1. Trang chủ >
  2. Kinh Doanh - Tiếp Thị >
  3. Quản trị kinh doanh >

2 OR: How can we define it?

Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (7.03 MB, 811 trang )

Operational Risk: Definition, Measurement and Management


more generally, problems of incompetence and negligence of the financial institution

human resources. There are many examples of significant losses suffered by major financial institutions which can be related to this factor:

• In May 2001, a Lehman Brothers dealer in London wrongly input a 300 USD million

value for a stock market trade rather than USD 3 million, causing a 120 points reduction

in the FTSE 100 stock market index;

• In December 2001 UBS Warburg suffered a USD 50 million loss in its Japanese equity

portfolio due to a data entry error regarding the number of shares of a stock trade;

• At the beginning of 2002 Allied Irish Bank suffered a USD 750 million loss on a

significant trading position built by a trader of its US subsidiary who clearly violated

the internal rules of the bank (see Box 17.1).

Publisher's Note:

Permission to reproduce this image

online was not granted by the

copyright holder. Readers are kindly

requested to refer to the printed version

of this chapter.


Risk Management and Shareholders’ Value in Banking

Systems. This factor includes the events related to information systems and technology in

general. They include hardware and/or software failures, computer hacking or viruses, and

telecommunications failures. The growing reliance of the financial industry on information systems and, more generally, on technological resources, has significantly increased

the importance of this type of risk. A number of examples of significant losses suffered

by financial institutions are also extensively documented, regarding this type of risk factor. They typically include losses originated by events such as unauthorized access to

information and systems security, excessive risk taking due to software failures, loss of

data due to information system failures, and utility outages.

Processes. This factor includes the losses that originate from inadequacies in the internal

processes and procedures. Examples include events such as the violation of the information system security due to insufficient controls (security risk), errors in the execution

and/or settlement of securities and foreign currency transactions (transaction and settlement errors), inadequate record-keeping, accounting and taxation errors, mispricing and

errors in risk measurement due to problems in the internal models and methodologies

(model risk), and breaches of mandate.

External events. This final factor includes all the losses a bank may suffer as a consequence of a wide range of external events which typically are not under the control of

the bank’s management. These include events such as changes in the political, regulatory

and legal environment that negatively affect the bank’s profitability, operational failures

at suppliers or outsourced operations, criminal acts such as theft, vandalism, robbery, or

terrorism, and natural events such as fire, earthquake and other natural disasters. This

type of OR losses are significantly different from the ones related to people, systems and

processes. Indeed, while the latter can be minimized, both in their frequency and their

impacts, through the development of adequate internal procedures (e.g., clearly defining individual responsibilities, and adequate internal control policies), the occurrence of

external events does not depend on the banks’ internal investments, policies and efforts,

although the bank management plays a role in trying to minimize their impact on the

P&L account, e.g. through adequate contingency plans.

External factors might also cause reputational losses (although these do not fall into

operational risk, as defined by the Basel Committee). Think, e.g., of a bank financing a

company which is subsequently found guilty of selling weapons to a rogue state supporting

terrorism: if the bank’s brand and the company’s name are repeatedly mentioned together

in the press, the bank is likely to suffer a damage, e.g., because customers may want to

move their accounts.2

Table 17.1 reports the above classification of OR main factors.

17.2.2 Some peculiarities of OR

Before moving to the analysis of the alternative criteria to measure OR, it is important to

take a look at some peculiarities of this type of risk.


At the beginning of 2002, a medium-sized US bank was threatened (and its senior management actually

attacked) by an environmentalist action group, because of financing a company operating in biotechnologies

and genetically-modified food.

Operational Risk: Definition, Measurement and Management


Table 17.1 Operational risk and its main factors



Fraud, collusion and

other criminal


IT problems

(hardware or software

failures, computer

hacking or viruses,

Violation of internal or


external rules

(unauthorized trading, Unauthorised access

insider dealing, etc.)

to information and

systems security

Errors related to


Unavailability and

incompetence or

questionable integrity


of data

Loss of important

employees (illness,

injury, problems in

retaining staff, etc.)

Violations of systems




Utility outages




settlement and

documentation errors

(transaction risk )

Errors in models,

methodologies and

mark to market

(model risk )

Accounting and

taxation errors


formalization of

internal procedures.

Compliance issues.

