Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an Organization’s business functions (Basel Committee on Banking Supervision, 2004). Operational risk exists in every organization, regardless of size or complexity.
Operational risk is intrinsic to financial institutions and thus should be an important component of their firm-wide risk management systems. However, operational risk is harder to quantify and model than market and credit risks. Over the past few years, improvements in management information systems and computing technology have opened the way for improved operational risk measurement and management. Over the coming few years, financial institutions and their regulators will continue to develop their approaches for operational risk management and capital budgeting.
There are three major contributors to the operational risk, namely:
- Equipment: There is no doubt that the equipment is a major contributor to the operational risk. Equipment is operated by humans, in order to produce products. Maintenance activities are performed on all equipment.
- Production: Loss production (including scheduled maintenance and turnaround) and product quality below standards are an operational risk. Production loss may be due to equipment failure, lack of raw material supplies, shortage in packaging, or shipping and storage.
- Human: Humans are the key contributors to operational risk. People often cause system failure and make up costs when equipment fails, and production is reduced, for example, in terms of labor costs.
Measuring Operational Risk
A key component of risk management is measuring the size and scope of the firm’s risk exposures. As yet, however, there is no clearly established, single way to measure operational risk on a firm-wide basis. Instead, several approaches have been developed. An example is the “matrix” approach in which losses are categorized according to the type of event and the business line in which the event occurred. In this way, a bank can hope to identify which events have the most impact across the entire firm and which business practices are most susceptible to operational risk.
Once potential loss events and actual losses are defined, a bank can hope to analyze and perhaps even model their occurrence. Doing so requires constructing databases for monitoring such losses and creating risk indicators that summarize these data. Examples of such indicators are the number of failed transactions over a period of time and the frequency of staff turnover within a division.
Potential losses can be categorized broadly as arising from “high frequency, low impact” (HFLI) events, such as minor accounting errors or bank teller mistakes, and “low frequency, high impact” (LFHI) events, such as terrorist attacks or major fraud. Data on losses arising from HFLI events are generally available from a bank’s internal auditing systems. Hence, modeling and budgeting these expected future losses due to operational risk potentially could be done very accurately. However, LFHI events are uncommon and thus limit a single bank from having sufficient data for modeling purposes. For such events, a bank may need to supplement its data with that from other firms. Several private-sector initiatives along these lines already have been formed, such as the Global Operational Loss Database managed by the British Bankers’ Association.
Although quantitative analysis of operational risk is an important input to bank risk management systems, these risks cannot be reduced to pure statistical analysis. Hence, qualitative assessments, such as scenario analysis, will be an integral part of measuring a bank’s operational risks.
Managing Operational Risk
Risk evaluation is used to make decisions about the significance of the risks to the organisation and whether each specific risk should be accepted or treated. When looking at operational risk management, it is important to align it with the organisation’s risk appetite. The risk appetite will be influenced by the size and type of organisation, its capacity for risk and its ability to exploit opportunities and withstand setbacks. Once the severity of the risk has been established, one or more of the following methods of controlling risk can be applied:
- accepting the risk
- sharing or transferring the risk
- risk reduction
- risk avoidance.
Insurance is a long established control method for transferring risk. This applies to a number of types of operational risk, for example, damage to buildings. However, more recently there has been an increase in the use of insurance combined with other methods such as business continuity management. One issue with measuring and managing subjective operational risks is that unless the risk occurs, it is not possible to be certain of the impact of the risk. The severity of the risk may be underestimated. One of the issues with operational risk is the continuously changing business environment. This is stressed in Internal control: guidance for directors on the Combined Code, also known as the Turnbull Report (1999), which states: ‘A company’s objectives, its internal organisation and the environment in which it operates, are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the risks to which it is exposed.’ Once a decision has been made about how to manage or control the risk, it is important to have a process in place to monitor actively and to review and report regularly on the risk management framework.
Methods for Calculating Operational Risk Capital
Basel II and various supervisory bodies of the countries have prescribed various soundness standards for operational risk management for banks and similar financial institutions. To complement these standards, Basel II has given guidance to 3 broad methods of capital calculation for operational risk:
- Basic Indicator Approach – based on annual revenue of the Financial Institution
- Standardized Approach – based on annual revenue of each of the broad business lines of the Financial Institution
- Advanced Measurement Approaches – based on the internally developed risk measurement framework of the bank adhering to the standards prescribed (methods include IMA, LDA, Scenario-based, Scorecard etc.)
The operational risk management framework should include identification, measurement, monitoring, reporting, control and mitigation frameworks for operational risk. There are a number of methodologies to choose from when modeling operational risk, each with its advantages and target applications. The ultimate choice of the methodology/methodologies to use in your institution depends on a number of factors, including:
- Time sensitivity for analysis;
- Resources desired and/or available for the task;
- Approaches used for other risk measures;
- Expected use of results (e.g., allocating capital to business units, prioritizing control improvement projects, satisfying regulators that your institution is measuring risk, providing an incentive for better management of operational risk, etc.);
- Senior management understanding and commitment; and
- Existing complementary processes, such as self-assessment
IT Governance Framework
Operational Risk Management (ORM)
IT Operations (Information Technology Operations)
IT Strategy (Information Technology Strategy)
IT Sourcing (Information Technology Sourcing)
Key Risk Indicator (KRI)
Governance, Risk And Compliance (GRC)
Risk-Adjusted Return on Capital (RAROC)
Risk Assessment Framework (RAF)
Risk Based Testing
Risk IT Framework
Risk Management Framework (RMF)
Risk Maturity Model (RMM)
Enterprise Risk Management (ERM)
Federal Risk and Authorization Program (FedRAMP)
Chief Risk Officer (CRO)
Chief Information Officer (CIO)]]
Value Risk Matrix (VRM)
Value at Risk
Total Cost of Risk (TCoR)
Cox's Risk Matrix Theorem
Social Media Governance
Information Security Governance
Information Governance (IG)
Enterprise Architecture Governance
Information Governance Initiative (IGI)
Information Governance Reference Model (IGRM)
Calder-Moir IT Governance Framework
IT Operations Management (ITOM)
IT Operations Analytics (ITOA)
Operational Business Intelligence (OBI)
Operational Data Store (ODS)
Operational Level Agreement (OLA)
Operational Technology (OT)