Operational Risk
The Basel II Framework:
Definition of operational risk
Operational risk is defined as the risk of loss resulting from
inadequate or failed
internal processes, people and systems or from external events.
This definition includes legal risk, but excludes strategic and
reputational risk.
The measurement methodologies
The framework outlined below presents three methods for
calculating operational risk capital charges in a continuum of
increasing sophistication and risk sensitivity:
- (i) the Basic Indicator Approach;
- (ii) the Standardised Approach; and
- (iii) Advanced Measurement Approaches (AMA).
Banks are encouraged to move along the spectrum of available
approaches as they develop more sophisticated operational risk
measurement systems and practices. Qualifying criteria for the
Standardised Approach and AMA are presented below.
Internationally active banks and banks with significant
operational risk exposures (for example, specialised processing
banks) are expected to use an approach that is more sophisticated
than the Basic Indicator Approach and that is appropriate for the
risk profile of the institution.
A bank will be permitted to use the Basic Indicator or Standardised
Approach for some parts of its operations and an AMA for others
provided certain minimum criteria are met.
A bank will not be allowed to choose to revert to a simpler
approach once it has been approved for a more advanced approach
without supervisory approval. However, if a supervisor determines
that a bank using a more advanced approach no longer meets the
qualifying criteria for this approach, it may require the bank to
revert to a simpler approach for some or all of its operations,
until it meets the conditions specified by the supervisor for
returning to a more advanced approach.
Observed range of practice in key elements of Advanced
Measurement Approaches (AMA) October 2006
Background
The work of the Accord Implementation Group's Operational
Risk Subgroup (AIGOR) focuses on the practical challenges
associated with the development, implementation and maintenance
of an operational risk management framework meeting the
requirements of Basel II, particularly as they relate to the
Advanced Measurement Approaches (AMA).
The AIGOR has been specifically mandated to, among other things,
exchange and catalogue subgroup members' views on operational
risk implementation issues and the range of acceptable bank
practices for measuring and managing operational risk under the
AMA.
In recognition of the evolutionary nature of
operational risk management as a risk management discipline, the
Basel II Framework intentionally provides a significant degree
of flexibility for banks in the development of an operational
risk management framework under the AMA.
It is not surprising, therefore, that the range of practice that
has emerged in relation to any given issue tends to be quite
broad.
The flexibility provided banks in the development
of an AMA, however, should not be interpreted to suggest a
lesser standard of supervisory review and assessment or that
supervisors are prepared to accept as reasonable any and all
responses to the challenges banks face in this area.
On the contrary, prudential supervisors have an interest in
identifying and encouraging bank operational risk practices that
are consistent with safety and soundness and level playing field
objectives.
Furthermore, at various times the industry has encouraged the
AIG and its subgroups to establish and maintain high standards
for what constitutes acceptable practice and to publish "sound
practice" papers to communicate those standards and promote
consistency across jurisdictions.
Purpose
Against this backdrop, the AIGOR has prepared a "range of
practice" paper using information obtained from members'
supervisory work, benchmarking exercises, discussions with bank
management and other sources. This paper describes specific
practices that have been observed in relation to some of the key
challenges AMA banks currently are
facing in their operational risk-related work in three subject
areas: internal governance, data and modelling.
While this paper does not address all issues or
reference every practice identified with respect to any given
issue, it does focus on the key issues in each of the three
subject areas and provide a reasonable cross-section of the
practices observed with respect to those issues. Because it is
focused on bank, and not supervisory, practice, the paper does
not address home-host issues.
No judgment is intended or
implied regarding the acceptability of any of the practices
reflected in this paper. For example, the fact that a particular
practice is discussed should not be interpreted as an
endorsement of that practice by the AIGOR or any of its members.
Nor should the absence of a particular practice be interpreted
to imply either that it is or is not considered acceptable by
supervisors.
