Operational risk can result in losses from failed internal processes, people, or systems or from external events. It is inherent in all business activities. There are four main approaches under Basel II to calculate capital requirements for operational risk: Basic Indicator Approach, Standardized Approach, Advanced Measurement Approaches (AMA), and the Internal Ratings-Based Approach (IRB). The Standardized Approach divides activities into business lines and assigns risk factors to each to determine capital charges. The AMA uses a bank's internal risk measurement system to determine regulatory capital requirements subject to supervisory approval.

1. OPERATIONAL RISK MANAGEMENT
11/16/12 1

2. What is Operational Risk?
 The risk of loss resulting from inadequate or failed
internal processes, people and systems or from
external events (The Basel II Capital Accord)
 FORMERLY any risk but market and credit risks
 It is NOT a brand new stuff and it is the risk that affects
all businesses
 Operational risk is inherent in carrying out a process/
operational activity.
11/16/12 2

3. Classification of Operational Risks
High High  Operational risk events are
Frequency Frequency classified by two factors:
Low High  frequency – how often the
Frequency
Impact Impact event occurs
 impact – the amount of the
Low Low
Frequency Frequency losses resulting from the
event
Low High
Impact Impact
Impact
11/16/12 3

4. Classification of Operational Risks
 Generally, operational risk management focuses on only
two of these event types:
 Low frequency / high impact (LFHI)
 High frequency / low impact (HFLI)
 Why?
11/16/12 4

5. Classification of Operational Risks
 High frequency/low impact events are managed to
improve business efficiency. These events tend to be
readily understood and are viewed as ‘the cost of doing
business’.
 Examples?
11/16/12 5

6. Expected loss verses unexpected loss
 Expected loss is the loss incurred as a bank conducts its
normal business.
 Can be simply defined as the cost of doing business
 The only way to totally prevent them is to cease doing
business.
11/16/12 6

7. Expected loss versus unexpected loss
 A bank uses statistical methods to predict its expected
losses.
 In short, the firm uses past data and experience to
predict the future.
 A simple method of calculating expected loss is to
compute the mean (average) of the actual losses over a
given time and accept this as the likely future level.
11/16/12 7

8. Expected loss verses unexpected loss
 A firm may also attempt to ‘predict’ its unexpected losses
using statistics, much like the way that is used to predict
expected losses.
 The problems are the past data may not available and
therefore to calculate unexpected loss a firm uses:
 available internal data
 external data from other firms
 data from operational risk scenarios
11/16/12 8

9. Operational risk event categories
 The simplest way of understanding operational risk in banks is to
categorize it as anything but credit risk or market risk.
 However, this is a very broad definition and does not help manage
operational risk.
 Generally, operational risk events can be subdivided into:
 internal process risk
 people risk
 systems risk
 external risk
 legal risk
11/16/12 9

10. Internal Process Risk
 Internal process risk is defined as the risk associated
with the failure of a bank’s processes or procedures.
 During a bank’s day-to-day operations, staff follow preset
working practices.
 These procedures and policies will include all the
checks, and controls required to ensure that customers
are correctly served and the bank remains within the
laws and regulations by which it is governed
11/16/12 10

11. Internal Process Risks
 Internal process risk events include:
 documentation – inadequate, insufficient or wrong
 lack of controls
 marketing errors
 misselling
 money laundering
 incorrect or insufficient reporting (e.g. regulatory)
 transaction error
 Reviewing and improving a bank’s internal processes as part of
operational risk management can improve its efficiency. Errors often
occur when a process is complicated, disorganized or easily
circumvented, all of which are also inefficient business practices.
11/16/12 11

12. Risk Management Process Feedback Loop
1. Identify, assess and
prioritize risks
6. Revise 2. Develop
policies and strategies to
procedures measure risk
5. Test
effectiveness 3. Design policies and
and evaluate procedures to mitigate risks
results
4. Implement
and assign
responsibility
11/16/12 12

13. There are four fundamental steps to managing operational risk, with
each step leading to improvements in management & control quality and
greater economic profit
REPORTING
• Integrated MIS
reporting
MEASUREMENT • Awareness of
• Estimation of annual exposures
losses – cost of • Knowledge of
operational failure controls quality
PROCESSES
• Estimation of VaR – • Cost benefit analysis
Economic Profit
• Loss data collection
risk capital • Improved risk
• Risk indicator data
• Estimation of scores mitigation and
FRAMEWORK collection
representing quality transfer strategy
• Risk strategy, • Control self- of internal controls
tolerance assessment
• Roles and • Risk assessment and
responsibilities analysis
• Policies and • Workflow
procedures • Automatic notification
• Risk definition and • Follow up action
categorization
Management & Control Quality

14. The universe of operational risks spans causes, events and
consequences
CAUSES EVENTS CONSEQUENCES
Inadequate Legal Liability
segregation of duties
Internal Regulatory, Compliance
Insufficient training Fraud & Taxation Penalties
External Loss or Damage
Lack of management
Fraud to Assets EFFECTS
supervision
Monetary
Employment Practices Losses
Inadequate Restitution
& Workplace Safety
auditing procedures
Clients, Products
Inadequate security Loss of Recourse
& Business Practices
measures
Damage to
• Physical Assets Write-down
• Business Disruption
& System Failures
• Reputation OTHER
Execution, Delivery & IMPACTS
Poor systems
Process Management Forgone
design
Business Interruption Income
Poor HR
policies

