Operational Risk New
FACULTY OF ISLAMIC
BANKING AND FINANCE
UNIVERSITY OF HARGEISA
GROUP 7
1. Mahdi Muhumed Mahamoud
2. Abdikariim Ali Mahamoud
3. Hamda Abdiqadir Ahmed
4. Fatuh Ali Mahamed
Table of contents
1. Introduction
2. Objectives of operational risk
3. What is the operational risk
4. How does operational risk management work
5. Benefits of the operational risk
6. Who manages operational risk
7. Regulatory guidance
8. Stages of operational risk
9. Pillars of operational risk
10. Conclusion
11. Reference page
12. Appendix
Introduction
Operational risk (OR) has not been a well-defined concept. It refers to various potential failures
in the operation of the firm, unrelated to uncertainties with regard to the demand function for the
products and services of the firm. These failures can stem from a computer breakdown, a bug in
a major piece of computer software, an error of a decision maker in special situations, etc. The academic
literature generally relates operational risk to operational leverage (i.e. to the shape of the
production cost function) and in particular to the relationship between fixed and variable cost.
Operational risk is a fuzzy concept since it is often hard to make a clear-cut distinction between
operational risk and ‘normal’ uncertainties faced by the organization in its daily operations. For
example, if a client failed to pay back a loan, is it then due to ‘normal’ credit risk, or to human
error by the loan officers, who should have better known all the information concerning the client
and should have declined to approve the loan? Usually all credit-related uncertainties are
classified as part of business risk. However, if the loan officer approved a loan against the bank’s
guidelines, and maybe he was even given a bribe, this will be classified as an operational risk.
Therefore the management of a bank should first define what is included in operational risk. In
other words, the typology of operational risk must be clearly articulated and codified. A key
problem lies in quantifying operational risk. For example, how can one quantify the risk of a
computer breakdown? The risk is a product of the probability and the cost of a computer
breakdown. Often operational risk is in the form of discrete events that don’t occur frequently.
Therefore, a computer breakdown today (e.g. a network related failure) is different in both
probability and the size of the damage from a computer breakdown 10 years ago. How can we
quantify the damage of a computer failure? What historical event can we use in order to make
a rational assessment? The problems in assessing operational risk do not imply that it should
be ignored and neglected. On the contrary, management should pay a lot of attention to
understanding operational risk and its potential sources in the organization precisely because it is
hard to quantify operational risk. Possible events or scenarios leading to operational risk should
be analyzed. In the next section we define operational risk and discuss its typology. In some
cases operational risk can be insured or hedged. For example, computer hardware problems can
be insured or the bank can have a backup system. Given the price of insurance or the cost of
hedging risks, a question arises concerning the economic rationale of removing the risks. There
is the economic issue of assessing the potential loss against the certain insurance cost for each
Regulation
Help in meeting the capital adequacy requirement set out by regulators and develop awareness of
capital efficiency so as to help the bank meet its capital performance objective.
Create awareness of the level of risk incurred and ensure that product pricing compensates for
the levels of risks undertaken. Explore the range of alternatives for risk mitigation and choose the
Quality of service
Improve the overall quality of the bank’s products, processes and services to customers.
Enable the bank to reduce the probability and potential impact of losses through the introduction of
“good practice”.
Enable the businesses and functional areas to improve controls and mitigation of significant
operational risk across the bank involving every employee at all levels for pro-active
Awareness
Develop a common understanding of operational risk across the bank involving every employee
Risk ownership
Ensure that there is clear ownership for each element of operational risk and assign clear
WHAT IS THE OPERATIONAL RISK?
Definition: - is the risk of direct or indirect loss resulting from inadequate or failed internal
People: - Includes: fraud; breaches of employment law; unauthorized activity; loss or lack of
Process: - Includes: payment or settlement failures; documentation which is not fit for
System: - Includes: failures during the development and systems implementation process, as
External events: - Includes: external crime; outsourcing (and insourcing) risk; natural and
On the other hand, we define operational risk as the risk associated with operating the business.
