
OPERATIONAL RISK


The ultimate goal of the risk management function in any institution is to minimize the losses of the organization. Operational risk management is aimed at minimizing the potential losses arising from operations.

This document will help you to understand operational risk, its sources, and its highly adverse impacts on an institution. It will also enable you to understand 'The Operational Loss Data' and its levels.

Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events. The types of operational risk are:

-          Internal operational risks

-          External operational risks

(A) INTERNAL OPERATIONAL RISK

It is a failure in the course of operating the business. The institution uses people, processes and technology to achieve its business plan, and any one of these factors may experience a failure of some kind.

The internal factors include Employees, Business Processes, Relationships, Technology, etc.

(B) EXTERNAL OPERATIONAL RISK

It arises from environmental factors, such as a new competitor that changes the business paradigm, a major political or regulatory regime change, and other inherent factors which are outside the control of the institution.

The external factors that influence an institution include Political, Taxation, Regulatory, Societal, Competitive Pressure, Natural Disasters, etc.

HOW DO INTERNAL AND EXTERNAL FACTORS PRODUCE OPERATIONAL RISK EVENTS?

People Risk: The risk of a loss intentionally or unintentionally caused by an employee (i.e. employee error or employee misdeeds) or involving employees, such as in the area of employment disputes. This risk class covers internal organizational problems and losses.

-          Employee Errors: General transaction errors, incorrect routing of transaction, etc.

-          Human Resource Issues: Employee unavailability, hiring/firing, etc.

-          Personal Injury – Physical Injury: Bodily injury, health and safety, etc.

-          Personal Injury – Non–Physical Injury: Libel/defamation/slander, discrimination/harassment, etc.

-          Wrongful Acts: Fraud, trading misdeeds, etc.

 

Process Risk: Risks related to the execution and maintenance of transactions, and the various aspects of running a business, including products and services.

-          Business Process: lack of proper due diligence, inadequate/problematic account reconciliation, etc.

-          Business Risks: Merger risk, new product risk, etc.

-          Errors and Omissions: Inadequate/problematic security, inadequate/problematic quality control, etc.

-          Specific Liabilities: Employee benefits, employer, directors and officers, etc.

 

Relationships: Losses arising from the relationship or contact that a firm has with its clients, shareholders, third parties, or regulators.

-          Legal/Contractual: Securities law violations, legal liabilities, etc.

-          Negligence: Gross negligence, general negligence, etc.

-          Sales Discrimination: Lending discrimination, client discrimination, etc.

-          Sales Related Issues: Churning, sales misrepresentation, high pressure sales tactics, etc.

-          Specific Omissions: Failure to pay proper fees, failure to file proper report, etc.

 

Technology: The risk of loss caused by piracy, theft, failure, breakdown or other disruption in technology, data or information; also includes technology that fails to meet business needs.

-          General Technology Problems: Operational error – technology related, unauthorized use/misuse of technology, etc.

-          Hardware: Equipment failure, inadequate/unavailable hardware, etc.

-          Security: Hacking, firewall failure, external disruption, etc.

-          Software: Computer virus, programming bug, etc.

-          Systems: System failures, system maintenance, etc.

-          Telecommunications: Telephone, fax, etc.

 

External: The risk of loss due to damage to physical property or assets from natural or non–natural causes. This category also includes the risk presented by actions of external parties, such as the perpetration of fraud, or in the case of regulators, the execution of change that would alter the firm’s ability to continue operating in certain markets.

-          Disasters: Natural disasters, non–natural disasters, etc.

-          External Misdeeds: External fraud, external money laundering, etc.

-          Litigation/Regulation: Capital control, regulatory change, legal change, etc.

 

People often think that operational risk has no meaningful impact on an institution’s profit. They also think that operational losses are very small amounts. The question arises whether one should ignore these losses and concentrate on the primary job activity only.

IF YES! THEN YOU ARE WRONG!!!

Operational losses do have an impact on the institution! Operational losses add up to large amounts when aggregated at the end of the year! One should always keep in mind that operational loss management is part of the job! It defines the most effective way to perform the job!

OPERATIONAL LOSS EVENT

-          An operational loss event describes a situation in which an institution faces operational losses as a result of an activity.

-          The activity can be performed in branch operations, product development, treasury operations, finance operations, HR operations, credit operations, trade operations, etc.

Operational losses are classified into three categories. These categories are termed Levels.

LEVEL MATRIX

EVENT NUMBERS

Level-1     Level-2      Level-3
01          01 to 02     01 to 11
02          03 to 04     12 to 16
03          05 to 07     17 to 22
04          08 to 12     23 to 41
05          13           42 to 44
06          14           45 to 48
07          15 to 20     49 to 68

 

NATURE OF EVENTS

The events defined above at level-3 are classified on two bases: CAUSE and EFFECT. Remember that the Basel Accord sets out rules for calculation of minimum regulatory capital by using a Risk Weighted Framework.

Basel-II inspects operational risk from both views:

-          It analyzes the cause of the event and how it happened; and

-          It analyzes the effect of that event.

Effects are observed:

-          From the monetary aspect; and

-          From non-monetary aspects.

 

LEVEL 1

This is the broadest level. It contains 7 basic categories of operational losses. This means that whenever an institution faces an operational loss, the loss must be categorized into one of these 7 segments.

1.       Internal fraud

2.       External fraud

3.       Employment practices & workplace safety

4.       Clients, products & business practices

5.       Damage to physical assets

6.       Business disruption & system failures

7.       Execution, delivery, & process management

Let's now look at these categories in connection with the Operational Loss Levels:

1)            INTERNAL FRAUD

Event type level 1: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity / discrimination events, which involves at least one internal party.

Event Type Level 2:

-          Unauthorized Activity

-          Theft and Fraud

Event Type Level 3 Activity Example

-          Transaction not reported (Intentional)

-          Fraud / credit fraud / worthless deposits

-          Theft / extortion / embezzlement / robbery

-          Misappropriation of assets

-          Forgery

-          Check kiting

-          Smuggling

-          Account take-over / impersonation / etc.

-          Insider trading (not on firm's account)

 

2)        EXTERNAL FRAUD

Event type level 1: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party.

Event Type Level 2

-          Theft and Fraud

-          Systems Security

Event Type Level 3 Activity Example

-          Theft / Robbery

-          Forgery

-          Check kiting

-          Hacking damage

-          Theft of information (with monetary loss)

3)        EMPLOYMENT PRACTICES AND WORKPLACE SAFETY

Event type level 1: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events.

Event Type Level 2

-          Employee Relations

-          Safe Environment

-          Diversity & Discrimination

Event Type Level 3 Activity Example

-          Compensation, benefit, termination issues

-          Organized labor activity

-          General liability (slip and fall, etc)

-          Employee health and safety rules events

-          Workers compensation

-          All discrimination types

4)        CLIENTS, PRODUCTS AND BUSINESS PRACTICES

Event type level 1: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

Event Type Level 2

-          Suitability Disclosure & Fiduciary

-          Improper business or market practices

-          Product Flaws

-          Selection Sponsorship & Exposure

-          Advisory Activities

Event Type Level 3 Activity Example

-          Fiduciary breaches / guideline violations

-          Suitability / disclosure issues (KYC etc)

-          Retail customer disclosure violations

-          Breach of privacy

-          Aggressive sales

-          Account churning

-          Misuse of confidential information

-          Lender liability

-          Antitrust

-          Improper trade / market practices

-          Market manipulation

-          Insider trading (on firm's account)

-          Unlicensed activity

-          Money laundering

-          Product defects (unauthorized, etc)

-          Model errors

-          Failure to investigate client per guidelines

-          Exceeding client exposure limits

-          Disputes over performance of advisory activities

5)        DAMAGE TO PHYSICAL ASSETS

Event type level 1: Losses arising from loss or damage to physical assets from natural disaster or other events.

Event Type Level 2

-          Disaster and other events

Event Type Level 3 Activity Example

-          Natural disaster losses

-          Human losses from external sources

-          Terrorism, vandalism

6)        BUSINESS DISRUPTION AND SYSTEM FAILURES

Event type level 1: Losses arising from disruption of business or system failure.

Event Type Level 2

-          Systems

Event Type Level 3 Activity Example

-          Hardware

-          Software

-          Telecommunication

-          Utility outage / disruptions

 

 

7)        EXECUTION, DELIVERY AND PROCESS MANAGEMENT

Event type level 1: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.

Event Type Level 2

-          Transaction Capture, Execution and Maintenance

-          Monitoring and Reporting

-          Customer Intake and Documentation

-          Customer / Client Account Management

-          Trade Counterparties

-          Vendors and Suppliers

 

Event Type Level 3 Activity Example

-          Miscommunication

-          Data entry, maintenance or loading error

-          Missed deadline or responsibility

-          Model / system misoperation

-          Accounting error / entity attribution error

-          Other task mis-performance

-          Delivery failure

-          Collateral management failure

-          Reference Data Maintenance

-          Failed mandatory reporting obligation

-          Inaccurate external report (loss incurred)

-          Client permission / disclaimers missing

-          Legal documents missing / incomplete

-          Unapproved access given to accounts

-          Incorrect client records (loss incurred)

-          Negligent loss or damage of client assets

-          Non-client counterparty mis-performance

-          Miscellaneous non-client counterparty disputes

-          Outsourcing

-          Vendor disputes

 

Incident reporting is extremely important for assessing operational risk. Without such reporting, it would become very hard to analyze operational losses in the institution for any given time period. If incidents are reported truthfully and regularly, the institution's management would be able to:

-           Identify areas where losses are occurring frequently.

-           Identify problematic processes.

-           Take measures to minimize these losses.