Introduction

Understanding Operational Risk is intuitively fundamental to its effective management. But a review of the profession's literature, regulations and training reveals that whilst there are many thousands of words on the subject of integrated frameworks for managing Operational Risk, specific behaviours and quantification, there is a lack of an overarching theory that might explain and predict its behaviour. This observation was made very clearly in a paper written by Dr Patrick McConnell, which opens with the statement that "Unlike credit and market risk, operational risk is lacking in basic theory as to why, where and when operational risk losses occur" (McConnell, 2017).

The challenge is that Market and Credit Risk are respectively defined as risks of losses arising from external events, i.e. the movement of market prices or the failure of a customer/counterparty to meet its obligations, whilst Operational Risk is primarily defined as losses arising from internal causal factors. In his brief paper McConnell proposes that Operational Risk losses arise when formal information channels are corrupted, interrupted or disrupted and that the scale of any losses can be linked to the quantum of data involved. In this book, I adopt a different approach, as I have set out Ten Laws of Operational Risk that describe how inadequacies or failures; business profiles; human and institutional behaviours and biases; and internal and external causes combine to result in events. The nature of the impacts drives both the rapidity and the scale of any resulting losses. Whilst this is different from McConnell's approach, his paper was both my inspiration for this book, and also influenced my ideas.

Part One of the book begins by following Professor Richard Feynman's advice and observing that over the last two decades there are distinct patterns and trends in the behaviour of Operational Risk loss data, systematically collected by either the Basel Committee1 or the Operational Riskdata eXchange Association (ORX).2 For example, whilst the vast majority of Operational Risk loss events have relatively low impacts, a very small number of loss events, primarily Conduct Risks, have disproportionately high impacts.3 Additionally, whilst some categories of Operational Risk remain quite stable, others show persistent trends over time. Finally, the risk profiles of firms vary by business line and also by bank. All of these observations suggest that Operational Risk is far from random, and hence, Chapters 2 to 4 describe Ten Laws that explain these various behaviours.

The first five laws are described in Chapter 2 and relate to the occurrence, detection and the financial significance of individual loss events. Specifically, they identify the nature of the inadequacies or failures that constitute Operational Risk events: the business profiles of firms, and the underlying internal and external causes, and assess their varying relevance to different categories of Operational Risk. Business profile is systematically defined in terms of a firm's strategy (both past and present), culture and infrastructure, including governance; processes; people and systems, and its external relationships with authorities, e.g. regulators; its sources of capital, funding and revenues; third (and fourth) party service providers; and society (this is set out in the diagram below).

The first five laws also cover the nature of control failures; the rapidity (velocity) with which different categories of impacts accrete; the duration of events; and the lags between the detection of events and their subsequent crystallisation into losses.

The final five laws describe the interactions between Operational Risk and other factors. Chapter 3 covers the concentration of losses in firms driven by either internal or external causes (6th and 7th Laws respectively), and the occurrence of Systemic Operational Risk Events (SOREs).4 It identifies that internal causes primarily drive the occurrence of Operational Risk events, whilst the most important external cause, economic change, increases the occurrence and detection of Operational Risk events, and also their velocity, duration and lags. The ubiquitous role of causes in many of these laws is reflected in a revised version of the profession's butterfly diagram, which is included later in this Introduction.

FIGURE I.1 The business profile of a firm (Grimwade, 2020)

Chapter 4 explores the extent to which Operational Risk losses reflect the dynamic interaction between firms and their risk profiles (8th Law: Risk Homeostasis). Firms will naturally respond to losses outside of their appetite, by enhancing controls.5 As a consequence, the 8th Law implies that past losses may not always be a good guide to the future loss experiences of a firm. Additionally, as firms also respond to anticipated risks, then Chapter 4 provides an overview of the various behavioural biases that may influence humans in assessing remote risks. The 9th Law deals with the ability of firms to transfer risks to other entities. It describes how Market and Credit Risks can be transformed into Operational Risk, through the "granting" of Real Options, and that the absolute quantum of risk is conserved through this process. This chapter also notes the ability of firms to transfer actively Operational Risk through insurance, which is explored further in Chapter 12. Finally, the 10th Law explains how firms can proactively take Operational Risk by selling products and providing services, in return for fee income. It demonstrates that this source of revenue generates disproportionate Operational Risks.

Not all of these laws are original observations, and I have referenced the originators of ideas such as, Systemic Operational Risk Events, SOREs (McConnell, 2015); risk velocity (Chaparro, 2013); Risk Homeostasis (Wilde, 1998); and the Swiss Cheese Model (Reason, 1990).

Each of these laws is briefly defined in both words and a simple formula. These formulae take inspiration from an early proposed approach by the Basel Committee (September 2001) for quantifying Operational Risk:

TABLE I.1 The coverage of the Ten Laws of Operational Risk and their units

This formula assumes a defined relationship between expected losses and the tail of the loss distribution,6 i.e. a factor ?i,j would have translated an estimate of expected losses for a Basel business line i and a Basel event type j into a capital charge.7

Whilst some of the formulae set out in this book are designed to illustrate the various interrelationships between different factors,8 i.e. they are functions of these factors, others can actually be either calculated or measured. Each of these formulae are illustrated through the use of empirical data, primarily based upon an analysis of 443 large Operational Risk losses (defined as losses that are =$0.1 billion) suffered by 31 current and former Global Systemically Important Banks (G-SIBs) between 1989 and 2020. This data is sourced from the IBM FIRST Risk Case Studies of loss events that are in the public domain. IBM retains copyright to the materials in this database.

Chapter 5 focuses upon three taxonomies that underpin these Ten Laws, i.e. inadequacies or failures; impacts and causes. The taxonomy for inadequacies or failures describes the natures of both events and also control failures. The causal taxonomy is based upon a review of the causes explicitly (rather than implicitly) described in a number of very well-documented events. The correlations between these different causal factors are calculated, with the strongest correlations relating to strategy; culture; governance; people; and processes. These taxonomies are used in subsequent chapters to support the estimation of remote events (Chapter 9); to identify both sensitivities to the impacts of economic change (Chapter 11) and predictive metrics (Chapter 13); and to explain the coverage of insurance policies (Chapter 12).

Part Two of the book concludes (Chapter 6) by analysing how well these Ten Laws actually explain the behaviours described in Chapter 1. It also assesses the existence of order within the laws, for example, a review of the formulae reveals, unexpectedly, that they imply that there are units attributable to different categories of controls, i.e. preventive, detective and corrective/resilience controls, respectively, have units of: events, time and...