Module 6: Operational Risk Management

The internal processes, people, systems and external events that appear in the definition of operational risk given in the previous module can be considered the drivers of operational risk. In addition, the Basel Committee on Banking Supervision has classified operational risk into seven loss event categories:

Category 1: Internal Fraud. It involves at least one bank employee. Examples are taking bribes or kickbacks, embezzlement, insider trading, theft, forgery, money laundering, wrong data entry for personal gain etc.

Category 2: External Fraud. These are acts committed by third parties. Hacking, phishing, theft, forgery, check kiting, extortion, embezzlement etc. fall into this category.

Category 3: Employment Practices and Workplace Safety. Acts resulting in claims, fines or penalties related to discrimination, harassment, or violation of employee health and safety rules. Losses due to organized labour action etc. also fall under this category.

Category 4: Clients, Products and Business Practices. Mis-selling of products or services and failure to meet suitability or fiduciary requirements, whether unintentionally or due to negligence, all fall under this category. Examples could be fiduciary breaches, misuse of confidential customer data, money laundering, sale of unauthorized products, disputes over performance of advisory activities, mis-selling etc.

Category 5: Damage to Physical Assets. This includes losses due to damage to physical assets resulting from natural disasters such as earthquakes or from other events. Examples could be terrorism, vandalism, earthquakes, fires, floods or losses due to an event such as a pandemic.

Category 6: Business Disruption and System Failures. This includes losses due to disruption of business or system failure, for example hardware and software crashes, utility outages or telecommunication issues.

Category 7: Execution, Delivery and Process Management. Losses from failed transaction processing or process management, and disputes with trade counterparties and vendors. Examples include data entry errors, collateral management failures, incomplete legal documentation, unapproved access given to clients' accounts, accounting errors or entity attribution errors, other task mis-performance, delivery failures, data entry or maintenance errors, failed mandatory reporting etc.

Further, a bank's business is divided into eight business lines. Let us now look at what these business lines are:

  • Trading and Sales
  • Payment & Settlement
  • Retail Banking
  • Commercial Banking
  • Agency Services
  • Corporate Finance
  • Asset Management
  • Retail Brokerage

This results in an 8 by 7 matrix, or 56 potential sources or drivers of operational risk.


What is the process banks employ to manage operational risk? As we discussed in Module III on Risk Management, the operational risk management process also involves Identification, Assessment or Measurement, Mitigation and Control, and Monitoring & Reporting.

For identification and assessment of operational risk, banks employ a tool called Risk and Control Self-Assessment or RCSA.

For measurement of operational risk, loss data and scenario analysis are used. For mitigation, banks employ various internal control methods, for example a maker-checker concept in day-to-day operations, or a stringent product approval and amendment process.

They could also use external control methods, which include internal and external audits. For monitoring and reporting of operational risk, another tool comes in handy: the Key Risk Indicator (KRI).

Tools such as RCSA or Risk and Control Self-Assessment are used to assess and measure risk. We will discuss these tools and methods in the subsequent modules on Credit Risk, Market Risk and Operational Risk Management.

Mitigation and control is achieved through the setting of limits. For example, for credit risk, exposure limits are generally set. Depending on the nature of the business or credit line, these limits could be individual exposure limits, sectoral exposure limits or even country exposure limits.

For market risk also there can be various exposure limits, limits on Value at Risk, or stop-loss limits for trading. Hedging is another tool used for mitigation. For operational risk, mitigation and control can be achieved through setting up Business Continuity Plans (BCPs), through training and through insurance. Monitoring of operational risk is done through Key Risk Indicators.

We now come to Risk and Control Self-Assessment or RCSA. RCSA is an important way in which banks try to achieve a better understanding of their operational risk exposures. It entails asking the business units to identify their operational risks, so that banks identify and assess the risks and controls in the various products and processes of the business units. The self-assessment has four steps:

  • Identify the inherent risks, that is the risks which are embedded in a firm's processes. It is accepted that every banking activity has some inherent risk.
  • Identify the controls associated with these risks.
  • Assess the effectiveness of these controls in mitigating the risk. As risks are usually reported by the business units, the business units assess their own controls.
  • Determine the residual risk, that is the risk which remains even after the controls are in place.

Usually banks adopt a workshop-based model where employees of a business unit sit together and undertake this four-step self-assessment process. The process is repeated for all critical business units of a bank. The business unit can then decide whether the risks are controlled within the tolerance limits or whether enhanced controls are required to reduce the risk or keep it within acceptable limits.

One significant challenge is to collate this data after applying weights to these risks and identifying the key risks. For this, banks use vendor-provided systems or develop their own systems. However, the process is complex and involves a lot of subjectivity.

Key Risk Indicators or KRIs are measurable metrics or indicators which can provide insight into the bank's risk exposure or loss. When KRIs are monitored periodically, they can alert the bank to changes that may be indicative of increasing risk. Examples of KRIs could be the number of customer complaints, the number of failed trades, staff turnover rates, and the frequency and/or severity of errors and omissions. KRIs can be drawn from internal loss data, near-miss data, RCSA results, audit findings, past experience and the intuition of the manager.

Sometimes these indicators are classified into Key Risk Indicators (KRIs), Key Performance Indicators (KPIs) and Key Control Indicators (KCIs). KRIs are metrics which provide insight into and monitor the risk faced by banks. KPIs measure performance or the achievement of targets. KCIs provide information on the extent to which a given control is meeting its intended objective. Another classification of indicators is in terms of leading or predictive indicators and lagging or detective indicators. Banks lay more emphasis on identifying and monitoring leading indicators because they are forward-looking and can give the bank early warning signals of impending risk events.

For monitoring of KRIs it is necessary to have thresholds that trigger intervention or escalation. Usually a traffic light signal structure is followed for setting thresholds. KRIs are of help at business unit level as well as at corporate level. At business unit level, KRIs help in identifying any disturbing activity patterns, escalating risk decisions if thresholds are breached, and monitoring the performance of controls. At corporate level, KRIs help in aggregating, analysing and reporting changes in the risk profile and in control performance.

Now what are the criteria for identifying a good KRI? A KRI should be effective, comparable and easy to use. An acronym that can be used to remember the criteria for a good KRI is SMART-RM: Specific, Measurable, Auditable, Relevant, having Thresholds which can be used for Risk Monitoring.
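As an added example that is not part of the original module, the following Python sketch shows a traffic light threshold structure for KRIs, with a business unit level evaluation (status, escalation) and a corporate level roll-up. The indicator names, thresholds, business lines and monthly observations are constructed assumptions, and the rising-trend check is a stand-in for the early warning a leading indicator is meant to give.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KRI:
    name: str
    unit: str      # business line that owns the indicator
    amber: float   # at or above this value: amber, intervention required
    red: float     # at or above this value: red, escalation required

# Hypothetical KRIs, thresholds and monthly observations (oldest first);
# all values are constructed for illustration, not taken from any bank.
KRIS = [KRI("failed_trades", "Trading and Sales", amber=20, red=40),
        KRI("customer_complaints", "Retail Banking", amber=50, red=100),
        KRI("staff_turnover_pct", "Retail Banking", amber=10.0, red=15.0)]
OBSERVATIONS = {"failed_trades": [8, 12, 17, 23],
                "customer_complaints": [30, 28, 31, 110],
                "staff_turnover_pct": [6.0, 6.5, 7.0, 7.5]}

def colour(kri, value):
    """Traffic light status of a single observation."""
    if value >= kri.red:
        return "red"
    return "amber" if value >= kri.amber else "green"

def is_rising(history, periods=3):
    """Leading-indicator check: strictly increasing over the last `periods` steps."""
    tail = history[-(periods + 1):]
    return len(tail) == periods + 1 and all(a < b for a, b in zip(tail, tail[1:]))

def evaluate(kri, history):
    """Business unit level view: status, escalation and early-warning flags."""
    status = colour(kri, history[-1])
    return {"kri": kri.name, "unit": kri.unit, "value": history[-1],
            "status": status, "escalate": status == "red",
            "early_warning": status == "green" and is_rising(history)}

def corporate_summary(results):
    """Corporate level view: number of KRIs in each status per business line."""
    summary = {}
    for r in results:
        counts = summary.setdefault(r["unit"], {"green": 0, "amber": 0, "red": 0})
        counts[r["status"]] += 1
    return summary

def run():
    results = [evaluate(k, OBSERVATIONS[k.name]) for k in KRIS]
    return results, corporate_summary(results)
```

With the constructed data, failed trades sit in amber, customer complaints breach the red threshold and are flagged for escalation, and staff turnover is still green but raises an early warning because it has risen for three consecutive months.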

Operational Risk Capital Charge


Operational Risk Capital is required to protect the bank against the possibility of operational risk losses.

Basel II provided three approaches for deciding the operational risk capital requirements:

  • The Basic Indicator Approach (BIA)
  • The Standardized Approach (TSA)
  • The Advanced Measurement Approach (AMA)

In BIA, a multiple of the gross income of the bank is taken as the operational risk capital.

In TSA, multiples of gross income at business line level are aggregated to arrive at the operational risk capital.

AMA offers banks the possibility of lower capital requirements in exchange for investing in risk management technologies.

Advanced Measurement Approach (AMA) requires capital modeling based on the following elements:

  • Internal Loss Data, i.e. the bank's own loss data.
  • External Loss Data, i.e. relevant and suitably scaled loss data of other banks. External loss data is required because there is often a paucity of internal loss data.
  • Inputs from Risk and Control Self-Assessment and Key Risk Indicators.
  • Scenario Analysis, where banks look to model extreme tail events, i.e. events which happen rarely but cause severe loss when they do happen. Scenario analysis is a judgment-based, subjective exercise.

These inputs are used to model a loss distribution from which the AMA capital charge is obtained at the 99.9% confidence level.
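As an added example that is not part of the original module, this Python code shows how a capital charge at the 99.9% confidence level is read off a simulated aggregate loss distribution for a single business line / event type cell. It assumes a Poisson event frequency and lognormal severity (a common choice in loss distribution models, not something the module prescribes) with constructed parameters; aggregation across the 56 cells and the blending of external data and scenarios into the parameters are left out.

```python
import math, random

def poisson(lam, rng):
    """Draw an annual event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def annual_loss(freq_lambda, sev_mu, sev_sigma, rng):
    """One simulated year: sum of lognormal severities over a Poisson number of events."""
    n = poisson(freq_lambda, rng)
    return sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n))

def quantile(values, q):
    """Empirical quantile by nearest rank on a sorted copy (q in (0, 1])."""
    ordered = sorted(values)
    idx = max(0, math.ceil(q * len(ordered)) - 1)
    return ordered[idx]

def lda_capital(freq_lambda, sev_mu, sev_sigma, confidence=0.999, years=20000, seed=1):
    """Capital charge = quantile of the simulated aggregate annual loss distribution.
    Returns (capital, expected annual loss, unexpected loss = capital - expected)."""
    rng = random.Random(seed)
    losses = [annual_loss(freq_lambda, sev_mu, sev_sigma, rng) for _ in range(years)]
    capital = quantile(losses, confidence)
    expected = sum(losses) / len(losses)
    return capital, expected, capital - expected

if __name__ == "__main__":
    # Constructed parameters for one cell: on average 5 loss events a year,
    # median severity exp(10), roughly 22,000, with a heavy right tail.
    cap, el, ul = lda_capital(freq_lambda=5.0, sev_mu=10.0, sev_sigma=1.5)
    print(f"99.9% capital {cap:,.0f}, expected loss {el:,.0f}, unexpected loss {ul:,.0f}")
```

Because the 99.9% quantile lives in the far tail, its value moves noticeably with the number of simulated years and with the severity tail parameter, which is why two banks can obtain different figures from similar data.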


Standardized Measurement Approach (SMA)


In March 2016 the Basel Committee indicated its intention to completely change its procedures for determining operational risk regulatory capital. In particular, it stated that the Advanced Measurement Approach (AMA) is to be abandoned and a new approach, the Standardized Measurement Approach (SMA), is to be adopted.

The reason for moving away from the Advanced Measurement Approach was the subjectivity and complexity involved in modelling, which was resulting in inconsistency across banks in its application, i.e. different banks arriving at different capital requirements using the same data.

SMA is a lot simpler than AMA; it is a combination of internal loss data (the bank's own loss data) and inputs from the bank's financial statements.



