Operational risk: dimes, disasters and Swiss cheese

Christopher J Pennington, Chartered MCSI, trainer at CISI Accredited Training Provider Fitch Learning, explains the need for a greater understanding of operational risk in advance of Basel III changes due to be implemented in January 2023

What is operational risk and why should we all care? A simple answer is because of the Basel Committee on Banking Standards (BCBS). The Basel III framework implements a single standardised approach for calculating operational risk-weighted assets. This will replace the three approaches currently permitted.

What’s it got to do with us? BCBS has stated that “A bank’s internal loss data must be comprehensive and capture all material activities and exposures from all appropriate subsystems and geographic locations.” In addition, banks are expected to have at least ten years’ worth of operational risk data to be used within the calculation as part of the standardised approach. Your job role is potentially going to have to evolve to meet the demands placed on your employer by these changes.

The proposed implementation date is 1 January 2023 (extended from 1 January 2022 because of the impact of Covid-19), and the clock is ticking! So perhaps gaining a better understanding of operational risk isn’t such a bad thing.

What is operational risk?

Although there is no one official definition, the most widely accepted definition is the one provided by the BCBS and the Bank for International Settlements (BIS) in their paper titled Principles for the sound management of operational risk: "Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."

BCBS and BIS include legal risk within their definition but exclude both strategic and reputational risk.

The definition can be represented with the simple diagram on the right.
  • People: You and me
  • Process: The things that you and I do
  • IT and systems: What we use
  • External events: The real-world influences

Put bluntly: You are, I am, we are the operational risk. What we do and what we use is also part of operational risk. And we are all influenced by what is going on around us.

Operational risk is just another risk … isn’t it?

Risk is the chance or possibility of damage, loss, injury or adverse consequence. Simply put, something bad (adverse consequence) might (probability) happen in the future.

By taking the probability and combining it with the likely impact of the adverse consequence we can create a simple risk score. This makes a significant assumption: that there is a large amount of observable, repeatable data. This data is interpreted using mathematical and statistical models. This might fit very well with how we view credit risk and market risk, but does it fit with operational risk?

Let’s look at uncertainty. This can be described as the feeling of not being sure what will happen in the future. We no longer have a large amount of observable, repeatable data to hand. We are now far more subjective in the opinions we form. It becomes far more difficult to plan or manage what might be happening in the future.

For market and credit risk we have vast quantities of data and information at our fingertips. We can easily access such things as: daily stock prices, indices, macro-economic data (e.g. inflation, interest rates and GDP) and credit ratings. However, for operational risk, how much data and information do we have? In truth, very little. There are no truly publicly accessible repositories of operational risk data. We can find snippets of information, bits and pieces of data, but nothing like the global scale of data and information we have for credit and market risk.

So, should we be referring to operational risk, or would operational uncertainty sound like a better description?

Data isn’t the only difference

Operational risk is different to market and credit risk for reasons beyond the availability, or lack, of data. Three main differences are:

  • Knowledge levels

    Since the first person bartered three chickens for a goat, we’ve been exposed to market risk and credit risk. They’re ever-present elements within financial markets. We’ve spent millennia dealing with them and have developed a vast array of techniques and tools to manage and mitigate them.

    Operational risk has probably been around just as long, but it has never received the same focus and attention as its siblings. We’ve not developed the tools and techniques to manage it to the same levels as for credit and market risk. And because we weren’t paying that much attention, our knowledge levels are greatly lacking. It is only in recent times that this knowledge gap is starting to be addressed.

  • Unique risk profiles

    Each financial institution is unique, which then creates a unique operational risk profile. Operational risk tends to be far more institution specific than either market or credit risk. If interest rates fall, then the impact is felt across the market, but if an employee of a firm presses the wrong button then [normally] the impact is felt by the institution alone.

  • One-way street for risk versus reward

    One of the core mantras within financial markets is that the higher the risk, the higher the expected reward.

    This fits for both credit risk (high yield bonds will provide a higher return, but carry a greater probability of default than investment grade bonds) and market risk (the unicorn start-ups that become billion-dollar businesses amongst the tens, if not hundreds of thousands of failed start-ups versus the perceived stable blue-chip companies). The more operational risk that you take on, the only certainty is that you’ll ultimately lose. You don’t get rewarded for operational risk in the same way that you do for market and credit risk. Operational risk is a one-way street for risk/reward!

