
Operational risk

Operational risk is the risk associated with a company's performance of its business functions, including the risks of fraud and external events. The most widely accepted definition is the one given in Basel II:

Operational risk is the risk of loss resulting from inadequate or erroneous internal processes, actions of employees and systems, or external events. This definition includes legal risk, but excludes strategic and reputational risks.

A more comprehensive definition of operational risk is given by the Central Bank of the Russian Federation: operational risk is the risk of losses arising because the internal rules and procedures for conducting banking operations and other transactions do not correspond to the nature and scale of the credit institution's activities and/or to the requirements of current legislation, because they are violated by employees of the credit institution and/or by other persons (through unintentional or deliberate actions or omissions), because the functional capabilities (characteristics) of the information, technological and other systems used by the credit institution are inadequate (insufficient) and/or those systems fail (malfunction), and also as a result of external events [1].

The National Bank of the Republic of Belarus defines operational risk as the risk of losses and/or additional costs for a bank arising because the bank's rules and procedures for performing banking operations and other transactions do not comply with legislation or are violated by bank employees, because of the incompetence or errors of bank employees, because of the inadequacy or failure of the systems used by the bank, including information systems, or because of external factors.

Operational risk is inherent in all banking products, lines of business, processes and systems, and effective management of operational risk is always one of the main elements of a bank's risk management system. In global banking practice, operational risk management is a key, top-priority task. Operational risk pervades every aspect of risk: it is interconnected with all other types of risk, such as market risk, credit risk and liquidity risk, and complicates them. In the absence of operational failures, all other types of risk are significantly less important.


Goals and objectives of operational risk management

Goals

The objectives of operational risk management may have different scale and priority (depending on the entity that sets such goals).

For the state and society, the goal of managing operational risks in banks and companies is, above all, ensuring the stability of the economy.

For the owners and management of a particular organization, practical goals are important, the achievement of which carries economic benefits and is amenable to unambiguous quantitative or qualitative assessment.

So, in practice, the management of companies usually sets the following groups of goals:

  1. Minimization of losses of the organization (including the elimination of imperfect processes);
  2. Ensuring business stability;
  3. Ensuring the capital adequacy to cover future losses (the most accurate assessment of future losses);
  4. Improving the status of an organization (to improve the conditions for attracting resources, to obtain various favored regimes, to increase the rating, for example, before an IPO ).

Tasks

 

For the management of the organization, the transparency and clarity of the tasks that will contribute to the achievement of the above objectives is important. Thus, in practice, the management of companies usually sets tasks for the implementation of the following tools (or components) in operational risk management in an organization:

  1. Effective incident handling (effective incident management system).
  2. Identification of risks and their elimination (risks identification and elimination system).
  3. Organization of early warning of risks (an early warning system):
    • Risk self-assessment (risk and control self-assessment - RCSA);
    • Monitoring of key risk indicators (key risk indicators - KRIs);
    • Monitoring key performance indicators of risk management (key performance indicators - KPIs);
    • Monitoring key risk controls (key control indicators - KCIs);
    • Scenario risk analysis and stress testing (scenario analysis, stress tests);
    • Analysis of external losses from operational risks (external loss data analysis);
    • Maintenance and evaluation of risk maps (risk register) (risk maps);
    • Calculation of the size of operational risk (calculation of the operation risk - VaR OpRisk).
  4. Ensuring business continuity.
  5. Coordination of the work of all departments in managing their risks (coordination all units of managing their risks).
  6. System of reports and forecasts, maintaining a risk base (risks database and reports).
  7. Monitoring compliance with risk minimization standards.

The scheme of goals and objectives of operational risk management (taking into account practical priorities for the management of organizations) is shown in the figure to the right.

Operational risk factors

The main operational risk factors are related to:

  • accidental or deliberate actions of people or organizations directed against the interests of the organization, including non-compliance with legislation and with the internal rules and procedures provided for;
  • imperfections in the organizational structure (the distribution of responsibilities among departments and employees), in rules and procedures and their documentation, ineffective internal control, etc.;
  • malfunctioning systems and equipment;
  • external circumstances beyond the control of the organization.

