1. Introduction
Establishing an efficient risk management process is vital for banks that operate complex businesses to avoid significant financial losses. Banks risk management processes have tended to concentrate on the quantification of risks. The models for operational risk have commonly included the loss distribution approach as set out by Anghelache et al. (Reference Anghelache, Cozmâncǎ and Radu2011), Li et al. (Reference Levin2009) and Shevchenko (Reference Santomero2010). Some approaches used extreme value theory to quantify the fat tails found in operational risk losses (Embrechts et al., Reference Ellis and Herbert2003; Gourier et al., Reference Goumagias, Cabras, Fernandes, Li, Nucciarelli, COWLING, Devlin and Kudenko2009; Dahen et al., Reference Cilliers2010).
Traditional statistical techniques, no matter how advanced, implicitly assume the events operate in a stable environment, where current outcomes can be expected to be repeated over time, and hence allow a distribution to be derived. But actually banks operate in a complex adaptive system (CAS) with a constantly changing environment (Kurtyka, Reference Kauffman1999) and hence traditional statistical analysis is unreliable as a predictor of future outcomes. Furthermore, statistical analysis may not assist with the identification of the characteristics of operational risk events that would be important to risk managers in their quest to reduce operational risk losses to acceptable levels.
This paper is concerned with applying an analytical technique that allows for complexity and change in the underlying environment and determines the pattern of characteristics of operational risk events that have occurred in EU and US banks over the period 2008–2014. The purpose of the analysis is not to determine a distribution to model capital required for regulatory purposes but to determine if there is consistency in the characteristics driving the operational risk events. The paper is structured as follows: in section 2, we discuss the characteristics of a CAS, in section 3, we outline the methodology and analysis, in section 4, we present our data and in section 5, we present the results of the analysis. In section 6, we discuss the implications of these findings and share our conclusions on the effectiveness and usefulness of the approach.
2. Characteristics of CASs
In this section, we will discuss the characteristics of a CAS and why the financial system in which banks operate can be described as a CAS. Different authors (Dooley, Reference Dahen, Dionne and Zajdenweber1997; Mitleton-Kelly, Reference Mauboussin2003; Benbya & McKelvey, 2006; Ellis & Herbert, Reference Ehrlich and Raven2011) outline the characteristics and principles of CAS, and we will discuss these principles briefly and present our criteria for financial systems to be considered as CAS.
2.1. CAS
CAS occur in natural systems like ecosystems (Levin, Reference Kurtyka1998) and artificial systems such as stock markets (Mauboussin, Reference Li, Feng and Chen2002). The concepts mentioned in the literature as to what defines a CAS include:
-
1. There should be a large number of agents inside the system. The behaviour of the agents, when the agents in the system become numerous enough, will become impractical to be described by conventional means (Cilliers, Reference Camin and Sokal1998).
-
2. The agents should be interrelated and interactive. The connectivity and interdependence of agents is one reason of why complex behaviour arises within a system and between a system and its environment (Mitleton-Kelly, Reference Mauboussin2003), and makes it impossible to deduce the outcome for the system by analysing the agents individually (Ellis & Herbert, Reference Ehrlich and Raven2011).
-
3. The agents could be organised and structured, but it is unnecessary for every agent to be organised and structured (Arthur et al., Reference Arthur1997).
-
4. Local-level interactions of individual agents will result in the emergence of the system-level outcome. The result of emergence means the whole system has more properties than the sum of each component, and the system cannot be predicted from the local-level interaction outcomes alone (Arthur et al., Reference Arthur1997).
-
5. There is no strict boundary between a CAS and the environment in which it exists. A CAS will change as the environment changes to ensure the best fit. Also, as it is a part of the environment, its change will modify the environment and this process will continue. Although the environment and system are distinguished from each other, from a CAS view they cannot be strictly distinguished, as Mitleton-Kelly (Reference Mauboussin2003) argues, ‘there is no dichotomy or hard boundary between the two’.
