Operational Risk Management

In its broadest sense, risk means exposure to adversity. The Concise Oxford Dictionary defines risk to imply something bad, “the chance of bad consequence, loss, etc.” Webster’s defines risk in a similar manner to imply bad outcomes, “a measure of the possibility of loss, injury, disadvantage or destruction”. Following the Concise Oxford Dictionary, Vaughan (1997) defines risk as “a condition of the real world in which there is an exposure to adversity”.

In 1974, the German authorities ordered the immediate liquidation of Bankhaus Herstatt, a German commercial bank that, as a result of its closure, failed to deliver U.S. dollars to counterparties with whom it had previously struck foreign exchange deals. This event gave rise to the concept of “Herstatt risk”, which is a kind of operational risk associated with the settlement of foreign exchange transactions. Losses can result from Herstatt risk because currency trading requires the settlement of commitments in two independent national payment systems. The process typically involves the delivery of the currency sold before the receipt of the currency bought. Thus, the bank delivering the currency sold would lose if the bank buying this currency does not deliver the other currency (because of insolvency or liquidation, which is what happened in the Herstatt case). In this case, the selling bank effectively extends unsecured loan to the buying bank. How much of the loan will be recovered depends on the estate in the bankruptcy’s treatment of the bank’s dividend demand. For details of the Herstatt case, see BCBS (2004b, pp. 4 – 6).

Unlike the Basel I Accord, which had one pillar (minimum capital requirements or capital adequacy), the Basel II Accord has three pillars: (i) minimum regulatory capital requirements, (ii) the supervisory review process, and (iii) market discipline through disclosure requirements. Fischer (2002) argues that the three pillars should be mutually supporting. The effectiveness of the first pillar depends on the supervisor’s ability to regulate and monitor the application of the three approaches to the determination of the minimum regulatory capital, whereas wider public disclosure and market discipline will reinforce the incentives for sound risk management practices. The BCBS (2005b) notes that banks and other interested parties have welcomed the concept and rationale of the three pillars approach on which the Basel II Accord is based. The Committee also notes that it is critical for the minimum capital requirements of the first pillar to be accompanied by a robust implementation of the second and third pillars.

What is common between Nick Leeson and John Rusnak? Do they in any way have anything in common with Saddam Hussein? What is common among rogue trading, fraud, theft, computer hacking, industrial espionage, the onslaught of computer viruses, threats to personal privacy, loss of reputation, loss of key staff members, and the loss of information technology infrastructure? What is common among what happened to the Bank for Credit and Commerce International (BCCI) in 1993, Barings Bank in 1995, Diawa Securities in 1995, Bank of America in 2001, the Allied Irish Bank in 2002, the Central Bank of Iraq in 2003, and the Central Bank of Brazil in 2005? And what is common among Enron, Arthur Andersen, WorldCom, and HealthSouth? The general answer is simple: the names, (mal)practices, and events pertain to operational losses resulting from exposure to operational risk. To see the connections, let us examine these questions in turn.

The heterogeneity of operational risk makes it necessary to come up with a system for classifying it and identifying its components. Hubner, Laycock, and Peemoller (2003) argue that one important advance in the rapidly improving understanding of operational risk is that the disaggregation and classification of operational risk is being put on a more rational footing. All efforts to define, analyze, and interpret operational risk are based on endeavors to come up with collections of risk types and the losses associated with these risks. Disaggregation involves separating out the different components of a risk cluster into categories.

More than a century ago, the Irish mathematician and physicist Lord Kelvin (1842–1907) made the following statement (cited in King, 2001):

I often say when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind.

Lord Kelvin’s remarks relate to science, which is naturally more precise than trying to measure the “ghost” of operational risk. But before talking about the measurement of operational risk, it may be worthwhile to go back to 1707 when Britain, then the supreme naval force, lost four ships and 2000 sailors because of inadequate measurement. That happened on a foggy night of October that year, but there was no battle at sea then. Not knowing exactly where they were, the four ships under the command of Admiral Clowdisely Shovell smashed into the rocks of the Scilly Isles off the Southwest Atlantic coast of England. How did that happen under the watch of such an experienced admiral? He simply miscalculated his position (longitude and latitude) in the Atlantic because he did not have the instruments to do that, basing his calculations instead on an intellectual guess of the average speed of his ship.

The total loss distribution, from which the capital charge is calculated, is obtained by combining, using Monte Carlo simulations, the loss frequency distribution and the loss severity distribution. The following is a simple description of Monte Carlo simulations.

The management of operational risk is not a new idea, neither is it an activity that firms have not indulged in. On the contrary, firms have always striven to manage the risk of fire through insurance and fire safety measures. Furthermore, they have always had specialists who managed other kinds of operational risk, such as the lawyers and other legal specialists who are involved in managing legal risk and the structural engineers who look after buildings and structures. This is typically done both proactively (for example, by providing advice to management prior to signing a contract and by maintaining buildings) and reactively (by providing legal representation in a court of law, representing the firm in out-of-court settlements of disputes, and doing repair work on damaged structures).

In any study of operational risk, and the Basel II Accord that elevated it to explicit prominence, we are bound to encounter a number of critical questions pertaining to highly controversial issues encompassing a multitude of debatable topics. What we try to do in this chapter is to recount these questions, issues, and topics to find out how much we have learned by going through the previous eight chapters.