Chapter 30
Operational risk management
Operational risk
The importance of managing operational risk has been well established for some
time. Operational risk may be considered to be the type of risk that will disrupt
normal everyday activities. In many ways, operational risk is closely related to
infrastructure risks described in the FIRM risk scorecard classification system.
Operational risks are usually hazard risks, and historically this has been an area
of strong application of risk transfer by way of insurance. However, operational risk
now has a more extensive application and a more specific definition, especially in
financial institutions. Whilst addressing the same types of risks, operational risk in
financial institutions is differentiated by the fact that there is a need to quantify these
risks in terms of potential financial loss.
Financial institutions are required to have sufficient capital reserves available to meet the actual and potential financial losses and obligations faced by the organization. This is a key requirement of the regulatory framework set out for banks in the Basel II Accord and under emerging regulation for European insurance companies through the Solvency II European Directive. Therefore, financial institutions need to measure the level of operational risk that they face. A major contributing factor to the global financial crisis was that banks adopted high-risk strategies that resulted in the banks having insufficient capital when the risks materialized.
The capital adequacy regulations that are based on Basel II require that banks take their operational risk exposure into account in determining their capital requirements. This operational risk management framework should include identification, measurement and monitoring, reporting, control and mitigation frameworks for operational risk. This assessment of capital requirements is often called economic capital.
In addition, the regulations require that banks must follow one of three specific
quantitative methods to provide another measure of capital requirement. This is the
so-called regulatory capital. Two of the methods are based on the incomes of the
financial institution. The third method requires assessment of all material operational
risk exposures to a high degree of statistical quality. Under the Solvency II European
Directive, insurance companies in the EU will have to adopt a similar approach.
Basel II is the second of the Basel Accords that set out recommendations on banking
laws and regulations, as issued by the Basel Committee on Banking Supervision.
The purpose of Basel II (2004) is to create an international standard that banking
regulators can use when creating regulations about how much capital banks need
to put aside to guard against the types of financial and operational risks they face.
Basel III requirements have been developed, although it is not anticipated that Basel III
will come fully into force until 2019.
internal and external. External risks also include legal action by customers of financial institutions in relation to negligence or fraud committed by staff.
The definitions of market risk and credit risk are also worth considering in relation to financial institutions. Market risk is the risk that the value of investments may decline over a period, simply because of economic changes or other events that impact large portions of the market. Credit risk is the risk that there will be a failure by a customer/client to repay the principal and/or interest on a loan or other outstanding debt in a timely manner, or at all. Underwriting risk is also important for insurance companies; it is the exposure to the risks of the client through insurance policies.
The losses associated with the failure to manage operational risk can be very substantial. Losses suffered by so-called rogue traders are sometimes attributed to market risk. The argument is that the losses occurred because market conditions changed in an unexpected way and significant losses materialized. From an operational risk perspective, this analysis is incorrect.
It is more correct to say that the losses occurred because of a failure to control
the activities of traders. If the operations had been controlled by adequate
operational risk controls, the traders would not have been in a position to have
put substantial assets of the bank at risk. Blaming the losses on the market risk
when such substantial assets of the bank should not have been in the market at all is
incorrect.
risks are hard to quantify since loss histories are usually not available and some risks
cannot easily be quantified.
Many banks have undertaken detailed evaluation and quantification of their
operational risks. In general, it has been discovered that the size of the bank (measured
in terms of number of employees) influences the size of losses that will be suffered.
This appears to indicate that larger banks tend to have larger clients. The other
general trend being identified is that the number of losses is strongly correlated to
the number of customers that use the bank.
Difficulties of measurement
The development of interest in operational risk has been based on the need to quantify operational risk in financial institutions. The challenges of quantifying operational risk have been considerable. Expected levels of loss can only be estimated, even if the probability of loss is fairly accurately known. Although statistical approaches have been adopted and developed, a universally accepted approach is still not available.
The expected losses can have direct and indirect costs. Indirect costs are often
larger, and include the loss of a customer. This loss can be represented by the present
value of that customer and all future gains from that relationship. Actions that
should be taken will include internal control measures as well as evaluation by
internal audit. Internal audit within a financial institution has the familiar, but
vitally important, responsibility of checking whether procedures are followed in
practice and whether the procedures themselves are likely to be effective in reducing
the level of operational risk.
Table 30.3 illustrates the different natures of operational risk faced by financial
and industrial companies. The table provides a comparison of the nature and impact
of human error in a financial institution, compared with an industrial undertaking.
It is clear that the control of staff behaviour and actions is much more difficult in
financial institutions than in manufacturing facilities.
It is worth noting that operational risk quantification is possible for non-financial institutions, and a transport company (for example) could investigate the operational risks associated with its activities. The risks associated with the operations include the price of fuel, tax obligations and the financial impact of delivery mistakes. Operational risks can arise from road traffic accidents or other delivery delays and changes by customers that have not been correctly incorporated into the delivery schedule.
It is likely that the most important operational risks faced by a transport company would be incorrect customer deliveries and road traffic accidents. The quantification of risk exposures associated with the various categories of operational risk will help a transport company focus on those risks with the greatest potential to cause disruption to normal efficient routine operations, and then take the appropriate control actions to reduce these operational risk exposures.
Table 30.3 Nature and impact of human error in a financial institution compared with an industrial undertaking

