File Downloaded From www.BUstudymate.

in
Risk Management – Operations Risk

Introduction to Operations Risk: Operational risk is defined as the ―risk of loss resulting from inadequate
or failed internal processes, people and systems, or from external events.‖ It includes regulatory (or legal)
risk, external (including counterparty) risk and internal risk. Reducing operational risk is vital to firms within
the financial services industry as sound operational risk management will improve a firm's efficiency,
provide a stable working environment and improve day-to-day working conditions. Operational risk failures,
however, can have severe consequences for firms and, in the most serious cases, threaten their survival.

Recently, there have been several examples in the news of firms that have suffered major financial and
reputational damage as a result of operational risk failings. These cases, along with other factors, have caused
financial institutions to take a much more focused look at the various operational risks they face, ranging
from information security, to business disruptions, to employee errors and more.

Definition of Operations Risk:

The Basel II Committee defines operational risk as: "the risk of direct or indirect loss resulting from
inadequate or failed internal processes, people and systems or from external events".

Meaning of Operations Risk:

Operational risk is the risk that is not inherent in financial, systematic or market-wide risk. It is the risk
remaining after determining financing and systematic risk, and includes risks resulting from breakdowns in
internal procedures, people and systems.

Causes of Operational Risks: There are many causes of operational risks. It‘s difficult to prepare an
exhaustive list of causes because operational risks may occur from unknown and unexpected sources.
Broadly, most operational risks arise from one of three sources.

- People risk: Incompetency or wrong posting of personnel and misuse of powers.

- Information technology risk: The failure of the information technology system, the hacking of the
computer network by outsiders, and the programming errors that can take place any time and can
cause loss to the bank.
- Process-related risks: Possibilities of errors in information processing, data transmission, data
retrieval, and inaccuracy of result or output.

Operations Risk Management:

The term Operational Risk Management (ORM) is defined as a continual cyclic process which includes risk
assessment, risk decision making, and implementation of risk controls, which results in acceptance,
mitigation, or avoidance of risk. ORM is the oversight of operational risk, including the risk of loss resulting
from inadequate or failed internal processes and systems; human factors; or external events.

Definition of ORM:

―The term Operational Risk Management (ORM) is defined as a continual cyclic process which includes risk
assessment, risk decision making, and implementation of risk controls, which results in acceptance,
mitigation, or avoidance of risk.‖

Swaminath S, Asst. Professor, Commerce Dept. Page 1

Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

Features of Operational Risk in Management:

A. As inherent to business, i.e. inseparably linked with almost all business activities;
B. As specific, i.e. its precise form and, therefore, all measures to control and mitigate it strongly depend
on the specific company profile; and
C. As a cultural risk because the handling of so varied and networked risks as they are summarized
under the heading of operational risk is a question of a company‘s risk culture, i.e. its approach and
practices in treating risks especially in day-to-day business.

Principles of ORM:

a) Accept risk when benefits outweigh the cost.

b) Accept no unnecessary risk.
c) Anticipate and manage risk by planning.
d) Make risk decisions at the right level.

ORM Process / Levels of ORM:

A. In Depth: The International Organization for Standardization defines the risk management process in
a four-step model:
1. Establish context
2. Risk assessment – Risk identification, Risk analysis & Risk evaluation
3. Risk treatment
4. Monitor and review

This process is cyclic as any changes to the situation (such as operating environment or needs of the
unit) requires re-evaluation per step one.

