04/13/23 1

OPERATIONAL RISK MANAGEMENT

04/13/23 2

What is Operational Risk?

The risk of loss resulting from inadequate or failed

internal processes, people and systems or from

external events (The Basel II Capital Accord)

FORMERLY any risk but market and credit risks

It is NOT a brand new stuff and it is the risk that affects

all businesses

Operational risk is inherent in carrying out a process/

operational activity.

04/13/23 3

Classification of Operational Risks

Operational risk events are

classified by two factors:

frequency – how often the

event occurs

impact – the amount of the

losses resulting from the

event

High

Frequency

Low

Impact

High

Frequency

High

Impact

Low

Frequency

Low

Impact

Low

Frequency

High

Impact

Fre

qu

ency

Impact

04/13/23 4

Classification of Operational Risks

Generally, operational risk management focuses on only

two of these event types:

Low frequency / high impact (LFHI)

High frequency / low impact (HFLI)

Why?

04/13/23 5

Classification of Operational Risks

High frequency/low impact events are managed to

improve business efficiency. These events tend to be

readily understood and are viewed as ‘the cost of doing

business’.

Examples?

04/13/23 6

Expected loss verses unexpected loss

Expected loss is the loss incurred as a bank conducts its

normal business.

Can be simply defined as the cost of doing business

The only way to totally prevent them is to cease doing

business.

04/13/23 7

Expected loss versus unexpected loss

A bank uses statistical methods to predict its expected

losses.

In short, the firm uses past data and experience to

predict the future.

A simple method of calculating expected loss is to

compute the mean (average) of the actual losses over a

given time and accept this as the likely future level.

04/13/23 8

Expected loss verses unexpected loss

A firm may also attempt to ‘predict’ its unexpected losses

using statistics, much like the way that is used to predict

expected losses.

The problems are the past data may not available and

therefore to calculate unexpected loss a firm uses:

available internal data

external data from other firms

data from operational risk scenarios

04/13/23 9

Operational risk event categories

The simplest way of understanding operational risk in banks is to

categorize it as anything but credit risk or market risk.

However, this is a very broad definition and does not help manage

operational risk.

Generally, operational risk events can be subdivided into:

internal process risk

people risk

systems risk

external risk

legal risk

04/13/23 10

Internal Process Risk

Internal process risk is defined as the risk associated

with the failure of a bank’s processes or procedures.

During a bank’s day-to-day operations, staff follow preset

working practices.

These procedures and policies will include all the

checks, and controls required to ensure that customers

are correctly served and the bank remains within the

laws and regulations by which it is governed

04/13/23 11

Internal Process Risks

Internal process risk events include:

documentation – inadequate, insufficient or wrong

lack of controls

marketing errors

misselling

money laundering

incorrect or insufficient reporting (e.g. regulatory)

transaction error

Reviewing and improving a bank’s internal processes as part of

operational risk management can improve its efficiency. Errors often

occur when a process is complicated, disorganized or easily

circumvented, all of which are also inefficient business practices.

