FRBSF Economic Letter
2002-02; January 25, 2002
What Is Operational Risk?
Western Banking Quarterly is a review of banking
developments in the Twelfth Federal Reserve District, and includes FRBSF's
Regional Banking Tables.
It is normally published in the Economic Letter on the fourth Friday
of January, April, July, and October
Financial institutions are in the business of risk management and reallocation,
and they have developed sophisticated risk management systems to carry
out these tasks. The basic components of a risk management system are
identifying and defining the risks the firm is exposed to, assessing their
magnitude, mitigating them using a variety of procedures, and setting
aside capital for potential losses. Over the past twenty years or so,
financial institutions have been using economic modeling in earnest to
assist them in these tasks. For example, the development of empirical
models of financial volatility led to increased modeling of market risk,
which is the risk arising from the fluctuations of financial asset prices.
In the area of credit risk, models have recently been developed for large-scale
credit risk management purposes.
Yet, not all of the risks faced by financial institutions can be so
easily categorized and modeled. For example, the risks of electrical failures
or employee fraud do not lend themselves as readily to modeling. Such
risks are typically categorized under the rubric of "operational
risk." In this Economic Letter, we review the current status of operational
risk management by financial institutions, particularly commercial banks,
and the corresponding regulatory capital requirements proposed by the
Basel Committee on Banking Supervision (BCBS).
Defining operational risk
Although the definitions of market risk and credit risk are relatively
clear, the definition of operational risk has evolved rapidly over the
past few years. At first, it was commonly defined as every type of unquantifiable
risk faced by a bank. However, further analysis has refined the definition
considerably. As reported by BCBS (September 2001), operational risk can
be defined as the risk of monetary losses resulting from inadequate or
failed internal processes, people, and systems or from external events.
Losses from external events, such as a natural disaster that damages
a firm's physical assets or electrical or telecommunications failures
that disrupt business, are relatively easier to define than losses from
internal problems, such as employee fraud and product flaws. Because the
risks from internal problems will be closely tied to a bank's specific
products and business lines, they should be more firm-specific than the
risks due to external events.
Measuring operational risk
A key component of risk management is measuring the size and scope of
the firm's risk exposures. As yet, however, there is no clearly established,
single way to measure operational risk on a firm-wide basis. Instead,
several approaches have been developed. An example is the "matrix"
approach in which losses are categorized according to the type of event
and the business line in which the event occurred. In this way, a bank
can hope to identify which events have the most impact across the entire
firm and which business practices are most susceptible to operational
Once potential loss events and actual losses are defined, a bank can
hope to analyze and perhaps even model their occurrence. Doing so requires
constructing databases for monitoring such losses and creating risk indicators
that summarize these data. Examples of such indicators are the number
of failed transactions over a period of time and the frequency of staff
turnover within a division.
Potential losses can be categorized broadly as arising from "high
frequency, low impact" (HFLI) events, such as minor accounting errors
or bank teller mistakes, and "low frequency, high impact" (LFHI)
events, such as terrorist attacks or major fraud. Data on losses arising
from HFLI events are generally available from a bank's internal auditing
systems. Hence, modeling and budgeting these expected future losses due
to operational risk potentially could be done very accurately. However,
LFHI events are uncommon and thus limit a single bank from having sufficient
data for modeling purposes. For such events, a bank may need to supplement
its data with that from other firms. Several private-sector initiatives
along these lines already have been formed, such as the Global Operational
Loss Database managed by the British Bankers' Association.
Although quantitative analysis of operational risk is an important input
to bank risk management systems, these risks cannot be reduced to pure
statistical analysis. Hence, qualitative assessments, such as scenario
analysis, will be an integral part of measuring a bank's operational risks.
Mitigating operational risk
In broad terms, risk management is the process of mitigating the risks
faced by a bank, either by hedging financial transactions, purchasing
insurance, or even avoiding specific transactions. With respect to operational
risk, several steps can be taken to mitigate such losses. For example,
damages due to natural disaster can be insured against. Losses arising
from business disruptions due to electrical or telecommunications failures
can be mitigated by establishing redundant backup facilities. Losses due
to internal reasons, such as employee fraud or product flaws, are harder
to identify and insure against, but they can be mitigated with strong
internal auditing procedures.
Since operational risk management will depend on many firm-specific factors,
many managerial methods also are possible and will probably be put in
place over time. However, some general principles, such as good management
information systems and contingency planning, are necessary for effective
operational risk management. BCBS (December 2001) laid out a framework
for managing operational risk at internationally active banks; this framework
also could be more broadly applied to other types of financial institutions.
The framework consists of two general categories. The first includes
general corporate principles for developing and maintaining a bank's operational
risk management environment. For example, a bank's governing board of
directors should recognize operational risk as a distinct area of concern
and establish internal processes for periodically reviewing operational
risk strategy. To foster an effective risk management environment, the
strategy should be integral to a bank's regular activities and should
involve all levels of bank personnel.
The second category consists of general procedures for actual operational
risk management. For example, banks should implement monitoring systems
for operational risk exposures and losses for major business lines. Policies
and procedures for controlling or mitigating operational risk should be
in place and enforced through regular internal auditing.
Capital budgeting for operational risk
Banks hold capital to absorb possible losses from their risk exposures,
and the process of capital budgeting for these exposures, including operational
risk, is a key component of bank risk management. In parallel with industry
developments, BCBS proposed in 2001 that an explicit capital charge for
operational risk be incorporated into the new Basel Capital Accord. At
first this capital charge would apply to internationally active banks.
The Committee initially proposed that the operational risk charge constitute
20% of a bank's overall regulatory capital requirement, but after a period
of review, the Committee lowered the percentage to 12%. The final version
of the Basel Accord is tentatively scheduled for a year-end 2002 release.
To encourage banks to improve their operational risk management systems,
the new Basel Accord also will set criteria for implementing more advanced
approaches to operational risk. Such approaches are based on banks' internal
calculations of the probabilities of operational risk events occurring
and the average losses from those events. The use of these approaches
will generally result in a reduction of the operational risk capital requirement,
as is currently done for market risk capital requirements and is proposed
for credit risk capital requirements. These criteria and the new capital
regulations will require bank supervisors to conduct evaluations of operational
risk management systems on a regular basis. As noted by BCBS, these supervisory
evaluations would be complemented greatly by public disclosure sufficient
to allow independent assessments by market participants.
Operational risk is intrinsic to financial institutions and thus should
be an important component of their firm-wide risk management systems.
However, operational risk is harder to quantify and model than market
and credit risks. Over the past few years, improvements in management
information systems and computing technology have opened the way for improved
operational risk measurement and management. Over the coming few years,
financial institutions and their regulators will continue to develop their
approaches for operational risk management and capital budgeting.
Jose A. Lopez