
Exposure
Exposure is the potential to experience financial and reputational losses, in normal and stress situations, arising, according to Basel*, from inadequate or failed internal processes, people, systems, or external events. This definition is too general to be useful in managing operational risk.
As a result, Basel, through consultation with the industry, developed a hierarchical list with 3 levels and 7 types of events that give rise to operational risk losses.
(see section 25. 17 of https://www.bis.org/basel_framework/chapter/OPE/25.htm?inforce=20230101&published=20200605)
* (section 3 of https://www.bis.org/bcbs/publ/d515.pdf)

What types of financial and reputational losses from operational risks are banks exposed to? A quick search of published lists would reveal a long list ranging from fraud, cybersecurity, data management issues, discrimination, aggressive selling, unauthorized trading, deceptive sales practices, weather-related damages, earthquakes, war, changing regulations, client lawsuits, employee safety, etc. The list is very long and often contains overlaps, such as a cybersecurity attack resulting in fraud. Which is it? Is it fraud or cybersecurity? Or a war may cause a cybersecurity incident and an employee safety issue. Which is it: war, cybersecurity, or employee risk? When confronted with a long, overlapping, unstructured list, we apply MECE to chunk each of these instances into a hierarchical, mutually exclusive (non-overlapping) and comprehensive structure. That is the goal.

How would you go about doing this? Since there is no readymade solution, we apply Agile. You start with the goal, which is to have a MECE list of operational risk exposures, and work backward to a starting initial solution. Where will you get this initial starting solution? Do a quick search for a hierarchically structured list. If you find one that is MECE, you are finished. After a quick search, you will discover that the regulators have come up with such a hierarchical list. Basel published this hierarchical list. The list has three levels, with each level subdividing each type of operational risk into more granular subtypes. The first level consists of 7 types:

1. Internal Fraud
2. External Fraud
3. Employment Practices and Workplace Safety
4. Clients, Products, and Business Practice
5. Damage to Physical Assets
6. Business Disruption and Systems Failures
7. Execution, Delivery, and Process Management

The problem with this list is that its categories overlap. For example, a system failure can lead to either internal (involving an employee) or external fraud. Or a business disruption can cause a delivery issue. An under-compensation of employees may be caused by a process management issue. There are numerous such examples. Where would damage to information assets fit into one of the seven? And so, although the Basel list of operational risk types is an improvement on the very long random list presented at the start, it is insufficient to avoid the ambiguity that a MECE structure would remove, nor is it comprehensive enough to include losses due to damage to information assets. (Notice that we are saying "insufficient" and "enough" because we are looking for something good enough for the purpose rather than perfect, which doesn't exist.)
Perhaps the industry did a better job. There are various industry lists. They vary in detail but are broadly similar. For example, a leading industry publication has the following list of the Top 2022 Operational Risks (https://www.bakermckenzie.com/en/insight/publications/guides/top-10-op-risks-2022):

1. IT disruption
2. Theft and fraud
3. Talent risk
4. Geopolitical risk
5. Information security
6. Resilience risk
7. Third-party risk
8. Conduct risk
9. Climate risk
10. Regulatory risk

A quick test will reveal that it has the same overlapping issues as the Basel list. For example, an IT disruption can lead to information security and fraud losses, client risk can lead to IT disruption, and talent risk can lead to an information security risk if not enough talented individuals can be hired to develop the processes that secure the information.

