Operational risk

Last updated May 29, 2023

Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations. Employee errors, criminal activity such as fraud, and physical events are among the factors that can trigger operational risk. The process to manage operational risk is known as operational risk management. The definition of operational risk, adopted by the European Solvency II Directive for insurers, is a variation adopted from the Basel II regulations for banks: "The risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses".^[1]^[2] The scope of operational risk is then broad, and can also include other classes of risks, such as fraud, security, privacy protection, legal risks, physical (e.g. infrastructure shutdown) or environmental risks. Operational risks similarly may impact broadly, in that they can affect client satisfaction, reputation and shareholder value, all while increasing business volatility.

Previously, in Basel I, operational risk was negatively defined: namely that operational risk are all risks which are not market risk and not credit risk. Some banks have therefore also used the term operational risk synonymously with non-financial risks.^[3] In October 2014, the Basel Committee on Banking Supervision proposed a revision to its operational risk capital framework that sets out a new standardized approach to replace the basic indicator approach and the standardized approach for calculating operational risk capital.^[4]

Contrary to other risks (e.g. credit risk, market risk, insurance risk) operational risks are usually not willingly incurred nor are they revenue driven. Moreover, they are not diversifiable and cannot be laid off. This means that as long as people, systems, and processes remain imperfect, operational risk cannot be fully eliminated. Operational risk is, nonetheless, manageable as to keep losses within some level of risk tolerance (i.e. the amount of risk one is prepared to accept in pursuit of his objectives), determined by balancing the costs of improvement against the expected benefits. Wider trends such as globalization, the expansion of the internet and the rise of social media, as well as the increasing demands for greater corporate accountability worldwide, reinforce the need for proper risk management.

Thus operational risk management (ORM) is a specialized discipline within risk management. It constitutes the continuous-process of risk assessment, decision making, and implementation of risk controls, resulting in the acceptance, mitigation, or avoidance of the various operational risks. ORM somewhat overlaps quality management ^[5] and the internal audit function.

Background

Until Basel II reforms to banking supervision, operational risk was a residual category reserved for risks and uncertainties which were difficult to quantify and manage in traditional ways^[6] – the "other risks" basket.

Such regulations institutionalized operational risk as a category of regulatory and managerial attention and connected operational risk management with good corporate governance.

Businesses in general, and other institutions such as the military, have been aware, for many years, of hazards arising from operational factors, internal or external. The primary goal of the military is to fight and win wars in quick and decisive fashion, and with minimal losses. For the military and the businesses of the world alike, operational risk management is an effective process for preserving resources by anticipation.

Two decades (from 1980 to the early 2000s) of globalization and deregulation (e.g. Big Bang (financial markets)), combined with the increased sophistication of financial services around the world, introduced additional complexities into the activities of banks, insurers, and firms in general and therefore their risk profiles.

Since the mid-1990s, the topics of market risk and credit risk have been the subject of much debate and research, with the result that financial institutions have made significant progress in the identification, measurement, and management of both these forms of risk.

However, the near collapse of the U.S. financial system in September 2008^[7]^[8] is an indication that our ability to measure market and credit risk is far from perfect and eventually led to the introduction of new regulatory requirements worldwide, including Basel III regulations for banks and Solvency II regulations for insurers.

Events such as the September 11 terrorist attacks, rogue trading losses at Société Générale, Barings, AIB, UBS, and National Australia Bank serve to highlight the fact that the scope of risk management extends beyond merely market and credit risk.

These reasons underscore banks' and supervisors' growing focus upon the identification and measurement of operational risk.

The list of risks (and, more importantly, the scale of these risks) faced by banks today includes fraud, system failures, terrorism, and employee compensation claims. These types of risk are generally classified under the term 'operational risk'.

The identification and measurement of operational risk is a real and live issue for modern-day banks, particularly since the decision by the Basel Committee on Banking Supervision (BCBS) to introduce a capital charge for this risk as part of the new capital adequacy framework (Basel II).

Definition

The Basel Committee defines operational risk in Basel II and Basel III as:

The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.^[9]

The Basel Committee recognizes that operational risk is a term that has a variety of meanings and therefore, for internal purposes, banks are permitted to adopt their own definitions of operational risk, provided that the minimum elements in the Committee's definition are included.

Scope exclusions

The Basel II definition of operational risk excludes, for example, strategic risk – the risk of a loss arising from a poor strategic business decision.

Other risk terms are seen as potential consequences of operational risk events. For example, reputational risk (damage to an organization through loss of its reputation or standing) can arise as a consequence (or impact) of operational failures – as well as from other events.