Operational risk classification

Personnel risk is the risk of losses associated with mistakes and illegal actions of Bank employees, their inadequate qualifications, excessive workload, inefficient organization of labor in the Bank, etc.

Process risk is the risk of losses associated with errors in the processes of conducting operations and settling them, and in their accounting, reporting, pricing, etc.

Systems risk is the risk of losses due to imperfections in the technologies used in the Bank: insufficient system capacity, systems that are inadequate for the operations performed, crude data processing methods, poor quality or inadequacy of the data used, etc.

External environment risks are the risks of losses associated with changes in the environment in which the Bank operates (changes in legislation, politics, economics, etc.), as well as the risks of external physical interference with the organization's activities.

Categories of types of operational risk events according to Basel II [2] :

  • Internal Fraud
  • External Fraud
  • Employment Practices and Workplace Safety
  • Clients, Products, & Business Practice
  • Damage to Physical Assets
  • Business Disruption & Systems Failures
  • Execution, Delivery, & Process Management

ORX classification:

Depending on the level in the hierarchy, organizations distinguish corporate-level risks, business unit risks and division risks.

Methods for assessing operational risk

Basel II provides the following approaches to assessing the operational risk of banks:

  • Basic Indicator Approach (BIA)
  • Standardized Approach (TSA) and Alternative Standardized Approach (ASA)
  • Advanced Measurement Approaches (AMA), which include:
    • Internal Measurement Approach (IMA)
    • Loss Distribution Approach (LDA)
    • Scenario-Based Approach (SBA)
    • Scorecard Approach (SCA)

At the end of 2015, after discussions in its working groups, the Basel Committee on Banking Supervision (BCBS) decided on the upcoming withdrawal of the AMA from Basel II, as it had not met expectations for simplicity and comparability. It is to be replaced by a single universal standardized approach based on one model that combines sufficient sensitivity with acceptable simplicity and comparability.

Initially (2014–2015), the New Standardized Approach (NSA) was considered for this role. Its main difference from the BIA was the replacement of gross income (GI) with the Business Indicator (BI) as the basis for determining the size of operational risk.

Later, the BCBS considered proposals for the implementation of the Standardized Measurement Approach (SMA), the main points of which were described in the consultative document "Standardized Measurement Approach for operational risk" (d355, March 2016, http://www.bis.org/bcbs/publ/d355.htm ). An unofficial Russian translation of this document was made by an initiative group of Russian risk managers and posted on the website of the Association of Russian Banks: http://arb.ru/b2b/discussion/podkhod_k_standartizirovannomu_izmereniyu_operatsionnn_riska-10005402/ .

The key innovation of the SMA was that, in addition to the Business Indicator Component (BI Component), which reflects the industry-average operational risk, the model included a Loss Component, which takes into account the operational risk characteristics specific to a particular bank according to its internal loss statistics for recent years (no less than 5 years). A number of other innovations were also introduced into the model (additions to the components of the BI, changes to some calculation formulas, the introduction of a number of restrictions, etc.).

 

In December 2017 the BCBS adopted a new methodology for the standardized assessment of operational risk for calculating capital adequacy as part of the Basel III: Finalising post-crisis reforms program (Chapter IV, "Minimum capital requirements for operational risk"). However, not all of the innovations previously proposed in the SMA are reflected in the final version of the document: https://www.bis.org/bcbs/publ/d424.htm . An unofficial Russian translation of Chapter IV of this document was made by an initiative group of Russian risk managers: http://www.dvbi.ru/risk-management/Basel .

As indicated in the preamble of this document, the introduction of this approach into practice (as well as most of the other described approaches) is planned from January 2022.

Operational Risk Entities

The Bank of Russia and Basel documents provide three types of entities that manage operational risks (three lines of defense) [3] :

1st line of defense - all divisions and employees of the organization (they work with operational risks at the place of its origin).

