Operational risk (OR) has not been a well-defined concept. It refers to various
potential failures in the operation of the firm, unrelated to uncertainties with regard
to the demand function for the products and services of the firm. These failures can
stem from a computer breakdown, a bug in a major piece of computer software, an error of
a decision maker in special situations, etc. The academic literature generally relates
operational risk to operational leverage (i.e. to the shape of the production cost
function) and in particular to the relationship between fixed and variable cost.
OR is a fuzzy concept since it is often hard to make a clear-cut distinction between
OR and ‘normal’ uncertainties faced by the organization in its daily operations. For
example, if a client failed to pay back a loan, is it then due to ‘normal’ credit risk, or
to a human error by the loan officers, who should have been better acquainted with all the
information concerning the client and should have declined to approve the loan? Usually all
credit-related uncertainties are classified as part of business risk. However, if the
loan officer approved a loan against the bank’s guidelines, and maybe he was even
given a bribe, this will be classified as an OR.
Therefore the management of a bank should first define what is included in OR. In
other words, the typology of OR must be clearly articulated and codified. A key
problem lies in quantifying operational risk. For example, how can one quantify the
risk of a computer breakdown? The risk is a product of the probability and the cost
of a computer breakdown. Often OR is in the form of discrete events that don’t occur
frequently. Therefore, a computer breakdown today (e.g. a network related failure) is
different in both probability and the size of the damage from a computer breakdown
10 years ago. How can we quantify the damage of a computer failure? What historical
event can we use in order to make a rational assessment?
The problems in assessing OR do not imply that it should be ignored and
neglected. On the contrary, management should pay a lot of attention to understanding
OR and its potential sources in the organization precisely because it is hard to
quantify OR. Possible events or scenarios leading to OR should be analyzed. In the
next section we define OR and discuss its typology. In some cases OR can be insured
or hedged. For example, computer hardware problems can be insured or the bank
can have a backup system. Given the price of insurance or the cost of hedging risks,
a question arises concerning the economic rationale of removing the risks. There is
the economic issue of assessing the potential loss against the certain insurance cost
for each OR event.
Regulators require a minimum amount of regulatory capital for price risk in the
trading book (BIS 98) and credit risk in the banking book (BIS 88), but there are
currently no formal capital requirements against operational risk. Nevertheless, the
1999 Basel conceptual paper on a comprehensive framework for arriving at the
minimum required regulatory capital includes a requirement for capital to be allocated
against operational risk. Previous chapters of the book are devoted to the
challenges associated with capital allocation for credit and market risk. This chapter
examines the challenges associated with the allocation of capital for OR.
In this chapter we look at how to meet these present and future challenges by
constructing a framework for operational risk control. After explaining what we think
of as a key underlying rule – the control functions of a bank need to be carefully
harmonized – we examine the typology of operational risk. We describe four key steps
in implementing bank operational risk, and highlight some means of risk reduction.
Finally, we look at how a bank can extract value from enhanced operational risk
management by improving its capital attribution methodologies.
Failure to identify an operational risk, or to defuse it in a timely manner, can
translate into a huge loss. Most notoriously, the actions of a single trader at Barings
Bank (who was able to take extremely risky positions in a market without authority
or detection) led to losses ($1.5 billion) that brought about the liquidation of the
bank.
The Bank of England report on Barings revealed some lessons about operational
risk. First, management teams have the duty to understand fully the businesses
they manage. Second, responsibility for each business activity has to be clearly
established and communicated. Third, relevant internal controls, including independent
risk management, must be established for all business activities. Fourth,
top management and the Audit Committee must ensure that significant weaknesses
are resolved quickly.
Looking to the future, banks are becoming aware that technology is a double-edged
sword. The increasing complexity of instruments and information systems
increases the potential for operational risk. Unfamiliarity with instruments may lead
to their misuse, and raise the chances of mispricing and wrong hedging; errors in
data feeds may also distort the bank’s assessment of its risks. At the same time,
advanced analytical techniques combined with sophisticated computer technology
create new ways to add value to operational risk management.
The British Bankers’ Association (BBA) and Coopers & Lybrand conducted a survey
among the BBA’s members during February and March 1997. The results reflect the
views of risk directors and managers and senior bank management in 45 of the
BBA’s members (covering a broad spectrum of the banking industry in the UK). The
survey gives a good picture of how banks are currently managing operational risk
and how they are responding to it. Section I of the report indicated that many banks
have some way to go to formalize their approach in terms of policies and generally
accepted definitions. They pointed out that it is difficult for banks to manage
operational risk on a consistent basis without an appropriate framework in place.
Section II of the report indicated that experience shows that it is all too easy for
different parts of a bank inadvertently to duplicate their efforts in tackling operational
risk or for such risks to fall through gaps because no one has been made responsible
for them. Section III of the report revealed that modeling operational risk generates
the most interest of all operational risk topic areas. However, the survey results
suggest that banks have not managed to progress very far in terms of arriving at
generally accepted models for operations risk. The report emphasized that this may
well be because they do not have the relevant data. The survey also revealed that
data collection is an area that banks will be focusing on. Section IV revealed that
more than 67% of banks thought that operational risk was as (or more) significant
as either market or credit risk and that 24% of banks had experienced losses of more
than £1 million in the last 3 years. Section VI revealed that the percentage of banks
that use internal audit recommendations as the basis of their response to operational
risk may appear high, but we suspect this is only in relation to operational risk
identified by internal audit rather than all operational risks. Section VII revealed that
almost half the banks were satisfied with their present approach to operational risk.
However, the report pointed out that there is no complacency among the banks.
Further, a majority of them expect to make changes in their approach in the next 2
years.
For reasons that we discuss towards the end of the chapter, it is important that
the financial industry develop a consistent approach to operational risk. We believe
that our approach is in line with the findings of a recent working group of the Basel
committee in autumn 1998 as well as with the 20 best-practice recommendations
on derivative risk management put forward in the seminal Group of Thirty (G30)
report in 1993 (see Appendix 1).