Objectivity in operational risk taking
As the operational risk management discipline has evolved, most noticeably since the onset of the 2007/08 Global Financial Crisis, a persistent challenge that has plagued many operational risk management programmes is setting objective and measurable operational risk appetite to guide operational risk-taking. For this reason, when the UK’s Financial Conduct Authority (the “FCA”) and Prudential Regulation Authority (the “PRA”) issued a joint discussion paper on operational resilience in 2017, a new tool to guide operational risk-taking became apparent, in the context of impact tolerances. Final regulatory policy came into force in March 2021.
The relationship between risk appetite and impact tolerances was not immediately visible to business leaders and risk professionals. After all, risk appetite defines the amount of risk a firm is willing to take in pursuit of strategic objectives, whereas impact tolerances define the maximum level of tolerable harm (whether to a customer, client, the firm, or the wider market). In this regard, whilst each tool serves a distinct objective, the two are inextricably linked given the relationship between risk likelihood and impact.
The FCA defines impact tolerances as “…the maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics, reflecting the point at which any further disruption to the important business service could cause intolerable harm to any one or more of the firm’s clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.”
For more explanation of regulatory policy or definitions, please see the FCA’s website. Impact tolerances, put simply, articulate an acceptable level of risk around adverse customer, client, firm, or market outcomes when, not if, a disruptive event occurs. This underlines the premise of risk appetite and impact tolerances being intricately linked as they both express an attitude towards risk taking.
Risk appetite versus impact tolerances: the operational differences
Whilst risk appetite and impact tolerances are inherently linked, there are some fundamental differences to be considered when setting, monitoring, or governing operational risk appetite and implementing resilience strategies to contain the impact of materialised risks within impact tolerances for important business services.
- Risk appetite often refers to an aggregate amount of risk taken in pursuit of strategic objectives. In this regard, measures of operational risk appetite will not likely be specific to an individual product or service. This underlines the importance of process-level approaches to measuring operational risk, which improve the identification and measurement of operational risks and provide the basis for understanding the impact of risks on the functioning of processes critical to one or more products or services.
- Risk appetite measurements often consider the likelihood and impact of risks materialising whereas impact tolerances assume a 100% probability of a risk materialising. Said another way, impact tolerances eliminate the concept of operational tail risks (high impact, low frequency risks), requiring business products and services to be designed to mitigate intolerable harm when, not if, a tail risk materialises (often referred to as severe but plausible risk scenarios).
- The materialisation of a risk, occasionally referred to as a risk event or disruption, could impact multiple products and important business services. This requires an understanding of the aggregate impact on clients, customers, the firm and wider market stability as a consequence of the risk event or disruption. For example, in the case of the Lloyds TSB system migration failure in 2018, some customers suffered multiple impacts leading to severe levels of vulnerability, such as the loss of access to current accounts, non-payment of direct debits and the inability to purchase goods or services in store. This aggregated level of harm was much more severe than that experienced by customers who, for example, might have suffered isolated disruption, such as the inability to process mortgage applications, yet might have banked elsewhere. Importantly, however, the disruption to both groups of customers was caused by the materialisation of the same risk, with varying levels of impact.
- A risk with severe impact but a low likelihood of occurrence could be within risk appetite, but the materialisation of the risk could result in the firm operating outside one or more impact tolerances.
- A lower impact tolerance will reflect a lower appetite for risk and therefore influence the cost-of-risk and the type and balance of controls required to mitigate harm to customers, clients, the firm, and the wider market.
Integrating risk appetite and impact tolerance measurements
Establishing the connection between risk-taking and mitigating the impact of risks when, not if, they materialise requires a multi-pronged approach. Some firms are in the process of setting impact tolerances for important business services to meet the immediate regulatory deadline of the 31st of March 2022 but have not yet established the link between impact tolerances and the firm’s risk appetite framework. The suggestions below aim to guide the continued integration of operational risk appetite and impact tolerances as firms embed impact tolerances into the design and running of important business services / business operations.
The following items are recommended for incorporation into multi-generation risk management programme plans, promoting continuous evolution in the pursuit of maximising the commercial value of the risk appetite and impact tolerance toolsets.
- Align the setting of operational risk appetite and impact tolerances to consistent impact measures. This approach will help translate operational risk appetite measures from often subjective measures to objective measures, and expose potential disparities in operational risk-taking against the understanding of intolerable harm when, not if, the risk materialises. This does not imply a firm should not take risk but will help identify the cost of risk-taking (or the cost-of-resilience) and help guide the determination of key controls required to mitigate intolerable harm as risks materialise.
- Embed operational risk assessment, measurement, and monitoring tools across key business processes (e.g., risk and control self-assessments, loss event analysis, root cause analysis, etc.). Operational resilience relies on an understanding of the inherent and residual risks in the quality and performance of the business processes linked to the delivery of business products and services. Applying operational risk management tools to business processes will aid the firm’s ability to identify and prioritise risk management resources and investments, whilst providing a mechanism by which to compare the firm’s aggregate operational risk profile against the firm’s risk appetite, risk tolerance and risk capacity thresholds.
- Expand the use of risk appetite tools to specify exceptions where risk-taking is not accepted, whether in whole or in part. This will provide executive management and risk-owners within the first line of defence with a clearer articulation of the intentions behind operational risk-taking in pursuit of strategic objectives, whilst reducing the potential exposure of customers, clients, the firm, or the wider market to intolerable harm in the absence of suitable mitigating controls or other resilience strategies.
- Enhance the process of root cause analysis to evaluate whether the root and problem causes of operational losses or disruptions had been identified as operational risks in the processes found to have failed. This will provide a basis on which to assess the effectiveness and adequacy of controls, such as the balanced adoption of preventative, detective, corrective, and mitigating controls, relative to the stated impact tolerance(s) and the actual level of harm caused (as identified through the root cause analysis process).
- Identify interdependencies between risks within the firm’s risk taxonomy, where the materialisation of a risk could lead to operational loss or the disruption of one or more business services. This will require, amongst other techniques, the assessment of risks against strategic objectives, initiatives, and investments to fully understand how planned business change could influence the firm’s operational risk profile, thereby affecting the resilience of important business services (within stated impact tolerances). Common examples of strategic changes altering a firm’s operational risk profile include system re-platforming, adoption of advanced technologies (e.g., process automation or automated decisioning using artificial intelligence), material outsourcing, divestitures, global growth, etc.
In closing …
Board and executive management members have struggled to translate operational risk appetite into actionable measures that provide a reliable basis on which to set, monitor and govern operational risk-taking. The adoption of impact tolerances introduces a new tool to guide the setting of risk appetite, based on an understanding of intolerable harm to customers, clients, the firm, and/or the wider market.
The introduction of impact tolerances is not intended to replace risk appetite, but the intricate linkage between the two tools cannot be ignored. If applied appropriately, integrating the setting and measurement of risk appetite and impact tolerances will enhance the understanding of how, when and where firms accept operational risk-taking in pursuit of strategic objectives, whilst also improving the resilience of important products and services to protect the interests of your customers, clients, firm, and wider market stability.
I believe Op Res is the opportunity to make Op Risk relevant to the business and to be useful. Frankly it is what has been sorely needed to move the topic out of the ‘dull but necessary’ corner of governance towards the ‘key topic’ area.