One can subdivide operational risk into two components: operational failure risk and
Operational failure risk arises from the potential for failure in the course of operating the
business. A firm uses people, process, and technology to achieve business plans, and any one
of these factors may experience a failure of some kind. Accordingly, operational failure risk
is the risk that exists within the business unit caused by the failure of people, process or
technology. A certain level of the failures may be anticipated and should be built into the
business plan. It is the unanticipated and therefore uncertain failures that give rise to risk.
These failures can be expected to occur periodically, although both their impact and their
frequency may be uncertain. The impact or the financial loss can be divided into the expected
amount, the severe unexpected amount and the catastrophic unexpected amount. The firm
may provide for the losses that arise from the expected component of these failures by
charging revenues with a sufficient amount of reserve. The firm should set aside sufficient
Operational strategic risk arises from environmental factors such as a new competitor that
changes the business paradigm, a major political and regulatory regime change, earthquakes
and other factors that are generally outside the control of the firm. It also arises from a major
new strategic initiative, such as getting into a new line of business or redoing how current
business is to be done in the future. All businesses also rely on people, processes and
technology outside their business unit, and the same potential for failure exists there. This
The first stage of any Operational Risk Management strategy is of course to understand the
nature of your business and the particular risks associated with it. If you manage a company that
runs water ski lessons, there will be risks your business will face that are very different to a
company that creates technology for vending machines. Spending time worrying about risks that
are nothing to do with you is just wasting time. There are three levels of Operational Risk
Management that you can choose to embark upon, and these are as follows: -
In-depth: As the name suggests, this is the kind of risk management that we would all be
undertaking in an ideal world, as it will deliver the best results and practically make risk a thing
of the past (not completely, of course, as not every risk is foreseeable). We don’t live in an ideal
world, but there are still many situations when you can take the time to plan for a new project or
business venture with in-depth Operational Risk Management, which can include staff training
Deliberate: This is still not ‘panic stations’ in the world of risk management but is undertaken at
various stages during the life cycle of a project or a business and can come in the form of routine
usually done in the midst of operational change when there is only a limited amount of time for it
to be done before the potential consequences of any non-identified risks might start to be felt.
The US Navy has the following processes for time-critical ORM: Assess the situation; Balance
Before you decide whether or not you want to investigate how Operational Risk Management
works and what you need to do to implement it, you will want to know what the potential
benefits of it are.
These will help to convince those with sign-off on the decision that it is the right move for your
There are plenty more benefits as well as a few challenges, as with a major business process, but
Operational Risk Management is an essential step for every company that is looking to avoid
We believe that a partnership between business, infrastructure, internal audit and risk
management is the key to success. The question is how can this partnership be constituted? In
particular, what is the nature of the relationship between operational risk managers and the bank
audit function? The essentials of proper risk management require that (a) appropriate policies be
in place that limit the amount of risk taken and (b) authority be provided to change the risk
profile, to those who can take action, and (c) that timely and effective monitoring of the risk is in
place. No one group can be responsible for setting policies, taking action, and monitoring the risk
taken, for to do so would give rise to all sorts of conflict of interest. Policy setting remains the
responsibility of senior management, even though the development of those policies may be
The authority to take action rests with business management, who are responsible for controlling
the amount of operational risk taken within their business. Business management often relies on
expert areas such as information technology, operations, legal, etc. to supply it with services
required to operate the business. These infrastructure and governance groups share with business
management the responsibility for managing operational risk. The responsibility for the
development of the methodology for measuring operational risk resides with risk management.
Risk management also needs to make risks transparent through monitoring and reporting. Risk
management should also portfolio manage the firm’s operational risk. Risk management can
actively manage residual risk through using tools such as insurance. Portfolio management adds
value by ensuring that operational risk is adequately capitalized as well as analyzed for
operational risk concentration. Risk management is also responsible for providing a regular
review of trends, and needs to ensure that proper operational risk reward analysis is performed in
the review of existing business as well as before the introduction of new initiatives and products.
