• A growing desire has emerged to organize the
components of operational risk into what
Hubner et al. (2003) call a "coherent structural
framework"
• Haubenstock (2003) identifies the
components of the operational risk framework
as:
• (i) strategy,
• (ii) process,
• (iii) infrastructure, and
• (iv) the environment
Strategy:
• development of a risk management strategy;
• development of risk management culture;
• definition of management roles and
responsibilities;
• ensuring that an appropriate management
and control structure is in place
The risk management framework: Process
• The process involves the day-to-day activities
required to understand and manage operational risk,
given the chosen strategy.

• The process consists of
• (i) risk and control identification,
• (ii) risk measurement and monitoring,
• (iii) risk control/mitigation, and
• (iv) process assessment and evaluation.
Process: Risk and control identification
• Risk identification starts with the definition of operational risk
to provide a broad context for potential threats

• The best way to identify risk is to talk to people who live with
it on a daily basis

• The degree of risk is typically defined as frequency and
severity, rated either qualitatively or quantitatively

• Mestchian (2003) suggests a decomposition of operational
risk into process risk, people risk, technology risk, and external risk

• These risks can then be identified as low, medium, or high in
different business activities, as in the Table on the next slide, or
by frequency or severity, as in Figure 2, one slide after
Risk identification
Risk assessment of activities
ORF: Process - Identification
• Risk identification should also include monitoring of the
external environment and industry trends, as new risks
emerge continuously

• (ii) Control identification
• The identification of controls is part of the identification
process, as it complements the identification of risk.
• Controls include:
- management oversight,
- information processing,
- activity monitoring,
- automation,
- process controls,
- segregation of duties,
- performance indicators
- and policy and procedures

The control framework defines the appropriate approach to
controlling each identified risk

(iii) Risk mitigators
• Risk mitigators include
- training,
- insurance programs,
- diversification and
- outsourcing
• Insurance, which is a means of risk control/mitigation, is
typically applied against the large exposures where a loss
would cause a charge to earnings greater than that
acceptable in the risk appetite

• For the purpose of risk identification, the Federal Reserve
System (1997) advocates a three-fold risk-rating scheme that
includes (i) inherent risk, (ii) risk controls, and (iii) composite
risk.

• Inherent risk (or gross risk) is the level of risk without
consideration of risk controls, residing at the business unit
level
• Inherent risk depends on (i) the level of activity relative to the
firm's resources, (ii) number of transactions, (iii) complexity of
activity, and (iv) potential loss to the firm

• Composite risk (or residual risk or net risk) is the risk
remaining after accounting for inherent risk and risk
mitigating controls

• The Federal Reserve System (1997) provides a matrix that
shows the composite risk situation based on the strength of risk
management (weak, acceptable, strong) and the inherent risk
of the activity (low, moderate, high)
• For example, when weak risk management is applied to low
inherent risk, the resulting risk is low/moderate composite risk

• On the other extreme, when strong risk management is
applied to high inherent risk, the composite risk will be
moderate/high

• An illustration is given in the figure on the next slide

The FRS's classification of inherent and composite risks
• (iv) Risk measurement
• As risks and controls are identified, risk measurement
provides insight into the magnitude of exposure, how well
controls are operating and whether exposures are changing
and consequently require attention

• The borderline between identification and measurement is
not clear; however, Haubenstock (2003) identifies the
following items as relevant to the measurement of operational
risk
• a. Risk drivers, which are measures that drive the inherent
risk profile and changes in which indicate changes in the risk
profile
• These include transaction volumes, staff levels, customer
satisfaction, market volatility, the level of automation

• b. Risk indicators, which are a broad category of measures
used to monitor the activities and status of the control
environment of a particular business area for a given risk
category.
• The difference between drivers and indicators is that the
former are Y YYYY YYY

• Examples of risk indicators are profit and loss breaks, failed
trades and settlements and systems reliability
• c. The loss history, which is important for three reasons: (i)
loss data are needed to create or enhance awareness at
multiple levels of the firm; (ii) they can be used for empirical
analysis; and (iii) they form the basis for the quantification of
operational risk capital

• d. Causal models, which provide the quantitative framework
for predicting potential losses.
• These models take the history of risk drivers, risk indicators
and loss events and develop the associated multivariate
distributions.
• The models can determine which factor(s) have the highest
association with losses
• e. Capital models, which are used to estimate regulatory
capital as envisaged by Basel II.

• f. Performance measures, which include the coverage of the
self-assessment process, issues resolved on time, and
percentage of issues discovered as a result of the
self-assessment process

• (v) Reporting
• Reporting is an important element of measurement and
monitoring
• A key objective of reporting is to communicate the overall
profile of operational risk across all business lines and types of
risk.

