value insights

Measuring Financial Operational Risks- Valutrics

The Basel Committee on Banking Supervision defines Operational Risk (OR): “The risk that deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, system failures and inadequate procedures and controls”

OR is intrinsically connected to all banking activities, from lending to securities trading and underwriting, from payment services to investment banking. This simply means that a bank cannot avoid this type of risk.
OR, contrary to market and credit risks, is not taken on a voluntary basis but is simply a natural consequence of the different activities performed by a financial institution. Indeed, a bank can avoid a specific type of market risk by closing (or avoiding) trading positions which are sensitive to that market specific factor; alternatively, it could hedge that specific exposure by trading a derivative instrument. OR is different from other banking risks because of the lack of hedging instruments. Indeed, while in recent years a number of financial institutions and insurance companies have started to offer risk transfer instruments which allow to hedge losses arising from some specific (and mainly external) events, a liquid secondary market for the OR hedging does not yet exist.
OR relates to its nature of “pure risk” as opposed to “speculative risks”. while for interest or market risks, risk originates from the volatility of returns, which in turn may lead to either positive results (profits) or negative ones (losses), OR (like casualty risks covered by insurance policies) does not give rise to return variability but simply to the possibility of losses.
OR does not involve an increasing relationship between risk and expected returns. In fact, while in the case of financial risks (such as interest rate, market or credit risks) higher risks are typically associated to higher expected returns, this is not the case for OR.

Main criteria of OR measurement system
Measuring OR requires an appropriate mapping process of the bank’s – and eventually of other banks – historical losses to the relevant risk factors. This allows one to build an adequate database, which can then be used to measure OR accurately. Second, measuring OR requires to distinguish between an expected loss component, which should be covered by adequate provisions, and an unexpected loss component, which should be covered by the bank’s equity capital. Finally, an appropriate OR measurement system should be aimed at estimating the amount of economic capital absorbed by this type of risk. This implies that the measurement system should be consistent with the criteria (time horizon, confidence level, etc.) used by the bank for the measurement of the other types of risks.

The problems which are typically faced by a bank trying to measure OR include:
• The first problem comes from the fact that some of the events related to OR tend to produce losses which are difficult to quantify. Take the example of a bank whose franchise has been negatively affected by a regulatory change. Quantifying the loss requires an estimate of the negative impact of such change on the bank’s future earnings, which could be quite difficult.
• A second problem is related to the fact that some of the OR events are quite rare. This means that an individual bank has a limited direct experience of such losses. This in turns makes it quite difficult to estimate the probability distribution of these events in a statistically significant way.

A bank may then decide to turn to pooled data, like those recorded in publicly available databases: however, this is likely to pose several challenges. First, and most significant, not all losses are reported publicly. Also, as larger losses are more likely to have been reported, a positive relationship may exist between the loss amount and the probability that it is included in public data sources. If such a relationship exists, then the data are not a random sample from the population of all operational losses, but rather a biased sample containing a disproportionate number of very large losses. Statistical inference based on such samples can yield biased parameter estimates: namely, the presence of too many large losses is likely to lead to an upward- biased estimate of the bank’s exposure to OR.

To avoid such a problem, banks may decide to pool together their internal databases on operational losses, subject to a mutual confidentiality commitment (see the introduction to this part of the book).
• A third problem relates to the low reliability of past historical data for the estimate of both the probability and the loss size of future OR events. Take, e.g., losses originated by errors in the IT systems for interbank payments or international securities settlement. These kind of loss events have become less and less frequent over time thanks to technological and organizational progress. Their historical frequency is therefore a bad proxy for their future probability; conversely, past data may underestimate the threat posed by new classes of operational risks, like those related to hackers and computer crime.
• Finally, OR measurement is negatively affected by the fact that it has become “fashionable” only in rather recent times. Indeed, banks all over the world started to seriously analyse this type of risk and collect relevant data only in the late 90’s. OR measurement therefore suffers from a relative lack of statistically significant time series of loss data, which are needed to estimate expected and unexpected losses. Indeed, the lack of reliable internal operational loss data has often prevented banks from improving the statistical techniques used for OR measurement. Due to the unavailability of adequate databases, many banks are still to achieve proper risk quantification models covering operational risk.

Operational Risks Measurement Steps

Identifying the risk factors
The first phase in OR measurement requires to estimate the relevant risk factors. This means defining a list of the events which the bank would consider as part of OR. This phase is particularly important as it should also allow to build a common language across the different business units of the bank.

Mapping and estimating risk exposure of business units
The second phase requires to map, to the factors identified in the first phase, the various business lines and activities carried out by individual business units. This means that one needs to identify all relevant OR events for each business unit. For example, it is quite likely that “internal fraud” events play a major role for the trading unit, while being almost irrelevant for the securities placement business.
This phase is similar to the “risk factor mapping” process that banks have to carry out regarding financial risks.
(i) for each business unit, the relevant risk factors;
(ii) for each business line with in a business unit, one or more exposure indicators (EI) representing its vulnerability to different risk factors. These EIs could be P&L variables, such as gross operating income, or balance sheet aggregates, like total asset under management.

