What is Risk Management?
What are the types of Risk?
What is Operational Risk?
Why Operational Risk Mgt ?
How to identify & monitor Operational Risk?
How to measure Operational Risk?
How to mitigate and control Operational Risk?
Risk – probability of a loss or of a danger. The concept of risk
combines the probability of an event occurring with the impact that
event may have & its various circumstances of happening.
Risk Management (RM) is the identification, assessment, and
prioritization of risks followed by coordinated and economical
application of resources to minimize, monitor, and control the
probability and/or impact of unfortunate events or to maximize the
realization of opportunities.
RM is thus a tool to create business value through an integrated
process of identification, estimation, assessment, and controlling
Defined as the complete set of policies and procedures which
organizations have in place to manage monitor and control their
exposure to risk
Its main objectives are to protect the institution from
unacceptable losses, to make optimal use of capital
It has assumed lot of importance in present scenario when
there is heightened awareness of risk.
More than a regulatory reporting exercise.
Should not be viewed as a defensive activity.
Requires Senior Management’s involvement.
The first Basel Accord, known as Basel I, was issued
in 1988 and focuses on the capital adequacy of
Originally developed to cover credit risk capital
Assets sorted into four categories based on risk
8% capital requirement.
Amended in 1996 to include market risk capital
Basel II - Introduced in 2004, as
Basel I - the existing framework introduced in 1988 -
• Basel I felt to be inadequate for evaluating the
felt to be inadequate for evaluating the risks in the evolving financial system
risks which was in becoming the evolving more complex, financial innovative and system diversified.
becoming Hence Basel II was developed more as the complex, answer to this requirement.
• Hence Basel II was developed as the answer to
Basel II addressed not only credit & market risk
capital but also operational risk capital.
Basel II – the Three Pillars
PILLAR 1 PILLAR 2 PILLAR 2
Just think of the following scenarios –
What if your signature was forged on your stolen cheque and amount was
fraudulently withdrawn from your account,
Suddenly the bank’s branches close for a few days on account of floods,
The system server is down during the peak working hours,
Your fund transfer was successfully done but transferred to the wrong
Busy operations in dealing rooms of major banks come to a halt?
Global OR Events (External)
Catastrophic losses on account of OR Events (External):
i)9/11 - Terrorist attack on WTC
ii)26/07 – Mumbai Floods
iii)26/11 – Mumbai Terror Attacks
iv)11/03 – Japan – Earthquake, Tsunami
(2011) and Nuclear Crisis
Global OR Events (Financial losses)
Financial Losses due to OR Events :
ii)1999 – Ketan Parekh Scam –Illegal borrowings from GTB &
others by pledging shares as collaterals (GTB collapse)
iii)2008 – Societe Generale – 2nd largest Bank in France
lost € 4.9 bn by the fraudulent future trader
iv)2009 – Satyam Scam – Fudging of accounts by its
founder – Biggest Corp Fraud of Rs.8000 crores
v)2010 – Citibank Fraud –Mutli-crore (Rs.400 cr) fraud by RM
– luring HNIs to invest in bogus Invst schemes –36%
vi) 2013 - Cybercrime syndicate committed fraud through compromised POS
terminal across Europe. 36000card holders in 16 countries affected
vii) 2013- USD 45 million prepaid card fraud. (2 Middle East banks affected)
viii) 2014 – INR 250 crores scam in public sector Bank in India wherein the branch manager
and a private person allegedly took loan using forged documents on behalf of seven private
companies which had deposits in the bank.
Barrings Bank – The incident involved loss of roughly $1.25 bn
due to unauthorized trading activities during 1993 to 1995 of a
single, relatively junior trader named Nick Leeson.
Leeson, who was supposed to be running a low-risk limited return
arbitrage business for Barrings in Singapore, was actually taking
increasingly large speculative positions in Japanese stocks &
interest rate futures and options. He was taking positions on
behalf of fictitious customers, booking losses to non-existent
Losses happened because of movement of market variables not
in favour of Leeson’s positions. – Market risk vs Ops risk?
Ops risk losses often contingent on
This particular case is classified under Operational Risk
because it involved –
Fraud - Unauthorized trading (Internal fraud), forging
signature, non disclosure, criminal breach of trust etc.
The Failure of Internal Controls
• No clearly laid down reporting lines
• Several managers responsible for monitoring Leeson’s
performance did not do their job (Not questioning the
unexpected sources of profit )
• No segregation of front and back office activities
• No comprehensive review of Leeson’s funding requirements
How Operational Risks is defined?
