Operational Risk 101: The Basic Definitions

By now, you’ve probably had enough of people telling you just how important corporate governance and operational risk management is. Regulators, consultants, software vendors, external auditors and the like have been saying that if you don’t spend a lot of time and money on corporate governance and operational risk management, you will surely suffer great peril – you might even end up in jail.

Never mind the fact that none of them can even define what a KPI (Key Performance Index) is or even what a loss event is, you still need an army of consultants to perform an unnecessary and costly mapping of your processes and that expensive bit of technology to capture and report the KPI and loss events, whatever they turn out to be.

So where do we find ourselves after all the fear, spending, and preparation? According to a recent poll,^I 70 per cent of you believe that you’ll have sound operational risk management in place by the magic Basel II date of January 2007.^II The same poll, however, also indicates that 83 per cent of you still are pretty unclear of just what operational risk is, much less how to manage it.^III

Don’t feel bad if your one of the 83 per cent, you know enough about operational risk to know you don’t know much. That is probably a lot more than the other 17 per cent.

No matter what camp you are in, there is no need to panic. Over the course of this series of articles, we will do our best to build a sound theoretical framework for corporate governance and operational risk management that can actually be implemented and for far less than the GDP of a small third-world country.

While frameworks tend to be a bit dry – even the word ‘framework’ sounds exceedingly dull – hopefully, you’ll be pleasantly surprised to find this framework intuitive and rather user friendly. And to make the whole exercise more enjoyable, we’ll build this framework in the context of real world examples, ones that you might find surprising, shocking, and more often than not, rather amusing.

What is Operational Risk and Why Should I Care?

OK, the easy answer is Basel II and Sarbanes Oxley. We’ll get into some of the nuances those regulations a bit later, but regulations aside, is operational risk something you should really worry about? To better answer this question, let’s look at a few of the better known operational failures:

Drexel Burnham Lambert (my alma mater) – went out of business because the existing controls were so poor, executive management couldn’t prove to itself, much less the regulators, that nobody had done anything wrong^IV

Kidder Peabody – went out of business because Joe Jett knew how to arb the trade date and settlement date accounting systems. It didn’t hurt that his immediate supervisors were part of the bonus pool^V

Orange Country – lost $1.7bn because its treasurer, Robert Citron, thought he was a big-time trader and not simply the trusted custodian of public funds. Although the county didn’t have the proper controls to monitor Citron’s trades, for the most part, Wall St. took the blame^VI

NYSE – for 10 months, the NYSE had to close early to allow member firms to process trades due to a ‘paperwork crisis’ resulting from a lack of back-office automation^VII

NASDAQ – twice the market had to close because squirrels ate through electrical cables at its primary processing center. While it was a major embarrassment to the exchange, on both occasions, the squirrels did pay the ultimate price. That was at least some comfort^VIII

Citigroup – has paid over $3bn (pre-tax) with another $7bn in reserves related to in fines, penalties, and settlements through the first nine months of 2004 arising from a wide-variety of regulatory, statutory, and policy violations since 2000. ^IX The closing of Citi’s private bank in Japan by Japanese regulators cost the jobs of three members of Citi’s management committee^X

9/11 – caused an estimated $58bn in direct damage just to the insurance industry, and a loss of 1.2 per cent points to US real GDP in 2002^XI

At first glance, it is hard to see how all of these events are related. Some were preventable given proper planning and controls. Some were, in any reasonable sense, unavoidable.

However, in all cases, the size of the immediate losses and the extent of the long-term damage to reputations could have been greatly reduced with effective corporate governance and operational risk management.

What is Operational Risk?

While various regulators have their own unique twists on operational risk, the Bank of International Settlements, through its Basel II Accords is the most widely accepted.^XII In the Accords, operational risk is defined as:

While this definition appears straightforward enough, in actually, it is the veritable can of worms. First of all, most of the terms in the definition need definitions themselves. What is a loss. While the concept seems simple – the amount of money it costs you if there is an operational failure, does it cover all costs?

Is it the cost to replace a failed disk drive, the cost associated with a failed trade that resulted from the failed drive, or the cost to replace the entire application because the hardware is no longer current and should be replaced? Do I start accruing losses from the time the drive failed, the time that I realized that it failed, or the time realized the losses in the financial statement? In a later article, we will dissect each of the key terms in the Basel II definition, but for now, let’s stick to the intent of the definition.

Basically, the above definition states that banks lose money because of operational failures. That is not too surprising, every enterprise in every industry does. However, what concerns the regulators is the size of the losses. When you consider that in 2004, Citigroup has paid or has in reserve over $10bn representing more than 33 per cent of that year’s profits, their concerns are not totally unfounded.