Estimating risky events probability
The third phase of the measurement process requires to estimate a probability of occurrence for each risk factor/business unit combination. This estimate may be based on different techniques and data sources depending on whether loss events are frequent, so that internal bank data are likely to be enough to allow a statistically significant estimate, or events, in which case other data sources need to be identified.

The former events typically tend to generate relatively low losses: hence, they are generally labelled as “high frequency low impact (HFLI) events”. Conversely, less frequent events are often associated with more significant losses and therefore are called “low frequency high impact (LFHI) events”.
The probability of each different type of OR event (that is, of each business unit/risk factor combination) can be estimated subjectively by the bank’s management, based either on qualitative judgement or a formal rating system. Such ratings capture the relevance of a given specific risk factor for the individual business unit, business line or activity, i.e., their vulnerability to the risk factor. Such a rating system can then be used, just as for credit ratings, to quantify the probability of occurrence associated with different rating classes.

The synthetic judgements or ratings assigned to each business unit should reflect both the intrinsic risk of the BU and the level and quality of the controls in place. Indeed, the introduction of a more effective system of internal controls should, other things equal, lead to a better rating and therefore a lower risk.

The main shortcoming of this “risk quantification” phase is that it is mostly based on the managers’ subjective appraisal of risks. This can be mitigated in two ways:
• the exposure indicators and the risk levels assigned to each business unit should reflect a consensus within the banking industry; in other words, while each bank may have a different risk profile as compared to the industry average, industry data should always be used as a benchmark to assess the credibility of the valuation process;
• the valuation of each business unit risk profile should be performed by an independent unit, such as the internal audit department, based on rigorous, objective and well-defined criteria, which have to be consistent with the best market practices and applied in a uniform way to all the bank’s business units; these criteria should be made explicit and periodically updated.
Finally, it is important to highlight that, while based on subjective judgement and discretionary valuations, the approach described above is relatively flexible and can be easily tailored to the organizational complexity of the bank, taking account of its risk profile and the quality of the controls in place.

Estimating the losses
The distinction between HFLI and LFHI events is also relevant for the fourth phase of the OR measurement process, i.e. when one wants to estimate the average loss associated to each type of risky event. Indeed, once the probability of each event (“probability of event” – PE) has been estimated, a measure of the loss in the case of an event (“loss given event” – LGE) is needed to quantify the expected loss.
The loss given event can be expressed as either a monetary amount – average dollar loss – or a percentage of the exposure indicator. In the latter case it is called loss given event rate (LGER).

Probability of event (PE): Internal audit reports, Internal historical events data, Management reports, Experts’ opinions (Delphi techniques), Vendors’ estimates, Budgets, Business plans,

Loss given event (LGE): Management interviews, Internal historical loss data, Historical loss data from other banks or consortium data series, Industry benchmark, External estimates (consultants, data providers, vendors, etc.)

Estimating expected loss
The fifth phase of the measurement process builds on the data obtained in the previous three phases and is aimed at estimating the expected loss (EL). This is given by the product of three variables: (i) the exposure indicator (EI), the probability of the event (PE), and (iii) the expected loss given event rate (LGER).
The choice of the appropriate exposure indicator must be consistent with that of the loss given event rate. Indeed, LGER should represent the percentage of EI which would get lost – on average – in case the risky event occurs.

Estimating unexpected loss
The sixth phase of the measurement process requires to estimate the OR unexpected loss. This, just as for market and credit risk, depends on the volatility of OR losses. Two business units may be characterized by a similar OR expected loss but present a different degree of uncertainty, i.e. different unexpected losses.
UL can be estimated: (i) for the bank as a whole, based on internal historical data series, (ii) separately for each business unit, based once again on internal data, (iii) separately for each risk factor using external data time series coming from pooled databases or from external providers, (iv) separately for each business unit and for each risk factor, using a combination of internal and external historical data.

Approaches (i) and (ii) are more likely to be adopted for HFLI events, while approaches (iii) and (iv) generally represent the only available option a bank can resort to for the measurement of LFHI events. External data are generally rescaled based on the bank’s exposure indicators and further adjusted to account for the effectiveness of its risk control systems.
When no historical loss data are available, an alternative simplified approach assumes that losses are binomially distributed, that is, that only two possible outcomes exist at the end of the risk horizon: either the loss event occurs or not.

