
THE CONCEPT OF OPERATIONAL RISK

What is operational risk?


One of the widely used definitions of operational risk is found in the Basel II Accords, which is as follows:
“Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and
systems, or from external events”. This definition includes legal risk but excludes strategic risk and
reputational risk. In the context of Basel II, legal risk includes (but is not limited to) exposure to fines,
penalties, or punitive damages resulting from supervisory actions, as well as private settlements.
This definition is causal in nature, that is, it highlights the causes of operational risk.
ACTIVITY

From the definition given above, identify the major causes or sources of operational risk.

This definition, with slight variations, has been widely adopted across financial services, and here are
some of the definitions:
Solvency II defined operational risk as ‘the risk of change in value caused by the fact that actual losses
incurred for inadequate or failed internal processes, people and systems, or from external events
(including legal risk) differ from expected losses’.
Deutsche Bank defines operational risk as the potential for failure (including the legal component) in
relation to employees, contractual specifications, documentation, technology infrastructure and disasters,
external influences and customer relationships.

REFLECTION

In the institution where you did your work-related learning, how did they define operational risk? Was
everyone aware of the definition?

Operational risk is, at its core, a mistake, error, or hazard. Operational risk is embedded in how the
enterprise functions, and is often driven by people and IT systems that do produce errors. Contrary to
other risks like market and credit risks, operational risks are not willingly incurred and are not revenue
driven, rather, they are driven by the firm’s operations. Operational risk is often viewed as, “the cost of
doing business” as it directly impacts profitability and needed capital. In many ways that is true. It is not
separable from the act of doing business, as it is also embedded in other activities undertaken by the
enterprise.
Operational risk manifests through the complex web of employees, products, clients, systems, legal
judgments, regulation, and fines. Operational risk is never really predictable, but firms must be prepared
for it as part of an enterprise risk management strategy. Decisions that involve the implicit acceptance of
operational risk may not clearly expose the operational risk involved. This is especially dangerous, as a
business manager does not explicitly take on operational risk, as he or she would do for market risk or
credit risk. Instead it shows up in how the business is executed.
There is a huge variety of specific operational risks. By their nature, they are often less visible than other
risks and are often difficult to pin down precisely. Operational risks range from the very small, for example,
the risk of loss due to minor human mistakes, to the very large, such as the risk of bankruptcy due to
serious fraud. Operational risk can occur at every level in an organisation.
Operational risk is one of the misunderstood risks but it can lead to the collapse of an organisation when
not managed well. It can lead to additional regulatory and reputational harm and it has a dangerous
feature of contagion. It gives rise to new or additional risks. This is especially true when the operational
risk in question is left unattended by management.

BACKGROUND TO OPERATIONAL RISK


Operational risk began life as a residual category of risk, something left over from market and credit risk
management practices, a fear category with a challenging reality and status. This category of risk
contained all risks and uncertainties that could not be measured and managed using traditional risk
management tools. The basic term operational risk was first officially used in 1991 but it did not gain
extensive usage until the mid to late 1990s when Basel II formally recognised operational risk as a
separate risk category. However, this does not mean there were no operational risk related losses before
Basel II. For many years, businesses in general have always been aware of hazards and uncertainties
arising from operational factors (internal or external), human motivation and fraud, business disruption,
legal liability, information technology infrastructure etc. Basel II only institutionalised operational risk as a
risk category befitting of regulatory and managerial attention. By labelling all risks that were considered
residual as ‘operational risk’, Basel II renewed the visibility of these risks, repositioned their location
and status, and ushered them into a new space of regulatory, political and social expectations.
The history of operational risk cannot be complete without mentioning various scandals in the banking
sector such as the collapse of Barings Bank in 1995. Nicholas Leeson, the rogue trader credited with the
destruction of Barings Bank, has been viewed by some as the true author and unwitting originator of
operational risk. These scandals help to figure the history of operational risk (retrospectively) and serve
as model examples of operational risk failure. When Barings and other banking scandals occurred,
regulatory reviews and discussion which led to the recognition of operational risk as a separate risk
category by Basel II were already in progress.
Basel II not only introduced operational risk as a separate risk category, but it also introduced the capital
charge for operational risk as part of the capital adequacy framework and also prescribed methods of
calculating the operational risk capital charge for banks. While largely intended for internationally active
banks, the operational risk management notions set out in Basel II have since been adapted into
equivalent regulatory guidance and rules for the insurance sector and other areas of financial services
including asset management and pension funds. Most financial organisations have integrated operational
risk management into their business activities. Also, the concepts of operational risk are being
increasingly developed and practiced extensively within non-financial services firms, which are
investing significantly in the management of operational risk exposures in areas such as
health & safety practices, disaster management, preventing harm to customers due to product
consumption, anti-corruption practices etc.
In recent years, there has been an increase in the frequency and severity of operational losses both in
the financial services industry and in non-financial services industries due to increasing complexity in
business operations, among other issues. This has led to increased regulatory attention being paid to
operational risks. Given the increasing incidence and severity of operational risks and the realisation of
the business benefits of managing operational risks, various organisations are increasingly paying attention
to the management of operational risks, which has given rise to operational risk management as a separate
discipline. The operational risk management discipline, though maturing rapidly, is still in its infancy as
there are many problematic areas bedevilling the discipline, such as the lack of a universal definition,
the measurement of operational risk and the lack of a universal ORM framework.

DRIVERS OF OPERATIONAL RISK


Individual Assignment

CATEGORIES OF OPERATIONAL RISK


In order to effectively measure, manage and allocate resources, it is important to categorise operational
risks. Operational risks come in various forms and sizes and have varying degrees of severity. The specific
operational losses which organisations may contend with differ from institution to institution. Compiling a list
of operational risks would be an enormous task, as operational risks are constantly emerging as new products and
product platforms emerge in the financial sector. Below are some common methods of categorising
operational risks.
1) The Risk Matrix
Under the risk matrix, losses are categorised according to their frequency and severity. Operational risks
can fall into any of the following four broad frequency-severity categories:
• Low Frequency/Low Severity
• Low Frequency/High Severity
• High Frequency/Low Severity
• High Frequency/High Severity
NB: These categories are a simplification of a much broader reality. In practice, the frequency spectrum
can be further subdivided into annual, quarterly, monthly, weekly, daily and hourly categories and, in the case
of trading activities, nanoseconds. On the severity spectrum, losses can be subdivided into specific dollar
amounts, e.g. less than $50; $51-$200; $201-$500 etc.
Combining the specific dollar amounts with specific frequencies helps operational risk managers to
identify, measure, describe and express a particular operational risk exposure. For example, a bank
exposed to internal fraud losses can say it is exposed to less than $50 of internal fraud losses per week. This
detailed classification is also useful for regulatory purposes.
2) Operational Risk Event Type (Basel II Classification)
The Basel II regulatory framework, which recognised operational risk as a separate risk category, also divided
operational risk into seven risk event types/categories, which are listed below with their definitions:

Internal Fraud: Losses resulting from an act involving at least one internal party of a type
intended to defraud, misappropriate property, or circumvent regulations or
company policy, excluding discrimination and diversity, e.g. tax evasion,
bribery.

External Fraud: Losses resulting from an act by a third party of a type intended to defraud,
misappropriate property or circumvent the law, e.g. theft party and forgery,
hacking.

Employment Practices: Losses resulting from an act inconsistent with workplace safety and
employment, health or safety law or agreements, payment of personal injury
accident injury claims, payments arising from diversity and discrimination
events, e.g. wrongful termination, discrimination claims, harassment claims.

Clients, Products & Business Practices: Losses arising from unintentional/negligent failure to meet a professional
obligation to specific clients or from the nature or design of a product, e.g.
market manipulation, antitrust, improper trade, product defects, fiduciary
breaches, account churning.

Damage to Physical Assets: Losses arising from loss of or damage to physical assets by natural disasters
and other events such as terrorism, vandalism.

Business Disruption & System Failures: Losses arising from disruption of business or system failures, e.g. utility
outages/disruption, hardware failures, software failures.

Execution, Delivery & Process Management: Losses from failed transaction processing or process management, from
relations with trade counterparties, e.g. data entry errors, accounting errors,
failed mandatory reporting, negligent loss of client assets, vendor disputes.

ACTIVITY: Contextualise this to the insurance industry. Can these operational risk types be used for
the insurance industry too? Which categories of operational risk are more common in the insurance
industry?

3) Expected Versus Unexpected Losses


One common way to classify operational risk is to consider expected vs. unexpected risks. Expected
operational risks are those risks which are predictable or anticipated to occur because they are naturally
associated with the internal or external environment of the firm and hence may occur frequently.
Examples of such risks may include:
• Credit card fraud for a firm offering credit card products.
• Damages due to hurricanes for an asset management firm with offices in a city which
experiences a hurricane season every year.
• Disruption to IT systems due to power cuts for an insurance firm with offices in a city where
seasonal power cuts are normal.
Management of such risks is integrated within the planning and execution of business activities. For
example, organisations may manage such risks by incorporating them within the pricing of their products.
Alternatively, the organisation may raise accounting provisions, include it as part of business budgets or
invest in improving the efficiency of business processes.
On the other hand, unexpected losses are losses that cannot be foreseen/predicted/anticipated as they
are not an innate part of the internal or external environment of the firm and hence may occur rarely.
Examples of such risks may include:
• Disruption to IT systems due to the escalation of a cyber-war between two or more countries.
• Damage to physical assets due to solar storms.
• Disruptions to business operations due to the rapid spread of a serious epidemic.

