OpRisk Data and Governance

In this chapter, we describe the seven operational risk event types defined by Basel II. We summarize the collection and reporting of internal operational loss data, collection thresholds, and the reporting of expected operational losses. We also explain how a Risk Control Self-Assessment (RCSA) and Key Risk Indicators (KRIs) are applied to identify, control, and assess operational exposures.

We then describe and assess the application of scenario analysis in operational risk management, including the challenges and biases that can arise when it is applied, and compare the typical operational risk profiles of companies in different sectors of finance. Finally, the chapter explains the role of operational risk governance and the impact of a company's organizational structure on risk governance.

OpRisk Taxonomy

Taxonomy is, strictly, the conception, naming, and classification of organisms into groups. Because new risks are encountered regularly, taxonomy has become popular in risk management. Before embarking on a taxonomy, a comprehensive risk mapping exercise must be undertaken, which involves going through the details of every major process in the company.

Although risk classification is the basis of the risk management pyramid, companies still struggle with basic risk classification, which is the starting point of a robust risk management structure. Companies drive the risk taxonomy exercise in one of the following three ways:

  1. Cause-driven approach: The reasons leading to operational losses are the basis of risk classification. It usually follows the old definition of OpRisk as a function of people, systems, and external events.
  2. Impact-driven approach: The financial effect of operational losses is the basis of the classification. Most firms applying this technique rarely invest heavily in OpRisk management and use it mainly to retrieve information from their systems.
  3. Event-driven classification: This is very popular among large companies and classifies risks by OpRisk event. It is the classification adopted by the Basel Committee.

The following sections provide a detailed study of the seven Basel II event types necessary for the Advanced Measurement Approach (AMA).

Execution, Delivery, and Process Management (EDPM)

The EDPM loss event type covers losses from failed transaction processing, including problems with counterparties and vendors.

The frequency of losses in this event type is high. In an environment where banks process large numbers of transactions daily, the losses can be attributed to very common factors, ranging from human error to miscommunication and many more.

Clients, Products, and Business Practices (CPBP)

CPBP loss events are very common and sometimes large, especially in the U.S. The losses include customer and counterparty disputes, regulatory fines for improper business practices or wrong advice, and many more.

Companies based in the U.S. regularly encounter this type of risk because litigation is common there, and it can also be significant for offshore entities.

Business Disruptions and System Failures (BDSF)

In a large firm, this event type is hard to spot. For instance, the financial losses a company incurs because of a system crash would most probably be classified as EDPM losses.

External databases reflect the difficulty of capturing this event type: only a very small number of events are attributed to this type of risk.

External Fraud

These are frauds committed against the company by third parties or outsiders. They range from system hacking to credit card fraud.

Firms dealing with many clients, especially retail firms, are regularly exposed to this type of event.

Internal Fraud

Frauds committed or attempted by employees of a company are referred to as internal fraud. It is one of the least frequent OpRisk loss types because most companies have elaborate control measures.

However, cases such as position mismarking by traders are common, especially for assets for which an accepted mark-to-market (MTM) price is difficult to establish. These are usually low-frequency, high-severity cases.

Employment Practices and Workplace Safety (EPWS)

Compared with Europe and Asia, this risk type is very common in America, which can be attributed either to old-fashioned labor laws or to a culture of litigation against employers.

In businesses like investment banking, employment issues are critical: highly compensated employees often act as advisers to large corporations, and millions of dollars can be lost through litigation or the loss of key personnel.

Damage to Physical Assets (DPA)

These losses come mostly from natural disasters. Most firms rarely collect losses of this type, since they are either too small or extremely large.

The Elements of OpRisk Framework

The following elements apply in all OpRisk frameworks:

  1. Internal loss data
  2. Factors of business environment and internal control
  3. External loss data
  4. Scenario analysis

Internal Loss Data

An operational loss is the gross monetary loss arising from an operational loss event. It includes all costs of the event except opportunity costs, forgone revenues, the costs of managing the risk, and expenditure on improvements intended to stop future operational losses from occurring.

The losses should be classified according to the seven Basel categories and mapped to the business units of the company. Because of their importance to the OpRisk framework, the collection and maintenance of these data are heavily regulated. According to the Basel II regulations, a minimum of five years of data should be collected.

Collecting large volumes of data in different formats and from different geographical locations poses significant problems in securing the data feeds and in ensuring that the data can be backed up and restored after an accident.

Setting a Collection Threshold and Possible Impacts

Most companies set their loss collection threshold in accordance with the Basel regulations. However, this choice of threshold significantly affects the risk profile established for a business unit, particularly in businesses with many daily transactions, e.g., equities or asset management.

In most cases, disregarding small losses can bias a business unit's risk profile and thereby affect the OpRisk capital.

Completeness of Database (Under-Reporting Events)

Gathering data from disparate sources itself introduces an operational risk into the collection of OpRisk data, and this should be avoided. A firm that cannot demonstrate that loss data flows to the central databases with a high degree of reliability will not be allowed to use the more advanced approaches to assessing its risk level, as set out in the Basel Committee on Banking Supervision's documentation (2006).

One of the most costly parts of the data collection process is developing filters that capture operational issues and compute the eventual operational loss.

The OpRisk filter varies from bank to bank depending on the systems in place. It collects all cancellations or alterations made to a transaction, and from these it should compute the OpRisk loss event and several other effects.

Recoveries and Near Misses

Under the Basel II rules, recoveries are not taken into account when computing capital. Because the aim is to approximate losses that occur very rarely, applying mitigation factors would be futile as a way of reducing those losses. Therefore, only gross losses should be considered for OpRisk computation purposes.

Assume a bank transfers money to a party. If all or part of the amount is recovered soon thereafter, a large internal loss has been rapidly recovered. This rapid recovery leads the bank to consider that only the loss net of the rapid recovery constitutes an actual loss. A full rapid recovery, however, is treated as a near miss.
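As an added illustration that is not part of the original chapter, the following Python script applies the rules just described to a constructed set of internal loss records: losses are kept at their gross amount for capital purposes, a loss that is fully recovered rapidly is treated as a near miss and excluded, and events below the collection threshold are dropped. The event-type codes, business-unit names and amounts are assumptions, and raising the threshold shows how a unit's risk profile shifts when small losses are disregarded.

```python
"""Added example (not from the chapter): collection threshold, gross-loss and
near-miss rules applied to a constructed set of internal loss records."""
from collections import defaultdict
from dataclasses import dataclass

# Short codes for the seven Basel II event types (the labels are assumptions).
EVENT_TYPES = {"IF", "EF", "EPWS", "CPBP", "DPA", "BDSF", "EDPM"}


@dataclass
class LossEvent:
    event_id: str
    event_type: str
    business_unit: str
    gross_loss: float            # full cost of the event before any recovery
    rapid_recovery: float = 0.0  # amount recovered soon after the loss

    @property
    def net_loss(self) -> float:
        # What the business unit tends to regard as the "actual" loss.
        return max(self.gross_loss - self.rapid_recovery, 0.0)

    @property
    def is_near_miss(self) -> bool:
        # A full rapid recovery is recorded as a near miss, not a loss.
        return self.rapid_recovery >= self.gross_loss


def capital_losses(events, threshold):
    """Events that count for capital: gross amount (recoveries ignored),
    at or above the collection threshold, near misses excluded."""
    kept = []
    for e in events:
        if e.event_type not in EVENT_TYPES:
            raise ValueError(f"{e.event_id}: unknown event type {e.event_type!r}")
        if e.is_near_miss or e.gross_loss < threshold:
            continue
        kept.append(e)
    return kept


def profile_by_unit(events, threshold):
    """Count and total gross loss per business unit under a given threshold."""
    prof = defaultdict(lambda: {"count": 0, "gross": 0.0})
    for e in capital_losses(events, threshold):
        prof[e.business_unit]["count"] += 1
        prof[e.business_unit]["gross"] += e.gross_loss
    return dict(prof)


# Constructed sample records (amounts in currency units; not real data).
SAMPLE_EVENTS = [
    LossEvent("E1", "EDPM", "Equities", 800.0),
    LossEvent("E2", "EDPM", "Equities", 1200.0),
    LossEvent("E3", "EDPM", "Equities", 950.0),
    LossEvent("E4", "EDPM", "Equities", 15000.0),
    LossEvent("E5", "EF", "Retail", 25000.0, rapid_recovery=25000.0),  # near miss
    LossEvent("E6", "IF", "Trading", 500000.0, rapid_recovery=200000.0),
    LossEvent("E7", "CPBP", "Retail", 40000.0),
]

if __name__ == "__main__":
    # A higher threshold drops most of the frequent EDPM losses in Equities.
    for thr in (0.0, 1000.0, 10000.0):
        print(f"threshold={thr:>8.0f}", profile_by_unit(SAMPLE_EVENTS, thr))
```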

Provisioning Treatment of Expected Operational Losses

Unlike credit risk, where expected or computed losses can be covered through general or specific provisions in the balance sheet, the treatment of expected losses in OpRisk is highly sophisticated because of its multidimensional nature.

The rules on what may be subject to provisions were recently clarified by the issuance of IAS 37, which established the following general requirements:

  1. No provision is recognized for future operating losses;
  2. A provision is recognized for an onerous (erroneous) contract; and
  3. A provision for restructuring costs is recognized only when an enterprise has a detailed formal plan to restructure and has raised a valid expectation among those affected.

Business Environment and Internal Control Environment Factors

OpRisk can be viewed as a function of the control environment. A good control environment implies that OpRisk is under control, with a low probability of operational losses being incurred.

The risks in the many steps of a company's settlement process should be regularly assessed and reported. To do this, financial companies often apply the following tools: Risk Control Self-Assessment (RCSA) and Business and Control Environment Programs.

Risk Control Self-Assessment (RCSA)

Every 12 or 18 months, firms ask experts for their view on the status of each business process and sub-process, and color-rate each according to the perceived status. Most firms consider the RCSA the anchor of the OpRisk framework, and most OpRisk activities are linked to this procedure.

In the first phase of this program, managers identify and assess inherent risk. No inferences are made about controls embedded in the process; the assumption is that they are absent. In this phase, managers usually raise the following concerns: risk scenarios, exposure, and correlation with other risks.

The answers to these concerns come from the specific inherent risks within the business unit's process, which must be assessed to determine the probability of occurrence and the severity of the events.

Once these events are understood, controls are included in the RCSA framework and their effectiveness is assessed to determine how well they mitigate the risk. When a company has an RCSA program at the core of its OpRisk framework, all other initiatives under its OpRisk program are usually structured to feed the RCSA.

Key Risk Indicators (KRIs)

KRIs are indicators often used as a proxy for the quality of a business's control environment. For instance, when reporting on the quality of an investment bank's processing system, factors like system downtime and system slow time might be designed as indicators. They are extremely important in the evaluation of OpRisk because they allow OpRisk models to behave similarly to those used for market and credit risk.

However, the quality of these processes is best assessed by establishing a few KRIs that correctly depict the control environment. Special attention should be paid to the KRI collection process: for the link between KRIs and losses to be shown, the data must be absolutely reliable.

Collection should be automated directly from the firm's operational systems, which helps create a more realistic reflection of the business's infrastructure.

The first stage of the KRI collection process is establishing the assumptions of the particular business's OpRisk profile. Collecting KRIs and loss data at the cost center level makes disaggregation possible.

The modeler might also consider external factors like equity indexes and interest rates. A strong link is commonly found between a stock market index and operational losses.

External Databases

According to the Basel Accord, regulatory capital should be computed at a 99.9% confidence level. This is equivalent to holding enough capital to cover the losses of the worst year in a period of 1000 years.

Just as in insurance, drawing on the loss experience of the company is one way to overcome these challenges. Banks and other financial institutions may struggle to come up with reasonable measures for some risk types: despite never having been exposed to large losses, they know that the risk of such a loss eventually occurring remains.

Scenario Analysis

Scenario analysis is a framework pillar for many companies, as it is a crucial OpRisk management and measurement tool. Expert opinion can be used to gather scenario estimates, since experts commonly communicate approximations of how losses would occur in an extreme event.

Scenario workshops are run using only three approaches: surveys, structured workshops, or individual discussions. For emerging risks, scenarios can be applied because no loss experience is available.

Converting these opinions into numbers is vital for applying scenario analysis workshops to OpRisk measurement and quantification. After this conversion, the next issue is incorporating the numbers into the risk framework.

Common issues and biases in scenarios: Because scenarios are often based on expert opinion, a number of biases arise. Since these biases are difficult to mitigate or avoid, they are a serious disadvantage of this process. They are:

  1. Presentation bias
  2. Availability bias
  3. Anchoring bias
  4. Huddle or anxiety bias
  5. Gaming
  6. Overconfidence and under-confidence bias
  7. Inexpert opinion
  8. Context bias

Some of these challenges can be circumvented with the Delphi technique, which has been broadly tested and applied in many fields. A group of experts in each business should meet to estimate the occurrence of OpRisk at a given confidence level.

OpRisk Profile in Different Financial Sectors

Splitting a financial institution into different lines of business is useful only after it has been established that the OpRisk profile is diversified across the institution's different business models.

Insurance

Given the significant differences between its sectors, insurance can be divided into three: life insurance, health insurance, and property and casualty (P&C) insurance. The actuarial computation used in P&C insurance is very similar to that used in OpRisk capital computation.

The overall financial situation of the sector is similar to that of most sectors of finance, with the impacts of the financial crisis still lingering. These effects range from low-interest-rate environments that hurt profitability and company valuations to low sales and revenue.

Insurers' development of OpRisk frameworks is still at an early stage. Insurers face a number of OpRisks: several have received severe penalties for mis-selling their products to clients, and in the retail sector they are exposed to bad-faith claims. This pressure has made them more diligent in catching up with banks in creating more robust OpRisk frameworks.

Asset Management

This industry, accustomed to high margins and substantial profits, experienced challenges not seen for a long time. The new environment changed the industry, as most asset managers had never worried about the expenses of running their operations or paid attention to the risks involved.

This harsh economic environment forces managers to impose much more careful discipline around costs, risk management, and productivity. Asset managers are susceptible to all forms of risk, but given the nature of their business, a manager's largest risk exposure is usually OpRisk.

Recently, asset managers have set up OpRisk departments at a fast rate because of the need to focus on OpRisk. Greater focus from hedge fund regulators has led to better OpRisk procedures.

Retail Brokerage

These days, broker-dealers can be roughly classified into online and brick-and-mortar brokers. Online brokers tend to emphasize the convenience of trading from home while charging a reasonable trade fee. Brick-and-mortar firms, on the other hand, are the larger institutions that focus on a well-off customer base which understands that the higher fees come with professional advice.

Recently, the proliferation of complex, high-speed trading firms has dramatically transformed the way broker-dealers trade for their own accounts and as agents for their customers.

Customers use technology to place orders and trades in the markets with little or no substantive intermediation by their broker-dealers. Currently, with automated high-speed algorithms, order placement rates can exceed 1000 orders per second.

Broker-dealer firms are intensely exposed to OpRisk. Brokers rarely hold large proprietary positions, so their lending exposure is limited; most of their exposure originates from potentially explosive system issues, execution errors, litigation with retail clients, and fraud.

Risk Organization and Governance

Understanding the lines of reporting and establishing a solid risk organization within the company is just as important as having a good measurement system.

The OpRisk manager must work with the rest of the organization. An effective OpRisk management framework is built on sound internal governance.

Organization of Risk Departments

The role of organization in any large business cannot be understated, even though evaluation usually focuses on models with complex formulas. Success in implementing the OpRisk framework often lies in having the right organization, and a company's design hints at the strength and degree of development of its OpRisk framework. Firms apply the following organizational designs:

  1. Design I: Central risk function as coordinator
  2. Design II: Matrix reporting; the dotted lines
  3. Design III: Solid reporting lines to central risk management
  4. Design IV: Strong central risk management

Structuring a Firm-Wide Policy: Example of an OpRisk Policy

A company's operational risk management framework is defined by a policy that includes the governance structure, roles and responsibilities, and OpRisk management and measurement standards. The policy also describes the OpRisk management programs.

Common industry practice for sound OpRisk governance often relies on three lines of defense:

  1. Business line management
  2. An independent corporate OpRisk management function
  3. An independent review

When this defense model is applied to OpRisk, the structure and activities of the three lines of defense vary with the bank's portfolio of products, processes, activities, and systems. Finally, regulators often reinforce the role of the board of directors.

Practice Questions

1) As the manager of an organization, it is important to ask yourself questions during a risk control self-assessment. Which of the following is not a necessary concern?

  A. Risk scenario: Where are the potential weak points in each of these processes?
  B. Exposure: How big a loss could my operation suffer in the event of a failure?
  C. Delivery: How can we better handle customer delivery?
  D. Performance: How could a failure change my organization's performance, either financially or in terms of its reputation?

The correct answer is C.

Where risk is concerned, it is important to ask questions that can help mitigate the risk. A question like "How can we better handle customer delivery?" is not one of them. Asking questions about different risk scenarios and exposures is necessary for combating risks likely to occur:

Risk scenario: Where are the potential weak points in each of these processes?

Exposure: How big a loss could my operation suffer in the event of a failure?

Performance: How could a failure change my organization's performance, either financially or in terms of its reputation?
