HEWLETT-PACKARD
OPERATIONAL RISK MITIGATION - BEYOND
COMPLIANCE TO BASEL 2
Stuart Hotchkiss
Lead Security Consultant FSI,
HPS Consulting & Integration
SUMMARY
Operational risk can represent a higher residual
risk than any other type of risk and the potential
impact is sufficient to drive a company out of
business.
Although the Basel 2 accords are an excellent
way forward in the management of operational
risk and the reduction of operational losses to
acceptable levels, there is a danger that mere
compliance to the accords will persuade banks
that their operational risk is under control.
A potential consequence is that the opportunity
afforded by the Basel 2 accords is lost!
Alexander de Lange
HP Director International Sales-Capital
Markets-CEEMEA
The Basel accords related to operational risk
are a combination of the objective and the
subjective – the objective being the loss
database and the subjective being the
regulators' judgement of the degree of control.
Both are equally important but the impact of
each is not equal – being out of control can be
devastating for clients, shareholders and
directors alike.
Most institutions are aiming for an Advanced
Measurement Approach where the capital
charge is based on historical losses. However,
looking at historical losses as a basis for future
losses is similar to treating a patient's symptoms
and hoping the disease will go away. The
frameworks proposed for operational risk
control are complete but subjective and the
focus is likely to be on the data gathering side
rather than the fundamentals. This trend in the
financial services industry needs to be
corrected if regulators and business partners
are to believe that operational risk is under
control.
The disease of operational risk needs to be
treated bottom up rather than top down.
Some observations are that:
• Auditing and management controls will not
stop operational risk
• Operational risk is hard to predict and
modelling is of little use
• There needs to be a change in the
accounting culture related to OR
• Operational loss history tells a lot about the
past and little about the future
• Most risks come from the IT infrastructure
and its processes
INTRODUCTION
Operational risks are defined by the Basel
Committee as those losses caused by people,
processes and technology. Specifically,
directors should:
• Provide specific accountability, policy and
control
• Review and approve security control
processes
• Take measures to authenticate and
authorise clients
• Ensure non-repudiation of transactions
• Ensure segregation of duties
• Ensure access control to assets
• Ensure audit trails exist
• Ensure data privacy
• Have adequate continuity and disaster plans
in place
Any one of these areas is a source of multiple,
and particularly operational, risks.
Of the three risk categories cited by the Basel
Committee, credit risk probably has the largest
numbers and for this reason, there is an
assumption that this represents the largest risk.
This is not true because credit risks are largely
deflected, avoided or mitigated in some way.
The residual risks are actually very low. A risk
manager can avoid credit risks by not extending
credit to existing clients. He can mitigate the
risk by insisting on insurance being paid by the
client to guard against his own insolvency and
can insist on payment conditions such that only
very healthy businesses of low risk can meet
them. Credit risk can also be modelled to avoid
risks, or models can be used to provide very early
warnings of default.
Even in a well-managed company, market risk
can represent a major problem if there is
collusion that avoids management controls on
investments. In general, market risk, like credit
risk, is characterized by choice. A risk manager
can decide into which markets he will go as he
can decide which credits he takes and in both
cases, can set a limit on exposure according to
his appetite for risk. Market risk can be
modelled with some success and correlation
between market events can form some basis
for prediction and hence risk reduction or
avoidance. The other characteristic of market
and credit risk is that the loss is almost always
limited to the asset value or the amount at
stake.
Operational risk is different. Operational risk can
do the most damage in the best-managed
company. The reasons? The impact of an
operational risk event bears no relation to the
asset value at risk and the choice of risks to
accept or not does not exist in practice.
Modelling is of limited or no value.
FEDERATION OF EURO-ASIAN STOCK EXCHANGES YEARBOOK 2003/2004
PAGE 10