
Section 3

Operational risk encompasses potential losses from inadequate internal processes, human errors, system failures, or external events, significantly impacting organizational stability and resilience. Effective management of operational risk is essential for preventing disruptions and maintaining compliance, with various identification methods and measurement approaches available to quantify and mitigate these risks. The document outlines the importance of a comprehensive risk management framework that integrates operational risk with other types of risks, ensuring a proactive and resilient organizational culture.

Uploaded by

oxoneoz101

Section 3: Operational Risk Measurement

1. Concept of Operational Risk


1. Definition
Operational risk refers to the potential for loss resulting from inadequate or failed
internal processes, people, systems, or external events. It includes a wide range of
non-financial risks that arise from everyday business operations. Unlike credit and
market risk, which are more quantitative and finance-driven, operational risk
originates from the organizational environment, employee behavior, system
vulnerabilities, or unforeseen incidents like cyberattacks or natural disasters. These
risks are difficult to model and may not always have immediate financial implications
but can result in substantial long-term losses.

2. Importance
Operational risk is crucial to manage because it affects the internal stability and
resilience of an organization. Effective control over operational risk helps prevent
disruptions, regulatory penalties, and reputational damage. With increasing digital
dependency, even minor operational failures can trigger cascading effects, impacting
customer trust and compliance status. Managing this risk ensures smooth functioning,
minimizes unexpected costs, and enhances strategic agility in uncertain environments.
It is also a key requirement under Basel II and III risk frameworks for capital adequacy.

3. Features
●​ Non-financial in Origin: Operational risk often stems from human error, system
breakdowns, or external disruptions rather than market movements or borrower
defaults.
●​ Pervasive Across Functions: Every department—HR, IT, sales, compliance—is
exposed to operational risks, making it a firm-wide concern.
●​ Difficult to Quantify: Many losses (like reputational harm) are hard to assign
monetary value.
●​ Cannot Be Fully Eliminated: Unlike some financial risks, operational risks can
only be reduced, never entirely removed.
●​ Reactive and Preventive Elements: It involves both post-incident mitigation and
proactive control environments.

4. Examples
●​ IT System Failure: A major banking server crashes during peak hours, preventing
transactions.
●​ Internal Fraud: An employee manipulates accounting records for personal gain.
●​ Cyber Breach: Sensitive customer data is leaked due to weak cybersecurity
protocols.
●​ Natural Disaster: A flood damages physical infrastructure and causes days of
business closure.

2. Identification of Operational Risk


1. Definition
Risk identification is the first and most critical step in operational risk management. It
refers to systematically spotting, recognizing, and documenting potential sources of
operational failure before they turn into actual losses. This process ensures that no
significant threat goes unnoticed and that suitable control measures can be designed.
Risk identification must be ongoing and dynamic, adapting to organizational changes,
technology upgrades, and external threats.

2. Methods of Identification
●​ Risk Control Self-Assessment (RCSA): Business units assess their own
processes to identify risks and weak controls, creating a bottom-up risk view.
●​ Process Mapping: Detailed visual documentation of workflows helps reveal
bottlenecks, redundancies, or vulnerable stages within a process.
●​ Incident Reporting: Historical loss or near-miss data is analyzed to understand
trends and recurring failure points.
●​ Scenario Analysis: Hypothetical but plausible events (e.g., system hack,
regulatory raid) are simulated to test the organization's response capacity.

3. Tools Used
●​ Risk Registers: Centralized databases that record all known operational risks,
their ratings, and mitigation strategies.
●​ Control Checklists: Lists of key control points within a process, helping
standardize monitoring practices.
●​ Internal Audit Reports: Regular audit feedback provides insights into process
weaknesses and compliance gaps.
●​ Heat Maps: Visual tools that categorize risks based on impact and probability,
helping prioritize response.

4. Importance
Early identification prevents risks from escalating into crises. It allows for timely
allocation of resources to high-risk areas and enhances risk transparency across
business lines. Moreover, documented identification serves as a foundation for
measurement and monitoring, helping to comply with internal policies and external
regulatory demands. A proactive identification culture empowers employees to
recognize issues early, making the organization more resilient and agile.

3. Drivers of Operational Risk


1. People Risk
This arises from human behavior—errors, negligence, lack of training, or deliberate
misconduct. Employees may make mistakes due to fatigue, poor supervision, or
outdated SOPs. Fraud or collusion by insiders also falls into this category. For
example, a trader hiding losses or a clerk accidentally transferring funds to the wrong
account. People risk is dynamic and heavily influenced by morale, training, and ethical
tone.

