
UNIT 7: OPERATIONAL RISK MANAGEMENT

1. Discuss the framework of business lines and event types as per the Basel Committee for operational risks.
2. Assess the consequential effects of operational risks.
3. Evaluate the different possible measures of operational risks.
4. Discuss the Basel principles of sound operational risk management for international financial institutions.
5. Assess the different methods for operational risk mitigation.

Operational risk can be viewed as the risk which will disrupt normal day-to-day activities.

In many non-financial organisations, operational risk will be commonly related to hazard and
infrastructure risks. However, for banks and other financial institutions, operational risks have
more distinct features and are more extensive.

Financial institutions are exposed to high potential financial loss if there are high operational
risks. As such, they need to ensure that they have sufficient capital reserves to meet the current
and future financial loss.

According to the Bank for International Standards (BIS), operational risk is “the risk of loss
resulting from inadequate or failed internal processes, people and systems or from external
events”.

The Basel Committee requires banks to hold capital for operational risk, but the Committee acknowledges
that the approach to operational risk management selected by an individual firm will rest upon a
range of factors such as its size and complexity, and the type and intricacy of its activities. In this
regard, banks and other financial institutions are required to collect their own data and carry
out their own analysis, and it is suggested that operational risk exposures and losses be
segmented into a series of standardised business lines and event types.

From the above, it can be seen that Basel provides seven operational risk event types, along with
examples of situations giving rise to operational exposures. When combined with business lines,
the following matrix is obtained:

The characteristics of operational risks are distinct in that they lead to other risk issues. Many
financial institutions fail to recognise the high importance of operational risk because they focus
their risk management efforts on mitigating either credit risk or market risk. However,
operational risks have their own consequential effects. These are as follows:

• Legal risk - There are complex contractual relations between an institution and its
customers. As an example, if there are failed procedures in debt recovery, there may be legal
proceedings from customers who feel they have been treated unfairly and that there has
been a breach of contract.

• Market risks - There might be a breach of the market risk limit if staff are not trained
to detect errors in the portfolio management system.

• Liquidity risks - If the finance department has an inefficient monitoring system for cash
management, there might be a liquidity problem in paying for current expenditure items.

• Reputational risks - A fraud can lead to an impaired reputation that may materialise in the
form of losses due to the declining trust of customers and investors. If the news becomes
public, there is a risk that it lowers the reputation of the institution.

• Regulatory risks - There might be sanctions from the regulator in case of non-compliance
with current procedures or processes. As an example, not following the established KYC
procedures can result in fraud or money laundering and can lead either to fines imposed by
the regulator or, in certain circumstances, to the licence being revoked.

• Credit risks - Inadequate processes for reviewing credit standing and granting loans can
result in credit risk. Such operational risk could originate with people, for example where
staff misinterpret a counterparty's financial statements due to a lack of skills and
appropriate training.

MEASUREMENT OF OPERATIONAL RISK

Based on the Basel Committee definitions of operational risk, different measures can be used
to categorise the sources of operational risk. The measures can be categorised as follows:
• Systems: Infrastructure
• Systems: Information Technology
• Business Processes
• People
• External Events

Systems: Infrastructure

The measures relating to infrastructure depend on whether certain requirements are satisfied.
If those requirements are not met, there is a high operational risk emanating from the system
infrastructure. The main requirements are as follows:
• How far are the facilities outdated?
• Are there adequate maintenance and repairs?
• Is there clear organisational documentation with regard to responsibilities?
• How many emergency exercises have been conducted?

If the above requirements are not satisfied, this indicates inadequate system infrastructure,
leading to higher operational risk.

Systems: Information Technology

In many businesses, IT systems are essential for smooth day-to-day running. The following
are the main indicators used to gauge the level of operational risk related to IT:
• Does the firm have inadequate software quality?
• Are there any policies related to IT security? These relate to whether there is unauthorised
access by third parties or unauthorised access by employees.
• How far is the information technology used by the organisation vulnerable to malicious
software?
• Is there a policy in place to ensure data protection?
• Is there ongoing operation and monitoring of IT systems?

Business Processes

To assess the operational risks in business processes, the following are considered:

• Is there sound documentation of business processes? Undocumented or poorly documented
processes lead to confusion among employees and higher operational risk.

• Are there any bottlenecks in the current process? There may be a lack of specified delegation of
activities, such that communication does not flow among units, creating delays in processing.

• How many redundancies are detected in processes? There may be duplication of responsibilities
or activities, such that some processes are not needed.

• Is there a structured and systematic procedure for specific project management? There may be
confusion over the responsibilities and authority to conduct projects, and this can lead to delays
in project execution.

People

The main risks falling under the category of people risk are as follows:

• How many staff acts with the intent to make personal gain or to cause damage have been
registered? These relate to criminal acts such as embezzlement of funds, fraud, corruption,
data theft, etc.

• Are there human errors without any intent to make personal gain or to damage the employer?
These may relate to incorrect processing of data, incorrect execution of procedures due to a
lack of knowledge or expertise, wrong input into IT software, clerical mistakes, amongst others.

• Are there adequate personnel resources to carry out the tasks effectively and efficiently in the
organisation? A limited number of personnel can lead to more pressure on current staff, leading
to a higher risk of operational errors.

External Events

Even when all precautionary measures have been taken by the firm, there are some external events
beyond its control which can disrupt the operations of the organisation. These relate to the
following:
• How far will the business be subject to the risk of natural disasters?
• How far is the organisation subject to external crime such as robbery, larceny and burglary?
• Are there any risks relating to terrorism, wars or political interference?

OPERATIONAL RISK MANAGEMENT AND MITIGATION

The Basel Committee describes eleven principles of sound operational risk management for
international financial institutions. These principles cover three areas: governance, the risk
management environment, and the role of disclosure. Following the consultative paper of June
2011 by the Basel Committee, the principles are as follows (see the summary below this list):

1. Principle 1: “The board of directors should take the lead in establishing a strong risk
management culture. The board of directors and senior management should establish a corporate
culture that is guided by strong risk management and that supports and provides appropriate
standards and incentives for professional and responsible behaviour. In this regard, it is the
responsibility of the board of directors to ensure that a strong operational risk management
culture exists throughout the whole organization.”

2. Principle 2: “Banks should develop, implement and maintain a Framework that is fully
integrated into the bank’s overall risk management processes. The Framework for operational
risk management chosen by an individual bank will depend on a range of factors, including its
nature, size, complexity and risk profile”.
3. Principle 3: “The board of directors should establish, approve and periodically review the
Framework. The board of directors should oversee senior management to ensure that the policies,
processes and systems are implemented effectively at all decision levels”.

4. Principle 4: “The board of directors should approve and review a risk appetite and tolerance statement for
operational risk that articulates the nature, types and levels of operational risk that the bank is willing to
assume”.
5. Principle 5: “Senior management should develop for approval by the board of directors a clear,
effective and robust governance structure with well defined, transparent and consistent lines of
responsibility. Senior management is responsible for consistently implementing and maintaining
throughout the organisation policies, processes and systems for managing operational risk in all of
the bank’s material products, activities, processes and systems consistent with the risk appetite
and tolerance”.
6. Principle 6: “Senior management should ensure the identification and assessment of the
operational risk inherent in all material products, activities, processes and systems to make sure the
inherent risks and incentives are well understood”.
7. Principle 7: “Senior management should ensure that there is an approval process for all new
products, activities, processes and systems that fully assesses operational risk”.
8. Principle 8: “Senior management should implement a process to regularly monitor operational
risk profiles and material exposures to losses. Appropriate reporting mechanisms should be in
place at the board, senior management, and business line levels that support proactive
management of operational risk”.

9. Principle 9: “Banks should have a strong control environment that utilizes policies, processes
and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies”.
10. Principle 10: “Banks should have business resiliency and continuity plans in place to ensure an
ability to operate on an ongoing basis and limit losses in the event of severe business disruption”.
11. Principle 11: “A bank’s public disclosures should allow stakeholders to assess its approach to
operational risk management”.

Principle 1: Strong Risk Culture
Board leads in creating strong risk management culture.
Corporate culture guided by risk management and responsible behavior.
Board ensures operational risk culture throughout the organization.
Principle 2: Integrated Framework
Banks develop an operational risk management framework.
Framework tailored to bank's nature, size, complexity, and risk profile.
Principle 3: Framework Oversight
Board establishes, approves, and reviews the Framework.
Board oversees effective implementation at all decision levels.
Principle 4: Risk Appetite Statement
Board approves and reviews operational risk appetite and tolerance.
Articulates the types and levels of operational risk the bank accepts.
Principle 5: Governance Structure
Senior management creates transparent governance structure.
Clearly defined responsibilities for managing operational risk.
Principle 6: Risk Identification and Assessment
Senior management identifies and assesses inherent risks.
Ensures understanding of risks and incentives across products and activities.
Principle 7: Approval Process
Senior management implements approval process for new activities.
Full operational risk assessment for new products, processes, and systems.
Principle 8: Risk Monitoring
Senior management monitors operational risk profiles regularly.
Reporting mechanisms for proactive risk management at all levels.
Principle 9: Strong Control Environment
Banks establish robust control environment.
Utilizes policies, internal controls, risk mitigation strategies.
Principle 10: Business Resiliency and Continuity
Banks have plans for business resiliency and continuity.
Ensures ongoing operation and limits losses during disruptions.
Principle 11: Transparent Disclosures
Bank's public disclosures reflect operational risk approach.
Stakeholders can assess the bank's risk management approach.

In addition to having sound operational risk management principles, firms can consider the
following methods for operational risk mitigation:

1. Audits and Controls
2. Business continuity planning and disaster recovery
3. Insurance
4. Information Management Policy
5. Physical security
6. Risk awareness
7. Training

Audits and Controls

There should be regular audits to recognise operational problems. For instance, the system should
allow accounting errors to be identified before they escalate to bigger proportions. To this effect,
all processes should have integrated controls and checkpoints to recognise errors and prevent
losses such as fraud and theft. In this respect, it is important that there is segregation of duties
among staff to ensure that no one person has end-to-end authority to process transactions. A
simple example is that one person processes a payment transaction and another person is
responsible for its verification.

Business Continuity Planning and Disaster Recovery

In simple terms, business continuity planning is how an organisation prepares for future incidents
that could jeopardise its existence. The range of incidents covered should include everything from
local events like fires, through regional disruption such as earthquakes or national security
incidents, to international events like terrorism and pandemics. In the case of a serious incident
such as loss of access to premises or the failure of a major part of an organisation, it is important
to have in place a well-defined, documented and tested disaster recovery plan. Such plans inevitably
focus on recovery of access to IT systems and data, but also commonly cover the provision of
alternative premises (if needed) and other facilities, as well as setting out plans for communication
with employees and with other stakeholders such as suppliers, customers and the media at a time of
crisis.

Insurance

Businesses can take out insurance policies to reduce operational risks such as fraud, fire or human
errors leading to loss. For instance, a bank can insure itself against theft under certain conditions.
However, it is also important to consider the conditions of the insurance policy and what events are
specifically covered.

Information Management Policy

It is important that firms categorise the types of information which they receive from and give to
different stakeholders. The information can be held on paper or in soft copy. To this effect, the
staff of the institution or firm must know which information can be shared freely and which can be
shared only with prior authorisation. Most information nowadays is online, and the issue of cyber
security is of utmost importance for many institutions. Indeed, there is an increasing threat from
cyber criminals hacking into the firm's IT systems to gain access to personal and other sensitive
information. Appropriate steps need to be taken to protect it regardless of the medium. These steps
could be secure IT systems, secure network systems, access restricted to certain staff, password
protected files, malware prevention, and removable media controls, amongst others.

Physical Security

Physical security considers the measures that are taken to prevent unauthorised access to facilities,
equipment and resources and to safeguard personnel and property from damage or mischief. According to
the guidelines on the security measures for operational and security risks of payment services by the
European Banking Authority (2017), “… physical and logical access to systems should be permitted only
for individuals who are authorized by the management body or, where relevant, by senior management;
authorization should be assigned according to the staff’s tasks and responsibilities, limited to
individuals who are appropriately trained and monitored”. In addition, it is stated that there should
be “… controls that reliably restrict such access to systems to those with a legitimate business
requirement. Electronic access by applications to data and systems should be limited to the minimum
possible”.

Risk Awareness

Communicating a risk is important as it may help to reduce it. For instance, a fraud can be communicated
to front-line managers so that they are better equipped to detect that type of risk. In particular, risk
awareness policies help employees understand the principle of reducing the probability of a risk
occurring, and the key roles they play in mitigating these operational risks.

Training
Training for all relevant staff should be provided by the firm to help employees to use the systems and processes more
effectively and to reduce human errors. Training should also be provided to handle external events associated with
operational risks.

Audits and Controls:
• Regular audits to identify operational issues.
• Controls and checkpoints integrated to catch errors and prevent losses (fraud, theft).
• Segregation of duties to prevent end-to-end transaction authority.

Business Continuity Planning and Disaster Recovery:
• Business continuity planning prepares for incidents jeopardizing existence.
• Covers incidents from local to international scale.
• Disaster recovery plans for major incidents; focus on IT recovery, communications, alternative facilities.

Insurance:
• Businesses can use insurance to reduce operational risks (fraud, fire, errors).
• Conditions of the insurance policy and covered events are important considerations.

Information Management Policy:
• Categorize information received from and shared with stakeholders.
• Address cyber security threats to protect sensitive information.
• Secure IT systems, networks, controlled access, password protection, malware prevention.

Physical Security:
• Prevent unauthorized access to facilities and resources.
• Access allowed only for authorized individuals based on tasks and training.
• Control electronic access to data and systems.

Risk Awareness:
• Communicate risks to reduce them (e.g., fraud) and increase detection.
• Risk awareness policies help employees understand reducing risk probability.

Training:
• Provide training to staff for effective system use, reducing human errors.
• Train for external events linked to operational risks.
