Book 3. Operational Risk

FRM Part 2

OR 1. Introduction to Operational Risk and Resilience

Presented by: Sudhanshu

Module 1. Operational Risk Categories

Module 2. Operational Risk Characteristics

Module 1. Operational Risk Categories

Topic 1. Operational Risk Management (ORM) Framework

Topic 2. Event-Driven Risk Categories (Basel II)

Topic 3. Seven Categories of "Level 1" Loss Events

Topic 4. Types of Risks Within ORM Framework

Topic 1. Operational Risk Management (ORM) Framework

  • Definition (Basel Committee): Operational risk is “the risk of loss resulting from inadequate or failed internal processes, people, systems, or from external events.”
  • ORM Framework – Four-Step Cycle:
    1. Risk Identification: Identifying all risks negatively impacting firm's business goals. Techniques: group brainstorming and interviewing staff.
    2. Risk Assessment: Assessing the probability and severity of identified risks. Tools:
      • Scenario analysis
      • Stress testing
    3. Risk Mitigation: Reducing high-probability, high-severity risks. Methods:
      • Internal controls
      • Insurance
      • Exposure minimization
    4. Risk Monitoring: Tracking and verifying ORM performance. Tools:
      • Key Risk Indicators (KRIs)
      • Incident reporting
  • The cycle is iterative: it restarts with remedial actions after monitoring.

Practice Questions: Q1

Q1. During which step of the risk management process would scenario analysis most likely be used?
A. Risk mitigation.
B. Risk monitoring.
C. Risk assessment.
D. Risk identification.

Practice Questions: Q1 Answer

Explanation: C is correct.

Risk assessment involves determining the probability and severity of the risks identified as a means of prioritization. It must also be considered that both probability and severity will likely change over time and depend on the situation.
Tools such as stress testing and scenario analysis would be used in this step.

Topic 2. Event-Driven Risk Categories (Basel II)

  • Basel II Framework: Provides seven "Level 1" loss event categories adopted by most firms for ORM requirements

  • Comprehensive Coverage: Seven categories designed to capture all potential operational risks within organizations

  • Category-Specific Modeling: Loss event data modeling approaches differ for each of the seven risk categories

  • Consistency Over Accuracy: Similar events must be categorized the same way; consistent classification more important than perfect accuracy

  • Risk Mapping Requirement: Firms need comprehensive risk-mapping exercise detailing every major organizational process

  • Variable Impact: Severity and frequency of losses vary dramatically across the different risk categories.

Topic 3. Seven Categories of "Level 1" Loss Events

  • Seven Basel II "Level 1" Categories (examples, typical frequency, typical severity):
    1. Internal Fraud (IF): employee defalcation, employees bypassing internal controls. Frequency: Low. Severity: Low.
    2. External Fraud (EF): credit card fraud, losses from hacking. Frequency: High. Severity: Low.
    3. Employment Practices and Workplace Safety (EPWS): employee termination and discrimination. Frequency: Moderate. Severity: Low.
    4. Clients, Products, and Business Practices (CPBP): client complaints, regulatory fines. Frequency: High. Severity: Very High.
    5. Damage to Physical Assets (DPA): weather-related events, negligence. Frequency: Low. Severity: Low.
    6. Business Disruption and System Failures (BDSF): IT problems, service interruptions. Frequency: Low. Severity: Low.
    7. Execution, Delivery, and Process Management (EDPM): clerical errors, insufficient documentation. Frequency: High. Severity: High.
  • Risk classification must be consistent to maintain ORM effectiveness.

Practice Questions: Q2

Q2. Which of the following Basel II event risk categories most likely results in the greatest loss severity for a financial institution?
A. External fraud (EF).
B. Client, products, and business practices (CPBP).
C. Employment practices and workplace safety (EPWS).
D. Execution, delivery, and process management (EDPM).

Practice Questions: Q2 Answer

Explanation: B is correct.

Based on bank operational loss data for 2014–2019, CPBP accounted for 52% of loss severity (very high loss severity), which was by far the greatest of the seven types. It was followed by EDPM, which accounted for 27% of loss severity (high loss severity).

