
Tunis Business School - Fall 2024

Operational Risk Management

Eymen Errais, PhD, FRM


Introduction to Operational Risk
Introduction to operational risk

▪ According to the Basel Committee, operational risk is defined as the risk of loss resulting
from inadequate or failed internal processes, people and systems, or from external
events.

▪ The Basel Committee has further classified risk events according to seven event types:
➢ Internal Fraud
➢ External Fraud
➢ Employment practices and workplace safety
➢ Clients, products, and business practices
➢ Damage to physical assets
➢ Business disruption and system failures
➢ Execution, delivery, and process management

Internal Fraud

▪ Internal fraud (IF): Events intended to defraud, misappropriate property, or circumvent
regulations or company policy, involving at least one internal party, categorized into
unauthorized activity and internal theft and fraud.

▪ Types of internal fraud vary by business line. An indicative list:


➢ Corporate Finance: Loan fraud, Embezzlement, Failure to follow procedures/limits,
misuse of confidential information
➢ Trading and Sales: Unauthorized trading, misappropriation of assets, misreporting of
positions, breaching of trading limits
➢ Retail Banking: Theft of customer data, embezzlement, theft of assets, check fraud
➢ Commercial Banking: Fraudulent transfer of funds, embezzlement, theft of customer
funds
➢ Payment & settlement: Payment fraud, theft of customer funds or assets
➢ Asset Management: Unauthorized trading

External Fraud

▪ External fraud (EF): Events intended to defraud, misappropriate property, or
circumvent the law, by a third party, categorized into theft, fraud, and breach of system
security.

▪ Examples of external fraud include:


➢ Theft and Fraud
o Theft/Robbery
o Forgery
o Check Kiting
➢ Systems Security
o Hacking damage
o Theft of Information (w/monetary loss)

Employment practices and workplace safety

▪ Employment practices and workplace safety (EPWS): Acts inconsistent with
employment, health, or safety laws or agreements, categorized into employee
relations, safety of the environment, and diversity and discrimination.
▪ Employment practices can further be subdivided according to the following
sub-categories:
➢ Employee Relations
o Compensation, Benefits, Termination issues
o Organised Labour Activity
➢ Safe Environment
o General Liability (slip and fall, etc.)
o Employee Health & Safety Rules events
o Workers Compensation
➢ Diversity & Discrimination
o All discrimination types

Clients, products, and business practices

▪ Clients, products, and business practices (CPBP): Events due to failures to comply
with a professional obligation to clients, or arising from the nature or design of a
product, including disclosure and fiduciary, improper business and market practices,
product flaws, and advisory activities.

▪ Examples include fiduciary breaches, misuse of confidential customer information,
improper trading activities on the bank’s account, money laundering, and sale of
unauthorised products.

Damage to physical assets

▪ Events leading to loss or damage to physical assets from natural disasters or other
events such as terrorism.

▪ Types of physical damage vary by business line. An indicative list:


➢ Trading and Sales: Business continuity failure, damage to building and premises
➢ Retail Banking: Fire, floods, damage to building and premises
➢ Commercial Banking: Damage to building and premises, Natural disaster
➢ General: Natural disaster, Terrorist attack, Earthquake

Business disruption and system failures

▪ Business disruption and system failures (BDSF): Events causing disruption of business
or system failures.

▪ Types of business disruption may vary by business line. An indicative list:

➢ Retail Banking: Utility outage, Online system failure
➢ Payment & Settlement: Failure of payments infrastructure
➢ General: IT system failure

Execution, delivery, and process management
▪ Execution, delivery, and process management (EDPM): Events due to failed
transaction processing or process management that occur from relations with trade
counterparties and vendors, classified into categories such as transaction execution
and maintenance, customer intake and documentation, and account management.
▪ Types of execution errors vary by business line. An indicative list:
➢ Corporate Finance: Inaccurate/incomplete contracts, Transaction errors, Staff
errors
➢ Trading and Sales: Data entry errors, model risk
➢ Retail Banking: Pricing errors, failures of external suppliers
➢ Commercial Banking: Failure to follow procedures, incomplete loan documentation,
processing error
➢ Payment & Settlement: Data entry error, failure to follow procedures
➢ Agency Services: Processing error
➢ Asset Management: Mismanagement of account assets
➢ General: Inaccurate financial statements, vendor failure, tax non-compliance
Historical Cases
Large Operational Risk – Cyber risks

▪ Cyber risks are risks of losses from external attacks on an institution's systems. They
can originate from many sources, including organized crime, hackers, and insiders.
They generally lead to fraud, embezzlement, loss/theft of personal or company data,
and theft of intellectual property. Companies can protect against cyber risks by
conducting regular phishing exercises to educate employees and by using user account
controls, firewalls, and intrusion detection software.

▪ Some of the best-known examples of cyber risks include:


✓ The 2011 cyberattack on Yahoo, which resulted in the data breach of 3 billion user
accounts;
✓ The 2016 hacking of the Central Bank of Bangladesh's networks;
✓ The 2017 cyberattack on Equifax, which affected the data of 143 million users.

Large Operational Risk – Compliance risks

▪ Compliance risks are risks that an organization will incur fines and penalties as a
result of intentional or unintentional failures to follow laws and regulations. Regulatory
infractions are especially important because they can result from a small part of an
organization's global activities but can lead to hefty fines. Designing adequate software
and instituting internal training can mitigate these risks. Examples include:

▪ The USD 1.9 billion fine levied on HSBC in 2012 due to lack of adequate anti-money
laundering programs;
▪ The USD 8.9 billion payment by BNP Paribas to the U.S. government as a result of
transacting with sanctioned countries;
▪ The USD 2.8 billion fine levied on Volkswagen for cheating on emissions tests.

Large Operational Risk – Rogue trader risk

▪ Rogue trader risk is the risk that a single employee's (trader's) activities, if not
properly detected and supervised, could lead to significant losses for an institution.
However, institutions may be tempted to let rogue activities, even if detected, continue
unsanctioned if they lead to a profit. One of the most effective ways to protect against
rogue trader risk is to separate the activities of the front and back offices: the front
office should conduct trading activities, while an independent back office should be
responsible for verifying transactions and recordkeeping.

▪ Two of the best-known examples of rogue trading are:

✓ Nick Leeson at Barings Bank, which resulted in a nearly USD 1 billion loss for the
bank that led to its collapse in 1995;
✓ The EUR 4.9 billion loss suffered by Société Générale in 2008 due to the activities
of Jérôme Kerviel. Other rogue trading examples involve UBS in 2011 and Allied
Irish Bank in 2002.

Biggest fines coming from operations risk

Historical cases

▪ January 2008—SocGen (4.9 billion euros loss). A trader, Jérôme Kerviel,
systematically deceives systems, taking unauthorized positions worth up to 49 billion
euros in stock index futures. The bank has enough capital to absorb the loss but its
reputation is damaged.

▪ December 2001—The Enron scandal drew attention to accounting and corporate fraud
as its shareholders lost $74 billion in the four years leading up to its bankruptcy, and its
employees lost billions in pension benefits.

▪ February 1995—Barings ($1.3 billion loss). Nick Leeson, a derivatives trader, amasses
unreported losses over two years. Barings goes bankrupt.

Measuring Operational Risk
Comparison of approaches

▪ Top-down models attempt to measure operational risk at the broadest level, that is,
using firmwide or industry-wide data. Results are then used to determine the amount of
capital that needs to be set aside as a buffer against this risk. This capital is allocated to
business units.

▪ Bottom-up models start at the individual business unit or process level. The results are
then aggregated to determine the risk profile of the institution. The main benefit of
bottom-up models is that they lead to a better understanding of the causes of operational
losses, as in the case of value at risk (VAR)-based market risk systems.

Tools to measure and manage operational risk

• Audit oversight. This consists of reviews of business processes by an external
audit department.

• Critical self-assessment. Each business unit identifies the nature and degree
of operational risk. The tools used for this type of process include checklists,
questionnaires, and facilitated workshops. The results are then aggregated, in a
bottom-up approach.

• Key risk indicators. This approach consists of simple measures that provide an
indication of whether risks are changing over time. These early warning signs can
include audit scores, staff turnover, trade volumes, and so on. The assumption is
that operational risk events are more likely to occur when these indicators
increase. These objective measures allow the risk manager to forecast losses
through the application of regression techniques, for example.

Tools to measure and manage operational risk
• Earnings volatility. This approach consists of taking a time series of earnings,
after stripping the effect of market and credit risk, and computing its volatility. This
risk measure is simple to use but has numerous problems. The measure also
includes fluctuations due to business and macroeconomic risks, which fall outside
of operational risk. Also, such a measure is backward-looking and does not
account for improvement or degradation in the quality of controls.
• Causal networks. Networks describe how losses can occur from a cascade of
different causes. Causes and effects are linked through conditional probabilities.
Simulations are then run on the network, generating a distribution of losses. Such
bottom-up models improve the understanding of losses since they focus on drivers
of risk. Causal networks are best applied to processes involving complex work
flows with many activities.
• Actuarial models. These models combine the distribution of frequency of losses
with their severity distribution to produce an objective distribution of losses due to
operational risk. These can be either bottom-up or top-down models.

Actuarial models: Loss Distribution Approach (LDA)

• Actuarial models estimate the objective distribution of losses from historical data
and are widely used in the insurance industry. Such models combine two
distributions: loss frequencies and loss severities.

• The loss frequency distribution describes the number of loss events over a
fixed interval of time. The loss severity distribution describes the size of the loss
once it occurs. This is called the loss distribution approach (LDA).

Managing Operational Risk
Capital allocation and insurance

▪ Like market VAR, the distribution of operational losses can be used to estimate
expected losses as well as the amount of capital required to support this financial
risk.

Capital allocation and insurance

▪ The expected loss (EL) represents the size of operational losses that should be
expected to occur. Typically, this is dominated by high-frequency, low-severity events.
This type of loss is generally absorbed as an ongoing cost and managed through internal
controls. Such losses are rarely disclosed.

▪ The unexpected loss (UL) represents the deviation between the quantile loss at some
confidence level and the expected loss. Typically, this represents lower frequency,
higher-severity events. This type of loss is generally offset against capital reserves or
transferred to an outside insurance company, when available.

▪ The stress loss represents a loss in excess of the unexpected loss. By definition, such
losses are very infrequent but extremely damaging to the institution.
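
Added example, not part of the original slides: a Monte Carlo run of the loss distribution approach that combines a frequency and a severity distribution into annual losses, then splits the result into expected loss, unexpected loss and the stress tail as defined above. The Poisson frequency, lognormal severity, parameter values and function names are assumptions chosen for illustration; the 99.9% level is the one-year confidence level the deck quotes for the AMA.

```python
import math
import random


def poisson(rng, lam):
    """Draw a loss count using Knuth's multiplication method (fine for small lam)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(lam, mu, sigma, n_years, seed=0):
    """Return sorted total losses for n_years simulated years.

    Frequency: Poisson(lam) loss events per year (assumed).
    Severity: lognormal(mu, sigma) size per event (assumed).
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(n_years):
        events = poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return sorted(totals)


def loss_profile(sorted_losses, confidence=0.999):
    """Split the simulated distribution into EL, UL and the stress tail."""
    n = len(sorted_losses)
    rank = max(1, math.ceil(round(confidence * n, 6)))  # 1-based order statistic
    quantile = sorted_losses[rank - 1]
    expected = sum(sorted_losses) / n
    return {
        "EL": expected,             # mean annual loss, absorbed as a running cost
        "quantile": quantile,       # annual loss at the confidence level
        "UL": quantile - expected,  # deviation of the quantile loss from EL
        "stress_years": sum(1 for x in sorted_losses if x > quantile),
    }


if __name__ == "__main__":
    # Constructed parameters: 5 events/year, median severity about 22,000.
    losses = simulate_annual_losses(lam=5, mu=10.0, sigma=1.0, n_years=20000, seed=1)
    for name, value in loss_profile(losses).items():
        print(f"{name:>12}: {value:,.0f}")
```

The simulated EL can be checked against the closed form for a compound Poisson sum, lam × exp(mu + sigma²/2); the quantile has no closed form, which is why the distribution is simulated.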

Mitigating operational risk

▪ Operational risk can be minimized in a number of ways, through internal and external
controls.

▪ Internal control methods consist of:


o Separation of functions.
o Dual entries.
o Reconciliations.
o Tickler systems. Important dates for a transaction (e.g., settlement and exercise
dates) should be entered into a calendar system that automatically generates a
message before the due date.
o Controls over amendments.

▪ External control methods consist of: confirmations, verification of prices, authorization,
internal and external audits.

The Basel operational risk charge
Operational Risk Charge

▪ One of the most significant additions to the Basel II Accord, finalized in 2004, is the operational
risk charge (ORC). This establishes a minimum amount of capital that banks need to hold to cover
their operational risk.

▪ The new rules allow three alternative methods to compute ORC:
o Basic Indicator Approach
o Standardized Approach
o Advanced Measurement Approach

Basic Indicator Approach

▪ The simplest is called the basic indicator approach (BIA). This is based on an
aggregate measure of business activity. The capital charge equals a fixed percentage,
called the alpha factor, of the exposure indicator defined as gross income (GI). (This is
taken as the average of positive gross income numbers over the past three years.
Negative values are excluded.)

▪ The advantage of this method is that it is simple, is transparent, and uses readily
available data. The problem is that it does not account for the quality of controls. As a
result, this approach is expected to be mainly used by nonsophisticated banks.

Standardized Approach

▪ The second method is the standardized approach (TSA). Here, the bank’s activities are
divided into eight business lines. Within each business line, gross income is taken as
an indicator of the scale of activity. The capital charge is then obtained by multiplying
gross income by a fixed percentage, called the beta factor, and summing across
business lines:

Advanced Measurement Approach (AMA)

▪ The third class of method is the advanced measurement approach (AMA). This allows banks to
use their own internal models in the estimation of required capital using quantitative and
qualitative criteria set by the Basel Accord. No particular method is prescribed, but AMA is allowed
only if the bank demonstrates effective management and control of operational risk.

▪ The qualitative criteria are similar to those for the use of internal market VaR systems. Once these
are satisfied, the risk charge is obtained from the unexpected loss (UL) at the 99.9% confidence
level over a one-year horizon:
