CHAPTER 1: INTRODUCTION
Operational risk is defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” Financial markets in the last two decades have been marked by large-scale financial failures due to incompetence and fraud, such as Barings, Daiwa, Allied Irish Banks, Orange County and Enron, along with man-made and natural disasters, such as “9/11” and Hurricanes Andrew and Katrina. As a consequence, operational risk has been acknowledged to outweigh credit and market risks in importance.
Since 2001, the Basel Committee on Banking Supervision of the Bank for International Settlements has been requiring banks to set aside a regulatory capital amount that would cover potential operational loss. The capital amount must be evaluated on a one-year aggregated basis at a sufficiently high confidence level. Statistical tools are required to accurately assess the frequency and severity distributions.
The presence of so-called “low frequency/high severity” events poses problems for the modeling of operational risk and calls for models capable of capturing excessive heavy-tailedness in the data.
Operational risk is one of the important arms of the risk management triangle - the other two being Credit Risk and Market (Treasury) Risk. Any organization, particularly in the banking sector, is squarely exposed to operational risks emanating within or outside the organization.
[Figure: Risk Management Triangle, with corners Operational Risk, Credit Risk and Market (Treasury) Risk]
An operational risk capital charge is a mandatory requirement in the global banking sector. This puts a lot of stress and strain on a bank's management.
Operational Risk is also known as Transaction Risk in some countries.
To face this new challenge of operational risk in risk management efficiently, the prerequisites are as follows:
* creation of a risk culture;
* enterprise-wide operational risk awareness.
Proactive steps at all levels of operation should operate as a safety valve and, in the process, may in turn facilitate a lower risk capital charge.
Risk mapping is often mentioned both in describing various approaches to operational risk management and, in an audit context, in formulating the key steps to control self-assessment, as the cornerstone of the risk identification process. Yet there is little published guidance on how to perform it effectively and on how to ensure that the resulting map is indeed complete and consistent. In other words, although the term is widely used by bankers, auditors, regulators and consultants alike, and although all these professionals may even agree on what constitutes an acceptable final product, they will most likely give widely different explanations of how to get such a product, the resources needed and the costs involved.
Risk mapping is difficult for a number of reasons, all of which can be summarized by reminding ourselves that ‘the map is not the territory’. No matter how accurate and thorough our analysis is, what really goes on in the business is never exactly what is written in the manual. Here are just a few of the key dimensions:
1. People: Processes are affected by people, and people, no matter how formalized the process is, adapt, interpret and improvise in response to circumstances.
2. Specialization: Very few people really understand a specific business process and its interactions with other people and systems within the bank. When one of these people leaves or is just absent for a while, the potential for an operational failure appears.
3. Processes: Processes change all the time and any mapping becomes obsolete almost overnight after being completed.
In this research, I describe a methodology for the mapping of operational risk with the objective of identifying the risks inherent in the different steps of a business process, selecting the key risk indicators (KRIs) (Hoffman, 2002; Davis and Haubenstock, 2002) and designing the most appropriate control activities. In my approach, therefore, risk mapping is the basis for all the key components of operational risk management - identification, assessment, monitoring/reporting and control/mitigation - as defined by the Basel Committee on Banking Supervision (2003).
There is more than one way to map risks. The most common technique is probably the mapping on a probability/severity chart (Figure 1) so as to identify the key priorities for management. The result in most cases helps to distinguish between high severity/low frequency and high frequency/low severity losses, but in general gives no indication as to what management actions to take in order to change the existing risk profile. Another way is to map the risks to the phases of a business activity where they can occur and identify the key risk factors and drivers in the process. This leads to a somewhat more complex result, rich in qualitative information rather than in quantitative assessment, but giving very clear indications as to which parts of the process should be changed in order to make a difference to the overall risk exposure. It also allows for the identification of the KRIs that are more relevant to each risk exposure.
Pursuing the application of KRIs to operational risk assessment is suggested by the need to capture the various issues we find with purely statistical approaches as well as the impact that managerial decisions may have on the operational risk profile. In market and credit risk measurement, the key managerial decisions are taken in deciding portfolio composition, thereby affecting the resulting risk profile directly and in a manner that measurement models have no problem in capturing. In operational risk measurement, on the other hand, managerial decisions may affect the risk profile in a number of different ways (through changes in control procedures, systems, personnel, to name but a few), none of which any measurement model can capture in a simple and direct way. Statistical approaches in particular will be at a loss in taking into account such changes, as historical data will reflect a risk and control environment which by and large no longer exists. The requirement of the new Basel Accord (Basel Committee on Banking Supervision, 2004) - to base risk assessment on 5 years of historical data - if taken too literally will have banks generating risk capital charges on the basis of information largely unrelated to the current and, even less, the future risk and control environment.
1.3. Research Question:
To start with, this work will take a step back and ask the fundamental question: why do banks fail? Further, the work shall research the recommendations of BASEL II and will try to seek the answer to the question: will the BASEL II requirements make the systematic goals of safety and stability more achievable for banks/FIs? If yes, how? If no, how?
An appropriate “organizational structure” is a precondition for orderly management of any activity/group working within the purview of organizational capabilities. Operational risk management is all-pervasive in terms of the activities of an organization; e.g. if the ‘people’ factor in operational management is poorly managed in a bank, other activities of the bank, e.g. credit/market risk management, are likely to suffer. Similarly, legal aspects of any transaction/function, if loosely dealt with, increase the likelihood of loss to the organization.
Organizational structure for operational risk management needs to be compact and broad-based. The structure must be compatible with:
* an organization's size;
* the complexity of operations and area of operations;
* its risk appetite.
The area of operational risk management is a matter of discretion which comes under the purview of regulatory authorities/banks.
Through my research I have tried to form a clear and concise understanding of the BASEL II accord for banks/FIs from an operational risk perspective. The work shall also try to suggest the suitable customization of BASEL II recommendations and implications of the same for effectively managing operational risk. It may also lead to forecasting the emerging trends in operational risk and ways to mitigate the same.
1.5. Chapter Scheme
The chapter scheme of my dissertation is as follows:
Chapter 2: This chapter describes the literature review and the findings.
Chapter 3: This chapter describes research methodology and some of the variables included in empirical analysis.
Chapter 4: This chapter provides the basis of qualitative research.
Chapter 5: This chapter gives details of case studies analyzed for research purpose.
Chapter 6: This chapter discusses the analysis and the findings.
Chapter 7: This chapter includes the conclusion.
CHAPTER 2: LITERATURE REVIEW
Until very recently, it has been believed that banks are exposed to two main risks. In the order of importance they are credit risk (i.e., counterparty failure risk) and market risk (i.e., risk of loss due to changes in market indicators, such as equity prices, interest rates and exchange rates). Operational risk has been regarded as a mere part of “other” risks.
Operational risk is not a new concept for banks: operational losses have been reflected in banks' balance sheets for many decades. They occur in the banking industry every day. Operational risk affects the soundness and operating efficiency of all banking activities and all business units. We begin our discussion with an explanation of the notion of risk.
2.2. Risk and Risk Management
In the financial context, risk is the fundamental element that affects financial behavior. There is no unique or uniform definition of risk: different financial institutions may define risk slightly differently, depending on the specifics of their banking structure, operations and investment strategies. The definition of risk also depends on the context.
In the economics literature, risk is generally not necessarily a negative concept, and is understood as uncertainty about the future or the dispersion of actual from expected results. In the context of business investment, risk is the volatility of expected future cash-flows (measured, for example, by the standard deviation), and in the context of the Capital Asset Pricing Model (CAPM) it is the risk of asset price volatility due to market-related factors and is captured by β. Such definitions do not exclude the possibility of positive outcomes. Hence, for operational risk we need a different definition.
For the purposes of operational risk modeling and analysis, the definitions from insurance are more appropriate, as the notion of risk in insurance has a negative meaning attached to it. Risk is perceived as the probability and impact of a negative deviation, the probability or potential of sustaining a loss, “a condition in which there is a possibility of an adverse deviation from a desired outcome that is expected or hoped for”, or “an expression of the danger that the effective future outcome will deviate from the expected or planned outcome in a negative way”. As the next step, we need to distinguish operational risk from other categories of financial risk.
A comprehensive framework of risk management is applicable equally to all types of bank (Iqbal and Mirakhor, 2007). The process of risk management is a two (2) step process. The first is to identify the source of the risk, i.e. to identify the leading variables causing the risk. The second is to devise methods to quantify the risk using mathematical models, in order to understand the risk profile of the instrument.
Once a general framework of risk identification and management is developed, the techniques can be applied to different situations, products, instruments and institutions.
It is crucial for all banks to have a comprehensive risk management framework, as there is growing realization among IBs that sustainable growth critically depends on the development of a comprehensive risk management framework (Greuning and Iqbal, 2007).
A robust risk management framework can help banks to reduce their exposure to risks, and enhance their ability to compete in the market (Iqbal and Mirakhor, 2007). A reduction in each institution's exposure will reduce the systemic risk as well. Hence, it is necessary that banks have in place a comprehensive risk management and reporting process to identify, measure, monitor, manage, report and control different categories of risks.
2.2.1. Understanding Risk and Risk Management
It is important for staff of banking institutions to understand the aspect of risk in banking operations and the risks that are inherent and exposed in their business operations. A better understanding of risk management is also necessary, especially in financial intermediation activities, where managing risk is one of the important activities. A study conducted by Boston Consulting Group (2001) found that the sole determining success factor is not technical development but the ability to understand risk strategically and also the ability to handle and control risk organizationally. Secondly, in order to realize a risk-based management philosophy, the attitude and mindset of the employees need to be changed, whereby they must be brought to understand that managing risk is crucial for success. This implies that there must be intensive training, clearly defined structures and responsibilities, as well as commitment to change. In addition, it was identified that banks in North America and Australia concentrate on risk management primarily to enhance their competitive positions. Meanwhile, in Europe, Asia and particularly in South America, risk management is considered primarily from the perspective of regulatory requirements.
Then, Al-Tamimi and Al-Mazrooei (2007) found that UAE banks' staff have a good understanding of risk and risk management, which might give an indication of the ability of these banks to manage risks efficiently in the future. Moreover, understanding risk and risk management had a positive effect on risk management practice, although it is insignificant.
2.2.2. Requirement for Risk Management
A risk management framework is important for banks. The risk management strategy must be integrated with the bank's overall corporate strategies (e.g. Froot and Stein, 2004). In conjunction with the underlying frameworks, the basic risk management process that is generally accepted is the practice of identifying, analysing, measuring, and defining the desired risk level through risk control and risk transfer. BCBS (2001) defines financial risk management as a sequence of four (4) processes: (1) the identification of events into one or more broad categories of market, credit, operational and other risks and into specific sub-categories; (2) the assessment of risks using data and a risk model; (3) the monitoring and reporting of the risk assessments on a timely basis; and (4) the control of these risks by senior management. BCBS (2006), on risk management processes, requires supervisors to be satisfied that the banks and their banking groups have in place a comprehensive risk management process. This would include the Board and senior management identifying, evaluating, monitoring and controlling or mitigating all material risks and assessing their overall capital adequacy in relation to their risk profile. In addition, as suggested by Al-Tamimi (2002), in managing risk, commercial banks can follow a comprehensive risk management process which includes eight (8) steps: exposure identification; data gathering and risk quantification; management objectives; product and control guidelines; risk management evaluation; strategy development; implementation; and performance evaluation (e.g. Baldoni, 2008; and Harrington and Niehaus, 2009).
2.2.3. Risk Identification
There are few conceptual studies on risk identification of financial institutions (e.g. Kromschroder and Luck, 2008; Luck, 2008; Pausenberger and Nassauer, 2000; Tchankova, 2002; Barton et al., 2002) and few empirical studies that include risk identification of banks (e.g. Al-Tamimi, 2002; Al-Tamimi and Al-Mazrooei, 2007). Risk identification is the first stage of risk management (Tchankova, 2002) and a very important step in risk management (Al-Tamimi and Al-Mazrooei, 2007). The first task of risk management is to classify the corporate risks according to their different types (Pausenberger and Nassauer, 2000). The first step in organizing the implementation of the risk management function is to establish the crucial observation areas inside and outside the corporation (Kromschroder and Luck, 2008). Then, the departments and the employees must be assigned responsibilities to identify specific risks. For instance, interest rate risks or foreign exchange risks are the main domain of the financial department. It is important to ensure that the risk management function is established throughout the whole corporation; i.e. apart from the parent company, the subsidiaries too have to identify risks, analyze risks and so on.
Pausenberger and Nassauer (2000) also state that it is advisable for most corporations to implement early warning systems. An early warning system is a special information system enabling the management board to identify risks in time by observing the development of defined indicators (Luck, 2008). Other instruments that could be used to identify risks are checklists of possible disturbances or breakdowns, risk workshops, examination of corporate processes, internal inspections and interviews, loss balance, etc. It is advisable to make use of the knowledge and skill of external experts, for instance, forecasts of banks about the development of interest rates or foreign exchange rates. There are many other approaches for risk identification, for instance, scenario analysis or risk mapping. An organization can identify the frequency and severity of the risks through risk mapping, which could assist the organization to stay away from high frequency and low severity risks and instead focus more on the low frequency and high severity risk. The risk identification process includes risk-ranking components where these rankings are usually based on impact, severity or dollar effects (Barton et al., 2002). According to them, the analysis helps to sort risks according to their importance and assists the management to develop a risk management strategy to allocate resources efficiently.
2.3. Operational Risk
Operational Risk is one of the important arms of the risk management triangle - the other two being Credit Risk and Market (Treasury) Risk. Any organization, particularly in the banking sector, is squarely exposed to operational risks emanating within or outside the organization (Levine and Hoffman, 2004).
There was no precise definition of operational risk until Basel Accord II came into being in June 2004. Furthermore, for the first time in the history of global banking, an operational risk capital charge has been made a mandatory requirement in banking. This certainly puts a lot of stress and strain on a bank's management.
Operational Risk is also known as Transaction Risk in some countries. In order to efficiently face this new challenge in risk management, the prerequisites are creation of a risk culture and enterprise-wide operational risk awareness. Proactive steps at all the levels of operation will operate as a safety valve and, in the process, may facilitate a lower risk capital charge (Bagchi, 2006).
As has been mentioned, until the release of Basel Accord II in June 2004 there was no universal definition of operational risk in banking (Anna et al., 2007). It was generally believed that as ‘risk’ would mean loss in any event or transaction, any risk other than credit risk and market risk would have to be reckoned as an operational risk, without the need of creating any separate identity for such risk. However, this way of looking at operational risks is dangerously vague. Prof Hans Geiger, an international authority on risk management, has viewed operational risk from a direct angle and an indirect angle as under:
Indirect Angle: “Operational risks are all those risks which cannot be classified as credit risk or market risk.”
Direct Angle: “Operational risk is an expression of the danger of unexpected direct or indirect losses resulting from inadequate or failed internal processes, people and systems and from external events.”
Basel Accord II has laid down the following definition for adoption by the countries and hence this should be treated as a standard definition of operational risk:
Operational risk is “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputation risk.” (Bagchi, 2006)
2.3.1. Reasons for Increasing Focus on Operational Risk Management
* Ongoing spate (sudden trend flow) of financial deregulation procedures due to globalization.
* Influence of technology and automation in managing business with other side effects.
* Complex organizational structures arising out of re-organization of business enterprises (e.g. merger/de-merger etc.).
* Opportunities for business process outsourcing.
* Growing complexity of products/services, as banks now provide total business services and employ CRM (Customer Relationship Management) in their business activities.
* With liberalization and globalization, banks compete very hard with each other for business.
* Capital allocation for operational risks is a prime requisite for today's business organizations.
2.3.3. Operational Risk Vs Operations Risk
Operational Risk has a wider coverage wherein process, people, systems etc. of an organization are also considered. In general, while operational risk is analogous to operations risk, in the context of risk management they are not alike, as will be evident from Table 1.
According to Kenneth Swensen of the Federal Reserve Bank of Chicago, there is a clear demarcation between operational risk and operations risk, from the viewpoint of relative risk contents.
Operational risk should deserve special attention for an organization so that its procedures become fully Basel Accord II compliant.
His remark regarding Basel II is, “… under Basel II, if you are not moving forward, you are losing ground”.
The distinctions are clearly mentioned below:
Table 1: Distinction between Operational Risk and Operations Risk

| No. | Operational Risk | Operations Risk |
| --- | --- | --- |
| 1 | Operational Risk encompasses the enterprise-wide risk of loss arising out of inadequate or failed internal processes, people and systems, or from external events. | Operations Risk encompasses the risk of loss arising out of back office reconciling processes and does not generally cover front office functions. |
| 2 | Integrated risk management is the watchdog of such a risk management function in the organization. | The Internal Audit Department usually manages such risks. It is the first line of defense. |
| 3 | Basel Accord II specifies capital charge computation based on three approaches evolved for the purpose. | There is no requirement for any specific capital charge. |
| 4 | The organization must prepare and periodically update an operational risk policy, and should frame a computation method for measurement of operational risk capital. | There is no need for any specific policy document, since each organization is guided by its manual/book of instruction. |
| 5 | The Regulatory Authority under Pillar II has the responsibility to review enterprise-wide operational risk management of the organization. | Regulatory Authorities do not have any Pillar II responsibility. They may review operations risk as an ingredient of operational risk. |
| 6 | A Corporate Governance study must take into account the operational risk management of an organization, especially the effect of any human error/skill deficiency aspects. | The Corporate Governance angle does not form part of operations risk. |
2.3.4. Distinction between Operational Risk and Operational Crisis
Operational risk is an all-inclusive concept covering:
* intra-organizational (internal) risks such as those related to people, processes and systems;
* external events such as natural calamities, terrorism etc.
In case of extreme external events such as natural catastrophes, there is no real distinction between operational risk and operations risk, since such an event requires a crisis management initiative. But routine operational risk management does require operational crisis management to avert serious consequences.
The points of distinction are enumerated as under:

| No. | Operational Risk | Operational Crisis |
| --- | --- | --- |
| 1 | Operational Risk includes elements of expected and unexpected loss (expected loss such as loss in process errors of, say, 0.1% of gross income). | Operational Crisis covers only unexpected loss. |
| 2 | The continuity of business is not affected if some operational risk events do not have serious implications for the organization's position (say, internal fraud of 0.1% of annual net profit). | An organization's continuity may be seriously affected if the crisis event is catastrophic. |
| 3 | Operational risk management does not generally imply disaster recovery. | Operational crisis management generally involves disaster recovery. |
| 4 | Operational risk factors do not generally trigger off reputational risk (a minor processing error in a customer's savings account may not affect the bank's reputation). | A crisis event may sometimes (e.g. product failure, contamination etc., Union Carbide Gas leak incident in MP) trigger off reputational risk, leading to a fall in market share, equity share price etc. |
| 5 | Operational risk management is generally concerned with two phases: | Operational crisis management generally involves three phases; |
| 6 | Operational risk may not always turn out to be a danger. | Operational crisis is generally a ‘moment of danger.’ |
2.3.5. Effective way of managing Operational Risk
Poor operational risk management, especially in the banking sector, may generate serious financial losses caused by:
* external/internal fraud,
* system failure,
* and other related operational lapses.
Damage to a bank's reputation, even if it is a private bank, may also be severe.
Effective operational risk management provides a boost to sales by taking care of the following:
* It tends to minimize the severity or frequency of operational risk losses.
* It creates a mechanism to optimize operational effectiveness throughout the bank.
* Various business portfolios are better managed if the processes, systems and procedures are sound, together with people strength.
* Strategic decision making by senior management is supported by a robust risk management system.
* It ensures business continuity, as there are high probabilities of unexpected operational events owing to changing trends and globalization.
* Capital allocation can be optimally utilized to the advantage of the bank.
2.3.6. Traditional Vs Modern Approach of Operational Risk Management
Traditional Operational Risk Management
Banks were managing operational risks in a traditional manner, going by the belief that such risks are really ‘residual’ risks that remain after the dominant risks of credit risk and market risk have been taken care of. Hence meager attention was extended to managing operational risks.
Under the traditional approach, routine operational controls in banking were mainly through:
* internal checks,
* balancing of ledgers,
* careful recruiting process etc.,
* audit and compliance aspects.
* Insurance against risks was resorted to where necessary.
Modern Operational Risk Management
Operational risk management in banking took the shape of the modern approach with the release of Basel Accord II (recommendations on banking laws and regulations) in June 2004.
The modern approach to operational risk management aims at creating and maintaining an effective operational risk management strategy. This approach involves the following elements:
* A realistic measurement framework for operational risk factors, as against sole reliance on internal checks, auditors etc.
* Operational risk losses, calculated and summarized on the basis of past loss data and estimates for the future, form the core of strategic decision making, especially for developing a new product or for encouraging a new technology.
* Quantification of various operational risk factors facilitates optimal capital allocation.
* Staff skill development exercises on a regular basis enable better output with a lesser probability of errors and losses.
2.3.7. Operational Risk: A Challenge to Financial Institutions and Regulators
Operational Risk exhibits more severity than Credit Risk, Market Risk and Liquidity Risk. The Global Association of Risk Professionals (GARP) has also undertaken a number of new initiatives to educate organizations about operational risk.
Operational Risk is capable of eroding the complete organization and can cause a huge loss on the reliability factor of the financial company. As per GARP, operational risk shall be the single largest risk facing the financial industry the world over by the year 2010. The most difficult part in managing operational risk is the fact that the threats and challenges can originate and spread at the speed of thought in the operations of a bank.
The financial industry is growing all over the world in spite of the poor economic indicators, forcing stricter regulations and policies and thus prompting greater awareness of the various challenges faced by the financial industry.
Operational risk (especially for the financial industry) should be placed at the highest level of attention in order to ensure smooth functioning of the organization, as it can hamper the organization's future growth.
Regulators formulating the policies and regulations for effective management of operational risk are faced with the following challenges:
* Ever-changing requirements of policies.
* Policies are expensive to start and implement at the workplace.
* They also hamper the normal functioning of financial organizations and require training across all verticals.
* Employee and customer participation is difficult to manage.
2.3.8. Operational Risk and Financial Organizations
The advent of newer and more convenient technology for various processes and tasks has made our financial system more susceptible to attacks by hackers and viruses.
The system needs to be quarantined (detained) for all possible leak holes, and any that are found must be plugged immediately, for the following reasons:
* The financial system is the backbone of the economy for any country or region.
* It is the system that makes the economy grow and maintain its track.
* It is of prime importance that the operational risk at this industry must be managed with
With the increasing level of pilferage in the financial system, the hard money of the customer and the reputation of the financial organization are at stake.
Operational risk management of a system can be effectively handled with:
* continuous upgradation
* security walls for new threats
2.4. How to Manage Operational Risk
Operational risks management should be incorporated in all the functional areas of banks in order to trace potential sources of risks.
Management of Operational Risk by banks differs in the following respects :-
Ø Difference in ‘size' of the banks in question.
Ø Difference in ‘sophistication' of various bank's services and activities.
Ø Difference in infrastructural make-up of the predominant areas of operations.
Ø Difference in people skill-sets employed in banks.
Ø Difference in organizational culture of diverse banks.
The approaches to effective risk management adopted by various banks may be different, the principles to be followed by all the banks must be uniform in character.
Fundamental truths are principles which support any specific activity or group of activities to exhibit clarity in effective operational risk management.
In risk management, the following set of fundamental principles dominates the entire operating environment of an organization (which is financial in character, such as a bank) :-
Ø Close involvement of top level management should be at the policy formulation stage, and during the entire process of implementation along with periodic monitoring.
Ø Risk element in various segments within an organization may vary depending on the type of the intra-activities (occurring within the organizational boundary).
Ø Severity and magnitude of risk must be documented, stating in clear terms the check points and safeguards to be adopted for effective risk management. It should also be ensured that check points and safeguards operate consistently and effectively, besides being flexible.
Ø While segregating and assigning duties to various personnel, clear lines of responsibility should be drawn.
Ø Staff accountability must be clearly pronounced so that various risk segments are handled by various functionaries with full understanding and dedication, while also owning the responsibility for their actions.
Ø Risk areas need to be identified. Identified risks should be measured, monitored and controlled as per the needs and operating environment of the organization.
Ø A system of “internal risk audit” needs to be established which works in tandem with internal audit of financial accounts and provides regular risk audit feedback at periodic intervals.
Ø All the risk segments should operate in an integrated manner on an enterprise wide basis.
Ø ‘Risk Tolerance' limits for various categories must be effectively implemented and ‘exception reports' should be generated on occurrence of certain exceptional events.
2.4.1. Operational risk can be divided into three functions:
§ Efficient and effective maintenance of business infrastructure mostly consists of
Ø information systems,
Ø security policy,
Ø internal controls
Ø risk management
§ Effective internal audit function, which includes assurance about
Ø integrity of information systems, compliance,
Ø effective internal controls, assurance and effective internal audit
§ Pricing of operational risk management, includes
Ø measurement of losses,
Ø pricing of operational risks for each line of business,
Ø RAROC (Risk-adjusted Return on Capital) and measuring capital requirement
2.4.2. Operational Risk Policy
The policy document of any activity or group of activities provides a broad framework for a specific course of action. It acts as a source of guidelines and procedures to be followed for effective risk management.
A bank must have a specific policy document for operational risks which should be duly approved by the board of directors.
In view of the requirements of Basel Accord I, operational risk is seen as an altogether ‘new dimension' for commercial banking.
The ten principles invoked by the Basel Committee act as a cornerstone for drafting policies and provide guidelines like :-
Ø One cannot have a ‘one-size-fits-all' operational risk policy that is appropriate for all the banks.
Ø Each bank should devise its policy document in its best judgment, with the sole purpose of ensuring identification, measurement and monitoring and control of its various categories of operational risks on an ongoing basis.
Mere codification of risk principles is not enough. They need to be implemented by a defined course of action.
Documented policies are necessary in view of the following :
Risk management activity must give appropriate weightage :-
Ø to the nature of each risk encountered,
Ø to the organization's nature of business
Ø availability of skill sets,
Ø information systems.
Clear documentation of the operational risk factors should be provided to the personnel.
Operating instructions to deal with each factor are to be made to enable effective risk management.
Ø Methodology and models of risk evaluation should be in-built in the system.
Ø Action points for correction of deficiencies beyond tolerance levels must be provided in the policy.
Ø Appropriate management information system (MIS) is a prerequisite for smooth and successful operation of risk management activities. Data collection and updating should be accurate and prompt.
Ø Organizational structure should be designed in such a manner that it fits into the organization's risk philosophy and risk appetite. Functional powers and responsibilities must be specified for the officials in charge of managing each risk segment.
Ø Back testing process must be installed. It incorporates quality and accuracy of risk measurement on actual basis as compared against model generated results and corrective actions are taken.
Ø Periodical review should be undertaken to validate the risk mitigating tools of each segment and to initiate improvements where necessary.
Ø Provision of appropriate skills to various officials dealing with risk management functions in the organization should be undertaken through in-house/external training programs.
Ø Policies should be in place to cover action points that are used to successfully handle a crisis situation which would have otherwise eluded planned safety nets by an organizational contingent planning system.
Critical activities involved in effective risk management are enumerated as follows :-
Ø Need for active monitoring vis-à-vis capacity in the situation of rising business volume.
Ø Extent of staff shortage vis-à-vis customer complaints.
Ø Work allocation to experienced staff versus temporary staff.
Ø Assessment of employee morale, judging by the number of resignations.
Ø Tracking and correcting errors and losses.
2.5. From Operational Resilience to Operational Excellence
With the ongoing dynamism of existing financial institutions, “Perfection will be tolerated, excellence is desired”, are the keywords today.
A structure and system for operational resilience is not sufficient; banks need to migrate from Operational Resilience to Operational Excellence to function effectively in the long run (profitability with survival).
Financial organizations need to visualize the threats of tomorrow.
Operational Risk Management Policy should be sound in character.
Operational Risk Management Policy should be effective and have a profound effect on all functional areas of a bank.
Operational Risk Management should be robust and act as a non-pierceable wall of protection built around the operations of the organization.
Operational excellence is a situation wherein the Bank/organization :-
Ø Has an in-built firewall which is difficult to break
Ø The firewall facilitates smooth operations of the Bank,
Ø The firewall is self updatable i.e., it updates on a regular basis for shielding the organization from the new risks originating from the business environment
Ø Has an effective mitigation policy in place to minimize loss due to the breach of security firewall of the financial organization.
2.5.1. Risk and resilience
The operational risk concept is in its nascent stage and the identification and control policies developed so far will need to be reviewed and updated continuously. Other financial risks including credit risk, market risk, liquidity risk and forex risk have been understood in depth and effective models for their study are established. Their prediction, control and mitigation have reached a stage of maturity and there are fewer new developments expected in these risks. The policies and regulations for handling such risks are in place and a trained workforce is also available for management of these risks (Parsley 2006).
Operational risk poses a bigger and new challenge. The models developed so far may have been effective in the past; however, it is possible that living with the same model may prove disastrous. A balancing act is also required between the economies of implementing such systems and their pitfalls. BASEL II has provided a comprehensive list of guidelines to adhere to in managing operational risk; however, the key question will be whether to restrict oneself to that set of guidelines or to take a view of the fresh challenges daunting the financial industry (Parsley 2006).
2.6. BASEL II
The Basel Committee on Banking Supervision (BCBS) was established in 2004 as a subcommittee of the Bank for International Settlements (BIS). The main objective of the BCBS is the harmonisation of supervisory standards worldwide to strengthen the international banking sector.
In 2008 the BCBS developed and published the so-called 'Basel Capital Accord' (Basel I). In this capital framework the BCBS outlined the calculation of a target standard capital ratio in relation to a financial institution's credit risk exposures. While focusing exclusively on credit risk, the Committee identified that minimum capital charges ought to be designed to also cover other than credit risks (Bank for International Settlements 2008, p.2). In January 2001 the BCBS published the proposal for a new capital framework, 'The New Basel Capital Accord', commonly known as Basel II. One of the most significant changes from Basel I to Basel II was the introduction of a formal capital charge against operational risks in financial institutions. (Hans, 2000)
It explicitly recognized operational risk as a distinct class of risk, different from credit and market risks, and as a significant contributor to a financial services bank's risk profile. The Basel II Accord proposed various approaches for measuring a bank's operational risk exposure. These approaches and their adoptions by banks have evolved over time and the levels of sophistication of methodologies under these approaches vary widely. (Navin and Godwin, 2009)
Basel Accord II, while inventing the new class of risk, ‘operational risk', rightly considered that the probability of loss from such risks should be sufficiently cushioned in banking by stipulating the requirement of an appropriate value of capital charge. Such a charge is assessed, not on any scientific basis as such, but more on a notional or guess basis. To that extent, the building of operational risk capital charge in a particular bank may not be construed to be a real “buffer” or inadequate, either. But then, as risk remains in operational activities, the notional/guessed cover should serve some purpose anyway, hence the emergence of the concept of capital charge for operational risk. Some highly sophisticated techno-savvy international banks assess operational risk cover based on their interbank performance that is judged on the basis of the following factors:
(i) Internal audit ratings
(ii) Past Business Volume
(iii) Error rates and magnitude
(iv) Income volatility
The rationale for a capital charge against operational risks was the development of increasingly sophisticated financial products and technology in conjunction with increased numbers of high-profile losses in the finance industry, which could be attributed to poor operational risk management (Bank for International Settlements 2003b). In June 2004 the BCBS published the final version of Basel II, in which it refined its earlier recommendations regarding the calculation of an operational risk capital charge. (Hans, 2000)
2.6.1. Three Pillar Framework
The Basel Committee on Banking Supervision defines operational risk as “the risk of loss resulting from inadequate or failed processes, people and systems or from external events.”
Three Pillar Framework advocates the following principles to be followed for effective operational risk capital framework :
Ø Pillar 1: Minimum regulatory capital requirement for operational risk.
Ø Pillar 2: Supervisory review process should enforce a rigorous control environment to limit exposure to capital risk.
Ø Pillar 3: Market discipline requirements.
Pillar 1 concerns itself with quantification of operational risk capital charges.
Basel II Accord proposed three broad approaches which are enumerated as follows :-
Ø Basic Indicator Approach (BIA): This is a method of computation of risk capital of banks on the specified indicator (15% of average gross income) calculated over previous three years.
BIA is actually the ‘default option' hence, there are no qualifying criteria. Banks which are not in a position to initially adopt a more sophisticated approach may follow this.
* Operational risk exposure is very loosely connected with income; total business or operating expenditure may still be better indicators.
* Quality of operational risk management between two banks with approximately same level of income cannot be assessed.
* Operational risk assessment, as such, being complicated, effectiveness of such a simple method is very much in doubt.
Ø Standardized Approach: This is a method of computation of operational risk capital of banks that is arrived at by dividing the bank's activities into eight business lines and taking a specific percentage of gross income of each business and aggregating the same for a given year.
* The regulatory authority of the country should be convinced that the board of directors and senior management are actively involved in the bank's operational risk management.
* Bank's operational risk management system must be ‘conceptually sound' and implemented with integrity.
* Bank should have sufficient resources necessary for using the approach, control and audit aspects.
* Banks should have developed specific policies and criteria for mapping gross income for its business line as well as appropriate system of periodical review thereof.
* Assumption that operational risk varies proportionally with gross income is erroneous. When trading income is negative there is no capital charge, although the business line is quite risky.
* Banks adopting standardized approach may not derive any additional benefit since eventually operational risk percentage works out to 15%.
* A bank's higher/lower quality of operational risk management will not be reflected under this approach as it is not more risk sensitive than basic indicator approach.
Ø Advanced Measurement Approach (AMA): This is the method of computation of operational risk capital of banks based on estimates of unexpected losses using internal and external loss data, scenario analysis and bank specific business environment and internal control factors.
The computation of operational risk capital charge under AMA takes into account the following:
* Internal loss data of various units/sectors.
* Probability of loss event.
* Loss Given Event
The specific approval of regulatory authority of concerned country is to be obtained which may examine following aspects of the bank wishing to adopt the approach:
* The bank must have an independent operational risk functional framework responsible for the design and implementation of operational risk management that provides an appropriate control and reporting system.
* The bank's internal operational risk system must operate in such a manner that internal capital allocation and risk analysis is appropriately made and that it provides incentives for improved operational risk management.
* The bank must have a proper system in place to initiate appropriate action based on operational risk report.
There are qualifying criteria for banks to follow one of the above approaches, and all the approaches can also be used in a bank in different business lines based on the qualification standards. (Navin and Godwin, 2009)
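The Basic Indicator and Standardized computations described above, worked through in Python as an added example that is not part of the original text. The 15% factor comes from the text; the per-line percentages are the Basel II framework's beta factors, which the text does not list, and the income figures (in millions) are constructed.

```python
"""Operational risk capital under the Basic Indicator Approach (BIA) and the
Standardized Approach. Added illustration; SAMPLE_BANK is constructed data."""
from typing import Dict, List

ALPHA = 0.15  # BIA factor: 15% of gross income, as stated in the text

# Percentage (beta) applied to the gross income of each of the eight business
# lines under the Basel II framework; not listed in the text above.
BETAS: Dict[str, float] = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}

YearlyIncome = Dict[str, float]  # business line -> gross income for one year

# Constructed sample: three years; the trading desk loses money in year 2.
SAMPLE_BANK: List[YearlyIncome] = [
    {"retail_banking": 400, "commercial_banking": 300,
     "trading_and_sales": 200, "payment_and_settlement": 100},
    {"retail_banking": 420, "commercial_banking": 310,
     "trading_and_sales": -150, "payment_and_settlement": 110},
    {"retail_banking": 450, "commercial_banking": 320,
     "trading_and_sales": 250, "payment_and_settlement": 120},
]


def bia_charge(total_gross_income: List[float]) -> float:
    """15% of gross income, averaged over the years in which it was positive.

    Years with zero or negative gross income are dropped from both the sum
    and the divisor.
    """
    positive = [gi for gi in total_gross_income if gi > 0]
    if not positive:
        return 0.0
    return ALPHA * sum(positive) / len(positive)


def line_contributions(year: YearlyIncome) -> Dict[str, float]:
    """Beta-weighted gross income of each business line for one year."""
    unknown = set(year) - set(BETAS)
    if unknown:
        raise ValueError(f"unknown business line(s): {sorted(unknown)}")
    return {line: BETAS[line] * gi for line, gi in year.items()}


def tsa_charge(years: List[YearlyIncome]) -> float:
    """Three-year average of the summed line charges.

    Within a year a loss-making line offsets the others; the yearly total is
    floored at zero before averaging.
    """
    if len(years) != 3:
        raise ValueError("the Standardized Approach uses three years of data")
    yearly = [max(sum(line_contributions(y).values()), 0.0) for y in years]
    return sum(yearly) / 3


def compare(years: List[YearlyIncome]) -> Dict[str, float]:
    """Both charges for the same bank, plus the Standardized charge as a
    share of average gross income (to set against the flat 15% of the BIA)."""
    totals = [sum(y.values()) for y in years]
    avg_income = sum(totals) / len(totals)
    tsa = tsa_charge(years)
    return {
        "bia": bia_charge(totals),
        "tsa": tsa,
        "tsa_effective_rate": tsa / avg_income if avg_income > 0 else 0.0,
    }


if __name__ == "__main__":
    result = compare(SAMPLE_BANK)
    print(f"BIA charge:          {result['bia']:.1f}")
    print(f"Standardized charge: {result['tsa']:.1f}")
    print(f"Effective rate:      {result['tsa_effective_rate']:.2%}")
    # The year-2 trading loss lowers that year's charge instead of raising it.
    print(line_contributions(SAMPLE_BANK[1]))
```

The year-2 trading loss contributes a negative amount to that year's Standardized total, which is the criticism the list above makes about tying the charge to gross income.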
2.6.2. Approach to be followed by Banks in India
Of the aforesaid approaches to operational risk capital charge computation, banks in India will initially follow the basic indicator approach as per RBI advice. This appears to be based on the following factors:
* This approach is simple to operate while at the same time is a reasonable base for computing operational risk capital charge.
* Fundamental ingredient of 15% of gross income can be adopted conveniently under BIA, by banks in India.
* The approach provides for higher level of capital charge, as may be reflected through gross income levels of the bank, enabling the regulatory authorities in India to smoothly control banks under their jurisdiction.
* “The Operational Risk Management discipline is in an embryonic state”. Hence, till the system proves to be really effective, simple approach (BIA) may serve the purpose of banks in India in light of complexity, range of customers, national priorities, vast operational area etc. In Indian banking, an accurate demarcation of various business lines is difficult. Hence, BIA is most suitable for Indian Banking since it does not require bifurcation of gross income into various business lines as is required for more sophisticated approaches (Rey 2005).
2.7. Solvency II: Future Prospects for Operational Risk
Solvency II, a capital accord created in 2007 and revised in February 2008, will have far reaching effects on the insurance industry. This capital accord seeks not only to protect policyholders and beneficiaries but also to harmonize the insurance business across EU member states, which should reduce inconsistencies and opportunities for arbitrage between national markets. Its focus is on insurance groups rather than separate legal entities, and it applies to all life insurance, non-life insurance.
One important point to remember is that this capital accord draws heavily on Basel II for operational risk principles and practices. These include governance, risk and control self assessments, operational loss databases, key risk indicators (KRIs) and economic capital calculations. The Solvency II framework consists of three pillars, each covering a different aspect of the economic risks facing insurers. This three-pillar approach aims to align risk measurement and risk management. The first pillar relates to the quantitative requirement for insurers to understand the nature of their risk exposure. As such, insurers need to hold sufficient regulatory capital to ensure that (with a 99.5% probability over a one-year period) they are protected against adverse events. The second pillar deals with the qualitative aspects and sets out requirements for the governance and risk management of insurers. The third pillar focuses on disclosure and transparency requirements by seeking to harmonise reporting and provide insight into insurers' risk and return profiles.
2.7.1. The Importance of Operational Risk in Solvency II
Over the past few decades many insurers have capitalized on the market and have developed new business services for their clients. On the other hand, the operational risks that these insurers face have become more complex, more potentially devastating and more difficult to anticipate. Although operational risk is possibly the largest threat to the solvency of insurers, it is a relatively new risk category for them. It has been identified as a separate risk category in Solvency II. Operational risk is defined as the capital charge for ‘the risk of loss arising from inadequate or failed internal processes, people, systems or external events'. This definition is based on the underlying causes of such risks and seeks to identify why an operational risk loss happened. It also indicates that operational risk losses result from complex and non-linear interactions between risk and business processes.
2.8. Risk Mapping and Operational Risk
Risk mapping is the basis of operational risk as, unlike market and credit risks, it is not product specific. The market risk of a derivative contract depends strictly on the contract's features and on the relevant market risk factors. Once the deal is concluded, the underlying process, by and large, does not matter to the related market risk exposure. It is impossible, on the other hand, to analyse the operational risk in the trading activities of a bank without a thorough understanding of the whole trading process from initial negotiation to final accounting.
It is also not enough to analyse operational risk on a business unit basis. Although this may seem natural in the light of the need to allocate responsibility and reward performance and good behaviour, it will give a biased view of operational risk exposures and may even miss some of them altogether. In fact, failures in one part of the process can generate failures in others as well as materialize into losses within units that are organizationally separate, while being part of the same business process. Controls, on the other hand, are often performed by an organizational unit in order to prevent or detect failures happening elsewhere. In many cases, the organizational separation within the same process (segregation of duties) is a key control feature in itself. For a more general discussion on operational risk measurement's frameworks and methodologies, see Crouhy et al. (1998), van der Brink (2002) and Ebnöther et al. (2003).
Risk mapping is an analysis tool whereby risk exposures are linked to the relevant parts of the business process. Designing this tool requires a methodology to identify and cover all the relevant risks. The mapping will then allow a bank to analyse the causes of operational failures as well as to link the consequent financial loss to the part of the organization at the origin of the problem. In turn, this will be the key step to a transparent measurement and reporting of the corresponding operational risk exposure as well as to foreseeing and acting upon (through internal controls and other management tools) those exposures that are not in line with the bank's risk appetite.
The role of KRIs is very relevant in the monitoring and in the forward-looking analysis of operational risk both in complementing any statistical analysis in areas where data are not readily available and in ensuring all information about the evolution of the risk and control environment is taken into account (Finlay, 2004; Vinella, 2004).
A KRI is an operational or financial variable that provides a reliable basis for estimating the likelihood and the severity of one or more operational risk events. It can be a specific causal variable as well as a proxy for the drivers of the events and/or the loss related to an operational risk. It can be strictly quantitative, like the turnover rate in a business unit or the number of settlement errors, or more qualitative, like the adequacy of system or the competence of personnel. It can be perfectly objective, like the number of hours of system downtime, or more subjective, like the overall complexity of a portfolio of derivatives. But in order to be useful, it will always have to be somehow linked to one of the risk drivers, or better to one of the mechanisms generating an operational failure.
It follows that indicators have to be regularly reviewed and updated by discarding those that have become irrelevant or redundant, changing the way key data are collected and processed and developing new ones according to the evolution of the risk and the control environment.
2.9. Risk Management and Current Financial Crisis
Widespread failures of bank risk management have been a defining characteristic of the current financial meltdown. Should we go further, however, and charge the risk management profession with major responsibility for the crisis?
To answer this question, we must first review how global wholesale finance has evolved in terms of risk management over the past quarter century. Over the past 25 years, the field of risk management spearheaded a revolution in banking. This revolution, built on academic theories of risk analysis and asset pricing and practical experience with exchange-traded derivatives, shifted the core businesses of leading banks and brokerage houses from lending and agency underwriting/execution toward risk intermediation and proprietary trading.
The revenue volatility associated with this new-look wholesale banking affected even the best firms, and failure to achieve economies of scale meant losses even in good years for many second- and third-tier competitors. But for a dozen or so industry leaders, risk intermediation and trading for their own account proved to be highly profitable.
One important source of dealer revenue was earning a bid-offer spread on transactions in financial assets. While spreads received per trade tended to shrink over time as technology improved and products matured, trading volumes exploded and costs per trade declined rapidly, helping support total revenue earned from this type of dealer business. Over time, however, an increasing proportion of revenue came from proprietary risk taking. Such "prop trading" was at first an outgrowth of dealers' intermediation in off-exchange products.
Client demands to buy or sell over time left a dealer with fluctuating asset positions, and the role of risk analysis and risk management expanded to help control the potential loss from that changing exposure.
Gradually, dealers learned how to add incremental revenue through (1) actively managing their risk positions (taking account of information from trading); (2) lending and syndication activities; and (3) monitoring and analysis of economic and market developments. As prop trading delivered strong profits, banks steadily expanded the risk on their books, further increasing the strategic importance of risk management.
2.9.1. Evolving Practices
Over the past 15 years, as modern risk management proved it could improve the efficiency of trading books and as managers with trading experience moved into senior executive positions, banks extended formal portfolio risk analysis to other lines of business, such as corporate and consumer lending, and to other types of risk (including credit, operational and fee-revenue risk). One key insight that emerged early on from comparative analysis of risk-adjusted returns of bank businesses was that when the cost of the risk associated with loans was correctly evaluated, lending to high-quality corporate borrowers was typically unprofitable.
Lending businesses required substantial equity capital, and, to make a profit in lending, banks needed a yield spread that covered the high risk premium bank shareholders looked to earn. However, it turned out that banks generally could not earn the necessary return lending to investment-grade borrowers at the spreads set by bond investors who owned corporate credit risk (directly and transparently).
Of course, investment-grade corporate credit was not the only problematic lending business for the banks. Analysis of risk-adjusted returns indicated that a large part of the direct lending done by banks was marginally profitable or unprofitable. Given the danger that loans could cause large losses to a bank in the event of a severe economic downturn, market spreads for a range of commercial and consumer loans arguably did not cover costs inclusive of the capital that a prudently risk-managed bank should use to support lending activities.
It is sometimes thought that banks securitized primarily to reduce regulatory capital requirements or to raise cash funding. While these factors certainly made securitization substantially more attractive, the underlying economics were compelling in any case: factoring in the cost of equity capital, it was a money-losing proposition for banks to hold commoditized loan assets. Moreover, securitization offered lower credit spreads to borrowers and higher risk-adjusted returns to investors.
By 2006-07, credit spreads had narrowed to such an extent that the risk-adjusted return to lending had become particularly unattractive for banks. Spreads are wider now, but so is the required risk premium return on bank equity. On balance, bank profitability and market share in loan markets seem to have improved, but this is likely a cyclical fluctuation around an intact structural trend toward investors owning an increasing share of credit assets directly (rather than indirectly, through banks).
Even as they sought to reduce exposure to lending, dealer banks retained a comparative advantage in arranging, originating, syndicating and securitizing credit. If economies of scale were achieved, these activities not only allowed amortization of the costs of specialized and expensive staff resources but also used relatively small amounts of equity capital. So the same type of assessment of risk-adjusted returns that suggested direct lending was often more efficiently done by investors also highlighted the fact that the origination and distribution of risk assets could be a very attractive line of business.
Implementation of Basel II has been described as a long journey rather than a destination by itself. The journey is certainly tougher than we thought. Undoubtedly, it would require commitment of substantial capital and human resources on the part of banks and the supervisors. For banks, the main challenges appear to be the skills shortages and data inadequacies coupled with uncertainties regarding costs associated with implementation. It is a regulatory responsibility to encourage banks to have a phased implementation programme starting from a traditional baseline scenario of identification of operational risks, assessment, and awareness monitoring and integrating these elements over a period. Basel II implementation and the operational risk mitigation process put a heavy burden on supervisors to detect problems in banks, to stay on top of the latest advances in risk management and to avoid abuses of the many powers that are given to supervisors. (http://www.bis.org/review/r051222g.pdf)
CHAPTER 3: RESEARCH METHODOLOGY
This section deals with the appropriate choice of research method which is suitable for the given study and shall be useful in reaching to the conclusion accurately and effectively.
3.2. Research Process
Marketing research always deals with the systematic process of research for a given topic. In marketing research, it becomes necessary to outline the framework according to the research question and demand. The outline should affect the approach towards the conclusion and thus help in reaching the conclusion. Proper identification, collection, analysis and distribution of essential information are required for the research work. After this procedure the data collected for the study becomes relevant and can be analyzed accordingly. The research process for my study has been shown below:
3.3. Research Design
The research design is prepared with the aim of providing the proper way of research with respect to the study. This makes it important to clearly define the research design, which should be in the order required. Research on a particular topic can be done in many ways, but for the researcher it is more important to pick the best and most suitable among these methods (Walonick, 2003). There are various reasons for choosing the appropriate method of research, e.g. the approach, the topic etc.
3.3.1. Approach of the Study
There are two types of research strategies: qualitative and quantitative approaches (Holme and Solvang 2001, p. 84). The purpose of a qualitative approach is to gain a deeper understanding and description of a problem, through gathering and analysis of detailed data of ideas, feelings and attitudes. It is conducted through deep interviews in one or a limited number of companies in order to obtain comprehensive information (Tull and Hawkins 2003, p. 100). For this reason, the questions are normally open-ended in qualitative interviews.
3.3.2. Research Strategy
A study, according to Yin (2004), can take place through five different research strategies, namely experiments, surveys, archival analysis, histories and case studies. Furthermore, Yin (2004) states that the selection of the research strategies that can be utilized depends on three distinct conditions. These are:
* Proper understanding of research question of the study.
* The conclusion to be obtained from the research method.
* The key focus of study should not be diverted.
To choose the right research strategy, it is important to understand the research question of the study. Secondly, the author shall consider the environment and the conclusion to be obtained from the research work. Thirdly, the research strategy should accomplish the provided target of the research. In this section all the research questions posed begin with how the research is intended to be organized. The alternative research strategies available to be implemented include surveys and case studies. Hence, to draw out the proper implications of the research done through the selected research strategy, it becomes compulsory to choose the suitable methodology so as to focus on the main research rationale and question (Yin 2004).
Case studies are preferred with the aim to search for qualitative research through journals, articles and other experiences. These are the source of experience which can be used for clear understanding of the past and using those experiences in future, so that the mistakes can be avoided (Saunders and Lewis 2002).
3.3.3. Data Collection Method
There are broadly two kinds of data, namely primary and secondary data. Primary data is collected for some designated research which has never been attempted earlier. It involves collection of data using forms, interviews, group discussions etc. The data is further put to statistical analysis to firm up the report of analysis. This method is more accurate and provides definite, actionable end results. The data collection process in this method is, however, tedious and takes longer to complete. The primary data collection method dates back to the 19th century, when the reporting style was also naïve and no proper research mechanism was known.
The secondary method of research is relatively easier and involves data collection from existing sources of information or the research of other people. The method involves sourcing data from articles, white papers, internet media, print media, journals, existing research articles on the same topic and other reliable sources. However, information is gathered and filtered for the particular purpose of the research that is being carried out. This research involves a lot of time spent segregating the correct and relevant data.
3.3.4. Data Analysis
Data analysis is the most critical part of carrying out any form of research. It requires complete knowledge and understanding of the research goal to begin with. The analysis of the data needs to be carried out in a structured format. Data analysis can be done on a quantitative or qualitative basis. Quantitative data analysis involves the use of statistical tools like SPSS, Minitab etc., wherein the data collected over a length of time or events needs to be organized in a particular format and, using statistical methods, is presented in an understandable form. This method is more exact and provides an accurate analysis of the past data, which can be extended to future predictions or correlations (Helen 2007).
Qualitative analysis, however, relies more on the theoretical concepts developed and forms a proposition based on the information in the form of responses, case studies and other relevant research material.
Firstly, data reduction was conducted, secondly the data was displayed and finally conclusions were drawn and the data verified.
The methodology I am proposing rests on the following key concepts:
1. The drivers of operational risk are also the key resources present in each banking activity: people, process, technology and external factors.
2. An operational failure will occur every time one or more of these resources is inadequate to the task being performed. This may happen because the resource is insufficient either in quality or in quantity (capacity and capability), unavailable at a critical stage (availability and criticality), or because they break down altogether.
3. Meaningful KRIs will measure and anticipate the inadequacies described above, and key control activities will be designed to address them (through prevention, reduction and detection).
The methodology is pictorially described in Figure 2, which shows the central role of key resources as drivers of operational risk and the relationship between failures in those resources and operational events and losses. It also shows, as discussed more in detail further below, that each KRI needs to give a direct measure of the extent or likelihood of failure in one or more resources drivers.
This approach is not different in principle from the one adopted in market risk where we start from the so-called risk factors, equity and commodity prices, interest and exchange rates. Then we examine the exposure of the bank to these factors. This is the result of all the existing positions the bank has opened at a given point in time. Then we look at the way the portfolio of positions is affected by the behaviour of the risk factors. This is what we call sensitivity of the position (in the language of option-pricing theory indicated by Greek letters). Finally, by combining positions, sensitivities and statistical information on the risk factors, we estimate the potential loss, that is, the maximum change in value for the portfolio on a given time period with a given probability: value at risk (VAR). Figure 3 shows how resources/risk drivers applied to specific combinations/portfolios of activities expose the bank to risks that depend critically on how these resources can fail to perform as expected.
The key steps in risk mapping can be summarized as follows:
1. Identification of the key activities (process mapping): This will offer a clear picture of what activities are carried out as part of each process, where such activities are carried out and how they are performed. A map allows a business process to be examined clearly, without the ‘distraction’ of the organizational structure or internal politics. In process mapping, the level of detail can range from a broad organizational process perspective down to a micro-detail approach of the smallest unit of work. It is often useful to map business processes at a high level and then drill down to successive lower levels. This makes it possible to identify the critical elements and the potential flaws or inefficiencies in processes.
Furthermore, process maps present information about a business process in its organizational context. In other words, with one diagram a user can see all the steps (or events) involved in a business process, the organizational function that performs the steps, the dependencies in the process and the order in which the steps are generally performed. The user can also see the sequential and concurrent nature of activities and the decision points. Unlike data flow diagrams, process maps take into consideration organizational units (process owners) and characterize how information moves throughout an organization as business is performed.
Detailed task instructions may accompany the map and use the process numbers as a reference. For example, a sub-process could be accompanied by a detailed document that clearly articulates the steps and specific instructions used by the relevant department to perform it. These detailed step-by-step instructions also include what department or person ‘owns' the process, the inputs and outputs of the process and any dependencies of the process. Not only do the instructions thoroughly document the system, but they can also be used as a foundation for training materials.
2. Analysis of the risk drivers: People, process, systems and external dependencies will influence different activities in different ways. The main tools that line managers can use to fulfill their organizational responsibility are, in fact, the key internal drivers of operational risk - people, systems and facilities. This is the basic reason why line management bears primary responsibility for managing operational risks. Analysing the role and the relative relevance of each factor within an activity allows understanding how, in what circumstances and why that resource may fail.
3. Analysis of the risk factors - quantity, quality, criticality and failure: In each activity, the same resources can fail in different ways depending on the nature of the task performed as well as on the specific risk and control environment. Capacity, for instance, may be the main risk factor in certain back office activities while dependency on critical people may be the key risk factor in a trading front office and so on.
4. Identification of the risks: ‘What happens?' is the next question to answer, following the consequences of the failure all the way down the process (and through the related ones). The really important thing during risk identification is not to miss any risks out. You can decide to ignore some of them at a later stage, after you have assessed them, but they all need to be included at this stage. Whatever technique (or techniques) you use, it is important to provide an audit trail so that you can be sure of what happened and that no risks were omitted.
5. Identification and analysis of the losses: This is the key step, not only for future categorization and statistical analysis, but also to prioritize exposures and subsequent control actions. Although at the beginning, in the absence of a reliable database of historical losses, this task may be primarily based on management's expert judgment, it is important to ensure that the resulting estimates are then updated constantly following any operational event. Information contained in commercial databases of operational losses can be used in the development of specific scenarios for risk analysis as well as to supplement limited internal data. It could not, however, be the main basis for a statistical estimate of operational risk.
Finally, because of the swift actions normally taken to correct control weaknesses emerging from operational events, a reliable process for identification and assessment of losses must take into account the changes occurring in the risk and control environment and reflect them quantitatively in the overall estimate of operational risk.
6. Identification and analysis of KRIs. KRIs will be identified on the basis of the information gathered in the previous steps, namely the drivers, the factors and the potential losses, and ranked according to their predictive ability. KRIs should be:
* Relevant, strongly related to the frequency of operational failure and/or severity of impact.
* Non-redundant: If two indicators are strongly correlated, only one should be considered.
* Measurable: As much as possible, indicators should be objectively (and independently) quantifiable and verifiable.
* Easy to monitor: Indicator tracking should not be too cumbersome and expensive.
* Auditable: Indicators and their sources should be properly documented.
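The relevance and non-redundancy criteria above can be applied mechanically once indicator histories exist. The following Python example is added here and is not part of the original study; the indicator names, the monthly readings, the one-month lead and the 0.5 and 0.9 thresholds are all constructed assumptions.

```python
from math import sqrt

# Constructed sample data (not from the study): eight months of readings.
KRI_SERIES = {
    "settlement_errors":     [2, 3, 4, 3, 5, 6, 7, 7],      # performance indicator
    "manual_interventions":  [5, 7, 8, 7, 11, 12, 15, 16],  # performance indicator
    "system_downtime_hours": [1, 0, 3, 1, 2, 4, 2, 5],      # performance indicator
    "transaction_volume_k":  [100, 120, 90, 110, 105, 95, 115, 100],  # descriptive
}
LOSS_EVENTS = [1, 2, 2, 4, 3, 5, 6, 6]  # constructed monthly count of loss events


def pearson(xs, ys):
    """Pearson correlation; returns 0.0 when either series is constant."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must have equal length of at least 2")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0  # a flat indicator carries no predictive information
    return sxy / sqrt(sxx * syy)


def lead_correlation(kri, events, lag=1):
    """Correlate the KRI in month t with loss events in month t + lag."""
    if lag < 1:
        raise ValueError("lag must be at least 1 month")
    return pearson(kri[:-lag], events[lag:])


def select_kris(series, events, min_relevance=0.5, max_redundancy=0.9, lag=1):
    """Rank KRIs by predictive ability, then drop irrelevant and redundant ones."""
    ranked = sorted(
        series,
        key=lambda n: abs(lead_correlation(series[n], events, lag)),
        reverse=True,
    )
    kept, dropped = [], {}
    for name in ranked:
        relevance = abs(lead_correlation(series[name], events, lag))
        if relevance < min_relevance:
            dropped[name] = "not relevant"
            continue
        # Non-redundancy: compare against every stronger KRI already kept.
        twin = next(
            (k for k in kept
             if abs(pearson(series[name], series[k])) > max_redundancy),
            None,
        )
        if twin is not None:
            dropped[name] = f"redundant with {twin}"
        else:
            kept.append(name)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = select_kris(KRI_SERIES, LOSS_EVENTS)
    print("kept:", kept)
    for name, reason in dropped.items():
        print(f"dropped {name}: {reason}")
```

Because the ranking is done first, the weaker of two strongly correlated indicators is always the one discarded.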
Because many different operational and financial variables can be used as risk indicators, KRIs form an absolutely heterogeneous set. There are thus many different ways to classify them. The following simple classification stresses the relationship between KRIs and the two key features of an operational risk exposure: likelihood and severity.
Descriptive indicators are variables that give information about some key business dimension, such as size, volume and amounts, and can therefore be thought as somehow linked to the impact (loss) of an operational failure. Examples of descriptive indicators are number of transactions, volume of trades and size of assets.
Performance indicators are usually related to the output of a business process and give an indication on how well a certain process is working. Therefore, they are normally related to problems in the process and can also be used to get an indication of how likely a certain operational failure is. Typical performance indicators are number of settlement errors and amount of related losses, number of cancellations and other manual interventions, and hours of system downtime.
Control indicators are linked to management actions and represent variables that management can usually directly control. Their main feature is that management can predict their evolution and can thus use them as indicators of how the control environment will be in the immediate future. Examples of control indicators are compensation alignment, percentage of complex products in a portfolio and age of IT systems. Descriptive KRIs will be to an extent related to the potential impact of operational risk, but their ability to predict operational events will be minimal. Performance KRIs, on the other hand, will be more related to the likelihood of an event but will need to be combined with some descriptive indicator to give an idea of the potential impact.
In general, control indicators that are related to management actions will give information on the likelihood of future events that are neither captured by VAR, to the extent that the latter - as a statistical technique - only captures information related to the past, nor by descriptive or performance-related indicators.
In Figure 5, I have mapped the above categories in terms of their ability to work as predictors of operational events and proxies for operational risk exposures. I have also added VAR as a benchmark that is, hopefully, strongly related to both likelihood and impact of future events.
CHAPTER 5: CASE STUDIES
In this section I have examined the circumstances surrounding operational risk-related losses at various banks. I have provided the background information to the cases, followed by a summary and comparison of the major factors behind the losses. This section also explores how the actions of individuals in these institutions - particularly changes in their risk appetite given performance relative to a reference point - can be linked to theories in psychology and behavioral finance literature.
People, processes, systems and external events constitute the overall boundary of operational risks in banking. Reputation and strategic risks, though not treated under operational risk, may in some cases be a constituent of a recognized operational risk factor. Such risks are also highlighted in the case studies below:
1. Mr. Depositwalaa, a Saving Bank (SB) account holder in Model Bank, deposited a cash of Rs. 10,000/- in his account on 31-12-04, taking the balance in his account to Rs. 15,000/-, thereafter on 1-1-05 he issued a cheque to Mr. Bookwalla for Rs. 7000/-. The cheque was presented on 2-1-05 for payment but Model Bank refused payment on grounds of inadequate funds in the payer's account.
When Mr. Depositwalaa filed for compensation, the bank conducted an investigation and found that the cash deposit of Rs. 10,000/- made by Mr. Depositwalaa was credited to another account holder-Mr. D Wallam, instead of being credited to Mr. Depositwalaa's account.
Identified risk creators for this example are as follows:
* Process risk (effecting wrong credit)
* Reputational risk (bad customer service, hence, the compensation claim)
2. Under its Monthly income Plan, Model Bank issued a Fixed Deposit (FD) receipt of Rs. 1 Lac in the name of Mr. Depositwalaa with the monthly interest slated to be credited to his SB account from time to time.
After making the fixed deposit, Mr. Depositwalaa went overseas. He returned to India after one year and checked up his SB account balance. He noticed that monthly interest from the deposit was not at all credited to his SB account despite standing instruction to that effect being in place. He enquired from the bank's counter clerk but received an evasive reply. He lodged a complaint with the bank for immediate credit of interest, together with interest on the delayed interest amount.
Upon investigation, Model Bank discovered that the standing instructions to deposit monthly interest on the FD were not noted in the computer system; the fact that fixed deposit was under monthly income scheme was also not recorded.
Identified Risk creators in this example are as follows:
* Process risk (not recording the standing instructions on the computer)
* People risk (not responding to the customer's query in an appropriate manner)
* Reputation risk (the account holder being an important person, may spread by word-of-mouth, information on the bank's poor system and unsatisfactory customer service).
3. M/s SME Manufacturing Company, a partnership firm, was sanctioned a cash credit limit of Rs. 1 Lac by Model Bank on 31-12-04. The appropriately stamped security documents were executed by the parties on 1-1-05 and an advance amount of Rs. 50,000/- was disbursed by the bank on the same day, by honoring a cheque signed by Mr. Arvind, one of the partners of the firm.
On 10-1-05, when the balance in the cash credit account was around Rs. 1 Lac, a complaint was received from Mr. Govind, the other partner of the firm, saying that he did not execute any security document for the advance.
Upon investigation it turned out:
i. The signatures of Mr. Govind on the security document were forged.
ii. Besides Mr. Arvind, the other person to sign the document, Mr. Solik, was a minor.
Identified risk creators: Defective document:
* Legal Risk
* People Risk
4. Model Bank sanctioned a Term Loan limit of Rs. 1 Lac to M/s Good Book Distributors for purchase of a computer, furniture etc. on an interest rate of 10.5% p.a.
The rate of interest in the loan ledger of the bank's computer system was recorded as 1.5% p.a.
Later on, the borrower defaulted on payments and the bank filed a suit for recovery, claiming interest at the rate of 10.5% p.a. During defense arguments in the court, the borrowers countered that the agreed rate of interest was 1.5% p.a. and not 10.5% p.a. as claimed by the bank. In support of their claim, they produced the statement of account from the bank, showing the interest rate as 1.5% p.a.
Identified risk creators in this example are:
* System (not recording interest properly)
* People (not verifying all related documents before filing the suit)
5. Model Bank had one of its branches in Ideal Town in a state capital. Resourceful business people had maintained their accounts with the bank and this had turned out to be quite profitable for the bank. The management of the bank, in their endeavor to increase the size of their business, shifted the bank's branch to a more spacious building at a location that was a bit distant from Ideal Town. Soon after, many of their valued customers shifted their accounts to other banks having branches that were in Ideal Town or closer to it.
Within a year, Model Bank's branch showed operational loss as against profits earned since inception, owing to loss of remunerative customer accounts.
Identified risk creators in this example are:
* People (lack of foresight of top management in assessing the consequences of shifting to a new location)
* Strategic risk (inappropriate decision leading to a shrinkage in value of business, resulting in operational loss)
Findings and Analysis
6.1. Cause-Event-Effect Analysis on Operational Risks
Operational risk is an involuntary spectrum of the functioning of an organization: if an organization exists, there will be a host of activities, core and non-core, each of which can be a potential source of operational risk. Hence, in the broadest sense, the operations, functions or activities of an organization may themselves be the cause of operational risks.
‘Event-effect’ follows the cause. While the causes in operational risks may be the failure of people, processes, systems or external events, an event may take various forms, e.g. fraud by employees of the organization or outsiders, unintended mistakes made by the employees, etc. The effect, however, may be different, even though the cause is the same. Severity of loss will be the determining factor in effect analysis.
In cause-event-effect analysis in operational risk management, an important aspect is that, while strategic and reputation risks may often have a significant loss effect, they are not captured under the operational risk canvas. It is not always possible to attribute a loss effect purely to a single group of operational risk causes. “One could give several examples where loss of reputation and consequential loss of business far exceeds any direct loss and where the initial cause was a combination of circumstances where poor business judgment as well as perhaps a dose of human incompetence and even downright deception, played a role. Should these events be ignored because they do not fall neatly into codified categories of credit, market and operational risks?”
6.2. Risk Decomposition
Cause-event-effect analysis facilitates the process of operational risk decomposition, which implies the following:
* Identification of various sources of operational risk factors.
* Measuring each factor's contribution to the operational risk pool.
* Comparing ex-post realized outcomes to ex-ante risks.
* Identifying the risks taken intentionally and those taken inadvertently.
6.5. Operational Risk and Basel II
Only when operational risk became part of the first draft of the consultative process from which Basel II emerged did the subject appear on the agenda for the majority of senior managements. In February 2003, the Basel Committee issued Sound Practices for the Management and Supervision of Operational Risk, in which it sought to provide guidance.
Under operational risk principle No. 5, Basel Committee guideline provides that pertinent operational risk information should be regularly reported to senior management and board of directors so that proactive actions can be initiated in good time.
The committee has rightly left it to each bank to decide on the periodicity. Management reports should take into account the following areas:
* Internal financial, operational and compliance data.
* External market information on major events and conditions relevant for decision making purposes.
* Problem areas should be dealt with extensively.
* Timely corrective action on outstanding issues to be highlighted.
* Reports should reflect ‘sufficient higher level information' with a focus on material and strategic implications.
* Reporting of operational risk loss data should be on the basis of ‘date of discovery'
Under the Accord, it is expected that reporting requirements must facilitate an appropriate assessment of the bank's:
a) Risk Profile
b) Capital Profile
The report should be a handy guide for:
* Evaluation of risk level vis-à-vis capital level.
* Evaluation of sensitivity and reasonableness factored into capital charge computation.
* Determination of a bank's capital level.
* Assessment of future capital level keeping in view the bank's risk profile.
6.6. “Sound Practices” for Managing Operational Risk
For the operational risk management to be effective, it should be managed in an integrated manner and on an enterprise wide basis. Such an approach of operational risk management may be viewed as a TRIANGLE as shown below:
The Basel Committee has evolved Ten Principles for effective management of operational risks by banks, with an eye on the need for clear lines of responsibility, segregation of duties, effective internal reporting, contingency planning and, above all, supervision of activities by the bank's board and senior management (Guldimann 2003). These principles are mentioned in the next section.
The components for an overall operational risk framework have begun to emerge in the banking community. Some disagreement exists on the details of the approach and implementation process. Due to the complexity of today's financial services companies, senior management needs to distinguish between mandatory components to be implemented regardless of size, business, and products and the bank-specific aspects of development, including the implementation approach and specific deviations in methods and tools.
In “Sound Practices,” the Basel Committee noted that: “... management of specific operational risks is not a new practice; it has always been important for banks to try to prevent fraud, maintain the integrity of internal controls, and reduce errors in transaction processing, and so on. However, what is relatively new is the view of operational risk management as a comprehensive practice comparable to the management of credit and market risk in principle, if not always in form. [Developing economic trends], combined with a growing number of high-profile operational loss events worldwide, have led banks and supervisors to increasingly view operational risk management as an inclusive discipline, as has already been the case in many other industries.”
“Sound Practices” can also be seen as another step in articulating comprehensive rules for corporate governance for all major risk types. It sets out ten principles for the effective management and supervision of operational risk. These principles reflect:
* Activities many financial institutions have been successfully developing over the years as part of their operational risk frameworks
* The current thinking of supervisory regimes on Basel II, highlighting the importance placed on the New Accord's Pillars II and III
6.7. The Ten Principles of the Basel Committee's “Sound Practices”
The ten principles concentrate on the high-level standards deemed necessary for the management of operational risks. In keeping with the Basel Committee's goals, the principles are deliberately high-level to allow banks to develop approaches suitable to their organizational needs.
The ten principles can be summarized as follows:
1. The board of directors and senior management are responsible for approving the establishment and review of a framework for managing operational risk and establishing the organization's operational risk strategy.
Following aspects are important for complying with this principle:
* Operational risk must be recognized as a separate category of risk even though in some cases there may be an overlap of risk categories.
* Bank's operational risk framework has to be chalked out covering inter alia, the following:
i. Main/document constituents of operational risk factors, as derived from fraud analysis.
ii. Bank's appetite level and tolerance level for operational risk e.g. whether focus will be more on decentralization/centralization of authority and powers of staff managing the bank. Also, to a certain extent, risk in various segments of the bank's operation may be accepted.
iii. Firm-wide implication rather than activity/unit-wise implication to be adopted.
iv. Bank's prioritization of operational risk retention and transfer, by way of insurance etc. e.g. whether fidelity insurance is to be taken for all categories of staff, whether all the assets are to be insured or not etc.
v. Clear direction should be available at all levels with regard to modality of identification, assessment, monitoring and controlling/ mitigating the risks.
2. Senior management is responsible for implementing the operational risk strategy consistently throughout the entire organization and developing policies, processes, and procedures for all products, activities, processes, and systems.
Following aspects are important for complying with this principle:
* Operational risk framework covering operations, policies and procedures would have to be covered under internal audit programme.
* Internal audit mechanism has to verify the effectiveness of bank's operational risk management.
* The bank's Board, either directly or through an audit committee, should ensure that internal audit programme is appropriate to the bank's risk exposures.
* Appropriately trained and competent personnel should be entrusted with internal audit functions. They should have autonomy and independence within the framework of the bank's organizational structure and should not have any operational management responsibilities.
3. Information, communication, and escalation flows must be established to maintain and oversee the effectiveness of the framework and management performance.
Following aspects are important in complying with this principle:
* Senior management of a bank would have to ensure bank-wide implementation of operational risk management. The senior management should also develop policies, processes and procedures for managing operational risks. Thus, senior management must have full control of the operational risk management strategy.
* To avoid any significant gaps or overlaps in effective management of all categories of risks, the staff entrusted with managing operational risk should be encouraged to communicate effectively with those managing credit risk and market risk. As per the Basel Committee's expectations, staff at all levels in banks should have the necessary experience, technical capabilities and access to resources.
* The bank's remuneration policies should be such that they do not encourage rewards to staff members who deviate from policies, thereby weakening the bank's risk management process.
* For supporting high transaction volumes, facility of advanced technologies may be availed with high quality of documentation of controls.
4. Operational risks inherent in all current activities, processes, systems, and new products should be identified.
Following aspects are important in complying with this principle:
* Operational risk identification is the basic requirement in effective management of operational risks. There are two organized sets of factors for such identification:
a) Internal factors: Bank's structure, nature of activities, quality of human resources, organizational changes, employee turnover etc.
b) External factors: Changes in banking industry, regulatory policies, technological advances etc.
* A bank's material products, activities, processes and systems, especially those related to new products, should be subjected to comprehensive assessment based on their “inherent risks”.
* Internationally recognized assessment tools of operational risk in a bank's activities are as given below:
a) Self risk assessment: Against a menu of probable and violent risk vulnerabilities, a bank's operations and activities are assessed as an internally driven tool. Scorecards that identify strengths and weaknesses are developed for the purpose.
b) Risk mapping: Various products/ business lines, organizational functions, processes are mapped out based on the risk type. Weak areas are spotted out and remedial management action is initiated.
c) Use of statistics and/or metrics: Risk indicators located on the basis of statistics and/or metrics in respect of failed trades, staff turnover, severity of errors and omissions are analyzed and an appropriate control mechanism is established.
d) Quantification: Operational losses can be quantified on the basis of systematic tracking and recording of the frequency, severity etc. for individual loss events. This can be combined with external loss data, along with scenario analysis.
5. Processes necessary for assessing operational risk should be established.
Following aspects are important in complying with this principle:
* Monitoring system for operational risk should be effective in quickly detecting and correcting deficiencies in the policies frequency and/or severity of events that are likely to generate loss.
* Early warning of future losses should be incorporated, which should be forward looking and should reflect potential sources of operational risk areas.
* Spotting potential risk areas demands a systematic and ongoing evaluation system. Following general risk areas must be looked into:
a) Rapid business/product growth.
b) The need to frequently introduce new or innovative products.
c) Rapid employee turnover.
d) Transaction breaks
e) System down time.
* Operational risk reports should be generated regularly for the perusal of senior management and board of directors. Such risk reports should contain all the aspects that have severe operational risk implications.
6. Systems should be implemented to monitor operational risk exposures and loss events by major business lines.
Following aspects are important in complying with this principle:
* Material operational risks in a bank must be controlled and/or mitigated through appropriate policies, processes and procedures.
* The bank's strategies are reviewed periodically, keeping in view its overall risk appetite and profile.
* The basic aspect to be followed is to decide:
a) Nature of risks to be controlled.
b) Nature of risks to be mitigated by risk transfer in the form of appropriate insurance cover.
c) Nature of risks to be kept under ‘self insurance' i.e. risk to be retained with the bank.
d) Activities likely to generate certain types of risks are not to be accepted at all.
* Control of risks within the organization should be undertaken based on the Four Eye Principle which involves:
a) Segregation of various functions
b) Cross checking
c) Dual control of assets
d) Dual signature
* Risks such as natural disasters, which cannot be controlled and display low frequency-high severity characteristics, should be transferred to insurance of risks should not create any ‘legal risks'.
* In cases of very rare events of low severity, a bank may choose to retain certain operational risks, to put it in the words of Basel Committee, ‘self insure' such risks. However such retention/self-insurance should be:
b) Consistent with the bank's overall business strategy
c) Compatible with the bank's risk appetite
* Basel Committee has suggested that for ensuring compliance of a bank's documented policies, processes and procedures by its staff at various levels, the following system must be put in place:
a) Top level reviews of the bank's progress towards the stated objectives.
b) Checking for compliance with management controls.
c) Policies, processes and procedures concerning the review, treatment and resolution of non-compliance issues.
d) A system of documented approval and authorizations to ensure accountability to an appropriate level of management.
7. Policies, processes, and procedures to control or mitigate operational risks should be in place, together with cost/benefit analyses of alternative risk limitation and control strategies.
Following aspects are important in complying with this principle:
* It is possible that due to sudden damage to the bank's physical telecommunication or Information Technology (IT) infrastructure, the bank is unable to meet its business obligations, especially where disruption extends to the payment system.
* Depending on the bank's size and complexity of its operations, it is necessary that appropriate disaster recovery and continuity plans are in place.
* Where services of external vendor or other third parties are availed of in the normal course of the banks' withdrawal of services by the vendor does not disrupt the bank's operations.
* A periodical review system relating to disaster recovery and business continuity plans must be established. In light of the bank's past experience in dealing with disasters, necessary improvements should be undertaken.
* The basic objective of disaster recovery and business continuity plans is to avoid operational risk losses and where unavoidable, at least to limit such loss.
8. Supervisors should require banks to have an effective system in place to identify, measure, monitor, and control operational risks.
This principle specifies the functional role and responsibilities of the regulatory banking authorities of each country; the Pillar-2 supervisory review process of Basel Accord II is expected to look into each bank's operational risk management framework. Where, as a result of such review, they conclude that the risk policies of the bank pose a threat to the safety and soundness of the bank, they may initiate corrective action.
9. Supervisors should conduct (directly or indirectly) regular independent evaluations of these principles and ensure that effective reporting mechanisms are in place.
This principle demands supervisory action with regard to independent evaluation of a bank's policies, procedure and practices relating to operational risk management. Pillar-2 requirements also apply under this principle. Basel Committee has stated that such independent evaluation of operational risks by the supervisors (RBI, in case of Indian Banks) should broadly include assessment of the following:
* Operational risk management process and overall control environment.
* How the bank undertakes monitoring and reporting of entire operational risk profile, taking into account data on operational losses and potential risk indicators.
* Procedures within the bank in respect of prompt remedial action on risk event and vulnerabilities on operational risk.
* Bank's control system, i.e. their review and audit mechanism to ensure integrity of arrangements.
* The effectiveness of the bank's disaster recovery and business continuity plans.
* Operational risk management process.
* The effectiveness of the bank's operational risk mitigation efforts, especially through insurance.
* The bank's approach to computing capital adequacy for operational risk in light of its risk profile.
* In case of banks which are part of a financial group, an assessment of procedure, especially on managing the entire group's operational risk matters, should be made; where necessary, the services of external auditors may be sought by the supervisors.
With regard to the supervisors remaining apprised of the development in banks, appropriate reporting mechanism should be put in place by the bank to enable the supervisor to receive the appropriate information. One such method may be that each bank forwards its internal management reports to supervisors on a regular basis.
10. Sufficient public disclosure should be made to allow market participants to assess an organization's operational risk exposure and the quality of its operational risk management.
Recognizing the fact that the area of operational risk disclosure is not well established in banks in various countries, Basel Committee feels that “timely and focused” disclosure, keeping in view the size, risk profile and complexity of a bank's operations, would lead to enhanced market discipline. This disclosure framework should allow investors to determine how the concerned bank identifies, measures, monitors, controls and mitigates operational risks.
Pillar 3 of Basel Accord II requires banks to devote full attention to market discipline.
As mentioned above, Basel Accord II recognizes insurance as a risk mitigant in a limited way only. However, qualitatively a bank may always initiate the following elements as risk mitigants from its operational risk angle:
* Training and re-training of staff at all levels.
* Diversification of activities.
* Selective withdrawal from high risk products/activities.
Operational risk monitoring implies ensuring that each functional unit is in tune with the bank's risk philosophy, risk appetite and business transactions within the regulatory setting. It also implies that, whenever any significant deviation is noticed, immediate remedial action is taken in the best interests of the organization.
6.8. Usual Components of a Sound Operational Risk Policy Document
A fully effective operational risk policy document must contain the following components:
a) Top management's involvement should be spontaneous and proactive. An operational risk committee with top management members and functional specialists must meet at least on a quarterly basis for monitoring the bank's operational risk segments.
b) Upon intensive study of operational risk content data and the intensity of each component in the previous 5-7 years, the top management should assess the areas requiring improvement, on a regular basis. For example, if some areas where the bank has its branches are regularly affected by flood, appropriate steps should be initiated for risk control. Such risk related findings should be placed before operational management committee from time to time and if need be, these should be escalated to the board of directors.
c) Specifying criteria, for identifying roles, responsibilities and inter-relationships of various functionaries involved in bank wide operational risk management.
d) State/area wise view of top management as to the intensity of impact of any particular type of operational risk, e.g. in some parts of a country, risks related to external events may be more than internal process, system or people related risks.
e) Identification of the risk mitigant that the bank would like to have e.g. fidelity insurance for staff, bank's property insurance etc.
f) Decision on how frequently the bank's manual of instructions is to be updated; ideally it should be on an annual basis. Loan policy/credit risk policy documents of banks are generally updated annually.
g) Specific arrangements are to be made for providing and enhancing the skills of the staff.
h) Reward/punishment measures for intentional/ deliberate mistakes are to be in place.
i) The extent to which the bank would avail of outsourcing of technology to deal with operational risks.
j) What specific arrangements should be in place by way of disaster recovery on account of accidental disruption or for other operational reasons so that business continuity is not seriously hampered.
k) How templates for the operational risk reporting package containing, inter alia, risk control, key indicators and loss-tracking will be used for improvement in operational risk management.
l) How issues on internal/external conflicts of interest will be dealt with.
Four Eye Principles:
(i) Segregation of various functions,
(ii) Cross checking,
(iii) Dual control of assets and
(iv) Double signature, is the best monitoring tool.
Basel Committee has observed that many international banks undertake monitoring by keeping a continuous track on operational performance measures such as volume, turnover, settlement failures, delays and errors.
It has also been observed that in many cases they monitor operational losses directly with analysis of each occurrence and thereafter, senior management/Board is apprised of the nature and causes of loss with full description.
A monitoring system needs to be effectively supported by an appropriate control system.
6.9. Areas of Operational Risk Control
Any operational risk control starts from the personnel's response to intra-organization activity at each stage. Thereafter, the external environment, as it is, and as it is likely to be, is evaluated on a continuous basis. If an organization is in a position to effectively manage its internal settings, the influence of adverse external events may at best be treated as extraordinary. But no control measure should be designed so tightly that it prevents reasonable accomplishment of the organization's needs for existence. For example, if a bank does not want to lend, how can there be a documentation irregularity related to lending, due to the lapse of the bank's staff?
For effective control of operational risks in banking, the following aspects need greater attention:
* Regular overseeing by top management
* Regular check on information processing
* Regular activity monitoring.
* Segregation of duties and responsibilities of various personnel of the bank.
* Establishing performance evaluation for each staff member.
* Documenting activity process and implementation procedure.
* Periodic analysis of external environment and response of peer banks to environmental changes.
CHAPTER 7: CONCLUSION
Operational risk identification and measurement is still in an evolutionary stage as compared to the maturity that market and credit risk measurement have achieved. From the perspective of operational risk management, mitigation implies reduction of the probability and/or impact of an operational risk event on an enterprise-wide basis. Hence, if an appropriate and value-based risk mitigant outside the enterprise remains operative for a particular risk event such as fire, or a group of risk events such as external or internal frauds, to that extent, the quantum of the requirement of operational risk capital of the organization must stand reduced (Saunders 2004).
Reporting of operational risk means giving an account of occurrences of loss experienced in the course of the business operations over a specific time-band (Parsley 2006). The reporting frequency and structure for reporting varies from organization to organization depending on their size and complexity of operations as also on the past trends.
In banking, the functional units such as branches are widely spread, especially in Indian Public Sector banking. On top of this, there may be various layers in the bank such as Regional Authorities/Zonal Authorities, besides the Head Quarters (Luhmann 2002). Often major incidents such as frauds are also required to be reported to regulatory authorities immediately on occurrence/detection of any event of loss/potential loss.
Therefore, reporting of operational risk in banking needs to be compact, and the reporting machinery is required to be so organized that reliability and accuracy, coupled with speed and consistency, are maintained on an ongoing basis. Technology is to be the key driver in the entire reporting system.
In this research, I have discussed the concepts of risk mapping and KRIs in operational risk management. I have examined the main objectives of these tools and proposed a general methodology to map operational risks to business activities and to select KRIs. I have shown how to apply the methodology to two specific, albeit rather stylized, business cases.
As automation and complexity in banking operations reach new heights, risk mapping is bound to take a central role both in business and in risk management. With the recent increase in scrutiny and pressure for tightening controls coming from regulators and legislators alike, the need for understanding, documenting and monitoring banking activities is becoming a major concern at top management level and is not anymore an exclusive endeavour for auditors and operations managers. Amongst all the control tools available to managers, KRIs have one clear advantage, if properly selected and interpreted: they are forward looking. They ideally complement statistical models, with their sophisticated analysis of past information, through a snapshot, imperfect and error-prone as it may be, of what might happen in the immediate future.
In activities where timing is always tight, consequences are swift and unforgiving, and where complexity often clouds the real mechanics of events, monitoring a set of well-identified KRIs can substantially enhance the effectiveness of risk management and substantially reduce operational exposures. A systematic, factor-driven analysis of processes, going from risk factors through failure and consequences of failures can help identify the most important indicators almost as a by-product of risk mapping.
Furthermore, a more holistic view of processes and risks can be achieved by considering a structured set of indicators as a means of drawing an overall picture of operational risk exposures. This bank-wide analysis can be implemented through the construction of an operational risk scorecard, summarizing, aggregating and reporting KRIs by business activity and risk category.
Finally, it should be noted that, no matter how sophisticated the tools are and how penetrating the analysis is, risk mapping, KRIs and scorecard will only be effective with the full involvement of the business people concerned. Not only are they the most important source of information, and therefore the basis for the whole analytical process, but they are those that will make the measurement and monitoring activities meaningful by helping in interpreting, updating and improving them. In the end, it is never an analytical or mathematical model that makes the difference, but rather its effective implementation within the day-to-day management of the business and the ability to update it in order to respond to the changes in the risk and control environment.
 Of course, it is possible that for example an employee error can result in an operational gain rather than loss for the bank, but this possibility is generally ignored for the purpose of operational risk modeling. We do not treat this case.
 E. J. Vaughan and T. Vaughan. Fundamentals of Risk and Insurance. John Wiley & Sons, 9 edition, 2003.
 H. Geiger. Die Risikopolitik der Banken, Teil 1 und Teil 2. Der Schweizer Treuhander, 73(6/7 und 8):555 - 564, 713 - 718, 1999.
 Consultative Document, Operational Risk, BIS, January 2001.
 Damian Handzy, Risk professional -Advancing the risk profession, June 2009, A GARP Media Publication, pp60
 Basel Committee on Banking Supervision. “Sound Practices for the Management and Supervision of Operational Risk,” February 2003, p. 3.