CHAPTER 1

1.0 INTRODUCTION
The purpose of this study is to analyse operational risk management in the banking sector in
Zimbabwe. Operational risk is among various risk types that banks are exposed to and the
impacts of operational risks have been negatively affecting bank’s operations. Several banks’
both local and international banks have incurred losses due to this type of risk. As a result of
the increases in incidences of operational risks a framework for operational risk management
was established by the Bank of International Settlement and the Framework is known as the
Basel II framework. Therefore, this research will explore how banks in Zimbabwe
particularly Ecobank has been managing its exposure to operational risks.

1.1 BACKGROUND
Operational risk is one of the risks’ which has been overlooked by the banks. Banks have
been mainly focussing on market risk and credit risk which were considered to be the major
financial risks affecting the banking industry. However due to the increase in losses being
incurred in the banking industry bank have now also put their focus on operational risk
management. Modiha (2009:1) stated that “there are a number of events that have taken place
in the financial sector that emphasise the need for robust operational risk management.”
Examples of banks which have incurred huge losses as stated by Jorion (2003:534) include:
Allied Irish Bank’s $691 million loss in 2002, NatWest $127 million loss in 1997 and
Sumitomo $2.6million loss in 1996. Lehman Brothers is also another institution which has
gone bankrupt due to lack of proper operational management. It is due to the increase in these
losses that the Basel Committee in 2001 proposed for capital charge to be set aside by banks
as buffer against operational risk (Tchernobai, 2006).The Basel Accord II which was
established in 2006 takes it account operational risk as one of the risks affecting banks. In the
case of Zimbabwe a number of banks have been affected by lack of proper operational risk
management. In order to improve Operational Risk Management in the Zimbabwean banking
sector the Reserve Bank of Zimbabwe drafted a Framework for Operational Risk
Management (2006).Therefore due to all these problems the analysis of operational risk
management is of paramount importance to all banks. This research is based on the analysis
of operational risk in banking sector in Zimbabwe paying special attention on operational risk
management in Ecobank Zimbabwe Limited.

1|Page
1.1.1 Background of the Zimbabwean Banking Sector

The financial sector in Zimbabwe was deregularised and liberalised in the early 1990s
through the Economic Structural Adjustment Programme (ESAP). This opened the room for
foreign banks to enter the Zimbabwean banking sector. The Reserve Bank of Zimbabwe is at
the apex of all banks in Zimbabwe and it regulates all the banking activities conducted by
every bank in Zimbabwe. As of 31 December 2014, the RBZ highlighted that there were 19
operating banking institutions which were comprised of; (a) Fourteen (14) commercial banks,
one (1) merchant bank, one (1) savings bank and the remaining are ( 3) three building
societies.

1.1.2 Brief background of the Company

Ecobank Transnational Incorporated is a universal banking institution which is present in 35
African countries. In Zimbabwe, the bank operates as a commercial bank under the name
Ecobank Zimbabwe Limited (EZW). The limited company in comprised on the bank and a
company for asset management.

1.2 THE PROBLEM STATEMENT

Over the past three decades several banks both local and international have incurred huge
losses due to failure in managing operational risk management. These losses have resulted in
some banks going bankrupt and in the process the depositors have been left stranded. Most of
the banks have also been reluctant to incorporate all aspects of operational risk in their risk
profile and thereby creating a gap. Therefore, this research is based on an analysis of
operational risk management on the Zimbabwean banking sector, a case of Ecobank.

1.3 RESEARCH OBJECTIVES

1.3.1 The main objectives

a) To determine whether the banks in Zimbabwe are following the RBZ Guidelines for
Operational Risk Management.
b) To assess whether banks in Zimbabwe are taking into account capital charges
requirements for operational risk management as stipulated by Pillar of the Basel II
Accord.
c) To determine how banks in Zimbabwe are managing operational risk.
d) To determine the major causes and consequences of operational risks in banks.
e) To find out the tools that are being used by banks to manage operational risk.

2|Page
1.3.2 Research Questions

a) What is operational risk?

b) What are the causes of operational risk?
c) What are tools for managing operational risk and how they are used by Ecobank?
d) What are the steps being taken by banks to ensure that operational risk is kept in
check?
e) What are the measures for reducing operational risk?

1.4 RESEARCH ASSUMPTIONS

a) Failure to manage operational risk by banks can lead to huge losses or fines.
b) Banks are setting aside capital charges for operational risk as stipulated by Basel 2
Accord.
c) Banks are using the RBZ Framework as a guideline for Operational Risk
Management.
d) The respondents will provide accurate information.
e) All banks are exposed to operational risk.
f) The tools for measuring operational risk are the same across all the banks.
g) The sample size to be used in the research is a true representative of all banks in
Zimbabwe.

1.5 THE SIGNIFICANCE OF THE RESEARCH

 This study is significant to all the banks in Zimbabwe; this is because all banks are
exposed to operational risk. Especially those who are in risk management department
and internal audit department they can make use of the findings in this research for
decision making purposes in future.
 It is of paramount importance to assess whether banks are complying with the rules
and regulations that governs their operations. Therefore, this research is of importance
as it assesses the extent to which Ecobank has implemented the guidelines of the
governing boards such as the RBZ and the Basel Committee.
 Given the rise in the failure of banking institutions the research findings from this
research can be useful in trying to determine if operational risks are the major causes
of bank failures.

3|Page
  This research is also useful for benchmarking purposes for future researches to be
conducted.

1.6 SCOPE OF STUDY

This study is focussed on the importance of operational risk management in the banking
sector. The research is mainly based on Ecobank Zimbabwe Limited and how the bank is
managing operational risks. The study was conducted using two major frameworks for
operational risk management. These frameworks are (a) RBZ Guidelines on Risk
Management (2006) or the BSD report (b) Basel II Accord. Therefore this research will try to
explore the extent to which the bank has integrated these frameworks into their banking
operations.

4|Page
 CHAPTER 2
LITERATURE REVIEW
Walliman (2001) states that “the objective of the initial literature review is to discover
relevant material published in the chosen field of study and to search for the suitable problem
area.” This section will deal with literature review in respect to operational risk management
in the banking sector.

2.1 The concept of Risk

(Fabozzi et al, 2003:5) defined risk as “the degree of uncertainty associated with the expected
returns.” Risk can be systematic risk or unsystematic risk.Brown and Reilly (2009)defined
unsystematic risk as unique risk which is “diversifiable” and this diversification can be
achieved by spreading the risk through increasing investments in an asset portfolio. In
contrast systematic risk is the one which is not diversifiable by increasing investment in a
portfolio of assets to spread the risk.

2.1.1 Types of Financial Risks common in the banking sector

2.1.1.1 Market risk

Market risk is defined as the “risk of losses due to the movements in the financial market
prices or volatilities,”(Jorion, 2009:247).The variables include interest rates, foreign
exchange rates, equities and commodities.

2.1.1.2 Interest rate risk

“Interest rate risk is the risk incurred by a financial institution when the maturities of its
assets and liabilities are mismatched and the interest rates are volatile,” (Saunders et al,
2009).

2.1.1.3 Credit Risk

“Credit risk is the risk that a counterparty, whether a participant or other entity, will be unable
to meet its financial obligations when due, or at any time in the future,” (CPSS – IOSCO,
2012)

2.1.1.4 Liquidity Risk

Liquidity risk is, “the probability of a situation when a financial institution is unable to meet
its proper (both cash and payment) obligations as they become due,” (Teply&Dedek, 2003).

5|Page
2.1.2 Enterprise Risk Management (Corporate Risk Management)
“Enterprise risk management (ERM) is a process which is effected by an organisation’s board
of directors, the management team and other personnel, applied in strategy setting and
through the organisation. Furthermore, it is designed to identify potential events that may
affect the organisation, and manages the risk to be within the organisation’s risk apetite as
well providing a realistic assurance regarding the achievement of an organisation’s goals and
objectives,” (COSO, 2004 in Oblakovic, 2013).

2.2 What is Operational Risk?

Authors such as Jorion (2009) argued that operational risk in not easy to identify as compared
to market risk or credit risk. Jorion (2009) went on to give two definitions of operational risk,
the other one is a narrow definition and the other is a wider definition. The narrow definition
defined operational risk management as the one which is associated with transaction
processing.

Furthermore, (CPSS-IOSCO, 2012:20) defined operational risk as the risk in which

“deficiencies in information systems, or internal processes, human errors, management
failures or disruptions from external events will result in the reduction, deterioration, or break
down of services provided by a financial institution.” Operational risk can also be a result of
malfunctions in existing technology. Operational risk has an effect of reducing the
effectiveness of the measures that Ecobank or any other financial institution may take to
manage risk for example it impairs the banks’ ability to complete settlements as well as it
hampers the banks’ ability to assess and manage their credit exposures. Operation risk can
come from both internal and external sources. Other operational failures include fraud, data
loss or insufficient capacity.

2.2.1 Short comings of the definition of Operational Risk

Several authors have argued that the two common definitions of operational risk fail to take
into account other components of operational risk.

2.2.1.1 The Narrow definition

The International Finance Corporation (2012) argues that, the narrow definition of
operational risk covers legal risk but excludes strategic risk and reputational risk.
Furthermore, Jorion (2009; 590) also supports this criticism but he went on to say that the
definition “includes internal business events and external events such as external fraud,

6|Page
regulatory effects, security breaches and natural disasters.” The Basel Committee though it
also accepted the narrow definition as its official definition for operational, the same
disadvantages of the definition were raised.

2.2.1.2 The Broad Definition

The broad definition which defines operational risk as risk other than credit risk or market
risk is criticised by organisations such as the International Finance Corporation (2012) in the
sense that it omits the largest component of operational risk which is business risk. Richard J.
Herring (2002) defined business risk as, “the risk of loss that is attributable to the
organisation’s inability to drive down costs as quickly as business revenues decline.

2.3 Distinctions between Operational Risk and other types of financial risks

Operational risk has some features which distinguishes it from other types of risks which the
banks are exposed to. Figure 2.1 below illustrates these differences:

Figure 2.1 Operational risk Vs Other Financial Risks

Source: IFC (2012)

The International Finance Corporation (2012) states that, “market risk and credit risks are
specific to the financial industry whereas operational risk is a general risk with particular
features in Banking.” The major distinction which was noted by this organisation is that
market risk and credit risk are taken for financial reward as opposed to operational risk which
is inherent (exists) in the normal operations of the business.

7|Page
The IFC (2012) gave the following features of operational risk

 It is diverse in its scope.

 It is complex in comparison to other forms of risk.
 It includes the risks that originates from various areas of the business
 Fewer resources have been dedicated to it.
 Employees are required to be multi skilled.
 There does take into account the risk/ return trade-off that is inherent to market and
credit risk.

2.3.1 Operational Risk and its relationship with other types of Risks
The Business Dialogue published by KPMG (2012) suggests that in some instances
operational risk can expose institutions to other types of risk. Figure 2.2 below is an
illustration of how operational risk is linked to other types of risks:
Figure 2.2: Operational Risk and its link to other types of risks

Source: KPMG Business Dialogue 2012

KPMG (2012) asserts that there is need to pay attention to the invisible part of the icebeg.
Lack of understanding of operational risk can expose the banks to other types of risk as
shown above. KPMG (2012) also mentioned that, “common examples include the market
related operational risk events that are mainly associated with activities such as rouge trading,
unauthorized, leverage operations and complex products.”

2.4 Classification and causes of operational risk

Muehlenbrock, Messinin and Segui (2012) separated the causes of operational risk into
external risks and internal risks. In supporting their idea they used the following table:

8|Page
 Table 2.1:Causes of Operational risk
Cause Risk Event (what goes wrong) Impact

Internal (process, people & systems) Fraud

Human Error in transaction processing Customer's claim
Missing a control step Near misses
Disruption or system failures (hardware, software, Telecommunications) Forgone revenue
Act of sabotage or vandalism from a n employee repurchase of stuff
Not Compliance with law and regulatory requirements fine from authority
Dispute with employee due to discrimination or harassment
New service and or change in the current processes

External Fraud
Act of terrorism and sabotage

Source:Muehlenbrock, Messinin and Segui (2012) - Operational Risk.

