Operational Risk
The Basel II Framework: Definition of operational risk
Operational risk is defined as
the risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events. This
definition includes legal risk, but excludes strategic and
reputational risk.
The measurement methodologies
The framework outlined
below presents three methods for calculating operational risk
capital charges in a continuum of increasing sophistication and
risk sensitivity: (i) the Basic Indicator Approach;
(ii) the Standardised Approach; and (iii) Advanced
Measurement Approaches (AMA).
Banks are
encouraged to move along the spectrum
of available approaches as they develop more sophisticated
operational risk measurement systems and practices. Qualifying
criteria for the Standardised Approach and AMA are presented
below.
Internationally active banks and banks with
significant operational risk exposures (for example, specialised
processing banks) are expected to use an approach that is more
sophisticated than the Basic Indicator Approach and that is
appropriate for the risk profile of the institution. A
bank will be permitted to use the
Basic Indicator or Standardised Approach for some parts of its
operations and an AMA for others provided certain minimum
criteria are met.
A bank will not be allowed to
choose to revert to a simpler approach once it has been approved
for a more advanced approach without supervisory approval.
However, if a supervisor determines that a bank using a more
advanced approach no longer meets the qualifying criteria for
this approach, it may require the bank to revert to a simpler
approach for some or all of its operations, until it meets the
conditions specified by the supervisor for returning to a more
advanced approach.
Observed range of practice in key elements of Advanced Measurement Approaches (AMA)
Background
The work of the Accord Implementation Group's
Operational Risk Subgroup (AIGOR) focuses on the practical
challenges associated with the development, implementation and
maintenance of an operational risk management framework meeting
the requirements of Basel II, particularly as they relate to the
Advanced Measurement Approaches (AMA). The AIGOR has
been specifically mandated to, among other things, exchange and
catalogue subgroup members' views on operational risk
implementation issues and the range of acceptable bank practices
for measuring and managing operational risk under the AMA.
In recognition of the evolutionary nature of operational
risk management as a risk management discipline, the Basel II
Framework intentionally provides a significant degree of
flexibility for banks in the development of an operational risk
management framework under the AMA. It is not
surprising, therefore, that the range of practice that has
emerged in relation to any given issue tends to be quite broad.
The flexibility provided banks in the development of an
AMA, however, should not be interpreted to suggest a lesser
standard of supervisory review and assessment or that
supervisors are prepared to accept as reasonable any and all
responses to the challenges banks face in this area. On
the contrary, prudential supervisors have an interest in
identifying and encouraging bank operational risk practices that
are consistent with safety and soundness and level playing field
objectives. Furthermore, at various times the industry
has encouraged the AIG and its subgroups to establish and
maintain high standards for what constitutes acceptable practice
and to publish "sound practice" papers to communicate those
standards and promote consistency across jurisdictions.
Purpose
Against this backdrop, the AIGOR has
prepared a "range of practice" paper using information obtained
from members' supervisory work, benchmarking exercises,
discussions with bank management and other sources.
This paper describes specific practices that have been observed
in relation to some of the key challenges AMA banks currently
are facing in their operational risk-related work in three
subject areas: internal governance, data and modelling.
While this paper does not address all issues or reference every
practice identified with respect to any given issue, it does
focus on the key issues in each of the three subject areas and
provide a reasonable cross-section of the practices observed
with respect to those issues. Because it is focused on bank, and
not supervisory, practice, the paper does not address home-host
issues.
No judgment is intended or implied regarding the
acceptability of any of the practices reflected in this paper.
For example, the fact that a particular practice is discussed
should not be interpreted as an endorsement of that practice by
the AIGOR or any of its members. Nor should the absence
of a particular practice be interpreted to imply either that it
is or is not considered acceptable by supervisors. The
principal purpose of the paper is to catalogue the key issues
and corresponding practices observed among AMA banks operating
in AIGOR member countries. As such, the paper provides
the international community of bank supervisors a means of
framing the discussion of acceptable practice in both the
management and measurement of operational risk and monitoring
the evolution of industry practice and supervisors' reactions.
