Operational Risk

Last Updated 4/17/17

Operational risk has played a role in many of the banking industry scandals taking place over the past two decades. As the financial system has become more interconnected and complex than ever before, the challenge of understanding and mitigating operational risks has increased. Improvements in operational risk management (ORM) have taken on greater focus and visibility within the financial services industry and in many other industries. In recent years, the NAIC, through its Solvency Modernization Initiative (SMI), has been exploring ways to increase the regulatory focus on operational risk. In addition, as a result of the Solvency II regulations, many large European insurance companies have begun to establish formal ORM programs.

Overview: The International Association of Insurance Supervisors (IAIS) defines “operational risk” as the risk of adverse change in the value of capital resources resulting from operational events such as inadequacy or failure of internal systems, personnel, procedures or controls, as well as external events. It refers to risks that result from shortfalls or inadequacies in the management of otherwise quantifiable risk, and from unforeseen external events that can impact an insurer. Operational risk potentially exists in all business activities; it encompasses a wide range of events and actions or inactions, such as fraud, human error, accounting errors, legal actions and system failures. Many of these problems arise during the course of conducting day-to-day business operations and are typically managed with little or no incident.

Operational risk became recognized as a major risk class in the mid-1990s following a number of large-scale insolvencies in the banking industry that were caused or exacerbated by events outside of market and credit risk (e.g., Orange County, 1994; Barings Bank, 1995; and Daiwa Bank, 1995, among others) and that undermined confidence in the banking system. In these cases, significant losses were incurred due to operational risk failures. In response, the Basel Committee on Banking Supervision (BCBS) released a proposal in June 1999 to replace the 1988 Basel Capital Accord (Basel I), which applied to all banks in the U.S., with a new risk-sensitive framework. The initial consultative proposal introduced an operational risk category and corresponding capital requirements.

As operational risk has become recognized as a distinct risk category, the value of effectively managing operational risk has increased considerably of late. However, operational risk is difficult to identify and assess because its causes are extremely heterogeneous, which makes developing statistical models for operational risk challenging. A sound operational risk model extends well beyond the confines of a formula-based quantification. It encompasses a company’s business activities and is an integral part of an efficient enterprise risk-management framework. An insurer’s underlying operational risk profile should be thoroughly reviewed across its range of business activities in order to identify and estimate the model input requirements. The principal challenge is to combine two essential sources of information: empirical loss data and expert judgment.

Many companies have been leveraging the experience of the banking industry, which has been focused on operational risk for more than a decade. However, historical data on the frequency and severity of losses are often not available. Thus, uniform historical data upon which operational risk capital charges could be built are lacking. Organizations such as the Operational Risk Consortium (ORIC) have begun to collect data from participating financial institutions to develop operational risk loss data consortiums. ORIC was founded in 2005 to advance operational risk management and measurement. It facilitates the anonymized and confidential exchange of operational risk data between member firms, providing a diverse, high-quality pool of quantitative and qualitative information on relevant operational risk exposures.

Status: State insurance regulators, working together through the NAIC, have been looking at whether and how best to incorporate internal and external aspects of operational risk more explicitly into the risk-based capital (RBC) formulas. In 2013, the Capital Adequacy (E) Task Force turned its attention to operational risk. The Task Force’s Operational Risk (E) Subgroup has been charged as follows: “Evaluate options for developing an operational risk charge in each of the RBC formulas and provide a recommendation to the Capital Adequacy (E) Task Force as to treatment of operational risk in the RBC formulas.”

Recent NAIC initiatives have also resulted in the adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (#505), as well as corporate governance standards, as qualitative means for considering internal operational risk and some aspects of external risk via a group-wide assessment. An Own Risk and Solvency Assessment (ORSA) will require insurers to self-assess reasonably foreseeable and relevant material risks (e.g., underwriting, credit, market, operational and liquidity risks) that could have an impact on an insurer’s ability to meet its policyholder obligations.