The Best Tool for Operational Risk Management

If you want to learn from the operational risk mistakes of others and prevent incidents that could severely impact your firm's reputation and bottom line, then case studies are your best bet. An effective operational risk case study asks the right questions, details the consequences of the incident and offers suggestions for what could have been done to avert it.

When we think of operational risk, fraud and information technology failures are likely among the first things that come to mind. But simple human errors are also part of the equation. Last year's “Fat Finger” incident at Samsung Securities offers an excellent example of what a case study can teach us about human errors, poor oversight and system deficiencies.

On April 6, 2018, Samsung Securities, one of the largest brokerages in South Korea, accidentally issued $105 billion worth of shares to its employees. Under the company's stock ownership plan, it was supposed to pay dividends worth 2.8 billion won ($2.6 million) to about 2,000 employees. But a Samsung Securities employee mistakenly entered “shares” instead of “won” (South Korea's currency) into the computer system, resulting in the issuance of 2.8 billion shares - more than 30 times the company's number of outstanding shares.

Although Samsung Securities discovered the incident 37 minutes after it occurred and notified the employees affected that the shares had been erroneously granted, some of them sold the stock, despite warnings from the company.

What went wrong at Samsung Securities? Plenty. Let's examine a case study model to break down the incident, its consequences and the lessons learned.

The Bow-Tie Model

Good case studies can either be outsourced or written internally, based on public resources. One of the most popular and effective approaches to operational risk case studies is the bow-tie model, which (1) explains the underlying causes, motives, opportunities and means that are at the basis of the incident; (2) thoroughly describes the incident itself; and (3) breaks down the consequences, including direct and indirect loss amounts.

The bow-tie model can certainly help us understand what happened at Samsung Securities, and can also yield ideas on preventing similar incidents from unfolding in the future. The "fat finger" incident happened in just a fraction of a second - an errant keystroke resulting in the issuance of an extremely costly and grossly erroneous dividend. The underlying causes include poor supervision, ineffective internal controls and inadequate regulatory monitoring.

The model also yields a series of probing questions about the incident: Why was one person allowed to initiate and authorize this transaction? Why did there appear to be no segregation of duties? Why didn't the IT system block the issuance and distribution of an extraordinary number of shares? And why wasn't the naked short-selling immediately prevented?

The consequences of this blunder were manifold. Analysts criticized the firm for having neither a filtering system for preventing human errors nor a warning system that could have stopped the issuance of more shares than actually existed.

The Financial Supervisory Service, South Korea's financial watchdog, found that 21 employees of Samsung Securities had either sold or attempted to sell the mistakenly-issued shares. All 21 lost their jobs, and several are facing criminal charges.

The National Pension Service, South Korea's biggest pension fund, stopped using Samsung Securities to trade stock almost immediately after the incident. Roughly seven weeks later, South Korean prosecutors raided the broker's head office, which precipitated the partial suspension of its brokerage services and the resignation of its CEO.

Unique Challenges

Operational risk is different from - and I think more difficult to manage than - credit risk and market risk. One reason is that it can arise anywhere in the organization - from commercial units, to brick-and-mortar bank shops, to support functions and IT systems.

Its impact, moreover, is difficult to quantify. Keep in mind that the advanced modeling approach to measuring operational risk has been eliminated, while the new benchmark - the standardized measurement approach - has drawbacks of its own.

While banks use databases to collect and store data on operational risk incidents, it is difficult, in practice, to extrapolate from these past occurrences - particularly with respect to quantifying losses.

Indeed, a bank's own incident database provides only a very limited view of its current operational risk exposure. The incident data that is collected is typically the result of a stochastic process, and therefore not necessarily commensurate with a firm's operational risk exposure to specific event types.

The operational risk case study is the go-to methodology for overcoming this randomness bias. It expands the experience from learning from one's own errors to learning from errors made by others. While reading detailed accounts of incidents that happened elsewhere, operational risk managers may very well ask themselves questions that will help them avoid similar mistakes: Could this happen at our firm? If it does, what would I do? And what specific steps can our organization take to prevent this from happening?

Parting Thoughts

Case studies are among the biggest assets in the operational risk manager's toolkit. When we analyze the case study of the Samsung Securities “fat finger” incident, important questions are triggered. Why, for example, weren't checks and balances in place to prevent this stock pay-out from happening? Why wasn't the employee alerted that a payout of 1,000 shares per share is extraordinary? And why didn't IT controls prevent the illegal naked short-selling?

A more fundamental question relates to the irresponsible behavior of the 21 employees who attempted, illegally, to benefit from the “fat finger” blunder.

How would your employees behave under a similar scenario? Case studies provide the answers every firm needs to avoid being the next poster child for operational risk disaster.

Marco Folpmers (FRM) is a professor of financial risk management at Tilburg University. He is also a managing director at Accenture Finance and Risk.