The document discusses operational risk within the financial services industry and the Bank's operational risk management framework. It describes how the Bank identifies and manages operational risks through processes like risk control self-assessments and collecting operational loss event data. It provides an influence diagram showing factors that could lead to human errors in the Bank's risk management department. It also briefly compares sources of operational risk across different industries like transportation, focusing on factors like reputational, financial, and legal losses.

1. 1"
Operational+Risk:+
Helios+Padilla+Mayer,+February+21,+2012+
+
1.+Operational+Risk+within+financial+institution+
The" Bank" provides" a" range" of" collective" portfolio" management" services" for" UCITS" IV"
regulated"funds1"in"Luxembourg."The Risk Manager (my role) provides the risk management process for all
UCITS within the Bank. UCITS"are"subject"to"certain"operational"risks"that"can"materialize"into"capital'
losses" or" poor' investment' performance." Operational" risks" are" related" to" the" different( features( and(
quality(of(the(trading,(settlement(and(valuation(procedures(operated(by(the(Companies,"which"may"increase"
the" chances" of" losses" due" to" human" or" technical" errors." Figure" 1" displays" an" Operational" Risk"
Management"Framework"for"the"Bank.""
"Operational"risks"are"managed"through"the"processes"named"Risk"Control"Self"Assessment"
(“RCSA”)" Programme." The" Bank" mandates" a" RCSA." Each" Department," within" the" Bank" at" a" frequency"
reviewed" annually" by"the" Corporate" Risk" Management," must" complete" or" update" an" RCSA." The" RCSA"
identifies"each"key"process"undertaken"by"the"department,"together"with"related"Activities,"Risks"and"
Controls" (“PARC”)." Risks" and" Controls" are" then" assessed" by" the" business" unit," assigning" Impact" and"
Likelihood"scores"to"Risk"scores"(1S10"rating),"and"Effectiveness"ratings"to"Control"scores"(1S10"rating)."
Risk" and" Control" are" derived" for" each" Activity" and" (rollSup)" Process" and" compared" to" preSdefined"
thresholds" to" determine" the" relative" level" of" risk" and" control" in" each" Process." Certain" defined"
combinations"of"Risk"Score"and"Control"Score"trigger"Required"or"Recommended"Action"Plans."Required"
Action"Plans"must"be"formally"documented"with"actions"to"be"taken,"target"dates"and"assigned"owners."
Open"Action"Plans"are"tracked"to"completion."All"documentation"of"RCSAs"is"maintained"on"the"Bank’s"
OpVaR" system" (except" first" time" Initial" Assessments" which" are" completed" on" spreadsheets);" OpVaR"
requires" that" each"assessment" has" an"assigned"Assessor," Reviewer" and" Approver" –" Corporate"Risk"&"
Compliance"undertakes"the"Reviewer"role."
The"Bank"collects"operational'loss'event'data"to"monitor'operational'risk'exposure."Each"
Department" prepares" the" necessary" documentation" for" approval" of" loss" payments" to" client" accounts"
(processed"independently"by"Operations),"and"ensure"completion"of"the"ASL"Form"on"the"EMEA"Loss"
Database" (all" losses" above" $250)." The" Operations" &" Technology" Risk" reconciles" the" Loss" Database"
monthly"and"also"ensures"losses"above"$5000"are"entered"and"approved"on"the"Corporate"Loss"Event"
Database"(OpVaR)."In"addition,"operational"risk"within"the"front"office"trading"functions"are"monitored"
through"frequent"reporting"and"covered"during"the"periodic"due"diligence"reviews"on"delegated"functions."
Reports"included"also"main"Key+Risk+Indicators"related"to"operational"risk:"
-! Review"of"material"Net"Asset"Value"(NAV)"errors"noted"during"the"period"of"the"report;"
1
UCITS"(Undertaking"for"Collective"Investment"in"Transferable"Securities)"IV"directive"sets"a"regulatory"
framework"for"the"EU"Investment"Fund"Industry,"with"emphasis"on"funds"domiciled"in"Luxembourg.""

