1.

Definition of operational risk

1.1. Reality
The existing operational risk rate has risen dramatically in recent years. Many
significant bank failures have occurred around the world as a result of the modern
economy. The terrorist attacks of September 11, and fraudulent company losses at
Société Générale (France), Barings (UK), AIB (Ireland), and the National Bank of
Australia demonstrate that risk control is more than just market risk and credit risk.
And, in particular, the number of operational risk damages is typically very high. The
most notable is the 1995 failure of Barings Bank, one of Britain's oldest banks, which
sparked a massive uproar in the banking community. An employee of this bank, Nick
Leeson, "borrowed" Barings for equity speculation, resulting in a $1.4 billion loss
despite the bank's fixed capital of just $ 615 million.

When the existing risk occurs in all classes of risks that must be handled and is closely
linked to other categories of risks in banking activities, it becomes more apparent.
Credit risk and business risk present current risk, either directly or indirectly.

1.2. Definition

According to the Basel Committee on banking supervision:

“Operational risk is the risk of loss due to human causes, inadequate or poor operation
of the process and system; external objective events "

- The cause of operational risk:

+ Risks due to regulations, professional processes: Operational risks caused
by the process due to incomplete contractual documents, lack of specific
instructions, make it difficult for employees or have many inadequacies,
incomplete, creating a gap for bad guys to take advantage of. bad for the
bank.
+ Risks are caused by bank officials: Operational risk caused by employees
and internal fraud. This is one of the main reasons causing risks in the
banking industry. And especially, the risk caused by the injured employee
 causes great damage. Bank staff are highly qualified and well informed
people, they can cheat or collude internally and externally, but sometimes
it can be confusing due to large and complex workloads. magazine in the
banking industry. Employee fraud: theft or collusion between bank staff
and customers. Bank staff intentionally recorded the wrong position,
intentionally marked the wrong position, performed illegal transactions,
and insider transactions. Employees collude with outsiders to destroy, steal
or steal or accept bribes…. Employees accidentally make mistakes: bank
employees may mistakenly account for the wrong transaction or the wrong
currency when transferring money ... Commercial banks lose or lack key
characters.
+ Risks caused by external influences: In addition to the above reasons, there
are also operating risks, the cause of which is external factors such as law,
natural disasters, crime, terrorism ... The risk of external fraud is mainly
related to theft. Document fraud fraud is carried out by a third party outside
the organization.
+ Risks from information technology systems: Operational risk caused by
information technology can be caused by poor software quality that can
easily cause errors or system security loopholes due to incomplete
information data or insecure information security systems. . Without a
modern information technology system, it can create many security holes,
vulnerable to hackers entering the system to steal customer information or
other information. These hackers can counterfeit credit cards or ATM cards
to withdraw the bank's money, causing a lot of damage and can affect the
reputation of the bank.
+ Risks due to other reasons.

1.3. Characteristics
If credit risk and market risk relate to only one or several parts of a bank, then
operational risk is related to all divisions.

For example: If a power failure occurs or a computer system error is suspended, the
entire banking operation will be halted.

Or, if the capital mobilization process is not in accordance with the current regulations
of the regulators, there is a risk that the bank will be penalized and the transactions will
be canceled.

=>> The main cause of operational risk, which can be seen through the above examples
and comes from human factors with activities such as fraud, embezzlement, document
forgery, information theft, performing transactions not in accordance with the authority,
intentionally acting against the regulations of the bank, the law,..

2. Ratio or how to measure operational risk at banks

2.1. Indicators for measuring KRIs

- Definition: KRIs are metrics or systems for calculating the cost of operational
risk.

As a result, something that meets the aforementioned criteria is called a risk predictor.
When an indication reflects particularly serious damage or a pattern of mishaps, it
becomes important. We're looking for metrics that monitor the intensity and frequency
of operational risk.

Risk metrics are made up of a number of different criteria that reflect each level of risk.
In banks, some of the most widely used metrics include:

Incident Indicators for Measuring Risk (KRIs)

Cheat - Number of insider frauds

- Number of outsider frauds

Customer - The number of allegations and conflicts that

complaints and have been reported.
disputes - The number of grievances reported has
 surpassed X days.

Vacancies - The percentage of workers who are unemployed.

- Empty vacancies for more than X days.

Product policy - A large number of products were provided but

were not properly completed;

- The number of products deployed was too late.

Errors - The sum of money is inadequate or has been wasted

as a result of a mistake.

- The number of offences is insufficient.

Transaction - Amount of trading

processing.
- The sum of past-due debt that is now awaiting
settlement.

Information - The number and duration of device outages

technology - The number and duration of unscheduled server
outages.

- Number of offenses, fines, and warnings for

Violation of
agency/law violations
regulations.

