Operational Risk
Rodney Coleman
Imperial College London
All content following this page was uploaded by Rodney Coleman on 20 June 2018.
Wiley Encyclopedia of Operations Research and Management Science, edited by James J. Cochran
Copyright © 2010 John Wiley & Sons, Inc.
2 OPERATIONAL RISK
This former Building Society (savings and loan company) had floated on the stock exchange
as a bank in 1997. It moved into subprime lending in 2006, issuing mortgages in excess
of 100% of property valuations, often on self-reported and unverified household incomes.
It expanded quickly to become the United Kingdom’s fifth largest bank, funding its
rise by borrowing on money markets, securitizing its mortgage debt, and other financial
instruments. When the US’s $8 trillion housing bubble burst, it became clear that Northern
Rock’s business model was severely defective.
The credit crunch of August 2007 caused the share price to fall fast. In September, there
were depositors queuing round the block seeking to withdraw their generally modest
savings. Withdrawals were also being made on-line. In December, the Bank of England
stepped in by providing liquidity support, and sought a buyer, but without success. On
February 22, 2008, it was taken into public ownership. Yet, it was considered to be well
managed operationally.
No measures had been taken to provide for a fall in property prices. It has been reported
that Lehman Brothers had underwritten £100 billion of Northern Rock’s debt (collateralized
debt obligations on mortgage-backed securities).
Lehman Brothers itself filed for bankruptcy on September 15, 2008. A week earlier, the
giant US mortgage lenders Fannie Mae and Freddie Mac had received a government
bailout, and the largest insurance company, AIG, and the largest savings and loan
company, Washington Mutual, were in dire straits, lining up for support.
The response to the collapse of Northern Rock was to herald the international effort to
stave off global collapse of the financial system.
Box B. Basel II
The Basel Committee for Banking Supervision (BCBS) was set up in 1974 as a committee
of the Bank for International Settlement (BIS) to provide a regulatory framework for
internationally active banks. In its Basel Accord of 1998, now known as Basel I, it settled
the minimal level of capital to be held by banks as provision for credit risk and market
risk. In 2001, it moved to do the same for operational risk in its New Basel Capital Accord,
known as Basel II [1]. It was approved by the European Parliament in 2005, and came
into effect across the entire European Union (EU) in 2008.
The accord sets out a risk sensitive way of calculating reserve capital to cover possible
defaults. Institutions are required to categorize operational risk losses by event type,
promoting identification of risk drivers. There is no mandated methodology.
Pillar 1 of Basel II gives three ways of calculating the operational risk capital charge, with
increasing complexity, but benefiting from a reduced charge.
• The basic indicator approach (BIA) calculates the reserve capital simply as a proportion
of gross revenue.
• The standardized approach (TSA) divides the activities of a bank into eight business
lines (Table 2), with standard capital charges for each based on calculated risk indicators.
• The advanced measurement approach (AMA) requires that the banks model loss distributions
of cells of a business line/loss event type grid from operational risk loss data
that they themselves have collected, supplemented as required by external data.
Pillar 2 of the accord requires banks to demonstrate that their management and supervisory
systems are satisfactory. Pillar 3 relates to transparency, requiring them to report on
their operational risk management.
Solvency II, the EU’s regulatory directive for insurers, has adopted the same three pillars.
This directive will come into force throughout the EU in 2013.
In November 2007, the US banking agencies approved the US Final Rule for Basel II.
Banks will be grouped into the large or internationally active banks that will be required
to adopt AMA, those that voluntarily opt-in to AMA, and the rest who will adopt an
extended version of the earlier Basel I. A Basel III is in preparation.
Risk identification
• Stress and Scenario Testing. This is the contingency planning for possible adverse
events, from payouts occasioned by a badly drawn up contract, to the disaster recovery
and business continuity to follow from terrorism or natural catastrophe causing the loss
of headquarters, paperwork, processing capacity, and so on. It involves testing impact
tolerance and resilience.
CLASSIFYING OPERATIONAL EVENTS
When something is defined only by what it is not, there is always going to be a problem
in giving it a taxonomy. A major hindrance prior to Basel II was not only its lack of a
constructive definition but also the absence of data. Operational risk losses were generally
treated as costs of doing business and allocated to the department where they occurred.
As such they were not recorded specifically as operational losses. Even when they were
identified as such, if the losses were small, they were not going to contribute significantly
to business failure. Post Basel II, data can still be very sparse. An insurer recently
had just two oprisk events to show financial supervisors, with another six possible
(personal communication).
Operational Risk Loss Event Types in Banking and Insurance
In practice, we would need to identify the operational risk loss events particular to the
business activity. A start at this classification can be made by using the seven designated
categories of loss events given in Basel II, also adopted in Solvency II, the EU regulations.
• Internal Fraud (IF). Losses within the business from fraud, misappropriation of property,
unauthorized activity, and circumventing regulations.
• External Fraud (EF). Fraudulent claims by an external party, forgery, and hacking damage
to systems security.
• Employment Practices and Workplace Safety (EP and WS). Organized labor activity,
violations of employee health and safety rules, discrimination in employment, and personal
injury claims.
• Clients, Products, and Business Practices (CP and BP). Unintentional failure or negligence
in meeting professional obligations to clients or customers (customer complaints, the
suitability of advice, lack of disclosure, including breaches of trust). Flaws in the design
or behavior of a product.
• Damage to Physical Assets (DPA). Losses from damage to property from natural catastrophes
(hurricanes, floods) or man-made events (fires, explosions, terrorism, pollution).
• Business Disruption and System Failures (BD and SF). Losses due to hardware or software
failure, system design failure, and other infrastructure issues.
• Execution, Delivery, and Process Management (ED and PM). Failed transaction processing
or management, failed customer/client services (account errors, data entry errors, and
incorrect payments), and inadequate monitoring and reporting.
Table 1. The Percentages of Losses of $10,000 or More for Each Event Type (Taken from the
2005 LDCE in the United States)
Event type    IF    EF     EP and WS   CP and BP   DPA   BD and SF   ED and PM   Other   Total
Losses (%)    3.8   41.8   7.6         9.2         0.7   0.7         35.3        0.8     100
Source: [7].
Table 2. Business Units and Business Lines for International Banking Activities Under
Basel II. Percentages of Losses are from the 2005 LDCE
Business unit         Business line              Frequency (%)
Investment banking    • Corporate finance        0.4
                      • Trading and sales        7.9
Banking               • Retail banking           65.3
                      • Commercial banking       5.5
                      • Payment and settlement   4.8
                      • Agency services          5.5
Others                • Asset management         2.7
                      • Retail brokerage         7.9
Source: [7].
in the years 2000 to 2008. Insurance has a different set of business lines from banking.
The most significant with respect to operational risk are given in Table 3. The event
types are those mentioned in the section titled “Operational Risk Loss Event Types in
Banking and Insurance.” The data, derived from Selvaggi [8, Fig. 4A, p. 14], give
percentages of loss amounts for those business activity/event type cells having at
least 4% of the total loss amount.
This information tells little about the actual events. For this we need level 2 and
level 3 categories, the seven event types being level 1. To illustrate this, again from
the ORIC database, Table 4, derived from Selvaggi [8, Fig. 4B, p. 15], shows the most
significant level 2 and level 3 event types in terms of both severity and frequency (values
over 4%). It excludes losses arising from the UK’s mis-selling of endowment policies
scandal. We note that natural disasters do not feature as significant.
Table 4. Level 2 and Level 3 Event Categories from Insurance Losses in ORIC (2000–2008)
that Show Loss Amounts and the Frequency of Losses of 4% or More
Level 2 events Level 3 events Size (%) Frequency (%)
Advisory activities Mis-selling (nonendowment) 13 9
Transaction capture, execution, Accounting error 12
maintenance Inadequate process documentation 8
Transaction system error 8 6
Management information error 7
Data entry errors 7 5
Management failure 5
Customer service failure 4 16
Suitability, disclosure, fiduciary Customer complaints 6 4
Systems Software 6
Customer/client account Incorrect payment to client/customer 9
management Payment to incorrect client/customer 4
Theft and fraud Fraudulent claims 4
Total 76 57
Source: [8].
faced by an organization, measured by their impact in terms of their frequency and
severity. In many cases, from a list of 100 operational risks identified as occurring
within an organization, no more than 5 or 10 will give rise to the most serious of the
loss events and loss amounts. However, the ubiquitous nature of operational risk requires
that day-to-day management must use bottom-up as well as top-down risk control.
There needs to be an understanding of the risk in all activities. Aggregating losses
over business lines and activities would tend to hide the low impact risks behind
those having a more dramatic effect. The bottom-up approach is thus a necessary
part of seeing the complete risk picture. Aggregation at each higher level informs
management throughout the business.
The perception of the risk needs to match the actual risk. Hazards that have not yet
been encountered may not even be considered, and when considered have risks that
are hard to calculate.
Operational Risk Management Structure
Figure 3, based closely on Álvarez [6, p. 231], shows the structure of an operational risk
management program.
Figure 3. The operational risk management cycle. (Source: Taken with permission from Risk
Books [6].) Stages shown in the figure:
• Objectives. Define goals. Make them known to management and staff.
• Processes. Prepare an action plan. Carry out risk identification.
• Risks. Identify hazards to be managed or mitigated. Assess risks for impact and frequency.
• Controls. Obtain management responses. Prepare a control framework.
• Analysis. Check effectiveness of controls. Compile information.
• Reporting. Provide a revised operational risk profile. Address issues raised and modify
objectives.
An internal operational loss event register would typically show high impact
events at low frequency among events of high frequency but low impact. A financial
institution might therefore sort its losses into “expected loss” (EL) to be absorbed
by earnings, “unexpected loss” (UL) to be covered by risk reserves (so not totally
unexpected), and “stress loss” (SL) requiring core capital or risk financing for cover.
The “EL” per transaction can easily be embedded in the transaction pricing. It is
the rare but extreme stress losses that the institution must be most concerned with.
This structure is the basis of the loss data analysis approach to operational risk. Hard
decisions need to be made in choosing the EL/UL and UL/SL boundaries. This latter
would often be the maximum probable loss. Besides these, a threshold “petty cash” limit
is needed to set a minimum loss for recording it as an operational loss. Loss events with
recovery and other near-miss events also need to be in the internal database for
the information they carry. The threshold and boundaries are set separately for each
business activity/event type category.
External Data
In addition to the management tools mentioned in the section titled “Management
Tools”, operational risk management will often need to supplement their internally
collected data. The shortage of in-house oprisk data, particularly large loss events that
would have a major influence in estimating reserve funds to cover a major loss should it
occur, is such that data publicly available or from commercial or consortia databases will
need to be explored.
Insurance
Transferring operational risk through insurance is problematic as a risk management
tool [3, p. 187].
For example:
• Blanket cover would not be available, leaving unforeseen events uncovered.
• Exclusions could deny payment. Similarly, delays in payment, possibly for years if legal
proceedings take place, could put firms at risk.
• The absence of sufficient and appropriate data would make pricing the risk difficult.
• Risk transfer may lead to moral hazard, the abandonment of responsibility for
risk management.
Most importantly perhaps is that, although insurance is a means of mitigating the
consequence of operational risk losses, it does nothing to enhance control of the risk itself
[9, pp. 11 and 259–260].
Figure 4. The probability densities of GEV (0.70, 230, 100) (line) and GPD (0.70, 150, 125)
(dashes).
not to be identified with the population mean and standard deviation. For the GPD, μ is
the lower bound of the range. Figure 4 shows the form of their respective probability
density functions. Models with four and more parameters, such as Tukey’s g-and-h class of
distributions, are also gaining users: but they do require more data than is usually
available. They have though been seen to capture the loss distribution of aggregated
firm-wide losses. Readers are referred to Young and Coleman [3] for plots and properties
of these and other models.
Example: Fitting GEV and GPD. This section follows the analysis in Young and
Coleman [3, pp. 399–403], summarized in Coleman [11], for fitting the 75 losses
given in Cruz [12, p. 83]. In Table 5, these data have been ordered and rounded to the
nearest $1000.
Figure 5 shows the sample cumulative distribution function (the observed proportion of
values less than x) shown as steps, together with four fitted cumulative distribution
functions (the height y is the probability of obtaining a future value less than x). The
range of observation is (143, 3822). Figure 5 shows a good fit in each case. Table 6 shows
the values of four fitted models, and some large quantile values for each of them (the x
values for given y values). For example, the 99th percentile Q(0.99) is at a loss value of
3663 for the first model. The others are at 2794, 4457, and 2605. The 99.9th percentiles
range from 7595 to 22,452. This Q(0.999) is to be the basis of regulatory charging in
banking, with Q(0.995) for insurers. Estimation far outside a data set is always fraught.
This can lead to significant errors in high quantile estimation. Quantiles give no
information about how big a future loss larger than Q(p) is likely to be. A measure used
for this is the mean excess, also called conditional value-at-risk (CVaR). This computes
the mean over the values greater than Q(p) of the fitted model probability.
A simulation study of GPD (0.70, 150, 125) gave an approximate 95% confidence interval
for Q(0.999) of (5200, 9990).
A simulation of 4000 values from GEV (0.53, 230, 130) gave the estimates
(0.50, 227, 126) for its parameters, emphasizing the need for large data sets.
The computations were made using Academic Xtremes, a computer package that
accompanies Reiss and Thomas [13].
Table 6. The Parameters, Quantiles, and Fitted Values of the GEV and GPD Models when
Fitted to Loss Data
Fitted model    GEV       GEV     GPD       GPD
Parameter estimates
ξ               0.53      0.70    0.44      0.70
μ               230       230     135       150
σ               130       100     165       125
Quantiles
Q(0.9)          777       793     866       793
Q(0.95)         1230      1169    1425      1161
Q(0.99)         3663      2794    4457      2605
Q(0.995)        5906      4046    7258      3619
Q(0.999)        18,066    9525    22,452    7595
Data            Model values
1416            1614      1459    1902      1435
2568            2280      1925    2733      1857
3822            4842      3470    5929      3160
Source: [3, pp. 400–403].
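The quantiles in Table 6 and the mean excess described above can be recomputed in closed form from the fitted parameters. The following is an added example, not code from the article or from the Xtremes package; it assumes the standard location-scale forms of the GEV and GPD distribution functions, which the page does not state, and all function names are illustrative.

```python
import math

def gev_quantile(p, xi, mu, sigma):
    # Inverse of F(x) = exp(-(1 + xi*(x - mu)/sigma)**(-1/xi)), xi != 0 (assumed form).
    return mu + sigma / xi * ((-math.log(p)) ** (-xi) - 1.0)

def gpd_quantile(p, xi, mu, sigma):
    # Inverse of F(x) = 1 - (1 + xi*(x - mu)/sigma)**(-1/xi), xi != 0 (assumed form).
    return mu + sigma / xi * ((1.0 - p) ** (-xi) - 1.0)

def gpd_mean_excess(p, xi, mu, sigma):
    # Mean of the losses above Q(p) (CVaR); the GPD mean is infinite when xi >= 1.
    if xi >= 1.0:
        raise ValueError("mean excess is infinite for xi >= 1")
    q = gpd_quantile(p, xi, mu, sigma)
    return q + (sigma + xi * (q - mu)) / (1.0 - xi)

LEVELS = (0.9, 0.95, 0.99, 0.995, 0.999)
# (xi, mu, sigma) as printed in the parameter rows of Table 6, left to right.
FITS = {
    "GEV": (gev_quantile, [(0.53, 230, 130), (0.70, 230, 100)]),
    "GPD": (gpd_quantile, [(0.44, 135, 165), (0.70, 150, 125)]),
}
# Quantile columns as printed in Table 6, left to right within each family.
PRINTED = {
    "GEV": [[777, 1230, 3663, 5906, 18066], [793, 1169, 2794, 4046, 9525]],
    "GPD": [[866, 1425, 4457, 7258, 22452], [793, 1161, 2605, 3619, 7595]],
}

def reproduces(family, params, column, tol=1.0):
    """True if params give every printed quantile in the column to within tol.

    The tolerance allows for the parameters being printed to two or three figures.
    """
    quantile = FITS[family][0]
    return all(abs(quantile(p, *params) - q) <= tol for p, q in zip(LEVELS, column))

def matching_fit(family, column):
    """Return the one printed parameter set that reproduces the column, else None."""
    hits = [ps for ps in FITS[family][1] if reproduces(family, ps, column)]
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    for family, columns in PRINTED.items():
        for i, column in enumerate(columns, start=1):
            print(f"{family} quantile column {i}: reproduced by {matching_fit(family, column)}")
    es = gpd_mean_excess(0.99, 0.44, 135, 165)
    print(f"GPD(0.44, 135, 165): mean excess above Q(0.99) = {es:.0f}")
```

Under the assumed forms, every printed quantile is reproduced to within rounding, but by the other parameter set of the same family: the ξ = 0.70 fits give the first and third quantile columns, and the ξ = 0.53 and ξ = 0.44 fits give the second and fourth.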