
UNIVERSITY OF HARGEISA

FACULTY OF ISLAMIC
BANKING AND FINANCE

PROJECT TITLE: - OPERATIONAL RISK

GROUP 7
1. Mahdi Muhumed Mahamoud
2. Abdikariim Ali Mahamoud
3. Hamda Abdiqadir Ahmed
4. Fatuh Ali Mahamed

Project Supervisor: - Asma Ali Yassin


Operational risk

Table of contents
1. Introduction
2. Objectives of operational risk
3. What is the operational risk
4. How does operational risk management work
5. Benefits of the operational risk
6. Who manages operational risk
7. Regulatory guidance
8. Stages of operational risk
9. Pillars of operational risk
10. Conclusion
11. Reference page
12. Appendix

Introduction
Operational risk (OR) has not been a well-defined concept. It refers to various potential failures in the operation of the firm, unrelated to uncertainties with regard to the demand function for the products and services of the firm. These failures can stem from a computer breakdown, a bug in a major piece of computer software, an error of a decision maker in special situations, etc. The academic literature generally relates operational risk to operational leverage (i.e. to the shape of the production cost function) and in particular to the relationship between fixed and variable cost.

Operational risk is a fuzzy concept since it is often hard to make a clear-cut distinction between operational risk and ‘normal’ uncertainties faced by the organization in its daily operations. For example, if a client failed to pay back a loan, is it then due to ‘normal’ credit risk, or to a human error of the loan officers, who should have known all the information concerning the client and should have declined to approve the loan? Usually all credit-related uncertainties are classified as part of business risk. However, if the loan officer approved a loan against the bank’s guidelines, and maybe he was even given a bribe, this will be classified as an operational risk. Therefore the management of a bank should first define what is included in operational risk. In other words, the typology of operational risk must be clearly articulated and codified.

A key problem lies in quantifying operational risk. For example, how can one quantify the risk of a computer breakdown? The risk is a product of the probability and the cost of a computer breakdown. Often operational risk is in the form of discrete events that don’t occur frequently. Therefore, a computer breakdown today (e.g. a network related failure) is different in both probability and the size of the damage from a computer breakdown 10 years ago. How can we quantify the damage of a computer failure? What historical event can we use in order to make a rational assessment? The problems in assessing operational risk do not imply that they should be ignored and neglected. On the contrary, management should pay a lot of attention to understanding operational risk and its potential sources in the organization precisely because it is hard to quantify operational risk. Possible events or scenarios leading to operational risk should be analyzed. In the next section we define operational risk and discuss its typology.

In some cases operational risk can be insured or hedged. For example, computer hardware problems can be insured or the bank can have a backup system. Given the price of insurance or the cost of hedging risks, a question arises concerning the economic rationale of removing the risks. There is the economic issue of assessing the potential loss against the certain insurance cost for each operational risk event.

OBJECTIVES OF OPERATIONAL RISK

● Regulation: Meet or exceed the regulatory requirements.

● Better capital management: Help in meeting the capital adequacy requirement set out by regulators and develop awareness of capital efficiency so as to help the bank meet its capital performance objective.

● Reward for better risk management: Create awareness of the level of risk incurred and ensure that product pricing compensates for the levels of risks undertaken. Explore the range of alternatives for risk mitigation and choose the most cost-effective solution to address the operational risk incurred.

● Quality of service: Improve the overall quality of the bank’s products, processes and services to customers.

● Reduce impact and probability of events: Enable the bank to reduce the probability and potential impact of losses through the introduction of “good practice”.

● Improve controls and mitigate risks: Enable the businesses and functional areas to improve controls and mitigation of significant operational risk across the bank involving every employee at all levels for pro-active management of operational risks.

● Awareness: Develop a common understanding of operational risk across the bank involving every employee at all levels for pro-active management of operational risks.

● Risk ownership: Ensure that there is clear ownership for each element of operational risk and assign clear responsibility for related day-to-day risk management and mitigation.

WHAT IS THE OPERATIONAL RISK?

Definition: Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Figure of operational risk 1

● People: Includes fraud; breaches of employment law; unauthorized activity; loss or lack of key personnel; inadequate training; inadequate supervision.

● Process: Includes payment or settlement failures; documentation which is not fit for purpose; errors in valuation/pricing models and processes; project management failures; internal/external reporting; (mis)selling.

● System: Includes failures during the development and systems implementation process, as well as failures of the system itself; inadequate resources.

● External events: Includes external crime; outsourcing (and insourcing) risk; natural and other disasters; regulatory risk; political risk; utilities failures; competition.

Alternatively, operational risk can be defined as the risk associated with operating the business. One can subdivide operational risk into two components: operational failure risk and operational strategic risk.

