
OPERATIONAL RISK MANAGEMENT

A RISK SELF-ASSESSMENT AT ABN AMRO MONACO

STEVEN BOSCH 0993549

ABN AMRO BANK NV
MONTE CARLO: JULIEN FRENI
AMSTERDAM: JOHN BAMBER

UNIVERSITY OF GRONINGEN
MR DRS E. GNIRREP
MRS DRS H. P. VAN PEET

MARCH 2003

Faculty of Management and Organisation; University of Groningen

Foreword

This document is primarily the result of research for ABN AMRO Private Banking in Monaco, Monte Carlo. An assignment at the bank’s Risk Management Department from February 2002 until October 2002 formed the basis of this thesis. Management was looking for a tool to identify and assess operational risk. After this period, I was able to obtain additional knowledge within the field of Operational Risk by means of a subsequent three-month assignment at ABN AMRO Bank’s global support function for Operational Risk Management Private Clients and New Growth Markets (ORM PC-NGM) in Amsterdam from November 2002 until February 2003.

In Monaco I would like to thank Mr J. Freni (Head Risk Management) for his support and dedication, as well as Mr C.P.S. Noyon (Country Representative Monaco) for giving me this great opportunity.

In Amsterdam, many thanks go to Mr J. Bamber and Mr G. Szamosi from ORM PC-NGM, who provided me with a lot of additional information and interesting work on an international level.

In addition, I give my thanks to Mr drs. E. Gnirrep and Mrs drs. H. van Peet, guiding teachers of the University of Groningen at the Faculty of Management and Organisation for their critical notes and supportive remarks.

Secondarily, this dissertation is the result of more than five years of studies in The Netherlands and abroad. I could have never done this without the support of my parents. At the end of a very nice and interesting period my gratitude goes to them: thanks a lot!

Steven Bosch

Amsterdam, March 2003

Management Summary

Management of ABN AMRO Monaco is confronted with a problem within the field of Operational Risk Management (ORM). It is unable to identify and assess operational risk in the organisation, a risk that increasingly leads to operational losses. The rollout of a facilitated Risk Self-Assessment (RSA) is considered an effective solution for this problem. This is an instrument with which the organisation is enabled to identify and assess operational risk bottom-up, with the organisational members providing primary input. The design and implementation of a standardised and practical approach to recurrently self-assess operational risk should ultimately contribute to the improvement of operational risk control.

To achieve the above, the following main research question has been defined:

‘What elements should the Risk Self-Assessment approach comprise in order to systematically self-assess operational risk within ABN AMRO - Monaco and how should this be done and built up, to meet related internal requirements and to enable a recurrent application of the instrument?’

Diagnosis and Program of Requirements

To answer this question, a search for the internal requirements is the first step. This means that the research starts with a diagnosis to formulate restrictions for the subsequent stages of design and change. The internal diagnosis is based on the five Conditions for Effective Control (C.E.C.). Regarding the problem as a control problem, management (the controlling organ - CO) is to meet these conditions if it wants to effectively control the relevant organisational sub-unit (the controlled system - CS) to perform an RSA. In this respect it was diagnosed to what extent these conditions were met and to what extent improvement was required. The conclusion of the diagnosis is a Program of Requirements (PoR) that mentions those elements that need to be achieved once the design has been completed and implemented. The PoR is divided into three separate parts: content, procedure and structure. An overview of the most important elements of the newly designed RSA is given below.

Since employees not specialised in operational risk management are asked to deliver input, a practical definition of operational risk is formulated that aims at a clarification of the concept of operational risk.

The prevailing internal view of risk is supported in the sense that it is loss-based and that risk consists of an event that is caused by a root cause. Only direct loss is sought for, with the existing Corporate Loss Database (CLD) as useful additional input. Identification of operational risk occurs process-wise and use is made of the ranking of business processes as constructed by the Operational Audit function.

Conceptual Design

For this first RSA it is recommended to consider high-risk processes only. A structured approach is envisaged by breaking down the processes into discrete process stages. The making of standard classifications provides further structure for the event, the cause and the loss of operational risk. The chosen categories foresee connection with the official ‘Basle’ definition of operational risk. Assessment is designed to occur only after a prioritisation of the identified risks by making an estimation of the Exposure (E). (E) is based on the frequency with which a process stage is executed. Identified risks with a sufficient (E) are assessed by measuring Impact (I) and Likelihood (L). This measurement is not intended to generate mathematical or scientific results but is to give management an overview of the frequency and severity of a risk as expected by the people involved. Both for (I) and for (L) standard scaling is designed, to enable comparable results and cater for consistent outcomes. It is decided to let the scale for (I) be dependent on the loss relative to the branch’s total year income. The results are presented on a so-called ‘rainbow-chart’ and it is made possible to give management an indication of the urgency for (improved) risk control.

Practical design

Dependent on the stage of the RSA (identification, prioritisation or assessment) either a hub-and-spoke approach or a network approach is chosen as way of processing information.

Design of the approach to identify operational risk is borrowed from the Delphi Technique. Participants give their input independently and receive consolidated feedback of all input by a central unit (hub-and-spoke). This occurs two times; it starts with asking for examples and experiences and results in an operational risk definition validated through a sign-off. The (control) culture diagnosis as part of the third C.E.C. made clear that individually conducted open interviews in this stage are preferred over questionnaires or group meetings. A risk-averse attitude and a blame culture can thus be circumvented.

Design of the approach to assess operational risk is borrowed from the Nominal Group Technique where people working in the presence of each other give their ideas independently. Voting on both the (I) and (L) occurs independently, just as the collection of ideas to take mitigating action. The gathering of all involved is taken advantage of to discuss the risks found (network). Review of current controls and sharing of ‘risk-experience’ should enhance insight and increase the reliability of the vote.

Implementation

Implementation of the RSA should occur in a phased approach: unfreezing, moving and freezing is the proposed way to do this.

Related to unfreezing is the concept of meta-control. Management is in charge of pursuing meta-control, since it should only indirectly influence the process of identification and assessment done by the CS. An important aspect is its primary responsibility for creating a (positive/supportive) culture in which the RSA can be embedded. It comes down to controlling the awareness, perception and attitude (or culture) of all involved. This ‘second level of control’ should merely consist of organising related presentations, introducing a facilitator, using the Intranet to explain the risk and the approach and answering questions.