Topic 4. Types of Risks Within ORM Framework

  • Legal Risk: Potential losses from enforcement issues or non-fulfillment of contractual agreements

    • Most legal risks originate from EPWS events (Type 3) and EDPM events (Type 7)

    • Centers on legal consequences when contracts cannot be properly executed or enforced

    • Creates measurable financial losses through legal proceedings and contract failures

  • Compliance Risk: More specific than legal risk, focuses on following appropriate policies and procedures

    • Lack of compliance primarily seen in CPBP events (Type 4) with substantial monetary fines
    • Related monetary fines have increased substantially over the past 10 years
    • Many firms established dedicated compliance departments to manage this specific risk
  • Reputational Risk: More subjective risk involving reputational loss from significant operational events

    • Requires prevention methods and post-incident management strategies
    • Can be direct risk in specific contexts (product specialization, geographic regions)
    • Sometimes assumed deliberately in hopes of achieving greater profitability
    • Loss from bad strategic choices or poor implementation.

  • Strategic Risk: Poor strategic decisions OR inadequate implementation of good strategies

    • Common denominator is senior management quality and decision-making capability
    • Performance impacted by personnel experience, information reliability, and governance strength
    • Important subset of operational risk due to management's critical role in financial institutions

Module 2. Operational Risk Characteristics

Topic 1. Characteristics of Operational Risks

Topic 2. Operational Resilience: Framework Overview

Topic 3. Regulatory Expectations: UK

Topic 4. Regulatory Expectations: U.S.

Topic 5. Regulatory Expectations: BCBS

Topic 6. Regulatory Expectations: Other Regulators

Topic 1. Characteristics of Operational Risks

  • Operational risks have five general attributes: (1) heterogeneous, (2) idiosyncratic, (3) heavy tailed, (4) interconnected, and (5) dynamic, each of which presents challenges in managing operational risk.

  • Heterogeneous

    • Heterogeneous nature requires extensive diligence to organize risks into useful categories
    • Even within major risk types, significant differences exist (minor typos vs. million-dollar transcription errors)
    • Operational risks arise differently with varying implications and loss distributions
    • Encompasses diverse risks from minor credit card fraud to major physical asset losses from weather events

  • Idiosyncratic
    • Cannot be centralized like other financial risks; distributed throughout the organization
    • Must be managed by each individual employee through error prevention and minimization
    • Robust firm-level controls and procedures enable employees to mitigate much operational risk themselves
    • Despite traditional risk management efforts, idiosyncratic nature ensures some operational risk always remains
  • Heavy Tailed
    • Many minor losses (service fees, credit card fraud) with few major losses (rogue trading, cyberattacks)
    • Significant left-tail skew where major losses are infrequent but considerably higher than median
    • Minor risks can be treated as business costs; major loss potential cannot be ignored
    • Fat tails and excess kurtosis complicate quantification with limited historical precedent
  • Interconnected
    • Many operational risks correlate due to shared causes like control weaknesses and human error
    • Operational risks connect to financial risks (credit and market) through various channels
    • Risk events that begin as one type but affect another (e.g., trading errors creating market losses)
    • Operational risks interact with other risks in unknown, complicated, and difficult-to-quantify ways
  • Dynamic
    • Operational risks constantly change with business practices within firms and across industries
    • Financial industry fines increased substantially in recent years, causing unexpected operational losses
    • Shift from manual to electronic banking created new cyber fraud operational risks
    • Dynamic nature makes operational risks difficult to model or quantify in advance
    • Risk managers must adopt reactive rather than proactive strategies for operational risk management

Practice Questions: Q1

Q1. Which of the following characteristics of operational risk best identifies the concept that operational risk cannot be fully eliminated through traditional methods, such as hedging?
A. Dynamic.
B. Idiosyncratic.
C. Heterogeneous.
D. Interconnected.

Practice Questions: Q1 Answer

Explanation: B is correct.

Idiosyncratic risk refers to the idea that operational risk cannot be fully eliminated through traditional methods such as avoidance, hedging, or insurance and that there will always be some residual risk.

