In the preceding chapters, we calculated the capital that the bank should hold to cover the credit and market risks caused by trading or holding securities. However, the bank should also hold capital to cover other risks. To understand the nature of these risks, consider nonfinancial institutions, such as industrial companies and software companies. Although such companies are not primarily focused on trading or holding securities, they do hold a large amount of capital. For such a nonfinancial institution, the capital is the sum of all the assets minus the liabilities, where the assets are typically not securities, but production equipment.
Industrial companies hold such capital so they can continue to operate if there are fluctuations in sales, accidents, mistakes, or legal action against the company. The companies are expected to compensate their shareholders with a return on capital that is commensurate with the risks. Banks have similar risks from being in business, and should hold appropriate capital and plan to compensate their shareholders. In practical terms, this requires the bank to estimate the amount that could be lost due to operating risks. This estimate is used to ensure that it has an excess of assets over liabilities to absorb such losses, and ensure that the business units charge their customers a sufficient amount to make each business profitable for the shareholders.
Operational-risk capital accounts for between 10% to 25% of the overall capital held by a bank; but for individual business lines, such as retail brokerage and advisory work, all of the required capital may be for operating risks. The banking industry is just beginning to understand how to measure and manage operating risks. In this chapter, we discuss the definitions of risk that are currently being used, the leading approaches for measuring operating risk, and the New Basel Accord for operational-risk capital.
Until recently, operating risk was defined simply as risks other than credit and market risks. Now, as the industry has begun to focus on operating risk, several often confusing and contradictory definitions have arisen. One problem is that practitioners use the terms operating, operational, and operations risk to mean slightly different things. As illustrated in Figure 24-1, operations risk is a subset of operational risk, which in turn is a subset of operating risk.
To minimize the confusion in this discussion, we will use different names for each set of risks. We shall use the term processing risk to be synonymous with operations risk, failure risk to be synonymous with operational risk, and company risk to be synonymous with operating risk.
Operations or processing risk covers losses from the back-office operations of processing trades and information. It includes losses from the following sources:
• Incorrectly entering trades
• Losing information on trades
• The failure of a computer system, such as a quotes system or an order-routing system
• The accidental destruction of a database
• Losses due to the failure of a vendor to correctly perform outsourced processing functions
The term may also be used to cover losses due to internal or external fraud that were possible because of poor processing procedures.
FIGURE 24-1 The Relationship Between Operating, Operational, and Operations Risk
Operational or failure risk is defined by the New Basel accord as follows: “The risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Failure risk includes losses from the following:
• Processing risks
• Human mistakes by traders, such as buying 100,000 shares instead of 10,000 shares, or using the wrong parameters in a pricing model
• Fraud by employees, such as employees covering up losses, placing unauthorized trades, or transferring money into their own bank accounts
• Fraud by external criminals, such as illegal withdrawals from automatic teller machines
• Mistakes in applying laws, such as mistakenly thinking that the bank holds rights to collateral that turns out not to be legally enforceable, or misunderstanding terms of a securitization agreement
• Mistakes or misconduct by staff, such as unfairly exploiting customers leading to legal action against the bank
Operating or company risk encompasses all the risks faced by a nonfinancial company, including the following:
• Processing risks
• Failure risks
• Business risks due to changes in the competitive environment, such as the introduction of a new product by a competitor
• Business risks due to miscalculation in the amount of costs or revenue associated with a new product
• Business risks due to falls in income caused by customers’ responses to changes in the market.
Clearly, operating risk is not just one type of risk; it is a general term used to cover many different sources of risk.
Given the very diverse nature of the risks, it is not surprising that there is no single effective methodology for estimating the required capital. A good risk-measurement framework should do two things:
1. It should measure the absolute level of risk to allow pricing and capital assignment from an estimate of the expected loss and the economic capital.
