Operational Risk

Explained:

The Basel Committee (2004) defines operational risk as

the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

The committee indicates that this definition includes legal risk but excludes systemic risk and reputational risk.

During the 1990s, financial firms and other corporations focused increasing attention on the emerging field of financial risk management. This was motivated by

concerns about the risks posed by the rapidly growing OTC derivatives markets;

publicized financial losses, including those of Barings Bank, Orange County and Metallgesellschaft;

regulatory initiatives, especially the Basel Accords.

During the early part of the decade, much of the focus was on techniques for measuring and managing market risk. As the decade progressed, this shifted to techniques of measuring and managing credit risk. By the end of the decade, firms and regulators were increasingly focusing on risks "other than market and credit risk." These came to be collectively called operational risks. This catch-all category of risks was understood to include,

Ads by Contingency Analysis

<![if lt IE 4]> <script src="http://servedbyadbutler.com/adserve/;ID=147917;size=336x265;setID=82402;type=js" type="text/javascript"> </script> <noscript> <a href="http://servedbyadbutler.com/go2/;ID=147917;size=336x265;setID=82402"> <img src="http://servedbyadbutler.com/adserve.ibs/;ID=147917;size=336x265;setID=82402;type=img" border="0" height="265" width="336" alt=""></a> </noscript><![endif]>

employee errors,

systems failures,

fire, floods or other losses to physical assets,

fraud or other criminal activity.

Firms had always managed these risks. The new goal was to do so in a more systematic manner. The approach would parallel—and be integrated with—those that were proving effective with market risk and credit risk.

The task appeared daunting. Financial institutions and regulators had had to dedicate considerable resources to managing market risk and credit risk, and those were well-known, narrowly-defined risks. Operational risk was anything but well defined. People disagreed about the specific contingencies that should be considered operational risks—should legal risks, tax risks, management incompetence or reputational risks be included? The debate was more than academic. It would shape the scope of initiatives to manage operational risk.

Another problem was that operational contingencies don't always fall into neat categories. Losses can result from a complex confluence of events, which makes it difficult to predict or model contingencies. In 1996, the Crédit Lyonnais trading floor was destroyed by fire. This might be categorized as a loss due to fire. It might also be categorized as a loss due to fraud—investigators suspect employees deliberately set the fire in order to destroy evidence of fraud.

The Basel Committee outlined basic practices in a (February 2003) paper Sound Practices for the Management and Supervision of Operational Risk. That paper, together with efforts by researchers and risk managers at major banks have helped to shape emerging risk management practices for operational risk.

Most operational risks are best managed within the departments in which they arise. Information technology professionals are best suited for addressing systems-related risks. Back office staff are best suited to address settlement risks, etc. However, overall planning, coordination, and monitoring should be provided by a centralized operational risk management department. This should closely coordinate with market risk and credit risk management departments within an overall enterprise risk management framework.

Contingencies broadly fall into two categories:

those that occur frequently and entail modest losses;

those that occur infrequently but may entail substantial losses.

Accordingly, operational risk management should combine both qualitative and quantitative techniques for assessing risks. For example, settlement errors in a trading operation's back office happen with sufficient regularity that they can be modeled statistically. Other contingencies affect financial institutions infrequently and are of a non-uniform nature, which makes modeling difficult. Examples include acts of terrorism, natural disasters, and trader fraud.

Ads by Contingency Analysis

<![if lt IE 4]> <script src="http://servedbyadbutler.com/adserve/;ID=147917;size=336x265;setID=104594;type=js" type="text/javascript"> </script> <noscript> <a href="http://servedbyadbutler.com/go2/;ID=147917;size=336x265;setID=104594"> <img src="http://servedbyadbutler.com/adserve/;ID=147917;size=336x265;setID=104594;type=img" border="0" height="265" width="336" alt=""></a> </noscript><![endif]>

Qualitative techniques include

loss event reports,

management oversight,

employee questionnaires,

exit interviews,

management self assessment, and

internal audit.

Quantitative techniques have been developed primarily for the purpose of assigning capital charges for banks' operational risks. Much work in this field was performed by regulators developing the Basel II accord on bank capital adequacy. Early results were reported in a (January 2001) consultative document, which was included in a package of documents outlining the proposed Basel II accord. Extensive industry feedback on that document lead the committee to issue a follow-up (September 2001) working paper on operational risk. A subsequent (April 2003) consultative document made further modifications to Basel II. The final Basel II accord was released in 2004.

Basel II allows large banks to base operational risk capital requirements on their own internal models. This has spawned considerable independent research into methods for measuring operational risk. Techniques have been borrowed from fields such as actuarial science and engineering reliability analysis.

Contingencies of an infrequent but potentially catastrophic nature can, to some extent, be modeled using techniques developed for property & casualty insurance. Contingencies that arise more frequently are more amendable to statistical analysis.