As shown by table 2.1 the major sources of internal risks are processes, people and systems.
The impact for both internal and external factors may be the same.

On the other hand Jorion (2009:590) classified operational risk into 5 distinctive groups and
these are people, processes, systems, external factors and physical risks such as fire and
natural disasters. Furthermore, Jorion (2009) suggested that, “ among the above mentioned
risks, a notable risk for complex products is model risk, which is due to using wrong models
for valuing and hedging assets.” This is a form of internal risk which involves a combination
of factors such as lack of knowledge with product complexity and most probably
programming errors.

2.5 Operational Risk and the Basel Accord

The continued collapse and failure of banks especially in western countries led to the creation
of the committee known as the Basel Committee. Modiha (2011) suggests that the committee
was formed by the central bank governors of the G10 countries in 1974. These countries
comprises of Canada, France, Belgium, Italy, Japan, Netherlands, Sweden, Switzerland,
United Kingdom and USA. The main aims of the Basel Committee were that banks should
set aside capital to act as a buffer in the event of risk as well as developing methodologies
that would reflect a risk profile of an individual bank. The Basel Committee (2001) argued
that “capital charges for risks should include a range of approaches to accommodate the
variations in industry risk measurement and management practices.”

The Basel Committee (2001) defined operational risk as “the risk of indirect or direct loss
that results from insufficient or failed internal processes, people and systems or from external
events.” However in this definition the Basel Committee left out strategic and reputational

9|Page
risk for the purpose of a minimum regulatory operational risk capital charge. According to
Modiha (2011:19) the Basel Committee first initiated Basel Accord 1 in 1988, this accord
was mainly centred on credit risk and in 1996 the accord was amended to incorporate market
risk. The Basel 2 which now includes operational risk was published in 2006. “The Basel 2
Accord proposed three pillars to play critical role in the operational risk capital framework
(Patel & George, 2009). The two authors described the 3 pillars as follows:

Pillar 1: Minimum Capital Requirement

These mainly cover credit, market and operational risk, (Jorion, 2009:668).

Pillar 2: Supervisory review process

The Basel 2 Accord expanded the roles of the supervisors as compared to the previous
frameworks of the Accord. Jorion (2009) put forward that supervisor need to ensure the
following factors.

- Banks have in place processes for assessing their capital in relation to the risks.
- Banks are indeed operating above the minimum capital requirements.
- Corrective action is taken as soon as a problem arises.

Pillar 3: Market discipline requirements

The Basel 2 framework put emphasis on the need for banks to disclose risks in the financial
statements, (Jorion, 2009). The author went on to say that the information is useful to market
participants in analysing the risk profiles of banks and the capital adequacy levels. The
following formula was given to calculate capital adequacy of a bank.

Capital Adequacy formula

Source: Jorion (2009:pp669)

The formula indicates that the bank must hold at least 8% in capital to meet its capital
requirements.

10 | P a g e
Patel and George (2009) argued that pillar 1 requires bank to calculate operational risk capital
charges and in quantifying the capital charges these three approaches can be used: (a) Basic
Indicator Approach (b) Standardized Approach (c) Advanced Measurement Approach.

2.5.1 Basic Indicator Approach

Modiha (2011:23) says that “under this approach the bank holds the income for an average of
3 years, only where the income was positive.” According to the Basel Committee (2001) the
basic indicator approach allocates operational risk using a single indicator as its proxy for
bank’s overall risk. This approach also uses alpha (α) which will be a fixed percentage of
gross income.

2.5.2 Standardized Approach

According to Patel and George (2009) the standardized approach is an extension of the basic
indicator approach, whereby the bank is seen as an amalgamation of a hierarchy of business
units and business lines. The Basel Committee (2001) further asserts that the standardized
approach’s intention is to serve as a proxy for the amount of operational risk within each
business unit. In each business line the Beta (β) factor will be multiplied by a financial
indicator to determine capital charges. As stated by the Basel Committee (2001) the total
capital charge is the summation of all capital charges across the business units.

2.5.3 Advanced Measurement Approach

Modiha (2011:23) said that “under this approach banks calculate the capital requirement for
operational risk using own internal models. Authors describe this approach as the most
complex approach when compared to the above mentioned approaches.

The above mentioned approaches have a qualification criterion which can be used by banks
to determine which criteria to use. The criterion is explained below:

2.5.4 The qualification Criteria for the Approaches

The Basel Committee (2001) suggest that the Basic Indicator Approach can be applied to any
bank since it is the easiest of the three methods for measuring operational risk. However, if a
bank is using this approach it should comply with the “Operational Risk Sound Practises”,
which were explained in their 2011 paper.

In order for the Bank to use The Standardised Approach the Basel Committee (2001) assets
that over and above meeting the “Operational Risk Sound Practices”, the bank will be
required to:

11 | P a g e
  Have an independent audit function and risk control department.
 Use of effective systems for risk reporting.
 The Board of directors and the top management should be actively involved in the
risk management process.
 There should appropriate documentation of the risk management systems.

Lastly the under the Advanced Measurement Approach, the Basel Committee (2001) suggests
that risk types, business lines and exposure indicators should be standardized by supervisors
and the banks are in a position to use internal loss data. The Committee further states that
“accuracy of loss data, and confidence in the results of calculations using that data, have to be
established through use tests.”

2.6 Principles for the sound management of operational risk

In May 2011, the Basel Committee published an article titled “Principle for theSound
Managementof Operational Risk and the Role of Supervision.” In the article the Committee
come up with a set of eleven for sound Management of Operational risk. The Basel
Committee (2011) subdivided these principles into the categories and these categories are (1)
governance, (2) Risk Management and (3) the role of disclosure. The State Bank of Pakistan
(2014) has also made an effort to explain the eleven principles and these are listed below:

 Principle 1: The board of Directors have the ultimate responsibility and are
accountable for ensuring that there is a strong risk management culture within the
organisation. The board can also delegate the responsibility to top management but
should be there to give guidance.
 Principle 2: The banks are required to develop implement and maintain a Framework
for Operational Risk Management that will be fully integrated into the bank’s overall
process for risk management. The bank will choose a Framework that will be
consistent with its nature, size, risk profile and complexity. The Basel Committee
(2011) highlighted that the Framework should be documented and approved by the
directors. Furthermore, the Committee stated that the Framework document should
include the following issues:
o Operational risk and operational loss should be defined.
o Identification of the governance structures that will be used to manage
operational risk, reporting lines and accountabilities.

12 | P a g e
 o The tools for risk assessment should be stated and how they will be used.
o State how the bank institute and monitors limits for the inherent and residual
risk exposure.
o Setup the Management Information System (MIS) and the risk reporting
mechanism for the Bank.
o Provide a common classification of operational risk terms to make sure that
there is consistency in terms of identification of risk, exposure rating and risk
management goals.
o Setup a process which can be utilised for independent review and assessment
of operational risk.
o State the procedure for reviewing the Framework whenever there are some
changes in the operational risk profile of the bank.
 Principle 3: The Basel Committee (2011; 8) states that, the board of directors are to
establish, endorse and regularly review the Framework. Over and above that the top
management will also be monitored by the board to make sure that the policies,
procedures and the systems are being implemented effectively at all decision levels.
 Principle 4: It is the duty of the board of directors to approve and re-assess the risk
appetite of the bank. The board also approves the tolerance statement for operational
risk in line with the nature, size as well as the complexity of business being conducted
by the bank.
 Principle 5: The top management has a duty to come up with a transparent
governance structure with well stated and consistent lines of responsibilities. Once the
structure has been approved by the board of directors the senior management will then
implement it ensuring that the policies and procedures and the systems for managing
operational risk encompasses all activities and processes in linewith the risk appetite
and tolerance of the bank.
 Principle 6: The top management is expected to make sure that the identification and
assessment of operational risk that is inherent in all the business activities, processes
and systems is well understood.
 Principle 7: The top management of the bank should make sure that, there exists a
process for approving new products, new activities, processes as well as new systems
that can adequately assess operational risk.

13 | P a g e
  Principle 8: The top management of the bank should implement a procedure for
monitoring operational risk profiles and material exposures to losses regularly.
Furthermore there should be an appropriate reporting mechanism throughout the
organisation’s management levels and the business lines that will be able to support
the proactive management of operational risk.
 Principle 9: The bank’s control environment should be strong and should be able to
utilize the policies, procedures and systems. This means that there should be
appropriate internal controls as well as appropriate risk mitigation strategies.
 Principle 10: The Basel Committee (2011; 17) states that the “banks should have
business resiliency and continuity plans that should be put in place to ensure an ability
of the bank to operate on an on-going basis and limit of losses if there is an event
which would lead to severe business disturbance.
 Principle 11: The bank is expected to disclose its approaches of operational risk
management to all its stakeholders. This is critical and according to State Bank of
Pakistan it leads to transparency and market discipline.

2.7 RESERVE BANK OF ZIMBABWE FRAMEWORK ON OPERATIONAL RISK

MANAGEMENT: BSD GUIDELINE

The Reserve Bank of Zimbabwe as the regulator of all the financial institutions in Zimbabwe
come up with a Framework in 2006, which can be used by all banks as a guideline to
Operational Risk Management. This guideline also known as the BSD guideline is strongly
linked to the Basel II Accord on Operational Risk which was drafted in 2001 and 2011.

2.7.1 RBZ Operational Risk Framework

According to the RBZ Framework (2006) banks are expected to come up with a sound and
effective system for Operational Risk Management. Furthermore, the banks are to regard
Operational Risk as a separate risk which can be managed separately from all other risks.
Each bank is supposed to establish a framework for Operational Risk Management that will
be commensurate with the size and complexity of the operations of the bank.
2.7.1.1 The Components of the Framework

The RBZ Framework (2006) stipulates that the Operational Risk Management Framework for
each bank should constitute the following components:

i. Board and Senior Management oversight.

14 | P a g e
 ii. Operational Risk Management Strategy, policies and procedures.
iii. Adequate Management Information Systems (MIS).
iv. Sound internal controls and reviews.

2.7.1.2The Policies and Procedures

The RBZ Guideline (2006) clearly highlights the following policies and Procedures for
ORM:

a) A bank must come with documented policies and procedures for Operational Risk
Management. The policies which the bank would have established will contain the
strategies, the objectives as well as the key components of the Framework for
management of Operational Risk. This will also include the process for Operational Risk
Management.
b) The Board of Directors is responsible for the strategies for ORM, as well as making sure
that the strategies have been aligned with the overall organisation’s objectives.
Furthermore, it is the responsibility of the Board to set the risk appetite of the bank.
c) There is need for the bank to ensure that the policies and procedures for ORM have been
communicated to all the employees of the bank.
d) The policies and procedure of the bank should highlight all the aspects of the bank’s
ORM Framework, including:
i. The organisational structure of the bank which then defines the roles for ORM, the
responsibilities as well as the lines of reporting for those who perform operational
risk linked functions.
ii. A definition for operational risk including the types of loss event that the bank
would need to monitor.
iii. How internal and external operational risk loss data will be recorded and used,
including scenario analysis.
iv. A Framework for risk reporting and the information types that will be included in
the risk management reports.
v. The establishment and integration of business environment and internal control
factor assessments into the ORM Framework.
vi. The internal Framework of the institution that will be used to quantify the risk
exposure of the bank.

15 | P a g e
 vii. The qualitative factors as well as the risk mitigants and how they are integrated
into the ORM Framework.
viii. The factors that have an influence on the measurement of Operational Risk.
ix. The provisions for the review and the approval of significant policy and
procedural exceptions.
e) The bank’s ORM policy should be backed by a set of principles that are applicable to
specific elements of Operational Risk for example, new product approval, new customer
approval, new IT systems approval, business continuity plans, crisis management as well
as anti-money laundering.

