Measuring and Managing Operational

Risk Under Basel II

 Outline of Presentation
Introduction to Operational Risk
(OR)
The Basel II OR framework
Measuring OR under the AMA
Latest QIS OR Results
OR Management
Evaluation, Implications and
Conclusions
 hat is OR?

pplies to all firms (financial and non-financial) Used to be a

catch-all phrase for non-financial risks Current Basel II definition
is "the risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events''

ncludes both internal and external event risk

egal risk is also included, but strategic, reputational and systemic risks
are not.

irect losses are included, but indirect losses (opportunity costs) and
near misses are not
 Examples of OR Loss Events

Examples of OR Loss Events

 Major OR Characteristics
Partly endogenous
Unwanted by-product of corporate activity Positively
related to complexity of operations
Highly idiosyncratic
OR events tend to be less correlated to each other and
to other risk types
Less directly linked to business cycles
In principle (partially) controllable ex ante
Trade-off is mostly risk vs. cost of avoidance, not risk
vs. return
Key Drivers of Interest in OR
 Size Compared to Other Risks
OR is sizeable compared to other risk types
Its exclusion can make certain businesses appear
Artificially attractive, e.g. asset management and trading
 asel II Framework for OR

cope of application

illar I (minimum capital requirements) Definition

usiness line mapping Classification of loss event types

Measurement approaches (3) Qualifying criteria

illar II (supervisory review)

illar III (market disclosure/discipline)

 Scope of Application for OR
Primarily intended for internationally active banks
and banks with significant OR exposures
Applied, on a fully consolidated basis, at holding
company and lower levels within a banking group
Insurance activities are excluded
Supervisory approval required for banks to revert
to simpler approach once approved for more
advanced one
 illar I - Approach 1
asic Indicator

orresponds to the Standardized Approach for credit risk

apital charge is 15% ('alpha') of bank's average annual gross income

over previous 3 years

ross income should exclude provisions, insurance income, realized

profits/losses from sale of securities in banking book, and
extraordinary or irregular items

o specific criteria/requirements for its use

illar I - Approach 2
tandardized / Alternative Standardized

ank's activities divided ('mapped') into 8 business lines

apital charge is sum of specified % ('beta') of each business line's average

annual gross income over previous 3 years*

eta varies by business line (12%-18% range)

eneral criteria required to qualify for its use

Active involvement of Board and senior management in OR

management framework

Existence of OR management function, reporting and systems

Business Line Mapping
 illar I - Approach 3
dvanced Measurement Approaches (AMA) Corresponds to the IRB
Approach for credit risk OR capital charge to be derived from bank's ow
methods Its use (partial or full) is subject to supervisory approval
The extent of partial use is determined by bank criteria and is
conditional on submission of a plan to roll out AMA fully over time

A hybrid 'allocation mechanism' approach is allowed for the calculation

of OR capital for certain internationally active banking subsidiaries*

roadly similar general criteria and qualitative standards as for Standardized

Approach, to be met on initial and on-going basis

dditional quantitative standards

Soundness standard: selected approach must capture 'tail' loss events

 Pillar I - Approach 3 (cont.)
Additional quantitative standards (cont.)
— Regulatory capital requirement for OR is the sum of EL and UL*
— Sound, internally determined OR loss correlations can be used
— Internal and relevant external loss data, scenario analysis, and
business environment and internal control factors should be used
— Minimum 5-year observation period for internal loss data**
— Criteria for internal loss event capture (e.g. threshold levels, mapping
by business line and event type***, recoveries, attribution etc.)
— Credit losses from OR to be recorded but excluded from
calculations
Risk mitigation
— Risk mitigating impact of insurance limited to 20% of capital charge
— Various compliance criteria for risk mitigation recognition

"Unless the bank can demonstrate that it is adequately capturingEL, in its internal business practices" (section 629b, Pillar One, Third Consultative Paper on
The New Basel Capital Accord', Basel Committee on Banking Supervision, April 2003).
lternative AMA Approaches
iven embryonic state of OR measurement, Basel II lets 'a
thousand flowers bloom' in the AMA

