Risk Management
University of Economics, Kraków, 2012
Tomasz Aleksandrowicz
operational risk management

operational risk
tools & techniques
ORM in banking
operational risk
• risk due to organisation operations
• arising from execution of a company's business
  functions
• operational risk is the risk of loss resulting from
  inadequate or failed internal processes, people and
  systems, or from external events (Basel II)
• it is not used to generate profit
• to keep losses within limit (driven by risk appetite)
operational risk management
• there is no one size fits all approach
• operational risk is much harder to identify than
  market and credit risk
operational risk categories
• the broad concept focuses on people, processes,
  systems and external factors
• more detailed approach under Basel II regulations:
   –   Internal Fraud
   –   External Fraud
   –   Employment Practices and Workplace Safety
   –   Clients, Products, & Business Practice
   –   Damage to Physical Assets
   –   Business Disruption & Systems Failures
   –   Execution, Delivery, & Process Management
operational risk categories (II)
• people - due to human error, loss of personnel and
  health and safety issues
• process - due to business performance processes or
  projects as well as capacity and reporting matters
• systems/technology - due to technical issues of
  systems, computers and equipment as well as data
  quality and security
• external events - due to external factors, regulatory
  environment and natural hazards
ORM exercise

choose your company
list 2-3 risks with 4 categories:
people, process, systems/technology, external events
people risk
•   Employee collusion/fraud
•   Employee error
•   Employee misdeed/crime
•   Employment law
•   Health and safety at work
•   Insufficient or lack of knowledge/skills
•   Loss of key personnel (key personnel risk)
process risk
•   Accounting error
•   Capacity risk
•   Contract risk
•   Product complexity/product flaws
•   Project risk
•   Reporting error
•   Settlement/payment error
•   Transaction error
•   Valuation error
technology risk
•   Data quality
•   Programming errors
•   Security breach
•   Strategic risks complexity (platform/suppliers)
•   System capacity
•   System compatibility
•   System delivery
•   System failure
•   System suitability
external risk
•   Legal / Regulatory
•   Money laundering
•   Outsourcing
•   Political
•   Supplier/Partner risk
•   Tax
•   Fire/Natural disaster
•   Theft/Robbery
•   Physical security (terrorism, vandalism)
ORM exercise 2

propose a solution for
most common risks in each category
ORM tools & techniques
•   internal controls & audit
•   training & procedures
•   key risk indicators (KRI)
•   strategic diversification/outsourcing
•   insurance
•   hazard prevention - emergency management
•   business continuity planning (BCP)
KRI - Key Risk Indicators
• metrics used to monitor identified risk exposures
  over time
• measure used in management to indicate how risky
  an activity is
• differs from a Key Performance Indicator (KPI), which
  is a measure of how well something is being done
• gives us an early warning to identify potentially risky
  events
KRI management
• effective indicator selection: relevant, measurable,
  predictive
• selection process approach: top-down or bottom-up
• using composite or index indicators
• indicator threshold and limits, escalation triggers
• indicator trending and scale (green, amber, red)
• reporting: level of reporting, frequency and
  presentation style
KRI examples
•   customer complaints volume
•   product return ratio
•   volume/value of products breakage
•   number of caught shoplifters / value of loss due to customer
    theft
•   staff turnover
•   staff sickness days
•   number of overtime hours utilized
•   number of data capture errors
•   number of virus or phishing attacks
•   number of server restarts requested
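
An added example (not part of the original slides) of the KRI management points above: thresholds and limits, the green/amber/red scale, trending, and an escalation trigger, applied to two of the listed indicators. The threshold values, owner roles, the 10% trend band and the monthly counts are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Kri:
    name: str
    amber: float   # threshold: at or above this the indicator turns amber
    red: float     # limit: at or above this the indicator turns red
    owner: str     # escalation target (hypothetical role name)

def rag(kri: Kri, value: float) -> str:
    """Map one observation onto the green/amber/red scale."""
    if value >= kri.red:
        return "red"
    return "amber" if value >= kri.amber else "green"

def trend(series: list, window: int = 3) -> str:
    """Compare the mean of the last `window` points with the window before it."""
    if len(series) < 2 * window:
        return "insufficient data"
    prev, last = mean(series[-2 * window:-window]), mean(series[-window:])
    if last > prev * 1.10:          # assumed 10% band around "stable"
        return "rising"
    return "falling" if last < prev * 0.90 else "stable"

def assess(kri: Kri, series: list) -> dict:
    """Status of the latest value, its trend, and whether to escalate."""
    status, direction = rag(kri, series[-1]), trend(series)
    # Escalation triggers: any red, or an amber that is still rising (early warning).
    escalate = status == "red" or (status == "amber" and direction == "rising")
    return {"kri": kri.name, "value": series[-1], "status": status,
            "trend": direction, "escalate_to": kri.owner if escalate else None}

# Constructed monthly counts for two of the slide's example indicators.
PHISHING = Kri("virus or phishing attacks", amber=20, red=40, owner="CISO")
RESTARTS = Kri("server restarts requested", amber=5, red=10, owner="Head of IT Ops")
SAMPLE = {
    PHISHING: [8, 9, 11, 14, 19, 27],   # amber and climbing
    RESTARTS: [6, 7, 6, 7, 6, 6],       # amber but flat
}

def report() -> list:
    return [assess(kri, series) for kri, series in SAMPLE.items()]

if __name__ == "__main__":
    for row in report():
        print(row)
```

Both indicators sit in amber, but only the rising one is escalated; this is the early-warning role that separates a KRI from a plain count.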
ORM exercise 3

propose KRI
for most common risks in each category
BCP - business continuity planning
• is a roadmap for continuing operations under
  extreme conditions
• effective prevention and recovery for the
  organization
• active preparation and planning for emergencies
   – critical (urgent) organization functions/activities
   – non-critical (non-urgent) organization functions/activities
BCP life-cycle
operational risk management
industry example: banking
three approaches to ORM
#1 Basic Indicator Approach
• simplest operational risk measurement method
• banks have to hold capital reserves for operational
  loss
• average gross income from the previous 3 years
  times a given percentage (alpha)
• years with negative or zero income excluded
• committee alpha percentage – 15% (represents
  industry average operational risk)
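
An added example (not part of the original slides) of the Basic Indicator Approach calculation, showing how excluding a negative or zero year changes both the sum and the divisor. The function names and the income figures are constructed; returning 0.0 when no year qualifies is an assumption of this example.

```python
ALPHA = 0.15  # alpha percentage stated on the slide

def bia_capital_charge(gross_income, alpha=ALPHA):
    """Capital charge from the previous three years of annual gross income."""
    if len(gross_income) != 3:
        raise ValueError("the approach uses exactly the previous 3 years")
    # Years with negative or zero income are excluded from the average,
    # so they leave both the numerator and the denominator.
    positive = [gi for gi in gross_income if gi > 0]
    if not positive:
        return 0.0  # assumption: no qualifying year, nothing to average
    return alpha * sum(positive) / len(positive)

def naive_charge(gross_income, alpha=ALPHA):
    """Naive reading for comparison: average all three years, loss year included."""
    return alpha * sum(gross_income) / len(gross_income)

# Constructed annual gross income figures, in millions.
STEADY = [120.0, 150.0, 90.0]
ONE_LOSS_YEAR = [120.0, -30.0, 90.0]

if __name__ == "__main__":
    print("steady:        ", bia_capital_charge(STEADY))         # three years count
    print("one loss year: ", bia_capital_charge(ONE_LOSS_YEAR))  # two years count
    print("naive average: ", naive_charge(ONE_LOSS_YEAR))        # understates the charge
```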

#2 Standardized Approach
• more complex method of operational risk
  measurement
• banks have to hold capital reserves for operational
  loss
• three-year average across each of the business lines
  in each year times given percentage (beta)



Standardized Approach – beta factor




#3 Advanced Measurement Approach
• comprehensive method based on bank’s internal
  operational risk measurement system
• quantitative and qualitative criteria
• subject to regulatory approval
• minimum five-year observation period of internal
  loss data
• external data could be used



Advanced Measurement Approach (II)
• bank must be able to demonstrate that its approach
  captures even unlikely events
• high-severity events must be subject to scenario
  analysis, using external data and expert advice
