See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/227576075

Operational Risk

Chapter · January 2011

DOI: 10.1002/9780470400531.eorms0591

CITATIONS READS

3 24,060

1 author:

Rodney Coleman
Imperial College London
37 PUBLICATIONS   649 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Rodney Coleman on 20 June 2018.

The user has requested enhancement of the downloaded file.

OPERATIONAL RISK
RODNEY COLEMAN
Department of Mathematics,
Imperial College London,
London, UK
RISKS ARISING FROM BUSINESS ACTIVITY
You lose business opportunities while your
computer systems are down. You settle
a wrongful dismissal claim. You receive a
penalty notice for the late filing of documents.
Your employee embezzles from you. Your
customer records have gone missing. A flood
has breached your stock room damaging
goods awaiting shipment. These are the day-
to-day hazards of running a business beyond
those from its money-making activities. This
is operational risk, often shortened to oprisk.
It excludes risks which result in losses from
poor business decisions. Oprisk losses will
generally stem from weak management,
from outsourcing nonstrategic activities, or
from external factors.
Operational risk events happen every-
where, not just in a business environment;
for example, injuries sustained from a
design weakness in playground or fairground
equipment, or engineering flaws resulting in
a mass recall of motor cars. Poor labeling
on pharmaceutical packaging can lead to
the wrong dose being administered. Swabs
or instruments can be left in a patient after
surgery. Attention to safety has a big role in
mitigating these hazards.
Major construction projects—digging
tunnels, mineral extraction, raising bridges,
building skyscrapers— all need careful plan-
ning not just to support efficient operations
but to minimize avoidable delays from opera-
tional risk events. Large companies involved
with manufacturing, technology, telecommu-
nications, and media services will all have
operational risk management departments.
Business is entered into with the aim of
generating wealth, in the pursuit of returns
Wiley Encyclopedia of Operations Research and Management Science, edited by James J. Cochran
Copyright © 2010 John Wiley & Sons, Inc.
1
on capital. In contrast, the supervision,
control, and management of operational risk
absorbs capital in the protection of wealth,
without being directly profit generating.
Indeed a major cost is often on business
continuity planning, preparing for eventual-
ities beyond the control of management that
threaten the business environment. These
include terrorism, civil unrest, systems fail-
ings including hacking, organized crime, and
nature’s worst behavior such as hurricanes,
tsunamis, and volcanic ash clouds.
Measuring and modeling operational risk
events is needed to answer questions of how
high to build a flood barrier, how much to
spend on railway safety, and how much to put
into reserves to protect a bank from collapse.
Oprisk data for study are hard to come by;
their publication might expose a firm’s fail-
ings, and make it lose competitive advantage.
The financial sector has led much of the study
of operational risk, not only because losses
are widely expressed in monetary terms but
also since the industry is highly regulated.
This is to ensure not only that our savings
and pensions are safe but also that businesses
and governments would be able to continue to
borrow and lend following a worst case finan-
cial crisis. When the loss events are penalties
imposed for contravening regulations, they
enter the public domain.
Onetime categorized as the catch-all
‘‘other risks’’ after credit and market risk
are excluded, operational risk was pretty
universally considered to be unmeasurable.
In 2001, however, Basel II, which set out a
regulatory framework for operational risk
in international banking, was to give a
generally accepted definition for operational
risk [1, para. 664, p. 140]. It was to be the risk
of loss resulting from inadequate or failed
internal processes, people, systems, or from
external events. More importantly, Basel II
was the driving force behind developments
in operational risk management practices,
the search for robust risk measurement, and
the requirements of transparency through
disclosure. This has made operational risk a
2 OPERATIONAL RISK
Hazards
Causes
Possible outcomes
Likelihoods ⇒ Impacts ⇒
loss frequencies loss severities
Risk
Figure 1. A basic risk structure.
significant topic in business and management
studies. (For more on Basel II, see Box B.)
The basic operational risk structure is
shown in Fig. 1. A risk management struc-
ture and an operational risk management
structure follow later.
OPERATIONAL RISK EVENTS MAKE
HEADLINES
Public attention gets drawn to operational
risk when infrequent but high impact events
occur. Fitch’s OpVar database has nearly 500
events in the United States between 1978 and
2005 where the losses exceeded $10 million.
With 10 years of data, the 2004 loss data
collection exercise (LDCE) has more than 100
events in the United States where the losses
were $100 million or more [2, p. 2].
Brief narratives follow on some extreme
oprisk events.
• Union Carbide. During the night of
December 3, 1984, 40 tons of poisonous
gas leaked from the US owned Union
Carbide pesticide factory in Bhopal,
India, and settled over neighboring
slums. More than half a million people
were exposed to the deadly fumes.
Within days, 3500 people were dead,
and more than 15,000, possibly as
many as 25,000, have died since.
It stands as the world’s worst ever
industrial accident. Union Carbide
denied responsibility. The effects of the
gas on survivors continues, with chronic
illnesses, cancers, and children with
birth defects. Environmentalists claim
that the neighborhood has not been rid
of toxins, said to be still polluting the
local water supply.
• Space Shuttle Challenger Disaster. On
January 28, 1986, shortly after take-
off from the Kennedy Space Center in
Florida, the space shuttle Challenger
exploded killing all seven on board. A
seal on a rocket booster motor had failed
allowing hot pressurized gas to reach an
external fuel tank, causing its structure
to fail and the spacecraft to disintegrate.
• Bank of Credit and Commerce Interna-
tional. BCCI was closed down in 1991
after it was revealed that accumulated
losses totaling more than a billion US
dollars had been fraudulently hidden
from auditors and regulators.
• Sumitomo Corporation. Between 1985
and 1999, a star copper trader at Sum-
itomo incurred massive losses through
risky trading. It was sufficient to affect
the entire copper market.
• Barings Plc. Barings Bank, a long estab-
lished merchant bank in the city of
London, became insolvent in 1995 when
a young trader at its Singapore sub-
sidiary lost £860 million from excessive
and unauthorized speculation on the
Tokyo stock exchange index. He hid this
activity for two years. When brought to
light, it was found that he had failed to
hedge enormous outstanding positions,
cover for which required payments that
Barings could not meet. That its main
assets were held offshore probably con-
tributed to the Bank of England being
prepared to let the bank fail.
• Prudential Insurance Company of
America. The Prudential paid out
$2 billion in settlement of a class
action lawsuit relating to its agents
deliberately misleading purchasers
throughout a period of 13 years up
to 1995. More recently in the United
Kingdom, there was similarly the
costly endowment mis-selling scandal

