January 25, 2002
« More Economic Letters
What Is Operational Risk?
Jose A. Lopez
Western Banking Quarterly is a review of banking developments in the Twelfth Federal Reserve District, and includes FRBSF’s Regional Banking Tables. It is normally published in the Economic Letter on the fourth Friday of January, April, July, and October
Financial institutions are in the business of risk management and reallocation, and they have developed sophisticated risk management systems to carry out these tasks. The basic components of a risk management system are identifying and defining the risks the firm is exposed to, assessing their magnitude, mitigating them using a variety of procedures, and setting aside capital for potential losses. Over the past twenty years or so, financial institutions have been using economic modeling in earnest to assist them in these tasks. For example, the development of empirical models of financial volatility led to increased modeling of market risk, which is the risk arising from the fluctuations of financial asset prices. In the area of credit risk, models have recently been developed for large-scale credit risk management purposes.
Yet, not all of the risks faced by financial institutions can be so easily categorized and modeled. For example, the risks of electrical failures or employee fraud do not lend themselves as readily to modeling. Such risks are typically categorized under the rubric of “operational risk.” In this Economic Letter, we review the current status of operational risk management by financial institutions, particularly commercial banks, and the corresponding regulatory capital requirements proposed by the Basel Committee on Banking Supervision (BCBS).
Although the definitions of market risk and credit risk are relatively clear, the definition of operational risk has evolved rapidly over the past few years. At first, it was commonly defined as every type of unquantifiable risk faced by a bank. However, further analysis has refined the definition considerably. As reported by BCBS (September 2001), operational risk can be defined as the risk of monetary losses resulting from inadequate or failed internal processes, people, and systems or from external events.
Losses from external events, such as a natural disaster that damages a firm’s physical assets or electrical or telecommunications failures that disrupt business, are relatively easier to define than losses from internal problems, such as employee fraud and product flaws. Because the risks from internal problems will be closely tied to a bank’s specific products and business lines, they should be more firm-specific than the risks due to external events.
A key component of risk management is measuring the size and scope of the firm’s risk exposures. As yet, however, there is no clearly established, single way to measure operational risk on a firm-wide basis. Instead, several approaches have been developed. An example is the “matrix” approach in which losses are categorized according to the type of event and the business line in which the event occurred. In this way, a bank can hope to identify which events have the most impact across the entire firm and which business practices are most susceptible to operational risk.
Once potential loss events and actual losses are defined, a bank can hope to analyze and perhaps even model their occurrence. Doing so requires constructing databases for monitoring such losses and creating risk indicators that summarize these data. Examples of such indicators are the number of failed transactions over a period of time and the frequency of staff turnover within a division.
Potential losses can be categorized broadly as arising from “high frequency, low impact” (HFLI) events, such as minor accounting errors or bank teller mistakes, and “low frequency, high impact” (LFHI) events, such as terrorist attacks or major fraud. Data on losses arising from HFLI events are generally available from a bank’s internal auditing systems. Hence, modeling and budgeting these expected future losses due to operational risk potentially could be done very accurately. However, LFHI events are uncommon and thus limit a single bank from having sufficient data for modeling purposes. For such events, a bank may need to supplement its data with that from other firms. Several private-sector initiatives along these lines already have been formed, such as the Global Operational Loss Database managed by the British Bankers’ Association.
Although quantitative analysis of operational risk is an important input to bank risk management systems, these risks cannot be reduced to pure statistical analysis. Hence, qualitative assessments, such as scenario analysis, will be an integral part of measuring a bank’s operational risks.
In broad terms, risk management is the process of mitigating the risks faced by a bank, either by hedging financial transactions, purchasing insurance, or even avoiding specific transactions. With respect to operational risk, several steps can be taken to mitigate such losses. For example, damages due to natural disaster can be insured against. Losses arising from business disruptions due to electrical or telecommunications failures can be mitigated by establishing redundant backup facilities. Losses due to internal reasons, such as employee fraud or product flaws, are harder to identify and insure against, but they can be mitigated with strong internal auditing procedures.
Since operational risk management will depend on many firm-specific factors, many managerial methods also are possible and will probably be put in place over time. However, some general principles, such as good management information systems and contingency planning, are necessary for effective operational risk management. BCBS (December 2001) laid out a framework for managing operational risk at internationally active banks; this framework also could be more broadly applied to other types of financial institutions.
The framework consists of two general categories. The first includes general corporate principles for developing and maintaining a bank’s operational risk management environment. For example, a bank’s governing board of directors should recognize operational risk as a distinct area of concern and establish internal processes for periodically reviewing operational risk strategy. To foster an effective risk management environment, the strategy should be integral to a bank’s regular activities and should involve all levels of bank personnel.
The second category consists of general procedures for actual operational risk management. For example, banks should implement monitoring systems for operational risk exposures and losses for major business lines. Policies and procedures for controlling or mitigating operational risk should be in place and enforced through regular internal auditing.
Banks hold capital to absorb possible losses from their risk exposures, and the process of capital budgeting for these exposures, including operational risk, is a key component of bank risk management. In parallel with industry developments, BCBS proposed in 2001 that an explicit capital charge for operational risk be incorporated into the new Basel Capital Accord. At first this capital charge would apply to internationally active banks. The Committee initially proposed that the operational risk charge constitute 20% of a bank’s overall regulatory capital requirement, but after a period of review, the Committee lowered the percentage to 12%. The final version of the Basel Accord is tentatively scheduled for a year-end 2002 release.
To encourage banks to improve their operational risk management systems, the new Basel Accord also will set criteria for implementing more advanced approaches to operational risk. Such approaches are based on banks’ internal calculations of the probabilities of operational risk events occurring and the average losses from those events. The use of these approaches will generally result in a reduction of the operational risk capital requirement, as is currently done for market risk capital requirements and is proposed for credit risk capital requirements. These criteria and the new capital regulations will require bank supervisors to conduct evaluations of operational risk management systems on a regular basis. As noted by BCBS, these supervisory evaluations would be complemented greatly by public disclosure sufficient to allow independent assessments by market participants.
Operational risk is intrinsic to financial institutions and thus should be an important component of their firm-wide risk management systems. However, operational risk is harder to quantify and model than market and credit risks. Over the past few years, improvements in management information systems and computing technology have opened the way for improved operational risk measurement and management. Over the coming few years, financial institutions and their regulators will continue to develop their approaches for operational risk management and capital budgeting.
Jose A. Lopez
More Economic Letters
Opinions expressed in FRBSF Economic Letter do not necessarily reflect the views of the management of the Federal Reserve Bank of San Francisco or of the Board of Governors of the Federal Reserve System. This publication is edited by Sam Zuckerman and Anita Todd. Permission to reprint must be obtained in writing.
Please send editorial comments and requests for reprint permission to