Breach of mandate


Criminal activities

(theft, terrorism or


Political and military

events (wars or

international sanctions)

Changes in the

political, legal,

regulatory and tax

environment (strategic

risk )

Natural events (fire,

earthquake, flood, etc.)

Operational failure at

suppliers or outsourced


Inadequate definition

and attribution of


The most relevant one is related to the fact that OR, contrary to market and credit risks,

is not taken on a voluntary basis but is simply a natural consequence of the different

activities performed by a financial institution.

Indeed, a bank can avoid a specific type of market risk by closing (or avoiding) trading

positions which are sensitive to that market specific factor; alternatively, it could hedge

that specific exposure by trading a derivative instrument. Assume a bank is expecting the

French stock exchange to perform badly: it could simply avoid taking a long position on

the French equity market or hedge any pre-existing position by selling stock index futures

on the CAC 40 index. In the same way, a bank can avoid a specific credit risk by simply

refusing to grant a loan or by buying protection through an OTC credit derivative.

This line of reasoning does not apply to OR. Indeed, the only way to avoid OR is to

close down any banking business. As shown by the examples above, OR is intrinsically

connected to all banking activities, from lending to securities trading and underwriting,

from payment services to investment banking. This simply means that a bank cannot

avoid this type of risk. Furthermore, despite the recent development of a number of risk

transfer instruments,3 OR hedging is hampered by the lack of a liquid secondary market,

like those available for interest, market and credit risks.

A second important feature of OR, which makes it different from other risk types such

as interest or market risks, relates to its nature of “pure risk” as opposed to “speculative

risks”. By this, we mean that while for interest or market risks, risk originates from the

volatility of returns, which in turn may lead to either positive results (profits) or negative


See section 17.4.


Risk Management and Shareholders’ Value in Banking

ones (losses), OR (like casualty risks covered by insurance policies) does not give rise to

return variability but simply to the possibility of losses.4 Indeed, it would quite difficult

to imagine a human error or an IT failure generating unexpected profits!

A third important peculiarity of OR (linked to the previous one) is that it does not

involve an increasing relationship between risk and expected returns. In fact, while in

the case of financial risks (such as interest rate, market or credit risks) higher risks

are typically associated to higher expected returns, this is not the case for OR. Indeed,

if we exclude the cost savings which may result from lower investments in effective

internal processes, procedures and controls, there is no reason to expect a higher OR to

be associated to a higher profitability for the bank. Lending money at a high interest rate

to a high leverage company or investing in the equity capital of a small biotech company

both represent high risk investments, with possibilities of significant losses. However, they

are also associated to a relatively high expected return. Assume a bank operating in the

securities settlement business does not enforce adequate internal controls and procedures

and is therefore exposed to a significant risk of human and information system errors.

While this too does represent a risky activity, there is no reason to expect it to generate

higher profits for the bank.

A fourth peculiarity of OR is related to its complexity, as far as identification and

understanding of risks are involved. This is clearly reflected by the different definitions of

OR that can be found in the financial industry, and is most likely the consequence of the

wide heterogeneity of the factors that generate OR losses. Such a complexity becomes

fully apparent when OR is to be measured: indeed, as we shall see in the next section,

measuring OR also requires to overcome significant problems related to data availability,

extreme and rare events, etc.

Finally, it is worth stressing that, as mentioned above, OR is different from other

banking risks because of the lack of hedging instruments. Indeed, while in recent years a

Table 17.2 OR peculiarities




Consciously and willingly faced


“Speculative” risks, implying losses or profits

Pure risks, implying losses only

Consistent with an increasing relationship

between risk and expected return

Not consistent with an increasing

relationship between risk and expected


Easy to identify and understand

Difficult to identify and understand

Comparatively easy to measure and quantify

Difficult to measure and quantify

Large availability of hedging instruments

Lack of effective hedging instruments

Comparatively easy to price and transfer

Difficult to price and transfer


An exception to this rule is represented by external events. Indeed, events such as changes in the regulatory,

fiscal or political context in which a bank operates may give rise both to unexpected losses and to unexpected

profits if these changes affect the bank’s profitability favourably.

Operational Risk: Definition, Measurement and Management


number of financial institutions and insurance companies have started to offer risk transfer

instruments which allow to hedge losses arising from some specific (and mainly external)

events, a liquid secondary market for the OR hedging does not yet exist.5

The peculiarities of OR and its main differences with respect to financial risks are

summarized in Table 17.2.