2.7.2 OPERATIONAL RISK MANAGEMENT PROCESS

The RBZ Guideline (2006) highlights that the process for ORM has the following stages
which are illustrated in figure

Figure 2.3 Source; RBZ (2006), Risk Management

2.7.2.1 Risk Identification and Assessment

Risk Identification is essential in coming up with a vigorous operational risk monitoring and
control system. KPMG (2012) described risk identification as “the detection of any event
which potentially triggers a material business impact, or which represents an adjustment of
the risk profile.” For risk identification to be successful the bank should take into account
both the internal factors and the external factors which could unfavourably affect the business
in a negative way. Furthermore KPMG (2012) suggests that the bank will have to identify the
root causes of operational risk.

16 | P a g e
According to the State Bank of Pakistan (2014) Business units play a pivotal role in risk
identification as they have more information pertaining to the risks they are exposed to as
well as the processes in their business lines. The State Bank of Pakistan (2014) also stated
that the aim of the risk identification process is to ensure that all the information that is
necessary for Operational Risk Management Framework is available. However the process of
identifying operational risk is a complex process which involves requires large volumes of
data to be gathered. Nevertheless there are a number of tools which can be used for
identifying and assessing operational risk.

According the RBZ Guideline (2006), the management of the bank should establish a process
that will be used to identify the nature and the types of operational risks that the bank is
exposed to. The management should also determine the causes and as well as the effects on
the banking institutions. Effective operational risk identification and assessment processes are
vital for a bank to understand its risk profile and effectively focus risk management
resources. Furthermore, the RBZ Guideline (2006) stipulates that in identification of
operational risk the bank should take note of internal factors (such as quality of personal, the
organisational structure and the labour turnover) and the external factors such as
technological advancement that could have a negative impact on the accomplishment of the
banking institution’s objectives.

According to the RBZ Guideline (2006) each and every bank should use systems that provide
meaningful information for the assessment of a financial institution’s exposure to operational
risk and then come up with policies for risk mitigation. The RBZ expects banks to make use
of the at least one on the processes explained below, among other in the identification and
assessment of operational risk:

2.7.2.1.1 Tools for Operational Risk identification and Assessment

i. Self-Risk Assessment

Each and every business unit in the bank is expected to assess its activities against a set of
potential operational risk vulnerabilities. Self-Risk Assessment process include; the
incorporation of checklists together with workshops to come up with the strengths and
weakness of the operational risk environment.

ii. Risk Mapping

17 | P a g e
The RBZ Guideline (2006) requires the banks to establish a structure to map business units,
the organisational functions or process flows by the type of risk so that the right corrective
actions are implemented.

iii. Key Risk Indicators

These are often early warning signs that the bank should take note of. These key risk
indicators are usually statistics in most cases financial that encompass the following; failed
trades, the employee turnover rate of the bank and the rate of recurrence and or severity of
errors and omissions. These key risk indicators they give an insight on the risk position of the
bank and there is need for the bank to review the indicators so that the management will be
aware of the changes that may expose the bank to operational risks.

iv. Scorecards

The RBZ Guideline (2006) expects each and every bank to have systems for;

a) Translation of qualitative assessments into quantitative metric that will give a relative
grading of different types of operational risk exposure.
b) Allocation of economic capital to business lines in relation to performance.
c) Dealing with factor inherent risks and the controls to mitigate them.
v. Thresholds/Limits

The ORM Framework for the bank must clearly state the limits to be adhered to. The
management will then make use of these limit levels as they will guide them on areas of
potential problems when the limits are exceeded.

2.7.2.2 Operational Risk Measurement

Jorion (2009:592) suggest that once operational risk has been identified it has to be
quantified. According the RBZ Guideline (2006), a bank should implement all-inclusive
ORM Framework that enables the bank to estimate its operational risk exposure. In addition
the assumptions underpinning the ORM Framework should be well documented including the
choice of inputs, distributional assumptions and the weighting of qualitative and quantitative
elements. If there are changes to assumptions justification should be provided by
management. The tools for operational risk quantification include the following:

 Internal loss event data.

18 | P a g e
  External operational loss event data.
 Business environment.
 Internal control factor assessments.
 Scenario Analysis.

However a bank should select an analytical framework that is suitable for its business model.
On the other hand Jorion (2009) postulated that there are two approaches for operational risk
measurement and these are explained below:

2.7.2.2.1 Approaches for Operational Risk Measurement

 Top-down Approach: According to Milan Rippel and PetrTeplý* (2011; 26) this
approach “measures operational risk without attempting to identify the events or
causes of losses.”

 Bottom-up Approach: According to Jorion (2009), bottom-up models quantifies

operational risk at a micro level. In other words they begin at an individual business
unit level or process level. Furthermore, the results will then be combined to establish
the risk profile of the organisation. The major advantage of these models is that they
enable the banks to have better knowledge of the causes of operational risk.

2.7.2.3 Risk Monitoring and Reporting

The RBZ Guideline (2006) states that, “the results from the measurement system should be
summarized in reports that can be used by bank-wide operational risk and functional lines to
understand, manage and control operational risks and losses.” The reports are useful in
assessment of operational risk. In addition the regularity of monitoring by the bank should
reflect the risks involved and the occurrence as well as the nature of changes in the operating
environment. Moreso, the Guideline stipulates that, “the internal control systems should be
integrated into the bank’s operations as a monitoring tool. Furthermore, the results from these
monitoring activities have to be included in the management and Board reports as well as
compliance reviews conducted by the internal audit function or the risk management
department of the bank.

2.7.2.3.1 Benefits of having a good system for Operational Risk reporting

KPMG (2012) described the benefits of a sound reporting system for operational risk by
using the internal view and the external view.

19 | P a g e
  Internal View: The benefits under this view include; improvement in risk awareness,
the bank can make more informed decisions and finally procedures for action can be
clearly defined.
 External View: According to KPMG (2012), the benefits include improved
reputation against competitors, it minimizes reputational risk and finally there is more
transparency especially to external stakeholders such as shareholders and auditors

2.7.2.4 Risk Control and Mitigation

A bank should have a system in place for making sure that all the staff members are
complying with a documented set of internal control policies concerning a bank’s ORM
system, (RBZ Guideline, 2006). In addition the bank’s infrastructure for operational risk
control should keep pace with the changes in business operations for example introduction of
new products.

Inorder to effectively control operational risk a bank should establish a sound internal control
system. These systems help to protect the organisational resources as well as compliance with
the laws and regulations. Sound internal control systems are critical in reducing operational
risks causes by human errors, irregularities of internal processes and systems, (RBZ
Guideline, (2006).

The RBZ Guiline (2006) stipulates that a sound internal control system ensures the following:

i. Appropriate segregation of duties.

ii. Close monitoring and adherence to assigned risk limits/thresholds.
iii. Maintaining safeguards for access to and use of bank assets and records.
iv. Staff training.
v. Identification of business lines or products where returns happen to be out of line with
expectations.
vi. Regular reconciliations and verification of transactions and accounts.

The bank should make use of the above operational risk mitigation tools to minimise the
exposures and frequency of occurrence of operational risks in the bank. In addition, the RBZ
guideline (2006) indicates that banks establish appropriate policies and procedures to mitigate
their exposures against the following operational risk drivers:

20 | P a g e
 i. New products and activities.
ii. Change of IT systems, facilities and equipment.
iii. E-banking services.
iv. Outsourcing arrangements.
v. Money laundering.
vi. Suitability of customers.
vii. External documentation for example contracts and transaction statements.

However, other organisations such as Oesterreichische Nationalbank (OeNB) and Financial

Market Authority (FMA) (2006), suggested that operational risk can be treated using the
following strategies (a) risk avoidance (b) risk mitigation (c) risk sharing and transfer (d) risk
acceptance.

2.7.2.4.1 Risk avoidance

OeNB and FMA (2006) suggested that, in a cost-benefit analysis, banks should go for this
strategy especially where the expected margin of activities is less than the cost of risk
considering all the risks. Moreso, those activities should never be launched at all. The same
authors suggests that, factors such as time horizon, reputational risk and the strategic
objectives have to be considered before a decision is made.

2.7.2.5 Contingency and Business Continuity Plans

Every bank is required by RBZ to put in place well documented business contingency plans
to make sure that the bank’s operational will not be significantly disrupted in the event of an
operational risk event occurring, (RBZ Guidelines, 2006). In addition the RBZ expects the
business contingency plans of the banks to include various types of scenarios in which the
financial institution may be exposed to. The responsibility of management is to identify those
business processes that are critical especially those can hinder business resumption if they are
affected by any operational risk event. The RBZ Guideline (2006) stipulates that in the case
of critical business processes, the bank needs to;

i. Identify the methods for resuming service in the case of an outrage.

ii. Pay particular attention to the ability of the bank to restore electronic or physical
records that are necessary for business resumption.

21 | P a g e
 iii. Making sure that back-up files are kept at a disaster recovery site which will be an
off-site facility.

Lastly the RBZ Guideline (2006) states that the business continuity plans should be reviewed
regularly so that they are in line with the bank’s current operations and business strategies.

CHAPTER SUMMARY
This chapter covered concepts on Operational Risk Management (ORM) in the banking
sector. The concept of ORM is still in its development stage where scholars are still trying to
find ways on how to come up with a precise definition of operational risk. In the chapter the
researcher described how Operational Risk is linked to other types of financial risks as well
as how to mitigate operational risk. Some of the major highlights of the chapter include the
ORM Framework and the Principles for sound ORM. Lastly the researcher used the Basel
Accord and the RBZ Framework as his main guidelines.

22 | P a g e
 CHAPTER 3
RESEARCH METHODOLOGY
Jonker and Pennick (2010), described methodology as the way in which a researcher chooses
to handle a particular question (which may subsequently result in a problem definition).
Furthermore, the two authors suggest that the research methodology describes how the
researcher will deal with organisations or people as well as the approach that will be used by
the researcher.The first section provides the research design which was used by the
researcher. The subsequent sections encompasses of the research strategy, the research
approach, population and sampling then finally sources of data as well as research
instruments.

3.1 RESEARCH DESIGN

Smith and Albaum (2012) defined research design as a framework for conducting a study and
gathering of data. In simple terms it involves the procedures that will be used by the
researcher to get the needed information. The techniques which will be used to acquire
information which is essential for structuring and solving the research problem are also
detailed in the research design. According to Greener (2008) research design is affected the
by research topic, the audience, information to be accessed and the available resources. In
addition there are research design consideration which includes; ethical issues, practical
issues, sampling and analysis of results issues. Other issues that the researcher had to
consider included the objective and economic procedures. For the purpose of this study the
researcher’s research design will be based on both exploratory research and descriptive
research in an integrated approach.

In this case the data to be collected by the researcher will mainly be based on operational risk
in the banking sector paying special attention to Ecobank. In this research the design
decisions will answer the following questions:

a) What the research is all about?

b) What is the purpose of the study?
c) Where would the researcher conduct his research?
d) What type of data is being required?
e) How is the data going to be collected?
23 | P a g e
 f) What will be the size the sampling frame?
g) How the data will be analysed and presented?

3.1.2 Exploratory Research

The goal of these researches is to discover the problems, the identification of relevant
variables as well as the coming up with solutions to the problem, (Smith &Albaum, 2010).
The researcher chose exploratory research design because it enables the researcher to identify
the problem. Exploratory studies assist the researcher to forecast challenges and variables that
might arise in the project. Exploratory study keeps the project manageable and this can save a
lot of time. According to Smith and Albaum (2012) exploratory research encompasses the
following techniques;

 Literature search– this involves searching on what others have written about the
subject matter.
 Expert Interviews with knowledgeable people – these can be in the form of one on
one interviews or focus group discussions.
 Case studies – these gives an in-depth understanding of a particular situation.

3.1.3 Descriptive Research

Basically descriptive studies, “provides the information on groups and phenomena that
already exists with no new groups being created,” (Smith &Albaum, 2010). In the context of
this research they can provide basis for the solutions to the research problem. In other words
the reason for combining descriptive research and exploratory research was to have better
understanding of the research problem.

