
ORX Exploring Risk Exposure Methodologies 2020 Summary Report


Exploring Risk Exposure Methodologies

March 2021

Summary report
Structured methods for operational risk analysis


Contents

• Executive summary
• Introduction
• Structured scenarios
• Focus of this pilot
• Bayesian networks for operational risk management
• Visualising structured scenarios
• Why use structured scenarios?
• Two scenario structures: Pandemic and Vendor Failure
• Pandemic structure
• Capturing operational risk impacts of coronavirus
• Vendor failure structure
• Conclusion
• Report contacts

Area of op risk: Risk measurement

The Exploring Risk Exposure Methodologies study is part of the ‘Risk Measurement’ area of our world-leading research programme, where we cover a wide range of topics, including capital calculation and methodology, models and stress testing. Taking part in and accessing the full outputs from research is free to members. Other firms can benefit for a small fee.

For more information about ORX research, visit managingrisktogether.orx.org/op-risk-research

Disclaimer: ORX has prepared this document with care and attention. ORX does not accept responsibility for any errors or omissions. ORX does not warrant the accuracy of the advice, statement or recommendations in this document. ORX shall not be liable for any loss, expense, damage or claim arising from this document. The content of this document does not itself constitute a contractual agreement, and ORX accepts no obligation associated with this document except as expressly agreed in writing. ©ORX 2021

Executive summary
Much of operational risk quantification relies on two techniques – loss distribution approaches (LDAs) and scenario analysis.

Each has its own merits and areas of application: LDAs are useful for familiar risk types for which sufficient data is available, while scenarios can be used to assess new or emerging risks, or risks for which data may be sparse.

A third approach, which in some way tries to build a bridge between these two, is structured scenarios[1]. The assumption behind these approaches is that the underlying exposure an institution has to a specific risk can be described by a set of factors. These variables drive the frequency and severity of loss events, and by identifying and understanding them, you can both measure the exposure to a risk and know how best to control and mitigate it.

This paper reports on an industry initiative that ran throughout 2020 to create structured scenarios for pandemic and vendor failure risks. The initiative used Bayesian networks[2] as the modelling approach, but other methods could also be applicable.

By using Bayesian networks, the structured scenarios are given a conceptual framework for gaining deeper insight into risk drivers and how they relate to each other. The relationships can easily be visualised and serve as a basis for internal conversations involving a variety of stakeholders – thereby bringing together risk modellers, risk managers, and businesses, each of whom has much to gain from an accessible basis for informed conversations on particular risks.

The risk drivers relevant to a specific risk are typically not idiosyncratic, as they relate to the fundamental processes that give rise to operational risk events. Rather, the specific values (or distributions) that these factors may take vary across companies, as does the strength of controls which may mitigate their impact. As a result, the approach also provides opportunities for industry collaboration to agree on the sets of relevant factors, and the mechanism by which they interact and lead to the exposure to risks.

As well as banks and insurers from our membership, this collaboration also included the specialist consultancy Elseware[3], who have extensive experience in creating structured scenarios for operational risk. Structured scenarios require investment of time and expertise to create, but by taking an industry approach, this burden is shared and expertise is pooled, leading to a more efficient and robust outcome.

This report presents the results from the pilot project, which aimed to identify the most important risk drivers for two very topical scenarios – Pandemic and Vendor Failure. It provides background information on structured scenarios and Bayesian networks, before going into more detail on the model structures that were built for the two scenarios.

The results are two models, which will deepen the understanding of each of these risks and promote structured scenarios as a way of performing risk measurement.

[1] Commonly also referred to as factor models or exposure models
[2] Pearl, J. (1988) Probabilistic Reasoning in Intelligent Systems. San Francisco, CA: Elsevier
[3] https://www.elseware.fr/

Introduction
In early 2020, ORX launched a new initiative to explore the use of structured
scenarios for operational risk measurement, specifically structured scenarios based
on Bayesian networks.

The aim of the pilot project was to discover how financial institutions are using structured scenarios and gauge the interest among the ORX membership in joining an industry community to explore these methods and share expertise.

Structured scenarios using Bayesian networks are built on risk drivers corresponding to both firm-specific and external variables describing the environment. They are developed using subject matter input to build structures that capture loss generating processes that reflect the organisational risk profile to specific risk types and scenarios.

As they are data driven, they can be seen as building a bridge between conventional scenarios and purely quantitative approaches to measure operational risk exposure. They, therefore, promise to provide a more nuanced view of the operational risk profile. Nevertheless, while structured approaches have been in use for a while and are increasing in popularity, they have yet to become a widely adopted approach for operational risk quantification.

The two central questions that the pilot aimed to explore were:

• Can the industry work together to create a factor driven approach to measure operational risk that more adequately reflects the organisational risk profile?

• What can ORX do to support members that are using, or plan to implement, such an approach?

This meant exploring whether we could, together with a group of industry representatives, create a set of basic models or structures[4], which individual firms can use and adapt for their own purposes. The intention was to focus on two scenarios to explore the feasibility and interest in this kind of collaboration.

If successful, the pilot study would serve as a road map to create additional structures for a suite of scenarios that ORX member institutions could benefit from.

The project was run in collaboration with Elseware[5], a specialist consultancy with experience in structured scenarios based on Bayesian networks, who provided input and guidance during the project.

It was also overseen by a steering group of 13 member institutions, who were responsible for the general direction of the project and provided input and feedback on the developed structures.

[4] The term “structures” is used throughout most of the report
[5] https://www.elseware.fr/

Structured scenarios

Much of operational risk measurement has been dominated by two common approaches, which can be considered to represent two ends of a spectrum, ranging from a purely quantitative and more data-driven end to a qualitative and more subjective end (figure 1).

At the quantitative end, operational risk losses are typically modelled and extrapolated from event data using loss distribution approaches (LDAs). These methods are useful for the more commonly experienced risks, for which firms have a lot of historic data to draw from.

LDA modelling is arguably more objective. However, as it relies heavily on historic loss data, it is also “backward looking” in the sense that it assumes that the future risk profile is, to some extent, stationary and can be inferred from loss histories. Moreover, it can be difficult to apply LDA models to risks for which internal data is scarce, such as known risks for which firms do not have a lot of historical losses, or emerging risks which are not yet well understood.

Conventional scenarios represent the other, more qualitative end of the spectrum. Developed from a storyline, these scenarios rely on input from subject matter experts (SMEs) to estimate organisational exposures. While this makes them less objective in nature, conventional scenarios are useful for assessing situations that organisations have previously had little or no exposure to. This includes emerging risks, of which the potential severity is notoriously hard to assess.

In light of this, it has become common practice among financial institutions to establish scenario programmes in parallel to quantitative risk estimations, in order to gain a better understanding of the organisational operational risk exposure. Additionally, financial regulators are seeing the benefits of scenarios for operational risk management. In the recently updated draft version of its Principles for the Sound Management of Operational Risk[6], the BCBS stresses the importance and usefulness of scenarios to understand how financial firms can remain resilient and tackle new risks, such as climate change.

Structured scenarios, in many ways, build a bridge between quantitative LDA methods and qualitative conventional scenarios. They blend statistical methods with the risk-focused approach of conventional scenarios. However, rather than beginning with a scenario narrative, a structure is developed based on a set of identified and relevant risk drivers. The structure itself reflects how different internal and external risk drivers influence one another, as well as the overall exposure to the risk in question.

ORX Scenarios

ORX Scenarios is a unique resource that effectively addresses practitioners’ needs of scenario identification, assessment, quantification and validation practices. You can compare your scenario portfolio and methods against your peers to ensure full coverage of the most relevant scenarios.

[6] https://www.bis.org/bcbs/publ/d508.htm

Figure 1: Operational risk measurement approaches in comparison

LDA modelling (quantitative/objective end of the spectrum)
• Useful where a lot of data is available
• More objective but backward looking
• Cannot be applied to situations never experienced
• Difficult to include controls and mitigation efforts

Conventional scenarios (qualitative/subjective end of the spectrum)
• Useful for rare events
• Scenarios are typically assessed individually and independently of each other
• Rely on SME input
• Common risk drivers are often assessed in isolation

Structured scenarios
• Building a bridge between the two approaches: more use of data, and SME input where necessary
• Require more expertise and time during initial development
• Are useful to assess rare events
• Allow for the inclusion of controls and mitigation efforts

Structured scenarios typically require more effort and resources for their initial development but promise important benefits for risk management.

A key benefit is that, as they draw from firm and business data, the structures can more accurately reflect organisational risk profiles. Where this data is continuously monitored, this allows for the simple, regular updating of the model output, providing an up-to-date view of the risk profile.

Understanding the drivers of both well-known and lesser-known risks provides an understanding of exposure to each, and a starting point for mitigating action. Where risk drivers are used across different structures in the scenario suite, the creation of a risk driver library provides an understanding of how individual risk drivers create a dependence between risks.

Focus of this pilot

In light of the coronavirus (Covid-19) outbreak in 2020, the pilot study focused on two very topical scenarios: Pandemic and Vendor Failure.

The scenarios which the pilot study focused on were selected with the guidance of the project steering group.

The second scenario was also chosen with a view to demonstrating some of the merits of structured scenarios. A pandemic can be considered both a scenario of its own and a stress on other scenarios. The vendor failure example served to demonstrate how stressed risk drivers could be considered. Furthermore, structured scenarios allow for the inclusion of mitigating efforts. The vendor failure structure served to show how this can be done as well, and both aspects are explained in detail later in this report.

The focus on pandemic and vendor failure additionally links in with a range of other work that ORX completed in 2020 to support its membership in dealing with the coronavirus outbreak. An overview of our free coronavirus resources can be found on https://managingrisktogether.orx.org/coronavirus

Bayesian networks for operational risk management

Bayesian networks are a common approach to modelling and were first used for operational risk more than 20 years ago[7].

However, despite their advantages in terms of clarity and transparency, they have not found their way into the more mainstream quantifying methods used in the industry.

Bayesian networks can be visualised as graphs, in which variables are represented by nodes and their relationship is described by the edges between the variables. This simple way of representing variables visualises which variables influence one another. The graph only links variables that affect others. Nodes that have a direct effect on another node, i.e. an edge originates from the former and points to the latter, are called parent nodes. The nodes to which the edge points are called child nodes. Examples of this are shown in figure 2.

The variables represented by the nodes are random variables with at least two possible outcomes. These outcomes can be Boolean, categorical, or quantitative (in the last case, bins can be used to capture the data).

[7] See for example Alexander, C. (2000). 'Bayesian Methods for Measuring Operational Risk.' Discussion Papers in Finance 2000-02. The University of Reading. Reading: The Business School for Financial Markets.

Figure 2: Example of Bayesian network

[Figure: four nodes. Variable 1 is the parent node of variable 2. Variable 2 is the child node of variable 1 and a parent node of variable 4. Variable 3 is a parent node of variable 4. Variable 4 is the child node of variables 2 and 3.]

ORX Risk Driver Workbooks

ORX began exploring structured scenarios in the first iteration of the Risk Driver Workbook series published between 2013 and 2015.

These workbooks are a suite of practitioner guides for building operational risk scenarios. Their first iteration included examples of very simple structures that make use of the logical framework behind Bayesian networks to demonstrate the effect of certain risk drivers on operational risk exposures.

Contact us today about accessing Risk Driver Workbooks with the ORX Scenarios service https://managingrisktogether.orx.org/orx-scenarios

The method makes it feasible to derive a set of conditional distributions by greatly simplifying calculations where relationships, or edges, do not exist. If two variables are not linked, it is implied that they are conditionally independent of each other, i.e. the value of one variable does not influence the value of the other.

Visualising structured scenarios


Using the assumptions of Bayesian network theory, the framework used to develop the structures for this pilot project was based on the Exposure, Occurrence, Impact framework developed by Elseware[8][9].

For the purpose of this report, the structures that follow are presented as shown in figure 3. Each structure consists of three basic variables, which together make up the overall exposure:

• The exposure variable determines the focus and scope of the model. It describes the “resource”, which determines the scale of exposure to a particular risk. A resource constitutes a valid exposure variable if each unit can be considered to be independently exposed to the risk. For example, the level of exposure to individual card fraud may be determined by the number of cards in circulation. Other examples of resource variables include the number of customers, products, or certain assets.

• The occurrence variable defines the probability that an event may occur and includes any trigger variables that lead to an event. The exposure variable and the occurrence variable together are analogous to the event frequency in conventional scenarios.

• The impact variable often combines several cost components that are typically the result of a combination of risk drivers. The variable provides the estimated impact per unit of exposure and is later scaled by the exposure variable to reflect the size of the organisation or, alternatively, the entity, business, or operation under consideration.

While not visually identified differently in the structure, for clarity, this report uses the term cost component to describe those risk drivers that directly define the impact variable and assign a monetary value to the variable.

Risk drivers and global variables

The basic variables are quantified through risk drivers, which can be internal or external factors that drive the exposure through determining the marginal distributions of the child nodes they link to. While more risk drivers tend to link to the impact variable, they can also be taken into consideration for the occurrence variable.

Most external risk drivers are referred to as “global variables”. These are either primary triggers for an event, or indirectly drive the severity of the exposure.

Control variables and stressed variables

A key advantage of structured scenarios over LDAs is that they provide a straightforward way to include control variables and mitigating efforts. This leads to the updating of the probability distribution of the relevant risk drivers.

In addition, certain risk drivers can be stressed in order to consider how they might behave under particular environmental influences or circumstances. This is visualised in the form of the red node in figure 3. The possibility to stress risk drivers makes structured scenarios particularly useful for stress testing exercises.

The inclusion of control variables and the stressing of variables provide examples of a more general advantage of structured scenarios, which is that the models lend themselves to sensitivity analysis and “what-if” scenarios. By changing one variable while keeping the other assumptions unchanged, the structures provide insight into the effects of the change in the variable on the overall exposure.

[8] https://www.elseware.fr/xoi-method/
[9] Naim, P. and Condamin, L. (2019). Operational Risk Modeling in Financial Services. Chichester: Wiley.
Figure 3: Example scheme of a structured scenario

[Figure: legend entries are basic variable, risk driver, global variable, control and stressed variable. Risk drivers, global variables, a control and a stressed variable feed into the three basic variables Exposure, Occurrence and Impact.]

Exposure: The exposure is the resource that exposes a firm to a risk. This can be, for example, the number of employees (or a specific group of employees, such as traders), products, models, or certain assets.

Occurrence: The occurrence captures the probability of an event occurring and leads to a loss when a resource is affected. The occurrence and exposure together are therefore analogous to the frequency of an event.

Impact: The impact captures the loss amount per unit of exposure. It is an amount of loss which is further broken down into several components as necessary, e.g. direct loss, repair costs, indirect costs, loss of income, and/or fines.
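
The factorisation along edges described for Bayesian networks, and the exposure, occurrence and impact scheme with a control and a stressed risk driver, can be shown together in a few lines. This is an added example, not code from the ORX report or from Elseware: the node names echo the report's vendor failure figure, while the wiring between nodes and every probability and amount are constructed assumptions.

```python
"""Added example: a small Exposure x Occurrence x Impact structure solved exactly.

Node names echo the report's vendor failure figure; the wiring between nodes and
every probability and amount below are constructed for illustration only.
"""
from itertools import product

# Exposure: number of independently exposed units (key vendors). Constructed.
N_KEY_VENDORS = 40

# Risk driver that can be stressed: vendor credit rating. Constructed marginals.
CREDIT_BASE = {"good": 0.80, "weak": 0.20}
CREDIT_STRESSED = {"good": 0.55, "weak": 0.45}  # what-if: pandemic stress applied

# Control: is a resilience plan in place? Constructed marginals.
PLAN_BASE = {"yes": 0.60, "no": 0.40}
PLAN_ENFORCED = {"yes": 1.00, "no": 0.00}  # what-if: control fully rolled out

# Occurrence: P(vendor fails within the year | credit rating). Constructed.
P_FAIL = {"good": 0.01, "weak": 0.08}

# Impact driver: P(days to return to operations | resilience plan), in bins.
DAYS_TO_RETURN = {"yes": {2: 0.7, 10: 0.3}, "no": {10: 0.4, 30: 0.6}}

# Cost component: loss per vendor per day of disruption. Constructed.
DAILY_IMPACT = 50_000


def joint(credit, plan):
    """Enumerate every joint state as (probability, loss_per_unit, credit, fails).

    Only linked variables share a conditional table, so the joint factorises as
    P(c, p, f, d) = P(c) * P(p) * P(f | c) * P(d | p).
    """
    for c, p in product(credit, plan):
        for fails in (True, False):
            p_f = P_FAIL[c] if fails else 1.0 - P_FAIL[c]
            for days, p_d in DAYS_TO_RETURN[p].items():
                prob = credit[c] * plan[p] * p_f * p_d
                loss = days * DAILY_IMPACT if fails else 0
                yield prob, loss, c, fails


def expected_annual_loss(credit, plan):
    """Expected loss per unit of exposure, scaled by the exposure variable."""
    per_unit = sum(prob * loss for prob, loss, _, _ in joint(credit, plan))
    return N_KEY_VENDORS * per_unit


def p_weak_given_failure(credit, plan):
    """Diagnostic query: P(credit rating is weak | the vendor failed)."""
    p_fail = sum(prob for prob, _, _, fails in joint(credit, plan) if fails)
    p_both = sum(prob for prob, _, c, fails in joint(credit, plan)
                 if fails and c == "weak")
    return p_both / p_fail


def what_if_table():
    """Change one variable at a time, keeping the other assumptions unchanged."""
    return {
        "baseline": expected_annual_loss(CREDIT_BASE, PLAN_BASE),
        "credit rating stressed": expected_annual_loss(CREDIT_STRESSED, PLAN_BASE),
        "resilience plan enforced": expected_annual_loss(CREDIT_BASE, PLAN_ENFORCED),
    }


if __name__ == "__main__":
    for name, loss in what_if_table().items():
        print(f"{name:26s} {loss:12,.0f}")
    print("P(weak | failure) =", round(p_weak_given_failure(CREDIT_BASE, PLAN_BASE), 3))
```

Because the stress and the control each replace a single marginal table, the three figures in the what-if table differ only through the variable that was changed, which is the sensitivity analysis the text describes.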


Why use structured scenarios?


The visualisation of Bayesian networks and structured scenarios presented in the preceding sections indicates the advantages that structured scenarios can offer for operational risk management and measurement (figure 4).

Figure 4: Advantages of structured scenarios

[Figure: three advantages are shown: Transparency, Scalability and Adaptability.]

Transparency

Structured scenarios provide a systematic and transparent method to consider and capture risk drivers, their interaction, and their contribution to the overall exposure to a risk type. They thereby provide risk managers with an effective means to talk about specific risk types, and communicate results and findings to senior management, businesses, and other stakeholders.

In addition, and as previously touched upon, running the analysis under different assumptions can provide further insights. By gaining a better understanding of the role of specific risk drivers through sensitivity and “what-if” analyses, risk managers can be in a better position to identify internal control gaps or shortcomings.

Scalability

The calculation of an impact value per unit of exposure allows the model to be scaled to firm size. Obtaining the value of the impact variable also means that they are comparable within and across organisations, entities and business units.

Moreover, the risk drivers that firms would take into account for particular scenarios are likely not firm-specific. Rather, specific values that these factors could take may vary, as well as the strength of controls in place to mitigate their impact. This creates opportunities for sharing industry knowledge and experiences.

Adaptability

Once established, the structures can be rolled out to different levels within organisations, such as to different legal entities or businesses. Evidence from a steering group participant, who initially established a set of structured scenarios at group level, showed that the further roll out at other levels of the organisation proved straightforward. While more effort and time was required to establish the initial set of structures, the participant reported that they could later be adapted and repeatedly applied with ease. In addition, the assessments all started from the same set of risk drivers and ensured a consistent assessment across the organisation.

Two scenario structures: Pandemic and Vendor Failure

The following sections present the two structures, Pandemic and Vendor Failure, that were developed as part of the pilot project.

Pandemic structure

A pandemic can be considered both as a stress on other scenarios (for example, the operational impact of home working on transaction processing) and a scenario on its own (for example, considering the direct impacts of the pandemic on people).

As with all scenarios, it is important to define the boundaries and carefully determine which cost components and risk drivers should or should not be included to avoid double-counting. Here, the pandemic is a standalone structure looking at the impact on employees.

The rationale behind the structure presented in figure 5 is that a pandemic outbreak leads to:

• Additional costs to protect employees from becoming ill
• Additional costs to enable employees to continue their work and keep operations running, including additional IT costs or other operational expenses (for example, the hiring of additional staff)
• A reduction in productivity caused by a reduced labour force

The structure is therefore aligned with the ORX guidance for recording coronavirus-related operational risk losses, which was developed as part of the work of the ORX Definitions Working Group (see the section “Capturing operational risk impacts of coronavirus” for further details). It also draws from the experience of the coronavirus pandemic, which led to people being unable to work due to infections and, in contrast to previous global outbreaks, led to nationwide lockdowns in many countries that restricted and changed working environments over long periods of time.

The loss of productivity does not usually fall under the remit of operational risk loss and, as indicated in figure 5, has been added as an optional component. It was included to give firms the possibility to gain an understanding of the wider financial repercussions that pandemics can have. Moreover, it was added because the purpose of structured scenarios is not just to understand what determines capital levels, but also how organisations can be affected by certain risks more widely and what the associated business implications are.

The resource variable under consideration was employees, albeit further structures could have been developed alongside to estimate the effect on other resources, such as customers, services, offices or vendors.[10] Here it is important to distinguish between the cases in which a pandemic warrants a scenario structure in its own right, or constitutes a stress on other scenarios. To demonstrate the case of the latter, the second structure on vendor failure shows how a stress can be included in a scenario that considers resources affected by the associated changed environment.

Applications of the model

The structure can be used to estimate the impact of a pandemic in two situations.

Interpandemic situation

This describes a situation between two pandemics and sufficiently ahead of the next expected outbreak, i.e. no significant epidemic is foreseeable in the near-term future. In this case, the parameters, in particular those at the regional level, will be based on past experiences and/or on SME input.

Pre-pandemic situation

In this case, a significant outbreak has occurred and may develop into a pandemic, albeit is not yet officially considered as such. As a result, the probability of a pandemic occurring should be increased, and regional parameters may be adjusted based on current developments.

[10] https://managingrisktogether.orx.org/coronavirus/scenario-development-handbook-pandemic

Figure 5: Pandemic structure

[Figure: legend entries are basic variable, risk driver, global variable and optional component. Node labels shown: Region; Illness duration; Pandemic duration; Workforce status; Business line; Status duration; Protection costs; IT infrastructure costs; Operational costs; Fraction at risk; Slowdown factor; LMH Revenue; Workforce protection; Staff augmentation; Revenue impact (optional component); NbEmp; Pandemic. The basic variables are Exposure, Occurrence and Impact.]

Capturing operational risk impacts of coronavirus

In July 2020, the ORX Definitions Working Group (DWG) published a guidance note for capturing operational impacts due to coronavirus. The note was the result of a series of calls with representatives from the 50 financial institutions that form part of the DWG.

The recommended general approach is that firms should consider whether an impact would have been experienced without the pandemic. In the case it had not, the impact should be included in operational risk reporting. Therefore, the impact should be included if:

1. The cost has arisen as a result of the coronavirus pandemic.

2. It was an unexpected cost, i.e. was not planned for, budgeted for, or part of any strategic plan that was in place before the pandemic.

3. It was not a goodwill payment/cost incurred (e.g. ex-gratia payments etc).

It was recommended to include the following costs:

• Working from home – one-off costs of additional work-at-home equipment (e.g. laptops) and services (e.g. increased VPN capacity) required specifically as a result of the pandemic.

• Cleaning costs – cleaning costs clearly attributable to the pandemic, such as the cost of deep cleaning buildings where staff have tested positive for coronavirus.

• Protective equipment – for example, plastic screens in branches, face masks, gloves required to maintain operations during the pandemic.

• Building costs – immediate additional costs of building closure caused by pandemic (for example, additional security costs).

• Cost of establishing a pandemic command centre – costs over and above existing business continuity planning/control spend.

The full guidance note can be downloaded via https://managingrisktogether.orx.org/coronavirus/capturing-operational-risk-impacts-coronavirus

Vendor failure structure


Third party (or outsourcing) risk has been high on the list of top and emerging risks over the last few years, but the urgency around managing this risk, and monitoring the financial stability and viability of vendors, increased with the onset of the 2020 coronavirus outbreak.

While previously at place 6 of the top risks in the ORX Operational Risk Horizon published in January 2020[11], during the course of the year, third party risk became one of the top three risks causing concern for operational risk managers (see table 1).

Table 1: Top 5 risks ranked by industry management professionals in September 2020. Taken from the ORX Top Risk Review, October 2020[12]

Level 1 Risk (taken from ORX Reference Taxonomy)

Rank | Operational Risk Horizon 2020 | Covid Risk Review (May 2020) | Top Risk Review (September 2020)
1 | Information Security (inc. Cyber) | Business Continuity | Information Security (inc. Cyber)
2 | Conduct | Information Security (inc. Cyber) | Third Party
3 | Technology | Transaction Processing & Execution (ranked 7th in September 2020) | Business Continuity
4 | Regulatory Compliance | People (ranked 9th in September 2020) | Technology (ranked 7th in May 2020)
5 | Financial Crime | Third Party | Regulatory Compliance (ranked 11th in May 2020)

Organisations across countries and industries have experienced financial distress due to coronavirus and the restrictions on work, supply chains and travel that came with it. Such circumstances can have knock-on effects on client firms, including on financial institutions. The structure presented in figure 6 therefore considers both the potential default and disruption (either technical or due to information security incidents) of vendors, causing financial losses experienced while the firm tries to return to operations at previous service levels.

To consider the additional stress of a pandemic, certain nodes in figure 6 are identified as risk drivers that can be stressed. The rationale behind this is further described below and after the description of the basic variables and associated risk drivers.

Additionally, structured scenarios allow for the inclusion of controls and mitigating efforts. An example of this has also been provided in the form of a node representing a resilience plan that firms might have in place. This is also further described below.

[11] https://managingrisktogether.orx.org/research/operational-risk-horizon-2020
[12] https://managingrisktogether.orx.org/operational-risk-research/top-risk-review

Figure 6: Vendor failure structure

[Figure: legend entries are basic variable, risk driver, global variable, control and stressed variable. Node labels shown: Vendor tier; Credit rating; Daily spending; Intensity ratio; Resiliency plan; Failure type; Number of key vendors; Technical disruption; InfoSec disruption; Default; Daily impact; Return to operations. The basic variables are Exposure, Occurrence and Impact.]

Vendor tiers

The occurrence and impact components of this structure include a vendor tier node that further defines other risk drivers in the structure. This allows us to distinguish between different types of vendors and the impact that their disruption or default might have on an organisation.

In a 2016 paper, McKinsey & Co proposed a categorisation of vendors into four categories and along two dimensions (figure 7). Depending on their spending on the vendor’s products or services, or financial impact, and their business criticality, vendors can be categorised as strategic, fundamental, niche or transactional.

The categorisation defines vendors with a high business criticality (and cross-enterprise impact) and requiring higher levels of spending for their goods and services as strategic partners. An estimated one per cent or less of the total vendor base fall into this category.

Vendors with high financial impact but low business criticality are fundamental partners, while those with low financial impact but high business impact are niche partners. Less than three per cent of vendors fall into each of these categories. The remaining vendors, which are estimated to constitute up to 90 per cent of the typical vendor base, are considered transactional partnerships.13

While the fraction of vendors that are falling into those three categories is comparatively low, McKinsey estimates the total expenditure on these vendors to be just under 90 per cent of total third party spend. If using the expenditure as a basis to estimate the potential financial impact of vendor default and disruption, defining strategic, fundamental, and niche vendors as “key” makes their assessment a manageable exercise. At the same time, these vendors can be expected to make up the largest part of the potential exposure for this scenario.

Figure 7: Categorisation of "key" vendors (Adapted from McKinsey and Co, 2016)13

[Figure not reproduced. Two-by-two matrix. Vertical axis: Spending (Financial impact), LOW to HIGH. Horizontal axis: Business criticality and cross-enterprise impact, LOW to HIGH. Quadrants: Fundamental (high spending, low criticality), Strategic (high spending, high criticality), Transactional (low spending, low criticality), Niche (low spending, high criticality).]

13 McKinsey and Co, 2016

What-if and sensitivity analysis

The pandemic outbreak in early 2020 had far-reaching consequences for the global economy, including slumped GDP and stark increases in unemployment in many countries. Macroeconomic factors can be relevant and important risk drivers to consider for certain scenarios. Structured scenarios allow for the consideration of environmental factors, both in the form of global variables that directly affect other nodes, or as stresses on certain nodes.

For this kind of ‘what-if’ analysis, thought must be given to which nodes can be expected to be affected by changes in the environment. The nodes are stressed by establishing alternative distributions, typically with the help of subject matter expert (SME) input. The performance of sensitivity analysis for specific nodes can add further value and provide a better understanding of the result of each change in the assumptions.

In the case of the vendor failure structure, the nodes that could be stressed are identified in figure 6. As a pandemic unrolls, the restricted and changed working environments put pressure on vendors, who themselves might be dependent on products and services that have become difficult to procure.

Inclusion of mitigation variable: Resiliency plan

Structured scenarios also allow for the inclusion of controls or mitigation efforts. The resiliency plan variable included as an indirect risk driver of the impact variable (see figure 6) reflects any steps a firm has taken to dampen the impact from vendor default or disruption. This has a direct effect on the return to operations node and may even counteract some of the effects of a stressed environment on the node.

Extended ORX Reference Taxonomy

ORX has leveraged the wisdom of crowds to create:
• A new operational and non-financial risk reference taxonomy
• Complementary causal and impact categories

Conclusion

We believe that there is huge merit for the use of structured scenarios for operational risk management.

In light of the fast-changing environments in which financial institutions operate, structured scenarios have much to offer as they can provide a more accurate view of the organisational risk profile than a pure loss-driven approach can provide. In addition, there are clear benefits in using structured scenarios as a basis to lead informed conversations over risk profiles with stakeholders across the lines of defence and at different levels of seniority.

The pilot study showed the advantages of creating a community to bring the industry together and discuss structured approaches and examples of specific models. During the project, both structures were presented to wider audiences, including at the 2020 Analytics and Scenario forum and a webinar with interested firms. The positive feedback and lively discussions showed that there is a clear interest among the ORX membership to learn more about structured scenarios and, where firms have already used such approaches, to share knowledge and experiences.

This report presenting the two structures that were developed as part of the pilot will be made available to the ORX membership together with an appendix providing examples of the data quantifying each variable. Further research that continues this work will be part of the risk measurement research stream and conducted in cooperation with the ORX Scenarios service.
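The what-if analysis, node-by-node sensitivity and resiliency plan described above for the vendor failure structure can be expressed as a Monte Carlo simulation over the figure 6 nodes (vendor tier, failure type, daily spending, intensity ratio, return to operations). This is an added example, not ORX's or Elseware's model: it uses plain sampling rather than a Bayesian network and leaves out the credit rating node. Every number, the multiplicative form of the stress and the plan factor are constructed assumptions.

```python
import random
from statistics import mean, quantiles

# Every figure below is constructed for illustration; none comes from the ORX report.
# tier: (number of key vendors, daily spending, annual failure probability per vendor)
TIERS = {
    "strategic": (5, 200_000, 0.02),
    "fundamental": (15, 120_000, 0.03),
    "niche": (15, 20_000, 0.04),
}
# failure type: (share of failures, intensity ratio, (min, mode, max) days to return)
FAILURE_TYPES = {
    "default": (0.2, 1.5, (10, 30, 90)),
    "technical disruption": (0.5, 1.0, (1, 3, 10)),
    "infosec disruption": (0.3, 2.0, (2, 7, 30)),
}
NAMES = list(FAILURE_TYPES)
SHARES = [FAILURE_TYPES[n][0] for n in NAMES]

def simulate_year(rng, p_mult, days_mult, plan_factor):
    """Loss for one simulated year: daily spending x intensity ratio x outage days."""
    loss = 0.0
    for count, spend, p_fail in TIERS.values():
        for _ in range(count):
            if rng.random() >= min(1.0, p_fail * p_mult):
                continue  # this vendor did not fail this year
            _, intensity, (lo, mode, hi) = FAILURE_TYPES[rng.choices(NAMES, SHARES)[0]]
            days = rng.triangular(lo, hi, mode) * days_mult * plan_factor
            loss += spend * intensity * days
    return loss

def run(p_mult=1.0, days_mult=1.0, plan_factor=1.0, years=10_000, seed=7):
    """Mean and 99th percentile of annual loss under one set of assumptions."""
    rng = random.Random(seed)
    losses = [simulate_year(rng, p_mult, days_mult, plan_factor) for _ in range(years)]
    return {"mean": mean(losses), "p99": quantiles(losses, n=100)[98]}

def what_if():
    """Baseline, one-node-at-a-time sensitivity, full stress, and stress with a plan."""
    return {
        "baseline": run(),
        "occurrence stressed": run(p_mult=2.0),
        "recovery stressed": run(days_mult=2.0),
        "both stressed": run(p_mult=2.0, days_mult=2.0),
        "both stressed + plan": run(p_mult=2.0, days_mult=2.0, plan_factor=0.5),
    }

if __name__ == "__main__":
    for name, r in what_if().items():
        print(f"{name:22s} mean={r['mean']:>12,.0f}  p99={r['p99']:>12,.0f}")
```

Because each run reuses the same seed, stressing one node at a time isolates its contribution, and a plan factor of 0.5 exactly offsets the doubled recovery time, so "both stressed + plan" equals "occurrence stressed".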


Managing risk together

ORX believes many heads are better than one. We’re here to bring the best minds of the international operational risk community together.

By pooling our resources and by sharing ideas, information and experiences, we can learn how best to manage, understand and measure operational risk and become less vulnerable to losses. We work closely with over 100 member firms to develop a deeper understanding of the discipline and practical tools. We set the agenda, maintain industry standards, and garner fresh insights.

ORX is owned and controlled on an equal basis by its members.

For more information about ORX, visit our website at www.orx.org

Report contacts

ORX

Dr Luke Carrivick
Director of Research and Information
luke.carrivick@orx.org

Annika Westphal
Risk Measurement & Data Manager
annika.westphal@orx.org

Giuseppe Aloi
Scenario Programme Manager
giuseppe.aloi@orx.org

Elseware

Patrick Naim
CEO
patrick.naim@elseware.fr

Laurent Condamin
Managing Director
laurent.condamin@elseware.fr

Elseware is a specialist in structured risk analysis, helping to bridge the gap between quantification and management.