This section describes a step-by-step approach to the measurement of OR. Such an

approach is aimed at highlighting the implications of an effective OR measurement system for the organizational structure of the bank; indeed, as we shall see, the different

profiles of operational risk will have to be defined through the active participation of the

senior and middle management running the various business lines of the bank. Since the

main aim of this paragraph is to help the reader understand the managerial implications

of setting up an OR measurement system, the techniques used, by way of example, for

the assessment and quantification of expected and unexpected losses will deliberately be

kept very simple. Appendix 17A will describe a more sophisticated, statistical approach

based on EVT (extreme value theory, see Chapter 9).

Before we enter into the details of the various phases of an OR measurement system,

let us first briefly discuss the main criteria and objectives of an OR measurement system.

First, measuring OR requires an appropriate mapping process of the bank’s – and eventually of other banks – historical losses to the relevant risk factors. This allows one to

build an adequate database, which can then be used to measure OR accurately. Second,

measuring OR requires to distinguish between an expected loss component, which should

be covered by adequate provisions, and an unexpected loss component, which should be

covered by the bank’s equity capital. Finally, an appropriate OR measurement system

should be aimed at estimating the amount of economic capital absorbed by this type of

risk. This implies that the measurement system should be consistent with the criteria (time

horizon, confidence level, etc.) used by the bank for the measurement of the other types

of risks.

Let us now look at the problems which are typically faced by a bank trying to measure OR.

The first problem comes from the fact that some of the events related to OR tend

to produce losses which are difficult to quantify. Take the example of a bank whose

franchise has been negatively affected by a regulatory change. Quantifying the loss

requires an estimate of the negative impact of such change on the bank’s future earnings,

√ which could be quite difficult.

A second problem is related to the fact that some of the OR events are quite rare.

This means that an individual bank has a limited direct experience of such losses. This

in turns makes it quite difficult to estimate the probability distribution of these events

in a statistically significant way. A bank may then decide to turn to pooled data, like

those recorded in publicly available databases: however, this is likely to pose several

challenges. First, and most significant, not all losses are reported publicly. Also, as larger


In the case of credit risk we do not only refer to credit derivatives but also to all the transactions such

as loan sales and securitization which allow to transfer risk. A typical example is represented by the CBO

(collateralized bond obligations) and CLO (collateralized loan obligations) markets.


Risk Management and Shareholders’ Value in Banking

losses are more likely to have been reported, a positive relationship may exist between

the loss amount and the probability that it is included in public data sources. If such

a relationship exists, then the data are not a random sample from the population of all

operational losses, but rather a biased sample containing a disproportionate number of

very large losses. Statistical inference based on such samples can yield biased parameter

estimates: namely, the presence of too many large losses is likely to lead to an upwardbiased estimate of the bank’s exposure to OR. To avoid such a problem, banks may

decide to pool together their internal databases on operational losses, subject to a mutual

√ confidentiality commitment (see the introduction to this part of the book).

A third problem relates to the low reliability of past historical data for the estimate of

both the probability and the loss size of future OR events. Take, e.g., losses originated by

errors in the IT systems for interbank payments or international securities settlement.

These kind of loss events have become less and less frequent over time thanks to

technological and organizational progress. Their historical frequency is therefore a bad

proxy for their future probability; conversely, past data may underestimate the threat

posed by new classes of operational risks, like those related to hackers and computer

√ crime.

Finally, OR measurement is negatively affected by the fact that it has become “fashionable” only in rather recent times. Indeed, banks all over the world started to seriously

analyse this type of risk and collect relevant data only in the late 90’s. OR measurement therefore suffers from a relative lack of statistically significant time series of loss

data, which are needed to estimate expected and unexpected losses. Indeed, the lack

of reliable internal operational loss data has often prevented banks from improving the

statistical techniques used for OR measurement. Due to the unavailability of adequate

databases, many banks are still to achieve proper risk quantification models covering

operational risk.

Having stated the main objectives and characteristics of an OR management system, let

us introduce our simplified approach. As indicated by Figure 17.1, the next sections will

discuss a number of different phases that will build up a complete OR measurement


17.3.1 Identifying the risk factors

The first phase in OR measurement requires to estimate the relevant risk factors. This

means defining a list of the events which the bank would consider as part of OR. This

phase is particularly important as it should also allow to build a common language across

the different business units of the bank. Table 17.1 reports an example of the possible

outcome of this first phase.

