Summary

This book outlines a complete and detailed description of one specific approach to modelling operational risk in accordance with Basel 2. However, the approach could easily be applied in the wider financial services sector. The author also offers some prototypical software to take you through the book's example.

In addition, he outlines some of the key qualitative aspects to operational risk management. A robust internal control framework is essential in complementing the quantitative approach.

Definition

Operational risk is as old as business itself. It is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

The author, the Chief Risk Officer (“CRO”) of Swiss Export Risk Insurance, starts his book by considering a general definition of risk, but notes a solid definition is lacking. In a modelling sense, risk is defined as a negative monetary outcome, stemming from a given source, described by its probability distribution or probability characteristics.

Basel 2 introduced capital requirements for operational risk, under which prescribed event types and lines of business must be considered. The original purpose of Basel 2, published initially in 2004, is to create international standards for banking regulators to use when creating regulations for capital standards to guard against the financial and operational risks banks face.

The assignment of a capital charge for operational risk under Basel 2 has led to the development of new and competing techniques for identifying, collecting, ranking and measuring operational risk for financial institutions.

Operational Risk Quantification

Basel 2 offers banks three main approaches to quantifying their exposure to operational risk, ranging in complexity. The most complex is the Advanced Measurement Approach (“AMA”), where a bank can use its own internal risk models to calculate the appropriate capital cushion for operational risk.

The AMA is essentially a loss distribution approach, by line of business, including allowance for correlation. Claudio Franzetti devotes a significant proportion of his book to providing a complete and detailed description of one specific model for the AMA.

Factors to Consider Prior to Modelling

All models rely on data. The author discusses data availability for modelling operational losses with a distribution approach and notes it is bound by both quality and quantity. Most financial institutions will supplement the paucity of their own data with industry data.

The author describes how dependencies exist both between lines of business and possibly also between different events. He suggests the easiest way to account for them is through copulas. However, the author notes the choice of copula and its parameters will always be subject to judgment, again due to the scarcity of data.

The Modelling Approach

The model outlined in Chapter 3 of the book complies with the requirements of the AMA and utilises Monte Carlo simulation. Simulation is chosen for several reasons, allowing for correlation is easier as are certain aspects of the modelling itself.

The author considers events first and proposes modelling different types of loss separately:

• • High frequency/Low Severity losses – model using an annual loss distribution by event

• • Low Frequency/High Severity losses – use a compound distribution, i.e. frequency severity approach, by event

• • Extreme Losses – use an enterprise-wide compound distribution.

Managing Operational Risk

In a service environment such as banking, people and their management need careful monitoring. It is impossible to develop a comprehensive ethical code that provides guidance for every single ethical dilemma. The author discusses various qualitative aspects of managing operational risk, including company culture, leadership, motivation of individuals and management style.

Operational Risk Framework

Basel 2 defines eight principles that management must address. This can be summarised as developing an appropriate risk management environment and operational risk process, and also covers the role of disclosure.

This book highlights the role of the Board of Directors, who should approve, and periodically review, the operational risk management framework. The tone is set at the top. Many companies delegate risk responsibilities to a Risk Committee, with line management often led by a CRO.

Operational Risk Process

The author notes this is defined as setting the objectives, identification, assessment, measurement, monitoring and communication, mitigation and control. Control is through monitoring, using policies, limits and regulatory requirements. Mitigation includes buying appropriate insurance coverage.

There must be regular reporting of operational risk exposures and loss experience to business unit management, senior management and the Board of Directors. The bank must have procedures for taking appropriate action according to the information produced within reports.

Internal control, implemented by the Board of Directors, management and other personnel, is a process designed to provide reasonable assurance regarding business effectiveness and efficiency, reliability of financial reporting and compliance with applicable laws and regulations.

A robust internal control process is a major component in managing operational risk. The author notes that audit, both internal and external, plays its role in assessing and validating the appropriateness of the operational risk and internal control framework.

Opinion

This book would be most useful for new entrants into the risk management arena, particularly in banking but also in financial services generally. For those thinking about operational risk for the first time, it would give some useful background and theory. For the more experienced in the operational risk field, it would serve better as a reference document.