You are on page 1of 38

State Street HCL Services

Operational Risk in
Financial Services
-- - - - - - - - - - - - - - -
The official Learning Module on Operational Risk

State Street HCL Services


Risk management has always been an explicit or implicit fundamental management process in financial
services. Today, however, there is more pressure to avoid things going wrong while continuing to improve
corporate performance in the new environment. Good risk management is a decisive competitive
advantage. It helps to maintain stability and continuity and supports revenue and earnings growth.

Risk management is an obligation to stakeholders; diligent and intelligent risk taking is an "attitude" towards
stakeholders. Despite all the progress in the quantification of risks, risk management will remain a blend of
art and science. Quantified risk is seductive, but can be misleading or provide a "false sense of security";
imperfections have to be acknowledged. Comprehensive, institution-wide strategy and tactics towards risk
can no longer be achieved by applying common sense only - albeit common sense remains crucial. There
is a need for credible and relevant methodologies to identify, define, assess, reduce, transfer, avoid and
manage risk.

Risk management is a daily struggle against uncertainty and a daily learning process: Risk management is
not a program, but a process for which senior management and Board of Directors are increasingly called
upon to ensure. New governance requirements are quite explicit about this responsibility. Good risk
management is not only a defensive mechanism, but also an offensive weapon. Quality of leadership and
governance is increasingly an issue of risk management.

The management of market and credit risks has made great progress as to its methodologies and
quantification approaches, given the vast and reasonably reliable data and statistics. This does not mean
that misjudgments as to the future are rarer, but the approach is more empirically founded.

Operational risks - while not new but in a new environment - have received tremendously increased
attention as of very recent. While dealing with "operational risks" more closely, companies realized the
breadth and complexity of such a task. You can name anything out of the "banking-life", it almost certainly
has an operational risk touch. The confusion as to OpRisk and its management is quite impressive in the
industry: Definitions not settled, frameworks different, data hazy, models complex and/or not (yet) credible,
academics impractical, consultants looking for new assignments lack a track record, quants hungry for
fresh challenges. Supervisors – in spite of all - are eager to get additional capital charges. Activism is
abounding. What an imbroglio to start with?!

Operational risk management is - simply put - good management and close to quality management. As
management in financial services is dealing with people for people - in a continuous process and ever
changing environment – there cannot be an easy answer or a simple model.

Mistakes and failures, i.e. OpRisk losses, happen daily in every financial services organization, some
negligible, some more serious; very rarely they can be very grave. This should make every manager
humble, also in the judgment on competitors. The general environment for financial services will continue to
change dramatically. It will call for significant and continuous adjustments in the way enterprises do
business and adapt their operations.

State Street HCL Services

With dramatically increased competition - also from non-banks - a successful OpRisk management is
crucial for survival. In the future, the market will be less forgiving of any colossal lapse. Reputation is
increasingly also built on OpRisk management skills. These are some of the reasons why OpRisk gets
such attention at present.

A financial services organization must be a learning organization and increasingly also a "knowledge-
organization". Having observed the financial scene for some years, experts are fully aware that every
organization is always in different stages of quality performance and process sophistication, given the
interdependencies of internal projects and external pressures. They also know that there are many "paths
to Rome". There is often not "only one solution" in management. It would be quite presumptuous to try for a
complete paper on "good OpRisk management" or "good management": This paper contains suggestions
based on personal opinion and observations.

We will also realize that the experts seem to have a "preoccupation" with the number 12. Over centuries,
the number 12 has played the symbolic role of completeness - which is somewhat ambitious for an active
banker. More important, my observations tell me that "12 messages" are just about digestible to keep one's
attention span. They also force a priority setting.

The 12 Golden Organizational Principles in Risk Management

Ahead of the OpRisk discussion, the following 12 Golden Rules in Risk Management should be a guide
throughout the presentation. They are the result of observations and adjustments over the years and apply
to OpRisk aspects as well. Some of the following 12 conclusions or issues sound banal, but probably are
the more vital elements when it comes to implementation.

The 12 Key Principles in Risk Management

Our principles have not changed, but as a "learning organization" in a dynamic environment, we are
continuously adjusting the contents with new priorities or refinements based on experience. The issue is
not the intellectual level of the 12 principles but rather their diligent implementation - which is challenging in
a diverse, global and changing world. Thereby no organization ever achieves an ideal or perfect positioning
in every respect.

Executing the Fundamentals

1. Risk is uncertainty about future results.

Risk taking = risk management.

Do not fear but respect risks. - Ensure the balance of gains versus losses.
"Informed and intelligent" risk-taking, including attention to proportionality, concentration and
diversification _ active portfolio management.
Watch liquidity/flexibility aspects in turbulent times. Watch harm by association.
Never forget "extreme event" risks. Deal with consequences of the unexpected cases.
Capital allocation based on Economic Risk Capital.

State Street HCL Services

2. The 6 S's for the systematic mental discipline of an organization: the logical sequence.

a) Strategy
b) Structure
c) System
d) Systems
e) Safety
f) Speed

3. Clear structure, allocation of responsibility and accountability and discipline are basic

Prioritize disciplined processes and structures.

Transparency as to policies, directives, etc.
Clear and communicated responsibility and accountability. "Ownership" of issues and risks.
No conflicts of interest: i.e. front office versus support areas - but "constructive tension" where

4. Rigorous measures in case of non-compliance/breaches.

Know the rules of the game: courage for unpleasant measures with a "culture of
It takes a lot of discipline, training and time to get everyone worldwide on an adequate
control/compliance level.
Adequate compliance environment: Responsibility lies not only with immediate heads -
leadership function of each management level.
Retaining the perspective

5. Completeness, integrity and relevance of data/systems/information as a basis.

No diagnosis without information.

Know what you do not know.
What is measured, observed and recognized gets attention.
Data characteristics are ideally: Complete, objective, consistent, transparent, standardized,
comparable across the institution, interpretable, auditable, replicable, embedded in aggregated
processes, and above all they are relevant and credible as to facts and perceptions.
Credibly quantified and relevant risks represent an opportunity. If not credible, cynicism
Thoughtful self-challenge - especially rigorous audit reports - can provide a formidable basis to
avoid/limit operational risks.

6. Risk management is a tenacious process not a program.

Prevention ahead of correction.

"Best practice" as goal. However "best practice" must be applied intelligently – no "fads".
Ongoing questioning of strategy, structure, systems, safety, simplicity, speed.
State Street HCL Services

Risk and compliance awareness ideally with everyone.

Care about substance, not only legalistic form: "smell test" with "overall view".
Focus on long-term initiatives versus short-term ones.
Emphasize furthering the risk culture, rather than controlling the numbers.
Management of risks for own organization comes ahead of risk management for

7. Risk management is part art, part science.

Facts, perceptions, expectations – all are important.

Markets might promise but never guarantee anything.
Risk management is often the art of drawing sufficient conclusions from insufficient premises.
Watch internal and external exuberances and paralysis. Counterbalancing is a management
To be right too soon is also wrong: timing is the issue.
Common sense for reality checks, especially for models.

8. Limitation of models.

A model is always a strong reduction/approximation of a more complex reality.

Models are as good as the underlying assumptions: "garbage in" – "garbage out effect".
Not all risks are relevant and/or quantifiable: also here, use 20/80 approach.
"Reductio ad absurdum" may lead to a "model figure" but is irrelevant in the overall context.
New external parameters and continuous restructurings can make models questionable, as
there is no reliable base material.
Comparisons of absolute model figures with those of third parties are questionable:
The prime internal value added of a good model – including the stress test – is its trend over
Theoretical rigidity may not prevail over practical relevance and credibility.
Models are always only part of an overall risk management approach and must include
common sense.

9. Complex organizations, restructurings and projects can add risks.

Complexity is the enemy of speed and responsiveness: try hard for simplicity.
The more complex a risk type is the more specialized, concentrated and controlled its
management must be.
Focus on human aspect

10. A financial institution is a “knowledge and learning organization”.

Faster race – higher bar: antennae out to receive and implement internal and external input.
Data is ubiquitous and abounds:
Timely sorting and packaging in the proper context creates relevant information and value
added. People with authority especially must be educators: source, share, synthesize and save
State Street HCL Services

Specialists can "walk out" easily in good times.

Learn from mistakes and determine causality.
Self-management and leadership with regard to a culture of open communication based on
"experience" and know-how are increasingly challenging: Ban knowledge-hoarders and turn
knowledge-givers into heroes as part of evaluation/incentive process.
Continuous learning and training is part of the evaluation/incentive process.
Knowledge alone is not enough: it is the rigorous implementation which leads to results.

11. Responsible control/compliance/risk culture is as important as the most sophisticated


Those values count which are enforced.

