Introduction to Operational Risk

• There are many ways operational risk can be defined. It is sometimes defined very broadly as any risk that is not a market risk or credit risk. A much narrower definition is that – it consists of risks arising from operational mistakes, including the risk that a bank transaction is processed incorrectly, but excluding the risk of fraud, cyberattacks, or damage to physical assets.
• Operational risk has been defined by the Basel Committee as – ” The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.“
• The International Association of Insurance Supervisors defines operational risk similarly as – “The risk of adverse change in the value of capital resources resulting from operational events such as inadequacy or failure of internal systems, personnel, procedures or controls, as well as external events.”
• These definitions include the risks arising from computer hacking, fines from regulatory agencies, litigation, rogue traders, terrorism, systems failures, and so on. However, they do not  include strategic risks or reputational risks.

Categories of Operational Risk

• According to Basel committee, operational risk can be categorized into following seven categories –
  1. Internal fraud – Acts intended to defraud, misappropriate property, or circumvent regulations, the law, or company policy involving at least one internal party. Examples include intentional misreporting of positions, employee theft, and insider trading.
  2. External fraud – Acts, by a third party, intended to defraud, misappropriate property, or circumvent the law. For example, robbery, forgery, check kiting, and computer hacking.
  3. Employment practices and work-place safety – Acts inconsistent with employment, health or safety laws or agreements, or which result in payment of personal injury claims, or claims relating to diversity or discrimination issues. For example, workers compensation claims, violation of employee health and safety rules, discrimination claims.
  4. Clients, products, and business practices – Unintentional or negligent failure to meet a professional obligation to clients and the use of inappropriate products or business practices. For example, fiduciary breaches, misuse of confidential customer information, money laundering, and the sale of unauthorized products.
  5. Damage to physical assets – Loss or damage to physical assets from natural disasters or other events. For example, terrorism, vandalism, earthquakes, fires, and floods.
  6. Business disruption and system failures – For example, hardware and software failures, utility outages, and telecommunication problems.
  7. Execution, delivery, and process management – Failed transaction processing or process management, and disputes with trade counterparties and vendors. For example, data entry errors, collateral management failures, incomplete legal documentation.

Large Risks – Cyber Risks

• The advancement of credit and debit cards, online banking, mobile wallets, electronic funds transfers, and similar technologies has been advantageous for both financial institutions and their clients. However, these innovations have also opened doors to cybercrime.
• Cyber crime includes various illicit activities, including the theft of money, intellectual property, personal and financial data, and more. These crimes may involve actions like data destruction, embezzlement, and fraud. Notably, large corporations face persistent cyberattacks, with an increasing number of successful breaches each year. Additionally, there could be numerous successful attacks that go unreported.
• Cyber threats can come in in various forms, including individual hackers, nation-states, organized crime, and even insiders. Consequently, defensive measures such as user account controls, encryption, intrusion detection software, and firewalls must be developed to counteract these threats.
• One of the notable examples is Yahoo. The details along with the financial consequences are given below-Companies need to acknowledge the reality that, despite the implementation of highly advanced defenses, the risk of falling victim to a cyberattack always exists. Therefore, alongside preventive measures, it is crucial to focus on managing the aftermath when a company’s cyber defenses are compromised. Companies should have readily deployable plans to address attacks of varying degrees of severity. In certain cases, an extreme response to an attack, such as temporarily suspending the acceptance of new transactions, may become necessary.

• • The first breach, disclosed in September 2016, had taken place in late 2014, impacting more than 500 million Yahoo! user accounts. A separate breach, occurring earlier in August 2013, was reported in December 2016. Initially thought to affect over 1 billion user accounts, Yahoo! later confirmed in October 2017 that all 3 billion user accounts were compromised. These data breaches that compromised information of users such as names, email addresses, telephone numbers, security questions and answers, dates of birth, and passwords.
  • This resulted in a 3% drop in its stock price the day after the breach was revealed, resulting in a $1.3 billion loss in market capitalization. The stock fell further after that.
  • A $35 million penalty from the Securities and Exchange Commission (SEC) for misleading the public and failing to promptly notify customers about the breach.
  • Settlement charges of $85 million to cover damages, along with the obligation to provide free credit monitoring services to over 200 million customers.
  • Legal expenses totaling $35 million and an additional $16 million related to the cyber incident.
  • Further expenses of $11 million for legal costs, investigations conducted by five state and federal agencies, and 44 class action lawsuits.