3.2 RESEARCH APPROACH

In conducting this research the researcher used a mixed research approach. Cresswell and
Plano Clark (2011) defined a mixed research approach as, “a procedure for collecting,
analysing and mixing both quantitative and qualitative methods in a single study or a series of
studies to understand a research problem. Therefore a mixed approach is constituted of both
quantitative and qualitative methods for gathering data. Adams (2007) assets that qualitative
research make use of data collection and analysis methods which are non-quantitative in
nature and is more of exploratory and it describes reality as experienced by the respondents.
Furthermore, Adams (2007) defined quantitative research as “the type of research that is

24 | P a g e
based on the methodological principles of positivism and adheres to the standards of a strict
research design developed prior to the actual research.” Quantitative research involves the
use statistics and is a quantitative measurement.

3.2.1 Justification of a mixed research approach

Cresswell (2012:535) suggest that a researcher can opt for a mixed research approach for the
following reasons:

I. The mixed approach is useful in capturing the better of the two approaches
(qualitative and quantitative). As a result the researcher will be able to take advantage
of the strengths of both qualitative and quantitative research approaches.
II. Furthermore, the mixed approach allows the researcher to collect data using both the
open ended qualitative data and the closed ended quantitative data. In this case this
can improve the quality and the depth of the findings.
III. A mixed approach is also useful when either qualitative or quantitative researches are
not enough to address the problem on an individual basis. For example, more
information may be required to give a clear picture of the phenomenon or to support
the first database.
IV. A mixed approach can be useful in identifying the best research instruments for data
collection in line with the research problem.
V. Lastly a mixed research approach enables the researcher understand different
perspectives of the study.

The mixed approach combines both qualitative research and qualitative research as illustrated
by Figure 3.1 below:

Figure 3.1 The Mixed Research Approach

Source: Own Development

25 | P a g e
However the procedures for a mixed research are time consuming as they require extensive
data collection as well as analysis, (Cresswell, 2012). Furthermore there is need to merge or
to link both qualitative and quantitative data
3.3 RESEARCH STRATEGY

In terms of the research strategy the researcher used a mixed or an integrated research method
which was constituted of the survey method and the case study method. According to Yin
(2009) the major advantage of an integrated strategy is that it has the ability to address more
complex research question and also an integrated approach can allow the researcher to have
rich data as compared to a situation where one method is used. It is also to combine these
methods since they are not mutually exclusive.

Figure 3.2An Integrated Research Strategy

Source: Own Development

3.3.1 Case Study

They are mostly used to for analysing organisations. In this study, the case study will be
useful in gathering data from Ecobank Zimbabwe Limited. Case studies can also allow the
researcher to use mixed data collection. According to Adams (2007) the key advantage for
case studies “is the scope for gathering a rich source of data that allows for particularisation,
which is getting to know the uniqueness of the individual case and its context.

Yin (2014) defined a case study as “an empirical inquiry that investigates a contemporary
phenomenon (the case) in depth and within its real life context, especially when the
boundaries between the phenomenon and context are not clearly evident,” On the other hand
Cresswell (2012:465) defined a case study as “an in-depth exploration of an enclosed system

26 | P a g e
for example, an activity, individual, event or process based on extensive collection of data.”
In addition a case study answers questions “why” and “how”, (Yin, 2009).

3.3.1.1 Justification of the Case Study

A case study is often chosen by researchers as a way of having a getting illustration of an in-
depth picture of the corporate brand in each case in a manner that generalizations and
statistics typically cannot, (Yin, 2009) in (Anisimova& Thomson, 2012). As a result this
enabled the researcher to have an in-depth understanding on the analysis of operational risk in
Ecobank Zimbabwe.The other reason why the researcher chose the case study is that, a case
study is flexible and can be best suited to a case (Ecobank) as well as the research questions,
(Hyett, Kenny & Dickson-Swift, 2014).

3.3.1.2 Criticism of the Case Study

 Anisimova and Thomson (2012) argued that case study research is open to criticism
in the sense that, they are usually not applicable in other studies as cases differ from
organisation to organisation.
 Yin (2009) criticized case studies on the following grounds; (a) they lack rigor and are
considered to be a sloppy research method, (b) they lack the basis for scientific
generalisation, (c) they involve a lot of documentation, (d) they lack the ability to
address the problem.

Despite the above stated limitation other authors have emphasized that, a case study can be a
starting point for developing theory, or a starting point for a future more detailed research
which will then be generalized. To deal with limitations of the case study, the researcher used
a survey in a case study research. Table 3.1 shows various types of case studies;

Table 3.1 Types of Case Studies

Source; Cresswell (2012)

27 | P a g e
3.3.2 Survey

The researcher used the survey as the second research strategy and according to Nandan and
Mathiyazhagan (2010), the word survey is derived from Anglo-French word “surveer” which
means to look over and survey was defined as, “a technique of descriptive research that is
used to collect primary data basing on spoken or written communication with a representative
sample of respondents from the target population.” Driscoll (2011) suggests that surveys are
useful if the researcher has an intention to gather information pertaining to trends, opinions,
experiences and behaviours and they allow the researcher to generalise findings.

3.3.2.1 Justification of a Survey

Mathers, Fox and Hunn (2009) stated the following merits and demerits of using surveys as a
research method;

 They have internal and external validity.

 Are efficient in the sense that they are cost effective.
 Cover a large geographical area
 Surveys are flexible.

3.3.2.2 Limitation of Surveys

 The findings are dependent upon the sampling frame and accuracy can be
compromised.
 They are good at explaining why people think or act as they do.

3.4 POPULATION AND SAMPLE

This section outlines all the elements which will be used in conducting the research. In this
research a representative sample that will yield reliable information will be used.

3.4.1 POPULATION

Modiha (2011;50) quoted Blumberg, Cooper and Schindler that there are basically five
different unit of analysis that are often used in research design and these include,
organisations, individuals, divisions, departments and groups. Since this research is mainly
centred on operational risk in the banking sector and in particular Ecobank, the target

28 | P a g e
population is constituted of all the employees in Ecobank Zimbabwe. From that target
population a sample was drawn to participate in the research.

3.4.2 SAMPLING

For the purpose of this research the researcher did not use a census rather convenience
sampling technique was used in selecting the respondents. Smith and Albaum (2012)
described convenience sampling as a technique that covers a range of ad hoc processes for
choosing the respondents. It involves working with respondents who are accessible,
cooperative and easily measured. This is a form of non-probability sampling. In addition
Bradford University School of Management described convenience sampling as sampling
those who are immediately available. This sampling technique reduces time wasted in
revisiting the respondents in the event that the researcher is not able to see all respondents on
a single visit. However the sampling technique is suffers from the criticism that it can be very
biased.

3.4.2.1 Sample size

The sample size is the number of items to be chosen from the population and it has to be
representative. In this case, the researcher selected the sample based on the entire department
in Ecobank using convenience sampling. The sample size that was targeted by the researcher
was least 30 respondents. In coming up with the sample size the research applied the
following criterion that was suggested by Israel (2009);

 The level of precision.

 The confidence level.
 The degree of variability.

3.5 SOURCES OF DATA

Basically there are two sources of data and these are primary data and secondary data
sources.

3.5.1 Primary Data

Primary data is referred to as, “first hand data rather than found in a book, database or
journal,” (Driscoll, 2011). This means that, it is data that is being collected for the first time
and no one has conducted that research. Primary data can be gathered through the use of

29 | P a g e
qualitative research or quantitative research. In this study, primary data was gathered through
the use of questionnaires and interviews.

3.5.2 Secondary Data

Secondary data is that data which has already been gathered and recorded by other
researchers and is readily available, (Ut Tran Thi, 2013). This data can be obtained from
various sources such as books, journal articles, the internet and other sources of information.

3.5.2.1 Reasons for gathering secondary data

It is advisable to gather secondary data before one can actually gather primary data. In some
instances secondary data may be sufficient to solve the research problem and hence no need
to conduct primary research. However for the purposes of this research the researcher
conducted both primary and secondary research. According to Smith and Albaum (2012)
secondary research is often conducted for the reasons explained below;

 The researcher made use of research data to define the research problem as well as
refining the research objectives and research questions.
 In addition secondary data was useful in laying the foundation for conducting the field
research.
 Lastly the researcher used secondary research to come up with population and coming
up with the most appropriate sampling techniques for the research.
 According to Ut Tran Thi, (2013) secondary is essential in fact findings and model
building.

3.5.2.2 Merits and demerits of secondary data

The advantage of secondary research is that information is less costly to acquire. For
example, the researcher made use of the already available information and this saves a lot of
time. Information was accessed freely online using the University resources.

However, Smith and Albaum (2012) went on to argue that, secondary data has some pitfalls,
one has to be very careful as secondary information available may have been collected for
other purposes different from the researcher’s problems.

3.6 RESEARCH INSTRUMENTS

30 | P a g e
For the purposes of this study the researcher used two research instruments and these are
questionnaires and focus group discussions. The survey questionnaires were specifically used
to collect quantitative data, while focus group discussed were used to gather qualitative data.
The use of these two instruments enabled the researcher to capture both qualitative data and
quantitative data.

3.6.1 QUESTIONNAIRES

Harris and Brown (2010) highlighted that in questionnaires, “participants respond to prompts
by choosing from predetermined answers for example licket.” This instrument involves the
collection of quantitative data and it is more objective. However the data gathered through
the use of questionnaires can be affected by factors such as coding errors and statistical
analysis. In drafting the questionnaire the researcher used of both open ended questions and
closed ended questions. Mathers, Fox and Hunn (2009) defined closed questions as those
questions with answers which will be defined in advance and the respondents only have to
choose the most appropriate answer from the provided list of answers. Closed questions have
an advantage that they have a faster response rate. Using questionnaire the respondents
answered the questions on their own without interference of the researcher.

3.6.1.1 Justification for using questionnaires

I. The cost is relatively low especially were questionnaires are sent by email. The use of
emails always enables larger geographical areas to be covered.
II. The questionnaires are generally free from bias as the respondents answer questions
on their own.
III. There is also enough time for the respondents to give out well thought answers.
IV. The respondents who are not easy to approach can be reached conveniently using
emailed questionnaires.
V. Through the use of questionnaires a large sample size can be made use and hence
more reliable and accurate information can be gathered.

3.6.1.2 Limitations for using questionnaires

I. Low response rate if they are to be administered through post.

II. Questionnaires are mainly useful when the respondents are educated and cooperative.

31 | P a g e
III. Control of questionnaires can be lost once they are sent especially when using emails.
At times they can be viewed as junk emails and this can further lower the response
rate.
IV. Questionnaires take time and may not be suitable when time is limited.
V. The possibility of ambiguous replies is also high and at times the respondent may
omit questions when answering.

3.6.1.3 How the questionnaires were designed

In designing the questionnaires for this study the researcher followed the ideas that were
suggested by Abawi (2013) that, a good questionnaire designing should follow the steps
which are discussed below:

 Defining the research objectives – the researcher ensured that the research objectives
were clearly stated.
 State the target method and how they will be reached – the researcher also laid out the
target method that he was going to use in conducting the research.
 Questionnaire structuring – the researcher structure the first draft of the questionnaire
for pilot study.
 Pilot study – the pilot study was conducted to test the validity of the instrument and
the results were positive.
 Distributions of questionnaire – finally the adjusted questionnaires were distributed to
all the respondents for final data collection.

3.6.1.4 How the questionnaires where administered

In terms of the administration of questionnaires most of the questionnaires were delivered by

the research to the actual respondents on hand. This means that the researcher had to move
around with questionnaires to the selected respondents. By so doing the researcher was able
to control the questionnaires.

3.6.2 INTERVIEWS

The interviews were selected as the second research instrument basing of the following
advantages which they offer to the researcher as stated by Nandan and Mathiyazhagan
(2010):

32 | P a g e
  They provide room for more detailed information to be collected.
 Response rate is generally higher.
 Instant responses can be obtained from the interviewee.
 In an interview set up it is easier to correct misinterpretations by the interviewee.
 Interviews are flexible in such a way that questions can be restructured if need be.