2. It should show managers what they must do if they want to reduce the risks and therefore reduce the corresponding capital charge. This requires a granular bottom-up model showing the specific sources of risk. The model must create the right incentives. An example of a measurement approach with a poor incentive structure is to base the operational-risk charge on noninterest expenses. If the bank’s operational-risk capital is allocated on the basis of noninterest expenses, a manager could reduce the capital charge by reducing the number of staff. This is a poor incentive structure because reducing staff would typically increase the actual operating risk.
We use these two principles to assess the different approaches that are being developed. The risk-estimation approaches can be categorized as either qualitative, structural, actuarial, or a blend of all three. We discuss examples of each.
Qualitative approaches use management’s judgment to detect sources of risk. They are typically based on surveys or questionnaires to be filled out by management and operations staff within each department. The questionnaires include questions on historical events, the current state of the system, and the manager’s main concerns.
Historical events of interest are any financial losses, charge-offs, or write-downs, and any events that were close misses and could have led to losses. The questionnaire should also get an indication of the amount of low-level mistakes that occur without leading to losses, such as the number of trades that fail to be settled on the first attempt.
Questions on the current state seek to show the reliability of the system and the amount of stress that it is under. The reliability of the system depends on the level of automation and the quality of the staff. Danger signs include high levels of manual entry, records kept on paper or spreadsheets, multiple systems, inexperienced staff, high turnover rates for staff, and large amounts of overtime being worked. The risk also depends on the complexity of the operation. If the operation has many different, tailored products traded across many geographies, it will tend to have more failures and mistakes. The questionnaires also typically cover each department’s monitoring and control policies, including its disaster-recovery plan.
Some banks use the results of the questionnaire to assign judgmental scores to each department, and to assign operating-risk capital based on those scores. However, when such qualitative decisions affect measured profitability and bonuses, the approach is quickly called into question.
Qualitative approaches are useful because they focus management’s attention on the risks in question and allow the incorporation of the bank management’s best understanding of the bank’s processes, the weak links, and the consequent risks. The major disadvantage is that the process is time-consuming and open to misuse if a manager wants to reduce the perceived risks and the capital charge in his or her department. Also, if the question is not on the list, the risk may be missed.
Structural approaches require a model of causality that defines a set of linkages between observable information and the probability of loss events. The structural approach is very good for showing managers where they should concentrate their efforts to reduce the risks. Although this is not possible for all operational risks, some well-defined risks lend themselves to this approach. As an illustration of the structural approach, we discuss the structural assessment of processing risk and business risk.
One approach to estimating processing risk is to build a map of the process, then examine which links in the process could fail, and the consequent losses. The effort required to build the process map will often show management where they should concentrate their attention. This is especially useful for complex legacy systems whose origins predate the IT staff who maintain and operate them.
The map can be used to estimate the loss given an event (LGE) by manually tracing through the map and asking what would happen if each link failed. To quantify the expected loss, it is necessary to have an estimate of the probability of each link’s failing. For failures that happen more frequently than once per year, it is relatively easy to collect probability information. The probability of less-frequent events must be based on management’s judgment or the experience of other banks. Systems with backup plans should be assessed using the probability of an initial failure and the probability that the backup will work, given the initial failure.
Manual examination of the process map can work for relatively simple processes to calculate the expected loss. However, to estimate the probability distribution for a complex process, it is necessary to build the process map into a simulation model.
Business risk arises because changes in the market can affect the volume of business that the bank has, and the level of fees that it can charge. For example, when the market falls, retail customs make fewer trades, and a broker’s income from commissions will fall.
This risk can be assessed by a relatively simple model that relates the level of the market, the response of the customers, and the consequent amount of fees. For example, if the fees were fixed, and the volume of retail customer trades fell by 2% every time the market fell by 1%, the annual volatility of the earnings would depend on the volatility of the market:
σFee Income = F × 2 × σMarket, annual × 0:6
The factor of 0.6 converts from year-end volatility to an average yearly volatility. This is used because fee income depends on the average market over the year, not just the value on the last day. With our usual simplified assumptions about VaR, σMarket, annual can be calculated as daily VaR, divided by 2.32, and multiplied by the square root of the number of trading days:
This approach to estimating the volatility of earnings is explained further in “Institution-Level Risk Measurement for Asset Managers,” Marrison, C.I., Risk, September 2001.
