Operational Risk Management

Interest in operational risk management is growing as companies fail to manage operational risks. Technology is playing an increasingly important role in assessing companies' risks, and management is committed to improving data management practices so that risks are identified more accurately.

Methods of Operational Risk Management

The Basel Committee on Banking Supervision and various supervisory authorities prescribe a number of Operational Risk Management standards for banks and similar financial institutions.

Complementing these standards, Basel II distinguishes three methods of calculating capital to cover operational risks:

  • Basic Indicator Approach is based on the annual income of a financial institution;
  • Standardized Approach is based on the annual income of each of the business lines of a financial institution;
  • Advanced Measurement Approaches are based on the internal risk assessment infrastructure of the bank in accordance with prescribed standards. These include the Internal Measurement Approach (IMA), the Loss Distribution Approach (LDA) and the Scorecard Approach (SCA).

The risk management infrastructure should include:

  • identification;
  • evaluation;
  • monitoring;
  • reduction of operational risks.

Most operational risks are managed within the departments where they arise. IT professionals are best equipped to deal with systemic risks, back-office staff can provide the necessary information on settlement risks, and so on. However, overall planning, coordination and monitoring should be provided centrally by the operational risk management department. This work should be carried out in cooperation with market and credit risk management within the common ERM infrastructure.

Risk situations can be divided into two major categories:

  • those that happen often and entail moderate losses;
  • those that happen rarely, but entail significant losses.

Accordingly, operational risk management should combine quantitative and qualitative risk assessment methods. For example, settlement errors in a bank's trading operations happen quite regularly, so they can be statistically modeled. Other situations occur less frequently, are irregular in nature and are therefore not amenable to modeling. These include terrorist acts, natural disasters, and trading fraud.

Qualitative methods include:

  • loss reports;
  • managerial supervision;
  • employee interviews;
  • exit interviews to find out the reasons for leaving;
  • self-evaluation of leadership;
  • internal audit.

Examples of operational risks are:

  • technological failures;
  • inadequate storage of documents and records;
  • incompetent management, lack of supervision, reliability and control;
  • errors in financial models and reports;
  • attempts to hide losses or achieve personal gain (fraudulent trading);
  • third party fraud.

Risk Categories

The Basel Committee identified seven main categories of events that lead to losses.

Fraud within the company

Losses associated with fraud, misappropriation of property or non-compliance with laws or regulations within a company, involving at least one internal party.

External fraud

Losses associated with fraud, misappropriation of property or non-compliance with the law by a third party. This includes theft, robbery, hacker attacks and other such factors.

Job and labor safety

Losses related to acts that are contrary to laws or agreements regarding labor, health and safety, resulting in the payment of claims for personal injury or for discrimination.

Customers, products and business practices

Losses associated with an unintentional or negligent mistake in the performance of professional duties for specific customers or in connection with the nature or design of products.

Damage to physical resources

Losses associated with the loss or damage of resources due to natural disasters or other events.

Failures in business and system failures

Losses related to business failures or system failures. This category includes losses in connection with the failure of computer equipment, software, networks or malfunctions in the work of public utilities.

Execution, Delivery and Management of Processes

Losses related to failures in transaction processing or process management, as well as losses caused by unsuccessful relationships with suppliers and manufacturers.

The risk indicators are different from the events that caused the losses. They are not associated with specific losses, but indicate a general level of operational risks. Examples of indicators:

  • the number of additional working hours for the staff;
  • staffing level;
  • daily volume of transactions;
  • the level of staff turnover;
  • system downtime.

From a modeling perspective, the goal is to find links between specific risk indicators and the frequency of events that entail losses. If such connections can be identified, then risk indicators can be used to track periods of increased operational risk.
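The link between risk indicators and loss-event frequency described above can be screened with a simple correlation check. The Python code below is an added example, not part of the original article; the weekly figures, the 0.7 correlation cut-off and the one-standard-deviation alert threshold are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed weekly observations for illustration only (not real data).
INDICATORS = {
    "overtime_hours":     [40, 55, 35, 120, 60, 150, 45, 70, 160, 50],
    "downtime_minutes":   [5, 10, 0, 60, 15, 90, 5, 20, 120, 10],
    "daily_transactions": [1000, 1010, 990, 1005, 995, 1000, 1012, 998, 1003, 1001],
}
LOSS_EVENTS = [1, 2, 0, 6, 2, 8, 1, 3, 11, 1]  # loss events recorded per week


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 if either series is constant."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must have equal length of at least 2")
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


def linked_indicators(indicators, loss_events, min_r=0.7):
    """Return indicators whose correlation with loss frequency is at least min_r."""
    linked = {}
    for name, values in indicators.items():
        r = pearson(values, loss_events)
        if abs(r) >= min_r:
            linked[name] = round(r, 2)
    return linked


def elevated_periods(values, k=1.0):
    """Indexes of periods where the indicator exceeds mean + k standard deviations."""
    threshold = mean(values) + k * pstdev(values)
    return [week for week, v in enumerate(values) if v > threshold]


if __name__ == "__main__":
    for name, r in linked_indicators(INDICATORS, LOSS_EVENTS).items():
        print(f"{name}: r={r}, elevated weeks={elevated_periods(INDICATORS[name])}")
```

A high correlation on a short series only marks an indicator as worth tracking; it does not show that the indicator causes the losses.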

After carrying out an assessment of operational risks (qualitatively or quantitatively), you can proceed to the next stage. The task is to:

  • avoid certain risks,
  • for other risks, try to neutralize their consequences or
  • simply accept some risks as one of the components of doing business.

The advantages of managing operational risks are:

  • reduction of operational losses;
  • reduction of audit costs and compliance with regulatory requirements;
  • detection of illegal activities;
  • decrease in exposure to future risks.