a.

Examine the key challenges to building a mature and effective Operational Risk
Management program and recommend the best practices.

Operational risk is defined by the Basel Committee on Banking Supervision (2006) as: “the risk
of loss resulting from inadequate or failed internal processes, people and systems or from
external events. This definition includes legal risk but excludes strategic and reputational risk”. It
is not easy to build and successfully implement operational risk management in an organization.
Companies may face various challenges. Federal Housing Finance Agency (2013) describes an
operational risk management program as the set of policies and activities through which an entity
manages its operational risk exposures.

Lack of understanding is one of the challenges when it comes to building a mature and effective
operational risk management program. Employees might have troubles in understanding what
operational risk management is about and may view operational risk as solely a divisional or
business specific issue rather than a companywide pursuit. All these misconceptions hinder the
success of the program. It is important that everyone in the organisation has an appreciation of
what operational risk management is. So that they can be actively involved and contribute
towards building a mature and effective program. Take for example those with responsibility,
they will have clear understanding of their duties and tasks. Communication at this point
becomes key.

The best practices to this challenge is to communicate operational risk management throughout
the organization by means of awareness. This can be achieved through marketing and training of
employees. Marketing involves creating awareness about the operational risk and the operational
risk function throughout the organisation. Educating the people in the organization on what
operational risk management is, its importance and benefits to the organization, reporting of
identifies operational risk and the dangers of poor operational risk management. Thus there will
be clarity and people can understand about operational risk. At the same time marketing enable
the operational risk function to build relationships with other departments which is key in an
ORM program. Employee understanding can also be achieved through training. Training is done
for everyone, specialized training is carried out for those who are involved in operational.
Specialised training is done so that the employees gain more knowledge and skill about issues or
developments related to operational risk management and for them to successfully implement the
ORM program.

Another challenge is that of involvement and participation of the Board of directors and senior
management. They are accountable and directly responsible of program. Effective risk
management program starts with “The Tone at the Top” driven by the top management and
adhered by the bottom line Metric Stream (2019). The support of the executives is important
as it will influence the organisation to prioritise ORM. It will be difficult to build a mature
program if there is no support from the board of the directors or if they have less commitment
and they perceive operational risk management solely as a regulatory mandate, rather than as an
important means of enhancing competitiveness and performance. The roles that they play is
crucial for the success of the operational risk management program. These include approving the
operational risk framework, governance structure as well as overseeing the performance of the
senior management towards achievement of a mature and effective program in the organisation.
Issues such as governance structure is important for an effective program as it set out the roles
and responsibilities of the operational risk function as well as those who manage lines of
business. Management and the board must understand the importance of operational risk and
demonstrate their support. it is their responsibility to ensure that a strong operational risk
management culture (Basel committee on supervision,2011). Best practice to get them on board
is through marketing, that is demonstrating the importance of operational risk and its importance
to the organisation. Need for increased awareness and appreciation across boards and senior
management to better understand operational risk management 

The other challenge relates to development of loss data bases. For the program to be effective
there is need to develop business-line databases to capture loss events attributable to various
categories of operational risk. This may a challenge for some companies, as operational risk
management is new. Operational risk has been in existence for a long period. However, because
it was not being recognized, organisations were not collecting data. Thus there is no availability
of such data. Time will tell before there is adequate data for loss events. As a result of inadequate
data, companies are faced with challenges of implementation and also measuring risk. According
to Metric Stream (2019) Basel II specifically requires a minimum of three years of data for
initial implementation and ultimately five years for the Advanced Measurement
Approaches (AMA). Thus need for historical data (including external data) has been a cause

for concern for many enterprises. They are faced with difficulties in measuring risk due to
lack of meaningful and timely data across business unit and product lines. The best practices that
can be adopted in this case in order to gather data is coming up with policies and procedures
which set a minimum criteria for data collection and establish the methodology of data
collection. There is need for the company to collect high quality data. The risk function should
partner with other functions so that relevant data from business lines is obtained.

The other challenge to a mature and effective operational risk management program is that
Operational Risk Management (ORM) programs can be manual, disjointed, and over-
complicated (Idnani, 2019). The systems and programs are disconnected. This is largely to the
fact that operational risk management developed as a reactive function in response to regulations
and compliance. According to Metric Stream (2019) many firms find themselves besieged with
manual and disjointed systems, over-engineered programs, and metrics that are reported for the
sake of regulations or compliance

Companies are also faced with challenges of adequately identifying operational risks. Metric
Stream (2019) asserts that operational risk has become more complex to manage as organizations
are driven by advancements in technology, globalization, competition, and shrinking profit
margins. All these complexities expose businesses to more risks which are dynamic and ever
changing. Companies are faced with challenges of adequately identifying and managing the risks
which they are exposed to. Risk identification tools need to be efficient in identifying new risks.
They should have data collection programs, to pick up any industry losses and risks. Key risk
indicators can also be used as they can predict changing risk and also provide early signals. Use
of other tools such as RCSA. At the same time, the operational risk management policies and
procedures should be regularly updated as the operational risk profile of an entity changes.