At least) three types of approaches identified Internal Measurement

Approaches (IMA)
PD/EAD/LGD-type framework, where capital charge (UL) is a
fixed function 'gamma' (calculated by bank itself) of EL

oss Distribution Approaches (LDA)

Capital from modeling loss frequency and severity distributions

corecard approaches
AMA — Some Practical Issues
Example: Internal Loss Capture
xample: Loss Modeling
Populating the loss distribution for a specific business
line and event type
VENT TYPES LOSS DISTRIBUTION
illars II and III
illar II

he four key principles mentioned also apply for OR

003 paper on 'Sound Practices for the Management and Supervision of

OR' to form basis for Pillar 2 evaluation

illar III

ualitative disclosures

OR capital approach, including AMA description (if applicable)

Various OR management objectives and policies
OR Management Framework*
Example: OR Control and Mitigation
OR control and mitigation measures
Aimed at both center and tail of OR loss distribution Can be both preventive
(ex ante) and mitigating (ex post) Increasingly based on cost-benefit analysis
There exists a variety of alternative measures
Operational excellence initiatives, e.g. six-sigma, TQM etc. Service Level
Agreements with vendors/service providers Contingency planning and
disaster recovery Capital Risk transfer
- Insurance, e.g. blanket bond, D&O liability, contingent capital etc.
- Capital markets, e.g. cat bonds, weather derivatives
valuation of Basel OR Framework
Pros
orces banks to focus on growing OR issue

ncourages industry efforts for pooling of loss data etc.

llows AMA flexibility and offers simple alternative for smaller banks

ons
eak risk sensitivity of non-AMA approaches Arbitrary rules for Basic and Standardized
Approaches

One-size-fits-all exposure indicators and alpha/beta factors

Ad hoc cap on mitigation from insurance

ikely Impact of OR Capital Charge
Calibrated to produce minimal change at system level

Some redistribution of capital requirements towards

banks with large specialized processing businesses

xamples: brokerage, custody and asset management May incentivize

some of these institutions to de-bank

maller domestic banks will opt for the Basic or

Standardized/Alternative Standardized approach
Implications for Emerging Markets
• Similar themes to Basel IFs credit risk framework
^ OR framework should not be examined in isolation
Conclusions
Basel II has made OR a distinct and important discipline in its
own right
Industry-wide convergence to OR standards will continue to
evolve for the foreseeable future
Loss definitional issues, data collection techniques and quantification
methodologies still under discussion
No one right answer on how to proceed
Approach based on strategic priorities, organizational culture, practical
(cost-benefit) considerations and market/regulatory developments
Classification of Loss Events
Classification of Loss Events (cont.)
Classification of Loss Events (cont.)
EVENT-TYPE CATEGORIES ACTIVITY EXAMPLES
CATEGORY (LEVEL 1) DEFINITION (LEVEL 2) (LEVEL 3)
Monetary Loss Types
Operational Risk Management:
Developments and Challenges
 Discussion Scope

• What is Operational Risk?

• What were the Driving Forces that Gave Rise
to the Operational Risk Management
Discipline?
• What are the Key Elements of ORM?
• What’s Different?
• Key Issues and Challenges Today
What is Operational Risk?

“The risk of loss from inadequate or failed internal

processes, people, and systems or from external
events …”
 What Gave Rise to ORM?
First and foremost, it was the Losses.
Some of the largest landmark cases were:

• Herstatt 1974

• Drexel 1988+
• BCCI 1991
• Orange County and Prudential Securities 1994
• Barings 1995
• Sumitomo 1996

• Long Term Capital 1998

• “9/11” and Enron 2001
• WorldCom 2002
• Putnam 2003
 What Else?

Other Factors – Fallout from the Losses:

• Corporate Governance
• Recognition of the Need for:
– Quantification
– Enhanced Controls
Then came the regulations and laws:
• Basel II and Regulatory Capital
• Sarbanes Oxley in the U.S.
Distinctive Elements of ORM

• The Definition and Focus on

Risk Response / Mitigation
• Profile of the Function
 Distinctive Elements (Cont’d)

• The Loss Data

– Internal
– External Collections
– External Sharing
• Risk Indicator and Control Data
• The Need for Improved Quantification
• Resources
• Risk Control Assessment Tools
 What Else is Different?