The principal purpose of the paper is to catalogue the key
issues and corresponding practices observed among AMA banks
operating in AIGOR member countries.
As such, the paper provides the international community of bank
supervisors a means of framing the discussion of acceptable
practice in both the management and measurement of operational
risk and monitoring the evolution of industry practice and
supervisors' reactions.
It is also expected to be a valuable resource for both banks and
national supervisors to use in their respective implementation
processes.
In light of its broad membership and exposure
to AMA banks, the AIGOR is an ideal forum in which the
supervisory community might develop a perspective on the
acceptable range of practice. In so doing, the AIGOR can
facilitate greater consistency in the assessment of AMA
practices among national supervisors.
While the paper does not purport to define best practice, it is
reasonable to expect that some of the practices identified in
the development of this paper might be viewed as falling outside
the range of what supervisors consider acceptable. Where
observed practices are determined to be unacceptable, the AIGOR
anticipates that it will identify them as such, as and when a
clear consensus emerges, contributing to a narrowing of the
range of practice over time.
It is reasonable to expect that when a particular practice is
identified as being unacceptable, national supervisors will give
due consideration to the need for appropriate transitional
arrangements.
Business environment and internal control factors (BEICFs)
BEICFs are indicators of a bank’s operational risk profile
that reflect underlying business risk factors and an assessment
of the effectiveness of the internal control environment.
They introduce a forward-looking element to an AMA by
considering, for example, rate of growth, new product
introductions, findings from the challenge process (eg internal
audit results), employee turnover and system downtime.
Incorporating BEICFs into an AMA helps to ensure that key
drivers of operational risk are captured and that a bank’s
operational risk capital estimates are sensitive to its changing
operational risk profile.
Basel text
“In addition to using loss data, whether actual or
scenario-based, a bank's firm-wide risk assessment methodology
must capture key business environment and internal control
factors that can change its operational risk profile.
These factors will make a bank's risk assessment more
forward-looking, more directly reflect the quality of the bank's
control and operating environments, help align capital
assessments with risk management objectives, and recognise both
improvements and deterioration in operational risk profiles in a
more immediate fashion.
To qualify for regulatory capital purposes, the use of these
factors in a bank's risk measurement framework must meet the
following standards:
- the choice of each factor needs to be justified as a
meaningful driver of risk, based on experience and involving the
expert judgement of the affected business areas. Whenever
possible, the factors should be translatable into quantitative
measures that lend themselves to verification.
- the sensitivity of a bank's risk estimates to
changes in factors and the relative weighting of the various
factors need to be well reasoned. In addition to capturing
changes in risk due to improvements in risk controls, the
framework must also capture potential increases in risk due to
greater complexity of activities or increased business volume.
- the framework and each instance of its application,
including the supporting rationale for any adjustments to
empirical estimates, must be documented and subject to
independent review within the bank and by supervisors.
- over time, the process and the outcomes need to be
validated through comparison to actual internal loss experience,
relevant external data and appropriate adjustments made.”
(paragraph 676)
Issues/background
In principle, a bank with strong internal controls in a stable
business environment will have, all else being equal, less
exposure to operational risk than a bank with internal control
weaknesses or that is experiencing rapid growth or introducing
new products.
Accordingly, banks are expected to assess the level of and
trends in the operational risk and related control structures
across the organisation and build the results of such
assessments, generally referred to as BEICFs, into the risk
management and measurement aspects of their AMA methodology.
The assessments should be current and comprehensive and should
identify the critical operational risks facing the bank. The
assessment process should be sufficiently flexible to encompass
a bank’s full range of activities (including new activities),
changes in internal control systems or an increased volume of
information.
The challenges in this area include determining which BEICFs to
consider and
how to build them into the model.
As the results of the risk assessment are to be incorporated
in a bank’s capital calculation, management must ensure that the
risk assessment process is appropriate and that the results
reasonably reflect the risks of the bank.