17.3.2 Mapping business units and estimating risk exposure

The second phase requires to map, to the factors identified in the first phase, the various

business lines and activities carried out by individual business units. This means that

one needs to identify all relevant OR events for each business unit. For example, it is

quite likely that “internal fraud” events play a major role for the trading unit, while being

almost irrelevant for the securities placement business.

Operational Risk: Definition, Measurement and Management


1. Identification of the risk factors

2. Estimating exposures to the risk factors – Exposure Indicator (EI)

(mapping business processes)

3. Estimating probability of occurrence of the risky events – Probability of Event (PE)

4. Estimating loss in case of events (severity) – Loss Given Event (LGE and LGER)

5. Estimating expected loss – Expected Loss (EL = EI x PE x LGER)

6. Estimating unexpected loss – Unexpected Loss (UL)

7. Estimating OR capital at risk (CaR)

Figure 17.1

The different phases of the OR measurement process

This phase is similar to the “risk factor mapping” process that banks have to carry

out regarding financial risks (see, e.g., Chapters 3 and 5). More specifically, one needs to

identify (see Table 17.3):

(i) for each business unit, the relevant risk factors;

(ii) for each business line with in a business unit, one or more exposure indicators (EI)

representing its vulnerability to different risk factors. These EIs could be P&L variables, such as gross operating income, or balance sheet aggregates, like total asset

under management.6

17.3.3 Estimating the probability of the risky events

The third phase of the measurement process requires to estimate a probability of occurrence for each risk factor/business unit combination. This estimate may be based on

different techniques and data sources depending on whether loss events are frequent, so

that internal bank data are likely to be enough to allow a statistically significant estimate,

or events, in which case other data sources need to be identified (like pooled databases


This exposure indicator may not be needed in case a monetary definition of the average loss for each OR

event is adopted rather than a percentage of the exposure one (see next section).


Risk Management and Shareholders’ Value in Banking

Table 17.3 Mapping business units to risk factors

Risk factors

People Technology Processes External











Merchant Banking,

Advisory Services,

Securities u/w &


Securities u/w

& placement












Trading &



Retail Banking,

Cards, Private





Corporate Lending,

Project Finance


Payment and


Payment and







Corporate Agency,







Unit trusts,

segregated accounts





Life & Casualty






Proprietary Trading,

Sales, Mkt Making









Retail Brokerage








Legend: TR = total revenues, GI = gross operating income, AM = assets under management, TP = total premiums.

run by interbank consortia,7 as well as data provided by professional data vendors8 ). The

former events typically tend to generate relatively low losses: hence, they are generally

labelled as “high frequency low impact (HFLI) events”. Conversely, less frequent events

are often associated with more significant losses and therefore are called “low frequency

high impact (LFHI) events”. As a result, probability distribution for OR losses tend to be


An example of such cooperative efforts is Morexchange (Multinational Operational Risk Exchange), a database

originally introduced in November 2000 by major financial institutions such as JP Morgan, CIBC and Royal

Bank of Canada. This database, managed by the a New York-based software company called NetRisk, collects

all operational loss data from the member banks, which are analysed and standardised in order to make them

comparable across banks of different sizes, and finally returned on an aggregate basis to all member banks.


Two examples are represented by OpRisk Analytics and OpVantage, a division of Fitch Risk Management.

Both vendors gather information on operational losses exceeding $ 1 million and collect data from public

sources such as news reports, court filings, and regulatory authorities filings.

Operational Risk: Definition, Measurement and Management






Figure 17.2

High frequency – low impact versus low frequency – high impact events

highly skewed to the right (see Figure 17.2);9 furthermore, due to the special relevance of

extreme losses, the right tail of the distribution is often modelled though ad hoc estimation

techniques, like Extreme Value Theory (see Chapter 9).

The probability of each different type of OR event (that is, of each business unit/risk

factor combination) can be estimated subjectively by the bank’s management, based either

on qualitative judgement or a formal rating system. Such ratings capture the relevance of

a given specific risk factor for the individual business unit, business line or activity, i.e.,

their vulnerability to the risk factor. Such a rating system can then be used, just as for

credit ratings, to quantify the probability of occurrence associated with different rating

classes. Table 17.4 reports a simplified example for a bank’s trading unit: this is based on

a 1 to 10 scale, where each value is associated to probability range covering a one-year

risk horizon.

