Operational risk has been often underestimated and set aside in relation to other risks by many insurance companies during the past, especially in insurance and banking industry. Nowadays, operational risk has been given more attention, as it has been realized that proper and effective operational risk management can significantly reduce unnecessary operational losses. It can also result in enhanced productivity and more effective and efficient business processes that are crucial for every organization. Managing operational risk is not an easy task, and companies are constantly dealing with difficulties in creating a suitable integrated system how to asses, reduce and manage their risks in an adequate way. The main problem is that operational risk has been for many years neglected and experiences have shown that consequences of that type of risk have frequently resulted in large capital losses and liquidation of companies. Other also important problems are lack of quality information, traditional approaches in quantifying risk and unreliability of these types of approaches. However, large numbers of insurance companies have turned towards using scenario analysis, which is eased by development of modern and advanced information technology. All this problems, concerns and activities are referred to one of the main principles of every insurance company, and that is, insuring solvency. Solvent insurance company is perceived as capable of covering and redeeming all claims, regardless of their size and number, without any difficulties towards its clients. Also, it is considered being able to pay its financial obligations towards state, other companies and employees in maturity deadlines. In making all this possible, insurance company need to adequately allocate and manage their capital and risk. That means, insuring an adequate level of capital for covering all risks that they are facing in their business activities with the final goal of creating value. Being and staying solvent is for insurance companies extremely important, not only because of the facts mentioned above, but also due to regulatory institutions that demand and enforce companies to be solvent and require level of capital needed for maintaining solvency. The most important forthcoming regulation, for insurance company, is called "Solvency II". It represents a new set of regulatory rules that should, besides protecting insurers, ensure long term stability of the financial and insurance sector. Solvency II implies narrow engagement in risk management and risk recognition in company's business activities. In that way, companies would be properly capitalized according to all undertaken risks. Also, they would adapt business policy and desired profitability towards their own risk exposure. Nowadays, companies are increasingly putting effort in complying with all of the Solvency II regulations. It is a long process that requires a lot of work and faces various difficulties. Implementation of Solvency II has been postponed for a couple of times so far and it is supposed to be put in charge on beginning of 2015. As companies progress through their implementation programmes, some aspects that had hitherto taken a backseat are now starting to receive more attention as it is realized that they may have more impact than previously thought. One of such areas is Operational Risk. It is often seen as just a catch-all for "other" risks, and especially those that are not conveniently tractable; the fundamental importance of operational risk is increasingly being realized, as recognition spreads that this is where many of the insurance industry's killer risks can tend to lurk. Management of operational risks, and crafting companies that are ever more robust to these risks, are now seen as key aspects of sound insurance management. Operational risk is also moving up companies agendas, as the capital charge under the Solvency II Pillar I standard-formula calculation is a rather crude measure, essentially based on business volumes. Whilst this has the benefit of simplicity, in some situations it is leading to what are seen as excessive capital requirements. There has been also a new wave of demand for the quantification of operational risk. For insurance companies, current Solvency II requirements are triggering the development of internal operational risk models. At first glance, the less explicit requirements of Solvency II regarding methodology choice seem to be an advantage. However, the lack of insurance industry benchmarks and regulatory rules can result in lengthy and difficult-to-manage approval processes. Operational risk extends well beyond the confi nes of a risk model or formula-based quantifi cation. It encompasses a company's business activities and is an integral part of an efficient enterprise-wide risk management framework. Over the past few decades many insurers have capitalised on the market and have developed new business services for their clients. On the other hand, the operational risk that these insurers face have become more complex, more potentially devastating and more difficult to anticipate. Although operational risk is possibly the largest threat to the solvency of insurers, it is a relatively new risk category for them. It has been identified as a separate risk category in Solvency II. To date, most of the controversy over Solvency II has foscused on the draft directive, the calculation of technical provisions and the formulas used to calculate the Minimum Capital Requirement (MCR) and the Solvency Capital Requirement (SCR). These initiatives have focused on measurement of insurance and asset risks. Many have the view that there are still numerous issues concerning operational risk that must be resolved under Solvency II. The purpose of this thesis is to provide a better insight on how to effectively manage operational risk (OpRisk) and what are the implications from the new regulatory rules of Solvency II. It is designed as a management perspective in dealing with operational risk, but all of the aspect of that type of risk has been included in the work. Due to the broad area of operational risk management (ORM), the thesis is focused on main aspects of the risk, its