• There are two alternative ways of reporting to a central
database as shown in Figure

• One way is indirect reporting, where there is a hierarchy in the
reporting process, which can be arranged on a geographical
basis.
• Otherwise, direct reporting is possible, where every unit
reports directly to a central database
• Reporting methods:
• Checklists are probably the most common approach to
self-assessment

• Structured questionnaires are distributed to business areas to
help them identify their level of risk and related controls
• The response would indicate the degree to which a given risk
affects their areas.
• It would also give some indication of the frequency and
severity of the risk and the level of risk control that is already
in place
• The narrative approach is also used to ask business areas
to define their own objectives and the resulting risks
• The workshop approach skips the paperwork and gets
people to talk about their risks, controls, and the required
improvements

• Lam (2003b) identifies two schools of thought with regard to
quantitative and qualitative measures of risks

• (i) the one believing that what cannot be measured cannot be
managed, hence the focus should be on quantitative tools
• and (ii) the other, which does not accept the proposition that
operational risk can be quantified effectively, hence the focus
should be on qualitative approaches
• Lam (2003b) warns of the pitfalls of using one approach
rather than the other, stipulating that "the best practice
operational risk management incorporates elements of both".

(vi) Risk control/mitigation
• When risk has been identified and measured, there are a
number of choices in terms of the actions that need to be
taken to control or mitigate risk

• These include (i) risk avoidance, (ii) risk reduction, (iii) risk
transfer, and (iv) risk assumption (risk taking)
• Risk avoidance can be quite difficult and may raise questions
about the viability of the business in terms of the risk-return
relation
• A better alternative is risk reduction, which typically takes the
form of risk control efforts as it may involve tactics ranging
from business re-engineering to staff training as well as
various less extensive staff and/or technical solutions.

• Cost-benefit analysis may be used to assist in structuring
decisions and to prevent the business from being controlled
out of profit
People issues
• the relevant type and calibre of people are
available;

• there are adequate levels of training and
development of the staff;

• the staff have the skill levels that are
appropriate to the tasks assigned to them
Technology issues
• adequate systems to support the various
product lines;
• systems are available for management
information and reporting;
• there is communication infrastructure to
support the operation;
• data warehouses that allow integration and
consolidation of information and data across
the organization;
• tools and systems available for managing
market risk across the organization

• enterprise-wide credit monitoring and credit
risk management systems.
Themes in risk management framework
• There are four fundamental themes that are critical for
establishing and maintaining a comprehensive and effective
risk management framework

• 1. The ultimate responsibility for risk management must be
with the board of directors. They need to ensure that
organization structure, culture, people and systems are
conducive to effective risk management. The requirements
for risk management must be defined and established by
those charged with overall responsibility for running the
business
• 2. The board and executive management
must recognize a wide variety of risk types,
and ensure that the control framework
adequately covers all of these. As well as
including market and credit risks, it should
include operations, legal, reputation and
human resources risks that do not readily
lend themselves to measurement
• 3. The support and control functions, such as
the back and middle offices, internal audit,
compliance, legal, IT and human resources,
need to be an integral part of the overall risk
management framework
• 4. Risk management objectives and policies
must be a key driver of the overall business
strategy, and must be implemented through
supporting operational procedures and
controls.
• Operational risk can be minimized in a number
of ways. Internal control methods consist of:
- Individuals responsible for committing
transactions should not perform clearance and
accounting functions
- Entries (inputs) should be matched from two
different sources, that is, the trade ticket and the
confirmation by the back office.
- Results (outputs) should be matched from different
sources, for instance the trader's profit estimate and
the computation by the middle office
- Important dates for a transaction (e.g., settlement,
exercise dates) should be entered into a calendar
system that automatically generates a message
before the due date.
- Any amendment to
original deal tickets should be subject to the same
strict controls as original trade tickets.

External control methods consist of:
1. Trade tickets need to be confirmed
with the counterparty, which provides an
independent check on the transaction.
2. To value positions, prices
should be obtained from external sources. This also
implies that an institution should have the capability
of valuing a transaction in-house before entering it.
3. The counterparty should be
provided with a list of personnel authorized to trade,
as well as a list of allowed transactions.
4. The payment process itself can
indicate if some of the terms of the transaction have
been incorrectly recorded, for instance, as the first
cash payments on a swap are not matched across
counterparties.
5. These examinations
provide useful information on potential weakness
areas in the organizational structure or business
process.