Really Operational risk in concept is the same in bank as it is in a utility provider however the emphasis seems to be on reducing faults in utility providers while in banks it is all about capital. Many analysts from the financial sector in particular argue that both are the same creature dressed in a different skin but with our more 'heavy industry' based businesses such as manufacturing and utilities the focus is generally towards bottom up techniques.
In particular Basel II doesn't seem to stress best practices for fighting risk, its’ focus is all about measuring the potential exposure so that a reserve of money can be held and this reserve is referred to as the tier I, II [III] capital reserve. There have been many critiques on this thinking, I am far from the first and I am also a big believer that if banks treated this risk class in a more real manner, closer to the cause and by learning techniques from operational risk programs in these adjacent industries then management of events becomes an easier task. Specifically if a bank simply treats risk as a compliance exercise then working tangible outcomes are often lost, tacit knowledge of staff is not utilized and enthusiasm for the program dwindles as costs escalate.
Utility providers on the other hand tend to lend themselves to being real about creating systems that actually reduce potential exposure and at the coal face of the business where such exposures can be seen. Their programs will generally include and be written in manner that:
# There is an ability to capture loss data and assign those events to a cause for a better understanding on the businesses problems in the context of the business.
# The company has incentives to locate and find potential pathogens for failure through an investigative approach into understanding causality. Causality and hazard solutions allow event description to be built up in a manner that one event can be proven to cause another, for example:
Water + slippery surface + people present = possible occupational & safety hazard.
That's the hazard, now we remove the hazard by destroying the equation. Here is a solution: It’s raining, we have a paved floor and people are at the door, we reduce the hazard by laying out a carpet and/or putting up a sign stating "the surface is wet watch out for a slippery floor".
Of course there are many of these hazard reducing tools in a power station and they form the key basis for policy; the rules of how staff use machinery around so that a safe, productive and importantly continuous environment is sustained.
A good program will also have a process for showing how to monitor potential causes that increase the likelihood of fault so that planning of activities can be carried out to reduce failure. Such a program is an ongoing exercise of review and record otherwise it is not representative of new potential threats and their associated problems.
The system also needs to allow the business to easily track its best practice so it should create a list of workable actions for staff to engage during failure, so that faults are resolved quickly, effectively and without incurring additional knock-on effects.
Taking this one step further these workable actions also allow benchmarks to be created between departments for a formal monitoring and reporting process. This process then tracks whether a department is reducing its operational risk as planned or whether there is an erosion on quality in staff efforts and that means more hazards.
I am not saying banks don’t do this, because they certainly do. Most financial institutions have a comprehensive branch audit team, and controlled self assessment is usually scattered throughout their operations however one is left with the feeling that many staff in banks don’t actually know why they are doing something when it is operational risk in nature. They simply tick the box and most data in operational risk sits in silos and is used to calculate capital reserves.
Risk and reliability assessment techniques in other industries tend to be put into two classes, quantified or heuristic. Quantified assessment techniques in these industries use specific algorithms to calculate the actual likelihood and consequence of a failure by proceeding to a solution from an explicit and complete step analysis such as FMEA or Fault modes and Effects Analysis. FMECA is a popular set of methodologies employed by heavy industry for understanding the critical nature of a fault, the pathogens that drive the fault and what the consequences are. Banks on the other hand don’t seem to become tied up with FMECA and I would beg to wonder whether the typical operational risk analyst in a bank would be up on FMECA at all. Yet outside the world of finance FMECA has such a following that some industry regulated bodies have published failure modes for specific systems and structures they know their regulated companies use. These publication notes of course can be used by any company for a plan for managing the predictability of outages in specific cycles of operation.
Here is the list of such cycles taken from the MIL-SD-1629A US Military Standard:
# Premature operation
# Failure to operate at a prescribed time
# Intermittent operation
# Failure to cease operation at the prescribed time
# Loss of output or failure during operation
# Degraded output or operational capability
# Other unique failure condition based on system characteristics and operational requirements or constraints
Looking at risk this way has some distinct advantages, primarily understanding the probability of a systems up time we are able to plan business continuity programs. We are also able to understand what processes need to be carried out by staff during each cycle of operation. Another advantage of course is being able to describe the Mean Time to Repair for each component and this leads to a good threat analysis for change management staff and that is where operational risk is often featured yet not factored into capital.