Large Risks – Compliance Risks

• Compliance risk is the risk that an organization may face fines or penalties due to its intentional or unintentional failure to adhere to industry regulations, internal policies, or established best practices. Examples of compliance risk include money laundering, aiding clients in tax evasion, and supporting terrorist financing, all of which can result in substantial penalties.
• Notable instances of compliance risk include:
  • Volkswagen’s Emissions Scandal (USD 2.8 Billion Fine): Volkswagen failed to comply with U.S. emissions standards by using deceptive methods during emissions testing. This violation led to a substantial fine of approximately USD 2.8 billion.
  • HSBC’s Anti-Money Laundering Lapses (USD 1.9 Billion Penalty): HSBC faced a USD 1.9 billion penalty in 2012 for its failure to implement anti-money laundering programs at its Mexican branches. This allowed Mexican drug traffickers to deposit large sums of illicit money in cash. HSBC reached a deferred prosecution agreement with the U.S. Department of Justice, involving a significant fine and the appointment of an independent compliance monitor.
  • BNP Paribas’ Sanctions Violation (USD 8.9 Billion Penalty): In 2014, BNP Paribas agreed to pay USD 8.9 billion (equivalent to one year’s profit) to the U.S. government for facilitating dollar-denominated transactions on behalf of Sudanese, Iranian, and Cuban parties. These transactions occurred despite U.S. economic sanctions against these countries. In addition to the fine, BNP Paribas faced restrictions on certain U.S. transactions for a year.
•  Regulatory violations, even if they stem from a small portion of a large organization’s global operations, can result in substantial costs, including fines and reputational damage. Financial institutions must establish robust systems to ensure compliance with all relevant laws and regulations. Technology solutions, such as real-time detection systems for suspicious account activity and fund transfers, can play a crucial role in achieving compliance.

Large Risks – Rogue Trader

• The risk of rogue trading has been dramatized in the various finance movies over the last decade or so. Rogue trading is essentially the risk that a company faces when an employee engages in unauthorized actions or trades that result in significant losses. Notable instances include
  • Nick Leeson, a trader at Barings Bank, whose unauthorized trading activities led to a staggering loss of USD 1 billion, ultimately causing the bank’s collapse in 1995.
  • Jerome Kerviel, another trader, incurred losses of EUR 4.9 billion due to his unauthorized trading activities, impacting Société Générale. Some such cases have been discussed in the 1st module (Foundations of Risk Management) of the FRM Part 1 curriculum.
• To safeguard against rogue trading, one measure a bank can take is to ensure complete independence between the front office (responsible for trading) and the back office (responsible for transaction verification and record-keeping).
• A more complex issue arises when dealing with unauthorized trading discoveries. When a trader engages in unauthorized trading and incurs losses, there are typically adverse consequences for the trader. However, complications arise when the trader generates substantial profits through significant unauthorized risks. In such cases, there may be a temptation within the company to overlook the violations. Nevertheless, this short-term approach can foster a culture where risk limits are not taken seriously, ultimately setting the stage for potential disaster.

Basel II Regulations

• The Basel Committee on Banking Supervision (BCBS) is responsible for developing global regulations, which are subsequently implemented by bank supervisors in each member country. In 1999, an initial draft of what would later become Basel II was introduced. This draft aimed to revise credit risk capital calculation methods and included an unexpected element: the intention to mandate banks to hold capital specifically for operational risk, in addition to the capital already designated for market risk and credit risk.
• While risk managers found it challenging to quantify operational risk, the Basel Committee acknowledged that numerous significant losses suffered by banks were attributable to operational risk rather than market or credit risk. Despite the difficulties in precise quantification, the committee stressed the importance of banks allocating additional resources to manage operational risk.
• The final Basel II rules for banks had three approaches:
  • The basic indicator approach,
  • The standardized approach, and
  • The advanced measurement approach (AMA).

