Schweitzer Fachinformationen
A hands-on and tech-aware exploration of operational risk management
In Integrated Operational Risk Management: Tools, Techniques and Meeting Regulatory Expectations, distinguished risk and compliance practitioners Jimi Hinchliffe and Andrew Sheen deliver a practical discussion of operational risk management (ORM) with a pronounced focus on operational resilience and regulatory context, history, and expectations. The book offers a comprehensive explanation of how to create a holistic framework for ORM that breaks down the silos in non-financial risk management, improves efficiency, avoids duplication, and adds value to the business.
The authors examine ORM's place within enterprise risk management and describe the origins and evolution of ORM as a discipline. They consider the roles of the BCBS, UK FSA and the Institute of Operational Risk. You'll also find:
Perfect for risk and compliance professionals at financial and non-financial firms, Integrated Operational Risk Management is a must-read resource for everyone interested in a forward-looking and contemporary examination of best practices in ORM.
DR JIMI HINCHLIFFE has over 25 years' experience in operational risk and regulation, including almost a decade at the UK regulator as an operational risk policy SME, Basel 2 Technical Specialist, manager of the Basel 2 Implementation team, and a supervisor of Japanese and American GSIFIs. He then joined GSIFI MUFG as a Director and then Executive Director in the regional compliance division and Global Regulatory Affairs Office. Since 2016, he has been a consultant specialising in operational risk, resilience and regulatory affairs. Jimi is a former Chairman of the IOR in England and Wales and is a regular speaker at operational risk and regulation events.
ANDREW SHEEN spent eight years at the UK regulator, firstly in the UK Financial Services Authority and subsequently at the Prudential Regulation Authority, a role which involved assessing Operational Risk frameworks in a wide variety of financial institutions. Andrew also represented the UK on the Basel Committee for Banking Supervision's Operational Risk Working Group and the European Banking Authority's Operational Risk Working Group. Andrew is a regular speaker and panellist at Operational Risk conferences globally and provides consulting and training to financial institutions.
About the Authors ix
Preface xi
Chapter 1 Introduction 1
Part One Background and Regulatory Context 5
Chapter 2 Enterprise Risk Management 7
Chapter 3 The Origins and Evolution of ORM 17
Chapter 4 Regulatory Approaches and Expectations 33
Part Two Operational Risk Management Tools and Frameworks 41
Chapter 5 Operational Risk Management - Building Blocks 43
Chapter 6 Risk Identification and Assessment - RCSA and Other Tools 61
Chapter 7 Controls 85
Part Three Antifragility, Resilience and When Things Go Wrong 93
Chapter 8 Operational Resilience - The Outcome of Effective ORM 95
Chapter 9 Risk Incidents 121
Chapter 10 Third-Party Risk Management - The Elephant in the Room 131
Part Four Monitoring, Reporting and Taking Action 149
Chapter 11 Monitoring Risks and Controls - The Holy Grail of ORM 151
Chapter 12 Mitigating and Managing Operational Risks 161
Chapter 13 Reporting Risks 169
Part Five Hot Topics and the Future 181
Chapter 14 The Art of Regulatory Relations 183
Chapter 15 The Rise and Fall of AMA and the Modelling Controversy 199
Chapter 16 Selecting and Using a GRC 207
Chapter 17 GenAI - Uses and Risks 215
Chapter 18 ESG 225
Chapter 19 The Future Challenges and Opportunities 239
Notes 245
Index 255
A ship is safe in harbor, but that's not what ships are built for.
-John A. Shedd
Over the following 19 chapters, we will explore a topic that has become, over the last 25 years, a topic of growing importance. From a risk type that, as we shall see in Chapter 1, didn't even have a name, Operational Risk Management (ORM) has burgeoned into a topic at least on parity with the more traditional risk types of credit and market risk. The number of articles and books written, the large community of ORM professionals, the fervent interest in ORM conferences (such as Risk.net's 'Op Risk Europe' and 'Op Risk America' and CefPro's 'New Generational Operational Risk' events) and the attention given to it by regulators - both national and supranational - are testament to the importance of this once-maligned subject.
Two decades ago, the Basel Committee on Banking Supervision's (BCBS) Basel 2 introduced operational risk into the capital regime for internationally active banks (which in the EU was then also applied to domestic banks and investment firms). A series of high-profile scandals, most notably the collapse of Barings Bank due to the rogue trading of Nick Leeson, alerted regulators to the importance of the risks arising from people, processes, systems and external events. Unlike credit and market risks - which had previously been the primary focus of regulators and risk managers - operational risk had the potential to be catastrophic - as in the case of Barings. Basel 2 not only required firms to assign capital for operational risk but also crucially introduced 'sound practices' for its management.
In the years that followed, firms busily created operational risk functions, introduced new tools, including Risk Control Self-Assessment (RCSA) and scenario analysis, started collecting operational risk loss data and using external loss data (including from external loss databases including the old British Banking Association's (BBA's) 'GOLD' and ORX) and created new operational risk governance committees to provide governance and oversight. The most ambitious firms (and those mandated by their regulators such as in the USA) pursued the Holy Grail of ORM, 'The Advanced Measurement Approach' (AMA), which was the most sophisticated of the three options available under the Basel 2 regime and required not only highly sophisticated capital modelling but also advanced management of operational risk.
