Institutional operational risk
Anonim

Business is full of risks. They are encountered at every turn. One of the most likely is operational risk. What does it represent? How is operational risk managed? What affects its magnitude?

General information

We'll start with the terminology. Operational risk is the risk of loss due to errors or inadequate actions by the organization's employees, system failures or external events. These include reputational, strategic and legal losses. That is, operational risk is associated with the performance of the enterprise's business functions. The term is used to denote the risk of additional costs due to inconsistency with the nature and scale of the credit structure, violation of the requirements of current legislation, or violation of the procedures for interacting with banking institutions. For example, it can include a violation by a bank employee, unintentional or deliberate illegal actions on the employee's part, or a failure of functional or automated systems due to external influence.

Depending on their origin, risks are divided into internal and external. These, in turn, are divided into classes. Internal risks include everything related to people, processes and systems. Let's look at a few examples. Can the actions of employees cause harm? A threat. Are there flaws in business processes? A threat. Can information systems fail? A threat. External risks cover catastrophes, security (physical and data), disruption of relationships with customers and counterparties, and risks from regulatory authorities. Let's look at examples for these cases. Can fires and terrorist attacks happen? A threat. Can low-quality or false information, goods, services or technologies disrupt interaction with customers and counterparties? A threat. Will forgeries, thefts, attacks, break-ins and the like undermine the position of the organization? A threat. Will changes in legislation and the regulatory framework force additional activities? A threat.

Essence and types

If you want to avoid something, you need to know it well. The world is evolving and becoming more complex, and because of this the danger from operational risks increases. Basel II is taken as the reference for what follows. According to it, operational risks include everything that can lead to material damage to the organization due to incorrect actions of personnel (or failure to perform the necessary ones), external influences, erroneous processes, and the like. The risks themselves are not spelled out in detail, and there is no advice on how to organize an effective fight against them. The main purpose of Basel II is to calculate the amount of coverage for them. In addition, there is a strong management system, whose task is to help reduce the likelihood of operational risks. The document provides that management and the board of directors should take on the function of overseeing them. It is they who are responsible for reporting on operational risks and the amount of current damage. From this point of view, two types are distinguished: those that directly or indirectly depend on a person, and force majeure circumstances. The latter include earthquakes, hurricanes, mudflows, landslides, and so on. The first type is much more diverse. There are four main groups:

  1. Deliberate actions. These include fraud and other deliberate actions that lead to damage.
  2. Unintentional acts. This is a choice of technology that is not fully developed, erroneous unintentional actions of employees, inadequate performance by managers of their duties.
  3. Technical risks that are directly or indirectly related to human activities. This is a failure in the network, external communications, breakdown of machine tools and the like.
  4. Program risks that are directly or indirectly related to human activities. This is a failure in telecommunications and / or computer equipment.

Practical Implementation Specifics

As people in the know can attest, operational risk management in practice differs a lot from the theoretical advice. In particular, it is quite rare for management to take on problems caused by malfunctions in the information system. The usual practice is to hand such work to specialists with lower qualifications. This approach often leads to even greater losses. This matters, if only because operational risk is one of the three most important and significant risks. In practice, the following subtypes are also common:

  1. The risk of leakage or destruction of information that is necessary for the formation of organizational processes. It implies intentional or accidental deletion of files in an automated information system. These actions can lead to a serious failure and the inability of the commercial structure to fulfill its obligations to customers.
  2. Risk of using biased or falsified (fake) data. An example would be a fake payment order. There are more complex variants too, for example reusing a previously transmitted payment with one of the participants substituted.
  3. Risk of problems with providing objective and up-to-date information to clients. As a rule, this is due to the operation of computer systems.
  4. Risk of transmitting information that is disadvantageous to the organization. Examples include rumours, slander, compromising information on senior officials, leakage of valuable documents (with subsequent exposure to the media) and the like.

Causes and how to deal with them

An organization's operational risk doesn't arise out of nowhere. Any problem has its root. The main reasons include the following:

  1. Lack of qualifications and lack of a serious approach to training and professional development. The human factor can greatly influence the organization and is most often the source of problems. So, many companies are unable to properly use the available capabilities of information systems. This is exacerbated by the limited level of knowledge of ordinary users.
  2. Failure to give due attention to information security and disregard for the real threats that come from this sector. Disregard by the governing bodies, insufficient funding, a lack of measures to increase system reliability, and so on only exacerbate the situation.
  3. Low quality, as well as insufficient development of procedures aimed at preventing risks. Also, few people care about the existence of an adequate policy and job description in the field of security. Because of this, in crisis situations, confusion and ignorance of employees can exacerbate the problem.
  4. An ineffective system for protecting information assets. An attacker only needs to find one weak spot, and that can be enough to cause serious damage. It is best if defense in depth is provided.
  5. A large number of weaknesses in automated systems and various software products when untested software is used. For an attacker, this is a real gift.