- Kris's ambition:

o Double-check that the risk assessment is right.

o Ensuring that danger warnings are sent to business units in a timely and accurate way.
 2.2. Method for calculating operational risk

Depending on the complexity and risk sensitivity in each business operation

Bank, Basel II proposes three ways for banks to determine the minimum amount of
capital required to assess the cost of operational risk management:

• The Basic Indicator Approach (BIA) tool, which is focused on a financial institution's
annual sales.

• The Standardized Approach (SA), which is focused on the annual sales of each
financial institution's business line.

• The Approach to Advanced Measurement (AMA)

Without the permission of a supervisor, a bank could not use the simplified method after
using the more sophisticated method. If the supervisor decides that the bank's use of a
more sophisticated method does not fulfill the method's standard qualification, the bank
may be asked to resort to a single solution. more straightforward

2.2.1. The Basic Indicator Approach (BIA) framework is focused on a

financial institution's annual sales.

The basic indicator approach is much simpler than the other techniques for measuring
operational risk and is therefore recommended for small financial entities whose
operations are not very complex.

This method calculates the operational risk for the entire organization and then assigns
the result to the operational lines. The basic indicator is measured as a percentage of
gross income over that of the preceding three years.

There are several reasons why this indicator is calculated through gross income. First of
all, it is verifiable. Secondly, because it is immediately available and also because it is a
counter-cyclical measure that helps to reliably measure the size of activities.

2.2.2. The Standardized Approach (SA) is focused on a financial institution's

annual sales for a business line.

According to this method for measuring operational risk, banks' activities are divided
into eight lines of business: corporate finance, sales and trading, retail banking,
commercial banking, payments and settlements, agency services, asset management and
retail brokerage.

Within each line of business, gross revenue serves as an indicator to measure the scale
of commercial operations and, therefore, to calculate the possible exposure to
operational risk in each line.

It is calculated by taking the three-year average of the sum of the regulatory capital
charges for each operating line in each year.

To use the standard approach, a bank must meet certain requirements:

● Both the board of directors and senior management must be involved in

overseeing the operational risk management framework.
● It must have a solid operational risk management system that is implemented
throughout the company.
● It must have sufficient resources to use this approach in the main lines of
business, as well as in the areas of control and auditing.

2.2.3. The Advanced Assessment Approach (AMA) - is built on a bank's

internal risk measurement implementation process that meets regulatory
requirements.

Out of the three approaches to measuring operational risk, this is the most sophisticated
method. With the AMA model, banks can create their own empirical model to quantify
the capital required for operational risk.
An AMA framework should include the use of four quantitative elements for its
development: internal loss data, external data, scenario and business environment
analysis, or internal control factors.

3. What is Vietnam banks’ situation?

According to regulations, from January 1, 2020, banks will have to apply the standard
of 41/2016-TT / NHNN regulations on capital adequacy ratios for foreign banks and
bank branches. One of the most important things about Circular 41 is to ensure a
minimum capital adequacy ratio (CAR) of at least 8%..

