Operational Risk Management
Aug. 24, 2023, 6:24 a.m.
OPERATIONAL RISK
Banks
- 1995: Barings Bank sinks after losing USD 1.4 bn to unauthorized trading.
- 2001: Allied Irish Bank loses USD 691 mio (same reason).
- 2003: National Bank of Australia loses AUD 180 million
- 2007: Societe Generale lost USD 7.5 billion due to fraud
- 2007-2008: Subprime crisis brings down the wealth of the whole world
- European debt crisis, which began with a deficit in Greece in late 2009, and the 2008–2011 Icelandic financial crisis
- 2019: Failure of PM Coop Bank; INR 65 Bn; loans to HDIL not repaid; bank cover-up
- 2020: Yes Bank: tight monetary policy; shocks from demonetisation, GST, RERA, massive collapse of IL&F, etc.; high reliance on bulk deposits; high cost of funds
- 2023: Failure of First Signature Bank, Silicon Valley Bank
List Of Seven Largest Bank Failures
Definition of Operational Risk (Basel II)
- Operational risk is defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” It includes legal & compliance risk, but excludes strategic and reputation risk.
Reasons behind Operational Risk
- Increasing use of automated technology
- Emergence of E-Commerce
- Expansion in banking activities
- Increasing customer demands
- Emergence of new products and services
- Evolving outsourcing arrangements
- Increasing focus by regulators on legal, fraud and compliance issues
- Climate Risk
- ESG Requirements
- Outsourcing
- M&As/ Demergers
- AML/CFT risk
Top Risks as per Risk.Net- 2022
- IT Disruption
- Data Compromise
- Resilience Risk
- Theft & Fraud
- Third Party Risk
- Conduct Risk
- Regulatory Risk
- Org. Change
- Geopolitical Risk
- Employee well being
- And mine: Geobio Political risk
Operational Events - Process
- Incorrect transactions
- Collateral management failure
- Compliance Issues
- Accounting and taxation errors
- Inadequate record-keeping or documentation
- Data entry errors
Operational Events - People
- Fraud
- Employee illness and injury
- Workers compensation claims
- Discrimination claims
- Insufficient employee capacities
- Problems relating to recruiting or retaining staff
Operational Events – Systems
- Hardware and/or software failure
- Unavailability and questionable integrity of data
- Unauthorized access to information and systems security
- Telecommunication problems
- Computer hacking or viruses
- CryptoCoins
Operational Events – External Events
- Operational failure at suppliers or outsourced operations
- Fire or natural disaster
- Terrorism
- Theft, robbery caused by anybody outside the organization
Principles 1-3 Developing an Appropriate Risk Management Environment
- Principle- 1: Approval of Board of Directors
- Principle- 2: Independent Audit Function
- Principle-3: Implementation by Senior Management
- Risk Strategy/Policy
- Organization Structure
- Organizational Culture
- Internal Controls
Risk Strategy/Policy
- Bank’s strategy for operational risk governance demands a proper management framework.
- Risk strategy varies on the basis of size, sophistication, nature and complexity of activities.
- Framework should be designed as per risk appetite or tolerance level of each business unit
- Each business line has to comply with the overall risk strategy of a bank
Principles 4-7 Operational Risk Management Process
- Principle- 4: Proper Identification and Assessment of Operational Risk
- Principle- 5: Regular Monitoring and Reporting
- Principle-6: Proper Mitigation and Control
- Principle-7: Establishment of Contingency and business continuity plan
Tools for Assessment
- Key Risk Indicators: A measure that attempts to identify potential operational exposures before they happen and raises a signal if they go outside an established threshold. It serves as a predictive tool which helps to monitor changes in the operational risk profile of a process.
- Risk Control Self Assessment: A way of identifying and mapping operational risks to organizational and process structures. It analyzes internal controls from a risk perspective in order to detect, manage and report weaknesses in controls.
- Operational Loss Database: A database used for collecting, evaluating and reporting operational loss events within the organization
Key Risk Indicators
- Percentage Absenteeism resulting from Illness or Injury
- Number of Vacant Positions
- Percentage of staff turnover
- Percentage training cost against budget
Linkages
Linkages are used as a common language for analyzing operational risk by efficiently identifying, assessing and reporting operational risk related information
Cause, Event and Effect Types
Events
Internal Fraud, Employee Practices and Workplace Safety, Damage to Physical Assets, Process Management, External Fraud, Clients, Products & Business Practices, Business Disruptions and Systems Failures
Cause
- People
- System
- Process
- External
Effects
Legal Liability, Loss to assets, Regulatory Compliance & Taxation Penalties, Reputation, Business/Strategic Impacts
Principles 8-9 Role of Supervisors
- Banks should have a sound internal process to:
  - Evaluate risks
  - Determine the adequacy of their capital base
  - Monitor and report their risk exposures & assess how the changing risk profile affects the need for capital
- If sound processes are absent in the bank, the supervisors could increase the capital charge. In case of any threat to any bank, the supervisors should suggest better techniques to manage the risk
- Supervisors should conduct direct or indirect evaluation of the bank’s policies, procedures and practices related to risk
Principle 10 Role of Disclosure
Banks should disclose their:
- Overall risk profile
- Qualitative and quantitative information about Credit, Market, Interest rate & Operational risks and exposures
- Risk measurement processes
- Risk management strategy
The objective is to allow investors to understand the relationship between the bank’s risk profile and its capital
Operational Risk - Reporting
- Reporting to Board of Directors through Risk Management Committee and Operational Risk Management Committee every Quarter
- Consolidated list of Operational Losses for the half year/year ended….
- Statement of Loss events & Operational losses
- Statement of Near Miss Operational losses
Benefits of Operational Risk Management
- Improve operating efficiency
- Reduce earning volatility
- Improve reputation
- Advance the external rating
- Enhance the performance measurement by linkage to risk sensitivity
- Proper Capital Allocation
Probability/Impact
Probability
1- Rare = once every 10 years
2- Unlikely = every year
3- Possible = once a month
4- Likely = once a week
5- Almost certain = every day
Impact
1- Insignificant = INR < 1,000
2- Minor = INR 1,000 - 10,000
3- Moderate = INR 10,000 - 100,000
4- Major = INR 100,000 - 1 mio
5- Catastrophic = INR > 1 mio
Operational Risk Vs Other Risks
Case # 1: Societe Generale
- A trader carries out trades beyond his permitted trading limit.
- The total exposure he created peaked at about USD 74 billion. He successfully hid his overtrading for two years.
- This happened in the Head Office; not in a remote or obscure office
- On at least 75 occasions Risk Monitors of the bank raised the flag.
- Corrective actions were not forthcoming because:
- Jerome Kerviel was in profit on some of those occasions
- Inspectors/Seniors did not understand the complex products
- On one occasion he himself was asked to draft the reply
- The exposure was detected during the year-end, after global markets had grown wobbly.
- Soc Gen’s decision to wind down outstandings immediately turned out to be wise: initially they were criticized for panicking.
- Total losses booked by Soc Gen: USD 7 billion
- This is a classic case of Operational Risk: process failure
JAN 16 – 23; The final push to a wobbling market
Case # 2 : KfW
- KfW had a prior contracted Swap trade with Lehman Brothers
- KfW had to pay Euros 300 million under the swap and receive USD in exchange as would be the case in swaps: where two parties exchange cash flows
- KfW had set up an automated Monday morning payment through the CLS
- While assessing KfW’s exposure to Lehman on the weekend when the crisis at Lehman came to a boil, various exposures were considered, assessed and quantified.
- No one bothered to check on this automated payment which appears to have been set up on the Friday before.
- On Monday morning before people realized what had happened funds were transferred into CLS and could not be reversed or pulled back.
- Euro 300 m (USD 430+ m) had been paid in to Lehman minutes before its insolvency
- The other leg of the swap, the payment from Lehman never came through as the firm went into liquidation. This is a settlement risk (subset of Credit / Counterparty risk)
- In this case there was in the first instance a flawed assessment of the (settlement) risk of insolvency.
- The Operational Risk aspect is a debate.
- Of KfW’s total exposure to Lehman this one transaction represents 60%.
Case # 3: Bear Stearns / Orchid Chem
- Orchid is a leading pharma company in India.
- The company was an attractive investment target for FIIs: Bear Stearns had a large stake in Orchid
- In the meantime, promoters of Orchid Chemicals wanted to increase the stake in their own company. They placed their shares of Orchid in pledge with Religare/ Indiabulls / ILFS and borrowed money
- In March 2008 Bear Stearns got caught in the sub-prime crisis and was facing insolvency
- In a desperate bid to raise cash and stave off the crisis, Bear sold its global holdings
- In one swift action they sold about 1 million shares of Orchid, causing the share to slide from Rs. 330/- to about Rs. 200/-.
- Lenders to the promoters panicked: the value of the shares held by them had plunged by 44%.
- To protect their credit exposure they sold shares held in pledge to recoup their loans. The share price plunged further to Rs. 110/-.
- Competitors of Orchid took this opportunity to build up stakes, negating the promoters' goals
- This incident shows the fragility of marketable securities held as credit risk mitigant
- It also shows the interconnected nature of risk in the modern world
Case # 4: Mizuho / Tokyo Stock Exchange
- J-Com was a newly listed company on Tokyo Stock Exchange
- The company wanted to initiate trade in its shares on the debut date
- A broker (Mizuho) was asked to put in a trade of 1 share to be traded at Yen 600,000
- By mistake the broker placed a sell order for 600,000 shares at 1 Yen
- (The total shares in J-Com were only 15,000 so the order was a naked short)
- Other traders spotted the mistake and bought, knowing what they were doing.
- The difference between 1 share at Y 600K and 600K shares at Y 1: Y 40 billion; 330 million dollars
- The dealer ignored warning signs from the trading system; there was no price limit set for J-Com shares because the share was new and limits were not known
- Operational Risk events involving trading/ treasury always seem to cause mega-losses
And finally
“No amount of complex modeling can substitute for good judgment about unknowns!”
Frank Knight
Incident Reporting, RCSA etc.
OR Incident Reporting Format
- Date of Incident :
- Date of Reporting Incident :
- Name of the Branch / Unit :
- Region :
- Description of Incident : (not more than 4-5 points)
Creating a Risk Register
- This short and simple exercise will set the stage for a structured walkthrough of the ORM Process, including what is known as the RCSA.
Suppose you are provided with two excel sheets:
- One sheet focuses on processes in consumer finance
- The other focuses on processes in transaction banking
- The rows in each list out the steps/ processes/ sub processes for the particular product.
- The columns require operations staff to provide their opinion on risks, whether they are under control, and if not what possible action can be taken to mitigate the risk.
What you have to do
Step 1
- Pick a small process/sub process (an area of work within your bank)
- List out the steps as rows in the excel
- What in your opinion can go wrong at every step / stage?
- Provide your opinion on what you think is the control level at each stage
Step 2
- You may have an internal audit report, a client inspection report, an error report or a customer satisfaction report. What is required is any one report which captures/ reports on INCIDENTS: observed data from the shop floor in terms of specific events.
- Examine the observations in the report and compare it with the process control level which in your opinion already existed.
- Does the incident/observation align to the level of control which in your opinion already existed?
- Please keep the two steps separate.
- Avoid selecting Step 1 on the basis of what you might already know about Step 2.
- Better still, pick samples which highlight differences rather than paper them over.
- Keep an open mind.
- It is a learning session and the focus is on sharing information for the limited purpose of learning only.
- Let us discuss and find out!
Calculation of ORC as per New Standardized Approach
1. ORC = Business Indicator Component (BIC) x Internal Loss Multiplier (ILM)
2. BIC - Progressive measure of income that increases with a bank's size
Serves as a baseline capital requirement
Calculated by multiplying the BI by marginal coefficients (determined by the regulator based on the size of the BI)
3. BI - Financial statement based proxy for 3 elements (average for last 3 years):
- Interest, Lease, Dividend (absolute value)
- Services Component - absolute values
- Financial Component - absolute value (net P&L on trading book) + absolute value (net P&L on banking book)
4. ILM - Risk-sensitive component capturing the bank's internal losses
Proportional to the ratio of the loss component (LC) & BIC, where LC is 15x the average annual op. risk losses over the last 10 years
Risk weighted assets = ORC * 12.5
All banks need to disclose each BI sub-item for each year
Illustration:
For smaller banks in the bucket 1 category and bucket 2 & 3 banks with less than 5 years of data, and ILM less than 1, ORC = BIC
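The ORC calculation above, carried through as an added worked example (not part of the original tutorial). The bucket limits (EUR 1 bn and EUR 30 bn), the marginal coefficients (12%, 15%, 18%) and the formula ILM = ln(e - 1 + (LC/BIC)^0.8) are taken from the Basel III standardised approach text and are not stated on this page; the sample banks are constructed, and bucket 1 banks and banks with under 5 years of loss data are treated as ILM = 1.

```python
import math

# Basel III (Dec 2017) BI buckets and marginal coefficients, in EUR bn.
# These values come from the Basel text, not from this page.
BUCKETS = [(1.0, 0.12), (30.0, 0.15), (math.inf, 0.18)]


def bic(bi):
    """Business Indicator Component: each slice of BI times its marginal coefficient."""
    total, lower = 0.0, 0.0
    for upper, coeff in BUCKETS:
        if bi > lower:
            total += (min(bi, upper) - lower) * coeff
        lower = upper
    return total


def ilm(loss_component, bic_value):
    """Internal Loss Multiplier: ln(e - 1 + (LC / BIC) ** 0.8), per the Basel text."""
    return math.log(math.e - 1 + (loss_component / bic_value) ** 0.8)


def orc(bi, avg_annual_loss=None, years_of_loss_data=0):
    """Return BIC, ILM, ORC and RWA for a bank with Business Indicator `bi`."""
    b = bic(bi)
    in_bucket_1 = bi <= BUCKETS[0][0]
    if in_bucket_1 or avg_annual_loss is None or years_of_loss_data < 5:
        multiplier = 1.0  # ORC = BIC
    else:
        multiplier = ilm(15 * avg_annual_loss, b)  # LC = 15 x average annual loss
    capital = b * multiplier
    return {"BIC": b, "ILM": multiplier, "ORC": capital, "RWA": capital * 12.5}


if __name__ == "__main__":
    # Constructed sample banks (EUR bn): BI, average annual op. loss, years of loss data.
    for name, args in {
        "small bank": (0.8, 0.05, 10),
        "mid bank, short history": (12.0, 0.30, 3),
        "large bank": (35.0, 0.50, 10),
    }.items():
        print(name, {k: round(v, 3) for k, v in orc(*args).items()})
```

When LC equals BIC the multiplier is exactly 1; a loss history above that level raises the capital charge and one below it lowers the charge.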
Comments (1)
admin
7 months, 3 weeks ago
Good tutorial.