-
6. Feedback occurs when some outputs of the system re-join the system as input. There can be reinforcing (positive) feedback that leads to change and balancing (negative) feedback that maintains stability of the system (Mitleton-Kelly, Reference Mauboussin2003). Johnson (Reference Gourier, Farkas and Abbate2004) argued that decentralised systems, i.e. CAS, rely on feedback for growth and self-organisation. Feedback provides the system with a way of adapting to the changing environment and hence survival. As an example, the financial system has faced positive feedback from what was deemed inappropriate selling of products and has had to adapt its product development and distribution management to meet community expectations of appropriate behaviour.
-
7. The co-evolution effect also makes the system and environment change in conjunction with the activities of agents. Ehrlich & Raven (Reference Dooley1964) introduced the concept of co-evolution to describe the response of one species to the evolutionary change of another species. As a consequence, it is difficult to predict the system result by observing the individual agents in the system.
-
8. The connectivity and endogenous force of ‘far from equilibrium’ will lead to the evolution of the system and hence the system can survive and thrive. Socially formed organisations, such as financial institutions, require energetic input to stay unchanged (Berg, Reference Benbya and Mckelvey2013).
-
9. CAS allow withdrawal and entry of agents from and to the system. Kauffman (Reference Johnson1993) claimed that continuous withdrawals and entry of agents in a CAS will provide the force for adaptation by the system.
2.2. Financial institutions as CASs
The organisational structure of financial institutions varies, however, banks, as well as many other financial institutions, often consist of the following departments:
-
1. Treasury department;
-
2. Loan department;
-
3. Accounting department;
-
4. Risk management department;
-
5. Administration department;
-
6. IT department;
-
7. Legal and compliance department;
-
8. Human resource department;
-
9. Operating units, e.g., retail banking, wholesale banking and fund management.
These departments interact with each other in managing the activities of the bank and some of these functions may exist in multiple departments, increasing the complexity of the bank’s operations.
3. Cladistics analysis
Cladistics is the classification method developed in biology to hypothesise relationships between organisms. This method is widely applied to non-biological systems, including the study of language (Rexová et al., Reference Mitleton-Kelly2006), business (Goumagias et al., Reference Farris2014), organisational behaviour (Witt & Schwesinger, Reference Witt and Schwesinger2013) and other fields.
3.1. Maximum parsimony
To analyse the interrelationships of the characteristics of the operational risk events, we used the maximum parsimony methodology, which chooses the solution that uses the least number of steps needed to explain a relationship or phenomenon (Farris, Reference Embrechts, Furrer and Kaufmann1983), which in our case is the cladistics tree that best represents the grouping of characteristic involved in a group of operational risk events. In this research, Camin–Sokal parsimony (Camin & Sokal, Reference Berg1965) is adopted for constructing the cladogram. The maximum parsimony constructs the relationships between the risk events such that there are minimum branches and mathematically, by enumerating all possible trees, the one with the minimum parsimony score is the most parsimonious tree where the parsimony score PS is defined as
$$PS(T,A){\,\equals\,}\mathop{{\min }}\limits_{\lambda } \mathop{\sum}\limits_{\{ u,v\} \in E} {{\rm diff}(u,v)} $$
4. Data and Analysis
The data used in this paper were provided by ORIC InternationalFootnote 1 . This database provides reports on operational risk losses from the banking industry and insurance industry for various countries and is based on publicly available data which introduces the risk of misclassification from poorly described events. We extracted data for US and EU banks from 2008 to the middle of 2014. After filtering and cleaning the data, the US data contains 1,371 unique risk events and EU data contains 770 unique risk events.
Both the US market and EU market were analysed in this study. The analysis includes both cumulative time periods and individual years. The time periods for analysis are set as 2008–2010, 2011–2012 and 2013–2014. We also analysed separately events related to “Big banks” only and “extreme events”. “Big banks” were defined as banks with total assets of >$100,000 million with the data provided by The Banker (Reference Shevchenko2013) and “extreme events” were defined as events with losses over $100 million. Events were classified according to the name of the bank at the time of the event, so events occurring prior to a takeover would be allocated to the original bank, but events occurring after the merger or takeover would be classified by the new entity name. Figures 1 and 2 show the number of events involved in each time period for the various analyses carried out.
