
OPERATIONAL RISK
MANAGEMENT



















By

Lalima Arora









May, 2013


Under the guidance of



Shri R.S. Negi, Chief Manager, Bank of Baroda
Dr. K.S. Sujit, Assistant Professor, IMT, Ghaziabad









Certificate of Approval



The following Summer Project Report titled "Risk Management" is hereby approved as a certified study
in management carried out and presented in a manner satisfactory to warrant its acceptance as a
prerequisite for the award of Post-Graduate Diploma in Management for which it has been submitted.
It is understood that by this approval the undersigned do not necessarily endorse or approve any statement
made, opinion expressed or conclusion drawn therein but approve the Summer Project Report only for the
purpose it is submitted.

Summer Project Report Examination Committee for evaluation of Summer Project Report



Name / Signature

1. Faculty Examiner: Dr. K.S. Sujit ___________________

2. PG Summer Project Co-coordinator: Shree R.S. Negi ___________________






Certificate from Summer Project Guides




This is to certify that Ms. Lalima Arora, a student of the Post-Graduate Diploma in Management, has
worked under our guidance and supervision. This Summer Project Report has the requisite standard and
to the best of our knowledge no part of it has been reproduced from any other summer project,
monograph, report or book.









Dr. K.S. Sujit
Assistant Professor
IMT, Ghaziabad
Date

Shree R.S. Negi
Chief Manager
Bank of Baroda
Address: Bur Dubai
Date


Abstract

Operational Risk in Banking Sector

By

Lalima Arora

Operational risk is a daily and continuous 24 X 7 X 365 process. It is a way of life, not an event or a
meeting at the end of the quarter. Each person and stakeholder at your organization or institution is
responsible for it and should live each day embracing it. (Operationalrisk.blogspot.com)

Operational risk is a major concern in the banking sector, but it is not accorded sufficient importance.
Operational risk has the potential to ruin a bank overnight, yet researchers often place it after credit and
market risk. In 1988, the BCBS in Basel, Switzerland, published a set of recommendations on banking
laws and regulations called Basel I. The Basel I accord dealt only with credit risk, in a simple manner,
while market risk was an afterthought; operational risk was not dealt with at all.

Events such as the September 11 terrorist attacks and the rogue trading losses at Société Générale, Barings, AIB
and National Australia Bank highlight the fact that the scope of risk management extends beyond
merely market and credit risk. These events, together with the increasing risk due to advanced technology, woke the
banking world to operational risk. The growing importance of operational risk was soon realized, and
Basel came out with a second accord that provided guidelines dealing with operational risk, under 3
pillars.


This study uses the Basel framework and my personal experience under the guidance of my mentor Shree
R.S. Negi to understand the operational risk present in the banking sector, how it is dealt with and the measures to
mitigate it. The research site was Bank of Baroda, Zonal Office, Dubai. The perspective assumed was that of
the top management of these firms.


The clinical methodology used consisted of three phases:

i) A pilot study of the bank for two months, including a visit to the various
departments of the bank to understand its working. It is imperative to
understand the business for a better understanding of operational risk.
ii) Study of secondary data sources, and
iii) Use of Excel and Palisade software for calculation of the charge on data provided by the bank.


The practices were examined for three likely audiences:

i) Researchers in management
ii) Managers in bank
iii) Public policy makers in developing countries.





The major findings are:


1. The importance of Operational Risk Management has increased manifold with the increasing
sophistication of technology. Access to technology is widespread, easy and cheap.
Fraud and theft have evolved from gunmen looting the bank to highly organized rings of the best and
brightest minds using technology. The Internet and ATMs are the most-used tools for hefty and quick
frauds, involving losses of millions of dollars.

2. Basel II prescribes 3 methods to calculate the charge, which is the capital to be set aside for unexpected
losses:
2.1. Basic Indicator Approach
2.2. Standardized Approach
2.3. Advanced Measurement Approach
These techniques are discussed further in this project. Once a bank moves to a more
sophisticated technique, it cannot revert to a simpler one. The more sophisticated
the technique, the lower the charge to be set aside, generally.

3. The Basel II framework places emphasis on calculation of the charge and not on corporate governance.
Though it mentions sound policies for the management, it doesn't place sufficient emphasis on
corporate governance. Without proper governance the calculation of the charge is of no real use.

4. It is more important to plan for and prevent losses than to just set aside capital for unexpected losses. Proper
planning and sound practices help mitigate risk. Regular external audits and internal checks are an
integral part of mitigating risk. It is pertinent that top management is aware of the risk involved in the
activities performed at the ground level. They should ensure that a proper framework for mitigating
risk is formulated and adopted by the staff.




















Acknowledgement



This research paper would not have been possible without the support of many people. I would like to
express my gratitude to Shree R.S. Negi, who offered invaluable assistance, support and guidance.
I would like to thank Baral sir, our internship co-ordinator, and Sujit sir, my college project mentor, for
their constant support.

Deepest gratitude also to:

Shukla sir - SME, Zonal Office
Raghav sir - Deira branch
Manjula ma'am, JP sir, Ritika & Bindu ma'am - Operations, Dubai Office
H.K Singh - NRE desk, Dubai Office
Amrit and Veena ma'am - Treasury, Zonal Office
Kamlesh sir - Trade Finance, Zonal Office
Sunil sir - Debt Syndication, Zonal Office
Katkar sir - HR department
Hardeep sir - IT department





























Table of Contents

Abstract
Acknowledgement
Table of Contents
List of Figures
List of Tables
List of Appendices
List of Abbreviations

Contents

CHAPTER 1: HISTORY OF BANKING
CHAPTER 2: BANKING SECTOR IN UAE
CHAPTER 3: BANK OF BARODA
CHAPTER 4: TYPES OF RISK
CHAPTER 5: INTRODUCTION TO OPERATIONAL RISK
CHAPTER 6: RISK MANAGEMENT
CHAPTER 7: BASEL II
CHAPTER 8: CONCLUSION AND RECOMMENDATIONS















List of Figures

FIGURE 1: BARTER SYSTEM
FIGURE 2: GOLDSMITH
FIGURE 3: RECEIPT FOR DEPOSIT
FIGURE 4: GOLDSMITH BANKER
FIGURE 5: CENTRAL BANK LOGO
FIGURE 7: IMPORTANCE OF OPERATIONAL RISK
FIGURE 8: RISK MANAGEMENT
FIGURE 9: METHODS TO CALCULATE CHARGE
FIGURE 10: EL, UL AND VAR AT 99.9% CI
FIGURE 11: LOSS DISTRIBUTIONS
FIGURE 12: SOUND PRACTICES
FIGURE 13: SOUND PRACTICES - BOD
FIGURE 14: SOUND PRACTICES - SENIOR MANAGEMENT
FIGURE 15: TECHNIQUES TO CALCULATE CHARGE

























List of Tables

TABLE 1: BOB FACT SHEET
TABLE 2: STRUCTURE OF BOB
TABLE 3: TYPES OF RISK
TABLE 4: TIMELINE OF OPERATIONAL FAILURE IN BANKS
TABLE 5: CAUSES, EVENTS AND CONSEQUENCES
TABLE 6: CAUSES OF OPERATIONAL RISK
TABLE 7: 3 PILLARS OF BASEL II
TABLE 8: SA - BUSINESS LINES
TABLE 9: POISSON DISTRIBUTION FOR FREQUENCY
TABLE 10: PARETO DISTRIBUTION FOR SEVERITY
TABLE 11: COMBINED DISTRIBUTION






































Abbreviations


AMA Advanced Measurement Approach
BCBS Basel Committee on Banking Supervision
BIA Basic Indicator Approach
BIS Bank for International Settlement
BOB Bank of Baroda
LDA Loss Data Analysis
SA Standardised Approach
SLR
CRR
LIBOR
EBOR
ETF
M/Mn Million
B/Bn Billion
VaR Value at Risk




Reference

Books

Basel II accords, issued by BCBS, BIS


Government Publication

Central Bank of UAE website,
http://www.centralbank.ae/en/pdf/bsed/1-1-LB%20br.%20List%2031-10-2010_english.pdf


Journal Paper

Ali Samad Khan, Assessing & Measuring Operational Risk, OpRisk Advisory


Sven Muehlenbrock, Head of Financial Risk Management, Francesca Messini, FRM, Financial Risk
Management, Bertrand Segui, Actuary, Financial Risk Management: Operational Risk Business
Dialogue, KPMG


Article in a Newspaper

Indian outsourcing business under scanner after $45-mn global ATM heist, The Indian Express, May 10th, 2013


Websites

www.bankofbaroduae.ae
www.youtube.com
www.bionicturtle.com
www.wikipedia.com
www.bis.org















CHAPTER 1: HISTORY OF BANKING:



In the medieval age there were no banks and people relied on the barter system for the exchange of goods and
services. This system had been used for centuries and was functional long before money was invented.
People exchanged their goods and services for the goods and services offered by others.


Figure 1: Barter System

Need for a common unit of exchange was realized due to:

Absence of common measure of value
Need for presence of double coincidence of wants
Indivisibility of certain goods
Lack of standards for deferred payments
Difficulty in storing wealth

This problem was solved by using Gold and Silver bullion.

Figure 2: Goldsmith



At that time, disposable wealth was usually held in the form of gold or silver bullion. For safety, such
assets were kept in the safe of the local goldsmith, he usually being the only individual who had a vault
on his premises.

The goldsmith would issue a receipt for the deposit and, to undertake financial transactions, the buyer
would withdraw his gold and give it to the seller, who would then deposit it again, frequently with the
same goldsmith. As this was a time-consuming process, it became common practice for people to simply
exchange smiths' receipts when conducting financial transactions.


Figure 3: Receipt for Deposit

Meanwhile, the goldsmith had another business. He lent out his own gold, charging interest. As the
industry expanded, more and more people asked for loans. This gave the goldsmith an idea. He decided that,
as the depositors hardly ever came to remove their gold and never came at the same time, he could
get away with lending against the depositors' gold as long as borrowers repaid.
For a long time the goldsmith got richer and richer, earning interest on the depositors' gold, and he flaunted it.


Figure 4: Goldsmith Banker




The depositors soon became suspicious and threatened to withdraw their gold if the goldsmith didn't
come clean. They checked that their gold was safe with the goldsmith and demanded that they be paid a
share of the interest he earned. Thus the goldsmith became their banker.


This was the beginning of banking. The banker paid a low interest rate on deposits of other people's
money, which he then loaned out at a higher interest rate. The difference covered the bank's operational cost
and the profit.

A bank is a financial institution that accepts deposits as the source of its funds and applies these deposits for
lending and investing purposes. Banks act as intermediaries, providing a link between people with an excess
and people with a shortage of funds. But modern-day banking is not limited to this definition. Let us consider the
goldsmith's tale further.

The goldsmith banker was not satisfied with the income left after paying interest to depositors, and the
demand for credit grew fast as Europeans spread out across the world. But the gold in the vault was
limited. That's when the goldsmith got an even bolder idea: since no one except himself knew what was in
the vault, he could lend out claim cheques on gold that was not even there. As long as all the depositors
didn't come to claim their real gold at the same time, no one would find out. This scheme worked
very well, and the banker became enormously wealthy, earning interest on wealth that didn't even exist.

The idea that the banker would create money out of nothing was too outrageous for anyone to believe, and
the flaw did not occur to people. But the power to invent money went to the banker's head.
In time, the magnitude of the banker's loans and his ostentatious wealth triggered suspicion in the minds of
people. Some borrowers started to demand real gold instead of paper representations. Rumors spread and
suddenly several wealthy depositors showed up to remove their gold. But the goldsmith didn't have
enough gold to pay back the claim cheques he had put in their hands (Liquidity Risk).

This phenomenon is called a run on the bank and it ruins public confidence in all bankers (Reputational
Risk).

The run on the bank and the damage to the goldsmith's reputation were caused by the goldsmith's ambition of
earning higher profits and by the lack of system checks and proper processes (Operational Risk).

Due to the huge demand for credit, this practice of creating wealth out of nothing was legalized and regulated.
Bankers agreed to abide by limits on the fictional money they could create. The Fractional Reserve System
was introduced and the ratio was estimated at 9 (fictional money) to 1 (real money). The central bank
was set up to regulate local banks and enforce limits through surprise inspections. In case of a run, the central
bank would support the local bank with emergency infusions of gold.

Thus the concept of local bank or commercial banks supported by a Central Bank was introduced.









CHAPTER 2: BANKING SECTOR IN UAE

There are total 51 banks in UAE, out of which 23 are local banks incorporated in the UAE and 28 are
foreign banks.




UAE is a federation of 7 emirates, namely Abu Dhabi, Dubai, Sharjah, Ajman, Ras Al Khaimah, Umm Al
Quwain and Fujairah. The banking sector in UAE is managed by the Central Bank of the UAE. The main
responsibility of the Central Bank is the formulation and implementation of banking, credit and monetary
policies, to ensure the growth of the national economy of the UAE in a balanced manner.




Locally incorporated Banks in the UAE

1. National Bank of Abu Dhabi
2. Abu Dhabi Commercial Bank
3. Al Masraf (erstwhile ARBIFT)
4. Union National Bank
5. Commercial Bank of Dubai
6. Dubai Islamic Bank PJSC
7. Emirates NBD Bank
8. Emirates Islamic Bank
9. Mashreq Bank PSC
10. Sharjah Islamic Bank
11. Bank of Sharjah PSC
12. United Arab Bank PJSC
13. InvestBank PLC
14. The National Bank of R.A.K or RAKBANK
15. Commercial Bank International
16. National Bank of Fujairah PSC
17. National Bank of U.A.Q PSC
18. First Gulf Bank
19. Abu Dhabi Islamic Bank
20. Dubai Bank
21. Noor Islamic Bank
22. Al Hilal Bank
23. Ajman Bank

Foreign Banks in the UAE

1. National Bank of Bahrain
2. Rafidain Bank
3. Arab Bank PLC
4. Banque Misr
5. El Nilein Bank
6. National Bank of Oman
7. Credit Agricole - Corporate and Investment Bank
8. Bank of Baroda
9. BNP Paribas
10. Janata Bank
11. HSBC Bank Middle East Limited
12. Arab African International Bank
13. Al Khaliji (France) S. A.
14. Al Ahli Bank of Kuwait
15. Barclays Bank PLC
16. Habib Bank Ltd.
17. Habib Bank A.G Zurich
18. Standard Chartered Bank
19. CitiBank N.A.
20. Bank Saderat Iran
21. Bank Melli Iran
22. Blom Bank France
23. Lloyds TSB Bank PLC
24. The Royal Bank of Scotland N.V.
25. United Bank Ltd.
26. Doha Bank
27. Samba Financial Group
28. National Bank of Kuwait.

The Central Bank is also working to maintain a fixed exchange rate of the dirham against the U.S. dollar
and to ensure the free convertibility of the national currency into foreign currencies, in addition to its role
as "Bank of Banks" and the Government's bank and its financial adviser.

The largest bank in UAE is Emirates NBD, with a total of 129 branches, followed by
Abu Dhabi National Bank with 119 branches.

Among the foreign banks, HSBC ranks no. 1, followed by Standard Chartered, and Bank of Baroda stands
at the third position with a market share of 7%.




Figure 6: UAE Currency








Figure 5: Central Bank Logo


CHAPTER 3: BANK OF BARODA


Bank of Baroda is India's only International Bank, present in UAE for the past
39 years, with over 32 branches till date.




Table 1: BOB Fact Sheet










Structure of Bank of Baroda, Zonal office:

Table 2: Structure of BOB

Front Office:
Account Opening, issue of cheque book/ATM card
NRI Desk
Account Closing
Cash deposit/withdrawal

Back Office:
Debt Syndication
SME
Retail department
Trade Finance
Treasury
Risk Management


CHAPTER 4: TYPES OF RISK

Table 3: Types of Risk

Risk: Operational, Market, Credit, Reputational


1. Operational Risk:

Operational risk arises from the people, processes and systems through which a company
operates, and from external factors. It is the risk involved in the day-to-day
functioning of the bank. It involves:

Delay in services, long waiting lines, etc.
Fraud, theft
Mistakes
Laws and legal regulations / documentation
Environmental Risk
Concentration Risk: a bank should invest in a diversified portfolio to avoid the risk of
concentration of investment in one single industry.
Country Risk: the risk of entering into transactions with banned countries.


2. Credit Risk:

It is the risk of default by the borrower due to:

Death
Insolvency
Illness
Bankruptcy
Downturn of economy
Willful default


3. Market Risk:

Liquidity Risk: this is the risk of the bank not being able to meet unexpected demand for
cash. For this purpose the bank needs to maintain adequate liquid assets and funds in the
form of SLR and CRR with the central bank.

Currency Risk: it arises when more than one currency is involved and the rate of
exchange fluctuates.

Interest Rate Risk: it is the risk of changing interest rates (LIBOR, EBOR, etc.).



4. Reputational Risk:

It is the risk arising from negative publicity of the bank. All failures of the bank create a
negative image in the eyes of the customer and hamper the business of the bank. All other
risks, operational risk in particular, may spoil the image of the bank and break the
stakeholders' trust, leading to reputational risk.











CHAPTER 5: INTRODUCTION TO OPERATIONAL RISK

5.1. Introduction to Operational Risk






Table 4: Timeline of Operational Failure in Banks

1994: Barings Bank, rogue trader Nick Leeson, USD 1.4 billion
2008: SocGen, rogue trader Jerome Kerviel, USD 7.2 billion
2008: Northern Rock, bank run, subprime mortgage crisis
2011: UBS, rogue trader Kweku Adoboli, USD 2.3 billion
2012: RAK Bank & Bank of Muscat, hacking, USD 45 million


BARINGS BANK:


Barings Bank, one of the oldest banks in the UK, failed due to rogue trading by Nick Leeson, the
derivatives manager of the bank. He was appointed the General Manager of a new operation in
futures markets on SIMEX (Singapore International Monetary Exchange).

Leeson made unauthorized speculative trades that at first earned large profits for the bank,
amounting to £10 million, which accounted for 10% of Barings Bank's annual income.
Leeson earned a bonus of £130,000 on his salary of £50,000, and also the trust of his seniors and
the freedom to undertake any transaction. This ultimately led to the failure of the bank.



Management at Barings allowed Leeson to remain Chief Trader while also being responsible for
settling his trades (jobs usually done by two different people). This made it very easy for Leeson
to hide losses from his superiors. Leeson used one of Barings Bank's error accounts to hide his
losses, and by the end of 1992 the losses exceeded £2M. By the end of 1994 they had ballooned to
£200M.

By the end of 1992, the account's losses exceeded £2 million, which ballooned to £208 million
by the end of 1994.

The beginning of the end occurred on 16 January 1995, when Leeson placed a short straddle in
the Singapore and Tokyo stock exchanges, essentially betting that the Japanese stock market
would not move significantly overnight. However, the Kobe earthquake hit early in the morning
on 17 January, sending Asian markets, and Leeson's trading positions, into a tailspin. Leeson
attempted to recoup his losses by making a series of increasingly risky new trades (using a Long-Long
Future Arbitrage), this time betting that the Nikkei Stock Average would make a rapid
recovery. However, the recovery failed to materialize.
Leeson left a note reading "I'm Sorry" and fled Singapore on 23 February. Losses eventually
reached £827 million (US$1.4 billion), twice the bank's available trading capital. After a failed
bailout attempt, Barings was declared insolvent on 26 February.

This was a huge operational failure arising from the lack of proper supervision of employees and of the
reporting process. It could have been avoided if anyone had checked the authenticity of the
transactions undertaken by Leeson.

SOCIÉTÉ GÉNÉRALE:

Similarly, on January 24, 2008, Société Générale announced that a single futures trader,
Jerome Kerviel, had fraudulently lost the bank €4.9 billion (equivalent to $7.2 billion). He entered into
a series of bogus trades. He always closed the deal within 2-3 days, just before the bank's internal
control system would trigger a notice. Some analysts suggest that unauthorised trading of this scale
may have gone unnoticed initially due to the high volume of low-risk trades normally conducted
by his department. The bank said that whenever the fake trades were questioned, Kerviel would
describe the trade as a mistake and cancel it, after which he would replace it with
another transaction using a different instrument to avoid detection.
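
The two control gaps described in the Barings and Société Générale cases above (one person both trading and settling, and short-lived trades that are cancelled and replaced in a different instrument) can be checked mechanically on a trade blotter. The following is an added example, not part of the original report: the record layout, names and sample trades are constructed, the 3-day lifetime follows the "2-3 days" in the text, and the other thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Trade:
    trade_id: str
    trader: str        # who booked the trade
    settled_by: str    # who confirmed/settled it in the back office
    instrument: str
    opened: date
    cancelled: Optional[date] = None   # None means the trade was never cancelled


# Constructed sample blotter; every name and value is invented for illustration.
TRADES = [
    Trade("T1", "trader_a", "ops_1", "index-future", date(2024, 1, 2), date(2024, 1, 4)),
    Trade("T2", "trader_a", "ops_1", "equity-forward", date(2024, 1, 4), date(2024, 1, 7)),
    Trade("T3", "trader_a", "ops_2", "index-option", date(2024, 1, 7)),
    # One-off booking error re-entered in the same instrument: not the pattern.
    Trade("T4", "trader_b", "ops_1", "index-future", date(2024, 1, 3), date(2024, 1, 3)),
    Trade("T5", "trader_b", "ops_1", "index-future", date(2024, 1, 3)),
    Trade("T6", "trader_b", "ops_2", "bond-future", date(2024, 1, 5)),
    # Front office and settlement performed by the same person.
    Trade("T7", "trader_c", "trader_c", "index-future", date(2024, 1, 6)),
]


def segregation_violations(trades):
    """Return ids of trades that were booked and settled by the same person."""
    return sorted(t.trade_id for t in trades if t.trader == t.settled_by)


def cancel_and_replace(trades, max_life_days=3, reopen_days=1, min_hits=2):
    """Return {trader: [(cancelled_id, replacement_id), ...]} for traders who
    repeatedly cancel a short-lived trade and, within `reopen_days`, open a
    new trade in a different instrument."""
    by_trader = defaultdict(list)
    for t in trades:
        by_trader[t.trader].append(t)

    flagged = {}
    for trader, own in by_trader.items():
        hits = []
        for old in own:
            # Only trades that were cancelled shortly after being opened.
            if old.cancelled is None:
                continue
            if (old.cancelled - old.opened).days > max_life_days:
                continue
            for new in own:
                gap = (new.opened - old.cancelled).days
                if (new is not old and 0 <= gap <= reopen_days
                        and new.instrument != old.instrument):
                    hits.append((old.trade_id, new.trade_id))
                    break   # one replacement per cancelled trade is enough
        # A single cancel-and-rebook can be an honest mistake; repetition is the signal.
        if len(hits) >= min_hits:
            flagged[trader] = hits
    return flagged


if __name__ == "__main__":
    print("same person trades and settles:", segregation_violations(TRADES))
    print("repeated cancel-and-replace:", cancel_and_replace(TRADES))
```

Both checks only surface candidates for review by someone independent of the trading desk, which is the supervision step the two cases lacked.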

NORTHERN ROCK BANK:

Northern Rock bank failed due to the innovative lending techniques that had first led to its growth. It
followed a process called securitization, wherein it extended mortgage loans to its customers
and, to fund them, sold these mortgages in the International Capital Markets. Due to the
subprime mortgage crisis in the US in 2008, the demand for the mortgages fell in the market and
the bank faced liquidity problems, even though its assets were greater than its liabilities. The
bank borrowed from the Bank of England in September 2008, to replace the funds it was not
able to raise from the money market.

This led to panic among individual depositors, who feared that their savings might not be
available should Northern Rock go into receivership. The result was a bank run (the UK's first
in 150 years), where depositors lined up outside the bank to withdraw all of their savings as
quickly as possible, particularly since everyone else was doing the same.

The main cause of the bank run was journalists like the BBC's Robert Peston, who broke the news of
the borrowing from the Bank of England.

UBS BANK:

On September 15, 2011, UBS became aware of a massive loss, estimated at US$2.3 billion, due
to unauthorized trading. Adoboli is suspected to have used the fact that some ETF transactions in
Europe are not issued confirmations until after settlement has taken place. The exploitation of
this process allows a party to a transaction to receive payment for a trade before the transaction has
been confirmed. While the cash proceeds in this scheme cannot simply be retrieved, the seller
may still show the cash on their books and possibly use it in further transactions.


RAK BANK & BANK OF MUSCAT:

More recently, a major worldwide pre-paid card heist occurred, involving RakBank in UAE and
Bank of Muscat in Oman. A gang of criminals stole an astounding total of $45 million in a matter
of hours by hacking into the database of prepaid cards. These banks outsourced the processing of
cards to India.

The theft was a well-planned attack that involved hacking the database of the bank in India and
the US and compromising the data of RakBank and Bank of Muscat to:

1. Copy the account data and create access codes that were loaded onto plastic cards with a
magnetic stripe, such as old hotel keys and expired credit cards.
2. Eliminate the withdrawal limits on pre-paid cards.
3. Increase the balance amounts of customers by using funds held by banks that back up
prepaid credit cards.

A network of operatives then fanned out to rapidly withdraw money in cities in Japan, Russia,
Romania, Egypt, Colombia, Britain, Sri Lanka, Canada and many other countries. This money
was then laundered to the ringleader through expensive purchases or wholesale shopping.

With rapid advancement in technology, the operational system is being exposed to an increasing
risk of cybercrime. A large attack like this awakens the cybercrime community, and they find
innovative ways to find loopholes in the system.
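
The sequence described above (a limit removed or a balance raised on a prepaid card, followed within hours by cash withdrawals in many countries) is the kind of correlation a card processor's monitoring can alert on. The following is an added example, not part of the original report: the event format, card ids, the six-hour window and the three-country threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed event feed: (ISO timestamp, card id, event kind, details).
EVENTS = [
    # Withdrawal before any account change: must not count towards the alert.
    ("2024-01-01T07:00", "card-A", "withdrawal", {"country": "AE", "amount": 100}),
    ("2024-01-01T08:00", "card-A", "limit_change", {"old": 500, "new": None}),
    ("2024-01-01T08:05", "card-A", "balance_adjust", {"delta": 100000}),
    ("2024-01-01T09:00", "card-A", "withdrawal", {"country": "JP", "amount": 900}),
    ("2024-01-01T09:10", "card-A", "withdrawal", {"country": "RO", "amount": 900}),
    ("2024-01-01T09:20", "card-A", "withdrawal", {"country": "EG", "amount": 900}),
    ("2024-01-01T09:30", "card-A", "withdrawal", {"country": "CO", "amount": 900}),
    # Limit raised, then ordinary use in a single country.
    ("2024-01-01T10:00", "card-B", "limit_change", {"old": 500, "new": 1000}),
    ("2024-01-01T11:00", "card-B", "withdrawal", {"country": "AE", "amount": 800}),
    # Traveller: several countries, but no account change beforehand.
    ("2024-01-01T06:00", "card-C", "withdrawal", {"country": "AE", "amount": 200}),
    ("2024-01-01T20:00", "card-C", "withdrawal", {"country": "GB", "amount": 200}),
    ("2024-01-02T09:00", "card-C", "withdrawal", {"country": "CA", "amount": 200}),
    # Account change, but the multi-country use happens days later.
    ("2024-01-01T00:00", "card-D", "balance_adjust", {"delta": 50}),
    ("2024-01-04T09:00", "card-D", "withdrawal", {"country": "LK", "amount": 50}),
    ("2024-01-04T12:00", "card-D", "withdrawal", {"country": "AE", "amount": 50}),
    ("2024-01-04T15:00", "card-D", "withdrawal", {"country": "GB", "amount": 50}),
]

ACCOUNT_CHANGES = {"limit_change", "balance_adjust"}


def flag_cards(events, window=timedelta(hours=6), min_countries=3):
    """Return {card: summary} for cards whose limit or balance was changed and
    which were then used for withdrawals in at least `min_countries` countries
    within `window` of the first change."""
    state = {}
    # Process in time order so that only withdrawals after a change are counted.
    for ts, card, kind, detail in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind in ACCOUNT_CHANGES:
            entry = state.setdefault(
                card,
                {"first_change": when, "changes": [], "countries": set(), "total": 0},
            )
            entry["changes"].append(kind)
        elif kind == "withdrawal" and card in state:
            entry = state[card]
            if when - entry["first_change"] <= window:
                entry["countries"].add(detail["country"])
                entry["total"] += detail["amount"]

    return {
        card: {
            "changes": entry["changes"],
            "countries": sorted(entry["countries"]),
            "total": entry["total"],
        }
        for card, entry in state.items()
        if len(entry["countries"]) >= min_countries
    }


if __name__ == "__main__":
    for card, summary in flag_cards(EVENTS).items():
        print(card, summary)
```

Requiring both signals keeps ordinary limit increases and ordinary travel out of the alert queue; the window is measured from the first change on the card, which is a simplification.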







5.2. Importance of Operational Risk:


Figure 7: Importance of Operational Risk (diagram labels: Operational Risk, Credit Risk, Market Risk, Reputational Risk, Strategic Risk, Liquidity Risk)

Operational Risk can contribute to other types of risk and is interlinked with all functions of the
bank. It is pervasive at all levels of the bank, from the ground level to the higher levels, and in all
departments of the bank.

A failure by the staff to provide satisfactory service to a client may severely hamper the reputation
of the bank. A fraud or theft caused by negligence of the management will shatter the trust of the
customers and bring down the image of the bank.

A mistake while calculating the Credit Rating of a customer may lead to credit risk. If, say, the actual
rating of a client is BBB and the officer gives it a rating of AA, the actual risk of lending to the
customer is higher than that calculated by the banking official, and a default by the BBB client is more
likely.

A US report claims that 60% of all frauds and data breaches are by insiders.
Rogue traders have the potential to bring down a bank overnight. In the above cases we
have seen that banks like Barings and Northern Rock were liquidated due to operational
failure.


5.3. Operational Risk : Causes, Events & Consequences


Table 5: Causes, Events and Consequences

Causes:
Inadequate segregation of duties
Insufficient training
Lack of management supervision
Inadequate security measures
Inadequate auditing procedures
Poor systems design
Poor HR policies

Events:
Internal Fraud
External Fraud
Employment Practices & Workplace Safety
Clients, Products and Business Practices
Damage to Physical Assets
Business Disruption & System Failures
Execution, Delivery & Process Management

Consequences:
Legal Liability
Regulatory, Compliance and Taxation Penalties
Loss or Damage to Assets
Restitution
Loss of Recourse
Write Down
Reputation
Business Interruption

Effects: Monetary Losses
Other Impacts: Foregone Income


5.4. Operational Risk:



The definition adopted by Basel II states:

Operational risk is defined as the risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events. This definition includes legal risk, but
excludes strategic and reputational risk. Strategic and reputational risk is not included in this
definition for the purpose of a minimum regulatory operational capital charge.


It Includes:

Table 6: Causes of Operational Risk

Diagram labels: Transactions, Information, People, Execution, Inadequate Supervision, Relationship, Rogue Trader, Criminal Theft, Fraud, Customer, Insufficient Training, Poor Management, Theft, Technology, Lack of Resources, Compliance, Legal, Regulations, Reputation


CHAPTER 6: RISK MANAGEMENT


Risk management is the identification, assessment, prioritization and mitigation of the risk
associated with the business, to ensure that the risk is attuned to the risk-taking appetite of the
organization. The process of risk management includes:




Figure 8: Risk Management (steps shown: Identify Risk, Assess the Risk, Select Risk Control Measures, Implement Risk Control Measures, Monitor & Review)


Identifying Risk includes:

1. Analysis of workflows and processes
2. Listing all the possible risks and their causes

Assessing the Risk involves:

1. Assessing the likelihood of risk
2. Assessing the impact of risk

LIKELIHOOD * IMPACT = RISK

Selecting Risk Control Measure:

1. Identify control choices
2. Determine priorities
3. Make control decisions

Implementing Risk Controls:

1. Establish authority and responsibility
2. Define Structure
3. Define processes and procedures

Monitoring and Review:

1. Define Monitoring
2. Define the structure
3. Monitor processes
4. Review processes






















CHAPTER 7: BASEL II

7.1. Introduction

The Basel Committee on Banking Supervision (BCBS) was established to issue banking
supervision accords, called the Basel Accords, that deal with banking laws and recommendations.
It has issued 3 accords till date. Basel II deals with operational risk, credit risk and
market risk.

Basel II has 3 pillars:


Table 7: 3 Pillars of Basel II

1. The First Pillar: deals with maintenance of regulatory capital calculated for the
three major components of risk that a bank faces: credit risk, operational risk and market risk.
Other risks are not considered fully quantifiable at this stage.
2. The Second Pillar: provides better tools and guidelines to the management for regulating
and mitigating risk. Banks can review their risk management system and develop a supervisory
review policy.
3. The Third Pillar: aims to complement the minimum capital requirements and
supervisory review process by developing a set of disclosure requirements which will allow
market participants to gauge the capital adequacy of an institution.

























7.2. BASEL II : First Pillar


Regulatory capital, called the operational risk charge, is to be calculated. The charge represents the amount
of capital that a bank should maintain as a cushion against losses arising from operational risk.

The Basel II suggests 3 methods to calculate charge:


Figure 9: Methods to Calculate Charge


Bank of Baroda follows the Basic Indicator Approach to calculate capital requirements. I have
used Excel to calculate the charge using the Basic Indicator Approach and the Standardized Approach on
the bank's actual data provided to me. I have calculated VaR using Palisade software @risk
through the Loss Data Approach under the Advanced Measurement Approach.








1. Basic Indicator Approach (BIA)

Banks using the basic indicator approach must hold capital for operational risk equal to the average over
the previous three years of a fixed percentage (denoted alpha) of positive annual gross income.

$$\sum_{i=1}^{3} \frac{GI_i \times \text{Alpha}}{3}$$

Figures for any year, in which, annual gross income is negative or zero should be excluded from both the
numerator and denominator when calculating the average.

The fixed percentage alpha is typically 15 percent of annual gross income.

I calculated the charge to be 88912.45 (all figures in 1000 AED) or AED 88.912 Million through BIA, as
seen in the table below.

Basic Approach

Year           Gross Income   Alpha Factor   GI*Alpha
March, 2011    520005         15%            78000.75
March, 2012    624254         15%            93638.1
March, 2013    633990         15%            95098.5
Average                                      88912.45

This technique is simple to use and easy to understand. Most banks use this technique for calculation of
charge.
But the charge calculated is not accurate, as the risk is not always directly proportional to the income.
This technique fails to take into account the systems and processes in place in the bank. For an efficient
bank, where risk mitigation and control systems are followed, the risk is likely to be less.

2. STANDARDISED APPROACH (SA)

Banks' activities are divided into eight business lines. Within each business line, gross income is a broad
indicator that serves as a proxy for the scale of business operations and thus the likely scale of operational
risk exposure within each of these business lines.

The capital charge for each business line is calculated by multiplying gross income by a factor (denoted
beta) assigned to that business line. Beta serves as a proxy for the industry-wide relationship between the
operational risk loss experience for a given business line and the aggregate level of gross income for that
business line.

Business Line             Beta Factor
Corporate finance         18%
Trading and sales         18%
Retail banking            12%
Commercial banking        15%
Payment and settlement    18%
Agency services           15%
Asset Management          12%
Retail Brokerage          12%

Table 8: SA- Business lines

In order to qualify for use of the standardised approach, a bank must satisfy its regulator that, at a
minimum:

1. Its board of directors and senior management, as appropriate, are actively involved in the
oversight of the operational risk management framework;
2. It has an operational risk management system that is conceptually sound and is implemented with
integrity; and
3. It has sufficient resources in the use of the approach in the major business lines as well as the
control and audit areas.

Using the standardized approach I calculated the risk to be 96914.5 (1000 AED) or AED 96.914
Million.

Standardised Approach (all figures in 1000 AED)

Gross Income
Business Line             March, 2010   March, 2011   March, 2012   Beta
Corporate Finance         260002.5      312127.5      316995        18%
Trading & Sales           52000.5       62425.5       63399         18%
Retail Banking            78000.75      93638.25      95098.5       12%
Commercial Banking        130001.25     156062.75     158497.5      15%
Payments & Settlements    0             0             0             18%
Agency Services           0             0             0             15%
Asset Management          0             0             0             12%
Retail Brokerage          0             0             0             12%
Total                     520005        624254        633990

GI*beta
Business Line             March, 2010   March, 2011   March, 2012
Corporate Finance         46800.45      56182.95      57059.1
Trading & Sales           9360.09       11236.59      11411.82
Retail Banking            9360.09       11236.59      11411.82
Commercial Banking        19500.1875    23409.4125    23774.625
Payments & Settlements    0             0             0
Agency Services           0             0             0
Asset Management          0             0             0
Retail Brokerage          0             0             0
Total                     85020.8175    102065.5425   103657.365
Average                   96914.575

This technique is also easy to understand and calculate, but it is hardly used by any bank.
The rationale of a standardized beta value for all banks is not clear, and the value is not applicable to all
banks.
Generally the value of charge decreases with a more sophisticated approach, but here we see that the
charge is increasing from AED 88.912 Million to AED 96.915 Million.
The reason is that Basel perceives the risk in BOB's activities to be relatively higher. On the contrary, this
bank faces very few cases of operational risk.
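The BIA and SA calculations described above can be reproduced outside Excel. The following Python sketch is an added example, not the author's spreadsheet: the function names are hypothetical, the input figures are copied from the page's two tables, and the zero floor on a negative yearly SA total comes from the Basel II text rather than from this page.

```python
"""Basel II BIA and SA capital charges, checked against the page's tables."""

ALPHA = 0.15  # BIA factor stated on the page

# Beta factors from Table 8 of the page.
BETA = {
    "Corporate finance": 0.18, "Trading and sales": 0.18,
    "Retail banking": 0.12, "Commercial banking": 0.15,
    "Payment and settlement": 0.18, "Agency services": 0.15,
    "Asset management": 0.12, "Retail brokerage": 0.12,
}

def bia_charge(gross_income_by_year, alpha=ALPHA):
    """Average of GI * alpha over the years whose gross income is positive.

    Years with zero or negative GI drop out of numerator and denominator.
    """
    positive = [gi for gi in gross_income_by_year if gi > 0]
    if not positive:
        return 0.0
    return sum(gi * alpha for gi in positive) / len(positive)

def sa_yearly_totals(gi_by_line_by_year, beta=BETA):
    """Sum of GI * beta across business lines, one total per year."""
    totals = []
    for year in gi_by_line_by_year:
        unknown = set(year) - set(beta)
        if unknown:
            raise ValueError(f"no beta factor for: {sorted(unknown)}")
        totals.append(sum(gi * beta[line] for line, gi in year.items()))
    return totals

def sa_charge(gi_by_line_by_year, beta=BETA):
    """Average of the yearly totals. A negative yearly total counts as zero;
    that floor is taken from Basel II, not from the page."""
    totals = sa_yearly_totals(gi_by_line_by_year, beta)
    return sum(max(t, 0.0) for t in totals) / len(totals)

# Figures in 1000 AED, copied from the page's tables (zero-income lines omitted).
BANK_GI = [520005, 624254, 633990]
BANK_GI_BY_LINE = [
    {"Corporate finance": 260002.5, "Trading and sales": 52000.5,
     "Retail banking": 78000.75, "Commercial banking": 130001.25},
    {"Corporate finance": 312127.5, "Trading and sales": 62425.5,
     "Retail banking": 93638.25, "Commercial banking": 156062.75},
    {"Corporate finance": 316995, "Trading and sales": 63399,
     "Retail banking": 95098.5, "Commercial banking": 158497.5},
]

if __name__ == "__main__":
    print(f"BIA charge: {bia_charge(BANK_GI):.2f}")
    print("SA yearly totals:",
          [round(t, 4) for t in sa_yearly_totals(BANK_GI_BY_LINE)])
    print(f"SA charge: {sa_charge(BANK_GI_BY_LINE):.3f}")
```

Because every business line with income carries a beta of at least 12% and half of the income sits in an 18% line, the blended SA factor exceeds the flat 15% alpha, which is why the SA charge comes out higher than the BIA charge here.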


3. AMA

Under AMA the banks are allowed to develop their own empirical model to quantify required capital for
operational risk. Banks can use this approach only subject to approval from their local regulators. Once a
bank has been approved to adopt AMA, it cannot revert to a simpler approach without supervisory
approval.

Also, according to section 664 of the original Basel Accord, in order to qualify for use of the AMA a bank
must satisfy its supervisor that, at a minimum:

1. Its board of directors and senior management, as appropriate, are actively involved in the oversight of
the operational risk management framework;
2. It has an operational risk management system that is conceptually sound and is implemented with
integrity; and
3. It has sufficient resources in the use of the approach in the major business lines as well as the control
and audit areas.

The most common approach under AMA is the Loss Distribution Approach to calculate Value at Risk and
Economic Loss.

Value at Risk is the potential loss a bank can suffer through its people, process, system and external
events.

Economic Capital is the amount a bank should keep aside to cover unexpected losses for operational risk.
Unexpected loss is the difference between VAR and expected loss, as the figure below shows. This is the
amount of capital that the institution should establish to cover unexpected losses for operational risk
corresponding to the desired confidence level.

Expected loss is equal to the mean of the loss distribution.

A confidence interval (CI) is a type of interval estimate of a population parameter and is used to indicate the
reliability of an estimate.


Figure 10: EL, UL and VaR at 99.9% CI


For calculation of VaR, data of operational losses occurring internally in the bank are recorded and
clubbed with external loss data.

Frequency and Severity components of the loss distribution are taken into account separately and then
combined through convolution.

Frequency refers to how often a loss event happens, and is measured in terms of number of events per
time units. It is described by a discrete distribution.

Severity depends on the monetary impact of the event, and is described by a continuous distribution. In
operational risk both components have to be considered separately.

To establish the appropriate level of capital to cover unexpected losses due to operational risk one first
has to establish an adequate confidence level. Obviously, one would like to establish confidence levels
close to 100 %. In practice, however, this is not possible since loss distributions are never perfectly
identified using (usually incomplete) historical data, and even if we could perfectly identify these loss
distributions, the level of capital required would be too high (and costly). Nevertheless, the confidence
levels used in risk management usually lie in the range from 95 % to 99 % and higher.

Once we have defined the confidence level at which we would like to cover unexpected losses, the
calculation of the corresponding amount of capital involves the following steps:

i) Frequency and severity distributions are identified from the data;
ii) Both distributions are combined to obtain an aggregate loss distribution;
iii) Operational Value at Risk (VAR) is obtained by taking the percentile of the aggregate loss distribution
at the desired confidence level.

The main difficulty of the procedure described above, however, lies in step ii), the combination or
aggregation of the frequency and severity distributions obtained from the data.
As mentioned above, the two distributions are of a completely different nature, since the first is a discrete
distribution, expressed in terms of number of events per time unit (e.g. number of frauds per month),
while the second is a continuous distribution, expressed in monetary units (e.g. dollars). Hence the two
distributions are not directly additive or multiplicative.

To combine both types of distributions, closed form solutions involve solving analytical formulas. For the
problem at hand the most straightforward closed form solution is to combine distributions by means of a
(mostly theoretical) mathematical operation, called convolution, represented by the * (star) symbol. This
operation usually involves solving complicated integrals.

I used the software @risk by Palisade for the purpose of calculating Value at Risk (VAR) through
convolution.




Figure 11: Loss Distributions

I used the loss data of the bank combined with operational loss data of other banks in UAE, available in news
clippings on Google, for calculating VAR through Palisade Software. I fixed the confidence interval at
99% and then calculated the Poisson distribution for frequency, followed by the Pareto distribution for
severity of loss.
I combined these two through Monte Carlo simulation to arrive at Value at Risk.
I got the following results (All figures are in Lakhs of Rupees).


Table 9: Poisson Distribution for frequency



Table 10: Pareto Distribution for Severity

Table 11: Combined Distribution

As per the results of simulation using @risk, VAR = Rs 149600 (AED 9973), Expected Loss = Rs 110195
(AED 7346), Economic Charge = VAR - EL = 39405 (AED 2627).
It is a very small fraction of charge calculated through either BIA or SA. Though it is a complex
technique to implement, it is a scientific technique to calculate charge and is accurate for all banks as it
takes into view the actual risk faced by the bank in the past. The past may not always correspond with the
future findings. But the capital tied down is the least through this technique.
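Steps i) to iii) above can be carried out by simulation instead of an analytical convolution. The following Python sketch is an added example, not the author's @risk model: it draws a Poisson event count and Pareto severities for each simulated year and reads VaR off the percentile of the aggregate losses. The function names and the parameters (4 events per year, minimum loss 10, tail index 2.5) are constructed for illustration and are not the bank's data.

```python
"""Loss Distribution Approach by Monte Carlo: Poisson frequency, Pareto severity."""
import math
import random

def poisson_sample(rng, lam):
    """Number of loss events in one year (Knuth's multiplication method)."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1

def simulate_annual_losses(lam, shape, scale, n_years=50_000, seed=2013):
    """Aggregate loss per simulated year: a random number of events,
    each with a Pareto-distributed severity (minimum loss = scale)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_years):
        n_events = poisson_sample(rng, lam)
        totals.append(sum(scale * rng.paretovariate(shape)
                          for _ in range(n_events)))
    return totals

def lda_capital(totals, confidence=0.99):
    """VaR = percentile of the aggregate distribution, EL = its mean,
    UL (economic capital) = VaR - EL."""
    ordered = sorted(totals)
    index = min(len(ordered) - 1,
                max(0, math.ceil(confidence * len(ordered)) - 1))
    var = ordered[index]
    expected = sum(ordered) / len(ordered)
    return {"VaR": var, "EL": expected, "UL": var - expected}

# Constructed parameters for illustration (not the bank's data):
# 4 loss events a year on average, minimum loss 10, Pareto tail index 2.5.
LAM, SHAPE, SCALE = 4.0, 2.5, 10.0

if __name__ == "__main__":
    losses = simulate_annual_losses(LAM, SHAPE, SCALE)
    for level in (0.95, 0.99, 0.999):
        r = lda_capital(losses, level)
        print(f"{level:.1%}: VaR={r['VaR']:.1f} "
              f"EL={r['EL']:.1f} UL={r['UL']:.1f}")
```

Running it at several confidence levels shows how strongly the charge depends on the chosen percentile when the severity tail is heavy, while the expected loss stays the same.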


7.3. BASEL II : Second and Third Pillar

RISK MANAGEMENT SOUND PRACTICES & DISCLOSURE




Basel II identifies 4 levels of concern by identifying the roles of the Board of Directors, Senior Management,
Supervisors and Staff:





Figure 12: Sound Practices (Role of Board of Directors, Role of Senior Management, Role of Advisors, Role of Disclosure)


1. Role of Board of Directors:

It is the responsibility of the Board of Directors to ensure a strong operational risk management culture
through:

Figure 13: Sound Practices - BOD (Environment for Risk Management, Operational Risk Management Framework, Internal Audit)

1.1. Operational Risk Environment: The Board of Directors should establish a
corporate culture that encourages sound practices to manage and mitigate risk.
Appropriate standards and incentives for professional and responsible behaviour
encourage a strong risk management culture.

1.2. Operational Risk Management Framework: The Board of Directors must be
aware of all operational risks. They should periodically review and approve the
risk management framework. The framework should be fully integrated into the
bank's overall risk management processes. The framework depends on a range of
factors of the bank, including its size, nature, complexity and risk profile.

1.3. Internal Audit: The Board of Directors must assure that the framework is subject to
effective and comprehensive internal audit.


2. Senior Management:

Senior Management should develop a clear, effective and robust governance structure with well-defined,
transparent and consistent lines of responsibility. Senior Management is also responsible for implementing
the operational risk management framework and developing activities, policies, procedures, processes, systems and
materials for managing operational risk in all of the bank's activities, products, policies, processes and systems, to make
sure the inherent risks and incentives are well understood. This is an ongoing process in a bank, taking place
for all activities at all levels on a daily basis.


Figure 14: Sound Practices - Senior Management (Identifying and Assessing Operational Risk, Monitoring and Reporting Operational Risk, Controlling and Mitigating Operational Risk, Contingency and Business Continuity Plan)

2.1. Identifying and Assessing Operational Risk: Senior management should
ensure the identification and assessment of the operational risk inherent in all
material products, activities, processes and systems to make sure the inherent
risks and incentives are well understood.
2.2. Monitoring and Reporting Operational Risk: They should implement a process
to regularly monitor risk profiles and material exposures to losses. Appropriate
reporting mechanisms should be in place at the board, senior management and
business line levels that support proactive management of operational risk.
2.3. Controlling and Mitigating Operational Risk: Banks should have a strong
control environment that utilises policies, processes and systems; appropriate
internal controls; and appropriate risk mitigation and transfer strategies.
2.4. Contingency and Business Continuity Plan: Banks should have business
resiliency and continuity plans in place to ensure an ability to operate on an
ongoing basis and limit losses in the event of severe business disruption.

3. Role of Supervisor:

3.1. Supervisory Review Framework: The banking supervisor should ensure that all
banks have an effective system to identify and assess, monitor, control and
mitigate all operational risk.
3.2. Independent Evaluation: The supervisor must conduct regular and independent
evaluation of the bank's policies, procedures and practices related to operational risk.

4. Role of Advisors

4.1. Public Disclosure (Pillar III): A bank should make sufficient public disclosure
to allow its stakeholders to assess its approach to operational risk management.


























CHAPTER 8: CONCLUSION AND RECOMMENDATIONS:

1. As the business of the bank and risk sensitivity increases, the bank can move to a more sophisticated
approach. As the sophistication of the technique increases, the capital set aside and tied down for
unexpected losses decreases. As we see in the above example, using AMA the charge is equal to
AED 2627, as compared to the charge calculated through BIA (88912) and SA (96914).
The bank would benefit greatly by moving to the Advanced Measurement Approach.

Figure 15: Techniques to calculate charge

2. More importantly, these methods to calculate charge only help keep aside capital for future unexpected
losses, but they don't do anything to control these losses. Mitigating risk is the most important part of
Risk Management and it requires Corporate Governance.
Bank of Baroda is India's first public sector bank to be rated for Corporate Governance. It has an ICRA
rating of GR2.

[Figure: Corporate Governance: independent functioning of risk management and audit departments; training for senior management and Board of Directors; transparent communication and full disclosures; awareness and implementation of latest and scientific frameworks for management of risk]


3. Departments like risk management, compliance and inspection & audit should have an
independent structure: they should not come under the Chief Managing Director of the branch,
but should report directly to head office.



4. Management teams have a duty to understand fully the businesses they manage. Responsibility
for each business activity must be clearly established. Clear segregation of duties is fundamental
to any effective risk control system. Effective, independent and regular audits to ensure
compliance and effectiveness of framework are necessary to ensure that the framework designed
and implemented for management of risk is suitable and sufficient for the organisation.
[Figure: Board of Directors; Sub Committee of Asset Liability Management and Risk Management; Inspection and Audit; Risk Management; Compliance]