B. Deliberate: The U.S. Department of Defense summarizes the deliberate level of ORM process in a
five-step model:
1. Identify hazards
2. Assess hazards
3. Make risk decisions
4. Implement controls
5. Supervise (and watch for changes)

C. Time critical: The U.S. Navy summarizes the time critical risk management process in a four-step
model:
1. Assess the situation: The three conditions of the Assess step are task loading, additive
conditions, and human factors.
- Task loading refers to the negative effect of increased tasking on performance of the tasks.
- An additive factor refers to having a situational awareness of the cumulative effect of
variables (conditions, etc.).
- A human factor refers to the limitations of the ability of the human body and mind to adapt to
the work environment (e.g. stress, fatigue, and impairment, lapses of attention, confusion, and
willful violations of regulations).
Swaminath S, Asst. Professor, Commerce Dept. Page 2
Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

2. Balance your resources: This refers to balancing resources in three different ways:
- Balancing resources and options available. This means evaluating and leveraging all the
informational, labor, equipment, and material resources available.
- Balancing Resources verses hazards. This means estimating how well prepared you are to
safely accomplish a task and making a judgment call.
- Balancing individual verses team effort. This means observing individual risk warning signs.
It also means observing how well the team is communicating, knows the roles that each
member is supposed to play, and the stress level and participation level of each team member.
3. Communicate risks and intentions:
- Communicate hazards and intentions.
- Communicate to the right people.
- Use the right communication style. Asking questions is a technique to opening the lines of
communication. A direct and forceful style of communication gets a specific result from a
specific situation.
4. Do and debrief. (Take action and monitor for change.) - This is accomplished in three
different phases:
- Mission Completion is a point where the exercise can be evaluated and reviewed in full.
- Execute and Gauge Risk involves managing change and risk while an exercise is in progress.
- Future Performance Improvements refers to preparing a "lessons learned" for the next team
that plans or executes a task.

Benefits of ORM:

1. Reduction of operational loss.

2. Lower compliance/auditing costs.
3. Early detection of unlawful activities.
4. Reduced exposure to future risks.

Methods of Operational Risk Management: Basel II and various Supervisory bodies of the countries have
prescribed various soundness standards for Operational Risk Management for Banks and similar Financial
Institutions. To complement these standards, Basel II has given guidance to 3 broad methods of Capital
calculation for Operational Risk: -

A. Basic Indicator Approach - based on annual revenue of the Financial Institution.

B. Standardized Approach - based on annual revenue of each of the broad business lines of the
Financial Institution.
C. Advanced Measurement Approaches - based on the internally developed risk measurement
framework of the bank adhering to the standards prescribed (methods include IMA, LDA, Scenario-
based, Scorecard etc.)

The Operational Risk Management framework should include identification, measurement, and monitoring,
reporting, control and mitigation frameworks for Operational Risk.

Swaminath S, Asst. Professor, Commerce Dept. Page 3

Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

What Comprises Operations Risk?

Features of ORM Software / Requirements: Here are a few features that should necessarily be a part of
your operational risk management solutions:
A. A risk tracking process: An automated risk identifying, assessing and measuring program is ideal in
an operational risk management software technology. Consistent and organized monitoring of events
is requisite to detect risk exposure at individual and enterprise levels. ORMS should help you conduct
a quantitative and qualitative analysis of the identified risk. Risk levels and risk mapping easily allow
you to spot and prioritize hazards.
B. Identifying the instigating events and capturing the root causes
your operational risk management software should be equipped to expose the events and root causes
that led to a risk origination. This is the lead towards mitigating risks, avoiding loss and evaluating
loss expectancy. ORMS should be designed to oversee the event time charts and cycles to trace the
risk causes.
C. Prompt risk notifications: ORMS should have its key risk indicators in place, coupled with relevant
risks from the repository. Automated notifications should be delivered to indicate the breach of risk
thresholds in a timely manner. Providing a heat map at earlier stages that signifies risk position even
before they approach is a commendable software solution.
D. Report generation catered to stakeholders: An ORMS should function to deliver heat maps and
reports customized to each stakeholder's needs. The reported information should be sufficient and
timely in order to allow optimum decision making. Timely reporting is a process in which operational
risk management data will be integrated across different functions and updated on a real-time basis,
prior to report generation.

