I welcome you to the Risk and Compliance blog! For starters, I intend this first post to introduce operational risk and its share in the crisis, all alike, by just defining it.
During the thick of the crisis, while my team and I were working with the clientele to tidy up their risk management infrastructure, I could only, but wonder at how credit and liquidity risks had subsumed the others, and gained prominence. I often compare this to RCI (Root Cause Identification) analysis - simple, look beyond the obvious to find the true reason - much like the five why's. Penetrating this shroud, reveals the true cause - Operational risk - of which the RCI itself is a key tenet!
The usage of complex instruments / strategies, which was behind much of the crisis, had 2 key impact elements - their risks weren't clearly analysed or captured (for instance CDO and CDS were sliced into and treated as ordinary bonds with a set duration and interest rate) and their systemic impact was never clearly understood.
Be it slicing down a complex securitization, feeding oversimplified data/overly optimistic assumptions or building risk models using an unusually longer term trend, all these made sure that the alarms didn't sound early enough - the banks had their reason - they wanted to keep the limits imposed on the trading desk stable by maintaining a constant capital.
Before moving any further, let's quote the definition of Oprisk; again - "...risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events"
In effect, the whole scheme of things point to the failure in managing the acts of employees (the management included), botched internal control processes and system checks.
Also, new products carry more risk. Period. Hence, the models should have imposed a penalty on assets that are complex, difficult to understand or rarely traded, which wasn't to be.
"Sound Practices for the Management and Supervision of Operational Risk" published in February 2003 clearly outlines a fundamental principle: "Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures" - Voila!, these new financial products should have been evaluated for their inherent risks and subjected to proper assessment and monitoring.
Further principles 1, 2 and 3 outline the responsibilities of the management and board, while principles 8 and 9 chalk out the role of supervisory oversight - all these work together to rule out any weak links in the 'subjective' Oprisk chain - turned out to be a failure as systemic as risk of these new instruments.
Operational risk needs to be viewed as a 'horizontal', pervasive across all transactions and unless this attitude seeps through the organisational culture, such events are bound to continue...