Dimes and disasters

There is little data on operational risk publicly available. However, one source is operational risk management association ORX. Unfortunately, it no longer makes as much data freely available as it used to. Its 2020 Annual Banking Loss Report provided data on the frequency and impact of operational risk events based on data collected from 97 banks globally. They reported over 59,000 losses greater than €20,000 with a total value greater than €15.8bn. The very small tip of the iceberg, but it’s better than nothing.

The ORX data for the number and value of losses above creates the following graph of the banking losses report for 2020 (2019 losses).

We get a ‘smile’. On the left, we have a large number (60.7%) of losses between €20,000 and €50,000 that account for only 6.9% of the €15.8bn total. These are our dimes: high frequency, low impact events. On the right we have 0.2% (119 out of 59,437) of the loss events greater than €10m, accounting for 55.8% of the €15.8bn total losses. These are our disasters: low frequency, high impact events. To emphasise just how much of a disaster these events can be, the top ten events for 2019 as reported to ORX represent 28% of the €15.8bn total. That’s ten events totalling €4.4 billion!

Operational risk is dimes and disasters: the high frequency, low impact events that we’ve come to live with and accept as the price of doing business, and the low frequency, high impact events that we work on to mitigate and reduce any impact, with a hope that the capital reserves will be able to cope in a worst-case scenario.

A key set of tools in the battle against operational risk events are controls. To be in business means that we are exposed to inherent risks. We apply effective controls, and the result [hopefully] is that we are left with a level of residual risk that is within our risk appetite. The key word in the last sentence is ‘effective’ – controls alone are not the answer. The controls used must be effective if they are to address the dimes, or more specifically the disasters.

Swiss cheese anyone?

Controls are rarely used in isolation. Invariably we have multiple controls working together, but these are not infallible. Think of a control as a slice of Swiss cheese – the less effective it is the greater the holes in the slice. As we add more and more slices, we are aiming for the potential weakness in one control to be countered by the strengths in another control. But these are still slices of Swiss cheese and they do have holes in. What happens if our slices align themselves, so a hole runs all the way through our slices? Unlikely? Hence low frequency, but the impact might be high! We have our disaster, or Black Swan event.

Most people will have heard of the events at Société Générale in 2007–08, when the actions of a junior trader, Jérôme Kerviel, resulted in losses reportedly valued at €4.9bn.

In the subsequent investigations, various failings were identified as to how he had been able to commit the fraud. His access to various computer systems is often referred to as such a failing. But dig a little deeper and there is a control that is universally applied within financial institutions that was also breached. If you work in a financial institution you are typically required to take two weeks’ consecutive holiday in a year. This control is used to help identify potential fraud or malpractice. Kerviel had taken very little holiday. This fact was raised formally by a manager on four occasions, but never escalated. A simple control, but only effective if applied and properly monitored. Société Générale didn’t lose €4.9bn because a single control failed, but unfortunately for them, the slices of Swiss cheese aligned.

Not every control failure results in a loss, but each failure is another slice of Swiss cheese aligning for the Black Swan event.

What can you do?

Operational risk isn’t going away, and it’s only going to become a bigger part of any bank’s risk management. This is being fuelled at least in part by BCBS implementing a single standardised approach for calculating risk-weighted assets for operational risk and the increased need to collect data and information. This latter point is going to be felt across organisations. Hence the need now to better understand operational risk to be prepared for when the change does come on 1 January 2023.


About the author: Christopher J Pennington, Chartered MCSI
Chris is one of FitchLearning’s leading senior trainers with over 15 years’ experience in the classroom and the learning and development environment.
 
Chris draws upon a successful career in financial services that spanned over 20 years. He began his career in securities services, where he gained a broad knowledge of financial markets, operational areas and the inherent risks. Chris progressed to client relationship management, where his expertise and knowledge was used to service a global client base, often addressing and resolving operational risk issues.

Chris now shares his knowledge and experience with the graduates, new starters, and staff at all levels he interacts with. He prides himself on helping those he interacts with understand the many complex concepts that exist within the financial markets. He explains complex concepts in a clear and concise manner. His skills in this area have been called upon by many clients across Europe, the Middle East and Asia Pacific.

This article was originally published on the FitchLearning site. Updated by Christopher Pennington for The Review and published with permission by FitchLearning.

Views expressed in this article are those of the author alone and do not necessarily represent the views of the CISI.

 

Published: 19 Jan 2022
Categories:
  • International regulation
  • Training, Competence and Culture
  • Risk
  • Operations
Tags:
  • operational risk
  • Basel III
  • Basel Committee on Banking Standards
