Analysis of BAELL II Recommendations
Disclaimer: This dissertation has been submitted by a student. This is not an example of the work written by our professional dissertation writers. You can view samples of our professional work here.
Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UK Essays.
CHAPTER 1: INTRODUCTION
Operational risk is defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” Financial markets in the last two decades have been highlighted by large-scale financial failures due to incompetence and fraud, such as Barings, Daiwa, Allied Irish Banks, Orange County, Enron, along with man-made and natural disasters, such as “9/11,” Hurricanes Andrew and Katrina. As a consequence, operational risk has been acknowledged to overweigh the importance of credit and market risks.
Since 2001, the Basel Committee for the Banking Supervision of the Bank of International Settlements has been requiring banks to set aside regulatory capital amount that would cover potential operational loss. The capital amount must be evaluated on a one-year aggregated basis at a sufficiently high confidence level. Statistical tools are required to accurately assess the frequency and severity distributions.
The presence of so-called “low frequency/ high severity” events poses problems for the modeling of operational risk and calls for models capable of capturing excessive heavy-tailedness in the data.
Operational risk is one of the important arms of the risk management triangle - the other two being Credit Risk and Market (Treasury) Risk. Any organization, particularly in the banking sector, is squarely exposed to operational risks emanating within or outside the organization.
Risk Management Triangle
Credit Risk Market (Treasury) Risk.
Operational risk capital charge is a mandatory requirement in global banking sector. This puts in a lot of stress and strain on a bank's management.
Operational Risk is also known as Transaction Risk in some countries.
In order to efficiently face this new challenge of operational risk in risk management, the prerequisites for efficiently facing the operational risk are enumerated as follows :
Ø creation of risk culture ;
Ø enterprise wide operational ;
Ø risk awareness.
Proactive steps at all the levels of operation should operate as a safety valve and in the process, may in turn facilitate lower risk capital charge.
Risk mapping is often mentioned both in describing various approaches to operational risk management and, in an audit context, in formulating the key steps to control self-assessment, as the cornerstone of the risk identification process. Yet there is little published guidance on how to perform it effectively and on how to ensure that the resulting map is indeed complete and consistent. In other words, although the term is widely used by bankers, auditors, regulators and consultants alike, and although all these professionals may even agree on what constitutes an acceptable final product, they will most likely give widely different explanations on how to get such product, the resources needed and the costs involved.
Risk mapping is difficult for a number of reasons, all of which can be summarized by reminding ourselves that ‘the map is not the territory'. No matter how accurate and thorough our analysis is, what really goes on in the business is never exactly what is written in the manual. Here are just a few of the key dimensions:
- People: Processes are affected by people, and people, no matter how formalized the process is, adapt, interpret and improvise in response to circumstances.
- Specialization: Very few people really understand a specific business process and its interactions with other people and systems within the bank. When one of these people leaves or is just absent for a while, the potential for an operational failure appears.
- Processes: Processes change all the time and any mapping becomes obsolete almost overnight after being completed.
In this research, I describe a methodology for the mapping of operational risk with the objective of identifying the risks inherent in the different steps of a business process, selecting the key risk indicators (KRIs) (Hoffman, 2002; Davis and Haubenstock, 2002) and designing the most appropriate control activities. In my approach, therefore, risk mapping is the basis for all the key components of operational risk management - identification, assessment, monitoring/reporting and control/mitigation - as defined by the Basel Committee on Banking Supervision (2003).
There is more than one way to map risks. The most common technique is probably the mapping on a probability/severity chart (Figure 1) so as to identify the key priorities for management. The result in most cases helps to distinguish between high severity/low frequency and high frequency/ low severity losses, but which in general gives no indication as to what management actions to take in order to change the existing risk profile. Another way is to map the risks to the phases of a business activity where they can occur and identify the key risk factors and drivers in the process. This leads to a somewhat more complex result, rich in qualitative information rather than in quantitative assessment, but giving very clear indications as to which parts of the process should be changed in order to make a difference to the overall risk exposure. It also allows for the identification of the KRIs that are more relevant to each risk exposure.
Pursuing the application of KRIs to operational risk assessment is suggested by the need to capture the various issues we find with purely statistical approaches as well as the impact that managerial decisions may have on the operational risk profile. In market and credit risk measurement, the key managerial decisions are taken in deciding portfolio composition, thereby affecting the resulting risk profile directly and in a manner that measurement models have no problem in capturing. In operational risk measurement, on the other hand, managerial decisions may affect the risk profile in a number of different ways (through changes in control procedures, systems, personnel, to name but a few), none of which any measurement model can capture in a simple and direct way. Statistical approaches in particular will be at a loss in taking into account such changes, as historical data will reflect a risk and control environment which by and large no longer exists. The requirement of the new Basel Accord (Basel Committee on Banking Supervision, 2004) - to base risk assessment on 5 years of historical data - if taken too literally will have banks generating risk capital charges on the basis of information largely unrelated to the current and, even less, the future risk and control environment.
1.3. Research Question:
This work to start with will take a step back and ask the fundamental question of why do banks fail? Further the work shall research the recommendations of BASEL II and will try to seek the answer for: Will the BASEL II requirements make the systematic goals of safety and stability more achievable for banks/FI's? If yes, how? If no, how?
Appropriate “Organizational structure” is a precondition for orderly management of any activity/ group working within the purview of organizational capabilities. Operational risk management is all pervasive in terms of activities of an organization e.g. if ‘people' factor in operational management is poorly managed in a bank, other activities of the bank e.g. credit/market risk management, are likely to suffer . Similarly, legal aspects of any transaction/ function, if loosely dealt with, increases the likelihood of loss to the organization.
