
Slide 1 - Zahid


Lecture 16

Operational Risk
• A growing desire has emerged to organize
  the components of operational risk into what
  Hubner et al. (2003) call a “coherent structural
• Haubenstock (2003) identifies the
  components of the operational risk framework
• (i) strategy,
• (ii) process,
• (iii) infrastructure, and
• (iv) the environment
• development of a risk management strategy;
• development of risk management culture;
• definition of management roles and
• ensuring that an appropriate management
  and control structure is in place
The risk management framework: Process
• The process involves the day-to-day activities
  required to understand and manage operational risk,
  given the chosen strategy.

• The process consists of
• (i) risk and control identification,
• (ii) risk measurement and monitoring,
• (iii) risk control/mitigation, and
• (iv) process assessment and evaluation.
Process: Risk and control identification
• Risk identification starts with the definition of operational risk
  to provide a broad context for potential threats

• The best way to identify risk is to talk to people who live with
  it on a daily basis

• The degree of risk is typically defined as frequency and
  severity, rated either qualitatively or quantitatively

• Mestchian (2003) suggests a decomposition of operational
  risk into process, people risk, technology, and external risk

• These risks can then be rated as low, medium, or high in
  different business activities, as in the table on the next slide, or
  by frequency or severity, as in Figure 2, one slide later
Risk identification
Risk assessment of activities
ORF: Process - Identification
• Risk identification should also include monitoring of the
  external environment and industry trends, as new risks
  emerge continuously

• (ii) Control identification
• The identification of controls is part of the identification
  process, as it complements the identification of risk.
• Controls include:
   – management oversight,
   – information processing,
   – activity monitoring,
   – automation,
   – process controls,
   – segregation of duties,
   – performance indicators,
   – and policy and procedures

The control framework defines the appropriate approach to
  controlling each identified risk

(iii) Risk mitigators
• Risk mitigators include
   – training,
   – insurance programs,
   – diversification and
   – outsourcing
• Insurance, which is a means of risk control/mitigation, is
  typically applied against the large exposures where a loss
  would cause a charge to earnings greater than that
  acceptable in the risk appetite

• For the purpose of risk identification, the Federal Reserve
  System (1997) advocates a three-fold risk-rating scheme that
  includes (i) inherent risk, (ii) risk controls, and (iii) composite

• Inherent risk (or gross risk) is the level of risk without
  consideration of risk controls, residing at the business unit
• Inherent risk depends on (i) the level of activity relative to the
  firm’s resources, (ii) number of transactions, (iii) complexity of
  activity, and (iv) potential loss to the firm

• Composite risk (or residual risk or net risk) is the risk
  remaining after accounting for inherent risk and risk
  mitigating controls

• The Federal Reserve System (1997) provides a matrix that
  shows composite risk situation based on the strength of risk
  management (weak, acceptable, strong) and the inherent risk
  of the activity (low, moderate, high)
• For example, when weak risk management is applied to low
  inherent risk, the resulting risk is low/moderate composite risk

• On the other extreme, when strong risk management is
  applied to high inherent risk, the composite risk will be

• An illustration is given in the figure on the next slide
The FRS’s classification of inherent and composite risks
• (iv) Risk measurement
• As risks and controls are identified, risk measurement
  provides insight into the magnitude of exposure, how well
  controls are operating and whether exposures are changing
  and consequently require attention

• The borderline between identification and measurement is
  not clear; however, Haubenstock (2003) identifies the
  following items as relevant to the measurement of operational
• a. Risk drivers, which are measures that drive the inherent
  risk profile and changes in which indicate changes in the risk
• These include transaction volumes, staff levels, customer
  satisfaction, market volatility, the level of automation

• b. Risk indicators, which are a broad category of measures
  used to monitor the activities and status of the control
  environment of a particular business area for a given risk
• The difference between drivers and indicators is that the
  former are ex ante whereas the latter are ex post

• Examples of risk indicators are profit and loss breaks, failed
  trades and settlements and systems reliability
• c. Loss history, which is important for three reasons: (i)
  loss data are needed to create or enhance awareness at
  multiple levels of the firm; (ii) they can be used for empirical
  analysis; and (iii) they form the basis for the quantification of
  operational risk capital

• d. Causal models, which provide the quantitative framework
  for predicting potential losses.
• These models take the history of risk drivers, risk indicators
  and loss events and develop the associated multivariate
• The models can determine which factor(s) have the highest
  association with losses
• e. Capital models, which are used to estimate regulatory
  capital as envisaged by Basel II.

• f. Performance measures, which include the coverage of the
  self-assessment process, issues resolved on time, and
  percentage of issues discovered as a result of the self
  assessment process

• (v) Reporting
• Reporting is an important element of measurement and
• A key objective of reporting is to communicate the overall profile
  of operational risk across all business lines and types of

• There are two alternative ways of reporting to a central
  database as shown in Figure

• One way is indirect reporting where there is a hierarchy in the
  reporting process, which can be arranged on a geographical
• Otherwise, direct reporting is possible where every unit
  reports directly to a central database
• Reporting methods:
• Checklists are probably the most common approach to self-

• Structured questionnaires are distributed to business areas to
  help them identify their level of risk and related controls
• The response would indicate the degree to which a given risk
  affects their areas.
• It would also give some indication of the frequency and
  severity of the risk and the level of risk control that is already
  in place
• The narrative approach is also used to ask business areas
  to define their own objectives and the resulting risks
• The workshop approach skips the paperwork and gets
  people to talk about their risks, controls, and the required

• Lam (2003b) identifies two schools of thought with regard to
  quantitative and qualitative measures of risks

• (i) the one believing that what cannot be measured cannot be
  managed, hence the focus should be on quantitative tools
• and (ii) the other, which does not accept the proposition that
  operational risk can be quantified effectively, hence the focus
  should be on qualitative approaches
• Lam (2003b) warns of the pitfalls of using one approach
  rather than the other, stipulating that “the best practice
  operational risk management incorporates elements of both”.

(vi) Risk control/mitigation
• When risk has been identified and measured, there are a
  number of choices in terms of the actions that need to be
  taken to control or mitigate risk

• These include (i) risk avoidance, (ii) risk reduction, (iii) risk
  transfer, and (iv) risk assumption (risk taking)
• Risk avoidance can be quite difficult and may raise questions
  about the viability of the business in terms of the risk-return
• A better alternative is risk reduction, which typically takes the
  form of risk control efforts as it may involve tactics ranging
  from business re-engineering to staff training as well as
  various less extensive staff and/or technical solutions.

• Cost-benefit analysis may be used to assist in structuring
  decisions and to prevent the business from being controlled
  out of profit
People issues
• the relevant type and calibre of people are

• there are adequate levels of training and
  development of the staff;

• the staff have the skill levels that are
  appropriate to the tasks assigned to them
Technology issues
• adequate systems to support the various
  product lines;
• systems are available for management
  information and reporting;
• there is communication infrastructure to
  support the operation;
• data warehouses that allow integration and
  consolidation of information and data across
  the organization;
• tools and systems available for managing
  market risk across the organization

• enterprise-wide credit monitoring and credit
  risk management systems.
Themes in risk management framework
• There are four fundamental themes that are critical for
  establishing and maintaining a comprehensive and effective
  risk management framework

• 1. The ultimate responsibility for risk management must be
  with the board of directors. They need to ensure that
  organization structure, culture, people and systems are
  conducive to effective risk management. The requirements
  for risk management must be defined and established by
  those charged with overall responsibility for running the
• 2. The board and executive management
  must recognize a wide variety of risk types,
  and ensure that the control framework
  adequately covers all of these. As well as
  including market and credit risks, it should
  include operations, legal, reputation and
  human resources risks, that do not readily
  lend themselves to measurement
• 3. The support and control functions, such as
  the back and middle offices, internal audit,
  compliance, legal, IT and human resources,
  need to be an integral part of the overall risk
  management framework
• 4. Risk management objectives and policies
  must be a key driver of the overall business
  strategy, and must be implemented through
  supporting operational procedures and
• Operational risk can be minimized in a number
  of ways: Internal control methods consist of
1. Separation of functions
  – Individuals responsible for committing
    transactions should not perform clearance and
    accounting functions

2. Dual entries
  – Entries (inputs) should be matched from two
    different sources, that is, the trade ticket and the
    confirmation by the back office.

3. Reconciliations
  – Results (outputs) should be matched from different
    sources, for instance the trader’s profit estimate and
    the computation by the middle office

4. Tickler systems
  – Important dates for a transaction (e.g., settlement,
    exercise dates) should be entered into a calendar
    system that automatically generates a message
    before the due date.
• Controls over amendments: Any amendment to
  original deal tickets should be subject to the same
  strict controls as original trade tickets.
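
The separation-of-functions and dual-entry controls above can be checked mechanically over trade records. The following is an added example, not part of the original lecture; the record fields (`trader`, `cleared_by`, `notional`), the function name and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TradeTicket:  # front-office record; field names are assumed
    trade_id: str
    trader: str       # who committed the transaction
    cleared_by: str   # who performed clearance/accounting
    counterparty: str
    notional: int     # whole currency units, so equality is exact

@dataclass(frozen=True)
class Confirmation:  # back-office record of the same trade
    trade_id: str
    counterparty: str
    notional: int

MATCH_FIELDS = ("counterparty", "notional")

def check_controls(tickets, confirmations):
    """Return a sorted list of (trade_id, finding) control exceptions."""
    conf_by_id = {c.trade_id: c for c in confirmations}
    findings = []
    for t in tickets:
        # Separation of functions: the committer must not also clear.
        if t.trader == t.cleared_by:
            findings.append((t.trade_id, "separation: trader cleared own trade"))
        # Dual entries: the ticket must match an independent confirmation.
        conf = conf_by_id.pop(t.trade_id, None)
        if conf is None:
            findings.append((t.trade_id, "dual-entry: no confirmation"))
            continue
        findings += [(t.trade_id, f"dual-entry: {f} mismatch")
                     for f in MATCH_FIELDS if getattr(t, f) != getattr(conf, f)]
    # A confirmation without a ticket means a trade was never recorded.
    findings += [(tid, "dual-entry: no ticket") for tid in conf_by_id]
    return sorted(findings)

TICKETS = [  # constructed sample data
    TradeTicket("T1", "alice", "bob", "BankA", 1_000_000),
    TradeTicket("T2", "carol", "carol", "BankB", 500_000),
    TradeTicket("T3", "dave", "erin", "BankC", 250_000),
]
CONFIRMATIONS = [
    Confirmation("T1", "BankA", 1_000_000),
    Confirmation("T3", "BankC", 2_500_000),
    Confirmation("T9", "BankE", 100_000),
]

if __name__ == "__main__":
    print(check_controls(TICKETS, CONFIRMATIONS))
```
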

External control methods consist of
1. Confirmations: Trade tickets need to be confirmed
  with the counterparty, which provides an
  independent check on the transaction.

2. Verification of prices: To value positions, prices
  should be obtained from external sources. This also
  implies that an institution should have the capability
  of valuing a transaction in-house before entering it.
3. Authorization: The counterparty should be
  provided with a list of personnel authorized to trade,
  as well as a list of allowed transactions.
4. Settlement: The payment process itself can
  indicate if some of the terms of the transaction have
  been incorrectly recorded, for instance, as the first
  cash payments on a swap are not matched across

5. Internal/external audits: These examinations
  provide useful information on potential weakness
  areas in the organizational structure or business