Insurers and banks are currently grappling with how best to model operational risk. Many firms struggle to come up with sensible figures that can pass any proper validation criteria when faced with issues like limited applicable data, correlation with other risks, aggregation challenges, and the impact of prospective operational risks from the use of new technology.
McKinsey have an interesting article out suggesting a structured approach to the issue. The graphic below illustrates their approach.
No one approach is ideal or applicable to all. Notwithstanding this, financial firms all too often focus on justifying a low operational charge to regulators in their capital modelling rather than ensuring that their approach can be embedded into their control framework as a practical risk management tool, one that management and employees can use to remain continually vigilant of operational risks and that offers tangible incentives to mitigate risks which are, by their nature, unanticipated.