Organizational structure for operational risk management needs to be compact and broad-based. The structure must be compatible with :-
- an organization's size;
- complexity of operations and area of operations;
- in tune with its risk appetite.
The area of operational risk management is a matter of discretion which comes under the purview of regulatory authorities/banks.
Through my research I have tried out to make out a clear and concise understanding of BASEL II accord for Banks/FI's in operational risk perspective. The work shall also try to suggest the suitable customization of BASEL II recommendations and implications of the same for effectively managing operational risk. It may also lead to forecasting the emerging trends in operational risk and ways to mitigate the same.
1.5. Chapter Scheme
The chapter scheme of my dissertation is as follows:
Chapter 2: This chapter describes the literature review and the findings.
Chapter 3: This chapter describes research methodology and some of the variables included in empirical analysis.
Chapter 4: This chapter provides the basis of qualitative research.
Chapter 5: This chapter gives details of case studies analyzed for research purpose.
Chapter 6: This chapter discuses the analysis and the findings.
Chapter 7: This chapter includes the conclusion.
CHAPTER 2: LITERATURE REVIEW
Until very recently, it has been believed that banks are exposed to two main risks. In the order of importance they are credit risk (i.e., counterparty failure risk) and market risk (i.e., risk of loss due to changes in market indicators, such as equity prices, interest rates and exchange rates). Operational risk has been regarded as a mere part of “other” risks.
Operational risk is not a new concept for banks: operational losses have been reflected in banks' balance sheets for many decades. They occur in the banking industry every day. Operational risk affects the soundness and operating efficiency of all banking activities and all business units. We begin our discussion with an explanation of the notion of risk.
2.2. Risk and Risk Management
In the financial context, risk is the fundamental element that affects financial behavior. There is no unique or uniform definition of risk: different financial institutions may define risk slightly differently, depending on the specifics of their banking structure, operations and investment strategies. The definition of risk also depends on the context.
In the economics literature, generally risk is not necessarily a negative concept, and is understood as uncertainty about future or the dispersion of actual from expected results. In the context of business investment, risk is the volatility of expected future cash-flows (measured, for example, by the standard deviation), and in the context of the Capital Asset Pricing Model (CAPM) is the risk of asset price volatility due to market-related factors and is captured by β. Such definitions do not exclude the possibility of positive outcomes. Hence, for the operational risk we need a different definition.
For the purposes of operational risk modeling and analysis, the definitions from insurance are more appropriate, as the notion of risk in insurance has a negative meaning attached to it. Risk is perceived as the probability and impact of a negative deviation, the probability or potential of sustaining a loss, “a condition in which there is a possibility of an adverse deviation from a desired outcome that is expected or hoped for” , or “an expression of the danger that the effective future outcome will deviate from the expected or planned outcome in a negative way” . As the next step, we need to distinguish operational risk from other categories of financial risk.
A comprehensive framework of risk management is applicable equally to all types of bank (Iqbal and Mirakhor, 2007). The process of risk management is a two (2) step process. The first is to identify the source of the risk, i.e. to identify the leading variables causing the risk. The second is to devise methods to quantify the risk using mathematical models, in order to understand the risk profile of the instrument.
Once a general framework of risk identification and management is developed, the techniques can be applied to different situations, products, instruments and institutions.
It is crucial for all banks to have comprehensive risk management framework as there is growing realization among IBs that sustainable growth critically depends on the development of a comprehensive risk management framework (Greuning and Iqbal, 2007).
A robust risk management framework can help banks to reduce their exposure to risks, and enhance their ability to compete in the market (Iqbal and Mirakhor, 2007). A reduction in each institution's exposure will reduce the systemic risk as well. Hence, it is necessary that banks have in place a comprehensive risk management and reporting process to identify, measure, monitor, manage, report and control different categories of risks.
2.2.1. Understanding Risk and Risk Management
It is important for staff of banking institutions to understand the aspect of risk in the banking operations and the risks that are inherent and exposed in their business operations. Better understanding of risk management is also necessary especially in the financial intermediation activities where managing risk is one of the important activities. A study conducted by Boston Consulting Group (2001) found that the sole determining success factors is not the technical development but the ability to understand risk strategically and also the ability to handle and control risk organizationally. Secondly, in order to realize a risk based management philosophy, the attitude and mindset of the employees need to be changed whereby they must be brought to understand that managing risk is crucial for success. This implies that there must be intensive training, clearly defined structures and responsibilities, as well as commitment to change. In addition, it was identified that banks in North America and Australia concentrate on risk management primarily to enhance their competitive positions. Meanwhile in Europe, Asia and particularly in South America, risk management is considered primary from the perspective of regulatory requirements.
Then, Al-Tamimi and Al-Mazrooei (2007) found that the UAE banks staff have good understanding of risk and risk management, which might give an indication about the ability of these banks to manage risks efficiently in the future. Moreover, understanding risk and risk management had positive effect on risk management practice although it is insignificant.
2.2.2. Requirement for Risk Management
Risk management framework is important for banks. The risk management strategy must be integrated with its overall corporate strategies (e.g. Froot and Stein, 2004). In conjunction with the underlying frameworks, basic risk management process that is generally accepted is the practice of identifying, analysing, measuring, and defining the desired risk level through risk control and risk transfer. BCBS (2001) defines financial risk management as a sequence of four (4) processes: (1) the identification of events into one or more broad categories of market, credit, operational and other risks into specific sub-categories; (2) the assessment of risks using data and risk model; (3) the monitoring and reporting of the risk assessments on a timely basis; and (4) the control of these risks by senior management. BCBS (2006), on risk management processes, require supervisors to be satisfied that the banks and their banking groups have in place a comprehensive risk management process. This would include the Board and senior management to identify, evaluate, monitor and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. In addition, as suggested by Al-Tamimi (2002), in managing risk, commercial banks can follow comprehensive risk management process which includes eight (8) steps: exposure identification; data gathering and risk quantification; management objectives; product and control guidelines; risk management evaluation; strategy development; implementation; and performance evaluation (e.g. Baldoni, 2008; and Harrington and Niehaus, 2009).