In this regard risk management works very closely with, but is independent of, the business,
infrastructure, and the other governance groups. Operational risk is often managed on an ad hoc
basis, and banks can suffer from a lack of coordination among functions such as risk
management, internal audit, and business management. Most often there are no common bank-wide
policies, methodologies or infrastructure. As a result there is also often no consistent reporting
on the extent of operational risk within the bank as a whole. Furthermore, most bank-wide
capital attribution models rarely incorporate sophisticated measures of operational risk. Senior
management needs to know if the delegated responsibilities are actually being followed and if
the resulting processes are effective. Internal audit is charged with this responsibility. Audit
determines the effectiveness and integrity of the controls that business management puts in place
to keep risk within tolerable levels. At regular intervals the internal audit function needs to
ensure that the operational risk management process has integrity, and is indeed being
implemented along with the appropriate controls. In other words, auditors analyze the degree to
which businesses are in compliance with the designated operational risk management process.
They also offer an independent assessment of the underlying design of the operational risk
management process. This includes examining the process surrounding the building of
operational risk measurement models, the adequacy and reliability of the operations risk
management systems and compliance with external regulatory guidelines, etc. Audit thus
provides an overall assurance on the adequacy of operational risk management. A key audit
objective is to evaluate the design and conceptual soundness of the operational value-at-risk
(VaR) measure, including any methodologies associated with stress testing, and the reliability of
the reporting framework. Audit should also evaluate the operational risks that affect all types of
risk management information systems – whether they are used to assess market, credit or
operational risk itself – such as the processes used for coding and implementation of the internal
models. This includes examining controls concerning the capture of data about market positions,
the accuracy and completeness of this data, as well as controls over the parameter estimation
processes. Audit would typically also review the adequacy and effectiveness of the processes for
monitoring risk, and the documentation relating to compliance with the qualitative/quantitative
criteria outlined in any regulatory guidelines. Regulatory guidelines typically also call for
auditors to examine the approval process for vetting risk management models and valuation
models used by front and back-office personnel. Auditors also need to examine any significant
change in the risk measurement process. Audit should verify the consistency, timeliness and
reliability of data sources used to run internal models, including the independence of such data
sources. A key role is to examine the accuracy and appropriateness of volatility and correlation
assumptions as well as the accuracy of the valuation and risk transformation calculations.
Finally, auditors should examine the verification of the model’s accuracy through an examination
Regulatory guidance
As a minimum all companies must adhere to regulatory requirements. However, there are few
countries where specifically drafted requirements cover operational risk management. The Bank
of International Settlements (BIS) have just published a set of requirements on internal control
which contain guidance in operational risk management. It is expected that regulators in each
country will incorporate these into their own regimes. However, some regulators would claim
that they already have a robust approach to operational risk. Different countries have different
approaches to operational risk. In the United Kingdom the Bank of England has since the
Banking Act 1987 asked banks to appoint reporting accountants to review under Section 39 of
that act the internal control environments and to report on their adequacy for the risks to which
The Bank of England published a Guidance Note on Reporting Accountants’ Reports on Internal
Controls and other Control Systems which provides a description of key controls and their
expectations about their adequacy. In the next year the author expects further regulatory
guidance on operational risk. Various countries already have the elements of operational risk
regulatory frameworks:
The challenge for the regulators is to build an approach on the solid foundations already
Those were the stages the Navy uses for time-critical Operational Risk Management, but for a
more standard risk management process these are the usual stages you will need to undertake:
Risk Identification: As mentioned earlier, understanding the risks specific to your business
is key, but there are also many potential risks that affect any kind of business and you need to
identify all of them, both those that are recurring and those that can be one-off events.
The identification process needs to involve staff from all levels of the business if possible,
bringing a variety of backgrounds and experiences to make a cohesive result. Risks that can
be identified by work floor staff will be very different and no less critical than those
Risk Assessment: Once the risks have been identified, they need to be assessed. This needs
to be done from both a quantitative and qualitative perspective and factors like the frequency
and severity of occurrence need to be taken into consideration. The assessment needs to
Measurement and Mitigation: Mitigating these risks (if not actually eliminating them
altogether) is the next stage, with controls put in place that should limit the company’s
Control
Regular process.