3.6.2.1 Limitations of Interviews

However, though the interviews have the above advantages the researcher faced the
following challenges in conducting the interviews:

 It was not easy to organize interviews especially with the senior managers as they
were busy most of the times.
 The other aspect is that the interviews were time consuming.
 The fact that the researcher is the one who conducted the interviews with the
interviewees; this may introduce bias as the interviewees may end up giving
imaginary information in order impress the researcher.

3.7 ETHICAL CONSIDERATIONS IN RESEARCH

During the data collection process the researcher ensured that he had to be as ethical as
possible. Some of the ethical issues which were considered include issues to do with respect
for dignity and diversity, confidentiality and avoidance of harm, Peersman (2014). According
to Driscoll (2011) universities commonly follows the Institutional Review Boards (IRBs) as
guidelines that oversee research and the author raised the following ethical issues:

 Voluntary participation of respondents – respondents should be notified in

advance.
 Confidentiality – the identity of the respondents must be kept anonymous.
 Researcher bias – the research findings should not be biased.

Over and above the stated ethical issues Grenner (2008) suggest that the criteria used in
research considers ethical issues on respect of participants, no harm to respondents such as
embarrassment and avoidance of deceptive information.

In ensuring that the researcher was ethical enough confidentiality was maintained and on the
questionnaire it was clearly stipulated that the research was mainly for academic purposes
and the respondents were given the freedom to answer the questions which they were

33 | P a g e
comfortable in answering. Furthermore the researcher had to ask for official approval from
Ecobank to collect data and how that data will be used. The researcher followed the following
stages:

 During the preparatory stage Ecobank Zimbabwe Head Office in Borrowdale was
consulted.
 During the data gathering phase, the researcher ensured that the respondents remained
unknown. The questionnaires were also structure in such a way that there were no
sections requiring respondents to fill in private details.
 In the interviews all the interactions were based on first agreeing with the
interviewees and mutual trust to each other.
 In analysing the data confidentiality of respondents was maintained.

3.8.1 Strategies for addressing the ethical issues

Greener (2008) gave an outline of the following three strategies which were used by the
research to deal with ethical issues;

 Stakeholder Analysis – In this case the researcher identified Ecobank employees and
management team as well as shareholders and customers as the stakeholders. Having
identified the stakeholders the researcher went on to design a risk analysis for each
identified stakeholder group as well as the impact which was low or high.
 Informed Consent – this stage involves notifying the respondents why one is
conducting the research and the role they will play in the research. The respondents
also have the right to know what will happen to the collected data. In response to this,
the researcher had to ensure that the Human Resources department at Ecobank was
notified about the research. In situation were respondents decide to withdraw with
their consent, the researcher is advised not to proceed in carrying out the research.
 Objectivity – The researcher ensured that the techniques that were used to collect
data were able to capture all the relevant details without missing out some important
points. Therefore to achieve this, the researcher used a voice recorder in the interview
so that all the information will be captured.

3.8 VALIDITY TEST

In order to test validity of the instruments for data gathering the researcher conducted a pilot
study in which a total of 6 questionnaires were distributed to test them. In the process of

34 | P a g e
conducted this pilot study the researcher was advised by the respondents to add the critical
elements of the RBZ guideline which the researcher had missed out. Therefore the
questionnaire was restructured in order to improve its validity as well as ensuring that all the
questions were clear to understand.

3.9RESEARCH LIMITATIONS

This research was subject to a number of limitations. Firstly, this study was based on a case
study of a single organisation and therefore it lacks generalisation. This is mainly because a
case study is case specific and what might be the case in one organisation might not be the
case in other organisation. Therefore, more justice could have been done had the study
included other organisations also. Nevertheless, the research can be used as a benchmark for
future researches. The second limitation is that not all questionnaires were completed and
therefore this reduced the pool of data that could have been collected. It would have been
great had all the questionnaires completed. The other limitation is that the research use
convenience sampling and this sampling technique is open to criticism in the sense that the
researcher has to use the respondents who would be immediately accessible at the time of
data gathering. As a result of this the researcher may miss out collecting information on the
other target respondents who might be knowledgeable about the area of study. In addition, the
researcher would have covered more ground had the topic been linked to the performance of
the organisation and trends could have been made to analyse the impact of operational risk
management on bank performance. Nevertheless, this research can be useful as a starting
point for future researches.

CHAPTER SUMMARY

The researcher faced many competing designs that can provide data. The researcher had to
make a choice which was based on expected value of information and associated costs.
Basing on the available resources, time and other constraints such as costs the researcher
conducted a single case study on Ecobank Zimbabwe. The researcher research design was a
mixed approach which comprised of exploratory research and descriptive research. In terms
of research strategy the researcher also used an integrated strategy the reason behind was to
improve the quality of data to be gathered. The mixed approach of qualitative and
quantitative approach was used to gather data through the use of questionnaires and focus
group discussions. Mostly importantly the researcher had to consider the ethical issues in
research which governs how a research should be conducted.
35 | P a g e
 CHAPTER 4
DATA PRESENATION, ANALYSIS AND INTERPRETATION
The previous chapter described the methodology which was used by the researcher in
conducting his research. This chapter is an outline of the research findings which were
presented in the form of mainly tables then graphs as well as some explanations. The findings
are based on the data which was gathered using two research instruments which are (a) the
interview (b) questionnaires.

4.1 The Sample Size and Response Rate

Thirty five (35) questionnaires were prepared and circulated by the researcher. A total of 31
(88.57%) questionnaires were received. However of the 31 questionnaire one (2.86) had
missing details and as a result the researcher had to discard that questionnaire. This brought
the figure to 30 questionnaires which were used in the analysis. Therefore the response rate
was 85.71% and this response rate was satisfactory considering that the minimum sampling
frame of 30 had been met by the researcher. Table 4.1 illustrates the response rate:

Table 4.1 Response Rate

Questionnaires Distributed Frequency Percentage

Questionnaires Distributed 35 100%
Total Responses 31 88.57%
Missing Fields 1 2.86%
Unable to Respond 4 11.43%
Valid Questionnaires 30 85.71%
Source:Primary Data

4.2 Reliability Test

The questionnaire was tested for internal consistency to ensure that it was reliable. The
researcher used SPSS Cronbach’s alpha to test the reliability of the instrument. Eighty one
(81) variables drawn from the questionnaire were used to calculate the value of alpha. The
obtained alpha was 0.864 and this indicated that scale which was used by the researcher had
high internal reliability. The questionnaire was reliable as no single item significantly
affected the alpha value if that item was to be deleted. The alpha values if each item were

36 | P a g e
deleted was within 0.854 – 0.870. This is illustrated in the appendix section. Table 4.2 below
indicated the Cronbach alpha obtained:

Table 4.2 Reliability Statistics

Cronbach's Alpha N of Items

.864 81

Source:Primary Data

4.3 Factor Analysis

Cronbach alpha is mainly used to analyse coefficient of reliability that is consistency only.
However it is of paramount importance to test the dimensionality of the scale which was
used. Therefore, factor analysis was conducted to test the dimensionality of the scale. The
researcher conducted factor analysis test using SPSS and Figure 4.1 shows the scree plot that
was obtained from the data gathered. A scree plot shows the Eigen values against all the
factors and in this case the researcher used 39 components. The graph depicts how many
factors to retain and of much interest is the point where the curve begins to flatten. Therefore,
the curve begins to flatten between Factor 8 and 10. Factor 10 has an Eigen value which is
below 1. Therefore only 9 Factors can be retained.

Figure 4.1 Scree Plot, Source Raw Data

37 | P a g e
The second test which was conducted in the factor analysis was on the Total Variance
Explained. Total Variance Explained shows all the factors that can be extracted from the
analysis together with their Eigen values, the variance that attributable to each factor in
percentage as well as the cumulative variance of the factor and the preceding factor. Table
4.3 indicates the first factor has an Eigen value of 9.400 and it accounts for 24.102% of the
variance, while the median factor, which is factor five (5) has an Eigen value of 2.410 and it
accounts for 6.179% of the variance. The ninth factor which is the last one had an Eigen
value of 1.326 and accounts for 3.399% of the variance. The factors which were not included
not were significant.

Table 4.3 Total Variance Explained

Component Extraction Sums of Squared Loadings Rotation Sums of Squared Loadings

Total % of Variance Cumulative % Total % of Variance Cumulative %

1 9.400 24.102 24.102 5.099 13.074 13.074

2 7.171 18.386 42.488 4.967 12.735 25.810
3 4.160 10.667 53.156 4.493 11.520 37.330
4 2.844 7.293 60.449 4.260 10.922 48.252
5 2.410 6.179 66.628 4.210 10.796 59.048
6 1.994 5.112 71.741 2.854 7.318 66.366
7 1.709 4.383 76.123 2.377 6.095 72.460
8 1.407 3.607 79.730 2.251 5.771 78.231
9 1.326 3.399 83.129 1.910 4.898 83.129
Source: Primary Data

4.4 GENERAL INFORMATION

This section covers a description of the profile of the responses which were valid. In
gathering data the researcher ensured that the identity of the respondents remains unknown
and no confidential information was recorded.

4.4.1 Gender of the respondents

It is of paramount importance to have an understanding on the demographic patterns of the
respondents. Figure 4.2 illustrates the gender of all the valid responses. The majority of the
respondents were males which contributed 70% of the total responses, while females
contributed 30% of all the valid responses.

38 | P a g e
 30%
Male
70% Female

Figure: 4.2 Gender distributions of the respondents

4.4.2 The Age Group of the Respondents

The research findings indicated that, the age group 20-24years had 3.3% of the valid
responses, age group 25-29years had 10% of the valid responses, age group 30-34years had
40 and finally the age group of 35years and above had 46.7%. Therefore it can be concluded
that the majority of the respondents were starting from the age of 30 and above with a total
percentage of (40% + 46.7% = 86.7%). Table 4.4 illustrates this;

Table 4.4: The Age Groupof the Respondents

Age Group Frequency Percent

20-24Years 1 3.3

25-29Years 3 10.0

Valid 30-34Years 12 40.0

35+Years 14 46.7

Total 30 100.0

Source: Primary Data

4.4.3 The level of education of the respondents

In this question the respondents were asked to indicate their level of education. Table 4.3
indicates that 16.7% of the valid respondents have diplomas as their highest level of
education. This is followed by 40% of the respondents who have level of education up to
degree level and finally 43.3% of the respondents have acquired post graduate degrees.
Therefore from the findings it can be noted that, the respondents in Ecobank are well
educated as the majority 83.3% (40+43.3) have at least a degree as their level of education.

39 | P a g e
 45
40
Responses in (%) 35
30
40 43.3
25
20
15 16.7
10
5
0
Diploma Degree Postgraduate
Level of Education

Figure 4.3 – The Level of Education of the respondents

4.4.4 Number of years in the organisation

Table 4.5 indicates that 20% of the respondents have been in the organisation for 0-2years,
23.3% of the respondents have in the organisation for 3-5years, while 23.3% of the
respondents also been in the organisation for 6-8years and finally 33.3% of the respondents
have been in the organisation for at least 9years. Therefore the majority 56.6% that is, (23.3 +
33.3) have been in the organisation for at least 6 years.

Table 4.5 Number of Years in the organisation

Number of Years in Organisation Frequency Percent

0-2 Years 6 20.0

3-5 Years 7 23.3

6-8 Years 7 23.3

9+ Years 10 33.3

Total 30 100.0

Source: Primary Data

4.4.5 Position in the organisation

The position of an individual in the organisation is an indication of the influence that he/she
has in that organisation. Table 4.6 shows that, 3.3% of the respondents indicated that they are
in the top management, 40% of the respondents indicated that they are middle managers,
23.3% of the respondents indicated that they are supervisors and 33.3% of the respondents
were non-managers.

Position in the organisation Frequency Percent

Top Management 1 3.3

Middle Management 12 40.0

40 | P a g e
Supervisory 7 23.3

Non-Managerial 10 33.3

Total 30 100.0
 Table 4.6 Position of the Respondents in the organisation

Source: Primary Data

4.4.6 Department in the organisation

The research findings indicates that 10% of the respondents were in the Internal Audit
department, both Internal Control and Finance department contributed 6.7 each of the
respondents, Risk Management contributed 13.3% and the other departments contributed the
majority of the respondents with 63.3%. This is shown in table 4.7,

Table 4.7 Department of respondents in the organisation

Department Frequency Percent

Internal Audit 3 10.0

Finance 2 6.7

Internal Control 2 6.7

Risk Management 4 13.3

Other 19 63.3

Total 30 100.0

Source: Primary Data

4.5 OPERATIONAL RISK MANAGEMENT

4.5.1 Enterprise Risk Management (ERM)

In this question the respondents were asked to indicate if Ecobank employed Enterprise Risk
Management. From the findings it was noted that the majority of the respondents 96.7%
agreed that Ecobank employs Enterprise Risk Management as a risk management framework.
Only 1 respondent (3.3%) of the total respondents highlighted that he was not sure if Ecobank
makes of ERM. Therefore a conclusion can be made that most the respondents were aware of
ERM.
4.5.2 Impact of various risk types on ERM in Ecobank
In this question the respondents were asked on the impact of various risk types on Enterprise
Risk Management. The majority 73.4% (26.70%+46.70%) indicated that credit risk had at
least a higher impact on ERM. 23.30% of the respondents were neutral and only 3.30%
suggested that credit risk had low impact on ERM. 26.70% of the respondents agreed that
41 | P a g e
market risk had high impact and highest impact respectively. 33.30% were neutral on their
reservations and a meagre 13.30% responded that market risk had low impact on ERM.
Furthermore, a greater percentage 70% that is, (40%+30%) of respondents highlighted that
liquidity risk had high impact and highest impact on ERM respectively. While less than half
of the respondents indicated that liquidity risk had low impact (13.30%) and least impact
(3.30%) on ERM. Finally, most respondents 30% + 26.70% agreed that operational risk had
high impact and highest impact on ERM respectively. Interestingly, 26.70% of the
respondents were neutral, followed by 13.30% respondents who suggested that operational
risk had low impact on ERM and lastly, only 3.30% indicated that operational risk had the
least impact on ERM. Table 4.8 shows the responses obtained;
Table 4.8 - Impact of various risk types on Enterprise Risk Management
RESPONSES
[1] Least [2] Low [4] High [5] Highest STD
Risk Type Impact Impact [3] Neutral Impact Impact Mean DEV
Credit Risk 0% 3.30% 23.30% 26.70% 46.70% 4.17 0.913
Market Risk 0% 13.30% 33.30% 26.70% 26.70% 3.67 1.028
Liquidity Risk 3.30% 13.30% 13.30% 40% 30% 3.8 1.126
Operational Risk 3.30% 13.30% 26.70% 30% 26.70% 3.63 1.129
Source: Primary Data

4.6 OPERATION RISK MANAGEMENT (ORM) FRAMEWORK

4.6.1 Operational Risk Framework

As stated in chapter 2 the RBZ Guidelines requires every bank to have a framework for
operational risk. This question required the respondents to indicate if Ecobank had a
framework for operational risk management. From the findings all the respondents 100%
highlighted that their institution has a framework for operational risk management. Therefore,
this implies that Ecobank was complient in terms of having a framework for operational risk.

4.6.2 The elements of the ORM Framework

Table 4.8 shows the responses on the elements of the Operational Risk Management (ORM)
Framework. 96.70% of the total respondents they agreed that the framework of their
organisation has board and senior management oversight as an element. Only 3.3%
respondents were not sure if their organisation’s framework had board and senior
management oversight as an element of the Framework. This is illlustrated by table 4.9;
Table 4.9 Elements of the ORM Framework

42 | P a g e
 RESPONSES

ELEMENT YES NO NOT SURE

Board and Senior Management Oversight 96.70% 0% 3.30%
Operational Risk Management strategy, policies & procedures 100% 0% 0%
Clearly documented policies, processes & procedures for ORM 96.70% 3.30% 0%
Adequate Management Information System 93.3 0% 6.70%
Sound internal controls and reviews 96.70% 0% 3.30%
Source: Primary Data
Table 4.9 shows that, all the respondents (100%) agreed that Ecobank had strategies, policies
and procedures in their Operational Risk Management Framework. In addition, the findings
show that 96.70% of the respondents agreed that Ecobank has incorporated clearly
documented policies and procedures in the ORM framework, while only 3.30% disagreed
with this. The majority (93.30%) of the respondents agreed that Ecobank has adequate
Management Information Systems for ORM, while a minority (6.70%) of the respondents
opposed this. Finally, majority (96.70%) of the respondents agreed that Ecobank has sound
internal controls and reviews in their ORM Framework, while 3.30% of the respondents were
not sure if the bank had sound internal controls and reviews.

4.6.3 Effectiveness of the Policies and Procedures being used for ORM

Table 4.10 shows the distribution of the responses in terms of the effectiveness the policies
and procedures which were used by Ecobank in the management of operational risk. A
greater percentage of the valid respondents 66.7% highlighted that the policies and
procedures currently being used for ORM in Ecobank were effective to a larger extent. 20%
indicated that the policies were effective to a very large extent and only 13.3% were neutral
in terms of their responses. This implies that, the policies and procedures currently being
utilised by Ecobank to manage operational risk are adequate.
Table 4.10 – Effectiveness of the Policies and Procedures for ORM

Effective of Policies and Procedures Frequency Percent

Neutral 4 13.3

Large Extent 20 66.7

Very Large Extent 6 20.0

Total 30 100.0

Source: Primary Data

43 | P a g e
4.6.4 Principles that apply to specific components of operational risk

The RBZ Guideline of 2006 mandates every bank’s ORM Framework to be supported by the
principles in Table 4.11. The research findings indicated that, the majority (96.70%) of the
respondents agreed that their ORM framework was supported by the principle of new
customer approval and only 3.30% were not sure about this. Most of the respondents 96.70%
also agreed that the Framework was supported by the principle of new product approval and
3.30% were not sure if this principle was incorporated in the ORM Framework. 96.70% of
the respondents agreed that the ORM Framework was supported by the principle of new
information and technology system approval while, 3.30% were not sure. The majority
(56.70%) of the respondents supported that outsourcing was a component of the ORM
Framework, 10 % disagreed and 33.30% were not sure. Furthermore, most of the respondents
agreed that business continuity planning was a component of their organisation’s ORM
Framework. Finally all the respondents (100%) agreed that their organisation ORM
Framework is supported by the principle of crisis management and anti-money laundering.
RESPONSES
COMPONENT YES NO NOT SURE
New Customer Approval 96.70% 0% 3.30%
New Product Approval 96.70% 0% 3.30%
New Information technology system Approval 96.70% 0% 3.30%
Outsourcing 56.70% 10% 33.30%
Business Continuity Planning 96.70% 0% 3.30%
Crisis Management 100% 0% 0%
Anti-money laundering 100% 0% 0%

Table 4.11 Principles that apply to components of operational risk

Source: Primary Data

4.7 RISK IDENTIFICATION AND ASSESSMENT

4.7.1 Factors that affect risk identification

In this question the respondents were asked to state the factors which their organisation
considered in the identification of operational risks. In the literature review two factors were
identified and these are internal factors and external factors. According to the questionnaire
all the respondents (100%) indicated that that their organisation considered both internal and
external factors in identifying operational risk.

44 | P a g e
4.7.2 Risk Factors which lead to incidences of operational risk

Table 4.12 shows the risk factors which lead to incidences of operational risk. The risk
factors are people, systems, processes and external events and are analysed individually. The
finding indicates that to a greater extent people are leading to incidences of operational risk.
This is supported by a mean score of 3, 6 which is above average. In addition the majority of
the respondents suggested that to a larger extent systems are leading to incidences of
operational risk. This is supported by a mean score of 2.8 which was greater than 2.5. The
third factor is processes and the findings indicated that, the majority of the respondents
supported that to a large extent processes lead to incidences of operational risk with a mean
score of 3.17. Finally, the results also indicates that to a large extent (mean = 3.07) external
events lead to incidences of operational risk. Therefore, this implies that the overall the
respondents agreed that to a larger extent the risk factors mentioned in chapter 2 lead to
incidences of operational risk.

Table 4.12 Factors leading to incidences of Operational Risk

[1]Very [5] Very
Small [2] Small [3] [4] Large large
Risk Factor Extent Extent Neutral extent extent Mean STD Dev

People 10% 3.30% 26.70% 36.70% 23.30% 3.6 1.192

Systems 10% 30% 33.30% 23.30% 3.30% 2.8 1.031

Processes 3.30% 26.70% 26.70% 36.70% 6.70% 3.17 1.02

External Events 10% 10% 50% 23.30% 6.70% 3.07 1.015

Source: Primary Data

4.7.3 To what extent is the organisation affected by consequences of operational risk

Table 4.13 shows the extent to which Ecobank is affected by consequences of operational
risk which were mentioned in chapter 2. From the findings it can be observed that to a large
extent (mean=3.2) the respondents agreed that Ecobank is affected to a large extent by
financial loss. Secondly, the findings indicates that majority of the respondents supported that
Ecobank was affected by business disruptions to a large extent. However, this is not the case
for legal claims, the majority (mean = 2.33) suggested that Ecobank if affected by legal
claims in a smaller extent.

Table 4.13 Consequences of operational risk

Consequence [1]Very [2] Small [3] [4] Large [5] Very Mean STD Dev

45 | P a g e
 Small large
Extent Extent Neutral extent extent

Financial Loss 13.30% 20% 20% 26.70% 20% 3.2 1.349

Business Disruption 13.30% 26.70% 33.30% 10% 16.70% 2.9 1.269

Legal Claims 30% 33.30% 20% 6.70% 10% 2.33 1.269

Source: Primary Data

4.7.4 Tools for identification and Assessment of Operational Risk

Table 4.14 shows the tools which are in the RBZ Guideline (2006) as tools for operational
risk identification and assessment. From the research, the researcher discovered that the
majority (93.33%) of the valid respondents agreed that self-risk assessment was used as a tool
for operational risk identification and assessment. The other 6.67% were disagreeing (3.33%)
and were not sure 3.33%. Secondly, the majority 96.70% of the respondents’ consent that
their organisation was indeed using risk mapping as a tool for ORM and the remaining 3.30%
were not sure if their organisation was using risk mapping. Furthermore, a greater percentage
of the respondents (96.70%) approved that their organisation was using key risk indicators as
a tool for operational risk identification and assessment and only 3.30% were not sure. 90%
of the respondents agreed that scorecards were used to identify and assess risk, while 6.70
disapproved that and 3.30% were not sure. Finally, the majority of the respondents suggested
that they used limits or threshold as a tool to assess operational risk and 6.70% were not sure
about this.

Table 4.14 Tools for Identification and Assessment of Operational Risk

RESPONSES
PROCESSES YES NO NOT SURE
Self Risk Assessment 93.33% 3.33% 3.33%
Risk Mapping 96.70% 0% 3.30%
Key Risk Indicators 96.70% 0% 3.30%
Scorecards 90% 6.70% 3.30%
Thresholds/Limits 93.30% 0% 6.70%
Source: Primary Data

4.7.5 Effectiveness of the Tools for Operational Risk Management

The RBZ guidelines stipulates that banks must use tools that are in commensurate with the
complexity and size of bank in managing operational risk. In this regard table 4.15 shows the
responses on the effectiveness of the tools which are being used to identify and assess
operational risk. The majority of the respondents 43.30% and 26.70% indicated that self-risk

46 | P a g e
 assessment was effective as a tool for risk assessment to a large extent and very large extent
respectively. On the other hand, 20% had a response which was neutral, while 6.70% and
3.30% highlighted that self-risk assessment was to a small extent and very small extent
effective as a tool for operational risk assessment respectively. In addition, most of the
responses 43.30% and 23.30% indicated that risk mapping was effective as a tool for risk
assessment to large extent and to a very large extent respectively. Interestingly, 26.70% of the
total responses were neutral and 6.70% highlighted that risk mapping was less effective as a
tool for operational risk assessment and measurement.

