 |
|
Operational Risk
According to the
Basel ii Framework:
A. Definition of operational risk 644. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk. B. The measurement methodologies 645. The framework outlined below presents three methods for calculating operational risk capital charges in a continuum of increasing sophistication and risk sensitivity:
646. Banks are encouraged to move along the spectrum of available approaches as they develop more sophisticated operational risk measurement systems and practices. Qualifying criteria for the Standardised Approach and AMA are presented below. 647. Internationally active banks and banks with significant operational risk exposures (for example, specialised processing banks) are expected to use an approach that is more sophisticated than the Basic Indicator Approach and that is appropriate for the risk profile of the institution. A bank will be permitted to use the Basic Indicator or Standardised Approach for some parts of its operations and an AMA for others provided certain minimum criteria are met. 648. A bank will not be allowed to choose to revert to a simpler approach once it has been approved for a more advanced approach without supervisory approval. However, if a supervisor determines that a bank using a more advanced approach no longer meets the qualifying criteria for this approach, it may require the bank to revert to a simpler approach for some or all of its operations, until it meets the conditions specified by the supervisor for returning to a more advanced approach. Before that Basel ii Framework According to the Bank of International Settlements (September 1998, Operational Risk Management), the most important types of operational risk involve breakdowns in internal controls and corporate governance. Such breakdowns can lead to financial losses through error, fraud, or failure to perform in a timely manner or cause the interests of the bank to be compromised in some other way, for example, by its dealers, lending officers or other staff exceeding their authority or conducting business in an unethical or risky manner. Other aspects of operational risk include major failure of information technology systems or events such as major fires or other disasters. A working group of the Basle Committee interviewed approximately thirty major banks from the different member countries on the management of operational risk. Several common themes emerged during these discussions: * Awareness of operational risk among bank boards and senior management is increasing. Virtually all banks assign primary responsibility for managing operational risk to the business line head. Those banks that are developing measurement systems for operational risk often are also attempting to build some form of incentive for sound operational risk management practice by business managers. This incentive could take the form of a capital allocation for operational risk, inclusion of operational risk measurement into the performance evaluation process, or requiring business line management to present operational loss details and resultant corrective action directly to the bank’s highest levels of management. *While all banks surveyed have some framework for managing operational risk, many banks indicated that they were only in the early stages of developing an operational risk measurement and monitoring framework. Awareness of operational risk as a separate risk category has been relatively recent in most of the banks surveyed. Few banks currently measure and report this risk on a regular basis, although many track operational performance indicators, analyse loss experiences and monitor audit and supervisory ratings. *Many banks have identified significant conceptual issues and data needs, which would need to be addressed in order to develop general measures of operational risk. Unlike market and perhaps credit risk, the risk factors are largely internal to the bank and a clear mathematical or statistical link between individual risk factors and the likelihood and size of operational loss does not exist. Experience with large losses is infrequent and many banks lack a time series of historical data on their own operational losses and their causes. While the industry is far from converging on a set of standard models, such as are increasingly available for market and credit risk measurement, the banks that have developed or are developing models rely on a surprisingly similar set of risk factors. Those factors include internal audit ratings or internal control self-assessments, operational indicators such as volume, turnover or rate of errors, loss experience, and income volatility. Additional details from the interviews are discussed below under five categories:
Many banks noted that awareness of operational risk at the board of director or senior management level has been increasing. The focus on operational risk management as a formal discipline has been recent but was seen by some banks as a means to heighten awareness of operational risk. The greater interest in operational risk was reflected in increased budgets for operational risk measurement, monitoring and control, as well as in the assignment of responsibility for measuring and monitoring operational risk to new or existing risk management units. Overall the interview process uncovered a strong and consistent emphasis on the importance of management oversight and business line accountability for operational risk. Senior management commitment was deemed to be critical for successful corporate-wide risk management. Banks reported that high-level oversight of operational risk is performed by its board of directors, management committees or audit committee. In addition, most respondents referred to the important role of an internal monitor or “watchdog” , such as a risk manager or risk committee, product review committee, or internal audit, and some banks identified several different internal watchdogs, who were all seen as important, such as the financial controller, the chief information officer and internal auditors. The assignment of formal responsibilities for operational risk measurement and monitoring is far from universal, with only about half of the banks interviewed having such a manager in place. Virtually all banks agreed that the primary responsibility for management of operational risk is the business unit or, in some banks, product management. Under this view, business area managers are expected to ensure that appropriate operational risk control systems are in place. Many banks reinforce this risk attribution and responsibility through charging operational losses to the related business or product area. In an earlier survey of internal audit issues, some supervisors noted the trend to conduct more internal control reviews in the business line, rather than in independent units such as internal audit. Several respondents to the operational risk survey noted the creation of new controls or risk management in business lines to assist in the identification and control of risk. Several banks noted one potential benefit of formalising an approach to operational risk. That is the possibility of developing incentives for business managers to adopt sound risk management practices through capital allocation charges, performance reviews or other mechanisms. Many banks are working toward some form of capital allocation as a business cost in order to create a risk pricing methodology as well. Risk Measurement, Monitoring and Management Information Systems Definition of operational risk At present, there is no agreed upon universal definition of operational risk. Many banks have defined operational risk as any risk not categorised as market or credit risk and some have defined it as the risk of loss arising from various types of human or technical error. Many respondent banks associate operational risk with settlement or payments risk and business interruption, administrative and legal risks. Several types of events (settlement, collateral and netting risks) are seen by some banks as not necessarily classifiable as operational risk and may contain elements of more than one risk. All banks see some form of link between credit, market and operational risk. In particular, an operational problem with a business transaction (for example, a settlement fail) could create market or credit risk. While most banks view technology risk as a type of operational risk, some banks view it as a separate risk category with its own discrete risk factors. The majority of banks associate operational risk with all business lines, including infrastructure, although the mix of risks and their relative magnitude may vary considerably across businesses. Six respondent banks have targeted operational risk as most important in business lines with high volume, high turnover (transactions/time), high degree of structural change, and/or complex support systems. Operational risk is seen to have a high potential impact in business lines with those characteristics, especially if the businesses also have low margins, as occurs in certain transaction processing and payments-system related activities. Operational risk in trading activities was seen by several banks as high. A few banks stressed that operational risk was not limited to traditional “ back office” activities, but encompassed the front office and virtually any aspect of the business process in banks. |
|
|