of people being misled into exchanging
defined company pension plans for
riskier and less advantageous market-
funded schemes. In December 2002 one
of the insurers involved, Abbey Life,
was fined a record £1 million and paid
£160 million in compensation to 45,000
policy holders.
• Hurricane Andrew. In 1992, Hurricane
Andrew swept through the south of
Florida. The damage led to a $16 billion
insurance payout, a record insured
loss, only exceeded with the terrorist
attack that devastated the World Trade
Centre in Manhattan on September 11,
2001.
• The Global Financial Crisis of
2007–2009. The worldwide finan-
cial breakdown began with the credit
crunch, the seizing up of the markets
on August 9, 2007 following problems
created by subprime mortgage lending
in the United States. It was the result
of a bubble created by cheap borrowing,
with offloaded debt insured against
default. In their premium pricing, the
insurers failed to take account of the
risk that property values might fall
with consequent defaults on mortgage
repayment. The operational risk was
in the lack of due diligence: the lenders
in failing to check the means of their
mortgage applicants, the purchasers of
the debt similarly in respect of the mort-
gages supporting it, and the insurers in
taking on the default risk. Poor business
practices caused the crisis to propagate
from insurers without the means to pay
out on the mortgage defaults, to the
banks who lent the money, and to the
householders who lost their homes. This
is illustrated by the fall of Northern
Rock, which suffered the first run on a
British retail bank in a century. (Box A.)
• Deepwater Horizon. On April 20, 2010,
50 miles off the Louisiana coast in the
Gulf of Mexico, the Deepwater Horizon
drilling rig exploded and sank killing
11 workers. Hundreds of thousands
of gallons of oil began leaking daily
from a ruptured pipe, causing untold
environmental damage. The oil slick
OPERATIONAL RISK 3
washing up on the beaches threatened
wildlife and businesses. The fishing
industry was all but halted, and
tourism was curtailed. The drilling
platform was leased to the British oil
giant BP from the Swiss headquartered
rig operator Transocean, the world’s
largest offshore drilling company. The
explosion happened after the US com-
pany Halliburton, the world’s largest
provider of services to the energy
industry, laid cement casings round the
well head, completing its construction.
BP acknowledged that it had been
unprepared for the disaster. Opera-
tional risk controls failed in this case.
• Volcanic Ash. On April 14, 2010, a
volcano erupted through the Eyjafjal-
lajökull glacier in Iceland and sent a
cloud of ash into the upper atmosphere.
For safety reasons, the airspace over
parts of northern Europe was closed.
With thousands of flights grounded,
there was widespread disruption to
travel and business activity. Travelers
became stranded abroad. Airspace
was cautiously reopened five days
later. The previous volcanic eruption
at the glacier had been in Decem-
ber 1821. The long passage of time
since led to the 2010 eruption being
called a ‘‘black swan’’ event, an event
so unlikely as to be off everybody’s
radar.
RISKS AND RISK MANAGEMENT
Before considering operational risk and its
management, we give a very brief introduc-
tion to risks in general and their manage-
ment.
Classifying Risks
Risks are often sorted into categories, such as
those given here with illustrative examples
[3, p. 107].
• People Risks. Deliberate willful behav-
ior such as fraud or malicious dam-
age. Errors such as mistakes brought
on by fatigue, incompetence, lack of
management supervision, and inade-
quate staffing levels.
4 OPERATIONAL RISK

