Risk is inherent in any walk of life in general and in financial sectors in particular. Until recently, because of the regulated environment, banks could not afford to take risks. Of late, however, banks are exposed to the same competition and hence are compelled to encounter various types of financial and non-financial risks. Risks and uncertainties form an integral part of banking, which by nature entails taking risks. There are three main categories of risk: Credit Risk, Market Risk and Operational Risk.
OPERATIONAL RISK
Banks always live with the risks arising out of human error, financial fraud and natural disasters. Events such as the WTC tragedy and the Barings debacle have highlighted the potential losses on account of operational risk. Exponential growth in the use of technology and the increase in global financial inter-linkages are the two primary changes that contributed to such risks. Operational risk, though defined as any risk that is not categorized as market or credit risk, is the risk of loss arising from inadequate or failed internal processes, people and systems or from external events.
To mitigate this, internal control and internal audit systems are used as the primary means. Risk education that familiarizes staff at all levels with complex operations can also reduce operational risk. Insurance cover is one of the important mitigators of operational risk.
Operational risk events are associated with weak links in internal control procedures. The key to management of operational risk lies in the bank’s ability to assess its process for vulnerability and establish controls as well as safeguards while providing for unanticipated worst-case scenarios.
Operational risk involves breakdown in internal controls and corporate governance leading to error, fraud, performance failure, or compromise on the interest of the bank, resulting in financial loss. Putting in place proper corporate governance practices by itself would serve as an effective risk management tool. Banks should strive to promote a shared understanding of operational risk within the organization, especially since operational risk is often intertwined with market or credit risk and is difficult to isolate.
The definition of operational risk has evolved rapidly over the past few years. At first, it was commonly defined as every type of unquantifiable risk faced by a bank. However, further analysis has refined the definition considerably. Operational risk has been defined by the Basel Committee on Banking Supervision as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk. This definition is based on the underlying causes of operational risk. It seeks to identify why a loss happened and at the broadest level includes the breakdown by four causes: people, processes, systems and external factors.
Likely forms of manifestation of operational risk
A clear appreciation and understanding by banks of what is meant by operational risk is critical to the effective management and control of this risk category. It is also important to consider the full range of material operational risks facing the bank and capture all significant causes of severe operational losses.
Operational risk is pervasive, complex and dynamic. Unlike market and credit risk, which tend to be in specific areas of business, operational risk is inherent in all business processes. Operational risk may manifest in a variety of ways in the banking industry.
The Basel Committee has identified the following types of operational risk events as having the potential to result in substantial losses:
* Internal fraud – For example, intentional misreporting of positions, employee theft, and insider trading on an employee’s own account.
* External fraud – For example, robbery, forgery, cheque kiting, and damage from computer hacking.
* Employment practices and workplace safety – For example, workers compensation claims, violation of employee health and safety rules, organized labour activities, discrimination claims, and general liability.
* Clients, products and business practices – For example, fiduciary breaches, misuse of confidential customer information, improper trading activities on the bank’s account, money laundering, and sale of unauthorized products.
* Damage to physical assets – For example, terrorism, vandalism, earthquakes, fires and floods.
* Business disruption and system failures – For example, hardware and software failures, telecommunication problems, and utility outages.
* Execution, delivery and process management – For example: data entry errors, collateral management failures, incomplete legal documentation, and unauthorized access given to client accounts, non-client counterparty mis-performance, and vendor disputes.
Relevance of Operational risk function
A growing number of high-profile operational loss events worldwide have led banks and supervisors to increasingly view operational risk management as an integral part of risk management activity. Management of specific operational risks is not a new practice; it has always been important for banks to try to prevent fraud, maintain the integrity of internal controls, reduce errors in transaction processing, and so on. However, what is relatively new is the view that operational risk management is a comprehensive practice comparable to the management of credit and market risks.