Estimating Capital at Risk against Operational Risks
The seventh and last phase of the OR measurement process involves the estimation of capital at risk. Indeed, while s represents the volatility of OR losses, capital at risk measures the amount of capital absorbed by operational risks, that is, the maximum potential loss due to OR, within a given confidence level and a given time horizon (usually one year).
Different approaches can be followed to estimate such measure. A first simplified approach is based on the following steps:
(i) assume a specific functional form for the probability distribution of OR losses and keep it unchanged for all business units;
(ii) from this distribution, obtain a capital multiplier k to be used to get the desired x-th percentile of the loss probability distribution;
(iii) estimate the capital at risk for each business unit

Operational Risks Management System
Operational Risks management system should not be aimed, as is the case for other banking risks, at the optimization of the risk-return profile, but rather at the minimization of the sources of this type of risk. Indeed, while an increase of the other types of risk is usually associated to an increase in expected profits, this is not necessarily the case for OR. However, a significant reduction in OR, while it might prove a very ambitious objective in practice, would require significant investments in risk prevention and control systems: hence, a policy aimed at minimizing OR is generally constrained by the amount of costs a bank would incur. Therefore, one needs to identify an optimal level of OR, below which the increase in costs would overcomes the benefits of risk reduction. In a way, one could argue that in the case of OR the risk-expected return trade-off typical of financial risks gets substituted by a risk-cost trade-off.

A second important objective of an OR management system should be to promote a virtuous incentive to risk reduction. For such an incentive to work, it is necessary to assess the amount of economic capital absorbed by each business unit due to OR: this amount of capital, together with those due to other risks, should in turn be used to estimate the business unit risk-adjusted performance, by including the OR capital in the denominator of each unit’s Raroc. This would lead to a decentralized system of incentives for OR reduction and, at the same time, promote the introduction of adequate risk control policies which rely both on the bank’s central services, such as the internal audit, and the individual business units activities.
Indeed, the relationship between OR and internal controls is twofold: on one side, the actual degree of OR is a function of the current control mechanisms; on the other side, the OR measurement system should promote new investments in control procedures, based on a strict cost/benefit analysis.
For each type of OR risk, the bank may decide to:

Keep OR
This means that the risk profile is considered to be consistent with the risk- taking capacity of the bank, that is, with its risk appetite and the equity capital available.
This option may be chosen also because of the costs that would be incurred if the bank were to further reduce OR or to transfer it. This is typically the case of high frequency low impact events (HFLI) and low frequency low impact events (LFLI). Indeed, the expected loss related to this type of events can be covered through adequate provisions. On the other side, given the low LGE the unexpected loss can be covered by the bank’s economic capital.

Insure OR
The possibility to buy insurance coverage for these types of risks is relatively recent and is related to product innovations introduced by some major insurance and reinsurance companies. Such insurance contracts are viewed as a form of “outsourcing”. This process is similar to what is occurring in the management of information systems, procurement, and real estate assets, which are increasingly being delegated to outside companies to which banks pay a fee or a rent. Similarly, the coverage of certain operational risks which are considered to be outside of the bank’s “core business” (i.e. management of financial risks) is being “outsourced” and entrusted to specialized companies (insurance firms). Insurance policies have been stipulated, for example, on losses deriving from the dishonesty/incompetence of personnel (known as bankers’ blanket bonds16) such as the unauthorized trading of securities; policies against claims for compensation advanced by customers; and insurance against the damage deriving to the bank or to third parties from the malfunctioning of IT and e-commerce systems. Insurance policies are typically used for low frequency and high impact events (LFHI), generally due to external factors, such as natural (earthquakes, floods, etc.), or political and regulatory ones (foreign exchange controls, regulatory changes, etc.)

The economic rationale underlying the trend toward risk transfer is based on two main advantages of an insurance contract: risk-pooling and cash flow smoothing. Risk diversification allows the pooling, through a unique “tank” of economic capital, of different risks which are imperfectly correlated. On the other hand, by transferring the OR losses to an external entity, a financial institution is able to achieve a higher stability of its cash flows, thereby improving earnings quality and reducing the cost of its capital. This in turn increases the market value of the bank’s capital and its price/book ratio, creating shareholders’ value. These benefits of “risk pooling” and “cash flow smoothing” are to some extent offset by some typical limitations of insurance contracts. First, while equity capital paid in by the shareholders is readily available, the “insurance capital” only represents a commitment to pay, the value of which depends on the creditworthiness of the insurance company; in a sense, then, operational risks are not really eliminated, but rather transformed into credit risks. This explains the importance usually attached to the credit rating of the insurance company.

Hedge OR
This kind of management policy is typically used for those risks which are seen as incompatible with the risk-taking capacity of the bank. Due to the lack of a complete market of derivative instruments, hedging is usually achieved through risk reduction policies based on significant investments in human resources, control processes, and IT systems. This option is used generally for high frequency high impact events (HFHI) due to bank-specific causes, not to external factors. Indeed, for this type of events insurance coverage would be made more difficult to achieve, more expensive, and less effective by the above mentioned moral hazard problems.

The Basel Committee defined several principles for the management of operational risk. These include:
• Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.
• Banks should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.
• Banks should have policies, processes and procedures to control and/or mitigate material operational risks. Banks should periodically review their risk limita- tion and control strategies and should adjust their operational risk profile accordingly using appropriate strategies, in light of their overall risk appetite and profile.
• Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption.