Operational Risk. The Regulatory Requirements and Management Process

List of contents

1. Introduction and Definition

2. Important Regulatory Requirements of Operational Risk
2.1 The Basel Capital Accord
2.1.1 The First Pillar: Minimum Capital Requirements
2.1.2 The Second Pillar: Supervisory Review Process
2.1.3 The Third Pillar: Market Discipline
2.2 Sound Practices
2.3 The National Implementation of Basel II in Germany

3. The Operational Risk Management Process
3.1 Risk Identification
3.2 Risk Assessment
3.3 Reporting
3.4 Management of operational risks
3.4 Monitoring

4. Bibliography

1. Introduction and Definition

During the last twenty years operational risk has extremely gained an importance in the financial sector. Although this type of risk is definitely not new but rather one of the oldest, it has remained unconsidered for a relatively long time. However operational risks have always existed and do exist in the daily business ever since the foundation of every financial institution. Considering the icreased complexity and global developments in the financial system as well as the recent extremely large losses caused by operational risk, this risk type has finally acquired a greater relevance. One of the most popular examples for the tremendous losses caused by operational risk is the collapse of the Barings Bank in the year 1995 due to an inadequate control system and serious failures in management and supervisory. Other practical examples of operational risks will be listed below.

Unlike other types of risks operational risks are very heterogeneous and diversified. The term includes a variety of meanings and range from employee errors, systems’ failures and frauds up to external events, such as fire or floods. Therefore the former definition of operational risk was a negative one, which stated what the term is not - e.g. credit, market or liquidity risk - it was the “other risks” basket (Utz 2006: 52). But this definition has proven to be “opaque and less than useful” (Carol 2003: 104) and is now obsolete.

Since a consistent definition is absolutely necessary for a general framework for managing and controlling operational risks, the Basel Committee provided a more precise definition. It defines the operational risk as: “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events” (BCBS 2001: 2). This definition includes also the legal risk, but not the reputation risk and strategic risk (BCBS 2001: 2). A lot of industry representatives applied this definition, hence it can now be assumed as the standard one (Resti and Sironi 2007: 512).

According to this definition, the operational risk can be divided into two main streams of risk: the external and the internal risk: The internal risk arises inside the institution, whereas the external risk arises outside the institution (Utz 2006: 57). In particular, the Basel II refers to four different risk factors: people, systems and processes, which belongs to the internal risk and external events, which are counted among the external risk. These factors are explained briefly in the following:

- People: The risk factor people refers to human behaviour and includes, for instance, aspects like human errors and failure, frauds, criminal activities of employees, lack of integrity and honesty, negligence etc.
- System: The risk factor systems refers to losses coming from the technological system in the institution like, for example, problems with the IT, unauthorized accesses to information, failures in communication, failure in the safety system etc.
- Processes: The factor processes encompasses different errors in the transactions, but also in general business models, accounting to taxation errors, compliance issues etc.
- External events: Finally the risk factor external events covers different criminal activities, like theft or vandalism, political and military events, like war or sanctions, changes in the legal environment and also natural events, like fire, flood etc. (cf. Resti and Sironi 2007: 512 pp).

In practice there are of lot of examples for large losses caused by one or more of these operational risk factors. For instance, the collapse of Jürgen Schneider’s real estate imperium in the year 1994. Dr. Jürgen Schneider took out large loans based on falsified balance sheets and construction documentation as well as rent contracts from over 50 banks. The financial collapse of his real estate company caused a net loss of 2, 4 billion of DM for the banks. The banks did not manage this operational risk - they failed to audit and to control the financing transactions of Jürgen Schneider.

Furthermore, another important aspect of operational risk is that it is generally not directly taken in return for an additional reward, but just occurs as a result of corporate activity. However the operational risk is rising with increasing business activity (BCBS 2003: 3).

In summary, the operational risk includes a wide variety of different internal and external aspects and also has overlaps with other types of risks, especially with the Credit Risk. Therefore it is necessary that individual elements and features of operational risk are well identified and clearly distinguished (Utz 2006: 64).The Basel Committee on Banking Supervision contributed to an effective handling with operational risk by implementing a framework of regulations related to this risk type. These regulatory requirements are presented below.

2. Important Regulatory Requirements of Operational Risk

In the last few years, the regulatory requirements of operational risk have become progressively more detailed and transparent, especially with the extended discussion about the new Basel Capital Accord (Basel II). Considering the global developments in the financial sector at the turn of the millennium the Basel Committee on Banking Supervision (BCBS) published in the year 1998 the first document, which explicitly treats the operational risk management from a qualitative point of view (BCBS 1998 and Kaiser/Köhne 2007: 20 f.). This document exposed the importance and the enormity of operational risk as an individual considerable risk factor (Chernobai/Rachev/Fabozzi 2007: 36). Ever since the BCBS introduced the second set of accords in the year 2004 the operational risk finally became established as a substantial distinct risk category besides the market and the credit risk. Among other things the accord tends to implement an overt and effective handling with operational risks in banks and financial institutions.

Important aspects of Basel II relevant to operational risk as well as its national implementation in Germany are presented in the next chapters.

2.1 The Basel Capital Accord

The Basel Committee on Banking Supervision, which plays a leading role in setting and establishing of international risk management regulations and guidelines, introduced the Basel II in the year 2004 and, two years later, the revised framework of the new capital accord in June 2006 (cf. BCBS 2006). It replaced the first capital measurement framework of the year 1988, commonly known as Basel I. Considering the financial crisis of 2007-2008 the BCBS introduced the Third Accord (Basel III), which rules certainly do not supersede the Basel II framework but rather complement some parts of it (Cortez 2011: 223). Since all the important regulations regarding the operational risk are mostly based on Basel II, following remarks refer only to this accord.