2. Process Risk
Faulty or inefficient business processes are a key driver of operational risk. If
workflows are not well documented or overly complex, they lead to errors and
inefficiencies. For instance, missing checks in a loan approval process could result in
fraudulent disbursements. Process risks increase with decentralization, inconsistent
practices, and poor standardization.

3. System Risk
System risk involves IT infrastructure, databases, and software applications. Failures in
these areas can paralyze operations—such as a core banking application crash during
transaction processing. System risks also include cyber threats, unauthorized access,
and outdated legacy platforms that can't support modern compliance requirements.

4. External Events
These are outside the firm’s control but have severe impacts—natural disasters,
pandemics, terrorism, and supply chain breakdowns. Even if internal processes are
strong, such events can lead to service disruption, asset damage, or workforce
unavailability. Firms must build contingency and business continuity plans to
counteract these.

5. Cultural & Ethical Factors
An organization’s culture defines how seriously operational risks are taken. In a poor
culture, risks are ignored, and shortcuts are normalized. Employees may underreport
incidents, tolerate unethical behavior, or circumvent controls. A strong risk culture
promotes transparency, accountability, and ethical behavior across all levels.

4. Approaches to Operational Risk Measurement


Definition
Approaches to operational risk measurement are methods used by financial
institutions to quantify and manage potential losses arising from failures in internal
processes, people, systems, or external events.

Types of Approaches
1.​ Basic Indicator Approach (BIA)
2.​ Standardized Approach (SA)
3.​ Advanced Measurement Approach (AMA)

Explanation
Basic Indicator Approach: Banks hold capital for operational risk as a fixed
percentage (usually 15%) of their annual gross income. It's simple but doesn't reflect
actual risk exposure.

Standardized Approach: Categorizes banking activities and applies different
percentages to each business line's income, offering a slightly more risk-sensitive
measure.

Advanced Measurement Approach: Uses internal data, external data, scenario
analysis, and loss event modeling to estimate the capital requirement, offering the
most accuracy but also complexity.

These approaches help banks align their capital reserves with the level of operational
risk they face.

5. Managing Operational Risk


Definition
Managing operational risk involves identifying, assessing, monitoring, and mitigating
risks arising from business operations.

Components
1.​ Risk Identification & Assessment
2.​ Control & Mitigation Strategies
3.​ Monitoring and Reporting Systems

Importance
●​ Protects institutions from internal failures and fraud.
●​ Enhances customer trust and regulatory compliance.
●​ Ensures smooth operations and business continuity.

Explanation
Operational risk is managed through strong internal controls, audits, training,
contingency plans, and risk culture. Management should implement automated
monitoring systems, enforce accountability, and constantly update risk registers.
Periodic stress testing and scenario analysis are also essential to assess worst-case
impacts.

6. Insurance as a Risk Management Tool


Definition
Insurance transfers the financial burden of operational risk events (like fire, theft,
cyberattacks) from a firm to an insurer in exchange for a premium.

Types
1.​ Property Insurance
2.​ Cyber Insurance
3.​ Liability Insurance
4.​ Business Interruption Insurance

Features
●​ Risk transfer
●​ Premium-based model
●​ Coverage limits and exclusions

Importance
●​ Reduces potential financial losses
●​ Ensures business recovery after incidents
●​ Offers legal and reputational protection

Explanation
Insurance cannot eliminate risk but provides a safety net. For example, cyber
insurance can cover data breach costs. Firms must assess coverage terms carefully
and maintain documentation. It complements but does not replace strong internal
controls.

7. Hedging Using Derivatives


Definition
This refers to using financial instruments like options, futures, or swaps to offset
potential losses from operational risks indirectly affecting financial performance.

Examples of Derivatives
1.​ Interest Rate Swaps
2.​ Currency Forwards
3.​ Commodity Futures

Use Case in Operational Risk
●​ Protect against losses from price volatility or delayed payments.
●​ Hedge against business disruption in supply chains.

Explanation
While derivatives are typically used for market or credit risk, they can be linked to
operational exposures like cost inflation, utility interruptions, or delayed projects. A
company expecting delayed shipments might hedge through commodity futures to
stabilize costs.

8. Application of VaR in Operational Risk


Definition
Value at Risk (VaR) is used to estimate the maximum loss due to operational failures
over a given time period with a certain confidence level.

Features
●​ Quantitative estimate
●​ Time horizon-based
●​ Confidence interval (e.g., 99%)

Importance
●​ Quantifies potential extreme losses
●​ Helps allocate capital more efficiently
●​ Supports regulatory and internal reporting

Explanation
VaR in operational risk often uses historical loss data and Monte Carlo simulations. It
helps institutions understand “worst-case” losses from operational errors, fraud, or
system failures and plan capital accordingly.