Basel II: The following lists the official Basel II define the seven event types with some examples for
each category:

A. Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions,

bribery
B. External Fraud - theft of information, hacking damage, third-party theft and forgery

Swaminath S, Asst. Professor, Commerce Dept. Page 4

Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

C. Employment Practices and Workplace Safety - discrimination, workers compensation, employee

health and safety
D. Clients, Products, and Business Practice - market manipulation, antitrust, improper trade, product
defects, fiduciary breaches, account churning
E. Damage to Physical Assets - natural disasters, terrorism, vandalism
F. Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures
G. Execution, Delivery, and Process Management - data entry errors, accounting errors, failed
mandatory reporting, negligent loss of client assets

Implementation of ORM in Business:-

Swaminath S, Asst. Professor, Commerce Dept. Page 5

Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

ORM Framework:

Characteristics of Operations Risk:

Before we can talk about modeling operational risks, it's useful to first understand the unique characteristics
of operational, or "op" risks and their implications on modeling methods.

Characteristic of Op Risks Implication

1. Op risks are endogenous, i.e., specific to the facts
and circumstances of each company. They are shaped
by the technology, processes, organization, personnel,
and culture of the company. By contrast, market, credit
and insurance risks are driven generally by exogenous
factors.
Need to gather company-specific data.
However, most companies don't have a long
history of relevant data. In banking, industry
wide data is being gathered, but it may not be
representative.

2. Op risks are dynamic, continuously changing with
business strategy, processes, technology, competition,
etc.
3. The most cost-effective strategies for mitigating op
risks involve changes to business processes,
technology, organization, and personnel.
Even a company's own historical data may not
be representative of current and future risks.
Need a modeling approach that can measure
the impact of operational decisions. For
example, "how will op risks change if the
company starts selling and servicing products
over the Internet, or if a key function is
outsourced?"

The endogenous and dynamic nature of op risks suggests a greater reliance on expert input and professional
judgment to fill data gaps—at least until companies gather enough historical data over varying business
environments. Use of operational strategies to mitigate op risks suggests a causal modeling approach that
managers can use to perform "what-if" analyses. After all, the goal of risk management is to reduce op risks,
not just measure them.

Swaminath S, Asst. Professor, Commerce Dept. Page 6

Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

Risk Modeling Methods: This list of methods is by no means exhaustive. However, it illustrates very nicely
that there is large inventory of risk modeling methods across finance, engineering, and decision science
disciplines that can be drawn on to suit a particular circumstance.

A. Methods Based on Statistical Analysis of Historical Data: Market, credit, and insurance risks rely
heavily on statistical analysis of historical data for quantification. These risks are modeled primarily
by using methods on the left side of Figure 1. These include, for example:
- Actuarial approaches based on convoluting (difficult) frequency & severity probability
distributions.
- Simulation using stochastic differential equations.
- Extreme value theory to model the tail of a probability distribution

Operational risks can also be modeled using these methods, when there is adequate amount of representative
historical data. High-frequency, low-severity op risks, such as bank settlement errors for example, usually
generate enough data to use methods based on statistical analysis. Although even in this example, as banks
implement straight-through-processing (STP), the risk will change, and the historical data may not be a
reliable indicator of prospective risks.

B. Methods Based on Expert Input: Decision scientists have long relied on methods to quantify risks
when there is little or no objective data. They have had to rely almost exclusively on expert input to
quantify risks, such as likelihood of success or failure of a new drug in early stages of research. These
include:
- Delphi method to elicit information from a group of experts.
- Decision trees, which lay out decision points and resulting discrete uncertain outcomes.
- Influence diagrams, which also map out cause-effect relationships
Over time, they have refined these methods to minimize the pitfalls and biases arising from estimating
subjective probabilities, thereby increasing the reliability of these approaches.

C. Methods Based on a Combination of Data and Expert Input: The methods listed in the middle of
Figure 1 rely on a combination of historical data, to the extent it's available, and expert input as
needed to fill data gaps. They include, for example:
- Fuzzy logic, which uses linguistic variables and rules based on expert input.
- System dynamics simulation, which uses non-linear system maps to represent the causal
dynamics of a system.
- Bayesian Belief Networks (BBN), which relies on a network of cause-effect relationships,
quantified using conditional probabilities.