Box A. Northern Rock

This former Building Society (savings and loan company) had floated on the stock exchange
as a bank in 1997. It moved into subprime lending in 2006, issuing mortgages in excess
of 100% of property valuations, often on self-reported and unverified household incomes.
It expanded quickly to become the United Kingdom’s fifth largest bank, funding its
rise by borrowing on money markets, securitizing its mortgage debt, and other financial
instruments. When the US’s $8 trillion housing bubble burst, it became clear that Northern
Rock’s business model was severely defective.
The credit crunch of August 2007 caused the share price to fall fast. In September, there
were depositors queuing round the block seeking to withdraw their generally modest
savings. Withdrawals were also being made on-line. In December, the Bank of England
stepped in by providing liquidity support, and sought a buyer, but without success. On
February 22, 2008, it was taken into public ownership. Yet, it was considered to be well
managed operationally.
No measures had been taken to provide for a fall in property prices. It has been reported
that Lehman Brothers had underwritten £100 billion of Northern Rock’s debt (collateral-
ized debt obligations on mortgage-backed securities).
Lehman Brothers itself filed for bankruptcy on September 15, 2008. A week earlier, the
giant US mortgage lenders Fannie Mae and Freddie Mac had received a government
bailout, and the largest insurance company, AIG, and the largest savings and loan
company, Washington Mutual, were in dire straits, lining up for support.
The response to the collapse of Northern Rock was to herald the international effort to
stave off global collapse of the financial system.

• Cumulative Interactive Risks. Minor We need also to understand that these

errors build up leading to a major loss.
The effects accumulate as they prop-
agate through a company. This is the
so-called Swiss cheese model, where the
holes/hazards line up, with all controls
failing simultaneously. It is widely used
in investigating catastrophic incidents
[3, p. 113; 4, p. 234].
• Systems and Process Risks. Technology
failure, programming errors, errors in
data management, insufficient process-
ing capacity. Lost or wrong paperwork,
and inadequate segregation of duties.
• External Factors. The sinking of a
cruise liner would severely damage
the entire cruising industry, and have
an immediate impact on shipping
insurance premiums.
• Randomness. Low risk events having
high impact can be due to pure chance.
However unlikely, lottery jackpots are
won.
categories are not necessarily mutually
exclusive. Catastrophic industrial accidents
at a plant can occur despite the plant having
an exemplary safety record. In March 2005,
there was an explosion at BP’s Texas City
refinery which left 16 people dead and
more than 170 injured. A report on the
incident found that BP had interpreted
improvements in personal injury rates as
indicating acceptable process safety per-
formance. Elliott et al. [5] used this in the
introduction to their study of the relationship
between occupational illnesses and injuries
(OII) and the major incidents reported to
the US Environmental Protection Agency
over the same period, 1996 to 2000. Their
statistical analysis finds only weak evidence
of a link.
A Simple Framework for Risk Management
This is given in Fig. 2.
 OPERATIONAL RISK 5

Box B. Basel II
The Basel Committee for Banking Supervision (BCBS) was set up in 1974 as a committee
of the Bank for International Settlement (BIS) to provide a regulatory framework for
internationally active banks. In its Basel Accord of 1998, now known as Basel I, it settled
the minimal level of capital to be held by banks as provision for credit risk and market
risk. In 2001, it moved to do the same for operational risk in its New Basel Capital Accord,
known as Basel II [1]. It was approved by the European Parliament in 2005, and came
into effect across the entire European Union (EU) in 2008.
The accord sets out a risk sensitive way of calculating reserve capital to cover possible
defaults. Institutions are required to categorize operational risk losses by event type,
promoting identification of risk drivers. There is no mandated methodology.
Pillar 1 of Basel II gives three ways of calculating the operational risk capital charge, with
increasing complexity, but benefiting from a reduced charge.
• The basic indicator approach (BIA) calculates the reserve capital simply as a proportion
of gross revenue.
• The standardized approach (TSA) divides the activities of a bank into eight business
lines (Table 2), with standard capital charges for each based on calculated risk indicators.
• The advanced measurement approach (AMA) requires that the banks model loss distri-
butions of cells of a business line/loss event type grid from operational risk loss data
that they themselves have collected, supplemented as required by external data.
Pillar 2 of the accord requires banks to demonstrate that their management and supervi-
sory systems are satisfactory. Pillar 3 relates to transparency, requiring them to report on
their operational risk management.
Solvency II, the EU’s regulatory directive for insurers, has adopted the same three pillars.
This directive will come into force throughout the EU in 2013.
In November 2007, the US banking agencies approved the US Final Rule for Basel II.
Banks will be grouped into the large or internationally active banks that will be required
to adopt AMA, those that voluntarily opt-in to AMA, and the rest who will adopt an
extended version of the earlier Basel I. A Basel III is in preparation.

