of a safety issue rather than the cause of it. Essentially, errors made by individuals are considered to be symptoms of flawed processes or a lack of adherence to procedures. Human error is not seen as an inherent problem; instead, the focus is on enhancing controls to improve processes and ensure compliance with them.
Typology And Mitigation Of Human Error
Skill-based (SB): Slips
Involuntary/unintentional
Caused by inattention, distraction, environment, tiredness, etc.
Examples –
accidental processing errors,
so-called “fat finger” mistakes: reversing a number in a transaction or entering a trade for a put option instead of a call option.
Choice of response should consider the root cause of the slip
Controls for SB errors –
Improved, supportive environment, re-engineered processes, adjusted pace, etc.
Rule-based (RB): Mistakes
Voluntary action: “Strong, but wrong”
Wrong action based on flawed rules
Caused by wrong incentives, flawed products, misleading instructions, etc.
Examples –
mis-selling to customers due to aggressive commercial incentives.
Controls for RB errors – change the rules.
Knowledge-based (KB): Mistakes
Wrong choice of action when confronted by a new situation
Caused by lack of training, knowledge of the environment, causes and/or consequences of actions
Controls for KB errors: training, documented procedures, help file, escalation rules.
A fourth type of human action that results in an operational risk event is a violation. Unlike an error, the perpetrator deliberately chooses to deviate from the correct course of action, rule, or process. Supervisory controls, such as hierarchy, cameras, or automated recordings, are effective in mitigating violations. Improving the risk and compliance culture to encourage adherence to rules and processes can also help reduce violations.
Lean Six Sigma
Lean Six Sigma is a managerial concept that combines Lean and Six Sigma techniques to optimize workflow and improve performance. This method systematically removes waste and reduces variation through the analysis of processes and collaborative tasks. Lean techniques aim to eliminate eight types of “waste”, which refer to process inefficiencies related to underutilization of resources, time loss, or unnecessary tasks. These types of waste are represented by the acronym DOWNTIME –
defects,
over-production,
waiting,
non-used talent,
transportation,
inventory,
motion, and
extra processing.
Six Sigma is concerned with improving process output quality by identifying and eliminating the causes of defects or errors, as well as minimizing variability in manufacturing and business processes. The DMAIC (define, measure, analyze, improve, and control) cycle is used by both Six Sigma and Lean Six Sigma. In terms of scope, the DMAIC method (as given in this figure) seeks to identify the root-cause(s) of inefficiencies in any given process, product, or service. It works best in activities with a large amount of data or measurable characteristics.
DMAIC cycle in six sigma and lean six sigma
Quality Improvement
This approach mainly applies to the manufacturing and production sectors. The model for improvement addresses three questions –
What is the goal?
What makes a change an improvement?
What changes will result in improvement?
It is usually represented by the plan, do, study, act (PDSA) cycle, or “Deming cycle” –
Plan – Define goals, outcomes, metrics, and logistics.
Do – Execute the plan and collect data on improvement or progress.
Study – Analyze the data, compare outcomes, and identify opportunities for improvement.
Act – Learn from the process and adjust the desired outcomes, the success metrics, and the process for the next cycle.
This cycle is repeated to improve products or services.
New Product And New Initiative Approval Process
New business ventures, projects and products involve novelty, uncertainty, and risks. To mitigate such risks, businesses typically implement the New Product Approval Process (NPAP) or its counterpart for new initiatives, the New Initiative Risk Assessment Process (NIRAP).
New initiatives include any new plan or process to achieve a business objective or solve a problem and that modifies or affects the current course of business. New initiatives might include the following –
New financial products, services, or activities for customers, which fall under the NPAP policy.
New outsourcing arrangements, or modifications to existing outsourcing arrangements, that should be addressed by the outsourcing risk management and outsourcing policy.
New projects and restructuring of activities that are often also linked to the project management policy, whether or not IT-based.
A best practice is for initiative owners to present a business case to justify resource allocation. The case should address at least five key topics – objective, alternatives, expected benefits, commercial aspects, and risks. An illustration is given in the table below.
New Initiative Business Case: Sections
Objective – Context and objectives, what we want the firm to achieve and the rationale for the project
Alternatives – Other options considered and reasons for selecting the current project
Expected Benefits – Expected benefits and synergies from the project, and possible drawbacks
Commercial Aspects – The costs, investment needs, and funding arrangements
Risks – Main risks and their possible impact on the business case and on the rest of the business, with their mitigation
Project – The content of the business case to be adapted to reflect each initiative’s requirements
Illustration of NIRAP Business Case
Involvement Of Operational Risk Function
The degree of involvement of the risk function and the level of mitigation required for a project is determined by the project’s risk level. Typically, a risk-based approach that follows a risk-rating methodology used for non-financial risks can be employed.
Without intervention from the risk function, the project team is responsible for managing common project risks such as time, budget, and delivery quality. However, all stakeholders, including the risk function, receive regular project reports that address both execution risks and project risks.
Mature organizations and sectors conduct post-delivery reviews, quality evaluations, and debriefings. Certain firms keep a record of post-project evaluations, debriefings, and lessons learned to avoid repeating past mistakes and capitalize on past successes. The risk function may also be responsible for initiating the collection of lessons learned or ensuring that they are effectively utilized.
New initiatives can create or modify existing risks by disrupting the state of “business as usual”, such as introducing new products, IT software, or processes. These initiatives may shift some process responsibilities to the operations team. In addition to the traditional risks to project delivery, the ORM function should identify, assess, and mitigate all direct and indirect risks that may arise from a new undertaking and support the team involved in the initiative.
This table summarizes the stages and nature of involvement of the risk function during a project’s life. “Critical” and “important” projects or initiatives are those materially affecting the main functions in the organizations. These are the projects and initiatives with the highest risk rating and are typically given top priority.
Initial stage (before kick-off)
Risk identification and assessment: workshop facilitation, for important and critical projects
Mitigation and monitoring plans: assurance that plans exist to address the risk exposures identified, relative to their materiality
Project life: monitoring and risk update
Regular project reporting both for operational risks and project risks
Regular meetings with the risk team and the project team to update risk identification and assessment findings for important and critical projects
Project closure
Debriefing, evaluations of project deliverables, analysis and documentation of the risks that materialized and those that were avoided, lessons learned, applicable to all projects
Special Case Of Mergers And Acquisitions
Mergers and acquisitions are the most significant and complex projects, with the acquiring firm inheriting credit, market, and operational risks from the acquired assets.
Assessing credit risks can be done accurately if the obligors, collateral, and terms and conditions data are available. However, operational risks are not as transparent and can be difficult to assess as they result from people, systems, and processes built over time. These risks may resemble “skeletons in the closet” that may be discovered long after the acquisition.
If the bank is acquiring assets in new geographies or businesses, more care is required to assess operational risks. The ORM function can help by using available data to create a risk profile that familiarizes management with potential operational risks in the new business.
When a firm is acquired, the integration process can introduce additional operational risks related to integrating customer and account platforms, payroll and management systems, and inter-company communications. To identify these risks, operational risk management can conduct risk identification workshops and work with the integration team to establish mitigation measures that address potential failures during the complex acquisition process.
Mitigating Measures And Resilience
Even with a rigorous underwriting process, financial institutions understand that loan defaults are likely. Thus, managing loan recoveries through collection and collateral sales is crucial for minimizing credit losses.
Similarly, despite having preventive and detective controls, operational events can still happen, making corrective controls and other mitigating measures crucial to minimizing their effects. The key measures of impact reduction are –
Contingency planning,
Resilience measurement, and
Event and crisis management.
Contingency Planning
A contingency plan is a backup strategy that an organization can use in case a significant event or situation does not go as expected. Essentially, it’s a “Plan B” that allows the organization to respond effectively to unforeseen circumstances.
Contingency planning is essential for business continuity and disaster recovery. It involves preparing for potential incidents by clearly defining roles and responsibilities. This can range from having a spare laptop to a disaster recovery site. Contingency planning provides a buffer and alternative options for systems, people, and processes. It is considered costly in good times, but necessary for resilience during bad events, similar to insurance.
Business continuity management (BCM) and disaster recovery planning (DRP) are specific forms of contingency planning that enhance operational resilience, the ability to adjust and recover critical operations following an adverse event. BCM and DRP have long been in use in vital infrastructure sectors such as healthcare, public services, and energy and water supplies. In the financial sector, regulators have turned their attention to operational resilience, which is of particular importance for systemically important financial institutions (SIFIs) since disruptions to their services can have far-reaching consequences for the entire financial system.
Business Continuity Management
BCM is a continuous process that involves a series of tasks aimed at ensuring business continuity in the event of a crisis. It helps identify vulnerabilities to possible disasters and focuses on critical areas of the business, ensuring its survival even in the face of catastrophic events.
A BCM process can vary, but it typically involves a BCM structure which is a dynamic version of the business continuity plan (BCP) that requires regular testing to ensure practicality and speed of implementation during an emergency. BCM governance is also important, with a key owner responsible for designing and executing actions and communicating with outside parties. In a crisis, senior management takes center stage. This diagram outlines the stages of developing a BCM.
Steps to develop a BCM –
Ensure senior-level commitment to provide top-down direction, support, and ownership to both the BCM process and the rapid implementation of the BCP in the event of a crisis.
Initiate management process and form a team that will own the project as an ongoing initiative rather than a one-time occurrence.
Agree on key deliverables, budget, regulatory obligations, specialists to consult, and members of the crisis management team.
BCM identifies and manages threats and risks that could cause corporate catastrophes, such as technological, environmental, or reputational issues, whether caused by internal or external factors. These threats and risks should be linked to key operational risks in the organization.
Risk management response depends on the threat level and available options. The response strategy includes the business impact analysis (BIA), determining the recovery time objective (RTO), and external insurance or contractual arrangements with crisis-management specialists. Smaller organizations can benefit from hiring external providers to limit damage by providing financial support, technical assistance, or managing external communication.
Event And Crisis Management
Disruptive events to the business will require the activation of the BCP. To manage disruptive events, organizations need to demonstrate three essential qualities –
Speed – In the case of a crisis spreading rapidly, a swift, decisive and appropriate response is crucial (for instance, in case of a cyberattack).
Competence – It’s important to have qualified specialists for each job, even if it is required to use the services of external experts to handle the communication, or the technicalities of the recovery.
Transparency – Firms must maintain transparency even in the case of large operational loss events, as trust is critical to maintaining a strong reputation. Concealment and dishonesty can have negative impacts on stakeholders and lead to damaging media coverage.
To react quickly in a crisis, firms should have two incident response teams –
Technical team – includes specialists focused on restoring normal processes (IT/security for tech disruptions, and business continuity for supply chain and business issues).
Communication team – deals with media and stakeholders, including employees. They have specialized training and strategies.
These two teams should be overseen by a dedicated member of senior management.
In an emergency, following the BCP will help to control emotions that cloud judgment and can lead to bad decisions.
BCP testing is commonplace and mandatory. It is most useful when it includes sufficient stakeholder management and communication to manage the reputational aspects of an incident, rather than just the technical aspects of operational recovery. A “war room” simulation (simulating an extreme operational event to test the firm’s response and recovery process) provides valuable, real-world mitigation practice. Such simulations are typically facilitated by operational resilience specialists.
Phases Of Operational Risk Event
Four phases of a major operational risk event are – Crisis, Emergency Response, Recovery, and Restoration.
During the crisis phase, the scale and type of the problem become known.
The emergency response phase involves assessing the situation and deciding on a plan of action.
In the recovery phase, essential operations restart, and recovery measures include
Recovery Point Objective (RPO) – This indicates the amount of data lost or requiring re-entry after an outage. It is determined by the data back-up frequency, unless the back-ups themselves are lost or corrupted.
Recovery Time Objective (RTO) – This is the maximum duration of disruption for a process, system, or service that a business can tolerate. Regulators impose maximum RTOs on key financial players.
Restoration is the final phase and involves returning to normal operations, which can take a long time in the case of physical damage or external disruptions (e.g., two years after the first lockdown due to the COVID-19 pandemic, many financial firms had still not reopened their offices and continued to work remotely).
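The RPO and RTO definitions above can be turned into a post-incident check. The following is an added example, not code from the original material: it takes a constructed back-up history and incident timeline, works out the data-loss window from the most recent usable back-up (so a corrupted back-up does not count, as the RPO definition notes), and compares both figures against assumed targets.

```python
from datetime import datetime, timedelta

# Constructed back-up history: (completion time, usable?). The 12:00 back-up is
# marked as corrupted, so the data-loss window has to fall back to the 06:00 copy.
BACKUPS = [
    (datetime(2024, 3, 10, 0, 0), True),
    (datetime(2024, 3, 10, 6, 0), True),
    (datetime(2024, 3, 10, 12, 0), False),   # corrupted, cannot be restored
]

# Constructed incident timeline and assumed (hypothetical) targets.
OUTAGE_START = datetime(2024, 3, 10, 14, 30)
SERVICE_RESTORED = datetime(2024, 3, 10, 17, 0)
RPO_TARGET = timedelta(hours=6)
RTO_TARGET = timedelta(hours=4)


def achieved_rpo(backups, outage_start):
    """Data-loss window: time from the last usable back-up before the outage.

    Returns None when no usable back-up exists (total data loss)."""
    usable = [t for t, ok in backups if ok and t <= outage_start]
    if not usable:
        return None
    return outage_start - max(usable)


def achieved_rto(outage_start, restored_at):
    """Disruption duration: time from outage start until service is restored."""
    return restored_at - outage_start


def assess_recovery(backups, outage_start, restored_at, rpo_target, rto_target):
    """Compare the achieved RPO/RTO against the targets and flag breaches."""
    rpo = achieved_rpo(backups, outage_start)
    rto = achieved_rto(outage_start, restored_at)
    return {
        "rpo": rpo,
        "rto": rto,
        "rpo_met": rpo is not None and rpo <= rpo_target,
        "rto_met": rto <= rto_target,
    }


if __name__ == "__main__":
    result = assess_recovery(BACKUPS, OUTAGE_START, SERVICE_RESTORED,
                             RPO_TARGET, RTO_TARGET)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed data the service was back within the RTO (2.5 hours of a 4-hour tolerance), but because the latest back-up was unusable the data-loss window is 8.5 hours, breaching the 6-hour RPO. That is the point of the "unless lost or corrupted" caveat: back-up frequency alone does not guarantee the RPO, and restore tests are what confirm it.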
Risk Transfer
Risk transfer is an effective method of mitigating operational risk, but it comes at a cost and occasionally introduces new risks. Some risks are relatively simple to transfer whereas others (or their consequences) are much more difficult. It is important to understand the characteristics and feasibility of risk transfer.
Two common methods of operational risk transfer are –
External Insurance
Outsourcing
Risk Transfer Through External Insurance
External insurance reduces an organization’s profit and loss volatility by compensating it financially for certain risks that may materialize. This is done by paying regular premiums in exchange for coverage, usually for “errors and omissions” made by operatives, such as typing errors or information loss. The financial consequences of these risks are easier to compensate for than qualitative impacts like reputational damage or client detriment.
External insurance policies for operational risk are usually suitable for risks that meet two criteria –
They have a predictable likelihood and impact distribution, which allows them to be appropriately priced and underwritten for the policyholder.
They are readily transferable, meaning that the risk exposure and consequences can be effectively mitigated through insurance.
The decision involves a trade-off between the insurance premium and the volatility it removes. The insurance premium is usually greater than or equal to the expected losses of the insured risk, especially over extended periods. Hence, large institutions often self-insure minor losses through subsidiaries or simply accept the volatility, and only purchase external insurance for extreme operational risk “tail” events, such as cyber risks, business discontinuity, or major class action lawsuits. Any potential materialization with significant financial losses is a good candidate for an external insurance policy.
Under the Basel Standardized Approach for operational risk, net loss amounts are determined by subtracting insurance recoveries from gross losses when those losses are factored into the loss multiplier.
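The premium-versus-volatility trade-off and the gross-minus-recovery netting described in the two paragraphs above can be seen on a small constructed loss history. The following is an added example, not from the original material: a policy with a self-insured retention (deductible) and a payout limit is applied to five constructed annual gross losses, and the mean and standard deviation of the firm's annual cost are compared with and without cover. The deductible, limit and 25% premium loading are assumptions chosen for the illustration.

```python
from statistics import mean, pstdev

# Constructed annual gross operational losses (USD millions), one per year.
# Four ordinary years and one severe "tail" year.
GROSS_LOSSES = [0.2, 0.5, 1.0, 2.0, 30.0]

# Assumed policy terms (hypothetical values for the illustration).
DEDUCTIBLE = 1.0   # self-insured retention: the firm keeps the first 1.0 of each loss
LIMIT = 20.0       # insurer pays at most 20.0 above the deductible
LOADING = 0.25     # insurer's margin over the expected insured loss


def insurance_recovery(gross, deductible=DEDUCTIBLE, limit=LIMIT):
    """Insurer pays the part of the loss above the deductible, capped at the limit."""
    return min(max(gross - deductible, 0.0), limit)


def net_loss(gross, recovery):
    """Net loss as the page describes for Basel SA netting: gross minus recovery."""
    return gross - recovery


def annual_premium(losses, loading=LOADING, deductible=DEDUCTIBLE, limit=LIMIT):
    """Premium = expected insured loss plus a loading, so premium >= expected losses."""
    expected_insured = mean([insurance_recovery(g, deductible, limit) for g in losses])
    return expected_insured * (1.0 + loading)


def compare_cover(losses, loading=LOADING, deductible=DEDUCTIBLE, limit=LIMIT):
    """Mean and volatility of the firm's annual cost with and without the policy."""
    retained = [net_loss(g, insurance_recovery(g, deductible, limit)) for g in losses]
    premium = annual_premium(losses, loading, deductible, limit)
    return {
        "premium": premium,
        "uninsured_mean": mean(losses),
        "uninsured_stdev": pstdev(losses),
        # The premium is paid every year, so it raises the mean cost ...
        "insured_mean": mean(retained) + premium,
        # ... but, being fixed, it adds nothing to the volatility of retained losses.
        "insured_stdev": pstdev(retained),
        "retained_losses": retained,
    }


if __name__ == "__main__":
    for key, value in compare_cover(GROSS_LOSSES).items():
        print(f"{key}: {value}")
```

On the constructed data the expected annual cost rises by the loading (about 1.05) while the standard deviation falls from roughly 11.6 to 3.7, which is exactly the trade-off the text describes: the firm pays more than its expected loss in return for capping the tail year at the deductible plus the excess over the limit. Raising the deductible is the self-insurance choice large institutions make for minor losses; lowering the limit shows how quickly the protection against a severe year erodes.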
Although external insurance is a way to transfer risk, it is not foolproof because the organization is still vulnerable to the insurer’s ability and willingness to provide compensation in the aftermath of the event. Additionally, even if the compensation is eventually received, it may take several months, leaving the insured firm exposed to liquidity risk in the interim.
Risk Transfer Through Outsourcing
Outsourcing is when a company contracts a third party to handle some of its tasks. Small businesses often outsource accounting, digital marketing, ICT management, or legal and HR administration. Banks and insurance companies may outsource non-core tasks, like IT server management, cloud computing, data centers, or call centers.
Some automatic risk transfer takes place every time an activity is outsourced. However, the risk to an organization can either rise or fall depending on what activity is outsourced, why it is outsourced, and to whom it is outsourced. For example –
If a bank outsources its call centers to a cheaper labor market, it could face new risks and less control, despite saving money. This kind of outsourcing is a way to take on more risk for potentially higher profits.
Alternatively, a company might outsource non-core activities to more experienced third-party specialists, like payment and settlement systems, data center storage, or maintenance. This may cost more, but the outsourcing strategy should reduce operational risk exposure.
Improving technology has led to the rise of specialized FinTech firms. While traditional banks outsource some ICT activities and keep credit decisions in-house, FinTech banks manage their own technology platforms and excel at digital banking, but often outsource credit risk decisions to specialists.
Outsourcing can lead to higher operational risk, also known as “third-party risk”, because the company is exposed to the possibility of inadequate controls at the third party. The transfer itself comes with risks and makes it harder to shift the responsibility of the risk. Nowadays, outsourcing is viewed as a “risk sharing” approach rather than solely a risk transfer strategy.
Like external insurance, outsourcing allows companies to transfer certain operational risks, but not all of them. For instance, reputational damage is not something that can be outsourced or repaired through insurance.
Management Of Reputational Damage
The definition of operational risk excludes reputational risk since damage to a company’s reputation can be caused by factors beyond operational risk. It can be damaged by internal and external operational events. Prevention and mitigation strategies are necessary to build a strong reputation and respond effectively to limit reputational damage following operational risk incidents.
Preventive controls and strategies can build and maintain customer confidence. Detective controls, such as monitoring customer complaints on social media and tracking trends in refund requests or system downtimes, are designed to identify operational failures but also reduce their reputational impact. Corrective risk controls and mitigation strategies are also crucial in protecting a company’s reputation and responding to operational events that harm customers and communities.
Maintaining a good reputation requires embedding reputation management into a firm’s everyday activities. It is a good practice to reward staff for actions that protect and improve the firm’s reputation. This can include giving gift vouchers to teams with high customer satisfaction ratings, positive media profiles, or smooth transaction operations. Rewarding individuals and teams for self-identifying operational risks, near misses, and undetected events is a valuable strategy that can prevent costly consequences. Creativity is key when celebrating success in operational areas.
A firm’s choices regarding shareholders, clients, staff, and third-party suppliers can impact its reputation. Partnering with the wrong type of client is a significant operational risk for firms.
Good practice in reputation management is, as usual, a combination of detective, preventive, and corrective measures. When an incident occurs, effective corrective measures involve following the three R’s of crisis communication –
Regret – recognizing and apologizing for the incident
Reason – explaining why the incident happened, transparently identifying the firm’s responsibilities
Remedy – arriving at a satisfactory solution to compensate for stakeholder damage.
Effective reputation management requires stakeholder analysis to identify the importance and impact of each stakeholder on the organization. Not all stakeholders are equally important or affected by operational events. It’s essential to differentiate stakeholders to design specific remedies for reputational risks. For example, if a scandal affects a bank’s investment banking department, primary stakeholders to manage include institutional investors, large corporate clients, and regulators. Regulators are very important stakeholders for financial service firms, especially large ones facing scrutiny. Maintaining a reputation for transparency, collaboration, and respect for regulators can be valuable when seeking approvals or handling operational failures.
Positive stakeholder engagement and dialogue can build up “reputation capital” for an organization, which can serve as a buffer of goodwill during a crisis and improve the firm’s resilience to unexpected shocks. Effective crisis management and resilience can also reinforce a firm’s reputation, and vice versa.