Lead by example – practice what you preach.
Combine overall judgment by experienced people with specialist knowledge.
Mistakes or misjudgments are unavoidable: The ways of correcting mistakes are part of
Risk culture on the whole is the final responsibility of the top management.

12. Human element is THE critical factor of success.

Professionalism includes: inquisitiveness, feel, intuition and inspiration for risk and market
Good mix of professional, open-minded and honest people with formal training, professional
and life experience, integrity and character.
Honesty includes intellectual honesty: Cover-ups are lethal.
Successful risk management is primarily the result of the capacity, aptitude and attitude of the
people involved: people shape the culture, reputation and brand equity.

Summary and Outlook: 12 Conclusions

1. OpRisk management is nothing new per se. Risk management and OpRisk management in
banking have been around since the inception of banking. From obscurity they moved to
respectability. From respectability they have at least reached prominence. Over the last 10 years,
risk management especially for market and credit risks, has reached the impact stage. OpRisk
management today is gaining prominence, but the stage of the full quantitative impact has not
been reached. Its quantitative foundation - with credible, relevant and meaningful total figures -
cannot be expected in the near future. Perhaps it never will be!

What is new and will become a more prevalent development:

Generally increased risk awareness, including OpRisk

More rational, more analytical attempts to identify, define, categorize, measure, quantify and
partly transfer losses and risks
Closer attention by regulators
State Street HCL Services

Attention by and responsibility of senior management and Board of Directors

OpRisk seen in a broader context
A fast changing environment, in which OpRisk management takes place: boundaries
increasingly blur, more non-banks enter the turf, consolidation and convergence in the industry
continue, dis-intermediation and global capital markets grow faster

2. OpRisk is not "other risks":

The term "other risks" stems from the obsolete notion of OpRisk as all non-market and non-credit risks.
Many institutions have moved away from this negative definition to a positive definition. Contrary to market
and credit risks, OpRisk are usually not willingly incurred, often they are insignificant in an overall context.
Also for reputation reasons, OpRisks are avoided.

OpRisks are primarily institutional, "bank made", "internal", context dependent, incredibly multifaceted,
often judgmental, interdependent, often not clearly discernible vis à vis e.g. market and credit risks and not
diversifiable. OpRisks cannot be laid off in liquid trading markets: OpRisks are only eliminated if a bank
ceases to be. Market and credit risks are revenue driven, OpRisks are not. OpRisk management is often
close or parallel to quality management and, therefore, contributes to client satisfaction, reputation and
shareholder value.

These are some of the reasons why the definition, measurement and modeling of OpRisk is so difficult to
come by.

Having recognized the above, a suggested OpRisk definition could be: "Operational risk is the risk of
adverse impact to business as a consequence of conducting it in an improper or inadequate manner and
may result from external factors."

This definition needs categorization: Organization, Policy / Process, Technology, Human, External.

3. The OpRisk management of the future has to be seen in the wider context of globalization and
Internet-related technologies. The 2 major future drivers - globalization and Internet-related
technologies - will challenge the banks to take on additional and partly new OpRisk:

The increasing globality of financial services increases the demands on governance, including
environmental and social responsibility. Globalisation - with its many advantages for the stakeholders of a
modern firm - usually adds complexity and diversity of cultures, management and staff. A common culture -
and a common risk culture - will be one of THE challenges for a globally oriented organization.

Managing a modern company means managing on behalf of all core stakeholders. Creating value for
clients, staff and business partners is a precondition for creating shareholder value. Sustained and sound
profitability is also the best contribution for avoiding systemic risks and protecting savers. Old World and
New World are moving towards One World. Ubiquitous computing and Internet-related technologies (IRT)
make every business a data-based business in a new e-economy, especially in financial services.

State Street HCL Services

IRT changes everything. IRT is no longer just a strategy supporter, but a strategy enabler: it enables
transactions and services any time, instantaneously, with no barriers, at decreasing prices. Such a
"technical environment" represents a major new challenge for management and especially for OpRisk
management. While computing solves many OpRisk problems, it also creates new ones: IT, control,
compliance, security, privacy protection etc.

4. Banks face continued dilemmas which have OpRisk ramifications:

The most venerable versus the most vulnerable

E-commerce hype versus hybris
Dot-com culture with rapid responses and change versus structured, systematic, sometimes slow
structure / system and legacy systems
Innovation "entrepreneurship" and "intrapreneurship" versus structure and processes
Consistency and predictability versus change and innovation
Long term orientation versus short term performance pressure
Security versus speed
Scale and standardization versus scope and differentiation
"Roots" versus "strong wings" of management and staff in global organizations
Local conditions versus global pressures: "glocalism"
Maximizing activities where the outcome is controlled and minimizing exposures for which there is
little or no control over the outcome
Operating and capital allocation efficiency versus compliance, control and capital requirements of
Shareholder pressure versus other stakeholders' expectation

The winners will be those who understand the forces of change best, implement accordingly and
"synchronize" their efforts optimally in turbulent times.

5. Good OpRisk management prevents crises. The only alternative to good OpRisk management is
crisis management. With good OpRisk management an organization manages its risks. In a crisis
situation, the crisis itself often manages the organization.

All the more important is good management, e.g. along the diligent, disciplined, daily management
of the 12 S's of an organization: strategy, structure, system/s, staff, safety, speed, skills, style,
shared values, stakeholders, symbol, and synchronization.

Clear structures and processes with defined allocation of responsibilities are preconditions for a
successful OpRisk management. The control and compliance environment is increasingly checked
by supervisors, who more and more ask for individual responsibility.

6. Good OpRisk management - in combination with quality management - is a decisive base for
enhancing the reputation of a bank: OpRisk deficiencies appear in every bank, almost daily.
However, shareholders and other stakeholders will be much less forgiving of a major OpRisk
mishap in the future. In a major crisis, the impact on market capitalization and reputation can be
significant during the first few months. Thereafter, the responsibilities for the disaster and the

State Street HCL Services

OpRisk management capability to deal with the aftermath become more visible. Thereby,
consistent and effective communication as well as honesty shows a fundamental financial value.

7. A more analytical OpRisk management approach is emerging: The attention it receives is a

multiple of what it was only 5 years ago. OpRisk has been controlled - at least in some fashion - for
years. It is now becoming more formalized and increasingly measured or at least consciously

Financial institutions and regulators / supervisors should be aware of the cost / benefit relationship
of setting in place the quantification of OpRisk involving data gathering, models, procedures,
systems and staff. The experience of setting up such systems for the quantification of market risks
indicates the cost and inertia involved for changing the system and systems for a relatively little
disputed analytical approach.

Think first, organize second and act third in the right and not the wrong direction. The financial services
industry as a whole - notwithstanding the major differences among banks - has made considerable
progress over the last 2 - 3 years in OpRisk areas, such as: definition, aspects of strategy and planning,
structure, reporting, tools, capital allocation and risk transfer. There is still a long way to go to reach an
effective, credible and implementable OpRisk analytical framework.

8. OpRisk management is a continuous learning process: OpRisk management is not a program; it is

a continuous, diligent process throughout an organization.

9. OpRisk measurement and internal loss information should - also in the interest of rational data
collection, risk transfer solutions and potential risk quantification - be guided by the following
characteristics: Relevant in the overall context, complete, objective, consistent, transparent,
minimally standardized to be used across institutions, interpretable, teachable, auditable and
above all, credible by facts and perception.

The credibility of OpRisk measurement is enhanced if there is quantitative evidence of cost of

collecting data versus benefits of measurement. Existing OpRisk measurements and tools are
usually not expressed in financial terms, excepting loss databases can be misleading, inconsistent,
irritating and confusing.

10. There is no credible and satisfying overall model applicable to "OpRisk at large" available for the
quantification at present, except for some subcategories which might not be relevant in the overall context.
However, the momentum is building each year with improved data on hand. Remember the pains
in building market and credit risk models over the years, with an incomparably better database.
They became core and standard management tools.
I doubt whether there can be one "catch-all" OpRisk model with a credible outcome: "more sizzle
than steak"? In addition, it is management which is responsible for the reasonableness and
credibility of models, not academics, quants, or supervisors. There will be a convergence of a
common definition, concept, tools and models, but it will take years.

State Street HCL Services

We should not overlook that an analytically sophisticated, credible and accepted approach to risk
management is only one important attribute of a strong risk management effort. Also, there always has to
be ample room for common sense. A simple number can be so intriguing, but do not ever forget
the "garbage in - garbage out" effects.

11. Developments to be expected:

Greater involvement and "buy-in" by senior management and Board of Directors.