definitions, features, measuring and quantifying. Framework for managing OpRisk will be thoroughly described and Solvency II demands and considerations will also be stated and explained. Sources used for the thesis are mostly external and precisely selected. An interview will also be undertaken with a risk manager in a company in which the writer is currently doing an internship. This will surely help me, as a writer, to better understand the subject and be more competent in explaining and bringing closer the topic developed in my thesis to anybody who reads it or has some questions regarding the subject. I decided for this topic because I was astonished by the fact that large number of insurance companies, especially in Croatia, are losing significant amount of time and money on simple every day processes. In other words, operative tasks are a factory of a big number of errors and losses due to poor process control or human error caused by too much workload. That is because I see a need to better understand and mange operational risk in order to achieve better overall results in all business sectors and diminish losses and errors to a minimum. In the thesis, Chapter 2 is regarding defining and properly explaining operational risk, and mentioning its features, categories and dimensions. Chapter 3 is concerning measuring and modeling of OpRisk, its taxonomy and problems that arise from these types of processes and how do company face them. Chapter 4 explains the Operational Risk Management Framework, its stages, challenges and difficulties. Possible risk transfers are also mentioned in this chapter as a way of protection from unwanted events. In Chapter 5, it is discussed about the Solvency II and its implications, most of them regarded by the Pillar I. Benefits and concerns that are expected in the future from the new regulatory rules will also take a part in this chapter. After chapter 5, there will be a thorough conclusion about the whole process of managing operational risk, with respect to the insurance industry and the effect that Solvency II will have regarding that specific type of risk.
OPERATIONAL RISK AS A TERM Risk represents the probability of a potential event happening and resulting in harmful consequences. In the evaluation of the risk size, major factor taken in consideration is the severity of consequences produced by the risk itself. Hence, risk stands as a measure of probability of an unexpected outcome. International Organization for Standardization defines risk as a Ã¢â‚¬Å¾probability combination of an event happening and its effects"adding that Ã¢â‚¬Å¾effects can be positive or negative"and suggests also that Ã¢â‚¬Å¾in some situations, risk represents a degree of deviation from what is expected". If we look at the term risk from the insurance industry perspective, we can determine risk as danger of a negative financial outcome from a possible future event. Insurance industry has a key role in society when it comes to risk management, simply because insurance provides the mechanism of risk dispersion through forming a risk community. It allows individuals and legal entities (business subjects) to accept the risk that would be unacceptable without the existence of insurance. Whole industry is focused mainly on the identification, evaluation and determination of the risk price and, by default, on risk management.
2.1. Defining operational risk Operational risk has multiple definitions. All of them can be used as a reference in defining this type of risk. It is possible to define it as, "the risk arising from inadequate or failed internal processes, people and systems or from external events". This definition, which is based on the underlying causes of operational risk, includes legal risk but excludes business and reputational risk. Based on this defi nition, the concept of operational risk was subsequently developed to take into account the distinction between causes, events and the resulting operational losses (consequences or effects). Moreover, there are other operational risk definitions which can represeent different perspectives of looking towards risk, such as: Ã¢â‚¬Å¾OpRisk is the risk of everything other than credit and market risk" Ã¢â‚¬Å¾OpRisk is the risk associated with the Operations department" Ã¢â‚¬Å¾OpRisk is the risk that deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, systems failure and inadequate procedures or controls" C:UsersFilipDesktopfinal thesis- MIRM13pictures for final thesisWindowsLiveWriterFridaysMovieOperationalRiskPart12007FRM_CD5Aimage_2.png Figure 2.1. Segregation of causes and effect of operational risk; and other risk types All the definitions imply and emphasize the components and/or causes of operational risk. We can also call them risks or effects and they are: Processes/Policy, such as inefficiencies or ineffectiveness in the various business processes within the firm. For example like, accounting mistakes, value-supporting processes such as IT, HR, non-compliance with internal policies or external regulation or failures and other. People, such as employee error, employee misdeeds, employer, conflict of interest or from other internal fraudulent behaviour, health and security, etc. Technology, risks arising from defective hard- or software, failures in other technology such as networks or telecommunications, as well as breaches in IT security, system failures caused by breakdown, data quality and integrity issues, inadequate capacity, and poor project management. External, such as loss caused by the actions of external parties (for example, external fraud, competitor behaviour and regulatory changes) as well as macroeconomic and socioeconomic events, "money laundry", lack of physical security for the institution and its representatives, etc. Looking at the various definitions and causes, it is obvious that defining operational risk is very demanding and challenging. But, it is also very important because if we want to manage and measure something, first we need to define it. Defining operational risk is problematical because it is so diverse. To get a feel of how diverse it is, we need to examine the kinds of loss events that can be classified under operational risk.
