What types of financial and reputational losses from operational risks are banks exposed to? A quick search of published lists would reveal a long list ranging from fraud, cybersecurity, data management issues, discrimination, aggressive selling, unauthorized trading, deceptive sales practices, weather-related damages, earthquakes, war, changing regulations, client lawsuits, employee safety, and so on. The list is very long and often contains overlaps, such as a cybersecurity attack resulting in fraud. Which is it? Is it Fraud or Cybersecurity? Or a war may cause a cybersecurity incident and an employee safety issue. Which is it: War, Cybersecurity, or Employee Risk? When confronted with a long, overlapping, unstructured list, we apply MECE (Mutually Exclusive, Collectively Exhaustive) to chunk each of these instances into a hierarchical structure that is mutually exclusive (non-overlapping) and comprehensive. That is the goal.
How would you go about doing this? Since there is no ready-made solution, we apply Agile Problem Solving. You start with the goal, which is to have a MECE list of operational risk exposures, and work backward to an initial starting solution. Where will you get this initial starting solution? Do a quick search for a hierarchically structured list. If you find one that is MECE, you are finished. After a quick search, you will discover that the regulators have come up with such a hierarchical list: Basel published it. The list has three levels, with each level subdividing each type of operational risk into more granular subtypes. The first level consists of 7 types:
1. Internal Fraud
2. External Fraud
3. Employment Practices and Workplace Safety
4. Clients, Products, and Business Practice
5. Damage to Physical Assets
6. Business Disruption and Systems Failures
7. Execution, Delivery, and Process Management
The problem with this list is that it is overlapping. For example, a system failure can lead to either internal fraud (involving an employee) or external fraud. So is it a Business Disruption and Systems Failure, or is it Internal Fraud?
Or a business disruption can cause a delivery issue. Again, this event can go into either Business Disruption and Systems Failures (#6) or Execution, Delivery, and Process Management (#7).
Or under-compensation of employees led to the hiring of a less-than-qualified employee, who after a month on the job failed to execute a fraud management process, resulting in an external party committing fraud. Is this Internal Fraud (#1) (it involves an employee), External Fraud (#2), or Employment Practices and Workplace Safety (#3)?
There are numerous such examples. In addition, where does damage to information assets fit into one of the seven? And so, although the Basel list of operational risk types is an improvement on the very long random list presented at the start, it is insufficient to remove the ambiguity that a MECE structure would eliminate, nor is it comprehensive enough to include losses due to damage to information assets. (Notice that we are saying "insufficient" and "enough" because we are looking for something good enough for the purpose rather than perfect, which doesn't exist.)
Perhaps the industry did a better job. There are various industry lists. They vary in detail but are broadly similar. For example, a leading industry publication has the following list of the Top 2022 Operational Risks (https://www.bakermckenzie.com/en/insight/publications/guides/top-10-op-risks-2022):
IT disruption
Theft and fraud
Talent risk
Geopolitical risk
Information security
Resilience risk
Third-party risk
Conduct risk
Climate risk
Regulatory risk
A quick test will reveal that it has the same overlapping issues as the Basel list. For example, an IT disruption can lead to information security and fraud losses, client risk can lead to IT disruption, and talent risk can lead to an information security risk if not enough talented individuals can be hired to develop the processes that secure the information.
Another quick search turns up an operational risk type list from Risk.net.
Once again you will find the same overlapping-category problems. For example, a mobile banking vulnerability allows a hacker to access and drain a client account: is it IT Failure or Theft and Fraud?
Or:
Data management issues resulted because employees were distracted by a huge, complex, and disruptive org change, which led to clients being overcharged; the FI made restitution to clients to avoid a lawsuit but still suffered a regulatory fine. Is it Data Management, Org Change, or Regulatory Risk?
This list is more like a list of top operational risk concerns. However, concerns, although important, are not the same as risk types. Many of these are causes that may result in an operational risk (i.e., a financial or reputational loss from an operational type of event).
One can continue the search and hope to discover a MECE list, but a better strategy is to employ Agile. We do this by starting with either the Basel list or the industry list, or better yet both, and iterating until we get a good-enough MECE list. Whichever list is chosen as the starting point, the next iteration can be grouping each of the items in the list into outcomes and causes. For example, Theft and Fraud are outcomes, while IT Disruption is the cause of some other type of outcome loss, such as fraud or a client claim resulting from losses suffered by the client because they were unable to execute a trade on time due to an IT disruption. There may be a financial and reputational loss from a fine imposed by a regulator (the outcome) due to conduct risk by employees, information security, or third parties. Since there may be multiple causes for the same outcome, we can achieve our goal of creating a MECE list of operational risk types by chunking the initial list by outcomes. Here is one MECE version resulting from several outcome-based iterations:
Internal Fraud
External Fraud
Employee Settlements
Clients Settlements
Damage to Assets
Regulatory Settlements
Test it yourself and determine if major overlap issues remain or if it is not comprehensive enough to fit certain types of operational risk losses.
Unfortunately, this has not yet been widely adopted, and most FIs, industry associations, and industry operational loss databases continue to use some variation of either the Basel or industry list, or both.
We will therefore continue with the Basel list, despite its drawbacks, because it remains the reference list for the industry and regulators. FIs, industry associations, and industry operational loss databases that use some variation of the Basel or industry list face significant overlap issues and, as a result, inconsistent classifications. They restore consistency of classification within their organizations through complex decision tree rules of the type: if x, y, z, and d are present then it is, say, IT disruption, but if x and b are present then it is fraud, and so on. It would be much better to adopt the above MECE list, but such is life.
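The "test it yourself" step above and the decision-tree workaround can both be made concrete in code. The following is an added illustration, not part of the original text or of any Basel publication: loss events are tagged with constructed cause and outcome labels, a simplified cause-based rule set (a hypothetical stand-in for Basel-style classification, not Basel's own definitions) is compared with the outcome-based list above, and the audit reports every event that lands in more than one category (not mutually exclusive) or in none (not collectively exhaustive).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LossEvent:
    name: str
    causes: frozenset  # constructed cause tags (what went wrong first)
    outcome: str       # constructed outcome tag (what the bank actually paid for)
# Constructed sample events, modelled on the scenarios discussed in the text.
EVENTS = [
    LossEvent("system outage lets an employee divert funds", frozenset({"it_disruption", "employee"}), "internal_fraud"),
    LossEvent("mobile app flaw lets an outsider drain a client account", frozenset({"it_disruption", "outsider"}), "external_fraud"),
    LossEvent("outage delays a client trade, client is compensated", frozenset({"it_disruption"}), "client_settlement"),
    LossEvent("data error overcharges clients, regulator fines the bank", frozenset({"data_management", "org_change"}), "regulatory_settlement"),
    LossEvent("earthquake damages a data centre", frozenset({"natural_disaster"}), "damage_to_assets"),
]
# Cause-based rules in the spirit of the Basel level-1 types (hypothetical simplification, not Basel's wording).
BASEL_STYLE = {
    "Internal Fraud": lambda e: "employee" in e.causes and e.outcome.endswith("fraud"),
    "External Fraud": lambda e: "outsider" in e.causes and e.outcome.endswith("fraud"),
    "Clients, Products, and Business Practice": lambda e: e.outcome == "client_settlement",
    "Damage to Physical Assets": lambda e: "natural_disaster" in e.causes,
    "Business Disruption and Systems Failures": lambda e: "it_disruption" in e.causes,
}
# Outcome-based rules: the six-item MECE list from the text, each keyed purely on the outcome.
OUTCOME_BASED = {
    "Internal Fraud": lambda e: e.outcome == "internal_fraud",
    "External Fraud": lambda e: e.outcome == "external_fraud",
    "Employee Settlements": lambda e: e.outcome == "employee_settlement",
    "Clients Settlements": lambda e: e.outcome == "client_settlement",
    "Damage to Assets": lambda e: e.outcome == "damage_to_assets",
    "Regulatory Settlements": lambda e: e.outcome == "regulatory_settlement",
}

def mece_audit(taxonomy, events):
    """Return (overlapping, unclassified): events hitting >1 category (not ME) or none (not CE)."""
    overlapping, unclassified = {}, []
    for e in events:
        hits = [name for name, rule in taxonomy.items() if rule(e)]
        if len(hits) > 1:
            overlapping[e.name] = hits
        elif not hits:
            unclassified.append(e.name)
    return overlapping, unclassified

def is_mece(taxonomy, events):
    """True only if every event lands in exactly one category."""
    overlapping, unclassified = mece_audit(taxonomy, events)
    return not overlapping and not unclassified
```

Running `mece_audit(BASEL_STYLE, EVENTS)` shows the three IT-disruption events each matching two categories and the data-management event matching none, while the outcome-based list classifies every event exactly once.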
I believe that identifying operational risk exposures is key to effective risk management, ensuring organizations can mitigate potential impacts through comprehensive analysis.
The MECE structure is extremely effective for many situations, but at the same time many problems are too complex to be categorized under one umbrella without it being extremely specific. The Basel risk categories do overlap, and it is an issue, but at the same time what is stopping an event or risk from being classified under multiple risk types, rather than a vague umbrella term or an ultra-specific one?
There are many lists to identify the types of operational risk, based on different rules such as industry lists and the Basel list. I am wondering if we can create a MECE framework that relies on loss type as the first layer. Specifically, categorize the losses resulting from operational risk, use them as the first layer, and see if there are any risk types that belong to these categories, then compile them into a list.
Given that there are many overlaps between each risk type, the firms have designed decision trees to be more specific on the classification. I am wondering what are the most important benefits of clearly identifying the types of risk exposure. For example, will firms apply much more controls on the risk that results in more losses? If yes, is that effective? Are there any regulatory rules that require disclosure of the risk exposures?
I'm now really confused about what MECE is. Last week, when we were doing a case study, I thought MECE was a framework for solving problems. But this week, we were just doing some data analysis, and we still had to use MECE, which felt more like a decision tree. So what exactly is MECE, and what kinds of problems can it be applied to?