In the model above, the customer behavior is very simple. In reality, the behavior will be nonlinear and time dependent; e.g., customer trades will drop off if the market falls and then stays low for several months. If the behavior of the customers is known, the risk can be easily calculated using a simulation. In the simulation, random values for the market are generated and the customer’s response is calculated for each case.
Business volumes and profitability can also be affected by competitive pressures. These are much more difficult to quantify, and if a structural model is used, it must be based on a model of the trends in the external market or rely more on management’s intuition as to what could happen. In this case, the model simply provides a structured way of guessing.
Actuarial approaches make minimal assumptions about the underlying causes and mechanism of losses. They simply note that losses tend to occur, and try to estimate some of the parameters of the loss distribution. Actuarial approaches have the disadvantage of not identifying the sources of risk, but have the advantage of including all the risks, not just the ones that management can identify. We discuss actuarial estimation using the residual and analog approaches.
If we return to the definition of operating risk as losses arising from risks other than market risk and credit risk, the residual approach automatically suggests itself. If we can get a history of losses and subtract the losses due to market and credit risks, then by definition, what remains is a history of losses due to operating risks. The history can be used to estimate the probability distribution of operating-risk losses. This approach is useful as a cross-check on the other approaches, but the residual method is not very accurate. One problem is that because market and credit risks are often much larger than operating risks, any mistake in calculating the credit- and market-risk losses will have a large effect on the calculated values for operating risk.
A different residual approach is to look at a series of banks, calculate their required economic credit and market-risk capital given their ratings, and then subtract these amounts from the actual capital that they hold. The remaining capital theoretically should be the overall operating-risk capital required by the bank to maintain its rating. This approach has multiple problems. One is that it is even more difficult to calculate capital accurately than to get clean historical-loss data, so the errors in the residual will tend to be larger. Another problem is that it is difficult to calculate economic capital reasonably without all the detailed internal information held by each bank, although this may be less of a problem if banks start to publish their economic-capital numbers, as suggested by the Basel accord.
The analog method avoids the problem of needing to assess market and credit risk accurately by looking at the capital held by companies whose main risk is operating risk, namely nonfinancial companies. The ideal is to find companies that have the same sort of processes as the bank but do not take credit and market risks; e.g., companies that process data such as payroll and tax information can be used to characterize the risk in the bank’s processing activities. Similarly, the capital held by pure asset-management companies can be used to estimate the operating-risk capital for the bank’s fee-based businesses, such as private banking.
Once such analogous companies have been identified, their capital is calculated as a ratio of some indicator of scale, such as gross revenue, net income, or number of employees. The operating-risk capital for the bank is then calculated according to the same measure of scale for the bank. For example, if the measure of scale was gross revenue, the operating risk capital would be estimated as follows:
It is difficult to find nonfinancial companies whose operations are the same as those of a bank, so the calculated capital should be averaged across the results from several similar companies. If there is a difference in credit rating between the company and the bank, the capital should be adjusted. This adjustment may be based on the relative distance to default (D) for each grade. The final estimate for the bank’s operating-risk capital would be as follows:
The main difficulties with this method are finding suitable companies and the fact that it misses those risks that are unique to financial companies, such as fraud by traders. Although the approach can give an estimate of the total operating-risk capital for a business unit, unlike the structural approaches, it does not give the manager a reasonable way of reducing the amount of operating-risk capital. For example, the manager is unlikely to want to reduce gross revenue to reduce the capital charge.
The approaches most favored by the Basel Committee combine judgment, structure, and loss experience. The two main approaches can be described as historical loss mapping and key risk indicators. As banks start to collect data for both of these metrics, the hope is that they can be combined.