The success of the stage of moving is heavily dependent on the one who is conducting and administering the process of the RSA, the facilitator (being one of the prerequisites of management). Moving the organisation comes down to effective control. Control of the RSA takes place intrinsically, since decision making is partially executed by the CS and partially by the facilitator who is a member of the CS himself.

This type of control requires a person with well-developed social skills and good communicative capabilities to explain the process and promote the instrument.

Freezing comes down to stabilising the recently changed organisation. In order to recurrently perform a similar program in the future (being another prerequisite), sound planning and detailed process descriptions for the processes to be analysed are required. For this last stage, management taking responsibility is of key importance. Dedication should be shown by really improving operational risk control and appointing risk owners. (Financially) rewarding the participants is another key component.

Recommendations

For future sessions of the RSA it is recommended to have an existing employee assuming the role of facilitator and it is preferred to let this person be coming from the Organisation and Information (O&I) department. ORM is not easily combined with Credit Risk and Market Risk, while O&I is used to regular and intensive interaction with staff on topics related to organisational diagnosis. A future RSA is of specific importance if a significant change occurs within the organisation. An additional process, a reorganisation or an altered structure could result in a transformed way of working. To ensure controls of sufficient quality and quantity, an internal analysis can be useful on where a malfunction might take place and what the (I) and (L) of an operational loss event might be. The results of this first round RSA should not only be used to improve the procedure internally, but also be shared with other branches within PC-NGM.

Table of Contents

Foreword
Management Summary
Appendix
1 General Introduction
2 Situation Description
2.1 Context of the research
2.1.1 The environment
2.1.2 The company
2.1.3 The department
2.2 Risk categories
3 Research Methodology
3.1 Description of the Problem Area & Background
3.2 The management question
3.3 Problem Definition
3.3.1 Research Objective
3.3.2 Main Research Question
3.4 Conceptual Model
3.5 Sub Research Questions
3.6 Operationalisations and definitions
3.7 Boundaries and conditions of the research
3.7.1 Process-oriented conditions
3.7.2 Content-oriented boundaries
3.8 Approach of the research
3.9 Methods of Data Collection
4 The Control Situation
4.1 Introduction
4.2 Problem owner analysis
4.3 Diagnosis of the Control Situation
4.4 Control within AAB Monaco
4.5 Conditions for Effective Control (CEC)
5 Analysis of the Conditions for Effective Control
5.1 Introduction
5.2 C.E.C. 1: The Objectives for controlling the RSA
5.2.1 Criteria to check the objectives for controlling the RSA
5.2.2 Description of objectives for the RSA
5.2.3 Diagnosis of objectives
5.3 C.E.C. 2: Model of the controlled system
5.3.1 Goal of the model
5.3.2 Delineation of the model
5.3.3 The aggregation-level
5.3.4 Choice of subsystems
5.3.5 Type of Model and Language used
5.3.6 Model – and system reticulation
5.4 C.E.C. 3A: The Environment and its potential influences
5.4.1 Group ABN AMRO (Corporate Centre)
5.4.2 The facilitator of the RSA
5.4.3 The regulating authority BIS
5.4.4 The loss event
5.5 C.E.C. 3B: The Condition of the Controlled System
5.5.1 Process-oriented versus result-oriented
5.5.2 Human-oriented versus Work-oriented
5.5.3 Organisation-connected versus professional
5.5.4 Open versus closed
5.5.5 Tight control versus loose control
5.5.6 Pragmatic versus normative
5.5.7 Control culture questionnaire
5.5.8 Conclusion environment and internal situation (C.E.C. 3)
5.6 C.E.C. 4: The Control Type and Measures chosen
5.6.1 Control characteristics and mix of control measures
5.6.2 Conclusion control type and – measures (C.E.C. 4)
5.7 C.E.C. 5: Information processing capacity
5.7.1 Interdependence of business processes
5.7.2 Conclusion information processing capacity (C.E.C. 5)
5.8 Program of Requirements
5.8.1 Content
5.8.2 Procedure
5.8.3 Structure
6 Conceptual Design of the Risk Self Assessment
6.1 Introduction
6.2 The concept of operational risk
6.2.1 A definition of operational risk
6.3 Process-wise identification and assessment
6.3.1 Selection of business processes in the branch
6.3.2 A classification of risk causes
6.3.3 A classification of events
6.3.4 Combination of cause- and event categorisation
6.4 An assessment of outcomes
6.4.1 A loss-based approach
6.4.2 Assessment of Impact
6.4.3 Assessment of Likelihood
6.4.4 Indication of Exposure
6.5 Conclusion
7 Practical Design of the Risk Self Assessment
7.1 Introduction
7.2 Identification
7.2.1 Interview versus standard questionnaire
7.2.2 Collaborative versus individual
7.3 Prioritisation and Assessment
7.4 Reporting of results
7.5 Conclusion
8 Implementation and Recommendations
8.1 Introduction
8.2 Implementation in phases
8.2.1 Unfreezing
8.2.2 Moving
8.2.3 Freezing
Conclusion
References
Appendix

1 General Introduction

ABN AMRO Bank N.V. Monaco Branch decided in the beginning of 2002 to design and implement a locally adapted Operational Risk Self-Assessment Program (RSA) through its Risk Management Department. It appeared that operational risks were increasingly leading to operational losses. To be able to improve control, deeper insight into the risk type was deemed necessary. This introduction describes the structure chosen for the research related to this decision. The research was started to solve management’s problem of not having enough knowledge of how to approach such a new instrument.

A start is made with a concise overview of the situational setting, or the context, of the problem. General insight into the bank and the Risk Department are treated in combination with the risk types involved in banking.

Hereafter, a methodological justification is given. Methodology is important as it critically guards all processes it represents. More specifically, it represents knowledge production, knowledge use as well as the quality of the knowledge itself (De Leeuw, 1996, p. 10).¹ Furthermore, the object of observation depends on the methodological decisions made by the researcher. These aspects will be referred to in the dedicated chapter ‘Methodology’. A management problem will be translated into a formulation of the problem definition. The sources of information, the research method, and theoretical concepts are discussed subsequently.

The subsequent chapters are dedicated to the design and implementation of the RSA, after a thorough diagnosis with the Conditions for Effective Control as leading framework. The diagnosis leads to a Program of Requirements that limits the possibilities for both design and implementation as it takes important elements from the internal organisation into account that have to be met.

