Hans Geiger

Regulating and Supervising Operational Risk for Banks

Abstract: There is a renewed interest of banks and supervisors in operational risk. In the new Capital Adequacy Framework of June 1999 the Basel Committee calls for capital charges for operational risks as a component of Pillar one. Based on an analysis of the definitions of operational risk and its demarcation versus credit and market risk, this paper argues that it would be inappropriate to introduce extra capital charges for operational risks in Pillar one. The correct answer to the challenges of operational risk is not seen in Pillar one but in Pillar two, the supervisory review process, and in Pillar three, the effective use of market discipline. This paper was presented at the Conference Future of Financial Regulation: Global Regulatory Reform and Implications for Japan (17 Oct 2000) in Tokyo. Hans Geiger is professor at the Swiss Institute of Banking of the University of Zurich and a member of the European Shadow Financial Regulatory Committee.

1. History of operational risk Operational risk is not a new, but the oldest risk which banks face. A newly-established bank is confronted with operational risks before it even decides on its first credit transaction or market position. There are, however, some aspects which are new and hence of topical interest: (1) the perception that operational risks have increased markedly in the last few years (2) the realization that the merely quantitative approach to credit and market risk overlooks key danger areas and that operational risk management should consequently be developed into a discipline in its

Regulating and Supervising Operational Risk for Banks

own right (3) the inclusion of operational risks in any type of total risk management (4) and last but not least the renewed interest of supervisory authorities in operational risk. The most important cause of this interest in the subject have been those spectacular cases in which banks have suffered publicly-disclosed losses resulting from operational risks. The most prominent case has been the substantial Barings losses which brought the bank down at the start of 1995, setting off a mid-sized earthquake in banking and regulatory supervisory circles. It is now the conventional wisdom that the derivatives losses of GBP 827 million were not actually market risks so much as operational risks.1 This opinion will be dealt with in greater detail below. The supervisory authorities have only recently started to take a closer look at operational risks. In September 1998 the Basel Committee published an initial report on this topic, without mentioning the question of regulation. The report merely said: The Committee will continue to 2 monitor developments in this area. In the new Capital Adequacy Framework of June 1999 the Basel Committee then expressly called for capital charges for operational risks as a component of Pillar one:3 From a regulatory perspective, the growing importance of this risk category [i.e. operational and other risk] has also led the Committee to conclude that such risks are too important not to be treated separately within the capital 4 framework. In the update of November 1999 this intention was confirmed and defined in more concrete terms: The Risk Management Group is developing a framework for applying capital charges to 5 operational risk . The supervisors assume on the basis of surveys that some 25% of current regulatory capital is needed for operational risks. The Risk Management Group of the Basel Committee has conducted
1 Bank of England (1995), and Parsley (1996), p. 74. 2 Basle Committee on Banking Supervision (1998b) p. 7. 3 The new capital framework consists of three pillars: minimum capital requirements (pillar 1), a supervisory review process (pillar 2), effective use of market discipline (pillar 3) 4 Basel Committee on Banking Supervision (1999c), p. 50. 5 Basel Committee on Banking Supervision (1999b)

Hans Geiger

recent surveys on the top-down approach and the bottom-up, or box, approach. The former focuses on a capital charge on non-interest income, the latter on the compilation of risk indicators, business volume indicators and availability of loss data for the various business lines and nine new risk types.6 An important reason for the interest of the supervisory authorities in a capital requirement for operational risks seems to be that as a result of the unbundling of risk and capital charges, overall capital adequacy requirements fall, which the supervisory authorities wish to prevent. 2. Definition of operational risk The prerequisite for the theoretical analysis of a problem is the definition of terms. The term operational risks has only been defined in the last few years. The chronological development of this definition is given here in brief, as it is relevant to our subject. Risk is not understood merely as uncertainty about the future or the probability of sustaining a loss but is defined as an expression of the danger that the effective future outcome will deviate from the expected or planned outcome in a negative way.7 This definition implies that a bank does not accept risks simply as fate but deals with them actively. Risk is measured by the probability and impact of a negative deviation. It follows from this concept that the opposite of risk is opportunity. Other authors define risk neutrally, comprising not only negative but positive deviations. This difference is not relevant for operational risks. In contrast to credit and market risk, the assumption of operational risk does not generate higher revenue. Nor are operational risks proportional to trading volume. This definition, it is important to note, does not class every loss as a risk, only the unexpected loss. Taking the example of lending: only those loan losses are designated as risks which exceed the expected losses
6 Basel Committee on Banking Supervision Risk Management Group (2000) 7 Geiger (1999), p. 556.