2.2. Features of operational risk Characteristics of operational risk that distinguish it from other risks are that it is diverse, very peculiar, one-side and hard to manage. One also important fact that separates it from other risks is that operational risk is not taken directly; it is present inside normal business activities which undoubtedly make operational risk management very challenging and demanding. The diversity of the scope of operational risk is one feature that distinguishes it from the relatively narrowly defined market risk and credit risk, which are more widely understood and appreciated (by fi rms and regulators) as risk types. The diversity of operational risk (ranging from legal concerns to technological issues to behavioral matters to acts of God) makes it diffi cult to limit the number of dimensions required to describe it. Operational risk encompasses the types of risk emanating from all areas of the firm: front office to the back office and support areas. It is embedded in all other business risks and also intertwines with them, it is directly connected with human factor and hard to quantify. Hence, identifying operational risk is more difficult than identifying any other risk. Another specific feature of operational risk lies in its presence in all business processes. It can be considered as a by-product of everyday business activities and it can derive from business complexity, system and human errors, etc. That is why we can say that it is one-sided and driven solely by its role as an undesired effect of increasingly complex business operations. In this sense, the risk-return trade off associated with market risk has no equivalence in the case of operational risk, meaning that exposure to operational risk can cause losses without boosting the potential rate of return on capital and assets. To argue that point, it could be wrong to think that operational risk is one-sided in that sense. Insurance companies, other financial institutions and firms in general are taking that risk on purpose with the aim of realizing potential return. So, if it was one-sided, then every firm's objective would be to eliminate it completely, thus this can be done most effectively by shutting down your business. We all think that doing such thing would be a drastic, unwanted and not right minded action. By taking on operational risk, companies earn income while being exposed to the risk of incurring operational losses when they materialize. This is a basic example of a risk-return tradeoff. Hence, the fact is that operational risk should not be perceived as being entirely associated with the cost of doing business. Instead, it has to be seen as an integral part of the bundle of risks that are taken to generate profit. Operational risk, as mentioned before differs from market and credit risk, is peculiar in the sense that when it strikes one firm, it does not spread to other companies, implying the absence of contagion or system-wide effects. That means it is firm-specific and not systemic like some other risks. We can believe that operational risk is so specific also because it is considered that operational losses tend to have no correlation with general market forces. This is not a characteristic of market risk and credit risk. Market downturn affects all companies, and a default by the customers of one firm affects its ability to meet its obligations towards other companies.