Since the development of the Risk Self-Assessment took place simultaneously with its roll-out over the organisation, useful input for the design originated from internal application. Regular feedback loops thanks to ‘learning by doing’ led to a final result that has proved highly valuable for the Monegasque branch.

1 Leeuw, A.C.J. De, Bedrijfskundige Methodologie, Management van Onderzoek, Van Gorcum, Assen: 1996

2 Situation Description

2.1 Context of the research

2.1.1 The environment

Monaco is the second smallest state in the world, coming after Vatican City, with French as the official language. The population numbers some 30,000, of whom 5,000 are Monegasque nationals. The principality's climate, scenery and gambling facilities have made Monaco known as a tourist and recreation centre.

However, the principality is also a business centre for private and corporate banking. It is a tax haven both for individuals who have established residence and for foreign companies that have set up businesses and offices. No income taxes (except for French citizens), low business taxes, attractive geographic position and safety contribute to a high activity in private and corporate banking.

2.1.2 The company

ABN AMRO Bank N.V. is one of the world’s largest banks with total assets of more than EUR 600 billion and a presence in over 60 countries. Its activities are grouped into three strategic business units: Wholesale Clients (WSC); Consumer & Commercial Clients (CCC), and Private Clients & Asset Management (PCAM). The unit Private Clients is internally linked with New Growth Markets, with global Operational Risk Management (ORM) aiming at both units. ABN AMRO Private Clients is the largest private bank in the Netherlands and a top 5 player in the European private banking market. It employs over 3600 people and has a strong presence in all major financial and offshore centres in the world.

Within the Principality of Monaco, a branch of ABN AMRO has been active in the field of private and corporate banking since November 1993. The Monegasque establishment is an agency of the holding ABN AMRO Bank N.V. Around sixty to seventy employees with a wide variety of nationalities contribute to the delivery of a range of financial products and services that meet the needs of private and corporate clients. ABN AMRO Bank defines the concept of Private Banking as a personal, confidential and professional banking service of the highest possible quality. Each client receives a tailored service that meets his or her individual requirements by means of a personal relationship manager who co-ordinates all their financial affairs. To offer related and supporting services, ABN AMRO is working closely with accountants, solicitors, and other financial and legal experts.² An overview of the main processes within private banking is enclosed in the appendix.

2.1.3 The department

The department responsible for the RSA project is the Risk Department. The main function of ‘risk’ is to indicate to line management how to cope with identified risks, to monitor risky transactions or situations and to take action to mitigate these risks. Risk management is a process that consists of the following six phases:³

2 ABN AMRO Monaco Web Site - http://www.abnamro.com/monaco/

3 NIBE-SVV Algemene Opleiding Bankbedrijf

1. The recognition that the bank runs a certain risk;

2. Policy formulation to cope with the identified risks;

3. Risk policy conversion into operational/practical countermeasures;

4. Measurement of risks;

5. Reporting to line management of estimated impact and likelihood;

6. Risk control.

An official definition of the risk management function within a bank is:⁴

‘Identifying and defining the risks the firm is exposed to, assessing their magnitude, mitigating them, using a variety of procedures and setting aside capital for potential losses’

2.2 Risk categories⁵

ABN AMRO runs risks in many interrelated fields, which could result in an inability to realise the objectives the bank has formulated.

The bank has distinguished seven categories of risk.

1. Market Risk
2. Legal Risk
3. Credit Risk
4. Liquidity Risk
5. Operational Risk
6. Strategic/business risk
7. Reputational Risk

These seven categories are closely intertwined and of these categories, operational risk is the category that is dealt with in this research. Negative (loss) events triggered by operational risk, in particular, have a strong impact on other risk categories. The following examples clarify how operational risk can lead to other risks:

- Due to an unbalanced credit approval process (operational risk), Credit Risk can exceed desired levels, e.g. created by overexposure in a certain business area;

- Due to inadequate internal position monitoring (operational risk), an adverse movement in market prices might go unnoticed and increase Market Risk;

- Errors in fraud prevention controls (operational risk event) can result in Legal and Reputational Risks.

The exact causal relation between the categories and the definitions of each of them is included in the appendix.

4 Davies, J., et al., Defining and Aggregating Operational Risk Information, Warburg Dillon Read, London: 2000

5 Group Risk Policy Document ABN AMRO, ORP&S, July 5, 2002

3 Research Methodology

3.1 Description of the Problem Area & Background

To show local management in Monaco the context of operational risk, a short introductory paragraph is dedicated to the wider problem area and the background of the risk type. The success of a firm-wide Risk Self Assessment promoted by management is in the first place dependent on management’s understanding of the problem.

The risk concerned here is specifically called operational risk. A definition of operational risk coming from the Risk Management Group of the Basle Banking Committee is the following:

“The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.”⁶

Malfunctioning and deficiencies in systems, daily processes or human behaviour could result in outcomes that are harmful to the bank’s reputation or position. Errors and business interruptions can potentially result in financial losses and other damage to the organisation. Any failure or inadequacy potentially generates losses of an unknown size, given that no corrective action is taken during the time span when the risk remains ignored. And, to make things even worse: there are many potential causes for such deficiencies or malfunctioning. Operational risk encompasses risks coming from all areas of the organisation, from the front office to the back office and support areas.⁷ This definition is different from "operations" risk, which relates to the back-office activities generally performed by operations departments.

Operational risk has been perceived as an important theme for financial institutions only relatively recently. Sometimes operational risk has been seen as a market risk, or as a credit risk. The famous case of the Barings Bank in 1995 where one trader (Nick Leeson) was responsible for a loss of $ 1,3 billion was first seen as a market risk. The losses were the result of wrong bets on Tokyo’s stock index. The purchase of large amounts of future contracts took place in a period of economic downturn in the Japanese markets. Indeed, the downward movement in market prices was causing enormous deficits in Barings’ books. However, the main internal reason was the fact that Leeson was able to hide losses in a special account that he controlled. He was violating a central tenet of good operational risk practice through a lack of dual controls and checks and balances. He was acting settlement manager for both the back and front office and was able to hide accumulating losses for more than two years.

