Chapter 6 – Operational Risk
Operational risk has been defined by the Basel Committee on Banking Supervision (BCBS), as ‘the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’.
Classification of operational risk:
- Cause Based
  - People Oriented Causes: Negligence, incompetence, insufficient training, integrity, key man
  - Process Oriented (Transaction Based) Causes: Business volume fluctuation, organizational complexity, product complexity, major changes
  - Process Oriented (Operational Control Based) Causes: Inadequate segregation of duties, lack of management supervision, inadequate procedures
  - Technology Oriented Causes: Poor technology and telecom, obsolete application, lack of automation, information system complexity, poor design, development and testing
  - External Causes: Natural disasters, operational failures of a third party, deteriorated social or political context
- Effect Based
  - Legal Liability
  - Regulatory, Compliance and Taxation Penalties
  - Loss or Damage to Assets
  - Restitution
  - Loss of Recourse
  - Write Downs
- Event Based
  - Internal Fraud
  - External Fraud
  - Employment practices and workplace safety
  - Clients, Products and Business practices
  - Damage to physical assets
  - Business disruption and system failures
  - Execution, delivery and process management
Operational Risk Quantification
The Basel Committee has put forward a framework consisting of 3 options for calculating operational risk capital charges in a ‘continuum’ of increasing sophistication and risk sensitivity.
(i) The Basic Indicator Approach (BIA)
(ii) The Standardised Approach (TSA)
(iii) Advanced Measurement Approach (AMA)
Reserve Bank has initially allowed the banks to use the Basic Indicator Approach for computing regulatory capital for operational risk. Some banks are expected to move along the range toward more sophisticated approaches as they develop more sophisticated operational risk management systems and practices which meet the prescribed qualifying criteria.
- The Basic Indicator Approach
At the minimum, banks in India should adopt this approach immediately while computing capital for operational risk. Under this, the banks have to hold capital for operational risk equal to a fixed percentage (alpha) of a single indicator which has currently been proposed to be “gross income”. This approach is available for all banks irrespective of their level of sophistication. The charge may be expressed as follows:
$K_{BIA} = \left[\sum (GI \times \alpha)\right] / n$
Where: $K_{BIA}$ = the capital charge under the Basic Indicator Approach.
$GI$ = annual gross income, where positive, over the previous three years.
$\alpha$ = 15%, set by the Committee, relating the industry-wide level of required capital to the industry-wide level of the indicator.
$n$ = number of the previous three years for which gross income is positive.
- The Standardised Approach
In the Standardised Approach, banks’ activities are divided into 8 business lines given above. Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations and thus the likely scale of operational risk exposure within each of these business lines. The capital charge for each business line is calculated by multiplying gross income by a factor (denoted beta) assigned to that business line. Beta serves as a proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line. It should be noted that in the Standardised Approach gross income is measured for each business line, not the whole institution, i.e. in corporate finance, the indicator is the gross income generated in the corporate finance business line.
Beta factors for different business lines

| Business line | Indicator | Beta factor |
|---|---|---|
| Corporate finance | Gross income | 18% |
| Trading and sales | Gross income | 18% |
| Retail banking | Gross income | 12% |
| Commercial banking | Gross income | 15% |
| Payment and settlement | Gross income | 18% |
| Agency services | Gross income | 15% |
| Asset management | Gross income | 12% |
| Retail brokerage | Gross income | 12% |
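The two charges described above (Basic Indicator Approach and the per-business-line Standardised Approach charge) can be worked through in code. This is an added example, not part of the original notes; the function names and the sample gross income figures are constructed for illustration, and returning zero when no year has positive gross income is an assumption the notes do not cover.

```python
from typing import Dict, Mapping, Sequence

ALPHA = 0.15  # alpha fixed by the Committee, as stated in the notes

# Beta factors per business line, taken from the table in the notes.
BETA: Dict[str, float] = {
    "Corporate finance": 0.18,
    "Trading and sales": 0.18,
    "Retail banking": 0.12,
    "Commercial banking": 0.15,
    "Payment and settlement": 0.18,
    "Agency services": 0.15,
    "Asset management": 0.12,
    "Retail brokerage": 0.12,
}


def bia_charge(gross_income: Sequence[float], alpha: float = ALPHA) -> float:
    """K_BIA = sum(GI * alpha) / n, using only years with positive GI.

    Years with zero or negative gross income are dropped from both the
    sum and the count n, as the definitions of GI and n require.
    """
    positive = [gi for gi in gross_income if gi > 0]
    if not positive:
        # Assumption: the notes do not define the charge when n = 0.
        return 0.0
    return sum(gi * alpha for gi in positive) / len(positive)


def tsa_line_charges(gi_by_line: Mapping[str, float]) -> Dict[str, float]:
    """Per-business-line charge = that line's gross income * its beta."""
    unknown = sorted(set(gi_by_line) - set(BETA))
    if unknown:
        raise ValueError(f"no beta factor for business line(s): {unknown}")
    return {line: gi * BETA[line] for line, gi in gi_by_line.items()}


if __name__ == "__main__":
    # Constructed sample: three years of gross income, one of them negative.
    print("K_BIA:", bia_charge([120.0, -30.0, 180.0]))
    # Constructed sample: one year's gross income split by business line.
    sample = {"Retail banking": 100.0, "Trading and sales": 50.0,
              "Commercial banking": 40.0}
    for line, charge in tsa_line_charges(sample).items():
        print(f"{line}: {charge:.2f}")
```

Note that the negative year lowers n to 2 instead of dragging the average down, which is why the same three-year history can produce a higher charge than a naive mean would.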
- Advanced Measurement Approaches (AMA)
Under the AMA, the regulatory capital requirement will be equal to the risk measure generated by the bank’s internal operational risk measurement system using the quantitative and qualitative criteria for the AMA. Use of the AMA is subject to supervisory approval.
Supervisory approval would be conditional on the bank demonstrating to the satisfaction of the relevant supervisors that the allocation mechanism for these subsidiaries is appropriate and can be supported empirically. The board of directors and senior management of each subsidiary are responsible for conducting their own assessment of the subsidiary’s operational risks and controls and ensuring the subsidiary is adequately capitalised in respect of those risks.
Generic Measurement Approach
Measurement approach implementation begins with operational risk profiling which involves the following:
- Identification and quantification of operational risk
- Prioritization of operational risk and identification of risk concentrations
- Formulation of strategy by the bank for operational risk management and risk based audit.
The estimated levels of operational risk depend on:
(a) Estimated probability of occurrence which is mapped on a scale of 5 which implies
- negligible risk
- low risk
- medium risk
- high risk and
- very high risk.
(b) Estimated potential financial impact: It is also mapped on a scale of 5 as above.
(c) Estimated impact of internal controls: This is estimated as a fraction in relation to total control, which is valued at 100%.
For example if the probability of occurrence is medium i.e. 2, potential financial impact is very high i.e. 4 and impact of internal controls is 50%, the estimated level of operational risk can be worked out as:
Estimated level of operational risk = estimated level of occurrence x estimated potential financial impact x estimated impact of internal controls.
$= [2 \times 4 \times (1 - 0.5)]^{0.5} = 1.73$ or Low.
Risk mitigation
Under the AMA, a bank will be allowed to recognise the risk mitigating impact of insurance in the measures of operational risk used for regulatory minimum capital requirements. The recognition of insurance mitigation will be limited to 20% of the total operational risk capital charge calculated under the AMA. A bank’s ability to take advantage of such risk mitigation will depend on compliance with the following criteria:
- The insurance provider has a minimum claim paying ability rating of A (or equivalent). The insurance policy must have an initial term of no less than one year. For policies with a residual term of less than one year, the bank must make appropriate haircuts reflecting the declining residual term of the policy, up to a full 100% haircut for policies with a residual term of 90 days or less. The insurance policy has a minimum notice period for cancellation of 90 days.
- The insurance policy has no exclusions or limitations triggered by supervisory actions or, in the case of a failed bank, that preclude the bank, receiver or liquidator from recovering for damages suffered or expenses incurred by the bank, except in respect of events occurring after the initiation of receivership or liquidation proceedings in respect of the bank, provided that the insurance policy may exclude any fine, penalty, or punitive damages resulting from supervisory actions.
- The risk mitigation calculations must reflect the bank’s insurance coverage in a manner that is transparent in its relationship to, and consistent with, the actual likelihood and impact of loss used in the bank’s overall determination of its operational risk capital.
- The insurance is provided by a third-party entity. In the case of insurance through captives and affiliates, the exposure has to be laid off to an independent third-party entity, for example through reinsurance, that meets the eligibility criteria.
- The framework for recognising insurance is well reasoned and documented.
- The bank discloses a description of its use of insurance for the purpose of mitigating operational risk.
Scenario analysis
A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events. This approach draws on the knowledge of experienced business managers and risk management experts to derive reasoned assessments of plausible severe losses. For instance, these expert assessments could be expressed as parameters of an assumed statistical loss distribution. In addition, scenario analysis should be used to assess the impact of deviations from the correlation assumptions embedded in the bank’s operational risk measurement framework, in particular, to evaluate potential losses arising from multiple simultaneous operational risk loss events. Over time, such assessments need to be validated and re-assessed through comparison to actual loss experience to ensure their reasonableness.
Business environment and internal control factors
In addition to using loss data, whether actual or scenario-based, a bank’s bank-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile. These factors will make a bank’s risk assessments more forward-looking, more directly reflect the quality of the bank’s control and operating environments, help align capital assessments with risk management objectives, and recognise both improvements and deterioration in operational risk profiles in a more immediate fashion. To qualify for regulatory capital purposes, the use of these factors in a bank’s risk measurement framework must meet the following standards:
- The choice of each factor needs to be justified as a meaningful driver of risk, based on experience and involving the expert judgment of the affected business areas. Whenever possible, the factors should be translatable into quantitative measures that lend themselves to verification.
- The sensitivity of a bank’s risk estimates to changes in the factors and the relative weighting of the various factors need to be well reasoned. In addition to capturing changes in risk due to improvements in risk controls, the framework must also capture potential increases in risk due to greater complexity of activities or increased business volume.
- The framework and each instance of its application, including the supporting rationale for any adjustments to empirical estimates, must be documented and subject to independent review within the bank and by supervisors.
- Over time, the process and the outcomes need to be validated through comparison to actual internal loss experience, relevant external data, and appropriate adjustments made.
Integrated Risk Management (IRM)
IRM stands for management of all risks that are associated with the activities undertaken across the entire organisation. For banks these risks are liquidity risk, interest rate risk, market risk, credit risk and operational risks.
Total risk to an organization is the net effect of all risks associated with the activities of a bank. The net effect of all risks may not be the same as the sum total of all risks, due to the diversification effect of risk. Hence integration implies a coordinated approach (and not an accounting approach) across various activities, taking benefit of the various diversification opportunities that exist or may be created in the bank.
Need for IRM: This approach centralizes the process of supervising risk exposure so that the organization can determine how best to absorb, limit or transfer the risk. The information available with the bank can be analyzed to determine the overall nature of organizational risk exposures including their correlation, dependencies and off-sets. The advantages are:
- It aligns the strategic aspects of risk with day to day operational activities.
- It facilitates greater transparency for investors and regulators
- It enhances revenue and earning growth
- It controls downside risk potential.
Integrated Risk Management Approach
The process of IRM consists of :
(a) strategy — integration of risk management as a key corporate strategy.
(b) organization — establishment of Chief Risk Officer position with accountability to board.
(c) process — identifying, assessing and controlling risk should be common across the banks
(d) systems — risk management systems should be developed to provide information to support the enterprise risk management functions.
Organizational structure : The Board is the apex unit responsible for the entire risk of the bank. Risks are not to be seen in isolation and have to be managed in an integrated manner.
Policies and procedures: These should be developed using a top down approach and consistent with one another.
Risk limits: Such limits assist in maintaining overall exposures at acceptable levels.