• Banks initially adopted the basic indicator approach, then moved to the standardized approach after meeting specific criteria. To qualify for the advanced measurement approach (AMA), they had to fulfill additional, more complex criteria.
• In the basic indicator approach, operational risk capital is set equal to 15% of the three-year average annual gross income. Gross income is defined as:

Gross Income = Interest earned-interest paid + non-interest income

• The standardized approach is like the basic indicator approach, but it involves individual calculations for each business line with varying percentage rates applied to gross income across these lines, as per this table.

Business Line	Capital (% of Gross Income)
Corporate finance	18%
Trading and sales	18%
Retail banking	12%
Commercial banking	15%
Payment and settlement	18%
Agency services	15%
Asset management	12%
Retail brokerage	12%

• The Advanced Measurement Approach (AMA) in Basel II is notably more complex compared to the other two methods. Banks must handle operational risk similarly to credit risk, setting capital at the 99.9th percentile of the loss distribution minus the anticipated operational loss. This model can be depicted as shown in the figure.
• In the AMA approach, banks must consider all possible combinations of the eight (8) business lines outlined in the table under the standardized approach and the seven (7) operational risk categories. For each of the 56 (=7×8) combinations, they are tasked with estimating the 〖99.9〗^th percentile of the loss. These individual estimates are then combined to calculate the overall capital requirement.

Revision to Basel II – 

• The AMA method effectively raised awareness of operational risks among financial institutions. However, regulators found it problematic due to significant variations in the capital requirements calculated by different banks. Two banks provided with the same data could arrive at substantially different capital requirements when using the AMA method.
• As a result, in March 2016, the Basel Committee announced its intention to replace all prior methods for determining operational risk capital with the standardized measurement approach (SMA).

Standardized Measurement Approach (SMA)

• The SMA introduces the Business Indicator (BI), which is similar to gross income but provides a more relevant measure of bank size. For example, items that reduce gross income, such as trading losses and operating expenses, are treated differently, causing BI to increase.
• The BI Component for a bank is derived from the BI using a piecewise linear relationship. Subsequently, a loss component is computed as follows:

7X + 7Y + 5Z

where,

X is average of all losses from operational risk over past 10 years,

Y is average of losses greater than EUR 10 million from operational risk over past 10 years,

Z is average of losses greater than EUR 100 million from operational risk over past 10 years.

• These calculations are structured in a way that ensures the loss component and the BI Component are equivalent for an average bank. The Basel Committee furnishes a formula for computing the required capital based on the loss and the BI component.

Determining the Loss Distribution – LOSS FREQUENCY

• Economic capital calculations require a distribution, like that in figure discussed is AMA approach, for multiple categories of operational risk losses and their collective outcomes.
• The key determinants of an operational risk loss distribution are –
  • Average Loss Frequency
  • Loss Severity

Determining the Loss Distribution – Loss Frequency

• The Average Loss Frequency is the average number of times in a year that large losses occur. Loss frequency is frequently modeled using a Poisson distribution. When the expected number of losses in a year is denoted as λ, the Poisson distribution calculates the probability of n losses happening during the year with the formula –

• The parameter λ is equal to the average number of losses in each time period. If, 20 losses occur over 4 years, then average number of losses per year (λ) will be equal to –

λ = 20/4 = 5

• The probability that there will be exactly 3 losses over a period of 1 year can be calculated as –

\[
P(3) = \frac{e^{-5} \times 5^3}{3!} = 0.1404 = 14.04\%
\]