It is also expected to be a valuable resource for both
banks and national supervisors to use in their respective
implementation processes.
In light of its broad
membership and exposure to AMA banks, the AIGOR is an ideal
forum in which the supervisory community might develop a
perspective on the acceptable range of practice. In so doing,
the AIGOR can facilitate greater consistency in the assessment
of AMA practices among national supervisors. While the
paper does not purport to define best practice, it is reasonable
to expect that some of the practices identified in the
development of this paper might be viewed as falling outside the
range of what supervisors consider acceptable. Where observed
practices are determined to be unacceptable, the AIGOR
anticipates that it will identify them as such, as and when a
clear consensus emerges, contributing to a narrowing of the
range of practice over time. It is reasonable to expect
that when a particular practice is identified as being
unacceptable, national supervisors will give due consideration
to the need for appropriate transitional arrangements.
Business environment and internal control factors (BEICFs)
BEICFs are indicators of a bank’s operational risk profile
that reflect underlying business risk factors and an assessment
of the effectiveness of the internal control environment.
They introduce a forward-looking element to an AMA by
considering, for example, rate of growth, new product
introductions, findings from the challenge process (eg internal
audit results), employee turnover and system downtime.
Incorporating BEICFs into an AMA helps to ensure that key
drivers of operational risk are captured and that a bank’s
operational risk capital estimates are sensitive to its changing
operational risk profile.
Basel text
“In addition
to using loss data, whether actual or scenario-based, a bank's
firm-wide risk assessment methodology must capture key business
environment and internal control factors that can change its
operational risk profile. These factors will make a
bank's risk assessment more forward-looking, more directly
reflect the quality of the bank's control and operating
environments, help align capital assessments with risk
management objectives, and recognise both improvements and
deterioration in operational risk profiles in a more immediate
fashion. To qualify for regulatory capital purposes,
the use of these factors in a bank's risk measurement framework
must meet the following standards:
- the choice of each
factor needs to be justified as a meaningful driver of risk,
based on experience and involving the expert judgement of the
affected business areas. Whenever possible, the factors should
be translatable into quantitative measures that lend themselves
to verification.
- the sensitivity of a bank's risk
estimates to changes in factors and the relative weighting of
the various factors need to be well reasoned. In addition to
capturing changes in risk due to improvements in risk controls,
the framework must also capture potential increases in risk due
to greater complexity of activities or increased business
volume.
- the framework and each instance of its
application, including the supporting rationale for any
adjustments to empirical estimates, must be documented and
subject to independent review within the bank and by
supervisors.
- over time, the process and the outcomes
need to be validated through comparison to actual internal loss
experience, relevant external data and appropriate adjustments
made.” (paragraph 676)
Issues/background
In
principle, a bank with strong internal controls in a stable
business environment will have, all else being equal, less
exposure to operational risk than a bank with internal control
weaknesses or that is experiencing rapid growth or introducing
new products. Accordingly, banks are expected to assess
the level of and trends in the operational risk and related
control structures across the organisation and build the results
of such assessments, generally referred to as BEICFs, into the
risk management and measurement aspects of their AMA
methodology. The assessments should be current and
comprehensive and should identify the critical operational risks
facing the bank. The assessment process should be sufficiently
flexible to encompass a bank’s full range of activities
(including new activities), changes in internal control systems
or an increased volume of information. The challenges in
this area include determining which BEICFs to consider and how
to build them into the model.
As the results of the risk
assessment are to be incorporated in a bank’s capital
calculation, management must ensure that the risk assessment
process is appropriate and that the results reasonably reflect
the risks of the bank. For example, if a bank reduces
its operational risk estimate on the strength of robust internal
control factors, then there should be some process for ensuring
that the impact of internal control factors on the final capital
estimate is plausible, prudent and consistent with actual
experience.