The 2nd line of defense is the entity that coordinates the entire operational risk management system as a whole.

The 3rd line of defense is an internal audit unit that performs an independent audit of the operational risk management system.

 

In practice, disputes quite often arise over who belongs to the second line of defense. In addition to the operational risk division, the security service, the compliance service and other service (non-business) units count themselves as part of the second line of defense. They justify this position by the fact that they set rules on the risks they supervise that are mandatory for everyone, and therefore act as coordinator toward other units within the scope of their functions. First, having several coordinators of the system contradicts the principle of unity of command, under which the system must have a single final coordinator (the responsible party). Secondly, having several entities in the second line of defense contradicts the requirements of the regulatory documents (see the reference above). Thirdly, the fact that the security service, the compliance service and other service units set rules on their specialized risks that are mandatory for everyone is not an argument here: if that rationale is taken further, the internal audit unit (the 3rd line of defense) would have to "move" to the first line, since security and compliance requirements apply to it as well.

To satisfy, on the one hand, the logical requirement of a single system coordinator enshrined in the regulatory documents and, on the other hand, the demands of the units managing specialized risks to be placed in the second line of defense, organizations often conditionally split the first line of defense into two "sub-lines" (conditionally 1.1 and 1.2). Line 1.1 comprises the business units, and line 1.2 comprises the owners of specialized risks.

The scheme of the entities managing operational risks (taking into account the features of the first line of defense) is presented in the diagram on the right.

First line of defense

Organizations themselves determine the types of those responsible, their number and the particular distribution of rights and obligations within each line of defense. Below is one of the possible variants of such a distribution, which corresponds to the diagram on the right.

The first "line of defense" includes the process of managing operational risks at the level of each organizational unit, its processes, tools and resources (a decentralized approach).

As part of the first line of defense in organizational units, operational risks are managed by:

  • risk coordinators;
  • incident experts;
  • registrars.

Risk coordinators

Risk coordinators are employees who are responsible for organizing the management of operational risks of a particular department and regional employees who are functionally subordinate to this department. Risk coordinators are the head of the department and the staff appointed by him to perform the duties of the risk coordinator.

The duty of the risk coordinator is to organize and monitor the implementation of the following risk procedures by the employees of their department and regional staff:

  1. Effective work with incidents.
  2. Identification of risks and their elimination.
  3. Maintain risk early warning tools.
  4. Business Continuity.
  5. Coordination of the work of all functionally supervised employees in managing their risks.
  6. Maintaining a system of reports and risk forecasts.
  7. Control compliance with risk minimization standards.

Incident Experts

Incident experts are employees of organizational units (located in the Central or Head Office, regional and other divisions) who, within their authority, deal with the consequences of incidents that have occurred.

The duty of the incident expert is to organize and carry out effective work with incidents (their identification, damage minimization, investigation, report on the implementation of measures) and assistance to the risk coordinator and risk manager in the organization of risk procedures.

Registrars

Registrars are all employees of the divisions, as they can detect incidents and problems that cause operational risk as part of the performance of their functions. The duty of the registrar is to promptly inform the incident expert and the risk coordinator about the detected incident, problem or risk (or to register them).

The listed entities of the first line of defense exist, of course, in every department of the organization, since each department already handles its incidents, makes methodological and technological improvements to its processes, ensures that employees can stand in for one another (as part of business continuity), and so on. If these roles are not properly formalized in a department, risk managers help that department formalize them and provide training.

Second line of defense

The second "line of defense" includes the process of coordinating the operational risk management system as a whole, checking data and reports on operational risks, organizing the activities of risk committees, and reporting to the management of the organization (a centralized approach).

Within the second line of defense, operational risks are managed by:

  • risk committee;
  • risk director (or vice chairman of risk);
  • risk managers (operational risk unit employees).

Risk Committee

The risk committee (or another committee vested with the corresponding powers; hereinafter, the risk committee).

