RSKMGT Module II Operational Risk CH 1 Overview of Operational Risk

Uploaded by

Vimal Singh

Course: Risk Management (Module II: Key Risks and their Measurement) NIBM, Pune

Module II: Key Risks and their Measurement


Section C: Operational Risk

Chapter 1: Overview of Operational Risk

Prof. Richa Verma Bajaj

Objective

This chapter introduces the subject of operational risk and discusses the nature of
occurrence of such risk, its broad categories and the related regulatory frameworks, such as
the Basel and RBI guidelines.

Structure

1.1 Introduction
1.2 Definition of Operational Risk
1.3 Linkage between Causes- Events- Effects
1.4 Difference between Credit, Market and Operational Risk
1.5 Why Operational Risk Management is important?
1.6 Categories of Operational Risk Losses
1.7 Top 10 Operational Risks for 2017
1.8 Organizational Set-up and Key Responsibilities for Operational Risk Management
1.9 Conclusion

1.1 Introduction

Operational risk can be defined¹ as “risk associated with operating a business”. Operational
risk is a broader term than operations risk; the latter is associated only with managing
branch, deposit or loan operations. Operational risk, on the other hand, encompasses risk
associated with the finance and value-driving operations of a bank, on account of frauds,
settlement errors, accounting and modeling mistakes, legal exposures, litigation, natural
disasters, IT malfunctioning/breakdowns/errors/virus, inefficiency, inadequacy and
negligence of staff etc. Several cases like Barings² have shown that operational risk and
operational losses, more so than credit and market losses, can lead to the demise of
institutions. The operational risk management (ORM) discipline has been gaining attention in
the financial-services sector on account of internal factors such as corporate financial
scandals, trading frauds and inappropriate market practices, as well as external factors such
as political developments, regulation, terrorist activities and natural disasters. Operational
risk has increased due to the adoption of rapidly changing financial technology, the
globalization of financial services, and the outsourcing/off-shoring of operations and
processes. All these have led to increased regulatory focus as well as heightened internal
concern with operational risk. It is for these reasons that RBI has advised banks that they
should be able to estimate how much capital they need to hold against operational risks.

¹ Crouchy (2001)
² When the smoke finally clears from the recent corporate collapses, the image in the mirror
may not be an Enron or a WorldCom but it could be the infamous shortfalls in operations risk
management that appear not only to be at the core of the failures but are reminiscent of the
factors leading to the Barings Bank debacle. Walter J. Smiechewicz:
http://www.fraud-Magazine.com/article.aspx?id=4294968220

The definition of operational risk has evolved rapidly over the past few years. The various
phases through which operational risk has evolved are as follows:

Table 1: Basel and RBI Consultation Process

Document                                                          Date
New Basel Capital Framework                                       June, 1999
CP 2                                                              January, 2002
Working Paper CP 2 1/2                                            September, 2001
Sound Practices                                                   December, 2001
Sound Practices                                                   July, 2002
Sound Practices                                                   February, 2003
CP 3                                                              April, 2003
Basel Accord                                                      June, 2004
Revised Accord                                                    June, 2006
RBI’s Operational Risk Management Guidelines                      October 14, 2005
Loss Data Collection Exercises                                    2002, 2004, 2007 and 2008
RBI Guidelines on The Standardised Approach                       March 2010
RBI Guidelines on Advanced Measurement Approach                   April 2011
Consultative document on Standardized Measurement Approach (SMA)  March 2016
Standardized Approach of Operational Risk (Basel III)             December 2017

1.2 Definition of Operational Risk

Initially, operational risk was treated as: (i) every type of unquantifiable risk faced by a
bank; (ii) residual risk, i.e. risks other than credit and market risk. However, based on
further analysis the definition has been sharpened considerably. Today it is the only risk
type which has a regulatory definition. As per Basel, operational risk is “the risk of loss
resulting from inadequate or failed internal processes, people and systems or from
external events.” This definition of operational risk is based on the underlying causes of
operational risk. It seeks to identify why a loss happened and at the broadest level indicates
four causes/factors, namely people, processes, systems and external factors. Operational risk
includes legal risk, but excludes strategic and reputation risk. Legal risk includes, but is
not limited to, the risk of loss resulting from failure to comply with laws, prudent ethical
standards and contractual obligations. It also includes the exposure to litigation from all
aspects of an institution's activities. Strategic risk is the current and prospective impact on
earnings or capital arising from adverse business decisions, improper implementation of
decisions, or lack of responsiveness to industry changes. Reputational risk is the potential
that negative publicity regarding an institution’s business practices, whether true or not,
will cause a decline in the customer base, costly litigation, or revenue reductions³. Basel
and RBI guidelines state that operational risk is different from other banking risks because
it does not arise in the risk-reward business activities but arises in the natural course of
corporate activity. The operational risk definition above emphasizes the linkage between
Cause - Event - Effects.

1.3 Linkage between Causes- Events- Effects

The linkage between Causes - Events - Effects has come to be used as a common language for
analyzing operational risk by efficiently identifying, assessing and reporting operational
risk related information. For example: the cause of a loss due to fire might be storage of
combustible materials, the event might be a fire, and the loss might be financial expenses
resulting from damage to the building. For compliance purposes, banks may tend to focus only
on the loss events without giving serious thought to the possible causes and consequences.
It must be added that cause identification can help the bank in controlling the possible
future occurrence of the same event, and impact analysis helps the bank in identifying the
consequences of an event and its impact on the bank’s profit and loss account. That is why it
is said that a bank should look at operational risk for control rather than for compliance
only. The following is a pictorial presentation of the above:

³ Board of Governors of the Federal Reserve System, 2004

It is said that a clear appreciation and understanding of what is meant by operational risk is
critical for effective management and control of this risk category. It is also important to
consider the full range of material operational risks facing the bank, to capture all
significant causes of severe operational losses in various business lines through various
event types, and to record them in the BLET (i.e. Business Lines and Event Type) matrix as
presented below. The BLET matrix is important for proper operational risk measurement and
management in a bank. For example, a borrower submitted fake documents while availing a
housing loan from a bank. This event will be recorded in the highlighted cell of the following
BLET matrix: the housing loan belongs to Retail Banking and the customer submitted fake
documents, so it is a loss occurring to the bank from external fraud.

Table 2: BLET Matrix

Event types (columns):
(1) Internal Fraud
(2) External Fraud
(3) Employment Practices and Workplace Safety
(4) Client, Products and Business Practices
(5) Damage to Physical Assets
(6) Business Disruption and System Failure
(7) Execution Delivery and Process Management

Business Line            (1)  (2)  (3)  (4)  (5)  (6)  (7)
Corporate Finance
Trading and Sales
Retail Banking                 X
Commercial Banking
Payment and Settlement
Agency Services
Assets Management
Retail Brokerage

X marks the highlighted cell for the housing loan example (Retail Banking, External Fraud).
1.4 Difference between Credit, Market and Operational Risk

Operational risk is considered universal, complex and dynamic. Unlike market and credit
risk, which tend to be in specific areas of business, operational risk is inherent in all
business processes. The major differences among the three risks (credit, market and
operational) are highlighted below:

Table 3: Key differences in risk types

                           Market Risk                       Credit Risk            Operational Risk
Elements                   Securities-Trades                 Loans-investments      Processes
Where Observed             Investment and Trading            Loan Portfolio-Credit  Throughout the Bank-
                           Desk-Treasury Department                                 Business Area
Mitigation                 Derivatives as hedging mechanism  Credit Risk Mitigants  Insurance
Is Exposure Quantifiable?  Yes                               Yes                    Difficult

1.5 Why Operational Risk Management is Important?

Ineffective operational risk management⁴ affects financial institutions in three ways:

(i) Actual operational risk losses are a direct hit on the income. Similarly, the cost of
inefficient processes reduces the income,
(ii) It is often seen that operational risk failures of companies impact equity prices. Such
impact on equity prices often well exceeds the actual financial losses experienced, and
(iii) Operational risk failures can increase the costs and complexity of compliance. They can
result in increased regulatory scrutiny, affecting not just the specific failure, but the
institution as a whole.

1.6 Categories of Operational Risk Losses

Operational risk events are classified into two categories based upon the frequency of their
occurrence and their impacts.
1. Low frequency/high impact (large loss) events (major): like fraud and natural
disasters.
2. High frequency/low impact (small loss) events (minor): like back-office processing
errors and credit card frauds.