Operational Risk differs from other banking risks in that it is typically not directly taken in return for an expected reward but is implicit in the ordinary course of corporate activity and has the potential to affect the risk management process. However, it is recognized that in some business lines with minimal credit or market risks, the decision to incur operational risk, or compete based on the perceived ability to manage and effectively price this risk, is an integral part of a bank’s risk / reward calculus. At the same time, failure to properly manage operational risk can result in a misstatement of an institution’s risk profile and expose the institution to significant losses. ‘Management’ of operational risk is taken to mean the ‘identification, assessment and / or measurement, monitoring and control / mitigation’ of this risk.
Organizational set up and culture
Operational risk is intrinsic to a bank and should hence be an important component of its enterprise-wide risk management systems. The Board and senior management should create an enabling organizational culture placing high priority on effective operational risk management and adherence to sound operating procedures. Successful implementation of the risk management process has to emanate from the top management, with the demonstration of strong commitment to integrate the same into the basic operations and strategic decision-making processes. Therefore, the Board and senior management should promote an organizational culture for management of operational risk.
It is recognized that the approach for operational risk management that may be chosen by an individual bank will depend on a range of factors, including size and sophistication, nature and complexity of its activities. However, despite these differences, clear strategies and oversight by the Board of Directors and senior management; a strong operational risk culture, i.e., the combined set of individual and corporate values, attitudes, competencies and behaviour that determine a bank’s commitment to and style of operational risk management; internal control culture (including clear lines of responsibility and segregation of duties); effective internal reporting; and contingency planning are all crucial elements of an effective operational risk management framework.
Ideally, the organizational set-up for operational risk management should include the following:
* Board of Directors
* Risk Management Committee of the Board
* Operational Risk Management Committee
* Operational Risk Management Department
* Operational Risk Managers
* Support Group for operational risk management
Identification of operational risk
Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is identified clearly and subjected to adequate assessment procedures.
Risk identification is paramount for the subsequent development of a viable operational risk monitoring and control system. Effective risk identification should consider both internal factors (such as the bank’s structure, the nature of the bank’s activities, the quality of the bank’s human resources, organizational changes and employee turnover) and external factors (such as changes in the industry and technological advances) that could adversely affect the achievement of the bank’s objectives.
The first step towards identifying risk events is to list out all the activities that are susceptible to operational risk. To begin with, we can list:
* The main business groups viz. corporate finance, trading and sales, retail banking, commercial banking, payment and settlement, agency services, asset management, and retail brokerage.
* The analysis can be further carried out at the level of the product teams in these business groups, e.g. transaction banking, trade finance, general banking, cash management and securities markets.
* Thereafter the product offered within these business groups by each product team can be analyzed, e.g. import bills, letter of credit, bank guarantee under trade finance.
After the products are listed, the various operational risk events associated with these products are recorded. An operational risk event is an incident/experience that has caused or has the potential to cause material loss to the bank either directly or indirectly with other incidents. Risk events are associated with the people, process and technology involved with the product. They can be recognized by:
(i) Experience – The event has occurred in the past;
(ii) Judgment – Business logic suggests that the bank is exposed to a risk event;
(iii) Intuition – Events where appropriate measures saved the institution in the nick of time;
(iv) Linked Events – This event resulted in a loss resulting from other risk type;
(v) Regulatory requirement – regulator requires recognition of specified events.
Assessment of Operational Risk
In addition to identifying the risk events, banks should assess their vulnerability to these risk events. Effective risk assessment allows a bank to better understand its risk profile and most effectively target risk management resources. Amongst the possible tools that may be used by banks for assessing operational risk are:
* Self Risk Assessment: A bank assesses its operations and activities against a menu of potential operational risk vulnerabilities. This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. Scorecards, for example, provide a means of translating qualitative assessments into quantitative metrics that give a relative ranking of different types of operational risk exposures. Some scores may relate to risks unique to a specific business line while others may rank risks that cut across business lines. Scores may address inherent risks, as well as the controls to mitigate them.
* Risk Mapping: In this process, various business units, organizational functions or process flows are mapped by risk type. This exercise can reveal areas of weakness and help prioritize subsequent management action.