2.2.3. Risk Identification
There are few conceptual studies on risk identification of financial institutions (e.g. Kromschroder and Luck, 2008; Luck 2008;; Pausenberger and Nassauer, 2000; Tchankova, 2002; Barton et al. 2002 ) and few empirical studies that include risk identification of banks (e.g. Al-Tamimi, 2002; Al-Tamimi and Al-Mazrooei, 2007). Risk identification is the first stage of risk management (Tchankova, 2002) and a very important step in risk management (Al-Tamimi and Al-Mazrooei, 2007). The first task of the risk management is to classify the corporate risks according to their different types (Pausenberger and Nassauer, 2000). The first step in organizing the implementation of the risk management function is to establish the crucial observation areas inside and outside the corporation (Kromschroder and Luck, 2008). Then, the departments and the employees must be assigned with responsibilities to identify specific risks. For instance, interest rate risks or foreign exchange risks are the main domain of the financial department. It is important to ensure that the risk management function is established throughout the whole corporation; i.e. apart from parent company, the subsidiaries too have to identify risks, analyze risks and so on.
Pausenberger and Nassauer (2000) also state that it is advisable for most corporations to implement early warning systems. An early warning system is a special information system enabling the management board to identify risks in time by observing the development of defined indicators (Luck, 2008). Other instruments that could be used to identify risks are checklists of possible disturbances or breakdowns, risk workshops, examination of corporate processes, internal inspections and interviews, loss balance, etc. It is advisable to make use of the knowledge and skill of external experts, for instance, forecasts of banks about the development of interest rates or foreign exchange rates. There are many other approaches for risk identification, for instance, scenario analysis or risk mapping. An organization can identify the frequency and severity of the risks through risk mapping which could assist the organization to stay away from high frequency and low severity risks and instead focus more on the low frequency and high severity risk. Risk identification process includes risk-ranking components where these ranking are usually based on impact, severity or dollar effects (Barton et al. 2002). According to him, the analysis helps to sort risk according to their importance and assists the management to develop risk management strategy to allocate resources efficiently.
2.3. Operational Risk
Operational Risk is one of the important arms of the risk management triangle -the other two being Credit Risk and Market (Treasury) Risk. Any organization, particularly in the banking sector, is squarely exposed to operational risks emanating within or outside the organization (Levine and Hoffman, 2004).
There was no precise definition of operational risk until Basel Accord II came into being in June 2004. Furthermore, for the first time in the history of global banking, operational in capital charge has been made a mandatory requirement in banking. This certainly puts in a lot of stress and strain on a bank's management.
Operational Risk is also known as Transaction Risk in some countries in order to efficiently face this new challenge in risk management, the prerequisites are -creation of risk culture and enterprise wide operational risk awareness. Proactive steps at all the levels of operation will operate as a safety value and in the process, may facilitate lower risk capital charge (Bagchi, 2006).
As it has been mentioned that until the release of Basel Accord II in June 2004, there was no universal definition of operational risk in banking (Anna et al., 2007) . It was generally believed that as ‘risk' would mean loss in any event or transaction, any risk other than credit risk and market risk would have to be reckoned as an operational risk, without the need of creating any separate identity for such risk. However this way of looking at operational risks is dangerously vague. Prof Hans Geiger, an international authority on risk management, has viewed operational risk from a direct angle and an indirect angle as under:
Indirect Angle: “Operational risks are all those risks which cannot e classified as credit risk or market risk.”
Direct Angle: “Operational risk is an expression of the danger of unexpected direct or indirect losses resulting from inadequate or failed internal processes, people and systems and from external events.”
Basel Accord II has laid down the following definition for adoption by the countries and hence this should be treated as a standard definition of operational risk:
Operational risk is “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputation risk.” (Bagchi, 2006)
2.3.1. Reasons for Increasing Focus on Operational Risk Management
* On - going spate ( sudden trend flow) of financial deregulation procedures due to globalization.
* Influence of technology and automation in managing business with other side effects.
* Complex organizational structures arising out of re - organization of business enterprises (e.g. merger/ de -merger etc.).
* Opportunities for business process outsourcing.
* Growing complexity of products/services, as banks now provide total business services and employ CRM (Customer Relationship Management) in their business activities.
* With liberalization and globalization, banks compete very hard with each other for business.
* Capital allocation for operational risks is a prime requisite for today's business organizations.
2.3.3. Operational Risk Vs Operations Risk
Operational Risk has a wider coverage wherein process, people, systems etc. of an organization are also considered. In general while operational risk is analogous to operations risk, in the context of risk management, they are not alike as will be evident from the following table:
Table 1: Distinction between Operational Risk and Operations Risk
According to the “Kenneth Swensen of Federal Reserve Bank of Chicago”, there is a clear demarcation between operational risk and operations risk, from the viewpoint of relative risk contents.
Operational risk should deserve special attention for an organization so that its procedures become fully Basel Accord II compliant.
He remark regarding Basel II is , “…… under Basel II, if you are not moving forward, you are losing ground”.
The distinctions are clearly mentioned below :
1. Operational Risk encompasses enterprise wide risk of loss arising out of inadequate, failed internal processes, people system or from external events.
1. Operations Risk encompasses risk by loss arising out of back office reconciling processes and does not generally cover front office functions.