2.3. Operational risk categories and dimensions As mentioned in the chapter before, operational risk comes from different sources. It is hard to control their effects which can result in operational losses. Therefore, important thing is to thoroughly understand these causes, in other words categories, and properly manage activities that are part of them. Basically we can divide operational risk sources into 5 categories: Organisation Policy Technology Human External events The 5 suggested categories are major and they present a valid base for solving problems for management. They represent a cluster of sub-categories which had to be created in order to allow the adding of new OpRisk aspects and the subtracting of obsolete ones. They allow one to be more specific on firm relevant risk drivers which require focus and responsibility assignment. Important is the intellectual, organizational and continuous discipline in categorizing the risks and in doing something reasonable about them. There are many sub-categories which are divided among 5 mentioned major categories. ORGANISATION: Governance, Structure, Culture, Communication, Project Management, Outsourcing, Business continuity, Security POLICY: Policy and process, Compliance, Product, Client TECHNOLOGY: Communications, Hardware and Software, IT Security HUMAN: Employee, Employer, Conflict of interest EXTERNAL: Physical, Litigation, Fraud It is important that this sub-categorisation relies on a root analysis, i.e. causation of OpRisk loss events. By linking causation to relevant business activities, it is intended to use this structure as a tool with which to act upon OpRisk, thereby providing management with an OpRisk framework. The structure also lends itself to possible quantification by drawing upon data sources relevant for modeling as well as for qualitative reporting. Good risk management is crucial in order to sustain profitable and high returns and depend also a lot on managing operational risk. It is not a new term in insurance but it is not also yet well known and sophisticated like management of other type of risks (credit and market risk). But, company's management does realize that understanding risks has always been fundamental management process. Hence, good risk management can produce and add value in 2 dimensions: Control: Independent risk assessment, compliance, business continuity planning, supervisory requirements, limits, progress reporting, escalation, corrections, etc. Shareholder value creation: efficiency, correct risk evaluation and pricing, duplicate control avoidance, rational economic capital allocation, reduction of regulatory capital, product enhancements, competitive strategic advantage, improved reputation, etc. The dimension "1. Control" covers the following: avoiding accidents, catching non-compliance and illegal actions, complying with rules and regulations, complying with usual management needs. The dimension "2. Shareholder value creation" adds a further stage which treats OpRisk more like a real business. OpRisk management also deals with quality management, efficiency management and the concept of opportunity cost. Naturally, the line between control and shareholder value creation is difficult to draw. The important thing is the direction to be chosen.
MEASURING AND MODELLING OPERATIONAL RISK Operational risk management, in terms of modeling and measuring the risk, is not new to financial institutions: stability of information technology systems, client claims, acts of fraud, or internal controls failures have been closely monitored for years. However, these elements have historically been treated separately. More than one century ago, an Irish mathematician and physicist Lord Kelvin (1842-1907) made the following statement: Ã¢â‚¬Å¾I often say when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind. " He remarked this to science, which is by default more precise than trying to measure operational risk. We can argue about, whether it will ever be possible to accurately measure this type of risk. In accordance to operational risk, the word Ã¢â‚¬Å¾measurement" has also some similarities with the word Ã¢â‚¬Å¾assessment". But, we should distinguish these two words, in sense that risk measurement refers to the quantification of risk, whereas risk assessment represents a wider concept, hence refers to the interpretation of non-qualitative pieces of information. No matter how we call it, this process remains an important one for the purpose of developing the skills and expertise for its proper management. The accuracy of risk measurement methods crucially depends on the soundness of risk model and the availability of data. Proper risk modeling requires a thorough understanding of recurrent patterns that underlie the risk under consideration. The appropriateness of those risk models is inherently linked to data availability and thus the occurrence of events. Not only do incidents help better understanding the underlying risk structures but they also provide the ground for statistical testing of risk models. Furthermore, the accuracy of risk models depends on the measurability of outcomes and thus goes hand in hand with a sound definition and understanding of effects. Importance of risk modeling and measuring has definitely increased over the years due to changing environments of the insurance companies and banks. In order to remain stable and Ã¢â‚¬Å¾in shape", the companies need to adapt to this new surroundings which is more complex, demanding. Operational risk modeling is also needed to serve the company's management as a tool for bringing and making better business decisions and solutions on the wanted level of taking operational risk (risk appetite). Many operational risk experts agree on the fact that the only feasible way to properly manage operational risk is it successfully identify and minimize it, which on the other hand requires development of adequate quantification techniques.