Control design may suddenly become ineffective between quarters, due to changes in
It is vital to follow-up on any control weaknesses highlighted and also to incorporate the
Monitoring and Reporting: Any Operational Risk Management plan must have something
in place for the ongoing monitoring and reporting of these risks if only to demonstrate how
effective the plan has been. Most of all, it’s to ensure that the solutions put in place are
There are other processes and models out there, particularly in the banking world, but most
follow similar approaches to the one listed above. As long as you are picking an approach that
suits your specific needs and situation, you will be on the way to a successful Operational Risk
Management strategy.
[Figure of stages: Risk identification; Risk assessment; Measurement and mitigation; Control; Monitoring and reporting]
[Figure of pillars]
Conclusion
An integrated goal-congruent risk management process that puts all the elements together will
open the door to optimal firm-wide management of risk. ‘Integrated’ refers to the need to avoid a
fragmented approach to risk management – risk management is only as strong as the weakest
link. ‘Goal congruent’ refers to the need to ensure that policies and methodologies are consistent
with each other. Infrastructure includes having the right people, operations technology and data
to appropriately control risk. One goal is to have an ‘apple-to-apple’ risk measurement scheme
so that one can compare risk across all products and aggregate risk at any level. The end product
is a best-practice management of risk that is also consistent with business strategies. This is a
‘one firm, one view’ approach that also recognizes the complexity of each business within the
firm. In this chapter we have stressed that operational risk should be managed as a partnership
among business units, infrastructure groups, corporate governance units, and internal audit and
risk management. We should also mention the importance of establishing a risk-aware business
culture. Senior managers play a critical role in establishing a corporate environment in which
best-practice operational risk management can flourish. Personnel will ultimately behave in a
manner dependent on how senior management rewards them. Indeed, arguably the key single
challenge for senior management is to harmonize the behavior patterns of business units,
infrastructure units, corporate governance units, internal audit and risk management and create
an environment in which all sides ‘sink or swim’ together in terms of managing operational risk.
Appendix
The G30 report stressed the importance of hiring skilled professionals: Recommendation 16 states that
one should ‘ensure that derivatives activities are undertaken by professionals in sufficient number and
with the appropriate experience, skill levels, and degrees of specialization’. The G30 also stressed the
importance of building best-practice systems. According to Recommendation 17, one should ‘ensure that
adequate systems for data capture, processing, settlement, and management reporting are in place so that
derivatives transactions are conducted in an orderly and efficient manner in compliance with management
policies’.
People
The survey of industry practices examined the involvement in the derivatives activity of people at all
levels of the organization and indicated a need for further development of staff involved in back-office
administration, accounts, and audit functions, etc. Respondents believed that a new breed of specialist,
qualified operational staff, was required. It pointed out that dealers (large and small) and end-users face a
common challenge of developing the right control culture for their derivatives activity.
Systems
The survey confirmed the view that dealing in derivatives can demand integrated systems to ensure
adequate information and operational control. It indicated that dealers were moving toward more
integrated systems, between front- and back-office (across types of transactions). The industry has made a
huge investment in systems, and almost all large dealers are extensive users of advanced technology.
Operations
The role of the back-office is to perform a variety of functions in a timely fashion. This includes
recording transactions, issuing and monitoring confirmations, ensuring legal documentation for
transactions is completed, settling transactions, producing information for management and control
purposes. This information includes reports of positions against trading and counterparty limits, reports
on profitability, and reports on exceptions. There has been significant evolution in the competence of staff
and the adequacy of procedures and systems in the back office.
Controls
Derivative activities, by their very nature, cross many boundaries of traditional financial activity.
Therefore the control function must be necessarily broad, covering all aspects of activity. The primary
element of control lies in the organization itself. Allocation of responsibilities for derivatives activities,
with segregation of authority where appropriate, should be reflected in job descriptions and organization charts.
Audit
The G30 pointed out that internal audit plays an important role in the procedures and control framework
by providing an independent, internal assessment of the effectiveness of this framework. The principal
challenge for management is to ensure that internal audit staff has sufficient expertise to carry out work in
both the front and back office. Able individuals with the appropriate financial and systems skills are
required to carry out the specialist aspects of the work.