* Key Risk Indicators: Key risk indicators are statistics and/or metrics, often financial, which can provide insight into a bank’s risk position. These indicators should be reviewed on a periodic basis (such as monthly or quarterly) to alert banks to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions.
Monitoring of Operational Risk
An effective monitoring process is essential for adequately managing operational risk. Regular monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the policies, processes and procedures for managing operational risk. Promptly detecting and addressing these deficiencies can substantially reduce the potential frequency and/or severity of a loss event.
In addition to monitoring operational loss events, banks should identify appropriate indicators that provide early warning of an increased risk of future losses. Such indicators (often referred to as early warning indicators) should be forward-looking and could reflect potential sources of operational risk such as rapid growth, the introduction of new products, employee turnover, transaction breaks, system downtime, and so on. When thresholds are directly linked to these indicators, an effective monitoring process can help identify key material risks in a transparent manner and enable the bank to act upon these risks appropriately.
The frequency of monitoring should reflect the risks involved and the frequency and nature of changes in the operating environment. Monitoring should be an integrated part of a bank’s activities. The results of these monitoring activities should be included in regular management and Board reports, as should compliance reviews performed by the internal audit and/or risk management functions. Reports generated by (and/or for) intermediary supervisory authorities may also inform the corporate monitoring unit which should likewise be reported internally to senior management and the Board, where appropriate. Senior management should receive regular reports from appropriate areas such as business units, group functions, the operational risk management unit and internal audit.
The operational risk reports should contain internal financial, operational, and compliance data, as well as external market information about events and conditions that are relevant to decision making. Reports should be distributed to appropriate levels of management and to areas of the bank on which areas of concern may have an impact. Reports should fully reflect any identified problem areas and should motivate timely corrective action on outstanding issues. To ensure the usefulness and reliability of these risk reports and audit reports, management should regularly verify the timeliness, accuracy, and relevance of reporting systems and internal controls in general. Management may also use reports prepared by external sources (auditors, supervisors) to assess the usefulness and reliability of internal reports. Reports should be analyzed with a view to improving existing risk management performance as well as developing new risk management policies, procedures and practices.
The ORM Process Summary
The ORM process comprises six steps, each of which is equally important:
Step 1: Identify the Hazard
A hazard is defined as any real or potential condition that can cause degradation, injury, illness, death or damage to or loss of equipment or property. Experience, common sense, and specific analytical tools help identify risks.
Step 2: Assess the Risk
The assessment step is the application of quantitative and qualitative measures to determine the level of risk associated with specific hazards. This process defines the probability and severity of an accident that could result from the hazards based upon the exposure of humans or assets to the hazards.
Step 3: Analyze Risk Control Measures
Investigate specific strategies and tools that reduce, mitigate, or eliminate the risk. All risks have three components: probability of occurrence, severity of the hazard, and the exposure of people and equipment to the risk. Effective control measures reduce or eliminate at least one of these. The analysis must take into account the overall costs and benefits of remedial actions, providing alternative choices if possible.
Step 4: Make Control Decisions
Identify the appropriate decision-maker. That decision-maker must choose the best control or combination of controls, based on the analysis of step 3.
Step 5: Implement Risk Controls
Management must formulate a plan for applying the controls that have been selected, then provide the time, materials and personnel needed to put these measures in place.
Step 6: Supervise and Review
Once controls are in place, the process must be periodically reevaluated to ensure their effectiveness. Workers and managers at every level must fulfill their respective roles to assure that the controls are maintained over time. The risk management process continues throughout the life cycle of the system, mission or activity.
Conclusion
Operational risk management provides a logical and systematic means of identifying and controlling risk. Operational risk management is not a complex process, but does require individuals to support and implement the basic principles on a continuing basis. Operational risk management offers individuals and organizations a powerful tool for increasing effectiveness and reducing accidents. The ORM process is accessible to and usable by everyone in every conceivable setting or scenario. It ensures that all FAA personnel will have a voice in the critical decisions that determine success or failure in all our operations and activities. Properly implemented, ORM will always enhance performance.