Measuring and Managing Operational Risk Under Basel II
Constantinos Stephanou
The World Bank
Risk Management Workshop Colombia
February 17, 2004
Outline of Presentation
Introduction to Operational Risk (OR)
The Basel II OR framework
Measuring OR under the AMA
Latest QIS OR Results
OR Management
Evaluation, Implications and Conclusions
What is OR?
Applies to all firms (financial and nonfinancial)
Used to be a catch-all phrase for nonfinancial risks
Current Basel II definition is "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events"
Includes both internal and external event risk
Legal risk is also included, but strategic, reputational and systemic risks are not
Examples of OR Loss Events
Types of OR* | Examples
Internal Fraud | Unauthorized transaction resulting in monetary loss; Embezzlement of funds
External Fraud | Branch robbery; Hacking damage (systems security)
Employment Practices & Workplace Safety | Employee discrimination issues; Inadequate employee health or safety rules
Clients, Products & Business Practices | Money laundering; Lender liability from disclosure violations or aggressive sales
Damage to Physical Assets | Natural disasters, e.g. earthquakes; Terrorist activities
Business Disruption and System Failures | Utility outage (e.g. blackout)
Execution, Delivery & Process Management | Data entry error; Incomplete or missing legal documents
* Based on Basel Committee's OR loss event classification; see Appendix for details.
Major OR Characteristics
Partly endogenous
Unwanted by-product of corporate activity
Positively related to complexity of
operations
Highly idiosyncratic
OR events tend to be less correlated to
each other and to other risk types
Less directly linked to business cycles
In principle (partially) controllable ex
ante
Trade-off is mostly risk vs. cost of
avoidance, not risk vs. return
Key Drivers of Interest in OR
Recent Experience
- High-profile cases and related negative publicity
- Examples include Allfirst, Barings, Enron etc.
Regulatory Pressure
- Basel II's explicit capital requirements for OR
Market Developments
- Additional complexity brought about by automation, outsourcing, large volume service provision, deregulation, M&A, risk transfer etc.
Firm-wide Risk Management
Size Compared to Other Risks
OR is sizeable compared to other risk types
Its exclusion can make certain businesses appear artificially attractive, e.g. asset management and trading
Entity | Methodology | Date | OR Findings
RMG of Basel Committee | Quantitative Impact Survey (QIS2-Tranche 1) of 41 banks | 2001 | 15% (on average) of economic capital
MOW | Benchmarking study of 10 banks | 2001 | 11% (on average) of economic capital
MOW | Analysis of OpRisk Analytics loss database | 2002 | 1.05% of risk-weighted assets, corresponding to 13% of the BIS minimum capital requirement
RMA / FMCG | Survey of 12 banks | 2002 | 11%-17% of economic capital
Boston Fed* | Analysis of OpRisk Analytics and OpVantage | 2003 | Estimates consistent with the amount of OR capital held
* Capital and Risk: New Evidence on Implications of Large Operational Losses by de Fontnouvelle, DeJesus-Rueff, Jordan and Rosengren (Federal Reserve Bank of Boston, September 2003).
OR Measurement Pre-Basel II
OR capital measurement was top-down
Approaches | Description
Indicator / Benchmarking | % of income/assets/costs, compared to peers; % of non-interest income, compared to non-financial analogs; % of total capital calculated to cover financial risks (credit, market etc.)
Residual Earnings Volatility | Deviation in earnings (neutralized for impact of financial volatility) at specified confidence interval
and subject to various problems
Arbitrariness / inconsistency
Comparability
Basel II Framework for OR
Scope of application
Pillar I (minimum capital requirements)
Definition
Business line mapping
Classification of loss event types
Measurement approaches (3)
Qualifying criteria
Pillar II (supervisory review)
Pillar III (market disclosure/discipline)
Quantitative Impact Study (QIS) results
Scope of Application for OR
Primarily intended for internationally
active banks and banks with significant OR
exposures
Applied, on a fully consolidated basis, at
holding company and lower levels within a
banking group
Insurance activities are excluded
Supervisory approval required for banks to
revert to simpler approach once approved
for more advanced one
Pillar I Approach 1
Basic Indicator
Corresponds to the Standardized Approach for
credit risk
Capital charge is 15% (alpha) of bank's average annual gross income over previous 3 years
Gross income should exclude provisions, insurance income, realized profits/losses from sale of securities in banking book, and extraordinary or irregular items
No specific criteria/requirements for its use
Banks are encouraged to comply with Basel Committee's guidance on Sound Practices for the Management and Supervision of Operational Risk (February 2003)
Pillar I Approach 2
Standardized / Alternative Standardized
Banks' activities divided (mapped) into 8 business lines
Capital charge is sum of specified % (beta) of each business line's average annual gross income over previous 3 years*
Beta varies by business line (12%-18% range)
General criteria required to qualify for its use
- Active involvement of Board and senior management in OR management framework
- Existence of OR management function, reporting and systems
- Systematic tracking of OR data (including losses) by business line
* Subject to national supervisory discretion, the Alternative Standardized Approach (ASA) can be chosen. It uses volume of loans and advances (instead of gross income) as the exposure indicator for the retail and commercial banking business lines.
Business Line Mapping
LEVEL 1 (BETA FACTOR) | LEVEL 2 | ACTIVITY GROUPS
Corporate Finance (18%) | Corporate Finance; Municipal / Government Finance; Merchant Banking; Advisory Services | Mergers and Acquisitions, Underwriting, Privatizations, Securitization, Research, Debt (Government, High Yield), Equity, Syndications, IPO, Secondary Private Placements
Trading and Sales (18%) | Sales; Market Making; Proprietary Positions; Treasury | Fixed Income, Equity, Foreign Exchanges, Commodities, Credit, Funding, Own Position Securities, Lending and Repos, Brokerage, Debt, Prime Brokerage
Retail Banking (12%) | Retail Banking | Retail Lending and Deposits, Banking Services, Trust and Estates
Retail Banking (12%) | Private Banking |
Retail Banking (12%) | Card Services |
Commercial Banking (15%) | Commercial Banking | Project Finance, Real Estate, Export Finance, Trade Finance, Factoring, Leasing, Lending, Guarantees, Bills of Exchange
Payment & Settlement (18%) | External Clients | Payments and Collections, Funds Transfer, Clearing and Settlement
Agency Services (15%) | Custody | Escrow, Depository Receipts, Securities Lending (Customers), Corporate Actions
Agency Services (15%) | Corporate Agency | Issuer and Paying Agents
Agency Services (15%) | Corporate Trust |
Asset Management (12%) | Discretionary Fund Management | Pooled, Segregated, Retail, Institutional, Closed, Open, Private Equity
Asset Management (12%) | Non-Discretionary Fund Management | Pooled, Segregated, Retail, Institutional, Closed, Open
Retail Brokerage (12%) | Retail Brokerage | Execution and Full Service
Pillar I Approach 3
Advanced Measurement Approaches
(AMA)
Corresponds to the IRB Approach for credit risk
OR capital charge to be derived from bank's own methods
Its use (partial or full) is subject to supervisory
approval
The extent of partial use is determined by bank
criteria and is conditional on submission of a plan to
roll out AMA fully over time
A hybrid allocation mechanism approach is allowed
for the calculation of OR capital for certain
internationally active banking subsidiaries*
Broadly similar general criteria and qualitative
standards as for Standardized Approach, to be
* Principles for the home-host recognition of AMA operational risk capital, Basel Committee on
Banking Supervision (January 2004).
Pillar I Approach 3 (cont.)
Additional quantitative standards (cont.)
Regulatory capital requirement for OR is the sum of EL and UL*
Sound, internally determined OR loss correlations can be used
Internal and relevant external loss data, scenario analysis, and business environment and internal control factors should be used
Minimum 5-year observation period for internal loss data**
Criteria for internal loss event capture (e.g. threshold levels, mapping by business line and event type***, recoveries, attribution etc.)
Credit losses from OR to be recorded but excluded from calculations
Risk mitigation
* Unless the bank can demonstrate that it is adequately capturing EL in its internal business practices (section 629b, Pillar One, Third Consultative Paper on The New Basel Capital Accord, Basel Committee on Banking Supervision, April 2003).
** When the bank first moves to the AMA, a three-year historical data window is acceptable (section 632, ibid).
*** See Appendix for Basel II's proposed loss event type classification.
Alternative AMA Approaches
Given embryonic state of OR
measurement, Basel II lets a thousand
flowers bloom in the AMA
(At least) three types of approaches
identified
Internal Measurement Approaches (IMA)
- PD/EAD/LGD-type framework, where capital
charge (UL) is a fixed function gamma
(calculated by bank itself) of EL
Loss Distribution Approaches (LDA)
- Capital from modeling loss frequency and severity
distributions
Scorecard approaches
- Base level top-down OR capital is allocated to
AMA Toolkit
Internal loss event data
External loss data
Scalars / Exposure Indicators
Scenario analyses
Key Risk/Performance Indicators
(KRIs/KPIs)
Quantitative measures serving as early
warning indicators
Control and Risk Self Assessments
(CRSAs)
Qualitative assessments of inherent risks
and controls
AMA Some Practical Issues
Topic | Issues
Internal loss event data collection
- Selecting minimum materiality threshold
- Determining frequency and severity of loss events
- Mapping to supervisory event types/business lines
- Identifying and leveraging existing historical loss databases
- Establishing an automated process of collection, validation, attribution and reporting that aligns with incentives
- Setting the boundary between OR and other risk types
Scorecard development
- Determining which KRIs and CRSA scores will be included
- Adjusting scores to make them objective and
Example: Internal Loss Capture
CAUSE: Internal (people, processes or systems) or external event
LOSS EVENT: Classification (e.g. Basel's Level 1, 2 and 3 event type categories)
CONSEQUENCE: Description of loss (e.g. cash shortage)
DISCOVERY: Detection of loss event (e.g. reconciliation)
CORRECTION: Description of corrective process (e.g. account edits)
COST: Monetary loss type* (e.g. write-down, restitution etc.)
ATTRIBUTION
DISCLOSURE
* See Appendix for monetary loss type classification.
Example: Loss Modeling
Populating the loss distribution for a specific business line and event type
EVENT TYPES (matrix of frequency, High/Low, against severity, Low/High)
A: High Frequency, Low Severity, e.g. routine processing error
Other cells: e.g. branch robbery; e.g. 9/11; N/A
LOSS DISTRIBUTION (figure: Frequency plotted against Severity, marking EL, UL (99.9% confidence interval) and OR Capital)
Mostly internal loss data (types A and B)
Mostly external loss data and scenarios (type C)
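An added example, not part of the original presentation: a Monte Carlo version of the loss distribution approach described above, producing EL, the 99.9% loss level and UL for one business line/event type cell. The Poisson frequency, the lognormal severity and every parameter value are assumptions chosen for illustration.

```python
import math
import random


def poisson(rng, lam):
    """Draw an annual loss count (Knuth's multiplication method)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(lam, mu, sigma, n_years, seed):
    """Aggregate loss per simulated year for one business line/event type cell.

    Assumed model (not from the presentation): Poisson(lam) events per year,
    each with a lognormal(mu, sigma) severity.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(n_years):
        n_events = poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return totals


def lda_capital(totals, confidence=0.999):
    """EL = mean annual loss; UL = loss at the confidence level minus EL."""
    ordered = sorted(totals)
    expected_loss = sum(ordered) / len(ordered)
    index = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    quantile = ordered[index]
    unexpected_loss = quantile - expected_loss
    return {
        "EL": expected_loss,
        "quantile": quantile,
        "UL": unexpected_loss,
        "capital": expected_loss + unexpected_loss,  # sum of EL and UL
    }


if __name__ == "__main__":
    # Constructed parameters: about 25 losses a year, median severity e^9.
    losses = simulate_annual_losses(lam=25, mu=9.0, sigma=1.0, n_years=20000, seed=7)
    for name, value in lda_capital(losses).items():
        print(f"{name:>8}: {value:,.0f}")
```

With only a few years of internal data the 99.9% level sits far beyond anything observed, which is why the slide assigns the tail to external loss data and scenarios.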
Pillars II and III
Pillar II
The four key principles mentioned also
apply for OR
2003 paper on Sound Practices for the
Management and Supervision of OR to
form basis for Pillar 2 evaluation
Pillar III
Qualitative disclosures
- OR capital approach, including AMA description
(if applicable)
- Various OR management objectives and policies
Quantitative disclosures
- OR capital charge at the top consolidated level of banking group
QIS OR Results
QIS 3* OR results are broadly consistent with the Committee's objectives
New OR capital requirement outweighs reduced credit risk capital requirements, so overall change is a small increase**
- OR constitutes 8%-15% of existing (Basel I) capital requirements, depending on selected group of countries
- Much greater variation of OR results within each group
- Sizable increase in capital requirements for specialized banks
- Optional Alternative Standardized approach preferable for banks with high margins (e.g. retail lenders)
Loss Data Collection Exercise results indicate data availability issues for many business line/event type combinations
See next page
* 188 banks from G10 countries and 177 banks from 30 other countries participated in this exercise. See Quantitative Impact Study 3 Overview of Global Results (Basel Committee on Banking Supervision, May 2003).
** In order to avoid sample selection problems (e.g. the banks completing the IRB approaches is only a subset of those completing the Standardized approach), only the results from the Standardized
QIS OR Results (cont.)*
[Table: % of total # of loss events and % of total gross loss amounts, by BUSINESS LINE (Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency and Custody Services, Asset Management, Retail Brokerage, Total) and LOSS EVENT TYPE (Internal Fraud, External Fraud, Employment Practices and Workplace Safety, Clients, Products and Business Practices, Damage to Physical Assets, Business Disruption and System Failures, Execution, Delivery and Process Management, Total)]
* Sample of 89 banks, 47,269 loss events and 7.8 billion in OR-related losses reported in The 2002 Loss Data Collection Exercise for Operational Risk: Summary of the Data Collected (Risk Management Group, Basel Committee on Banking Supervision, March 2003).
Note: Totals may not add up because no business line/event type information was provided for a few loss
OR Management Framework*
Corporate Governance
- Board of Directors to provide guidance, approve and periodically review bank's OR management framework
- Senior management to translate framework into specific policies, processes and procedures consistently and comprehensively
- Establishment of independent OR management function
Identification and Assessment
- OR identification based on process/activity maps, and loss data collection
- Development of forward-looking early warning indicators and self-assessments
- OR quantification, based on data sources and scenario analysis
- Validation and back-testing of results
Monitoring
- Systematic tracking of loss events, KRIs and CRSA scores
- Timely, accurate, relevant and periodic MIS and other (e.g. heat map) reporting
- Education and communication workshops, Forums etc.
Control and Mitigation
- Internal control policies, processes, procedures and systems
- Incorporation in budgeting, strategy and business applications
- Evaluation of alternative risk mitigants
* Largely based on Sound Practices for the Management and Supervision of Operational Risk, Basel Committee on Banking Supervision (February 2003).
Example: OR Control and
Mitigation
OR control and mitigation measures
Aimed at both center and tail of OR loss
distribution
Can be both preventive (ex ante) and
mitigating (ex post)
Increasingly based on cost-benefit analysis
There exists a variety of alternative
measures
Operational excellence initiatives, e.g. six-sigma, TQM etc.
Service Level Agreements with vendors/service providers
Contingency planning and disaster recovery
Evaluation of Basel OR
Framework
Pros
Forces banks to focus on growing OR issue
Encourages industry efforts for pooling of loss data
etc.
Allows AMA flexibility and offers simple alternative
for smaller banks
Cons
Weak risk sensitivity of non-AMA approaches
Arbitrary rules for Basic and Standardized
Approaches
- One-size-fits-all exposure indicators and alpha/beta
factors
- Ad hoc cap on mitigation from insurance
High compliance costs vs. unproven business benefits for AMA
- Relatively few perceived incentives for banks to move to AMA
* Taken from sub-title of Bank Operational Risk Management (Moody's, June 2002).
Likely Impact of OR Capital
Charge
Calibrated to produce minimal change
at system level
Some redistribution of capital
requirements towards banks with large
specialized processing businesses
Examples: brokerage, custody and asset
management
May incentivize some of these institutions to
de-bank
Smaller domestic banks will opt for the
Basic or Standardized/Alternative
Standardized approach
Implications for Emerging Markets
Similar themes to Basel II's credit risk framework
OR framework should not be examined in isolation
Issue | Questions
Scope of application
- Is AMA adoption a realistic prospect?
- Will Basel II apply on a fully consolidated basis at group level?
Calibration
- Aren't the current alpha and beta factors calibrated too high?
- Will the capital charges encourage foreign banks to move out?
Home-host recognition
- How do you ensure coordination in cross-border supervision?
- How to level playing field between domestic and foreign banks?
Isn't adherence to Basel Core Principles a
Conclusions
Basel II has made OR a distinct and
important discipline in its own right
Industry-wide convergence to OR
standards will continue to evolve for
the foreseeable future
Loss definitional issues, data collection
techniques and quantification
methodologies still under discussion
No one right answer on how to proceed
Approach based on strategic priorities, organizational culture, practical (cost-benefit) considerations and market/regulatory developments
Appendix
Classification of Loss Events
EVENT-TYPE CATEGORY (LEVEL 1) | DEFINITION | CATEGORIES (LEVEL 2) | ACTIVITY EXAMPLES (LEVEL 3)

Internal Fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party
Level 2: Unauthorized Activity
- Transactions not reported (intentional)
- Trans type unauthorized (w/ monetary loss)
- Mismarking of position (intentional)
Level 2: Theft and Fraud
- Fraud/credit fraud/worthless deposits
- Theft/extortion/embezzlement/robbery
- Misappropriation of assets
- Malicious destruction of assets
- Forgery
- Check kiting
- Smuggling
- Account take-over/impersonation/etc.
- Tax non-compliance/evasion (willful)
- Bribes/kickbacks
- Insider trading (not on firm's account)

External Fraud
Definition: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party
Level 2: Theft and Fraud
- Theft/Robbery
- Forgery
- Check kiting
Level 2: Systems Security
- Hacking damage
- Theft of information (w/ monetary loss)
Classification of Loss Events (cont.)
EVENT-TYPE CATEGORY (LEVEL 1) | DEFINITION | CATEGORIES (LEVEL 2) | ACTIVITY EXAMPLES (LEVEL 3)

Employment Practices and Workplace Safety
Definition: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events
Level 2: Employee Relations
- Compensation, benefit, termination issues
- Organized labor activity
Level 2: Safe Environment
- General liability (slip and fall, etc.)
- Employee health & safety rules events
- Workers compensation
Level 2: Diversity & Discrimination
- All discrimination types

Clients, Products & Business Practices
Definition: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product
Level 2: Suitability, Disclosure & Fiduciary
- Fiduciary breaches/guideline violations
- Suitability/disclosure issues (KYC, etc.)
- Retail consumer disclosure violations
- Breach of privacy
- Aggressive sales
- Account churning
- Misuse of confidential information
- Lender Liability
Level 2: Improper Business or Market Practices
- Antitrust
- Improper trade/market practices
- Market manipulation
- Insider trading (on firm's account)
- Unlicensed activity
- Money laundering
Level 2: Product Flaws
- Product defects (unauthorized, etc.)
- Model errors
Level 2: Selection, Sponsorship & Exposure
- Failure to investigate client per guidelines
- Exceeding client exposure limits
Level 2: Advisory Activities
- Disputes over performance of advisory activities
Classification of Loss Events (cont.)
EVENT-TYPE CATEGORY (LEVEL 1) | DEFINITION | CATEGORIES (LEVEL 2) | ACTIVITY EXAMPLES (LEVEL 3)

Damage to Physical Assets
Definition: Losses arising from loss or damage to physical assets from natural disaster or other events
Level 2: Disasters and other events
- Natural disaster losses
- Human losses from external sources (terrorism, vandalism)

Business Disruption and System Failures
Definition: Losses arising from disruption of business or system failures
Level 2: Systems
- Hardware
- Software
- Telecommunications
- Utility outage/disruptions

Execution, Delivery & Process Management
Definition: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors
Level 2: Transaction Capture, Execution & Maintenance
- Miscommunication
- Data entry, maintenance or loading error
- Missed deadline or responsibility
- Model/system misoperation
- Accounting error/entity attribution error
- Other task misperformance
- Delivery failure
- Collateral management failure
- Reference Data Maintenance
Level 2: Monitoring and Reporting
- Failed mandatory reporting obligation
- Inaccurate external report (loss incurred)
Level 2: Customer Intake and Documentation
- Client permissions/disclaimers missing
- Legal documents missing/incomplete
Level 2: Customer/Client Account Management
- Unapproved access given to accounts
- Incorrect client records (loss incurred)
- Negligent loss or damage of client assets
Level 2: Trade Counterparties
- Non-client counterparty misperformance
- Misc. non-client counterparty disputes
Level 2: Vendors & Suppliers
- Outsourcing
- Vendor disputes
Monetary Loss Types
Loss Type | Causes | Monetary Loss
Legal and Liability | Lost legal suit | External legal and other related costs in response to an operational risk event
Regulatory, Compliance and Taxation Penalties | Penalties paid to the regulator | Fines or the direct cost of any other penalties, such as license revocation-associated costs (excludes lost/forgone revenues)
Loss or Damage to Assets | Neglect, accident, fire, earthquake | Reduction in the value of the firm's non-financial assets and property
Restitution | Interest claims (note: excludes legal damages that are addressed under Legal and Liability costs) | Payments to third parties of principal and/or interest, or the cost of any other form of compensation paid to clients and/or third parties
Loss of Recourse | Inability to enforce a legal claim on a third party for the recovery of assets due to an operational error | Payments made to incorrect parties and not recovered; includes losses arising from incomplete registration of collateral and inability to enforce positions
Write Downs | Fraud, mis-represented market and/or credit risks | Direct reduction in value of financial assets as a result of operational events