Basel II seven event type categories

The following lists the seven official Basel II event types with some examples for each category:

Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery ^[10]
External Fraud – theft of information, hacking damage, third-party theft and forgery
Employment Practices and Workplace Safety – discrimination, workers compensation, employee health and safety
Clients, Products, and Business Practice – market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
Damage to Physical Assets – natural disasters, terrorism, vandalism
Business Disruption and Systems Failures – utility disruptions, software failures, hardware failures
Execution, Delivery, and Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

Difficulties

It is relatively straightforward for an organization to set and observe specific, measurable levels of market risk and credit risk because models exist which attempt to predict the potential impact of market movements, or changes in the cost of credit. These models are only as good as the underlying assumptions, and a large part of the recent financial crisis arose because the valuations generated by these models for particular types of investments were based on incorrect assumptions.

By contrast, it is relatively difficult to identify or assess levels of operational risk and its many sources. Historically organizations have accepted operational risk as an unavoidable cost of doing business. Many now though collect data on operational losses – for example through system failure or fraud – and are using this data to model operational risk and to calculate a capital reserve against future operational losses. In addition to the Basel II requirement for banks, this is now a requirement for European insurance firms who are in the process of implementing Solvency II, the equivalent of Basel II for the insurance sector.^[11]

Methods for calculating operational risk capital

Basel II and various supervisory bodies of the countries have prescribed various soundness standards for operational risk management for banks and similar financial institutions. To complement these standards, Basel II has given guidance to 3 broad methods of capital calculation for operational risk:

Basic Indicator Approach – based on annual revenue of the Financial Institution
Standardized Approach – based on annual revenue of each of the broad business lines of the Financial Institution
Advanced Measurement Approaches – based on the internally developed risk measurement framework of the bank adhering to the standards prescribed (methods include IMA, LDA, Scenario-based, Scorecard etc.)

The operational risk management framework should include identification, measurement, monitoring, reporting, control and mitigation frameworks for operational risk.

There are a number of methodologies to choose from when modeling operational risk, each with its advantages and target applications. The ultimate choice of the methodology/methodologies to use in your institution depends on a number of factors, including:

Time sensitivity for analysis;
Resources desired and/or available for the task;
Approaches used for other risk measures;
Expected use of results (e.g., allocating capital to business units, prioritizing control improvement projects, satisfying regulators that your institution is measuring risk, providing an incentive for better management of operational risk, etc.);
Senior management understanding and commitment; and
Existing complementary processes, such as self-assessment^[12]

Standardised Measurement Approach (Basel III)

The Basel Committee on Banking Supervision (BCBS) has proposed the "Standardised Measurement Approach" (SMA) as a method of assessing operational risk as a replacement for all existing approaches, including AMA. The objective is to provide stable, comparable and risk-sensitive estimates for the operational risk exposure and is effective January 1, 2022.^[13] The SMA puts weight on the internal loss history (losses of the last 10 years must be considered). It is possible to consider net losses (after recoveries and insurance).

The marginal coefficient (α) increases with the size of the BI as shown in the table below.


Bucket	BI range (in €bn)	BI marginal coefficients (αi)
1	≤1	12%
2	1 < BI ≤30	15%
3	> 30	18%

The ILM is defined as:

$ILM=\ln(\exp(1)-1+(LC/BIC)^{0}.8)$

where the Loss Component (LC) is equal to 15 times average annual operational risk losses incurred over the previous 10 years.^[13]

Related Research Articles

The Basel Accords refer to the banking supervision accords issued by the Basel Committee on Banking Supervision (BCBS).

In finance, systemic risk is the risk of collapse of an entire financial system or entire market, as opposed to the risk associated with any one individual entity, group or component of a system, that can be contained therein without harming the entire system. It can be defined as "financial system instability, potentially catastrophic, caused or exacerbated by idiosyncratic events or conditions in financial intermediaries". It refers to the risks imposed by interlinkages and interdependencies in a system or market, where the failure of a single entity or cluster of entities can cause a cascading failure, which could potentially bankrupt or bring down the entire system or market. It is also sometimes erroneously referred to as "systematic risk".

Basel II classified legal risk as a subset of operational risk in 2003. This conception is based on a business perspective, recognizing that there are threats entailed in the business operating environment. The idea is that businesses do not operate in a vacuum and in the exploitation of opportunities and their engagement with other businesses, their activities tend to become subjects of legal liabilities and obligations.

