Now you know the different types of operational risks consisting of
1. Internal Fraud
2. External Fraud
3. Employment Practices and Workplace Safety
4. Clients, Products, and Business Practice
5. Damage to Physical Assets
6. Business Disruption and Systems Failures
7. Execution, Delivery, and Process Management
with each of these types branching into several subtypes. For example, the next level below Clients, Products, and Business Practice is
1. Advisory Activities
2. Improper Business or Market Practices
3. Product Flaws
4. Selection, Sponsorship & Exposure
5. Suitability, Disclosure & Fiduciary
and each subtype branching into several activities ( Basel calls the level 3 operational risk types activities). For example, Improper Business or Market Practices is subdivided into 28 subcategories with the following 10 accounting for over 85% of all losses
1. Failure in duty to shareholders
2. Lender liability
3. Market manipulation
4. Antitrust violation
5. Illegal trade
6. Money laundering
7. Tax evasion/non-compliance
8. Improper accounting practice
9. Improper service practice
10. False or incomplete reporting
We would like to know not only what types of operational risk we can be exposed to but also the level of exposure. Are banks exposed to the same amount of potential losses from internal fraud as they are to say Improper Business or Market Practices within Clients, Products, and Business Practices?
How would we answer this question? Well, we could construct a nice coherent logical narrative arguing that the exposure to Improper Business or Market Practices is less. That is one way, but the trouble with this approach is that for every narrative that argues that the risk from Improper Business or Market Practices is less an equally convincing coherent, and logical narrative can be constructed that argues the opposite. (By the way, this is the problem with thesis/conviction investing but that is the subject of another course). The only way to objectively establish whether the exposure to these different risk types is the same, higher, or lower is through data.
What kind of data and where is the data going to come from? Since 2000, most major banks have been collecting operational risk losses and classifying them into operational risk types that can be mapped into the Basel Types, along with other information about the loss such as the data of occurrence, the date of discovery the duration of the loss activity giving rise to the loss, the line of business and business activity that gave rise to the loss, the legal entity, the country, and other useful information. In addition, several industry associations, consortiums, and private data providers have been collecting and consolidating individual FI operational risk loss data into industry loss databases. We will explore these various databases in the future. For now, we are interested in how we can use such a database to determine the level of exposure to the different operational risk types.
One such database that we will be using throughout is the SAS Op Risk VaR Database, which is available by subscription. We will use this database to create an operational risk profile by which we mean a graphical representation of the frequency and severity of the exposure to each risk type. At the simplest level which is usually the best way to start and then through iterations, can be made as sophisticated as needed, is simply to plot the relative amount of total loss and the total number of loss occurrences for each operational risk type.
Here is an illustration.
Now we know that exposure to Clients, Products, and Business Practices is just under twice as likely as Internal Fraud and just other 5 times as severe. We can create a similar profile for any of the sublevels and determine the relative exposures for each of these. This is a low-resolution view of the ope risk profile. If there is enough data one could produce a high-resolution loss profile consisting of the actual loss frequency and severy distributions and combine total loss distributions for each of the loss types. But for now, this low resolution fits our purpose which at the moment is not to quantify the exposures to operational risk types but to understand the exposures that the industry, our bank, the lines of business, and even at the activity level, data availability permitting.
Assuming that the loss data used to generate this op risk profile is accurate, and in the future, we will explore the accuracy limitations of the various loss databases, we can say that the typical bank is mostly exposed to Clients, Products, and Business Practices, Internal Fraud, and External Fraud.
That is true for the typical or average bank. We say average because the profile was constructed from the loss experience of all the banks. (By all we mean all the banks included in the database).
But what is the operational risk profile of your bank, if your bank is not typical? You might say well just include your bank's loss experience to construct its operational risk profile and ignore all the other bank's loss data. That works if you have sufficient loss experience for each of the operational risk types. This is often not the case. So what to do?
For example, we may intuitively recognize that the operational risk profile of a bank that provides only Retail Banking would be different from a bank that provides mostly derivatives trading for corporate clients. That intuition stems from recognizing that Retail Banking involves high-volume, small-value transactions while corporate derivatives trading is the opposite: low-volume, high value. Also, Retail Banking clients, as a group, are likely less sophisticated than corporate clients, and other obvious differences. So based on this intuition we could expect that the Operational Risk Profiles of these two banks are very different. Similarly, if our intuition is right, banks that have multiple lines of business, (as is usually the case) consisting say of Retail Banking, Commercial Banking, and Trading and Sales, to name a few would have different risk profiles if the proportion of each of lines of business varies across the banks. For example, we would expect that a bank that derives 90% of its revenue from Retail Banking would have a risk profile similar to that of the Retail Banking line of business, whereas a bank that has a 50-50 split between Retail Banking and Commercial Banking would have an operational risk profile that is the average of the Retail Banking and Commercial Banking operational risk profiles.
However, this intuition may be wrong. Intuition serves only as a starting point. It needs to be tested with actual loss data and either disregarded or refined through iteration.
We have just described the application of Agile for creating an operational risk profile for our specific bank when we do not have sufficient losses for each of the operational risk types.
The database we have, in addition to identifying operational losses by Op Risk Types also identifies each loss by the line of business (LOB) in which the loss occurred and this allows us to test our intuition.
So, go ahead and construct the operational risk profile for a few of the different lines of business and determine if it varies by business line.
Before you proceed, it is important to take into account that Banks call the same LOB differently and these LOB may be combined differently with each bank. For example, some banks combine Retail Banking and Private bank into one group with each of these being divisions within the group, some keep them as separate LOBs, And how they spilt what is Retail Banking vs Private banking may also differ from bank to bank. To avoid inconsistency and confusion arising from how LOB are called or combined across different banks, the database adopts the 8 Standard Basel LOB (RLOB, R for Regulatory). Each of these RLOBs has subcomponent RLOBs, generally referred to as Level 2 RLOBs. For example, Retail Banking is further broken down into these 3 Level 2 Rlobs: Retail Banking, Cards Services, and Private Banking. Each of these is further broken down into Business Units and each of these is further broken down into specific activities. Similarly to operational risk types, by mapping a Bank’s LOB structure into the RLOBs we can consistently identify exposures at the individual RLOB level across Banks. https://www.bis.org/publ/bcbs128.pdf ( page 302)
With that consideration, go ahead and create a few operational risk profiles by RLOB and test the intuition.
When breaking down the RLOBs I still think there is some overlap, not necessarily with the activities, but who they serve. How do you account for clients who use multiple products in a MECE structure. Or is it already implied and the MECE will still work with overlapping components (clients) in the deeper layers?
It seems that we use Basel to categorize different risk types and our assignment is based on analyzing the data and then summarizing the main contributors of the risk losses. Since Basel is based on historical events, are there any other risk types that Basel is not able to capture?
For the assignment2, I got a question that when we measure loss in terms of business lines and operational risk type, but when it comes to creating a MECE for summary, it is hard to combine both in one MECE, because they are actually different perspective of the same loss.
Given that banks with different business models may have different risk profiles, I'm wondering how should a bank operating in multiple LOBs prioritize its risk management efforts? Should high-frequency, low-severity risks or low-frequency, high-severity risks be considered first?
For the past assignment, I noticed that the percentages of loss amount and the number of loss events can have significant differences. In that case, does it mean firms should have specific controls to separately controls for frequency and severity? Is it possible to control severity?