3.1. Operational risk model taxonomy Creating an operational risk model is extremely important because it identifies company's exposures to that type of risk, especially the financial impact of these exposures. Firms over the time change their strategies, distribution channels and product offerings. Due to that, management of the firms should also be interested will be, which is another aspect of the issue that the model should deal with. Last, but not least, the model should provide information that enables the management to compare the situation with those of other firms. The first step in any model development is to define the model scope and motivation. Besides the obvious purpose of quantifying operational risk, it is important to determine if the need arises from internal requirements (e.g., earnings at risk or scenario analysis for risk appetite) or if model development is also driven by regulatory requirements (e.g., Solvency II internal model or standard formula approach). The basic scope definition is the first step to develop key information for a suitable model design, for example, the appropriate percentiles of measurement, the calculation frequency and eventual constraints in the choice between different approaches. Thorough operational risk model building requires both an overarching governance framework and a robust basis of components. Model inputs, calculations and outputs are embedded in a governance framework that defines all key elements for the sound development, use and maintenance of the model. Identifying the core principles that underlie the operational risk process is the fundamental in deciding on the optimal model to be used. In general, operational risk models are classified into Top-Down Models and Bottom-Up Models, both of which rely on historical data. Bottom-up models are based on an analysis of loss events in individual processes, whereas top-down models require the calculation of the capital charge at the firm level and subsequently allocating it to the business lines, often using a proxy such as expenses or a scorecard approach. Top-down models quantify operational risk without attempting to identify the events or causes of losses. That is, the losses are simply measured on a macro basis. The principal advantage of this approach is that little effort is required with collecting data and evaluating operational risk. Main types of Top-down models are: Multifactor models for pricing equity CAPM approach Income-based models Expense-based models Scenario analysis Risk indicator models Bottom-up models quantify operational risk on a micro level being based on identified internal events, and this information is then incorporated into the overall capital charge calculation. The advantage of bottom-up approaches over top-down approaches lies in their ability to explain the mechanism of how and why operational risk is formed within an institution. C:UsersFilipDesktopslika3.PNG Figure 3.1. An example of modeling methods of operational risk Main bottom-up models are:
Actuarial model Process model focuses mainly on individual processes that are undertaken to perform operational activities. It basically means that, process approach models can be also characterized as bottom-up models. All processes are divided into components and each component is examined in order to identify the operational risk associated with it. It includes these techniques: Causal Networks (performing scenario analysis and simulations using historical data), Statistical Quality Control and Reliability Analysis (similar to causal networks) and Connectivity Analysis (estimating potential losses using connectivity matrix). Factor model can be understood as an attempt to identify the major determinants of operational risk, on institution level or on lower levels such as individual business lines or processes. This type of approach encompasses these techniques: Risk Indicators (regression-based technique used to identify risk factors), CAPM-like Models (arbitrage pricing models used to relate the volatility of returns), Predictive Models (operational losses are identified using discriminate analysis and similar techniques). Actuarial model focuses on the loss distribution associated with operational risk. It covers the following techniques: The Empirical Loss Distributions Technique (plotting data on losses in a histogram), The Parameterized Explicit Distributions Approach (smoothing the distribution choosing an explicit distributional form, and The EVT-Extreme Value Theory (used to describe the distribution of extreme values in repetitive processes).