Figure 1 Number of events for the US market.
Figure 2 Number of events for the EU market.
The “US with Basel based” and “EU with Basel based” show the number of events analysed with a characteristics set derived from Basel II (Basel Committee on Banking Supervision, 2006). The “US with Derived” and “EU with Derived” shows the number of events involved based on a set of characteristics derived from the data set. Both characteristic sets consist of drivers and descriptive characteristics. The drivers are the characteristics that will lead to an operational risk event and the descriptive characteristics are the characteristics that help to understand the factors involved but do not lead to the risk events. There are six descriptive characteristics for both the characteristics sets, namely, “Multiple people”, “Single person”, “Credit card”, “Big banks involved”, “ATM” and “Derivatives”. The characteristics set derived from Basel II (Basel Committee on Banking Supervision, 2006) is slightly modified to the actual Basel risk types, e.g., the “Safe environment” is not included because there is no event caused by “Safe environment” issues. The analysis includes all unique “combinations” of characteristics, therefore for the different characteristic sets the number of events involved in the analysis is different. This also meant the number of events in particular time periods may be different to the total time period. The “Basel based” and “Derived” characteristics and set out in Tables A.1 and A.2 in Appendix A.
Several software programs are able to perform cladistics analysis using the maximum parsimony algorithm, and in this study we used software from Systemic ConsultFootnote 2 .
Figure 3 presents an example of the output of the cladistics analysis. This tree is read from left to right. The left most characteristic, i.e. “Internal fraud”, can be thought of as the “Level 1” characteristic and occurs for a group of risk events. These Level 1 characteristics are important, as whilst all the characteristics leading to a risk event must occur for that risk event to occur, if an institution can break the chain of linking characteristics, then the risk event would not occur. Given the Level 1 characteristics are those characteristics that are common to several risk events, then it is logical to concentrate on managing these systemic characteristics to mitigate risk events occurring. The Level 2 characteristics, i.e., “Multiple people” and “Single person” are not as systemic as the Level 1 characteristic, and the Level 3 characteristics in this figure, i.e., “Poor controls”, “Crime” and “Big banks involved” are the un-systemic characteristic for each event. One characteristic can appear in different places and at different levels, i.e., in this tree, “Crime” appears at Level 3 for different events. In this analysis, we will concentrate on deriving the Level 1 characteristics and establishing their stability, a necessary prerequisite to their being an efficient target for risk mitigation. Some care is needed in interpreting the results as we are analysing events from multiple banks and this may include differences in terminology to describe the events, which if present may result in an incorrect combination of events. It is also possible that some events have not been recorded as the data relies upon self-reporting by the banks.
Figure 3 An example of cladistics tree.
5. Result
The cladistics trees resulting from the analysis are large and difficult to show on an A4 page, so the results of the analysis are summarised in Appendix B for only the cumulative periods 2008–2014Footnote 3 , and two illustrative branches of the US and EU trees for the period 2008–2014 are also shown.
5.1. Data with Basel-based characteristics
Figures A.1 and A.2 in Appendix B present the summary of the trees for the US markets and EU markets with Basel-based characteristics from 2008 to 2014. We have summarised the significant Level 1 characteristics, which are the characteristics that emerge on the left-hand side of each tree, in Figures 4–7. The significant Level 1 characteristics are those that account for more than 5% of the total events. Figures 4 and 6 show the Level 1 characteristics over cumulative periods and Figures 5 and 7 show the Level 1 characteristics for independent periods. We have analysed the events using both independent periods and cumulative periods to ascertain the stability of the Level 1 characteristics as independent periods may have bias from different numbers of events and also from the timing of reporting of events. The highlighted Level 1 characteristics in Figures 4–7 indicate the Level 1 characteristics relating to more than 5% of the operational risk events.