Basel II has defined Operational Risk as - “ the risk of
loss resulting from inadequate or failed
- internal processes,
- people and
- systems or
- from external events”.
Basel II has clarified that OR includes legal risk but
specifically excludes strategic & reputational risks.
ORM – Why?
It has been believed that banks are exposed to two main risks - Credit risk
and Market risk
Serious changes in the global financial markets in the last 20 years have
caused noticeable shifts in banks’ risk profile – globalization and
deregulation, technological innovation and advances in the information
network, and an increase in the scope of financial services and products –
OR occur in the banking industry every day. Most of the losses are small in
magnitude (frequent/predictable/ preventable) and some are severe in
magnitude of loss.
Loss due to OR events are far reaching and catastrophic
OR - Significant in Recent Years
Economy is fragile
Loss due to OR events are far reaching and catastrophic
Historic OR events exhibit that they are totally distinct from one
another – either globally or in our Bank
History proves whoever puts in place BCP/Risk Mitigants manage
OR events better than others
Banks need to move towards advanced approaches for calculation
of OR capital
Advanced approaches involve statistical method of calculation of
The term Operational Risk Management (ORM) is
defined as a continual cyclic process which includes
risk assessment, risk decision making, and
implementation of risk controls, which results in
acceptance, mitigation, or avoidance of risk.
Loss Data Collection Exercise and Analysis
Conduct of RCSA (Risk and Control Self-Assessment)
Tracking of KRIs (Key Risk Indicators) at Branch level
and Bank level.
What is loss data?
Collection of loss data
Historical loss experience provides meaningful information
for assessing bank’s exposure to OR
The Bank undertakes the Loss Data Collection exercise on
a half yearly basis and has loss event data base since 1st
Analysis of Loss data is undertaken by RMD on a half-yearly
basis and the findings along with mitigation measures are
submitted to CORM/R.Com
LDRT (Loss Data Reporting Template) introduced since
01.01.2012 for Reporting/Accounting of OR Loss incidents
Tracking OR loss incidents on real-time basis through SAS
OR Monitor (EGRC)
Mapping Of Loss Data As Per Basel Business Lines
Loss event type
EL1 EL2 EL3 EL4 EL5 EL6 EL7
BUSINESS LINES Internal
s & Buz
due to natural
Corp Fin BL1
T & S BL2
Retail Bkg BL3
Comm. Bkg BL4
P & S BL5
Agency Serv BL6
Asset Mgt BL7
Retail Brkge BL8
Measuring OR - Findings
Natural Disasters (such as Fire,
Terrorist attack etc.
Minor accounting errors, leakage
of income, routine mistakes
(available from internal audit)
Low Frequency High Frequency
Risk and Control Self Assessment (RCSA)
RCSA is a risk management program where risks and controls are
examined and assessed to provide reasonable assurance to management
that business objectives will be met.
1. self assessment exercise - list out all activities that are susceptible to
OR - List out the main business lines, products/processes in each of
these business lines, then list out the risks associated with each of
these products/processes (combination of experience, judgement,
intuition and past losses)
2. Evaluate: Risk (in terms of frequency and severity) and arrive at
3. Evaluate: Controls (in terms of Control Design Effectiveness & Control
Operating Effectiveness) and arrive at Residual Risk.
Key Risk Indicators (KRIs)
RCSA exercise helps in identification and design of appropriate Key Risk
(KRIs) are early warning signals, which enable management to monitor
and mitigate operational risks that are reaching beyond acceptable levels.
Example of KRIs would be –For branches; number of days, day end cash
did not tally, number of days cash retention limit was breached, number of
days ATM cash tally did not happen.
They also provide a backward looking view on risk events, so lesson
can be learned by the past.
They are one of the Basel recommendations for Sound Operational
Tracking of KRIs - How it is done ?
Bank level KRIs : Presently 15 KRIs covering Treasury, IT and
HR tracked quarterly by the respective departments.
Branch level KRIs : Presently 25 KRIs covering domestic
branches tracked quarterly by Concurrent Auditors and ZO Risk
Management Cell Officials. 20 KRIs covering foreign branches.
The Branch level KRIs helps in identifying High/ Medium/Low
Risk Rating branches.
The KRIs are tracked and reported to Operational Risk
Management Cell in RMD who in turn analyze the results and
report to the Senior Management.
Zones are also advised to conduct workshops to sensitize high
risk branches in order to strengthen internal control measures
in these branches.
