Operational risks by banks have never been recognised till BASEL II imposed on banks to look forward. Take a look at the broad canvas of Operational risks applicable for banks

1. 1
Operational Risk Management
The Raw Canvas
By Kalyan Debnath
For

2. What Is Wrongly Believed in Operational Risk
“What can be new about managing operational risk? It has
been managed ever since modern day banks were born.”
– CEO of a bank
“Operational risk never brought down a bank; it has always
been credit or market risks.”
– A Board Director in a Bank
•

3. What went wrong across the globe – The circle of
misfortune
3
Many of these have risk management tools in place & are wedded
to sophisticated technology – But ???
Source: ERisk.Com

4. Why did they occur?
4

5. The Paradox that all enterprise would face
“Controls deter growth”
OR
“Growth undermines control”
A great challenge to overcome
5

6. But most unfamiliar losses have occurred in the recent years due to this risk
– Baring collapse, Sumitomo losses, GTB debacle
– Credit Card losses, Arthur Andersen episode
– Payment frauds, money laundering
• What has changed in operational risk horizon?
– Exponential growth in transaction volumes; new and specialised
operational processes
– Constantly evolving and more dependence on technology
– Demanding customers and quick turnaround time
– eCommerce
– Competitive pressures on costs
– Complex financial products
– New practices – securitisation, outsourcing
These developments have forced Operational Risk recognised as a separate
risk discipline – to be measured and risk capital cover provided
6
What paved the way for Operational Risk recognition

7. Definition of Operational Risk
Basel Committee
• “The risk of loss resulting from inadequate or failed internal
Processes, People and Systems or external events”
(excluding strategic and reputational risk)
Organisation Specific
• Organisations can modify the above definition with deletions
or emphases that will reflect their individual circumstances (may
include strategic & reputational risk
“Operational risk is not simply about measurement, or providing for
capital charges,
It’s about the management of ‘PPT’ (Processes, People and Technology)

8. Operational risks culminate into operational loss :
Definitions
Indirect vs. Direct
• Direct Impact on the P&L accounts e.g. operational errors, cash loss
• Indirect Impact in the P&L accounts e.g. loss of client due to poor levels of
service, technology downtime
Expected vs. Unexpected
• Expected losses are typically covered in yearly provisions e.g. credit card fraud,
loan losses, NPA provisioning
• Unexpected losses e.g. financial penalty from the regulator - has to be covered
through economic capital
Budgeted vs. Non Budgeted
• Budgeted loss e.g. connected to non reconciliation of bank books, contingent
liability
• Non Budgeted e.g. attrition of key staff and knowledge
“Operational losses are essentially another indicator telling
us how the system of risk management is working or not
working”

9. Basel Proposals on Operational Risk – The Three Pillars
• Pillar 1: Minimum capital requirements (Measurement)
–Spectrum of options: Basic Indicator, Standardised and Internal
Measurement (AMA) approaches
–Higher the options higher will be the sophistication and risk modelling
• Pillar 2: Supervisory review (Qualitative assessment)
–Framework and methodology for estimating capital
–Management of risk: Senior management involvement, policies,
processes, internal controls, reporting, reviews and internal audit
• Pillar 3: Market discipline (Disclosure)
–To include disclosure on risk management policies and practices, risk
events and losses, estimated risk levels, economic capital allocation
–A Bank will be judged, over a period of time, by the quality of disclosures

