This chapter examines the definition of operational risk and its role in the management of risks in the financial services sector, including fintechs and digital and traditional banks. It outlines the formal adoption of operational risk management for regulated banks under the Basel II framework. The requirements to identify, assess, control, and mitigate operational risk are introduced, along with the four causes of operational risk (people, process, systems, and external events) and the seven risk types. The definition is tested against the 2012 London Olympics. The different roles of operational risk management and measurement are introduced, as well as the role of operational risk in an enterprise risk management framework.
What do we mean by operational risk?
Operational risk management had been defined in the past as all risk that is not captured in market and credit risk management programs. Early operational risk programs, therefore, took the view that if it was not market risk, and it was not credit risk, then it must be operational risk. However, today a more concrete definition has been established, and the most commonly used of the definitions can be found in the Basel II regulations. The Basel II definition of operational risk is:
... the risk of loss resulting from inadequate or failed processes, people and systems or from external events.
This definition includes legal risk, but excludes strategic and reputational risk.1
Let us break this definition down into its components. First, there must be a risk of loss. So for an operational risk to exist there must be an associated loss anticipated. The definition of "loss" will be considered more fully when we look at internal loss data in Chapter 7, but for now we will simply assume that this means a financial loss.
Next, let us look at the defined causes of this loss. The preceding definition provides four causes that might give rise to operational risk losses. These four causes are (1) inadequate or failed processes, (2) inadequate or failed people (the regulators do not get top marks for their grammar, but we know what they are getting at), (3) inadequate or failed systems, or (4) external events.
While the language is a little awkward (what exactly are "failed people," for example?), the meaning is clear. There are four main causes of operational risk events: the person doing the activity makes an error, the process that supports the activity is flawed, the system that facilitated the activity is broken, or an external event occurs that disrupts the activity.
With this definition in our hands, we can simply look at today's newspaper or at the latest online headlines to find a good sample of operational risk events. Failed processes, inadequate people, broken systems, and violent external events are the mainstays of the news. Operational risk surrounds us in our day-to-day lives.
Examples of operational risk in the headlines in the past few years include egregious fraud (Madoff, Stanford), breathtaking unauthorized trading (Société Générale and UBS), shameless insider trading (Raj Rajaratnam, Nomura, SAC Capital), stunning technological failings (Knight Capital, the Nasdaq Facebook IPO, anonymous cyber-attacks), and heartbreaking external events (hurricanes, tsunamis, earthquakes, terrorist attacks, and a global pandemic). We will take a deeper look at several of these cases throughout the book.
All of these events cost firms hundreds of millions, and often billions, of dollars. In addition to these headline-grabbing large operational risk events, firms constantly bleed money due to frequent and less severe events. Broken processes and poorly trained staff can result in many small errors that add up to serious downward pressure on the profits of a firm.
The importance of managing these types of risks, both for the robustness of a firm and for the systemic soundness of the industry, has led regulators to push for strong operational risk frameworks and has driven executive managers to fund and support such frameworks.
Basel II is the common name used to refer to the "International Convergence of Capital Measurement and Capital Standards: A Revised Framework," which was published by the Bank for International Settlements (BIS) in Europe in 2004.
The Basel II framework set out new risk rules for internationally active financial institutions that wished to continue to do business in Europe. These rules related to the management and capital measurement of market and credit risk, and introduced a new capital requirement for operational risk. In addition to the capital requirement for operational risk, Basel II laid out qualitative requirements for operational risk management, and so a new era of operational risk management development was born.
The Basel II definition of operational risk has been adopted or adapted by many financial regulators and firms and is now generally accepted as the standard. It has been incorporated into national regulations across the globe with only minor adaptations and is consistently referred to by regulators and operational risk managers. Many regulators have simply adopted the Basel definition into their national regulatory frameworks as is, but it is interesting to note that the Office of the Comptroller of the Currency (OCC) has adopted a definition that underscores the impact of operational risk on a bank's resiliency as well as on its financial condition:
Operational risk is the risk to current or projected financial condition and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events.2 [emphasis added]
JPMorgan Chase has adapted the definition as follows:
Operational risk is the risk associated with an adverse outcome resulting from inadequate or failed internal processes or systems; human factors; or external events impacting the Firm's processes or systems. It includes compliance, conduct, legal, and estimations and model risk.3
Deutsche Bank applies the European Banking Authority's Single Rulebook definition, which closely matches the original Basel II definition:
Operational risk means the risk of losses stemming from inadequate or failed internal processes, people and systems or from external events. Operational risk includes legal risks, but excludes business and reputational risk and is embedded in all banking products and activities.4
Under the Basel II definition, legal events are specifically included in the definition of operational risk, and a footnote is added to further clarify this:
Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.5
This is a helpful clarification, as there is often some tension with the legal department when the operational risk function first requests information on legally related events. This is something that will be considered in more detail later in the section on loss data collection.
The Basel II definition also specifically excludes several items from operational risk:
This definition includes legal risk, but excludes strategic and reputational risk.6
These nuances in the Basel II definition are often reflected in the definition adopted by a firm, whether or not the firm is governed by that regulation. However, these exclusions are not always applied in operational risk frameworks.
Some banks have adopted definitions of operational risk that include reputational risk. For example, Citi's definition includes reputational risk:
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events. It includes the reputation and franchise risk associated with business practices or market conduct that the Company undertakes.7
Operational risk has some similarities to market and credit risk. Most importantly, it should be actively managed, because failure to do so can result in a misstatement of an institution's risk profile and expose it to significant losses.
However, operational risk also has some fundamental differences from market and credit risk. Operational risk, unlike market and credit risk, is typically not directly taken in return for an expected reward. Market risk arises when a firm decides to take on certain products or activities. Credit risk arises when a firm decides to do business with a particular counterparty. In contrast, operational risk exists in the natural course of corporate activity. As soon as a firm has a single employee, a single computer system, a single office, or a single process, operational risk arises.
While operational risk is not taken on voluntarily, the level of that risk can certainly be impacted by business decisions. Operational risk is inherent in any enterprise, but strong operational risk management and measurement allow for that risk to be understood and either mitigated or accepted.
We will be looking at ways that operational risk management and measurement can meet the underlying need to accomplish five tasks: