Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk (BCBS). Operational risk is different from other risks (e.g. credit, market, liquidity) because it is usually not taken in exchange for an expected return; it exists in the natural course of business activity. Failure to appropriately manage operational risk can expose firms to significant losses.
Operational Risk Management Process
The process of risk management for operational risk is similar to the risk management process described in the previous article, “What is Risk Management?“. The process consists of identification, assessment, measurement, mitigation, monitoring, and reporting of risks.
Risk Identification & Assessment:
As a first step, firms should identity the relevant operational risks inherent in their activities, processes, products, and systems. One technique for identifying risks is to observe all processes and create a list of potential risk sources (known as Business Process Mapping). This step should be completed by the risk management department in conjunction with knowledgeable and well-seasoned employees of various departments within the firm. This method allows for open communication/ discussion and can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. Other techniques for identifying risk include critical self assessment, actuarial models, scenario analysis, external data collection, and comparative analysis.
Subsequent to identifying the risks, firms should asses its exposure on a quantitative and qualitative basis. Quantitative assessments are related to direct financial loss which could have potentially been caused from the actualization of a risk. Quantitative assessments are only required for risks which may potentially result in a direct financial loss to the firm. Consider the following factors in evaluation of each risk:
- Frequency of occurrence: How often might the risk event occur? To help determine the frequency of occurrence, consider events that actually happened and potential future events. It will be helpful to also refer to events which have occurred external to the firm (other firms in the banking industry).
- Typical damage: What is the average estimated financial loss? If this event has occurred in the past, consider what the average damage it resulted in.
- Exceptional damage: What is the severe estimated financial loss? For the exceptional damage, consider what the largest loss would be if this event occurs.
Note: For the above factors, take into account the relevant controls in place which mitigate the risk.
The qualitative assessment is concerned with other all losses which could occur with the actualization of the risk. It is related to the level of severity of the risk (high medium, low). The assessment should consider the factors discussed in the quantitative assessment as well as mitigating controls, potential damages to reputation, and other factors.
Risk Measurement & Mitigation:
Risk reduction can arise in terms of a decrease in the financial damages or frequency of occurrence of loss events. An important step in the risk mitigation process is to assess and improve on the existing mitigating controls and to create new controls as necessary. An effective risk management plan should contain a timetable for reviewing controls along with relevant risk owners responsible for implementation. Internal controls should be in place to provide assurance that the firm will have efficient and effective operations and will comply with relevant laws and regulations.
Risk Monitoring & Reporting:
An effective monitoring and reporting process is essential for adequately managing operational risk. There should be timely reporting of key information to senior management and the board of directors to support proactive management of risks. The reports should be precise, inclusive, and reliable across business lines. Keep in mind that excessive amounts of data may impede effective decision making. Reports should highlight significant operational risk events and losses and any breaches of set limits (i.e. risk appetite/tolerance of the firm).
Basel II Capital Calculation Methods
The Basel Committee on Banking Supervision (BCBS) is an international group created in response to international concerns of banking instability. For a brief history on the Basel Accords refer back to the “Basel III Key Updates” article. To ensure bank safety and adequate protection from risk, BCBS requires banks to hold capital against various risks, including operational risk. The amount of capital a firm needs to hold is directly proportional to the amount of risk the firm may be exposed to. In order to conform to the Basel Accords, firms must implement one of the following measures to calculate the capital charge for operational risk:
- Basic Indicator Approach (BIA) – This method calculates operational risk capital based on the firm’s annual gross income. The capital held for operational risk must be equal to 15% of the firm’s average annual gross income (for the previous three years). Exclude the years in which the firm’s annual gross income was zeroor negative.
- Standardized Approach (TSA) – This method states that firms must divide their activities into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage. Gross income within each business line serves as a proxy for the scale of business operations. It determines the likely scale of operational risk exposure within each of these business lines. The capital charge for each business line is calculated by multiplying gross income by a factor (12%-18%) assigned to that business line.
- Advanced Measurement Approaches (AMA) – Under the AMA, the regulatory capital requirement is generated by the firm’s internal operational risk measurement system. To use this approach, firms must first meet certain regulatory requirements. For instance, firms must have a sound operational risk management system and sufficient resources to conduct such internal assessments. The following lists the official Basel II defined event types with some examples for each category:
- Internal Fraud – embezzlement of assets, bribery, and tax evasion
- External Fraud- identity or information theft, computer hacking, forgery and robbery
- Employment Practices and Workplace Safety – safety of employees, discrimination and workers compensation
- Clients, Products, & Business Practice- breach of fiduciary duties, improper trades and market manipulation
- Damage to Physical Assets – natural disasters and terrorism
- Business Disruption & Systems Failures – software failures and system disruptions/downtime
- Execution, Delivery, & Process Management – accounting errors and data entry errors
Corporate Governance (Operational Risk)
Corporate governance is the structural design of how risk management functions within a firm. Risk should be managed within known and agreed risk tolerances (risk appetite). According to the BCBS, common industry practice for sound operational risk governance relies on three lines of defense:
- Business Line Management - In charge of identifying and managing the risks inherent in the products, services, and activities for which they are responsible.
- Independent Corporate Operational Risk Management Function - Responsible for the design, maintenance, and ongoing development of the operational risk framework within the firm. This includes measuring and reporting of risks and challenging the output provided by the business lines.
- An Independent Review and Challenge – Must be competent and independent from the development, implementation and operation of the risk governance framework.
Note: Other schools of thought consider a fourth line of defense, the board of directors. The three lines of defense ultimately report into the board.
A culture of risk awareness and open communication amongst the three lines of defense is imperative to effective operational risk governance. The board of directors is responsible for promoting a culture of risk awareness and for overseeing senior management to ensure that relevant policies and procedures are implemented across all decision levels. In addition the board of directors should approve and review the risk appetite and tolerance statement for operational risk. In turn, senior management should develop an effective governance structure with clear lines of responsibility and ensure that policies and procedures are followed. The chief risk officer (CRO) should report to the CEO or CFO and be independent of business lines. The role of the chief risk officer should include the following duties:
- Develop and evaluate risk management policies and procedures
- Provide risk leadership
- Establish and review risk metrics used for risk assessment
- Provide appropriate risk reports
- Challenge decisions regarding risk
Operational risk is not taken in exchange for a return; however the failure to manage this risk may result in significant losses. The BCBS provides three different methods of calculating capital (BIA, TSA, & AMA). Proper management of operational risks may lead to a reduction of losses and can result in a more accurate assessment the firm’s exposure. An effective corporate governance framework leads to proactive and informed decision making.
Basel Committee on Banking Supervision: Consultative Document on Operational Risk. January 2001. www.bis.org
Basel Committee on Banking Supervision: Sound Practices for the Management and Supervision of Operational Risk. December 2010. www.bis.org
Institute of Operational Risk: Operational Risk Governance. September 2010. www.ior-institute.org/