For example, if a bank reduces its operational risk estimate on
the strength of robust internal control factors, then there
should be some process for ensuring that the impact of internal
control factors on the final capital estimate is plausible,
prudent and consistent with actual experience.
Range of practice
Banks have tended to focus much less on this AMA element than on
the collection of internal loss data or the development of
scenarios.
In general, while banks have developed a variety of approaches
for incorporating BEICFs into their management of operational
risk (eg risk and control self-assessments, key risk
indicators), most consider the application of BEICFs in the risk
measurement system as the most challenging of the four required
AMA elements.
Most banks have developed methodologies to capture key BEICFs,
but few are currently able to substantiate how they quantify the
impact of those factors on the capital calculation. As a
consequence, the practice for many banks is still very much in
its formative stages.
One of the current applications of BEICFs is in the
development of scorecards, the results of which are used to
assess operational risk drivers and controls at a bank’s chosen
level of granularity and then adjust the measured operational
risk capital amount on the basis of these assessments.
Another is as part of the risk identification process in the
development of operational risk scenarios. A much less common
practice is the use of BEICFs as a direct statistical input or
adjustment within the AMA model.
Advanced Measurement Approaches (AMA)
655. Under the AMA, the regulatory capital requirement will
equal the risk measure generated by the bank’s internal
operational risk measurement system using the quantitative and
qualitative criteria for the AMA discussed below.
Use of
the AMA is subject to supervisory approval.
656. A bank
adopting the AMA may, with the approval of its host supervisors
and the support of its home supervisor, use an allocation
mechanism for the purpose of determining the regulatory capital
requirement for internationally active banking subsidiaries that
are not deemed to be significant relative to the overall banking
group but are themselves subject to this Framework in accordance
with Part 1.
Supervisory approval would be conditional
on the bank demonstrating to the satisfaction of the relevant
supervisors that the allocation mechanism for these subsidiaries
is appropriate and can be supported empirically.
The
board of directors and senior management of each subsidiary are
responsible for conducting their own assessment of the
subsidiary’s operational risks and controls and ensuring the
subsidiary is adequately capitalised in respect of those risks.
657. Subject to supervisory approval as discussed in
paragraph 669(d), the incorporation of a well-reasoned estimate
of diversification benefits may be factored in at the group-wide
level or at the banking subsidiary level.
However, any
banking subsidiaries whose host supervisors determine that they
must calculate stand-alone capital requirements (see Part 1) may
not incorporate group-wide diversification benefits in their AMA
calculations (e.g. where an internationally active banking
subsidiary is deemed to be significant, the banking subsidiary
may incorporate the diversification benefits of its own
operations — those arising at the sub-consolidated level — but
may not incorporate the diversification benefits of the parent).
658. The appropriateness of the allocation methodology will
be reviewed with consideration given to the stage of development
of risk-sensitive allocation techniques and the extent to which
it reflects the level of operational risk in the legal entities
and across the banking group.
Supervisors expect that
AMA banking groups will continue efforts to develop increasingly
risk-sensitive operational risk allocation techniques,
notwithstanding initial approval of techniques based on gross
income or other proxies for operational risk.
659. Banks
adopting the AMA will be required to calculate their capital
requirement using this approach as well as the 1988 Accord as
outlined in paragraph 46.
Qualifying criteria
1. The Standardised Approach*
* Supervisors allowing banks to use the Alternative Standardised
Approach must decide on the appropriate qualifying criteria for that
approach, as the criteria set forth in paragraphs 662 and 663 of this
section may not be appropriate.
660. In order to qualify
for use of the Standardised Approach, a bank must satisfy its
supervisor that, at a minimum:
• Its board of directors
and senior management, as appropriate, are actively involved in
the oversight of the operational risk management framework;
• It has an operational risk management system that is
conceptually sound and is implemented with integrity; and
• It has sufficient resources in the use of the approach in
the major business lines as well as the control and audit areas.
661. Supervisors will have the right to insist on a period
of initial monitoring of a bank’s Standardised Approach before
it is used for regulatory capital purposes.
662. A bank
must develop specific policies and have documented criteria for
mapping gross income for current business lines and activities
into the standardised framework.
The criteria must be
reviewed and adjusted for new or changing business activities as
appropriate.
The principles for business line mapping
are set out in Annex 8.
663. As some internationally
active banks will wish to use the Standardised Approach, it is
important that such banks have adequate operational risk
management systems.
Consequently, an internationally
active bank using the Standardised Approach must meet the
following additional criteria:*
(a) The bank must have an
operational risk management system with clear responsibilities
assigned to an operational risk management function.
The
operational risk management function is responsible for
developing strategies to identify, assess, monitor and
control/mitigate operational risk;
for codifying
firm-level policies and procedures concerning operational risk
management and controls;
for the design and
implementation of the firm’s operational risk assessment
methodology;
for the design and implementation of a
risk-reporting system for operational risk.
(b) As part
of the bank’s internal operational risk assessment system, the
bank must systematically track relevant operational risk data
including material losses by business line.
Its
operational risk assessment system must be closely integrated
into the risk management processes of the bank.
Its output must be an integral part of the process of monitoring and
controlling the bank’s operational risk profile.
For
instance, this information must play a prominent role in risk
reporting, management reporting, and risk analysis.
The
bank must have techniques for creating incentives to improve the
management of operational risk throughout the firm.
(c) There must be regular reporting of operational risk exposures,
including material operational losses, to business unit
management, senior management, and to the board of directors.
The bank must have procedures for taking appropriate
action according to the information within the management
reports.
(d) The bank’s operational risk management
system must be well documented.
The bank must have a
routine in place for ensuring compliance with a documented set
of internal policies, controls and procedures concerning the
operational risk management system, which must include policies
for the treatment of non-compliance issues.
(e) The
bank’s operational risk management processes and assessment
system must be subject to validation and regular independent
review.
These reviews must include both the activities
of the business units and of the operational risk management
function.
(f) The bank’s operational risk assessment
system (including the internal validation processes) must be
subject to regular review by external auditors and/or
supervisors.
* For other banks, these criteria are
recommended, with national discretion to impose them as
requirements.
Advanced Measurement Approaches (AMA)
General standards
664. In
order to qualify for use of the AMA a bank must satisfy its
supervisor that, at a minimum:
• Its board of directors
and senior management, as appropriate, are actively involved in
the oversight of the operational risk management framework;
• It has an operational risk management system that is
conceptually sound and is implemented with integrity; and
• It has sufficient resources in the use of the approach in
the major business lines as well as the control and audit areas.
665. A bank’s AMA will be subject to a period of initial
monitoring by its supervisor before it can be used for
regulatory purposes.
This period will allow the
supervisor to determine whether the approach is credible and
appropriate.
As discussed below, a bank’s internal
measurement system must reasonably estimate unexpected losses
based on the combined use of internal and relevant external loss
data, scenario analysis and bank-specific business
environment and internal control factors.
The bank’s
measurement system must also be capable of supporting an
allocation of economic capital for operational risk across
business lines in a manner that creates incentives to improve
business line operational risk management.
Qualitative standards
666. A bank must meet the following qualitative standards
before it is permitted to use an AMA for operational risk
capital:
(a) The bank must have an independent
operational risk management function that is responsible for the
design and implementation of the bank’s operational risk
management framework.
The operational risk management
function is responsible for codifying firm-level policies and
procedures concerning operational risk management and controls;
for the design and implementation of the firm’s
operational risk measurement methodology;
for the design
and implementation of a risk-reporting system for operational
risk;
and for developing strategies to identify,
measure, monitor and control/mitigate operational risk.
(b) The bank’s internal operational risk measurement system must
be closely integrated into the day-to-day risk management
processes of the bank.
