
Operational Risk: An Overview

Dr. Richa Verma Bajaj

Risk, Return and Capital
• Risk is related to the amount of capital that the firm requires to achieve a sufficient
level of protection against adverse circumstances.

• Risk is used to adjust the returns from business activities to determine whether those
activities are adding value to the business.

• Basel Committee view,
“It is clear that operational risk differs from other banking risks in that it is
typically not directly taken in return for an expected reward but exists in the
natural course of corporate activity and that this affects the risk management
process”.

| | Market Risk | Credit Risk | Operational Risk |
|---|---|---|---|
| Level of Observation | Trading Desk - Treasury and Market Risk Department | Loan Portfolio - Credit | Throughout the Bank - Business Lines |
| Risk Categories | Interest/FX | Segments | Loss Event Categories |
| Portfolio Elements | Securities | Loans | Processes |
| Mitigation | Derivatives as hedging mechanism | Credit risk mitigants | Insurance as risk mitigant |
| Quantifiable exposure | Yes | Yes | Difficult |

Operational Risk Measurement and Management: BLET Matrix
Operational Risk Management Framework

• Operational Risk Identification through Risk Mapping
- Where (Business Lines)
- Why (Event Types)

• Inputs for Operational Event/loss data collection
- Internal Loss Data
- External Loss Data
- Scenario Analysis
- Business Environment and Internal Control Factors (BEICFs): Self Assessment and Key Risk Indicators (KRIs)

• Measurement of Operational losses
- Estimation of Expected and Unexpected Losses

• Risk Adjusted Performance Measurement (RAPM)
- Focus on risk adjusted return on capital (RAROC)
Basel and RBI Consultation Process

Basel Committee
• New Basel Capital Framework (1999)
• Basel II Accord (2006)
• Standardized Approach of Operational Risk (Basel III) (2017)

Reserve Bank of India (RBI)
• Guidance note on Management of Operational Risk (2005)
• Guidelines on The Standardised Approach (TSA)/Alternative Standardised Approach (ASA) (2010)
• Guidelines on Advanced Measurement Approach (AMA) (2011)
McKinsey, June 2012
Why Financial Institutions should worry about managing their operational risk?

• Direct Financial Impact
• Impact on Market Capitalization
• Regulatory Sanctions
Definition of Operational Risk (Basel II)
Operational risk is defined as “the risk of loss resulting from inadequate or failed internal
process, people and systems or from external events.” (BCBS, 644)

Why a loss happened?

Causes & Consequences: We tend to only focus on the loss Events without giving
serious thought to their cause AND their consequences.

Cause (Why did event happen?)
- People
- Process
- System
- External Events

Events (What Happened?)
- Internal Fraud (IF)
- External Fraud (EF)
- Employment Practices and Workplace Safety (EPWS)
- Clients, Products & Business Practices (CPBP)
- Damage to Physical Assets (DPA)
- Business Disruption and System Failures (BDSF)
- Execution, Delivery & Process Management (EDPM)

Effects (What are the consequences?)

Loss Event Type Category (Annex-9)
| Event Type Category | Definition |
|---|---|
| Internal Fraud | Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity / discrimination events, which involves at least one internal party. |
| External Fraud | Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party. |
| Employment Practices and Workplace Safety | Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events. |
| Clients, Products & Business Practices | Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product. |
| Damage to Physical Assets | Losses arising from loss or damage to physical assets from natural disasters or other events |
| Business Disruption and system failures | Losses arising from disruption of business or system failures |
| Execution, delivery & Process Management | Losses from failed transactions processing or process management, from relations with trade counterparties and vendors |

Examples: Event Classification

Whether a loss event is an operational loss event is determined by the causes rather than
the consequences of the event.

Absa Group Limited (Absa): hackers stole R530 000 by hacking 10 Absa clients' bank
accounts

The bank provides an internet banking service, and many of the bank's clients use it.
Two months back, hackers sent emails to many of the bank's clients which contained a type
of computer virus called a Trojan horse, which downloads automatically as soon as the email
is opened. This gave away security codes such as passwords, account numbers and PINs to the
attackers, who then managed to steal money from the customers' bank accounts.

