Importance of Operational Risk in Banks
2.1 Introduction
The purpose of this chapter is to survey the recent literature on operational risk in banks. The starting point is to define financial risk and risk management in order to have an overview of risks in the financial sector. Then the chapter continues to define operational risk which is the central theme of this study, and then it proceeds to examine the importance and classification of operational risk. Furthermore this chapter will discuss the characteristics of operational risk and the operational risk process.
2.2 What is operational risk?
Among the various risks that financial organizations face, operational risks are regarded as being the most important of them because they can lead to the destruction of a business. This could be the result of a loss of reputation or a loss of operation capability of a company. Nowadays several banks have their own internal definition of operational risk which must be understandable, recognized, and identical across the bank.
According to Medova and Kyriacou [1] (2001) practitioners define operational risk as ‘everything not covered by exposure to credit and market risk.’ This definition is not easy to work with and cannot be the basis of operational risk measurement. The reason for this is that de¬ning operational risk as the difference between total risk and the sum of market risk and credit risk makes it impractical to identify activities that give rise to operational risk, which is a requirement for measuring and modelling this kind of risk.
The definition which was initially proposed by the British Bankers Association is extensively used and adopted by the Bank for International Settlement in January 2001. Operational risk was described as:
‘the risk of direct or indirect loss resulting from inadequate or failed internal processes, people or systems or from external events.’
This definition covers legal risk but excludes strategic and reputational risk. The principle behind this is that of having a minimum regulatory operational risk capital charge. The reaction of the industry to this definition was a critical one as the definition of direct and indirect losses was not clear. In this regard the Basel committee on banking supervision proposed an amended definition for operational risk. This definition overlooked any indirect losses for the purpose of determining regulatory capital, since these losses are difficult to measure. More precisely, the Basel Committee on Banking Supervision (2004a) de¬nes operational risk as
“the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”.
This definition is based on the fundamental causes of operational risk. It tries to ascertain why a loss happened and at a wider level it distinguishes among four causes: people, processes, systems and external factors.
Although there is no single agreed upon definition of operational risk, risk professionals agreed among themselves that the definition should include:
‘Breakdowns or failures relating to people, internal processes, technology or the consequences of external events.’ – International Association of Financial Engineers
2.3 Importance of Operational Risk.
The frequent appearance of financial scandals in the financial industry has intensified attention on operational risk. Although the risk of fraud and external events has been in existence since the beginning of banking, the possibility that operational risk might arise has increased due to recent technological advances. According to the BCBS (1999) operational risk is
‘sufficiently important for banks to devote the necessary resources to quantify.’
Hiwatashi (2002) stated that operational risk has increased its importance and is being looked at by various banks due to deregulation, improvements in technology and increased international competition. Likewise the increase in the number of mergers and acquisition has expanded operational risk in banks. Wharton (2002) declared that the benefit of managing operational risk is of great importance due to the fact that while innovative financing techniques have reduced credit and market risk it has expanded operational risk within banks. Hiwatashi (2002) also said that due to the increased complexity in bank operations, the need for effective risk management has also increased therefore making traditional qualitative risk management inadequate. According to Hiwatashi banks strive to measure operational risk for a number of reasons. The first reason is that a bank will be better able to develop objective measures in order to examine the adequacy of internal risk control processes. Secondly, the increase in the viability of the methods used to calculate operational risk has induced banks to allocate economic capital to operational risk.
2.4 Classification of Operational risk.
Operational losses can be classified on three different criteria: the causes of operational failure, the resulting loss event, and the legal and accounting forms of consequential losses.
Figure 2.1 The three dimensions of operational losses
Inadequate employee management
Obsolete computer systems
Inexperienced personnel
Large transaction volumes
Internal fraud
External fraud
Discrimination
System failure
Natural disasters
Write-downs
Loss of recourse
Legal liability
Regulatory and compliance
Damage to physical assets
Source: Mori and Harada (2001, p. 3)
A comprehensive loss event type classification is proposed by the BCBS. This is shown in Appendix 1.
Classification of losses based on causes would include
People risk. This risk can take place due to workers’ compensation claims, desecration of employee health and safety rules and discrimination claims. People risks can also comprise inadequate training and management, human error, lack of segregation of duties, dependence on key individuals, lack of integrity, and lack of honesty. These risks can be minimized through intensive training of staff, implementation of adequate controls and improved staffing resources.
Process risk. These risks are related to the implementation and upholding of transactions as well as the various other aspects of managing a business. This includes new products and services risk, errors and omissions, inadequate or tough security, incompetent quality control and so on.
System and technology risk. The growing reliance on IT systems by banks is a major source of operational risk. Data corruption problems, whether unintentional or on purpose, are regular sources of embarrassing and costly operational mistakes.
External risk. This source of risk is the most difficult to manage as institutions do not have much control over it. For instance, external risk includes external fraud such as external money laundering, natural disasters such as floods and non-natural disaster.
The Basel committee has recommended the classification of operational risk into controllable units on the basis of regulatory-designated business units. The main drawback in using it is that it may be inadequate for banks since the composition of the regulatory business lines for the standardized approach does not exhibit the way in which banks are structured. This categorization is shown in appendix A.
Peccia (2003) suggests that the classification of losses by the area of impact on the outcome is more suitable since the eventual intent is to justify the volatility of earnings coming up from the direct impact of losses on the financial results.
2.5 The Characteristics of Operational Risk
Operational risk has several characteristics that distinguish it from other types of risk. The three main characteristics are that it is diverse, one-sided and idiosyncratic. The diversity of operational risk is one of the features that distinguish it from market and credit risk. Its diversity does not make it easy to define operational risk as it entails a number of aspects.
The BCBS (2003c, p 6.) emphasised the diversity of operational risk by maintaining that
“it can occur in any activity, function, or unit of the institution.”
Another unique characteristic of operational risk is that it is one sided in the sense that it is an undesired by product of increasingly complex business operations. This implies that losses can occur due to exposure to operational risk especially when there is not improvement in the rate of return on capital and assets. The view of operational risk as being one sided was brought forward by Lewis and Lantsman (2005) as
‘There is a one-sided probability of loss or no loss.’ [2]
An additional feature of operational risk is idiosyncratic meaning that when it hits one bank it does not spread on to other banks. Operational risk was also described as idiosyncratic by Lewis and Lantsman (2005) since:
‘The risk of loss tends to be uncorrelated with general market forces.’
Finally, other characteristics that distinguish operational risk from credit and market risk are that in the case of operational risk the concept of exposure is not clear, there is the difficulty in de¬ning a suitable element of risk since this element varies across and within banks and that it may be hard to separate the loss events attributable to the three kinds of risks.
2.6 Risk Management Environment
The building of an appropriate infrastructure aimed at controlling the banks’ operations and the resultant risk is generally left in the hands of the business unit.
2.6.1 Risk Identification and assessment
An effective operational risk management system should identify both the internal and external factors that could influence the accomplishment of its bank’s objectives either positively or negatively. Internal risks arise from the bank’s structure, the nature of the bank’s activities, the quality of the bank’s human resources and organizational changes while external risk result from changes in industry and technological progress. Tools utilized in identifying and assessing operational risk include:
Internal Loss Data Collection and Analysis:
An examination of loss events can produce an explanation of the origin of large losses and knowledge on whether control failures are remote or consistent.
Risk Self-Assessment
This requires banks to assess its operations and activities against a list of potential exposure to operational risk. This process is carried out internally and frequently it includes checklists and/or workshops to spot the strengths and weaknesses of the operational risk environment. An example is the use of scorecards; these transform qualitative assessments into quantitative metrics that provide a comparative ranking of the various types of operational risk exposures.
Risk Maps
The risk mapping process should identify all the potential risks that might influence the main processes, people, and operational systems and link them to the operations process map. This process can reveal areas of weakness and help undertake management action.
Figure 2.3: Risk map
Source: C.Alexander (2003)
2.6.2 Measurement
The aim of the risk measurement stage is to provide an insight on the degree of exposure, how efficiently are controls working and whether exposures are shifting therefore requiring attention. There are six types of measures frequently applied. These are:
Risk drivers.
These are measures that run the inherent risk profile of the organization. Changes in the risk profile will lead to the usage of different measures. There are varies risk drivers which are
transaction volumes,
staff levels,
skill levels
customer satisfaction
Market volatility
Product maturity
Level of automation
Results obtained from this measure might be qualitative however they can have value when analyzed as a measure across business areas. Risk drivers are helpful in predicting future issues as they are forward-looking measures. Major changes in risk drivers could mean changes largely on the level of quality or it may indicate a possible rise in operational losses or other kinds of risk.
Risk Indicators
These are measures applied to monitor the performance and status of the control environment of a specific business area for a given operational risk category. Risk indicators can be measured frequently, for instance on a-daily basis. The main benefits of risk indicators are that the operational risk management process is kept dynamic and risk profiles are up-to-date.
Loss History
The three main motives in collecting a historical series of loss data are: to generate awareness at several levels of the organization; for empirical analysis so that corrective action is taken to enhance the control environment and to create the foundation for the quantification of operational risk capital.
Casual Models.
These models present the quantitative framework to predict potential losses and act upon them. These models construct their multivariate distributions based on the history of risk drivers, risk indicators and loss events. The goal of these models is to establish which factor(s) have the utmost connection with losses.
Capital models
Capital plays an important part in achieving complete pricing models and risk-adjusted operation measures. The Basel committee suggested three approaches for calculating regulatory capital that are: Basic indicator approach, Standardized approach and the advanced measurement approach.
Performance measures
These measures are employed at the commencement of the year to set targets and at the end of the year to determine their performance. Instances of performance measures include; the reporting of the self-assessment process, problems resolved promptly and the detection of issues in accordance with the self-assessment process.
2.6.3 Risk analyses, monitoring and reporting.
Banks should have in place an adequate and regular monitoring process that helps banks to detect quickly and adjust deficiencies in policies, procedures and practices which in turn help reduce the potential frequency and/or severity of a loss event. In addition banks should establish suitable indicators to provide them with early notifications of any increase in future losses. These indicators should be forward-looking that could signal the potential sources of operational risk.
The outcome of these monitoring activities should be incorporated in frequent management and board reports as is the case for compliance reviews carried out by the internal audit or risk management functions. The operational risk reports should enclose internal financial, operational, and compliance data as well as external market information. In addition, they should be distributed among several areas of the bank so that problem areas could take timely corrective action. Also bank should regularly confirm that the timelines, accuracy, and significance of reporting systems and internal controls are reliable. The monitoring stage is essential as it will enable the board of directors to understand the bank’s overall operational risk profile and concentrate on the strategic implications of the business.
2.6.4 Control and mitigate.
Once risks are identified and measured, then banks have to choose which action to take to control or mitigate risk. These actions include:
Risk avoidance,
Risk avoidance can be quite hard and may raise issues about the feasibility of the business in terms of the risk-return relation.
Risk reduction,
Here banks adopt the practice of risk control efforts which may comprise schemes that range from business re-engineering to staff training. Risk reduction involves the use of a heat map as shown in Fig 2.4. If the risk appetite of the firm permits it to be in the lowest three risk zones, it will move points falling in the high risk zones to the low risk zones by spending more money to strengthen controls and/or lessening the complexity of the business environment.
Fig 2.4: Risk reduction by strengthening controls and reducing complexity
Source: Moosa, I. A. (2007)
Risk transfer
Mestchian (2003) described risk transfer as ‘the external solution to operational risk.’ The principal tool for risk transfer is insurance such as property protection, fire, workers compensation, employers’ liability and professional indemnity.
(iv) Risk assumption
Risk assumption is the act of taking on risk either through proactive decision or non-payment. Here risk is supported by the firm’s capital.
In practice, a firm may use an amalgamation of risk reduction, risk transfer and risk taking but it depends on the frequency and severity of the underlying risk.
2. 7 The Basel Committee and operational Risk
The Basel committee on banking supervision (BCBS) is a committee of banking supervisory authorities which was established in 1975 by the central bank governors of the Group of Ten. It is the major player in the network of financial risk regulation and it aims to set risk management regulations to financial institutions worldwide in order to ensure harmonization across all sectors in the financial industry. The BCBS strive to enhance the quality of banking supervision by exchanging information on national supervisory issues, methods and techniques in order to support a general understanding.
2. 7. 1 The 1988 Basel Accord and the Basel II Accord.
In 1988 the BCBS developed a global standard for measuring capital adequacy for banks which became to be known as the Basel I Accord. The objective behind this framework was to stabilize the way banks were regulated in varies countries. In addition, the Accord made it feasible for banks to practice better capital allocation and regulatory decision-making thereby assist in making the financial system more sound and stable. The capital requirement set in The 1988 Accord was only in terms of credit risk even though the total capital requirement was planned to cover other risks as well. A single, one-size-fits-all credit risk measurement framework was laid down in this Accord.
The BCBS took on a comprehensive amendment on the 1988 Accord. The reason being its inability to deal with changes in the banking environment such as taking into consideration market innovations, and the shift toward a more complex banking industry which made the 1988 Accord outdated. Furthermore, one of the key objectives behind the implementation of the Basel II Accord is to tighten the gap between regulatory capital requirements and the economic capital generated by the banks’ own internal models. The finalization of the Basel II capital accord was in June 2006. It sets and defines detailed instructions on the capital assessment of operational risk and recommends a number of methods that banks may consider in the estimation of the operational capital charge.
2. 7. 2 The Three pillars of the Basel II Accord
The main elements of a successful operational risk management system are thoroughly detailed in the three pillars of Basel II. This Accord sets up an explicit treatment of operational risk. It requires banks to hold independently identified regulatory capital for operational risk, further supervisory scrutiny of their risk management will be faced and the size of the capital charge for operational risk is expected to be revealed as well as the procedure used to determine it. These pillars are applicable not solely to operational risk but also to credit and market risk.
The three pillars of the Basel II Accord are as follows:
2. 7. 2. 1 Pillar 1: Minimum Capital Requirements
The minimal capital requirements for operational risk are determined using one of the measurement approaches set by the Basel Committee. The committee allows banks to use different approaches for the various parts of their operations.
The three methods presented by the Basel Committee are:
Basic indicator approach.
The basic indicator approach utilizes a single indicator to calculate the capital reserve:
The average annual gross income that is net interest income + net non- interest income. The capital charge is 15% of the average gross income for the last three years.
Fixed percentage α. This is set to 15 % by the Basel Committee.
The main benefits behind this approach are that it is simple and transparent and that it makes use of easily accessible data. In addition its implementation is simple and can be collectively applied across financial organizations in order to establish the charge for operational risk. However one main drawback of this approach is that it is only responsive to a limited firm-specific needs and qualities. Since the capital charge set by the supervisors does not justify the quality of controls, it is expected to be used by small banks with only a few business lines.
The Standardized Approach.
The standardized approach in contrast to the basic indicator approach is more complicated when it comes to the calculation of the capital charge as it uses a combination of financial indicators and organizational business lines. In this approach gross income is split into eight standard business lines, each with a different beta factor to calculate the minimum capital. This is shown in the table below.
For the standardized approach, the capital reserve is thus calculated using the following formula:
Where
KTSA = Total capital charge under the standardized approach
GI(1–8) = Annual gross income for each of the eight business lines in a given year over a period of three years
β(1–8) = A fixed percentage, set by the Basel Committee, related to the business line
The main advantage behind this approach is that it better signals the varying risks across business lines. In spite of this it can only be used if the bank exhibits effective operational risk management and control.
The Advanced Measurement Approach
The AMA approach is meant to be complex, advanced and the most risk sensitive among the three approaches. The BCBS (2004a) rewards a lower capital charge to those banks that progress from the BIA to the AMA approach. It is important that the AMA approach should be approved by the supervisors before banks are able to apply it. The capital charge requirement in the AMA approach is derived from the banks’ use of its internal operational risk measurement system. Only under this approach the committee considers insurance as a mitigator of operational risk.
2. 7. 2. 2 Pillar 2: Supervisory Review Process.
The main task of Pillar II is to set up adequate regulatory policies to overview the capital adequacy in banks. This Pillar is built around four key principles. Basically these involve: banks to have a process to evaluate their overall capital in association with their risk profile and a strategy to keep up with their capital levels. The other principle states that supervisors should check the banks’ internal capital adequacy tools and strategies together with their competence to monitor and certify their compliance with regulatory capital ratios. Also banks are required to operate above the minimum regulatory capital ratios and hold capital in excess of the minimum. Lastly supervisors should take prompt action when capital falls below the minimum levels required to hold the risk characteristics of the bank.
2. 7. 2. 3 Pillar 3: Enhanced Disclosure- Market Discipline.
This pillar encourages banks to make regular disclosure of information in order to improve market discipline, making banks’ risk management more effective. However this will require market participants to be sufficiently informed about the operational risks the bank is taking as it plays a key role by financial transparency in Basel II. The banking committee deems that disclosures are needed on a semi-annual basis, as quoted in section 211 of the “New Basel Capital Accord: An Explanatory Note.”
Consequently banks should have:
A Formal disclosure policy accepted by the board of directors that deals with the banks approach for determining what disclosures it will formulate and the internal controls over the disclosure process.
A process for evaluating the suitability of their disclosures including validation and their frequency.
Some of the core qualitative and quantitative aspects that financial organizations ought to disclose are listed in the table hereunder:
