The many transformations in the banking industry in the last decades and the series of banking scandals and collapses have emphasized the relevance of operational risk to the extent that the phenomenon has drawn the attention of banking supervisory authorities, practitioners and scholars. The appearance of operational risk can be linked to several elements of change, such as the growing sizes of institutions and their greater organizational complexity as well as the emergence of new products and business lines; the technological change and the development of e-commerce and e-banking; the more intensive competition and globalization of the financial market. Last but not least, the recent international financial crisis certainly represents another source of operational risk: its occurrence evidenced several flaws in the organization as, for example, internal controls that should have prevented failures in lending and securitization were not in place. Loan officers failed to identify healthy borrowing firms, rejecting their legitimate loan applications. At the same time, loan officers failed to detect borrowing firms that were heading towards bankruptcy and approved their illegitimate loan applications. Such occasional miscalculations eventually turned into financial losses for the banks. Additionally, securitizations contributed to transmitting the operational risk from one bank to another, creating a domino effect and a systemic risk. Consequently, the financial crisis further evidenced the importance of banks having an effective operational risk management that could ensure financial stability, at both individual and systemic levels.
The need to strengthen controls over operational risks highlights the initiatives of the Basel Committee on Banking Supervision carried out between 2001 and 2006 (Basel 2), aimed at including operational risk in the international regulatory framework. Such initiatives covered a key role in setting a universal definition of operational risk: until then, operational risk had included any risk that did not fall within the category of market or credit risk, clustering residual and heterogeneous risks. The Basel 2 framework defines it as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
This definition includes legal risk, but excludes strategic and reputational risks. The same sources of operational risk are identified in the current EU prudential regulation (Capital Requirements Regulation—CRR—575/2013 and Capital Requirements Directive—CRD—36/2013).
Hence, both provisions (Basel 3 and EU legislation) outline a clear causal definition of operational risk that inevitably involves a strict analysis of the processes, systems, people and external events, which represent the possible sources of operational losses.
Compared to other types of risk, operational risk presents some quite distinctive features. First of all, it is generally a one-sided risk; it tends not to be correlated with the expected return; it is transversal to the whole banking activity, is not easy to transfer and/or hedge and is not correlated with the bank’s size and/or its volume of business. Moreover, while some losses are clearly the result of operational risk, for others it is less clear whether they should be classified as operational risk or other risk categories, thus raising the problem of boundary operational losses.
Accordingly, the prudential regulation provides some details on the matter to prevent overestimates, double counting or improper reductions of capital requirements. The definition of the boundary between operational risk and other risks (credit and market risks) has been identified by the industry as a fundamental issue towards the consistent collection and modelling of operational risk loss data. Likewise, the definition of operational risk boundaries that distinguish it from other types of risk such as strategic, reputational and compliance risks helps avoid overlaps in risk management caused by similarities among the types of risks.
While the complexity of the definition of operational risk and scope represents a crucial matter and is constantly the object of interest for the financial community, great attention is also given to the calculation of operational risk capital requirements. Particularly, the current regulatory framework (Basel 3 and EU CRR 285/2013) provides multiple methods for calculating operational risk own funds and aims to ensure correspondence between the degree of refinement of the approach and the level of an intermediary’s risk exposure, to limit the burden of regulation on smaller banks and to formally acknowledge at supervisory level the improvements adopted by banks in operational risk management practices. To this end, alternative approaches have been set out for calculating operational risk capital requirements, each of which incorporates different levels of risk-sensitivity and requires distinct degrees of sophistication: the basic indicator approach, the standardized approach (and the alternative standardized approach) and the advanced measurement approach. In a continuously changing context, the implementation of operational risk standards is still being monitored by the supervisory authority. In particular, the Basel Committee has recently provided comprehensive guidance regarding the qualitative requirements that should be observed to achieve more rigorous and comprehensive operational risk management. The Basel Committee has also proposed a review of the operational risk capital framework. In order to address a number of weaknesses of the current framework and at the same time ensure the objective of balancing simplicity, comparability and risk sensitivity, the proposal aims to introduce a revised methodology, the standard methodology approach, which should replace the existing standardized approaches for calculating operational risk capital as well as the advanced approach, thereby simplifying significantly the regulatory framework.
In this evolving scenario, both at regulatory and operating level, the organizational, mitigation and measurement issues are more and more crucial. Banks therefore need to develop, implement and maintain a sound operational risk management framework. This requires that banks introduce and foster a strong operational risk management culture throughout the whole organization. Moreover, the implementation of a sound operational risk management entails the need for an in-depth analysis of multiple business processes and sub-processes, phases, and activities. Such need reflects the interdependence between the operational risk exposure and the structure of a bank’s governance and organization, which has been observed in several cases of financial collapses where losses mainly associated with internal fraud were specifically connected to supervisory and operational failure on behalf of the board of directors and senior management. On the other hand, the focus on organization arises in response to the need of combining measurement systems with efficient and adequate control units for operational risk management. In order to achieve a comprehensive approach to operational risk, banks should also have appropriate mitigation and transfer strategies. In reference to this aspect, it is important that banks understand the extent to which risk mitigation instruments (e.g. insurance policies) truly reduce the operational risk exposure, transfer the risk to another business sector of the financial system or create new risks. Regulators recognize risk transfer or insurance as a mitigation tool only for the advanced approach and the eligibility of the instruments is subject to specific requirements. This opportunity has underlined in particular the strategic importance of insurance portfolio management in banks.
