
Operational risk management

In the banking industry, op-risk is as old as banking itself. The banking landscape has undergone a sea change and is becoming more complex in terms of volume of business, product innovation, financial engineering, new market practices, rapid technology innovation, deregulation, consolidation of banks and increasing competition among banks. This has increased the probability of failures or mistakes from the operations point of view, and with it the focus on managing op-risk. The new BIS guideline, generally known as the Basel II Accord, recognizes this and places increased emphasis on op-risk management.

The Basel committee defines op-risk as the risk "of loss resulting from inadequate or failed internal processes, people and systems or from external events". This definition includes legal risk, but excludes strategic and reputation risk.

As banks move towards implementing Basel II norms, they need to evolve an internal framework for effective management of op-risk. Depending on the size, complexity and organizational structure of the bank, a five-step approach can be used for building a robust op-risk framework:

1. Identification of operational risk through event framework
2. Analysing the causes of events
3. Risk mapping
4. Risk measurement and control
5. Management of operational risk and, thereby, capital management

To start with, banks, as part of identification, should classify and capture all operational losses in the form of "events". Events are nothing but "occurrences" or "happenings". Banks should start accumulating data on events that have occurred in the past and also identify potential events. All events should be defined with attributes such as frequency of event, severity, loss amount, reason for loss, date of discovery of loss and date of occurrence.
Banks can adopt the seven types of events suggested by the Risk Management Group (RMG) of the Basel committee for one of their quantitative studies (QIS-2): internal fraud, external fraud, employment practices and work safety, client products and business services, damages to physical assets, business disruption and system failures, and execution delivery.

The second step involves doing a causal analysis to understand the exact cause of the above events and to estimate the actual loss as well as the potential loss in case the events are repeated. This analysis of the causes of events helps the bank understand its level of exposure and the op-risk management strategy it needs to adopt.

Once banks have developed an event database and done the causal analysis, they can start risk mapping. Risk mapping is a tool with which banks can map the above risk events and losses to any specified set of business lines. Basel has come out with a set of eight business lines (corporate finance, trading and sales, retail banking, commercial banking, payment and settlement, agency and custody services, asset management and retail brokerage) to which the events collected by the bank can be mapped.

Op-risk measurement is still evolving in terms of the tools and techniques that can be used for effective measurement and management. Banks can follow either or both of qualitative risk measurement or quantitative risk measurement:

The generic ways of measuring op-risk include qualitative risk measurement techniques such as the critical assessment method, which uses a questionnaire format and interviews with all line managers to identify the op-risk events.

Another widely used approach, which combines qualitative and quantitative approaches, is the Key Risk Indicators (KRI) approach. It involves identifying indicators that convey a good idea of the scope of business and thereby the risk involved. For instance, portfolio size, volume of transactions traded, volume of deals routed through payment and settlement systems, etc., form one set of predictive indicators. KRI is more a predictive model than a cause-and-event approach.

A common quantitative approach is the Loss Distribution Approach (LDA), which involves arriving at a right-fit distribution of historical loss events and, thereby, at quantitative results like expected loss and finally operational value at risk. Another forward-looking scenario generation approach for op-risk measurement is Loss Scenario Modeling, which involves generating simulations for loss scenarios based on the events and losses captured in the first step.

Basel II norms suggest three approaches for measurement of op-risk. The simplest approach, best suited for less sophisticated and small balance-sheet banks, is the Basic Indicator Approach (BIA). BIA requires banks to allocate capital based on a single indicator of operational risk, which in this case is the average gross income of the past three years multiplied by a factor called alpha, which is set at 15 per cent.

The second approach is the Standardized Approach (SA), which involves mapping the bank's business lines to the set of eight business lines and using a multiplier (beta) of average gross income to compute the capital charge.
Also, there is the Alternative Standardized Approach (ASA), which uses loans and advances, instead of gross income, for the retail banking and commercial banking business lines, multiplied by a fixed factor, to arrive at the capital charge to be set aside.

The most sophisticated approach suggested is the Advanced Measurement Approach (AMA). Under the AMA, the regulatory capital requirement will equal the risk measures generated by the bank's internal operational risk measurement system using quantitative and qualitative criteria for the AMA. Internal data used must be based on a minimum historical observation period of five years. However, when a bank first moves to AMA, a three-year period is acceptable. Banks need to employ quantitative approaches like the Internal Measurement Approach (IMA), the Loss Distribution Approach (LDA) or the Balance Scorecard Approach (BSA) for adopting AMA. All AMA approaches compute the expected and unexpected loss.

The most significant aspect for a bank graduating from the Basic Indicator Approach (BIA) to the Advanced Measurement Approach (AMA) is the potential benefit of less capital allocation for operational risk.

As op-risk involves failures during operations in daily business, the key steps in op-risk management involve improving the internal control environment, designing and developing procedures for implementing the risk management processes, and employing risk transfer techniques, such as insurance, to mitigate the loss arising from operational risk.

Credit rating agencies have started rating banks based on their risk control and management frameworks. Investor awareness has also increased to the extent that banks with robust risk management frameworks are able to attract strategic investments with less effort. Given the known benefits of implementing the provisions of the Basel II accord, banks should prioritise their strategy towards op-risk management.
A constructive approach in this direction could be to automate the suggested five-step approach and, as a first step, to start developing a loss event database.
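
The Loss Distribution Approach described above, worked through as an added example (not part of the original article): a small loss event history is fitted and simulated to obtain expected loss, operational value at risk and unexpected loss. The event data is constructed, and the Poisson frequency, lognormal severity and 99.9% quantile are assumptions of this example; the article does not name a distribution or confidence level.

```python
import math
import random
import statistics

# Constructed loss-event history (year of occurrence, loss amount); not real bank data.
HISTORY = [
    (2019, 12_000), (2019, 48_000), (2019, 7_500),
    (2020, 150_000), (2020, 22_000),
    (2021, 9_000), (2021, 31_000), (2021, 64_000), (2021, 18_000),
    (2022, 410_000), (2022, 26_000), (2022, 14_500),
]

def fit(history):
    """Fit Poisson frequency (events/year) and lognormal severity (mu, sigma)."""
    years = {year for year, _ in history}
    lam = len(history) / len(years)
    logs = [math.log(amount) for _, amount in history]
    return lam, statistics.mean(logs), statistics.stdev(logs)

def poisson(rng, lam):
    """Draw an event count with Knuth's method (fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(lam, mu, sigma, n_years=20_000, q=0.999, seed=7):
    """Monte Carlo of annual aggregate loss; returns (EL, OpVaR at q, UL)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
        for _ in range(n_years)
    )
    expected = statistics.fmean(totals)
    # Empirical q-quantile of the simulated annual losses.
    var_q = totals[min(n_years - 1, math.ceil(q * n_years) - 1)]
    return expected, var_q, var_q - expected

if __name__ == "__main__":
    lam, mu, sigma = fit(HISTORY)
    el, op_var, ul = simulate(lam, mu, sigma)
    print(f"lambda={lam:.2f} mu={mu:.2f} sigma={sigma:.2f}")
    print(f"expected loss={el:,.0f}  99.9% OpVaR={op_var:,.0f}  unexpected={ul:,.0f}")
```

With only twelve events the fitted tail is very uncertain, which is why the AMA's minimum observation period matters for the resulting capital figure.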

Information Control Models

These regulations, definitions and attitudes published by the Bank for International Settlement (BIS), the Banking Regulation and Supervision Agency (BRSA), and other stakeholders lead us to ask whether current ICMs are applicable for controlling the operational risks defined in Basel II.

Organizations are increasingly exposed to various operational risks related to the use of IT, since IT is now intrinsic to and pervasive within enterprises (ISACA, 2006), e.g. virus attacks, unauthorized access to data, breakdown of infrastructure, system and infrastructure contingency, and performance problems. In order to prevent such risks efficiently, banks are forced to identify, analyze and evaluate potential IT-related operational risks. They should implement appropriate IT Governance (Jochum, 2006) in order to provide a controlled IT framework to the business processes, since IT Governance enables an organization to attain three vital objectives: regulatory and legal compliance, operational excellence, and risk optimization.

Organizations can ease their venture into IT Governance, which ensures that the enterprise's IT sustains and extends the organization's strategies and objectives (ITGI, 2005), by leveraging various industry standard frameworks. Champbell (2003) categorizes over fifty ICMs under the following subcategories: control objectives communities, principles communities, capability maturity communities, checklists, risk management frameworks, and taxonomies. Most frameworks provide requisite support materials in the form of roadmaps, guides, templates, libraries, and samples. While these are not turn-key methodologies that will embed IT Governance into the organization, the frameworks provide a foundation for creating a governance structure. Therefore, organizations are arguing for harmonizing and integrating the leading frameworks to achieve greater compatibility.
The ICMs covered in this study, their sponsoring organizations, and the numbers of control objectives in each ICM are listed in the table below.

An Aggregated Information Technology Checklist for Operational Risk Management