Greater visibility of the risk management function and its place within the organization.
A greater general awareness and institutionalization of risk management, including OpRisk; a
sophisticated risk management framework with more analytical and predictive contents. "As people
are walking all the time in the same spot, a path appears." (Lu Xun). On the one hand, there are
more traditional concerns about "high frequency, low impact" losses with concerted efforts like
quality management, straight through- processing, controls. On the other hand, there is a
pronounced concern for "low frequency, high impact" losses, with corresponding risk transfers.
A more conscious analytical and multi-disciplined integration of credit, market and OpRisk control
functions: internal and external audit, legal and compliance, product control, operations, insurance,
finance. Sound OpRisk management is, therefore, becoming a core competency of risk
management and of general management.
A better focused business approach: a move from a "defensive" posture of OpRisk management to
an "offensive" positioning. Risk management is always and consciously an integrated part of good
business management.
Loss events are opportunities to improve structure, system and systems. Risk management
becomes TQM and, therefore, synonymous with good customer service, which supports reputation
and share price.
Strategic planning is linked with risk management and OpRisk.
Internal and external audit play a crucial role, especially if more ex-ante and not exclusively ex-post
Credible and relevant internal database systems become more commonly defined, standardized,
structured, systematic, comprehensive and consistent as part of a modern risk management
framework. Data sharing agreements in neutralized form get created, excepting very confidential
data on legal disputes. Tools become more integrated and are also used by line or front functions.
The focus on quantification attempts is increasing. Important, however, remains the relevance and
credibility of such attempts. A "false sense of security" could lead to wrong priority setting and
counterproductive outcomes.
Internal economic risk capital models include OpRisk in view of more internal rational capital
allocation targets.
More risk transfer to third parties who are able to analyze, diversify and bear OpRisk of banks:
insurance for external risks and for integrated risk products as well as for standardized capital
market transactions. Some insurance companies increasingly "detect" the huge potential in this
Extreme internal and external risks, (e.g. rogue trading, hackers, IT security) become increasingly
insurable. Reliable and punctual insurance protection will have to be recognized by supervisors.
More outsourcing of non-core activities and partnerships with banks and non-banks, especially
Internet-related. All this entails new aspects of OpRisk which need close attention.

10 | P a g e
State Street HCL Services

New regulatory and supervisory standards and entities converge, cooperation and information
sharing between supervisors gets closer. Global rules? More intervention? More judgments on
management? More influence on the strategy of a bank?
Risk creates value, profits come from taking risks. Regulators and supervisors who do not take this truism
into account - well-meaning in the name of creditors' and investors' protection and avoidance of systemic
risks - end up in making the financial system more unstable. The level playing field remains - unfortunately -
an unresolved issue, but would have fostered the credibility of regulators.

The BIS should be encouraged to add a Pillar 4 to the suggested and discussed Pillars 1 - 3: sustained
sound and diversified profitability as THE precondition and THE contribution to protect creditors and to
avoid systemic risks. For such profitability and growth, good OpRisk management is core.

Understanding and managing OpRisk is more important than putting a regulatory value on it. Close to
100% of the benefit of OpRisk management is derived from the fact of doing so. Regulators and
supervisors should hopefully be positively impressed by the ongoing conscious OpRisk management
efforts in the industry. Various regulators and supervisors seem to prefer a simple "box-ticking OpRisk
capital charge", which is just not fair, difficult to evaluate credibly or ignores the relevant issues like "good
management". There are many different ways other than "capital" to judge an organization;

Banking supervision is firmly risk-based. Regulators and supervisors - especially with the planned BIS Pillar
1 - 3 approach - take on a greater interest and a rather pronounced responsibility in the OpRisk arena.
According to supervisors, OpRisk should be supported by a Pillar 1 capital requirement for each bank and
additional Pillar 2 capital for "special OpRisk situations"; there are continued arguments about the
justification for Pillar 1 OpRisk capital requirements. With Pillar 2, the supervisors take on an additional risk
management layer for the respective bank; industry knowledge, including insurance, management know-
how and judgment capabilities, is the challenge for supervisors.

Regulators and supervisors finally have to come to grips with the following issues:

Really threatening OpRisk issues for banks have been very rare in the past; they were not of
systemic nature.
The 9 major mishaps of financial institutions were all issues of management, not of regulatory
Civilian and military studies - reveal: Insufficient management and processes were responsible for
80% of the mishaps. There are better "checks and controls by supervisors", which have nothing to
do with regulatory capital.
Convergence is observed in almost all financial activities. Why not convergence of the very same
activities' regulatory environment?
Non-banks are exposed to the same OpRisk as banks. Both, however, represent similar "systemic
risks". What are the measures of the regulators to avoid such potential systemic risks of non-
banks? Why care about systemic risks by banks while ignoring those by non-banks? Why should
banks be charged with a special OpRisk regulatory charge? Why should banks become less

11 | P a g e
State Street HCL Services

12. OpRisk management is good management of the 12 S's of an organization Senior

management is called upon to OpRisk management is only very partly rocket science and partly
social science as the targeted objects and issues change continuously and the past does not repeat itself in
the same context. Good OpRisk management may never get a Nobel Prize, but is still core for successful
survival. Discipline is the discipline for good OpRisk management. Good OpRisk management relies on
proper corporate culture with a diligent risk culture and a positive acceptance of control.

Good OpRisk management within a proper risk culture includes:

Proper structure and governance

Risk management visibility
Control, compliance
Forward-looking internal audit and corresponding follow-ups
Proper tools and analytical measurement of OpRisk
Attempts for credible and relevant quantification
Proper skills and style
Continuous adjustments of safety measures especially related to Internet activities and above all:
A shared values attitude as to "acceptability of risks"

When an organization reaches and maintains such a challenging level, it achieves the most important steps
towards a successful OpRisk management. Good OpRisk management improves quality and reduces cost
by cutting risks.

As a consequence, good OpRisk management amounts to a competitive advantage and is reflected in the
shareholder value. OpRisk is not so much about capital and models, it is about management: diligent,
arduous and daily OpRisk management supports the stability and continuity of a firm. The issue is not
capital, it is human beings in an organization serving human beings with their actions and reactions.

Not surprisingly, therefore, the critical OpRisk management success factor is management and staff:
experienced people with integrity, credibility, visibility and acceptance within the organization. This strong
statement - I hope it is strong enough - is evidenced by the experience of the major mishaps in the past
financial history and by the experience of the military with the longest OpRisk exposure of human history.

Finally, every employee should ideally be a risk or control manager in his/her daily activity:
A general pure awareness of risks is already a major step towards successful OpRisk management.

Operational Risks:

Framework for Definitions and Dimensions

Before managing anything, it is important to know what it is to be managed. Therefore, a definition of

OpRisk is needed. This definition has to be understood, accepted and identical across an organization.

The survey of BBA (1999) 1 provides a good overview of the different views on OpRisk definitions. To
summarize its results:
12 | P a g e
State Street HCL Services

A consensus about the nature of OpRisk is emerging as regards OpRisk being the risk of losses
resulting from inadequate or failed processes, people, and systems or from external events
Definitions of OpRisk in each specific firm are different

The widespread confusion prevailing in the financial industry about OpRisk is somewhat fading,
progressively opening the way for more convergence of its generic features. This, however, does not mean
that a unique, industry wide definition of OpRisk will emerge.

The following sample of the major OpRisk definitions by the industry and regulators shows that, while there
is a broad agreement on the general concept of OpRisk, diversity in some detailed aspects will continue to

"OpRisk is the risk of everything other than credit and market risk”
"OpRisk is the risk associated with the Operations department" (narrowest definition)
"OpRisk is the risk that deficiencies in information systems or internal controls will result in
unexpected loss. The risk is associated with human error, systems failure and inadequate
procedures or controls" (BIS)3
"OpRisk is the risk of direct or indirect losses resulting from inadequate or failed processes, people,
and system or from external events" (BBA/ISDA/RMA)4

With OpRisk, the devil lies in the details. Each institution has its own, individual and unique operational
setting. Thus, to be able to manage OpRisk might require tailoring its definition and its sub-categories to the
firm’s specific setting.

Five major OpRisk-Categories and their Sub-Categories

The following OpRisk-definition is used by mostly all Investment Banking Groups:

"Operational risk is the risk of adverse impact to business as a consequence of conducting it in an

improper or inadequate manner and may result from external factors.