Gradually the regulating authorities started to define operational risk. At first instance this was very basic: ‘all risks except market and credit risk’. In addition, the financial industry became aware that operational risk was also present outside the trading environment. Losses have also been caused by computer viruses such as the ‘I love you virus’ in 2000. More and more, management of operational risk is seen as an integral part of the measures a bank takes to protect itself against losses, and not only losses as excessive as those Barings was confronted with in 1995. Seven main drivers of change have led to an increased focus on operational risk management at the bank.⁸ These factors are placing pressure on management to develop more dynamic and effective tools for identifying, measuring and managing operational risk. They are treated below.

6 Basel Committee on Banking Supervision, Operational Risk, January 2001, http://www.bis.org/publ/bcbsca07.pdf

7 Karow, Chris, Operational Risk: Ignore It at Your Peril, Risk Management, E&Y, 2001

8 ABN AMRO Corporate Centre

- The first factor is the increasing complexity of organisations. The sophistication and complexity of banking practices is increasing. Factors contributing to this tendency are the outsourcing of business activities, the securitisation of assets and the implementation of new, networked technologies. The necessary involvement of external parties to fulfil these supplementary activities is reflected in the increased complexity of internal processes, triggering a larger likelihood and higher impact of operational risk.

- New capital requirements by global regulators, such as the Basle Committee on Banking Supervision (see before), are placing greater emphasis on the quality of operational risk management. In the next five years these regulators may require a specific operational risk capital charge for many regulated entities, including financial institutions. A capital charge that is derived from an internal measurement approach should function as a buffer for potential operational losses. Since financial institutions are striving to use risk capital as efficiently as possible, proactive operational risk management is asked for.

- The focus of rating agencies will be increasingly placed on the quality of systems that identify, assess and control operational risks. The extent to which financial institutions are able to control operational risk will serve as a significant criterion for credit rating agencies. These agencies are evaluating the creditworthiness of financial institutions such as banks and their judgement heavily influences how easily a bank can attract credit. Hence, they are a very important type of institution to take into account as a stakeholder.

- Several severe losses in the Banking Industry have triggered an increased attention for all that can go wrong in the execution of internal processes, just as the systems and staff involved. The rise of the impact of severe losses is depicted in the figure below.

Figure 1: Trading losses in the international banking industry

- Fifth, the trend toward decentralisation and employee empowerment, which results in more decisions being made by individual business-line managers, is increasing the need for management to understand the risk posed by these isolated decisions, to create transparency around decision-making processes, and to monitor the enterprisewide exposure to risk.

- Sixth, financial modernisation and market pressures are accelerating the pace of convergence, creating pressures for companies to broaden product offerings, increasing competition, and forcing less-regulated entities toward more structured regulatory oversight that necessitates improved risk management and enhanced management information.

- The seventh major force is the shift toward fee-based activities, which has intensified the need to manage operational risk to attract and retain clients. Most of the profit companies receive is compensation for accepting and managing operational risk for activities ranging from check clearing to transaction processing. There is a shift from traditional banking towards a more trading-oriented environment. An institution's capabilities in this area are having a greater impact on its earnings and success.

Due to this increasing emphasis on operational risk management, it is important to be clear about what is meant by this term. Operational risk management consists of several steps. Confusion easily occurs when talking about (operational) risk management on one side and (operational) risk control on the other side. When one is managing operational risk, the first step to be taken is to identify a risk, upon which evaluation, analysis and measurement take place, before it is mitigated through risk controls or by finding other solutions such as insuring against it. The question of what is done about the risk after it has been identified, understood, and dimensioned is related to control. Thus, by designing and implementing control measures the focus should be on the reduction of the risk of operational losses.

What will become clear in the next chapter is that this research is executed to help ABN AMRO Monaco to achieve a complete picture of the operational risk it runs through an RSA. It can be considered a way to cover the first steps in the management of operational risk within the bank. With this information control measures can be implemented.

3.2 The management question

As a response to these threats and developments, ABN AMRO – Monaco is confronted with a problem. Management wants to be clear on how operational risks can be identified and assessed by all staff involved in order to better control that risk and prevent losses. The purpose of the assignment given to me is as follows.⁹

‘Management of the Monegasque branch is looking for a practical and standardised tool to perform a risk self-assessment in a recurring way. The principal idea is to develop an interactive tool with which the organisational members can identify and assess operational risks by themselves. Occasionally management is facing direct losses that could have been prevented if action would have been taken beforehand. To be able to take timely action in the future, the branch should be enabled to systematically identify and assess those inadequacies and/or failures in day-to-day processes, human behaviour and systems, that potentially trigger direct losses to the bank.’ A larger risk awareness should contribute to a decreased risk exposure as well.

3.3 Problem Definition

The above management problem serves as a basis for further research. Analysing the question makes clear that it regards an internal identification and assessment of malfunctions or deficiencies in the internal processes, systems and human behaviour. This corresponds with the current definition of operational risk created by regulatory authorities, as has become clear in the above. The purpose is to understand, allocate and assess a risk before it turns into a loss and to make staff aware of the presence of operational risk. Interactive means that the employees themselves discover what they think is critical and open to change, in order to improve the situation. To do this, a method has to be put in place that foresees an objective assessment and multi-dimensional scope of view. Several approaches and scopes of view are imaginable, and various ways of collecting and analysing information can be opted for. This enables me, in dialogue with management, to decide how (potentially) negative outcomes are to be treated in the approach and where the participants have to focus more in depth. The ultimate goal of management is to create operational effectiveness and an objective tool to measure this from inside the organisation on a regular basis. Effectiveness can be measured by the extent to which objectives are achieved.

9 As was communicated to me during introductory discussion with branch’ management.

Concluding, the problem it concerns here is an internal bottleneck that hinders effective operational risk control. The bottleneck management tries to tackle is the organisation’s inability to track and assess operational risk in an early stage. The problem is treated as a new phenomenon which is part of operational risk management. However, one can argue that the field of operational risk management is not new, but has everything to do with ‘good management’. As soon as processing and internal functioning is managed effectively, malfunctioning of systems or losses due to human errors are prevented anyway.

Operational risk is everywhere and risk management is needed everywhere. Nevertheless, the high frequency of operational losses and the high impact of some large losses has underscored the importance of the rise of this new field called operational risk management. Recently there is a recognition of the importance of identifying, understanding and measuring operational risks more intelligently. This research therefore can also be considered an attempt to respond to the need for additional insight in this respect.