• Applying Quantitative Analysis to a Broad

Array or a Composite of Risk Classes (not just
single LOB’s)
• Puts a Name to a Collection of Risk Classes on
a Par with Credit and Market Risks
• Risk Capital
Regulatory Developments
Basel Committee on Banking
Supervision

• Intent for Operational Risk

– To include “Other Risks” in regulatory capital charges
– To refine implied buffer in the 1988 Accord
• Basel Committee Pronouncements:
– January 2001 Consultative Document on Operational Risk
– Various Working Papers
– Most Recent: November 2005 International Convergence
Standards
Background and Regulatory
Developments

• Basel, Switzerland - home of the Bank for International

Settlements (BIS)
• “Basel I”: The 1988 Basel Accord – Primary initial focus
on Credit Risk
• Evolution toward Market and Liquidity Risks
• Most Recent Discussions: Further refinement of Credit
Risk and Segregation of Operational Risk
• Next on the Agenda: Basel IA and Basel II
Basel Capital Adequacy Framework

The Component Parts (“Three Pillars”):

• Minimum Capital Requirements
• Supervisory Review of Capital
Adequacy
• Market Discipline
OR Regulatory Capital

• Implications and Realities

– Standard Definition
– Advancement of the Discipline
– Regulatory models now more visible than
economic operational risk models
• Range of Proposed Approaches:
– Basic Indicator Approach
– Standardized Approach
– Advanced Measurement Approaches
“The Standardized Approach”

K TSA = Σ (EI 1-8*β 1-8 )

• Divides firm into 8 business lines
• Applies financial indicators by line
• A beta factor is applied by line
• Issues:
– Still relatively risk insensitive
– Data factors are relatively blunt
“Advanced Measurement Approaches”

• Also divides firm into a series of business

lines and risk types
• Separate expected loss figure generated
from each line / event type combination.
• Simple aggregation of business lines
• Still many questions, including:
– Industry Data?
– Diversification effect?
AMA Mapping for Quantification

t
g

en
ce

ki n

e
le s

m
g

ice

ag
an

ki n

an

ttle

gt.
Sa

er
Fin

rv
lB
an

Se

ok
tM
Se
&

ica
te

lB

Br
g

&

se
cy
a

din

er
ta i
or

nt

As

l
en

ta i
mm
rp

e
Re
a

Ag
ym

Re
Tr
Co

Co

Pa
Internal Fraud

External Fraud

Employ Pract & Workplce Safety

Clients Products & Bus Practices

Damage to Physical Assets

Bus Disruption & System Failures

Execution, Delivery & Process Mgt.

AMA “Loss Distribution Approach”

• Introduced in September, 2001 as one of proposed

Advanced Management Approaches (AMA).
• Estimates probability distribution functions by:
– imposing distribution assumptions or
– deriving them with empirical data
• Produce likely distribution of losses over a future
time horizon (e.g., one year).
• Capital charge based on simple sum of VaR for each
business line and risk type.
Components of AMA

Qualitative Standards
• Independent Function
• Internal Measurement System Integration
• Regular Reporting
• System Documentation
• Internal / External Audit
• Validation
Components of AMA (Cont’d)

Quantitative Standards
• Committee Not Specifying approach or
Distributional Assumptions
• Specified Loss Event Types
• The sum of EL / UL
• Measurement System must be Sufficiently
Granular to capture major Drivers of risk
• May use internally derived correlations
Components of AMA (Cont’d)

Quantitative Standards (Cont’d)

• Must have Key Features:
– Internal Data,
– External Data,
– Scenario Analysis and
– Bus Environ and Control Factors (BECF)
• Documented and Verified Approach to
Weighing the Elements (Note: 99.9%
Percentile Confidence Interval Required)
Advancement

• Quantitative Analysis Evolution

• Quantitative Role in Operational
Risk Management
• The Value of Risk-Based Capital
• Enhanced Organizational Profile
Concerns