● Operational failure risk arises from the potential for failure in the course of operating the business. A firm uses people, process, and technology to achieve business plans, and any one of these factors may experience a failure of some kind. Accordingly, operational failure risk is the risk that exists within the business unit caused by the failure of people, process or technology. A certain level of the failures may be anticipated and should be built into the business plan. It is the unanticipated and therefore uncertain failures that give rise to risk. These failures can be expected to occur periodically, although both their impact and their frequency may be uncertain. The impact or the financial loss can be divided into the expected amount, the severe unexpected amount and the catastrophic unexpected amount. The firm may provide for the losses that arise from the expected component of these failures by charging revenues with a sufficient amount of reserve. The firm should set aside sufficient economic capital to cover the severe unexpected component.

● Operational strategic risk arises from environmental factors such as a new competitor that changes the business paradigm, a major political and regulatory regime change, earthquakes and other factors that are generally outside the control of the firm. It also arises from a major new strategic initiative, such as getting into a new line of business or redoing how current business is to be done in the future. All businesses also rely on people, processes and technology outside their business unit, and the same potential for failure exists there. This type of risk will be referred to as external dependencies.

How does operational risk management work?

The first stage of any Operational Risk Management strategy is of course to understand the nature of your business and the particular risks associated with it. If you manage a company that runs water ski lessons, there will be risks your business will face that are very different to a company that creates technology for vending machines. Spending time worrying about risks that are nothing to do with you is just wasting time.

There are three levels of Operational Risk Management that you can choose to embark upon, and these are as follows:

In-depth: As the name suggests, this is the kind of risk management that we would all be undertaking in an ideal world, as it will deliver the best results and practically make risk a thing of the past (not completely, of course, as not every risk is foreseeable). We don’t live in an ideal world, but there are still many situations when you can take the time to plan for a new project or business venture with in-depth Operational Risk Management, which can include staff training and/or the implementation of new policies and procedures.

Deliberate: This is still not ‘panic stations’ in the world of risk management but is undertaken at various stages during the life cycle of a project or a business and can come in the form of routine safety checks or performance reviews.

Time-Critical: This kind of Operational Risk Management involves more urgency as it is usually done in the midst of operational change when there is only a limited amount of time for it to be done before the potential consequences of any non-identified risks might start to be felt. The US Navy has the following processes for time-critical ORM: Assess the situation; Balance your resources; Communicate risks and intentions; and Do and debrief.

Benefits of operational risk management

Before you decide whether or not you want to investigate how Operational Risk Management works and what you need to do to implement it, you will want to know what the potential benefits of it are.

These will help to convince those with sign-off on the decision that it is the right move for your organization, so here are the main benefits of Operational Risk Management:

● Improving the reliability of business operations

● Improving the effectiveness of the risk management operations

● Strengthening the decision-making process where risks are involved

● Reduction in losses caused by poorly-identified risks

● Early identification of unlawful activities

● Lower compliance costs

● Reduction in potential damage from future risks

There are plenty more benefits as well as a few challenges, as with any major business process, but Operational Risk Management is an essential step for every company that is looking to avoid potentially damaging issues.

Who manages operational risk?

We believe that a partnership between business, infrastructure, internal audit and risk management is the key to success. The question is how can this partnership be constituted? In particular, what is the nature of the relationship between operational risk managers and the bank audit function? The essentials of proper risk management require that (a) appropriate policies be in place that limit the amount of risk taken, (b) authority be provided to change the risk profile, to those who can take action, and (c) timely and effective monitoring of the risk be in place. No one group can be responsible for setting policies, taking action, and monitoring the risk taken, for to do so would give rise to all sorts of conflicts of interest. Policy setting remains the responsibility of senior management, even though the development of those policies may be delegated, and submitted to the board of directors for approval.

The authority to take action rests with business management, who are responsible for controlling the amount of operational risk taken within their business. Business management often relies on expert areas such as information technology, operations, legal, etc. to supply it with services required to operate the business. These infrastructure and governance groups share with business management the responsibility for managing operational risk. The responsibility for the development of the methodology for measuring operational risk resides with risk management. Risk management also needs to make risks transparent through monitoring and reporting. Risk management should also portfolio manage the firm’s operational risk. Risk management can actively manage residual risk through using tools such as insurance. Portfolio management adds value by ensuring that operational risk is adequately capitalized as well as analyzed for operational risk concentration. Risk management is also responsible for providing a regular review of trends, and needs to ensure that proper operational risk reward analysis is performed in the review of existing business as well as before the introduction of new initiatives and products. In this regard risk management works very closely with, but is independent of, the business infrastructure and the other governance groups.

Operational risk is often managed on an ad hoc basis, and banks can suffer from a lack of coordination among functions such as risk management, internal audit, and business management. Most often there are no common bank-wide policies, methodologies or infrastructure. As a result there is also often no consistent reporting on the extent of operational risk within the bank as a whole. Furthermore, most bank-wide capital attribution models rarely incorporate sophisticated measures of operational risk.