Most of these methods are borrowed from other disciplines, primarily the engineering sciences. As in the
case of Goldilocks, for op risks, "The statistical methods require too much data," "The decision science
methods rely too much on expert input," and "The methods in the middle are just right!" These methods offer
the best match to the unique characteristics of op risks. As businesses have become more complex and the
interdependencies have increased, managers have struggled to maintain control and make decisions under
uncertainty. Use of enterprise data warehousing and data mining has substantially increased the amount of
data that is available to managers. However, the sad truth is that the terabytes of data have not significantly
increased their understanding of the enterprise wide business dynamics.
Swaminath S, Asst. Professor, Commerce Dept. Page 7
Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

The complexity of the systems is increasing at a faster rate than our knowledge of it. Managers have
responded by focusing on smaller areas of their business and becoming more specialized. They have a much
deeper understanding of their domain but a much lesser understanding of how their domain interacts with
others. Modeling techniques need to be flexible enough to consolidate knowledge that is fragmented across
many experts. They also need to effectively leverage both data and expert input in order to develop a clearer
and more reliable representation of reality.

Operations Risk at Banks: Always banks live with the risks arising out of human error, financial fraud and
natural disasters. The happenings such as WTC tragedy, Barings debacle etc. has highlighted the potential
losses on account of operational risk. Exponential growth in the use of technology and increase in global
financial inter-linkages are the two primary changes that contributed to such risks.

Operational risk, though defined as any risk that is not categorized as market or credit risk, is the risk of loss
arising from inadequate or failed internal processes, people and systems or from external events. In order to
mitigate this, internal control and internal audit systems are used as the primary means.

Risk education for familiarizing the complex operations at all levels of staff can also reduce operational risk.
Insurance cover is one of the important mitigators of operational risk. Operational risk events are associated
with weak links in internal control procedures. The key to management of operational risk lies in the bank‘s
ability to assess its process for vulnerability and establish controls as well as safeguards while providing for
unanticipated worst-case scenarios.

Operational risk involves breakdown in internal controls and corporate governance leading to error, fraud,
performance failure, compromise on the interest of the bank resulting in financial loss. Putting in place
proper corporate governance practices by itself would serve as an effective risk management tool. Bank
should strive to promote a shared understanding of operational risk within the organization, especially since
operational risk is often interwined with market or credit risk and it is difficult to isolate.

Over a period of time, management of credit and market risks has evolved a more sophisticated fashion than
operational risk, as the former can be more easily measured, monitored and analysed. And yet the root causes
of all the financial scams and losses are the result of operational risk caused by breakdowns in internal
control mechanism and staff lapses.

So far, scientific measurement of operational risk has not been evolved. Hence 20% charge on the Capital
Funds is earmarked for operational risk and based on subsequent data/feedback, it was reduced to 12%.
While measurement of operational risk and computing capital charges as envisaged in the Basel proposals
are to be the ultimate goals, what is to be done at present is start implementing the Basel proposal in a phased
manner and carefully plan in that direction. The incentive for banks to move the measurement chain is not
just to reduce regulatory capital but more importantly to provide assurance to the top management that the
bank holds the required capital.

Swaminath S, Asst. Professor, Commerce Dept. Page 8

Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

The 5-M Factors are a model called Man-Machine-Medium-Mission-Management, and are used to examine
the nature of accidents in the transport industries. It was started by T.P. Wright's Man-Machine-Environment
triad at Cornell University. The 5-M incorporates a diagram of 3 intertwined circles and one all-
encompassing circle. In each of the smaller circles "Man," "machine," and "medium" are placed. The large
circle is labeled "Management." The space in the middle where they all meet is called "Mission," which is
the objective the other four M's have in common. It can also be used in troubleshooting - 5 factors Man-
Machine-Materials-Method-Medium (or environment).

The 5-M Model comprises of Man, Machine, Medium, Mission and Management are five core areas that
failing factors of accident/incident may appeared in. This model is one of the most common used methods in
aviation industry to examine aviation accident/incident. It provides manager with a systematic way of
focusing and analyzing areas that errors mostly occurred within the structure of organization.

