What is Operational risk?

Operational risk is “the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses”. This definition, adopted by the European union Solvency II Directive for insurers, is a variation from that adopted in the Basel II regulations for banks. In October 2014, the Basel Committee on Banking Supervision proposed a revision to its operational risk capital framework that sets out a new standardized approach to replace the basic indicator approach and the standardized approach for calculating operational risk capital.

It can also include other classes of risk, such as fraud, security, privacy protection, legal risks, physical (e.g. infrastructure shutdown) or environmental risks.

Operational risk summarizes the risks a company undertakes when it attempts to operate within a given field or industry. Operational risk is the risk not inherent in financial, systematic or market-wide risk. It is the risk remaining after determining financing and systematic risk, and includes risks resulting from breakdowns in internal procedures, people and systems.

Operational risk is a broad discipline, close to good management and quality management.

In similar fashion, operational risks affect client satisfaction, reputation and shareholder value, all while increasing business volatility.

Contrary to other risks (e.g. credit risk, market risk, insurance risk) operational risks are usually not willingly incurred nor are they revenue driven. Moreover, they are not diversifiable and cannot be laid off, meaning that, as long as people, systems and processes remain imperfect, operational risk cannot be fully eliminated.

Operational risk is, nonetheless, manageable as to keep losses within some level of risk tolerance (i.e. the amount of risk one is prepared to accept in pursuit of his objectives), determined by balancing the costs of improvement against the expected benefits.

Wider trends such as globalization, the expansion of the internet and the rise of social media, as well as the increasing demands for greater corporate accountability worldwide, reinforce the need for proper operational risk management.

Background

Until Basel II reforms to banking supervision, operational risk was a residual category reserved for risks and uncertainties which were difficult to quantify and manage in traditional ways – the “other risks” basket.

Such regulations institutionalized operational risk as a category of regulatory and managerial attention and connected operational risk management with good corporate governance.

Of course, businesses in general, and other institutions such as the military, have been aware, for many years, of hazards arising from operational factors, internal or external. The primary goal of the military is to fight and win wars in quick and decisive fashion, and with minimal losses. For the military, and the businesses of the world alike, operational risk management is an effective process for preserving resources by anticipation.

Two decades (from 1980 to the early 2000s) of globalization and deregulation (e.g. Big Bang (financial markets)), combined with the increased sophistication of financial services around the world, have introduced additional complexities into the activities of banks, insurers and firms in general and therefore their risk profiles.

Since the mid-1990s, the topics of market risk and credit risk have been the subject of much debate and research, with the result that financial institutions have made significant progress in the identification, measurement and management of both these forms of risk.

However, the near collapse of the U.S. financial system in September 2008 is an indication that our ability to measure market and credit risk is far from perfect and eventually led to introduction of new regulatory requirements worldwide, including Basel III regulations for banks and Solvency II regulations for insurers.

Events such as the September 11 terrorist attacks, rogue trading losses at Société Générale, Barings, AIB, UBS and National Australia Bank serve to highlight the fact that the scope of risk management extends beyond merely market and credit risk.

These reasons underscore banks’ and supervisors’ growing focus upon the identification and measurement of operational risk.

The list of risks (and, more importantly, the scale of these risks) faced by banks today includes fraud, system failures, terrorism and employee compensation claims. These types of risk are generally classified under the term ‘operational risk’.

The identification and measurement of operational risk is a real and live issue for modern-day banks, particularly since the decision by the Basel Committee on Banking Supervision (BCBS) to introduce a capital charge for this risk as part of the new capital adequacy framework (Basel II).

Definition of Operational risk

The Basel II Committee defines operational risk as:

“The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”

However, the Basel Committee recognizes that operational risk is a term that has a variety of meanings and therefore, for internal purposes, banks are permitted to adopt their own definitions of operational risk, provided that the minimum elements in the Committee’s definition are included.

Scope exclusions

The Basel II definition of operational risk excludes, for example, strategic risk – the risk of a loss arising from a poor strategic business decision.

Other risk terms are seen as potential consequences of operational risk events. For example, reputational risk (damage to an organization through loss of its reputation or standing) can arise as a consequence (or impact) of operational failures – as well as from other events.

Basel II seven event type categories

The following lists the official Basel II defines the seven event types with some examples for each category:

1. Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery.
2. External Fraud – theft of information, hacking damage, third-party theft and forgery.
3. Employment Practices and Workplace Safety – discrimination, workers compensation, employee health and safety.
4. Clients, Products, and Business Practice – market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning.
5. Damage to Physical Assets – natural disasters, terrorism, vandalism.
6. Business Disruption and Systems Failures – utility disruptions, software failures, hardware failures.
7. Execution, Delivery, and Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets.

Difficulties

It is relatively straightforward for an organization to set and observe specific, measurable levels of market risk and credit risk because models exist which attempt to predict the potential impact of market movements, or changes in the cost of credit. It should be noted however that these models are only as good as the underlying assumptions, and a large part of the recent financial crisis arose because the valuations generated by these models for particular types of investments were based on incorrect assumptions.

By contrast it is relatively difficult to identify or assess levels of operational risk and its many sources. Historically organizations have accepted operational risk as an unavoidable cost of doing business. Many now though collect data on operational losses – for example through system failure or fraud – and are using this data to model operational risk and to calculate a capital reserve against future operational losses. In addition to the Basel II requirement for banks, this is now a requirement for European insurance firms who are in the process of implementing Solvency II, the equivalent of Basel II for the banking sector.

Operational Risk Identification & Assessment

As a first step, firms should identity the relevant operational risks inherent in their activities, processes, products, and systems. One technique for identifying risks is to observe all processes and create a list of potential risk sources (known as Business Process Mapping). This step should be completed by the risk management department in conjunction with knowledgeable and well-seasoned employees of various departments within the firm. This method allows for open communication/discussion and can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. Other techniques for identifying risk include critical self assessment, actuarial models, scenario analysis, external data collection, and comparative analysis.

Subsequent to identifying the risks, firms should asses its exposure on a quantitative and qualitative basis. Quantitative assessments are related to direct financial loss which could have potentially been caused from the actualization of a risk. Quantitative assessments are only required for risks which may potentially result in a direct financial loss to the firm. Consider the following factors in evaluation of each risk:

• Frequency of occurrence: How often might the risk event occur? To help determine the frequency of occurrence, consider events that actually happened and potential future events. It will be helpful to also refer to events which have occurred external to the firm (other firms in the banking industry).
• Typical damage: What is the average estimated financial loss? If this event has occurred in the past, consider what the average damage it resulted in.
• Exceptional damage: What is the severe estimated financial loss? For the exceptional damage, consider what the largest loss would be if this event occurs.

Measuring Operational risk

A key component of risk management is measuring the size and scope of the firm’s risk exposures. As yet, however, there is no clearly established, single way to measure operational risk on a firm-wide basis. Instead, several approaches have been developed. An example is the “matrix” approach in which losses are categorized according to the type of event and the business line in which the event occurred. In this way, a bank can hope to identify which events have the most impact across the entire firm and which business practices are most susceptible to operational risk.

Once potential loss events and actual losses are defined, a bank can hope to analyze and perhaps even model their occurrence. Doing so requires constructing databases for monitoring such losses and creating risk indicators that summarize these data. Examples of such indicators are the number of failed transactions over a period of time and the frequency of staff turnover within a division.

Potential losses can be categorized broadly as arising from “high frequency, low impact” (HFLI) events, such as minor accounting errors or bank teller mistakes, and “low frequency, high impact” (LFHI) events, such as terrorist attacks or major fraud. Data on losses arising from HFLI events are generally available from a bank’s internal auditing systems. Hence, modeling and budgeting these expected future losses due to operational risk potentially could be done very accurately. However, LFHI events are uncommon and thus limit a single bank from having sufficient data for modeling purposes. For such events, a bank may need to supplement its data with that from other firms. Several private-sector initiatives along these lines already have been formed, such as the Global Operational Loss Database managed by the British Bankers’ Association.

Although quantitative analysis of operational risk is an important input to bank risk management systems, these risks cannot be reduced to pure statistical analysis. Hence, qualitative assessments, such as scenario analysis, will be an integral part of measuring a bank’s operational risks.

Methods of operational risk management

Operational risk can play a key role in developing overarching risk management programs that include business continuity and disaster recovery planning, and information security and compliance measures. A first step in developing an operational risk management strategy can be creating a risk map – a plan that identifies, assesses, communicates and mitigates risk.

Basel II and various Supervisory bodies of the countries have prescribed various soundness standards for Operational Risk Management for Banks and similar Financial Institutions. To complement these standards, Basel II has given guidance to 3 broad methods of Capital calculation for Operational Risk

1. Basic Indicator Approach (BIA) – This method calculates operational risk capital based on the firm’s annual gross income. The capital held for operational risk must be equal to 15% of the firm’s average annual gross income (for the previous three years). Exclude the years in which the firm’s annual gross income was zeroor negative.
2. Standardized Approach (TSA) – This method states that firms must divide their activities into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage. Gross income within each business line serves as a proxy for the scale of business operations. It determines the likely scale of operational risk exposure within each of these business lines. The capital charge for each business line is calculated by multiplying gross income by a factor (12%-18%) assigned to that business line.
3. Advanced Measurement Approaches (AMA) – Under the AMA, the regulatory capital requirement is generated by the firm’s internal operational risk measurement system. To use this approach, firms must first meet certain regulatory requirements. For instance, firms must have a sound operational risk management system and sufficient resources to conduct such internal assessments.

The Operational Risk Management framework should include identification, measurement, monitoring, reporting, control and mitigation frameworks for Operational Risk.

Operational Risk Monitoring & Reporting

An effective monitoring and reporting process is essential for adequately managing operational risk. There should be timely reporting of key information to senior management and the board of directors to support proactive management of risks. The reports should be precise, inclusive, and reliable across business lines. Keep in mind that excessive amounts of data may impede effective decision making. Reports should highlight significant operational risk events and losses and any breaches of set limits (i.e. risk appetite/tolerance of the firm).