Range of practice
Banks have tended to
focus much less on this AMA element than on the collection of
internal loss data or the development of scenarios. In
general, while banks have developed a variety of approaches for
incorporating BEICFs into their management of operational risk
(eg risk and control self-assessments, key risk indicators),
most consider the application of BEICFs in the risk measurement
system as the most challenging of the four required AMA
elements. Most banks have developed methodologies to
capture key BEICFs, but few are currently able to substantiate
how they quantify the impact of those factors on the capital
calculation. As a consequence, the practice for many banks is
still very much in its formative stages.
One of the
current applications of BEICFs is in the development of
scorecards, the results of which are used to assess operational
risk drivers and controls at a bank’s chosen level of
granularity and then adjust the measured operational risk
capital amount on the basis of these assessments.
Another is as part of the risk identification process in the
development of operational risk scenarios. A much less common
practice is the use of BEICFs as a direct statistical input or
adjustment within the AMA model.
Advanced Measurement Approaches (AMA)
655. Under the AMA, the
regulatory capital requirement will equal the risk measure
generated by the bank’s internal operational risk measurement
system using the quantitative and qualitative criteria for the
AMA discussed below.
Use of the AMA is subject to
supervisory approval.
656. A bank adopting the AMA may,
with the approval of its host supervisors and the support of its
home supervisor, use an allocation mechanism for the purpose of
determining the regulatory capital requirement for
internationally active banking subsidiaries that are not deemed
to be significant relative to the overall banking group but are
themselves subject to this Framework in accordance with Part 1.
Supervisory approval would be conditional on the bank
demonstrating to the satisfaction of the relevant supervisors
that the allocation mechanism for these subsidiaries is
appropriate and can be supported empirically.
The board
of directors and senior management of each subsidiary are
responsible for conducting their own assessment of the
subsidiary’s operational risks and controls and ensuring the
subsidiary is adequately capitalised in respect of those risks.
657. Subject to supervisory approval as discussed in
paragraph 669(d), the incorporation of a well-reasoned estimate
of diversification benefits may be factored in at the group-wide
level or at the banking subsidiary level.
However, any
banking subsidiaries whose host supervisors determine that they
must calculate stand-alone capital requirements (see Part 1) may
not incorporate group-wide diversification benefits in their AMA
calculations (e.g. where an internationally active banking
subsidiary is deemed to be significant, the banking subsidiary
may incorporate the diversification benefits of its own
operations — those arising at the sub-consolidated level — but
may not incorporate the diversification benefits of the parent).
658. The appropriateness of the allocation methodology will
be reviewed with consideration given to the stage of development
of risk-sensitive allocation techniques and the extent to which
it reflects the level of operational risk in the legal entities
and across the banking group.
Supervisors expect that
AMA banking groups will continue efforts to develop increasingly
risk-sensitive operational risk allocation techniques,
notwithstanding initial approval of techniques based on gross
income or other proxies for operational risk.
659. Banks
adopting the AMA will be required to calculate their capital
requirement using this approach as well as the 1988 Accord as
outlined in paragraph 46.
Qualifying criteria
1. The Standardised Approach*
* Supervisors allowing banks to
use the Alternative Standardised Approach must decide on the
appropriate qualifying criteria for that approach, as the
criteria set forth in paragraphs 662 and 663 of this section may
not be appropriate.
660. In order to qualify for use of
the Standardised Approach, a bank must satisfy its supervisor
that, at a minimum:
• Its board of directors and senior
management, as appropriate, are actively involved in the
oversight of the operational risk management framework;
• It has an operational risk management system that is
conceptually sound and is implemented with integrity; and
• It has sufficient resources in the use of the approach in
the major business lines as well as the control and audit areas.
661. Supervisors will have the right to insist on a period
of initial monitoring of a bank’s Standardised Approach before
it is used for regulatory capital purposes.