Basel II creates an international standard for banks and financial institutions in order to provide a regulatory framework for the main risk factors: credit risk, market risk as well as - and this is new - operational risk. The accord is based on three main pillars: The first pillar (Minimum Capital Requirements) refers to the regulatory capital, which banks are expected to hold for operational risk; the second pillar (Supervisory Review of Capital Adequacy) refers to regulatory validation and supervision of the risk management and the third pillar (Market Discipline) refers to public disclosures.

In the following the three pillars are presented more detailed. In so doing, the focus is on the first pillar, which introduces important measurement methods for the quantitative assessment and evaluation of operational risk in order to determine the minimum capital adequacy.

2.1.1 The First Pillar: Minimum Capital Requirements

Since the introduction of Basel II, banks are obliged to hold separately identified regulatory capital not only for credit and market risk but also for the operational risk in order to cover the potential losses with capital and so to reduce the danger of insolvency (Maslen 2010: 27). Before operational risk was only considered by implication because of difficulties in determining this kind of risk. Therefore appropriate measurement methods for the quantitative minimum capital requirements of operational risks are necessary. The first pillar encompasses new orders about the capital allocation of operational risk and provides various risk measurement methods, which range from basic, standardized to advanced approaches based on the internal bank systems. These new regulations lead to an improvement of organizational procedures, because the management started to focus more intense on operational risk as a separate entity. By introducing the new regulation, a decrease of operational risk should have been supported at best. The choice of the approaches is optional, so long as certain quantitative and qualitative minimum requirements for the respective approaches are satisfied - so that every bank may apply a method, which best suits its internal system and risk profile (Kunze 2007: 87; Deutsche Bundesbank 2014). Three different categories of approaches for determining the capital adequacy for operational risk are specified in detail below.

- Basic Indicator Approach

The Basic Indicator Approach is compared to the other approaches as a very undemanding one, it can be used by every type of financial institution, which is working on a national level and does not have an excessive degree of operational risk. Banks using the Basic Indicator Approach are obliged to hold a certain amount of capital in case of losses caused by operational risk. The sum is composed of 15 per cent of the average positive gross income of the last three years (Kaiser/Köhne 2007: 27).

This type of approach can present potential problems, because it is not risk-sensitive. This shows the missing connection between the danger of operational risk losses and the amount of the indicator. In fact, a relation between the operational risk and the required capital for losses does not exist. This is why this kind of approach does not provide an incentive for the risk management to improve its methods and procedures to reduce operational risk. It can be assumed that credit institutions with a higher gross income can compensate losses in general better than the ones with a smaller gross income (Kunze 2007: 264). Even though the advantage of using the gross income as an indicator is, inter alia, its easy calculation and its good comparability between distinct institutions (Kunze 2007: 265).

- Standardized Approach

The Standardized Approach utilizes as well as the Basic Indicator Approach the gross income for the calculation of the required capital. However, the calculation is provided for each business unit individually instead of one calculation for the whole business. In order to be allowed to use this sort of approach the bank has to ensure the fulfilment of certain qualitative criteria, which include the risk sensitivity of the Management Committee and the regularly monitoring of operational risk. Furthermore the existence of a functional risk management system is expected, as well as the presence of adequate resources, which are highly relevant for the calculation of the Standardized Approach (Eller/Heinrich/Perrot/Reif 2010: 117). The activities of the bank are in accordance with Basel II split into eight distinct sectors. For each business sector exists a weighting factor, which is called beta factor. The beta factor amounts either 12, 15 or 18 per cent and is multiplied with the respective gross income (Kaiser/Köhne 2007: 28). The sectors are divided in Private Banking, Corporate Finance, Trading and Sales, Commercial Banking, Payment and Settlement, Agency Services, Asset Management and Retail Brokerage (Kaiser/Köhne 2007: 81).

The total required capital for operational risk is calculated by adding the average gross income of the last three years of each sector multiplied with the respective beta factor. The Negative gross incomes of the business sectors can be offset with the positive ones. By conducting this procedure, a greater risk sensitivity can be induced (Kaiser/Köhne 2007: 28).

- Advanced Measurement Approach

If the institution has a developed risk management and fulfils determined criteria, it is allowed to make use of the Advanced Measurement Approach. There is no explicit predefined measure method for the calculation of the required capital, the institution is authorized to create its own internal risk measurement for the calculation of the required capital (Eller/Heinrich/Perrot/Reif 2010: 117). The Basel Committee on Banking decided to accept the own creation of internal risk measurements in the hope that the measurement methods improve faster. The Committee ensures a decline of the required capital for operational risk by using the Advanced Measurement Approach (Carol 2003: 195).

Furthermore the institution is permitted to use this type of approach in combination with the other two approaches, the only precondition is the coverage of the whole risk (Kaiser/Köhne 2007: 33).

The predetermined criteria are subdivided in qualitative and quantitative ones, they imply the criteria of the Standardized Approach and demand even greater efforts. The qualitative criteria require for example a documentation of the risk management system or a financial reporting to the management board and the executives about occurred and potential operational risks, as well as a validation of the measurement model conducted by external auditors or the Committee on Banking Supervision.

The quantitative category includes, among other things, a detailed report of the causes of operational risk, the use of internal and external data, the utilization of the scenario analysis and factors, which reflect the business environment and the internal control system, as well as the calculation of the required equity capital as a sum of expected and unexpected losses (Kaiser/Köhne 2007: 32).

[...]