OpRisk may tangibly manifest itself in the likes of business disruption, control failures, errors, misdeeds or
external events, and can be captured in five major OpRisk categories:

1. Organization
2. Policy/Process
3. Technology
4. Human
5. External"

13 | P a g e
State Street HCL Services

The 5 suggested categories are major and they present a valid base for solving problems for management.
The crucial issue is the intellectual framework and discipline for present and future problem-solving
approaches under new paradigms:

1. Organization: risks arising from such issues as change management, project management,
corporate culture and communication, responsibilities, allocation and business continuity planning.
2. Policy and Process: risks arising from weaknesses in processes such as settlement and payment,
non-compliance with internal policies or external regulation or failures in products or client dealings.
3. Technology: risks arising from defective hard- or software, failures in other technology such as
networks or telecommunications, as well as breaches in IT security.
4. Human: risks arising from failure of employees, employer, and conflict of interest or from other
internal fraudulent behavior.
5. External: risks arising from fraud or litigation by parties’ external to the firm, as well as lack of
physical security for the institution and its representatives.

Not surprisingly, the 5 major OpRisk categories need further refining. Subcategories have to be created
which allow the adding of new OpRisk aspects and the subtracting of obsolete ones. They allow one to be
more specific on firm relevant risk drivers which require focus and responsibility assignment. Important is
the intellectual, organizational and continuous discipline in categorizing the risks and in doing something
reasonable about them:

OpRisk Sub-Categories

1. Governance / Structure
2. Culture
3. Communication
4. Project Management
5. Outsourcing
6. Business continuity
7. Security

Policy / Process
8. Policy and process
9. Compliance
10. Product
11. Client
12. Communications
13. Hard- and Software
14. IT Security

14 | P a g e
State Street HCL Services

15. Employee
16. Employer
17. Conflict of interest
18. Physical
19. Litigation
20. Fraud

These 20 sub-categories cannot be considered as complete. As methodologies and techniques advance at

CSG, so will these sub-categories be refined or deleted. After all, complexity requires breaking down and

It is important that this sub-categorization relies on a root analysis, i.e. causation of OpRisk loss events. By
linking causation to relevant business activities, it is intended to use this structure as a tool with which to act
upon OpRisk, thereby providing management with an OpRisk framework. The structure also lends itself to
possible quantification by drawing upon data sources relevant for modeling as well as for qualitative

While it is impossible to describe all aspects of each 20 sub-categories in this paper, important here is to
focus on the structure, the framework-basis, and their relevance to the daily management of any financial
services firm:

Operational Risk ≠ Total Risk - Credit Risk - Market Risk

Defining OpRisk in an exclusionary way - i.e. "totals risk - credit risk - market risk" - prevents from
identifying a structured way of managing it. Credit and market risks originate from outside the bank. In
contrast, OpRisk originates primarily from within the specific organization, except risks in the category

Some supervisors define Total Risk = Market Risk + Credit Risk + Other Risk. "Other Risks" include
primarily risks as to strategy, reputation, commission and fee income, liquidity, interest rate, legal,
operations. Ideally for some supervisors, models would produce a regulatory capital for all "Other Risks"
which is - certainly not yet - feasible in a credible fashion.

Risk as to strategy, reputation, commission and fee income, liquidity, interest rate have each to be and can
be handled in a different fashion. These risks are not covered here. Strategy risk deals with the existing
base of a bank and its options, based on a what-if analysis. Strategy is doing the right thing at the right
time. It is not so much the strategy, but implementation which in turn is OpRisk. The relative assessment
comes from the market, i.e. the relative stock performance.

Reputation risk is the aggregation of the outcome of all risks plus other internal and external factors.
Reputation is the outcome of the mix of doing the right thing and doing things right over an extended
period. The best measure is relative share performance, revenue growth, number of clients growth, rating
and attracting and keeping good staff.

Reputation is a reflection of facts, perceptions and expectations and a key factor for the share price.
15 | P a g e
State Street HCL Services

Commission and Fee Income risk (C&F) is above all determined by outside forces: market moves, margin
pressures. C&F risks are primarily revenue related and can be stress-tested with simple what-if analysis
which can be easily compared across banks: What if business volume decreases by e.g. 20%? What are
the effects on total revenues, NIAT, dividends? What is the organization’s flexibility to adjust to a downturn
over years?

Regulatory capital is not the solution for every risk. For Economic Risk Capital, an earnings-at-risk model
serves the purpose. Interest rate and liquidity risks are for my taste part of market risks. Models are
available for determining "outliers", i.e. those who are significantly above average for interest rate risks.
Legal risks - like litigation, documentation issues - are part of OpRisk. The legal environment and its
changes are part of strategy risk.

The Dimensions of OpRisk Management

Sustained, attractive returns increasingly depend on excellent risk management, including OpRisk
management. OpRisk of a bank is not new, it is as old as banks are. To understand the risks has always
been a fundamental, if only implicit, management process. What is new is:
The increased explicit awareness and consciousness of managers and senior management for
OpRisk issues
The explicit and analytical approach
The better awareness to gear an organization’s risk profile towards those risks for which it has a
comparative advantage in managing
The pressure to allocate capital more consciously

Risk management can add value and represent a valid business case in two dimensions:

1. Control: Independent risk assessment, compliance, business continuity planning, supervisory

requirements, limits, progress reporting, escalation, corrections, etc.
2. Shareholder value creation: efficiency, correct risk evaluation and pricing, duplicate control
avoidance, rational economic capital allocation, reduction of regulatory capital, product enhancements,
competitive strategic advantage, improved reputation, etc.

The dimension "1. Control" basically covers the following: avoiding accidents, catching non-compliance and
illegal actions, complying with rules and regulations, complying with usual management needs.

The dimension "2. Shareholder value creation" adds a further stage which treats OpRisk more like a real
business. OpRisk management also gets close to quality management, efficiency management and the
concept of opportunity cost.

Naturally, the line between control and shareholder value creation is difficult to draw. Important is the
direction to be chosen. OpRisk management, therefore, can move from one extreme to another one: Crisis
management _ business continuity planning _ compliance _ shareholder and other stakeholder value
enhancement. The spectrum moves from the Bottom to the Board Room.

There are neither ready-made solutions, nor quick-fixes, confusion is ubiquitous, activism is widely-spread -
and consultants enjoy hey days.
16 | P a g e
State Street HCL Services

Any major OpRisk management project has the following five preconditions for success:

Strong management support

Credibility overall
Small realistic steps: all at once is impossible
A better organization afterwards
Respect the constraints: compliance also with supervisors' requirements

Such a project may not be just "another project".

The four Stages of OpRisk Management

Major OpRisk-Mishaps in Financial Services:

12 Lessons learned - Introduction

Mistakes create opportunities. Exploiting such opportunities requires a willingness and capacity to learn.
Analysis of past internal or external mistakes is key to at least partially avoiding them in the future. Existing
OpRisk literature devoted to the investigation of lessons learned from past losses focuses on a few highly
publicized events.

This is primarily due to a widespread cultural barrier leading firms and individuals to disclosing only a
minimum of information concerning financial mishaps. In fact, most individuals and institutions tend to avoid

17 | P a g e
State Street HCL Services

"twisting the knife in the wound", viewing mistakes as shameful and preferring to address new challenges
rather than to resolve old ones. To tackle OpRisk, we must overcome this cultural barrier and refrain from
turning the page of mishap before having read and re-read it attentively!

The aim of this paper is to do such a revisiting in order to derive lessons from past collapses commonly
associated with an OpRisk event. This should help us to devise priorities and areas of focus for a
successful OpRisk management.

The 1977 Credit Suisse Chiasso Case

The old Credit Suisse Chiasso branch scandal of 1977 is a good example of Murphy’s Law in terms of a
fraud induced OpRisk. The reason for allocating the Chiasso scandal to an OpRisk event is that it occurred
exclusively as a consequence of having conducted business in an improper and inadequate manner.
Structural, procedural and control failures, errors and misdeeds were essential in building the Chiasso

What happened?

In the early 1960s, the Chiasso branch manager set up an offshore trustee company (Texon), officially
managed and controlled by an outside third party legal office. Texon provided the Chiasso branch manager
with a medium to "externalize" branch losses and a vehicle to circumvent CS controls on loans and
investments. The fraud began with placing customers' saving deposits in high yield instruments against CS
letters of guarantee for Texon.

Over time, the fraud extended to transferring non-performing branch loans for their full value to Texon and
converting the guarantees into participations. These practices were to continue until March 1977. During
this period and until the end of 1976, head office ignored several internal signals which hinted at
irregularities. Management never wondered how the Chiasso branch could show a sustained impressive
profitability track record, while other branches had to digest bad loans. Neither did it bother to inquire how
Chiasso could provide loans which other branches - based on headquarter imposed restrictions - had to
turn down.

Nor did it provide for a channel through which branch staff could escalate their concerns on possible
irregularities to head office. In summary, headquarters followed a policy of "why bother as long as profits
flowed". External signals raised to senior management were investigated on a minimalistic basis. Several
competitors’ complaints in 1968, 1969 and then again in 1976 about the practices of the Chiasso branch
were dismissed or superficially investigated, despite documented evidence.