Determining the Loss Distribution – Loss Severity

• Loss Severity is the probability distribution of the size of each loss. The parameters of mean and standard deviation for loss severity are often modeled using a lognormal distribution.
• Suppose the mean and standard deviation of the loss size are estimated to be μ and σ, respectively. Also, suppose the mean of the logarithm of the loss size is μ_1 and variance of the logarithm of the loss size is σ_1^2. Then, under the lognormal assumption,
•  

 where, w = σ/μ²

• Suppose the mean and standard deviation of the loss size are estimated (in USD million) as 70 and 28, then, w=(28/70)^2=0.16

The logarithm of the loss size therefore has a mean and variance of –

\[
\mu_1 = \ln \left( \frac{70}{\sqrt{1.16}} \right) = 4.17, \quad \sigma_1^2 = \ln (1 + 0.16) = 0.148
\]

Determining the Loss Distribution – Monte Carlo Simulation

• Once λ, μ and σ have been estimated, a Monte Carlo simulation can be used to determine the probability distribution of the loss. The general approach is illustrated in the figure below.

• The steps in the procedure are as follows –
  • Step 1 – Sample from the Poisson distribution to determine the number of loss events(n)in a year. For example, the percentile of the Poisson distribution can be sampled as a random number between 0 and 1.
  • Step 2 – Sample n times from the lognormal distribution of the loss size for each of the n loss events.
  • Step 3 – Sum the n loss sizes to determine the total loss.
  • Step 4 – Repeat steps 1 to 3 many times.

• Suppose that the average loss frequency (λ) is 5 and the
  random number sampled is 0.39. This corresponds
  to four loss events. This can be
  shown as follows –
  • P⁡(Losses≤3)=0.265
  • P⁡(Losses≤4)=0.440
    The sampled number 0.39 lies between these twocumulative probabilities.

• Suppose the loss size has mean 70 and standard deviation28. The mean and variance of the logarithm of loss size
  has already been found previously as 4.17 and 0.148.
• For step 2, sampling is done four times from a normal distribution with mean 4.17 and variance 0.148. If the numbers sampled are 3.9, 4.7, 5.3, and 4.11, the three losses are

e^3.9  = 49.40

e^4.7=109.95

e^5.3  = 200.34

e^4.1  = 60.34

• Step 3 gives the total loss on that simulation trial of 305.81 ( = 60.34 + 164.02 + 81.45).

49.40+109.95+200.34+60.34=420.03

• By conducting numerous Monte Carlo simulation trials like this, a probability distribution for the total loss is obtained, from which the required percentile can be calculated.

Data Issues – Estimation Procedures

• Due to the scarcity of historical data on operational risk losses, determining loss frequency and severity for a specific category of losses can be challenging, and hence it involves a blend of data and subjective judgment.
• Loss frequency can be derived either from a bank’s internal data or assessed subjectively by operational risk professionals, taking into account existing controls.
• In cases where loss severity cannot be estimated from a financial institution’s own data, the losses incurred by other financial institutions may serve as a reference. Mechanisms for sharing loss data among banks have been established. Moreover, data vendor services like Factiva and Lexis-Nexis can be valuable in providing information on publicly reported losses experienced by other banks.

Data Issues – Potential Biases

• Data obtained from data vendors may be biased as they typically report only large losses. Utilizing vendor data directly to establish the loss severity distribution may result in a bias toward larger losses.
• To mitigate this bias, using the data solely for determining relative loss severity is advisable. For instance, if vendor data suggests that Loss Type A (for which the bank lacks data) is, on average, half as severe as Loss Type B (for which the bank has data), the bank can assume that the mean loss for Loss Type A is half the calculated mean loss using its own data for Loss Type B.
• Another potential bias relates to the magnitude of losses.
• Suppose Bank X has revenue of USD 15 billion and undergoes a loss of USD 250 million. Meanwhile, Bank Y, with revenues of USD 7.5 billion, references this loss event to gauge the potential severity of a similar loss it might face. It’s improbable that Bank Y’s loss would reach the magnitude of USD 250 million, given its smaller size compared to Bank X. However, just because revenue of Bank Y is half of that of revenue of X, estimating its loss to be merely half of Bank X’s may be overly optimistic. The relationship can be
  approximated as –

• It is estimated that β=0.23 gives a good fit. The loss for Bank A in the previous example would therefore be –

or USD 256 million.

