Operational risk management for banks
Operational Risk (OR) is the risk of direct and indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes reputational and strategic risks.
According to the Basel II accord, a financial institution, based on the level of sophistication of their operational risk management systems and practices, has the option of using one of the following approaches to calculation their operational risk capital charge:
- The basic indicator approach under which capital is calculated as the average over the past three years of a fixed percentage, or alpha, equal to 15% times the enterprise – level positive gross income. Negative gross incomes incurred during this period are excluded from the calculation of the average.
- The Standardized approach where fixed percentages, called betas, of 12%, 15%, or 18% depending on the business line, are applied to that line’s gross income, positive or negative. The sum across business lines is floored at zero. The average of this result over the previous three years is the capital charge.
There is an alternative to the Standardized Approach called the Alternative Standardized Approach that is available to entities that demonstrate that the use of this measure produces a better and improved risk charge. Under this alternative approach, the operational risk capital charge/methodology is the same as for the Standardized Approach except for two business lines — retail banking and commercial banking. For these business lines, loans and advances — multiplied by a fixed factor ‘m’ — replaces gross income as the exposure indicator.
- The Advanced Measurement approach is calculated using the banks own internal operational risk measurement system. The internal operational risk measurement system must consist of the following four data elements:
- Internal loss data,
- External loss data,
- Scenario analysis, and
- Business environment and internal control systems factors.
Within the operational risk management framework we will start our discussion with reviewing the three core components and then take a deeper look.
Risk Control Self Assessment (RCSA)
Risk control self assessments are used to identify risks present in the various units that make up the entity and the efficiency of the controls used to mitigate them.
Using RCSA helps the entity to understand its business processes of its various units (RCSA entities) and their related risks (RCSA risk types & exposure categories), define where the controls are (RCSA controls) and generate a subjective assessment of how well the controls are working (RCSA self assessment). See Annex 3 to understand the methodology followed for a RCSA process.
Key Risk Indicator (KRI)
KRIs are measurable metrics or indicators that track operational risk exposure or loss. An example of a KRI is the number of customer complaints. As the customer complaints increase, the probability that there are some underlying and potentially systemic mistakes and errors of judgment being made is likely to rise. Changes in the value of the indicator are likely to be associated with changes in operational risk exposure or operational loss exposure. Other examples of KRIs include volume, staff turnover, frequency of unmatched trades, etc.
KRI and associated loss events need to be captured with associated organization hierarchy data so that operational risk losses can be assigned to a given function within a given business line.
According to Basel II, all activities of the entity are mapped in a mutually exclusive and jointly exhaustive manner in one of eight business lines:
|LEVEL 1||LEVEL 2||Activity groups|
|Corporate Finance||Mergers and acquisitions, underwriting, privatisations, securitisation, research, debt (government, high yield), equity, syndications, IPO, secondary private placements|
|Trading and Sales||Fixed income, equity, foreign exchanges, commodities, credit, funding, own position securities, lending and repos, brokerage, debt, prime brokerage|
|Retail Banking||Retail Banking||Retail lending and deposits, banking services, trust and estates|
|Private Banking||Private lending and deposits, banking services, trust and estates, investment advice|
|Card Services||Merchant/commercial/corporate cards, private labels and retail|
|Commercial Banking||Commercial Banking||Project finance, real estate, export finance, trade finance, factoring, leasing, lending, guarantees, bills of exchange|
|Payment and Settlement||External Clients||Payments and collections, funds transfer, clearing and settlement|
|Agency Services||Custody||Escrow, depository receipts, securities lending (customers) corporate action|
|Corporate Agency||Issuer and paying agents|
|Asset Management||Discretionary Fund Management||Pooled, segregated, retail, institutional, closed, open, private equity|
|Non – Discretionary Fund Management||Pooled, segregated, retail, institutional, closed, open|
|Retail Brokerage||Execution and full service||Execution and full service|
Currently Basel II specifies eight business lines (Annex 8 of http://bis.org/publ/bcbs128.pdf ).
According to Basel II (Annex 9 of http://bis.org/publ/bcbs128.pdf), loss events fall into one of seven categories. These categories are further divided by sub category and activities.
|Event – Type Category (Level 1)||Definition||Categories (Level 2)||Activity Examples (Level 3)|
|Internal Fraud||Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/ discrimination events, which involves at least one internal party||Unauthorized Activity|
|Theft and Fraud|
|External Fraud||Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party||Theft and Fraud|
|Employment Practices & Workplace Safety||Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events||Employee Relations|
|Diversity & Discrimination||All discrimination types|
|Clients, Products & Business Practices||Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.||Suitability, Disclosure & Fiduciary|
|Improper Business or Market Practices|
|Selection, Sponsorship & Exposure|
|Advisory Activities||Disputes over performance of advisory activities|
|Damage to Physical Assets||Losses arising from loss or damage to physical assets from natural disaster or other events.||Disasters and other events|
|Business Disruption and System Failures||Losses arising from disruption of business or system Failures||Systems|
|Execution, Delivery & Process Management||Losses from failed transaction processing or process management, from relations with trade counterparties and vendors||Transaction Capture, Execution &|
|Monitoring and Reporting|
|Customer Intake and Documentation|
|Customer / Client Account Management|
|Vendors & Suppliers|
- Exceptions: Actions done in breach of the laid down policies intentionally, due to extraordinary circumstances and with due approval
- Near Misses: Operational risk events that do not lead to a loss.
- Transactions in Difficulty: (TIDs) transactions that could potentially have operational loss as a probable outcome
- Operational risk gain events”: operational risk events that generate a gain
- Opportunity costs/lost revenues: operational risk events that prevent undetermined future business from being conducted (eg unbudgeted staff costs, forgone revenue and project costs related to improving processes).
- International Convergence of Capital Measurement and Capital Standards – A Revised Framework Comprehensive Version – Basel Committee on Banking Supervision – June 2006
- Operational Risk –Supervisory Guidelines for the Advanced Measurement Approaches– Basel Committee on Banking Supervision – June 2011
- IS Auditing procedure -Control Risk Self-Assessment (RCSA) – Information Systems Audit and control systems – 2003
- Key Risk Indicators – Their Role in Operational Risk Management and Measurement – Jonathan Davies, Mike Finlay, Tara McLenaghen, Duncan Wilson – Risk Business International Limited -13-2-2006