Only the concerns of tax authorities on withholding tax evasion triggered an internal investigation in 1969.
The latter remained restricted to ensure the compliance of guarantees with regulations. Fact finding mostly
took place on a verbal basis and was satisfied by vague explanations. Internal audit was not requested to
act. Information about the identified irregularities remained limited to four individuals at the headquarters
until late 1976.

The implementation of corrective measures was never verified. In December 1976, the breakdown of
Weisscredit Bank - which failed due to similar practices as those practiced by the Chiasso branch - finally

18 | P a g e
State Street HCL Services

triggered concerns about the situation in Chiasso. Several initiatives were launched to investigate the links
and exposure of the branch to Texon.

In March 1977, a hasty and insufficiently prepared press statement about the fraud was issued. It contained
neither precise information about the risk amount nor any assurances of a contingency plan. The wildest
speculations broke loose and triggered a major crisis.

OpRisk Scandals in Financial Services: 12 Lessons

The total of 9 relevant cases of the past presented lead to the following 12 lessons for everybody:

1. A framework based on the OpRisk categorization elements constitutes a useful basis for identifying
major OpRisk drivers. If used as a checklist, it provides the basis for a disciplined and systematic
review of the aspects commonly at the root of OpRisk. The framework allows focusing
management’s attention on major weak spots requiring particular and regular attention.

2. It is not only "Banks" which incur OpRisk; non-banks can equally present a potential systemic risk.

3. Lack of good governance at large and lack and/or breach of policies and processes are the
common issues for all 9 cases. The 12 S's of each organization failed at work: Strategy,
structure, system/s, safety, speed, style, skills, just to name the most important here.

4. Human inadequacies are - not surprisingly - relevant in all cases, whether character or skill. The
big "C" for character in banking is as alive as ever.

5. External risks did not play a major role in any of the most severe cases of the past with the
exception of the BCCI case. However, the past is not an indicator for the future: Potential external
hazards need appropriate attention.

6. Relative size of an operational mishap tends to be correlated with the level of the perpetrator. In
fact - with the exception of the Barings and the not discussed Kidder Peabody cases - operational
crises tend to be:
Major when the perpetrator stems from management or owners
Absorbable when the perpetrator stems from more junior positions

7. The speed of irregularity detection generally depends on the complexity of the financial instruments
Short for more complex trading instruments - see transparent market developments, MIS
and generally higher "risk awareness".
Longer for standard financial instruments - see documentation for loans with long tenors,

8. Operational irregularities tend to happen more often in branches or remote subsidiaries than at

19 | P a g e
State Street HCL Services

9. Trust is recommended, but must be complemented by diligent supervision and accepted controls.
Senior management and Boards have to take their supervisory function seriously and invest time in
it. This often requires a personal follow-up, no hesitation in being more demanding on details, as
well as a sharing of the personal assessment of the situation with colleagues. Unavailability of
direct and reliable information is a problem. Therefore, additional checks are needed such as:

Track record of irregularities (e.g. tax irregularities)

Track record of generating competitors' complaints
Sustained profits and absence of bad loans compared with others
Feedback to inquiries
Site visits
Intuition, "gut feeling": Management is seldom an "IQ" issue only

10. Significantly higher returns than average over time deserve more attention. Are the people involved
really that much smarter?

11. Internal and external communication and expectation management is crucial; both are part of
OpRisk management once the mishap is recognized. It requires a crisis task force devoted to finding
out all the facts and devising a clear contingency plan of measures to be taken to sort out the problem.
Co-ordination with authorities and experts from the public relations / communication department is
essential. Based on this, a professional communication strategy has to be defined ensuring
explanatory, fact based press releases
12. If you do not learn from internal and/or external mistakes, you just make another mistake. An
organization must be a learning organization. Otherwise, a financial services organization cannot
be a knowledge company - which is what it should be.

Some interesting questions can be raised:

Did the models of LTCM work - with the smartest quant brains available worldwide?
Would any of the present and potentially upcoming quantification approaches for
OpRisk (including Value at Risk, Extreme Value Theory, Chaos Theory etc.) have been of
relevant use at the time of occurrence?
Would such theoretical quantification ex-ante have avoided the mishaps?
Would any of the today's quant-approaches have calculated a large enough capital
requirement to avoid a total collapse of BCCI or Barings?
And, if so, would these two organizations with such huge additional capital
Requirements have been competitive before the collapse?

Organizations with a 5000 Year OpRisk Experience:

12 Lessons - Introduction

Experience is often key to success. OpRisk is not constrained to banking activities but involved in all
activities and organizations of human beings. Long before analytical OpRisk management came into
fashion in the financial industry; it was already a core concern for several sectors of life. Since it exists, the

20 | P a g e
State Street HCL Services

military as a managed human and technical organization has been devising ways to manage operational

Armies over the years have as an organization developed certain principles which have been adjusted
again and again. Not to learn from this experience in financial services - also with technological challenges
- would be arrogant and represent another OpRisk opportunity loss.

For decades, the manufacturing industry has been devising solutions for controlling their OpRisk. The
OpRisk management methods developed by these sectors of activity are the result of many years of trial
and error, of fine-tuning and of perfectioning.

The aim of this chapter is to review a selected set of the methods of OpRisk management. This should help
to devise or confirm the key elements and rules that should feature financial sector's approach to OpRisk
management. Very briefly, methods for managing OpRisk, which have been developed by the US military
with its recent experience, are reviewed. This leads again directly or indirectly relevant for financial services

Principles of the Military

In the military, the purpose of OpRisk management is to enhance hazard identification in the operational
environment in order to eliminate risks or reduce them to an acceptable level.

The US military has developed simple tools to help its leaders make sound decisions in a logical manner in
order to manage identified risks. The general structure of these tools is common to all units. However, their
detailing and implementation is very unit specific.

Operational Risk Management Six Step Process

1. Identify the Risk

The first step is to identify the hazards or risks. It is crucial to obtain a complete list of the hazards to which
an operation is exposed. The 5-M model - man, machine, media, management, and mission - provides the
basic framework for analyzing operational systems and determining the relationship between composite
elements that work together to perform the mission.
21 | P a g e
State Street HCL Services

There is a significant overlap between the elements of the 5-M model as they interrelate directly. However,
the most crucial elements are leadership and management, because they define how this interaction takes
place. Military and civilian safety studies cite management processes to amount to 80% of reported
mishaps. The focus of the 5-M model is to identify in detail what could cause a mishap, or an operational
risk. Therefore, the army places extreme importance on detailing the various elements of the 5-M model.
Based on its experience, it has developed a detailing covering all risk origins for each of the elements of the
5-M model.

2. Assess the Risk

With the hazards identified, some method is required to assess and prioritize the list of hazards. The aim is
to put the limited resources against the risk faced. For this purpose, risk is defined as "the probability and
severity of loss linked to the hazard".

How does one go about assessing the OpRisk level? The army provides a useful systematic and simple
approach for going through each element of the 5-M checklist:

First, assess the hazard exposure

Second, assess the hazard severity
Third, assess the mishap event probability
Fourth, complete the risk assessment

3. Analyze Risk Control Measures

After having completed the risk assessment, the USAF analyses control measures. For each hazard
exceeding an acceptable level of risk, the USAF:
Identifies risk control measures
Determines risk control effects
Prioritizes the list of available risk control measures

The identification of risk control measures involves searching for as many risk control options as possible
by referring to the list of causes. Risk control options include avoidance, reduction, spreading and
transference. Tools used to perform this task are brainstorming, mission accident analysis and "what-if"
analysis. In the financial sector, the analysis of past OpRisk events could offer interesting avenues in
identifying relevant risk control measures.

The determination of risk control effects evaluates the effectiveness of each control measure. Tools used in
this context are mishap risk index matrices, scenarios and next accident assessments. In the financial
sector these tools are also available, but could benefit from enhancing mechanisms and standards for
systematic learning from mishaps.

The prioritization of risk controls prepares the choice of measures to be taken. Best controls are generally
consistent with mission objectives and the optimum use of available resources. It involves the use of tools
such as computer modeling, opportunity assessment and a cost versus benefit analysis. In the financial
sectors similar tools are used, but not often in the context of OpRisk.

