Operational risk management for the banking industry

The banking industry faces unique operational risks due to the nature of its operations and the regulatory environment.

Introduction

Beyond credit, market, and liquidity risk, banks must manage the operational risks that arise from their day-to-day processes, people, systems, and compliance obligations, and they must do so under close regulatory scrutiny.

To address these challenges, banks employ comprehensive operational risk management frameworks. These frameworks incorporate risk identification, assessment, mitigation, and monitoring processes tailored to the specific risks faced by banks, including fraud, system failure, and more.


Operational risk categories

In support of its definition of operational risk, the Basel Committee on Banking Supervision (BCBS) set out a list of seven categories that banks can use when classifying operational risk events. These broad categories are used for reporting details of the number and value of risk events at a more senior level, but business and operations management use more granularity when identifying areas of actual or potential operational loss.

Internal fraud

This refers to losses incurred due to actions by one or more internal parties intended to:

  • Defraud a bank
  • Misappropriate information or assets
  • Circumvent internal processes/policies or external regulations

It is divided into two subcategories:

  1. Unauthorized activity: This includes, for example, the intentional failure to record transactions and the execution of unauthorized transactions.
  2. Theft and fraud: Examples here include theft (whether related to cash, physical goods, or intellectual property), misappropriation of assets, identity theft, fraud, bribery, insider trading (not on the firm’s account), forgery, and wilful tax evasion.

The internal fraud category also covers instances of rogue trading, one of the most high-profile operational risk events of recent times.


External fraud

This is similar to internal fraud, but where actions are undertaken by one or more third parties. Again, it includes two subcategories:

  1. Theft and fraud: Examples include theft, identity theft, card fraud, and check kiting.
  2. Systems and security: This includes hacking damage and the theft of data/information.

The external fraud category also covers cybercrime, which is a major concern for banks and many other organizations these days.


Employment practices & workplace safety

This relates to losses arising from the failure to comply with employment laws/agreements or health and safety requirements. It also covers losses arising from diversity/discrimination events. It has three subcategories:

  1. Employee relations: This covers losses due to compensation, termination, or benefit disputes. It also includes losses arising from organized labor activities, such as strikes.
  2. Safe operating environment: Examples of risk events here include accidents at work and health and safety rule violations.
  3. Diversity and discrimination: This subcategory covers losses that arise from all incidents of actual or claimed discrimination.

Clients, products, & business practices

This relates to losses arising from unintentional or negligent failure to meet obligations to clients/customers or as a result of the design of a product or service. It includes the following subcategories:

  • Suitability, disclosure, and fiduciary: This includes events such as disclosure failures, misuse of client information, account churning, and the sale of unsuitable products, including know-your-customer (KYC) failures.
  • Improper business or market practices: This covers activities such as breaches of antitrust law, market manipulation, insider trading (on the firm’s account), unlicensed activities, and money laundering.
  • Product flaws: Risk events here include product defects and incorrect/incomplete documentation.
  • Selection, sponsorship, and exposure: This covers, for example, losses related to the failure to investigate a client before entering into a relationship and losses related to breaches of client limits.
  • Advisory activities: This simply relates to the failure to deliver appropriate advice.

Damage to physical assets

This covers losses arising from damage to physical assets, whether due to human error, deliberate actions, or natural disasters. Subcategories here are:

  • Disasters and other events: Examples include losses arising from natural disasters such as hurricanes and earthquakes, as well as losses from events such as fires and floods.
  • Human actions: This covers damage arising from acts such as terrorism and vandalism, including physical sabotage of equipment. Hacking damage to systems and data is classified under external fraud (systems and security), above, not here.

Business disruption & system failures

This covers losses arising from disruption of business or system failures. Examples of risk events in this category include:

  • Hardware and software failures
  • Telecommunication problems
  • Utility outages

Execution, delivery, & process management

This refers to losses from:

  • Failed transaction processing or process management
  • Relations with trade counterparties and vendors

It includes several subcategories:

  • Transaction-related: This includes losses related to incorrect data capture, data entry errors, and transaction processing errors.
  • Monitoring and reporting: Losses may arise due to inaccurate or late reporting, both internally and to regulators.
  • Customer/client intake and management: Examples here include documentation errors in the customer onboarding process, incorrect customer recordkeeping, and loss of or damage to customer assets.
  • Trade counterparties: Underperformance or disputes arising from interactions with nonclient counterparties could lead to losses.
  • Vendors and suppliers: Relationships with vendors or suppliers, including outsourcing partners that are responsible for managing bank processes, are also a source of potential losses.
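As an added example (not code from the original article), the Python below tags loss events with the level-1 categories and level-2 subcategories described above, rejects records whose subcategory does not belong to the stated category, and rolls the clean records up both at the granularity used for senior-level reporting (level 1, count and value per category) and at the granularity operations management works with (level 1 plus level 2), then checks the level-1 totals against a stated tolerance. The sample events, the tolerance limits, and the single level-2 bucket named "Systems" for business disruption are constructed for the example; the page lists only example events for that category, not a subcategory name.

```python
"""Classify operational loss events with the BCBS event-type taxonomy and roll them up."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Level-1 event types and level-2 subcategories as described on this page.
# Assumption: the "Systems" bucket under business disruption is a name chosen
# for this example, not a subcategory named on the page.
TAXONOMY: Dict[str, FrozenSet[str]] = {
    "Internal fraud": frozenset({"Unauthorized activity", "Theft and fraud"}),
    "External fraud": frozenset({"Theft and fraud", "Systems and security"}),
    "Employment practices & workplace safety": frozenset({
        "Employee relations", "Safe operating environment",
        "Diversity and discrimination"}),
    "Clients, products, & business practices": frozenset({
        "Suitability, disclosure, and fiduciary",
        "Improper business or market practices", "Product flaws",
        "Selection, sponsorship, and exposure", "Advisory activities"}),
    "Damage to physical assets": frozenset({
        "Disasters and other events", "Human actions"}),
    "Business disruption & system failures": frozenset({"Systems"}),
    "Execution, delivery, & process management": frozenset({
        "Transaction-related", "Monitoring and reporting",
        "Customer/client intake and management", "Trade counterparties",
        "Vendors and suppliers"}),
}


@dataclass(frozen=True)
class LossEvent:
    event_id: str
    level1: str
    level2: str
    gross_loss: float  # in the bank's reporting currency


def validate(event: LossEvent) -> Optional[str]:
    """Return why the record cannot be reported, or None if it is well formed."""
    if event.level1 not in TAXONOMY:
        return f"{event.event_id}: unknown level-1 category {event.level1!r}"
    if event.level2 not in TAXONOMY[event.level1]:
        return (f"{event.event_id}: {event.level2!r} is not a subcategory of "
                f"{event.level1!r}")
    if event.gross_loss < 0:
        return f"{event.event_id}: negative gross loss"
    return None


def roll_up(events: Iterable[LossEvent], by_subcategory: bool = False) -> Dict:
    """Count events and total gross loss per level-1 category, or per (level 1, level 2)."""
    totals = defaultdict(lambda: [0, 0.0])
    for ev in events:
        key = (ev.level1, ev.level2) if by_subcategory else ev.level1
        totals[key][0] += 1
        totals[key][1] += ev.gross_loss
    return {k: (n, total) for k, (n, total) in totals.items()}


def tolerance_breaches(level1_totals: Dict[str, Tuple[int, float]],
                       limits: Dict[str, float]) -> List[str]:
    """Level-1 categories whose total loss exceeds the stated tolerance."""
    return sorted(cat for cat, (_, total) in level1_totals.items()
                  if cat in limits and total > limits[cat])


def prepare_report(events: Iterable[LossEvent], limits: Dict[str, float]) -> Dict:
    """Reject malformed records, then build the senior (level 1) and operational (level 2) views."""
    events = list(events)
    errors = [msg for msg in (validate(ev) for ev in events) if msg]
    clean = [ev for ev in events if validate(ev) is None]
    senior = roll_up(clean)
    return {"errors": errors, "level1": senior,
            "level2": roll_up(clean, by_subcategory=True),
            "breaches": tolerance_breaches(senior, limits)}


# Constructed sample loss data for the example; E5 is deliberately mis-tagged.
SAMPLE_EVENTS = [
    LossEvent("E1", "External fraud", "Theft and fraud", 42_000.0),            # card fraud
    LossEvent("E2", "External fraud", "Systems and security", 310_000.0),      # data theft after an intrusion
    LossEvent("E3", "Internal fraud", "Unauthorized activity", 1_250_000.0),   # unauthorized trade
    LossEvent("E4", "Execution, delivery, & process management", "Transaction-related", 8_500.0),
    LossEvent("E5", "Damage to physical assets", "Systems and security", 5_000.0),  # wrong level 2
]
# Constructed tolerance limits per level-1 category.
LIMITS = {"External fraud": 250_000.0, "Internal fraud": 2_000_000.0}

if __name__ == "__main__":
    report = prepare_report(SAMPLE_EVENTS, LIMITS)
    for cat, (n, total) in sorted(report["level1"].items()):
        print(f"{cat:45} events={n:2d} loss={total:>14,.2f}")
    print("rejected:", report["errors"])
    print("tolerance breaches:", report["breaches"])
```

The validation step matters in practice: a security incident recorded under the wrong event type (here, a data theft tagged as damage to physical assets) would be silently misreported to the risk committee, so the record is returned for correction rather than counted.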

Best practices for managing operational risk in banking

Managing operational risk in banks requires the following:

  1. Clarity on risk appetite and tolerance: Defining a clear risk appetite and tolerance level helps organizations identify acceptable levels of risk and establish appropriate risk mitigation strategies.
  2. Ways of measuring operational risk: It is vital to identify more than one way of measuring operational risk due to the wide scope and varying subjectivity of risk types.
  3. Means to identify & assess operational risk: These include techniques such as risk maps and emerging-risk analysis, applied against the event categories described above.
  4. A range of approaches for managing operational risk: There are a number of broad approaches a bank can adopt, including accept or tolerate the risk, take action to reduce the risk, transfer the risk to a third party, or avoid/exit the risk altogether.
  5. Regular monitoring & reporting of operational risk: In addition to regular reports (such as daily performance reports) monitored by management and operations staff, monthly operational risk reports are often submitted to risk committees at business unit, divisional, group, and board level.


There must also be a continual process of learning from internal and external risk events, whether losses are incurred or not, to ensure that appropriate action is taken where necessary to:

  • Update risk appetite, policies, processes, and controls
  • Make investments in systems or people to reduce the risk of such events occurring and/or their impact

These strategies to identify, assess, and manage operational risks are vital for banks to minimize the risks they face and remain resilient in the changing business environment.