Regulating and Supervising Operational Risk for Banks

which have been factored into the price. This notion of risk implies that a bank has an idea of its expected losses for the various areas of risk. These ideas are based on more or less validated information about the future external environment (e.g. in relation to the business cycle and interest rate levels) on the one hand and the future internal environment of the bank on the other. Past experience almost always plays a key role. Another definition of terms is important for an understanding of risk: it is not only the distinction between expected and unexpected losses which is significant, but also that between acceptable and unacceptable. These two terms reflect a banks capacity to take on risk 8 and its attitude to risk. The acceptance of unexpected losses is determined not only by economic but to a great extent by sociological and psychological elements. The search for a generally-valid definition of operational risks has only taken on momentum in banking in the past few years.9 This definition must fit into the framework of general risk definition mentioned above. Unlike in industry, banks' risk management in the past focused largely on credit and market risk, with mathematical modelling and measurement playing a strong role. The last few years have seen the search for a generally recognized concept of operational risk, conducted principally by practitioners and banking supervisors, giving rise to a wealth of definitions, often mutually irreconcilable. The definitions can be split into two categories: indirect and direct definitions. Under the indirect definition, operational risks are understood to be all those risks which cannot be classed as credit or market risks. As it is a simple definition, this formulation was widely welcomed at the outset and supervisory authorities have been utilizing it until very recently. But a closer examination reveals that an indirect definition is unsatisfactory on practical and theoretical grounds. From a theoretical standpoint, the indirect definition is unsatisfactory because it

8 Luhmann speaks in this connection of catastrophe threshold. See Luhmann (1991), p. 11. 9 Jameson (1998).

Hans Geiger

fails to address nearly all the key issues of defining and demarcating terms. A survey of the definitions published in the last few years by a total of 16 banks, consultancies and supervisory authorities shows that the following words occur most frequently: processes and procedures, people and human errors, internal control, internal and external events, direct and indirect losses, failure, technology and systems. Nearly all definitions emphasize the internal side of operations but frequently unexpected external events are also classed as operational risks. Many approaches speak of losses both in the sense of direct financial losses, and also of indirect ones which frequently derive from the loss of a banks reputation and market value. I regard the wording of the British BankersAssociation (BBA) as the best one and one which seems to be sweeping the field of late. It is: Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from 10 external events. Adapting this to my general concept of risk, I define the term as follows: Operational risk is an expression of the danger of unexpected direct or indirect losses resulting from inadequate or failed internal processes, people, and systems or from external events. The most important characteristics of this definition are: The focus on internal aspects which the bank can and should shape and influence. These are often actions or failure to take action by the bank and its staff. These risks are clearly separate from market and credit risks. The importance of process orientation in the operational risk concept. The emphasis placed on the process aspects locates the definition of operational risk management in the vicinity of total quality management. The operational risks in the banking sector resemble similar risks in industry more closely than they do market or credit risks in a bank.

10 British Bankers' Association et al. (2000), p. 39.

Regulating and Supervising Operational Risk for Banks

The decisive role played by human beings and the errors they commit, both out of self-interest as well as ignorance. There are three types of operational risk in this context: Hazards, errors, conflicts.11 In this connection behavioural risks and the incentive effects of business structures, compensation and promotion systems and generally speaking, the selection, instruction and monitoring of staff, customers and other business partners are of great significance.12 The external incidents are natural, political or military events, losses and deficiencies in the technical infrastructure, as well as changes in and problems with the legal, tax and regulatory environment, all occurring outside the realms of credit and market risk. The important role played by the internal control system, the elements and rules of which have been known and accepted for decades but which are often forgotten or neglected during periods of restructuring or product and process innovation.13 Many of the notorious losses in recent banking history could have been avoided or limited had the established rules been followed.

3. Identification and demarcation versus credit and market risk (RIM) 14

It is desirable both in terms of practical utility and theoretical clarification to distinguish the operational risks defined in the last section from other risk categories, thereby allocating all a banks risks to well-defined risk

11 Guldimann (1999), p. 54. 12 These questions were already regulated in Roman law. The due care and diligence of the principal comprises cura in eligendo, cura in instruendo, cura in custodiendo. See Rey (1998), p. 204 f. 13 Basle Committee on Banking Supervision (1998b), p. 8ff. 14 See Geiger and Piaz (2000).

Hans Geiger

categories that do not overlap each other. But comprehensive risk modelling of this nature would go well beyond the scope of the present discussion. Hence we shall limit ourselves to differentiating operational risks from credit and market risks, and from all other types of risk. The focus is on whether we understand by risk the causes of a negative deviation from desired or planned outcome or whether we see the negative effects as the risk. Not a few definitions and explanations of operational risk fail to clarify this aspect. Sometimes a mixture of cause and effect is used for identification and demarcation. For example, if we examine the conventional wisdom that Barings derivatives losses were actually not market risks but operational risks in the light this approach, we find that the statement makes little sense. It is not a matter of eitheror but cause and effect. The causes were doubtless operational: the grossly negligent breach of recognized internal control principles. But it is just as clear that the effect was an unexpected loss of market value, that is, market risk. Below, a cause/effect matrix, known as a Risk Identification Matrix (RIM), is used to identify and demarcate operational risks. The causes are used to demarcate the operational from other risks. Operational risks are all unexpected losses which have their origin in internal errors or staffrelated deficiencies, in processes and systems and in external events. The (negative) effect is manifested either directly in unexpected credit (I), market (II) or operational losses (unexpected extra costs (III) or lower revenues (IV) or indirectly, in an unexpected reduction of market value (V) of the bank. The direct losses are reflected in the balance sheet and profit and loss statement and the indirect ones in the value of the discounted future cash flow. The possible effects of operational risks are marked in Figure 1 with an arrow ()

Regulating and Supervising Operational Risk for Banks

Effect
direct manifestation
loss from loss from counterparty change market value value uncertain/wrong info about counterparty uncertain/wrong info about market develop other causes inadequate/failed processes persons systems external events other losses operational loss more expense less income

indirect manifest.
NPV, market value

A/B/ a a a

Cause

I/a

II

III

IV

Source: Geiger, Piaz 2000

Figure 1: Risk Identification Matrix (RIM). Source: Geiger and Piaz (2000) The RIM is a conceptual aid. It serves to enhance linguistic communication and helps to convey an overall picture of how the causes and effects of risks are related. Using the RIM, credit and market risks can be defined more clearly. Credit risk could be defined in three different ways: Narrow definition on the basis of cause and effect as unexpected losses from changes in credit rating owing to uncertain or erroneous information about the counterparties. (A). By this definition, unexpected loan losses which are of operational origin are not credit risks.

Hans Geiger

Definition based on effects as unexpected losses arising from changes in credit rating (a). In this definition, unexpected loan losses of operational origin (I) (e.g. owing to deficient credit monitoring) would also be classed as credit risks and should then not be listed again as operational risks in the overall risk analysis, unless it is expressly stated that they are being counted twice. Broad definition based on causes as all unexpected losses from uncertain or erroneous information about counterparties. This would also include for example an operational loss constituted by the higher costs of employing additional account managers. (B)

In the RIM, others are listed both on the cause and effect axes. This row and column are intended merely to show that neither cause nor effect is adequately captured in the terms credit, market and operational. 4. Management of operational risk

This study does not attempt to deal with the topic of managing operational risk in any detail. Nevertheless, some comments are necessary with respect to regulation and supervision. The scope of operational risks is measured by the probability and impact of the unexpected losses stemming from the deficiency or failure of internal processes, persons and systems, or external occurrences. A quantitative assessment requires such losses to be quantified as expected costs and assumes that probabilities and actual losses can be measured. At the theoretical level, complete quantification is impossible.15 In practice, any analysis of probability and size of operational risks is also defeated by the lack of relevant data. Operational risks and the losses they generate should be captured systematically and completely at the level of the individual transaction in a database or risk ledger. They should then be

15 See Young (1999).

10

Regulating and Supervising Operational Risk for Banks

analysed and where appropriate quantified and aggregated.16 This is one of the urgent tasks facing systematic operational risk management: to systematize operational risks and place them in the loss probability and size matrix (Fig. 2).17 Hence it is desirable that a standardized methodology to describe operational risks be developed for the financial services sector, as an aid to practical risk management, the arrangement of insurance solutions and also for academic research. A number of such data models already exist.18

low

Probalility high

Severity low

Figure 2: Size and probability of unexpected losses. Source: own diagram For operational risk policy the following rules result from an analysis of the size and probability of losses: business areas with a high likelihood and high level of operational risk (A) are naturally to be avoided. Areas with a low level but high probability of losses (B) are often not perceived as risk areas but merely as cost-intensive or low quality. In such cases, the problems are frequently to be found in process and system

16 See Hoffman (1998) p. 37ff. 17 See Levine and Hoffmann (2000). 18 See e.g. NetRisk (2000).

high

Hans Geiger

11

design and are thus closely related to the topic of quality management.19 They should be reduced by preventive measures. Small-scale losses with a low degree of probability should be accepted (C) if the costs of prevention exceed the amount of reducing the losses. The spectacular operational losses are mostly located in box D: low probability, high level of loss (D). For such cases, preventive measures such as governance, internal control and management incentives are most important. Although the relevant principles have been known for decades, the Basel Committee on Banking Supervision notes in a recent study that lack of internal controls is behind many a major loss. The Committee has thus drafted 13 principles for executive management and boards of directors and proposed rules for monitoring by the banking supervisory authorities.20 The methods developed in the field of finance, especially Value at Risk (VaR), are not suited to extreme losses. Insurance solutions can often be of assistance here, provided the problem of moral hazard can be kept under control. Additional reinsurance is advisable for extreme losses. Very high deductibles are one of the measures used to cope with moral hazard. Recently the international market has been seeing insurance policies for operational risks, and for large banks too. One example is the FIORI policy developed by Swiss Re New Markets.21 The chances of an insurance policy being successful depend on the majority of the big banks participating, for in the insurance paradigm, those needing capital come from exactly the same group as those with capital.22 A new variant of the insurance solution is contingent capital. In essence, a contingent capital instrument is an option to raise capital, subject to certain conditions.23. Provisions have to be made for all expected operational risks and for the

19 See Greenbaum and Thakor (1995) p.727 ff., and Bruhn (1996), especially p. 82 f. 20 Basle Committee on Banking Supervision (1998a), p. 2ff. 21 Swiss Re New Markets: Financial Institutions Operational Risk Insurance Policy. See also Avery and Milton (2000). 22 Gumerlock (1999), p.112. 23 Shimpi (1999), pp. 160 172.

12

Regulating and Supervising Operational Risk for Banks

unexpected ones up to the amount of the deductibles. It is clear that the insurers counterparty risk replaces the operational risk if insurance is taken out. Regulatory capital is not suitable to cover such risk. Let me summarize: the main elements of operational risk management are: APIP&C: avoid, prevent, insure, provide and collect data. In the day-to-day management of operational risks the following trends are visible in the banking community:24 Creation of a formal organization of operational risk management, which clarifies competencies and responsibilities of business areas and hierarchy levels in a bank. An important first step in this direction is the systematic reporting of operational risks up through the hierarchy to the level of the board of directors. Inclusion of operational risks in an overall risk management concept. Development and implementation of tools for operational risk management. There are currently five main tools: (1) self-assessment (2) risk mapping (3) risk indicators (4) escalation triggers (5) loss event models. Inclusion of operational risk management in a value-oriented global management concept e.g. on the basis of a Risk Adjusted Performance Measurement: RAPM.25 The attempt is made here to identify economic capital for operational risks. As already discussed, I view this VaR-oriented approach as not very suitable for operational risks. Generally, managements are adopting the bottom-up method for operational risk rather than the top-down approach.

24 British Bankers' Association et al. (2000), p. 3ff. 25 The RAPM concept seeks to account for risk by adjustments to profitability and capital. See Saunders (1999), p. 151.

Hans Geiger

13

5. Consequences for regulation and supervision of operational risk

From the standpoint discussed above of defining and demarcating operational risks, it would seem inappropriate for several reasons for the regulatory authorities to plan extra capital charges for operational risks in Pillar 1 in addition to credit and market risks: Firstly operational risks are frequently reflected in unexpected credit and market losses. Where this is the case, the current regulations already include them in the calculation of statutory capital and provisions. It would thus be implausible to have them underpinned twice over in arbitrary fashion, for example by capital charges on non-interest income, as stated in the Consultative Paper of the Basel Committee and the related commentaries since its publication.26 Even if a charge on income were sensible, the proposed non-inclusion of interest income is difficult to justify on theoretical grounds. Secondly, the problems of operational risks are of quite a different order than those of market and credit risks: it is not a matter of unexpected losses from transactions and external events but of the behaviour of the bank management and staff and of prevention and measures which the bank has to take or avoid. The assumption of operational risk does not lead to higher yields and the risks are hardly proportional to business volume. The operational risk management of a bank resembles the risk management of the industrial and energy sectors much more than it does credit and market risk management. Analysis of causes, prevention, early warning systems and emergency measures are more important than measurement, diversification and hedging. Insights derived from industrial total quality management are arguably of great use in this regard, because process aspects and prevention play a central role. All these measures call for considerable resources, albeit not in the form of abstract capital but in the form of personnel, technology and systems. In the final analysis, the various

