OR/MS Today - February 2003



Operational Risk Management


Risky Business

Turbulent times focus attention on operational risk management in financial services

By Fotios C. Harmantzis


Today's turbulent financial markets, growing regulatory environments and increasingly complex financial systems have led risk managers to realize the importance of measuring and managing operational risk (OpRisk). According to the Basel Committee on Banking Supervision (BCBS), OpRisk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Infrastructure failures (e.g., information technology, terrorist attacks), fraud (e.g., rogue trading), and legal and regulatory risks (e.g., fines) have become the motivators behind the move to proactively manage OpRisk in large financial services institutions (FSIs).

Although credit and market risk are now well understood and are therefore more likely merely to wound, OpRisk remains an enigma for risk managers. It is the relative lack of understanding of it that is threatening. Unlike market and credit risk, which tend to be isolated in specific areas of business, operational risks are inherent in all business processes. It is a broader concept than "operations" or back office risk.

Of all the different types of risk that can affect firms, OpRisk can be among the most devastating and the most difficult to anticipate. Management of operating risks is a key component of our financial and risk management discipline that drives net income results, capital management and customer satisfaction. Rigorously controlled and well-managed risk frees up resources and capital for revenue generating opportunities.

Along with established capital charges for market and credit risk, Basel proposes an explicit capital charge to guard the banks against operational risks. As of January 2005, the new capital guidelines will require FSIs to implement robust systems for the collection and tracking of data. As a result, the biggest financial institutions have started devoting significant resources to identify, measure, analyze, report and mitigate this potentially catastrophic risk class. They aim to implement a framework that meets all the compliance requirements with the New Capital Accord (BIS II) regulations: data collection, data tracking and a robust internal risk-control system.

The intense interest among industry participants, regulators and other observers on OpRisk has created a great opportunity for operations research specialists, risk managers and management scientists to apply quantitative and qualitative techniques in this field. The management of OpRisk has no doubt taken on increased importance in FSIs in recent years, and banks are becoming increasingly sophisticated in determining how it can be accomplished.

Defining Operational Risk


Broadly speaking, OpRisk contains the losses that follow from acts undertaken (or neglected) in carrying out business activities. Therefore, when a transaction is priced solely in terms of market and credit risks, an important risk (which can have devastating financial consequences) is missing from the product pricing.

After four years of intensive debate on what constitutes an operational risk, the BCBS provides the following definition for purposes of quantification and capital allocation: "Operational Risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events."

Strategic and reputational risks are not included in this definition. The four operational risk categories are further clarified as follows:

People: losses associated with intentional violation of internal policies by current or past employees. In some specific cases, the risk extends to people who are being considered for employment.

Process: losses that have been incurred due to a deficiency in an existing procedure, or the absence of a procedure. Losses in this category can result from human error or failure to follow an existing procedure. Process-related losses are unintentional.

Systems: losses that are caused by breakdowns in existing systems or technology. Losses in this category are unintentional. If intentional technology-related losses occur, they should be placed in either the People or External category.

External: losses occurring as a result of natural or man-made forces, or the direct result of a third party's action.

The definition focuses on the causes of OpRisk and is open to endless discussion about the detailed definition of each loss category. Figure 1 shows the results of a recent poll (November 2002) regarding the causes of OpRisk in banks (available from the Risk Management Association Web site, www.rmahq.org). OpRisk managers and the insurance community are engaged in a lively debate regarding the pros and cons of the three common categorization methods (event, cause and effect). Tables 1 and 2 demonstrate the classification proposed by Basel.


Figure 1: Poll: Which of the above represents the foremost area of OpRisk in your organization? (source: RMA Webpage)

Investment Banking    Corporate Finance
                      Trading and Sales
Banking               Retail Banking
                      Commercial Banking
                      Payment and Settlement
                      Agency Services and Custody
Others                Asset Management
                      Retail Brokerage

Table 1. Basic Business Line Classification

Event-Type Category (Level 1)                  Subcategories
1. Internal Fraud                              Unauthorized Activity
                                               Theft and Fraud
2. External Fraud                              Theft and Fraud
                                               Systems Security
3. Employment Practices & Workplace Safety     Employee Relations
                                               Safe Environment
                                               Diversity & Discrimination
4. Clients, Products & Business Practices      Suitability, Disclosure & Fiduciary
                                               Improper Business or Market Practices
                                               Product Flaws
                                               Selection, Sponsorship & Exposure
                                               Advisory Activities
5. Damage to Physical Assets                   Disasters and other events
6. Business Disruption and System Failure      Systems
7. Execution, Delivery & Process Management    Transaction Capture, Execution & Maintenance
                                               Monitoring and Reporting
                                               Customer Intake and Documentation
                                               Customer/Client Account Management
                                               Trade Counterparties
                                               Vendors & Supplies

Table 2. Basic Loss Event Type Classification

Basel Treatment of Operational Risk


In November 1999, the Capital Adequacy Framework identified OpRisk as a key area of regulatory consideration. The New Capital Accord identifies three methods for calculating the OpRisk capital charge, with increasing sophistication and advanced qualitative criteria:

  • Basic Indicator Approach: The capital charge should be derived as a fixed multiple (alpha) of some aggregate activity measure such as gross income.

  • Standard Approach: Different business lines are assigned individual gross activity measures and the regulators determine the appropriate fixed multiple (beta) to calculate the regulatory capital requirement.

  • Advanced Measurement Approach (AMA): There is a range of internal approaches currently under development, which may be broadly categorized as follows:
    Internal Measurement Approach (IMA): The business lines of the standardized approach are overlaid with a series of OpRisk types. For each business line/risk type combination, regulators define an exposure indicator (EI). Banks then use internal data to define the probability of a loss event (PE) per unit of the exposure indicator, and the expected loss given such an event (LGE). Expected losses (EL) by business line and risk type are the product of these three components. Regulators supply a fixed multiplier (gamma) to translate these expected losses into a capital charge, i.e., a Value-at-Risk (VaR) figure for unexpected losses.

    Loss Distribution Approach (LDA): LDA involves estimating two distributions based on internal loss data. One distribution is the loss associated with a single event, and the other is the frequency of loss events over a given time horizon (usually one year).

    Scorecard Approach: This approach uses forward-looking risk indicators, built into "scorecards," to measure relative levels of risk. In order to qualify for the AMA, the approach must have a sound quantitative basis.
    Clearly, the Basic and Standardized approaches represent too little science. Allocating capital based on simple aggregate activity measures fails to distinguish between well-run and poorly run units. However, these approaches are not out of line with the practice in many internal efforts to allocate economic, as opposed to regulatory, capital. The IMA framework is similar to the one followed for market risk. However, without data to calibrate such a framework objectively, it will have the appearance of scientific sophistication with little of the reality.

    The Basel Accord states that as banks move along the continuum, they will reap the reward of a lower capital charge. Further, the Accord also mandates that failure to comply will be addressed by a variety of supervisory actions including increased oversight, senior management changes, and the requirement of additional capital.

    The Accord emphasizes the importance of data collection and stipulates that banks must have data collection processes in place long before the January 2005 deadline, when the new capital requirements become mandatory. It also mandates that banks must be able to prove that these systems are robust and that they can be audited. The committee does not believe that any institution will have sufficient internal data to support the LDA when the Accord goes into effect at the beginning of 2005.

    Clearly, the Basel Committee wants to keep the aggregate capital requirement roughly constant for most banks under the new Accord. A very desirable secondary goal should be to create internal incentives for improved OpRisk management and a reliable basis for trend analysis.

    The Operational Risk Framework


    The large FSIs are in the process of building a framework that provides an enterprise-wide view of losses and allows them to proactively manage OpRisk, no matter if the risks lie in operational processes, resources, systems or external events. This framework should meet the compliance requirements with the BIS II Regulations, in terms of data collection, data tracking and a robust internal risk-control system.

    The framework should deal with operational risk measurement and management issues, such as: developing efficient management and organizational frameworks; economic capital allocation; advanced operational VaR (OpVaR) measurement techniques; internal loss database design and implementation; data collection and reporting; definition and categorization issues; risk indicators analysis; and the integration of operational risk measurement with control self-assessment scores and insurance.


    Figure 2: The OpRisk "wheel"

    The basic components of the OpRisk framework are as follows (refer to Figure 2, known as the "OpRisk wheel"):

  • Risk Identification & Assessment: This is usually done through a risk and control self-assessment (RCSA) program. Line of business (LOB) managers identify key processes, risks and controls in those processes, gaps and action plans to close gaps. They could also assess the impact and likelihood of risk, in a qualitative manner.

  • Risk Quantification & Measurement: A quantitative framework that follows the AMA is suggested, so OpRisk can be measured accurately. Typically, exposure indicators, e.g., gross income, past losses and key risk drivers/indicators (KRDs/KRIs) constitute the internal database. Availability and integrity of internal data as well as relevance and scalability of external data are important issues. Risk profiles, provided by RCSAs, contain fundamental information as well.

  • Risk Analysis, Monitor & Reporting: Analysis contributes to the integration of risk and business performance, making risks transparent and identifying gaps. Monitoring of operational risks, KRDs/KRIs and action plans should reflect changes in the enterprise and raise awareness. Risk management performance, which links the risk to value creation, becomes important. Consolidated reporting across the enterprise should be appropriate for various levels of management, including the Board of Directors.

  • Risk Capital Allocation: Operational capital at risk (CaR) (both regulatory and economic capital) is calculated for every LOB to protect for unexpected losses at a certain time horizon and percentile, e.g., one year — 99.9 percent OpVaR.

  • Risk Management & Mitigation: This consists of sophisticated alternative risk financing and transfer arrangements (through insurance programs), as well as updated business continuity plans. Ongoing communication making risks transparent, training and sharing of best practices become vital. Improved processes and controls result in a lower risk profile in the next module of the "wheel."


    Figure 3: The "Risk Map" of a Line of Business

    The Information Support


    When it comes to OpRisk, data is neither plentiful nor consistent. Definitions of what constitutes an operational loss differ from institution to institution and even across departments. Even the range of items to be considered under the operational loss heading is subject to dispute. In addition, even with agreement on the relevant risk categories, there remains room for dispute on how to calibrate exposure drivers for each area. On a "purely scientific" basis, the problem is effectively hopeless in the current environment. Consider the following potential obstacles:

    Sources of data.

  • Internal operational loss data and exposures, collected from and within the institution.

  • Educated opinions, such as management scenarios or self-assessments. However, the purpose of RCSA is to help LOBs identify and then manage key risks rather than to gather quantitative data.

  • KRDs/KRIs for each risk type. The purpose of those drivers/indicators is to signal problems in the earliest stages so that preventive action can be undertaken. There are many possible indicators. Proper adjustment and selection should be made for different lines of business.

  • Other institutions' operational loss data, i.e., external data can be used as a proxy for the institution that is being analyzed.

    Integration of data (objective and subjective) provides details of events and risk indicators for model calibration, a predictive look at new initiatives, and a retrospective picture of the historical patterns of risk in the business processes.

    The internal OpRisk database. The development of a model for measuring OpRisk begins by building an internal database. Events therein should carry their losses or potential losses, the business activity giving the losses, and other risk indicators. The creation and management of the database is key to understanding the business environment.

    The target should be a comprehensive database that provides reliable information on significant losses, e.g., losses above a certain threshold. Major financial institutions have started putting in place a process for ongoing tracking and monitoring of OpRisk losses to facilitate the effective measurement and management of OpRisk.

    Data should be reviewed for accuracy and completeness. The database should include only those losses that have impacted the firm — not losses that have been realized by individuals or shareholders, since this information cannot reliably be used for modeling purposes.

    Managers face several technical issues when it comes down to designing an internal OpRisk database. What data to collect and why, regarding losses, exposures, KRDs/KRIs and management control information? What is the optimal database structure? What about "near misses" data — mistakes that almost cost the bank but which are sorted out just in time? There are many other technical issues regarding losses and KRDs/KRIs data module design and implementation; database features and specifications; security and user authorization issues; hardware and software requirements; and integration with the bank's internal systems, e.g., the accounting system.

    The "granularity" of loss and risk data records by the different LOBs is another important issue. If banks record their internal losses in very general categories, and do not associate losses with enough contextual information, it may be impossible later to drill down into the data to look for finer gradations of risk, or to reclassify the database according to an agreed industry or regulatory standard.

    OpRisk teams should identify the sources of data and how to obtain it, ensuring it is all captured and reported to a central database. "Open issues" type of events should not be included in the database, but should be made available upon request.

    People argue, however, that the main barriers to data collection are economic and cultural — not technical and methodological. For example, some managers worry that admitting to mistakes and totalling losses will weaken their position. Also, for the collection of KRIs, the bank would need to be convinced that there would be considerable benefits. The decision about whether to gather data comes down to a cost/benefit analysis, just like any other decision.

    External data provision. OpRisk data is unique in the financial world because OpRisk events often occur in private, out of the public eye. Unlike market and credit risk observations, OpRisk observations are not summarised on a Reuters or Bloomberg screen.

    Internal operational loss data is the most relevant information for measuring operational risk, but it is generally insufficient for purposes of modeling OpRisk. More specifically, in order to measure OpVaR, one must be able to accurately measure the probability of rare loss events taking place. Rare events, by definition, occur infrequently, so it is unlikely that a single institution will have experienced a sufficiently large number of these events to develop a useful data pool. Therefore, based on internal data alone, an institution will find it extremely difficult to estimate the shape of the tail of its loss severity distributions. To address this dilemma, the firm has two options: it can estimate the shape of the tail using "expert" opinion and scenario analysis (people usually question and dispute those scenarios), or it can use external data.

    Banks cannot develop their OpRisk strategy in isolation. Once a bank has begun to gather a rich set of data on internal losses and KRIs, it may decide that it needs to compare this information to the pattern of losses incurred by other banks. The use of external loss data can also strengthen and extend the knowledge that has been gleaned from internal data gathering. With more public understanding of the magnitude and frequency of OpRisk events, stakeholders will become less sensitive to these events and not use OpRisk losses as a proxy for bad management. In addition, by sharing data, the possibility of creating efficient OpRisk financing and transfer markets increases dramatically.


    Figure 4: Typical Loss Distribution for Operational Risk losses

    However, there are consistency and technical issues related to the use of external data, which makes the whole problem more challenging. Reliability issues arise when data is drawn from so many different institutions of varying sizes, and from different control structures, cultures and countries. This information is also subject to numerous truncations and data capture biases. For example, the scaling problem has not been resolved yet, nor have aggregation problems associated with the internal data or consistency in categorization of event types between different institutions.

    Initiatives are underway to make an industry-wide database a reality and to promote sharing data. Firms would benefit from sharing by having more robust information with which to model operational losses and arrange risk-transfer solutions.

    Quantification and Capital Allocation


    According to Basel, "A capital charge for operational risk should cover unexpected losses. Provisions should cover expected losses." The measurement of OpRisks along the different LOBs will enable the allocation of risk capital to be determined from historical loss information and/or scenario analysis. It will highlight risky business activities, and help management monitor and manage the risk. An OpRisk system should take a tool-kit approach, permitting users to select various combinations of quantification approaches, depending on their preferences. Features should include curve fitting using maximum likelihood estimators to various types of distributions; Monte Carlo simulations; modeling the benefits of insurance; and methods to consider both internal and external data for calibration.

    First, we should hypothesize families of distributions, based on descriptive statistics and empirical evidence on observations of public and non-public loss events. Families of distributions often suggested:
    • Frequency distribution (the chance that a loss event will occur). (Poisson, Binomial, Negative Binomial distribution)

    • Severity distribution (the size of the loss). (Lognormal, Weibull, Frechet, Gumbel, Pareto, Beta, Gamma, Mixture, etc.)


    Estimation of parameters. Having selected the "model" distribution, the risk manager uses the available sets of data to estimate the model parameters.

    Determining how representative the fitted distributions are. The parameters might be selected on the basis of opinion, or by visual inspection, or by applying "goodness of fit" tests to the existing data, for example, Chi-square, Kolmogorov-Smirnov (KS) and weighted KS tests. However, "goodness of fit" tests make sense only when a moderate amount of data is available. Therefore, the "best fits" derived from very limited sample sets may not necessarily reflect what would be expected from the complete distribution (were it available).

    Operational capital-at-risk (CaR). Once the distributions have been established, a CaR model can be applied and CaR results obtained. The key to stable and robust CaR numbers is to find distributions that best fit the data. For example, using multiple distributions to estimate the distribution of the underlying data means that the CaR results will be more robust, as long as the basis for selecting the curves can be justified.

    Of course, there are several problems to overcome: sample size (usually limited data sets); "fat tails" (a relatively high proportion of "unusual" or "catastrophic" events); truncation; data-capture biases; scale; inflation; mixing internal and external data for calibration; fitting data to the most appropriate frequency and severity distributions; factoring in insurance; VaR, etc.

    The relative scarcity of OpRisk data means that the risk managers often have to adjust either the data that is available, or the models that they use. There is a series of techniques that can be applied to limited data sets or that estimate/extrapolate data using limited data samples, for example "resampling with replacement" ("bootstrapping"). Resampling with replacement allows analysts to create multiple distributions for analysis, all of which are based on empirical data — thus eliminating the need to "assume" any distribution.

    It is critical that attention be paid to how well the distributions employed by the analyst fit the empirical OpRisk data. To combat fitting problems, the severity distribution can be broken up and different distributions can be fitted to different portions of the curve. For example, the risk manager might use an empirical distribution for the bulk, lognormal for the middle and generalized Pareto for the tail.

    Currently, most OpRisk groups have adopted an actuarial-based approach, using either real loss data (when available) or scenario analysis. The approach is theoretically valid for the purposes of quantification of OpRisk. The model, e.g., a compound Poisson, derives frequency and severity distributions, which drive the cumulative loss distribution (losses due to different risk types) for each LOB. For example, a compound Poisson process with Lognormal severity intensity is commonly used. Monte Carlo simulation calculates the expected losses and the OpVaR percentiles. A typical time horizon is one year. The better the data, the more reliable the resulting VaR figures.
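
    The actuarial approach described above, as an added example that is not part of the original article: a Monte Carlo simulation of one-year aggregate losses for a single LOB under a compound Poisson model, once with lognormal severity and once with severity resampled with replacement from observed losses. The frequency and severity parameters, the sample losses and all function names are constructed for illustration.

```python
import math
import random

# Constructed sample of internal losses above a reporting threshold (illustrative).
CONSTRUCTED_LOSSES = [12_000, 15_500, 18_000, 22_000, 27_500,
                      31_000, 40_000, 55_000, 90_000, 250_000]


def poisson(rng, lam):
    """Frequency: draw one Poisson(lam) event count (Knuth's method)."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def lognormal_severity(mu, sigma):
    """Severity: parametric lognormal loss size."""
    return lambda rng: rng.lognormvariate(mu, sigma)


def bootstrap_severity(observed_losses):
    """Severity: resample observed losses with replacement, no distribution assumed."""
    return lambda rng: rng.choice(observed_losses)


def analytic_el_lognormal(lam, mu, sigma):
    """Closed-form expected annual loss: E[N] * E[X] for compound Poisson-lognormal."""
    return lam * math.exp(mu + sigma ** 2 / 2)


def simulate_annual_losses(lam, severity, n_years, seed):
    """Simulate n_years of aggregate loss; returns the totals sorted ascending."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_years):
        n_events = poisson(rng, lam)
        totals.append(sum(severity(rng) for _ in range(n_events)))
    totals.sort()
    return totals


def quantile(sorted_values, q):
    """Empirical q-quantile of an ascending list."""
    index = math.ceil(q * len(sorted_values)) - 1
    return sorted_values[min(max(index, 0), len(sorted_values) - 1)]


def op_risk_summary(lam, severity, n_years=20_000, q=0.999, seed=2003):
    """Expected loss (provisions), OpVaR at q, and unexpected loss (capital)."""
    totals = simulate_annual_losses(lam, severity, n_years, seed)
    expected_loss = sum(totals) / len(totals)
    op_var = quantile(totals, q)
    return {"EL": expected_loss, "OpVaR": op_var, "UL": op_var - expected_loss}


if __name__ == "__main__":
    runs = {
        "lognormal": (20, lognormal_severity(10.0, 1.0)),
        "bootstrap": (5, bootstrap_severity(CONSTRUCTED_LOSSES)),
    }
    for name, (lam, severity) in runs.items():
        s = op_risk_summary(lam, severity)
        print(f"{name:10s} EL={s['EL']:,.0f} OpVaR(99.9%)={s['OpVaR']:,.0f} UL={s['UL']:,.0f}")
```

    The bootstrap run can never produce a single loss larger than the largest observed one, which is the tail-estimation limit of internal data that the article raises in its discussion of external data.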

    In addition to the actuarial approach for risk quantification, OpRisk specialists experiment with Bayesian modeling, extreme value theory and causal modeling. Extreme value theory (EVT) provides a useful framework for the application of parametric smoothing methods to fit the tail of loss distribution beyond a certain level. That is, EVT helps the risk manager to estimate the shape of the distribution deep into the tail, where relatively little data are available.

    Conclusions


    Deregulation and globalization of FSIs, together with the growing sophistication of financial technology, are making the activities of banks (and thus their risk profiles) more diverse and complex. Developing banking practices at internationally active banks suggest that risks other than credit and market risk can be substantial.

    Although OpRisk management is still immature, there is a growing industry. Regulatory organizations have been stressing the importance of OpRisk during the last few years.

    By creating an OpRisk awareness culture, FSIs can enhance their ability to achieve their objectives and improve their processes, technology and business practices. Sustainable best practices would lead to reduced losses, higher profitability, and improved customer and employee satisfaction. Finally, demonstrating to regulators that serious and careful consideration is given to OpRisk can lead to relief of capital charges and reduced corporate insurance premiums.




    Fotios C. Harmantzis (fharmant@stevens-tech.edu) is an assistant professor at the Howe School of Technology Management, Stevens Institute of Technology, in Hoboken, N.J.







    OR/MS Today copyright © 2003 by the Institute for Operations Research and the Management Sciences. All rights reserved.