• Regulation Leading Risk Management

• Risk Management as a Compliance
Function
• Prescriptive vs. Principles-based Risk
Management
• Balance between Measurement and
Management
• Data Concerns
• Diversification Effect Concerns
What’s Next?
INSTITUTIONS _
D Bank for International Settlements (BIS)
— Established in 1930; Headquartered in Basel
— Mandate: cooperation among central banks (and other agencies) in pursuit of
monetary and financial stability.
D Basel Committee for Banking Supervision
— Established in 1 974 by the central bank governors of the Group of Ten
countries; Present Chairman: Mr Jaime
Caruana, Governor of the Bank of Spain; Secretariat (12 persons) provided by the
BIS
— Members: Representatives of central banks / authorities with formal
responsibility for the prudential supervision of the
banking business of Belgium, Canada, France, Germany, Italy, Japan, Luxembourg,
the Netherlands, Spain, Sweden,
Switzerland, United Kingdom and United States.
— Meets regularly four times a year. About twenty-five technical working groups
and task forces which also meet
regularly.
— Activity: Formulation of broad supervisory standards and guidelines and
statements of best practice in the expectation
that individual authorities will take steps to implement them through detailed
arrangements - statutory or otherwise -
which are best suited to their own national systems. Recommendations have no
legal force.
Activity: Formulation of broad supervisory standards and guidelines and statements
of best practice in the expectation
that individual authorities will take steps to implement them through detailed
arrangements - statutory or otherwise -
1. BASEL II OVERVIEW BACKGROUND
Basel I: 8% minimum capital ratio
— out-of-date regulatory regime implemented in 1988
- Not risk sensitive e.g. for credit risks, No coverage of operational risk
— No differentiation between banks' degrees of sophistication
— Growing divergence to sophisticated banks' practice (e.g. Economic Risk
Capital approaches)
Targets of Basel II
— Goal is to address known deficiencies in Basel I rules and reduce
opportunities for arbitrage
— More risk sensitivity to align capital more closely with underlying risks, e.g.
credit risk
— Encourage improvement of risk management in banks
— Maintain current capital levels in the banking system
1. BASEL II OVERVIEW
3 PILLAR ARCHITECTURE
1. BASEL II OVERVIEW
TIMELINE
. BASEL II OVERVIEW

IMS AND BUILDING BLOCKS

Aims of Basel II reforms

Radical overhaul of current, out-of-date regulatory regime

Goal is to address known deficiencies in Basel I rules and reduce opportunities for arbitrage

More 'risk sensitivity' for credit risk (i.e. lower ratings = higher charge) plus capital for Op Risk

Roughly similar to Economic Risk Capital (ERG) style approach for capital calculations

Pillar 1 - Summary of proposals:

Pillar 2: Formalized requirements, esp. re: internal capital assessments

d Pillar 3: Large increase in external disclosure, including heavy details about Basel II capital components
2. BASEL II MENU APPROACH OVERVIEW
PILLAR 1 - OPERATIONAL RISK: 3 OPTIONS
3. BASEL II IMPLICATIONS: GOVERNANCE
SYSTEMATIC CONTROL TASKS REQUIRED
3. BASEL II IMPLICATIONS: GOVERNANCE
BANK SPECIFIC ORGANISATION OF CONTROL TASKS
 4. IMPLEMENTATION ISSUES: CREDIT RISK
DATA
STANDARDISED APPROACH
D Availability of external ratings
D Requires to gather more details about each individual collateral
INTERNAL RATING BASED APPROACH
D Need to gather enormous detail about each individual loan -
even under the Standardized approach D Requires complete re-
engineering of how some banks process
loans D Standardizing data sets across branches/subsidiaries is a
major
challenge - warehouse or inter-connect?
4. IMPLEMENTATION ISSUES: OPERATIONAL RISK
DATA & SYSTEMS
STANDARDISED APPROACH
D Break down of Gross Income in Regulatory Business lines D
Specification of local implementation: beware of quick fix from
consultants
ADVANCED MEASUREMENT APPROACH
D Vendors are a sensible way to go in selected areas, but...
D Data relevance & scarcity
D Model development must be ownership by the bank
D Use Test: Models must be integrated into decision-making
5. CONCLUSION AND OUTLOOK
WHAT CAN BANKS AND THEIR STAFF DO?
d At organisation level
- Prepare risk management processes & systems for Basel II compliance
- Substantial changes in oversight & governance of those processes
- Closer integration of risk management & financial control functions
- Closer integration of risk & capital management, e.g. capital allocation by
product/counterparty
d At the risk-MIS level
- Correct/timely capture of all transactional and counterparty dimensions
- Correct exposure measurement a) for internal purposes and b) regulatory
purposes
- Pricing systems more integrated with risk assessments (use test)
d At the individual risk staff level
- Work on making data/rating more appropriate, timely and of sounder quality
- Trades are entered correctly in the MIS
5. CONCLUSION AND OUTLOOK BASEL II IN GENERAL
d Substantial benefits from aligning regulatory and economic capital
- Improved acceptance of capital allocation
- Enhanced market perception, process efficiency and risk-based pricing
- Increase number of variables to influence capital requirements
d New balancing of strategies
- Drive to expand retail business likely to increase competition (e.g. retail,
mortgages, SME's)
- Drive to reduce non-investment grade business likely to increase specialization
- Drive to push corporate/bank clients to enhance governance/disclosure set-up
- Potential of consolidation for banks focused on corporate, SL, SF business
d The industry/supervisory dialogue must go on ... to Basel III?
- Build a common understanding
- Clarification of interpretation issues
- Concrete examples and suggestions
ANNEX: OPERATIONAL RISK CONTENT
1. OVERVIEW QUALIFYING CRITERIA
2. BASIC INDICATOR APPROACH
3. STANDARDISED APPROACH
4. COMPARING OPERATIONAL RISK WITH CREDIT &
MARKET RISK
5. THE 4 ELEMENTS OF THE AMA QUANTIFICATION
6. FOCUS ON HIGH-IMPACT LOW-FREQUENCY EVENTS?
7. "SWISS-CHEESE" MODEL - "MAJOR" OpRISK EVENTS
8. COMPONENTS OF CSG'S SCENARIO ANALYSIS
OPERATIONAL RISK
OVERVIEW QUALIFYING CRITERIA
ANNEX: OPERATIONAL RISK
BASIC INDICATOR APPROACH
ANNEX: OPERATIONAL RISK
STANDARDISED APPROACH
 ANNEX: OPERATIONAL RISK AMA
COMPARING QpRISK WITH CREDIT AND MARKET
RISK
The table below compares OpRisk with market and credit risk, considering
each characteristic in turn and its impact on the ability to quantify OpRisk. While
market and credit risk have many similarities, OpRisk is very different.
Market Risk Credit Risk OpRisk

Risk position Quantifiable

Yes Yes Difficult*
exposure
Money lent; Potential Difficult - no ready position
Exposure measure Position; Risk sensitivity
exposure equivalent available*

Completeness Portfolio Known Known Unknown

Completeness
Context
Context Low Medium High
dependency
dependency &
data relevance Data frequency High Medium Low*

Measurement Risk assessment VAR; Stress testing Rating & loss models No true risk models
& validation
Accuracy Good Reasonable Low
Adequate data for Backtesting difficult to Results very difficult to test
Testing
backtesting perform over short term over any time horizon
Market risk models well Using models considered
Summary established and proven reasonable - but should Models appear inadequate
tools be used with care
 ANNEX: OPERATIONAL RISK AMA
THE 4 ELEMENTS OF THE AMA QUANTIFICATION

d A bank's AMA OpRisk model must include the following 4 elements:

(1) Internal loss data (2) External loss data
(3) Scenario analysis (4) Business environment & internal control factors
d There are a number of practical implementation issues with each of these 4 elements:
ANNEX: OPERATIONAL RISK AMA
FOCUS ON HIGH-IMPACT LOW-FREQUENCY EVENTS
ANNEX: IMPLEMENTATION ISSUES CONTENT
1. RISK CULTURE
2. CREDIT RISK: SYSTEMS
3. CHALLENGES FOR REGULATORS
4. SWISS FEDERAL BANKING COMMISSION'S APPROACH
ANNEX: IMPLEMENTATION ISSUES
RISK CULTURE
Developing a risk management culture for credit will require
major change in many banks
The concepts of PD, LGD and EAD need to permeate down to
loan officers and up to Boards
Model needs integration into everyday activities - pricing, capital
allocation, provisioning, rewards
Boards (and some management) need education in portfolio
concepts of credit risk
"Old school" credit officers will need retraining
Biggest challenge for banks in many markets is that the
incentives will not be there in many cases for moving to the
higher levels of B2
 ANNEX: IMPLEMENTATION ISSUES CREDIT RISK
SYSTEMS
STANDARDISED APPROACH
D Limited system requirements
D Specification of local implementation: beware of quick fix from
consultants
INTERNAL RATING BASED APPROACH
D Vendors are a sensible way to go in selected areas, but... D Model
development must be ownership by the bank: only
partnership with vendors D Use Test: Models must be integrated into
decision-making
ANNEX: IMPLEMENTATION ISSUES CHALLENGES FOR
REGULATORS
The Basel II framework is extremely demanding on supervisors
Three types of responsibilities:
- General compliance
— Pillar 2 Supervisory Review
— Eligibility (permission) to use IRB or components thereof
Third set is where the biggest challenges are and which will require skill
upgrades in many regulators
Second set requires judgment - not something that every regulatory
agency has fostered
— The challenge is to develop a framework within which supervisors can make
decisions and exercise their judgements - requires guidance, peer review
and accountability
— It will move many regulators outside their comfort zones
ANNEX: BASEL II IMPLEMENTATION IN SWITZERLAND
SWISS FEDERAL BANKING COMMISSION'S APPROACH
hy the Interest In Operational Risk?
mphasis on transparency in financial reporting

Technological advances make data more readily

available

Investor advocacy groups demand more disclosure

Bank regulators encouraging market discipline as a

regulatory device

Legislation tightening accounting standards as a

s Operational Risk Increasing?
eregulation, globalization, and advances in technology
have increased complexity

Complex, multinational production processes

Financial products with numerous embedded

options and guarantees

Exploding variety and complexity of hedging

products and strategies
Is Operational Risk Increasing?
New technologies create new risks
> Automated back office processing systems
increase risk of system failure
> Hedging strategies reduce market and credit risk
but create additional operational risks
> E-banking and E-commerce increase risk of fraud
and create new and unknown risks
> Outsourcing creates new risk exposures
egulatory and Rating Firm Response
asel Committee

Incorporates a charge for operational risk in its

Basel Capital Accord

Established guiding principles for the

management of operational risk

ating firms (Moody's, Fitch, Standard & Poor's) will

consider operational risk in assigning firm financial
Motivation for Study
In spite of increasing attention to operational risk,
little systematic information exists on the extent
and impact of operational risk
Existing evidence is mostly anecdotal
Basel Committee survey mostly sketchy and does
not identify specific firms or events
What Is Operational Risk?
Until the Basel Committee's deliberations, no
consistent definition existed
Basel Committee definition: "Operational risk is the
risk of loss resulting from inadequate or failed internal
processes, people, and systems, or from external
events"
Operational risks arise from the breakdown of the
production processes that constitute a financial
institution's value chain, producing goods and services
for customers
What Is Operational Risk II?
Operational risk does not include
> Strategic risk
> Reputational risk
> Systemic risk
> Market risk or
> Credit risk
Basel Committee: Op Risk Event Types
Employment practices and workplace safety
— losses from violations of health or safety laws, discrimination
in employment, personal injury claims
Internal fraud — losses from fraud, misappropriation of
property, circumvention of regulations involving an internal
party
External fraud — fraud by an external party Clients,
products, and business practices -
unintentional or negligent failure to meet professional obligation
to clients (including fiduciary violations) or from the nature or
design of a product
Basel Committee: Business lines
Basel Committee also classifies events into standard
business lines (for banks):
> Corporate finance
> Trading and sales
> Retail banking
> Commercial banking
> Payment and settlement
> Agency services
> Asset management
> Retail brokerage
Can Operational Risk Be Insured?
Some operational risks can be insured
> Bankers blanket bond covers internal fraud
> Property insurance: natural & man-made disasters
> Liability insurance covers some types of negligence
> Limited coverage available for systems failure
Many op risks are "catastrophic" & uninsurable
> Catastrophic system failure
> Rogue traders, etc.
> Transaction processing and counterparty risk
Fraudulent misrepresentations to customers
 I. Definition
• The Specific Nature of Operational Risk
– Embedded risk
• Not a transaction-risk but a risk embedded in processes, people and
systems and due to external events.
– Inherent risk
• A large part of operational risk is inherent to the business in which
we are engaging and inherent to management processes.
– Hidden risk
• The costs due to OR are difficult to trace or anticipate since most are
hidden in the accounting framework.
• Leads to underestimation of the risk (e.g. information security).
– Unstable risk
• Not linearly linked to the size of the activities. Small activities can be
very risky high risk, and vice versa.
• OR can be very unstable and grow exponentially in a short period.
– Reputation risk
• A second order risk, leading to additional damage in the form of
damage to reputation.
 I. Definition
Underlying causes of operational losses : processes - people - systems -
or external events.
Legal risk included , strategic and reputation risk excluded.

Appropriate manager per category of operational event :

Execution, Delivery & Process Management : ORM
Clients, Product & Business Practices : ORM
Internal fraud : Inspection / ORM
External fraud : Inspection
Employment practices & workplace safety : Security
Damage to physical assets : Security
Business disruption & system failures : Security
 II. Outlines of the Basle
Reform
• General Objective :
– Define rules and procedures for banks to properly cover
their different types of risks due to business activity.
• Three Pillars
– Pillar One : Capital Adequacy - formulas and calculations
– Pillar Two : Supervisory Review Process - adjustment of
supervision to individual risks profiles
– Pillar Three : Market Discipline - information disclosure
 II. Outlines of the Basle
Reform
• Regulatory Capital for OR introduced for the first time
• Rule of thumb : OR capital = 12% of minimum capital requirement
• Basic indicator approach (BI ):
– OR capital function of gross income (15%)
– Gross income = interest margin + fees + other revenues
• Standardised approach (β )
– Only accessible to local banks
– OR capital function of gross income per business line
– Beta factor between 12% and 18% of gross income, estimated
via QIS on a sample of 29 institutions.
 II. Outlines of the Basle
Reform
 Standardised approach (β ) - Business lines

Business line Bêta factor

Corporate Finance 18%
Trading & Sales 18%
Retail Brokerage 12%
Retail Banking 12%
Commercial Banking 15%
Payment & Settlement 18%
Asset Management 12%
Agency services (custody,
corporate agency, corporate
trust) 15%
 II. Outlines of the Basle
Reform
Advanced Measurement Approach (AMA ) in Basle II:
• Banks are free to model their OR capital themselves
• Strongly recommended for internationally active banks
• Floor capital at 75% (so far) of the capital level under the Standardised
Approach, and 9% of total regulatory capital
• Submitted to quantitative and qualitative standards, such as:
 incident reporting history of 5 years, minimum 3 years;
 mapping of risks and losses to regulatory categories
 independent ORM function;
 implication of the senior management;
 written policies and procedures;
 active day-to-day OR management.
 II. Outlines of the Basle
Reform
Advanced Measurement Approach (AMA ) in Basle II:

• Several types of models admitted by the Committee:

 Loss Distribution Approach (LDA) : purely quantitative
 Scorecard approach :mainly quantitative : assessment of risk level

and quality of risk management based on different dimensions

 Mix of the two : capital calculations based on incident data +

adjustments to account for risk management quality

 III. Modelling
Operational Risk
Quantitative approach : LDA (Loss Distribution Approach)
• Frequency distribution of losses per business line : Poisson distr.

• Severity distribution of losses per business line : logN distr.

Both distributions are combined by Monte Carlo simulations.

 III. Modelling
Operational Risk
LDA
• Modeling of frequency and of severity distribution of losses, per business line
• Internal data : to model to body of the distribution
• External data : to model extreme events (tail of the distribution)
Frequency
Body region Tail region

Loss amount
Internal data External data
Cut-off mix
99.9% = Required Capital
 III. Modeling Operational
Risk
Remaining issues on :
√ the cut-off mix
√ the relevant data to include (different processes in each firm)

Crucial data choice in the capital determination

Paradox of the incident data collection :

• Data collection is mandatory,
• But external data essentially drive the capital amount.