26 Basel Committee on Banking Supervison (1999), p. 50 51.

14

Regulating and Supervising Operational Risk for Banks

challenges of operational risk management have to do with the banks risk culture. Operational risk management is not a one-off task which management can delegate when the work has been completed but an ongoing process of improvements in, and learning at the bank. A third big difference between the management of credit and market risk on the one hand and operational risks on the other is the combination of various risks: for credit and market risks the combination of various risks reduces risk through diversification. The combination of three portfolios with CHF 10 million market risk each may result in a total market risk of CHF 20 million. Our hypothesis is that the combination of various operational risks does not diversify but multiply the potential losses. The hypothesis of the curse of multiplication of operational risk is not based on empirical or theoretical work, but rather on evidence from famous cases27 and personal experience in the banking industry. The hypothesis can be illustrated with the example of a business principals duty of care and diligence towards his staff under Roman law. This duty comprises three tasks: the careful selection (S), training (T) and monitoring (M) of personnel.28 If a deficiency in these three duties generates a loss of CHF 10 million in each, the total loss produced when combining the three is not CHF 20 million, nor even 30 million but more likely a multiple of that, say perhaps CHF 1,000 million.29 That is pretty much what happened to Barings. There are obvious limits to the hypothesis of the curse of multiplication. The hypothesis is not meant to provide a formula for computing aggregate operational risks, but rather to illustrate a fundamental difference between market and credit risk and operational risk. One theoretical limit is that no single risk factor must have a value of zero, because in this case the result of the

27 E.g. Barings (1995), Credit Suisse Chiasso (1977), Daiwa (1995), Deutsche Morgan Grenfell (1996), Sumitomo (1996) 28 cura in eligendo, cura in instruendo, cura in custodiendo. See Rey (1998), p. 204 f. 29 10 x 10 x 10

Hans Geiger

15

multiplication would be zero. A second limit lies in the fact that the multiplication formula does not take into account the sequence and timing of the different risk factors and the feedback between them.30 The rules of risk reduction through diversification do apply in some technical areas of operational risk management: Building a back-up computer center in another area of the country reduces the probability of both failing at the same time owing to e.g. power failure or earthquake. Fourthly, capital charges are basically the wrong way to tackle operational risks. If expected and unexpected credit and market losses actually occur, then both the business and the capital will have theoretically vanished and the bank will be no more. If on the other hand the expected and unexpected operational risks occur (as causes), the capital base would be gone but the business would still be there, at least to some extent. The result would be a bank which would or could no longer fulfil its capital requirements. Fifthly, it can hardly be argued that big and well-known operational losses could have been avoided or reduced by capital requirements. On the contrary, having to comply with a not very sensible statutory capital requirement could be an alibi for not implementing the measures which actually were necessary. Finally, it is interesting to observe the first stages of a new debate on the appropriateness of the corporate finance standard risk model. In Shimpis opinion, this standard model on which regulatory capital requirements are based has to be combined with the insurance model. The resulting insurative model would include various sorts of onbalance-sheet capital as well as off-balance-sheet capital, especially in the form of insurance.31 The insurance solution is decisive given the possibility of extreme operational losses.

30 The result of S x T x M is identical to S x M x T. The result of a process of defective S, T, and M is influenced by the sequence and timing of the three risks and the feedback between them. 31 Shimpi (1999), p. 49 f.

16

Regulating and Supervising Operational Risk for Banks

These arguments highlight the faulty reasoning behind the new capital adequacy requirement. However, I am not generally of the opinion that todays banks have enough or too much equity capital for their businesses. On the contrary, I subscribe to the opinion of the Sub-Group of the Shadow Financial Regulatory Committees of Europe, Japan, and U.S.: that minimum capital ratios should be higher than those currently 32 in place. Nor should my criticism be construed as implying that the regulatory authorities ought not to intervene in the field of operational risks. The correct answer, however, is not Pillar one but Pillar two, the supervisory review process, and especially the utilization of Pillar three, the effective use of market discipline, for operational risk too. In the case of Pillar two, the regulatory authorities ought to ascertain whether the banks are adhering to best practice in their corporate governance and internal control systems.33 They should take action if this is not the case. In the case of Pillar three, the regulatory authorities should prescribe that banks provide systematic and transparent reporting on operational risks to their shareholders and the public. Positive and powerful incentives for boards of directors and management can be expected from the reputational aspects and possible civil law actions often associated with operational risks.

