Understanding operational risk is fundamental to its effective management. This paper sets out ten laws that govern the behavior of operational risk relating to the occurrence and detection/duration of events; the rapidity with which firms suffer losses; the lags in crystallization of losses; and internal and external drivers of concentration. The paper also considers the transference and conservation of risk; risk homeostasis (ie, control expenditure will respond to increased risk to return firms to within appetite); and the proactive taking of operational risk by firms in order to obtain fee and commission income. These laws are underpinned by event, causal and impact taxonomies. Each of the laws is illustrated through the analysis of loss and financial data for thirty-one current and former global systemically important banks, before and after the global financial crisis. Finally, the paper briefly considers the impacts of these laws on how firms should undertake stress testing and risk and controls self-assessments, and select predictive key risk indicators, and also the extent to which these laws make predictions as to the outcomes of three emerging threats.