The major problem with the Basel II definition of operational risk, however, is that it focuses on predicting the amount of future losses due to operational failure and not how to prevent them. To be compliant, you need only estimate the likelihood and size of future operational losses and set aside capital to cover a portion of that risk, not reduce your risk exposure.

To make operational risk management truly useful, we need a definition of operational risk that, while completely consistent with Basel II, can help us lower operational risk exposure, not simply measure it. It turns out, that is not that hard to do.

As a first step, let’s look at the basic goal of any operation.

In other words, operating with an acceptable level of expected losses due to operational failure, produce the highest quality at the lowest cost – can’t argue with that. While this may not seem earth shattering, we have actually established the crucial link between quality, cost, and risk. It may be possible to keep cutting costs and maintain quality in the short run, but once you have reached operational efficiency, in the long-run, cost cutting will lead to higher costs due to operational failures – as some firms, most notably Citigroup, have begun to find out.^XIV

Although we may have established the important connection between quality, cost, and risk, we still need to come up with a definition of operational risk that is preventative and not simply diagnostic. To do this, we need to transform the definition of operational risk from the risk of financial losses, to one based on the risk that one or more components of operation will fail to meet their quality and cost targets. In other words, we must express operational risk in terms of multiple operational performance metrics rather than a single financial metric, cost.^XV We can do this with a slight reworking of the definition of operational risk.

So Where have We Gotten and Where are We Going?

In just a few small steps, we have transformed operational risk from an intuitive, yet difficult concept to implement, into one that is easily implemented, measured, and managed. But more importantly, one that can provide true insight into the state of your operations, not simply the likelihood of future losses.

This may not seem like much now, but as we shall see in future articles, with a few other simple definitions, we will be able to explicitly tie the performance of even the smallest part of your operations – a single process, person, system, policy, etc. – to its impact on your bottom line. Now that should definitely be something worth waiting for.

^IFerry, John. ‘Banks making big op risk advances, says Fitch’, Risk.net Website, June 2004.
^IIThe Federal Reserve as set January, 2007 as the implementation deadline for Basel II compliance
^IIIIn the poll of the 50 top financial institutions presented in the article, only 13 per cent had collected internal operational risk data indicating they didn’t know what data to capture. See note 1.
^IVTechnically, DBL went under because it could not roll $110MM in commercial paper. However, it was management’s insecurities and uncertainties about the extent of possible regulatory violations that many of the executives blame as the real cause. Ironically, three years of investigation by regulators after the collapse of DBL failed to turn up any major violations
^VVinella, Peter. ‘Joseph Jett’s Phantom Bets’, Derivative Strategies, May 1999.
^VIJorion, Philippe. ‘Big Bets Gone Bad’ Academic Press, 1995.
^VIIThe exchange closed early from July 7, 1969 until May 4, 1970 to allow firms to work out trades manually. See NYSE Website (www.nyse.com/marketinfo/p1020656068262.html?displayPage=%2Fmarketinfo%2Fmarketinfor.html) and Risk Glossary Website (www.riskglossary.com/articles/united_states_financial_regulation.htm)
^VIIINASDAQ was brought down in 1987 and 1994 by squirrels chewing through power cables. See ‘Squirrels Bring Down NASDAQ Again’. The Risk Digest Website, (catless.ncl.ac.uk/Risks/16.30.html#subj1.1)
^IXPress Release ‘Citigroup Reaches Settlement on WorldCom Class Action Litigation for $1.64 Billion After-Tax’, Citigroup Website, May 10, 2004. (www.citigroup.com/citigroup/press/2004/040510a.htm)
^XPacelle, Mitchell.'”Citigroup Ousts Three Top Officials’, The Wall Street Journal, October 20, 2004.
^XILooney, Robert. ‘Economic Costs to the United States Stemming From the 9/11 Attacks’, Strategic Insights, Center for Contemporary Conflict, Naval Post Graduate School, August 2002. (www.ccc.nps.navy.mil/si/aug02/homeland.asp)
^XIIInternational Convergence of Capital Measurement and Capital Standards: a Revised Framework’, Basel Committee On Banking Supervision, Bank of International Settlement, June 2004 (Basel II)
^XIII‘International Convergence of Capital Measurement and Capital Standards: a Revised Framework’, Basel Committee On Banking Supervision, Bank of International Settlement, June 2004 (Basel II)
^XIVMany firms, particular Citigroup, have been drastically cutting costs as a means to improve earnings over the past four years. In many cases, however, this has resulted in a much higher operational risk exposure and ultimately a greater number of operational failures and associated losses
^XVActually, under Basel II, cost is not even a true metric since it lacks the necessary definition.

Comments are closed.