Statistical modeling requires data. For operational contingencies, two forms of data are useful:

data on historical loss events, and

data on risk indicators.

Loss events run the gamut—settlement errors, systems failures, petty fraud, customer lawsuits, etc. Losses may be direct (as in the case of theft) or indirect (as in the case of damage to the institution's reputation). There are three ways data on loss events can be categorized:

event

cause

consequence

For example, an event might be a mis-entered trade. the cause might be inadequate training, a systems problem or employee fatigue. Consequences might include a market loss, fees paid to a counterparty, a lawsuit or damage to the firm's reputation. Any event may have multiple causes or consequences. Tracking all three dimensions of loss events facilitates the construction of event matrices, identifying the frequency with which certain causes are associated with specific events and consequences. Even with no further analysis, such matrices can identify for management areas for improvement in procedures, training, staffing, etc.

The Basel Committee breaks down loss events into seven general categories:

Categories of Loss Events
Exhibit 1

Event-Type Category (Level 1)	Definition	Categories (Level 2)	Activities Examples (Level 3)
Internal Fraud	Loss due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity / discrimination events, which involves at least one internal party.	Unauthorized Activity	Transactions not reported (intentional) Transaction type unauthorized (with monetary loss) Mismarking of position (intentional)
Internal Fraud		Theft and Fraud	Fraud / credit fraud / worthless deposits Theft / extortion / embezzlement / robbery Misappropriation of assets Forgery Check kiting Smuggling Account take-over / impersonation, etc. Tax non-compliance / evasion (willful) Bribes / kickbacks Insider trading (not on firm's account)
External Fraud	Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party	Theft and Fraud	Theft / robbery Forgery Check kiting
External Fraud		Systems Security	Hacking damage Theft of information (with monetary loss)
Employment Practices and Workplace Safety	Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events.	Employee Relations	Compensation, benefit, termination issues Organized labor activities
		Safe Environment	General liability (slips and falls, etc.) Employee health & safety rules and events Workers compensation
		Diversity & Discrimination	All discrimination types
Clients, Products & Business Practice	Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.	Suitability, Disclosure & Fiduciary	Fiduciary breaches / guideline violations Suitability / disclosure issues (KYC, etc.) Retail consumer disclosure violations Breach of privacy Aggressive sales Account churning Misuse of confidential information Lender liability
		Improper Business or Market Practices	Antitrust Improper trade / market practice Market manipulation Insider trading (on firm's account) Unlicensed activity Money laundering
		Product Flaws	Product defects (unauthorized, etc.) Model errors
		Selection, Sponsorship & Exposure	Failure t investigate client per guidelines Exceeding client exposure limits
		Advisory Activities	Disputes over performance or advisory activities
Damage to Physical Assets	Losses arising from loss or damage to physical assets from natural disaster or other events	Disasters and Other Events	Natural disaster losses Human losses from external sources (terrorism, vandalism)
Business Disruption & Systems Failures	Losses arising from disruption of business or system failures	Systems	Hardware Software Telecommunications Utility outage / disruptions
Execution, Delivery & Process Management	Losses from failed transaction processing or process management, from relations with trade counterparties and vendors	Transaction Capture, Execution & Maintenance	Miscommunication Data entry, maintenance or loading error Missed deadline or responsibility Model / system misoperation Accounting error / entity attribution error Other task misperformance Delivery failure Collateral management failure Reference data maintenance
		Monitoring & Reporting	Failed mandatory reporting obligation Inaccurate external report (loss incurred)
		Customer Intake & Documentation	Client permissions / disclaimers missed Legal documents missing / incomplete
		Customer / Client Account Management	Unapproved access given to accounts Incorrect client records (loss incurred) Negligent loss or damage of client assets
		Trade Counterparties	Non-client counterparty misperformance Misc. non-client counterparty disputes
		Vendors & Suppliers	Outsourcing Vendor disputes

Source: Basel Committee (February 2003).

Ads by Contingency Analysis

Risk indicators differ from loss events. They are not associated with specific losses, but indicate the general level of operational risk. Examples of risk indicators a firm might track are:

amount of overtime being performed by back-office staff,

staffing levels,

daily transaction volumes,

employee turnover rates,

systems downtime.

From a modeling standpoint, the goal is to find relationships between specific risk indicators and corresponding rates of loss events. If such relationships can be identified, then risk indicators can be used to identify periods of elevated operational risk.

Once operational risks have been—qualitatively or quantitatively—assessed, the next step is to somehow manage them. Solutions may attempt to

avoid certain risks,

accept others, but attempt to mitigate their consequences, or

simply accept some risks as a part of doing business.

Specific techniques might include: employee training, close management oversight, segregation of duties, purchase of insurance, employee background checks, exiting certain businesses, and the capitalization of risks. Choice of techniques will depend upon a cost-benefit analysis.