662. A bank
must develop specific policies and have documented criteria for
mapping gross income for current business lines and activities
into the standardised framework.
The criteria must be
reviewed and adjusted for new or changing business activities as
appropriate.
The principles for business line mapping
are set out in Annex 8.
663. As some internationally
active banks will wish to use the Standardised Approach, it is
important that such banks have adequate operational risk
management systems.
Consequently, an internationally
active bank using the Standardised Approach must meet the
following additional criteria:*
(a) The bank must have an
operational risk management system with clear responsibilities
assigned to an operational risk management function.
The
operational risk management function is responsible for
developing strategies to identify, assess, monitor and
control/mitigate operational risk;
for codifying
firm-level policies and procedures concerning operational risk
management and controls;
for the design and
implementation of the firm’s operational risk assessment
methodology;
for the design and implementation of a
risk-reporting system for operational risk.
(b) As part
of the bank’s internal operational risk assessment system, the
bank must systematically track relevant operational risk data
including material losses by business line.
Its
operational risk assessment system must be closely integrated
into the risk management processes of the bank.
Its
output must be an integral part of the process of monitoring and
controlling the bank’s operational risk profile.
For
instance, this information must play a prominent role in risk
reporting, management reporting, and risk analysis.
The
bank must have techniques for creating incentives to improve the
management of operational risk throughout the firm.
(c) There must be regular reporting of operational risk exposures,
including material operational losses, to business unit
management, senior management, and to the board of directors.
The bank must have procedures for taking appropriate
action according to the information within the management
reports.
(d) The bank’s operational risk management
system must be well documented.
The bank must have a
routine in place for ensuring compliance with a documented set
of internal policies, controls and procedures concerning the
operational risk management system, which must include policies
for the treatment of non-compliance issues.
(e) The
bank’s operational risk management processes and assessment
system must be subject to validation and regular independent
review.
These reviews must include both the activities
of the business units and of the operational risk management
function.
(f) The bank’s operational risk assessment
system (including the internal validation processes) must be
subject to regular review by external auditors and/or
supervisors.
* For other banks, these criteria are
recommended, with national discretion to impose them as
requirements.
Advanced Measurement Approaches (AMA)
General Standards
664. In order to qualify for use of the
AMA a bank must satisfy its supervisor that, at a minimum:
• Its board of directors and senior management, as
appropriate, are actively involved in the oversight of the
operational risk management framework;
• It has an
operational risk management system that is conceptually sound
and is implemented with integrity; and
• It has
sufficient resources in the use of the approach in the major
business lines as well as the control and audit areas.
665. A bank’s AMA will be subject to a period of initial
monitoring by its supervisor before it can be used for
regulatory purposes.
This period will allow the
supervisor to determine whether the approach is credible and
appropriate.
As discussed below, a bank’s internal
measurement system must reasonably estimate unexpected losses
based on the combined use of internal and relevant external loss
data, scenario analysis and bank-specific business environment
and internal control factors.
The bank’s measurement
system must also be capable of supporting an allocation of
economic capital for operational risk across business lines in a
manner that creates incentives to improve business line
operational risk management.
Qualitative standards
666. A bank must meet the following qualitative standards
before it is permitted to use an AMA for operational risk
capital:
(a) The bank must have an independent
operational risk management function that is responsible for the
design and implementation of the bank’s operational risk
management framework.
The operational risk management
function is responsible for codifying firm-level policies and
procedures concerning operational risk management and controls;
for the design and implementation of the firm’s
operational risk measurement methodology;
for the design
and implementation of a risk-reporting system for operational
risk;
and for developing strategies to identify,
measure, monitor and control/mitigate operational risk.
(b) The bank’s internal operational risk measurement system must
be closely integrated into the day-to-day risk management
processes of the bank.
Its output must be an integral
part of the process of monitoring and controlling the bank’s
operational risk profile.
For instance, this information
must play a prominent role in risk reporting, management
reporting, internal capital allocation, and risk analysis.
The bank must have techniques for allocating operational
risk capital to major business lines and for creating incentives
to improve the management of operational risk throughout the
firm.
(c) There must be regular reporting of operational
risk exposures and loss experience to business unit management,
senior management, and to the board of directors.
The
bank must have procedures for taking appropriate action
according to the information within the management reports.
(d) The bank’s operational risk management system must be
well documented.
The bank must have a routine in place
for ensuring compliance with a documented set of internal
policies, controls and procedures concerning the operational
risk management system, which must include policies for the
treatment of non-compliance issues.
(e) Internal and/or
external auditors must perform regular reviews of the
operational risk management processes and measurement systems.
This review must include both the activities of the
business units and of the independent operational risk
management function.
(f) The validation of the
operational risk measurement system by external auditors and/or
supervisory authorities must include the following:
• Verifying that the internal validation processes are operating
in a satisfactory manner; and
• Making sure that data
flows and processes associated with the risk measurement system
are transparent and accessible.
In particular, it is
necessary that auditors and supervisory authorities are in a
position to have easy access, whenever they judge it necessary
and under appropriate procedures, to the system’s specifications
and parameters.
Quantitative standards
AMA soundness standard
667. Given the continuing evolution of
analytical approaches for operational risk, the Committee is not
specifying the approach or distributional assumptions used to
generate the operational risk measure for regulatory capital
purposes.
However, a bank must be able to demonstrate
that its approach captures potentially severe ‘tail’ loss
events.
Whatever approach is used, a bank must
demonstrate that its operational risk measure meets a soundness
standard comparable to that of the internal ratings-based
approach for credit risk, (i.e. comparable to a one year holding
period and a 99.9th percentile confidence interval).
668. The Committee recognises that the AMA soundness standard
provides significant flexibility to banks in the development of
an operational risk measurement and management system.
However, in the development of these systems, banks must have
and maintain rigorous procedures for operational risk model
development and independent model validation.
Prior to
implementation, the Committee will review evolving industry
practices regarding credible and consistent estimates of
potential operational losses.
It will also review
accumulated data, and the level of capital requirements
estimated by the AMA, and may refine its proposals if
appropriate.
Detailed criteria
669. This section
describes a series of quantitative standards that will apply to
internally generated operational risk measures for purposes of
calculating the regulatory minimum capital charge.
(a) Any internal operational risk measurement system must be
consistent with the scope of operational risk defined by the
Committee in paragraph 644 and the loss event types defined in
Annex 9.
(b) Supervisors will require the bank to
calculate its regulatory capital requirement as the sum of
expected loss (EL) and unexpected loss (UL), unless the bank can
demonstrate that it is adequately capturing EL in its internal
business practices.
That is, to base the minimum
regulatory capital requirement on UL alone, the bank must be
able to demonstrate to the satisfaction of its national
supervisor that it has measured and accounted for its EL
exposure.
(c) A bank’s risk measurement system must be
sufficiently ‘granular’ to capture the major drivers of
operational risk affecting the shape of the tail of the loss
estimates.
(d) Risk measures for different operational
risk estimates must be added for purposes of calculating the
regulatory minimum capital requirement.
However, the
bank may be permitted to use internally determined correlations
in operational risk losses across individual operational risk
estimates, provided it can demonstrate to the satisfaction of
the national supervisor that its systems for determining
correlations are sound, implemented with integrity, and take
into account the uncertainty surrounding any such correlation
estimates (particularly in periods of stress).
The bank
must validate its correlation assumptions using appropriate
quantitative and qualitative techniques.
(e) Any
operational risk measurement system must have certain key
features to meet the supervisory soundness standard set out in
this section.
These elements must include the use of
internal data, relevant external data, scenario analysis and
factors reflecting the business environment and internal control
systems.