Historical loss mapping estimates the probability distribution of losses based on historical data. The process is as follows:
1. Historical data is collected on operating loss events within the institution and at other institutions. The information from other institutions may be either public information on losses they have suffered or anonymous information from many banks, pooled together by a consortium. Several consortiums of banks have agreed to pool their loss data anonymously in return for getting a better overall picture of the types of losses that banks face.
2. The loss data is classified according to the type of event that caused the loss, and the type of process and business unit in which the loss occurred. A measure of the size of the unit in which the loss occurred is also recorded, e.g., the total number of trades processed by the unit.
3. The bank’s own processes and business units are classified in the same way, and the losses in the database are applied to each business unit to estimate the expected loss and unexpected loss.
The main problem with this approach is that it is difficult to map external experience to the bank’s internal processes. A second problem is that the information does not include the fact that the bank’s processes may be better than the average of the industry. Despite these drawbacks, it is probably one of the best ways available for quantifying operating-risk.
Key risk indicators (KRIs) are quantifiable measures of the performance of the bank’s processes. If chosen well, changes in a KRI should correspond closely to a change in the probability of a loss. Key risk indicators for operational risk include the following:
• The volume of trades processed
• The number of trades that failed to settle when expected
• The volatility in the P&L compared with normal
• The size of differences between different accounting methods, e.g., the profitability reported by the trader and the profitability reported by the VaR calculator
• The rate of staff turnover
• The average hours of overtime per person
• The number of systems outages
One of the advantages in KRIs is that they are quantitative and objective, and can therefore be gathered automatically, or at least they can be more quickly produced than answers to qualitative questionnaires. They also have the advantage of being tailored to the bank and quickly showing management when there are changes in the bank’s operations.
KRIs are very useful as a management tool, but they will be less useful for quantifying economic capital until historical data has been gathered to show how KRIs are related to the losses that later occur. With such a linkage, KRIs are potentially one of the most useful metrics for measuring operating-risk capital. An intermediate step is to use KRIs as the scale factor to relate the experienced losses in a pool of banks to the anticipated losses in an individual bank. This would use an equation such as the following:
This is similar to the internal measurement approach being suggested by the Basel Committee for operational-risk capital.
A regulatory requirement for holding capital against operational (failure) risks is proposed by the Basel Committee for the New Capital Accord.1 The proposal is available at www.bis.org. The committee found it necessary to include an explicit calculation of capital for operational risks because as they more closely defined the capital for market and credit risks, they realized that there was no longer an implicit cushion for other risks. The operational-risk capital is controversial, but necessary if regulatory capital is to be measured in a similar way to economic capital.
The committee proposed that banks should adopt one, or a combination, of three alternative approaches for calculating operating-risk capital. The approaches differ in their levels of sophistication:
• The basic indicator approach
• The standardized approach
• The internal measurement approach
The basic indicator approach is very easy to implement, whereas the internal measurement approach is beyond the current capabilities of most or all banks. The committee intends that the more sophisticated approaches should be less conservative, and will on average require banks to hold less capital for operating-risks. This provides an additional incentive for banks to monitor and control their risks. We now discuss each of the approaches, concentrating on how the capital is calculated, and what the bank must do to be able to make the calculation.
The basic indicator approach takes an easily calculated indicator of the bank’s scale of activity and applies a multiplier to give the required regulatory capital. In January, 2001, the Basel Committee proposed that the indicator of activity should be the bank’s gross income, and that the multiplier should be 30%, giving the capital as follows:
Regulatory CapitalOperational = 0.3 × Gross Income
The value of 30% was proposed after the committee studied a small number of international banks. Many banks objected that this was too high, and it may be reduced in the final accord. To implement this approach, the bank simply needs to know its gross income.
The standardized approach allows for different indicators and multipliers for each of seven different lines of business. The lines of business and suggested indicators of scale are shown in Table 24-1.