Figure 4 Significant Level 1 characteristics for events in US markets (cumulative periods).
Figure 5 Significant Level 1 characteristics for events in US markets (independent periods).
Figure 6 Significant Level 1 characteristics for events in EU markets (cumulative periods).
Figure 7 Significant Level 1 characteristics for events in EU markets (independent periods).
Figure 4 shows the significant Level 1 characteristics that emerge consistently over the cumulative periods in the US banking industry are “Theft and fraud (Internal)”, “Theft and fraud (External)”, “Systems security”, “Improper practice”, “Multiple people”, “Single person” and “Big banks involved”.
Figure 5 shows the significant Level 1 characteristics for the independent periods for the US banks are “Theft and fraud (Internal)”; “Theft and fraud (External)”; “Systems security”; “Improper practice” and “Big banks involved”.
Figure 6 shows the significant Level 1 characteristics for the EU banks over cumulative periods are “Theft and fraud (Internal)”; “Theft and fraud (External)”; “Systems security”; “Improper practice” and “Big banks involved”.
Figure 7 shows the significant Level 1 characteristics for the EU banks over independent periods are “Theft and fraud (Internal)”; “Theft and fraud (External)”; “Systems security”; “Improper practice” and “Big banks involved”.
From these figures we can observe that
-
1. Consistent Level 1 characteristics leading to operational risk losses have been “Theft and fraud (Internal)”, “Theft and fraud (External)”, “Systems security” and “Improper practice”. Both the US and EU markets show similar significant Level 1 characteristics. Also, the Level 1 characteristics are stable throughout the observed period.
-
2. The emergence of the “Big banks involved” characteristic as a significant characteristic is indicative that big banks often are involved in more operational risk events than small banks which may well be a result of their size and number of transactions. This may well just be reflecting the greater diversity of the bigger banks and their consequent exposure to operational errors but may also reflect a bias in the data. As a descriptive characteristic, “Big banks involved” emerges in all the trees for both the EU and US as a Level 1 characteristic.
-
3. The consistency of the key characteristics across time and across the two markets shows that in the US and EU banking industry, the major characteristics, i.e., the drivers of operational losses are the same.
5.2. Data with derived characteristics set
We have derived a set of characteristics based on the descriptions of the operational risk events to overcome the perceived shortcomings of using the Basel-based characteristic set. This section discusses the results for the US and EU data with a characteristics set used for Australian banks in Li (2017). The derived characteristic set was established by reading the descriptions of the events and establishing the set of characteristics which were then tested by running the software to observe if the “trees” were formed parsimoniously. It is of course possible that another set of characteristics could be derived. Figures A.3, A.4, A.5 and A.6 in Appendix B show the summary for trees for the US markets and EU markets with derived characteristics from 2008 to 2014. Figures 8–11 show the Level 1 characteristics for cumulative and independent periods.
Figure 8 Significant Level 1 characteristics for events in US markets (cumulative periods, derived characteristics).
Figure 9 Significant Level 1 characteristics for events in US markets (independent periods, derived characteristics).
Figure 10 Significant Level 1 characteristics for events in EU markets (cumulative periods, derived characteristics).
Figure 11 Significant Level 1 characteristics for events in EU markets (independent periods, derived characteristics).
Figure 8 shows the significant Level 1 characteristics are “Regulatory issues”, “Legal issues”, “Internal fraud”, “External fraud” and “Big banks involved”.
Figure 9 shows the significant Level 1 characteristics are “Regulatory issues”, “Multiple people”, “Poor controls”, “Legal issue”, “Internal fraud”, “Crime”, “External fraud”, “Misleading information”, “Computer hacking” and “Big banks involved”.
Figure 10 shows the significant Level 1 characteristics are “Big banks involved”, “Crime”, “Internal fraud”, “Misleading information”, “Poor controls” and “Regulatory issues”.
Figure 11 shows the significant Level 1 characteristics are “Big banks involved”, “Crime”, “Internal fraud”, “External fraud”, “Legal issues”, “Poor controls” and “Regulatory issues”.
From the above we can observe that
-
1. The Level 1 characteristics that emerge for the US market are “Big banks involved”, “Poor controls”, “Regulatory issues”, “Legal issues”, “Internal fraud” and “External fraud”. These characteristics not only emerge in each period, but also for the entire period. The significant characteristics that emerge for the EU market are “Big banks involved”, “Poor controls”, “Regulatory issues”, “Legal issues”, “Internal fraud” and “Crime”.
-
2. Although the Level 1 characteristics for the EU and US markets are the same, the two markets show some different patterns for the Level 1 characteristics over time. “Regulatory issues” is not a Level 1 characteristic in the US from 2008–2010, while in the EU, “Regulatory issues” is always a significant Level 1 characteristic. This may reflect lower standards of supervision of the US market before the Global Financial Crisis (GFC).
-
3. The common drivers for EU and US markets are poor controls, regulatory issues and internal fraud, which may well indicate that
-
a. Banks, in both their daily management and business activities, are weak in process control, and
-
b. Historically, banks may not have paid sufficient attention to regulations or had weak compliance processes.
-
-
4. Comparing the common key Level 1 characteristics of US and EU with derived characteristics to the key Level 1 characteristics with Basel-based characteristics, “Regulatory issues” and “Legal issues” emerge from the analysis using the derived characteristics. These characteristics relate to external factors which are not included in the Basel-based characteristics, and this limits the usefulness of the analysis using Basel-based characteristics.
5.3. Big banks in EU and US
We have considered the operational risk losses separately for “Big banks” to ascertain if there are any significant differences between the characteristics of operational risk events for big banks and smaller banks. Figures A.7 and A.8 in Appendix B show the summary of trees for big banks in the US and EU markets from 2008 to 2014 and the results are summarised in Figures 12–15.
Figure 12 Significant Level 1 characteristics for big banks in US Markets (Cumulative periods).
Figure 13 Significant Level 1 Characteristics for big banks in US markets (separate periods).
Figure 14 Significant Level 1 characteristics for big banks in EU markets (cumulative periods).
Figure 15 Significant Level 1 characteristics for events related to big banks in EU markets (separate periods).
Figure 16 Significant Level 1 characteristics for extreme events in US markets (cumulative periods).
Figure 17 Significant Level 1 characteristics for extreme events in US markets (separate periods).
Figure 18 Significant Level 1 characteristics for extreme events in EU markets (cumulative periods).
Figure 19 Significant Level 1 characteristics for extreme events in EU markets (separate periods).
Figure 12 shows the significant Level 1 characteristics for loss events associated with big banks in the US over cumulative periods are “Poor controls”, “Regulatory issues”, “Legal issues”, “Internal fraud”, “External fraud” and “Misleading information”.
Figure 13 shows the significant Level 1 characteristics for loss events associated with big banks in the US over independent periods are “Crime”, “External fraud”, “Internal fraud”, “Legal issue”, “Misleading information”, “Poor controls” and “Regulatory issues”.
Figure 14 shows the significant Level 1 characteristics for big banks in the EU over cumulative periods are “Internal fraud”, “Legal issues”, “Multiple people”, “Poor controls” and “Regulatory issues”.
Figure 15 shows the significant Level 1 characteristics for the big banks in the EU for separate years are “Crime”, “Internal fraud”, “Legal issues”, “Multiple people”, “Poor controls” and “Regulatory issues”.
The main Level 1 drivers for the US and EU big banks are then very similar, being, “Poor controls”, “Internal fraud”, “Legal issues”, “Regulatory issues” and “Misleading information”. These characteristics are similar to the characteristics found for the whole market. Hence, it could be argued that the big banks in their daily management process do not present any significant difference from the whole market in terms of characteristics that result in operational risk events. This would also indicate that the big banks are not superior to the smaller banks in terms of controls as is often claimed (Santomero, Reference Rexová, Bastin and Frynta1997).
