

30 Operational risk management

Operational risk
The importance of managing operational risk has been well established for some
time. Operational risk may be considered to be the type of risk that will disrupt
normal everyday activities. In many ways, operational risk is closely related to
infrastructure risks described in the FIRM risk scorecard classification system.
Operational risks are usually hazard risks, and historically this has been an area
of strong application of risk transfer by way of insurance. However, operational risk
now has a more extensive application and a more specific definition, especially in
financial institutions. Whilst addressing the same types of risks, operational risk in
financial institutions is differentiated by the fact that there is a need to quantify these
risks in terms of potential financial loss.
Financial institutions are required to have sufficient capital reserves available to
meet the actual and potential financial losses and obligations faced by the organization.
This is a key requirement of the regulatory framework set out for banks in the
Basel II Accord and under emerging regulation for European insurance companies
through the Solvency II European Directive. Therefore, financial institutions need to
measure the level of operational risk that they face. A major contributing factor to
the global financial crisis was that banks adopted high-risk strategies that resulted in
the banks having insufficient capital when the risks materialized.
The capital adequacy regulations that are based on Basel II require that banks
take their operational risk exposure into account in determining their capital
requirements. This operational risk management framework should include identification,
measurement and monitoring, reporting, control and mitigation frameworks
for operational risk. This assessment of capital requirements is often called economic
capital.
In addition, the regulations require that banks must follow one of three specific
quantitative methods to provide another measure of capital requirement. This is the
so-called regulatory capital. Two of the methods are based on the incomes of the
financial institution. The third method requires assessment of all material operational
risk exposures to a high degree of statistical quality. Under the Solvency II European
Directive, insurance companies in the EU will have to adopt a similar approach.

Basel II is the second of the Basel Accords that set out recommendations on banking
laws and regulations, as issued by the Basel Committee on Banking Supervision.
The purpose of Basel II (2004) is to create an international standard that banking
regulators can use when creating regulations about how much capital banks need
to put aside to guard against the types of financial and operational risks they face.
Basel III requirements have been developed, although it is not anticipated that Basel III
will come fully into force until 2019.

Definition of operational risk


Operational risks faced by banks and other financial institutions represent essentially
the same types of disruptive hazard risks that are faced by other organizations,
although the definition may be broader and the terminology slightly different. The
specific point in the case of operational risk for financial institutions is that the level
of operational risk needs to be quantified, because the level of risk has to be covered
by available capital within the institution. This leads to an imperative for the bank
to reduce the level of operational risk to the lowest level that is cost-effective.
Banks have long been concerned with market risk and credit risk (and insurance
companies with underwriting risk as well), but the advent of Basel II and Solvency II
requires financial institutions to consider broader operational risk exposures. Opera­
tional risk was initially defined as being any form of risk that was not market risk or
credit risk. This imprecise definition was replaced by Basel II with a definition of
operational risk as: ‘the risk of loss resulting from inadequate or failed internal pro­
cesses, people and systems or from external events’.
The Basel II definition includes legal risk, but excludes strategic and reputational
risk. The types of risks associated with the Basel II definition include the following:
● internal fraud, including misappropriation of assets, tax evasion and bribery;
● external fraud including theft, hacking and forgery;
● employment practices and workplace safety;
● clients, projects and business practices;
● damage to physical assets;
● business interruption and systems failures;
● execution, delivery and process management.
However, there is also recognition that operational risk is a term that has a variety
of meanings and that certain financial institutions use a different term or a broader
definition. The Basel II definition identifies four types of risk categories: people,
process, system and external risks. People risks include failure to comply with procedures
and lack of segregation of duties. Process risks include process failures and
inadequate controls. System risks include failure of applications systems to meet user
requirements and the absence of built-in control measures. Finally, external risks
include action by regulators (change of regulation, but excluding enforcement or
disciplinary action), unsatisfactory performance by service providers and fraud, both
internal and external. External risks also include legal action by customers of financial
institutions in relation to negligence or fraud committed by staff.
The definitions of market risk and credit risk are also worth considering in relation
to financial institutions. Market risk is the risk that the value of investments
may decline over a period, simply because of economic changes or other events that
impact large portions of the market. Credit risk is the risk that there will be a failure
by a customer/client to repay the principal and/or interest on a loan or other outstanding
debt in a timely manner, or at all. Underwriting risk is also important for
insurance companies; it is the exposure to the risks of the client through insurance
policies.