• It is also important to adjust loss severity estimates for inflation. A loss of a certain size observed ten years ago can be expected to be larger if the same set of circumstances repeat themselves.

Scenario Analysis

• Financial institutions utilize scenario analysis to estimate the frequency and severity of losses, especially for events with low frequency but high severity, which are critical determinants of the extreme tails of the loss distribution. This method involves listing and creating scenarios for these events, drawing from the institution’s experience, other banks’ known experiences, and hypothetical scenarios crafted by risk management professionals and consultants. Loss frequency and severity estimates are made for each scenario, and Monte Carlo simulations are employed to establish a probability distribution for total losses across various loss categories. The loss frequency estimate takes into account the controls in place and the nature of the business at the financial institution.
• Estimating the probability of rare events poses challenges. One approach is to categorize events and have operational risk experts assign each loss to a specific category, such as scenarios occurring once every 1,000 years (𝜆=0.001), once every 100 years (𝜆=0.01), and so forth.

• So overall, scenario analysis involves evaluating losses not yet experienced by a financial institution but potentially occurring in the future. Managerial judgment is applied to assess loss frequency and severity, fostering discussions on how these events may unfold. This analysis aids in forming strategies to respond to a loss event and minimizing the probability of its occurrence.

Risk Control and Self-Assessment

• Risk Control and Self Assessment (RCSA) serves as a method for financial institutions to comprehend operational risks and instill awareness of these risks among employees. Line managers and their teams are tasked with identifying various risk exposures, encompassing both historical losses and potential future risks. Some RCSA approaches include –
  • interviewing line managers and their staff
  • asking line managers to complete risk questionnaires
  • reviewing risk incident history with line managers
  • reviewing third-party reports such as those of auditors, regulators, and consultants
  • eviewing reports of the experiences of similar managers in other companies
  • using of suggestion boxes and intranet reporting portals
  • implementation of a ‘whistle blowing’ process to encourage the reporting of risk issues
  • carrying out brainstorming in a workshop environment
• The evaluation process should be conducted regularly, quantifying the frequency and severity of loss events. While some losses are inevitable in business, the RCSA facilitates enhancements by diminishing the frequency, severity, or both for certain events.

Key Risk Indicators

• Gaining insight into the risks encountered by line managers can result in the creation of key risk indicators (KRIs). These are specific data points that signal an increased likelihood of operational risk losses in particular areas. In certain instances, corrective measures can be implemented proactively. Basic examples of KRIs include metrics related to –
  
  • Staff turnover
  • Failed transactions
  • Positions filled by temps
  • Unfilled positions
• Effectively utilizing these indicators requires monitoring their changes over time to identify unusual behavior. Some KRIs are more subtle; for instance, an employee’s reluctance to take vacations could signal potential unauthorized trading or embezzlement. Employing tools like surveillance software to detect abnormal email or phone activity indicating unlawful or unethical behavior can be valuable.

Education

• Employee education plays a crucial role in mitigating operational risk, particularly in compliance, where substantial losses can occur. Instilling awareness among employees about unacceptable business practices and fostering a culture that deems such practices unacceptable is vital.
• Legal disputes are an unfortunate inevitability in business. In such disputes, where an organization is being sued, all relevant internal communications must be disclosed, potentially leading to embarrassment. Therefore, the in-house legal department in a financial institution must remind employees to exercise caution in written emails and recorded phone calls.
• Prior to communicating through emails or recorded phone calls, employees should always contemplate whether they would be comfortable if the communication were to become public knowledge.

Allocation of Economic Capital

• Business units receive an allocation of economic capital to facilitate the calculation of return on capital, similar to the procedure used for credit risk capital allocation.
• Allocating operational risk capital creates an incentive for business unit managers to minimize operational risk. If a manager successfully demonstrates a reduction in either loss frequency or severity, the business unit receives a lower capital allocation. This improves the unit’s return on capital, potentially leading to a larger bonus for the manager. This allocation process aims to sensitize managers to the significance of operational risk.
• However, it is not always optimal to reduce operational risk. In any business unit, a certain level of operational risk is inevitable, and decisions to decrease operational risk by increasing operating costs should be justified through a cost-benefit analysis.

