Operational Risk Management in Banking — The What, The Why & The How?

Amit Gupta
Published in FinTech 2030, Mar 22, 2023

Operational risk in banking is the risk (direct or indirect) resulting from inadequate or failed internal processes, people, and systems, or from external events, including business risk and reputation risk. Alternatively, all risks apart from market and credit risks constitute operational risk for a financial firm. Although it is referred to as a non-financial risk, it can lead to both financial and reputation loss.

But why focus on operational risk? Operational risk management facilitates looking at a banking enterprise in a holistic way to create a detailed risk profile that the stakeholders can use to run the bank in a better and more efficient way. Apart from this, operational risk management helps a bank to manage the severity and frequency of events and losses, scale operational risk exposure to conform to acceptable risk levels, ensure adequate control to maintain exposure and risk within the acceptable level, and determine capital to absorb extreme losses associated with risks which are difficult to control or where control mechanisms fail.

Types of Operational Risk: Unlike market and credit risk, operational risk is difficult to identify and control, as it is embedded in the firm itself and is prone to external/random events. Contrary to the conception that operational risk is synonymous with risk in operations, it encompasses multiple domains like Fraud, Discrimination, Advisory Risk, Product Liability, Cyber Risk, Legal Risk, Model Risk, Project Management, etc.

It can be divided into 4 types:

A. Process Risk: Arises from inadequate or failed internal processes of the bank, such as the processing of transactions, accounting, execution, delivery, process management, business disruption, and system failures. This risk can result from errors or omissions in these processes or from the failure to implement adequate controls.

B. People Risk: Arises from the actions of employees or other individuals associated with the bank, such as contractors or vendors. This risk can result from employee errors, misconduct, or fraud, or from the failure to attract or retain key personnel.

C. Technological Risk: Stems from the failure or inadequacy of technology systems, such as software or hardware, used by the bank. This risk can result from system failures, cyber-attacks, or data breaches.

D. External Risk: These are events outside the control of the bank, such as natural disasters, external theft, fraud, damage to physical assets, geopolitical events, or changes in regulations. This risk can affect the bank’s operations, customers, or reputation.

Lines of defense for Operational Risk Management: Operational Risk Management in banking warrants 3 steps: Identification of Risk, Assessment of Risk, and Mitigation of Risk. These responsibilities are divided within the firm at different levels, as mentioned below:

  1. First line of defense: Management controls and internal control measures that own and manage the firm’s risk.
  2. Second line of defense: Functions that oversee and specialize in risk management and compliance, like Security, Risk Management, Compliance, Quality, etc.
  3. Third line of defense: Provides independent assurance above all internal audits, i.e. the Governing Body, Audit Committee, and Board.

Operational Risk Measurement Tools: All 3 steps in risk management involve the use of tools for measuring the risk before assessing and planning for mitigation. They are:

1. Loss/Gain Data capture: Backward-looking cause analysis, where root cause analysis of losses and gains is done to determine reasons for the breakdown in banking operations.

2. Key Risk Indicators Monitoring: Forward-looking cases where leading, lagging, and performance indicators are analyzed to identify trends in operational risk in banks.

3. Risk/Control Assessment: Focus on the cultural aspect including control assessment by management and overall assessment framework that accounts for all types of management.

4. Reporting/Analysis and Governance: A mode of influencing decision-making via risk analysis, which plays an active role in the governance of the banking enterprise structure.

5. Scenario Analysis: For assessing exposure to the potential frequency and severity of unexpected losses a bank can incur due to operational risk.

Operational Risk Measurement Challenges: Proactive planning of risk assessment and mitigation is a tough process, and hence banks have to be ready to face certain challenges like:

  1. Potential losses for the bank may be unbounded, hence a call should be taken about the acceptable loss.
  2. Exposure to the bank due to risk might be undefined and un-dimensioned.
  3. Unlike market and credit risk, losses due to operational risk are not capped.
  4. Loss severity distribution is fat-tailed.
  5. Risks are not easily controllable in the short term as risks are mostly recognized post-event and management and risk measurement follow a diverse path.

Operational Risk Management Equation:

Although a bank would love to get rid of all operational risks, it is practically not possible. Banks must ponder which risks to mitigate and which risks to adopt. In terms of an equation, this can be explained as below:

[Figure: The Operational Risk Management Equation]

A bank must be ready to adopt some of the risks, and the extent of the same has to be decided based on the risk appetite of the bank.

Understanding Aspects of the Risk Equation: The 2 major areas for understanding the risk equation are Risk Assessment (to understand the risk the bank is dealing with) and Control Analysis (to find inefficiencies, control, and mitigation).

1. Risk Assessment:

[Figure: Focus areas & factors to be considered in risk assessment]

2. Control Analysis:

[Figure: Focus areas & factors to be considered in control analysis]

Major Techniques at Bank’s disposal for Operational Risk Management

1. RCSA (Risk and control self-assessment)

A risk identification and management tool for the bank’s business lines and support functions to identify risk clusters and control duplications or over-controls, and to set up prevention and control measures and corrective plans. RCSA is a proactive approach, unlike operational loss reporting, which is a reactive approach.