The risk committee (within operational risk management) is the highest collegial body, which makes decisions on the organization's actions with respect to particular risks (including operational ones). The chairman of the risk committee is usually the risk director, who has the right of veto over any decision of the committee.

Rights of the risk committee (within operational risk management):

  1. Resolves disagreements arising in the course of the operational risk management process. Makes decisions on red-zone operational risks, as well as on less significant risks when they have been escalated to the committee level.
  2. Approves the operational risk management methodology to ensure a common understanding of risks.
  3. Approves the level of operational risk for the year, that is, the organization's risk appetite (the threshold risk with regard to developing and approving measures to minimize it).
  4. Initiates the development of strategies, policy and fundamental approaches to managing the organization's operational risks and submits them to the organization's Management Board for approval.
  5. Continuously monitors that the approaches to operational risk management conform to the adopted strategy.
  6. Approves the operational risk management reports to be included in the report for the organization's Management Board.
  7. Initiates the development of effective measures and exercises subsequent control over operational risks within committee meetings.
  8. Approves the scope of competence of the operational risk management units, and ensures that they have sufficient resources and appropriate access to information to perform their functions effectively.

Risk director

The risk director (within operational risk management) is the person who makes decisions on the organization's actions with respect to operational risks classed as yellow-zone risks, as well as on green-zone risks in cases where they have been escalated to the level of the risk director. The risk director is also responsible for organizing operational risk management throughout the organization and for the effectiveness of operational risk management.

Risk managers

Risk managers are employees who are responsible for organizing operational risk management throughout the organization (in every unit and by every employee). All employees of the operational risk unit are risk managers.

The duty of the risk manager is to organize and monitor the implementation of the following risk procedures in every department and unit of the organization:

  1. Effective work with incidents.
  2. Identification of risks and their elimination.
  3. Operation of the early risk warning system.
  4. Ensuring business continuity.
  5. Coordination of all work in operational risk management.
  6. System of reports and forecasts, maintaining a risk base.
  7. Monitoring compliance with risk minimization standards.

Third line of defense

The third "line of defense" includes the process of independent control and regular audit of the effectiveness of the entire operational risk management system, and control of its compliance with the requirements of the Central Bank of the Russian Federation and the Basel Committee.

In the third line of defense, operational risks are managed by the audit unit, namely by the auditors.

Auditors

The duty of the auditor (within operational risk management) is to carry out ongoing independent control and regular audit of the effectiveness of the entire operational risk management system and of its compliance with the requirements of the Central Bank of the Russian Federation and the Basel Committee, and to issue opinions on compliance or non-compliance, with comments that must be addressed.

Operational losses: events

Russian practice:

Robbery of Sberbank cash-in-transit couriers in Perm. The total amount stolen was about 250 million rubles.

About 12 million rubles stolen from cash-in-transit couriers of Credit Bank of Moscow

The Investigative Committee of Russia (SKR) brought final corruption charges against former Rosbank head Golubkov

In Krasnodar, 20.5 million rubles stolen from an MTS Bank office

Searches in the case of the theft of 1.2 billion rubles from Rosselkhozbank are under way in Moscow and Novosibirsk

Former head of the Orenburg branch of RSHB accused of causing the bank 100 million rubles in damage

In St. Petersburg, cash-in-transit couriers carrying 200 million rubles shot each other

In Moscow, an ATM containing 8 million rubles was stolen from a Sberbank branch

Sberbank employee stole 2 million rubles from a client's account

In the north of Moscow, the roof of the Rosprombank building collapsed

The police arrested 13 people who stole 70 million rubles using an Internet virus

In Dagestan, 2 billion fake rubles were seized from counterfeiters

The former head of the VTB branch in Kemerovo received three years in prison for the theft of 345 million rubles

Six employees of GE Money Bank died in a plane crash near Kazan

In Moscow, an attacker tried to redeem a forged bill at a bank for 100 million rubles

In Perm, the central office of Sberbank was evacuated because of a bomb

TCS Bank suffered the largest stock-market fall of the year among banks

Fire in the Russian Post building on Warsaw highway (May 2013)

Western practice:

BARINGS PLC - 1995, USD 1.3 billion - unauthorized trading by Nick Leeson.