3.2. Measuring operational risk Because risk cannot be eliminated completely, risk measurement is the key to, and an essential prerequisite for, effective risk management. And it is not only about the amount of risk, but also where it resides, what contributes to it and the impact of mitigation strategies. All of these dimensions are important for companies that aspire for the implementation of effective risk management practices. And while there is nothing wrong in principle with using a capital buffer for any sort of risk, the resulting capital charge will only create unsound incentives if the calculation method is poor. Currently, efforts are directed at the improvement of the techniques used for operational risk measurement and consequently management. The accuracy of risk measurement methods crucially depends on the soundness of risk model and the availability of data. Proper risk modeling requires a thorough understanding of recurrent patterns that underlie the risk under consideration. The appropriateness of those risk models is inherently linked to data availability and thus the occurrence of events. Not only do incidents help to better understand the underlying risk structures, but they also provide the ground for statistical testing of risk models. Furthermore, the accuracy of risk models depends on the measurability of outcomes and thus goes hand in hand with a sound definition and understanding of effects. To ensure a credible outcome of the quantification, it is thus necessary to look at each element of OpRisk one by one, as each might require a specific quantification method. Measurement of operational risk involves looking at its four different aspects within an organisation:
its size, severity and intensity
its context dependency
its interaction The size describes the observed extent of a move. The frequency describes the number of times a move of a given size occurs within say a given time period or a given organisational unit. The context dependency describes whether the move size is different in different situations or not. This tells whether every operational risk event is unique in itself or shows regularities in occurrence as drivers do not alter. Context dependency is high for operational risk as its major drivers, people and organisation, are unique and change permanently. This is why the use of databases of industry operational risk events has limited relevance for the specific firm. Also, the higher the context dependency, the less the past will be a good indicator for the future. The interaction describes the interlinkages between moves. In the area of operational risk it is very important as several risk elements are highly interrelated. Operational risk encompasses events with very differing frequencies and possibly patterns of occurrence and severities. Very important step in determining the applicability of statistical analysis is to appropriately and qualitatively categorize potential incidents based on probability, frequency and severity of events, using experience and experts' opinion. In measuring operational risk, it is also important to be clear about the purpose it should serve. In other words, it needs to be compatible with the business needs of the company. It means that the quantification output should be geared for management demands and ensuring that measurement makes the most efficient use of existing resources and is relevant and credible. C:UsersFilipDesktopslike.PNG Figure 3.2. Operation risks segregated between the Probability of Event and Severity of Impact After the operational risk has been properly modeled and measured, it is also essential to calculate the adequate capital charge for it. In general, the capital charge is in most cases calculated from the total loss distribution by using the concept of VAR (Value at Risk). The use of the concept of VAR to measure operational risk capital requirements has been the target of some criticism. Most of the critics refer to stipulating that although VAR models have been developed for operational risk, questions remain about the interpretation of the results. Another problem is that VAR figures provide an indication of the amount of risk but not of its form (for example, legal as opposed to technology).
3.3. Problems in measuring and modeling There are a lot of difficulties that companies face during their actions to quantify and model operational risk. Since there are a number of models and techniques that can be used in performing these processes, it does not necessarily mean that all of them can suit every company's needs. Therefore, it is important to understand thoroughly firm's internal processes in order to adequately choose the best suited quantification model. Measuring risk has been always a challenge, especially in terms of operational risk. That does not mean we should put more effort in other type of risks and neglect it. While persisting to measure and model operational risk effectively, one should first distinguish these two terms. Modeling operational risk is essentially an exercise that is conducted with the objective of arriving at the best-fit distribution for potential operational losses over a given period of time (normally a year). Typically, the distribution of operational losses is obtained by combining the loss frequency and loss severity distributions. The measurement of operational risk amounts to arriving at a single figure that tells us how much the underlying firm is likely to lose with a certain probability, so that a correspondingly adequate amount of capital is held for the purpose of protecting the firm from insolvency. Measurement can be based on modeling and on ad hoc methods (without using modeling). The nature of operational risk is very different from other types of risks. In fact, operational risk losses share many characteristics with insurance claims, suggesting that most actuarial models can be a natural choice of the model for operational risk, and models that are well developed by the insurance industry can be almost exactly applied to operational risk for other industries. Most serious problems that company's encounter while attempting to model and measure their risk is:
Problems of definition and data availability
Cyclicality of risk and loss events