2. 2"
-! Review"of"the"reconciling"items"between"the"Custody"Department"and"the"Fund"Accounting"
Department,"such"as"report"holding"and"cash"reconciling"items;"
-! Review" of" the" reconciling"items" between" the" Fund" Accounting" Department" and" Transfer"
Agency"Department,"noted"during"the"period"of"the"report"unit"reconciling"items;"""
-! Review"of"the"settlement"risk"of"the"failed"trades"noted"by"the"Custody"Department;"and"
-! Review"of"the"issues"related"to"late"trading"market"timing."
The"operational'risks'material'to'the'UCITS"are:"
-! Valuation"risk""S"a"holding"in"the"UCITS"may"be"valued"incorrectly,"as"some"prices"may"be"
uncertain"at"a"point"in"time;"
-! Settlement"risk"–"an"expected"payment"for,"or"delivery"securities"may"not"occur"on"time"or"
at"all;"
-! Regulatory"risk"–"the"UCITS"may"be"affected"by"changes"in"economic"and"market"condition"
due"to"political"developments"and"changes"in"government"policies;"
-! Dependence"on"the"investment"manager"–"the"success"of"UCITS"depends"upon"the"abilities"
of" investment" manager" to" develop," implement" and" maintain" adequate" and" effective"
operational"processes."
The"Bank’s"Risk"Management"Function,"through"regular'due'diligence,"reviews"the"adequacy"
and"effectiveness"of"the"operational"processes"at"investment"manager"level."As"part"of"the"onSgoing"risk"
profiling"of"the"Funds,"the"Risk"Management"Function"obtains'copies'of'relevant'control'reports;"this"is"
also"covered"as"part"of"the"periodic"due"diligence"reviews."The"frequency"and"severity"of"operational"risk"
events"is"minimal"due"to"strict"and"regularly"performed"due"diligence"controls.""
Furthermore,"Business'Continuity'Plans"of"the"investment"managers"are"reviewed"as"part"
of" the" due" diligence." The" Bank’s" Corporate" Compliance" Designate" serves" as" the" Business" Continuity"
Coordinator"for"the"Bank"This"role"involves"acting"as"a"contact"for"Global"Business"Continuity"Recovery"
Services"(“GBCRS”)"in"its"communication"of"policy"and"practical"requirements"to"the"Bank,"as"well"as"
facilitating"the"business"in"the"completion"of"a"number"of"tasks"mandated"by"Corporate"Policies"and"best"
practice," including" annual/periodic" update" of" Business" Continuity" Plans," annual" offsite/alternate"
workspace"test"and"periodic"simulations."
"
"
"
"

3. 3"
Figure"1:"The"Bank’s"Operational"Risk"Management"Framework"
"
Mean"
Expected"Loss" Unexpected"Loss"
Operational"Risk"Modeling"Process"
Loss"Event" " " " Risk"and"Control"" " Scenario""
Data"Program" " " " Self"Assessment" " " Analysis"
Fiduciary"Risk"
Management"
Insurance"
Business"
Continuity"
Recovery"
Process"
Product"and"
Process"Risk"
Review"
Outsourcing"
Risk"
Management"
Business"
Process"
Transition"Risk"
Management"
Operations"
Concentration"
Risk"
Management"
Technology"
Risk"
Management"
Market"Risk"
Management"
Metrics"
Reporting"

4. 4"
"
"
2.##Influence#Diagram#for#human#errors#in#the#Bank#
An" Influence( Diagram" is" used" to" measure" different" operational" risks," including" human"
error" risks." It" is" based" on" Bayesian" conditional" probability" theory" and" allows" quantifying decision
options and preferences in order to select the optimal decision policy. The" diagram" represents" an"
interaction"of"different"factors"that"together"cause"an"incident.""Figure"2"resents"a"simplified"Influence"
Diagram"at"my"division"(Risk"Management)."Our"Bank"provides"global"fund"asset"management"services,"
among"them"also" monitoring"and"assessing"risks"of"clients’"portfolios"under"the"UCITS"IV"directive.2"I"
assume"that"due"to"human"errors,"risk"management"process"may"not"be"done"correctly"and"the"key"risk"
event"is"loss"related"to"the"inaccurate"risk"assessment"of"the"client"portfolio."This"loss"can"be"expressed"as"
financial"loss"for"potential"investors"in"the"selected"portfolio."However,"loss"for"institution"is"represented"
in"lower"revenues"as"the"number"of"clients"that"the"institution"is"managing"will"decrease"once"it"becomes"
clear"that"the"institution"is"not"capable"of"providing"an"accurate"risk"assessment.""
Risk"assessment"and"its"accuracy"depend"on"many"factors,"external"and"internal."Internal"
risk" assessment" model" is" built" on" both" external" and" internal" data" sources." However," data" that" are"
collected"externally"(through"Bloomberg"or"directly"received"by"the"client)"may"have"errors"that"cannot"
be"verified"internally."Internal"data"sources"are"usually"verified"through"the"internal"process"(usually"
compliance"office),"however,"its"verification"depends"on"the"proficiency"of"staff"executing"this"function"
and"quality"of"IT"software"available"for"collection"and"validation"of"data."Internal"process"is"verified"also"
by" external" auditor," which" is" selected" on" a" careful" assessment" of" available" track" record" (this" is" best"
possible"information,"however,"there"may"be"information"that"is"not"known"to"the"institution"during"the"
selection"process"and"selected"auditor"may"not"be"the"best"one)."A"success"of"internal"risk"model"depends"
foremost"on"staff"efficiency,"which"is"also"crucial"for"internal"data"collection"process"and"internal"quality"
data"and"process"controls."Staff"efficiency"is"a"key"for"human"errors;"lack"of"staff,"inadequately"trained"
staff"(in"terms"of"incorrect"handling"of"IT"software,"incorrect"data"control"mechanisms,"incorrect"process"
verification),"overburdened"staff"(too"many"(sophisticated)"clients"handled"by"1"person)"can"lead"to"en"
expansive"growth"of"human"errors"and"results"in"an"incorrect"modelling"and"risk"assessment."Thus,"the"
key"to"minimization"of"human"errors"in"the"risk"assessment"process"is"to"ensure"that"staff"that"is"hired"
possesses" relevant" competencies" to" optimally" perform" their" tasks." Furthermore," staff" must" receive" a"
correct"training"relevant"to"their"tasks"in"the"institution"(for"example,"staff"responsible"for"IT"software"
has"access"to"ITRrelated"courses,"staff"responsible"for"data"control"has"access"to"dataRqualityRmanagement"
courses,"staff"responsible"for"risk"modelling"possess"relevant"quantitative"techniques,"etc.)"and"also"an"
ongoing"training"and"update"in"skills"is"enabled."""
2"Ibidem."""

5. 5"
Figure"2:"Influence"Diagram"for"Risk"Management"Department"
Loss$related$to$
Inaccurate$Risk$
Assessment$of$the$
Client$
External"Data"Sources"
Bloomberg" Client"
Internal"Data"Sources"
#"of"Clients"in"Portfolio"
IT"software"available"
Staff"efficiency"
Complexity"of"
Clients"
Lack"of"Staff Lack"of""
competencies"
Lack"of"
training"
Internal"Data"and"
Process"Control"
Internal"Risk"
Assessment"Model"
External"
Verification"(Audit)"
Process"
Selection"Process"" Track"Record"

6. 6"
3.#Comparison#of#Operational#Risk#between#5#Industries##
While"Operational"Risk"is"discussed"most"in"the"financial"services"industry,"it"is"present"and"
has"to"be"dealt"with"in"any"other"industry."Reason"(1997)"discusses"operational"risk"in"financial,"rail"
transport,"civil"aviation"and"nuclear"power"sectors"(these"are"all"industries"where"safety"is"critical)"and"
concludes"that"failures"do"not"happen"only"due"to"human"errors,"but"are"provoked"by" organizational"
inabilities"to"account"for"human"mistakes"and"slippages."He"argues"that"the"failure"to"learn"from"past"
mistakes,"worsening"of"safety"procedures"and"processes,"changes"in"management,"lack"of"risk"control"and"
reporting,"relaxed"attitude"towards"attention"to"detail"lead"to"potential"losses."He"emphasizes"that"the"
successful" operation" risk" control"is"possible" only" if:" (1)"there" is"a"good" governance" and" management"
practice"in"the"company","and"(2)"there"is"a"need"for"a"regular"assessment"of"risk"effectiveness"and"control"
processes."""