15. Using internal and external loss data can calculate Value at Risk
INDIVIDUAL RISK MATRIX FOR LOSS VAR TOTAL LOSS
LOSS EVENTS LOSS DATA DISTRIBUTIONS CALCULATION DISTRIBUTION
74,712,345 Frequency
74,603,709 of events
74,457,745
74,345,957
74,344,576 VaR
•
EMPLOYMENT CLIENTS, EXECUTION, BUSINESS
Calculator
PRACTICES & PRODUCTS & DAMAGE TO DELIVERY & DISRUPTION AND
INTERNAL EXTERNAL WORKPLACE BUSINESS PHYSICAL PROCESS SYSTEM
FRAUD FRAUD SAFETY PRACTICES ASSETS MANAGEMENT FAILURES TOTAL
Corporate Finance Nu mb er 36 3 25 36 33 150 2 315
0 1 2 3 4
Mea n 35,459 52,056 3,456 56,890 56,734 1,246 89,678 44,215
Standard Deviatio n 5,694 8,975 3,845 7,890 3,456 245 23,543 6,976
e.g.,
Trading & Sales Nu mb er 50 4 35 50 46 210 3 441
Mea n 53,189 78,084 5,184 85,335 85,101 1,869 134,517 66,322
Standard Deviatio n 8,541 13,463 5,768 11,835 5,184 368 35,315 10,464
•
Retail Banking Nu mb er 45 4 32 45 42 189 3 397
Mea n 47,870 70,276 4,666 76,802 76,591 1,682 121,065 59,690
Monte
Standard Deviatio n 7,687 12,116 5,191 10,652 4,666 331 31,783 9,417
Commercial Bankin g Nu mb er 41 3 28 41 37 170 2 357
Mea n 43,083 63,248 4,199 69,121 68,932 1,514 108,959 53,721
Standard Deviatio n 6,918 10,905 4,672 9,586 4,199 298 28,605 8,476
Payment & Settlements Nu mb er 37 3 26 37 34 153 2 321
Mea n 38,774 56,923 3,779 62,209 62,039 1,363 98,063 48,349
Carlo
Standard Deviatio n 6,226 9,814 4,205 8,628 3,779 268 25,744 7,628
•
Agency Services Nu mb er 44 4 31 44 40 184 2 386
Mea n 46,529 68,308 4,535 74,651 74,446 1,635 117,675 58,018
Standard Deviatio n 7,472 11,777 5,045 10,353 4,535 321 30,893 9,154
Asset Manag ement Nu mb er 40 3 28 40 36 165 2 347
167,245 Simulation
Mea n 41,876 61,477 4,081 67,186 67,002 1,472 105,908 52,217
Severity
Standard Deviatio n 6,725 10,599 4,541 9,318 4,081 289 27,804 8,238
Retail Brokerage Nu mb er 48 4 33 48 44 198 3 417
Mea n 50,252 73,773 4,898 80,623 80,402 1,766 127,090 62,660
Standard Deviatio n 8069 12719 5449 11182 4898 347 33365 9886
Engine
Insuranc e Nu mb er 43 4 30 43 39 179 2 375
Mea n 45,226 66,395 4,408 72,561 72,362 1,589 114,381 56,394
142,456 of loss
Standard Deviatio n 7,262 11,447 4,904 10,063 4,408 312 30,028 8,897
Total Nu mb er 435 36 302 435 399 1,812 24 3,806
Mea n 45,653 67,021 4,450 73,245 73,044 1,604 115,459 56,926
Mean 99th Percentile
Standard Deviatio n 7,331 11,555 4,950 10,158 4,450 315 30,311 8,981
123,345 Annual Aggregate Loss ($)
113,342
94,458
0-10 10- 20- 30- 40-
20 30 40 50

16. Composite control assessment/indicator scores can be used to modify
capital figures
CONTROL
ASSESSMENT/INDICATOR
VAR SCORE CAPITAL
Adjustment for
Quality of
Current Control
Environment
210 100 190
Current score
Previous score 50
0
Linking capital to changes in the quality of internal controls provides an incentive for
desired behavioral change

17. What does it tell us?
11/16/12 17

18. Basel II Approaches on Operational Risk
•Basic Indicator •Standardized
•Standardized •Foundation IRB
•Advanced Measurement •Advanced IRB
•OPERATIONAL •CREDIT
11/16/12 18

19. The Basic Indicator Approach
 Banks using the Basic Indicator Approach must hold
capital for operational risk equal to the average over the
previous three years of a fixed percentage (denoted
alpha) of positive annual gross income.
 Figures for any year in which annual gross income is
negative or zero should be excluded from both the
numerator and denominator when calculating the
average.
11/16/12 19

20. The charge may be expressed as follows:
11/16/12 20

21. The Standardized Approach
 In the Standardized Approach, banks’ activities are divided into eight business lines:
corporate finance, trading & sales, retail banking, commercial banking, payment &
settlement, agency services, asset management, and retail brokerage.
 Within each business line, gross income is a broad indicator that serves as a proxy
for the scale of business operations and thus the likely scale of operational risk
exposure within each of these business lines.
 The capital charge for each business line is calculated by multiplying gross income by
a factor (denoted beta) assigned to that business line.
 Beta serves as a proxy for the industry-wide relationship between the operational risk
loss experience for a given business line and the aggregate level of gross income for
that business line.
 It should be noted that in the Standardized Approach gross income is measured for
each business line, not the whole institution, i.e. in corporate finance, the indicator is
the gross income generated in the corporate finance business line
11/16/12 21

22. Standardized Approach
11/16/12 22

23. Standardized Approach
11/16/12 23

24. Mapping Business Lines
?
11/16/12 24

25. Advanced Measurement Approaches (AMA)
 Under the AMA, the regulatory capital requirement will
equal the risk measure generated by the bank’s internal
operational risk measurement system using the
quantitative and qualitative criteria.
 Use of the AMA is subject to supervisory approval.
 A bank adopting the AMA may, with the approval of its
host supervisors and the support of its home supervisor,
use an allocation mechanism for the purpose of
determining the regulatory capital requirement
11/16/12 25