The above clarifies that the problem is twofold. Firstly, there is the need for a solution to the bottleneck as described above. This means that internal control of operational risk is to be improved to prevent or minimise operational losses. Secondly, it can be regarded as the design of an approach to understand, identify and assess operational risk, for which knowledge (in the general field) of operational risk management in financial institutions is required. Verschuren (1996, p. 33)¹⁰ emphasises the importance of taking into account why the research is performed and what is done in the research. In the wording of the problem definition these two issues should be referred to. The problem definition therefore consists of two separate elements: the research objective, which presents why the research is necessary, and the research question, which indicates what knowledge is required to achieve the objective.

The answer to the main research question can be found by answering the different sub questions (De Leeuw, 1996, p. 146). To ensure a uniform picture of the terms mentioned, a list of operationalisations and definitions has been included as well.

3.3.1 Research Objective

The objective of this research is:

‘To design and to give recommendations on how to implement a standardised and practical approach that can be used by “ABN AMRO Monaco - Private Banking” to recurrently execute a self-assessment of operational risks in order to make a contribution to the improvement of operational risk control.’

3.3.2 Main Research Question

The main research question of this research is:

‘What elements should the Risk Self-Assessment approach comprise in order to systematically self-assess operational risk within ABN AMRO - Monaco and how should this be done and built up, to meet related internal requirements and to enable a recurrent application of the instrument?’

3.4 Conceptual Model

According to the former paragraphs, the research topic represents several interrelated elements. The conceptual model in a research indicates the global view, which is the basis of the research (De Leeuw, 1996, p. 56). The conceptual model will be used as a powerful tool to guide the research. It depicts the main elements and shows how these are interrelated. The links with theoretical concepts and frameworks are given as well. The function of theory in a research is that it is helpful in selecting the relevant parts of the reality, in analysing these parts and finally in guiding the way towards solutions.

10 Verschuren, P.J.M., De Probleemstelling voor een onderzoek, Het Spectrum, Utrecht: 1996

Figure 2: Conceptual Model

[Figure not reproduced. Elements shown: Facilitator/Researcher; ‘Controlling Organ’ (Management AAB Monaco); ‘Controlled System’ (AAB PB Monaco); Diagnosis of 5 Conditions for Effective Control (CEC), Condition 1 to Condition 5; ‘Input’; Design and Implementation of RSA Process; Identification and assessment of operational risk; ‘Output’.]

The basis of the conceptual model is the sequence diagnosis, design and implementation of the tool/program to identify and assess operational risk by the organisation. The diagnosis is structured according to the Conditions for Effective Control. It is analysed whether, and if yes what, gaps are present that prevent the Controlling Organ from adequately controlling the use of the RSA. The choice has been made to regard the problem in the light of the control model since management is controlling the executors of the RSA so that they effectively self-assess their risks. Minimally, the CO should meet the five conditions; if not, its attempt to control the controlled system is expected to fail. The content of the five conditions is specified in a later stage in this chapter. It is envisaged to use additional theoretical concepts for the diagnosis for each of the conditions.

The design is based on the ‘Input’ provided by the diagnosis. Input is considered the Program of Requirements (PoE) that delineates the choices for designing the RSA. In addition to the PoE, input will consist of theory related to the concept operational risk to answer questions related to the definition, understanding, identification and assessment of the risk. Also, the practical approach, i.e. the way in which the employees and the facilitator roll out the RSA, will build upon theory from behavioural sciences, containing concepts for interview techniques and group decision making. For the Implementation phase, use will be made of the model of Lewin (De Leeuw, 2000, p. 340)¹¹, who distinguishes between the stages unfreezing, moving and freezing.

Regarding the Risk Self-Assessment Program - the part of the conceptual model within the grey oval zone - it is made clear that it consists of several steps that can be performed simultaneously. Namely, the process of identification and assessment can be split up over separate organisational units at the same time. The striped horizontal arrows indicate that both feedback and feedforward loops are implemented, to validate information given by the participants and to plan for additionally required steps in the RSA, such as a selection of most urgent risks. It also represents the possibility of flexible performance of the RSA. It should not be necessary to have a strictly linear execution of the process; a start can be made with one step before the other has finished totally.

The ‘Output’ of the RSA is twofold. A set of identified and assessed operational risks in a to be defined format is the first type of output. This information can ultimately lead to improved control by improvements in systems, processing, culture or structure by management or other organisational units to whom the responsibility of improvement is delegated. The second type of output is related to the process RSA itself. The design and implementation of this first time program will lead to adaptations and deviation from the initial ideas of how to conduct the RSA. These adaptations and deviations are partially used to change the process immediately, i.e. during the write-up of this research report. Partially they will be communicated to management as recommendations. It will be recommended how to improve the program for future editions. I was also able to formulate these recommendations by assuming a temporary position at Dutch ABN AMRO headquarters’ Operational Risk Management unit.

The facilitator/researcher in this research is playing an interesting role, which will be elaborated on in the diagnosis as well. The facilitator is expected to conduct the RSA, or at least to assist the employees in the process of identification and assessment. However, that same person is expected to set up the precise procedure as well. Therefore, it is attempted to depict the control model in the conceptual model as a situation of management performing control over both the controlled system and the facilitator, who are conducting control rather intrinsically. This can be underpinned by the fact that management is not directly involved in the RSA but should only create the necessary conditions, such as awareness of the risk type and full delegation of authority. The facilitator/researcher is thus involved in all phases of both the research and the RSA. This is shown by encircling the model with the facilitator/researcher as starting point.

11 Leeuw, A.C.J. de, Bedrijfskundig management, primair proces, strategie en organisatie, Van Gorcum, Assen: 2000

3.5 Sub Research Questions

The main research question focuses on what knowledge is required to design and implement a Risk Self-Assessment Program, and consists of the following sub-questions:

“Diagnosis”

A. Considering the execution of an RSA a control problem, what are the conditions for effective control that need to be obeyed at the least?

Having insight in and understanding the conditions for effective control is a prerequisite for further diagnosis in this field. The assumption is that if one or more conditions are not met, a failure of control will be inevitable.

B. What restrictive requirements for the design of an effective method can be derived from an analysis of the current state of relevant parts of the organisation in light of the conditions discussed under A?