Below"I"provide"a"short"analysis"of"operational"risk"across"different"industries."However,"
despite" differences," (at" least)" 3" common" potential" losses" can" be" identified:" (1)" reputational" loss," (2)"
financial"losses,"and"(3)"legal"losses."
(A)#Transportation#industry#(aviation):#
One"of"the"main"operational"risk"issues"for"aviation"industry"is"operational"safety"policy"with"flight"safety"
the"highest"priority"to"any"other"decisions."This"requires"a"strict"operational"framework"not"only"for"the"
air" company" personnel," but" also" for" all" subcontractors." " The" aviation" business" is" exposed" to" several"
factors,"such"as"delays,"exceptional"weather"conditions,"strikes"of"related"parties"at"the"airport"(flight"
control"unions,"for"example),"failure"in"IT"systems"and"infrastructure,"which"can"be"provided"internally"of"
by"external"suppliers"and"are"crucial"for"a"safe"flight"operations,"supplier"failure"(for"example,"reserve"
parts,"maintenance"conditions,"catering"services),"fleet"grounding"or"restrictions"(for"example,"even" if"
there" is" a" reported" accident" " or" failure" with" another" airline," all" fleet" could" be" grounded" and" cause" a"
disruption" in" operator’s" services)." While" usually" air" accidents" are" extremely" rare," the" major" event"
provoked" is" loss" of" life," possible" impact" on" environment," and" financial" losses" associated" with" the"
destruction"of"the"plane"and"possible"financial"compensation"of"victims’"relatives.""
(B)#Medical#care#(surgeries)#
Risk" management" in" medical" care" is" extremely" complex" because" they" are" not" contained" within" the"
organization"but"follow"patients."Operational"risks"are"related"to"the"balance"between"quality"of"services"
offered"and"cost"optimizing"operational"framework"of"the"service"provider."The"most"severe"loss"related"
with"a"failed"surgery"is"loss"of"life."Furthermore,"if"such"event"results"in"a"legal"suit"against"a"provider,"a"
hospital"can"suffer"major"financial"losses"if"negligence"or"any"other"mistake"in"the"surgical"procedure"is"
identified."""
(C)#Financial#services#
According"to"Basel"II"framework,"operational"risks"for"financial"services"in"general"arise"due"to"internal"
processes,"system"failure,"internal/external"fraud,"employment"practices,"loss"of"key"people"(change"of"

7. 7"
jobs,"retirement,"and"healthy"issues),"clients/products/business"practices,"and"external"incidents."These"
risks"always"result"in"financial"losses,"ranging"from"insignificant"amounts"to"major"amounts."Furthermore,"
risks"are"always"related"with"the"reputational"loss"of"institution,"business"interruption"and"third"party"
liability.""