According to the questionnaire, a majority 76.70% (46.70% + 30%) indicated that key risk
indicators were to a large extent and very large extent effective as tools for operational risk
assessment respectively. However, 3.30% each believed that key risk indicators were
effective to a smaller extent and very small extent respectively. 16.70% of the total responses
were neutral. In addition, 46.70% and 13.30% of the responses believed that scorecards are
effective in operational risk assessment to a larger extent and very large extent respectively.
This was followed by 26.70% who were neutral and 6.70% each highlighted that scorecards
were effective only to a smaller extent and very small extent as tools for operational risk
management respectively. Lastly, a greater proportion 43.30% and 23.30% of the respondents
indicated that threshold were effective to a large extent and very extent respectively as tools
for operational risk assessment. This is illustrated in table 4.15

Table 4.15 Effectiveness of the tools for Operational Risk identification and assessment
[1]Very [5] Very
Small [2] Small [4] Large large
PROCESSES Extent Extent [3] Neutral extent extent Mean STD Dev

Self-Risk Assessment 3.30% 6.70% 20.00% 43.30% 26.70% 3.83 1.02

Risk Mapping 0% 6.70% 26.70% 43.30% 23.30% 3.83 0.874

Key Risk Indicators 3.30% 3.30% 16.70% 46.70% 30% 3.97 0.964

Scorecards 6.70% 6.70% 26.70% 46.70% 13.30% 3.53 1.042

Thresholds/Limits 3.30% 3.30% 26.70% 43.30% 23.30% 3.8 0.961

Source: Primary Data

4.8 MEASUREMENT OF OPERATIONAL RISK

4.8.1 Tools for measuring Operational Risk
Table 4.16 shows the responses for the tools which where suggested by RBZ as tools for
operational risk measurement. All the respondents (100%) approved that Ecobank uses

47 | P a g e
internal operational loss event data to measure operational risk. Secondly, majority (86.70%)
of the respondents agreed that their organisation is using relevant external operational loss
data to measure operational risk. This was followed by 10% of the respondents who were not
sure and only a 3.30% did not concur with the use of the tool. Moreso, the findings indicated
that the majority (93.40%) of all the valid respondents approved that Ecobank uses business
environment as a tool to measure operational risk and only a small percentage disagreed
(3.3%) and another 3.3% was not sure. 96.70% of the respondents indicated that internal
control factor assessments were being utilised to measure operational risk and 3.30% were
not sure. Lastly, the majority (76.70%) agreed that Ecobank is making use of scenario
analysis to measure operational risk, 13.30% disagreed and 10% were not sure.

Table 4.16 Tools for Measurement of Operational Risk

Tool YES NO NOT SURE
Internal Operational Loss Event Data 100% 0% 0%
Relevant External Operational Loss Event Data 86.70% 3.30% 10%
Business Environment 93.40% 3.30% 3.30%
Internal Control Factor Assessments 96.70% 0% 3.30%
Scenario Analysis 76.70% 13.30% 10.00%
Source: Primary Data

4.9 MONITORING AND REPORTING OPERATIONAL RISK

According to the RBZ Guidelines, banks are expected to integrate internal control system into
the bank’s operations, the findings from the research indicated that all the respondents
(100%) approved that Ecobank has an internal control system which is integrated into the
bank’s operations. Furthermore, the researcher also found out that, the results which were
obtained through the internal control system were included in the management and board
meetings. This was also approved by all respondents. However, in terms of management
information systems (MIS) a majority of 93.3% approved that Ecobank had an MIS for risk
reporting and only 6.7% were not really sure about the MIS. Table 4.17 shows the
distribution of responses in terms of whether the organisation had an MIS for operational risk
reporting

Table 4.17 Does the organisation have an MIS for Operational Risk Reporting

Frequency Percent

48 | P a g e
 YES 28 93.3

NOT SURE 2 6.7

Total 30 100.0

Source: Primary Data

4.9.1 The Effectiveness of the Management Information System

The RBZ guidelines state that each bank should have an effective MIS for operational risk
reporting. Table 4.18 shows the responses in terms of the effectiveness of the MIS system at
Ecobank. The findings clearly show that the majority of the respondents 56.7% and 30%
suggested that the MIS was effective to a large extent and very large extent respectively.
Only a small percentage of 13.3% was neutral.

Table 4.18 Effectiveness of MIS in terms of Risk reporting

Frequency Percent

Neutral 4 13.3

Large Extent 17 56.7

Very Large Extent 9 30.0

Total 30 100.0

Source: Primary Data

4.10 RISK CONTROL AND MITIGATION

4.10.1 Drivers of Operational Risk

This question required the respondents to indicate the extent to which Ecobank is affected by
operational risk drivers mentioned in the RBZ guideline. According the questionnaire
majority of the respondents indicated that Ecobank is affected by new products and activities
as a driver of operational risk and this is supported by a mean score of 3.27. In addition, a
mean score of 3.4 indicated that most of the respondents approved that Ecobank is affected
by change in IT systems, facilities and equipment to a large extent as a driver of operational
risk.

49 | P a g e
 On the other hand, a mean score of 3.47 highlighted that e-banking services were also to a
larger extent drivers of operational risk Ecobank. A mean score of 2.93 on outsourcing
arrangement meant that a greater proportion of the respondents believed that outsourcing
arrangements to a greater extent were drivers of operational risk. In addition, the majority of
the respondents (mean=3.3) highlighted that to a large extent money laundering was a driver
of operational risk in the organisation. On other hand, a mean score of 3.17 indicated that to a
larger extent suitability of customer led to operational risks in their organisation. Lastly, a
mean score of 3.3 implies that to a greater extent external documentation was a driver of
operational risk. Therefore it can be noted that the majority agreed that the drivers of
operational risk mentioned in the RBZ guideline (2006) were indeed affecting Ecobank.
Please see Table 4.19 for the distribution of the responses in terms of their beliefs on the
drivers of operational risk in Ecobank.

Table 4.19 Drivers of Operational Risk

[1]Very [2] [4] [5] Very
Small Small [3] Large large STD
Operational Risk Driver Extent Extent Neutral extent extent Mean Dev

New Products & Activities 10% 6.70% 36.70% 40% 6.70% 3.27 1.048

Change of IT systems, Facilities and Equipment 3.30% 16.70% 33.30% 30% 16.70% 3.4 1.07

E-banking Services 3.30% 13.30% 33.30% 33.30% 16.70% 3.47 1.042

Outsourcing Arrangements 13.30% 13.30% 46.70% 20% 6.70% 2.93 1.081

Money Laundering 10% 16.70% 26.70% 26.70% 20% 3.3 1.264

Suitability of Customers 3.30% 30% 26.70% 26.70% 13.30% 3.17 1.117

External Documentation e.g Contracts 6.70% 20% 30% 23.30% 20% 3.3 1.208

4.10.2 Mitigants for the drivers of Operational Risk

The respondents were asked on their belief on the adequacy of the controls that the bank had
in mitigating operational risk. Table 4.20 shows the distributions of their responses in terms
of their belief and the mean scores were recorded. According to the responses a mean of 3.47
indicated that to a greater extent the bank had adequate controls for mitigating operational
risks which comes as a result of new products and activities. A mean score of 3.87

50 | P a g e
 highlighted that, the majority believed that the bank had adequate controls for mitigation of
changes in IT systems, facilities and equipment as a driver of operational risk. In addition, a
mean score of 3.67 indicates that the majority approved that the bank had sufficient controls
for dealing with outsourcing arrangements as drivers of operational risk.

Moreso, a mean score of 3.9 is an indication that most of the respondents felt that to a larger
extent the bank had sufficient controls to handle money laundering as a driver of operational
risk. A mean score of 3.53 highlighted that a greater proportion of the respondents believed
that to a larger extent the bank had enough controls to deal with suitability of customers as
potential drivers of operational risk. Lastly, a mean score of 3.43 indicated that most of the
respondents to a larger extent believed that the bank had adequate controls for dealing with
external documentation as a driver of operational risk.

Table 4.20 Does the Organisation have Adequate Controls for Operational Risk Drivers
[5]
[1]Ver [2] [4] Very
y Small Small [3] Large large STD
Operational Risk Driver Extent Extent Neutral extent extent Mean Dev
New Products & Activities 6.70% 16.70% 20.00% 36.60% 20.00% 3.47 1.196
Change of IT systems, Facilities and Equipment 3.30% 6.70% 13.30% 53.30% 23.40% 3.87 0.973
E-banking Services 0.00% 6.70% 36.60% 40.00% 16.70% 3.67 0.844
Outsourcing Arrangements 0.00% 13.30% 36.70% 40% 10.00% 3.47 0.86
Money Laundering 0% 6.70% 26.70% 36.70% 30% 3.9 0.923
Suitability of Customers 6.70% 10% 26.70% 36.60% 20.00% 3.53 1.137
External Documentation e.g Contracts 3.30% 6.70% 40% 43.30% 6.70% 3.43 0.858
Source: Primary Data

4.10.3 Controls for Operational Risk

This question required the respondents to indicate whether their organisation’s internal
control system included the factors highlighted in Table as methods for operational risk. A
majority of the respondents (96.70%) indicated that indeed their organisation used
segregation of duties as a method of controlling operational risk and only 3.30% indicated
that the bank did not include segregation of duties in their internal control system. In addition
all the respondents (100%) agreed that the bank incorporated the following in their internal

51 | P a g e
control system (a) close monitoring of adherence to assigned risk thresholds/limits (b)
maintaining safeguards for access to and use of bank assets and records (c) regular
verification and reconciliation of transactions and accounts. Furthermore, a greater
percentage (90%) agreed that their organisation ensures that the employees have the
appropriate expertise needed for them to execute their duties and 6.7% of the respondents
disagreed while only 3.30% were not sure. Lastly, a majority (90%) of the respondents also
agreed that the internal control system of the bank was able to identify the business lines
where returns are not in line with expectations. Interestingly, 3.3% of the respondents
disagreed and 6.7% were not sure about this.
Table 4.21Internal Control methods for operational risk
RESPONSES
Internal Control Method YES NO NOT SURE
Segregation of duties 96.70% 3.30% 0%
Close monitoring of adherence to assigned risk limits/thresholds 100% 0% 0%
Maintaining Safeguards for access to and use of bank assets and records 100% 0% 0%
Staff Training 90% 6.70% 3.30%
Identifying business lines where returns are way out of line with expectations 90% 3.30% 6.70%
Regular verification & reconciliations of transactions & accounts 100 0% 0%

4.10.4 Effectiveness of the Controls for Operational Risk

Table 4.22 shows the distribution the responses on how effective the internal control methods
were effective in terms of controlling operational risk. According to the questionnaire, a
majority (mean=4.3) of the respondents indicated that segregation of duties was more
effective as an internal control method of operational risk. In addition, most of the
respondents (mean = 4.47) believed that close monitoring of adherence to assigned limits was
a more effective way of operational risk. A mean score of 4.3 indicates that a greater
percentage of the respondents believe tha maintaining of safeguards for access to and use of
bank assets and records is an effective way of operational risk controlling. On the other hand,
a mean score of 4.2 indicated that the majority of the respondents believe tha staff training is
also a more effective way of operational risk controlling. Moreso, a mean score of 4.03
implies that most of the respondents regard identification of business lines where returns are
not in line with expectations as an effective way for operational risk controlling. Finally, a
mean score of 4.37 highlights that, a greater proportion of the respondents believe that regular
verification and reconciliations of transactions and accounts are effective methods of
controlling operational risk in the bank.

