Operational risk

Operational risk. Introduction During the early part of the decade, much of the focus was on techniques for measuring and managing market risk. As the.

Dec 15, 2015


Finn Meager
Transcript
Page 1:

Operational risk

Page 2:

Introduction

During the early part of the decade, much of the focus was on techniques for measuring and managing market risk.

As the decade progressed, this shifted to techniques of measuring and managing credit risk.

By the end of the decade, firms and regulators were increasingly focusing on risks "other than market and credit risk". These came to be collectively called operational risks. This catch-all category of risks includes:

- employee errors,

- systems failures,

- fire, floods or other losses to physical assets,

- fraud or other criminal activity.

Page 3:

Introduction

Operational risk is intrinsic to financial institutions and thus should be an important component of their firm-wide risk management systems.

However, operational risk is harder to quantify and model than market and credit risks.

Improvements in management information systems and computing technology have opened the way for improved operational risk measurement and management.

Page 4:

Introduction

The Basel Committee (2004) defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

The committee indicates that this definition excludes systemic/strategic risk, reputation risk and legal risk.

Page 5:

Introduction

Strategic risk: i.e. the risk of a loss arising from a poor strategic business decision, and reputation risk (damage to an organization through loss of its reputation or standing).

A significant but non-catastrophic operational loss could still affect its reputation, possibly leading to a further collapse of its business and organizational failure.

Page 6:

Categories of Loss Events

1. Internal Fraud:

Loss due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity / discrimination events, which involves at least one internal party.

Examples:

- Transactions not reported (intentional)

- Transaction type unauthorized (with monetary loss)

- Fraud / credit fraud / worthless deposits

- Theft

- Misappropriation of assets

- Smuggling

- Account take-over / impersonation, etc.

- Tax non-compliance

- Bribes

Page 7:

Categories of Loss Events

2. External Fraud:

Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party.

Examples:

- Hacking damage

- Theft of information (with monetary loss)

Page 8:

Categories of Loss Events

3. Employment Practices and Workplace Safety:

Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events.

Examples:

- Compensation, benefit, termination issues

- Organized labor activities

- General liability (slips and falls, etc.)

- Employee health & safety rules and events

- Workers compensation

- All discrimination types

Page 9:

Categories of Loss Events

4. Clients, Products & Business Practice:

Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

Examples:

- Natural disaster losses

- Human losses from external sources (vandalism)

Page 10:

Categories of Loss Events

5. Damage to Physical Assets:

Losses arising from loss or damage to physical assets from natural disaster or other events.

Examples:

- Hardware

- Software

- Telecommunications

- Utility outage / disruptions

Page 11:

Categories of Loss Events

6. Execution, Delivery & Process Management:

Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.

Examples:

- Miscommunication

- Data entry, maintenance or loading error

- Missed deadline or responsibility

- Model / system misoperation

- Accounting error / entity attribution error

- Delivery failure

- Collateral management failure

- Failed mandatory reporting obligation

- Inaccurate external report (loss incurred)

- Client permissions / disclaimers missed

- Legal documents missing / incomplete

- Unapproved access given to accounts

- Incorrect client records (loss incurred)

- Negligent loss or damage of client assets

- Vendor disputes

Page 12:

Risk indicators

Risk indicators differ from loss events. They are not associated with specific losses, but indicate the general level of operational risk. Examples of risk indicators a firm might track are:

- amount of overtime being performed by back-office staff,

- staffing levels,

- daily transaction volumes,

- employee turnover rates,

- systems downtime.

Page 13:

Operational Risk Management

From a modeling standpoint, the goal is to find relationships between specific risk indicators and corresponding rates of loss events. If such relationships can be identified, then risk indicators can be used to identify periods of elevated operational risk.

Most operational risks are best managed within the departments in which they arise.

Information technology professionals are best suited for addressing systems-related risks. Back office staff are best suited to address settlement risks, etc.

Page 14:

Operational Risk Management

The Operational Risk Management framework should include identification, measurement, monitoring, reporting, control and mitigation frameworks for Operational Risk.

Operational risk management should be provided by a centralized department that should closely coordinate with market risk and credit risk management departments within an overall business risk management framework.

Page 15:

Operational Risk Management

Contingencies broadly fall into two categories:

- those that occur frequently and entail modest losses;

- those that occur infrequently but may entail substantial losses.

Accordingly, operational risk management should combine both qualitative and quantitative techniques for assessing risks.

For example, settlement errors in a trading operation's back office happen with sufficient regularity that they can be modeled statistically.

Page 16:

Operational Risk Management

Other contingencies affect financial institutions infrequently and are of a non-uniform nature, which makes modeling difficult. Examples include acts of natural disasters, and trader fraud.

Qualitative techniques include:

- loss event reports,

- management oversight,

- employee questionnaires,

- exit interviews,

- management self assessment, and

- internal audit.

Page 17:

Operational Risk Management

Quantitative techniques have been developed primarily for the purpose of assigning capital charges for banks' operational risks.

Basel II allows large banks to base operational risk capital requirements on their own internal models.

Contingencies of an infrequent but potentially catastrophic nature can, to some extent, be modeled using techniques developed for property & casualty insurance. Contingencies that arise more frequently are more amenable to statistical analysis.

Page 18:

Operational Risk Management

Statistical modeling requires data. For operational contingencies, two forms of data are useful:

- data on historical loss events, and

- data on risk indicators.

Losses may be direct (as in the case of theft) or indirect (as in the case of damage to the institution's reputation). There are three ways data on loss events can be categorized:

- event

- cause

- consequence

Page 19:

Operational Risk Management

For example, an event might be a mis-entered trade. The cause might be inadequate training, a systems problem or employee fatigue.

Consequences might include a market loss, fees paid to a counterparty, a lawsuit or damage to the firm's reputation.

Any event may have multiple causes or consequences.

Page 20:

Operational Risk Management

Tracking all three dimensions of loss events facilitates the construction of event matrices, identifying the frequency with which certain causes are associated with specific events and consequences.

Even with no further analysis, such matrices can identify for management areas for improvement in procedures, employee training, close management oversight, segregation of duties, purchase of insurance, employee background checks, exiting certain businesses, and the capitalization of risks. Choice of techniques will depend upon a cost-benefit analysis.

Page 21:

Methods of Operational Risk Management

Basel II has given guidance to 3 broad methods of Capital calculation for Operational Risk in Banks and similar Financial Institutions:

Basic Indicator Approach - based on annual revenue of the Financial Institution

Standardized Approach - based on annual revenue of each of the broad business lines of the Financial Institution

Advanced Measurement Approaches - based on the internally developed risk measurement framework of the bank adhering to the standards prescribed