The other challenge goes to the fact that operational risk management is a complex process.
Requires coming up with models that reflect actual world, measuring risk (quantifying risk) is
not easy task. In measuring risk, company the company has to ensure that methodologies used
are consistent with an entity-wide definition of operational risk
A common perception that organizations do not have sufficient resources to invest in
operational risk management. Operational risk management is associated with a lot of costs
such as labour, technology, performance remuneration and compliance. The company needs to
invest in proper staff with the right skills to carry out operational risk management process at the
same time there are costs in training the employees in the organisation. Ontop of that there is

techonolgy .

Poor culture. Orm should be embedded in the activities of an org. It is the duty of the top
management set an appropriate tone of commitment to the goal of effective operational risk
management

Poor governance

Lack of communication- communication should be made to relevant ppl. It should influence

activities of department. Thusissues or inter-departmental relationships should be taken into
consideration.

Common language. Establishing standard risk terminology that will be used moving forward,
which is conducive to successful Risk and Control Self-Assessments (RCSAs). one of the first
steps to understanding the nature of operational risks in your organization is through a Risk and
Control Self-Assessment (RCSA).Defining Risk

The issue: One of the biggest challenges is establishing a consistent and commonly applied risk
nomenclature. Any inconsistencies between risk definitions or methodologies are likely to
jeopardize the program?s success.

Potential solution: Establishing a formal risk management framework and common risk
nomenclature can be accomplished through working groups comprised of at least one
representative from each significant business unit and shared service function. The most critical
goal of the group is to establish the definition of risk itself. While each risk category may be
distinct, the definition of risk must be consistent and supported by clear guidance. The group
must also create a risk inventory and supporting risk taxonomy to further define and rank all the
risks faced by the organization.
Federal Housing Finance Agency,2013 The regulated entity’s definition should be reviewed and
approved by the board of directors. This definition forms the cornerstone of the ORMP because it
determines the group of risks that will and will not be managed under the rubric of operational risk,
and therefore what risk data will be collected, quantified, and modeled and where management
attention should be focused. Once defined, this definition should be clearly communicated to all
staff.

process for assessing changes in the business environment and the impact on operational risk.

organizations do not have sufficient resources to invest in operational risk management

Need for greater communication and education around the importance of operational risk
management and the consequences of operational failures on a company’s bottom line.
Promoting organization-wide understanding of the program’s value and function Risk review
committees can be an important tool to evaluate operational risk controls.

A number of organizations use risk review committees to assess current controls before any new
business line is initiated. The committee then outlines the necessary control changes that must
be implemented in order to support the business line. Both line managers and senior management
must agree on the efficacy of the controls before implementation by the business line. These
committees can greatly enhance overall communication on operational risk issues and can also
raise awareness about potential problems.

Indicators are important tools to assess operational risk controls.

There are numerous indicators that firms can monitor to assess their operational risk controls.
These indicators can provide a common way of determining whether a company is successfully
monitoring controls and carefully scrutinizing the business lines. Firms need a common
dashboard to evaluate operational risks.
However, the composition of existing and historical losses will not necessarily provide a guide to
future losses.

There are a number of issues that arise in using specific indicators. Earnings in either the top tier
or the bottom tier of a firm may offer insight into either excessive or inadequate risk taking.
Revenue growth itself is not necessarily an indicator of good risk management. Rapid growth
should indicate that a firm is doing well, but the appearance of success can hide underlying
problems. Increasing revenue may indicate high risk-taking, or provide business lines with
greater influence to resist changes (since firms may be reluctant to restrict a profitable business.
Stable earnings are also not necessarily indicative of strong operational risk controls, since stable
earnings may also mask inadequate attention to risk. The appearance of stability could lull
managers into a false sense of security, and lead them to overlook potential problems in their
controls. Small profit margins are suspect, as business lines with very low earnings may be
under-invested. Senior management and risk managers need to carefully scrutinize business
lines with earnings in either the top tier or the bottom tier of a firm, paying special attention to
excessive or inadequate risk-taking. The loss/expense ratio of a business line or a company may
provide insight into the effectiveness of operational risk controls.
Culture occupies a pivotal role in effective operational risk management.The importance of
culture must not be underestimated or taken for granted, even though many aspects of a firm’s
culture can be difficult to quantify, measure or model. Corporate culture is a pivotal factor in
how risk is controlled and, therefore, must be taken into account when measuring the
effectiveness of operational risk controls.