9. Risk-Adjusted Performance Measurement (RAPM)


Definition
RAPM adjusts traditional performance metrics to reflect the level of risk taken to
generate returns.

Subtypes
1.​ VaR-Based Measures
2.​ Earnings-Based Measures
3.​ SVA (Shareholder Value Added)

(i) VaR-Based Measures
●​ Adjust performance based on the VaR of a business unit.
●​ Helps compare units with different risk levels.
●​ Encourages optimal risk-return balance.

(ii) Earnings-Based Measures
●​ Links operational efficiency to profit after accounting for risk.
●​ Includes metrics like Economic Value Added (EVA).
●​ Helps measure consistent long-term profitability.

(iii) Shareholder Value Added (SVA)
●​ Evaluates whether a business unit creates value above its cost of capital.
●​ Encourages value creation through responsible risk-taking.
●​ Used for bonus allocation and strategic planning.

10. Integrated Risk Management


Definition
A holistic framework that combines market, credit, operational, legal, and reputational
risk into a unified strategy.

Key Features
●​ Centralized risk oversight
●​ Unified reporting system
●​ Enterprise-wide risk culture

Benefits
●​ Improves firm-wide decision-making
●​ Reduces duplication in risk efforts
●​ Enhances resource allocation

Explanation
IRM ensures that risks are not managed in silos. An operational failure might trigger
reputational risk, so a comprehensive system ensures all impacts are considered.
Modern banks use ERM (Enterprise Risk Management) software to monitor integrated
risk metrics.

11. Legal Risk


Definition
Risk of loss from lawsuits, fines, or regulatory sanctions due to legal non-compliance
or failure in contractual obligations.

Examples
●​ Breach of contract
●​ Regulatory violations
●​ Intellectual property disputes

Importance
●​ Avoids financial penalties
●​ Maintains brand reputation
●​ Ensures long-term sustainability

Explanation
Legal risk is often a subset of operational risk. Firms must maintain proper legal
documentation, regulatory compliance teams, and legal audits to avoid such
exposures.

12. Reputational Risk


Definition
The risk of loss resulting from damage to a firm's reputation due to negative public
perception.

Causes
●​ Data breaches
●​ Ethical misconduct
●​ Service failures or fraud

Impact
●​ Decline in customer trust
●​ Loss in revenue
●​ Shareholder dissatisfaction

Explanation
It is difficult to quantify but can be more harmful than financial losses. Social media
and public sentiment tracking are now used by firms to monitor reputational health.

13. Accounting Risk


Definition
Risks arising from errors or fraud in financial reporting and accounting practices.

Examples
●​ Misstatement of earnings
●​ Incorrect asset valuation
●​ Fraudulent entries

Prevention
●​ Strong internal controls
●​ Independent audits
●​ Compliance with standards like IFRS or GAAP

14. Other Types of Risks


(i) Regulatory Risk
●​ Arises from changes in laws or non-compliance.
●​ Can result in penalties or loss of license.

(ii) Political Risk
●​ Caused by instability, government policy shifts, or international conflict.
●​ Impacts global operations and investment decisions.

15. Firm-Wide Performance and Risk


Definition
This focuses on evaluating how operational risks affect the overall performance of the
firm.

Metrics Involved
●​ Risk-Adjusted Return on Capital (RAROC)
●​ Cost of Risk
●​ Operational loss ratio

Explanation
Firms use risk dashboards to monitor how operational breakdowns (e.g., IT outages)
impact KPIs like sales, client churn, and productivity. This ensures timely risk
response.

16. Controlling Firm-Wide Risk


Definition
Establishing systems and policies that limit risk exposure across all departments and
business lines.

Tools Used
●​ Risk Control Self-Assessments (RCSA)
●​ Key Risk Indicators (KRIs)
●​ Internal audit and compliance

Explanation
Control frameworks like COSO or Basel help institutions design layered controls
across units. Training, accountability, and governance structures are key to firm-wide
risk containment.

17. Model Risk


Definition
Risk of loss from errors in financial models used for decision-making or risk
measurement.

Causes
●​ Wrong assumptions
●​ Incomplete data
●​ Over-reliance on quantitative tools

Mitigation
●​ Back-testing models
●​ Regular model validation
●​ Scenario analysis

Explanation
Inaccurate models may give false confidence about risk levels. Firms are now required
under Basel to document and stress test all models used in risk estimation.
