3. operational risk
• risk due to organisation operations
• arising from execution of a company's business
functions
• operational risk is the risk of loss resulting from
inadequate or failed internal processes, people and
systems, or from external events (Basel II)
• it is not used to generate profit
• to keep losses within limit (driven by risk appetite)
4. operational risk management
• there is no one size fits all approach
• operational risk is much harder to identify than
market and credit risk
5. operational risk categories
• broad concept focuses on people, processes and
systems and external factors
• more detailed approach under Basel II regulations:
– Internal Fraud
– External Fraud
– Employment Practices and Workplace Safety
– Clients, Products, & Business Practice
– Damage to Physical Assets
– Business Disruption & Systems Failures
– Execution, Delivery, & Process Management
6. operational risk categories (II)
• people - due to human error, loss of personnel and
health and safety issues
• process - due to business performance processes or
projects as well as capacity and reporting matters
• systems/technology - due to technical issues of
systems, computers and equipment as well as data
quality and security
• external events - due to external factors, regulatory
environment and natural hazards
7. ORM exercise
choose your company
list 2-3 risks with 4 categories:
people, process, systems/technology, external events
8. people risk
• Employee collusion/fraud
• Employee error
• Employee misdeed/crime
• Employment law
• Health and safety at work
• Insufficient or lack of knowledge/skills
• Loss of key personnel (key personnel risk)
14. KRI - Key Risk Indicators
• metrics used to monitor identified risk exposures
over time
• measure used in management to indicate how risky
an activity is
• differs from a Key Performance Indicator (KPI), which
is a measure of how well something is being done
• gives an early warning to identify a potential risky
event
15. KRI management
• effective indicator selection: relevant, measurable,
predictive
• selection process approach: top-down or bottom-up
• using composite or index indicators
• indicator threshold and limits, escalation triggers
• indicator trending and scale (green, amber, red)
• reporting: level of reporting, frequency and
presentation style
16. KRI examples
• customer complaints volume
• product return ratio
• volume/value of products breakage
• number of shoplifters caught / value of loss due to customer
theft
• staff turnover
• staff sickness days
• number of over-time hours utilized
• number of data capture errors
• number of virus or phishing attacks
• number of server restarts requested
17. ORM exercise 3
propose KRI
for most common risks in each category
18. BCP - business continuity planning
• is a roadmap for continuing operations under
extreme conditions
• effective prevention and recovery for the
organization
• active preparation and planning for emergencies
– critical (urgent) organization functions/activities
– non-critical (non-urgent) organization functions/activities
21. #1 Basic Indicator Approach
• simplest operational risk measurement method
• banks have to hold capital reserves for operational
loss
• average gross income from previous 3 years
times given percentage (alpha)
• years with negative or zero income excluded
• committee alpha percentage – 15% (represents
industry average operational risk)
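
The calculation described above, written out as an added worked example (not part of the original slides). The symbols K_BIA, GI_i and n are notation introduced here, and the income figures are constructed:

$$K_{BIA} = \frac{\alpha \sum_{i=1}^{n} GI_i}{n}, \qquad \alpha = 15\%$$

where GI_i is the gross income of each of the previous 3 years in which it was positive, and n is the number of those years. With constructed gross incomes of 120, -30 and 180 (in millions), the negative year is excluded, so n = 2:

$$K_{BIA} = \frac{0.15 \times (120 + 180)}{2} = 22.5$$

Averaging over all three years instead, negative year included, would give 0.15 × (120 - 30 + 180) / 3 = 13.5, which is why the exclusion rule matters for the size of the reserve.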
22. #2 Standardized Approach
• more complex method of operational risk
measurement
• banks have to hold capital reserves for operational
loss
• three-year average across each of the business lines
in each year times given percentage (beta)
24. #3 Advanced Measurement Approach
• comprehensive method based on bank’s internal
operational risk measurement system
• quantitative and qualitative criteria
• subject to regulatory approval
• minimum five-year observation period of internal
loss data
• external data could be used
25. Advanced Measurement Approach (II)
• bank must be able to demonstrate that its approach
captures even unlikely events
• high-severity events must be subject to scenario
analysis and use external data and expert advice