This is considered an important step in implementing the Basel II model in risk

management for the entire banking system. However, up to now, there are only 18
qualified banks and there are still many banks that have not met this standard.
Up to now, only 16 (out of 35 domestic banks) have announced the application of
Circular 41, including Vietcombank, VIB, MB, Techcombank, ACB, MSB, HDBank,
OCB, VPBank, TPBank, VietBank, Viet Capital Bank, SeABank, BIDV,
LienVietPostBank, NamABank and two foreign banks, ShinhanBank and Standard
Chartered Vietnam.
Vietcombank and VIB are the first two members approved by the State Bank to apply
Circular 41 a year earlier than the effective date and are also the first two banks to meet
Basel II standards in Vietnam (month). 11/2018).
The Vietnamese commercial banking system has grown in terms of total assets,
distribution network, number of employees and diversification of business activities
over the years. Potential risks are increasing in all three areas of credit risk, market risk
and operational risk, and the causes of operational risk are also increasing.
In order to enhance the effectiveness and efficiency of banking inspection and
supervision, with the approval of the Prime Minister, the State Bank has strengthened
the organizational model of the Banking and Inspection Agency in the direction of
streamlining and efficiency, ensuring good implementation of functions, tasks and roles
of inspection and supervision of banking operations. Thereby, creating an important
premise for continuing to innovate inspection and supervision activities in the direction
closer to international practices and standards and in line with the development practice
of the banking industry in the new period.
In 2019, the inspection work is renewed, closely linked to the supervision, step by step
combining and applying the method of inspection on the basis of risk, towards the
prevention and early warning of risks which possibilities arise. In 2019, the State Bank
carried out 1,420 inspections and issued inspection conclusions and inspection records
for 1,379 inspections; issued 10,170 recommendations and requests to credit institutions
to overcome problems and shortcomings; issued 216 decisions to sanction
administrative violations for credit institutions and businesses, individuals with a total
fine of about 19.65 billion VND. In addition, the State Bank has also applied handling
measures to organizations and individuals in order to consolidate the organization and
stabilize the operating apparatus at a number of credit institutions, focus on
restructuring and handling bad debts; credit extension, bond investment in potentially
risky areas. At the same time, promoting the application of information technology to
improve early warning capacity of potential systematic risks and prevent the risk of law
violation of credit institutions. On the basis of the mistakes and risks discovered through
supervision, the State Bank has issued about 250 risk guidelines and warnings on issues
such as cross-ownership between credit institutions and stock, crowded at credit
institutions; real estate loan balance soared; high bad debt at credit institutions; granting
credit to major customers (total credit granting is over 500 billion dong); investment in
corporate bonds. At the same time, it is required that the manager and executive of the
credit institution must promptly take measures to rectify and handle existing problems
and risks that have been warned by the State Bank; strictly comply with legal
regulations, strengthen inspection and supervision of activities, ensure safe and healthy
operations.
In order to create enough legal basis for credit institutions to implement Basel II capital
standards according to the standard method, the State Bank has issued Circular No.
13/2018 / TT-NHNN dated May 18, 2018 on internal control systems of commercial
banks and foreign bank branches. The issuance of Circular No. 13/2018 / TT-NHNN
contributes to qualitative changes in the management, administration, risk management
and control of credit institutions; helps prevent, warn, and promptly handle mistakes
and risks, contributing to minimizing the possibility of losses and the risk of breakdown
of the banking system. Accordingly, credit institutions must rearrange and reorganize
the inspection and control apparatus according to the model of 03 defensive lines;
strengthening the responsibility and independence in management and supervision of
the Board of Directors, the Board of Management and the Supervisory Board; seriously
implementing the inspection and control activities for all operations of the credit
institution from the head office to branches and transaction offices; strengthening risk
management for material risks, determining the risk appetite in accordance with the
financial and governance capacity of the credit institution; perform capital calculation,
capital management to ensure sufficient capital to offset risks; strengthen the
independent inspection and evaluation of the internal audit. In addition, SBV staff have
gradually applied quantitative methods, analytical techniques in accordance with
international practice in system risk assessment such as Stress Test, Systematic risk
warning mechanism (SRAM), early warning model, building a financial cycle to
monitor, evaluate, analyze risks and propose appropriate policies and tools in each
period.

BIDV:

In 2018, BIDV issued the Anti-Corruption Work Program, aimed at concretizing the
Government's anti-corruption program in the banking sector in 2018 No. 01 / CTr-
NHNN dated August 17, 2018 of the Governor of the state bank of Vietnam. The
program focuses on the following contents: enhancing the roles and responsibilities of
officers and employees in the whole system, especially the head of the unit,
strengthening the management of staff, strictly implementing regulations on the
organization and personnel, control assets, income; enhancing publicity and
transparency in performance of tasks, manage financial effectively and according to
regulations, set up and implement the standard norms regime; strengthen inspection,
control, internal audit, comply with regulations on citizen reception, settlement of
complaints and denunciations in order to update information on corruption, promote the
inspection of the party.
BIDV always attaches great importance to propaganda and education to raise awareness
and responsibility of officials, party members and employees on anti-corruption,
regularly propagating the Code of Ethics and Code of Conduct of BIDV, organizing
compulsory competitions on professional ethics, style and trading space. In addition,
BIDV also grasped, implemented and instructed in a timely and complete manner legal
documents as well as guiding documents related to the prevention and fight against
corruption for each employee. Some contents are focused on propaganda and learning
organization during the year such as: Contents of anti-corruption work stated in Central
Conference Resolution 4 (Session XI), Conclusion No. 21- KL / TW 5 Central
Conference (Session XI) and associated with the implementation of the Directive of the
Politburo on "Continue to promote the study and follow the moral example of Ho Chi
Minh".
In order to manage and control operational risks, in 2019, BIDV has been
synchronously implementing many tasks such as: establishing organizational structure,
managing risks according to the model of 3 lines of protection from the Head Office to
the branches; elaborate and promulgate a full system of regime documents; research and
implementation of operational risk management tools such as RCSA (Risk Self-
Identification and Control), KRI (Key Risk Sign), LDC (Collecting and analyzing
operating risk loss data), BCP (Business Continuity Plan), concurrently performs
operational risk management for outsourcing activities, new products, activities in new
markets and in information technology application; Implementation of the reporting
regime of operational risk management in full compliance with the requirements of the
state bank in Circular No. 13/2018 / TT-NHNN. In 2019, BIDV has concentrated
resources to implement the Consulting Project, deploying advanced operational risk
management tools according to practices to improve the efficiency of operating risk
management tools use, approach to advanced operational risk management practices in
the world. In addition, BIDV also actively researched and calculated the Regulatory
Capital for operational risks under the guidance of the State Bank of Vietnam in
Circular No. 41/2016 / TT-NHNN dated December 30, 2016, and at the same time
continued to build building and upgrading software programs to support the collection
and processing of operational risk data, the calculation of capital required for
operational risks has also been done automatically on the software program. Operational
risk management culture has also been enhanced through training courses and
communication workshops on operational risk management. BIDV always emphasizes
the anti-corruption work as one of the important and cross-cutting contents in the
operating direction of the whole system.
BIDV's Steering Committee for Anti-Corruption and Crime was established from the
Head Office to its member units (At the Head Office: BIDV's Steering Committee for
Anti-Corruption, Crime Prevention and Control is made by the Chairman of the Board
of Directors. Head of the Committee; At the member units: The Steering Committee for
Anti-Corruption and Crime Prevention is led by the Director), in order to ensure the
consistency in the direction and administration and proactively in the fight against
corruption and crime in the whole system.