(f) A bank needs to have a credible,
transparent, well-documented and verifiable approach for
weighting these fundamental elements in its overall operational
risk measurement system.
For example, there may be cases
where estimates of the 99.9th percentile confidence interval
based primarily on internal and external loss event data would
be unreliable for business lines with a heavy-tailed loss
distribution and a small number of observed losses.
In
such cases, scenario analysis, and business environment and
control factors, may play a more dominant role in the risk
measurement system.
Conversely, operational loss event
data may play a more dominant role in the risk measurement
system for business lines where estimates of the 99.9th
percentile confidence interval based primarily on such data are
deemed reliable.
In all cases, the bank’s approach for
weighting the four fundamental elements should be internally
consistent and avoid the double counting of qualitative
assessments or risk mitigants already recognised in other
elements of the framework.
Internal data
670. Banks must track internal loss data according to the criteria
set out in this section.
The tracking of internal loss
event data is an essential prerequisite to the development and
functioning of a credible operational risk measurement system.
Internal loss data is crucial for tying a bank’s risk
estimates to its actual loss experience.
This can be
achieved in a number of ways, including using internal loss data
as the foundation of empirical risk estimates, as a means of
validating the inputs and outputs of the bank’s risk measurement
system, or as the link between loss experience and risk
management and control decisions.
671. Internal loss data
is most relevant when it is clearly linked to a bank’s current
business activities, technological processes and risk management
procedures.
Therefore, a bank must have documented
procedures for assessing the on-going relevance of historical
loss data, including those situations in which judgement
overrides, scaling, or other adjustments may be used, to what
extent they may be used and who is authorised to make such
decisions.
672. Internally generated operational risk
measures used for regulatory capital purposes must be based on a
minimum five-year observation period of internal loss data,
whether the internal loss data is used directly to build the
loss measure or to validate it.
When the bank first
moves to the AMA, a three-year historical data window is
acceptable (this includes the parallel calculations in
paragraph 46).
673. To qualify for regulatory capital
purposes, a bank’s internal loss collection processes must meet
the following standards:
• To assist in supervisory
validation, a bank must be able to map its historical internal
loss data into the relevant level 1 supervisory categories
defined in Annexes 8 and 9 and to provide these data to
supervisors upon request.
It must have documented,
objective criteria for allocating losses to the specified
business lines and event types.
However, it is left
to the bank to decide the extent to which it applies these
categorisations in its internal operational risk measurement
system.
• A bank’s internal loss data must be
comprehensive in that it captures all material activities and
exposures from all appropriate sub-systems and geographic
locations.
A bank must be able to justify that any
excluded activities or exposures, both individually and in
combination, would not have a material impact on the overall
risk estimates.
A bank must have an appropriate de
minimis gross loss threshold for internal loss data collection,
for example €10,000.
The appropriate threshold may vary
somewhat between banks, and within a bank across business lines
and/or event types.
However, particular thresholds
should be broadly consistent with those used by peer banks.
• Aside from information on gross loss amounts, a bank
should collect information about the date of the event, any
recoveries of gross loss amounts, as well as some descriptive
information about the drivers or causes of the loss event.
The level of detail of any descriptive information should be
commensurate with the size of the gross loss amount.
• A
bank must develop specific criteria for assigning loss data
arising from an event in a centralised function (e.g. an
information technology department) or an activity that spans
more than one business line, as well as from related events over
time.
• Operational risk losses that are related to
credit risk and have historically been included in banks’ credit
risk databases (e.g. collateral management failures) will
continue to be treated as credit risk for the purposes of
calculating minimum regulatory capital under this Framework.
Therefore, such losses will not be subject to the
operational risk capital charge*.
Nevertheless, for the
purposes of internal operational risk management, banks must
identify all material operational risk losses consistent with
the scope of the definition of operational risk (as set out in
paragraph 644 and the loss event types outlined in Annex 9),
including those related to credit risk.
