Operational Risk Management - Opportunities and Challenges Beyond Basel II
The Basel Committee on Banking Supervision notes that management of specific operational risks is not a new practice; it has always been important for banks to try to prevent fraud, maintain the integrity of internal controls, reduce errors in transaction processing, and so on. However, what is relatively new is the view of operational risk management as a comprehensive practice comparable to the management of credit and market risk in principle, if not always in form.
The committee defines operational risk as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. This includes legal risk but excludes strategic and reputation risks, though a significant operational loss can affect the reputation.
The Basel II Accord provides three methods for calculating operational risk capital charges:
(i) the basic indicator approach;
(ii) the standardised approach; and
(iii) the advanced measurement approach (AMA).
The approach for operational risk management for a bank will depend on various factors, like the size and sophistication of the bank and the nature and complexity of its business. However, clear strategies and oversight by the board of directors and senior management, a strong operational risk and internal control culture, effective internal reporting and contingency planning are crucial elements of an effective operational risk management framework for banks of any size.
Banks are expected to move along the spectrum of available approaches as they develop more sophisticated operational risk management systems and practices.
The qualification criteria for the standardised approach and AMA require a bank to satisfy its supervisor that it has implemented a sound operational risk management system, and that it has sufficient resources to support the approach and a system of oversight by directors and senior management. Under AMA, banks would be allowed to determine their capital requirement based on their internal operational risk assessment, subject to qualitative and quantitative standards set by the Basel Committee.
For moving to the AMA, banks must track internal loss data and use it as the foundation of empirical risk estimates, as a means of validating the inputs and outputs of the risk management system. Internal loss data is most relevant when it is clearly linked to a bank’s current business activities, technological processes and risk management procedures. Banks must also use scenario analysis of expert opinion in conjunction with external data to evaluate their exposure to high-severity events.
Operational risk management aims to reduce the frequency and severity of events leading to operational losses and to maintain a robust control and monitoring system. The risks that have to be considered for measurement and mitigation are processing, legal, compliance and security risks.
The risk events that need to be considered include:
A bank’s strategy for operational risk must be aligned to the overall risk management strategy. The strategy drives the other components within the risk management framework. It has to provide clear guidance on risk appetite or tolerance, policies, and processes for day-to-day risk management. The organization structure follows strategy and when designing the operational risk management organizational structure, the bank’s overall risk management structure should serve as a guideline. Banks have to establish policies and framework and review them periodically to ensure alignment with regulatory requirements, business practices and individual business growth strategies. Information technology is the key enabler and foundation of the operational risk management framework. The systems, especially the back office systems, will need to accommodate a wide variety of operational risk information, without the need for re-keying, and interface with a variety of internal as well as external systems.
| STRATEGY |
| ORGANISATION STRUCTURE |
| POLICIES/FRAMEWORK |
| TECHNOLOGY |
While the common approach to operational risk management is centered on limiting risks and the downside, some banks have established sound practices and robust frameworks supported by technology to ensure effective management and control of operational risk. The former approach is more focused on measuring risk than on mitigating it, and the opportunities for banks adopting this approach to innovate, grow and compete in their business are limited. At the same time, the second category of banks has developed the ability to take on highly rewarding but potentially risky areas of business through systematic business processes and effective risk management practices.
Another common problem that some banks encounter is the failure to detect and act on new types of risks arising from introduction of new products or entry into new areas of business. Here again, a systematic approach to identification, measurement and mitigation of risks with effective use of technology is the solution.
Banks have to look at operational risk management as an opportunity for improving internal processes and efficiencies, which can lead to significant cost savings in addition to meeting the regulatory requirements on risk management. The opportunities to venture into new and hitherto unexplored business with improved risk-taking abilities can outweigh the investment in the development of effective processes, infrastructure and technology.

Large banks typically have several legacy applications that have been developed to address specific areas of business or specific problems. These applications are generally not flexible and limit the banks’ ability to adapt to changes in the market, to introduce new products and services and to meet the ever increasing customer demands. The result is a high cost structure for regular maintenance of these applications, complex integrations and inefficient management of data stored by disparate systems. The silos within the organization also result in duplication of efforts and data. This makes the identification, control and mitigation of operational risks extremely complex and challenging.
However, it is impractical to replace all the legacy applications with one new-generation banking application. The practical solution is rather a combination of re-engineering and replacement. Banks need to undertake an analysis of the application portfolio and identify the ones that need replacement and the ones that need to be retained and re-engineered considering various aspects such as business strategy, criticality, technology preferences, etc.
In recent times, many large banks have started planning replacement of the disparate back office systems with new-generation core banking solutions. The benefits are enormous: the consolidation and optimization of data storage, improved workflow and processes, interoperability and ease of integration with other internal and external systems. This provides the infrastructure and framework for implementing effective risk management systems, processes and enterprise-wide visibility. The return on investment (ROI) from improved efficiencies, elimination of redundancies and the ability to venture into new areas of business, combined with an effective risk management framework, provides an excellent business case for banks to replace their legacy back office systems.
Banks have to look at operational risk management as an opportunity rather than a regulatory requirement. A bank's approach to effective operational risk management varies depending on its size and the complexity of its business. Technology is a key enabler for successful implementation of effective operational risk management systems, and large banks with disparate legacy applications and operations in silos need to seriously look at an approach combining re-engineering and replacement of back office systems.