1.7 Top 10 Operational Risks for 2017


Operational risk, as we stated earlier, could occur on account of many reasons. In this
regard, the Top 10 Operational Risks for 2017, as determined by risk practitioners⁵, are:

⁴ Ellis et al (2012), “Why Financial Institutions should worry about managing their operational risk?”
⁵ Risk.net

i. Cyber Risk and data security: Cyber security is a huge risk. The recent attack of
ransomware that impacted the banks across the globe is an example of this risk.
Cyber security has become a very important agenda with banks and financial
institutions.
ii. Regulation: Regulation by itself is not a risk. It is to safeguard the market against
risk that regulations are framed. Inability to react speedily to regulation resulting in
below par compliance can invite penalties and other action.
iii. Outsourcing: Failure of outsourced agencies to conform to well laid procedures,
violations etc., can cause financial losses, penalties and also lead to reputational risk.
iv. Geopolitical Risk: Geopolitics is about how the geography and economics of two
countries influence relations between them, particularly economic and trade relations. A
recent example of geopolitical risk is the flare-up of tensions between Saudi Arabia and
Iran that resulted in a spike in the price of oil. Another example is the subprime
crisis of the US that exploded into a global financial crisis. These risks are difficult to
predict but have a very large impact.
v. Conduct Risk: Conduct risk is the possibility of financial loss or damage to a financial
institution caused by the poor judgment of its managers and employees. Mis-selling and
unethical business methods are included in conduct risk. This risk has gained more
attention in the financial sector, let alone other corporate sectors, because it is now clear
that unethical business strategies were one of the primary causes of the 2007
financial crisis. According to the Financial Stability Board, an international financial
regulatory body, a major takeaway from the great recession of 2007 is that risk to a
firm's reputation should not be underestimated and more attention must be paid to
improving the quality of products. LIBOR manipulation, mis-selling of derivatives,
violation of anti-money laundering/know-your-customer (AML/KYC) norms, and banks
selling their own payment protection insurance schemes are examples of conduct risk.
vi. Organisational Change: Banks are undergoing a metamorphosis on account of new
regulations, digital banking etc. This calls for changes in processes, procedures etc.
Failure to react to change in time could pose a risk to banks.
vii. IT Failure: Most banking operations are based on software programs that work
upon large databases and create management information. Software failures can
wreak immense havoc upon the functioning of banks.
viii. AML, CTF and sanctions/penalties due to non-compliance: The scope of AML and
CTF is increasing, and the need to repeat KYC and monitor accounts has become very
difficult to manage.
ix. Fraud: This is one of the major risks faced by banks. Frauds in banks can happen in
any area of a bank's operations. Frauds involve large amounts of funds.
x. Physical Attack: This includes robbery, dacoity, ATM heist, hijack of money vans
etc.

Operational risk has to be managed. Prevention and avoidance are the first two steps in
minimizing the impact of operational risk. A question arises: can it not be altogether
eliminated? That should be every financial institution's endeavor, though it may not be
possible.

1.8 Organizational Set-up and Key Responsibilities for Operational Risk Management
It is recognized that the approach towards operational risk management chosen by an
individual bank will depend on a range of factors, including its size and sophistication and
the nature and complexity of its activities. However, despite these differences, clear
strategies and oversight by the Board of Directors and senior management; a strong operational
risk culture, i.e. the combined set of individual and corporate values, attitudes, competencies
and behavior that determine a bank's commitment to and style of operational risk
management; an internal control culture (including clear lines of responsibility and
segregation of duties); effective internal reporting; and contingency planning are all crucial
elements of an effective operational risk management framework. A typical organisation
chart for supporting the operational risk management function could be as shown below.
Ideally, the organizational set-up for operational risk management should include the
following:

• Board of Directors
• Risk Management Committee of the Board
• Operational Risk Management Committee
• Operational Risk Management Department
• Operational Risk Managers
• Support Group for operational risk management

Figure 1: Typical Organizational Structure for Operational Risk Management

Source : www.rbi.org.in

1.9 Conclusion

Managing operational risk is becoming an important feature of sound risk management
practices in modern financial markets in the wake of a phenomenal increase in the volume of
transactions, a high degree of structural change and complex support systems. The most
important type of operational risk over the years involves breakdowns in internal controls
and corporate governance. Such breakdowns can lead to financial loss through error, fraud,
or failure to perform in a timely manner, or cause the interest of the bank to be
compromised. That is why, over the years, the focus of banks on operational risk has been
increasing. It is felt that operational risk has some linkage with credit and market risks,
for which the regulator has also provided treatment through its guidelines on boundary events.
On the whole, managing this risk properly is the need of the hour.