22 | P a g e
State Street HCL Services

4. Make Control Decisions

After having prioritized risk control measures, the person in USAF who is accountable for accepting the risk
has to make the risk control decisions. For each hazard, the accountable person selects those risk control
measures that will reduce the risk to an acceptable level. Tools assisting in making this choice are
databases of implementation decisions recorded in a standardized format. In the financial industry an
important requirement for such a procedure would be a clear responsibility allocation for each OpRisk

The benefits of the operation are set against the level of risk of the operation, considering the cumulative
risk of all identified hazards, the long term consequences of the decision and the law of diminishing returns
of resources allocated to risk control

5. Risk Control Implementation

Once the operations are launched it is essential to ensure the implementation of the selected risk control
measures. In the USAF, this involves:
Making the implementation clear
Establishing accountability
Providing support

Clarifying implementation entails making sure that control measures are understood. For this purpose,
directives, a roadmap for implementation as well as a description of the attempted end state are provided.
Tools used for this task are examples, pictures, charts, job aids, etc. In the financial industry, policies,
directives and manuals are often used as well as training material. These could be complemented by
simple summaries of lessons learned from practical OpRisk cases.

Accountability is an important element of OpRisk management. It requires sign off and proper
documentation of all relevant risk taking decisions. In the financial industry, this aspect is critical given the
relatively rapid turnover of staff. Quick response times, however, should not serve as an excuse to neglect
documentation. Possibly computer aided standardized decision making forms could provide an avenue for
enhancing accountability.

To be successful, command must support the control measures put in place. This requires getting
command approval prior to implementing a control measure. In the financial industry, this would possibly
require making OpRisk an issue for the BoD and mandating the CRO or COO with the day to day
management of OpRisk.

6. Supervise and Review

Once the operation is running it requires to be supervised. This entails the monitoring of the operation to
ensure that:
Controls are effective and remain in place
Changes in the operation which require further risk management are identified
Actions are taken to correct ineffective risk controls and reinitiate the risk management steps in
response to new hazards

23 | P a g e
State Street HCL Services

Tools assisting in performing supervision include inspection, observation and feedback programs. In the
financial industry management reviews, audits and controlling investigations are increasingly tailored to
OpRisk management aspects. The operations must also be periodically reviewed. The review process must
be systematic. Once assets are expended to control risks, a cost benefit analysis must be accomplished to
see whether risk and cost are in balance.

OpRisk: 12 Lessons to learn & implement -

1. "OpRisk management is a process, not a program! It requires incorporating risk in decision making
at all levels."

2. "OpRisk management is:

Logic-based common sense approach to decision making
Integrates the 5-M factors, before, during and after the operation
Not a radical new way of doing things
"Mission oriented"

3. Always use the proper methodology: The 5-M concept:

Management (standards, procedures, values, goals)
Media (environment)
Mission or mishap

Risk categories are categorized as to their severity and probability

4. Apply the 6 steps process (Air Combat Command):

Identify risk
Assess risk
Analyze risk
Make control decisions
Implement risk control
Supervise and review

Intensity of risk management is different with time available:

Hasty = time critical: on the run consideration of the 6 steps above
Deliberate: complete 6 steps application _ add time and techniques
In-depth: complete 6 steps application _ add time, techniques and energy

5. Civilian and military studies reveal: Insufficient management processes are responsible for 80% of
mishaps Personnel is the dominant factor in mishaps.

Therefore, it has to be led. Ideally, management should ensure that everyone when performing his
or her tasks takes into account some risk management considerations. Experience of military on
the quality of involvement strongly supports this approach;

24 | P a g e
State Street HCL Services

Successful risk management requires an enterprise culture which makes everyone a risk manager.
Such a culture ensures pro-active risk Management

6. "Safety is built on integrity, trust and leadership, created and sustained by effective
communication" = enterprise culture

7. To establish a personal ownership as a risk culture, five levels of OpRisk management training can
be conceived:
Indoctrination: Making everyone aware of OpRisk
User: Introduce concerned individuals to the five step OpRisk management process
Advanced: Train relevant individuals to apply OpRisk management and its tools
Leader: Enable responsible individuals to make OpRisk management decisions
Senior leader: Provide a basic understanding of OpRisk management

8. Anticipate and manage risk by planning: This first rule is one of simple efficiency and economy.
Risks are more easily managed when addressed in the planning stage of an operation.

9. Make risk decisions at the right level: This is a level where the decision-maker has the necessary
information, experience and maturity to make a good decision. Normally risk decisions are made
by the leader directly responsible for the operation, e.g. at the level where the risk taking can be
influenced and is born. However, the level of approval authority should be commensurate with the
level of risk accepted. Final risk decision-making authority resides with the agency or individual
assigning the tasking within the chain of command.

10. Accept no unnecessary risk: Leaders who accept unnecessary risk are gambling with others’ lives
(in banking with others’ money). Take only risks that are necessary to accomplish the mission.

11. Accept risk when benefits outweigh the cost: This rule recognizes two key truths:
There is some degree of risk associated with all operations.
The goal of OpRisk management is not to eliminate risk, but to manage the risk so that the
mission can be accomplished with the minimum amount of loss

12 KISS: Keep It Short and Simple - This rule recognizes three key truths:

Complexity is often at the root of risk

Communication is essential to mitigate risks
Others do not per se understand one’s thinking

25 | P a g e
State Street HCL Services

Risk Management Framework

An analytical and conscious approach to solve management issues - in this context in regard to OpRisk
management - can be structured along the 12 S's for every organization.

Each financial services organization has its own peculiar history, set-up, strategy, structure, values and
challenges. Retail banking, asset management, brokerage, trading, investment banking, insurance, they all
have very different prerequisites. Here, I have tried to come up with some salient common and general
OpRisk related denominators concerning any organization, irrespective of its peculiarities. By nature,
the comments are more oriented toward high level issues.

Basically, one can differentiate between "six tiers of defense" for risks:

Tier 1: Business front line with the prime responsibility for taking and managing risks
Tier 2: Support functions like product control, strategic risk management, legal and compliance,
country management with focus on specific risk areas and concentrations
Tier 3: Senior management and supervisory board with focus on the overall risk profile
Tier 4: Internal and external audit with focus on deficiencies as to policy, structure, rules,
regulations etc.
Tier 5: Regulators - supervisors with prime role of an external referee
Tier 6: Shareholders and other stakeholders as ultimate daily overall judges

Strategy and Structure

There are very few really original banking strategies. Implementation is the issue. However, any financial
organization without a dedicated, simple and continuously checked strategy is lost from the start: "Strategy
is always simple, but it is not for that reason easy" (von Clausewitz). The strategy should secure no undue
risk taking, e.g. set ambitious but realistic targets.
26 | P a g e
State Street HCL Services

The structure very much depends on the strategy. Only a logical structure can lead to the successful
implementation of the S's, especially for OpRisk management and its related issues like TQM, efficiency
and effectivity. A structure for the 21st century has to take into account the need for continued innovation
and creativity: structure with flexibility.

We also should not completely overlook Peter Drucker's statement: "No institution can possibly survive if it
needs geniuses or supermen to manage it. It must be organized in such a way as to be able to get along
under a leadership composed of average human beings."

Management Structure for OpRisk

A survey has identified 3 generic organizational models for OpRisk management:

A Head Office OpRisk function

A dedicated but decentralized support
Internal Audit playing a lead role in OpRisk management.

Corporate Operational Risk Organization Model

As important as the concrete structure is the visibility, acceptance and firmness of risk management, as it is
not a profit center. Risk management must add value by:
Fostering risk awareness in various situations and cycles of a firm or market
Setting standards
Ensuring smooth running of the firm's risk processes and methods
Disclosing and escalating relevant risks to senior management
No positions, but helping to prevent losses
Offering constructive risk mitigation and pricing advice
Assessing / quantifying risks
Benchmarking with peers, where feasible

27 | P a g e
State Street HCL Services

Framework of OpRisk Management

A common framework for OpRisk management for banks which has emerged recently includes integrated
processes, tools and mitigation strategies. This framework has 6 components as presented below.

Enterprise-wide OpRisk Management Framework

OpRisk Control Process: 12 General Rules to Watch

In its September 1998 framework on internal control the BIS mentions three main objectives and roles of
the internal control framework:
Efficiency and effectiveness of activities (performance objectives)
Reliability, completeness and timeliness of financial and management information (information
Compliance with applicable laws and regulations (compliance objectives)

Internal control consists of 5 interrelated elements:

Management oversight and the control culture

Risk recognition and assessment
Control activities and segregation of duties
Information and communication
Monitoring activities and correcting deficiencies

28 | P a g e
State Street HCL Services

The control and compliance process of a firm represents one of the most decisive OpRisk management
tasks, especially in today's environment. An appropriate control and compliance culture is part of the risk
culture. This "cultural aspect" needs close and continued attention by senior management. "Culture" is
Qualitative. It cannot be quantified or modeled. For me, the risk culture aspect is the most decisive factor
and base for good risk management.