Failure of operational risk management

Operational risk management is at a crucial point in its development. Numerous approaches
have been developed across different industries, but many institutions are struggling to make
these fully effective by really embedding them into the day-to-day management of their
business. In order to overcome this challenge, it is essential to define clearly the relationship
between operational risk processes and the overall control environment.
Indeed, the effectiveness of operational risk management has been impeded by a
common failure to truly embed operational risk into the overall management of risk and
control. Group risk functions must demonstrate to business-unit staff the full potential of
using operational risk processes, developed under the group framework to manage the
actual risks in the business.
As a consequence, the governance of operational risks involves more than just
calculating the yearly operational risk capital. As economies and financial conditions change
over time, so does the operational risk exposure. This implies that a number of specific
operational risk events may become even more likely, which in times of crises require the
attention of top management.

The losses associated with the failure to manage operational risk can be very
substantial. Losses suffered by so-called rogue traders are sometimes attributed to
market risk. The argument is that the losses occurred because market conditions
changed in an unexpected way and significant losses materialized. From an operational
risk perspective, this analysis is incorrect.
It is more correct to say that the losses occurred because of a failure to control
the activities of traders. If the operations had been controlled by adequate
operational risk controls, the traders would not have been in a position to have
put substantial assets of the bank at risk. Blaming the losses on the market risk
when such substantial assets of the bank should not have been in the market at all is
incorrect.

Basel II and Basel III


Basel II has been in existence for some time and, at the time of writing this book
(2016), Basel III requirements have been developed, but may not be introduced until
2019. The revised requirements contained in Basel III are likely to be consistent with
what has gone before. Likewise, the development of Solvency II that will define
capital requirements for insurance companies has been completed and the date for
full implementation is currently anticipated to be as late as 2019. The approach
taken in Solvency II is consistent with the approach in Basel II and Basel III.
The 10 principles of ‘Sound Practices’ on operational risk put forward by the
Basel II committee are set out in Table 30.1. One of the key requirements, as set out
in Principle 5, is that processes necessary for assessing operational risk should be
established. The intention of Basel II is to help protect the international financial
system from the types of problems that might arise should a major bank or a series
of banks collapse.

Table 30.1 ORM principles (Basel II)

The 10 principles on ‘Sound Practices’ of the Basel II committee are as follows:

1 The board is responsible for establishing the operational risk strategy.
2 Senior management is responsible for implementing the operational risk strategy.
3 Information, communication and escalation flows must be established.
4 Operational risks inherent in activities, processes, systems and products should be identified.
5 Processes necessary for assessing operational risk should be established.
6 Systems should be implemented to monitor operational risk exposures and loss events.
7 Policies, processes and procedures to control or mitigate operational risks should be in place.
8 Supervisors should require banks to have an effective system to identify, measure, monitor and control operational risk.
9 Supervisors should conduct regular independent evaluations of these principles.
10 Sufficient public disclosure should be made to allow stakeholders to assess the operational risk exposure and the quality of operational risk management.

Basel II attempts to protect the international financial system by setting up rigorous
risk and capital management requirements designed to ensure that a bank holds
capital reserves appropriate to the risk the bank exposes itself to through its lending
and investment practices. These rules mean that the greater risk to which the bank is
exposed, the greater the amount of capital it needs to hold to safeguard its solvency
and overall economic stability. Basel II aims to ensure that capital allocation is more
risk sensitive, that operational risk is separated from credit risk (both of which
should be quantified) and that a global regulatory regime is in place.
The Basel II Accord describes a comprehensive minimum standard for capital
adequacy that national supervisory authorities are working to implement. In addition,
Basel II is intended to promote a more forward-looking approach to capital supervision
that encourages banks to identify the risks they face and improve their ability
to manage those risks. As a result, it is intended to be more flexible and better able
to evolve with advances in markets and risk management practices.
There has been considerable debate about the effectiveness of the Basel II Accord
(2004) in achieving its stated objectives. The effectiveness of the accord should be
assessed against the failure of the banking system in 2008. The role of that failure in
the global financial crisis has been the topic of much detailed evaluation.

Measurement of operational risk


Operational risk has become a specific issue in financial institutions, because of the
requirement to measure/quantify the level of operational risk that they face. The
measurement of operational risk can involve a number of methods and these are
normally based on historical information, simulated information or a combination
of these. Table 30.2 sets out examples of operational risks faced by a bank or financial
institution.
Basel II offers three alternative approaches to measuring operational risk for
regulatory capital purposes, as set out below. The first two methods are a proxy for
operational risk management exposure; whilst research work was undertaken to
validate these methods, individual firms could vary substantially from the assessments
these two methods would provide:
● Basic indicator approach: calculates the value of operational risk capital
using a single indicator for the overall risk exposure.
● Standardized approach: calculates the value for operational risk, using
a broad financial indicator, multiplied by operational loss experience.
● Advanced approach: uses the internal loss data and a combination of
qualitative and quantitative methods to calculate the operational risk
capital.
In order to measure operational risk, the financial institution needs to adopt a
structured approach. Even after the identification of the risks, quantification is only
possible if the amount of damage and risk probabilities are determined. Operational
risks are hard to quantify since loss histories are usually not available and some risks
cannot easily be quantified.