Its output must be an integral
part of the process of monitoring and controlling the bank’s
operational risk profile.
For instance, this
information must play a prominent role in risk reporting,
management reporting, internal capital allocation, and risk
analysis.
The bank must have techniques for allocating
operational risk capital to major business lines and for
creating incentives to improve the management of operational
risk throughout the firm.
(c) There must be regular
reporting of operational risk exposures and loss experience to
business unit management, senior management, and to the board of
directors.
The bank must have procedures for taking
appropriate action according to the information within the
management reports.
(d) The bank’s operational risk
management system must be well documented.
The bank must
have a routine in place for ensuring compliance with a
documented set of internal policies, controls and procedures
concerning the operational risk management system, which must
include policies for the treatment of non-compliance issues.
(e) Internal and/or external auditors must perform regular
reviews of the operational risk management processes and
measurement systems.
This review must include both the
activities of the business units and of the independent
operational risk management function.
(f) The
validation of the operational risk measurement system by
external auditors and/or supervisory authorities must include
the following:
• Verifying that the internal validation
processes are operating in a satisfactory manner; and
• Making sure that data flows and processes associated with the
risk measurement system are transparent and accessible.
In particular, it is necessary that auditors and supervisory
authorities are in a position to have easy access, whenever they
judge it necessary and under appropriate procedures, to the
system’s specifications and parameters.
Quantitative standards
AMA soundness standard
667. Given the
continuing evolution of analytical approaches for operational
risk, the Committee is not specifying the approach or
distributional assumptions used to generate the operational risk
measure for regulatory capital purposes.
However, a bank
must be able to demonstrate that its approach captures
potentially severe ‘tail’ loss events.
Whatever approach
is used, a bank must demonstrate that its operational risk
measure meets a soundness standard comparable to that of the
internal ratings-based approach for credit risk, (i.e.
comparable to a one year holding period and a 99.9th percentile
confidence interval).
668. The Committee recognises that
the AMA soundness standard provides significant flexibility to
banks in the development of an operational risk measurement and
management system.
However, in the development of these
systems, banks must have and maintain rigorous procedures for
operational risk model development and independent model
validation.
Prior to implementation, the Committee will
review evolving industry practices regarding credible and
consistent estimates of potential operational losses.
It
will also review accumulated data, and the level of capital
requirements estimated by the AMA, and may refine its
proposals if appropriate.
Detailed criteria
669. This section describes a series of quantitative standards that
will apply to internally generated operational risk measures for
purposes of calculating the regulatory minimum capital charge.
(a) Any internal operational risk measurement system must be
consistent with the scope of operational risk defined by the
Committee in paragraph 644 and the loss event types defined in
Annex 9.
(b) Supervisors will require the bank to
calculate its regulatory capital requirement as the sum of
expected loss (EL) and unexpected loss (UL), unless the bank can
demonstrate that it is adequately capturing EL in its internal
business practices.
That is, to base the minimum
regulatory capital requirement on UL alone, the bank must be
able to demonstrate to the satisfaction of its national
supervisor that it has measured and accounted for its EL
exposure.
(c) A bank’s risk measurement system must be
sufficiently ‘granular’ to capture the major drivers of
operational risk affecting the shape of the tail of the loss
estimates.
(d) Risk measures for different operational
risk estimates must be added for purposes of calculating the
regulatory minimum capital requirement.
However, the
bank may be permitted to use internally determined correlations
in operational risk losses across individual operational risk
estimates, provided it can demonstrate to the satisfaction of
the national supervisor that its systems for determining
correlations are sound, implemented with integrity, and take
into account the uncertainty surrounding any such correlation
estimates (particularly in periods of stress).
The bank
must validate its correlation assumptions using appropriate
quantitative and qualitative techniques.
(e) Any
operational risk measurement system must have certain key
features to meet the supervisory soundness standard set out in
this section.