Power Law

• Economic capital is often calculated with high confidence levels, and in certain probability distributions, the power law is observed. If v is the value of a random variable and x is a high value of v, then the power law holds it is approximately true that –

where,

Pr⁡ denotes probability, and K and α are parameters.

• The power law, describes the fatness of the right tail of the probability distribution of 𝑣. Parameters 𝐾 and 𝛼, dependent on the variable, determine the scale and fatness of the right tail, respectively. A decrease in 𝛼 leads to a fatter tail.
• Broadly speaking, the power law is applicable to probability distributions of random variables resulting from the aggregation of numerous independent random effects.
• Operational risk losses can follow the power law, proving beneficial in specific circumstances. For instance, assuming estimated values 𝐾 and 𝛼 are 8,000 and 4 (respectively), the power law equation can be utilized to estimate the 99.5 percentile of the loss distribution (in USD millions) by solving for 𝑥:

\[
P(v > x) = 0.005 \quad \text{(as 99.5 percentile of the loss distribution is being estimated)}
\]

\[
0.005 = 8000 \times x^{-4} \quad \Rightarrow \quad \ln(0.005) = \ln(8000) – 4 \ln(x)
\]

\[
\Rightarrow \ln(x) = 3.571 \quad \Rightarrow \quad x = e^{3.571} \approx 35.566
\]

Note – The above equation could have also been easily solved without taking ln on both sides.

• Another application of Power Law –
  
  As in the previous example, assuming estimated values 𝐾 and 𝛼 are 8,000 and 4 (respectively), the probability of the loss exceeding 20 million can be calculated as
  P⁡(v>20)≈8000〖×20〗^(-4)=0.05
  i,.e., only 5 percent of the time, the loss of 20 million will be exceeded, or simply, 20 million is the 95th percentile of the loss.

Insurance

• Numerous operational risks are insurable, but operational risk managers must thoroughly assess the justifiability of insurance costs. The SMA, which evaluates operational risk, considers the frequency and magnitude of losses incurred in the past ten years. Insuring against losses not only diminishes their severity but also lowers capital requirements.
• To comprehend how insurance companies perceive operational risk, it is essential to examine two primary risks they encounter –
  • Moral Hazard
  • Adverse Selection

Moral Hazard

• Moral hazard refers to the risk that the presence of an insurance contract might encourage the insured entity to engage in behavior that increases the likelihood of a loss.
• For instance, consider the moral hazard associated with rogue trader losses. If a bank is insured against such losses, there is a concern that traders may take significant unauthorized risks. If the outcome is profitable, the bank benefits, but if a loss occurs, a claim is filed with the insurance company.
• To manage moral hazard, insurance companies establish clear trading limits and often insist that policies remain undisclosed to traders. Losses are thoroughly investigated, and failure to adhere to insurance requirements may result in the forfeiture of payouts.
• Insurance companies employ deductibles, making financial institutions responsible for the initial portion of any loss, and may include a co-insurance provision where the insurance company covers only a percentage of the loss. There is always a cap on the total payout amount, and insurance premiums may rise following a loss.

Adverse Selection

• Adverse selection poses the challenge of an insurance company distinguishing between low-risk and high-risk situations. If uniform premiums are charged for a specific risk type across all financial institutions, it tends to attract clients with the highest risk.
• For instance, offering the same insurance premiums to all banks for rogue trader losses may lead banks with weaker internal controls to purchase more insurance, while those with robust internal controls might find the cost prohibitive and opt for less insurance.
• To address adverse selection, insurance companies conduct thorough research on potential customers before providing quotes. In the context of rogue trader insurance, a financial institution must demonstrate to the insurance company that it has effective risk controls in place to qualify for coverage.