Exiting the financial quagmire: Using Six Sigma to reduce operational risk in financial services

Abhishek Soni

How risk managers can use FMEA and control charts to control risk

Financial service organizations are under severe pressure to cut operational costs while simultaneously being expected to comply with increasingly strict regulatory norms in the wake of the global financial meltdown. Meanwhile, these same organizations have become increasingly wary of their existing risk management practices in the wake of headline-grabbing scandals such as rogue trading and outright fraud. But financial services have a proven tool at their disposal to manage their operational risk and reduce cost: Six Sigma.

Operational Risk

Operational risk is perhaps the most significant risk financial services face. In the last two decades virtually every major loss in the financial industry, from Enron and Barings Bank through to the subprime credit crisis, has been driven by operational failure.

The Basel II Committee succinctly defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Any of the following events are categorized as operational risks:

  • Internal fraud
  • External fraud
  • Violation of employment practices and workplace safety
  • Breach of client, product or business protocols
  • Damage to physical assets
  • Business disruption and system failure
  • Execution, delivery and process management failure

Challenges in managing operational risk

Variation, whether it is in portfolio returns, transaction outcomes or KPI performance, is interpreted as risk within financial services. Throughout the execution of day-to-day transactions, financial service companies encounter several challenges in managing their operational risk.

Financial processes are inherently complex; they often cut across multiple functions and geographies. As a result, they are susceptible to multiple failure points. It is a big headache for the risk manager to identify the critical few events within this data deluge, and monitoring these risk triggers over a period of time is another bane in the life of a risk manager.

Six Sigma and Operational Risk Management

Six Sigma aims to reduce variation in processes, so there is a huge opportunity to apply Six Sigma tools and techniques to managing risk within financial services. In fact, the Basel Committee has already recommended Six Sigma as a best practice to manage operational risk within banking and financial services.

Here is how two Six Sigma tools, FMEA and the control chart, can be effective in managing operational risk.


FMEA as a tool to identify and prioritize risk

Failure Modes and Effects Analysis (or FMEA) is an excellent tool to manage operational risk within financial services. A risk manager can use FMEA to list the failure points of a process and then prioritize risks based on the severity of financial impact, the frequency of occurrence and the detectability of failure events. FMEA also has a provision to develop a mitigation plan for high priority risk events.

Key benefits of using FMEA in managing operational risk are:

  • It helps in listing the failure points of a process
  • It helps in defining uniform criteria for prioritization of risk events
  • It helps in developing a mitigation plan for high priority risk events

The table below demonstrates an FMEA for bank ATM operations. For illustration purposes only two key process steps of ATM operation (ATM PIN authentication and Dispense Cash) are considered, but this concept can be scaled across most banking processes.

| Process Step | Potential Failure Mode | Potential Failure Effect | Potential Causes | Current Process Controls | Action Recommended |
| --- | --- | --- | --- | --- | --- |
| ATM PIN authentication | Unauthorized access | Unauthorized cash withdrawal. Very dissatisfied customer | Lost or stolen ATM card | Block ATM card after three failed authentication attempts | |
| ATM PIN authentication | Authentication failure | Annoyed customer | Network failure | Install load balancer to distribute workload across network links | |
| Dispense Cash | Cash not disbursed | Dissatisfied customer | ATM out of cash | Internal alert of low cash in ATM | Increase minimum cash threshold limit of heavily used ATMs to prevent out-of-cash instances |
| Dispense Cash | Account debited but no cash disbursed | Very dissatisfied customer | Transaction failure. Network issue | Install load balancer to distribute workload across network links | |
| Dispense Cash | Extra cash dispensed | Bank loses money | Bills stuck to each other. Bills stacked in incorrect denomination stack | | |


In a typical ATM operation, the ATM PIN authentication process step can fail in two potential modes: unauthorized access and authentication failure. While an unauthorized access event might lead to a highly dissatisfied customer, an authentication failure event will result in a mildly annoyed customer. Based on the severity of impact, frequency of occurrence and detectability of each failure event, a risk manager determines the risk priority number (RPN) of the different failure points.

A similar exercise is completed for the Dispense Cash process step to determine the RPN for its different failure points, viz. cash not disbursed, account debited but no cash disbursed, and extra cash dispensed. This example illustrates that among all the failure events the "cash not disbursed" event has the highest RPN of 196.

Based on this assessment, the risk manager decides to take additional action, such as increasing the minimum cash threshold limit of heavily used ATMs, to mitigate the high priority risk of an "out of cash" situation. By using FMEA a risk manager is able to determine the critical failure events within ATM operations and take suitable risk mitigation actions against them.

Figure: FMEA analysing potential failure modes of ATM operations

Control chart as a tool to monitor risks

Financial services widely use KRIs (key risk indicators) to determine the level of exposure to a given operational risk that the organization has at any particular point in time. For example, financial organizations track the KRI "number of customer requests processed after the cutoff date" to estimate the level of potential liability arising from customer complaints and to manage execution, delivery and process failure risk as per Basel norms.

At present KRI reporting and escalation is based on trigger levels set by expert assessment. In addition to those trigger levels, monitoring of these KRIs can be further enhanced by plotting the KRI data points in a control chart. KRIs plotted in a control chart reveal the following supplementary insights:

  • They indicate any special pattern or trend in the performance of the process, which acts as a warning signal for impending risk events
  • They indicate whether existing controls are sufficient to keep the current process in a stable state and within the expected tolerance level

The example below demonstrates the use of a control chart to monitor a KRI. The KRI "number of customer requests processed after the cutoff date" is plotted in a control chart, which reveals the following facts:

Figure: Control chart plotting customer requests processed after cutoff date

At first glance the KRI seems to be performing well, as it has never breached the upper threshold level (specification limit) of 50 customer requests set by management.

But close scrutiny of the control chart highlights a special trend: a continuously increasing number of customer requests from week 22 to week 28. This trend is a warning that the KRI might breach the upper threshold level in the near future and that proper action needs to be taken to bring it under control.
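The check described above, written out as an added example that is not part of the original article: it derives individuals-chart (XmR) control limits from a baseline period and flags a sustained rising run even though the specification limit of 50 is never breached. The weekly counts are constructed sample data, and the 20-week baseline, the 2.66 moving-range constant and the six-point trend rule are assumptions of this sketch (common control-chart conventions), not values from the article.

```python
from statistics import mean

SPEC_LIMIT = 50  # upper threshold set by management (from the article)

# Constructed weekly KRI counts for weeks 1..28 (not the article's data).
KRI = [31, 28, 33, 30, 27, 32, 29, 34, 30, 28, 33, 31, 29, 32,
       30, 27, 31, 33, 29, 30, 32, 28, 30, 33, 36, 39, 43, 47]

def xmr_limits(values):
    """Centre line and 3-sigma limits of an individuals (XmR) chart."""
    centre = mean(values)
    mr_bar = mean(abs(b - a) for a, b in zip(values, values[1:]))
    half_width = 2.66 * mr_bar  # 3 / d2, with d2 = 1.128 for ranges of 2
    return centre, max(0.0, centre - half_width), centre + half_width

def rising_runs(values, min_points=6):
    """(first_week, last_week) of every strictly increasing run of
    at least min_points consecutive observations (assumed trend rule)."""
    runs, start = [], 0
    for i in range(1, len(values) + 1):
        if i == len(values) or values[i] <= values[i - 1]:
            if i - start >= min_points:
                runs.append((start + 1, i))  # weeks are 1-based
            start = i
    return runs

def assess(values, baseline_weeks=20):
    """Compare the expert threshold with control-chart signals."""
    centre, lcl, ucl = xmr_limits(values[:baseline_weeks])
    weeks = list(enumerate(values, 1))
    return {
        "centre": round(centre, 2),
        "lcl": round(lcl, 2),
        "ucl": round(ucl, 2),
        "spec_breaches": [w for w, v in weeks if v > SPEC_LIMIT],
        "beyond_ucl": [w for w, v in weeks if v > ucl],
        "rising_runs": rising_runs(values),
    }

if __name__ == "__main__":
    for key, value in assess(KRI).items():
        print(f"{key}: {value}")
```

On this sample the threshold-only view reports nothing, while the chart flags the run from week 22 to week 28 and three points above the upper control limit.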

Key Terms:

KRI: A Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how risky an activity is.

Basel Committee: The Basel Committee on Banking Supervision (BCBS) is an international committee of banking supervisory authorities that formulates broad supervisory standards and guidelines and recommends statements of best practice in banking supervision.


Anthony Tarantino & Deborah Cernauskas, Risk Management in Finance, 2009.