These elements must include the use of
internal data, relevant external data, scenario analysis and
factors reflecting the business environment and internal
control systems.
(f) A bank needs to have a credible,
transparent, well-documented and verifiable approach for
weighting these fundamental elements in its overall operational
risk measurement system.
For example, there may be cases
where estimates of the 99.9th percentile confidence interval
based primarily on internal and external loss event data would
be unreliable for business lines with a heavy-tailed loss
distribution and a small number of observed losses.
In such cases, scenario analysis, and business environment and
control factors, may play a more dominant role in the risk
measurement system.
Conversely, operational loss event
data may play a more dominant role in the risk measurement
system for business lines where estimates of the 99.9th
percentile confidence interval based primarily on such data are
deemed reliable.
In all cases, the bank’s approach for
weighting the four fundamental elements should be internally
consistent and avoid the double counting of qualitative
assessments or risk mitigants already recognised in other
elements of the framework.
Internal data
670. Banks must
track internal loss data according to the criteria set out in
this section.
The tracking of internal loss event data is
an essential prerequisite to the development and functioning of
a credible operational risk measurement system.
Internal
loss data is crucial for tying a bank’s risk estimates to its
actual loss experience.
This can be achieved in a number
of ways, including using internal loss data as the foundation of
empirical risk estimates, as a means of validating the inputs
and outputs of the bank’s risk measurement system, or as the
link between loss experience and risk management and control
decisions.
671. Internal loss data is most relevant when
it is clearly linked to a bank’s current business activities,
technological processes and risk management procedures.
Therefore, a bank must have documented procedures for assessing
the on-going relevance of historical loss data, including
those situations in which judgement overrides, scaling, or other
adjustments may be used, to what extent they may be used and who
is authorised to make such decisions.
672. Internally
generated operational risk measures used for regulatory capital
purposes must be based on a minimum five-year observation period
of internal loss data, whether the internal loss data is used
directly to build the loss measure or to validate it.
When the bank first moves to the AMA, a three-year historical
data window is acceptable (this includes the parallel
calculations in paragraph 46).
673. To qualify for
regulatory capital purposes, a bank’s internal loss collection
processes must meet the following standards:
• To assist
in supervisory validation, a bank must be able to map its
historical internal loss data into the relevant level 1
supervisory categories defined in Annexes 8 and 9 and to provide
these data to supervisors upon request.
It must have
documented, objective criteria for allocating losses to the
specified business lines and event types.
However, it
is left to the bank to decide the extent to which it applies
these categorisations in its internal operational risk
measurement system.
• A bank’s internal loss data must be
comprehensive in that it captures all material activities and
exposures from all appropriate sub-systems and geographic
locations.
A bank must be able to justify that any
excluded activities or exposures, both individually and in
combination, would not have a material impact on the overall
risk estimates.
A bank must have an appropriate de
minimis gross loss threshold for internal loss data collection,
for example €10,000.
The appropriate threshold may vary
somewhat between banks, and within a bank across business lines
and/or event types.
However, particular thresholds
should be broadly consistent with those used by peer banks.
• Aside from information on gross loss amounts, a bank
should collect information about the date of the event, any
recoveries of gross loss amounts, as well as some descriptive
information about the drivers or causes of the loss event.
The level of detail of any descriptive information should be
commensurate with the size of the gross loss amount.
• A bank must develop specific criteria for assigning loss data
arising from an event in a centralised function (e.g. an
information technology department) or an activity that spans
more than one business line, as well as from related events over
time.
• Operational risk losses that are related to
credit risk and have historically been included in banks’ credit
risk databases (e.g. collateral management failures) will
continue to be treated as credit risk for the purposes of
calculating minimum regulatory capital under this Framework.
Therefore, such losses will not be subject to the
operational risk capital charge*.
Nevertheless, for the
purposes of internal operational risk management, banks must
identify all material operational risk losses consistent with
the scope of the definition of operational risk (as set out in
paragraph 644 and the loss event types outlined in Annex 9),
including those related to credit risk.