04/13/23 12

Risk Management Process Feedback Loop

1. Identify, assess and prioritize risks

2. Develop strategies to measure risk

3. Design policies and procedures to mitigate risks

4. Implement and assign

responsibility

5. Test effectiveness and evaluate

results

6. Revise policies and procedures

FRAMEWORK• Risk strategy,

tolerance

• Roles and responsibilities

• Policies and procedures

• Risk definition and categorization

FRAMEWORK• Risk strategy,

tolerance

• Roles and responsibilities

• Policies and procedures

• Risk definition and categorization

MEASUREMENT• Estimation of annual

losses – cost of operational failure

• Estimation of VaR – risk capital

• Estimation of scores representing quality of internal controls

MEASUREMENT• Estimation of annual

losses – cost of operational failure

• Estimation of VaR – risk capital

• Estimation of scores representing quality of internal controls

PROCESSES• Loss data collection

• Risk indicator data collection

• Control self-assessment

• Risk assessment and analysis

• Workflow

• Automatic notification

• Follow up action

PROCESSES• Loss data collection

• Risk indicator data collection

• Control self-assessment

• Risk assessment and analysis

• Workflow

• Automatic notification

• Follow up action

REPORTING• Integrated MIS

reporting

• Awareness of exposures

• Knowledge of controls quality

• Cost benefit analysis

• Improved risk mitigation and transfer strategy

REPORTING• Integrated MIS

reporting

• Awareness of exposures

• Knowledge of controls quality

• Cost benefit analysis

• Improved risk mitigation and transfer strategy

There are four fundamental steps to managing operational risk, with each step leading to improvements in management & control quality and greater economic profit