The synthetic judgements or ratings assigned to each business unit should reflect both

the intrinsic risk of the BU and the level and quality of the controls in place. Indeed, the

introduction of a more effective system of internal controls should, other things equal,

lead to a better rating and therefore a lower risk.

The main shortcoming of this “risk quantification” phase is that it is mostly based on

the managers’ subjective appraisal of risks. This can be mitigated in two ways:

• the exposure indicators and the risk levels assigned to each business unit should reflect

a consensus within the banking industry; in other words, while each bank may have a


Figure 17.1 only looks at the two most common types of events. However, combinations represented by high

frequency-high impact (HFHI) events and low frequency-low impact (LFLI) events, while less common, can

also be identified.


Risk Management and Shareholders’ Value in Banking

Table 17.4 Example of OR exposure for a bank’s trading unit

Risk factor

Qualitative judgement Rating (1 = low risk; Probability range

10 = high risk)

1. Human resources

– fraud



0.3 %–0.5 %

– negligence



1.0 %–2.0 %

– violation of internal rules



7.0 %–10.0 %

– systems failures



0.5 %–1.0 %

– software errors



5.0 %–7.0 %

– telecommunication



0.1 %–0.3 %

– model risk



– transaction risk



2.0 %–3.0 %

– documentation risk



0.3 %–0.5 %

– political risk



0.0 %–0.1 %

– regulatory/fiscal risk



5.0 %–7.0 %

– natural events



0.1 %–0.3 %

2. Technology

3. Processes

>10.0 %

4. External events

different risk profile as compared to the industry average, industry data should always

be used as a benchmark to assess the credibility of the valuation process;

• the valuation of each business unit risk profile should be performed by an independent

unit, such as the internal audit department, based on rigorous, objective and well-defined

criteria, which have to be consistent with the best market practices and applied in a

uniform way to all the bank’s business units; these criteria should be made explicit and

periodically updated.

Finally, it is important to highlight that, while based on subjective judgement and discretionary valuations, the approach described above is relatively flexible and can be easily

tailored to the organizational complexity of the bank, taking account of its risk profile

and the quality of the controls in place.

17.3.4 Estimating the losses

The distinction between HFLI and LFHI events is also relevant for the fourth phase of

the OR measurement process, i.e. when one wants to estimate the average loss associated

Operational Risk: Definition, Measurement and Management


to each type of risky event. Indeed, once the probability of each event (“probability of

event” – PE) has been estimated, a measure of the loss in the case of an event (“loss

given event” – LGE) is needed to quantify the expected loss.

The loss given event can be expressed as either a monetary amount – average dollar

loss – or a percentage of the exposure indicator. In the latter case it is called loss given

event rate (LGER).

Table 17.5 reports some information sources that can be used to estimate PE and LGE.

Table 17.5 Information sources for the measurement of OR

Probability of event (PE)

√ Internal audit reports

√ Internal historical events data

√ Management reports


√ Experts’ opinions (Delphi techniques )

Vendors’ estimates

√ Budgets

Business plans

Loss given event (LGE)

√ Management interviews

√ Internal historical loss data

Historical loss data from other banks or

√ consortium data series

√ Industry benchmark

External estimates (consultants,

dataproviders, vendors, etc.)

Source: adapted from Crouhy, Galai, Mark (2000).

Table 17.6 reports some examples of information sources that can be used for some

specific OR events.

Table 17.6 OR risk factors: example of cause, effect and information source

Risk factor



Loss of key human

resources acquired by



Productivity decrease due

to an unexpected increase

in the business volume


Costs related to the

updating of information



Variance in revenues and

profits (recruiting &

training expenses,

negative impact on the

existing HR)

Information source

Delphi technique

Variance in process costs √ Historical series

with respect to the

External estimates

expected levels

Variance in technological √ Historical series

resources management

√ External estimates

and maintenance costs

Industry benchmarks

The estimate of LGE can also be based on a subjective valuation performed by the

bank’s management;11 however, estimates based on actual historical data look preferable.


Delphi are iterative techniques aimed at developing consensus among different people which can be used to

obtain a group estimate of the probability of future events.


An example is given by the bottom-up approach adopted by the Italian Banking Association for its common

database of OR losses, where the indicator can take four different values:

Xem Thêm
Tải bản đầy đủ (.pdf) (811 trang)