By LD Mahat, Risk Management Specialist
Risk may be defined as the probability of incurring a loss or damage because of actual outcome being different from the expected outcome. This means that, broader the range of possible outcomes, the greater the risk. Risk is the major constraint on investment whilst return on investment is the major opportunity or benefit generated by it.
Risks are inherent in any kind of business. Risks and uncertainties form an integral part of banking industry which by nature entails taking risks. Therefore, risk management assumes more importance in banking industry as this industry exists for the purpose of taking risk.
Nepal Rastra Bank (NRB) has issued Risk Management Guidelines for guiding commercial banks on risk management systems that are expected to be in place. Capital Adequacy Framework as well as Risk Management Guidelines issued by NRB prescribes approach for measurement and computing capital requirements for operational risk.
The Basel Committee on Banking Supervision defined operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. Operational Risk is the risk associated with human error, system failures, and inadequate controls and procedures in information systems or internal controls that will result in losses. Operational risk is a Bank’s exposure to losses arising from mistakes (such as computer failure and breach of regulations) and conspiracies (including loan fraud and embezzlement) that affect its day-to-day business. Examples of operational risks are as follows:
- Any risk that is not categorized as market or credit risk;
- A risk of loss arising from various types of human or technical error;
- Risk associated with settlement or payment risk and business interruption and legal risk;
- Risk of fraud by employees and outsiders; unauthorized transaction by employees and errors relating to computer and telecommunication systems;
- The potential exposure to missed opportunity or to unexpected financial, reputational, or other damage resulting from the way in which an organization operates and pursues its business objectives.
Operational risk arises due to inadequate control systems, operational problems and breaches in internal controls, fraud and unforeseen catastrophes resulting in unexpected losses for a bank. Many of the operational-risk-related functions such as regulatory compliance, finance management, frauds, IT, legal, and insurance are carried out by the staff and thus human resource itself becomes a cause for operational risk. Financial losses could also arise from external events such as fires and other disasters.
Identification of Operational Risk
Banks are expected to identify and assess the operational risks in all the existing products and services and systems before formulating a clear-cut policy. Such identification is a must before a new product or process or system is introduced and a fool-proof system should be in place to avoid the damages that may be caused on account of human or system failure.
Operational risk should take into account the human element especially on placement, competency, work environment, rotation/turnover. Banks should address process risk arising out of transaction processing, errors in execution of transactions, complexity of procedures etc. while formulating the policy. Sometimes violations of controls and internal control procedures, exceeding of limits, money laundering activities, systems risk also arise on account of the technology, systems and securities failure, programming error and communications failure. In addition, reputational risk that may arise out of customer claim, staff-claim and regulators’ claim may have to be addressed.
Measurement of Operational Risk
Operational risk is perceived to be highly capable of impacting business lines that have high volume and high turnover coupled with low margins. The “Survey of Operational Risk” carried out by PricewaterhouseCoopers in 1997 in the banking industry revealed that high levels of loss occurred in the areas of system failures, criminal acts, legal action, erroneous funds transfer, business interruption costs and damage to assets.
The quantification of operational risk is difficult, as it is difficult to build a clear mathematical or statistical link between individual risk factors and the likelihood of a loss. Data limitations and lack of analytical tools are contributing factors.
Banks often resort to the process of risk assessment in terms of “high, medium and low” rather than attempts at quantitative measurement. The accumulated experience indicates that there are two broad categories of operational losses: first is the frequent, small operational losses that may result from human error, which are quite common to all businesses; and second, major operational risk losses resulting from actions beyond the delegated authority or outside the laid down procedures. The latter losses are of low probability but their impact could be very large and any attempt to measure operational risk must focus on these two areas.
Approaches for Operational Risk Capital Assessment
The Basel Committee has proposed three methods for calculating operational risk capital charges based on this definition:
Basic Indicator Approach
This is the most basic approach for which no qualifying criterion has been fixed. Under this approach, banks have to maintain capital for Operational Risk equal to the average over the previous three years of a fixed percentage (denoted as alpha) of positive annual gross income. Figure for any year in which annual gross income is negative or zero, should be excluded from both the numerator and denominator when calculating the average. Basel has set `fixed percentage alpha’ at 15%.
NRB has prescribed this approach for measurement of operational risk. NRB shall review the capital requirement produced by this approach for general credibility, especially in relation to a bank’s peers and in the event that credibility is lacking, appropriate supervisory action under Review Process shall be considered.
Figures for the year, in which annual gross income is negative or zero, should be excluded from both the numerator and denominator while calculating the average. In case where the gross income for all of the last three years is negative, 5% of total credit and investments net of specific provisions shall be considered as the capital charge for operational risk. For this purpose investments shall comprise of money at call, placements, investment in government securities and other investments irrespective of currency.
Similarly, in case of new banks who have not completed an year of operation and hence whose average gross income cannot be measured reliably, they shall also be required to compute their capital charge for operational risk vide the same approach as prescribed for banks with negative gross income. These banks may use the gross income approach from second year onwards. But, based on the reasonableness of the so computed capital charge for Operation Risk, during the first three years of operation, review process may require additional proportion of capital charge if deemed necessary.
The Gross Income is defined as net interest income plus net non-interest income. NRB has defined Gross Income as Net Interest Income + Commission and Discount Income + Other Operating Income + Exchange Fluctuation Income +/- Interest Suspense during the period.
The Standardized approach is a more complex approach and is a further refinement in the approach of the operational risk capital by dividing the banks’ activities into eight standardized business lines. Within each business line, the capital requirement is calculated by multiplying the average gross income generated by a business line over the previous three years by a factor beta assigned to that business line. While three business lines viz., Trading and Sales, Retail Banking, and Commercial Banking generate Interest Income, Profit on sale of assets, and Fee-based income; remaining five business lines viz., Corporate Finance, Payment and Settlement, Agency Services, Asset Management, and Retail Brokerage generate fee based income only. Ideally, Gross Income for Trading and Sales, Retail Banking, and Commercial Banking would be “Interest Income + Profit on sales + Fee-based Income – Weighted average cost of funding for these business lines”; whereas Gross Income for remaining business lines would be fee-based income only, as no funding cost is involved in these business lines. For a Bank to be eligible for the Standardized Approach, a number of qualitative standards must be met, including: Organization, management and control, audit, and systems.
Advanced Measurement Approach
This allows the capital charge to be derived from the bank’s own loss experiences, within a regulatory framework. The approach is expected to reduce the capital charge for well-managed Banks. It requires a number of more rigorous standards to be met, including maintaining a comprehensive operational risk `loss database’.
Under this method, banks are permitted to use their own internal model to calculate the required capital, subject to, of course, supervisory approval on the following:
- Active involvement of directors and senior management in the oversight of the operational risk management framework.
- Implementation of conceptually sound risk management system with integrity.
- Process of sufficient resources that are required to manage different business lines and to manage `control’ and `audit’ functions effectively.
Banks are required to estimate Expected Loss (EL) and Unexpected Loss (UL) at a 99.9th percentile confidence level over one year holding period using 5-year’s operational loss event data (internal as well as external) through statistical analysis. Sum of EL and UL will be the capital charge for Operational Risk.
Monitoring of Operational Risk
As per NRB directives, banks should develop a regular reporting of the information to senior management and the board of directors that supports the proactive management of operational risk. Senior Management should establish a program to:
• monitor assessment of the exposure to all types of operational risk faced by the bank;
• assess the quality and appropriateness of mitigating actions, including the extent to which identifiable risks can be transferred outside the bank; and
• ensure that adequate controls and systems are in place to identify and address problems before they become major concerns.
Monitoring assumes greater importance especially in the context of commercial banks adopting centralized banking solutions or core banking solutions whereby data processing or transaction processing is undertaken at a centralized hub. In such a scenario, the field level functionaries who originate the transaction will loose track of the monitoring role and when the data is processed elsewhere, the operational risk monitoring at the unit level remains weak. While no doubt, the unit level functionaries will be able to obtain reports at the end of the day of all the transactions processed for the branch, it will be too late to retrieve any fraudulent transactions that might have gone through. Hence, proper checks and balances, authorizations at the unit level before the transaction is processed will have to be put in place.
Controls and Mitigation of Operational Risk
While formulation of policy is the function of the top management, ongoing effective control and monitoring is a function of the line management and sound internal control is very important for a bank’s ability to meet its established corporate objectives and maintain financial viability. Banks should assess the feasibility of alternative risk limitation and control strategies. Banks should adjust their operational risk profile using appropriate strategies, in light of their overall risk appetite and profile. To be effective, control activities should be an integral part of the regular activities of a bank. A framework of formal, written policies and procedures is necessary; it needs to be reinforced through a strong control culture that promotes sound risk management practices.
The increased competition resulting out of deregulation and globalization are making banks’ activities more diverse and complex. Aggressive adoption of technology for delivering financial services has only landed banks in new zones of operational risk. Therefore, effective operational risk management is critical to the well-being of the bank.