
Difference between revisions of "Operational Risk"

m (The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).)
Line 1: Line 1:
'''Operational Risk''' is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an [[Organization|Organization’s]] [[Business Function|business functions]] (Basel Committee on Banking Supervision, 2004). Operational risk exists in every [[Organization|organization]], regardless of size or complexity.<ref>Definition - What Does Operational Risk Mean? [https://www.rmahq.org/operational-risk/ RMA]</ref>
+
'''Operational Risk''' is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an [[Organization|Organization’s]] [[Business Function|business functions]] ([[Basel Committee on Banking Supervision]], 2004). Operational risk exists in every [[Organization|organization]], regardless of size or complexity.<ref>Definition - What Does Operational Risk Mean? [https://www.rmahq.org/operational-risk/ RMA]</ref>
  
Operational risk is intrinsic to financial institutions and thus should be an important component of their firm-wide risk management systems. However, operational risk is harder to quantify and model than market and credit risks. Over the past few years, improvements in management information systems and computing technology have opened the way for improved operational risk measurement and management. Over the coming few years, financial institutions and their regulators will continue to develop their approaches for operational risk management and capital budgeting.
+
Operational risk is intrinsic to financial institutions and thus should be an important component of their firm-wide risk [[management]] systems. However, operational risk is harder to quantify and [[model]] than [[market]] and credit risks. Over the past few years, improvements in management information systems and computing technology have opened the way for improved operational risk [[measurement]] and management. Over the coming few years, financial institutions and their regulators will continue to develop their approaches for operational risk management and [[capital]] budgeting.
  
  
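Review bot: In the second paragraph the automatic linking matches words by spelling rather than by sense: "harder to quantify and [[model]]" links a verb, and "[[market]] and credit risks" links only the first word of a compound term. Consider dropping these two links or piping them to pages that match the meaning in this sentence. The [[Basel Committee on Banking Supervision]] link in the first paragraph is the kind of exact-title match worth keeping.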
Line 10: Line 10:
 
There are three major contributors to the operational risk, namely:
 
There are three major contributors to the operational risk, namely:
 
*Equipment: There is no doubt that the equipment is a major contributor to the operational risk. Equipment is operated by humans, in order to produce products. Maintenance activities are performed on all equipment.
 
*Equipment: There is no doubt that the equipment is a major contributor to the operational risk. Equipment is operated by humans, in order to produce products. Maintenance activities are performed on all equipment.
*Production: Loss production (including scheduled maintenance and turnaround) and product quality below standards are an operational risk. Production loss may be due to equipment failure, lack of raw material supplies, shortage in packaging, or shipping and storage.
+
*Production: Loss production (including scheduled maintenance and turnaround) and [[product]] [[quality]] below standards are an operational risk. Production loss may be due to equipment failure, lack of raw material supplies, shortage in packaging, or shipping and storage.
*Human: Humans are the key contributors to operational risk. People often cause system failure and make up costs when equipment fails, and production is reduced, for example, in terms of labor costs.<ref>Contributors to Operational Risk [https://www.sciencedirect.com/science/article/pii/B9780080999975000447 YongBaiWei, LiangJin]</ref>
+
*Human: Humans are the key contributors to operational risk. People often cause [[system]] failure and make up costs when equipment fails, and production is reduced, for example, in terms of labor costs.<ref>Contributors to Operational Risk [https://www.sciencedirect.com/science/article/pii/B9780080999975000447 YongBaiWei, LiangJin]</ref>
  
  
 
'''Measuring Operational Risk<ref>Measuring Operational Risk [https://www.frbsf.org/economic-research/publications/economic-letter/2002/january/what-is-operational-risk/ FRBSF]</ref>'''<br />
 
'''Measuring Operational Risk<ref>Measuring Operational Risk [https://www.frbsf.org/economic-research/publications/economic-letter/2002/january/what-is-operational-risk/ FRBSF]</ref>'''<br />
A key component of [[Risk Management|risk management]] is measuring the size and scope of the firm’s risk exposures. As yet, however, there is no clearly established, single way to measure operational risk on a firm-wide basis. Instead, several approaches have been developed. An example is the “matrix” approach in which losses are categorized according to the type of event and the business line in which the event occurred. In this way, a bank can hope to identify which events have the most impact across the entire firm and which business practices are most susceptible to operational risk.
+
A key component of [[Risk Management|risk management]] is measuring the size and scope of the firm’s risk exposures. As yet, however, there is no clearly established, single way to measure operational risk on a firm-wide basis. Instead, several approaches have been developed. An example is the “matrix” approach in which losses are categorized according to the type of event and the [[business]] line in which the event occurred. In this way, a bank can hope to identify which events have the most [[impact]] across the entire firm and which business practices are most susceptible to operational risk.
  
 
Once potential loss events and actual losses are defined, a bank can hope to analyze and perhaps even model their occurrence. Doing so requires constructing [[Database (DB)|databases]] for monitoring such losses and creating risk indicators that summarize these [[Data|data]]. Examples of such indicators are the number of failed transactions over a period of time and the frequency of staff turnover within a division.
 
Once potential loss events and actual losses are defined, a bank can hope to analyze and perhaps even model their occurrence. Doing so requires constructing [[Database (DB)|databases]] for monitoring such losses and creating risk indicators that summarize these [[Data|data]]. Examples of such indicators are the number of failed transactions over a period of time and the frequency of staff turnover within a division.
  
Potential losses can be categorized broadly as arising from “high frequency, low impact” (HFLI) events, such as minor accounting errors or bank teller mistakes, and “low frequency, high impact” (LFHI) events, such as terrorist attacks or major fraud. Data on losses arising from HFLI events are generally available from a bank’s internal auditing systems. Hence, modeling and budgeting these expected future losses due to operational risk potentially could be done very accurately. However, LFHI events are uncommon and thus limit a single bank from having sufficient [[Data Modeling|data for modeling purposes]]. For such events, a bank may need to supplement its data with that from other firms. Several private-sector initiatives along these lines already have been formed, such as the Global Operational Loss Database managed by the British Bankers’ Association.
+
Potential losses can be categorized broadly as arising from “high frequency, low impact” (HFLI) events, such as minor [[accounting]] errors or bank teller mistakes, and “low frequency, high impact” (LFHI) events, such as terrorist attacks or major fraud. [[Data]] on losses arising from HFLI events are generally available from a bank’s internal auditing systems. Hence, modeling and budgeting these expected future losses due to operational risk potentially could be done very accurately. However, LFHI events are uncommon and thus limit a single bank from having sufficient [[Data Modeling|data for modeling purposes]]. For such events, a bank may need to supplement its data with that from other firms. Several private-sector initiatives along these lines already have been formed, such as the Global Operational Loss Database managed by the British Bankers’ Association.
  
 
Although quantitative analysis of operational risk is an important input to bank risk management systems, these risks cannot be reduced to pure [[Statistical Analysis|statistical analysis]]. Hence, qualitative assessments, such as scenario analysis, will be an integral part of measuring a bank’s operational risks.
 
Although quantitative analysis of operational risk is an important input to bank risk management systems, these risks cannot be reduced to pure [[Statistical Analysis|statistical analysis]]. Hence, qualitative assessments, such as scenario analysis, will be an integral part of measuring a bank’s operational risks.
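Review bot: In the Production bullet, "[[product]] [[quality]]" turns one phrase into two adjacent links, and in the HFLI/LFHI paragraph the new "[[Data]]" link repeats a target that the preceding paragraph of the same section already links as [[Data|data]]. Suggest a single link (or none) for "product quality" and removing the repeated Data link.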
Line 25: Line 25:
  
 
'''Managing Operational Risk<ref>Managing Operational Risks [https://www.cimaglobal.com/Documents/ImportedDocuments/51_Operational_Risk.pdf CIMA Global]</ref>'''<br />
 
'''Managing Operational Risk<ref>Managing Operational Risks [https://www.cimaglobal.com/Documents/ImportedDocuments/51_Operational_Risk.pdf CIMA Global]</ref>'''<br />
Risk evaluation is used to make decisions about the significance of the risks to the organisation and whether each specific risk should be accepted or treated. When looking at operational risk management, it is important to align it with the organisation’s risk appetite. The risk appetite will be influenced by the size and type of organisation, its capacity for risk and its ability to exploit opportunities and withstand setbacks.
+
Risk [[evaluation]] is used to make decisions about the significance of the risks to the organisation and whether each specific risk should be accepted or treated. When looking at operational risk management, it is important to align it with the organisation’s risk appetite. The risk appetite will be influenced by the size and type of organisation, its capacity for risk and its ability to exploit opportunities and withstand setbacks.
 
Once the severity of the risk has been established, one or more of the following methods of controlling risk can be applied:
 
Once the severity of the risk has been established, one or more of the following methods of controlling risk can be applied:
 
*accepting the risk
 
*accepting the risk
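Review bot: "Risk [[evaluation]]" at the start of the Managing Operational Risk paragraph links only the second word of the term the sentence is about. Either link the whole phrase through a piped link or leave it unlinked, so the link text matches the concept being discussed.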
Line 32: Line 32:
 
*risk avoidance.
 
*risk avoidance.
  
Insurance is a long established control method for transferring risk. This applies to a number of types of operational risk, for example, damage to buildings. However, more recently there has been an increase in the use of insurance combined with other methods such as [[Business Continuity Management (BCM)|business continuity management]]. One issue with measuring and managing subjective operational risks is that unless the risk occurs, it is not possible to be certain of the impact of the risk. The severity of the risk may be underestimated. One of the issues with operational risk is the continuously changing business environment. This is stressed in Internal control: guidance for directors on the Combined Code, also known as the Turnbull Report (1999), which states: ‘A company’s objectives, its internal organisation and the environment in which it
+
Insurance is a long established [[control]] method for transferring risk. This applies to a number of types of operational risk, for example, damage to buildings. However, more recently there has been an increase in the use of insurance combined with other methods such as [[Business Continuity Management (BCM)|business continuity management]]. One issue with measuring and managing subjective operational risks is that unless the risk occurs, it is not possible to be certain of the impact of the risk. The severity of the risk may be underestimated. One of the issues with operational risk is the continuously changing business environment. This is stressed in Internal control: guidance for directors on the Combined Code, also known as the Turnbull Report (1999), which states: ‘A company’s objectives, its internal organisation and the environment in which it
operates, are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the risks to which it is exposed.’ Once a decision has been made about how to manage or control the risk, it is important to have a process in place to monitor actively and to review and report regularly on the [[Risk Management Framework (RMF)|risk management framework]].
+
operates, are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the risks to which it is exposed.’ Once a decision has been made about how to manage or control the risk, it is important to have a [[process]] in place to monitor actively and to review and report regularly on the [[Risk Management Framework (RMF)|risk management framework]].
  
  
 
'''Methods for Calculating Operational Risk Capital<ref>Methods for Calculating Operational Risk Capital [https://en.wikipedia.org/wiki/Operational_risk Wikipedia]</ref>'''<br />
 
'''Methods for Calculating Operational Risk Capital<ref>Methods for Calculating Operational Risk Capital [https://en.wikipedia.org/wiki/Operational_risk Wikipedia]</ref>'''<br />
 
[[Basel II]] and various supervisory bodies of the countries have prescribed various soundness standards for operational risk management for banks and similar financial institutions. To complement these standards, Basel II has given guidance to 3 broad methods of capital calculation for operational risk:
 
[[Basel II]] and various supervisory bodies of the countries have prescribed various soundness standards for operational risk management for banks and similar financial institutions. To complement these standards, Basel II has given guidance to 3 broad methods of capital calculation for operational risk:
*Basic Indicator Approach – based on annual revenue of the Financial Institution
+
*Basic [[Indicator]] Approach – based on annual revenue of the Financial Institution
 
*Standardized Approach – based on annual revenue of each of the broad business lines of the Financial Institution
 
*Standardized Approach – based on annual revenue of each of the broad business lines of the Financial Institution
*Advanced Measurement Approaches – based on the internally developed risk measurement framework of the bank adhering to the standards prescribed (methods include IMA, LDA, Scenario-based, Scorecard etc.)
+
*Advanced Measurement Approaches – based on the internally developed risk measurement [[framework]] of the bank adhering to the standards prescribed (methods include IMA, LDA, Scenario-based, Scorecard etc.)
  
The operational risk management framework should include identification, measurement, monitoring, reporting, control and mitigation frameworks for operational risk. There are a number of methodologies to choose from when modeling operational risk, each with its advantages and target applications. The ultimate choice of the methodology/methodologies to use in your institution depends on a number of factors, including:
+
The operational risk management framework should include identification, measurement, monitoring, reporting, control and mitigation frameworks for operational risk. There are a number of methodologies to choose from when modeling operational risk, each with its advantages and [[target]] applications. The ultimate choice of the [[methodology]]/methodologies to use in your institution depends on a number of factors, including:
 
*Time sensitivity for analysis;
 
*Time sensitivity for analysis;
 
*Resources desired and/or available for the task;
 
*Resources desired and/or available for the task;
 
*Approaches used for other risk measures;
 
*Approaches used for other risk measures;
*Expected use of results (e.g., allocating capital to business units, prioritizing control improvement projects, satisfying regulators that your institution is measuring risk, providing an incentive for better management of operational risk, etc.);
+
*Expected use of results (e.g., allocating capital to business units, prioritizing control [[improvement]] projects, satisfying regulators that your institution is measuring risk, providing an incentive for better management of operational risk, etc.);
 
*Senior management understanding and commitment; and
 
*Senior management understanding and commitment; and
 
*Existing complementary processes, such as self-assessment
 
*Existing complementary processes, such as self-assessment
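Review bot: "Basic [[Indicator]] Approach" puts a link on a single word inside the name of a Basel II method, which breaks up the term in the list. Suggest excluding the named approaches in this list from automatic linking, and also removing the link in "[[target]] applications", where the word is used as a modifier rather than as the subject of the linked page title.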

Revision as of 17:24, 6 February 2021

Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an Organization’s business functions (Basel Committee on Banking Supervision, 2004). Operational risk exists in every organization, regardless of size or complexity.[1]

Operational risk is intrinsic to financial institutions and thus should be an important component of their firm-wide risk management systems. However, operational risk is harder to quantify and model than market and credit risks. Over the past few years, improvements in management information systems and computing technology have opened the way for improved operational risk measurement and management. Over the coming few years, financial institutions and their regulators will continue to develop their approaches for operational risk management and capital budgeting.


Figure: Operational Risk Events (source: Wavestone)


There are three major contributors to operational risk:

  • Equipment: Equipment is undoubtedly a major contributor to operational risk. It is operated by humans in order to produce products, and maintenance activities are performed on all equipment.
  • Production: Lost production (including scheduled maintenance and turnaround) and product quality below standards are an operational risk. Production loss may be due to equipment failure, lack of raw material supplies, shortage in packaging, or shipping and storage.
  • Human: Humans are the key contributors to operational risk. People often cause system failure and make up costs when equipment fails and production is reduced, for example, in terms of labor costs.[2]


Measuring Operational Risk[3]
A key component of risk management is measuring the size and scope of the firm’s risk exposures. As yet, however, there is no clearly established, single way to measure operational risk on a firm-wide basis. Instead, several approaches have been developed. An example is the “matrix” approach in which losses are categorized according to the type of event and the business line in which the event occurred. In this way, a bank can hope to identify which events have the most impact across the entire firm and which business practices are most susceptible to operational risk.

Once potential loss events and actual losses are defined, a bank can hope to analyze and perhaps even model their occurrence. Doing so requires constructing databases for monitoring such losses and creating risk indicators that summarize these data. Examples of such indicators are the number of failed transactions over a period of time and the frequency of staff turnover within a division.

Potential losses can be categorized broadly as arising from “high frequency, low impact” (HFLI) events, such as minor accounting errors or bank teller mistakes, and “low frequency, high impact” (LFHI) events, such as terrorist attacks or major fraud. Data on losses arising from HFLI events are generally available from a bank’s internal auditing systems. Hence, modeling and budgeting these expected future losses due to operational risk potentially could be done very accurately. However, LFHI events are uncommon, which keeps a single bank from having sufficient data for modeling purposes. For such events, a bank may need to supplement its data with that from other firms. Several private-sector initiatives along these lines have already been formed, such as the Global Operational Loss Database managed by the British Bankers’ Association.

Although quantitative analysis of operational risk is an important input to bank risk management systems, these risks cannot be reduced to pure statistical analysis. Hence, qualitative assessments, such as scenario analysis, will be an integral part of measuring a bank’s operational risks.


Managing Operational Risk[4]
Risk evaluation is used to make decisions about the significance of the risks to the organisation and whether each specific risk should be accepted or treated. When looking at operational risk management, it is important to align it with the organisation’s risk appetite. The risk appetite will be influenced by the size and type of organisation, its capacity for risk and its ability to exploit opportunities and withstand setbacks. Once the severity of the risk has been established, one or more of the following methods of controlling risk can be applied:

  • accepting the risk
  • sharing or transferring the risk
  • risk reduction
  • risk avoidance.

Insurance is a long-established control method for transferring risk. This applies to a number of types of operational risk, for example, damage to buildings. However, more recently there has been an increase in the use of insurance combined with other methods such as business continuity management. One issue with measuring and managing subjective operational risks is that unless the risk occurs, it is not possible to be certain of the impact of the risk. The severity of the risk may be underestimated. Another issue with operational risk is the continuously changing business environment. This is stressed in Internal control: guidance for directors on the Combined Code, also known as the Turnbull Report (1999), which states: ‘A company’s objectives, its internal organisation and the environment in which it operates, are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the risks to which it is exposed.’ Once a decision has been made about how to manage or control the risk, it is important to have a process in place to monitor actively and to review and report regularly on the risk management framework.


Methods for Calculating Operational Risk Capital[5]
Basel II and the supervisory bodies of various countries have prescribed soundness standards for operational risk management for banks and similar financial institutions. To complement these standards, Basel II has given guidance on 3 broad methods of capital calculation for operational risk:

  • Basic Indicator Approach – based on annual revenue of the Financial Institution
  • Standardized Approach – based on annual revenue of each of the broad business lines of the Financial Institution
  • Advanced Measurement Approaches – based on the internally developed risk measurement framework of the bank adhering to the standards prescribed (methods include IMA, LDA, Scenario-based, Scorecard etc.)

The operational risk management framework should include identification, measurement, monitoring, reporting, control and mitigation frameworks for operational risk. There are a number of methodologies to choose from when modeling operational risk, each with its advantages and target applications. The ultimate choice of the methodology/methodologies to use in your institution depends on a number of factors, including:

  • Time sensitivity for analysis;
  • Resources desired and/or available for the task;
  • Approaches used for other risk measures;
  • Expected use of results (e.g., allocating capital to business units, prioritizing control improvement projects, satisfying regulators that your institution is measuring risk, providing an incentive for better management of operational risk, etc.);
  • Senior management understanding and commitment; and
  • Existing complementary processes, such as self-assessment


See Also

IT Governance
IT Governance Framework
Operational Risk Management (ORM)
IT Operations (Information Technology Operations)
Business Operations
Business Strategy
IT Strategy (Information Technology Strategy)
Enterprise Architecture
IT Sourcing (Information Technology Sourcing)
Operational Efficiency
Risk
Key Risk Indicator (KRI)
Governance, Risk And Compliance (GRC)
Risk-Adjusted Return
Risk-Adjusted Return on Capital (RAROC)
Risk Analysis
Risk Assessment
Risk Assessment Framework (RAF)
Risk Based Testing
Risk Communication
Risk Governance
Risk IT Framework
Risk Management
Risk Management Framework (RMF)
Risk Matrix
Risk Maturity
Risk Maturity Model (RMM)
Risk Mitigation
Risks Analysis
Riskware
Architectural Risk
Enterprise Risk Management (ERM)
Federal Risk and Authorization Program (FedRAMP)
Chief Risk Officer (CRO)
Chief Information Officer (CIO)
Value Risk Matrix (VRM)
Value at Risk
Total Cost of Risk (TCoR)
Cox's Risk Matrix Theorem
Credit Risk
E-Governance
Data Governance
Social Media Governance
Information Security Governance
Information Governance (IG)
Corporate Governance
Policy Governance
Enterprise Architecture Governance
Governance
Information Governance Initiative (IGI)
Information Governance Reference Model (IGRM)
Simulation Governance
Calder-Moir IT Governance Framework
IT Operations Management (ITOM)
IT Operations Analytics (ITOA)
Operations Research
Operations Development
Operations Management
Operational Agility
Operational Business Intelligence (OBI)
Operational Design
Operational Intelligence
Operational Data Store (ODS)
Operational Level Agreement (OLA)
Operational CRM
Operational Plan
Operational Technology (OT)


References

  1. Definition - What Does Operational Risk Mean? RMA
  2. Contributors to Operational Risk YongBaiWei, LiangJin
  3. Measuring Operational Risk FRBSF
  4. Managing Operational Risks CIMA Global
  5. Methods for Calculating Operational Risk Capital Wikipedia