OPERATIONAL RISK

Operational risk is one of the most complex and broad risk faced by financial
institutions. Operation means processed systems which are used in the
organization. It is there in every nook and corner of the organization. It is not easy
to manage this risk.
Operational risk is faced by all types of organizations. No organization can avoid it.
Simpler organizations will face lower or simpler form of operational risk. A complex
organization will face greater or complex form of operational risk.
Operational risk always arises from deviations which come in business enterprise.
When organization deviates from planned path and actual performance does not
match with planned performance.
DEFINITION: it is a risk of loss resulting from inadequate or failed internal
process or people or system or any external event (like earthquake). This all
results in operational risk.
It affects the profitability position of the company. Operational risk can result in
lower business volume.

HOW IT EMERGED?
Operational risk was always there in the banking system. It has no doubt become
important suddenly because earlier selected financial products were offered,
interest rates were regulated etc.
But now technological advancements, geographical outreach, deregulated regimes,
plethora of financial services offered, complexity of products, complexity in
organization structure is there, so operational risk has become more prominent.

1.
2.
3.
4.

NATURE OF OPERATIONAL RISK FACED BY BANKS

Everywhere in the organization
Operational risk vary in components
It was always there, is there and will always be there.
Organizations which are undergoing change are more prone to operational
risk.

STEP I - SOURCES OF OPERATIONAL RISK

Sources of
operational
risk

Cause
based
classificatio
n

People
oriented
causes

Process
oriented
causes

Transaction
Based

Effect based
classificatio
n

Technology
oriented
causes

Event based
classificatio
n

External
causes

External
control
based

A. CAUSE BASED CLASSIFICATION

1. PEOPLE ORIENTED CAUSES: Some being cautiously done and some not
done cautiously. These are:

Wrong person appointed

Out of negligence (not cautious worker)
Insufficient training
Integrity (because if the basic nature of the person is corrupted, he will find
ways to steal or embezzle. This will result in operational risk.)

2. PROCESS ORIENTED CAUSES

Process
oriented
causes

Transaction
Based

Operationa
l control
based

(a) Transaction based

Business volume fluctuations
Organization complexity (More complex structure, more chances of
risk)
Product complexity
Major changes done in the organization
(b)Operational control based
Inadequate segregation of duties
Lack of management supervision
Inadequate procedures followed
3. TECHNOLOGY ORIENTED CAUSES
o Poor technology
o Obsolete applications (no use of computers)
o Lack of automation
o Not adequate information system
4. EXTERNAL CAUSES
o Operational loss due to third party
o Natural calamity
o Political instability

B. EFFECT BASED CLASSIFICATION

o
o

Any regulation compliance not done like tax evaded, not filed
documents with RBI will result in operational risk
Loss or damage to assets

C. EVENT BASED CLASSIFICATION

o

Internal fraud (like window dressing done)

o
o

Any damage to physical assets

Any amount of business disruption and system failure

STEP II - QUANTIFYING
OPERATIONAL RISK

OR

MEASURING

THE

It is the most difficult task to measure the operational risk. Behaviour pattern
of operational risk does not follow the statistically normal distribution pattern
and that makes it difficult to estimate the probability of an event resulting in
losses. There are three approaches to measure operational risk:
i.
The basic indicator approach
ii.
The standardized approach
iii.
Advanced measurement approach
Of these, basic indicator approach and standardized approach are based on income
generated. The advance measurement approach is based on operational loss
measurement.

The basic indicator approach: Banks using basic indicator approach

i.

must hold capital for operational risk equal to average over the previous
three years of a fixed percentage (15%)of positive annual gross income.
Figures for any year in which annual gross income is negative or zero should
be excluded from both the numerator and denominator while calculating the
average.
Capital Charge = Average Gross income of previous 3 years * 15%

The standardized approach: In the standardized approach, banks

ii.

activities are divided into 8 business lines: Corporate finance, trading and
sales, retail banking, commercial banking, payment and settlement, agency
services, asset management and retail brokerage.
Within each business line, gross income is a broad indicator that indicates the likely
scale of operational risk exposure within each of these business lines. The capital
charge for each business line is calculated by multiplying gross income by a factor
(Beta) assigned to that business line.
Business lines Beta Factors

Corporate finance 18%

Trading and sales 18%
Retail banking 12 %

Commercial Banking 15%

Payment and settlement 18%
Agency services 15%
Asset management 12%
Retail brokerage 12%
Capital Charge = Gross income of the bank * B factor of the
concerned business line
Consolidation of capital charge of all the 8 activities will be total capital
charge.

iii.

Advanced Measurement Approach

It is not based on the concept of gross income generated. It uses quantitative
and qualitative criteria for the measurement of risk.
It comprises of 3 components:
(a) Estimated probability of occurrence: This will be based on historical
frequency of occurrence and estimated likelihood of future occurrence.
(e.g. last year 10 persons defaulted so this year also there is a probability
that around 10 persons will default). Probability is mapped on a scale of 5
where:
1 implies negligible risk
2 implies low risk
3 implies medium risk
4 implies high risk
5 implies very high risk
(b) Estimated potential financial impact: This will be based on severity of
historical impact and estimated severity of impact from unforeseen
events. Probability is mapped on a scale of 5 as:
1 implies negligible risk
2 implies low risk
3 implies medium risk
4 implies high risk
5 implies very high risk
(c) Estimated impact of internal control: This will be based on historical
effectiveness of internal controls and estimated impact of internal control
on risks. It is estimated in percentage.
Thus, Estimated level of operational risk = Estimated probability of
occurrence * estimated potential of financial impact * estimated
impact of internal control
For example:
Probability of occurrence = 2 (medium)
Potential financial impact = 4 (very high)
Impact of internal controls = 50%

Estimated level of operational risk = 2 * 4 * (1-50%)

= 4 (this shows there is
operational risk)

high

level

of

STEP III POLICY FORMULATION

Board of directors formulate policy for operational risk. Overall responsibility
for framing, managing and implementing policy lies with the board of
directors. A proper organization structure for risk management has to be set
up. A committee has to be set up for dealing with operational risk.

STEP IV REPORTING
The top management has to make a report relating to the level of operating
risk prevailing in the organization. This report has to be submitted to RBI on
fortnightly basis.

STEP V MONITORING AND CONTROLLING

The data relating to operational risk has to be collected and techniques are to
be used to manage and control this risk.