Diagnosis of the CO and the CS on the conditions for effective control should lead to a program of requirements.

Such a program delineates the consequent design of characteristics of the instrument and the way the tool is implemented.

“Design”

C. How should the term operational risk be defined and conceptualised and in what way should an identification and assessment of this risk category be pursued to comply with this definition and requirements (see B)?

A practical definition, a logical grouping of suitable-sized units and categorisation of findings is prerequisite to a systematic identification and assessment. The design of a conceptual and standardised way of identification and assessment is envisaged.

D. What should the practical approach to the RSA look like to meet the internal requirements as indicated under sub question B and what technique(s) available in behavioural sciences should be chosen?

Each phase in the RSA process will require a customised way of collecting and analysing data. Literature on self-diagnosis and group decision making will prove important tools in setting up an effective approach.

“Implementation and recommendations”

E. Which steps should be taken and in what order should they take place to implement the designed approach of the local RSA in the organisation?

This question is related to the procedural requirements which are to be met to attempt an effective roll-out of an organisation wide conducted RSA. Recommendations are based on the actual roll-out which took place in the period from March 2002 until October 2002.

3.6 Operationalisations and definitions

- ABN AMRO Private Banking (Monaco Branch)

Private banking is a relationship business where clients are accorded personalised service and products are packaged to fulfil individual objectives. Purposes are to preserve, protect and enhance clients’ net wealth by means of the management and administration of their financial affairs and assets in and outside their country of residence.¹²

- Private Clients

ABN AMRO Monaco develops and maintains a client base of high net worth clients and provides customised Private Banking services to these clients. Private (individual) clients have a very high level of capital or income and require special services in conformity with the Private Banking Service Concept, helping them in wealth accumulation and preservation. Segmentation is made on the size of the assets a client holds. The minimum free cash flow for a client requiring (international discretionary) investment management is 1 million.¹³

12 ABN AMRO Instruction Manuals and Compliance, http://domino01.ao.nl.abnamro.com/DGIT/DI/nspubld2.nsf/

- Operational Risk

The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.¹⁴

- Operational Risk Management

The organisational function that involves the identification, assessment, mitigation and monitoring of operational risks. This is done in various ways, such as the implementation of a Corporate Loss Database (CLD), RSA and other programs to be introduced in 2003.¹⁵

- Risk Self-Assessment

RSA is a structured means for identifying and assessing risks aimed at improving risk control. It focuses on Operational Risks. In addition the ownership of key risks - and measures introduced to mitigate unacceptable risk exposure - is clearly identified. Risk self-assessment is conducted by staff and management (supported by a facilitator) of the organisational unit being assessed. (Van den Brink, 2002, p. 10)¹⁶

- Identification of operational risk

Identification in the sense of this research means to arrive at a common understanding about risk specific to the sub-unit that is taken into account.

- Assessment of operational risk

Assessment in the sense of this research means a collective estimation of the risk exposure and the probability of the risk occurring. The assessment should lead to prioritisation of risks and actions for improvement of risk control.

- Direct Operational Loss

A direct operational loss is an incident that causes direct ‘out of pocket’ expenses and/or financial liabilities as a result of an operational loss event.¹⁷

3.7 Boundaries and conditions of the research

To prevent the research from becoming too comprehensive, it makes sense to mark edges around the area to be examined. Content-oriented boundaries are important, as they point out what aspects should be included in the research. Aspects should be added or deleted, in congruence with the focus of the research project. Conditions have to be taken into account as well.

13 ABN AMRO Instruction Manuals and Compliance, http://domino01.ao.nl.abnamro.com/DGIT/DI/nspubld2.nsf/

14 Basle Committee, Operational Risk, January 2001, http://www.bis.org/publ/bcbsca07.pdf

15 Business Unit PC NGM, Charter of Operational Risk Management

16 Brink, G.J. van den, Operational risk, Palgrave Publishers Ltd, New York: 2002

17 ABN AMRO Business Unit PC NGM, Charter of Operational Risk Management

Conditions of the research differ from boundaries in the sense that the researcher cannot change them. Another characteristic is that conditions concern the process of the research. Boundaries, on the contrary, are content-oriented. Both types of delineation are treated below.

3.7.1 Process-oriented conditions

- Time available;

The project has to be finished by 1st October 2002, so this means a total period available of seven months. Within these months both a useful approach should be designed and management information on the operational risks disclosed. Another condition concerning ‘time available’ is the time the employees should sacrifice to participate in interviews and group meetings. This has to be done during regular opening hours of the bank, with the number of group meetings kept as limited as possible.

- Available resources;

The resources available concern the employees who are involved, the location of the research, the information systems and the money dedicated to this project. A trainee carries out the project in co-operation with Head Risk and the Internal Controller. Support by these two employees is indispensable. Furthermore, a significant input is required of the employees who are assessing the operational risks themselves. Besides human resources, there is a need for an internal location where the interviews are held, group meetings are organised and presentations are given. Important information systems include access to a reliable network (Intranet and Internet) and a system to collect and present the (impact and likelihood of) risks. A detailed budget should be made by management and is not to be exceeded by the executing team.

- The extent to which the information can be freely dispersed;

The internal assessment envisages covering the main parts of the organisation. Due to the documentation of internal deficiencies and failures, management demands the acquired information to be classified ‘confidential’. Therefore, the research and its results will contain details related to incurred losses or real internal malfunctioning.

3.7.2 Content-oriented boundaries

- Private Banking as focus

The research is only targeting the Private Banking activity, since it is the core competence of the Monegasque branch. Corporate Banking, serving onshore and offshore companies, is not included.

- A structured approach

The approach should be systematic and well structured. After the first rollout of the RSA Process, it should be possible to repeat a similar process over and over again on a regular basis. A proper documentation and description of the several phases will therefore be indispensable;

- Content supplied by employees

The approach should focus on a large amount of interaction with the involved employees. The role of the researcher could be described as ‘facilitator’. Since the information, diagnosis and recommendation for improvement are (for the main part) coming from the employees, the approach should be regarded a self-evaluation.

3.8 Approach of the research

To ensure a well-structured examination of the situation and the design of a proper tool, the research is split up into three phases. According to De Leeuw (2000, p. 291), these phases are diagnosis, design and change. The starting point is the research question, which is based on the management problem. Hereafter, diagnosing the situation, designing a tool and recommending organisational changes should solve the management problem. See the figure below.

Figure 3: DDC-Model

[Figure not reproduced. Elements shown: Diagnosis (problem oriented analysis of the internal organisation); Design (to invent and work out a solution to the problem found); Change (to implement the solution in the organisation); feedback.]

Diagnosis

The risk self-assessment is part of operational risk management in its attempt to control operational risks. In order to control this risk-type, the organisation must identify and assess the operational risk present in the organisation. Management now wants to steer the organisation in such a direction that it (the organisation) finds and measures the specific risk type by itself. To achieve this generic goal, management is looking for a tool. This is an indication that the current approach to achieve this goal is not sufficient or not present. So, before the tool can be designed, there should be a diagnosis of what is actually missing or what is (possibly) going wrong. The first indication is given by the management problem, which was given before. But a problem is always subjective and therefore, a problem is more than only ‘a discrepancy between the factual and desired situation’. In order to cope with this subjectivity of the problem, it is important to appoint a problem owner. An owner’s ‘Real Life System’ (De Leeuw, 2000, p. 279) influences the system the owner has made of the reality he or she is confronted with and serves as the origin of the need for organisation-analysis. ‘What actors have what kind of problems with what (sub)systems of the organisation?’ is the main question the problem owner analysis should give an answer to (De Leeuw 2000, p. 320).

The above means that diagnosis will first focus on disclosing the problem type of the problem owners of this research. Secondly there will be an examination of the imperfections in the current situation regarding the identification and measurement of operational risks. An attempt to answer this question is structured according to the Conditions for Effective Control: discussing these conditions should make clear whether management is sufficiently ‘equipped’ and prepared to successfully pursue a risk self-assessment. The diagnosis phase finishes with a listing of the ‘Program of Requirements’, which serves as a starting point for the design of the instrument. The RSA should be able to cope with distracting variables that make the organisation potentially deviate from the objectives management has set. These variables are external if it concerns factors that take place outside the relevant sub-system. Coping with distracting variables or threats can be done by control measures in order to obtain the desired output. De Leeuw (1997, p. 118) has depicted this situation as follows.

Figure 4: The Controlled System and its environmental relations

Diagnosis should take place to obtain insight in the elements mentioned in the figure.

Design

Once these elements are known and after it has been made clear what the instrument should do, the method can be defined, based on the requirements found in the diagnosis. Potential instruments to identify risks, to guide an assessment and to influence risk awareness amongst staff will be examined and formulated. A conceptualisation of the term operational risk should take place as well: making decisions on how to approach operational risk forms a substantial part of the design. Design of the tool will come down to the establishment of a procedure, with which the organisation can identify and assess operational risks (possibly guided by a facilitator). Several alternative methods will be reviewed and based hereon a choice or combination of choices related to the approach will be made.

Change & Evaluation (recommendations)

A workable and standardised approach requires several changes in the organisation, related both to structure and to attitude. Influencing the attitude of the organisation or a definition of the function of the facilitator of the project are examples related to change. The Risk Self-Assessment should lead to significant and consistent (categories of) results. Management’s assignment to come up with an approach and satisfying results should lead to recommendations directed to changes in the organisation.

[Figure 4 not reproduced. Labels shown: External influences; Control measures; CS; Output.]

Recommendations are rather practically oriented, such as educational requirements, to what extent a dedicated department is necessary and how frequently an assessment is deemed necessary. Answers to this type of questions will be given in the final chapter and will be based on practical experience of the researcher and literature available.

In practice, the phases of the model are seldom performed in a linear way, but are likely to occur parallel to each other. In the set up of this research, the choice is made to perform the diagnosis before the other two stages. Factors discussed during the diagnosis are both dedicated to the design and to change/implementation. These two stages – design and change – are discussed in an integrated way. This approach is supported by the following picture, which depicts how design and change interrelate.

Figure 5: Design and Change as parallel processes.

The choice is made to let the ‘controlled change of the form’ be one of the types of rationality as put forward by Kickert. He distinguishes between content, procedure and structure. For the recommendations related to change the focus is put on how to get desired results, i.e. the procedure. What is done and who is in charge of these tasks is integrated into the Design-part.

3.9 Methods of Data Collection

Clarke (1999, p. 67)¹⁸ writes that ‘Normally a range of techniques form the core of an overall research strategy, thus ensuring that the information acquired has the depth and detail necessary to enable (the researcher) to produce a report which the conclusions can be drawn with a certain degree of confidence.’

As most common methods he mentions questionnaires, interviews, observation and documentary sources. He and many other authors agree on the fact that multiple sources are required. For the purpose of reproducibility of this research, it will be mentioned what types of data collection are chosen for what kind of information need. It concerns only those data collection methods that are needed to perform the diagnosis, design and implementation of the tool, as opposed to those methods that are included in the tool itself.

- Questionnaires

In this research use will be made of a so-called control culture questionnaire amongst all participants. This questionnaire facilitates a clear picture of the internal control culture and consists of approximately 25 questions/statements. It is used as a supplementary tool; a mix of methods focussed on culture will be used. Care is taken that the questionnaire is delivered with a covering letter, looks attractive and is easy to follow, and that the questions are not too long, are clearly worded and appear in a logical order. Questionnaires are capable of producing large quantities of highly structured, standardised data. There is a limited flexibility and the focus is on measurement. For this reason questionnaires are not used as primary method of data collection, but only marginally to support qualitative data gathering.

[Figure 5 not reproduced. Labels shown: Design process: Thinking and deciding about the form; Change process: Controlled change of the form.]

18 Clarke, A. Evaluation Research: An introduction to Principles, Methods and Practice, Sage Publications Ltd, London: 1999

- Interviews

Interviewing is another research method widely used. Clarke (1999, p. 71) mentions that it is of use particularly with qualitative researches. Since this research can be characterised as a qualitative research, it is chosen to be the most common way to collect data. In general terms, a broad distinction is made between the basic types of interview format: structured or standardised interview, the semi-structured or semi-standardised interview and the unstructured or unstandardised interview (Clarke, p. 72). A structured interview, also referred to as a formal interview, relies on a questionnaire or interview schedule as the instrument for collecting data. A semi-structured interview follows a less rigid format. Although standardised questions are included, there are also open-ended questions designed to elicit more qualitative information. The interviewer has some control over how the research instrument is implemented and can vary the order and phrasing of questions. An unstructured interview is a purely qualitative interviewing strategy in which questions and follow-up probes are generated during the interview itself. The interview is completely open-ended in character and is particularly useful at the beginning of a study to become acquainted with the subject and the participants.

This research starts off with an initial exploration of the ideas, insight and attitude of the main internal stakeholders, such as management, risk department staff and the internal auditor. Their objectives and knowledge are of the utmost importance to get a clear picture of how to approach and start the RSA. These interviews will take place rather informally and intensively. It doesn’t make any sense to come up with a highly structured interview technique, because questions are dependent on people’s definitions and ideas of the situation at hand. There is a need for unstructured interviewing with the result mainly presented in the methodology chapter (being Chapter 3). Further stages in the research process are facilitated by a more structured interview technique, i.e. semi-structured interviewing. Refinement of ideas already generated before asks for a more guided conversation to steer the interviewee in the desired direction.

Interviews are not included in this research, a consequence of my promise to management to keep all sources anonymous and information obtained confidential. The same goes for the actual risk identification and assessment interviews.

- Observation

One of the advantages of doing an 8-month internship in a local branch combined with an assignment at a central level of the bank is the possibility of comparison. Being involved in several banking processes, having the opportunity to facilitate an RSA and conducting a range of interviews results in a wide variety of observations. This has made clear that the way of working in Monaco is different from the way work is done in Amsterdam. Conclusions can be drawn ‘in perspective’; they become relative to another social entity, which caters for more trustworthy results. Observation as a way of collecting data is very useful to obtain supportive information and can be used at various instances. Personal experience is an important resource. Direct experience of programme activities (read: RSA activities) enables the facilitator to draw on tacit, as well as propositional, knowledge, in order to describe and anticipate a situation or series of events (Clarke, 1999, p. 80). According to Clarke’s categorisation (1999, p. 80) the role of observer as participant seems to be most appropriate. It entails a lot of social interaction and makes the observations less overt. This keeps participants acting in their usual way; they are less prone to behave in a socially accepted manner.

- Documentary Sources

Another primary resource is documentary sources. A wide variety of sources will be available, ranging from internal policy documents to literature provided by academic libraries. Based on Burgess (1984), Clarke (1999, p. 83) makes a distinction between primary and secondary sources. Primary sources refer to documents compiled by individuals who have firsthand experience of the events described. Examples include minutes of meetings, office memoranda and personal diaries. Secondary source material consists of documents produced by individuals who do not possess personal knowledge of the situation. An example would be a written abstract of a lengthy report. In this research I will mostly make use of primary sources. Since the study is theory-driven, both (international) business related theory and specific operational risk related literature will be used. In addition to scientific literature, documents provided by ABN AMRO will be an important source as well. An attempt is made to work with and create a synthesis of various internal sources within ABN AMRO PCAM. Also, I will try to collect data from other Strategic Business Units (SBU’s) and other functional areas than where the research applies to. Thus, data collection will take place beyond Operational Risk Management at local Private Clients level.

It is difficult to indicate the order in which data collection takes place, since all three stages (diagnosis, design and implementation) are served by various methods combined. As a general remark, unstructured interviews and internal documents will be used in the beginning of the research to get clear what local management means and wants me to do. For the diagnosis, semi-structured interviews, observations, the control culture questionnaire and systems theory-literature (i.e. documentary resources) will be the main instruments to collect data. Specific operational risk literature and social science theory will prove to be most important for the design of the process to assess and identify operational risk. Observations during, and experience with, the roll-out of the RSA are a second significant input in this stage. Implementation takes into account the cultural situation as experienced during the first edition of the RSA and theory how to design a structured implementation.

4 The Control Situation

4.1 Introduction

Organisation diagnosis can be considered:

‘The process of using concepts and methods from the behavioural sciences to assess an organisation’s current state and find ways to increase its effectiveness.’ (Harrison 1987, p. 23)

‘Every empirical-based activity, taking place to judge or estimate the situation and activities of the organisation, just as the effects of change therein.’ (Karow 2001, p. 10)

An important conclusion to be drawn from these two definitions is that the following elements are key factors:

- to estimate the situation of an organisation;

- to estimate the effects of change;

- to make use of concepts and methods from behavioural sciences;

- to find ways to increase the organisation’s effectiveness.

The attempt will be made to take these four factors into account during the diagnosis. It will be necessary to find potential pitfalls or problems the organisation might face if the RSA instrument is to be designed and implemented. The current situation and the effects of change are therefore important to consider: both elements will have their impact on the extent to which the results of an RSA are satisfactory. To increase the organisation’s effectiveness, i.e. by diminishing its susceptibility to operational risks, a profound insight is a prerequisite. Not only behavioural aspects such as the control culture or the overall atmosphere need to be considered, but also the way in which control takes place and the objectives with respect to operational risk. Before this is examined, a problem owner analysis is performed, to find out whether the problem is really a problem and whether a diagnosis is useful.

4.2 Problem owner analysis

According to De Leeuw (1997, p. 209), a problem is always connected to a problem owner. In reality, problems are rarely isolated and often involve several problem owners. In this case, several problem owners can be appointed. In order to control the problem, it should be clear what kind of problem it concerns. The three possible types of problems De Leeuw (1997, p. 213) mentions are: perception problems, goal problems or reality problems. Only reality problems can be considered control problems, and for this kind of problem control objectives should be formulated.

The project concerned here is a self-assessment of the organisation. This implies that, in addition to the explicit problem mentioned by management, a group of problem owners should be added: the employees that are supposed to self-assess the organisation on operational risks. They are confronted with problems if a risk stays unnoticed and finally results in a loss for which they might be responsible. The actual executing team (the operational risk department), to which responsibility for the project has been delegated, can be seen as a third group of problem owners. The team is expected to find a solution to the problem and should start with a diagnosis to get a hold of it. Interviewing these groups¹⁹ and being part of one group has given me confidence that the nature of the problem is intersubjective: the subjectivity is shared by a coalition. Everyone agrees that money is directly lost if operational risk events are occurring and not sufficiently controlled. Examples of fraud being successful or if information is not sufficiently backed-up

19 Interviews are not included for reasons of confidentiality