Topic 2. Operational Resilience: Framework Overview

  • Definition: The ability of firms to anticipate, react to, and recover from business disruptions.
  • Key Components
    • Business Continuity: Minimize disruptions to business processes.
    • Key Services: Identify and protect critical services.
    • Impact Tolerance Levels: Acceptable disruption time, or the time needed to recover from an incident.
    • Disruption Processes: Response planning, maintaining stakeholder confidence, and effective communication during disruptions.
    • Feedback: Post-incident learning and enhancing the ability to deal with unexpected, high-impact events.

Topic 3. Regulatory Expectations: UK

  • U.K. Regulations

    • Collaborative Framework: 2018 regulations developed jointly by UK Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England (BoE)
    • IT Service Focus: Primary emphasis on maintaining continuity of IT services following cyber security incidents
    • COVID-19 Adaptations: 2020 pandemic required further regulatory adjustments for increased work-from-home arrangements
    • Security Environment Shift: Regulations adapted to handle electronic transactions in less secure external/remote environments versus pre-pandemic internal systems

Topic 4. Regulatory Expectations: U.S.

  • U.S. Regulations

    • Operational Resilience Goal: 2020 Federal Reserve guidance positioned operational resilience as the major outcome of effective ORM frameworks
    • Governance Foundation: ORM framework starts with governance as the central element supported by key components
    • Dual Support System: Third-party risk management (supply chain resiliency) and scenario analysis (low-probability, high-severity events) provide critical support
    • Comprehensive Integration: Business continuity management, IT systems resiliency, and surveillance/monitoring work together to ensure operational resilience

Topic 5. Regulatory Expectations: BCBS

  • Basel Committee on Banking Supervision (BCBS) seven principles of operational resilience (2021):

    1. Governance
    2. Operational risk management
    3. Business continuity planning and testing
    4. Mapping interconnections and interdependencies
    5. Third-party dependency management
    6. Incident management
    7. Information and communications technology (ICT), including cybersecurity
  • Governance Integration: Principles 1 and 2 require banks to incorporate operational resilience into overall risk management using existing governance systems as foundation
  • Core Resilience Elements: Principles 3, 5, and 7 mandate business continuity plans, third-party dependency control, and ICT development for maximum resiliency
  • Incident Management Framework: Principles 4 and 6 require awareness of interconnections/interdependencies and established incident response/recovery processes for continuous service provision

Topic 6. Regulatory Expectations: Other Regulators

  • Key Regulatory Leaders: As of May 2022, UK, US, and BCBS serve as primary regulators providing operational resilience guidance
  • European Digital Focus: ECB's 2020 Digital Operational Resilience Act (DORA) promotes digital finance while managing risks through consistent EU-wide IT requirements
  • Singapore Remote Work Response: 2021 MAS-ABS publication addressed operational resiliency for pandemic-driven remote work, covering operations, IT, fraud, legal, and regulatory risks
  • Employee Education Priority: Singapore guidance emphasized need to educate WFH employees about changed work environments and new cyber/fraud risks

Practice Questions: Q2

Q2. To date, which of the following entities is least likely to be considered a key regulator to have issued official guidance for operational resilience?
A. Bank of England.
B. U.S. Federal Reserve.
C. European Central Bank.
D. Basel Committee on Banking Supervision.

Practice Questions: Q2 Answer

Explanation: C is correct.

To date, the United Kingdom (Bank of England, or BoE), the United States (Federal Reserve), and the BCBS are the three key regulators to have provided official guidance regarding operational resilience.

Practice Questions: Q3

Q3. Which of the following pairs of resilience principles directly address the issue of providing critical services with minimal or no disruption?
A. Third-party dependency management; incident management.
B. Mapping interconnections and interdependencies; incident management.
C. Business continuity planning and testing; third-party dependency management.
D. Business continuity planning and testing; mapping interconnections and interdependencies.

Practice Questions: Q3 Answer

Explanation: B is correct.

Both Principle 4 (mapping interconnections and interdependencies) and Principle 6 (incident management) of the BCBS principles on operational resilience are directly concerned with the delivery of critical operations with minimal or no disruption.