Management Tools bodies for their own use, can support

The following are approaches to risk manage-
ment, and in particular to operational risk
management (ORM).
• Risk and Control Self-Assessment
(RCSA). This is the identification,
evaluation and checks on the effec-
tiveness of all significant risks, and
the recording and reporting of the
results. This may involve the use
of questionnaires to establish expert
opinion, monitoring key performance
indicators (KPIs), form filling, work-
shops, and independent assessments.
External methodologies developed for
RCSA, or by supervisory and regulatory
this.
• Loss Event Monitoring. This is the col-
lection and tracking of loss events and
near misses, with regular reporting.
In some fields, regulators will have
specified the events they require to
be tracked. Good management will
expand on these, particularly in respect
of near-miss events which can be
predictive of potential loss.
• Key Risk Indicators (KRIs). Tracking
and monitoring KRIs can provide early
warnings of areas of concern. Doubts
stand as to their predictive value.
6 OPERATIONAL RISK
Risk reevaluation
Figure 2. The risk management cycle.
(Source: Taken with permission from Risk Control procedure
implementation
Books [6, p. 228].)
• Stress and Scenario Testing. This is
the contingency planning for possible
adverse events, from payouts occa-
sioned by a badly drawn up contract,
to the disaster recovery and business
continuity to follow from terrorism or
natural catastrophe causing the loss of
headquarters, paperwork, processing
capacity, and so on. It involves testing
impact tolerance and resilience.
CLASSIFYING OPERATIONAL EVENTS
When something is defined only by what it
is not, there is always going to be a problem
in giving it a taxonomy. A major hindrance
prior to Basel II was not only its lack of a con-
structive definition but also the absence of
data. Operational risk losses were generally
treated as costs of doing business and allo-
cated to the department where they occurred.
As such they were not recorded specifically
as operational losses. Even when they were
identified as such, if the losses were small,
they were not going to contribute signifi-
cantly to business failure. Post Basel II, data
can still be very sparse. An insurer recently
had just two oprisk events to show finan-
cial supervisors, with another six possible
(personal communication).
Operational Risk Loss Event Types in Banking
and Insurance
In practice, we would need to identify the
operational risk loss events particular to the
business activity. A start at this classification
can be made by using the seven designated
categories of loss events given in Basel II, also
adopted in Solvency II, the EU regulations.
Risk identification
Risk assessment
Control procedure
development
• Internal Fraud (IF). Losses within the
business from fraud, misappropriation
of property, unauthorized activity, and
circumventing regulations.
• External Fraud (EF). Fraudulent claims
by an external party, forgery, and hack-
ing damage to systems security.
• Employment Practices and Workplace
Safety (EP and WS). Organized labor
activity, violations of employee health
and safety rules, discrimination in
employment, and personal injury
claims.
• Clients, Products, and Business Prac-
tices (CP and BP). Unintentional failure
or negligence in meeting professional
obligations to clients or customers
(customer complaints, the suitability
of advice, lack of disclosure, including
breaches of trust). Flaws in the design
or behavior of a product.
• Damage to Physical Assets (DPA).
Losses from damage to property from
natural catastrophes (hurricanes,
floods) or man-made events (fires,
explosions, terrorism, pollution).
• Business Disruption and System Fail-
ures (BD and SF). Losses due to hard-
ware or software failure, system design
failure, and other infrastructure issues.
• Execution, Delivery, and Process
Management (ED and PM). Failed
transaction processing or management,
failed customer/client services (account
errors, data entry errors, and incorrect
payments), and inadequate monitoring
and reporting.
 OPERATIONAL RISK 7

Table 1. The Percentages of Losses of $10,000 or More for Each Event Type (Taken from the
2005 LDCE in the United States)
Event type IF EF EP and WS CP and BP DPA BD and SF ED and PM Other Total
Losses (%) 3.8 41.8 7.6 9.2 0.7 0.7 35.3 0.8 100
Source: [7].

Table 2. Business Units and Business Lines in the years 2000 to 2008. Insurance has
for International Banking Activities Under a different set of business lines from bank-
Basel II. Percentages of Losses are from the ing. The most significant with respect to
2005 LDCE operational risk are given in Table 3. The
Business unit Business line Frequency (%) event types are those mentioned in the
section titled ‘‘Operational Risk Loss Event
Investment • Corporate finance 0.4
banking
Types in Banking and Insurance.’’ The data,
• Trading and 7.9 derived from Selvaggi [8, Fig. 4A, p. 14],
sales give percentages of loss amounts for those
business activity/event type cells having at
Banking • Retail banking 65.3 least 4% of the total loss amount.
This information tells little about the
• Commercial 5.5
banking
actual events. For this we need level 2 and
level 3 categories, the seven event types
• Payment and 4.8 being level 1. To illustrate this, again from
settlement the ORIC database, Table 4, derived from
Selvaggi [8, Fig. 4B, p. 15], shows the most
• Agency services 5.5 significant level 2 and level 3 event types in
Others • Asset 2.7 terms of both severity and frequency (values
management over 4%). It excludes losses arising from
the UK’s mis-selling of endowment policies
• Retail brokerage 7.9 scandal. We note that natural disasters do
not feature as significant.
Source: [7].