2. Integrated risk management is the watch - dog of such risk management function in the organization
2. Internal audit Department usually manages such risks. It is the first line of defense.
3. Basel Accord II specifies capital charge computation based on three approaches evolved for the purpose.
3. There is no requirement for any specific capital charge.
4. The organization must prepare and periodically update on operational risk policy mentioning, and should frame a computation method of measurement of operational risk capital.
4. There is no need for any specific policy document since each organization is guided by its manual/ book of instruction.
5. Regulatory Authority under pillar II has the responsibilities to review enterprise wide operational risk management of the organization.
5. Regulatory Authorities do not have any Pillar II responsibility. They may review operation risk as an ingredient of operational risk.
6. Corporate Governance study must take into account operational risk management of an organization especially the effect of any human error/skill deficiency aspects.
6. Corporate Governance angle does no form part of operations risk.
2.3.4. Distinction between Operational Risk and Operational Crisis
Operational risk is an all - inclusive concept covering :-
Ø intra -organizational ( internal ) risks such as those related to people, processes and systems;
Ø external events such as natural calamities, terrorism etc.
In case of extreme external events such as natural catastrophes, there is no real distinction between operational risk and operations risk since such an event requires crisis management initiative. But a routine operational risk management dose requires operational crisis management to avert serious consequences.
The points of distinction are enumerated as under:
1. Operational Risk includes elements of Expected and unexpected (expected loss such as loss in process errors of say 0.1% of gross income).
1. Operational Crises covers only unexpected loss.
2. The continuity of business is not affected if some operational risk events do not have serious implications on organization's position (say, internal fraud of 0.1% of annual net profit).
2. An organization's continuity may be seriously affected if the crisis event is catastrophic.
3. Operational risk management dose not generally imply disaster recovery.
3. Operational crisis management generally involves disaster recovery.
4. Operational risk factors do not generally trigger off reputational risk (a minor processing error in a customer's savings account may not effect the bank's reputation).
4. Crisis event may sometimes (e.g. product failure, contamination etc., Union Carbide Gas leak incident in MP) triggers off reputational risk leading to fall in market share, equity share price etc.
5. Operational risk management in generally concerned with two phases:
5. Operational crisis management generally involves three phase;
6. Operational risk may not always turn out to be a danger.
6. Operational crisis is generally of a ‘moment of danger.'
2.3.5. Effective way of managing Operational Risk
Poor operational risk management, especially in the banking sector, may generate serious financial losses caused by
Ø external/internal fraud,
Ø system failure,
Ø and other related operational lapses.
Damage to a bank's reputation, even if it is a private bank, may also be severe.
Ø Effective operational risk management provides boosts sale by taking care of the following:
Ø It tends to minimize severity or frequency of operational risk loses.
Ø It creates a mechanism to optimize operational effectiveness throughout the bank.
Ø Various business portfolios are better managed if the processes, systems and procedures are sound, together with people strength.
Ø Strategic decision making by senior management is supported by a robust risk management system.
Ø It ensures business continuity, as there are high probabilities of unexpected operational events owing to changing trends and globalization.
Ø Capital allocation can be optimally utilized to the advantage of the bank.
2.3.6. Traditional Vs Modern Approach of Operational Risk Management
Traditional Operational Risk Management
Banks were managing operational risks in a traditional manner, going by the belief that such risks are really ‘residual' risks that remain after the dominant risks of credit risk and market risk have been taken care of .Hence meager attention was extended to managing operational risks.
Under the traditional approach, routine operational controls in banking were mainly through
Ø internal checks,
Ø balancing of ledgers,
Ø careful recruiting process etc.
Ø Audit and compliance aspects.
Ø Insurance against risks was resorted to where necessary.
Modern Operational Risk Management
Operational risk management in banking took the shape of modern approach with the release of Basel Accord II ( recommendations on banking laws and regulations ) in June'04.
Modern approach of operational risk management aims at creating and maintaining an effective operational risk management strategy. This approach involves the following elements:
Ø Realistic measurement framework on operational risk factors as against sole reliance on internal checks, auditors etc.
Ø Operational risk losses calculated and summarized on the basis of past loss data and estimate for the future forms the core of strategic decision making especially for developing a new product or for encouraging a new technology.
Ø Quantification of various operational risk factors facilitates optimal capital allocation.
Ø Staff skill development exercise on an regular basis enables better output with lesser probability of errors and losses.
2.3.7. Operational Risk: A Challenge to Financial Institutions and Regulators
Operational Risk exhibits more severity than Credit Risk, Market Risk & Liquidity Risk. Global Association of Risk Professionals (GARP) has also undertaken a number of new initiatives to educate the organizations about the Operational risk.
Operational Risk is capable of eroding the complete organization and can cause huge loss on the reliability factor of the financial company. As per GARP, Operational risk shall be the single largest risk facing the financial industry the world over by the year 2010. The most difficult part in managing operational risk is the fact that the threats and challenges can originate and spread at the speed of thought in operations of a Bank.
The financial industry is growing all over the world in spite of the poor economic indicators forcing stricter regulations, policies and thus prompts greater awareness of the various challenges faced by financial industry.
Operational risk ( especially for financial industry )should be placed at the highest level of attention in order to ensure smooth functioning of the organization as it can hamper the organization's future growth.
Regulators formulating the policies and regulations for effective management of operational risk are faced by the following challenges :-
Ø Ever changing requirements of policies.
Ø Policies are expensive to start and implement at the workplace.
Ø They also hamper the normal functioning of financial organization and requires trainings across all verticals.
Ø Employee and customer participation is difficult to managed.
2.3.8. Operational Risk and Financial Organizations
Advent of newer and convenient technology for various processes and tasks has made :-
Ø our financial system has become more susceptible to attacks by hackers and viruses.
The system needs to quarantined ( detained) for all possible leak holes and if found must be plugged immediately because of the following reasons :-
Ø The financial system is the backbone of economy for any country or region.