Management of such risks may involve support from specialist departments e.g. Business Continuity
Management department to deal with business continuity related risks. Such risks are usually managed
through capital reserves, insurance or investment in controls.
RELATIONSHIP BETWEEN OPERATIONAL RISK AND OTHER RISK TYPES
Operational risks arise in the presence of other risk types. Operational risk is interrelated with other risk types,
and sometimes it can be difficult to draw a distinction between operational and other risk types. An
operational loss/event can be dramatically magnified by other risks and operational risks can also
dramatically magnify other risks. Consider the following examples:
Example 1 (operational risk and market risk)
You instruct your stock broker to buy Starnet shares but the broker erroneously places a sell order instead
of a buy order. This will result in losses and the losses will be magnified should the market move in
another direction rather than remaining stable.
Example 2 (Operational Risk and credit risk)
A bank issuing loans forgets to get details of the client, incorrectly captures them or misplaces them.
In the event of a financial crisis which triggers defaults, the loss will be magnified as the bank will fail to
collect the owed money even from those who could have paid, since it will not have enough
documentation on clients to institute debt collection. The 2008 Financial Crisis has always been
seen as a credit risk event, but a closer look shows that the event was magnified by operational risk. There
was a series of process failures which appeared as an external event but was actually a product of poor or
failed processes: missing and incomplete loan documentation, misrepresentation of the personal financial
details of borrowers etc.
Example 3 (operational risk and legal risk)
When the government banned the use of foreign currency, business models that were based on forex failed.
For example, many companies failed to process payments and salaries as old payment systems failed
to recognise the new currency.

ACTIVITY

Identify the other major categories of risks. How do they relate to operational risk?
The problem of ensuring clear boundaries between different risks is something that operational risk
managers face day-to-day. Operational risk managers often need to interact with risk managers dealing
with other risk types and have to justify why some risks should be considered as part of Operational Risk
Management. Even with clearly documented boundary conditions between risk types, from time to time
situations arise which are not covered by existing definitions and need resolution with other risk
disciplines.
Within this context, it is also important to consider the relationship between Enterprise Risk Management
and Operational Risk Management. Most companies today prefer to manage their risk exposures in an
integrated way, under an umbrella framework commonly referred to as Enterprise Risk Management
(ERM). This approach is based on the premise that risks are interconnected and need to be managed
together in a consistent and holistic approach, with clear differentiation of the boundaries between them.
ERM is concerned with management of risk at an enterprise level while ORM is concerned with
management of risks at program, function or operational levels. It is important that one understands the
differences between enterprise risk management and operational risk management and the benefits of
integrating ORM into ERM. Operational risks are best managed and measured if they are integrated into
the ERM program. ERM ensures that operational risks are elevated, they are considered in resource
allocation, there are fewer crises, there is improved organisational performance, shared solutions and
increased awareness of operational risks.
ACTIVITY

Briefly explain the benefits of integrating operational risk management into enterprise risk
management.

Distinguish operational risk from enterprise risk

CONCEPTUAL ISSUES IN OPERATIONAL RISK MANAGEMENT


A conceptual issue is concerned with definitions, relations of concepts and abstract issues in a field, and is
crucial to solving a problem. Below are some of the conceptual issues in operational risk management:

• Definition of operational risk management

The definition of operational risk management affects how organisations manage operational risk. For
example, if operational risk is defined as a residual category of risk, little attention will be paid to it. Some
definitions are broad and include legal and strategic risks, while some definitions are narrow. Some
definitions of operational risk are negative while some are positive.
Operational risk has proved problematic to define, although such difficulties in fixing the meaning have
enhanced rather than detracted from its importance. Operational risk is no simple or self-evident category;
it is a label for a diverse range of practices, a vision of control and regulation in an elusive field, and an
imperative to manage a newly visible range of problems. It is both a name for a set of problems and
interests, and a promise of a new way of intervening in the internal structure of financial organisations.

• Operational Risk Management Responsibility

There is no consensus on whether there should be an operational risk management department and
operational risk officers. Some feel there should be an independent operational risk department while
others think operational risk should be managed by the risk management department or financial officer.

• Lack of universal framework

Operational Risk Management frameworks and strategies depend on the size and sophistication of the
firm and the nature and complexity of the business; there are no universal frameworks.

• Operational Risk Measurement

Measuring operational risk is a challenge due to data collection challenges and lack of models. Effective
risk measurement requires quality data collected over a long period of time and robust models. Data
collection on operational risk started recently when operational risk was recognised as a separate risk
category. Since this is a new field, models are still being developed.

• Interrelationship between operational risk and other risks

The confluence between operational risk and other risks sometimes makes it difficult to identify and assess
operational risk exposures, and the impact of some errors can only be seen decades later after the
damage has occurred. Also, it creates conflicts on who should manage certain risks, as some operational
risks encroach on other risk disciplines.

NB: Operational risk is a result of unpredictable, not fully understood failure mechanisms. Managing
operational risk requires an engineering-like understanding of systems, processes and failure mechanisms,
but most businesses do not invest enough to understand processes or systems, especially if the systems
and processes are secondary to business models/goals.