5.4. Extreme events in US and EU markets
This section investigates the extreme operational risk events in the US and EU markets. Only the events with a recorded loss over US$ 100 million were taken into consideration. Figures A.9 and A.10 in Appendix B show the summary for the trees for extreme events in US markets and EU markets from 2008 to 2014. The results are summarised in Figures 16–19.
Figures 16 and 17 show the major Level 1 characteristics related to extreme events in the US market are “Internal fraud”, “Legal issue”, “Poor controls” and “Regulatory issues”.
Figures 18 and Reference Kurtyka19 show the significant Level 1 characteristics for cumulative periods and separate periods for extreme loss events related to banks in the EU are “Legal issue”, “Money laundering” and “Regulatory issues”.
The analysis of extreme events indicates:
-
1. The common Level 1 characteristics for the US and EU extreme events, “Legal issue” and “Regulatory issues”, appear in most cumulative and separate periods, indicating that “Regulatory issues” and “Legal issues” are the most common Level 1 characteristics that lead to extreme loss events.
-
2. Other major Level 1 characteristics for the US extreme events include “Misleading information”, “Internal fraud” and “Poor controls”. But the EU market extreme events show a different significant Level 1 characteristic as being “Money laundering”, indicating that there are differences in the drivers of extreme operational risk events in the US and EU. This possibly indicates differing business management approaches to extreme events, different attitudes to regulations or different attitudes of the regulators.
6. Conclusion and Discussion
We have applied a cladistics analysis to operational risk analysis to identify the stable key characteristics of operational risk events, which then assists management and regulators to better control operational risk events.
The present study is based on a large global data set that includes descriptions of the loss events from which the common characteristics for the loss events can be derived.
We explored the characteristics related to operational risk events for the whole industry as well as for the big banks and extreme events separately, and found that:
-
1. For both Basel-based characteristics and our derived characteristics set, the key characteristics of US and EU market are stable across time and region, but care is needed in interpreting this result as the underlying causes of these high level characteristics may well have been changing.
-
2. Compared to the whole market, big banks present similar key characteristics in operational risk events.
-
3. For extreme risk events, the characteristics across the US and EU are different.
What is of interest from this analysis is that it appears the main characteristics of operational risk events are the same across the world and across big and small banks, which would imply that the operational procedures and controls (or lack thereof) are the same, i.e., banking is truly a global uniform system.
The analysis provides a viable basis for banks to analyse their operational risk events and to then determine the common characteristics that can then be given attention by management to reduce the losses to the acceptable level taking into account the cost of doing so. The cladistics analysis provides an insight into the complicated financial world not available through traditional statistical analysis.
Acknowledgements
The authors would like to thank Joshua Corrigan, previously of Millimans and Dr Amandha Ganegoda, Operational Risk Manager at ANZ for their comments and support during the analysis undertaken for this paper. The authors would also like to thank Caroline Coombe from ORIC International for her support and access to the data.
Appendix A
Table A.1 Basel-based characteristics.
Table A.2 Derived characteristics.
Appendix B
Figure A.1 Result of analysis with Basel characteristics in US market, year 2008–2014.
Figure A.2 Result of analysis with Basel characteristics in EU market, year 2008–2014.
Figure A.3 Result of analysis with derived characteristics in US market, year 2008–2014.
Figure A.4 “Computer hacking” branch for US banks 2008–2014 with derived characteristics.
Figure A.5 Result of analysis with derived characteristics in EU market, year 2008–2014.
Figure A.6 “Misleading information” branch for EU banks 2008–2014 with derived characteristics.
Figure A.7 Result of analysis for “Big banks” in US market, year 2008–2014.
Figure A.8 Result of analysis for “Big banks” in EU market, year 2008–2014.
Figure A.9 Result of analysis for extreme events in US market, year 2008–2014.
Figure A.10 Result of analysis for extreme events in EU market, year 2008–2014.