(D)#Hospitality#industries#(hotels,#cruise#ships)#
Main" operational" risks" in" hospitality" industries" arise" from" the" ability" to" attract" and" retain" qualified"
personnel" mainly" due" to" reflection" of" unattractive" working" hours" (evening" shifts," weekends," and"
holidays)"in"compensation"received."Poor"financial"compensation"could"cause"minor"incidents,"such"as"
thefts,"and"lead"to"a"destruction"of"reputational"risk."Furthermore,"many"hotel"complexes"or"cruise"ships"
do"not"take"advantage"of"modernized"technology"to"maximize"their"revenues."External"operational"risk"is"
related"to"a"changed"demography"and"travel"patterns"and"needs"(younger"generations"vs."babyUboomers),"
and"recently,"due"to"the"financial"crisis,"income"availability"to"travel"has"reduced"and"negatively"impacted"
hospitality"industry"in"general.""Cruise"ships,"on"the"other"hand,"bear"additional"operational"risk,"related"
to"security"of"travelling"–"recent"accidents"(Concordia,"food"poisoning"on"some"cruises"from"Miami)"are"
having"a"severe"impact"on"reputation"of"cruise"tourism.""""
(E)#Utilities#(nuclear#power#plant#generation)#
Risks in the nuclear power industry are systemic (Koplow, 2011). If an accident occurs in one place, the
impact is spilled over the entire industry as many reactors rely on the same technology, were built by the
same contractors, or employ similar defences (in the case of a terrorist attack). The"principal"risk"related"to"
the" nuclear" power" plant" operations" arises" from" radiation" impact" on" health" and" environment." Recent"
accident" in" Japan" as" well" as" the" accident" in" Chernobyl" was" due" to" the" lack" of" design" strategy" for"
preventing"accidents"and"mitigating"their"potential"effects."None"of"the"plants"had"built"a"sufficient"backU
up" system" to" prevent" an" equipment" failure" disaster." In" case" of" Chernobyl," the" reactor" was" not" built"
properly"to"retain"radioactivity"within"the"vessel.""
Frequency refers to how often a loss event happens, and is measured in terms of number
of events per time units. It is described by a discrete distribution. Severity depends on the monetary
impact of the event, and is described by a continuous distribution. In operational risk both components
have to be considered separately, since there exist loss events with low frequency but high severity (e.g.
catastrophes, damage to physical assets); on the other hand, there are plenty of high frequency, low
severity events (e.g. small credit frauds, accounting errors, etc.). Transportation industry is usually
facing low frequency and high severity events. For health care industry (surgeries), frequency of
events is diminishing as a success rate of surgeries is increasing over time. Severity (if measured in
financial impact) is small, but high when measured as “a loss of life” impact. Financial sector faces
high frequency events, but severity can vary from low scale (small credit frauds, accounting errors) to
high scale (rouge-traders- related losses). Hospitality industries (hotels and cruise ships) should face

8. 8"
medium frequency events (some of them also provoked by political and economic disruption at the
centres of destination and therefore a drop in arrivals), however, severity event can be high (revenue
loss due to low arrivals, destruction of asset – hotel, ship in case of natural disaster, loss of life in case
of cruise ship accident – case of Concordia). Utilities industry (nuclear power plant) if facing low
frequency events, but extremely high severity events – a failure in nuclear power plant can lead to an
environmental disaster.
Risk mitigation measures require a good understanding of the hazard and the factors
contributing to its occurrence, since any mechanism that will be effective in reducing risk will have to
modify one or more of these factors. Risk mitigation measures may work by reducing the probability
of occurrence, or the severity of the consequences, or both. Achieving the desired level of risk
reduction may require the implementation of more than one mitigation measure. For transport
industry (aviation), important risk mitigants are revision of the system design (before system
implementation), non-punitive reporting of deviations to flight safety, monitoring the quality of
external suppliers according to the company’s (and international) standards and practices and
regulations prescribed for flight operators, changes to staffing arrangements; continuous training of
personnel to deal with the risk (Stolzer,"Halford,"Goglia,"2011),. For medical care (surgeries), it is
important to obtain a second (and third) opinion prior to the surgery, keeping track on surgeries
performed and causes identified in case of failed procedure, and an ongoing training of staff involved
in surgeries (surgeons, anesthetist, nurses). Due to the potentially high financial losses related to legal
procedures, medical providers also undertake insurance against potential failures in services. For
financial services, insurance is allowed as risk mitigant as losses can be measured precisely. Other
risk mitigants are internal management controls, self-insurance by allocating a part of regulatory
capital for operational risk, securitization of certain operational risks (like catastrophic bonds), risk
transfers (for example, certain parts of risk can be underwritten or funded by a separate entity) For
hospitality industries (hotels, cruises), personnel training is the most important risk mitigant as these
industries are very labor-intensive. It is also important to have proper security systems in place (such
as video cameras in common areas of hotel, security boxes in rooms, cabins) to prevent thefts. For that
reasons, hotels can decide to outsource more complex operational functions to experts. For cruises,
passengers need to understand security measures that will be undertaken in case of accident and
organize a rescue exercise once on board. For utilities (nuclear plants), risk mitigants are periodic
safety reviews and upgrades of reactors, training of personnel to operate properly upgraded reactors,
taking up insurance against employee liability, material damage or breakdown or business interruption
( International Atomic Energy Agency, 2001).
