Operational Risk Management Framework

Typical Nature of Operational Risk

Embedded risk

Operational risk differs from the other risk types because it is not a transaction risk but a risk embedded in processes, people and systems, and arising from external events (refer also to the Basel definition). It is an embedded risk which cannot be captured and measured like credit, market, life and property & casualty risk. Inertia, greed, lack of memory, overconfidence, lack of discipline, etc. are factors which cannot be easily (ex-ante) measured and reported. Examples of incidents which were affected by such factors are: Barings Bank, Prudential US, Metlife, Allied Irish Bank, Daiwa, Sumitomo, Dexia/Legiolease, Aegon/Spaarbeleg, etc.

Unstable risk

Operational risk is not measurable in a stable way over a given time period, and it does not grow proportionally (or linearly) with the (nominal) size of activities. Operational risk can be very unstable and grow exponentially in a short period. Small activities can have high risk, and vice versa. Well-known examples are Barings Singapore and ABN Amro Sarphatistraat, activities which looked small from the outside (low number of FTEs) but nonetheless turned out to generate sizeable losses.

Hidden risk

The costs due to operational risk are high but difficult to trace or anticipate, because the costs or losses are recorded in an accounting framework which currently does not isolate costs or losses due to operational risk. The hidden or invisible character leads to underestimation of the risk (e.g. information security). In some cases the risk can even lead to (unwanted) profits (e.g. money laundering) before surfacing as a problem. An example is the Republic money laundering incident.

Inherent risk

A large part of operational risk is inherent to the business in which we are engaging (e.g. OTC equity derivatives are more complex than FX spot) and inherent to management processes (e.g. MTP processes are primarily revenue and cost driven, much less risk driven).

Reputational Risk

Operational risk can have first order effects, i.e. risk of loss due to security failure, IT failure, etc., but also second order effects, i.e. reputational damage. Reputational risk is a second order risk because it often presents itself as the consequential effect of a first order operational risk which materialises and then leads to additional damage in the form of damage to reputation. Reputational damage is much more difficult to measure but no less important. Basel does not require separate measurement due to the measurement complexities. However, for internal risk management purposes reputational risk is explicitly recognised as an important part of operational risk, i.e. as a second order effect.