Such material
operational risk-related credit risk losses should be flagged
separately within a bank’s internal operational risk database.
The materiality of these losses may vary between banks,
and within a bank across business lines and/or event types.
Materiality thresholds should be broadly consistent with those
used by peer banks.
• Operational risk losses that are
related to market risk are treated as operational risk for the
purposes of calculating minimum regulatory capital under this
Framework and will therefore be subject to the operational risk
capital charge.
* This applies to all banks, including
those that may only now be designing their credit risk and
operational risk databases.
External data
674. A bank’s
operational risk measurement system must use relevant external
data (either public data and/or pooled industry data),
especially when there is reason to believe that the bank is
exposed to infrequent, yet potentially severe, losses.
These external data should include data on actual loss amounts,
information on the scale of business operations where the
event occurred, information on the causes and circumstances of
the loss events, or other information that would help in
assessing the relevance of the loss event for other banks.
A bank must have a systematic process for determining the
situations for which external data must be used and the
methodologies used to incorporate the data (e.g. scaling,
qualitative adjustments, or informing the development of
improved scenario analysis).
The conditions and
practices for external data use must be regularly reviewed,
documented, and subject to periodic independent review.
Scenario analysis
675. A bank must use scenario analysis of expert opinion in
conjunction with external data to evaluate its exposure to
high-severity events.
This approach draws on the
knowledge of experienced business managers and risk management
experts to derive reasoned assessments of plausible severe
losses.
For instance, these expert assessments could be
expressed as parameters of an assumed statistical loss
distribution.
In addition, scenario analysis should be
used to assess the impact of deviations from the correlation
assumptions embedded in the bank’s operational risk measurement
framework, in particular, to evaluate potential losses
arising from multiple simultaneous operational risk loss events.
Over time, such assessments need to be validated and
re-assessed through comparison to actual loss experience to
ensure their reasonableness.
Before the Basel ii Framework
According to the Bank for International Settlements (September 1998, Operational
Risk Management), the most important types of operational risk
involve
breakdowns in internal controls and corporate governance.
Such breakdowns can lead to financial losses through error, fraud,
or failure to perform in a timely manner or cause the interests of
the bank to be compromised in some other way, for example, by its
dealers, lending officers or other staff exceeding their authority
or conducting business in an unethical or risky manner.
Other aspects of operational risk include major failure of
information technology systems or events such as major fires or
other disasters.
A working group of the Basle Committee interviewed approximately
thirty major banks
from the different member countries on the management of
operational risk.
Several common themes emerged during these discussions:
*Awareness of operational risk among bank boards and senior
management is increasing.
Virtually all banks assign primary responsibility for managing
operational risk to the business line head.
Those banks that are developing measurement systems for
operational risk often are also attempting to build some form of
incentive for sound operational risk management practice by
business managers.
This incentive could take the form of a capital allocation for
operational risk, inclusion of operational risk measurement into
the performance evaluation process, or requiring business line
management to present
operational loss details and resultant corrective action directly
to the bank’s highest levels of management.
*While all banks surveyed have some framework for managing
operational risk, many banks indicated that they were only in the
early stages of developing an operational risk measurement and
monitoring framework.
Awareness of operational risk as a separate risk category has been
relatively recent in most of the banks surveyed. Few banks
currently measure and report this risk on a regular basis,
although many track operational performance indicators, analyse
loss experiences and monitor audit and supervisory ratings.
*Many banks have identified significant conceptual issues and data
needs, which would need to be addressed in order to develop
general measures of operational risk.
Unlike market and perhaps credit risk, the risk factors are
largely internal to the bank and a clear mathematical or
statistical link between individual risk factors and the
likelihood and size of operational loss does not exist.
Experience with large losses is infrequent and many banks lack a
time series of historical data on their own operational losses and
their causes.