Mizuho Securities - December 2005 (USD 250 million) - trading error (620 thousand shares sold for 1 yen each instead of 1 share for 620 thousand yen); the shares sold amounted to 4 times the number of the company's shares in circulation; "fat finger" syndrome (i.e. errors during exchange operations).

SG - 2008, 4.9 billion euros net of taxes (or 6.3 billion before taxes). The reasons are: unauthorized trading, fake hedging, risk measured/assessed on a post-tax basis, password management and knowledge of control mechanisms; weak control mechanisms; a "culture of tolerance" that ignored warning signals; the structure of trader incentives; etc.

UBS - write-off of substandard loans related to losses in case of default (over $38 billion); S&P lowered the rating to AA due to "omissions in risk management". Without a capital increase or a level 1 capital adequacy ratio, it will fall to 7% (the PR in terms of credit risk loss).

The US mortgage crisis - mortgages were registered not in the registries of local authorities but in the Electronic Registration System owned by banks (64 million mortgages).

Operational Risk Management

The operational risk management system is a set of organizational, methodological, informational tools aimed at preventing possible operational risks, minimizing negative consequences and preventing repeated incidents of operational risk.

Operational risk management is designed to reduce organizations' losses from the various types of operational risk incidents and to give the company's management a system for drawing up "action plans to prevent operational risks" and "action plans in case of operational risk incidents".

Principles of Operational Risk Management

The Basel Committee established the following basic principles of operational risk management in a credit institution [4] [5] :

Principle 1. The key role of the board of directors in the formation and maintenance of a developed operational risk management culture at all levels of the organization

Principle 2. Banks should create, implement and use a management system that is fully integrated into the overall risk management process.

Principle 3. The board of directors should develop and analyze a risk management system and exercise control over the executive bodies.

Principle 4. The board of directors should establish risk appetite and acceptable risk levels.

Principle 5. The executive body should develop and present to the board of directors a clear, effective and reliable management structure with well-defined, transparent and consistent areas of competence. The executive body is responsible for the consistent implementation and application of principles, processes and operational risk management systems in accordance with the risk appetite and the acceptable level of risk.

Principle 6. The executive body should ensure the identification and assessment of operational risk with a view to a clear understanding of the nature of the risk and its factors.

Principle 7. The executive body must ensure that innovations are approved in light of operational risks.

Principle 8. The executive body should organize regular monitoring of operational risk, including the reporting system of departments.

Principle 9. The presence of a reliable system of internal control, as well as an appropriate system to reduce or transfer risk.

Principle 10. Development of plans for ensuring continuity and recovery in the event of operational risks.

Principle 11. Information published by the bank should allow stakeholders to evaluate its approach to managing operational risk.

Operational Risk Management Methods

  • Risk audit of operations, procedures and activities
  • Collection and analysis of internal and external data on operational risks
  • Monitoring Key Risk Indicators (KRI)
  • Assessment (including scenario analysis) and operational risk self-assessment by business units
  • Regulation of business processes (internal rules and procedures)
  • Monitoring compliance with laws and internal rules and procedures
  • Control of information technology risks
  • Training and improvement of personnel motivation system
  • Automation of business processes, including individual (standard) control procedures
  • Regular internal reporting of operational risks
  • Development of plans for ensuring continuity of activities and actions in case of implementation of operational risks
  • Operational risk insurance
  • Outsourcing of individual functions

Key indicators of operational risk

A key risk indicator (KRI; in Russian usage, KIR or KIOR) is an indicator used to monitor and predict the occurrence of operational risk events.

Key risk indicators are used for regular monitoring (at intervals that depend on the particular indicator) of risk exposure and of the sources (causes) of losses.

Examples of key risk indicators are: staff turnover, the number of equipment failures, equipment downtime, the number of correctional orders, the number of violations of the law, internal documents, etc.

Motivation system

Without motivation, it is impossible to expect people to take a sincere part in managing operational risks. Incentives may be rewarding or disciplinary and apply both to management and to ordinary employees of the bank.

For senior management, a bonus scheme can be introduced in which remuneration takes the form of bank shares awarded in proportion to the time worked without significant or catastrophic operational incidents. Well-designed, simple and clear operational risk reporting also provides a certain incentive for developing and supporting operational risk management.

At the grassroots level, it is necessary to develop material and moral incentives for operational risk management both for individual employees and for groups (divisions). They can be included as part of maintaining a quality system, but this question remains a matter for creative joint work between the operational risk manager and the personnel department. The literature gives, for example, the selection of the best bank unit with work on operational risks taken into account.

In order to increase the culture of working with operational risks, this issue is often included in the team building agenda under the guise of various game tasks, presentations and competitions. For example, there may be reviews of humorous clips on the topic of interaction problems between departments (operational risk - processes, personnel). These clips can be prepared in advance by the units, viewed on team building by the whole team. The creators of the funniest videos can be awarded with valuable prizes.

Structure of the operational risk division and its KPIs

The effectiveness of operational risk management depends largely on how the operational risk division is organized and on what quantitative and project goals (KPI) it has.

 

An example of the organizational structure of the operational risk division and its KPI is shown in the figure to the right (such a structure is justified mainly for large organizations with a total of one thousand people).

The division of employees into departments (or groups) presented in the diagram is mainly due to the incompatibility of knowledge, skills, and interests necessary to perform the tasks of the departments.

Risk Identification Unit

The department for identifying and eliminating risks (department 2 in the diagram) consists of employees with interests and deep knowledge in the field of methodology and operational activities. By type, these employees are humanities-oriented. They have extensive experience in various departments of the bank, they know all the banking processes and their weak points, and they know the risks; these are the most expensive employees.

Risk Early Warning Division

The department for early warning of risks (department 3 in the diagram) consists of employees with interests and deep knowledge in the field of statistical analytics and reporting. By type, these employees are "techies", mathematicians. They are experienced in collecting and analyzing large amounts of data, detecting trends mathematically, identifying their causes, and programming, for example, in SAS Enterprise Guide, SPSS Clementine / Modeler or other tools. These are also highly paid employees.

Incident Management Coordination Unit

The department coordinating incident management in the divisions (department 1 in the diagram) consists, first, of a group of "methodologist-trainers", who coordinate the activities of all the divisions and teach them how to work with risks and incidents (these are less "expensive" employees). Secondly, it includes a group of employees who check the stream of incidents, without deep skills and knowledge (these are the most "low-cost" employees). By type, these are pronounced "restless extrovert-peacemakers" with experience of successful interaction with other employees.

See also

  • Basel II
  • Banking risk
  • Management of risks
  • Fraud
  • Information Security
  • Compliance control
  • Insurance
  • Black swan (theory)
  • Phishing
  • Controlling
  • Stress testing

Notes

  1. Bank of Russia Letter No. 76-T dated May 24, 2005, "On the Organization of Operational Risk Management in Credit Institutions"
  2. Annexes to Basel II (working version of the transfer of securities)
  3. In accordance with paragraphs 13-16 of the letter of the Central Bank N69-T dated 16.05.2012, as well as the document "Principles for the Sound Management of Operational Risk", Basel Committee on Banking Supervision, June 2011.
  4. Principles for Sound Management of Operational Risk, June 2011
  5. Bank of Russia Letter No. 69-T dated May 16, 2012, "On Recommendations of the Basel Committee on Banking Supervision", Principles of Proper Operational Risk Management
Source - https://ru.wikipedia.org/w/index.php?title=Operational_risk&oldid=97825783