VIETCOMBANK:

Along with the comprehensive provision of banking products and services,

Vietcombank is increasingly focusing on operational risk management (O&M).
Vietcombank's O&M framework, including the model, organizational structure and
policy and process of O&M management, has been continuously improved to ensure
compliance with State management agencies' regulations in Circular 13 and standards.
innovation of Basel II. In 2019, Vietcombank's O&M will continue to be focused and
strengthened, with the aim of minimizing operational risk losses to protect the Bank,
shareholders and customers. Operational risk management is effectively deployed not
only in width but also in depth across the whole system through O&M tools such as
incident reporting, risk self-assessment and control points, and develop and monitor key
risk indicators (KRI), risk assessment for all new policies, regulations, products and
services, including outsourcing. These tools effectively aid in identifying, measuring,
assessing, and minimizing operational risks. In particular, Vietcombank has invested in
the modern management software system, thereby enhancing automation, enhancing the
effectiveness and quality of O&M work at Vietcombank. In particular, Vietcombank is
very active in implementing specific processes and actions to manage critical
operational risks. In particular, fraud risk management (risk management) continues to
be strengthened, with the comprehensive implementation of the policy, process and
tools of risk management, the implementation of the whistle-blowing mechanism and
related regulations. personnel management to prevent and detect early signs of fraud
risks. In addition, the information technology (IT) risk management framework
continues to be strengthened and perfected to prevent and minimize IT risks and
maintain continuity in the operation of IT systems. In addition to measures to prevent,
detect and mitigate operational risks, Vietcombank also continues to transfer operational
risks through operational risk insurance packages to bank assets as a measure.
Additional risk management helps protect the bank in case of serious losses. In addition
to technical tools, Vietcombank is also constantly focusing on improving the modern
risk management culture through training, ensuring compliance with the Code of
Conduct and professional ethics, and building an integrated working environment. to
prevent risks.

4. Your suggestion

Firstly, each bank needs to focus on the internal management and control on a regular
and continuous basis. When detecting unusual signs, the Supervisory Board must
immediately report to the Board of Directors to quickly release settlement solutions.
The bank is a particularly sensitive business sector, the risk of happening is not only
related to each of the bank's managers or employees, but it also affects all depositors,
businesses or institutions that have credit relations with banks. Therefore, with each
bank, the management of modern risk or internal control is even more necessary to
operate effectively. Combining commercial banks, the State Bank or other competent
state agencies also needs to strengthen the inspection, inspection and supervision of the
operations of commercial banks, with strong sanctions against officials. Bank
embezzlement, or accepting bribes, step by step purify the banking system.

Secondly, Vietnam should map out a roadmap to apply Basel II's methods of measuring
capital costs, based on the economic situation, the development of the banking system
accordingly. As same as India, the State Bank of Vietnam should not apply a single cost
of capital to all banks, but should let banks choose the right measurement method for
themselves. Branches of foreign banks in Vietnam with conditional conditions can use
advanced methods such as AMA, while domestic banks are not eligible to apply for
BIA or STA. Beside that, it is possible to apply a mixed regime within a bank, but if the
branches operating in geographic areas are too different in terms of socioeconomic
conditions or cultural level, then options can also be chosen to calculate the cost of
capital.

Of course, the new regulations of Basel II also have many difficulties in applying in
developing countries, the problem is to apply the Basel II risk measurement models in a
flexible and appropriate way. It is thought that, in order to apply the Basel II rules, it is
not necessary to have complicated models, we need a simpler application for Vietnam.
Commercial banks will be the best advisor to the SBV.