The percentages of losses of $10,000 or more OPERATIONAL RISK MANAGEMENT

for each event type, derived from [7, slide
10], the 2005 LDCE in the United States, are
shown in Table 1.
Business Lines
Managing operational risk requires a more
granular breakdown of the business activi-
ties in which the losses occur. Basel II gives
eight broad business lines within the banking
sector, creating an 8 × 7 grid of 56 business
line/event type cells. Table 2 shows the per-
centages of losses from each business line
from the 2005 LDCE [7, slide 12].
The Operational Risk Consortium Ltd.
(ORIC) database of operational risk events,
established in 2005 by the Association of
British Insurers (ABI), has nearly 2000
events showing losses exceeding £10,000
Is anything more than common sense needed
for ORM? Or so a referee of an application
for research funds reported to the awarding
panel. We already manage our exposure to
operational risk by locking filing cabinets and
doors, by using fancy passwords, by installing
antivirus software, and so on. It has been
argued that it would be sufficient for every
employee, from the shop floor through to the
main board, to be educated about risk. Of
course, one response might be that we would
still need to address problems from outsourc-
ing and other subcontracting, and from exter-
nal events outside the control of the firm. We
must remember also that personal attention
to risk does not preclude process risk.
A widely accepted approach in risk
management is to identify the major risks
8 OPERATIONAL RISK

Table 3. Business Activity/Event Type Grid Showing Percentages of Loss Amounts

(Minimum 4%) in the ORIC Database (2000–2008)
Event type
Business activity CP and BP ED and PM BD and SF Others Total
Sales and distribution 18.9 6.8 0.7 26.4
Customer service/policy 13.2 2.3 15.5
Accounting/finance 23.4 0.1 23.5
IT 6.0 6.6 12.6
Claims 4.0 1.4 5.4
Underwriting 6.3 0.3 6.6
Others 5.1 11.8 1.4 10.0
Total 24.0 65.5 7.4 11.4 100.0
Source: [8].

Table 4. Level 2 and Level 3 Event Categories from Insurance Losses in ORIC (2000–2008)
that Show Loss Amounts and the Frequency of Losses of 4% or More
Level 2 events Level 3 events Size (%) Frequency (%)
Advisory activities Mis-selling (nonendowment) 13 9
Transaction capture, execution, Accounting error 12
maintenance Inadequate process documentation 8
Transaction system error 8 6
Management information error 7
Data entry errors 7 5
Management failure 5
Customer service failure 4 16
Suitability, disclosure, fiduciary Customer complaints 6 4
Systems Software 6
Customer/client account Incorrect payment to client/customer 9
management Payment to incorrect client/customer 4
Theft and fraud Fraudulent claims 4

Total 76 57
Source: [8].

faced by an organization, measured by their
impact in terms of their frequency and
severity. In many cases, from a list of 100
operational risks identified as occurring
within an organization, no more than 5 or
10 will give rise to the most serious of the
loss events and loss amounts. However, the
ubiquitous nature of operational risk req-
uires that day-to-day management must use
bottom-up as well as top-down risk control.
There needs to be an understanding of the
risk in all activities. Aggregating losses
over business lines and activities would
tend to hide the low impact risks behind
those having a more dramatic effect. The
bottom-up approach is thus a necessary
part of seeing the complete risk picture.
Aggregation at each higher level informs
management throughout the business.
The perception of the risk needs to match
the actual risk. Hazards that have not yet
been encountered may not even be consid-
ered, and when considered have risks that
are hard to calculate.
Operational Risk Management Structure
Figure 3, based closely on Álvarez [6, p. 231],
shows the structure of an operational risk
management program.
An internal operational loss event reg-
ister would typically show high impact
events at low frequency among events of
high frequency but low impact. A financial
institution might therefore sort its losses
into ‘‘expected loss’’ (EL) to be absorbed
by earnings, ‘‘unexpected loss’’ (UL) to be
covered by risk reserves (so not totally