Measuring Operational Risk
Operational Risk is comparatively difficult to
However, as Operational Risk impact is positively
correlated with income size and dispersion of
business units – capital charge for OR is
calculated as %age of Gross Income
Calculation of Capital Charge on OR
Basel Committee on Banking Supervision [BCBS]
has put forward three methods for calculating
operational risk capital charge:
Three approaches –
Basic Indicator Approach (BIA)
The Standardised Approach (TSA)
Advanced Measurement Approaches (AMA)
Three Approaches for ORCC
Gross income per
regulatory line as
business line 12, 15
or 18% of the
indicator as capital
charge equals sum
of charge per
measures based on
Internal loss data,
External loss data,
and BECIFs .
risk mitigation -
insurance – upto
Usage of GI as proxy indicators
BIA and TSA – simpler approaches - but charge more
Risk indicator based on income level (Gross Income)
and not on risk exposures.
BIA- one size fits all, doesn’t consider risks separately
for different activities.
TSA: Ambiguity in BL descriptions – activity allocations
to Business Lines (BL) with lower Beta.
Negative Gross Income allowed to be off set against
Inputs for AMA
Under AMA, banks are required to incorporate four key data
inputs/elements in capital modeling:
1) Internal loss data
2) External loss data
3) Scenario analysis data
4) Business environment and internal control factors
(BE factors: Employee attrition, Growth factor, Product complexity.
IC factors: RCSA scores, Key risk indicators, Internal audit ratings and
Operational risk appetite.
Estimated capital is scaled up/ down based on BE factors & IC factors).
Modeling Approach in AMA
Being an evolving area, regulators have given
flexibility of selecting modeling methodology to the
Some of the Approaches used:
Loss Distribution Approach (LDA)
Scenario Based Approach (SBA)
OpVaR model (illustrative)
Source data Modeling Simulations Aggregation
External loss data
& Impact –
(business line wise)
OR Capital Adequacy-Economic Capital
Eg: If the bank has a Maximum loss (Op Var) of 100 & Expected loss (mean) of 20,
then , Economic Capital = 100 – 20 = 80
AMA: Key challenges
Non-availability of historical data in majority of cells and
dependence on scenarios in the absence of India specific external
Incorporation of correlation among scenarios.
Incorporation and identification of BEICF elements in the capital
Back-testing of OpVaR computation.
Mitigating Operational Risk
Damages due to natural disasters, fire, etc – INSURANCE
Losses from Disruptions – electricity / telecommunication –
Losses due to internal reasons - STRONG INTERNAL
OR Events leading to severe business disruption –
Business Continuity Plans (BCPs)
[Mitigants put in place to be reviewed periodically to ensure
contingency strategies remain consistent with current
operations, risk & threats, resiliency requirement and to
facilitate BC with minimum loss of time.]
OR - Organizational setup [ORMF]
Board of Directors
Risk Management Committee of the Board (R.Com)
Committee for Operational Risk Management (CORM)
Operational Risk Management Department (ORMD)
Business Operational Risk Managers (BORM)
Support Group - Operational Risk Management
RMD set-up at ZOs/LCBs/DOs/Foreign Centres
Business Line OR Management (Branch Level)
BOI Progress in ORM I – Comprehensive ORM
The Operational Risk Management policy has been framed
considering various regulatory guidelines issued from time to
time. This policy document describes the approach to
Operational Risk Management within the Bank as part of
Enterprise-wide Risk Management and also to comply with
the regulatory guidelines.
ORM Policy covers-
Scope & Applicability
Operational Risk Management Framework – Governance
structure, three lines of defence, roles and responsibilities
Operational Risk Management Process
Sound Industry Practice
BOI Progress in ORM II – Business Line Mapping
Mapping of products to business lines through
Bank`s total products(aggregating more than 100
in Deposits, Advances, Remittances &
Miscellaneous Services have been mapped to
Business Lines as per Basel II norms
Mapping of income & expenses for capital
charge computation under TSA – automated
BOI Progress in ORM III - RCSA
Risk & Control Self Assessment (RCSA)
11 Risk Registers covering all the products and
processes in all the Business Units and Support
functions have been prepared to aid in Risk and
Control Self Assessment (RCSA) exercise.
RCSA exercise done online using SAS system.
Sample Retail Banking Assets Risk register
BOI Progress in ORM IV - KRIs
Key Risk Indicators (KRIs)
Key Risk Indicators (KRIs) are revised based on the RCSA results
and in all there are 60 KRIs (15 Bank level, 25 Domestic branch
level and 20 Foreign branch level).
Revised KRIs are tracked and analyzed and reported to Senior
Management on a quarterly basis.
BOI Progress in ORM V – Loss data collection
Loss Data Collection
Loss data reported using “Loss Data Reporting Template
Reporting process will be automated with help of SAS
from January 2014.