Data collection needed for active ORM reasons.

 IV. Managing
Operational Risk
Four Dimensions of Operational Risks

Risk & Control Self-Assesment (RCSA)

Key Risks /Key Performance Indicators

Dashboards - Dynamic risk analysis

Internal Reporting : Mapping of losses

 Dimension One : Incident
Incident reporting tool :
Reporting
 Free to define, often Access based
 Full reporting tool, for management purposes, > 1000 € loss
 Internal control when encoding
 Fields to include per event :
1. Date
2. Event localisation : BU, department, service
3. Event type : codification of Basle categories
4. Business line : codification of Basle categories
5. Comment : nature of the event
6. Gross Loss amount
7. Recovery amount : via insurance / other
8. Actions taken : preventive / corrective
9. Reporter coordinates.
 Dimension One : Incident
Reporting
• First exploitation possibilities of an incident database
– Summary statistics of the losses
– ! Matching the organisation chart rather than the Basle categories
– Total losses, Min, Max, Frequency
• “Low Frequency, High Severity” events
– Identification of the potential “uncapped” risks
– Top loss analysis
– Examples?
• “High Frequency, Low Severity” events
– Recurrent, small, similar events
– May signal a breach in control
– Could be inherent to the activity (to be included in pricing)
 Dimension Two :
Dynamic Loss Analysis
 Dashboards
 Periodic reporting (monthly/quarterly) of KRI’s
 Early warning: timely identification of changes in control level : change
in the trend

Example
UNIT TOTAL ALL
Number Amount Average Loss/Income % TOP 5 amounts
Q1 1.
Q2 2.
Q3 3.
Q4 4.
5.
PER TYPE
Type x
Number Amount Average Loss/Income % TOP 5 amounts
Q1 1.
Q2 2.
Q3 3.
Q4 4.
5.
 Dimension Three : Key
Risks & Key
Performance Indicators
 People: turn-over, temporary staff, overtime, client complaints, absenteeism
 Processing: outstanding confirmations, (status/duration of) reconciliation; failed &
overdue settlements; claims & complaints; manual bookings; reversals
 Accounting: volumes & lead-times suspense-accounts; reversals;
 Systems: logs of downtimes; hacking-attempts; project-planning-overruns

Tolerance Actual
Risk Category KRI Measures Required* Levels Score Indicator Management Action
Transaction Recording/ Front/Back Office No >1 day, Value
Processing reconciling items

Transaction Recording/ Net marginal cost of interest Value

Processing charging

Trade Settlement Trade Fails % of month's trades,

duration of total fails
 Dimension Three : KRIs
& KPIs
• Headlines :
– Regular KRI reporting for all businesses and
functions
– Green, Amber and Red thresholds for all KRI’s
– Develop new/better KRI’s on on-going basis
– Discuss all KRI reports in OR committee
– Immediate management response to red and amber
KRI’s
– Trend analysis and local lessons learnt program
 Dimension Four : RCSA

Identification Assessment Mitigation

Acceptablerisks

IDENTIFIED
CONTROL
RISKS

KEY
UNACCEPTABLE
RISKS TRANSFER
RISKS

Unidentified
risks AVOID
 Dimension Four : RCSA

Identification
Incident reporting analysis
Check list from the key risks library
Prioritization list with the line management
Orientation questionnaires with selected people
from the department.
 Dimension Four : RCSA
• RCSA performed by local management, with the support of
ORM
 RCSA processes for all key businesses and functions
 High level management driven identification of key risk
areas
 Apply & document the analytic RCSA process
 Report & discuss the outcomes of a RCSA in ORC
 Implementation & progress-tracking of mitigating
actions and key risk indicators (KRI)
 Line management is responsible and key for the output
 Dimension Four : RCSA
Mitigation of uncapped or significant risks via :
Better controls : process control / supervision /
training,
Transfer : insurance policies / merge of
activities,
Avoidance : activity suppression / outsourcing /
automation.