
3 Operational Risk Sept 2014

This document provides an overview of operational risk for bankers. It defines operational risk and discusses its sources, including people, processes, systems, and external events. Common event types that cause operational risk losses are also described, such as internal fraud, external fraud, and execution errors. The document notes that retail banking and trading/sales business lines experience the most operational risk losses. Finally, it outlines the four key steps in managing operational risk: identification and assessment, monitoring and reporting, control and mitigation, and business resiliency planning.

Uploaded by

SaemonInc.

Operational Risk: Identification, Measurement, Management and Control
Bangladesh Bank Training Academy
October 2014

Glenn Tasky
Banking Supervision Advisor
(Supported by International Monetary Fund)
Bangladesh Bank
Mobile: 0175 978 4744 Email: glenn.tasky@bb.org.bd
Operational Risk
Definition
Operational risk is the risk of loss resulting from
inadequate or failed internal processes, people, and systems or
from external events.

The definition includes legal risk. (Note: legal risk is sometimes
handled under compliance risk.)

Losses can be direct (monetary) or indirect (effects of negative
media coverage, loss of customers).

Operational Risk
Sources

• People… make mistakes, act unethically or carelessly.
• Processes… sometimes not adequate
… sometimes not followed
• Systems… have limitations
… can have programming errors
… can have security issues
… can be “down” or unavailable
• External events… aren’t preventable, but sometimes the
consequences are

Operational Risk Sources (1 of 4)

People
ChoicePoint, a data aggregation company,
had to acknowledge selling personal
data on over 140,000 customers to an
identity theft ring.

Resulted in over $30m in fines and costs –
company is no longer independent.

Operational Risk Sources (2 of 4)

Processes
Citi (one of the largest US banking groups)
confirmed that UPS (a logistics and
delivery service) had lost computer
tapes containing information on nearly
4 million customers while they were in
transit to the bank’s credit bureau.

Bank of America admitted to losing tapes
with customer identifiers and account
information on 1.2 million.

Operational Risk Sources (3 of 4)

Systems
Target Corporation, a large American
retailer, was hacked in November 2013,
ultimately resulting in the accessing by
a criminal network of 40 million
credit-card numbers, along with 70 million
addresses, phone numbers, and other
pieces of information.

The retailer has been criticized for
ignoring warnings from its
hacker-detection tools. The CEO resigned in
early May 2014.

Operational Risk Sources (4 of 4)

External events
– Natural disasters
– Terrorism
Cantor Fitzgerald, a U.S. Government
securities dealer, lost 658 out of its 960
New York employees in 9/11 attacks.
It survived as a business because it had an
electronic trading subsidiary, and also was
able to reconfigure its system so trades
went through London instead of New
York.

Some other consequences of operational risk
events
Investor punishment: One study
showed that the negative impact on market
value over a 120-day period following the
announcement of an operational risk loss is
roughly 12 times the amount of the actual loss.

Regulatory sanctions: Regulators
required one bank in Singapore to increase its
capital by an additional SGD 200 million
following a data-center failure that lasted only
seven hours, even though customers were
compensated.

Operational Risk: Spectacular News
(some trading examples)

• Bruno Iksil, aka “London Whale,” JP Morgan Chase, lost more than $2b in 15 days. Total losses: $6.2 billion
• Jerome Kerviel, Soc Gen, bet 200% of the bank’s capital, or €50b. Losses: €4.9 billion
• John Rusnak, AIB, bet 3,000 times his $2.5 m trading limit. Losses: $700 million
• Yasuo Hamanaka, Sumitomo, held 5% of the global copper market. Losses: $2.6 billion

Another way of categorizing Operational Risk
– by Event Types
• Event type A: Internal Fraud
• Event type B: External Fraud
• Event type C: Employment Practices
and Workplace Safety
• Event type D: Clients, Products, and
Business Practices
• Event type E: Damage to Physical Assets
• Event type F: Business Disruption and
System Failure
• Event type G: Execution, Delivery, and
Process Management

What are the most common Event Types?
Which cause the biggest losses?
• Event type A: Internal Fraud
• Event type B: External Fraud
• Event type C: Employment Practices and Workplace Safety
• Event type D: Clients, Products, and Business Practices
• Event type E: Damage to Physical Assets
• Event type F: Business Disruption and System Failure
• Event type G: Execution, Delivery, and Process Management

• Number of instances
– G: 37% of all instances (158,000 total instances of loss amounting to €20,000 or more)
– B: 35% of all instances
• Monetary volume of losses
– D: 38% of losses (total losses €53.8 billion)
– G: 32% of losses

Note: The data were compiled from a sample of
66 leading banks in all regions of the world,
from 2006-2010

Taking a look at the important Event Types in
detail
• Event type B: External Fraud
– Client misrepresentation of
information
– Theft
– Loan fraud
– Cybercrime
– Forgery
– Check fraud
– Theft of information
– Fraudulent transfer of funds
– Payment fraud

Taking a look at the important Event Types in
detail
• Event type D: Clients, Products, and Business Practices
– Regulatory violation.
– Compromised customer
information.
– Fiduciary breach.
– Mis-selling products, ignoring
customer suitability.
– Noncompliance with anti-money
laundering regulations.

Taking a look at the important Event Types in
detail
• Event type G: Execution, Delivery, and Process Management
– Inaccurate/incomplete contract.
– Transaction, processing, data entry error.
– Staff error in lending process.
– Mismanagement of account assets.
– Model risk.
– Pricing error.
– Failure of external supplier/vendor.
– Failure to follow procedures.
– Lost or incomplete loan documentation.
– Tax noncompliance.

In which business lines do we find the most
operational risk?
• Corporate Finance
• Trading and Sales
• Retail Banking
• Commercial Banking
• Clearing
• Agency services
• Asset management
• Retail brokerage
• Private banking
• Corporate items
• Across multiple lines

In which business lines do we find the most
operational risk?
• Corporate Finance
• Trading and Sales
• Retail Banking
• Commercial Banking
• Clearing
• Agency services
• Asset management
• Retail brokerage
• Private banking
• Corporate items
• Across multiple lines

• Number of losses:
– Retail banking 59%
– Trading and sales 11%
• Monetary volume of losses:
– Retail banking 37%
– Trading and sales 26%

Operational Risk
Risk Management Environment
Four steps in OR risk management

Identification and Assessment

Monitoring and Reporting

Control and Mitigation

Business Resiliency and Continuity

Four Steps in OR Risk Management
Identification and Assessment
• Conditions that increase exposure to operational risk
– Bank engages in new activities or develops new products
– Bank enters unfamiliar markets
– Bank implements new business processes or ICT systems
– Bank has far-flung operations geographically distant from HQ
– New activities transition from low level to key revenue drivers
– High staff turnover

• Under these circumstances, banks have to be
especially alert!

Four Steps in OR Risk Management
Identification and Assessment
• Tools to use in identifying and assessing OR:
– Audit findings (can uncover inherent risk or vulnerabilities).
– Internal loss data collection and analysis.
• Categorize actual losses according to Event Type and Business Line.
• Quantify losses.
– External loss data collection and analysis.
• Use industry studies to determine most common/most costly events.
• Stay up to date on actual bank OR events as reported in media.
– Risk assessments
• Bank reviews its processes against a library of potential
threats and vulnerabilities and considers potential impact.

Four Steps in OR Risk Management
Identification and Assessment (contd.)
• Tools to use in identifying and assessing OR:
– Business process mapping (can show exact points of possible
vulnerability).
– Scenario analysis:
• Purpose is to identify high-impact, low-frequency events in business
units.
• Business unit heads may not like this!
• Requires putting estimated value and probability of occurrence on
possible events.
• May lead to higher capital requirements for business unit.

Four Steps in OR Risk Management
Identification and Assessment (contd.)
• Tools to use in identifying and assessing OR:
– Scenario analysis (continued)

“Are you saying that you want us to figure out how to lose
$10 million?” – business line head

Goal of scenario analysis is to identify
potential scenarios that could create
losses above some threshold (say, $10
million)

Four Steps in OR Risk Management
Identification and Assessment (contd.)
• Tools to use in identifying and assessing OR:
– Scenario analysis (continued)

The risk of catastrophic loss is difficult to measure by other
means.
Has some drawbacks:
- Humans are poor at estimating probabilities of
catastrophic events (also known as “tail events”).
- Managers may be shy about discussing potential
vulnerabilities in their business units.

Four Steps in OR Risk Management
Identification and Assessment (contd.)
• Tools to use in identifying and assessing OR:
– Scenario analysis (continued)

Example of successful scenario analysis:

Participants identified a large loss due to a
duplicate wire sent overseas that was not
recoverable.

Expected loss was $10 million and probability
estimated as one event every five years.

Four Steps in OR Risk Management
Monitoring and Reporting
• Senior management MUST regularly monitor
operational risk profiles and material exposures to
losses.

• Reports on OR to senior management should include:
– Actual losses
– Inventory of possible events and expected losses
– Narrative of internal and external vulnerabilities
– Progress on correcting gaps

Four Steps in OR Risk Management
Control and Mitigation
• Internal controls are key to avoiding operational risk
events
– Code of conduct.
– Segregation of duties and dual control (to avoid concealment of
losses, errors, or other inappropriate actions).
– Clear authorities, approval processes.
– Monitoring for adherence to limits.
– Safeguards for access to and use of bank assets, records.
– Appropriate staffing level and training.
– Identification of business units where activity seems excessive.
– Vacation policy (absence for two consecutive weeks).

Four Steps in OR Risk Management
Control and Mitigation (contd.)
• Control over ICT risks and outsourcing
risks
– Business continuity, disaster recovery
– Careful selection of service providers
– Contingency plans in case of non-performance by
service provider

• Transferring risk is sometimes an option
– Insurance
– Insurance is a complement, not a substitute, for
internal controls!

Operational Risk
Some Summary Remarks

• Categorize potential event losses by impact and frequency

[Figure: matrix of Impact of Loss Event (Low to High) against Frequency of Loss Event (Low to High). Labels: Scenario analysis; External data, scaled to fit bank; Out of Business; Loss data collection; Key risk indicators; Risk and control assessment; Monitoring and reporting]

Operational Risk
Some Summary Remarks
• Have a governing structure for OR
– Business units, subsidiaries, support functions: Risk identification
– CFO’s office (Operational Risk Section): Determination of risk owner and creation of Top Risk List
– Business units, subsidiaries, support functions: Key Risk Indicator identification; Creation of mitigation plans
– Operational Risk Committee: Mitigation of risk; Acceptance of risk; Transfer of risk
– Business units, subsidiaries, support functions: Implementation of mitigation; Outsourcing or Insurance

Every risk must have an owner!
