June 2007 Capital Adequacy Extension © Copyright 2007, CCRO. All rights reserved. Page 38 of 92 to be insulated from those high impact events to which one is exposed or perhaps increased security of physical assets to mitigate sabotage, for example. All of these types of risks must be identified to the extent possible and mitigated though insurance or other type products. As stated in the 2003 White Paper, these “techniques are used to reduce the company’s operative risk profile in a preventative rather that reserve manner,” which is more appropriate because of the extreme nature of these events. 4.5.3. Identification of External Risks from Legal, Regulatory, Political, and Environmental Exposures These operative risks are distinct from the previous categories and each other however, the approach used in their identification can be similar. The primary groups that the Chief Risk Officer (“CRO”) will need to coordinate with in the identification phase are the following: • General Counsel • Corporate Compliance • Environmental Here again, as in the previous categories, identification will entail a collaborative effort with business personnel who have the in-depth knowledge of what the potential threats to earnings are and what capital is needed to prepare for such occurrences. This category does not lend itself to quantitative methodologies due to the fact that potential events are so unique that each will have to be addressed through the collective expertise of those involved in that line of business. We will discuss measurement in more detail later in this paper, however due to the unique nature of these operative risks, the identification and quantification will both be done through a qualitative process that translates events into potential effects on earnings, mitigation measures, and capital requirements. PRINCIPLE 5: [Companies] should establish the process necessary for measuring operational risk This is unquestionably the most difficult aspect of an Operative Risk Assessment Program. It’s exciting to think about using mathematical models to understand and explain operative loss events. However, the reality is that there is no proven technique that survived the rigorous scientific scrutiny for it to be taken as the “norm.” This is by no means an excuse for not endeavoring to measure such risks. The universe of operative risks is varied and some risks do lend themselves to quantitative techniques, some do not. Recall the categories of Operative Risk: • Operational: internal risks from people, processes, and systems