June 28, 2005
Actuarial Science Techniques used by Leading Banks for Operational Risk Measurement and Management
An actuarial approach to managing operational risk is superior to the approach outlined by the Committee for Sponsoring Organizations of the Treadway Commission's (COSO) Enterprise-wide Risk Management (ERM) framework, attendees of the Casualty Actuarial Society (CAS) Spring Meeting were told. Leading banks, such as Citibank, Bank of America and Deutsche Bank, were cited as examples of companies now using actuarial science techniques to quantify operational risk capital for use in their economic capital models.
Ali Samad-Khan, President of OpRisk Advisory LLC, said that while the COSO framework helps organizations address certain obvious control issues, it has significant weaknesses that render it inappropriate for use in operational risk management. He claims that the risk assessment methodology embedded within the COSO ERM framework is conceptually flawed because it produces false positives and false negatives. By acting on such information, managers may inadvertently invest in programs designed to improve controls in areas where they are already over-controlled while ignoring areas of major control weakness.
COSO was created in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. Other functions were to study the causal factors that lead to fraudulent financial reporting and to develop recommendations for public companies and their independent auditors, the SEC and other regulators, and for educational institutions. Samad-Khan presented research and details supporting his recent article "Why COSO is Flawed," published in Operational Risk magazine (www.operationalriskonline.com).
He told the audience that there are two fundamentally different world views driving the differences in the way banks approach operational risk management. "Those who follow the traditional audit-driven view typically believe that operational risks are in the processes," said Samad-Khan. Under this approach, organizations begin by identifying the full spectrum of risk within each process, and then assess these risks "before and after controls" to identify potential problem areas. They then accept those risks that are either not material or are adequately controlled, and develop action plans for those that need to be mitigated. "People who subscribe to this point of view often believe that the modeling of operational risk is not useful for managing operational risk or are at least highly skeptical of any tangible benefits," he said.
The loss data-driven view holds that "operational risks manifest themselves across the entire spectrum of businesses," said Samad-Khan. The first step is defining the universe of operational risk using mutually exclusive and exhaustive risk categories. Practitioners would then use internal and external historic loss data to populate a risk matrix "letting data dictate where risk really exists," he explained. The raw historical data can then be objectively transformed into frequency and severity distributions. The end product is a set of aggregate loss distributions, which reflect the firm's true exposure to all operational risk types. By combining an actuarial approach with a methodology that measures the quality of the corresponding internal control environment for each risk type, Samad-Khan said, practitioners can directly compare risk values and control scores. Armed with such information, managers can subsequently optimize the risk-control relationship in the context of cost-benefit analysis. In addition, legitimate risk values and control scores can be monitored as they change over time, which is an important Sarbanes-Oxley requirement.
Samad-Khan believes these two opposing views stem from confusion and misconception surrounding certain key concepts. "The differences relate to a few basic questions, such as: What is risk? And what is operational risk?" said Samad-Khan.
Mark Verheyen, Vice President of ReAdvisory, a service of Carvill, addressed operational risk in the context of a property/casualty insurance company. He began by illustrating operational risk's impact on p/c companies, citing the failure of HIH Insurance in Australia due to under-reserving, under-pricing, lack of internal controls, rapid expansion into unfamiliar markets, mismanagement, and abuse of reinsurance. "It was the largest failure in Australian history," Verheyen said. While these causes could be classified in traditional insurance company risk categories such as underwriting risk, Verheyen noted that they all fall under the umbrella of operational risk. "Operational risk is not separate and distinct from the more traditional risk categories," he said. "Rather, it overlaps these categories."
Verheyen contended that operational risk was arguably the largest single threat to an insurer's solvency. "Operational risk isn't a distinct class of risk that insurers are required to hold capital for," he added, "although many sources of operational risk are implicitly included in the regulatory capital models." He explained that proactive communication and the monitoring of key risk indicators, such as production, internal controls, staffing, claims, and outside data sources can encourage changes in behavior in the underwriting cycle that will help p/c insurance companies manage operational risk.
The session was moderated by Donald Mango, director of research and development for GE Insurance Solutions. Mango concluded the session by explaining to the attendees that the combined messages of the two speakers made clear that actuaries will play a big role in operational risk analytics, within the insurance industry and beyond.
The Casualty Actuarial Society is an organization dedicated to the advancement of the body of knowledge of actuarial science applied to property, casualty and similar risk exposures. The primary goal of the Casualty Actuarial Society is to provide education and research to help its members become leading experts in the evaluation of hazard risk and the integration of hazard risk with strategic, financial and operational risk.
Posted by Tom Troceen