OpRisk Control: 12 General Rules as a Check List

1. Control is a difficult balance between action making the fortune and "the cautious seldom err"
(Confucius): Have a control environment and a compliance culture which accepts internal
supervision: Compare some of the "S" of an organization: strategy _ structure _ system _ systems
_ safety _ speed _ staff _ skills _ style _ shared values.

2. Regulators' standards are continuously being raised, especially in OECD countries. Supervisors
increasingly discipline breaches of responsibilities. Individuals are increasingly held responsible by

3. Map regulatory requirements directly to compliance control.

4. Organize the activities so that they can be controlled: Establish clear structures and procedures;
allocate responsibilities to suitable individuals. Integrate OpRisk functions/responsibilities in job

5. Construct procedures relevant for the concrete activity, including: Structure, activity, workflow,
"owner" of specific activity, does "owner" know what he/she owns, checks organized, records, key
risks, regulatory requirements, controls.

6. Document the procedures and maintain the relevant documents: You might have to prove

7. Procedures should ideally have the following characteristics:

Single document as to rules and requirements
Structured along the activity flow
Clear: so someone else can pick it up; see staff turnover, role of temps and consultants
Instructing: what is to be done in case of......
Teachable: so it can be used as a training aid
Implementable: use simple check lists

8. Train management and staff:

Train the supervisors of staff: supervisors also check.

9. Special attention for control procedures should be paid to the following:

29 | P a g e
State Street HCL Services

New business / activity / product

Internet activity, e-business
Security, safety: access to infrastructure, internal data
Client privacy protection, including data on clients
Insider trading
Conflicts of interest
Money laundering
Suitability of clients
Branch/subsidiary offices, especially far away from HO
Overly profitable areas
Internal communication/information flow
Change management

10. Compliance plays an increasingly core role for OpRisk control

Proper positioning of compliance for a specialized activity: e.g. private banking has very
different requirements compared to investment banking
Compliance officers becoming risk managers: from a rule based approach to a function based
Enough and suitable compliance staff?
Adequate procedures and reporting lines?
Access to senior management?
Staff understands compliance function?
Compliance monitoring?
Elevation procedures?
Investigation on breaches?
Follow-up on rectification?

11. E-commerce presents a new control/compliance challenge

Entrepreneurs and creative innovators also need structure and systematic approaches in
management: e-enablement = e-compliance
E-business within the firm's regulatory and compliance framework
Monitoring by senior management

12. Supervisory board and senior management have an increasing responsibility for controls and
compliance: from back to board room
Key functions and procedures?
Control environment?
Adequate compliance function?
Controls: serious breaches and their remedial follow-ups?
Database on breaches?
Clear areas of management responsibility?

30 | P a g e
State Street HCL Services

Management support for controls?

Compensation impact?

Staff and Skills

The value of a financial services institution increasingly lies in its intangibles: data, knowledge, skills,
people, network, reputation and brand. These are bundled together in the organization and can also reflect
in OpRisk. Worldwide, a battle for talent is going on. Human capital has become more important than
financial capital. Human capital with its creativity will become THE core asset. The brain ware is the issue,
not the hardware!

For financial institutions, employee selection, retention and development is at least on the same level as
customer loyalty or shareholder support. As a matter of fact, the last two stakeholders' aspects very much
depend on proper management and staff. Despite all the quantitative and analytical methods used in
disciplined and structured organizations, people still base their decisions on personal inclination, ad-hoc
influences, group dynamics, belief systems, cultural norms and values.

Staff and Skills: 12 Principles

1. Personality of a person is probably the most important core trait for a successful long term survival
in an organization, followed by motivation and ability. If above statement is correct, personality
aspects should be the key selection and retention arguments. There is seldom a large difference
between what a person is privately versus professionally.

These aspects should never be forgotten as the ultimate source of OpRisk is always human in
nature. This is important for risk management in general as risks are perceived subjectively: when
a risk taker is in a relevant gain position, he/she becomes more conservative; in a position of loss,
he/she normally becomes more risk seeking, having not much to lose (Prospect theory).

A common bias is also the personal confirmation bias: more attention is given to information which
confirms a personal hypothesis than information which contradicts it. All this requires employees
with character, integrity and ability to be self-critical.

2. Never hire or keep anybody where there are question marks as to integrity and intellectual honesty;
it only leads to additional OpRisk. This is easy to say, difficult to do. Intuition, experience and EQ
remain important. "Integrity without knowledge is weak and useless, and knowledge without
integrity is dangerous and dreadful" (S. Johnson, 1709 - 1784).

Hire people who understand what they do and what they decide. For tasks of some importance,
always hire somebody who is interested in developing him- or herself.

3. If the difference between very good and not so good employees is 2 to 1, then the selection,
retention and development of people becomes even more crucial. Recruiting and nurturing skills of
managers and HR will be challenged even more in regard to this OpRisk.

31 | P a g e
State Street HCL Services

Not only the responsibility, position, empowerment, outlook, compensation and colleagues attract
excellent staff. More flexibility is needed for e.g. for job-sharing, part-time or term-time working,
dress-downs, telecommuting, childcare, paternity leave, special leave, no-strings attached
sabbaticals, privileged early-stage investments, stock options, tax advice.

4. Be aware that different attitudes exist, especially among younger people:

Be part of a fashionable job with positive vibrations, even if very demanding and
hyperactive, or
Ensure balance between private and professional lives

Both attitudes can lead to personal growth, but watch the drag factor of a 80% commitment only:
another OpRisk issue.

5. Managers and staff in Operations and Support often are not in the limelight like front people. This
does not imply that aspirations and expectations of support people can be kept low! Take into
account the aspects shown under 3., but also include some limelight. Example: "Team of the
month" as an official firm wide announcement. Make entrepreneurship and creativity an issue, also
in operational or support areas.

6. Excellent performers in front functions or specialists are not necessarily good people managers -
which can mean OpRisk. Some aspects of management can be learned, but not all. New skills
needed in a competitive world include the management of change, of confrontation without hostility
and of conflicts.

7. People's ability to change/learn is not primarily a function of capacity, but of choice. People with the
most attractive personality and best skills are the most mobile. Management and staff of a global
organization need to demonstrate four key qualifications:

Knowledge and

Without these, a global organization is bound to have problems. It is probably correct that a proper
culture of an organization improves people's attitudes and strengths. Global markets require a mix
of management skills, including sensitivity, multicultural perspective, technological literacy, IQ, EQ
and leadership.

8. Continuous training and retraining becomes crucial for each employer and employee, given the
new economic environment, diversity of staff, high turnover rates and the coming termination of
loyalty and lifetime employment.

9. The new technology of Inter- and Intranet makes a very efficient, continuous in-house education
and training - Webucation - possible: B2E.

32 | P a g e
State Street HCL Services

10. Knowledge management is an increasingly important and conscious corporate activity. It leverages
existing intellectual information assets, corporate experience and best practice. This is even more
crucial, given the growing diversity of staff and high turnover rates.

Organizations are being challenged to identify and separate the high-value, high-utility data from
the low-value data. Staff is mostly over-newsed and often under-informed. Therefore, knowledge
management is also information management: the right contents in proper form, at the right time
to the right people becomes the key to success.

11. Coming to other regions from the USA, management and staff issues in regard to discrimination,
mobbing, bullying, harassments of all sorts and infrastructural environment aspects have to be a
senior management's OpRisk concern today. Staff pressure, litigation and/or media pressure in
those areas are becoming more prevalent in Europe. Tougher legislation will come up.

12. The engagement of outside consultants has become an important skill feature for almost any
financial institution, including for OpRisk management matters. Such a temporary skill acquisition
can be successful as long as the following conditions are met:

Well formulated specified mandate with time limit

Right experience
Your project must be a consultant's priority
Qualification of team members with specific responsibilities
Acceptable financial situation of the consulting firm
No conflict of interest
Credibility as ambassador for the institution
Compliance with internal rules during the contract, including trading rules

The consulting hey days for the introduction of the Euro and for Year 2000 are over. New engagements
must be found among which OpRisk matters are most welcome. Some consultants are playing on fears
about vulnerability rather than providing relevant and credible solutions; some of their representations vis à
vis regulators do not make life easier for banks.

Style and Shared Values: 11 Guidelines

1. Culture is core for the identity of people. Traditionally, culture has been linked to common
language, values, customs and beliefs on a local, national and perhaps regional level. New mass
media and Internet seem to be forging tomorrow's global culture with an internationalization of
activities and staff.