"

9. 9"
Table"1:"Operational"Risk"Characteristics"for"Different"Industries"
Industry# Loss#Potential# Frequency# and#
Severity#Distribution*#
Risk#Mitigants#
Transportation#
(aviation)#
Major"loss"of"life."
Environmental"Damage."
Reputational"Loss."
Low"frequency"(2),"
High"severity"(4)"
System"design"revision"
NonUpunitive" reports" of"
deviations"to"flight"safety"
Monitoring" of" external"
suppliers’"quality"
Changes" to" staffing"
arrangement"
Continuous"personnel"training"
"
Medical# care#
(surgery)#
Loss"of"life."
PostUsurgical"complications."
Reputational"Loss."
Diminishing" frequency"
(4)"
Low"severity"(2)"
Second"opinion"
Knowledge" system" software"
(track"of"surgical"procedures)"
Ongoing" training" of" personnel"
(surgeons,"nurses)"
Insurance"
Financial#Services# Major"financial"losses."
Reputational"Loss."
Business"interruption."
Third"party"liability."
High"frequency"(5)"
Low" and" high" severity"
(from"1"–"5)"
Insurance"
Internal"management"controls"
Self"insurance"
Securitization"
Risk"transfer"
Hospitality#
Industries# (hotels,#
cruises)#
Limited"financial"losses"(thefts,"
frauds" accidents," loss" of"
revenue" due" to" cyclicality" of"
industries)."
Loss" of" life" (cruises" U"
Concordia)"
Reputational"Loss.""
Low"frequency"(3)"
High"severity"(3)"
Personnel"training"
Security"systems"–"outsourcing"
to"experts"
Implementation" of" safety"
exercises" on" board" (for"
cruises)""
Utilities# (nuclear#
power#generation)#
Loss"of"life."
Permanent"damages"(radiation"
impact)."
Environmental" Damage"
(radioactive"waste)."
Reputational"Loss.""
Low"frequency"(1)"
High"severity"(5)"
Security"system"upgrade"
Safety"control"
Personnel"trainings"
Insurance"
"
*"I"rank"frequency"and"severity"events"by"assigning"1"to"the"lowest"probable"event"and"5"to"a"highest"probable"event.""
"
References:"
Koplov, Doug, 2011, “Nuclear Power: Still Not Viable Without Subsidies,” Union of Concerned Scientists (UCS)
Publications, Cambridge, MA, USA, February 2011, 146 pp.
International Atomic Energy Agency, 2001, “Risk Management: A tool for improving nuclear power plant
performance,” IAEA, Austria, April 2001, 88 pp.
Stolzer,"Alan"J.,"Carl"D."Halford,"John"J."Goglia,"2011,”"Implementing*Safety*Management*Systems*in*Aviation,”"
Ashgate"Publishing,"Burlington,"VT,"USA,"June"2011,"297"pp.""
Reason,"James,"1997,"“Managing the Risks of Organisational Accidents. Ashgate Publishing Limited, 1997.