Objectives
Define goals
Make them known to management and staff
Reporting
Provide a revised operational risk profile
Address issues raised and modify objectives
Analysis
Check effectiveness of controls
Compile information
Controls
Obtain management responses
Prepare a control framework
Figure 3. The operational risk management cycle. (Source: Taken with permission from Risk
Books [6].)
unexpected), and ‘‘stress loss’’ (SL) requiring
core capital or risk financing for cover.
The ‘‘EL’’ per transaction can easily be
embedded in the transaction pricing. It is
the rare but extreme stress losses that the
institution must be most concerned with.
This structure is the basis of the loss data
analysis approach to operational risk. Hard
decisions need to be made in choosing the
EL/UL and UL/SL boundaries. This latter
would often be the maximum probable loss.
Besides these, a threshold ‘‘petty cash’’ limit
is needed to set a minimum loss for recording
it as an operational loss. Loss events with
recovery and other near-miss events also
need to be in the internal database for
the information they carry. The threshold
and boundaries are set separately for each
business activity/event type category.
External Data
In addition to the management tools men-
tioned in the section titled ‘‘Management
Tools’’, operational risk management will
often need to supplement their internally col-
lected data. The shortage of in-house oprisk
data, particularly large loss events that
would have a major influence in estimating
reserve funds to cover a major loss should it
OPERATIONAL RISK 9
Processes
Prepare an action plan
Carry out risk identification
Risks
Identify hazards to be managed or mitigated
Assess risks for impact and frequency
occur, is such that data publicly available or
from commercial or consortia databases will
need to be explored.
Insurance
Transferring operational risk through insur-
ance is problematic as a risk management
tool [3, p. 187].
For example:
• Blanket cover would not be available,
leaving unforeseen events uncovered.
• Exclusions could deny payment. Simi-
larly, delays in payment, possibly for
years if legal proceedings take place,
could put firms at risk.
• The absence of sufficient and appropri-
ate data would make pricing the risk
difficult.
• Risk transfer may lead to moral hazard,
the abandonment of responsibility for
risk management.
Most importantly perhaps is that, although
insurance is a means of mitigating the con-
sequence of operational risk losses, it does
nothing to enhance control of the risk itself
[9, pp. 11 and 259–260].
10 OPERATIONAL RISK
MODELING OPERATIONAL RISK
The Marked Point Process
The appropriate structure for modeling
oprisk events is that of the marked point pro-
cess. Along the time line (the x axis) we have
points representing the times of occurrence
of the events. We attach marks to each of
these points. These are labels representing
information about the events (see the section
titled ‘‘Database Acquisition’’). In practice,
the first label is the loss size z, which can be
represented by a vertical spike at its time
point t, its height being proportional to the
size (with the y axis showing the scale). The
second label is a code i for the ith business
activity, and a third with a code j for the jth
event type. We are thus coding each point by
a (t, z, i, j).
The statistical modeling has to identify
the probability structure for these four-
dimensional descriptors. We can study each
business line separately and compare its
losses and their occurrence times with those
for any other business line, or even the rest
of the business lines; and similarly for the
event types, and every business line/event
type combination. This structure can be
visualized as the superposition on the time
line of processes for each business line/event
type combination (i, j) separately. The
interaction between the interval processes of
gaps between events and their sizes can also
be studied.
We have here a rich mixture to model.
In practice, we would need substantial
amounts of data to provide more than just
basic statistical properties. In the section
titled ‘‘Example: Fitting GEV and GPD,’’ we
model data from a single activity and event
type and fit only a loss severity probability
distribution.
MEASURING OPERATIONAL RISK
Basel [1, para. 665] requires that the inter-
nal measurement system of banks adopt-
ing the advanced measurement approaches
‘‘must reasonably estimate unexpected losses
based on the combined use of internal and
relevant external loss data, scenario analy-
sis, and bank-specific business environment
and internal control factors (BEICF).’’
Using the prudent amount of risk capital
allocation as a proxy for risk, and obtaining
this measure by modeling collected loss data,
may seem to satisfy the need for objectivity. It
seems to avoid the subjective interpretation
of risk indicators and expert opinion.
In practice, the quality of data and of its
collection, the appropriateness of the model
choice, the risk modeling of potential high
impact outcomes that have not happened,
the very shortage of data on those that have,
and assessing and aggregating the loss from
a major event, or the potential loss from a
near miss, the dynamics of risk management
practices making historic data out of date, the
use of external data which cannot match the
loss profile of the business, all of these point
to loss data analysis being a highly subjec-
tive approach to quantitative measurement
of operational risk.
Despite this, the act of establishing a price
for risk highlights risky activities, as well as
those held back because of exaggerated risk
assessment. It can be used as the basis of
cost–benefit analysis in capital allocation.
Further, loss data modeling allows for pre-
dictions and forecasting, for identifying cor-
relations between business lines and between
event types, for scenario analysis, stress test-
ing, benchmarking, validation, backtesting,
and so on.
There is no true answer, and no method-
ology on its own can provide it. Multiple
approaches should be used, both qualitative
and quantitative. The objective must be to
assist management in acquiring a sensitivity
to data, and in its interpretation for use in
decision making.
Database Acquisition
A loss event register is vital to understand-
ing the risk environment. The data entered
should show more than just the loss amounts.
The records should show for each loss event
• a reference number for the event;
• the level 2 business line code;
• the level 3 business line code;

