Operational Risk under AMA - some fundamental issues

It is highly pertinent for banks which are going for Advanced Measurement Approaches (AMA) for assessment and management of operational risk to clearly understand and implement a framework for capturing loss events across business lines. However, reaching on a decision as what will be the exact approach and methodology to capture these events is easier said then done. Since the fundamental essence of AMA is based on the flexibility for the bank to decide on the exact approach and methodology, it brings in plenty of subjectivity and also discretion of national supervisors for allowing the AMA to be eligible for Capital calculation purpose.

A bank needs to face and resolve many micro-level issues once the overall framework is decided. Many a banks face issues related to availability of internal loss data and standardisation of the same. Another chicken-and-egg issue is that for starting the exercise of internal loss data collection, banks face many fundamental issues which ultimately go towards deciding on the overall framework as well. Below are few of such fundamental issues related to internal data and AMA

• How to take into account loss events in supporting departments like Information Technology, Human Resources and Administrative Services. These departments' loss events cut-across core business lines of a bank and hence loss amount allocation is not definitive. Also, its not very easy to allocate losses from each core-business line-wise for IT or HR related loss events as underlying all actual losses may not be captured. What is the best approach for this issue needs proper deliberation.
• Can qualitative measure be used to quantify probability of loss event in absence of sufficient historical loss data? How acceptable this method can be to national supervisors, if loss data is gradually used over few years to replace the qualitative model?
• Can gamma factor (used in Internal Measurement Approaches) be totally ignored if industry-wide initiative is not there to decide on gamma? How to factor in the effect of gamma in such a situation.
• How to standardise Potential loss events which are Low-frequency, High-impact? how low is low and how high is high?
• How to define and differentiate between near miss and potential loss events?

Expert and experienced professionals' ideas in these regards will be highly valuable for banks which are in the starting phase of Operational Risk assessment and management initiative.

Evolution of Operational Risk Management

An interesting article by Kris Lovejoy, VP of Consul RM.

Today's vision of Operational Risk Management is to optimize the performance of a business by understanding the effects of adverse operational losses on our business activities and assets so that we can insure against them by preparing for that 'rainy day.'

Traditionally, operational risk can be associated with the following:

• People: losses associated with intentional violation of internal policies by current or past employees.
• Process: losses that have been incurred due to a deficiency in an existing procedure, or the absence of a procedure. Losses can result from human error or unintentional failure to follow an existing procedure.
• Systems: losses that are caused by unintentional breakdowns in existing systems or technology.
• External: losses occurring as a result of natural or man-made forces, or the direct result of a third party's action.

What is the Status of Operational Risk Management in the World Today?
The answer to this question varies according to geographic region. In Europe, for example, there are often more formal, structured, enterprise-wide operational risk programs in the works. Why? Regulators there appear to have been more vocal about operational risk for the past decade, most likely in the wake of events like the Barings rogue trading incident and in reaction to the Basel II Capital Accord.

In the U.S., on the other hand, risk management efforts have been focused on tactical initiatives and activities: risk assessment and monitoring, risk mitigation and remediation, measurement, and monitoring within a business line, or around a specific operation. Often, efforts within this area are identified as security management efforts, which are often driven by the need to comply with minimum-security standards. Read the rest of article.