Operational risk


Operational risk is "the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events, differ from the expected losses". This definition, adopted by the European Solvency II Directive for insurers, is a variation from that adopted in the Basel II regulations for banks. In October 2014, the Basel Committee on Banking Supervision proposed a revision to its operational risk capital framework that sets out a new standardized approach to replace the basic indicator approach and the standardized approach for calculating operational risk capital.
It can also include other classes of risks, such as fraud, security, privacy protection, legal risks, physical or environmental risks.
The study of operational risk is a broad discipline, close to good management and quality management.
In similar fashion, operational risks affect client satisfaction, reputation and shareholder value, all while increasing business volatility.
Contrary to other risks operational risks are usually not willingly incurred nor are they revenue driven. Moreover, they are not diversifiable and cannot be laid off. This means that as long as people, systems, and processes remain imperfect, operational risk cannot be fully eliminated.
Operational risk is, nonetheless, manageable as to keep losses within some level of risk tolerance, determined by balancing the costs of improvement against the expected benefits.
Wider trends such as globalization, the expansion of the internet and the rise of social media, as well as the increasing demands for greater corporate accountability worldwide, reinforce the need for proper operational risk management.

Background

Until Basel II reforms to banking supervision, operational risk was a residual category reserved for risks and uncertainties which were difficult to quantify and manage in traditional ways – the "other risks" basket.
Such regulations institutionalized operational risk as a category of regulatory and managerial attention and connected operational risk management with good corporate governance.
Of course, businesses in general, and other institutions such as the military, have been aware, for many years, of hazards arising from operational factors, internal or external. The primary goal of the military is to fight and win wars in quick and decisive fashion, and with minimal losses. For the military, and the businesses of the world alike, operational risk management is an effective process for preserving resources by anticipation.
Two decades of globalization and deregulation, combined with the increased sophistication of financial services around the world, have introduced additional complexities into the activities of banks, insurers and firms in general and therefore their risk profiles.
Since the mid-1990s, the topics of market risk and credit risk have been the subject of much debate and research, with the result that financial institutions have made significant progress in the identification, measurement, and management of both these forms of risk.
However, the near collapse of the U.S. financial system in September 2008 is an indication that our ability to measure market and credit risk is far from perfect and eventually led to the introduction of new regulatory requirements worldwide, including Basel III regulations for banks and Solvency II regulations for insurers.
Events such as the September 11 terrorist attacks, rogue trading losses at Société Générale, Barings, AIB, UBS, and National Australia Bank serve to highlight the fact that the scope of risk management extends beyond merely market and credit risk.
These reasons underscore banks' and supervisors' growing focus upon the identification and measurement of operational risk.
The list of risks faced by banks today includes fraud, system failures, terrorism, and employee compensation claims. These types of risk are generally classified under the term 'operational risk'.
The identification and measurement of operational risk is a real and live issue for modern-day banks, particularly since the decision by the Basel Committee on Banking Supervision to introduce a capital charge for this risk as part of the new capital adequacy framework.

Definition

The Basel Committee defines operational risk in Basel II and Basel III as:
The Basel Committee recognizes that operational risk is a term that has a variety of meanings and therefore, for internal purposes, banks are permitted to adopt their own definitions of operational risk, provided that the minimum elements in the Committee's definition are included.

Scope exclusions

The Basel II definition of operational risk excludes, for example, strategic risk – the risk of a loss arising from a poor strategic business decision.
Other risk terms are seen as potential consequences of operational risk events. For example, reputational risk can arise as a consequence of operational failures – as well as from other events.

Basel II seven event type categories

The following lists the seven official Basel II event types with some examples for each category:
  1. Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
  2. External Fraud – theft of information, hacking damage, third-party theft and forgery
  3. Employment Practices and Workplace Safety – discrimination, workers compensation, employee health and safety
  4. Clients, Products, and Business Practicemarket manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  5. Damage to Physical Assets – natural disasters, terrorism, vandalism
  6. Business Disruption and Systems Failures – utility disruptions, software failures, hardware failures
  7. Execution, Delivery, and Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

    Difficulties

It is relatively straightforward for an organization to set and observe specific, measurable levels of market risk and credit risk because models exist which attempt to predict the potential impact of market movements, or changes in the cost of credit. These models are only as good as the underlying assumptions, and a large part of the recent financial crisis arose because the valuations generated by these models for particular types of investments were based on incorrect assumptions.
By contrast, it is relatively difficult to identify or assess levels of operational risk and its many sources. Historically organizations have accepted operational risk as an unavoidable cost of doing business. Many now though collect data on operational losses – for example through system failure or fraud – and are using this data to model operational risk and to calculate a capital reserve against future operational losses. In addition to the Basel II requirement for banks, this is now a requirement for European insurance firms who are in the process of implementing Solvency II, the equivalent of Basel II for the insurance sector.

Methods for calculating operational risk capital

Basel II and various supervisory bodies of the countries have prescribed various soundness standards for operational risk management for banks and similar financial institutions. To complement these standards, Basel II has given guidance to 3 broad methods of capital calculation for operational risk:
The operational risk management framework should include identification, measurement, monitoring, reporting, control and mitigation frameworks for operational risk.
There are a number of methodologies to choose from when modeling operational risk, each with its advantages and target applications. The ultimate choice of the methodology/methodologies to use in your institution depends on a number of factors, including:
The Basel Committee on Banking Supervision has proposed the "Standardised Measurement Approach" as a method of assessing operational risk as a replacement for all existing approaches, including AMA. The objective is to provide stable, comparable and risk-sensitive estimates for the operational risk exposure and is effective January 1, 2022.
The SMA puts weight on the internal loss history. It is possible to consider net losses.
The marginal coefficient increases with the size of the BI as shown in the table below.
BucketBI range BI marginal coefficients
1≤112%
21 < BI ≤3015%
3> 3018%

The ILM is defined as:
where the Loss Component is equal to 15 times average annual operational risk losses incurred over the previous 10 years.