Ø It is the system that makes the economy grow and maintain its track.
Ø It is of prime importance that the operational risk at this industry must be managed with
With increasing level of pilferage at the financial system, the hard money of the customer and the reputation of the financial organization is at stake.
Operational risk management of a system can be effectively handled with
Ø continuous up gradation
Ø security walls for new threats
2.4. How to Manage Operational Risk
Operational risks management should be incorporated in all the functional areas of banks in order to trace potential sources of risks.
Management of Operational Risk by banks differs in the following respects :-
Ø Difference in ‘size' of the banks in question.
Ø Difference in ‘sophistication' of various bank's services and activities.
Ø Difference in infrastructural make-up of the predominant areas of operations.
Ø Difference in people skill-sets employed in banks.
Ø Difference in organizational culture of diverse banks.
The approaches to effective risk management adopted by various banks may be different, the principles to be followed by all the banks must be uniform in character.
Fundamental truths are principles which support any specific activity or group of activities to exhibit clarity in effective operational risk management.
In risk management, the following set of fundamental principles dominates the entire operating environment of an organization ( which is financial in character such as a bank) :-
Ø Close involvement of top level management should be at the policy formulation stage, and during the entire process of implementation along with periodic monitoring.
Ø Risk element in various segments within an organization may vary depending on the type of the intra - activities ( occurring within the organizational boundary).
Ø Severity and magnitude of risk must be documented, stating in clear terms the check points and safeguards to be adopted for effective risk management . It should also be ensured that check points and safeguards operate consistently and effectively, besides being flexible.
Ø While segregating and assigning duties to various personnel, clear lines of responsibility should be drawn.
Ø Staff accountability must be clearly pronounced so that various risk segments are handled are handled by various functionaries with full understanding and dedication, while also owning the responsibility for their actions.
Ø Risk areas need to be identified. Identified risks should be measured, monitored and controlled as per the needs and operating environment of the organization.
Ø A system of “internal risk audit” needs to be established which works in tandem with internal audit of financial accounts and provides regular risk audit feedback at periodic intervals..
Ø All the risk segments should operate in an integrated manner on an enterprise wide basis.
Ø ‘Risk Tolerance' limits for various categories must be in effectively implemented and ‘exception reports' should be generated on occurrence of certain exceptional events.
2.4.1. Operational risk can be divided into three functions:
§ Efficient and effective maintenance of business infrastructure mostly consists of
Ø information systems,
Ø security policy,
Ø internal controls
Ø risk management
§ Effective internal audit function,
Ø which includes assurance about
Ø integrity of information systems, compliance,
Ø effective internal controls, assurance and effective internal audit
§ Pricing of operational risk management, includes
Ø measurement of losses,
Ø pricing of operational risks for each line of business,
Ø RAROC ( Risk-adjusted Return on Capital) and measuring capital requirement
2.4.2. Operational Risk Policy
Policy document of any activity group of activities provides a broad framework for a specific course of action. It acts as a source of guidelines and procedures to be followed for effective risk management.
A bank must have a specific policy document for operational risks which should be duly approved by the board of directors.
In view with the requirements of Basel Accord I, operational risk is seen as an altogether ‘new dimension' for commercial banking.
The ten principles invoked by Base Committee act as corner stone for drafting policies which provides guidelines like :-
Ø One cannot have a ‘one-size-fits-all' operational risk policy that is appropriate for all the banks.
Ø Each bank should devise its policy document in its best judgment, with the sole purpose of ensuring identification, measurement and monitoring and control of its various categories of operational risks on an ongoing basis.
Mere codification of risk principles is not enough. They need to be implemented by a defined course of action.
Documented policies are necessary in view of the following :
Risk management activity must give appropriate weight age :-
Ø to the nature of each risk encountered,
Ø to the organization' s nature of business
Ø availability of skill sets,
Ø information systems.
Clear documentation of the operational risk factors should be provided to the personnel.
Operating instructions to deal with each factor is to be made to enable effective risk management.
Ø Methodology and models of risk evaluation should be in-built in the system.
Ø Action points for correction of deficiencies beyond tolerance levels must be provided in the policy.
Ø Appropriate management information system (MIS) is a perequisite for smooth and successful operation of risk management activities. Data collection, updating should be accurate and prompt.
Ø Organizational structure should be designed in such a manner that it fits into the organization's risk philosophy and risk appetite. Functional powers and responsibilities must be specified for the officials in charge of managing each risk segment.
Ø Back testing process must be installed. It incorporates quality and accuracy of risk measurement on actual basis as compared against model generated results and corrective actions are taken.
Ø Periodical review should to be undertaken to validate the risk mitigating tools of each segment and to initiate improvements where necessary.
Ø Provision of appropriate skills to various official dealing with risk management functions in the organization should be undertaken through in-house/external training programs.
Ø Policies should be in place to cover action points that are used to successfully handle a crisis situation which would have otherwise eluded planned safety nets by an organizational contingent planning system.
Critical activities involved in effective risk management are enumerated as follows :-
Ø Need for active monitoring vis-à-vis capacity in the situation of risking business volume.
Ø Extent of staff shortness vis-à-vis customer complaints.
Ø Work allocation to experienced staff versus temporary staff.
Ø Assessment of employee morale, judging by the number of resignations.
Ø Tracking and correcting errors and losses.
2.5. From Operational Resilience to Operational Excellence
With the ongoing dynamism of existing financial institutions, “Perfection will be tolerated, excellence is desired”, are the keywords today.
A structure and system for operational resilience is not sufficient enough, Banks need to migrate from Operational Resilience to Operational Excellence to effectively function in the long run ( profitability with survival ).
Financial organizations need to visualize the threats of tomorrow.
