A Closer Look: Operational Risk Management


The success of an organization is dependent, in large part, on the effectiveness of its operating environment. The journey toward operational excellence requires a refined and informed approach to balancing operational risk and operational controls.

In order to best manage to an appropriate level of risk, one needs to understand the operational risks inherent in running a process or product, assess the effectiveness of the control environment, and accurately calculate the residual risk exposure – so one can mitigate it to within acceptable limits.

The Risk Lifecycle

Much like market and credit risk, operational risk follows a similar cycle – it is important to track risk exposure through the cycle in order to achieve the desired level of risk mitigation.

Risk Management
For illustrative purposes only.

Focus on Identification

To effectively identify the organization's key operational risks, one best practice is to take a multi-faceted approach to understanding and managing Operational Risk.  For example, the data sourced from a single tool (e.g., a Risk & Control Self Assessment) is useful, however, its value in accurately identifying and assessing operational risk exposures may be materially enhanced when combined with:

  • Data sourced through complementary but independent Operational Risk tools, and
  • Operational data (e.g., portfolio and trade data)

The goal is to build a holistic, comprehensive, and balanced view of operational risks, trends, and exposures. This has the ability to provide a more informed view for management to use in targeting investment in controls.

Risk management
For illustrative purposes only.
  • Risk & Control Self Assessment: An assessment of the risks inherent in executing a process, the effectiveness of the controls in place to manage the risk and the residual risk remaining.
  • Event Analysis: Root cause analysis of events with an unintended outcome and enhancement of controls if appropriate.
  • Targeted Risk Assessment: A deep dive independent assessment of the risks and controls in a process or set of processes, usually conducted by the Operational Risk team.
  • Operating Metrics: Data points collected to support risk analysis; may include key performance indicators, key control indicators or business data sets.
  • Key Risk Indicators: Quantitative indicators of changes in risk levels built using operating metrics and measured against thresholds.
  • Process Mapping: Detailed breakdown of activities, steps, and controls within a process to support assessment of risks and controls; use for training, change management, audit management, etc.
  • Scenario Analysis: Analysis of the effectiveness of controls for highly unlikely but plausible events that may result in disruption to the business; feeds capital reserving, where applicable.

Keeping Pace with Change

Change can often increase risk. Investment managers typically run a diverse portfolio of products and mandates, each of which can present a unique, and sometimes nuanced, set of operational challenges. Both the operational processes underpinning the execution of the products, and the products themselves, are often subject to significant change. This is driven by a series of factors including client demand, market dynamics, new regulation, external threats, technology developments, and organizational restructuring, to name a few.

These factors all change the inherent risk profile of the firm, stress the control environment and cause potential dislocation between the two, therefore increasing residual risks. It is the role of the Operational Risk team, in conjunction with business teams, to proactively identify, assess and help manage these dynamic risks and exposures.

We believe Operational Risk is best managed by not only doing ‘point in time’ assessments of risk; but rather by monitoring and managing the continually evolving operational risk profile of the firm.

This information is for informational purposes only and not intended to, and does not relate specifically to any investment strategy or product that AQR offers. The risk management process described herein will not always be successful. It is being provided merely to provide a framework to assist in the implementation of an investor’s own analysis and an investor’s own view on the topic discussed herein.