Financial: Errors mostly arise when people reach their mental limits.
Industrial: Errors are mostly due to people reaching their physical limits.

Financial: Systems are highly complex and widely distributed, and the environment is only partly manageable.
Industrial: People are working in relatively simple relationships, and the environment is highly manageable.

Financial: The main incentive for committing mistakes is personal financial gain or self-interest.
Industrial: The main incentive for making deliberate mistakes is reducing effort or (possibly) sabotage.
capital requirements attached to my assets?’ and ‘Can I afford to keep that amount
of (non-productive) capital in reserve, or do I need to purchase insurance and to
what value or limit of indemnity?’
It is generally accepted that operational risk concerns need to be integral to the
management of a financial institution. It is often the case that management trainees
within financial institutions spend some time in the risk management function, as
they progress with their career in the general management side of the business. It is
the intention that this involvement with risk management will create greater awareness
before the individual progresses into other roles.
The measurement of operational risk in financial institutions is still proving to be a challenge, especially during the global financial crisis, which showed that the extent of operational risk exposure was greater than most banks believed.
Certain financial institutions are seeking to adopt risk management standards, such as ISO 31000, the IRM standard and the COSO framework. Basel II does not prescribe or require any particular framework for use with operational risk management, except that the adopted framework must be conceptually sound and pay high regard to integrity issues.
There are other tensions that exist with the development of operational risk
within financial institutions. In many cases, the quantification of operational risk is
seen as a compliance requirement rather than a business opportunity. Given that the
quantification of operational risk can be quite technical, there may be a tendency for
management within an organization to feel that it is the role of the operational risk
manager to take responsibility for this work.
The responsibility for the management of risk and the implementation of controls usually rests with the line managers. If this responsibility is not accepted, there is a danger that operational risk management will not be fully integrated into management of the financial institution, with disastrous consequences.
Calculation of operational risk exposure is a requirement of Basel II, and financial
institutions therefore have to undertake this work. Financial institutions are driven
by increasing regulatory demands and other corporate governance pressures. Raising
the level of operational risk awareness by quantifying the level of risk and explaining
the full significance of risk management to relevant members of staff should be to the
benefit of the organization. This increased awareness will enable the organization to
identify the sources of operational risk and take appropriate cost-effective actions to
optimize the level of operational risk exposure.
The US-based Risk and Insurance Managers Society (RIMS) has undertaken an
evaluation of the causes of the global financial crisis. This evaluation considered the
contribution that could have been made by enterprise risk management (ERM) and
the reasons for the failure in the application of ERM tools and techniques. RIMS
concluded that the global financial crisis was not a failure of ERM, but was caused
by the following failures:
●● There was an over-reliance on the use of financial models, with the mistaken
assumption that the ‘risk quantifications’ (used as predictions) based solely on
financial modelling were both reliable and sufficient tools to justify decisions
to take risk in the pursuit of profit.
The group risk department defines and prescribes the insurance, market and operational
risk assessment processes for the business. It performs second-line reviews, including the
reserving and capital modelling processes, and undertakes regular reviews of all risks in
conjunction with management, with the results of these reviews recorded in risk registers.
Listed below are the principal operational risks that Admiral has identified through its
ERM framework:
●● People risk:
– Failure to recruit, develop and retain suitable talent.
●● Process risk:
– A failure in processes or failure of their associated controls.
●● Technology risk:
– Failure to invest in and successfully implement appropriate technology.
●● Cyber risk:
– Financial loss, data loss, business disruption or damage to reputation from failure of IT systems.
●● Customer outcome risk:
– Failure of products, processes or services to meet customer and regulator expectations.