Background Development

Operational risk does not have a long history. Its genesis lies in the banking system: before 1999, when the Basel Committee took charge of defining operational risk, it was treated as “other risk”, meaning risk other than credit and market risk.

In 1999 the Basel Committee first began defining operational risk, because there was a need for a capital charge exclusively for the other risks that were not credit or market risk.

In 2001 the Basel Committee for the first time defined “other risk” as operational risk; the building block of operational risk was the “cause” of potential loss events.

Operational risk was defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. This definition included legal risk but excluded strategic and reputational risk.

Legal risk fell under the operational risk category because it arises indirectly from failures due to people, process, system or external events.

Cause

It is important to realize that, in the definition of operational risk, the cause is the building block of the resulting risks: the “cause” leads to the “event”, and the event leads to the “consequence”. The consequence may be a loss in financial terms, reputational terms or customer terms.

The cause results from one or more of the four factors. It is not possible to control the event; the only controllable factor is the cause, and the consequence is the outcome. The consequence may be controlled either by controlling the cause or directly by applying risk mitigation techniques. The focus of operational risk management is therefore on controlling the cause, or the resulting consequences through risk mitigation techniques.

Events

The Basel Committee has classified operational risk events into the seven categories below:

1. internal fraud

2. external fraud

3. execution delivery and process management

4. client products and business practices

5. accident and natural disaster

6. system

7. employment practices and workplace safety

These seven events may result from one or more of the four factors (people, process, system or external events).

Consequence

The consequence is the loss, whether financial loss, reputational loss or loss of customers impacting new business. The loss is measured in terms of likelihood and impact. Likelihood represents the possibility that a given event may occur, while impact represents its effects. Likelihood and impact are assessed based on historical information, which may come from internal or external data sources.

In quantifying operational risk, both qualitative and quantitative risk assessment techniques are used. Where the data is not quantifiable, a qualitative technique is used.

In the absence of loss data, it is difficult to model losses resulting from operational risk, so statistical application can be challenging. A Risk Control Self-Assessment exercise is therefore used, in which each risk is assessed for likelihood and impact against its pre-defined tolerance limit or risk appetite within the business. Controls are then provided to bring the risk back within the limit.

Risk Control Self-Assessment (RCSA)

In operational risk, Risk Control Self-Assessment (RCSA) is used for risk identification and risk quantification. The primary purpose of RCSA is to maintain a register of all the operational risks within the business, to look at the inherent risk of each, and to determine what controls can be placed so that the residual risk falls within the risk tolerance limit of the company.

As discussed above, the impact of operational risk could be financial, on customers and/or reputational. The inherent risk is assessed in terms of likelihood and impact, where the impact could fall in any or all of the three areas.

Based on the cause of the risk, appropriate controls are placed so that the residual risks are not outside the risk appetite defined by the Company.

In the management of operational risk, risk control plays a key role. It is therefore very important to map the various causes of the risks correctly, so that appropriate controls can be placed.

The residual risk is again assessed in terms of likelihood and impact; this time, however, because of the controls applied, the likelihood or the impact or both should be lower than the corresponding inherent components.

The controls placed to reduce the residual risk may be preventive or detective in nature. As seen above, if the controls are placed before the event occurs, they are preventative controls, as they help in reducing the impact of the risk. However, if the controls are placed after the event, they are detective in nature and cannot reduce the impact of the event.

In operational risk, just as causes are the drivers of events, controls are the most important treatment action for reducing both likelihood and impact. Controls may be excessive, inappropriate or missing, which is referred to as a lack of design effectiveness. When controls are poorly executed, on the other hand, they lack operating effectiveness.

Summary

The area of operational risk is vast; this section has covered its fundamental building blocks. In the absence of available data for loss distribution modeling to quantify operational risk, RCSA serves as a risk-by-risk assessment within the different areas of the business to address the key non-financial risks.

This entry is part 16 of 18 in the series July 2018 - Insurance Times
