Global Risk Guard
Tool for the identification, assessment, monitoring and management of operational risks


Operational Risk


The Basel Committee (2004) defines Operational Risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

The committee indicates that this definition excludes systemic risk, legal risk and reputational risk.

During the 1990s, financial firms and other corporations focused increasing attention on the emerging field of financial risk management. This was motivated by concerns about the risks posed by the rapidly growing OTC derivatives markets; by publicized financial losses, including those of Barings Bank, Orange County and Metallgesellschaft; and by regulatory initiatives, especially the Basel Accords.

During the early part of the decade, much of the focus was on techniques for measuring and managing market risk. As the decade progressed, this shifted to techniques for measuring and managing credit risk. By the end of the decade, firms and regulators were increasingly focusing on risks "other than market and credit risk." These came to be collectively called operational risks. This catch-all category of risks was understood to include employee errors, systems failures, fire, floods or other losses to physical assets, and fraud or other criminal activity.

Firms had always managed these risks. The new goal was to do so in a more systematic manner. The approach would parallel—and be integrated with—those that were proving effective with market risk and credit risk.

The task appeared daunting. Financial institutions and regulators had had to dedicate considerable resources to managing market risk and credit risk, and those were well-known, narrowly-defined risks. Operational risk was anything but well defined. People disagreed about the specific contingencies that should be considered operational risks—should legal risks, tax risks, management incompetence or reputational risks be included? The debate was more than academic. It would shape the scope of initiatives to manage operational risk.

Another problem was that operational contingencies don't always fall into neat categories. Losses can result from a complex confluence of events, which makes it difficult to predict or model contingencies. In 1996, the Crédit Lyonnais trading floor was destroyed by fire. This might be categorized as a loss due to fire. It might also be categorized as a loss due to fraud—investigators suspect employees deliberately set the fire in order to destroy evidence of fraud.

The Basel Committee outlined basic practices in a (February 2003) paper, Sound Practices for the Management and Supervision of Operational Risk. That paper, together with efforts by researchers and risk managers at major banks, has helped to shape emerging risk management practices for operational risk.

Most operational risks are best managed within the departments in which they arise. Information technology professionals are best suited for addressing systems-related risks. Back office staff are best suited to address settlement risks, etc. However, overall planning, coordination, and monitoring should be provided by a centralized operational risk management department. This should closely coordinate with market risk and credit risk management departments within an overall enterprise risk management framework.

Contingencies broadly fall into two categories:

  • those that occur frequently and entail modest losses;
  • those that occur infrequently but may entail substantial losses.

Accordingly, operational risk management should combine both qualitative and quantitative techniques for assessing risks. For example, settlement errors in a trading operation's back office happen with sufficient regularity that they can be modeled statistically. Other contingencies affect financial institutions infrequently and are of a non-uniform nature, which makes modeling difficult. Examples include acts of terrorism, natural disasters, and trader fraud.

Qualitative techniques include:

  • loss event reports,
  • management oversight,
  • employee questionnaires,
  • exit interviews,
  • management self assessment, and
  • internal audit.

Quantitative techniques have been developed primarily for the purpose of assigning capital charges for banks' operational risks. Much work in this field was performed by regulators developing the Basel II accord on bank capital adequacy. Early results were reported in a (January 2001) consultative document, which was included in a package of documents outlining the proposed Basel II accord. Extensive industry feedback on that document led the committee to issue a follow-up (September 2001) working paper on operational risk. A subsequent (April 2003) consultative document made further modifications to Basel II. The final Basel II accord was released in 2004.

Basel II allows large banks to base operational risk capital requirements on their own internal models. This has spawned considerable independent research into methods for measuring operational risk. Techniques have been borrowed from fields such as actuarial science and engineering reliability analysis.

Contingencies of an infrequent but potentially catastrophic nature can, to some extent, be modeled using techniques developed for property & casualty insurance. Contingencies that arise more frequently are more amenable to statistical analysis.

Statistical modeling requires data. For operational contingencies, two forms of data are useful:

  • data on historical loss events, and
  • data on risk indicators.

Loss events run the gamut—settlement errors, systems failures, petty fraud, customer lawsuits, etc. Losses may be direct (as in the case of theft) or indirect (as in the case of damage to the institution's reputation). There are three ways data on loss events can be categorized:

  • event
  • cause
  • consequence

For example, an event might be a mis-entered trade. The cause might be inadequate training, a systems problem or employee fatigue. Consequences might include a market loss, fees paid to a counterparty, a lawsuit or damage to the firm's reputation. Any event may have multiple causes or consequences. Tracking all three dimensions of loss events facilitates the construction of event matrices, identifying the frequency with which certain causes are associated with specific events and consequences. Even with no further analysis, such matrices can identify for management areas for improvement in procedures, training, staffing, etc.
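The event matrix described above can be built directly from loss-event records. The following is an added example, not part of the original page; the records, field names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import product

# Constructed loss-event records (illustrative only). A record may carry
# several causes and several consequences, as the text notes.
LOSS_EVENTS = [
    {"event": "mis-entered trade", "causes": ["inadequate training"],
     "consequences": ["market loss"]},
    {"event": "mis-entered trade",
     "causes": ["employee fatigue", "systems problem"],
     "consequences": ["market loss", "counterparty fees"]},
    {"event": "mis-entered trade", "causes": ["inadequate training"],
     "consequences": ["counterparty fees"]},
    {"event": "settlement failure", "causes": ["systems problem"],
     "consequences": ["counterparty fees", "lawsuit"]},
    {"event": "settlement failure",
     "causes": ["systems problem", "inadequate training"],
     "consequences": ["reputational damage"]},
]

def _values(record, key):
    """Return the field as a set so single values and lists are treated alike."""
    value = record[key]
    return set(value) if isinstance(value, list) else {value}

def event_matrix(records, row_key, col_key):
    """Count the records in which each (row, column) pair occurs together."""
    counts = Counter()
    for rec in records:
        for pair in product(_values(rec, row_key), _values(rec, col_key)):
            counts[pair] += 1
    return counts

def top_causes(records, event):
    """Rank causes of one event by the share of that event's records citing them."""
    matrix = event_matrix(records, "causes", "event")
    total = sum(1 for rec in records if rec["event"] == event)
    ranked = [(c, n / total) for (c, e), n in matrix.items() if e == event]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for (cause, event), n in sorted(event_matrix(LOSS_EVENTS, "causes", "event").items()):
        print(f"{cause:22} | {event:20} | {n}")
    print(top_causes(LOSS_EVENTS, "mis-entered trade"))
```

Because one record can list several causes, shares computed by `top_causes` can sum to more than 1 for a given event.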

The Basel Committee breaks down loss events into seven general categories:


Exhibit 1: Categories of Loss Events

Each Event-Type Category (Level 1) is listed with its definition, followed by its Level 2 categories and their Activity Examples (Level 3).

Internal Fraud

Loss due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity / discrimination events, which involves at least one internal party.

Unauthorized Activity

  • Transactions not reported (intentional)
  • Transaction type unauthorized (with monetary loss)
  • Mismarking of position (intentional)

Theft and Fraud

  • Fraud / credit fraud / worthless deposits
  • Theft / extortion / embezzlement / robbery
  • Misappropriation of assets
  • Forgery
  • Check kiting
  • Smuggling
  • Account take-over / impersonation, etc.
  • Tax non-compliance / evasion (willful)
  • Bribes / kickbacks
  • Insider trading (not on firm's account)

External Fraud

Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party

Theft and Fraud

  • Theft / robbery
  • Forgery
  • Check kiting

Systems Security

  • Hacking damage
  • Theft of information (with monetary loss)

Employment Practices and Workplace Safety

Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events.

Employee Relations

  • Compensation, benefit, termination issues
  • Organized labor activities

Safe Environment

  • General liability (slips and falls, etc.)
  • Employee health & safety rules and events
  • Workers compensation

Diversity & Discrimination

  • All discrimination types

Clients, Products & Business Practice

Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

Suitability, Disclosure & Fiduciary

  • Fiduciary breaches / guideline violations
  • Suitability / disclosure issues (KYC, etc.)
  • Retail consumer disclosure violations
  • Breach of privacy
  • Aggressive sales
  • Account churning
  • Misuse of confidential information
  • Lender liability

Improper Business or Market Practices

  • Antitrust
  • Improper trade / market practice
  • Market manipulation
  • Insider trading (on firm's account)
  • Unlicensed activity
  • Money laundering

Product Flaws

  • Product defects (unauthorized, etc.)
  • Model errors

Selection, Sponsorship & Exposure

  • Failure to investigate client per guidelines
  • Exceeding client exposure limits

Advisory Activities

  • Disputes over performance or advisory activities

Damage to Physical Assets

Losses arising from loss or damage to physical assets from natural disaster or other events

Disasters and Other Events

  • Natural disaster losses
  • Human losses from external sources (terrorism, vandalism)

Business Disruption & Systems Failures

Losses arising from disruption of business or system failures


  • Hardware
  • Software
  • Telecommunications
  • Utility outage / disruptions

Execution, Delivery & Process Management

Losses from failed transaction processing or process management, from relations with trade counterparties and vendors

Transaction Capture, Execution & Maintenance

  • Miscommunication
  • Data entry, maintenance or loading error
  • Missed deadline or responsibility
  • Model / system misoperation
  • Accounting error / entity attribution error
  • Other task misperformance
  • Delivery failure
  • Collateral management failure
  • Reference data maintenance

Monitoring & Reporting

  • Failed mandatory reporting obligation
  • Inaccurate external report (loss incurred)

Customer Intake & Documentation

  • Client permissions / disclaimers missed
  • Legal documents missing / incomplete

Customer / Client Account Management

  • Unapproved access given to accounts
  • Incorrect client records (loss incurred)
  • Negligent loss or damage of client assets

Trade Counterparties

  • Non-client counterparty misperformance
  • Misc. non-client counterparty disputes

Vendors & Suppliers

  • Outsourcing
  • Vendor disputes


  Source: Basel Committee (February 2003).

Risk indicators differ from loss events. They are not associated with specific losses, but indicate the general level of operational risk. Examples of risk indicators a firm might track are:

  • amount of overtime being performed by back-office staff,
  • staffing levels,
  • daily transaction volumes,
  • employee turnover rates,
  • systems downtime.

From a modeling standpoint, the goal is to find relationships between specific risk indicators and corresponding rates of loss events. If such relationships can be identified, then risk indicators can be used to identify periods of elevated operational risk.
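One simple way to look for such a relationship is a least-squares fit of loss-event counts on a single indicator. The following is an added example, not part of the original page; the weekly figures, the 1.5x threshold and the minimum correlation of 0.7 are assumptions chosen for illustration.

```python
from math import sqrt

# Constructed weekly history (illustrative only): back-office overtime hours
# and the number of loss events recorded in the same week.
HISTORY = [(10, 2), (20, 3), (30, 5), (40, 6), (50, 9)]

def fit_indicator(history):
    """Least-squares fit of loss-event count on the indicator, plus Pearson r."""
    n = len(history)
    if n < 3:
        raise ValueError("need at least 3 observations")
    mean_x = sum(x for x, _ in history) / n
    mean_y = sum(y for _, y in history) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in history)
    syy = sum((y - mean_y) ** 2 for _, y in history)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in history)
    if sxx == 0 or syy == 0:
        raise ValueError("indicator or loss counts are constant; nothing to fit")
    slope = sxy / sxx
    return {"slope": slope, "intercept": mean_y - slope * mean_x,
            "r": sxy / sqrt(sxx * syy), "mean_events": mean_y}

def elevated_periods(model, readings, factor=1.5, min_r=0.7):
    """Indices of readings whose predicted loss-event count exceeds
    factor x the historical mean. Returns [] when the fitted correlation
    is too weak for the indicator to be trusted as a signal."""
    if abs(model["r"]) < min_r:
        return []
    limit = factor * model["mean_events"]
    return [i for i, x in enumerate(readings)
            if model["slope"] * x + model["intercept"] > limit]

if __name__ == "__main__":
    model = fit_indicator(HISTORY)
    print(model)
    print(elevated_periods(model, [25, 48, 60]))
```

Five observations are far too few for a real model; the point is the shape of the calculation, including the refusal to flag anything when the indicator does not track losses.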

Once operational risks have been—qualitatively or quantitatively—assessed, the next step is to somehow manage them. Solutions may attempt to

  • avoid certain risks,
  • accept others, but attempt to mitigate their consequences, or
  • simply accept some risks as a part of doing business.

Specific techniques might include: employee training, close management oversight, segregation of duties, purchase of insurance, employee background checks, exiting certain businesses, and the capitalization of risks. Choice of techniques will depend upon a cost-benefit analysis.





Copyright ©2005-2009 Global Risk Guard. All rights reserved. | Legal |