While the industry is far from converging on a set of standard models,
such as are increasingly available for market and credit risk
measurement, the banks that have developed or are developing
models rely on a surprisingly similar set of risk factors.
Those factors include internal audit ratings or internal control
self-assessments, operational indicators such as volume, turnover
or rate of errors, loss experience, and income volatility.
Additional details from the interviews are discussed below under
five categories:
- Management Oversight;
- Risk Measurement, Monitoring and Management Information Systems;
- Policies and Procedures;
- Internal Controls; and
- View of Possible Role for Supervisors.
Management Oversight
Many banks noted that awareness of operational risk at the board
of directors or senior management level has been increasing.
The focus on operational risk management as a formal discipline
has been recent but was seen by some banks as a means to heighten
awareness of operational risk.
The greater interest in operational risk was reflected in
increased budgets for operational risk measurement, monitoring and
control, as well as in the assignment of responsibility for
measuring and monitoring operational risk to new or existing risk
management units.
Overall the interview process uncovered a strong and consistent
emphasis on the importance of management oversight and business
line accountability for operational risk.
Senior management commitment was deemed to be critical for
successful corporate-wide risk management. Banks reported that
high-level oversight of operational risk is performed by their board
of directors, management committees or audit committee.
In addition, most respondents referred to the important role of an
internal monitor or “watchdog”, such as a risk manager or risk
committee, product review committee, or internal audit, and some
banks identified
several different internal watchdogs, who were all seen as
important, such as the financial controller, the chief information
officer and internal auditors.
The assignment of formal responsibilities for operational risk
measurement and monitoring is far from universal, with only about
half of the banks interviewed having such a manager in place.
Virtually all banks agreed that the primary responsibility for
management of operational risk is the business unit or, in some
banks, product management. Under this view, business area managers
are expected to ensure that appropriate operational risk control
systems are in place.
Many banks reinforce this risk attribution and responsibility
through charging operational losses to the related business or
product area. In an earlier survey of internal audit issues, some
supervisors noted the trend to conduct more internal control
reviews in the business line, rather than in independent units
such as internal audit.
Several respondents to the operational risk survey noted the
creation of new controls or risk management in business lines to
assist in the identification and control of risk.
Several banks noted one potential benefit of formalising an
approach to operational risk. That is the possibility of
developing incentives for business managers to adopt sound risk
management practices through capital allocation charges,
performance reviews or other mechanisms.
Many banks are working toward some form of capital allocation as a
business cost in order to create a risk pricing methodology as
well.
Risk Measurement, Monitoring and Management Information Systems
Definition of operational risk
At present, there is no agreed upon universal definition
of operational risk. Many banks have defined operational risk as
any risk not categorised as market or credit risk and some have
defined it as the risk of loss arising from various types of human
or technical error.
Many respondent banks associate operational risk with settlement
or payments risk and business interruption, administrative and
legal risks. Several types of events (settlement, collateral and
netting risks) are seen by some banks as not necessarily
classifiable as operational risk and may contain elements of more
than one risk.
All banks see some form of link between credit, market and
operational risk. In particular, an operational problem with a
business transaction (for example, a settlement fail) could create
market or credit risk. While most banks view technology risk as a
type of operational risk, some banks view it as a separate risk
category with its own discrete risk factors.
The majority of banks associate operational risk with all business
lines, including infrastructure, although the mix of risks and
their relative magnitude may vary considerably across businesses.
Six respondent banks have targeted operational risk as most
important in business lines with high volume, high turnover
(transactions/time), high degree of structural change, and/or
complex support systems.
Operational risk is seen to have a high potential impact in
business lines with those characteristics, especially if the
businesses also have low margins, as occurs in certain transaction
processing and payments-system related activities.
Operational risk in trading activities was seen by several banks
as high. A few banks stressed that operational risk was not
limited to traditional “back office” activities, but encompassed
the front office and virtually any aspect of the business process
in banks.