Loss accounted using Finacle P&L Heads: PLOE061
(frauds) & PLIP034 (non-frauds)
Loss data collection since 2008. We have six years loss
BOI Progress in ORM VI – Analysis of high value loss events
Analysis of high value loss events
Fraud analysis is undertaken on a periodical basis
by Fraud Risk Management Department.
Operational Risk Management Cell analyses loss
events above Rs.50 lakhs in terms of failure of
controls, systems, process and people and
suggests mitigation measures to control/prevent
such loss events. This analysis is then reported to
the Senior Management .
BOI Progress in ORM VII – BCP & DRM
Business Continuity Plan
Disaster Recovery management
Bank's Data Center is located at CBD Belapur and DR
site in Bangalore which are in different seismic zones.
Data at both the sites is always in mirrored status which
ensures uninterrupted services to customers.
Bank has Global Processing Center at Singapore for all
overseas centers which ensures centralized monitoring
BOI Progress in ORM VIII - Audit
Risked Based Internal Audit
Bank has migrated to Risked Based Internal Audit
from 01/04/2007 and the assessment is being
done based on exposure of the branches to
various types of risks like Operational Risks,
Credit Risks, Compliance Risks, Earning Risks.
Technology Risks etc. Suitable mitigating
measures are initiated immediately on the receipt
of requisite report.
BOI Progress in ORM IX – IT Risks
IT Risks & Cyber Crime prevention
Bank has put in place comprehensive
Information System Security Policy.
Bank has appointed Chief Information System
Security Officer dealing exclusively with the
system security and risks related to IT and cyber
Bank has introduced Information Security Portal
on Bank's website which alerts all concerned
about the IT Risk threats on an ongoing basis.
BOI Progress in ORM X
New Product Group
Any new product/process is first passed through a
Sub-Group called “Product Group” before
submission to Committee on Operational Risk
Management (CORM) for clearance and to
ED/CMD/Board for approval.
Risk Assessment Questionnaire for New Product/Process
BOI Progress in ORM XI
KYC & AML Policies
Bank has put in place elaborate KYC &
KYC is being done for deposit & credit
customers as well as those effecting
remittances from the Bank
The Bank has also purchased AML
BOI Progress in ORM XII
Employee Fraud Prevention
Maker Checker concepts & Dual Control
Adequate Remuneration & compensation to
staff commensurate with performance
Various Staff incentive schemes
Appropriate Training & Guidelines
Documented Service conditions & Service
BOI Progress in ORM XIII
Unauthorized Activity Control
Laid down procedures & guidelines
Delegated Powers for credit & Non credit
System of Noting & Reporting of
sanctions to next higher authority
BOI Progress in ORM XIV
Employee Practice & Work Place Safety
Documented HR Policy for appointment,
transfer, promotion, placement and
Adherence to all local labour & industrial
Proper Succession Planning
Redressal of staff grievances through
Direct communications to staff by Top
BOI Progress in ORM XV
Outsourcing Risk Management
Laid down procedures for selection of
panel of vendors
Fool Proof agreement documents
Periodic Review of outsourcing
BOI Progress in ORM XVI
Effective security measures put in place
to safeguard banking assets
Security Guards, CCTVs, Burglar
Alarms, Smoke Detectors, Fire Proof
vaults and cabinets for documents
storage, insurance etc.
BOI Progress in ORM XVII
Ops Risks embedded in other risks :-
Cash Management – Cash retention limit, Cash van
management including transit insurance, Counterfeit
Credit Mgt-Timely review & inspections, Vetting of
documents by advocates, Up to date maintenance of
Treasury Mgt – Front & Back office control, Exposure
limits, Stop Loss limits
Investment Mgt – ALCO committee for fresh
investments/review of existing investments.
Marketing –Deployment of trained staff with full
Operational Risk if the most important of all risks as it involves
managing the unknown! Most difficult to quantify & manage!
ORM framework must be closely integrated into the day-to-day
risk management processes of the bank.
Use ORM tools (loss data, RCSA, KRI) to gather information
and perform analysis to report findings to Senior Management
for business decision making.
ORM to identify those risks which needs to be taken and those
which needs to be insured.
Spreading Risk culture in the Organization is important for
successful implementation of Operational Risk Management
Framework in the Organization.
My Contact Number :-
Direct :BOI -HO RMD 022 66684974
E mail : firstname.lastname@example.org
Hinweis der Redaktion
Pillar I : Established different approaches for capital charge computation: Cr risk : Standardised, FIRB & AIRB; Ops Risk:BIA,TSA & AMA; Mkt risk: Standardised approach & IMA