52 | P a g e
 Table 4.22 Effectiveness of the internal control methods for Operational Risk

[l] Least [2] Less [3] [4] [5] Most STD

Internal Control Method effective effective Neutral Effective Effective Mean DEV
Segregation of duties 3.30% 0% 13.30% 36.70% 46.70% 4.23 0.935
Close monitoring of adherence to assigned risk
limits/thresholds 0% 3.30% 6.70% 30% 60% 4.47 0.776
Maintaining Safeguards for access to and use of
bank assets and records 3.30% 0% 10% 36.70% 50% 4.3 0.915
Staff Training 0% 0% 16.70% 46.70% 36.70% 4.2 0.714
Identifying business lines where returns are way
out of line with expectations 3.30% 0% 16.70% 50% 30% 4.03 0.89
Regular verification & reconciliations of
transactions & accounts 0% 6.70% 10% 23.30% 60% 4.37 0.928
Source: Primary Data

4.10.5 Contingency and Business Continuity plans

This question required the respondents to indicate if their organisation had well documented
contingency and business continuity plans to ensure the ability of the bank to continue as a
going concern. From the research findings all the respondents (100%) indicated that Ecobank
has well documented contingency and business continuity plans to ensure the ability of the
bank to continue as a going concern. This implies that bank was compliant on the guideline
that all mandated should establish business resumption and contingency plans as a way of
minimising the impacts of operational risk.

4.10.6 Adequacy of the Business Resumption and Contingency Plans which have been
put in Place
Table 4.23 shows the distribution of responses in terms of the adequacy of the business
resumptions and contingency plans considering the complexity and the size of the bank. A
major of the respondents 80% (46.7% + 33.3%) believed that the bank to a large extent and
very large extent had adequate resources in place which were in line with the size of the bank
respectively. Interestingly on 20% of the total respondents were neutral.

Table 4.23 Adequacy of the Business Continuity Plans that have been put in place

Frequency Percent

Neutral 6 20.0

Large Extent 14 46.7

Very Large Extent 10 33.3

Total 30 100.0
Source: Primary Data

53 | P a g e
4.11 Additional Comments on how the institution is working towards efficient
Operational Risk Management

This was an open ended question which required the respondents to give an explanation on
what the organisation has been doing in order to improve its operational risk management.
Most of the respondents were reluctant to give their feedback on this question. Nevertheless,
the researcher managed to take note of a few comments that were written. The first
respondent only highlighted that on the time of conducting the research the organisation was
on track. The second respondent highlighted that, the bank was guided by the regulations of
the central bank. The third respondent highlighted that, courses are conducted through the
Virtual Banking Institute are designed by the Ecobank Group every 3 months.

4.12 ANALYSIS OF THE INTERVIEWS

The researcher managed to conduct one interview to get clarifications especially on the
questions pertaining to the Basel II Framework. The findings are discussed on the next page:

4.12.1 Is the bank setting aside capital charges as required by the Basel II Accord?
This question was asked to determine whether the bank had implemented the requirements by
the Pillar 1 of the Basel II Accord to set aside capital charges for operational risk
management. The researcher obtained the response that the bank was compliant and capital
charges were being set aside not only for operational risk but also for other types of risk.
Furthermore, the interviewee indicated that the computation for the capital charges were
conducted by the Financial Control department and the methods which were used were based
on predictions.

4.12.2 To what extent do you believe the bank has been following the guidelines for
Basel II and RBZ?
The interviewee was asked this question in order to determine the extent to which the bank
had implemented the guidelines. The findings on this question were that, Ecobank had tried
its best in terms of the implementation of both the Basel II Accord and the RBZ Framework.
The interviewee actually responded by saying that, “Ecobank had done a lot in terms of
integrating the two Frameworks into the bank’s operation; actually Ecobank is far ahead of
other banks in terms of implementation.

54 | P a g e
4.12.3 What other means is the organisation using to manage operational risk?
The question asked the interviewee to indicate the other means that were being used by the
organisation to manage operational risk besides what the Basel II and the RBZ framework. In
responding to this question the interviewee indicated that, Ecobank conducted monthly
Business Unit Risk Committees’ (BURC) for each department and the Business Risk
Committee (BRC) for the whole bank. In these committees ways of managing operational
risks will then be discussed and feedback given on the progress in each business unit.
Furthermore, the interviewee also indicated that, the bank had implemented software known
as Acclerate Operational Risk Management Software.

CHAPTER SUMMARY
This chapter was mainly based on the presentation, analysis and presentation of the findings.
The findings were obtained through the use of a questionnaire and interviews. Excel and
SPSS software were used to analyse the questionnaire questions.

CHAPTER FIVE
SUMMARY, CONCLUSION AND RECOMMENDATIONS
In the previous chapter the researcher presented, analysed and interpreted the gathered data.
The main aim of the chapter is give a summary of the study that was conducted by the
researcher. This would involve a recap on the restatement of the research objectives and
questions in order to make sure that these were achieved. The summary will also include the
methodology used, a brief outline of the research findings and the conclusion as well as the
recommendations.

5.1 SUMMARY

5.1.1 The purpose of the study

This study focused on the analysis of operational risk management in the Zimbabwean
banking sector paying special attention to Ecobank as a case study.

5.1.2The restatement of main research objectives

The main research objectives of the study were: (a) to determine whether the Zimbabwean
banks are following the RBZ Guidelines on Operational Risk Management (b) to determine

55 | P a g e
whether banks are setting aside capital charges as required by the Basel II Framework in the
management of operational risk (c) to determine how the banks are managing operational risk
(d) the identify the causes and the consequences of operational risks on the banks.

5.1.3 The Methodology

A methodology of a research is simply how a researcher chooses to deal with a specific

question (research problem). The methodology of the researcher was comprised of an
integrated research design which included descriptive research and exploratory research. In
addition, the researcher also used an integrated research strategy which was comprised of a
case study and survey. The main reason for the selection of an integrated strategy was to
increase the depth of the data. In terms of the research approach the researcher used a mixed
research approach which was both qualitative and quantitative. The interview with the
Internal Audit department in Ecobank was to collect qualitative and more explanatory
information, while the questionnaires were distributed to gather quantitative data. The target
population was all employees in Ecobank Zimbabwe of which a sample size of at least 30
was to be drawn from target population. Convenience sampling technique was used in which
the questionnaires were distributed to those who were readily available at the time of
distributing the questionnaires. The researcher also conducted a pilot study to test the validity
of the research instrument and the responses were overwhelming. Finally, ethical
considerations were considered during the whole process of conducting the study.

5.1.4 Discussion on the findings

The section contains a brief discussion of the research findings to determine whether the
research objectives were achieved and to determine whether the research questions were
answered.

5.1.4.1 Are the banks following the RBZ Guidelines on Operational Risk Management?

The RBZ as the regulator of all financial institution in the country has set guidelines which
must be followed by the banks in terms of operational risk management. One of the main
elements of the guidelines is for each bank to have a framework for operational risk
management. According to the research finding it can be noted that Ecobank had indeed put
in place a framework for operational risk management which was already operational. This
can be supported by a response rate of 100% that the bank had a framework for operational
risk management.

56 | P a g e
Secondly, the RBZ guidelines clearly stipulate that, in the framework for operational risk
management should contain strategies, policies and procedures for operational risk
management. According to the findings it can be noted that 100% of the respondents
indicated Ecobank had already established the strategies, policies and procedures for
operational risk management. It terms of the effectiveness of these policies and procedures a
majority of 86.7% indicated that to a large extent these strategies and policies were effective
in the management of operational risk.

The third issue is that the RBZ guidelines of 2006 require the banks to put in place a
Management Information System (MIS) for operational risk monitoring and reporting. In line
with this the findings indicated that Ecobank had established an MIS for operational risk
reporting which was already functional. This is supported by a majority of 93.3% who stated
that indeed the bank had an MIS for operational risk management.

Lastly the RBZ expects the Framework for operational risk management to incorporate sound
internal control systems and reviews. According to the research all the respondents 100%
suggested that, Ecobank had already an internal control system which was integrated in the
bank’s operations. Furthermore, the results from the internal control system were also used in
the management meeting as well as board meetings.

5.1.4.2 Does Ecobank set aside capital charges as required by the Basel II Framework?

Pillar 1 of the Basel II framework states that a bank should set aside capital charges as a
buffer for operational risks. The calculations of the capital charges should consider the
complexity of the bank as well as its size. From the interview which was conducted it was
discovered that Ecobank is setting aside these capital charges as mandated in the Pillar 1. In
terms of the calculations of the figures, the financial control department in Ecobank was
responsible for that duty. A special formula was used for coming up with the prediction on
the figures.

5.1.4.3 The causes and consequences of operational risk

The major causes of operational risk highlighted in the RBZ Guideline of 2006 include; (a)
New products and activities (b) changes in IT systems, facilities and equipment (c) e-banking
services (d) outsourcing arrangements (e) money laundering (f) suitability of customers (g)
external documentation. Table 4.19 in chapter four clearly indicated that most of the
respondents suggested that to a larger extent the above causes were indeed drivers of

57 | P a g e
operational risk in their organisation. Nevertheless, the analysis on Table 4.20 in chapter four
indicates that, the majority of the respondents believe that their organisation has adequate
controls for controlling the drivers of operational risk. On the other hand, the major
consequences of operational risk which were discovered are financial loss, legal claims and
business disruption. The research findings in Table 4.13 indicated that a majority of the
respondents believe that, the organisation was affecting to a greater extent only by financial
losses and business disruptions with mean scores above 2.5. Interestingly the majority of the
respondents (mean = 2.33) believe that their organisation is affected by legal claims only to a
smaller extent.

5.1.4.4 How operational risk is managed by the banks

The research findings indicate that the bank is making use of the risk management process as
way of managing its exposure to operational risk. The main process which is being used is
the one in the RBZ guidelines which has the following stages (a) Risk identification and
assessment (b) risk measure (c) risk monitoring and reporting and risk control and mitigation.
It is also important to note that this is a continuous process and the stages are not independent
of each other. Furthermore, the findings also indicated that Ecobank has incorporated the
principles of sound operational risk management which are in the Basel II framework in their
operational risk management framework.

5.2 CONCLUSION

This section looks at a conclusion that can be drawn that is based on the findings of this
study. Basing on the findings it can be concluded that, Ecobank Zimbabwe Limited has made
significant progress in the implementation of the RBZ Guidelines of 2006. The bank has
already established a framework for operational risk management which is in full swing. This
is supported by the majority of the respondents who indicated that indeed a framework for
operational risk management was functional. In terms of management of operational risk, it
can be concluded that the bank has put adequate controls in place as suggested by a majority
of the respondents. However, it can also be noted that there are gaps here and there especially
in terms of operational risk management awareness to all the staff members in the
organisation. Some of the employees were not really sure about all the elements in the
framework. Despite this, the researcher can conclude that to a greater extent Ecobank is
following the RBZ Guidelines on operational risk management. In terms of the Basel II
framework, a conclusion can be made that the bank is setting aside capital as buffer for

58 | P a g e
operational risk management as required by Pillar 1 of the Basel II Accord. Furthermore, the
bank has incorporated the principles of sound and effective operational risk management
which are highlighted in the Basel II document released in 2011. Therefore, the researcher
safely concluded that to a greater extent Ecobank was compliant in terms of operational risk
management as required by both RBZ and Basel II.

5.3 RECOMMENDATIONS

This section is an outline of the recommendations that were proposed by the researcher which
can be useful for operational risk management in the organisation.

5.3.1 Recommendation 1 – Staff Training

The findings indicate that a gap existed in other staff members on their knowledge in terms of
operational risk management in their organisation. A number of respondents highlighted that
there were not sure about some of the elements of their organisation’s framework for
operational risk management. Therefore, the researcher proposed that, a training programme
specifically for operational risk management awareness will be of importance to the
organisation. Furthermore, there is need for the organisation to make some follow ups in
order to ensure that all the employees are aware of the operational risk management
framework.

5.3.2 Recommendation 2: Full implementation of the Frameworks

The findings highlighted that there were gaps some in terms of full implementation of the
frameworks. There the researcher recommended that the bank can proceed to fully implement
all the elements of the framework as this can be critical for the bank’s operational risk
management. This can increase the preparedness of the bank to handle operational risk
drivers.

5.4 FUTURE RESEARCH IDEAS

The future research ideas can be drawn from the limitations of this study. Firstly further
researches can be conducted considering all the banks Zimbabwe and not limiting only to one
case study as is the case for this research. Secondly further researches can be done on
examining the impacts of operational risk on the bank’s performance. Finally, other
researchers are free to validate this research by using this research as a yardstick for their own
research and then determine applicability of the findings of this research.

59 | P a g e
60 | P a g e