 Metric Stream (2019) Factors like lack of understanding of upcoming technology regarding
operational risk management, failure to get the top management to focus on the benefits of the
program, improved productivity and quality, as well as on loss reduction, and lack of meaningful
and timely data across business unit and product lines make the implementation of an ORM
system all the more formidable.
 b. With the aid of examples, explain the impact of the various types of model risks on an
insurance company.

A model applies theories, techniques and assumptions to process input data into quantitative
estimates for a particular purpose (Rule,2019) .Model risk is the risk of loss arising from using
inaccurate models to make decisions. According to American Academy of Actuaries (2019)
Model risk is the loss (economic, reputational, etc.) arising from decisions based on flawed or
misused models. Rule (2019) asserts that in insurance, a model going wrong might mean under-
pricing of products, under-reserving against risks or treating certain customer groups unfairly.
While in case of internal models used to calculate regulatory capital requirements, it could result
in insufficient capital to protect policyholders. This write up seeks to identify and explain the
various types of model risks and their impact on an insurance company.

The first type if model risk and model misspecification is erroneous model. In this case, the
model itself is incorrect. Stochastic process might be misspecified, missing risk factors,
misspecified relationships, transaction costs and liquidity factors (such as Liquidity risk). Take
for example, according to Dowd (2013) many models ignore transactions costs and assume that
markets are perfectly liquid. Such assumptions are convenient for modelling purposes, but can
lead to major errors where trasactions costs are significant and market liquidity is limited. Such
problems are highlighted by difficulties experienced by portfolio insurance strategies in October
1987 crash, where strategies predicted on dynamic hedging were unhinged by the inability to
unwind positions positions as the markets fell. The failure to allow for illiquidity lead to much
larger losses than the model anticipated. Derman (1996) adds that a critical consequence of an
incorrect model is that the probability of a significantly adverse event is often substantially
greater than one would expect based on model predictions.

The other model risk involves incorrect implementation of the model. In this case, the model is
correct however there is failure in implementing it. It is software based the risk that one can
make an error either accidentally or intentionally when implementing the model. Some models
require extensive programming and complex computations which involves popular functions.
Incorrect model implementation includes bugs in the programme, technical errors and inaccurate
numerical approximation. Stricker et al (2014) adds that this type is model risk involves use of
wrong algorithm in implementing a model or the correct algorithm is used but contains bugs and
coding errors. Take for example an insurance company which has developed a model for
calculating its capital requirement and on implementation there is human error during the
process, when manipulating raw data, inputs and outputs. This leads to poor programming of the
model which produce incorrect and undesirable results. It might produce capital requirement that
is significantly too low and does not reflect the risks that it is exposed to. This has a major
impact on the insurance company as it might not have inadequate capital when faced with
challenges.

Incorrect model calibration involves estimating intervals, dealing with outliers, estimating and
revising estimated parameters. Take for example improper estimation of µ or λ (mean). It also
involves fitting the wrong parameters in order to formulate a model, estimation errors, choosing
wrong estimating techniques and estimating wrong intervals. Dowd (2013) adds that parameters
might be estimated with error, not kept up to date and estimated over inappropriate sample
periods. A company can lose high amounts of money than that which is suggested by the
model.Take for example a pricing model
Market data processing is another type of model risk were quality of model depends on the
accuracy of input parameter values that feed the model.

The last type of model risk is model mis-application. While a model may be mathematically
correct and consistent with finance theory, making use of accurate data. It can be mis applied in a
given situation. Take for example applying a model for calculating basic solvency capital
requirement for a life insurance company to a non-life insurance company. This will have an
impact on the insurance company as capital requirement for operational risks will not be
correctly reflected. Such that in event of an operational risk, the company will not have enough
capital to absorb the risk or might be nder-reserved.

-Model will produce incorrect and undesirable results. Take for example, an insurer’s internal
model might produce a capital requirement that is significantly too low and does not reflect the
risks that it is exposed to or a pricing model might include analytical methods that lead to
outcomes that are outside the insurer’s risk appetite or, in the extreme, in breach of regulations or
illegal.

Wrong decision making which later results to losses