Where Next with Operational Risk?

Observation and measurement issues pose continuing challenges

Friday, October 16, 2020

By Peter Hughes


Despite 20 years of endeavor, it's thumbs down for banks' approach to operational risk management (ORM). The Basel Committee on Banking Supervision has abandoned the banks' flagship advanced measurement approach (AMA), and C-suite executives wonder what possible business value can be derived from subjective, non-aggregatable color-coded risk-and-control self-assessments.

As a researcher, I spend a good deal of time reading academic papers. One recently came into my hands written by an eminent group of academics and practitioners on the topic of systemic risk and financial stability. It included this comment: “A risk is inherently unobservable - only outcomes are observable.”

This statement, presented as fact rather than conjecture, should give us cause for concern. Why? Because its apparent acceptance as a truism could be due to the failure of risk managers and accountants to provide boards, management, investors, regulators and other stakeholders with a means of effectively monitoring and managing accumulating operational risks. After all, if you can't observe something, you have no means by which to manage it.

A Brief Redux on Observation

What is observation? There are two components: qualitative and quantitative. The qualitative is concerned with the presence or absence of expected properties in an object; the quantitative involves the assignment of values to an object's expected properties through counting or measuring.

Observing accumulating operational risks in financial institutions is admittedly tricky because of the juxtaposition, in timing and valuation, between the creation of an exposure and the realization of a related loss in accounting records.

The time lag between the two events can be long, possibly years or even decades, while the identification of an exposure is typically reported through an assessment metric based on three colors - red, amber, green, or “RAG“ - with any associated losses being valued and accounted for in financial terms.

Influences on Exposures

All exposures to risk are subject to both financial and non-financial influences. For example, a multitude of internal processes and activities combine to create a loan, whereas credit losses are valued exclusively in financial terms.

Simply stated, if internal lending processes and activities are failing (an operational risk), then the probability of credit losses (a financial risk) increases. This same loss dynamic is true of all financial risk types.

Peter Hughes headshot
“The absence of valuation and accounting for operational risks has consequences,” Peter Hughes writes.

Declaring a risk to be “inherently unobservable” is possibly due to the non-financial component of accumulating risk exposures being generally viewed as unquantifiable. Consequently, firms have almost universally defaulted to color-coded risk-and-control self-assessments, leaving accountants unable to account for them.

To state the obvious, business lines' P&Ls cannot be charged with the cost of the operational risk capital they consume if the only information on current consumption is subjectively derived, non-aggregatable color-coded risks.

Valuation and Climate Change

The absence of valuation and accounting for operational risks has consequences. For example, in the ongoing debate on climate change and environmental risk, the former U.S. Secretary of the Treasury, Henry Paulson, has commented, “The problem is that people assume that natural capital is a free good, and if you don't put a value on it, they will value it as zero.”

That statement says a lot about what is wrong with risk management and accounting today.

First, business leaders and stakeholders need aggregation-enabled numbers to manage risk. Color-coding is not an acceptable substitute. Second, the extent to which risk-taking exposes capital, whether natural or financial, needs to be valued and accounted for in the form of expected loss provisions to ensure business accountability.

Finally, the fallacy of the advanced measurement approach is exposed. Deducing current exposure to risk through modelling the historic damage and destruction already inflicted on natural and financial capital adds little or nothing to the management of accumulating risks. Indeed, in 2016 the Basel Committee announced the withdrawal of the AMA as an accepted method of calculating regulatory capital.

The Challenge

Paulson points out that where there is non-valuation, people will assume the default value is zero. This is so true. If operational risk is unvalued and unreported in official accounting records, it's tantamount to a free pass for less-principled businesses to play fast and loose with customers, investors, the environment and public health and safety.

There can be no greater or more urgent challenge for risk managers and accountants than to find a real- or near-real-time method of valuing accumulating exposures to operational risk. The preservation of natural and financial capital could depend on it. The first step is recognizing there is a problem; the second is believing it can be solved.

Peter Hughes ( is chairman of the Risk Accounting Standards Board at SERRAQ. He is also a visiting fellow and advisory board member of the Durham University Business School's Centre for Banking, Institutions and Development (CBID), where he leads research into risk-based accounting. He was formerly a banker with JPMorgan Chase.


BylawsCode of ConductPrivacy NoticeTerms of Use © 2024 Global Association of Risk Professionals