Senior management needs to know if the delegated responsibilities are actually being followed and if the resulting processes are effective. Internal audit is charged with this responsibility. Audit determines the effectiveness and integrity of the controls that business management puts in place to keep risk within tolerable levels. At regular intervals the internal audit function needs to ensure that the operational risk management process has integrity, and is indeed being implemented along with the appropriate controls. In other words, auditors analyze the degree to which businesses are in compliance with the designated operational risk management process. They also offer an independent assessment of the underlying design of the operational risk management process. This includes examining the process surrounding the building of operational risk measurement models, the adequacy and reliability of the operational risk management systems and compliance with external regulatory guidelines, etc. Audit thus provides an overall assurance on the adequacy of operational risk management.

A key audit objective is to evaluate the design and conceptual soundness of the operational value-at-risk (VaR) measure, including any methodologies associated with stress testing, and the reliability of the reporting framework. Audit should also evaluate the operational risks that affect all types of risk management information systems – whether they are used to assess market, credit or operational risk itself – such as the processes used for coding and implementation of the internal models. This includes examining controls concerning the capture of data about market positions, the accuracy and completeness of this data, as well as controls over the parameter estimation processes. Audit would typically also review the adequacy and effectiveness of the processes for monitoring risk, and the documentation relating to compliance with the qualitative/quantitative criteria outlined in any regulatory guidelines. Regulatory guidelines typically also call for auditors to examine the approval process for vetting risk management models and valuation models used by front and back-office personnel. Auditors also need to examine any significant change in the risk measurement process. Audit should verify the consistency, timeliness and reliability of data sources used to run internal models, including the independence of such data sources. A key role is to examine the accuracy and appropriateness of volatility and correlation assumptions as well as the accuracy of the valuation and risk transformation calculations. Finally, auditors should examine the verification of the model’s accuracy through an examination of the back testing process.

Regulatory guidance

As a minimum all companies must adhere to regulatory requirements. However, there are few countries where specifically drafted requirements cover operational risk management. The Bank for International Settlements (BIS) has just published a set of requirements on internal control which contain guidance in operational risk management. It is expected that regulators in each country will incorporate these into their own regimes. However, some regulators would claim that they already have a robust approach to operational risk. Different countries have different approaches to operational risk. In the United Kingdom the Bank of England has since the Banking Act 1987 asked banks to appoint reporting accountants to review under Section 39 of that Act the internal control environments and to report on their adequacy for the risks to which each firm is exposed.

The Bank of England published a Guidance Note on Reporting Accountants’ Reports on Internal Controls and other Control Systems which provides a description of key controls and their expectations about their adequacy. In the next year the author expects further regulatory guidance on operational risk. Various countries already have the elements of operational risk regulatory frameworks:

● RATE process in the UK

● CAMEL process in the USA

● BAK Minimum Requirements for Trading Institutions in Germany.

The challenge for the regulators is to build an approach on the solid foundations already established in many countries.

Stages of Operational Risk Management

The stages listed earlier are those the US Navy uses for time-critical Operational Risk Management, but for a more standard risk management process these are the usual stages you will need to undertake:

● Risk Identification: As mentioned earlier, understanding the risks specific to your business is key, but there are also many potential risks that affect any kind of business and you need to identify all of them, both those that are recurring and those that can be one-off events. The identification process needs to involve staff from all levels of the business if possible, bringing a variety of backgrounds and experiences to make a cohesive result. Risks that can be identified by work floor staff will be very different and no less critical than those identified from the boardroom.

● Risk Assessment: Once the risks have been identified, they need to be assessed. This needs to be done from both a quantitative and qualitative perspective and factors like the frequency and severity of occurrence need to be taken into consideration. The assessment needs to prioritize the management of these risks in relation to those factors.

● Measurement and Mitigation: Mitigating these risks (if not actually eliminating them altogether) is the next stage, with controls put in place that should limit the company’s exposure to the risks and the potential damage caused by them.

● Control
  ○ Regular process.
  ○ Performed by risk owners.
  ○ Focus on control design and control performance.
  ○ Different types of controls, e.g. preventive and detective.
  ○ Control design may suddenly become ineffective between quarters, due to changes in business structure, personnel, products or services offered.
  ○ Fully documented audit trail (ideally electronic document storage).
  ○ It is vital to follow up on any control weaknesses highlighted and also to incorporate the results in management reporting.
  ○ Results should feed in to the Internal Audit Programme.

● Monitoring and Reporting: Any Operational Risk Management plan must have something in place for the ongoing monitoring and reporting of these risks if only to demonstrate how effective the plan has been. Most of all, it’s to ensure that the solutions put in place are continuing to be effective and doing their job in managing the risks.