TABLE 24-1 Scale Indicators for the Standardized Approach to Operating-Risk Capital
The total operational-risk capital for the bank is the sum of the indicators multiplied by a factor, β, for each line of business:
Here, i denotes an individual line of business. The values of βi for each business will be set by the regulators. To implement this approach, the bank needs to categorize each of its activities into one of the standard lines of business, and then calculate the scale indicator for that business. In most cases, this information is readily available, but there will be controversy about the indicators to be used and the values fixed for βi.
The internal measurement (IRM) approach keeps the definition of standard business lines, but takes two further steps. The first step is that it allows the risks within each business to be measured separately, with a separate indicator. It proposes six different types of risk, as follows:
• Write-downs
• Loss of recourse
• Restitution
• Legal liability
• Regulatory and compliance
• Loss or damage to assets
For each of the six risk types and each of the seven businesses, it proposes a different indicator and a different multiplying factor, m. The minimum regulatory capital would be the weighted sum of the indicators:
The second step of complication is that the multiplier, mi,j, would be made up of three components:
• The probability of an event (PE) given an indicator equal to one
• The loss given an event (LGE)
• A multiplying factor, gamma (γ)
The final formula for capital is therefore as follows:
The idea is that the term PEi,j × LGEi,j × Indicatori,j should be an estimate of the expected loss due to risk type j in business unit i. The factor γi,j would effectively convert from expected loss to capital.
In this framework, the regulators would set standard values for each of the 42 factors of γi,j, and the bank would estimate the other terms. This makes the measurement highly tailored to the bank, but gives it a difficult task in calculating PE and LGE.
To implement this approach, a bank would need to categorize its businesses into the 7 standard lines and then categorize its losses in each of the lines into 6 different types. In each of the 42 cells, it would then need to collect data on the indicator, all loss events, and the loss given each event. This is a significant amount of effort, and is probably not justified if it is simply to reduce the required capital. However, the process of collecting the data should give management better tools for managing and minimizing the losses that it actually suffers.
In the discussion above, we did not mention correlation. Data on operational loss experiences is currently so fragmented that it has not been possible to estimate correlations between different sources of operating-risks or between operating-risk and market and credit risks. As data-collection efforts proceed, this will become possible, and it is highly important because the amount of capital to be held depends strongly on the correlation.
Let us consider a simple calculation that will show the relative importance of operating risk compared with the other risks. Consider a bank that has losses from credit and market risks with a mean of $100 and a standard deviation of $80. On a stand-alone basis, let us assume that the losses from operating risks have a mean of $30 and a standard deviation of $20. The mean loss for the bank as a whole will be $130. The standard deviation of losses, for the bank as a whole will depend on the correlation (ρ) between the losses, as follows:
Table 24-2 shows the total standard deviation of the bank’s losses, assuming correlations of +0.5, 0, and −0.5. A negative correlation would mean that the operating risks peak when the bank has minimal losses on its portfolio. This may be the case if operating risks increase with the volume of trades, and the volume of trades increases in a rising market. The table also shows the amount of the bank’s total standard deviation that would be attributed to each risk according to the unexpected loss contribution.
If the correlation is +0.5, the amount of capital attributed to operating risks would still be high. If there is 0 correlation, the operating risks are swamped by the much larger credit and market risks. With negative correlation, the total amount of capital would be reduced, although the expected loss would remain at $130.
TABLE 24-2 Operating-Risk Capital as a Function of its Correlation with Other Risks
As banks focus their efforts on collecting data on operating-risk losses, it will become possible to make these adjustments for correlation and combine credit risk, market risk, and operating-risk, as we discuss in the next chapter.
In this chapter, we explored the concept of operational risk and the capital needed to cover it. In the final chapter, we discuss how to view all types of bank risk in an integrated fashion.
1. Operational Risk, Consultative Document, Basel Committee on Banking Supervision, January 2001.