Operational Risk (OR) is the risk of direct and indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes reputational and strategic risks.
According to the Basel II accord, a financial institution, based on the level of sophistication of their operational risk management systems and practices, has the option of using one of the following approaches to calculation their operational risk capital charge:
- The Basic Indicator approach under which capital is calculated as the average over the past three years of a fixed percentage, or alpha, equal to 15% times the enterprise – level positive gross income. Negative gross incomes incurred during this period are excluded from the calculation of the average.
- The Standardized approach where fixed percentages, called betas, of 12%, 15%, or 18% depending on the business line, are applied to that line’s gross income, positive or negative. The sum across business lines is floored at zero. The average of this result over the previous three years is the capital charge.
There is an alternative to the Standardized Approach called the Alternative Standardized Approach that is available to entities that demonstrate that the use of this measure produces a better and improved risk charge. Under this alternative approach, the operational risk capital charge/methodology is the same as for the Standardized Approach except for two business lines — retail banking and commercial banking. For these business lines, loans and advances — multiplied by a fixed factor ‘m’ — replaces gross income as the exposure indicator.
- The Advanced Measurement Approach (AMA) is calculated using the bank’s own internal operational risk measurement system. The internal operational risk measurement system must consist of the following four data elements:
- Internal loss data,
- External loss data,
- Scenario analysis, and
- Business environment and internal control systems factors.
The next two sections review the current definition of Business lines, activities and loss events.
Operational Risk Management – Business lines and activities
According to Basel II, all activities of the entity are mapped in a mutually exclusive and jointly exhaustive manner in one of eight business lines:
| LEVEL 1 | LEVEL 2 | Activity groups |
| Corporate Finance |
Corporate Finance Municipal/Government Finance Merchant Banking Advisory Services | Mergers and acquisitions, underwriting, privatisations, securitisation, research, debt (government, high yield), equity, syndications, IPO, secondary private placements |
| Trading and Sales | Sales Market Making Proprietary positions Treasury | Fixed income, equity, foreign exchanges, commodities, credit, funding, own position securities, lending and repos, brokerage, debt, prime brokerage |
| Retail Banking |
Retail Banking | Retail lending and deposits, banking services, trust and estates |
| Private Banking | Private lending and deposits, banking services, trust and estates, investment advice | |
| Card Services | Merchant/commercial/corporate cards, private labels and retail | |
| Commercial Banking | Commercial Banking | Project finance, real estate, export finance, trade finance, factoring, leasing, lending, guarantees, bills of exchange |
| Payment and Settlement | External Clients | Payments and collections, funds transfer, clearing and settlement |
| Agency Services |
Custody | Escrow, depository receipts, securities lending (customers) corporate action |
| Corporate Agency | Issuer and paying agents | |
| Corporate Trust | ||
| Asset Management |
Discretionary Fund Management | Pooled, segregated, retail, institutional, closed, open, private equity |
| Non-discretionary Fund Management | Pooled, segregated, retail, institutional, closed, open | |
| Retail Brokerage | Retail Brokerage | Execution and full service |
Operational Risk Management – Loss event and activities
According to Basel II (Annex 9 of http://bis.org/publ/bcbs128.pdf), loss events fall into one of seven categories. These categories are further divided by sub category and activities.
Other loss types
Besides the losses defined in the table below there may also be other loss types which are important for risk management but are not generally considered in the quantification of operational risk charge. These items are useful for detecting failures and errors in processes and internal control systems. They include:
| Event- Type Category (Level 1) | Definition | Categories (Level 2) | Activity Examples (Level 3) |
| Internal Fraud |
Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/ discrimination events, which involves at least one internal party |
Unauthorized Activity |
Transactions not reported (intentional) Transaction type unauthorized (w/monetary loss) Mismarking of position (intentional) |
| Theft and Fraud | Fraud / credit fraud / worthless deposits Theft / extortion / embezzlement / robbery Misappropriation of assets Malicious destruction of assets Forgery Check kiting Smuggling Account take-over / impersonation / etc. Tax non-compliance / evasion (willful) Bribes / kickbacks Insider trading (not on firm’s account) | ||
| External Fraud |
Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party | Theft and Fraud |
Theft/Robbery Forgery Check kiting |
| Systems Security | Hacking damage Theft of information (w/monetary loss) | ||
| Employment Practices & Workplace Safety |
Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events | Employee Relations |
Compensation, benefit, termination issues Organized labor activity |
| Safe Environment | General liability (slip and fall, etc.) Employee health & safety rules events Workers compensation | ||
| Diversity & Discrimination | All discrimination types | ||
| Clients, Products & Business Practices |
Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product. | Suitability, Disclosure & Fiduciary |
Fiduciary breaches / guideline violations Suitability / disclosure issues (KYC, etc.) Retail customer disclosure violations Breach of privacy Aggressive sales Account churning Misuse of confidential information Lender liability |
| Improper Business or Market Practices | Antitrust Improper trade / market practices Market manipulation Insider trading (on firm’s account) Unlicensed activity Money laundering | ||
| Product Flaws | Product defects (unauthorized, etc.) Model errors | ||
| Selection, Sponsorship & Exposure | Failure to investigate client per guidelines Exceeding client exposure limits | ||
| Advisory Activities | Disputes over performance of advisory activities | ||
| Damage to Physical Assets | Losses arising from loss or damage to physical assets from natural disaster or other events. | Disasters and other events |
Natural disaster losses Human losses from external sources (terrorism, vandalism) |
| Business Disruption and System Failures |
Losses arising from disruption of business or system Failures | Systems |
Hardware Software Telecommunications Utility outage / disruptions |
| Execution, Delivery & Process Management |
Losses from failed transaction processing or process management, from relations with trade counterparties and vendors |
Transaction Capture, Execution & Maintenance | Miscommunication Data entry, maintenance or loading error Missed deadline or responsibility Model/system misoperation Accounting error / entity attribution error Other task misperformance Delivery failure Collateral management failure Reference Data Maintenance |
| Monitoring and Reporting | Failed mandatory reporting obligation Inaccurate external report (loss incurred) | ||
| Customer Intake and Documentation | Client permissions/disclaimers missing Legal documents missing/incomplete | ||
| Customer / Client Account Management | Unapproved access given to accounts Incorrect client records (loss incurred) Negligent loss or damage of client assets | ||
| Trade Counterparties | Non-client counterparty misperformance Misc. non-client counterparty disputes | ||
| Vendors & Suppliers | Outsourcing Vendor disputes |
- Exceptions: Actions done in breach of the laid down policies intentionally, due to extraordinary circumstances and with due approval
- Near Misses: Operational risk events that do not lead to a loss.
- Transactions in Difficulty: (TIDs) transactions that could potentially have operational loss as a probable outcome
- Operational risk gain events”: operational risk events that generate a gain
- Opportunity costs/lost revenues: operational risk events that prevent undetermined future business from being conducted (eg unbudgeted staff costs, forgone revenue and project costs related to improving processes).