FRIDAY, MARCH 24, 2017

Leverage Six Sigma to Manage Operational Risk in Financial Services

The recent spate of events such as rogue trading losses, flash trades and a seeming outbreak of Ponzi schemes has made many in financial services wary about their existing risk management practices. In post-financial crisis times, financial services companies are already under pressure to cut their operational costs while also being expected to comply with stringent regulatory norms. To escape from this financial and economic quagmire, financial services companies are seeking practices that will enable them to effectively and efficiently manage their risks. This article showcases how financial services can leverage Six Sigma tools to manage their operational risk and reduce costs.

Operational Risk

Operational risk is perhaps the most significant risk financial services face. In the last two decades, virtually every major loss in the financial industry (e.g., Enron, Barings Bank, Madoff, subprime credit crisis) has been driven by operational failure.

Basel II, the set of recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision (BCBS, a group that encourages common approaches and standards among country members), defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. Any of the following events is categorized as an operational risk:

  • Internal fraud
  • External fraud
  • Violation of employment practices and workplace safety
  • Breach of client, product or business protocols
  • Damage to physical assets
  • Business disruption and system failure
  • Execution, delivery and process management failure

Challenges in Managing Operational Risk

Variation, whether it is seen as portfolio returns, transaction outcomes or KPI (key performance indicator) performance, is interpreted as risk within the world of financial services. Financial processes are inherently complex; they often cut across multiple functions and geographies. They are susceptible to multiple failure points. It is hard for risk managers to identify the few critical events within a daily data deluge. Once those critical points are identified, monitoring these risk triggers is another bane in the life of a risk manager.

Six Sigma and Operational Risk Management

There are significant opportunities to apply Six Sigma to managing risk in financial services. Failure mode and effects analysis (FMEA) and control charts are two Six Sigma tools that have proven successful in this task.

FMEA: Identify and Prioritize Risk

FMEA is an excellent tool for managing operational risk within financial services. Risk managers can use FMEA to list the failure points of a process and then prioritize risks based on the severity of financial impact, the frequency of occurrence and the ability to detect failure events. Beyond those uses, FMEA can also help managers develop a mitigation plan for high-priority risk events.

The three key benefits of using FMEA in managing operational risk follow:

  1. Listing the failure points of a process
  2. Defining uniform criteria for the prioritization of risk events
  3. Developing mitigation plans for high-priority risk events

Table 1 demonstrates an FMEA for a bank’s ATM operations. Only two key process steps of ATM operation (“ATM PIN authentication” and “dispense cash”) are shown here, but this approach can be scaled across most banking processes.

Table 1: FMEA Round 1

In a typical ATM operation, the ATM PIN authentication step can fail in two ways: unauthorized access and authentication failure. While an unauthorized access event might lead to a highly dissatisfied customer, an authentication failure event will typically result in a mildly annoyed customer. Based on the severity of impact (SEV), frequency of occurrence (OCC) and detection ability (DET) of a failure event, a risk manager determines the risk priority number (RPN) of different failure points.

Similarly, the dispense cash process step may have failure points such as cash not disbursed, amount debited but no cash disbursed, and extra cash dispensed. These examples illustrate that among the failure events listed, the cash not disbursed event has the highest RPN of 196. Based on this assessment, a risk manager may decide to take action such as increasing the minimum cash threshold limit of heavily used ATMs to mitigate the high-priority risk of an out-of-cash situation. Hence, by using the FMEA tool, a risk manager is able to determine critical failure events within the ATM operation and take suitable risk mitigation actions against these key failure events. Table 2 shows the FMEA updated with the recommended risk mitigation actions.

Table 2: FMEA Round 2

Control Charts: Monitor Risks

Financial services companies use key risk indicators (KRIs) to determine the level of exposure to a given operational risk at any particular point in time. KRI reporting and escalation is typically based on trigger levels set by an expert assessment. In addition to those trigger levels, the monitoring of KRIs can be enhanced by plotting KRI data points in control charts. KRIs plotted in control charts reveal the following supplementary insights:

  • Indication of any special pattern or trend observed in performance of the process. This will act as a warning signal for any impending risk events.
  • Indication of whether existing controls are sufficient for keeping the current process in a stable state and within expected tolerance levels.

For example, consider the check-clearing operation within a retail bank. Management has mandated the maximum number of checks that can be processed beyond one week as 60. The financial organization tracks the KRI, the number of checks processed after one week, to estimate the level of potential liability arising from customer complaints and to manage the execution, delivery and process failure risk against BCBS standards. The figure below shows a control chart in which that KRI is plotted.

Number of Checks Processed After One Week

At first glance the KRI seems to be performing well, as it has never breached the upper threshold level (specification limit) of 60 check-clearing requests pending beyond one week set by management. But upon closer scrutiny, the control chart highlights a trend from Week 22 through Week 28 of an increasing number of check-clearing requests pending beyond the stipulated one-week timeframe. This trend acts as a warning that the KRI may breach the upper threshold level in the near future, which in turn could make the bank vulnerable to litigation for the late processing of checks or for a delayed payment from the customers. This indicator suggests the bank should immediately review its check processing operation and take the necessary steps to bring this KRI under control.
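The check-clearing scenario above can be reproduced in a few lines. This is an added example, not code or data from the original article: the weekly values are constructed (the article's chart was an image), and the six-increase run rule and the 20-week baseline are assumptions chosen to match a Week 22 through Week 28 trend. It shows that a fixed threshold of 60 stays silent while the control-chart checks fire.

```python
from statistics import mean

SPEC_LIMIT = 60   # management's upper threshold, from the article
RUN_LENGTH = 6    # assumption: 6 consecutive week-over-week increases = trend signal

# Constructed weekly KRI values (checks processed after one week), weeks 1..28.
KRI = [31, 28, 33, 30, 27, 32, 29, 34, 30, 28, 33, 31, 29, 32,
       30, 27, 33, 29, 31, 30, 32, 28, 31, 35, 38, 42, 47, 53]

def control_limits(values):
    """Individuals (XmR) chart: centre line and 3-sigma limits from the mean moving range."""
    centre = mean(values)
    mr_bar = mean(abs(b - a) for a, b in zip(values, values[1:]))
    spread = 2.66 * mr_bar  # 3 / d2, with d2 = 1.128 for moving ranges of size 2
    return max(0.0, centre - spread), centre, centre + spread

def rising_runs(values, run_length=RUN_LENGTH):
    """Return (start_week, end_week) for each maximal run of >= run_length strict increases."""
    runs, start = [], 0
    for i in range(1, len(values) + 1):
        if i == len(values) or values[i] <= values[i - 1]:
            if i - 1 - start >= run_length:
                runs.append((start + 1, i))  # 1-based week numbers
            start = i
    return runs

def assess(values, baseline_weeks=20):
    """Limits from an assumed stable baseline, then three independent checks on the series."""
    lcl, centre, ucl = control_limits(values[:baseline_weeks])
    return {
        "limits": (round(lcl, 1), round(centre, 1), round(ucl, 1)),
        "spec_breaches": [w for w, v in enumerate(values, 1) if v > SPEC_LIMIT],
        "beyond_ucl": [w for w, v in enumerate(values, 1) if v > ucl],
        "rising_runs": rising_runs(values),
    }

if __name__ == "__main__":
    for name, result in assess(KRI).items():
        print(f"{name}: {result}")
```

On the constructed series the specification limit is never breached, yet the run rule flags Weeks 22 to 28 and the last three weeks fall above the computed upper control limit.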


Reducing variation, or risk, in any company or industry should be a top priority. When markets crash and the rules of an industry change, risk becomes ever more dangerous to an organization. FMEA and control charts – simple yet powerful tools – can reveal hidden pain points that need addressing and allow companies to predict future pain points before they are revealed to the general public.

Doug Coenson

Great article. I would be interested in knowing if anyone has a risk management plan for their tax department, and if so, would they be willing and able to share it with me.

Sanford Mann

Regulatory risk is the risk of failure to comply with applicable financial services regulatory rules and regulations exposing the Group to penalties and reputation damage. The Group’s board, through the GACC, delegates to the Group Compliance Officer the authority to ensure that the compliance process is operating effectively and to monitor adherence to the statutory, regulatory and supervisory requirements.