By the late 2000s, most regulated firms in the UK employed operational risk managers and had established operational risk frameworks. This contrasted with the early 2000s: at that time, when the UK Financial Services Authority (UK FSA) wanted to engage with the industry on the nascent Basel 2 and CRD regime, it had to engage with staff from compliance, finance and regulatory reporting functions within firms - operational risk functions simply didn't exist!
Many predicted that the controversial decision by the Basel Committee to kill off the AMA in 2015, a signal to many practitioners of the diminished status of operational risk, might be a final nail in the coffin for ORM as a distinct function altogether! Especially so, given the trend post-GFC of fragmentation, whereby firms created new functions (often with separate risk frameworks) to consider hot topics like cyber conduct, vendor management, market conduct, fraud, financial crime and so forth. ORM as a distinct function or even as an umbrella seemed to be redundant!
To paraphrase the great Mark Twain, the report of operational risk's death was grossly exaggerated!
Lyndon Nelson, formerly a senior regulator at UK FSA and then PRA, in an excellent speech in June 2018 on operational resilience at OpRisk Europe ('Resilience and continuity in an interconnected and changing world', 13 June 2018), recounted how he had addressed a group of new operational risk managers and he had explained that they would be 'pioneers'. Lyndon explained that operational resilience will establish itself on par with financial resilience and be a key part of the firm's risk profile. As regulators have made clear, operational resilience is an outcome and it is delivered through the management of operational risk.
So readers may well ask, 'Why another book on Operational Risk Management?' After all, there is a plethora of excellent practitioner books out there. Our riposte is that there are compelling reasons why we believe our book is worthwhile.
First, as highlighted above, operational risk as a discipline is growing in importance and profile, not least because of the regulatory focus on operational resilience as the outcome of effective operational risk management. By focusing on resilience outcomes rather than on the process of managing ORM, regulators have reignited interest in ORM and the tools of ORM. As such, it is timely to re-examine the tools of ORM in light of the outcomes now expected by boards and regulators.
Second, the inexorable progress of technology, including greater automation of processes, the use of GenAI, LLMs and NLP, and the application of innovative new technology to the management of risk, adds a new dimension to the operational risk landscape, both in terms of the nature of risk and how it is managed. Cyber risk is a perennial feature in the annual 'Top Ten Risks' surveys carried out by various organisations, including Risk.net, which survey ORM professionals to get a sense of the risks keeping risk professionals awake at night, and digital resilience is a top focus of regulators.
Third, the inexorable rise in outsourcing by firms and the consequent focus by regulators on managing third and nth party risk make non-financial risk management ever more important. The regulatory focus on operational resilience and managing vulnerabilities arising from third parties and sub-outsourcing has again elevated the importance of this dimension to non-financial risk management.
Finally, there are some excellent books by practitioners, most notably the books by Ariane Chapelle, Elena Pykhova, Michael Grimwade, Cathy Hampson, Tony Blundon and John Thirlwell, but none of these excellent books brings out the critical importance of operational resilience and none is written with a specific focus on the regulatory context, history and expectations. One of the key concerns and expectations of regulators, and a key theme of our book, is the need for an integrated approach to ORM that seeks to break down the silos in non-financial risk management (i.e. between the different types of operational risk), avoid duplication, improve efficiency and add value. We will also argue that ORM should have a legitimate role in seeking to address silos in the overall Enterprise Risk Management (ERM) framework, given that these silos are a potential source of operational risk.
In the 19 chapters that follow, we will explain ORM's place within the broader ERM universe (Chapter 2) and explore the origins and evolution of ORM as a discipline (Chapter 3), including the roles of the BCBS, UK FSA and the Institute of Operational Risk (IOR). In Chapter 4, we will delve into the different approaches taken by regulators to operational risk management, including in the UK, the USA, the EU and Asia.
In Chapters 5-7, we will explore ORM Tools and Frameworks, setting out best practices on the building blocks (including governance, risk appetite and taxonomy), risk identification and assessment (including best practices for RCSA and scenario testing) and how to assess and manage controls, including how to achieve the optimum balance of control.
In Chapter 8, we will discuss operational resilience, including its origins and evolution, the relationships to Business Continuity Management (BCM) and ORM, the BCBS principles and national approaches. We will also consider the EU's Digital Operational Resilience Act (DORA) and the relationship between concepts of harm in operational resilience and consumer regulations. Chapter 9 will review risk incidents, including how to get to the root causes using the bow tie. Chapter 10 will explain how Third Party Risk Management (TPRM) is the elephant in the room for ORM and resilience.
We will then consider monitoring and reporting of operational risk and the Holy Grail of predictive Key Risk Indicators (KRIs) in Chapter 11, before explaining how to mitigate and manage risks (Chapter 12) and risk reporting (Chapter 13). We will conclude by exploring hot topics and the future, including the art of regulatory relations (Chapter 14), the rise and fall of AMA (Chapter 15) and how to select and get the best use out of a Governance, Risk and Compliance (GRC) system (Chapter 16). We will then explore the potential use of GenAI and other innovative new technologies...
File format: ePUB. Copy protection: Adobe DRM (Digital Rights Management).