Operational Risk Management under the Basel accord

4 mins read

Operational Risk (OR) is the risk of direct and indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes reputational and strategic risks.

According to the Basel II accord, a financial institution, based on the level of sophistication of their operational risk management systems and practices, has the option of using one of the following approaches to calculation their operational risk capital charge:

  1. The Basic Indicator approach under which capital is calculated as the average over the past three years of a fixed percentage, or alpha, equal to 15% times the enterprise – level positive gross income. Negative gross incomes incurred during this period are excluded from the calculation of the average.
  2. The Standardized approach where fixed percentages, called betas, of 12%, 15%, or 18% depending on the business line, are applied to that line’s gross income, positive or negative. The sum across business lines is floored at zero. The average of this result over the previous three years is the capital charge.

    There is an alternative to the Standardized Approach called the Alternative Standardized Approach that is available to entities that demonstrate that the use of this measure produces a better and improved risk charge. Under this alternative approach, the operational risk capital charge/methodology is the same as for the Standardized Approach except for two business lines — retail banking and commercial banking. For these business lines, loans and advances — multiplied by a fixed factor ‘m’ — replaces gross income as the exposure indicator.

  3. The Advanced Measurement Approach (AMA) is calculated using the bank’s own internal operational risk measurement system. The internal operational risk measurement system must consist of the following four data elements:
    1. Internal loss data,
    2. External loss data,
    3. Scenario analysis, and
    4. Business environment and internal control systems factors.

The next two sections review the current definition of Business lines, activities and loss events.

Operational Risk Management – Business lines and activities

According to Basel II, all activities of the entity are mapped in a mutually exclusive and jointly exhaustive manner in one of eight business lines:

LEVEL 1 LEVEL 2 Activity groups
Corporate Finance Corporate Finance
Merchant Banking
Advisory Services
Mergers and acquisitions, underwriting, privatisations, securitisation, research, debt (government, high yield), equity, syndications, IPO, secondary private placements
Trading and Sales Sales
Market Making
Proprietary positions
Fixed income, equity, foreign exchanges, commodities, credit, funding, own position securities, lending and repos, brokerage, debt, prime brokerage
Retail Banking Retail Banking
Retail lending and deposits, banking services, trust and estates
Private Banking Private lending and deposits, banking services, trust and
estates, investment advice
Card Services Merchant/commercial/corporate cards, private labels and retail
Commercial Banking Commercial Banking Project finance, real estate, export finance, trade finance, factoring, leasing, lending, guarantees, bills of exchange
Payment and Settlement External Clients Payments and collections, funds transfer, clearing and settlement
Agency Services Custody

Escrow, depository receipts, securities lending (customers) corporate action
Corporate Agency Issuer and paying agents
Corporate Trust
Asset Management Discretionary Fund Management
Pooled, segregated, retail, institutional, closed, open, private equity
Non-discretionary Fund Management Pooled, segregated, retail, institutional, closed, open
Retail Brokerage Retail Brokerage Execution and full service

Operational Risk Management – Loss event and activities

According to Basel II (Annex 9 of http://bis.org/publ/bcbs128.pdf), loss events fall into one of seven categories. These categories are further divided by sub category and activities.

Other loss types

Besides the losses defined in the table below there may also be other loss types which are important for risk management but are not generally considered in the quantification of operational risk charge. These items are useful for detecting failures and errors in processes and internal control systems. They include:

Event- Type Category (Level 1) Definition Categories
(Level 2)
Activity Examples
(Level 3)
Internal Fraud Losses due to acts of a type intended to defraud,
misappropriate property or circumvent regulations,
the law or company policy, excluding diversity/
discrimination events, which involves at least one
internal party
Unauthorized Activity
Transactions not reported (intentional)
Transaction type unauthorized (w/monetary loss)
Mismarking of position (intentional)
Theft and Fraud Fraud / credit fraud / worthless deposits
Theft / extortion / embezzlement / robbery
Misappropriation of assets
Malicious destruction of assets
Check kiting
Account take-over / impersonation / etc.
Tax non-compliance / evasion (willful)
Bribes / kickbacks
Insider trading (not on firm’s account)
External Fraud Losses due to acts of a type intended to defraud,
misappropriate property or circumvent the law, by a third party
Theft and Fraud Theft/Robbery
Check kiting
Systems Security Hacking damage
Theft of information (w/monetary loss)
Employment Practices & Workplace Safety Losses arising from acts inconsistent with
employment, health or safety laws or agreements,
from payment of personal injury claims, or from
diversity / discrimination events
Employee Relations Compensation, benefit, termination issues
Organized labor activity
Safe Environment General liability (slip and fall, etc.)
Employee health & safety rules events
Workers compensation
Diversity & Discrimination All discrimination types
Clients, Products & Business Practices Losses arising from an unintentional or negligent
failure to meet a professional obligation to specific
clients (including fiduciary and suitability
requirements), or from the nature or design of a
Suitability, Disclosure & Fiduciary Fiduciary breaches / guideline violations
Suitability / disclosure issues (KYC, etc.)
Retail customer disclosure violations
Breach of privacy
Aggressive sales
Account churning
Misuse of confidential information
Lender liability
Improper Business or Market Practices Antitrust
Improper trade / market practices
Market manipulation
Insider trading (on firm’s account)
Unlicensed activity
Money laundering
Product FlawsProduct defects (unauthorized, etc.)
Model errors
Selection, Sponsorship & Exposure Failure to investigate client per guidelines
Exceeding client exposure limits
Advisory ActivitiesDisputes over performance of advisory activities
Damage to Physical Assets Losses arising from loss or damage to physical assets from natural disaster or other events. Disasters and other events Natural disaster losses
Human losses from external sources (terrorism,
Business Disruption and System Failures Losses arising from disruption of business or system
Systems Hardware
Utility outage / disruptions
Execution, Delivery & Process Management Losses from failed transaction processing or process
management, from relations with trade
counterparties and vendors
Transaction Capture, Execution &
Data entry, maintenance or loading error
Missed deadline or responsibility
Model/system misoperation
Accounting error / entity attribution error
Other task misperformance
Delivery failure
Collateral management failure
Reference Data Maintenance
Monitoring and Reporting Failed mandatory reporting obligation
Inaccurate external report (loss incurred)
Customer Intake and Documentation Client permissions/disclaimers missing
Legal documents missing/incomplete
Customer / Client Account Management Unapproved access given to accounts
Incorrect client records (loss incurred)
Negligent loss or damage of client assets
Trade Counterparties Non-client counterparty misperformance
Misc. non-client counterparty disputes
Vendors & Suppliers Outsourcing
Vendor disputes
  • Exceptions: Actions done in breach of the laid down policies intentionally, due to extraordinary circumstances and with due approval
  • Near Misses: Operational risk events that do not lead to a loss.
  • Transactions in Difficulty: (TIDs) transactions that could potentially have operational loss as a probable outcome
  • Operational risk gain events”: operational risk events that generate a gain
  • Opportunity costs/lost revenues: operational risk events that prevent undetermined future business from being conducted (eg unbudgeted staff costs, forgone revenue and project costs related to improving processes).