Hand preventing falling dominoes knocking over others

Strategic Decision-Making Through Risk Assessment

Jump to Section:


With losses as much as $20 trillion in the U.S. alone, the global financial crisis of 2007-2008 wreaked havoc across the globe. As some financial institutions failed and others were bailed out by taxpayers, businesses and individuals went bankrupt, and weaknesses were revealed in the world’s financial system. As recession and years of slow growth ensued, around the world governments, organizations and individuals all asked the questions: “What laws can we pass? What rules can we enforce? How can we prevent a financial crisis like this from occurring again?”

Responding to changing regulations is not a new activity for financial institutions. But responding effectively requires deep knowledge of an organization’s risk profile and an understanding of overall business strategy.

No matter the industry an organization operates in, regulation presents new obligations, including ensuring compliance. With the right approach, however, organizations can shift how they approach “compliance.” Rather than simply being a mandatory requirement, it can become a way to rethink their approach to overall risk management, their overall business strategy, and give fundamental insights into their operations and challenges that can help identify new paths to growth and success.

In Depth

Organizations should rethink their approach to operational risk assessment “from one that is strictly about compliance to one that involves a deeper understanding of an organization’s risk profile and what that means from a business perspective,” says Jacqueline Geiger, Financial Institutions Practice Leader, Aon Risk Solutions.

A full risk assessment can help identify process efficiency improvements, find opportunities to decrease operational running costs, minimize volatility in earnings, and, ultimately, improve long-term shareholder value.

Moreover, there is an important – if unquantifiable – value that results from the improved governance and decision-making that can and should flow from an organization having a more detailed understanding of its operations and potential exposures.

The experiences of the financial sector in the years following the crisis that started in 2007 can provide valuable lessons in how to maximize the benefits of operational risk management for leaders in any business.

New Regulations And Increasing Standardization

New regulations are still being tailored to incorporate lessons learned from the financial crisis. Designed to reduce the risk of another global crash, the Dodd-Frank Act in the U.S. has attempted to modernize the way financial institutions manage liquidity. The Act aimed to redefine capital buffers, as old capital requirements were deemed insufficient, with the overall goal of attempting to rid the system of institutions that are “too big to fail.”

Instead of merely looking at specific organizations, regulators are now looking at broader systems that can stress or fail and cause widespread financial instability. Regulators are now in agreement that the size of the institution and range and scope of activities of those firms can severely impact not just industries, but whole economies.

In an attempt to standardize how organizations set capital requirements, the Basel Committee has proposed that the Advanced Measurement Approach, a self-assessment methodology for setting capital requirements under the Basel II regulatory framework, be replaced with a new methodology called the Standardized Measurement Approach. Under this approach, the revised operational risk capital framework will be based on a single non-model-based method for the estimation of operational risk capital.

Assessing Risk To Respond To Challenges

Traditionally, operational risk management has been viewed as “a check the box activity, and has been approached from a compliance perspective,” says Jin Kang, Director, Financial Institutions Risk Advisory, Aon Risk Solutions. Kang recommends that operational risk management should be considered not simply as about ensuring that a firm has done its due diligence and adhered to rules, but more about value-creation. They should be seen not as a cost of doing business, but rather as an opportunity for profit.

“Operational risk derives from the failure of people, processes, systems or an external cause,” says Kang. The larger the business, or the more regulated the industry, the greater the potential cost of such failures. For example, an oil spill for an energy company or asbestos-related liability could result in lost revenue, potential fines or even long-term brand damage. Losses from market shocks or changing regulations could also be deemed operational risks.

The impact of globalization is a major source of volatility as companies and their supply chains expand internationally. This opens the door to incompatibilities in cross-border regulation. Globalization also brings the operational risks of dealing in politically and economically unstable emerging markets and relying on suppliers or customers in different parts of the world. The more complex the system, the more risk there is.

Kang points out that while it may be common to assume emerging markets can be a source of instability, the biggest risks tend to come from developed-market revenue centers, due to the size and complexity of their operations. Working to understand that complexity means organizations will be better able to plan for and respond to crises if and when they occur.

Managing Operational Risk

If operational risk derives from systemic failures or inadequacies, says Jonathan Humphries, Executive Director, Operational Risk Solutions, Aon Benfield, then a more advance risk framework should “enable the business to better understand and manage its exposures.”

According to Humphries, any company seeking to better manage its operational risk should ask itself three questions:

1) Does it have an appropriate risk governance framework in place to enable identification, management and mitigation of exposures?

2) Are business decisions made using information derived from its risk governance framework?

3) Does it have an appropriate risk transfer program in place to mitigate the effect of unexpected losses?

Preparing For Tomorrow’s Unknowns

Focusing on improving corporate governance and developing best practice strategies can be transformational, not least because the cost of implementing a cohesive risk control program may turn out to be immaterial compared to the cost of having no preparation at all.

But perhaps most importantly, organizations that integrate risk management as part of their culture and strategic vision will be better able to respond to shocks and changes. Such companies will already have a strong understanding of their risk information and so should be able to respond to challenges – and opportunities – more effectively.

“Risk management is not just about regulatory compliance,” says Geiger. “It is about your ability to quantify, model and understand your risk better in order to make better-informed decisions.’’

Talking Points

“While new risks such as cyber security have moved to center stage, old risks like damage to reputation/brand and increasing competition are taking on new dimensions and complexities. These constantly evolving and interconnected challenges have made risk management a necessity for survival and a key driver for success in this diverse, competitive, and fragile marketplace.” – Aon Global Risk Management Survey

“High-quality capital must be complemented with effective governance and appropriate culture; strong risk management processes and internal controls; and a broad view of risk that encompasses all of a bank’s activities.” – William Coen, Secretary General of the Basel Committee

“It is critical to extend the standardised measurement formula to recognise the risk mitigating effect of hedge mechanisms such as insurance as is the case for market and credit risk.” – Andrés Portilla, Managing Director, Regulatory Affairs, Institute of International Finance & David Strongin, Executive Director, Global Financial Markets Association

“The attitudes of some risk managers need to change, where they should move away from their traditional compliance orientation, instead adopting a more enterprise-wide view that is less confrontational and more proactive.” – Simon Ashby, associate Professor of Financial Services at the Plymouth Business School

Further Reading