The development of the use of insurance within the operational risk management may in fact contribute to the reduction of the capital charge and the economic impact linked to the operational losses. On the other hand, there are a number of challenges, such as the difficulty in measuring the extent of insurance’s mitigating effect and the need to effectively match insurance products with operational losses (insurance mapping). Lastly, a sound operational risk framework depends on the adequacy, completeness and accuracy of the data used for building the measurement model. The degree of flexibility that banks have had in operational risk modelling has fostered the development over the years of a variety of methods. Currently, these may be linked to two categories, namely the loss distribution approach and the scenario-based approach. The former is derived from actuarial science; it is a rather widespread practice, yet it presents some methodological limitations. One, for example, is the assumption that the past is a reliable representation of the future, which may result both in under-representing the events that never occurred in recent memory and for which data is not available, and in over-representing the events that happened very frequently in the past and that have already been mitigated. In order to overcome the methodological limitations of the Loss Distribution Approach (LDA), the best practices tend to combine this approach with the Scenario-Based Approach (SBA), which sums the knowledge of experts who demonstrate a deep understanding of the bank’s business, threats and vulnerabilities and who make the operational risk calculation more responsive to the existing business processes and ensure that the bank is attending to its key operational risks.
This way qualitative and quantitative approaches are combined to build loss distributions for individual and aggregate operational risk exposure, incorporating experts’ opinion of risk correlations and dependencies. The great complexity connected with a proactive management of the operational risk may represent an obstacle to its development by smaller banks. There is no doubt that in the case of small financial institutions the operational risk takes on a secondary role compared to other risks, more closely associated with typical banking activity (e.g. credit risk). This can be mainly due to the low degree of diversification of the activities carried out by smaller banks, which decreases the operational risk exposure and consequently the need to employ human, financial and technological resources in sophisticated systems of operational risk management. Nevertheless, it is crucial to examine how small-sized banks manage their operational risk exposure in order to understand the most important gaps and shortcomings and hence identify the opportunities of improvement for helping to create a level playing field. Although there are differences in the operational risk management depending on the size of the bank, it is possible to point out that the operational risk management is still generally at a stage of development, and calls for a greater commitment and awareness for a proactive management. This may be supported also by the disclosure requirements (Pillar 3). The current regulatory framework requires banks to provide accurate and comprehensive disclosure of their operational risk profile; in particular, banks are asked to disclose the approaches for the assessment of their own funds requirements.
The present book is divided into a total of eight chapters. The following chapter (Chap. 2) “The operational risk: an overall framework” describes the specific features of operational risk, as well as its origin and main sources. It also draws particular attention to the similarities and differences with other risks—credit, market, strategic, reputational and compliance risks.
The third chapter “The regulatory framework” analyses the main features of all the approaches for calculating the capital requirement for operational risk, highlighting critical issues of each approach. Finally, it provides a short description of the most recent initiatives of the Basel Committee; noteworthy is the recent new standardized measurement approach for operational risk proposed by the committee, as part of the broader objective of balancing simplicity, comparability and risk sensitivity.
The fourth chapter “Operational risk management: organizational and governance issues” examines the organizational and governance issues related to the measurement and control of operational risk, focusing on the key functions involved (e.g. committee, operational risk functions), on the interrelationship between the operational risk function and other functions (internal audit and compliance), as well as on the role of reporting and IT.
The fifth chapter “Operational risk mitigation: strategies and tools” provides a description of the regulatory framework of the operational risk mitigation techniques, focusing particularly on insurance, the main operational issues of their use as operational risk mitigants, with an emphasis on the most relevant impacts on the banks’ operational risk management. Finally, it reviews the most widespread instruments available to banks, both traditional and innovative ones.
The sixth chapter “Operational risk modelling: focus on the loss distribution and scenario based approaches” aims at analysing the specific features of both the methodologies, highlighting strengths and weaknesses of each. As it is not possible to state which approach is the best in absolute terms, according to the best practices, the combined use could be the preferable choice.
The seventh chapter “Operational risk: evidence from Italian cooperative banks” reports the results of a survey on a sample of Italian cooperative banks. The survey explores different research areas: organizational aspects, measurement methods, Second Pillar, insurance coverage, and trade associations/outsourcing.
The eighth (and the last) chapter “Disclosure on OR: evidence from a sample of Italian banks” illustrates the degree of disclosure of the operational risk management; in particular, it reports the evidence of a survey on a sample of listed banks in Italy, focused on the following areas of investigation: general aspects, organizational structure, measurement systems, control, mitigation and transfer systems, and capital.