• the event type;
• where it occurred;
• when it occurred;
• when it was discovered;
• the gross loss amount;
• amount of any direct recovery;
• amount of any indirect recovery;
• if a near-miss event, an estimate of the
potential loss amount;
• reference numbers of related events;
• a short narrative, to include, if needed,
proposed corrective action. (Source: [3,
p. 111; 10].)
External Data
Basel II requires internationally active
banks to have a systematic process for
determining as to when external data must
be used and how to make use of the data (‘‘the
use test’’), for example, scaling, qualitative
adjustments, or improving scenario analysis.
The accuracy and completeness of external
data have to be validated.
Scenario analysis enables an organiza-
tion to consider responses. However, merging
extreme scenario data with actual loss data
corrupts those data and distorts the loss dis-
tribution, and could lead to higher capital
charges than might otherwise be the case.
External loss data are available from
industry consortia and commercial sources.
Reference has already been made in the
sections titled ‘‘Operational Risk Events
Make Headlines’’ and ‘‘Business Lines’’ to
the OpVar and ORIC databases.
The Operational Riskdata eXchange
(ORX) Association is a well-established
database of operational risk events in bank-
ing. The not-for-profit consortium collects
data quarterly from its 54 member banks
from 15 countries, using a standard format.
It has attempted to establish loss data stan-
dards for the secure exchange of high-quality
anonymous oprisk loss data. The standard
format of ORX informed the list proposed
in the section titled ‘‘Database Acquisition’’
for internal database acquisition. In March
2010, ORX reported that it has more than
OPERATIONAL RISK 11
180,000 losses, each at least ¤20,000, and
totaling more than ¤47 billion [10].
There are also national banking
databases, and those using publicly available
information from the press and trade pub-
lications. Insurance companies have their
own claims registers, with accurate records
of amounts paid in settlement.
The Small Sample Problem
An extreme loss in a small sample is over-
representative of its 1-in-a-1000 year or 1-in-
a-10,000 year chance, yet underrepresented
if not observed. The largest losses are gener-
ally overly influential in any fitted model. So,
we must conclude that fitting a small data
set cannot truly represent the loss process
whatever model is used.
Basic to statistical practice is reporting on
the quality of any estimate. With only a small
data sample of oprisk losses, with none very
large, we have no way of reporting an accu-
rate value of a loss that would be seen only
once in a 1000 years. It is a well-understood
principle that any statistical inferences about
models in regions far outside the range of the
available data should be treated with caution.
In carrying out loss data analysis we are oper-
ating outside our statistical comfort zone.
Probability Modelling of Loss Data
The Gaussian (normal distribution) model of
much of statistical inference is inadequate
for loss data. Even a truncated normal dis-
tribution that excludes negative and small
positive values gives too little chance to large
and very large losses. The lognormal dis-
tribution has been used instead historically
in econometrics theory, and the Weibull in
reliability modeling.
Two models that can allow rare large
observations come from extreme value the-
ory. The generalized extreme value (GEV)
distribution and the generalized Pareto dis-
tribution (GPD) are the limit distributions
as sample sizes increase to infinity. Envi-
ronmental studies (hydrology, pollution, sea
defences, etc.) already use them. Each of
them has parameters μ giving location, σ
scale, and ξ shape, which we vary to obtain
a good fit. The location μ and scale σ are
12 OPERATIONAL RISK

0.006

0.005

0.004

0.003

0.002

0.001
Figure 4. The probability densities of
GEV (0.70, 230, 100) (line) and GPD (0.70, 0.0
150, 125) (dashes). 0.0 200 400 600 800 1000

Table 5. Penalties Imposed by Financial Regulators (In Thousands of US Dollars)

3822 907 735 556 423 395 302 260 248 220 204 193 180 160 150
2568 845 660 550 417 360 297 255 239 220 202 191 176 157 147
1416 800 650 506 410 350 295 252 232 220 200 186 176 154 146
1299 750 630 484 406 350 275 251 230 215 200 185 165 151 143
917 743 600 426 400 332 270 250 229 211 194 182 165 151 143
Source: [12].

not to be identified with the population mean
and standard deviation. For the GPD, μ is
the lower bound of the range. Figure 4 shows
the form of their respective probability den-
sity functions. Models with four and more
parameters, such as Tukey’s g-and-h class of
distributions, are also gaining users: but they
do require more data than is usually avail-
able. They have though been seen to capture
the loss distribution of aggregated firm-wide
losses. Readers are referred to Young and
Coleman [3] for plots and properties of these
and other models.
Example: Fitting GEV and GPD. This
section follows the analysis in Young and
Coleman [3, pp. 399–403], summarized
in Coleman [11], for fitting the 75 losses
given in Cruz [12, p. 83]. In Table 5, these
data have been ordered and rounded to the
nearest $1000.
Figure 5 shows the sample cumulative
distribution function (the observed propor-
tion of values less than x) shown as steps,
together with four fitted cumulative distribu-
tion functions (the height y is the probability
of obtaining a future value less than x). The
range of observation is (143, 3822). Figure 5
shows a good fit in each case. Table 6 shows
the values of four fitted models, and some
large quantile values for each of them (the x
values for given y values). For example, the
99th percentile Q(0.99) is at a loss value of
3663 for the first model. The others are at
2794, 4457, and 2605. The 99.9th percentiles
range from 7595 to 22,452. This Q(0.999) is to
be the basis of regulatory charging in bank-
ing, with Q(0.995) for insurers. Estimation
far outside a data set is always fraught. This
can lead to significant errors in high quan-
tile estimation. Quantiles give no information
about how big a future loss larger than Q(p)
is likely to be. A measure used for this is the
mean excess, also called conditional value-at-
risk (CVaR). This computes the mean over
the values greater than Q(p) of the fitted
model probability.
A simulation study of GPD (0.70, 150, 125)
gave an approximate 95% confidence interval
for Q(0.999) of (5200, 9990).
A simulation of 4000 values from
GEV (0.53, 230, 130) gave the estimates
(0.50, 227, 126) for its parameters, empha-
sizing the need for large data sets.
The computations were made using Aca-
demic Xtremes, a computer package that
accompanies Reiss and Thomas [13].
 OPERATIONAL RISK 13

0.5

Figure 5. The sample cumulative distri-

bution function (steps) with the four fitted 0.0
models of Table 6. (Source: [3, p. 401].) 0.0 1000 2000 3000 4000

Table 6. The Parameters, Quantiles, and Fitted Values of the GEV and
GPD Models when Fitted to Loss Data
Fitted model GEV GEV GPD GPD
Parameter estimates
ξ 0.53 0.70 0.44 0.70
μ 230 230 135 150
σ 130 100 165 125
Quantiles
Q(0.9) 777 793 866 793
Q(0.95) 1230 1169 1425 1161
Q(0.99) 3663 2794 4457 2605
Q(0.995) 5906 4046 7258 3619
Q(0.999) 18,066 9525 22,452 7595
Data Model values
1416 1614 1459 1902 1435
2568 2280 1925 2733 1857
3822 4842 3470 5929 3160
Source: [3, pp. 400–403].

Frequency Modeling threshold used for the internal data against

Standard statistical methods can be used to
fit Poisson or negative binomial probability
distributions to frequency counts. Experience
shows that the daily, weekly, or monthly fre-
quencies of loss events tend to occur in ways
that cannot be fitted well by either of these
models.
Combining Internal and External Data
When data from an external database are
combined with an in-house data set, the
former are relocated and scaled to match the
latter. Then, we adopt the location and scale
of the internal data. Finally, we check the
the new threshold for the relocated and
rescaled external data, and set the larger of
the two as the new threshold, eliminating all
data points that fall below.
This is illustrated in Giacometti et al. [14,
p. 7], where we see that it can lead to strange
statistical results if the location and scale
metrics are not chosen appropriately. A table
shows a mean of pooled data having a mean
smaller than the mean of both the internal
and the external data. The same happens
to the medians. Elsewhere another pooling
shows skewness and a kurtosis of pooled
data being larger than those of the separate
 14 OPERATIONAL RISK
sets. We should perhaps be seeking a bet-
ter standardization of operational risk loss
data. In Reiss and Thomas [13], a logarith-
mic transformation of the data is taken prior
to standardization. This corresponds to fit-
ting a lognormal probability distribution to
the data, but it did not entirely rectify the
paradoxical result. A two-parameter extreme
value theory model such as the standard
Gumbel distribution should be a better choice
for standardization. This choice has been
applied in an environmental context relating
different measures of air pollution [15].
CONCLUDING REMARKS
With risk being found in every enterprise,
why does finance have such a prominent role
in the study of it? Or does it? The theory of
probability and statistics grew out of calcu-
lation of the odds in gambling. Knowing its
true value gave an edge to any gambler. The
mathematics was extended to set the price
for life insurance, to determine the premium
that should be charged for assuming the risk.
The financial services regulators make
explicit in their rules the requirements of
modeling, measuring, and using the results of
the exercise. There are no prescriptive rules
for the models that are to be used. The finance
industry is still searching for the best prac-
tice. This is driving efforts at finding robust
processes for operational risk, and evaluating
methodologies for it. We must wait and see
what emerges.
REFERENCES
1. Basel Committee on Banking Supervi-
sion. International convergence of capi-
tal measurement and capital standards.
Basel: Bank for International Settlements;
2006.
2. de Fontnouvelle P, De-Jesus V, Jordan
J, et al. Capital and risk: new evidence
View publication stats
on implications of large operational losses.
Federal Reserve Bank of Boston. Working
Paper No. 03-5. Available at www.bos.frb.org/
bankinfo/oprisk/articles.htm.
3. Young B, Coleman R. Operational risk assess-
ment. Chichester: John Wiley & Sons, Ltd.;
2009.
4. Reason J. Managing the risk of organisa-
tional accidents. Aldershot: Ashgate Publish-
ing; 1997.
5. Elliott MR, Kleindorfer PR, DuBois JJ, et al.
Linking OII and RMP data: does everyday
safety prevent catastrophic loss? Int J Risk
Assess Manage 2008;10:130–146.
6. Álvarez G. An operational risk management
framework. In : Davis E, editor. Operational
risk: practical approaches to implementa-
tion. London: Risk Books; 2005. pp. 227–
236.
7. Cole RT. New challenges for operational risk
measurement and management – a regula-
tor’s perspective. 2008. Keynote address.
www.bos.frb.org/bankinfo/qau/conf/
oprisk2008.
8. Selvaggi M. Analysing operational risk in
insurance. ABI Research Paper 16. Asso-
ciation of British Insurers; 2009. www.abi.
org.uk.
9. Williams C, Smith M, Young P. Risk man-
agement and insurance. 8th ed. New York:
McGraw-Hill; 1998.
10. ORX. Available at www.orx.org/orx-data.
11. Coleman R. A VaR too far. Capco Inst J Finan
Trans 2010;28:123–129.
12. Cruz MG. Modeling, measuring and hedging
operational risk. Chichester: John Wiley &
Sons, Ltd.; 2002.
13. Reiss R-D, Thomas M. Statistical analysis
of extreme values. 3rd ed. Basel: Birkhäuser
Verlag; 2007.
14. Giacometti R, Rachev S, Chernobai A, et al.
Aggregation issues in operational risk. J Oper
Risk 2008;3(3):3–23.
15. Heffernan JE, Tawn JA. A conditional
approach for multivariate extreme values.
J Roy Stat Soc B 2004;66:1–34.