Operational Risk Management in Banks

1 1
 Risk, Return and Capital
• Risk is related to amount of capital that the firm requires to achieve a sufficient level of
protection against adverse circumstances.
=

• Risk is used to adjust the returns from business activities to determine whether
activities are adding value to business.
=

2
3
Basel and RBI Consultation Process

Basel •
•
New Basel Capital Framework (1999)
Basel II Accord (2006)
• Standardized Approach of Operational Risk (Basel III) (2017)
Committee • PSMOR (2021)

Reserve • Guidance note on Management of Operational Risk (2005)

• Guidelines on The Standardised Approach (TSA)/Alternative Standardised Approach (ASA)
Bank of (2010)
• Guidelines on Advanced Measurement Approach (AMA) (2011)
India (RBI) • MD on Minimum Capital Requirements for Operational Risk (December, 2021)
 Why Financial Institutions should worry about managing their
operational risk?

• Direct Financial Impact

PNB's loss for the quarter following the scam's discovery was also a massive $1.90
billion - the biggest ever for an Indian lender.

• Impact on Market Capitalization

• Regulatory Scrutiny

PNB fraud: Bank loses Rs 8,000 crore market cap in 2 days; 6 times its annual profit

5
 Definition of Operational Risk (Basel II)
Operational risk is defined as “the risk of loss resulting from
inadequate or failed internal process, people and systems or
from external events.” (BCBS, 644)

Why a loss happened?

6 6
Causes & Consequences: We tend to only focus on the loss Events without giving
serious thought to their cause AND their consequences.

Events (What Happened?)

Cause Internal Fraud (IF)
(Why did event happen?)
External Fraud (EF)
People
Employment Practices and Workplace Safety (EPWS)
Process
Clients, Products & Business Practices (CPBP)
System
External Events Damage to Physical Assets (DPA)
Business Disruption and System Failures (BDSF)
Execution, Delivery & Process Management (EDPM)

Effects (What are the consequences?)

7 7
s
 Internal and External Fraud
• A typical organization loses 5% of its revenues to fraud each year,
Association of Certified Fraud Examiners (ACFE), 2020
• ₹5 trillion in bank frauds in the past seven and half years
• 100 crores every day
• One bank official is held for fraud every four hours in a public sector bank
(PSB), an analysis of data compiled by The Times of India, based on a
Reserve Bank of India (RBI) report, revealed.
• An estimated USD 1 trillion is paid each year in bribes
• India lost a staggering USD 13 billion to trade misinvoicing, Global Financial
Integrity
Resulting from lack of adequate internal processes, people and systems to tackle operational risks (Annual Report, RBI)

Total Fraud Losses in Banks in India

10000 2000

9000 1800

8000 1600

7000 1400

6000 1200

5000 1000

4000 800

3000 600

2000 400

1000 200

0 0
2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022

Number of Frauds Value of Frauds (Billion Indian Rupees)

Employment Practices and Workplace Safety
• 151 workers sustain a work-related accident every 15 seconds
(International Labor Organisation).

• Estimates from the International Social Security Association (ISSA)

suggest that costs associated with nonfatal workplace accidents alone
equal approximately 4 percent of world gross domestic product (GDP)
each year
Clients Products and Business Practices
• Globally, from the beginning of the financial crisis and until 2020,
penalties and fines on banks are expected to top US$ 400 billion.

• In last five years, the Reserve Bank has imposed monetary penalties
on many occasions on various commercial banks operating in India

• According to reports from UNODC and Europol, two to five per cent
of the global GDP is laundered every year. This accounts for EUR 715
billion to 1.87 trillion.
• The losses from operational risks at major banks world-wide have
fallen sharply, from a peak of 6.2% of gross income in 2011 to 1.6% in
2016 (ORX).

What about India??

According to the RBI Systematic Risk Survey, operational risk, although,

at medium level, but is showing rising trend from October 2015
Examples: Event Classification

13
• July 2019, Capital One, the US credit card giant, said a hacker had
penetrated the bank’s firewall and got hold of the personal data of
100 million credit card applicants as well as 140,000 social security
numbers and 80,000 bank account numbers of existing credit card
customers.
• Misappropriation of funds from various accounts committed by
Manager while posted at Kota Branches under Regional Office jaipur.
• builder got the plot registered in favour of his wife without getting the
same mutated in her name as per the revenue records. Also, payment
was made without inspection of the site. On inspection, it was found
that House was not constructed
• The party had withdrawn Rs.15,000/- from his savings account
through ATM when there was no balance. Again the party tried to
withdraw money on next day and succeed to withdraw Rs.15,000/-.
Due to this his balance in savings account turned to Debit.
• Goldman Sachs International (GSI) was fined $45 million by the
Financial Conduct Authority (FCA) for failing to provide accurate and
timely reporting relating to 220.2 million transaction reports between
November 2007 and March 2017.
• Wall Street brokerage Morgan Stanley settled a sex discrimination suit
brought by the Equal Employment Opportunity Commission (EEOC)
for $54 million. In its lawsuit, the EEOC alleged a pattern of
discrimination that denied scores of women promotions and gave
higher salaries to less productive men.
• Fire due to short-circuit in Vijaywada branch resulted in loss of Rs
219000
• Six armed miscreants entered the branch and took everyone at gun
point. One miscreant forced branch Manager to show him the strong
room. Later, they fled away with cash amount of Rs. 12.28 lac and
also robbed Rs. 3 Lac from a customer.

• Burglary at the branch . 4 new sets of computers & few old

computers were stolen from the branch premises.
 A loss event is an operational loss event is determined by the causes rather than
consequences of an event.

Boundary Event

Bank Customer (Defaulted) What type of an Event it is?

Credit Risk/Operational Risk

Collateral (Value of Collateral Decline) Non-Credit Risk/Operational Risk

 Loss Event Type Category (Annex-9)
Event Type Category (Level-1) Categories (Level-2) Activity Example (Level – 3)

Internal Fraud Unauthorized Activity, Theft and Transaction not reported, Fraud, Bribe
Fraud
External Fraud Theft and Fraud, System Security Theft/robbery, Hacking damage, theft of
information
Employment Practices and Employee Relation, safe Compensation, termination issue, workers
Workplace Safety environment compensation
Clients, Products & Business Suitability, Disclosure & Fiduciary, Breach of privacy, failure to investigate
Practices Improper Market Practices client per guidelines, exceeding client
exposure limits
Damage to Physical Assets Disaster & other Events Natural disaster losses, terrorism

Business Disruption and system Systems Hardware, software

failures
Execution, delivery & Process Transaction Capture, Execution, Data entry error, Failed mandatory
Management Customer Documentation, Vendor reporting obligation, legal documents
& Suppliers missing 23 23
 Operational Risk Taxonomies
Nature of Event Causal Event Classification
Classification
Idiosyncratic/Controllable/ People Internal Fraud
Bank-Specific Events Employment Practices and Workplace Safety
Process Client Products and Business Practices
Execution Delivery and Process Management
System Business Disruption and System Failure
Systematic/ External External Fraud
Uncontrollable Events Events Damage to Physical Assets

A loss event is an operational loss event is determined by the causes rather

than consequences of an event.
 Data Puddle: An Issue
• Data ‘puddles’ occur when the loss event being analysed can be correctly classified into
more than one risk category. Example:

- The Officer breached the control limits related to portfolio, sector or borrower unit.
(Internal Fraud/CPBP)

- PNB Fraud (Internal Fraud/Process Failure)

- Sub-prime Crises (Operational Risk/Credit Risk Event)

25 25
• According to the recent survey of operational risk professional across
the globe (2022) by risk.net, the biggest operational risk the banks are
exposed to is IT disruptions followed by Theft and Fraud and Talent
Risk.

• From many years, Process related Losses are more severe

- Clients, products and business practices event lead to highest losses
(Amount)
 Taxonomy: To effect types
• P&L Effect (in case of operational risk loss events).
• Reputation Damage
• Near Misses

NPA
27 27
Fraud in Wells Fargo: Impact
• Wells Fargo experienced the biggest operational risk loss in April,
continuing a run of significant fines that have dogged the bank since
2016. The Consumer Financial Protection Bureau and the Office of
the Comptroller of the Currency fined Wells Fargo a total of $1 billion
for two violations: failing to follow correct procedure for mortgage
applications, and inappropriately adding insurance cover for
borrowers who had vehicle loans with the bank.
• US Federal Reserve order to Wells Fargo in February, which stops the
bank from being able to grow at all until it improves its governance
and risk management practices, is just the latest sobering example for
banks
It includes legal risk, but excludes strategic and reputation risk.

Legal Risk includes, but not limited to, the risk of loss resulting from failure to comply
with laws, prudent ethical standards and contractual obligation. It also includes the
exposure to litigation from all aspects of an institution's activities.

Strategic risk is the current and prospective impact on earnings or capital arising from
adverse business decisions, improper implementation of decisions, or lack of
responsiveness to industry changes.

“Reputational risk is the potential that negative publicity regarding an institution’s

business practices, whether true or not, will cause a decline in the customer base, costly
litigation, or revenue reductions”. Board of Governors of the Federal Reserve System (2004)

29 29
• Financial Stability Report, called frauds in banks and financial institutions as
“one of the emerging risks to the financial sector.”

• “In a number of large value frauds, serious gaps in credit underwriting

standards were evident,” the RBI said, adding that some of the gaps include
lack of continuous monitoring of cash flows and cash profits, diversion of
funds, double financing and general credit governance issues in banks.

• RBI: Indian banks to fully disclose its bad loans, speed up their recovery, and
stop hiding fraud cases as non-performing assets

• Weak Implementation of EWS is major causes of Frauds in Banks

 Trends relating to GNPAs Ratio and Rate of Recovery for Banks in India
(NPAs have declined in 2021 and Recovery Rate has improved)
14 60.00

12
50.00

10
40.00

30.00

20.00
4

10.00
2

0 0.00
2003-04 2004-05 2005-06 2006-07 2007-08 2008-09 2009-10 2010-11 2011-12 2012-13 2013-14 2014-15 2015-16 2016-17 2017-18 2018-19 2019-20

GNPAs Ratios Rate of Recovery

31
 Long run Pooled PD of Canara Bank

9.00%
8.00%
7.00%
6.00%
5.00%
4.00%
3.00%
2.00%
1.00%
0.00%
2008-09 2009-10 2010-11 2011-12 2012-13 2013-14 2014-15 2015-16 2016-17 2017-18 2018-19 2019-20 2020-21

Recovery Rate of Canara Bank

70.00%
60.00%
50.00%
40.00%
30.00%
20.00%
10.00%
0.00%
2009-10 2010-11 2011-12 2012-13 2013-14 2014-15 2015-16 2016-17 2017-18 2018-19 2019-20 2020-21
 Profile of Credit and Non-credit Losses
Employmen
Clients, Business Execution, Total
t practices Damage to
Internal External products & disruptions delivery &
& physical
Fraud Fraud business & system processs
workplace assets
practices failures management
safety
TOTAL No. of events 2 57 0 0 0 0 0 59
(Credit Total Loss
Related) 9.47 5289.19 0.00 0.00 0.00 0.00 0.00 5298.66
Amt
TOTAL No. of events 23 44 0 0 3 0 18 88
(Non Credit Total Loss
Related) 138.96 1224.34 0.00 0.00 2.69 0.00 128.07 1494.06
Amt
No. of events 25 101 0 0 3 0 18 147
TOTAL Total Loss
148.43 6513.54 0.00 0.00 2.69 0.00 128.07 6792.72
Amt

It has been claimed that 50% of banks bad debts are, in fact, operational risk losses, often
through failures of documentation which invalidate collateral, whether on retail or
wholesale transaction.
33
• Timely recognition and reporting to reduce economic costs and
address vulnerabilities

• Experience suggests that many times the fraud comes to light when
banks start recovery on a Bad loan

• According to Global Banking Fraud Survey, KPMG International 2019 ,

“fraud recoveries are less than 25 percent of fraud losses”.
Thank You

35