Operational Risk Management: An Emergent Industry

Abstract

Financial institutions have always been exposed to operational risk - the risk of loss from faulty internal controls, human error or misconduct, external events, or legal liability. Only in the past decade, however, has operational risk risen to claim a central role in risk management within financial institutions, taking its place alongside market and credit risk as a hazard that financial institutions, regulators, and academics seriously study, model, and attempt to control and quantify. This newfound prominence is reflected in the Basel II capital accord, in numerous books and articles on operational risk, and in the emergence of a rapidly expanding operational risk management profession that is expected to grow at a compound annual rate of 5.5%, from US$992 million in 2006 to US$1.16 billion in 2009. This increased emphasis on operational risk management corresponds to a much wider trend of responsive or enforced self-regulation, both in the United States and internationally, that attaches significant importance to the internal control and compliance mechanisms of business and financial institutions. Driven by legal changes and well-organized compliance industries that include lawyers, accountants, consultants, in-house compliance and human resources personnel, risk management experts, and workplace diversity trainers (hereafter, legal intermediaries), internal compliance expenditures have increased substantially throughout the past decade, assuming an ever-greater role in legal liability determinations and organizational decision-making, and consuming an ever-greater portion of corporate and financial institution budgets. This chapter situates operational risk management - particularly those components of operational risk related to legal risk and the risk of loss from employee misconduct - within the broader literature on enforced self-regulation, internal controls, and compliance, arguing that the increased focus on operational risk management portends both positive and negative effects. On the one hand, business and financial institutions that are law abiding and avoid unforeseen and unaccounted for disasters are an obvious positive. At the same time, however, all operational risk management is not created equally. Some operational risk expenditures may prove more effective at enhancing the profits or positions of particular firm constituencies and legal intermediaries, or luring regulators and firm stakeholders into a false confidence regarding operational risk management, than at significantly reducing operational risk losses. Indeed, recent rogue trading losses such as those at Societe Generale and MF Global Ltd. demonstrate that operational risk measures such as those embraced in Basel II are no substitute for sound firm management and regulatory oversight.