1 the objective of operational risk management is the same as for credit, market and liquidity...


Upload: shavonne-fowler

Post on 19-Jan-2016


The objective of operational risk management is the same as for credit, market and liquidity risks: to find out the extent of the financial institution’s operational risk exposure, to understand what drives it, to allocate capital against it, and to identify internal and external trends that would help predict it.

Failure to understand and manage operational risk, which is present in virtually all banking transactions and activities, may greatly increase the likelihood that some risks will go unrecognized and uncontrolled.


Corporate Governance

• Board of Directors to provide guidance, approve and periodically review bank’s OR management framework
• Senior management to translate framework into specific policies, processes and procedures consistently and comprehensively
• Establishment of independent OR management function

Identification and Assessment

• OR identification based on process/activity maps, and loss data collection
• Development of forward-looking early warning indicators and self-assessments
• OR quantification, based on data sources and scenario analysis
• Validation and back-testing of results

Control and Mitigation

• Internal control policies, processes, procedures and systems
• Incorporation in budgeting, strategy and business applications
• Evaluation of alternative risk mitigants

Monitoring

• Systematic tracking of loss events, KRIs and CRSA scores
• Timely, accurate, relevant and periodic MIS and other (e.g. ‘heat map’) reporting
• Education and communication workshops, forums etc.

* Largely based on ‘Sound Practices for the Management and Supervision of Operational Risk’, Basel Committee on Banking Supervision (February 2003).


EVENT-TYPE CATEGORY (LEVEL 1): Internal Fraud

DEFINITION: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/ discrimination events, which involves at least one internal party

CATEGORIES (LEVEL 2) with ACTIVITY EXAMPLES (LEVEL 3):

• Unauthorized Activity: Transactions not reported (intentional); Trans type unauthorized (w/ monetary loss); Mismarking of position (intentional)
• Theft and Fraud: Fraud/ credit fraud/ worthless deposits; Theft/ extortion/ embezzlement/ robbery; Misappropriation of assets; Malicious destruction of assets; Forgery; Check kiting; Smuggling; Account take-over/ impersonation/ etc.; Tax non-compliance/ evasion (willful); Bribes/ kickbacks; Insider trading (not on firm's account)

EVENT-TYPE CATEGORY (LEVEL 1): External Fraud

DEFINITION: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party

CATEGORIES (LEVEL 2) with ACTIVITY EXAMPLES (LEVEL 3):

• Theft and Fraud: Theft/ Robbery; Forgery; Check kiting
• Systems Security: Hacking damage; Theft of information (w/ monetary loss)

* Based on Basel Committee’s OR loss event classification


EVENT-TYPE CATEGORY (LEVEL 1): Employment Practices and Workplace Safety

DEFINITION: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/ discrimination events

CATEGORIES (LEVEL 2) with ACTIVITY EXAMPLES (LEVEL 3):

• Employee Relations: Compensation, benefit, termination issues; Organized labor activity
• Safe Environment: General liability (slip and fall, etc.); Employee health & safety rules events; Workers compensation
• Diversity & Discrimination: All discrimination types

EVENT-TYPE CATEGORY (LEVEL 1): Clients, Products & Business Practices

DEFINITION: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product

CATEGORIES (LEVEL 2) with ACTIVITY EXAMPLES (LEVEL 3):

• Suitability, Disclosure & Fiduciary: Fiduciary breaches/ guideline violations; Suitability/ disclosure issues (KYC, etc.); Retail consumer disclosure violations; Breach of privacy; Aggressive sales; Account churning; Misuse of confidential information; Lender Liability
• Improper Business or Market Practices: Antitrust; Improper trade/ market practices; Market manipulation; Insider trading (on firm's account); Unlicensed activity; Money laundering
• Product Flaws: Product defects (unauthorized, etc.); Model errors
• Selection, Sponsorship & Exposure: Failure to investigate client per guidelines; Exceeding client exposure limits
• Advisory Activities: Disputes over performance of advisory activities


EVENT-TYPE CATEGORY (LEVEL 1): Damage to Physical Assets

DEFINITION: Losses arising from loss or damage to physical assets from natural disaster or other events

CATEGORIES (LEVEL 2) with ACTIVITY EXAMPLES (LEVEL 3):

• Disasters and other events: Natural disaster losses; Human losses from external sources (terrorism, vandalism)

EVENT-TYPE CATEGORY (LEVEL 1): Business Disruption and System Failures

DEFINITION: Losses arising from disruption of business or system failures

CATEGORIES (LEVEL 2) with ACTIVITY EXAMPLES (LEVEL 3):

• Systems: Hardware; Software; Telecommunications; Utility outage/ disruptions

EVENT-TYPE CATEGORY (LEVEL 1): Execution, Delivery & Process Management

DEFINITION: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors

CATEGORIES (LEVEL 2) with ACTIVITY EXAMPLES (LEVEL 3):

• Transaction Capture, Execution & Maintenance: Miscommunication; Data entry, maintenance or loading error; Missed deadline or responsibility; Model/ system misoperation; Accounting error/ entity attribution error; Other task misperformance; Delivery failure; Collateral management failure; Reference Data Maintenance
• Monitoring and Reporting: Failed mandatory reporting obligation; Inaccurate external report (loss incurred)
• Customer Intake and Documentation: Client permissions/ disclaimers missing; Legal documents missing/ incomplete
• Customer/ Client Account Management: Unapproved access given to accounts; Incorrect client records (loss incurred); Negligent loss or damage of client assets
• Trade Counterparties: Non-client counterparty misperformance; Misc. non-client counterparty disputes
• Vendors & Suppliers: Outsourcing; Vendor disputes

* Based on Basel Committee’s OR loss event classification


Three Pillars

• Minimum capital requirements
  - Risk weighted assets
    - Credit risk: Standardized Approach; Internal Ratings-based Approach
    - Operational risk: Basic Indicator Approach; Standardized Approach; Advanced Measurement Approaches
    - Market risks: Standardized Approach; Models Approach
  - Definition of capital: Core Capital; Supplementary Capital
• Supervisory review process
• Market discipline


In calculating operational risk capital charges, Basel II sets out three different methods which may be adopted.

The Basic Indicator Approach is the simplest of the three approaches, and will be the default option for most firms. It applies a calculation based on the firm's income to determine its capital requirements.

The Standardized Approach relies on calculations based on income, but with different percentages applying across different business lines. To be able to take advantage of the Standardized Approach, firms will have to meet certain qualifying criteria.

The Advanced Measurement Approach is the most advanced of the three options. Under this approach, each firm calculates its own capital requirements by developing and applying its own internal risk measurement system. As with the Standardized Approach, the firm must meet certain qualifying criteria, and the risk measurement system must be validated by the regulator before the firm is allowed to take advantage of the AMA.


Loss Data Collection Framework

- Collection of Losses

- Validity of Losses

- Analysis of Losses

- Tailored Insurance Policies

- Risk Sensitive Control Framework

Risk and Control Mitigation Framework

- Identification of Risk & Control

- Mitigation of Control (i.e. mitigating risk and hence reducing loss)