There are other processes and models out there, particularly in the banking world, but most follow similar approaches to the one listed above. As long as you are picking an approach that suits your specific needs and situation, you will be on the way to a successful Operational Risk Management strategy.

SUMMARY OF STAGES OF OPERATIONAL RISK

[Figure of stages: Risk identification; Risk assessment; Measurement and mitigation; Control; Monitoring and reporting]

Pillars of operational risk management

● Policy: Lays down the scope, objective overall guidelines for bank-wide operational risk management.

● Governance structure: Lays down the positions, rules or responsibilities and reporting lines of the personnel involved in operational risk.

● Process: Involves risk identification, validation or assessment, mitigation, measurement and reporting envisaged by Basel II and RBI for effective risk management.

● Technology: Required for collection of loss data and assessment results, aggregation of risk information and reporting.

● Training: For structured dissemination of ORM process across the bank and creating robust risk management environment.

Figure of pillars

Conclusion
An integrated goal-congruent risk management process that puts all the elements together, will open the door to optimal firm-wide management of risk. ‘Integrated’ refers to the need to avoid a fragmented approach to risk management – risk management is only as strong as the weakest link. ‘Goal congruent’ refers to the need to ensure that policies and methodologies are consistent with each other. Infrastructure includes having the right people, operations technology and data to appropriately control risk. One goal is to have an ‘apple-to-apple’ risk measurement scheme so that one can compare risk across all products and aggregate risk at any level. The end product is a best-practice management of risk that is also consistent with business strategies. This is a ‘one firm, one view’ approach that also recognizes the complexity of each business within the firm.

In this chapter we have stressed that operational risk should be managed as a partnership among business units, infrastructure groups, corporate governance units, and internal audit and risk management. We should also mention the importance of establishing a risk-aware business culture. Senior managers play a critical role in establishing a corporate environment in which best-practice operational risk management can flourish. Personnel will ultimately behave in a manner dependent on how senior management rewards them. Indeed, arguably the key single challenge for senior management is to harmonize the behavior patterns of business units, infrastructure units, corporate governance units, internal audit and risk management and create an environment in which all sides ‘sink or swim’ together in terms of managing operational risk.

Reference page

Websites

● http://tallyfy.com/operational-risk-management
● https://www.actuaries.org.uk/system/files/documents/pdf/c9.pdf
● https://www.slideshare.net/mobile/angbeenbush/operational-risk-management-orm

Books

● The Professional’s Handbook of Financial Risk Management
● The Essentials of Risk Management

Appendix
The G30 report stressed the importance of hiring skilled professionals: Recommendation 16 states that
one should ‘ensure that derivatives activities are undertaken by professionals in sufficient number and
with the appropriate experience, skill levels, and degrees of specialization’. The G30 also stressed the
importance of building best-practice systems. According to Recommendation 17, one should ‘ensure that
adequate systems for data capture, processing, settlement, and management reporting are in place so that
derivatives transactions are conducted in an orderly and efficient manner in compliance with management
policies’.
People
The survey of industry practices examined the involvement in the derivatives activity of people at all
levels of the organization and indicated a need for further development of staff involved in back-office
administration, accounts, and audit functions, etc. Respondents believed that a new breed of specialist,
qualified operational staff, was required. It pointed out that dealers (large and small) and end-users face a
common challenge of developing the right control culture for their derivatives activity.
Systems
The survey confirmed the view that dealing in derivatives can demand integrated systems to ensure
adequate information and operational control. It indicated that dealers were moving toward more
integrated systems, between front- and back-office (across types of transactions). The industry has made a
huge investment in systems, and almost all large dealers are extensive users of advanced technology.
Operations
The role of the back-office is to perform a variety of functions in a timely fashion. This includes
recording transactions, issuing and monitoring confirmations, ensuring legal documentation for
transactions is completed, settling transactions, producing information for management and control
purposes. This information includes reports of positions against trading and counterparty limits, reports
on profitability, and reports on exceptions. There has been significant evolution in the competence of staff
and the adequacy of procedures and systems in the back office.
Controls
Derivative activities, by their very nature, cross many boundaries of traditional financial activity.
Therefore the control function must be necessarily broad, covering all aspects of activity. The primary
element of control lies in the organization itself. Allocation of responsibilities for derivatives activities,
with segregation of authority where appropriate, should be reflected in job descriptions and organization charts.
Audit
The G30 pointed out that internal audit plays an important role in the procedures and control framework
by providing an independent, internal assessment of the effectiveness of this framework. The principal
challenge for management is to ensure that internal audit staff has sufficient expertise to carry out work in
both the front and back office. Able individuals with the appropriate financial and systems skills are
required to carry out the specialist aspects of the work.
