The Basel II accord defines operational risk as "the risk of loss resulting from inadequate or failed processes, people and systems or from external events" (Bank for International Settlements, Basel Committee on Banking Supervision, Operational Risk Supporting Documentation to the New Basel Capital Accord (Basel: BIS, 2002), p. 2).
Operational risk covers any event that can have an impact on the operations of the bank and which, in the extreme, can lead to failed internal processes. These failures can result from problems related to staff, technology, fraud, infrastructure, communications, physical security, or internal policies and procedures. It also includes instances where individual staff members fail to disclose potential problems.
Operational risks reflect problems that at first glance are not financial but can lead to great financial losses. For this reason, operational risk management requires the following:
- Operational risk classification;
- Interconnection of operational risk with other types of risk;
- Organization of a risk management function;
- Quantitative models for gauging and quantifying operational risk;
- Analysis of operational effectiveness based on risk factors (RAROC);
- Creation of internal control systems.
Operational risk sources classification
As a rule, operational risk is classified by risk source, so that each source can be controlled and subsequently measured.
The Basel Committee proposes the following classification of operational risk sources:
- Personnel (intentional actions of employees that can harm a company’s activities);
- Processes (errors and incorrect execution of transactions in the implementation of business processes or performance of official duties);
- System (disruption of current activity as a result of failure or unavailability of IT services);
- Environment (attacks or other threats from the external environment that are beyond the company’s direct control).
However, depending on the goals and particularities of different lending organizations, other classifications are also used.
One example is the classification proposed by the American bank Bankers Trust:
- Staff risk (risk associated with employees of a financial institution);
- Technological risk (risk caused by failures of information systems);
- Risk of physical damage (risk arising as a result of natural disasters);
- Risk of relationships (risk reflecting the difficulties of relationships with customers and insufficient internal controls);
- External risk (risk arising as a result of fraudulent actions of third-party organizations).
Note that the risk of inadequate models (the use of incorrect mathematical models for risk assessment) is sometimes treated as a separate category.
Operational risk management
Models based on the Value-at-Risk (VaR) concept and causal models can both be used for operational risk assessment. Analytic monitoring reports are often applied to control operational risks.
The implementation of a comprehensive operational risk management system is a difficult task. It requires great attention to detail and a sufficiently high overall level of automation in the credit organization.
Some of the major components of an operational risk management system are listed below:
1. Implementation and control of activity indicators of the bank’s units and staff:
- Indicators of current activity (number of false transactions, customer claims, staff turnover etc.);
- Indicators of the efficiency of controls (number of corrected operations, number of unconfirmed trades, discrepancies in data reconciliation, unauthorized access to data etc.);
- Risk indicators (derived by matching the indicators of the two groups above).
2. Analysis of income volatility (using the operational Value-at-Risk technique);
3. Development of causal models;
4. Probability analysis and forecast of potential losses.
A bank should develop a system for managing operational risk and evaluate the adequacy of capital given this operational risk system’s outputs. The system should include adequate operational risk management policies outlining the bank’s approach to identifying, assessing, monitoring, controlling and mitigating its operational risks.