Such material
operational risk-related credit risk losses should be flagged
separately within a bank’s internal operational risk database.
The materiality of these losses may vary between banks,
and within a bank across business lines and/or event types.
Materiality thresholds should be broadly consistent with those
used by peer banks.
• Operational risk losses that are
related to market risk are treated as operational risk for the
purposes of calculating minimum regulatory capital under this
Framework and will therefore be subject to the operational risk
capital charge.
* This applies to all banks, including
those that may only now be designing their credit risk and
operational risk databases.
External data
674. A
bank’s operational risk measurement system must use relevant
external data (either public data and/or pooled industry data),
especially when there is reason to believe that the bank is
exposed to infrequent, yet potentially severe, losses.
These external data should include data on actual loss amounts,
information on the scale of business operations where the
event occurred, information on the causes and circumstances of
the loss events, or other information that would help in
assessing the relevance of the loss event for other banks.
A bank must have a systematic process for determining the
situations for which external data must be used and the
methodologies used to incorporate the data (e.g. scaling,
qualitative adjustments, or informing the development of
improved scenario analysis).
The conditions and
practices for external data use must be regularly reviewed,
documented, and subject to periodic independent review.
Scenario analysis
675. A bank must use scenario analysis
of expert opinion in conjunction with external data to evaluate
its exposure to high-severity events.
This approach
draws on the knowledge of experienced business managers and risk
management experts to derive reasoned assessments of plausible
severe losses.
For instance, these expert assessments
could be expressed as parameters of an assumed statistical loss
distribution.
In addition, scenario analysis should be
used to assess the impact of deviations from the correlation
assumptions embedded in the bank’s operational risk measurement
framework, in particular, to evaluate potential losses
arising from multiple simultaneous operational risk loss events.
Over time, such assessments need to be validated and
re-assessed through comparison to actual loss experience to
ensure their reasonableness.
Before that Basel ii Framework
According to the Bank of International
Settlements (September 1998, Operational Risk Management), the
most important types of operational risk involve breakdowns in
internal controls and corporate governance. Such
breakdowns can lead to financial losses through error, fraud, or
failure to perform in a timely manner or cause the interests of
the bank to be compromised in some other way, for example, by
its dealers, lending officers or other staff exceeding their
authority or conducting business in an unethical or risky
manner. Other aspects of operational risk include major
failure of information technology systems or events such as
major fires or other disasters.
A working group of the
Basle Committee interviewed approximately thirty major banks
from the different member countries on the management of
operational risk. Several common themes emerged during
these discussions:
* Awareness of operational risk among
bank boards and senior management is increasing.
Virtually all banks assign primary responsibility for managing
operational risk to the business line head. Those banks
that are developing measurement systems for operational risk
often are also attempting to build some form of incentive for
sound operational risk management practice by business managers.
This incentive could take the form of a capital
allocation for operational risk, inclusion of operational risk
measurement into the performance evaluation process, or
requiring business line management to present operational
loss details and resultant corrective action directly to the
bank’s highest levels of management.
* While all banks
surveyed have some framework for managing operational risk, many
banks indicated that they were only in the early stages of
developing an operational risk measurement and monitoring
framework. Awareness of operational risk as a separate
risk category has been relatively recent in most of the banks
surveyed. Few banks currently measure and report this risk on a
regular basis, although many track operational performance
indicators, analyse loss experiences and monitor audit and
supervisory ratings.
* Many banks have
significant conceptual issues and data needs, which would need
to be addressed in order to develop general measures of
operational risk. Unlike market and perhaps credit
risk, the risk factors are largely internal to the bank and a
clear mathematical or statistical link between individual risk
factors and the likelihood and size of operational loss does not
exist. Experience with large losses is infrequent and
many banks lack a time series of historical data on their own
operational losses and their causes.