Management & Control Quality

Eco

no

mic

Pro

fit

The universe of operational risks spans causes, events and consequences

Insufficient trainingInsufficient training

CAUSES EVENTS CONSEQUENCES

Lack of managementsupervision

Lack of managementsupervision

Inadequateauditing procedures

Inadequateauditing procedures

Inadequate security measures

Inadequate security measures

Poor HRpolicies

Poor HRpolicies

Poor systemsdesign

Poor systemsdesign

Inadequate segregation of duties

Inadequate segregation of duties

ExternalFraud

ExternalFraud

Employment Practices & Workplace Safety

Employment Practices & Workplace Safety

Clients, Products & Business Practices

Clients, Products & Business Practices

Damage to Physical Assets

Damage to Physical Assets

Business Disruption & System Failures

Business Disruption & System Failures

Execution, Delivery & Process ManagementExecution, Delivery & Process Management

Internal Fraud

Internal Fraud

Regulatory, Compliance & Taxation Penalties

Regulatory, Compliance & Taxation Penalties

RestitutionRestitution

Loss of RecourseLoss of Recourse

ReputationReputation

Business InterruptionBusiness Interruption

EFFECTSMonetary Losses

OTHERIMPACTSForgoneIncome

•

•

•

Write-downWrite-down

Loss or Damage to Assets

Loss or Damage to Assets

Legal LiabilityLegal Liability

Using internal and external loss data can calculate Value at Risk

INDIVIDUALLOSS EVENTS

RISK MATRIX FOR LOSS DATA

VARCALCULATION

TOTAL LOSSDISTRIBUTION

74,712,345

74,603,709

74,457,745

74,345,957

74,344,576

167,245

142,456

123,345

113,342

94,458

•

•

•

LOSS DISTRIBUTIONS

Frequencyof events

Frequencyof events

Severity of loss

Severity of loss

43210

40-50

30-40

20-30

10-20

0-10

INTERNAL

FRAUD EXTERNAL

FRAUD

EMPLOYMENT PRACTICES & WORKPLACE

SAFETY

CLIENTS, PRODUCTS &

BUSINESS PRACTICES

DAMAGE TO PHYSICAL ASSETS

EXECUTION, DELIVERY & PROCESS

MANAGEMENT

BUSINESS DISRUPTION AND

SYSTEM FAILURES TOTAL

Corporate Finance Number 36 3 25 36 33 150 2 315

Mean 35,459 52,056 3,456 56,890 56,734 1,246 89,678 44,215

Standard Deviation 5,694 8,975 3,845 7,890 3,456 245 23,543 6,976

Trading & Sales Number 50 4 35 50 46 210 3 441

Mean 53,189 78,084 5,184 85,335 85,101 1,869 134,517 66,322

Standard Deviation 8,541 13,463 5,768 11,835 5,184 368 35,315 10,464

Retail Banking Number 45 4 32 45 42 189 3 397

Mean 47,870 70,276 4,666 76,802 76,591 1,682 121,065 59,690

Standard Deviation 7,687 12,116 5,191 10,652 4,666 331 31,783 9,417

Commercial Banking Number 41 3 28 41 37 170 2 357

Mean 43,083 63,248 4,199 69,121 68,932 1,514 108,959 53,721

Standard Deviation 6,918 10,905 4,672 9,586 4,199 298 28,605 8,476

Payment & Settlements Number 37 3 26 37 34 153 2 321

Mean 38,774 56,923 3,779 62,209 62,039 1,363 98,063 48,349

Standard Deviation 6,226 9,814 4,205 8,628 3,779 268 25,744 7,628

Agency Services Number 44 4 31 44 40 184 2 386

Mean 46,529 68,308 4,535 74,651 74,446 1,635 117,675 58,018

Standard Deviation 7,472 11,777 5,045 10,353 4,535 321 30,893 9,154

Asset Management Number 40 3 28 40 36 165 2 347

Mean 41,876 61,477 4,081 67,186 67,002 1,472 105,908 52,217

Standard Deviation 6,725 10,599 4,541 9,318 4,081 289 27,804 8,238

Retail Brokerage Number 48 4 33 48 44 198 3 417

Mean 50,252 73,773 4,898 80,623 80,402 1,766 127,090 62,660

Standard Deviation 8069 12719 5449 11182 4898 347 33365 9886

Insurance Number 43 4 30 43 39 179 2 375

Mean 45,226 66,395 4,408 72,561 72,362 1,589 114,381 56,394

Standard Deviation 7,262 11,447 4,904 10,063 4,408 312 30,028 8,897

Total Number 435 36 302 435 399 1,812 24 3,806

Mean 45,653 67,021 4,450 73,245 73,044 1,604 115,459 56,926

Standard Deviation 7,331 11,555 4,950 10,158 4,450 315 30,311 8,981

Annual Aggregate Loss ($)Mean 99th Percentile

VaR Calculator

e.g.,Monte Carlo

Simulation Engine

VaR Calculator

e.g.,Monte Carlo

Simulation Engine

Composite control assessment/indicator scores can be used to modify capital figures

0

Current score

VAR

CONTROL ASSESSMENT/INDICATOR

SCORE

Adjustment for Quality of

Current Control Environment

Adjustment for Quality of

Current Control Environment

CAPITAL

190190100210210

Previous score 50

Linking capital to changes in the quality of internal controls provides an incentive for desired behavioral change

04/13/23 17

What does it tell us?

04/13/23 18

Basel II Approaches on Operational Risk

•Basic Indicator•Standardized

•Advanced Measurement

•OPERATIONAL

•Standardized•Foundation IRB•Advanced IRB

•CREDIT

04/13/23 19

The Basic Indicator Approach

Banks using the Basic Indicator Approach must hold

capital for operational risk equal to the average over the

previous three years of a fixed percentage (denoted

alpha) of positive annual gross income.

Figures for any year in which annual gross income is

negative or zero should be excluded from both the

numerator and denominator when calculating the

average.

04/13/23 20

The charge may be expressed as follows:

04/13/23 21

The Standardized Approach

In the Standardized Approach, banks’ activities are divided into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage.

Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations and thus the likely scale of operational risk exposure within each of these business lines.

The capital charge for each business line is calculated by multiplying gross income by a factor (denoted beta) assigned to that business line.

Beta serves as a proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line.

It should be noted that in the Standardized Approach gross income is measured for each business line, not the whole institution, i.e. in corporate finance, the indicator is the gross income generated in the corporate finance business line

04/13/23 22

Standardized Approach

04/13/23 23

Standardized Approach

04/13/23 24

Mapping Business Lines

?

04/13/23 25

Advanced Measurement Approaches (AMA)

Under the AMA, the regulatory capital requirement will

equal the risk measure generated by the bank’s internal

operational risk measurement system using the

quantitative and qualitative criteria.

Use of the AMA is subject to supervisory approval.

A bank adopting the AMA may, with the approval of its

host supervisors and the support of its home supervisor,

use an allocation mechanism for the purpose of

determining the regulatory capital requirement