Bank regulation is a form of government regulation which subjects banks to certain requirements, restrictions and guidelines, designed to create market transparency between banking institutions and the individuals and corporations with whom they conduct business, among other things. As regulation focusing on key factors in the financial markets, it forms one of the three components of financial law, the other two being case law and self-regulating market practices.

Basel II is the second of the Basel Accords, which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision. It is now extended and partially superseded by Basel III.

Financial risk management is the practice of protecting economic value in a firm by managing exposure to financial risk - principally operational risk, credit risk and market risk, with more specific variants as listed aside. As for risk management more generally, financial risk management requires identifying its sources, measuring it, and the plans to address them. See Finance § Risk management for an overview.

Risk-adjusted return on capital (RAROC) is a risk-based profitability measurement framework for analysing risk-adjusted financial performance and providing a consistent view of profitability across businesses. The concept was developed by Bankers Trust and principal designer Dan Borge in the late 1970s. Note, however, that increasingly return on risk-adjusted capital (RORAC) is used as a measure, whereby the risk adjustment of Capital is based on the capital adequacy guidelines as outlined by the Basel Committee.

<span class="mw-page-title-main">Financial risk</span> Any of various types of risk associated with financing

Financial risk is any of various types of risk associated with financing, including financial transactions that include company loans in risk of default. Often it is understood to include only downside risk, meaning the potential for financial loss and uncertainty about its extent.

Operational risk management (ORM) is defined as a continual recurring process that includes risk assessment, risk decision making, and the implementation of risk controls, resulting in the acceptance, mitigation, or avoidance of risk.

Advanced measurement approach (AMA) is one of three possible operational risk methods that can be used under Basel II by a bank or other financial institution. The other two are the Basic Indicator Approach and the Standardised Approach. The methods increase in sophistication and risk sensitivity with AMA being the most advanced of the three.

The term Advanced IRB or A-IRB is an abbreviation of advanced internal ratings-based approach, and it refers to a set of credit risk measurement techniques proposed under Basel II capital adequacy rules for banking institutions.

The term Foundation IRB or F-IRB is an abbreviation of foundation internal ratings-based approach, and it refers to a set of credit risk measurement techniques proposed under Basel II capital adequacy rules for banking institutions.

In the context of operational risk, the standardized approach or standardised approach is a set of operational risk measurement techniques proposed under Basel II capital adequacy rules for banking institutions.

Loss given default or LGD is the share of an asset that is lost if a borrower defaults.

Exposure at default or (EAD) is a parameter used in the calculation of economic capital or regulatory capital under Basel II for a banking institution. It can be defined as the gross exposure under a facility upon default of an obligor.

Asset and liability management is the practice of managing financial risks that arise due to mismatches between the assets and liabilities as part of an investment strategy in financial accounting.

The Capital Requirements Directives (CRD) for the financial services industry have introduced a supervisory framework in the European Union which reflects the Basel II and Basel III rules on capital measurement and capital standards.

Solvency II Directive 2009 is a Directive in European Union law that codifies and harmonises the EU insurance regulation. Primarily this concerns the amount of capital that EU insurance companies must hold to reduce the risk of insolvency.

Basel III is the third Basel Accord, a framework that sets international standards for bank capital adequacy, stress testing, and liquidity requirements. Augmenting and superseding parts of the Basel II standards, it was developed in response to the deficiencies in financial regulation revealed by the financial crisis of 2007–08. It is intended to strengthen bank capital requirements by increasing minimum capital requirements, holdings of high quality liquid assets, and decreasing bank leverage.

The Capital Requirements Regulation(EU) No. 575/2013 is an EU law that aims to decrease the likelihood that banks go insolvent. With the Credit Institutions Directive 2013 the Capital Requirements Regulation 2013 reflects Basel III rules on capital measurement and capital standards.

References

↑ "Basel II: Revised international capital framework". Bis.org. 2004-06-10. Retrieved 2013-06-06.
↑ "Solvency II Glossary – European Commission" (PDF). CEA – Groupe Consultatif. Retrieved 2014-04-29.
↑ Hida, Edward; Pieper, Michael. "The future of non-financial risk in financial services". Deloitte. Retrieved 16 September 2020.
↑ "Operational risk capital: Nowhere to hide" (PDF). PwC Financial Services Regulatory Practice, November, 2014.
↑ "Operational Risks in Financial Services: An Old Challenge in a New Environment" (PDF). Credit Suisse Group. Archived from the original (PDF) on 2016-03-04. Retrieved 2014-04-29.
↑ "The Invention of Operational Risk" (PDF). CARR – ESRC Center for Analysis of Risk and Regulation. Retrieved 2014-04-30.
↑ Financial crisis of 2007–08
↑ Subprime mortgage crisis
↑ International Convergence of Capital Measurement and Capital Standards (PDF). Bank for International Settlements. 2006. p. 144. ISBN 92-9197-720-9.
↑ "Liontrust Asset Management: Annual Report & Financial Statements 2020". MarketScreener. July 21, 2020.
↑ "Solvency – European Commission". Ec.europa.eu. 2012-11-26. Retrieved 2013-06-06.
↑ Sanchez, Luis; Ceske, Robert; Hernandez, Jose (1 December 2000). "Quantifying Event Risk: The Next Convergence". Journal of Risk Finance (Spring 2000). CiteSeerX 10.1.1.454.372 .
1 2 Basel III: Finalising post-crisis reforms (PDF). Bank for International Settlements. 2017. ISBN 978-92-9259-022-2.