Generally speaking I have reservations about the direction in which the regulatory authorities have been seeking to develop capital adequacy requirements recently. The recipe seems to be: ever more detailed regulations and an ever greater depth of information required, which is equivalent to risk disaggregation. In so doing, the authorities are following management practice at leading banks and the methods of academic research, and they are doing so ever more closely. In so doing the regulatory authorities are de facto releasing the banks executive

32 Shadow Financial Regulatory Committees of Europe Japan and the U.S. (1999), p.4. 33 Basle Committee on Banking Supervision (1998a), Basel Committee on Banking Supervision (1999a)

Hans Geiger

17

managements from having to answer one of the most important questions of all: what is the appropriate level of capital for my bank? With their current approach of requiring capital underpinning for operational risks the regulatory authorities risk making regulatory rules out of proposed solutions that even well-managed banks have never applied successfully in detail and over a period of time and that have not been seriously entertained by the academic community either thus far. SOURCES Avery, R. and Milton, P. (2000) Insurers to the Rescue? Operational Risk, Special Edition of Risk Professional, 61 - 69. Bank of England (1995) Report of the Board of Banking Supervision. Inquiry into the Circumstances of the Collapse of Barings, London. Basel Committee on Banking Supervision Risk Management Group (2000) Other Risks Preliminary Survey, Basel. Basel Committee on Banking Supervision (1999a) Enhancing Corporate Governance for Banking Organisations, Basel. Basel Committee on Banking Supervision (1999b) Update on Work on a New Capital Adequacy Framework, Basel. Basel Committee on Banking Supervision (1999c) A New Capital Adequacy Framework (Consultative Paper), Basel. Basle Committee on Banking Supervision (1998a) Framework for Internal Control Systems in Banking Organisations, Basle. Basle Committee on Banking Supervision (1998b) Operational Risk Management, Basle. British Bankers' Association, International Swaps and Derivatives Association and Robert Morris Associates (2000), Operational Risk Management - The Next Frontier, The Journal of Lending & Risk Management, March, 38 -44.

18

Regulating and Supervising Operational Risk for Banks

Bruhn,

M. (1996) Qualittsmanagement fr Dienstleistungen. Grundlagen, Konzepte, Methoden, Berlin, Heidelberg, New York.

Geiger, H. (1999), Die Risikopolitik der Banken, Teil 1 und Teil 2, Der Schweizer Treuhnder, 73, 6/7 und 8, 555 - 564, 713 - 718. Geiger, H. and Piaz, J.-M. (2000) Identifikation und Bewertung operationeller Risiken, In Handbuch Bank-Controlling (ed., Schierenbeck, H.) Wiesbaden. (forthcoming) Greenbaum, S. I. and Thakor, A. V. (1995) Contemporary Financial Intermediation, Fort Worth. Guldimann, T. (1999), Operational Risk: Divide and Conquer, Risk, April, 54. Gumerlock, R. (1999), The Future of Risk, Euromoney, June, 112-114. Jameson, R. (1998), Playing the Name Game, Risk, October , 38 - 42. Levine, M. and Hoffmann, D. G. (2000) Enriching the Universe of Operational Risk Data: Getting Started on Risk Profiling, Operational Risk, 25 - 39. Luhmann, N. (1991) Soziologie des Risikos, Berlin, New York. NetRisk (2000) Methodology for the Classification of Operational Losses. www.netrisk.com Parsley, M. (1996), Risk Management's Final Frontier, Euromoney, September, 74 - 79. Rey, H. (1998) Ausservertragliches Haftpflichtrecht, Zrich. Saunders, A. (1999) Financial Institutions Management. A Modern Perspective, Boston et al. Shadow Financial Regulatory Committees of Europe Japan and the U.S. (1999) Improving the Basle Committee's New Capital Adequacy Framework, New York. Shimpi, P. A. (ed.) (1999) Integrating Corporate Risk Management, Zurich.

Hans Geiger

19

Young, B. (1999), Raising the Standard, Risk Magazine, Special Report on Operational Risk, November.