Loss Event Type Category (Annex-9)
| Event Type Category (Level 1) | Categories (Level 2) | Activity Example (Level 3) |
|---|---|---|
| Internal Fraud | Unauthorized Activity, Theft and Fraud | Transaction not reported, Fraud, Bribe |
| External Fraud | Theft and Fraud, System Security | Theft/robbery, Hacking damage, theft of information |
| Employment Practices and Workplace Safety | Employee Relation, safe environment | Compensation, termination issue, workers compensation |
| Clients, Products & Business Practices | Suitability, Disclosure & Fiduciary, Improper Market Practices | Breach of privacy, failure to investigate client per guidelines, exceeding client exposure limits |
| Damage to Physical Assets | Disaster & other Events | Natural disaster losses, terrorism |
| Business Disruption and system failures | Systems | Hardware, software |
| Execution, delivery & Process Management | Transaction Capture, Execution, Customer Documentation, Vendor & Suppliers | Data entry error, Failed mandatory reporting obligation, legal documents missing |

Data Puddle: An Issue
• Data ‘puddles’ occur when the loss event being analysed can be correctly classified into
more than one risk category. Example:

- The Officer breached the control limits related to portfolio, sector or borrower unit. (Internal Fraud/
CPBP)

Taxonomy: From Definition to Causes

[Figure: Loss Data Collection Exercise, 2008. Frequency (%) and Severity (%) of losses by cause: People, Process, System, External Events.]
Taxonomy: To Loss Event Type Category

[Figure: Loss Data Collection Exercise, 2008. Frequency (%) and Severity (%) of losses by loss event type: IF, EF, EPWS, CPBP, DPA, BDSF, EDPM.]
• The data breach of 2017 was the cyber attack on credit reporting
agency Equifax, which compromised personal information including
names, social security numbers, driving license numbers, credit card
numbers and personal documents, relating to an estimated 145
million individuals.
• SAS Software (From March 2011-13)
• Clients, products and business practices events lead to the highest losses
(amount)

Taxonomy: To effect types
• P&L Effect (in case of operational risk loss events).
• Reputation Damage
• Near Misses

• The teller paid a cheque of Rs. 1,00,000 with a single signature in the account. In fact,
the operating instructions were joint. Later on, the branch official approached the
customer and requested the second signatory to sign the cheque, and the issue was
solved.

• In a branch, the branch manager allowed an unauthorized temporary overdraft of Rs. 1
lakh in an account. Unfortunately, the amount was not recovered and the account turned
NPA.

• A branch had given an advance of Rs. 50,000 for cultivation purposes and the borrower
returned the amount as per the agreed terms. Again a loan of Rs 50,000 was given against
collateral (land). Later the customer's brother visited the branch and informed the
officials that the collateral is joint property, and gave a letter to the branch stating
that he will not pay any liability.

A bank's spokesman said that programming errors caused the bank
accounts of 823 customers to be credited with $924,844,208.32 each.
The error was corrected and all funds were recovered, but this is
considered to be the largest such error in banking history.

Profile of Losses on the basis of Basel Assets Class
• Under Basel II, risk weights vary depending upon the Asset Class. The broad classification
is 'Wholesale Banking' and 'Retail Banking'. RBI guidelines suggest that the
mapping of activities into business lines for operational risk capital purposes must be
consistent with the definitions of business lines used for regulatory capital calculations
in other risk categories, i.e. credit and market risk.

[Figure: Loss Data Collection Exercise, 2008. Frequency (%) and Severity (%) of losses by business line: Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services, Asset Management, Retail Brokerage, Unallocated.]

