Chapter 16
MANAGING OPERATIONAL RISK

In this chapter we introduce the concept of operational risk management in banking. Operational risk is as old as banking, but its management has only recently been given some of the focus afforded to credit, interest rate, market, and liquidity risk due to regulator attention. In the past, operational risk was often simply placed in the same category as credit risk, despite it being different conceptually.

Measurement, modelling, and capital allocation associated with operational risk are challenging and are the topic of much debate. However, operational risk management continues to grow and be refined as a discipline in the face of losses in an increasingly complex banking environment driven by globalisation, regulation, and technology.

As with other risks, the Board of Directors should approve appropriate limits for specific and overall operational risk in the risk appetite statement.

OPERATIONAL RISK OVERVIEW

Whether huge and headline making or relatively small, banks suffer losses regularly from risks outside of credit, interest rates, and markets. In the 1990s, once the Basel Committee had determined that operational risk should be formalised as a concept in Basel II – with capital allocated against it – market participants made attempts to create a working definition. For many, operational risk was simply “other” risk, or a residual category for difficult to measure risk. Presently, most accept the Basel II definition of “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events”. For regulatory capital purposes, this includes legal risk but not reputational and strategic risks.

Operational risk is a test of management and corporate governance and can stem from:

  • Internal processes: must have clear, orderly, and complete processes to meet responsibilities to clients, manage risk, control payments, protect against fraud, and comply with regulation;
  • People: must communicate and enforce rules, minimise conflicts of interest, and set proper incentives to maintain an ethical culture;
  • Systems: must have adequate technology resources that are backed up and protected from security breaches;
  • External events: must know and monitor clients to guard against fraud and protect people and facilities.

Operational risk management encompasses quality, change, and business continuity management disciplines, and also crisis management in adverse situations. While not included in the regulatory definition of operational risk or capital allocation, operational risk failings affect reputation, client satisfaction, business and earnings volatility, as well as shareholder value.

Basel II specified seven Level 1 categories of operational risk: Internal Fraud; External Fraud; Employment Practices and Workplace Safety; Clients, Products, and Business Practices; Damage to Physical Assets; Business Disruption and System Failures; and Execution, Delivery, and Process Management. These are further broken down into Level 2 and Level 3 categories. Examples of actual operational risk failures are shown in Figure 16.1.

Type                Category                                  Description                  Bank                     Year
------------------  ----------------------------------------  ---------------------------  -----------------------  ----
Internal Fraud      Fraud/unauthorised trading                Derivatives                  Barings                  1995
                    Fraud/unauthorised trading                US Treasury bonds            Daiwa                    1995
                    Fraud/unauthorised trading                Commodities                  Sumitomo                 1996
                    Fraud/unauthorised trading                Foreign exchange             Allied Irish             2002
                    Fraud/unauthorised trading                Foreign exchange             National Australia Bank  2004
                    Fraud/unauthorised trading                Proprietary trading          Société Générale         2008
                    Fraud/unauthorised trading                Exchange traded funds        UBS                      2011

External Fraud      Accounting fraud/Parmalat                 Overstated earnings          Numerous                 2003
                    Accounting fraud/WorldCom                 Overstated earnings          Numerous                 2004
                    Accounting fraud/Enron                    Overstated earnings          Numerous                 2004

Employment          Discrimination                            Racial bias                  Merrill Lynch            2013

Business Practices  Mutual funds trading abuse                Late trading                 Bank of America          2003
                    Market manipulation                       European Treasury bonds      Citi                     2006
                    ABS mis‐selling                           CDOs                         Goldman Sachs            2007
                    Libor rigging                             Collusion                    Numerous                 2008
                    Discriminatory lending                    Racial bias                  Wells Fargo              2012
                    Aid tax evasion                           Inadequate reporting         Swiss banks              2013
                    Swaps mis‐selling                         Overselling                  UK banks                 2013

Physical            Terrorist attack – 9/11                   Disruption, destruction      Numerous                 2011

Systems/Execution   Faulty mortgage underwriting              Incomplete data, records     Numerous                 2008
                    Payment processing failure                No client access to funds    RBS                      2012
                    Trading risk controls failure             Proprietary trading          J.P. Morgan              2012
                    Money laundering risk controls failure    Inadequate checks            Numerous                 2013
                    Accounting failure                        Capital position             Bank of America          2014

Figure 16.1 Operational risk failure: types and examples

Banks extend the grouping of loss events along eight business lines to create a matrix. Business lines include commercial banking, retail banking, payment and settlement, agency services, trading and sales, corporate finance, asset management, and retail brokerage. Regulators have worked with banks to map business activities to business lines to avoid distortions and arbitrage.

Unlike lending or trading, new operational risks are not acquired to build revenue and profits. Operational risks can be more difficult to foresee and cannot be diversified, sold off, or hedged in the banking market. The only potential mitigation and pricing tool is insurance, which depends on availability. While operational risk cannot be eliminated, the goal must be to keep it within acceptable limits and prevent it from surpassing potential gains. Processes should be improved and protection increased when the benefits are likely to exceed the costs.

When the concept of operational risk was first formulated, some banks drew on inspiration from other institutions that had extensive experience monitoring operational risk, such as the military, in building their own methodologies.

CONDUCT RISK

While not an explicit part of the Basel framework, the concept of conduct risk has gained intensive focus following the financial crisis. The OECD has published multilaterally agreed, government backed guidelines for corporate behaviour, as well as guidelines for consumer financial protection. When the UK's Financial Conduct Authority (FCA) was launched in 2013, it placed conduct risk at the centre of its agenda. While not formally defined, conduct risk is the risk that a bank's performance will result in poor outcomes for customers. From the perspective of shareholders, this could be an issue as serious as market risk because such a negative outcome could have an impact as extreme as any other risk exposure and ultimately result in the bank's collapse.

Simply stated, banks must demonstrate fair regard for the interests of their customers in order to maintain the integrity of markets.

The FCA defines drivers of conduct risk as:

  • Inherent: information asymmetries, biases and heuristics, inadequate financial capability;
  • Structures and behaviours: ineffective competition, culture, and incentives, conflicts of interest;
  • Environmental: regulatory and policy changes, technological developments, economic and market trends.

Negative behaviours the FCA is working to eradicate include:

  • Putting profits ahead of ethics and customer interests;
  • Taking tick‐box and legalistic approaches in dealing with customers, where compliance is limited to the letter rather than the spirit of the law;
  • Treating disclosure at the point of sale as the end of responsibility to ensure a good outcome for the customer.

The FCA is striving to keep “the wrong products from ending up in the wrong hands” and avoiding “people not being able to get access to the right products, to the detriment of society”.

While much of the focus of conduct risk pertains to consumers, the principles apply to wholesale business as well.

Products with high growth and margins have potentially high conduct risk, and warrant added management scrutiny.

The management of conduct risk falls to the Chief Risk Officer's (CRO) department.

OPERATIONAL RISK MEASUREMENT

The key to developing operational risk management has been the building of operational risk measurement. To achieve this, historical data is gathered and organised into an internal loss database. Consequently, operational risk measurement and therefore management has become more robust, objective, and credible. Rather than relying simply on “expert” opinion, data is measured and audited. Risk can be replicated, referred to, and compared. This leads to a greater understanding of business area processes and can further highlight the risks to back up hard decisions on resources, limits, and capital.

The data process must consider:

  • Automation: makes for ease of access and consistency;
  • Frequency: some data can be collected daily (for example, transaction processing) while other data (for example, fraud or losses) can only be collected in a more meaningful way on a monthly or quarterly basis, etc.;
  • Detail: some types of data can be collected more easily (for example, legal fees, customer compensation, fines) than others (for example, increased funding costs for failed trades).

Once risk is identified and classified, data can be collected and modelling can begin.

OPERATIONAL RISK MEASUREMENT CONCEPTS

Data capture should include gross loss amounts, dates, and any recoveries, as well as qualitative descriptions of events and causes.

Loss definition

Gross loss is the loss from an operational risk before recoveries. The loss may be recorded for risk management purposes before its consequences appear in the financial statements. Net loss is the loss after recoveries; it may be amended over time as recoveries are made. Insurance should be treated as a special recovery category, otherwise it will obscure the measurement of the riskiness of the activity.

Loss data thresholds

Loss collection thresholds are the minimum values above which loss amounts must be collected and recorded in the internal loss database. In setting thresholds, banks must ensure that all material exposure is captured.

Thresholds are a supervisory requirement. Levels may vary across business lines, but regulators seek consistency among peer banks.

Banks generally use judgement rather than statistical evidence to set thresholds. However, the level can affect modelling of expected losses. Losses must not be disregarded only because they are relatively small, and in fact recording “near losses” can be valuable. The higher the threshold, the more difficult it may be to reconcile operational risk totals with the financial statements.

A simple test of the appropriateness of the current threshold is to calculate the total subthreshold losses as a percentage of all losses.
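The following worked example is added here and is not part of the original chapter. It implements a minimal internal loss database in Python that applies the definitions above: gross loss, net loss with insurance kept as a separate recovery category, the incurred/reported gap, and the sub-threshold test. All records, amounts and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class LossEvent:
    """One record of the internal loss database, with the fields the chapter calls for."""
    event_id: str
    business_line: str
    level1_category: str
    incurred: date            # when the loss started to build up
    reported: date            # when it was identified and recorded
    gross_loss: float         # loss before any recoveries
    recoveries: float = 0.0   # ordinary recoveries (funds clawed back, reversed charges)
    insurance: float = 0.0    # insurance kept as a separate recovery category
    description: str = ""

    def net_loss(self, include_insurance: bool = False) -> float:
        """Loss after recoveries; insurance is netted only when explicitly requested,
        so that the riskiness of the activity itself is not obscured."""
        net = self.gross_loss - self.recoveries
        if include_insurance:
            net -= self.insurance
        return max(net, 0.0)

    def days_to_discovery(self) -> int:
        """Gap between the incurred and reported dates (the Daiwa-style latency)."""
        return (self.reported - self.incurred).days


# Constructed sample records; all names, amounts and dates are illustrative only.
SAMPLE_LOSSES = [
    LossEvent("E1", "Trading and sales", "Internal fraud", date(2012, 3, 1),
              date(2014, 6, 15), 2_500_000, recoveries=400_000, insurance=1_000_000,
              description="Unauthorised positions concealed over two years"),
    LossEvent("E2", "Retail banking", "External fraud", date(2015, 1, 10),
              date(2015, 1, 12), 12_000, description="Card fraud"),
    LossEvent("E3", "Payment and settlement", "Execution, delivery and process management",
              date(2015, 2, 3), date(2015, 2, 3), 800, description="Mis-keyed payment fee"),
    LossEvent("E4", "Retail banking", "Clients, products and business practices",
              date(2013, 5, 1), date(2016, 2, 1), 150_000, description="Mis-selling settlement"),
    LossEvent("E5", "Payment and settlement", "Business disruption and system failures",
              date(2015, 4, 20), date(2015, 4, 21), 4_500, recoveries=4_500,
              description="Duplicate payment, fully recovered"),
    LossEvent("E6", "Corporate finance", "Damage to physical assets", date(2015, 6, 1),
              date(2015, 6, 2), 9_000, insurance=9_000, description="Water damage, insured"),
]


def total_gross(events) -> float:
    return sum(e.gross_loss for e in events)


def total_net(events, include_insurance: bool = False) -> float:
    return sum(e.net_loss(include_insurance) for e in events)


def subthreshold_share(events, threshold: float) -> float:
    """The chapter's threshold test: sub-threshold gross losses as a fraction of all losses."""
    total = total_gross(events)
    below = sum(e.gross_loss for e in events if e.gross_loss < threshold)
    return below / total if total else 0.0


def gross_by_category(events) -> dict:
    """Gross losses rolled up by Basel Level 1 category, one axis of the loss-event matrix."""
    out: dict = {}
    for e in events:
        out[e.level1_category] = out.get(e.level1_category, 0.0) + e.gross_loss
    return out
```

Running the threshold test at 10,000 and 20,000 on the sample shows how the share below threshold moves, which is the figure a bank would track when deciding whether its threshold is still appropriate.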

Date of loss allocation

Losses from operational risk often build up over time and are not identified for months or years. The Daiwa unauthorised trading scandal proceeded for more than 10 years (“incurred”) before it was exposed (“reported”). Legal settlements and regulatory fines are generally incurred well after events. Recognition of loss may vary for risk measurement and financial statement purposes.

Losses may best be modelled when assigned to a wider timeframe.

Grouping of loss events

Banks sometimes group a number of losses into a single loss for purposes of efficiency. If the individual losses are small and unrelated, the group should be excluded in the modelling process to prevent distortion of the results.

Model granularity, model validation, and monitoring

Limiting the number of loss groupings makes for a critical mass of data and overall simplicity. This may be unsatisfactory if risks within groups are substantially different and independent. According to the Basel text, measurement “must be sufficiently ‘granular’ to capture the major drivers of operational risk affecting the shape of the tail of the loss estimates”. If data is limited, external data sources or different modelling techniques are required.

As with other types of risks, methods and models must be monitored and validated on a periodic basis, and if necessary reviewed by specialist external parties. This includes:

  • Integrity of inputs, assumptions, processes, and outputs;
  • Independence from business lines;
  • Relevance and soundness of model through testing;
  • Consistency with policies approved by the Board of Directors.

The monitoring and validation process should ask whether the framework is a realistic reflection of the operational risk position and highlight any issues or deficiencies.

Distribution assumptions

Distribution assumptions form the basis of all operational risk models, and are made for severity and frequency. Banks use a range of distributions to estimate severity, including generalised power law Pareto distributions of extreme value theory, empirical distributions, and lognormal distributions.

In estimating frequency, there is a consensus among most banks that a Poisson distribution should be used, but some assume a negative binomial distribution. In using a Poisson distribution, banks must consider how capital needs could be met if loss frequency exceeds what would seem the most reasonable of conservative assumptions.

It is important not to restrict the analysis to one type of distribution, but to rather test and parameterise several based on the available data.

Banks can model “working” (expected losses/provisioning) and “non‐working” (unexpected) losses separately.
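The following Monte Carlo example is added here and is not from the original chapter. It combines a Poisson frequency assumption with a lognormal (or, as an alternative to test, Pareto) severity assumption to build a one-year aggregate loss distribution, and then splits it into “working” (expected) and “non‐working” (unexpected) losses at a chosen confidence level. The rate, severity parameters, simulation count and the 99.9% confidence level are constructed assumptions, not figures from the chapter; only the Python standard library is used.

```python
import math
import random

def poisson_draw(rng: random.Random, lam: float) -> int:
    """Knuth's inversion method for a Poisson(lam) draw; adequate for the modest rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def mean_event_count(lam: float, n_sims: int = 20_000, seed: int = 11) -> float:
    """Sanity check on the frequency assumption: the sample mean should approach lam."""
    rng = random.Random(seed)
    return sum(poisson_draw(rng, lam) for _ in range(n_sims)) / n_sims

def lognormal_severity(median: float, sigma: float):
    """Severity sampler with a lognormal body; returns a callable taking the RNG."""
    mu = math.log(median)
    return lambda rng: rng.lognormvariate(mu, sigma)

def pareto_severity(scale: float, alpha: float):
    """Heavier-tailed alternative (Pareto), since several fits should be tried on the data."""
    return lambda rng: scale * rng.paretovariate(alpha)

def simulate_aggregate_losses(lam, severity, n_sims, seed=7):
    """Monte Carlo over one year: a Poisson event count, each event drawing its own severity."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_sims):
        n = poisson_draw(rng, lam)
        totals.append(sum(severity(rng) for _ in range(n)))
    return totals

def quantile(values, q):
    """Empirical quantile using the ceiling rank (conservative in the tail)."""
    s = sorted(values)
    idx = max(0, min(len(s) - 1, math.ceil(q * len(s)) - 1))
    return s[idx]

def lognormal_expected_loss(lam, median, sigma):
    """Closed form: expected annual loss = lam * E[severity] for a lognormal severity."""
    return lam * math.exp(math.log(median) + sigma ** 2 / 2)

def capital_split(lam, severity, n_sims=20_000, confidence=0.999, seed=7):
    """Split the simulated distribution into 'working' (expected) and
    'non-working' (unexpected) losses at the chosen confidence level."""
    totals = simulate_aggregate_losses(lam, severity, n_sims, seed)
    expected = sum(totals) / len(totals)
    var = quantile(totals, confidence)
    return {"expected": expected, "var": var, "unexpected": var - expected}

if __name__ == "__main__":
    # Constructed parameters: 5 events a year, median severity 10,000, sigma 1.
    print(capital_split(5.0, lognormal_severity(10_000, 1.0)))
```

Comparing the simulated expected loss against the closed-form value is the simplest validation step; a material gap points to a sampling or parameterisation error before the tail estimate is trusted.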

Data integration

Data integration involves combining internal loss, external loss, scenario, and control factor data to quantify operational risk. Bayesian inference can be used to update loss estimates as new data is acquired. Many banks began operational risk measurement relying on external loss data, given that internal loss data was limited. As internal loss data accumulates and its variance relative to other sources decreases, credibility models can be used to increase its weighting. This allows for a greater focus on bank‐specific rather than industry‐wide and less relevant risk data over time.

Regardless, it must be remembered that using data is backward looking and is only a guide for the future.

BASEL OPERATIONAL RISK FRAMEWORK

Based on the original Basel Accord, the Basic Indicator Approach (BIA) used a single indicator (gross income) as the proxy for overall operational risk exposure. Banks held capital for operational risk equal to the average over the previous 3 years of a fixed percentage of annual gross income (“alpha” – typically 15%). Any year that showed a negative or zero annual gross income would be excluded.

Gross income is net interest and non‐interest income before deduction of operational losses.

The Basic Indicator Approach was the simplest of Basel II operational risk approaches and often used by smaller banks with limited international operations. However, all approaches are to be replaced under Basel III final form with a single standardised approach.

STANDARDISED APPROACH

In its publication of the “final chapter” of Basel III, which some commentators refer to erroneously as “Basel IV”, the Basel Committee acknowledged that the Advanced Measurement Approach (AMA) for operational risk regulatory capital had not worked. Operational risk capital held by banks had been insufficient to cover operational risk losses and internal models had proved ineffective in assessing capital requirements for risks such as misconduct and inadequate systems and controls.

Thus, the AMA and the 3 standardised methods will be replaced with a single standardised approach. From 2022 onwards, operational risk capital will be a function of:

  • A three year average of certain Business Indicators (BI), for example, interest, lease and dividends, services and financial;
  • A Marginal Coefficient, which will increase as the BI rises (0.12 - 0.18);
  • An Internal Loss Multiplier (based upon 15 x a bank's average historical losses over the preceding 10 years).

This approach means that the internal models developed and implemented up to now will no longer be required from 2022 onwards, when there will be a single standardised approach for operational risk regulatory capital.
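As a worked comparison of the two capital calculations described above, the following Python example is added here and is not part of the original chapter. It computes the Basel II Basic Indicator Approach charge and the Basel III standardised approach charge. The bucket boundaries (EUR 1bn and EUR 30bn) and the closed form of the Internal Loss Multiplier are taken from the Basel III standard text, which the chapter summarises but does not reproduce; the gross income, Business Indicator and loss figures are constructed.

```python
import math

# Basel III standardised approach: BI bucket upper bounds (EUR) and marginal coefficients.
BI_BUCKETS = [(1e9, 0.12), (30e9, 0.15), (math.inf, 0.18)]

def bia_capital(gross_income_by_year, alpha=0.15):
    """Basel II Basic Indicator Approach: alpha times the average annual gross income
    over the last three years, dropping any year with zero or negative gross income
    from both the numerator and the denominator."""
    recent = list(gross_income_by_year)[-3:]
    positive = [g for g in recent if g > 0]
    if not positive:
        return 0.0
    return alpha * sum(positive) / len(positive)

def business_indicator_component(bi):
    """Apply the marginal coefficients slice by slice: 12% of BI up to EUR 1bn,
    15% of the slice between 1bn and 30bn, and 18% of anything above 30bn."""
    bic, lower = 0.0, 0.0
    for upper, coeff in BI_BUCKETS:
        slice_ = max(0.0, min(bi, upper) - lower)
        bic += coeff * slice_
        lower = upper
    return bic

def internal_loss_multiplier(avg_annual_losses, bic):
    """ILM = ln(e - 1 + (LC / BIC)^0.8), with LC = 15 x average annual losses.
    ILM is exactly 1 when LC equals BIC and rises above 1 for a worse loss history."""
    loss_component = 15 * avg_annual_losses
    return math.log(math.e - 1 + (loss_component / bic) ** 0.8)

def sma_capital(bi_three_years, annual_losses_ten_years):
    """Operational risk capital = BIC x ILM, using the three-year average BI and the
    ten-year average of annual operational losses."""
    bi = sum(bi_three_years) / len(bi_three_years)
    bic = business_indicator_component(bi)
    avg_loss = sum(annual_losses_ten_years) / len(annual_losses_ten_years)
    return bic * internal_loss_multiplier(avg_loss, bic)

if __name__ == "__main__":
    # Constructed figures: gross income around EUR 2bn, BI of EUR 5bn, EUR 20m of losses a year.
    print(f"BIA capital: {bia_capital([1.9e9, 2.0e9, 2.1e9]):,.0f}")
    print(f"SMA capital: {sma_capital([4.8e9, 5.0e9, 5.2e9], [20e6] * 10):,.0f}")
```

The point the ILM makes visible is that a bank whose ten-year loss history is mild relative to its BI holds less than the BIC, while a bank with heavy losses holds more; the BIA has no such sensitivity to the bank's own record.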

QUALITATIVE INPUT AND MODEL VALIDATION

Even after extensive use of quantitative methods, qualitative analysis is important in evaluating results and validating models. After sophisticated statistical modelling and simulation, the curve and severity of low probability, high impact events need to be debated. Discussions on the estimates as to how correlated these risk events are within the bank must follow.

Quantitative methods are most straightforward in analysing high probability, low impact areas like transaction processing. These methods are less useful in assessing risks related to areas such as governance, organisation, and incentives.

Banks, markets, regulations, and products change. Banks merge, restructure, and undergo shifts in organisation and culture. Business processes and technology evolve rapidly. Data can only be backward looking, so it is important for banks to use qualitative input from senior managers as well as risk and business experts. Risk events must be viewed within context as to how the individual bank would be affected, depending on circumstances. Potential severity may vary enormously, particularly if a number of events occur at once. High impact but rare events must be evaluated for general characteristics, but also uniqueness.

Banks organise regular internal workshops to discuss operational risk, with managers completing risk scorecards by business line and event. Besides frequency and financial severity, impacts such as reputation and employee retention and morale can be scored in a broader assessment of operational risk.

Just as with quantitative input, qualitative input must be assessed for quality. Risk management must attempt to ensure it is asking the right people when calling for expert opinion. Depending on the bank's culture, vested interest can bias and affect responses. Finally, some respondents may fail to grasp extreme circumstances.

Qualitative inputs should be converted into metrics for scenario analysis. Estimates from respondents on the distribution of the uncertainty of variables must be collated to anchor and adjust models. Scenario analysis should be forward looking, as clearly defined as possible, and repeatable.

Key risk indicators

As described earlier, business environment control factors are risk metrics and statistics used to monitor drivers of risk exposure.

  • Key Performance Indicators (KPIs): monitor operational efficiency (for example, system downtime, staff turnover);
  • Key Control Indicators (KCIs): monitor effectiveness of controls (for example, outstanding confirmations, audit exceptions);
  • Key Risk Indicators (KRIs): a selection of KPIs and KCIs (typically 10–15) used to warn of escalating risk to trigger management attention and action. Composite KRIs can be rolled up to top management.

Indicators must be measurable and simple, so that they do not become a control issue in themselves, and must be representative of the business line and its risk. If an indicator is broken down to the lowest level and assigned a cost centre, it can be kept in use throughout organisational changes.

The Basel Committee assumes the use of risk indicators to be subjective in nature and cautions against overweighting.

OPERATIONAL RISK MANAGEMENT FRAMEWORK

The Basel Committee has outlined 11 principles for operational risk management. These are intended to be a high‐level operating framework that should set the culture for management of operational risk at the right level.

They are as follows:

  1. The Board of Directors should establish a strong risk management culture that provides appropriate standards and incentives for responsible behaviour throughout the bank;
  2. Banks should develop, implement, and maintain a framework that is fully integrated into the bank's overall risk management processes;
  3. The Board of Directors should establish, approve, and periodically review the framework and oversee senior management to ensure effective implementation;
  4. The Board of Directors should approve an operational risk appetite and tolerance statement;
  5. Senior management should develop a clear and robust governance structure for Board approval with well‐defined lines of responsibility;
  6. Senior management should ensure identification and assessment of risk;
  7. Senior management should ensure an approval process for new products and systems;
  8. Senior management should implement a process for monitoring and reporting to support proactive management of operational risk;
  9. Banks should have a strong control environment to utilise processes and systems, internal controls, and risk mitigation and transfer;
  10. Banks should have continuity plans for severe business disruption;
  11. Banks' public disclosures should allow stakeholders to assess operational risk management.

Governance structure involves three lines of defence: business line management, risk management, and independent review (for example, audit). The latter two report to Board level committees. Risk management encompasses a number of areas including: compliance, legal, IT and data protection, new account opening, health and safety, HR screening, and building security.

Further defence comes from national supervisors and shareholders.

A good test of an operational risk management system is whether it addresses causes, events, and impact:

  • Causes: classifies reasons for losses, helps perform “root cause” analysis, seeks prevention;
  • Events: ensures risks are captured, integral to the Advanced Measurement Approach;
  • Impact: helps set priorities and mitigation strategies.

Banks will want to assess whether their approach to operational risk is more “top‐down” or “bottom‐up” orientated. “Top‐down” allows management to drive strategy and policy, unify standards, use firm‐wide experience, and mitigate risk on an aggregated basis. “Bottom‐up” fully utilises the dynamic, “real world” knowledge of those closest to the business and emphasises personal responsibility and ownership. The best approach is a combination of the two with neither overemphasised.

Mervyn King, the chair of South Africa's internationally respected King Committee on Corporate Governance, stated memorably that “the tone at the top, the tune in the middle, and the beat at the bottom” are all crucial.

CONCLUSIONS

The addition of an operational risk regulatory capital charge at the time of Basel II focused attention on this aspect of risk management in banks. Operational risk covers a wide range of exposures, from technology and physical security risk to employee fraud risk and beyond. The governance structure in place at a bank must be adequate to ensure satisfactory monitoring and mitigation of such risks. That said, similarly to the interest‐rate risk in the banking book exposure in a bank, there are few examples of a bank failing due to operational risk issues (Barings in 1995 being the notable one), and the multibillion dollar fines received by banks for issues such as compliance lapses, customer mis‐selling, and sanctions busting in the years following 2008, none of which broke any bank, suggest that this state of affairs will continue. Nevertheless, given that operational risk drives a regulatory capital charge, it remains an important area for the bank's risk management department.
