The hidden costs of operational risk

| Article

Many companies regard the funds they allocate to meet the regulatory requirements concerning operational controls as money well spent. Avoiding operational risks—either dramatic (embezzlement and loan fraud, for example) or mundane (such as regulatory compliance)—can prevent sizable losses from damages, fines, and sullied reputations.

Yet few companies think strategically about operational controls. In our experience, executives typically view paying a fine, for example, or reaching a settlement in a court case as merely the cost of staying in the game. They approach operational-risk measures not as exemplary management practice but as regulatory requirements that should be dispatched with a minimum of fuss. Perhaps they should think again. Many companies underestimate the long-term effect of these events on their market value. Indeed, recent McKinsey research shows that a company’s loss from such a crisis pales beside the eventual loss to shareholders. And it’s not necessarily the biggest missteps that deliver the biggest blows; share prices can plummet as a result of even the smallest events.

Corporations can take a better-informed and more systematic approach to preventing operational-risk crises—and to protecting shareholder value when they do occur. Certain organizational changes and processes will promote a more rapid and candid response and reinforce measures to prevent similar events from recurring.

Operational crises in financial institutions

The experience of the financial-services industry yields useful insights into the long-term effects of operational risk. Financial institutions are particularly vulnerable to events that make them appear risky in the eyes of their customers. Moreover, they typically have a wealth of data to call on as well as strict reporting standards. In general, these companies base their risk calculations and allocate their capital on the probability that a particular incident will occur and the size of the resulting financial loss—the sum pocketed by an embezzler, for instance, or the fine for breaking a rule. At present, few banks factor potential market losses into their operational-risk-management plans or capital allocations, for example.

We analyzed more than 350 operational-risk incidents1 at financial institutions in Europe and North America and found that as news of a crisis reached the market, the initial declines were limited to levels in line with the actual fines, settlements, and monetary losses. Yet over the next 120 working days, the total returns to shareholders (TRS) of our sample declined by a whopping $278 billion,2 more than 12 times the total actual loss of $23 billion (Exhibit 1).

1
It gets worse.

Moreover, we found that the size of the loss varied with the kind of operational crisis that caused it.3 First, we organized the 350-plus incidents in our sample into a number of categories. We then analyzed those categories4 that included more than 20 incidents—enough to yield reliable, in-depth results. Five types of crises led to the harshest responses from the market (Exhibit 2):

2
Five deadly sins
  1. Embezzlement. This type of internal fraud appears to have a contradictory effect on corporate market valuations: a net gain around the date when the event is first revealed but an eventual 3.5 percent loss in market value.
  2. Loan fraud. The market value of companies reporting losses from borrowers that fraudulently obtained credit and later defaulted declined by 3.5 percent of TRS.
  3. Deceptive sales practices and concealment. The market reacts negatively to penalties—such as those resulting from misleading equity research or from miscalculated pension annuities—handed down by regulatory bodies or civil courts. Recovery, if it occurs at all, is short-lived, and companies can lose as much as 5.5 percent of their TRS over the next 120 working days.
  4. Antitrust. Settlements are negotiated in suits brought against companies for price-fixing in, for example, commodity, credit card, or equities markets. The companies involved in such events lost 3.5 percent of their market value in the month following a settlement. Most of them subsequently recovered their losses, however.
  5. Compliance. Imminent fines for various forms of malpractice can generate losses even before they take effect. The market reaction after a fine can shave an additional 5.5 percent off shareholder value—though there can be some recovery after three months.

The way companies communicate information about such events to investors can delay or exacerbate the market’s response. European markets tend to overreact at first, perhaps in the absence of readily available information, and assume the worst until contrary evidence emerges; in contrast, the immediate response of US investors is commensurate with the actual loss. As more information emerges, the market continues to respond (Exhibit 3). Investors in both Europe and the United States assume that the losses exceed the amounts reported, perhaps in the belief that such events signify general mismanagement and herald further losses (possibly too small to report) that will affect the company’s future ability to create value. This negative reaction levels out at some point, as investors either forget the event or come to believe that the problem has been corrected.

3
Responding to risk

A shareholder value approach to managing operational risk

These results suggest that CFOs and their executive teams can protect and even improve returns to shareholders by understanding and managing operational risk more systematically. While most institutions have already carried out some elements of an operational-risk program, an effort to place a premium on preserving shareholder value will create additional responsibilities.

The critical task for executive teams is to establish an operational-risk policy and the guidelines for implementing it. This process can be a challenge for employees who don’t understand the risk categories; if risks aren’t clearly defined and understood, efforts to measure and monitor them—let alone rank them by cost—will likely prove ineffective.

Intuitive as this approach may seem, many companies remain ill prepared to deal with an operational-risk crisis. While they may attempt to be as forthcoming as possible with investors, at times they find it impossible to provide full details. When one European bank, for example, attempted to communicate the extent of its loss from unauthorized trading, it couldn’t provide an accurate estimate. As losses mounted, any credibility the company may have gained from its initial candor evaporated because investors began to suspect that it was hiding something or that another upward revision was yet to come.

We believe an effective risk-management policy should have the following elements.

A common language and understanding of operational risk. Many European financial institutions are using the definitions in the Bank for International Settlements’ Basel II accord as a starting point, and companies in other industries could do the same.

A shared approach to assessing risks. Agreeing on how to predict the frequency of events and calculate their severity is one example. Some Web-enabled tools can quickly collate the data needed to conduct easy, accurate risk assessments, which can then be updated frequently.

A clear process. Companies should outline at what level of the company business-risk assessments will be conducted and how the approach to them will be integrated with the requirements of the Federal Deposit Insurance Corporation Improvement Act (FDICIA) and the Sarbanes-Oxley accounting rules.

A loss database. Tracking internal operational losses can help a company make forecasts and agree on key risk indicators. A database can also integrate the reporting and analysis functions and thus alert managers of significant trends.

With the foregoing elements in place, a company can calculate its capital against the Basel II requirements, rank its risks, analyze their causes, and mitigate the damage, thereby focusing effort on the most serious risks. But the process will also reveal numerous small and frequent errors in everyday processes as well as some large and infrequent events that can become major problems. Companies can reduce the number of small errors across their operations by using tools such as the Six Sigma approach or failure-mode analysis. But to reduce the number of larger errors, they will need to review and strengthen their business practices, compliance and risk-management culture, business-continuity planning, and corporate-insurance programs.

Create a governance structure for managing operational risk. In the past, many good efforts to control risk lacked centralized executive oversight. In financial-services institutions, for example, the responsibility for managing operational risk is often unclear and dispersed. Even companies that have a chief risk officer usually emphasize strategic areas, such as credit or market risk. As a result, most companies don’t have a comprehensive view of the operational risk they face; nor does any single person or group ensure that messages to the markets are clear, accurate, and consistent.

In our opinion, best practice starts with defining the organizational and governance responsibility for dealing with operational risk throughout the institution as a whole. In this way, the roles and responsibilities for managing corporate and business-unit risk are complementary, and their links to auditing, compliance, operations, and technology are clear.

Increase transparency during a crisis. The knee-jerk reaction to a crisis is to clam up immediately—perhaps in the expectation that it can be minimized or that investors won’t find out. This approach is precisely wrong. If news of a crisis leaks to the market before a company comes forward on its own, the shareholders’ response is much worse. When efforts to prevent a crisis don’t succeed, the company should make its communications with investors more transparent. Even where the size of the loss is quite significant, a company is better off disclosing everything up front.

To see whether different approaches to shareholder communications had different effects on the size of the market loss, we analyzed the strategies adopted by comparable companies that suffered crises of similar magnitude. We found clear differences in the time needed for the share prices of different companies to recover. Consider two cases of major unauthorized trading that led to losses of several hundred million dollars each. One institution released a series of negative statements, including numerous upward revisions of the amount of the loss and various related resignations and reorganizations. The market penalized the company heavily during the six months following the crisis. The other institution was candid from the outset and provided lots of details. Just as important, it issued no further bad news related to the event. This company suffered no long-term damage to its market value, and within six months its TRS had returned nearly to its predicted market-adjusted level had the event not occurred.


Operational crises can be unexpectedly costly and potentially catastrophic events. Organizations in every industry can reduce their exposure only by understanding the different kinds of operational risks they face and the extent of their potential losses. Many companies will need to develop a more informed and systematic approach to managing operational risk before they can achieve that understanding.

Explore a career with us