Table 30.2 Operational risk for a bank

| Event category | Definition | Description | Examples |
|---|---|---|---|
| Internal fraud | Losses due to fraud, misappropriation or circumvention of regulations by internal party | Unauthorized activity, theft and fraud | Unreported transactions; Unauthorized transactions; Theft and fraud; Tax non-compliance; Insider trading |
| External fraud | Losses due to fraud, misappropriation or circumvention of the regulations by third party | Systems security, theft and fraud | Theft/robbery; Forgery; Hacking/theft of information |
| Employees | Losses arising from injury or non-compliance with the employment legislation | In a safe environment, damaged employee relations and discrimination | Compensation claim; Discrimination allegation |
| Clients | Losses arising from failure to meet professional obligations to clients | Disclosure and fiduciary | Fiduciary breaches; Disclosure violations; Misuse of confidential information |
| Physical assets | Losses arising from loss or damage to physical assets | Disasters and other events | Natural disaster losses; Terrorism/vandalism |
| Systems | Losses arising from disruption of business or system failures | Systems | Hardware or software failure; Telecommunications; Utility disruption |
| Processes | Losses from failed transaction processing or process management | Transaction capture, execution, documentation and maintenance | Data entry, or loading error; Missed deadline or responsibility; Failed reporting obligation; Incorrect records |

Many banks have undertaken detailed evaluation and quantification of their
operational risks. In general, it has been discovered that the size of the bank (measured
in terms of number of employees) influences the size of losses that will be suffered.
This appears to indicate that larger banks tend to have larger clients. The other
general trend being identified is that the number of losses is strongly correlated to
the number of customers that use the bank.

Difficulties of measurement
The development of interest in operational risk has been based on the need to quantify
operational risk in financial institutions. The challenges of quantifying operational
risk have been considerable. Expected levels of loss can only be estimated,
even if the probability of loss is fairly accurately known. Although statistical
approaches have been adopted and developed, a universally accepted approach is
still not available.
The expected losses can have a direct and indirect cost. Indirect costs are often
larger, and include the loss of a customer. This loss can be represented by the present
value of that customer and all future gains from that relationship. Actions that
should be taken will include internal control measures as well as evaluation by
internal audit. Internal audit within a financial institution has the familiar, but
vitally important, responsibility of checking whether procedures are followed in
practice and whether the procedures themselves are likely to be effective in reducing
the level of operational risk.
Table 30.3 illustrates the different natures of operational risk faced by financial
and industrial companies. The table provides a comparison of the nature and impact
of human error in a financial institution, compared with an industrial undertaking.
It is clear that the control of staff behaviour and actions is much more difficult in
financial institutions than in manufacturing facilities.
It is worth noting that operational risk quantification is possible for non-financial
institutions, and a transport company (for example) could investigate the operational
risks associated with its activities. The risks associated with the operations
include the price of fuel, tax obligations and the financial impact of delivery mistakes.
Operational risks can arise from road traffic accidents or other delivery delays and
changes by customers that have not been correctly incorporated into the delivery
schedule.
It is likely that the most important operational risks faced by a transport company
would be incorrect customer deliveries and road traffic accidents. The quantification
of risk exposures associated with the various categories of operational risk will help
a transport company focus on those risks with the greatest potential to cause disruption
to normal efficient routine operations, and then take the appropriate control
actions to reduce these operational risk exposures.

Table 30.3 Operational risk in financial and industrial companies

| Financial | Industrial |
|---|---|
| Errors mostly arise when people reach their mental limits | Errors are mostly due to people reaching their physical limits |
| Systems are highly complex and widely distributed and the environment is only partly manageable | People are working in relatively simple relationships and the environment is highly manageable |
| Loss prevention is concerned with security of value and assets | Loss prevention is mainly concerned with physical safety, equipment protection and avoiding accidents |
| Loss prevention is aimed at avoiding financial loss | Loss prevention is aimed at avoiding physical harm to people or equipment and/or the manufacture of faulty goods (scrap) |
| The main incentive for committing mistakes is personal financial gain or self-interest | The main incentive for making deliberate mistakes is reducing effort or (possibly) sabotage |
| Risk management is a key skill in financial services and has central importance to the organization | Risk management is not central to operations, although the aim is to avoid disruption to manufacturing processes |