Is the culture of global identification and cyber citizenship going to be enough of roots, values and
beliefs? Corporate culture - an expression often used and misused - is this formal and informal,
written and unwritten and often invisible totality of common norms, values, thinking and acting
which determines the behaviors of management and staff. Each organization has its very specific
corporate culture. It is a qualitative expression of the organization, internally and externally; such
an expression can be difficult to describe.

33 | P a g e
State Street HCL Services

2. Risk culture - besides people - is THE most crucial factor for a successful risk management
generally and in OpRisk management in particular. This aspect is - in my judgment - even more
important than the most sophisticated quantitative risk models which also need intellectual honesty.
The control culture acts above all at the very place where risks are taken: At the level of the
individual acting on behalf of the firm.

What is acceptable may differ from one individual or organization to the next; "acceptability" needs
formal and informal processes. Not every decision can have or should have written rules:
Managers and staff have to be able to make the majority of their decisions within a cultural
framework, even if he or she acts far away. Purely and formally ruled staff is an excellent recipe for
getting mediocre quality only.

3. Top responsibility for the risk culture lies with senior management. Some components of a good
risk culture:

Honesty, intellectual honesty; integrity; fairness

Flat structure; proper system and systems
Properly formulated policies
Clear guidelines and manuals
Continuous risk oriented training
Alert staff, supportive management
Active and constructive communication
Open agendas
Acceptance of controls
Natural, risk conscious behavior; risk-adjusted compensation
Elimination of undesirable managers and staff
Prevention of risks ahead of correction
Identification with the company; sense of belonging

4. Financial services are largely a judgment business. Therefore, mistakes happen daily as the future
turns out differently than expected. It follows that a key factor in risk management and risk culture
is discipline and perseverance as THE message of senior management. Discipline must be in
place as to following structures, system and systems, but also as to admitting and learning from
mistakes and correcting them properly.

5. The style of a company should be inspiring - according to my perhaps still idealistic taste - with the
following parameters: The employee brings competitive performance short-term and continuous
competence building long-term. At the same time, the employer cares for competitive employment
terms and conditions short-term and commits sustained investment in employability long-term.

Given the environment today and tomorrow, such contract between employee and employer
should be attractive for both partners. Important are the shared aspirations, openness and the
ability to work in a team. "It is by acts, not by ideas that people live" (Anatole France).

34 | P a g e
State Street HCL Services

6. The role of internal communication through informal processes and structures must not be
underestimated. Such processes often are the sources of initiatives, creativity, innovation, energy
and avoidance of risks.

6.1 One recipe for OpRisk management is the removal of a "blame culture". To sack or reprimand staff
after an incident can lead to covering up future problems. Therefore, a performance appraisal
process must be designed to pick-up poor shows at an early stage. Staff must feel less concerned
about admitting mistakes.

7. Avoid "silo thinking and acting" in OpRisk management. All should know what others - relevant for
their responsibilities - are doing and planning. A "full picture" environment, professionalism and
motivation will be improved. Avoid the "knowledge is power" syndrome.

8. Risk management - in the context of corporate culture and specifically for risk / control culture - is a
continuing, never-ending process, not a program. Controlling and disaster simulation are good
measures for judging the overall state of the organization and using as base for improvements.

9. "To take care" of management and staff is not synonymous with "caring for people";
psychologically, there can be a very fine line between the two. Subordinates or staff fully realizes
this. Senior management's action and reaction should take this into account when working towards
mitigating OpRisk.

10. Whether an organization has a good or bad risk culture is a highly qualitative judgment. While it is
the most crucial aspect of risk management, it cannot be mathematically quantified. The direct non-
quantifiable characteristics of risk culture make regulators uneasy. To singularly judge an
organization with maturity and experience must be highly challenging for an outside supervisor,
certainly much more than "box-ticking".

11. Common denominators and shared values of an organization are becoming much more relevant,
given the "dilution" of other institutions' credibility, the rapid change, the diversity and fluctuation of
staff and the globalization of business.

Managing Operational Risks:

Practical Instruments and Tools


Management of operations has always used some sort of tools to identify, assess, control and manage
OpRisk in its day-to-day specific area of activity. With the increased awareness of senior management for
risks in general and for OpRisk in particular, these tools have received closer attention.

No one tool on its own is sufficient; each has its limitations. "Synchronization" of the tools combined with
previously discussed, more high level approaches of general management - including audits and
compliance measures - is the issue. Such an approach leads to integrated risk management.
Control and Risk Self-Assessment According to a recent study, self-assessment is the most widely used
tool among banks.
35 | P a g e
State Street HCL Services

Control and Risk Self-Assessment (CRSA) is a work team-based technique to help managers identify and
measure OpRisk through estimates based on the consensus opinion of a group of knowledgeable
managers and staff. The ultimate objective of this process is to foster the identification, assessment and
mitigation of OpRisk.

CRSA uses a formally documented process in which management and/or work teams review the
effectiveness of the business controls to contain risks and to meet defined objectives. A facilitator
is designated to assist the work team whose members should be people who are key to the achievement of
the specific business objective or are influencing the operation that has been selected for review. In many
cases, a cross-functional work team helps to develop the broadest possible coverage for the achievement
of the business objective.

Management must clarify the relationship between the organization’s primary corporate objectives and the
specific business line objectives for each participating unit. These objectives can include diverse areas, as
well as diverse practical applications for every department and every employee function.

Workshops are conducted with employees from participating departments using a framework consisting of
control categories, to review the controls in place to achieve each business objective under analysis. The
framework's categories may include: purpose, commitment, planning, capability, direct controls,
measurement, employee well-being and morale, process oversight and culture.

The objectives are analyzed in terms of:

Threats - events that could prevent the achievement of an objective

Controls - activities that provide additional assurance that objectives are met
Agreed residual risk - the real or possible events or situations where a business/quality
objective is not being met or may not be met given the controls in use/place.

The information on threats, controls and risks is captured for each business objective. The information is
then documented, summarized and reported to senior management. Due to the dynamic nature of a firm's
risk profile, CRSA findings should periodically be updated.

Impact & Frequency Scorecard

It can also be useful to assess the impact and frequency of identified and relevant OpRisk events. This may
be done using an impact and frequency scoring system. In particular OpRisk events that are identified as
having potentially significant impact can be isolated for further analysis which may include frequency
estimator and investigative study. Based on the fact findings from these analytical tools, appropriate
management response can then be deployed.

Risk Indicators and Escalation Triggers

OpRisk literature is full of fancy terms like KPI, KCI and KRI. These are nothing but abbreviations of the
superlative of one and the same thing: All departments in a bank watch certain figures or trends related to
their work. Sales people would monitor performance; settlement staff monitors mistakes resulting from
inaccuracies in their operation etc. They all choose certain indicators which can be sensibly tracked over
36 | P a g e
State Street HCL Services

time. A selection of the most valuable of these indicators is then elevated to "key indicator" status.

The market has coined three different names for such indicators which are relevant for OpRisk

Key Performance Indicators (KPI) are normally used for monitoring operational efficiency; red flags are
triggered if the indicators move outside the established range. Examples: failed trades, staff turnover,
volume, systems downtime. Key Control Indicators (KCI) demonstrates the effectiveness of controls.


A number of audit exceptions, number of outstanding confirmations. Key Risk Indicators (KRI) are primarily
a selection of KPIs and KCIs. This selection is made by risk managers from a pool of business
data/indicators considered useful for the purpose of risk tracking.

A KRI gives insight on the extent of stress of an activity. Examples include a number of failed trades,
severity of errors and omissions, cancel and corrects, change management events, contract staff versus
permanent staff, IT security breaches, breaches in Service Level Agreements, unfilled vacancies, absence
levels and customer satisfaction surveys.

Typically, a business unit or department uses 10-15 different KRI's. KRIs must be used as a time series to
monitor and foresee trends. If skillfully used, such trend analyses can serve as an early warning system
and provide directional input for senior management involvement.

Group-wide KRI - Rolling up from Base Data to Group OpRisk Indicators

37 | P a g e
State Street HCL Services

Risk and Process Mapping

OpRisk mapping is based on self-assessment / perception survey and is a qualitative technique to identify,
categorize, analyze and assign:

Specific risks against a standard template

Controls or other tactics to manage identified risks
Residual risks and desired levels of residual risks
Responsibility for management of identified risks

Process or activity mapping is a technique employed to describe business processes in a clear, visible way.
In the context of OpRisk, it is designed to provide a reflection of the diverse activities that take place within
the departments, identifying risk drivers and controls. It can also help highlight issues such as:
The time delay between the risk and the control that identifies it. This gives an indication of
how long a risk may exist before its controls discover it.
More than one control to prevent the same risk may indicate over-inspection and
inefficiencies or lack of confidence in the process.
Lack of control to prevent a risk may be a consequence of a process inadequacy.


38 | P a g e