10. How to go about it

11. Risk Identification, Assessment, Treatment and Mitigation
11
Risk Prioritization, treatment
& Mitigation
• Prioritize Risks based on Inherent
Risk assessment, Control
Effectiveness
• Prepare risk-control-classification
3D matrix
• Focus Management Attention on
the Significant / Systemic Risks
• Evolve risk treatment action
agenda.
• Create / Track Action Plans to
Address Risk Mgt Gaps
• Develop residual risk transition
map and integrate with risk
reporting process.
Key Risk Indicators &
Integration
• Based on Risk Drivers identify
Critical, Few, Multi-Dimensional
Key Risk Indicators
• Focus on Leading KRIs for
Indications of Rising Risk Levels
• Ensure Coordination Between the
Operational Risk Initiatives, and
Ongoing Business Processes.
• Set up process and automation to
track KRIs
Risk Identification
& Assessment
• Business Unit level process
mapping and process hierarchy.
• Risk driver Identification and
arriving at risk inventory
• Assessment of impact and
likelihood of risks
• Risk assessment and
classification
• Control effectiveness testing and
risk control map

12. Risk Monitoring and calibration
12
Monitoring of Key Risk
Indicators
• Gather and Track KRIs
• Establish Escalation Thresholds,
Static and Dynamic Thresholds
• Begin Trend Analysis to Identify
Rising Risk Levels Prior to Loss
Events Occurring
• Integrate KRIs into Risk
Management Processes to
Identify Trends, Evaluate Risk
Environment of Company
• Integrate with residual risk
transition framework
• Realign the risk reporting system
Loss Event Tracking
• Put up distinctive process to
differentiate loss with loss events
• Develop Op Risk Event capture
• Identify, Track, and Classify Direct
/ Indirect Loss Events among
several dimensions, including
Event Type, Risk Category, Root
Cause, Outcome / Loss Type, etc.
• Supplement Internal Losses with
External Loss Event Data to
Complete Distribution Tail
• Ensure full technology back up and
integration with the MIS
architecture
Calibration and measure
• Ensure Quality Control Over RCM,
KRIs, and Loss Events
• Integrate and Leverage Root
Cause Analysis into Process
• Develop Reporting to Ensure
Management has Ability to Monitor
Risk Environment
• Apply Statistical Methods to
Generate Distributions providing
for Data Limitations
• Set stage for AMA approach with
key inferences from the statistical
tools applied.
• Identify measurement roadmap

13. Risk Measurement (AMA)
•Left to the Banks. But must demonstrate that it captures potentially severe
tail loss events.
13
•While different methodologies will exist for risk quantification, data and
certain calculation elements will be common. Must have and maintain
rigorous procedure for model development and validation.
•Must be consistent with the loss event types defined under the accord.
•The model must provide for computation of EL & UL unless Banks can
establish that it has accounted for EL.
•All operational risks may not be measured – so the model parameters
should be as granular as possible.

14. Operational risk monitoring through key indicators
Key Performance Indicators
• KPIs are a measure that demonstrates a movement in the likelihood or
the impact of a risk – they can be seen as events that raise a warning
about a risk.
Key Control Indicators
• KCIs are a measure demonstrating a change in the effectiveness (e.g,
design and performance) of a control
Key Risk Indicators
• A combined measure of a KPI and KCI that are linked to the residual
impact of the risk with likelihood of the risk occurring.

15. Risk:
Loss of key personnel
Control:
Adequate remuneration & motivation packages,
performance incentive/ Bonus Pool
KPI:
Number of staff leaving without a planned
successor
KRI:
Number of staff leaving without a planned successor due to remuneration / bonuses not
being sufficient
Risk:
Clients default on loans
Control:
Daily monitoring, Audit procedures,
Collateral cover
KPI:
Number of loans executed for clients
who have defaulted in the past
KCI:
Number of clients identified with
insufficient collateral cover
KRI:
Number of loans executed for clients who have defaulted in the past who do not have
sufficient collateral cover
KCI:
Number of employees kept as a result of
remuneration change / bonus payment
Example KPI, KCI and KRIs

16. Operational risk measurement
Are the processes
cost efficient to
reduce day-to-day
operational losses
Design an appropriate risk
measurement methodology
• Create loss tracker database for identification of risk source at
points of incidence contributing to losses
• Corporate dashboard for high level risk monitoring
• Assess a feasibility of using scorecard model for risk measures
Tool
development
Technology & data –base
support
• Design database to track the losses & drawing correlations &
appropriate data-flow design for identified KRIs
• Data architecture at points of incidence, ensuring data integrity,
facilitating data simulation and analysis
• Scope of integration of models/ solutions with the I.T structure &
network system
Where to focus
R.M. resources
How effective are
internal controls
How integrated is
I.T. the system

17. Loss Event Database
Loss events are not the loss happenings. Just like an
archaeological process one has to dig out the historical
loss events.
The monitoring and the analysis of loss events will provide
the basis for independently validating the risk assessment
and indicator tracking process in addition to providing
foundation for quantification of risks.