Man: When an aircraft accident occurs many questions are asked regarding the human component that was
operating the aircraft or system at the time of the accident. Successful accident investigation therefore
requires the investigator to probe beyond the, ‗human failure‘, so as to be able to determine the underlying
factors that contributed or lead to this failure. The question 'Why', arises a lot during investigation of the
operator at the time of investigation. For example: -
 Was the individual mentally or physically capable of responding properly? If not, why?
 Did this failure occur due to a self-induce state such as alcohol intoxication or fatigue?
 Had the individual been properly trained in how to cope with the situation that leads to the accident?
 If not who was responsible for the training deficiency and why?
 Was the individual given adequate operational information on which to base decisions?
 If they were not given proper information, who failed to provide the information and why?
 Was the individual distracted to the point that he/she was not paying proper attention to their duties?
 If so who or what created the distraction and why?

Swaminath S, Asst. Professor, Commerce Dept. Page 9

Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

These are only a few of the questions that arise during a human-factor investigation when trying to establish
what caused the accident. The answers to each of such questions are very vital for the effective measures to
be put in place so as to prevent the accident from re-occurring.

Machine: Due to technology, the machine (aviation technology) has enabled great advances to the aviation
industry. Through automation, human mental work load has been reduced significantly and productivity
increased3. However when machine and computer become more complicated and advances to replace more
jobs from human, it surface occasional problems which are detected with relation to human limitation in
handling them. Therefore, modern aircraft designs are revise through this problem detected to further reduce
the effect of any of these hazards. For instance good design should not only seek to make system failure
unlikely, but it should also ensure that, should it never the less occur, one single failure will not result in an
accident4.

Medium: The medium (environment) in which the aircraft operation takes place, equipment is used and
personnel work directly affects safety4. From the point of view of accident prevention the environment is
considered to comprise of; the natural environment and the artificial environment. One example could be the
unexpected weather condition that form ice near the engine area where ice is injected into the engine, or
reduces the air intake amount which resulted in engine failure.

Mission: The type of mission or the purpose of the operation is also considered important during the
investigation process. This is because each risk is associated with different types of operation which do vary.
One example is the mission/procedure too ambitious that could not be possibly achieve? Each mission being
different will have certain intrinsic hazards that are accepted with the type of mission4.

Management: The training of proper safety procedures is normally done by the management team of the
certain airline or aviation organization. Therefore accident prevention rests on management, as its only
management in any organization that controls the allocation of resources4. For example it is management
that determines the type of aircraft to purchase, what routes to operate in, training and operational procedures
to be given, personnel who will maintain as well as fly the aircraft and so forth. Management are thus the
cornerstone for safety and accident prevention techniques.

Technology Risk: Information technology risk, or IT risk, IT-related risk is any risk related to information
technology. While information has long been appreciated as a valuable and important asset, the rise of the
knowledge economy has led to organizations becoming increasingly dependent on information, information
processing and especially IT. Various events or incidents that compromise IT in some way can therefore
cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to
catastrophic in scale. Assessing the probability of likelihood of various types of event/incident with their
predicted impacts or consequences should they occur is a common way to assess and measure IT risks.
Alternative methods of measuring IT risk typically involve assessing other contributory factors such as the
threats, vulnerabilities, exposures, and asset values. IT risk management can be considered a component of a
wider enterprise risk management system. The establishment, maintenance and continuous update of ISMS
provide a strong indication that a company is using a systematic approach for the identification, assessment
and management of information security risks.

Swaminath S, Asst. Professor, Commerce Dept. Page 10

Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

Bank & Operational Risk Management: An Article

Banks can adopt the seven type of events suggested by Risk Management Group (RMG) of Basel committee
for one of their quantitative studies (QIS-2) which includes internal fraud, external fraud, employment
practices and work safety, client products and business services, damages to physical assets, business
disruption and system failures and execution delivery.

