Operational Risk
According to the Basel II Framework:
A. Definition of operational risk
644. Operational risk is defined as the risk of loss resulting from
inadequate or failed internal processes, people and systems or from
external events.
This definition includes legal risk, but excludes strategic and
reputational risk.
B. The measurement methodologies
645. The framework outlined below presents three methods for
calculating operational risk capital charges in a continuum of
increasing sophistication and risk sensitivity:
- (i) the Basic Indicator Approach;
- (ii) the Standardised Approach; and
- (iii) Advanced Measurement Approaches (AMA)
646. Banks are encouraged to move along the spectrum of available
approaches as they develop more sophisticated operational risk
measurement systems and practices. Qualifying criteria for the
Standardised Approach and AMA are presented below.
647. Internationally active banks and banks with significant
operational risk exposures (for example, specialised processing
banks) are expected to use an approach that is more sophisticated
than the Basic Indicator Approach and that is appropriate for the
risk profile of the institution.
A bank will be permitted to use the Basic Indicator or Standardised
Approach for some parts of its operations and an AMA for others
provided certain minimum criteria are met.
648. A bank will not be allowed to choose to revert to a simpler
approach once it has been approved for a more advanced approach
without supervisory approval. However, if a supervisor determines
that a bank using a more advanced approach no longer meets the
qualifying criteria for this approach, it may require the bank to
revert to a simpler approach for some or all of its operations,
until it meets the conditions specified by the supervisor for
returning to a more advanced approach.
Before that Basel II Framework
According to the Bank of International Settlements (September 1998,
Operational Risk Management), the most important types of operational
risk involve breakdowns in internal controls and corporate governance.
Such breakdowns can lead to financial losses through error, fraud,
or failure to perform in a timely manner or cause the interests of
the bank to be compromised in some other way, for example, by its
dealers, lending officers or other staff exceeding their authority
or conducting business in an unethical or risky manner.
Other aspects of operational risk include major failure of
information technology systems or events such as major fires or
other disasters.
A working group of the Basle Committee interviewed approximately
thirty major banks from the different member countries on the
management of operational risk.
Several common themes emerged during these discussions:
* Awareness of operational risk among bank boards and senior
management is increasing.
Virtually all banks assign primary responsibility for managing
operational risk to the business line head.
Those banks that are developing measurement systems for
operational risk often are also attempting to build some form of
incentive for sound operational risk management practice by
business managers.
This incentive could take the form of a capital allocation for
operational risk, inclusion of operational risk measurement into
the performance evaluation process, or requiring business line
management to present operational loss details and resultant
corrective action directly
to the bank’s highest levels of management.
* While all banks surveyed have some framework for managing
operational risk, many banks indicated that they were only in the
early stages of developing an operational risk measurement and
monitoring framework.
Awareness of operational risk as a separate risk category has been
relatively recent in most of the banks surveyed. Few banks
currently measure and report this risk on a regular basis,
although many track operational performance indicators, analyse
loss experiences and monitor audit and supervisory ratings.
* Many banks have identified significant conceptual issues and data
needs, which would need to be addressed in order to develop
general measures of operational risk.
Unlike market and perhaps credit risk, the risk factors are
largely internal to the bank and a clear mathematical or
statistical link between individual risk factors and the
likelihood and size of operational loss does not exist.
Experience with large losses is infrequent and many banks lack a
time series of historical data on their own operational losses and
their causes.
While the industry is far from converging on a set of standard models,
such as are increasingly available for market and credit risk
measurement, the banks that have developed or are developing
models rely on a surprisingly similar set of risk factors.
Those factors include internal audit ratings or internal control
self-assessments, operational indicators such as volume, turnover
or rate of errors, loss experience, and income volatility.
Additional details from the interviews are discussed below under
five categories:
- Management Oversight;
- Risk Measurement, Monitoring and Management Information Systems;
- Policies and Procedures;
- Internal Controls; and
- View of Possible Role for Supervisors.
Management Oversight
Many banks noted that awareness of operational risk at the board
of director or senior management level has been increasing.
The focus on operational risk management as a formal discipline
has been recent but was seen by some banks as a means to heighten
awareness of operational risk.
The greater interest in operational risk was reflected in
increased budgets for operational risk measurement, monitoring and
control, as well as in the assignment of responsibility for
measuring and monitoring operational risk to new or existing risk
management units.
Overall the interview process uncovered a strong and consistent
emphasis on the importance of management oversight and business
line accountability for operational risk.
Senior management commitment was deemed to be critical for
successful corporate-wide risk management. Banks reported that
high-level oversight of operational risk is performed by its board
of directors, management committees or audit committee.
In addition, most respondents referred to the important role of an
internal monitor or “watchdog”, such as a risk manager or risk
committee, product review committee, or internal audit, and some
banks identified several different internal watchdogs, who were all
seen as
important, such as the financial controller, the chief information
officer and internal auditors.
The assignment of formal responsibilities for operational risk
measurement and monitoring is far from universal, with only about
half of the banks interviewed having such a manager in place.
Virtually all banks agreed that the primary responsibility for
management of operational risk is the business unit or, in some
banks, product management. Under this view, business area managers
are expected to ensure that appropriate operational risk control
systems are in place.
Many banks reinforce this risk attribution and responsibility
through charging operational losses to the related business or
product area. In an earlier survey of internal audit issues, some
supervisors noted the trend to conduct more internal control
reviews in the business line, rather than in independent units
such as internal audit.
Several respondents to the operational risk survey noted the
creation of new controls or risk management in business lines to
assist in the identification and control of risk.
Several banks noted one potential benefit of formalising an
approach to operational risk. That is the possibility of
developing incentives for business managers to adopt sound risk
management practices through capital allocation charges,
performance reviews or other mechanisms.
Many banks are working toward some form of capital allocation as a
business cost in order to create a risk pricing methodology as
well.
Risk Measurement, Monitoring and Management Information Systems
Definition of operational risk
At present, there is no agreed upon universal definition
of operational risk. Many banks have defined operational risk as
any risk not categorised as market or credit risk and some have
defined it as the risk of loss arising from various types of human
or technical error.
Many respondent banks associate operational risk with settlement
or payments risk and business interruption, administrative and
legal risks. Several types of events (settlement, collateral and
netting risks) are seen by some banks as not necessarily
classifiable as operational risk and may contain elements of more
than one risk.
All banks see some form of link between credit, market and
operational risk. In particular, an operational problem with a
business transaction (for example, a settlement fail) could create
market or credit risk. While most banks view technology risk as a
type of operational risk, some banks view it as a separate risk
category with its own discrete risk factors.
The majority of banks associate operational risk with all business
lines, including infrastructure, although the mix of risks and
their relative magnitude may vary considerably across businesses.
Six respondent banks have targeted operational risk as most
important in business lines with high volume, high turnover
(transactions/time), high degree of structural change, and/or
complex support systems.
Operational risk is seen to have a high potential impact in
business lines with those characteristics, especially if the
businesses also have low margins, as occurs in certain transaction
processing and payments-system related activities.
Operational risk in trading activities was seen by several banks
as high. A few banks stressed that operational risk was not
limited to traditional “back office” activities, but encompassed
the front office and virtually any aspect of the business process
in banks.