Developments in operational risk


Before considering developments in operational risk, it is worth noting that
concerns about operational risks are universal in all organizations. Although the
banks and other financial institutions may have a specific approach to operational
risk, the issues that are being considered are the same issues that affect all other
types of organizations in the public, private and third sectors. (The third sector
refers to not-for-profit organizations, including charities, membership and voluntary
bodies.)
Although the issues are the same, the approach in banks and other financial
institutions can be different. In a non-financial institution, the questions related
to operational risk may well be: ‘What is the value of my assets, how do I protect
them and to what extent and value (or limit of indemnity) do I need to purchase
insurance?’ In the financial sector, the questions are more likely to be: ‘What are the
capital requirements attached to my assets?’ and ‘Can I afford to keep that amount
of (non-productive) capital in reserve, or do I need to purchase insurance and to
what value or limit of indemnity?’
It is generally accepted that operational risk concerns need to be integral to the
management of a financial institution. It is often the case that management trainees
within financial institutions spend some time in the risk management function, as
they progress with their career in the general management side of the business. It is
the intention that this involvement with risk management will create greater awareness
before the individual progresses into other roles.
The measurement of operational risk in financial institutions is still proving to
be a challenge, especially during the global financial crisis, which showed
that the extent of operational risk exposure was greater than most banks believed.
Certain financial institutions are seeking to adopt risk management standards,
such as ISO 31000, the IRM standard and the COSO framework. Basel II does not
prescribe or require any particular framework for use with operational risk management,
except that the adopted framework is conceptually sound and pays high regard
to integrity issues.
There are other tensions that exist with the development of operational risk
within financial institutions. In many cases, the quantification of operational risk is
seen as a compliance requirement rather than a business opportunity. Given that the
quantification of operational risk can be quite technical, there may be a tendency for
management within an organization to feel that it is the role of the operational risk
manager to take responsibility for this work.
The responsibility for the management of risk and the implementation of controls
usually rests with the line managers. If this responsibility is not accepted, there is a
danger that operational risk management will not be fully integrated into management
of the financial institution, with disastrous consequences.
Calculation of operational risk exposure is a requirement of Basel II, and financial
institutions therefore have to undertake this work. Financial institutions are driven
by increasing regulatory demands and other corporate governance pressures. Raising
the level of operational risk awareness by quantifying the level of risk and explaining
the full significance of risk management to relevant members of staff should be to the
benefit of the organization. This increased awareness will enable the organization to
identify the sources of operational risk and take appropriate cost-effective actions to
optimize the level of operational risk exposure.
The US-based Risk and Insurance Managers Society (RIMS) has undertaken an
evaluation of the causes of the global financial crisis. This evaluation considered the
contribution that could have been made by enterprise risk management (ERM) and
the reasons for the failure in the application of ERM tools and techniques. RIMS
concluded that the global financial crisis was not a failure of ERM, but was caused
by the following failures:
● There was an over-reliance on the use of financial models, with the mistaken
assumption that the ‘risk quantifications’ (used as predictions) based solely on
financial modelling were both reliable and sufficient tools to justify decisions
to take risk in the pursuit of profit.
● There was an over-reliance on compliance and controls to protect assets, with
the mistaken assumption that historic controls and monitoring a few key
metrics are enough to change human behaviour.
● There was a failure to properly understand, define, articulate, communicate
and monitor risk tolerances, with the mistaken assumption that everyone
understands how much risk the organization is willing to take.
● There was a failure to embed enterprise risk management best practices from
the top all the way down to the trading floor, with the mistaken assumption
that there is only one way to view a particular risk.
The text box below provides an example of how financial institutions report on their
operational risks. This edited extract demonstrates the scope of operational risk, but
also illustrates that financial institutions (FIs) face exactly the same range of operational
risks as non-FIs. The key difference is that FIs are required to quantify their
operational risk, so that capital can be allocated to fund these risks.

Scope of operational risk

The group risk department defines and prescribes the insurance, market and operational
risk assessment processes for the business. It performs second-line reviews, including the
reserving and capital modelling processes, and undertakes regular reviews of all risks in
conjunction with management, with the results of these reviews recorded in risk registers.
Listed below are the principal operational risks that Admiral has identified through its
ERM framework:
● People risk:
– Failure to recruit, develop and retain suitable talent.
● Process risk:
– A failure in processes or failure of their associated controls.
● Technology risk:
– Failure to invest in and successfully implement appropriate technology.
● Cyber risk:
– Financial loss, data loss, business disruption or damage to reputation from failure of
IT systems.
● Customer outcome risk:
– Failure of products, processes or services to meet customer and regulator
expectations.

Source: Admiral Group plc, Annual Report and Accounts 2015