Fixing the situation

So what is to be done? Numerous types of operational risks threaten to materialize, so you should remember the old adage that the fish rots from the head. It is therefore necessary to start with management. You can implement the following items:

  1. The top manager (board of directors) plays a key role in the formation of a management, control and protection system.
  2. We need to create, implement and adequately apply seamless systems wherever they are needed and worth developing.
  3. We need to work on the risk management system. After it is created, you need to analyze for the presence of vulnerabilities. You should also think about control over the executive bodies.
  4. The top executive (board of directors) sets risk appetite limits.
  5. The executive body should develop a clear, effective and reliable toolkit with transparent, consistent and meaningful areas of competence. It will be entrusted with the implementation of the basic principles, processes and systems involved in risk adjustment.
  6. The executive body should identify and evaluate current problems, as well as formulate their nature and factors. In addition, it should ensure the implementation of the developed innovations. The executive body can also be entrusted with monitoring and controlling the reporting of individual units.
  7. A reliable and comprehensive system of control and risk transfer/mitigation must be in place.
  8. A plan should be developed to ensure the recovery and business continuity of the organization if obvious problems arise.

Is that all?

Of course not. These are only general statements covering the fundamental points. When working with specific situations, they will need to be tailored to existing conditions. Let's look at a small example. A bank has well-defined management procedures in place for the event that a credit risk threat materializes. Criteria are set for potential borrowers, and collateral is required for loans. An external specialist is engaged to assess the proposed collateral. The specialist assigns the collateral a higher price than it is actually worth on the market, so the situation develops in favor of the borrower. At the same time, the adequacy of the assessment is not rechecked within the bank. After a certain time, the borrower becomes unable to repay the loan. The bank expects to recover the debt by selling the collateral, but in practice it turns out that the market price covers only half of the loan. The cause of this problem is non-compliance with procedures: according to existing requirements, financial institutions must double-check the price of collateral. This is how operational risk increased, and credit risk after it. One can also recall how individual banks issue deliberately bad loans, violating every conceivable procedure. Such institutions quickly end up in the queue for liquidation. In this case, connivance on the part of employees affects the magnitude of operational risk. Alas, it is extremely difficult to avoid such situations completely. The risk can only be minimized by introducing training, an effective control system and strict discipline.

Real examples

Things can happen in life that even writers couldn't think up. There have been situations when the level of operational risk simply went off the scale, yet this could not be identified for a long time. Let's look at some of the most impressive examples.

One is Jerome Kerviel. He was a trader for the investment bank Société Générale. In 2007, he opened futures positions on the indices of European stock exchanges. It seems like a common story. But the sum of the positions was about 50 billion euros! This is one and a half times the capitalization of the bank! How was Jerome able to do this? The fact is that before that he worked in the office and knew well how the control mechanism worked. The positions were discovered only at the end of January 2008. It was decided to close them as soon as possible. But the huge position size triggered a sell-off in the stock markets. Because of this, the bank lost 7.2 billion dollars (or 4.9 billion euros).

Another example is John Rusnak. He worked in the American branch of the largest bank in Ireland, Allied Irish Bank. He was hired in 1993. In 1996, John began to carry out risky transactions with the Japanese yen. They were unsuccessful, and there were losses. But John managed to hide the growing losses from partners. For example, in 1997, he lost $29.1 million. In 2001, the amount was already 300 million! To hide such losses, he forged statements. For his operations, this trader even managed to get bonuses in the amount of 433 thousand dollars. Everything came to light in 2001. At the time of discovery, the total loss was $691 million.

Smaller losses and operational risks are much more common than such large ones. In the age of automation, with the right approach, they can be significantly minimized.

External risks and their solutions

External risks arise in the organization's relations with the outside world. These can be robbery, theft, penetration of the information system by third parties, failure of infrastructure and natural disasters. The legislative environment should perhaps also be included here. What operational risk assessment methods should be used to get an idea of the current situation? There are a number of recommendations for the general scheme of work. In addition, operational risk can be calculated using mathematical models specially created for this purpose. So what needs to be done to create an effective management system that can deal with problems?

Action plan

First of all, you need to take care of an adequate architecture. If the problems are in the system itself, then, alas, even the best specialist will not be able to provide a satisfactory result. The architecture must also be reasonable. Suppose there is a certain number of minor incidents that cost 10 thousand rubles a year. You can create a system that will prevent 100% of them, but it costs 100 thousand rubles. In this case, you should think about whether it is appropriate. Of course, if we are talking about theft or something similar that will gradually grow in scale, then there is no room for hesitation. After all, if you delay, the operational risks of the enterprise can increase so much that they destroy the company. To keep the system in generally adequate condition, three methods will help:

  1. Control self-assessment.
  2. Key risk indicators.
  3. Operational incident management.

Solving Problems

Many factors affect the magnitude of operational risk. The fewer of them, the better. Ideally, problems are solved before they arise, so the assessment of operational risk plays a significant role. How should it be carried out? First of all, you need to focus on control self-assessment. To paraphrase, this method can be called a frank conversation about problems. It is implemented in the form of employee surveys. Then there are key risk indicators. These indicators let you know about upcoming problems even before they manifest themselves in full force, provided, of course, that they are adequately selected and their data is collected. Rounding out the trio is incident management. The purpose of this procedure is to investigate problems, identify their scope and deal with them. If this is not done, the company faces financial risks. Operational risk tends to increase over time. This must be remembered.