External links

Bank Management and Control, Springer – Management for Professionals, 2020
Principles for the Sound Management of Operational Risk
Operational Risk in the Basel II framework
Bank Management and Control, Springer – Management for Professionals, 2014
The Institute of Operational Risk The institute provides professional recognition and enables members to maintain competency in the discipline of operational risk.
OpRisk & Regulation is the home page of the leading educational resource on operational risk, including a magazine, training, conferences, books, etc.
Revised international capital framework is the text of the new Basel II Accord.
Operational Risk Blog is a resource for operational risk content.
Strategic risk index Archived 2013-11-09 at the Wayback Machine is an index quantifying the level of strategic risk in markets around the world.
Constraints of Consistent Operational Risk Measurement and Regulation: Data Collection and Loss Reporting, Andreas A. Jobst, 2007 (Journal of Financial Regulation and Compliance)
The Credit Crisis and Operational Risk – Implications for Practitioners and Regulators, Andreas A. Jobst, 2010 (Journal of Operational Risk, Vol. 5, No. 2)
The Risk Management Association – leading industry organization for operational risk professionals
Practical articles, on BIS2 and risk modeling, submitted by professionals to help create an industry standard
FRB Boston paper on measurement of operational risk
Operational Risk – The Sting is Still in the Tail But the Poison Depends on the Dose, Andreas A. Jobst, 2007 (Journal of Operational Risk)
Tyson Macaulay (2008). "Convergence of Operational and Credit Risk" (PDF). Archived from the original (PDF) on 2013-06-17.
Tyson Macaulay (2008). "Operational Continuity and Additivity of Operational Risk" (PDF). Archived from the original (PDF) on 2013-06-17.
Tyson Macaulay (2008). "Metrics and Operational Continuity" (PDF). Archived from the original (PDF) on 2013-06-17.
Operational Risk Consortium is a consortium that collects and analyzes operational risk loss data for the insurance industry.
The Journal of Operational Risk is a quarterly journal publishing research on operational risk theory and practice

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Basel II: Revised international capital framework". Bis.org. 2004-06-10. Retrieved 2013-06-06.

[2] "Solvency II Glossary – European Commission" (PDF). CEA – Groupe Consultatif. Retrieved 2014-04-29.

[DeloitteNFR-3] Hida, Edward; Pieper, Michael. "The future of non-financial risk in financial services". Deloitte. Retrieved 16 September 2020.

[4] "Operational risk capital: Nowhere to hide" (PDF). PwC Financial Services Regulatory Practice, November, 2014.

[5] "Operational Risks in Financial Services: An Old Challenge in a New Environment" (PDF). Credit Suisse Group. Archived from the original (PDF) on 2016-03-04. Retrieved 2014-04-29.

[6] "The Invention of Operational Risk" (PDF). CARR – ESRC Center for Analysis of Risk and Regulation. Retrieved 2014-04-30.

[7] Financial crisis of 2007–08

[8] Subprime mortgage crisis

[9] International Convergence of Capital Measurement and Capital Standards (PDF). Bank for International Settlements. 2006. p. 144. ISBN 92-9197-720-9.

[10] "Liontrust Asset Management: Annual Report & Financial Statements 2020". MarketScreener. July 21, 2020.

[11] "Solvency – European Commission". Ec.europa.eu. 2012-11-26. Retrieved 2013-06-06.

[OpRiskQuant-12] Sanchez, Luis; Ceske, Robert; Hernandez, Jose (1 December 2000). "Quantifying Event Risk: The Next Convergence". Journal of Risk Finance (Spring 2000). CiteSeerX 10.1.1.454.372 .

[:0-13] 1 2 Basel III: Finalising post-crisis reforms (PDF). Bank for International Settlements. 2017. ISBN 978-92-9259-022-2.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]