Operational Risk Management Policy should be sound in character.
Operational Risk Management Policy should be effective and have a profound effect on all functional areas of a bank.
Operation Risk Management should be robust and act as a non-pierce able wall of protection build around the operations of the organization.
Operational excellence is a situation where in the Bank/organization :-
Ø Has an in-built firewall which is difficult to break
Ø The firewall facilitates smooth operations of the Bank,
Ø The firewall is self updatable i.e., it updates on a regular basis for shielding the organization from the new risks originating from the business environment
Ø Has an effective mitigation policy in place to minimize loss due to the breach of security firewall of the financial organization.
2.5.1. Risk and resilience
The operational risk concept is in its nascent stage and the identification and control policies developed so far will need to be reviewed and updated continuously. Other financial risks including the credit risk, market risk, liquidity risk , forex risk have been understood in depth and effective models for their study are established. Their prediction, control and mitigation has reached a stage of maturity andthere are fewer new developments expected in these risks. The policies and regulations for handling such risks are in place and trained workforce is also available for management of these risks (Parsley 2006).
Operational risk poses a bigger and new challenge. The models developed so far may have effective in the past however it is possible that living with the same model may prove disastrous. It is also required to carry a balancing act for the economies of implementation of such systems and its pitfalls. BASEL II has provided a comprehensive list of guidelines for adherence to manage the operational risk, however the key question will be to restrict to those set of guidelines or taking a view of the fresh challenges daunting the financial industry (Parsley 2006).
2.6. BASEL II
The Basel Committee on Banking Supervision (BCBS) was established in 2004 as a subcommittee of the Bank for International Settlements (BIS). The main objective of the BCBS is the harmonisation of supervisory standards worldwide to strengthen the international banking sector.
In 2008 the BCBS developed and published the so-called 'Basel Capital Accord' (Basel I). In this capital framework the BCBS outlined the calculation of a target standard capital ratio in relation to a financial institution's credit risk exposures. While focusing exclusively on credit risk, the Committee identified that minimum capital charges ought to be designed to also cover other than credit risks (Bank for International Settlements 2008, p.2). In January 2001 the BCBS published the proposal for a new capital framework, 'The New Basel Capital Accord', commonly known as Basel II. One of the most significant changes from Basel I to Basel II was the introduction of a formal capital charge against operational risks in financial institutions. (Hans, 2000)
It explicitly recognized operational risk as a distinct class of risk, different from credit and markets risks, and as a significant contributor to a financial services bank's risk profile . The Basel II Accord proposed various approaches for measuring a bank's operational risk exposure. These approaches and their adoptions by banks have evolved over time and the levels of sophistication of methodologies under these approaches vary widely. (Navin and Godwin, 2009)
Basel Accord II, while inventing the new calls of risk-‘operational risk', rightly considered that the probability of loss from such risks should be sufficiently cushioned in banking by stipulating the requirement of an appropriate value of capital charge. Such a charge is assessed, not on any scientific bases as such, but more on a notional or guess basis. To that extent, the building of operational risk capital charge in a particular bank may not be constructed to be a real “buffer” or inadequate, either. But then, as risk remains in operational activities, the notional/guessed cover should serve some purpose any way, hence the emergence of the concept of capital charge for operational risk. Some highly sophisticated techno-savvy international banks assess operational risk coved based on their interbank performance that is judged on the basis of the following factors:
(i) Internal audit ratings
(ii) Pas Business Volume
(iii) Error rates and magnitude
(iv) Income volatility
The rationale for a capital charge against operational risks were the development of increasingly sophisticated financial products and technology in conjunction with increased numbers of high-profile losses in the finance industry, which could be attributed to poor operational risk management (Bank for International Settlements 2003b). In June 2004 the BCBS published the final version of Basel II, in which it refined its earlier recommendations regarding the calculation of an operational risk capital charge. (Hans, 2000)
2.6.1. Three Pillar Framework
The Basel Committee on Banking Supervision defines operational risk as “the risk of loss resulting from inadequate or failed processes, people and systems or from external events.
Three Pillar Framework advocates the following principals to be followed for effective operational risk capital framework :
Ø Pillar 1: Minimum regularity capital requirement for operational risk.
Ø Pillar 2: Supervisory review process should enforce a rigorous control environment to limit exposure to capital risk.
Ø Pillar 3: Market discipline requirements.
Pillar 1 concerns itself with quantification of operational risk capital charges.
Basel II Accord opposed three broad approaches which are enumerated as follows :-
Ø Basic indicator Approach : This is a method of computation of risk capital of banks on the specified indicator ( 15% of average gross income) calculated over previous three years.
BIA is actually the ‘default option' hence, there are no qualifying criteria. Banks which are not in a position to initially adopt a more sophisticated approach may follow this.
* Operational risk exposure is very loosely connected with income-total business -operating expenditure may still be a better indicators.
* Quality of operational risk management between two banks with approximately same level of income cannot be assessed.
* Operational risk assessment, as such, being complicated, effectiveness of such a simple method is very much in doubt.
* Standardized Approach: This is a method of computation of operational risk capital of banks that is arrived at by dividing the bank's activities into eight business lines and taking a specific percentage of gross income of each business and aggregating the same for a given year.
* The regulatory authority of the country should be convinced that the board of directors and senior management are actively involved in the bank's operational risk management.
* Bank's operational risk management system must be ‘conceptually sound' and implemented with integrity.
* Bank should have sufficient resources necessary for using the approach, control and audit aspects.
* Banks should have developed specific policies and criteria for mapping gross income for its business line as well as appropriate system of periodical review thereof.
* Assumption that operational risk varies proportionality to gross income is erroneous. When trading income is negative there is no capital charge, although the business line is quite risky.
* Banks adopting standardized approach may not derive any additional benefit since eventually operational risk percentage works out to 15%.
* A bank's higher/lower quality of operational risk management will not be reflected under this approach as it is not more risk sensitive than basic indicator approach.
* Advanced Measurement Approach (AMA): This is the method of computation of operational risk capital of banks based on estimates of unexpected losses using internal and external loss data, scenario analysis and bank specific business environment and internal control factors.
The computation of operational risk capital charge under AMA takes into account the following:
* Internal loss data of various units/sectors.
* Probability of loss event.
* Loss Given Event
The specific approval of regulatory authority of concerned country is to be obtained which may examine following aspects of the bank wishing to adopt the approach:
* The bank must have an independent operational risk functional framework responsible for the design and implementation of operational risk management that provides an appropriate control and reporting system.
* The bank's internal operational risk system must operate in such a manner that internal capital allocation and risk analysis is appropriately made and that it provides incentives for improved operational risk management.
* The bank must have a proper system in place to initiate appropriate action based on operational risk report.
There are qualifying criteria for banks to follow one of the above approaches and all the approaches can also be used in bank in different business-lines based on the qualification standards. (Navin and Godwin, 2009)
2.6.2. Approach to be followed by Banks in India
Of the aforesaid various approaches of operational risk capital charge computation, banks in India will follow initially basic indicator approach as per RBI advice. This appears to be based on the following factors:
* This approach is simple to operate while at the same time is a reasonable base for computing operational risk capital charge.
* Fundamental ingredient of 15% of gross income can be adopted conveniently under BIA, by banks in India.
* The approach provides for higher level of capital charge, as may be reflected through gross income levels of the bank, enabling the regulatory authorities in India to smoothly control banks under their jurisdiction.
* “The Operational Risk Management discipline is in an embryonic state”. Hence, till the system proves to be really effective, simple approach (BIA) may serve the purpose of banks in India in light of complexity, range of customers, national priorities, vast operational area etc. In Indian banking, an accurate demarcation of various business lines is difficult. Hence, BIA is most suitable for Indian Banking since it does not require bifurcation of gross income into various business lines as is enquired for more sophisticated approaches (Rey 2005).
2.7. Solvency II: Future Prospects for Operational Risk
Solvency II, a capital accord created in 2007 and revised in February 2008, will have far reaching effects on the insurance industry. This capital accord seeks not only to protect policyholders and beneficiaries but also to harmonize the insurance business across EU member states, which should reduce inconsistencies and opportunities for arbitrage between national markets. Its focus is on insurance groups rather than separate legal entities, and it applies to all life insurance, non-life insurance.
One important point to remember is that this capital accord draws heavily on Basel II for operational risk principles and practices. These include governance, risk and control self assessments, operational loss databases, key risk indicators (KRIs) and economic capital calculations. The Solvency II framework consists of three pillars, each covering a different aspect of the economic risks facing insurers. This three-pillar approach aims to align risk measurement and risk management. The first pillar relates to the quantitative requirement for insurers to understand the nature of their risk exposure. As such, insurers need to hold sufficient regulatory capital to ensure that (with a 99.5% probability over a one-year period) they are protected against adverse events. The second pillar deals with the qualitative aspects and sets out requirements for the governance and risk management of insurers. The third pillar focuses on disclosure and transparency requirements by seeking to harmonise reporting and provide insight into insurers' risk and return profiles.
2.7.1. The Importance of Operational Risk in Solvency II
Over the past few decades many insurers have capitalized on the market and have developed new business services for their clients. On the other hand, the operational risk that these insurers face have become more complex, more potentially devastating and more difficult to anticipate. Although operational risk is possibly the largest threat to the solvency of insurers, it is a relatively new risk category for them. It has been identified as a separate risk category in Solvency II. Operational risk is defined as the capital charge for ‘the risk of loss arising from inadequate or failed internal processes, people, systems or external events'. This definition is based on the underlying causes of such risks and seeks to identify why an operational risk loss happened. It also indicates that operational risk losses result from complex and non-linear interactions between risk and business processes.
2.8. Risk Mapping and Operational Risk
Risk mapping is the basis of operational risk as, unlike market and credit risks, it is not product specific. The market risk of a derivative contract depends strictly on the contract's features and on the relevant market risk factors. Once the deal is concluded, the underlying process, by and large, does not matter to the related market risk exposure. It is impossible, on the other hand, to analyse the operational risk in the trading activities of a bank without a thorough understanding of the whole trading process from initial negotiation to final accounting.
It is also not enough to analyse operational risk on a business unit basis. Although this may seem natural in the light of the need to allocate responsibility and reward performance and good behaviour, it will give a biased view of operational risk exposures and may even miss some of them altogether. In fact, failures in one part of the process can generate failures in others as well as materialize into losses within units that are organizationally separate, while being part of the same business process. Controls, on the other hand, are often performed by an organizational unit in order to prevent or detect failures happening elsewhere. In many cases, the organizational separation within the same process (segregation of duties) is a key control feature in itself. For a more general discussion on operational risk measurement's frameworks and methodologies, see Crouhy et al. (1998), van der Brink (2002) and Ebno¨ ther et al. (2003).
Risk mapping is an analysis tool whereby risk exposures are linked to the relevant parts of the business process. Designing this tool requires a methodology to identify and cover all the relevant risks. The mapping will then allow a bank to analyse the causes of operational failures as well as to link the consequent financial loss to the part of the organization at the origin of the problem. In turn, this will be the key step to a transparent measurement and reporting of the corresponding operational risk exposure as well as to foreseeing and acting upon (through internal controls and other management tools) those exposures that are not in line with the bank's risk appetite.
The role of KRIs is very relevant in the monitoring and in the forward-looking analysis of operational risk both in complementing any statistical analysis in areas where data are not readily available and in ensuring all information about the evolution of the risk and control environment is taken into account (Finlay, 2004; Vinella, 2004).
A KRI is an operational or financial variable that provides a reliable basis for estimating the likelihood and the severity of one or more operational risk events. It can be a specific causal variable as well as a proxy for the drivers of the events and/or the loss related to an operational risk. It can be strictly quantitative, like the turnover rate in a business unit or the number of settlement errors, or more qualitative, like the adequacy of system or the competence of personnel. It can be perfectly objective, like the number of hours of system downtime, or more subjective, like the overall complexity of a portfolio of derivatives. But in order to be useful, it will always have to be somehow linked to one of the risk drivers, or better to one of the mechanisms generating an operational failure.
It follows that indicators have to be regularly reviewed and updated by discarding those that have become irrelevant or redundant, changing the way key data are collected and processed and developing new ones according to the evolution of the risk and the control environment.
2.9. Risk Management and Current Financial Crisis
Widespread failures of bank risk management have been a defining characteristic of the current financial meltdown. Should we go further, however, and charge the risk management profession with major responsibility for the crisis?
To answer this question, we must first review how global wholesale finance has evolved in terms of risk management over the past quarter century. Over the past 25 years, the field of risk management spearheaded a revolution in banking. This revolution, built on academic theories of risk analysis and asset pricing and practical experience with exchange-traded derivatives, shifted the core businesses of leading banks and brokerage houses from lending and agency underwriting/execution toward risk intermediation and proprietary trading.
The revenue volatility associated with this new-look wholesale banking affected even the best firms, and failure to achieve economies of scale meant losses even in good years for many second- and third-tier competitors. But for a dozen or so industry leaders, risk intermediation and trading for their own account proved to be highly profitable.
One important source of dealer revenue was earning a bid-offer spread on transactions in financial assets. While spreads received per trade tended to shrink over time as technology improved and products matured, trading volumes exploded and costs per trade declined rapidly, helping support total revenue earned from this type of dealer business. Over time, however, an increasing proportion of revenue came from proprietary risk taking. Such "prop trading" was at first an outgrowth of dealers' intermediation in off-exchange products.
Client demands to buy or sell over time left a dealer with fluctuating asset positions, and the role of risk analysis and risk management expanded to help control the potential loss from that changing exposure.
Gradually, dealers learned how to add incremental revenue through (1) actively managing their risk positions (taking account of information from trading); (2) lending and syndication activities; and (3) monitoring and analysis of economic and market developments. As prop trading delivered strong profits, banks steadily expanded the risk on their books, further increasing &- gic importance of risk management
2.9.1. Evolving Practices
Over the past 15 years, as modern risk management proved it could improve the efficiency of trading books and as managers with trading experience moved into senior executive positions, banks extended formal portfolio risk analysis, to other lines of business, such as corporate and consumer lending and other types of risk (including credit, operational and fee-revenue risk). One key insight that emerged early on from comparative analysis of risk-adjusted returns of bank businesses was that when the cost of the risk associated with loans was correctly evaluated, lending to high-quality corporate borrowers was typically unprofitable.
Lending businesses required substantial equity capital, and, to make a profit in lending, banks needed a yield spread that covered the high risk premium bank shareholders looked to earn. However, it turned out that banks generally could not earn the necessary return lending to investment-grade borrowers at the spreads set by bond investors who owned corporate credit risk (directly and transparently).
Of course, investment-grade corporate credit was not the only problematic lending business for the banks. Analysis of risk-adjusted returns indicated that a large part of the direct lending done by banks was marginally profitable or unprofitable. Given the danger that loans could cause large losses to a bank in the event of a severe economic downturn, market spreads for a range of commercial and consumer loans arguably did not cover costs inclusive of the capital that a prudentIx- risk managed bank should use to support lending activities.
It is sometimes thought that banks securitized primarily to reduce regulatory capital requirements or to raise cash funding. While these factors certainly made securitization substantially more attractive, the underlying economics were compelling in any case: factoring in the cost of equity capital, it was a money-losing proposition for banks to hold commoditized loan assets. Moreover, securitization offered lower credit spreads to borrowers and higher risk-adjusted returns to investors.
By 2006-07, credit spreads had narrowed to such an extent that the risk-adjusted return to lending had become particularly unattractive for banks. Spreads are wider now, but so is the required risk premium return on bank equity. On balance, bank profitability and market share in loan markets seems to have improvedbut this is likely a cyclical fluctuation around an intact structural trend toward investors owning an increasing share of credit assets directly (rather than indirectly, through banks).
Even as they sought to reduce exposure to lending, dealer banks retained a comparative advantage in arranging, originating, syndicating and securitizing credit. If economies of scale were achieved, these activities not only allowed amortization of the costs of specialized and expensive staff resources but also used relatively small amounts of equity capital. So the same type of assessment of risk-adjusted returns that suggested direct lending was often more efficiently done by investors also highlighted the fact that the origination and distribution of risk assets could be a very attractive line of business.
Implementation of Basel II has been described as a long journey rather than a destination by itself. The journey is certainly tougher than we thought. Undoubtedly, it would require commitment of substantial capital and human sources on the part of banks and the supervisors. For banks, the main challenges appear to be the skills shortages and data inadequacies coupled with uncertainties regarding costs associated with implementation. It is a regulatory responsibility to encourage banks to have a phased implementation programme starting from a traditional baseline scenario of identification of operational risks, assessment, and awareness monitoring and integrating these elements over a period. Basel II implementation and operational risk mitigation process puts heavy burden on supervisors to detect problems in banks, to stay on top of the latest advances in risk management and to avoi
Cite This Dissertation
To export a reference to this article please select a referencing stye below: