The Basel Committee (2004)
defines operational risk as
the risk of loss resulting from inadequate or failed internal
processes, people and systems, or from external events.
The committee indicates that this definition excludes systemic risk,
legal risk and reputational risk.
During the 1990s, financial firms and other
focused increasing attention on the emerging field of
management. This was motivated by
concerns about the risks posed by the rapidly
publicized financial losses, including those of
regulatory initiatives, especially the
During the early part of the decade, much of the focus was
on techniques for measuring and managing
As the decade progressed, this shifted to techniques of measuring and
credit risk. By the end of the decade, firms and regulators were
increasingly focusing on risks "other than market and credit risk." These came to be
collectively called operational risks.
This catch-all category of risks was understood to include,
fire, floods or other losses to physical assets,
fraud or other criminal activity.
Firms had always managed these risks. The
new goal was to do so in a more systematic manner. The approach would
parallel—and be integrated with—those that were proving effective with
market risk and credit risk.
The task appeared daunting. Financial institutions and
regulators had had to dedicate considerable resources to managing market risk
and credit risk, and those were well-known, narrowly-defined risks.
Operational risk was anything but well defined. People disagreed about the
specific contingencies that should be considered operational risks—should
legal risks, tax risks, management incompetence or reputational risks be
included? The debate was more than academic. It would shape the scope of
initiatives to manage operational risk.
Another problem was that operational contingencies don't
always fall into neat categories. Losses can result from a complex
confluence of events, which makes it difficult to predict or model
contingencies. In 1996, the Crédit Lyonnais trading floor was destroyed by
fire. This might be categorized as a loss due to fire. It might also be
categorized as a loss due to fraud—investigators suspect employees
deliberately set the fire in order to destroy evidence of fraud.
The Basel Committee outlined basic practices in a (February
2003) paper Sound Practices for the Management and Supervision of
Operational Risk. That paper, together with efforts by researchers and
risk managers at major banks, has helped to shape emerging risk management
practices for operational risk.
Most operational risks are best managed within the
departments in which they arise. Information technology professionals are
best suited for addressing systems-related risks. Back office staff are
best suited to address settlement risks, etc. However, overall planning,
coordination, and monitoring should be provided by a centralized
operational risk management department. This should closely coordinate
with market risk and credit risk management departments within an overall
enterprise risk management framework.
Contingencies broadly fall into two categories:
those that occur frequently and entail modest losses;
those that occur infrequently but may entail substantial
Accordingly, operational risk management should combine
both qualitative and quantitative techniques for assessing risks. For example, settlement
errors in a trading operation's back office happen with sufficient
regularity that they can be modeled statistically. Other contingencies
affect financial institutions infrequently and are of a non-uniform
nature, which makes modeling difficult. Examples include acts of
terrorism, natural disasters, and trader fraud.
Qualitative techniques include
loss event reports,
management self-assessment, and
Quantitative techniques have been developed primarily for
the purpose of assigning capital charges for banks' operational risks.
Much work in this field was performed by regulators developing the
II accord on bank capital adequacy. Early results were reported in a (January
consultative document, which was included in a package of documents
outlining the proposed Basel II accord. Extensive industry feedback on
that document led the committee to issue a follow-up (September
2001) working paper on operational risk. A subsequent (April
2003) consultative document made further modifications to Basel II.
The final Basel II accord was released in
Basel II allows large banks to base operational risk
capital requirements on their own internal models. This has spawned
considerable independent research into methods for measuring operational
risk. Techniques have been borrowed from fields such as actuarial science
and engineering reliability analysis.
Contingencies of an infrequent but potentially catastrophic nature can, to
some extent, be modeled using techniques developed for property & casualty
insurance. Contingencies that arise more frequently are more
amenable to statistical analysis.
Statistical modeling requires data. For operational
contingencies, two forms of data are useful:
data on historical loss events, and
data on risk indicators.
Loss events run the gamut—settlement errors, systems
failures, petty fraud, customer lawsuits, etc. Losses may be direct (as in
the case of theft) or indirect (as in the case of damage to the
institution's reputation). There are three ways data on loss events can be
For example, an event might be a mis-entered trade. The
cause might be inadequate training, a systems problem or employee fatigue.
Consequences might include a market loss, fees paid to a counterparty, a
lawsuit or damage to the firm's reputation. Any event may have multiple
causes or consequences. Tracking all three dimensions of loss events
facilitates the construction of event matrices, identifying the frequency
with which certain causes are associated with specific events and
consequences. Even with no further analysis, such matrices can identify
for management areas for improvement in procedures, training, staffing,
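The event matrices described above can be built directly from loss-event records. The following is an added example, not part of the original article: the records are constructed for illustration, and the function names and the shortened label "counterparty fees" are assumptions.

```python
from collections import Counter
from itertools import product

# Constructed sample records (illustrative, not real loss data):
# (event, causes, consequences). An event may have several of each.
LOSS_EVENTS = [
    ("mis-entered trade", ["inadequate training"], ["market loss"]),
    ("mis-entered trade", ["employee fatigue", "systems problem"],
     ["market loss", "counterparty fees"]),
    ("mis-entered trade", ["employee fatigue"], ["counterparty fees"]),
    ("settlement error", ["systems problem"], ["counterparty fees"]),
    ("settlement error", ["inadequate training", "employee fatigue"],
     ["lawsuit", "reputational damage"]),
]
EVENT, CAUSE, CONSEQUENCE = 0, 1, 2  # positions of the three dimensions

def _values(record, dim):
    """Return the distinct values a record holds for one dimension."""
    v = record[dim]
    return {v} if isinstance(v, str) else set(v)

def event_matrix(records, row_dim, col_dim):
    """Count records in which each row value co-occurs with each column value."""
    counts = Counter()
    for rec in records:
        for pair in product(_values(rec, row_dim), _values(rec, col_dim)):
            counts[pair] += 1
    return counts

def cause_shares(records, event):
    """For one event type, the fraction of its records citing each cause."""
    matching = [r for r in records if r[EVENT] == event]
    tally = Counter(c for r in matching for c in _values(r, CAUSE))
    return {cause: n / len(matching) for cause, n in tally.items()} if matching else {}

def render(counts):
    """Format a matrix as aligned text with sorted row and column labels."""
    rows = sorted({r for r, _ in counts})
    cols = sorted({c for _, c in counts})
    width = max(len(r) for r in rows)
    lines = [" " * width + " | " + " | ".join(cols)]
    for r in rows:
        cells = [str(counts[(r, c)]).center(len(c)) for c in cols]
        lines.append(r.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(event_matrix(LOSS_EVENTS, CAUSE, EVENT)))
    print(render(event_matrix(LOSS_EVENTS, EVENT, CONSEQUENCE)))
```

Because one record can cite several causes or consequences, the cells of a matrix can sum to more than the number of loss events.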
The Basel Committee breaks down loss events into seven
Loss due to acts of a type intended
to defraud, misappropriate property or circumvent regulations,
the law or company policy, excluding diversity / discrimination
events, which involves at least one internal party.
unauthorized (with monetary loss)
Theft and Fraud
/ credit fraud / worthless deposits
/ extortion / embezzlement / robbery
take-over / impersonation, etc.
non-compliance / evasion (willful)
trading (not on firm's account)
Losses due to acts of a type
intended to defraud, misappropriate property or circumvent the
law, by a third party
Theft and Fraud
Theft of information
(with monetary loss)
Employment Practices and Workplace
Losses arising from acts
inconsistent with employment, health or safety laws or
agreements, from payment of personal injury claims, or from
diversity / discrimination events.
benefit, termination issues
(slips and falls, etc.)
Employee health &
safety rules and events
Diversity & Discrimination
Clients, Products & Business
Losses arising from an
unintentional or negligent failure to meet a professional
obligation to specific clients (including fiduciary and
suitability requirements), or from the nature or design of a
Suitability, Disclosure & Fiduciary
Fiduciary breaches /
disclosure issues (KYC, etc.)
Breach of privacy
Improper Business or Market
Improper trade /
Insider trading (on
Selection, Sponsorship & Exposure
Failure to investigate
client per guidelines
performance or advisory activities
Damage to Physical Assets
Losses arising from loss or damage
to physical assets from natural disaster or other events
Disasters and Other Events
Human losses from
external sources (terrorism, vandalism)
Business Disruption & Systems
Losses arising from disruption of
business or system failures
Utility outage /
Execution, Delivery & Process
Losses from failed transaction
processing or process management, from relations with trade
counterparties and vendors
Transaction Capture, Execution &
maintenance or loading error
Missed deadline or
Model / system
Accounting error /
entity attribution error
Monitoring & Reporting
report (loss incurred)
Customer Intake & Documentation
Client permissions /
missing / incomplete
Customer / Client Account
given to accounts
records (loss incurred)
Negligent loss or
damage of client assets
Vendors & Suppliers
Source: Basel Committee (February
Risk indicators differ from loss events. They
are not associated with specific losses, but indicate the general level of
operational risk. Examples of risk indicators a firm might track are:
amount of overtime being performed by back-office staff,
daily transaction volumes,
employee turnover rates,
From a modeling standpoint, the goal is to find
relationships between specific risk indicators and corresponding rates of
loss events. If such relationships can be identified, then risk indicators
can be used to identify periods of elevated operational risk.
Once operational risks have been—qualitatively or
quantitatively—assessed, the next step is to somehow manage them.
Solutions may attempt to
avoid certain risks,
accept others, but attempt to mitigate their consequences,
simply accept some risks as a part of doing business.
Specific techniques might include: employee training,
close management oversight, segregation of duties, purchase of insurance,
employee background checks, exiting certain businesses, and the
capitalization of risks. Choice of
techniques will depend upon a cost-benefit analysis.
Basel Committee An
international committee that has
played a leading role in standardizing bank regulations across
A process of choosing what ventures, deals or trades to engage in,
usually based upon some cost or risk-return analysis.
Risk due to uncertainty in a counterparty's ability to
meet its obligations.
risk management Practices by which a firm optimizes the
manner in which it takes financial risk.
Risk from uncertainty due to legal actions or uncertainty in the applicability
or interpretation of contracts, laws or regulations.
Risk due to uncertain liquidity.
market risk Exposure to the uncertain market value of a portfolio.
The risk that models are applied to tasks for which they are
inappropriate or are otherwise implemented incorrectly.
risk Comprises two components:
uncertainty and exposure.
is a short, practical book that approaches operational risk from an
entirely qualitative perspective. Cruz (2002)
is more theoretical, focusing on quantitative techniques for
measuring operational risk. Risk Books (2003)
is an excellent edited collection offering an
all-encompassing treatment of the subject. Alexander (2003)
is an edited collection addressing operational risk primarily in
the context of Basel II.
is the website of an industry organization established
for the exchange of operational risk
related loss information among its members in a standardized,
http://www.bis.org is the website of the Bank for
International Settlement, which sponsors the Basel Committee. The
website has numerous documents related to operational risk,
including many cited in this glossary article.
copyright © Contingency Analysis, 1996 -