RCSA Objectives and flow: It IDENTIFIES operational risk, ASSESSES & QUANTIFIES the institution’s exposure to operational risk, EVALUATES the prevention & control system, and MITIGATES the risk.

The flow of RCSA is: Establishing relationships with risk owners → Qualitative risk assessment → Getting details on typical risk events → Event analysis, ratings, and events → Setting priorities → Design mechanisms to manage risk → Management awareness → Action approvals.

RCSA Methodology: There are 3 methods that a bank can use to do RCSA based on various firm-related factors. These methods are:

[Figure: RCSA Methodologies for Banks]

RCSA Result Reporting Tools

Unless RCSA results are relevant to management decision-making, the exercise is no more than an expensive awareness tool.

The RCSA risk management reporting strategy can be categorized into 3 parts:

[Figure: RCSA Reporting Strategy]

2. Indicators approach to monitoring operational risk

Banks can use the indicators approach to identify, assess, and mitigate operational risk. These indicators are dependent on the data sources which are being referred to. Hence, handling data becomes a major part of using this approach.

[Figure: Indicators used for operational risk management in banking]

A. KRI (Key Risk Indicators): KRIs measure the frequency, severity, and impact of operational risk or corporate actions that occur during the reporting period.

[Figure: Key Risk Indicators (KRIs)]

B. Key Performance Indicators: KPIs are the measures that evaluate the scale of banking activities.

[Figure: Key Performance Indicators (KPIs)]

C. Key Control Indicators: KCIs are the measures to monitor the effectiveness of established operational risk management procedures, collected from business units, Risk Management, Internal Audit reports, and regulators.

[Figure: Key Control Indicators (KCIs)]

3. Control objectives, procedures, and configurations

It is a framework that tracks any possible events from end to end for their effect on the bank. The stages are Pre-event, Monitoring, and Post-event. Each of these phases has specific actionables for the bank, as mentioned below.

[Figure: Control Methodology Focussed on Risk Events]

4. Scenario Analysis

Scenario analysis is done to proactively find operational risk scenarios and plan for their mitigation.

It includes the following process:

  1. Scenario Risk Drivers: Management and Expert groups identify the business area for which scenario analysis must be done along with risk types to be covered and data sources to be used.
  2. Assumption Formulation: Since scenario analysis is forward-looking, certain assumptions should be considered. These are related to the frequency, severity, loss amount, recovery, and return time related to risk via risk owners and data sources.
  3. Scenario Selection: Once the scenario brainstorming has been done, the validation team will pick the worst-case scenario and best-case scenario along with setting the baseline. This is further checked via an audit integrity check.
  4. Capital Planning: The Risk Management team plans for the AMA model and provisions for conducting the analysis.
  5. Follow-up: Once the analysis has been done, the control plan and mitigation plan are drafted and reviewed by expert groups.

Framework for Operational Risk Management in Banking

Each of the methodologies has its pros and cons and must be used based on the firm’s factors. However, one way of understanding them is to plot them on a loss-severity and frequency map as shown below:

[Figure: Framework for Using Methodology of Operational Risk Management in Banking]

This gives the bank an understanding for designing the scenario requirement and a tool to pick which methodology to work with.

For example: In the case of scenario analysis, the bank must work with a low-frequency, high-severity event.

For ensuring the integrity and consistency of estimates, a bank must look at the following factors:

  1. Clearly defined and repeatable process
  2. Good quality background preparations of participants
  3. Qualified and experienced facilitators
  4. Representatives of the business, subject matter experts, and risk managers
  5. A structured process for the selection of data for scenario parameters
  6. High-quality documentation of the scenario formulations and outputs
  7. Robust independent challenge process and oversight by risk management
  8. A process that is responsive to internal and external changes
  9. A mechanism for mitigating biases inherent in scenario processes

Operational Risk Framework Stages and Framework

To successfully implement a fully functional and effective operational risk management framework, a bank must adopt the following steps:

A. Starting Point: Banks identify the potential risks via internal audits and predominantly reactive measures while keeping safety-mindedness. Banks must be wary of error avoidance and risk aversion while identifying the risks.

B. Creating the basis: Banks should assemble their operational risk unit as mentioned in the lines of defense, opt for proactive control, and devise a framework and strategy for the identification, assessment, and mitigation of operational risks.

C. Implementation: Banks must conduct self-assessments, identify relevant databases, and start a collection of loss data.

D. Enhancements and ongoing adaptation: Focus on the key risk indicators, business process analysis, scenario analysis, operational risk analysis, and operational value at risk.

E. Integration: Bank-wide capital allocation for conducting the risk management process and a focus on enterprise risk management.

In conclusion, operational risk management is an essential aspect of risk management in banking. The identification, assessment, and mitigation of operational risks are critical to maintaining the financial stability of banks and protecting their reputation. The effective management of operational risks requires a comprehensive and integrated approach that involves all levels of the organization, from front-line staff to senior management. Banks must continuously monitor and evaluate their operational risks and implement measures to mitigate these risks to ensure that they are adequately prepared for any eventuality. As the banking industry continues to evolve, the management of operational risks will become increasingly important, and banks must remain vigilant and proactive in their risk management efforts.