18. How we do it?
Indirect and direct losses loss events should be identified, tracked and
classified by:
• Event type (in accordance to Basel definition)
Risk class/category and risk strategy
Root cause
Loss/Outcome
Process/Activity/ risk owner
Business or management Unit
Internal losses must be supplemented with external loss event data to
complete the tail of distribution

19. 19
Risk Rating Improvements post mitigation is the way
forward
Risk Transition
Risk Risk Description Inherent
risk rating
Inherent
Risk
Score
Treatment
option
Residual risk
rating
Residual
risk
score
1 Industry trend may influence the
fortune of the company resulting
into default
HIGH 3 MITIGATE COMFORT 1
2
Improper collection of market
information for structuring
instruments may result in the
wrong product design affective
business
HIGH 3 MITIGATE ALERT 2.5
3
Low importance in targeting
new clients leading to
stagnation of business growth.
HIGH 3 MITIGATE ALARM 4.5
4
Delay in decision making may
lead to unsatisfied clients and
loss of repeat / additional
business
HIGH 3 ACCEPT ALARM 3
5 Change of interest rate may
erode the value of the portfolio
HIGH 3 ACCEPT ALERT 2.25

20. The tangible benefit of ORM
Costs vs. Potential Improvements post mitigation
20
6,250
4,688
3,125
1,563
0
-1,563
Before control After control Value
1 2 3 4 5
Loss/ Revenue/ Value Derived (INR 000s)
Risk
3,4,5 Loss data
1,2 Revenue data

21. Can we derive commercial advantage from investment in
operational risk management?
Judge by yourself
• Reduces operational errors by ensuring right control and alerts =
Impairing the bottom line
• Winning new business through clear articulation of risk
management approach to investment consultants and trustees =
Pillar 3 matters a lot
• Reduces cost of control by appropriate resource allocation =
Scorecard approach and RCM paves the way
• Reduces capital charges = The boon

22. Less tangible but valuable benefits of a robust framework
• Enables the development of a consistent risk perspective,
language and culture across the organisation hierarchy
• Develops risk awareness and a focus on cost/benefit analysis
• Risk weighted decision system facilitated.
• Creates and enforces accountability
• Allows identification, measurement and validation of risk
appetite
• Control not for control sake - risk taking becomes more
ingrained in corporate decision system
• Provides a repository and knowledge transfer - source for
internal and external best practices

23. 23
Incentives To Be Proactive
 Less sophisticated approaches will result in increased
capital charges, leading to inefficient use of capital
and lower return on equity
 Preempt costly regulatory directives
 Avoid challenges to business expansion, mergers and
acquisitions
 Risk management practices adopted by leading
institutions may be considered “best practices” by
regulators
 Potential negative reputational impact leading to loss
of shareholder confidence (through disclosure)
 The market (peers, rating agencies, shareholders) will
“judge” an institution on the choice of approach
 Avoidance of sub-optimal practices which lead to loss
of competitive advantage

24. Contact
treatrisk@gmail.com
www.treatrisk.com
www.treatrisk.wix.com/info
Follow and like us at
Facebook: www.facebook.com/treatrisk
Twitter: www.twitter.com/treatyourrisk
Google+: www.google.com/+treatriskplus
LinkedIn: www.in.linkedin.com/in/treatrisk
Join our blog forum
www.treatrisk.blogspot.in