It involves doing a causal analysis to understand the exact cause for the above events and estimate the actual
loss as well as potential loss in case the events are repeated. This analysis on cause of events can make the
bank understand the level of.

Once banks have developed an event database and done the causal analysis, they can start risk mapping. Risk
mapping is a tool wherein banks can map the above risk events and losses to any specified set of business
lines.

Basel has come out with eight set of business lines corporate finance, trading and sales, retail banking,
commercial banking, payment and settlement, agency and custody services, asset management and retail
brokerage to which the events collected by bank can be mapped.

Op-risk measurement is still evolving in terms of tools and techniques that can be used for effective
measurement and management. Banks can follow either or both of qualitative risk measurement or
quantitative risk measurement:

The generic ways of measuring op-risk include qualitative risk measurement techniques such as critical
assessment method, which involves questionnaire format and interviews with all line managers to identify
the op-risk events.

Another widely used approach, which is a combination of qualitative as well as quantitative approaches, is
the Key Risk Indicators (KRI) approach, which involves identifying indicators, which convey good idea
about the scope of business and thereby the risk involved.

For instance, portfolio size, volume of transactions traded, volume of deals routed through payment and
settlement systems, etc., form one set of predictive indicators. KRI is more a predictive model than a cause-
and-event approach.

A common quantitative approach used is Loss Distribution Approach (LDA), which involves arriving at a
right fit distribution of historical loss events and, thereby, at quantitative results like expected loss and finally
operational value at risk.

Another forward-looking scenario generation approach for op-risk measurement is Loss Scenario Modeling,
which involves generating simulations for loss scenarios based on the events and losses captured in the first
step.

Basel II norms suggest three approaches for measurement of op-risk. The simplest approach, best suited for
less sophisticated and small balance-sheet banks, is the Basic Indicator Approach (BIA). BIA requires banks
to allocate capital based on a single indicator of operational risk, which in this case will be average gross
income of past three years multiplied by factor called alpha, which is set at 15 per cent.

Swaminath S, Asst. Professor, Commerce Dept. Page 11

Visit www.BUstudymate.in For More Study Materiial
 File Downloaded From www.BUstudymate.in
Risk Management – Operations Risk

The second approach is the Standardised Approach (SA), which involves mapping the bank's business lines
to the set of eight business lines and use multiplier (Beta) of average gross income to compute capital charge.

Also, there is the Alternative Standardised Approach (ASA), which uses loans and advances, instead of gross
income, for retail banking and commercial banking business lines multiplied by fixed factor which results in
capital charge to be set aside.

The most sophisticated approach suggested is advanced measurement approach (AMA). Under the AMA, the
regulatory capital requirement will equal the risk measures generated by the bank's internal operational risk
measurement system using quantitative and qualitative criteria for the AMA. Internal data used must be
based on a minimum historical observation period of five years. However, when a bank first moves to AMA,
a three-year period is acceptable.

Banks need to employ the quantitative approaches like Internal Measurement Approach (IMA) or Loss
distribution Approach (LDA) or Balance Scorecard Approach (BSA) for adopting AMA. All AMA
approaches compute the expected and unexpected loss. The most significant aspect for a bank to graduate
from Basic Indicator Approach (BIA) to Advanced Measurement Approach (AMA) is the potential benefit of
less capital allocation for operational risk.

As op-risk involves failures during operations in daily business, the key steps in op-risk management involve
improving internal control environment, designing and developing procedures to implementing the risk
management processes and employing risk transfer techniques, such as insurance, to mitigate the loss arising
from operational risk. Credit rating agencies have started rating banks based on their risk control and
management frameworks. Investor awareness has also increased to the extent that banks with robust risk
management frameworks are able to attract strategic investments with less effort.

Given the known benefits of implementing the provisions of the Basel II accord, banks should priorities their
strategy towards op-risk management. A constructive approach in this direction could be to automate the
suggested five-step approach and, as a first step, to start developing a loss event database.

******************************************************************************

Swaminath S, Asst. Professor, Commerce Dept. Page 12

Visit www.BUstudymate.in For More Study Materiial