While the industry
is far from converging on a set of standard models, such as are
increasingly available for market and credit risk measurement,
the banks that have developed or are developing models rely on a
surprisingly similar set of risk factors.
Those factors
include internal audit ratings or internal control
self-assessments, operational indicators such as volume,
turnover or rate of errors, loss experience, and income
volatility.
Additional details from the interviews are
discussed below under five categories:
Management Oversight;
Risk Measurement, Monitoring and Management Information
Systems; Policies and Procedures; Internal Controls; and
View of Possible Role for Supervisors.
Management Oversight
Many banks noted that awareness of operational
risk at the board of directors or senior management level has
been increasing. The focus on operational risk
management as a formal discipline has been recent but was seen
by some banks as a means to heighten awareness of operational
risk. The greater interest in operational risk was
reflected in increased budgets for operational risk measurement,
monitoring and control, as well as in the assignment of
responsibility for measuring and monitoring operational risk to
new or existing risk management units.
Overall the
interview process uncovered a strong and consistent emphasis on
the importance of management oversight and business line
accountability for operational risk.
Senior management
commitment was deemed to be critical for successful
corporate-wide risk management. Banks reported that high-level
oversight of operational risk is performed by their board of
directors, management committees or audit committee. In
addition, most respondents referred to the important role of an
internal monitor or “watchdog”, such as a risk manager or risk
committee, product review committee, or internal audit, and some
banks identified several different internal watchdogs, who
were all seen as important, such as the financial controller,
the chief information officer and internal auditors.
The assignment of formal responsibilities for operational risk
measurement and monitoring is far from universal, with only
about half of the banks interviewed having such a manager in
place.
Virtually all banks agreed that the primary
responsibility for management of operational risk is the
business unit or, in some banks, product management. Under this
view, business area managers are expected to ensure that
appropriate operational risk control systems are in place.
Many banks reinforce this risk attribution and responsibility
through charging operational losses to the related business or
product area. In an earlier survey of internal audit issues,
some supervisors noted the trend to conduct more internal
control reviews in the business line, rather than in independent
units such as internal audit. Several respondents to
the operational risk survey noted the creation of new controls
or risk management in business lines to assist in the
identification and control of risk.
Several banks noted
one potential benefit of formalising an approach to operational
risk. That is the possibility of developing incentives for
business managers to adopt sound risk management practices
through capital allocation charges, performance reviews or other
mechanisms. Many banks are working toward some form of
capital allocation as a business cost in order to create a risk
pricing methodology as well.
Risk Measurement, Monitoring and Management Information Systems
Definition of operational risk
At present, there is no agreed upon universal
definition of operational risk. Many banks have defined
operational risk as any risk not categorised as market or credit
risk and some have defined it as the risk of loss arising from
various types of human or technical error.
Many
respondent banks associate operational risk with settlement or
payments risk and business interruption, administrative and
legal risks. Several types of events (settlement, collateral and
netting risks) are seen by some banks as not necessarily
classifiable as operational risk and may contain elements of
more than one risk. All banks see some form of link
between credit, market and operational risk. In particular, an
operational problem with a business transaction (for example, a
settlement fail) could create market or credit risk. While most
banks view technology risk as a type of operational risk, some
banks view it as a separate risk category with its own discrete
risk factors.
The majority of banks associate operational
risk with all business lines, including infrastructure, although
the mix of risks and their relative magnitude may vary
considerably across businesses. Six respondent banks have
targeted operational risk as most important in business lines
with high volume, high turnover (transactions/time), high degree
of structural change, and/or complex support systems.
Operational risk is seen to have a high potential impact in
business lines with those characteristics, especially if the
businesses also have low margins, as occurs in certain
transaction processing and payments-system related activities.
Operational risk in trading activities was seen by several
banks as high. A few banks stressed that operational risk was
not limited to traditional “back office” activities, but
encompassed the front office and virtually any aspect of the
business process in banks.