Operational Risk: Risks Arising From Business Activity
Wiley Encyclopedia of Operations Research and Management Science, edited by James J. Cochran
Copyright © 2010 John Wiley & Sons, Inc.
2 OPERATIONAL RISK
This former Building Society (savings and loan company) had floated on the stock exchange
as a bank in 1997. It moved into subprime lending in 2006, issuing mortgages in excess
of 100% of property valuations, often on self-reported and unverified household incomes.
It expanded quickly to become the United Kingdom’s fifth largest bank, funding its
rise by borrowing on money markets, securitizing its mortgage debt, and other financial
instruments. When the US’s $8 trillion housing bubble burst, it became clear that Northern
Rock’s business model was severely defective.
The credit crunch of August 2007 caused the share price to fall fast. In September, there
were depositors queueing round the block seeking to withdraw their generally modest
savings. Withdrawals were also being made on-line. In December, the Bank of England
stepped in by providing liquidity support, and sought a buyer, but without success. On
February 22, 2008, it was taken into public ownership. Yet, it was considered to be well
managed operationally.
No measures had been taken to provide for a fall in property prices. It has been reported
that Lehman Brothers had underwritten £100 billion of Northern Rock’s debt (collateralized
debt obligations on mortgage-backed securities).
Lehman Brothers itself filed for bankruptcy on September 15, 2008. A week earlier, the
giant US mortgage lenders Fannie Mae and Freddie Mac had received a government
bailout, and the largest insurance company, AIG, and the largest savings and loan
company, Washington Mutual, were in dire straits, lining up for support.
The response to the collapse of Northern Rock was to herald the international effort to
stave off global collapse of the financial system.
Box B. Basel II
The Basel Committee for Banking Supervision (BCBS) was set up in 1974 as a committee
of the Bank for International Settlements (BIS) to provide a regulatory framework for
internationally active banks. In its Basel Accord of 1998, now known as Basel I, it settled
the minimal level of capital to be held by banks as provision for credit risk and market
risk. In 2001, it moved to do the same for operational risk in its New Basel Capital Accord,
known as Basel II [1]. It was approved by the European Parliament in 2005, and came
into effect across the entire European Union (EU) in 2008.
The accord sets out a risk sensitive way of calculating reserve capital to cover possible
defaults. Institutions are required to categorize operational risk losses by event type,
promoting identification of risk drivers. There is no mandated methodology.
Pillar 1 of Basel II gives three ways of calculating the operational risk capital charge, with
increasing complexity, but benefiting from a reduced charge.
• The basic indicator approach (BIA) calculates the reserve capital simply as a proportion
of gross revenue.
• The standardized approach (TSA) divides the activities of a bank into eight business
lines (Table 2), with standard capital charges for each based on calculated risk indicators.
• The advanced measurement approach (AMA) requires that the banks model loss distributions
of cells of a business line/loss event type grid from operational risk loss data
that they themselves have collected, supplemented as required by external data.
Pillar 2 of the accord requires banks to demonstrate that their management and supervisory
systems are satisfactory. Pillar 3 relates to transparency, requiring them to report on
their operational risk management.
Solvency II, the EU’s regulatory directive for insurers, has adopted the same three pillars.
This directive will come into force throughout the EU in 2013.
In November 2007, the US banking agencies approved the US Final Rule for Basel II.
Banks will be grouped into the large or internationally active banks that will be required
to adopt AMA, those that voluntarily opt-in to AMA, and the rest who will adopt an
extended version of the earlier Basel I. A Basel III is in preparation.
Risk identification
• Stress and Scenario Testing. This is the contingency planning for possible adverse events,
from payouts occasioned by a badly drawn up contract, to the disaster recovery and business
continuity to follow from terrorism or natural catastrophe causing the loss of headquarters,
paperwork, processing capacity, and so on. It involves testing impact tolerance and resilience.
CLASSIFYING OPERATIONAL EVENTS
When something is defined only by what it is not, there is always going to be a problem
in giving it a taxonomy. A major hindrance prior to Basel II was not only its lack of a
constructive definition but also the absence of data. Operational risk losses were generally
treated as costs of doing business and allocated to the department where they occurred.
As such they were not recorded specifically as operational losses. Even when they were
identified as such, if the losses were small, they were not going to contribute significantly
to business failure. Post Basel II, data can still be very sparse. An insurer recently
had just two oprisk events to show financial supervisors, with another six possible
(personal communication).
Operational Risk Loss Event Types in Banking and Insurance
In practice, we would need to identify the operational risk loss events particular to the
business activity. A start at this classification can be made by using the seven designated
categories of loss events given in Basel II, also adopted in Solvency II, the EU regulations.
• Internal Fraud (IF). Losses within the business from fraud, misappropriation of property,
unauthorized activity, and circumventing regulations.
• External Fraud (EF). Fraudulent claims by an external party, forgery, and hacking damage
to systems security.
• Employment Practices and Workplace Safety (EP and WS). Organized labor activity, violations
of employee health and safety rules, discrimination in employment, and personal injury claims.
• Clients, Products, and Business Practices (CP and BP). Unintentional failure or negligence
in meeting professional obligations to clients or customers (customer complaints, the
suitability of advice, lack of disclosure, including breaches of trust). Flaws in the design
or behavior of a product.
• Damage to Physical Assets (DPA). Losses from damage to property from natural catastrophes
(hurricanes, floods) or man-made events (fires, explosions, terrorism, pollution).
• Business Disruption and System Failures (BD and SF). Losses due to hardware or software
failure, system design failure, and other infrastructure issues.
• Execution, Delivery, and Process Management (ED and PM). Failed transaction processing or
management, failed customer/client services (account errors, data entry errors, and incorrect
payments), and inadequate monitoring and reporting.
Table 1. The Percentages of Losses of $10,000 or More for Each Event Type (Taken from the
2005 LDCE in the United States)
Table 2. Business Units and Business Lines for International Banking Activities Under
Basel II. Percentages of Losses are from the 2005 LDCE
Business unit | Business line | Frequency (%)
Investment banking | • Corporate finance | 0.4
Investment banking | • Trading and sales | 7.9
Banking | • Retail banking | 65.3
Banking | • Commercial banking | 5.5
Banking | • Payment and settlement | 4.8
Banking | • Agency services | 5.5
Others | • Asset management | 2.7
Others | • Retail brokerage | 7.9
Source: [7].
in the years 2000 to 2008. Insurance has a different set of business lines from banking.
The most significant with respect to operational risk are given in Table 3. The event types
are those mentioned in the section titled “Operational Risk Loss Event Types in Banking and
Insurance.” The data, derived from Selvaggi [8, Fig. 4A, p. 14], give percentages of loss
amounts for those business activity/event type cells having at least 4% of the total loss
amount.
This information tells little about the actual events. For this we need level 2 and level 3
categories, the seven event types being level 1. To illustrate this, again from the ORIC
database, Table 4, derived from Selvaggi [8, Fig. 4B, p. 15], shows the most significant
level 2 and level 3 event types in terms of both severity and frequency (values over 4%).
It excludes losses arising from the UK’s mis-selling of endowment policies scandal. We note
that natural disasters do not feature as significant.
Event type
Business activity | CP and BP | ED and PM | BD and SF | Others | Total
Sales and distribution | 18.9 | 6.8 | | 0.7 | 26.4
Customer service/policy | | 13.2 | | 2.3 | 15.5
Accounting/finance | | 23.4 | | 0.1 | 23.5
IT | | | 6.0 | 6.6 | 12.6
Claims | | 4.0 | | 1.4 | 5.4
Underwriting | | 6.3 | | 0.3 | 6.6
Others | 5.1 | 11.8 | 1.4 | | 10.0
Total | 24.0 | 65.5 | 7.4 | 11.4 | 100.0
Source: [8].
Table 4. Level 2 and Level 3 Event Categories from Insurance Losses in ORIC (2000–2008)
that Show Loss Amounts and the Frequency of Losses of 4% or More
Total 76 57
Source: [8].
Figure 3. The operational risk management cycle. (Source: Taken with permission from Risk
Books [6].) Stages and activities shown in the figure:
• Objectives: define goals; make them known to management and staff.
• Processes: prepare an action plan; carry out risk identification.
• Risks: identify hazards to be managed or mitigated; assess risks for impact and frequency.
• Controls: obtain management responses; prepare a control framework.
• Analysis: check effectiveness of controls; compile information.
• Reporting: provide a revised operational risk profile; address issues raised and modify
objectives.
Figure 4. The probability densities of GEV (0.70, 230, 100) (line) and GPD (0.70, 150, 125)
(dashes).
3822 907 735 556 423 395 302 260 248 220 204 193 180 160 150
2568 845 660 550 417 360 297 255 239 220 202 191 176 157 147
1416 800 650 506 410 350 295 252 232 220 200 186 176 154 146
1299 750 630 484 406 350 275 251 230 215 200 185 165 151 143
917 743 600 426 400 332 270 250 229 211 194 182 165 151 143
Source: [12].
not to be identified with the population mean and standard deviation. For the GPD, μ is
the lower bound of the range. Figure 4 shows the form of their respective probability
density functions. Models with four and more parameters, such as Tukey’s g-and-h class of
distributions, are also gaining users: but they do require more data than is usually
available. They have though been seen to capture the loss distribution of aggregated
firm-wide losses. Readers are referred to Young and Coleman [3] for plots and properties of
these and other models.
Example: Fitting GEV and GPD. This section follows the analysis in Young and
Coleman [3, pp. 399–403], summarized in Coleman [11], for fitting the 75 losses given in
Cruz [12, p. 83]. In Table 5, these data have been ordered and rounded to the nearest $1000.
Figure 5 shows the sample cumulative distribution function (the observed proportion of
values less than x) shown as steps, together with four fitted cumulative distribution
functions (the height y is the probability of obtaining a future value less than x). The
range of observation is (143, 3822). Figure 5 shows a good fit in each case. Table 6 shows
the values of four fitted models, and some large quantile values for each of them (the x
values for given y values). For example, the 99th percentile Q(0.99) is at a loss value of
3663 for the first model. The others are at 2794, 4457, and 2605. The 99.9th percentiles
range from 7595 to 22,452. This Q(0.999) is to be the basis of regulatory charging in
banking, with Q(0.995) for insurers. Estimation far outside a data set is always fraught.
This can lead to significant errors in high quantile estimation. Quantiles give no
information about how big a future loss larger than Q(p) is likely to be. A measure used for
this is the mean excess, also called conditional value-at-risk (CVaR). This computes the
mean over the values greater than Q(p) of the fitted model probability.
A simulation study of GPD (0.70, 150, 125) gave an approximate 95% confidence interval
for Q(0.999) of (5200, 9990).
A simulation of 4000 values from GEV (0.53, 230, 130) gave the estimates (0.50, 227, 126)
for its parameters, emphasizing the need for large data sets.
The computations were made using Academic Xtremes, a computer package that
accompanies Reiss and Thomas [13].
Table 6. The Parameters, Quantiles, and Fitted Values of the GEV and
GPD Models when Fitted to Loss Data