• As per Basel II, how many types of business lines are identified in
the BLET matrix?
- A: Seven
- B: Eight
- C: Six
- D: Four

• Recognition of insurance mitigation as a percentage of the operational risk
capital charge under the advanced approach, i.e. AMA, is limited to:
- A: 10 percent
- B: 15 percent
- C: 20 percent
- D: 12 percent

• An amount was withdrawn from a customer account through a lost ATM card.
The loss had reportedly been reported to the ATM cell for hot listing, but this was not
done. This incident will be classified as:
- A: EDPM
- B: EF
- C: CPBP
- D: IF

• Which among the following topped the list of causes of operational
risk to banks in the world, as per a survey of risk professionals in 2019:
- A: People
- B: Process
- C: External Events
- D: System

Operational risk includes legal risk, but excludes strategic and reputation risk.

Legal risk includes, but is not limited to, the risk of loss resulting from failure to comply
with laws, prudent ethical standards and contractual obligations. It also includes the
exposure to litigation from all aspects of an institution's activities.

Strategic risk is the current and prospective impact on earnings or capital arising from
adverse business decisions, improper implementation of decisions, or lack of
responsiveness to industry changes.

“Reputational risk is the potential that negative publicity regarding an institution’s
business practices, whether true or not, will cause a decline in the customer base, costly
litigation, or revenue reductions”. Board of Governors of the Federal Reserve System (2004)

• One bank official is held for fraud every four hours in a public sector bank (PSB),
an analysis of data compiled by The Times of India, based on a Reserve Bank of
India (RBI) report, revealed.
• The Financial Stability Report called frauds in banks and financial institutions
“one of the emerging risks to the financial sector.”

• “In a number of large value frauds, serious gaps in credit underwriting
standards were evident,” the RBI said, adding that some of the gaps include
lack of continuous monitoring of cash flows and cash profits, diversion of
funds, double financing and general credit governance issues in banks.
• 53,334 cases of bank fraud have been recorded in the last 11 fiscal years,
involving an amount of Rs 2.05 lakh crore, with ICICI Bank, SBI and
HDFC Bank reporting the highest numbers of frauds, according to RBI.

• ICICI showed the highest number of fraud cases of 6,811, involving Rs 5,033.81 crore.
• SBI: 6,793 frauds of Rs 23,734.74 crore.
• HDFC: 2,497 cases of Rs 1,200.79 crore.
• Bank of Baroda: 2160 cases of Rs 12,962.96 crore.
• PNB: 2,047 frauds of Rs 28,700.74 crore.
• Axis Bank: 1,944 frauds involving Rs 5,301.69 crore.
• Bank of India: 1,264 frauds of Rs 5978.96 crore.
• Standard Chartered Bank: 1,263 cases involving Rs 1221.41 crore.
• Canara Bank: 1,254 cases of Rs 5553.38 crore.
• Union Bank of India: 1,244 frauds of Rs 11,830.74 crore.
• Kotak Mahindra: 1,213 cases involving Rs 430.46 crore.
• Indian Overseas Bank: 1,115 frauds involving Rs 12,644.7 crore.
• Vijaya Bank: 639 cases involving Rs 1,748.9 crore.
• OBC: 1040 cases of Rs 5,598.23 crore.
• Yes Bank: 102 cases of Rs 311.96 crore.
• United Bank of India: 944 cases of Rs 3052.34 crore.
• State Bank of Mysore: 395 cases of Rs 742.31 crore.
• State Bank of Patiala: 386 cases of Rs 1178.77 crore.
• Punjab and Sind Bank: 276 cases of Rs 1154.89 crore.
• UCO Bank: 1081 frauds of Rs 7104.77 crore.
• Tamilnad Mercantile Bank: 261 cases of Rs 493.92 crore.
• Lakshmi Vilas Bank: 259 frauds of Rs 862.64 crore.
• State Bank of Travancore: 274 cases of Rs 694.61 crore.
• Jammu and Kashmir Bank: 142 cases of Rs 1639.9 crore.
• Industrial Finance Corp of India: 9 cases of Rs 671.66 crore.
• Dhanlakshmi Bank: 89 cases of Rs 410.93 crore.

Trends relating to GNPAs Ratio and Rate of Recovery for Banks in India