Problems of correlation Problems of definition and data availability refer to finding the right definition for operational risk. Experts argue that this problem derives from the fact that definition of operational risk is too elastic to be useful for developing a proper measurement model. Data availability is another big concern for the companies, in other words data unavailability. For proper development of operational risk management data quality and the amount of information is crucial. This is due to the lack of reliable internal operational loss data which impedes further progress in managing and measuring operational risk. Scarcity of available historical data, data-arrival process and loss severity process are also parts of the mentioned problem, Data Availability. Shortage of relevant data means that the models and conclusions drawn from the available limited samples would lack sufficient explanatory power. This, in turn, means that the estimates of the expected loss and VaR may be highly volatile and unreliable. In addition, complex statistical or econometric models cannot be tested on small samples. The problem becomes amplified when dealing with modeling extremely high operational losses. One cannot model tail events when only a few such data are present in the internal loss database. One of the solutions to the data availability problem is to augment internal data with external data on the operational losses incurred by other firms. One problem here is that external data must be scaled to fit the size and business mix of the underlying firm to make it suitable for the estimation of operational risk for that firm. Another problem here emerges because in scaling external data it is not clear if an increase in the scale of operations results in a proportional increase in operational risk, which leads to the issue of size and how to measure size. Cyclicality of risk and loss events is another problem in measuring and modeling operational risk. Using past risks data to measure future risk can be a problem if there are cyclical factors that impact operational risk measures. Historical data on operational risk gathered during an economic expansion may not be relevant for a period of recession. Loss events incorporate cyclical components that are correlated with systematic risk factors such as macroeconomic fluctuations and regulatory shifts. It is typical, however, to ignore cyclical factors and extend an unadjusted trend line into the future. Problems of correlation regard with assumptions that need to be made about the correlation of operational loss events. If the assumption of correlation across risk types and business lines is accepted, capital charges by risk type and business lines should be summed together, leading to a higher capital charge than in the standardized approach given by the regulatory directives. However, it is difficult to assess the level of correlation between different risk types and business units because of the lack of historical data.
OPERATIONAL RISK MANAGEMENT-ORM Risk management provides number of benefits for companies because it enables identification of all existing risks and their interdependencies. It enables also proactive identification of new risks that can occur in business activities and helps companies to be prepared for the catastrophic events. All this is a big benefit for firms because risk management ensures underwriting of risks that is based on knowledge and synchronized with previously determined risk tolerance. It is considered that the harmful consequences for financial industry following after the terrorist attack on 11. Of September would not be so significant if insurance companies had implemented aggregated risk management. The management of operational risk is not a new idea, neither is it an activity that firms have not indulged in. On the contrary, firms have always striven to manage the risk of fire through insurance and fire safety measures. Furthermore, they have always had specialists who managed other kinds of operational risk, such as the lawyers and other legal specialists who are involved in managing legal risk and the structural engineers who look after buildings and structures. This is typically done both proactively (for example, by providing advice to management prior to signing a contract and by maintaining buildings) and reactively (by providing legal representation in a court of law, representing the firm in out-of-court settlements of disputes, and doing repair work on damaged structures). There is definitely growing tendency to promote the perception of operational risk management as a discipline ranking alongside credit and market risk management and one that is necessary for an integrated risk management framework. This requires clear borders between operational risk, on the one hand, and credit risk and market risk on the other. One of the objectives of establishing the operational risk management function is to help the co-ordination of the application of specialist skills because co-ordination encourages greater communication and transparency. A question arises as to who is responsible for operational risk, and this question might be interpreted to mean two different things. The fi rst interpretation is that the question refers to the risk "owners", the risk takers who indulge in activities that lead to operational risk. The second interpretation is that it refers to who is responsible for managing operational risk, whether it is the risk owner or a more centralized corporate body. This is, therefore, a corporate governance issue. In the broadest sense, risk management should be integrated into the activities of the risk-takers in the firm. But for an independent risk management structure to operate, there has to be an oversight activity that works independently of the risk takers. C:UsersFilipDesktopCapture.PNG Figure 3.1. Stages of Operational Risk Management Development In the past, insurance companies have almost completely lean on internal control processes of their own business activities. Although these processes are still relevant, lately specific structures and models have emerged that put more emphasis on managing operational risk. Companies understand that having a clear strategy of managing risks they achieve better business performance and overall results. Operational risk management
4.1. ORM Framework Effective operational risk management is unthinkable without establishing a framework which serves as a guideline for adequate treatment of operational risk in companies. Implementing operational