Operational Risk Management A Complete Guide for Banking and Fintech By Philippa X. Girling
CHAPTER 1
Definition and Drivers of Operational Risk
This chapter examines the definition of operational risk and its role in the
management of risks in the financial services sector, including fintechs and
digital and traditional banks. It outlines the formal adoption of operational
risk management for regulated banks under the Basel II framework. The
requirements to identify, assess, control, and mitigate operational risk are
introduced, along with the four causes of operational risk—people, process,
systems, and external events—and the seven risk types. The definition is
tested against the 2012 London Olympics. The different roles of operational
risk management and measurement are introduced, as well as the role of
operational risk in an enterprise risk management framework.
THE DEFINITION OF OPERATIONAL RISK
What do we mean by operational risk?
Operational risk management had been defined in the past as all risk
that is not captured in market and credit risk management programs. Early
operational risk programs, therefore, took the view that if it was not market
risk, and it was not credit risk, then it must be operational risk. However,
today a more concrete definition has been established, and the most commonly
used of the definitions can be found in the Basel II regulations. The
Basel II definition of operational risk is:
. . . the risk of loss resulting from inadequate or failed processes,
people and systems or from external events.
This definition includes legal risk, but excludes strategic and
reputational risk.
Let us break this definition down into its components. First, there must
be a risk of loss. So for an operational risk to exist there must be an associated
loss anticipated. The definition of “loss” will be considered more fully
when we look at internal loss data in Chapter 7, but for now we will simply
assume that this means a financial loss.
Next, let us look at the defined causes of this loss. The preceding definition
provides four causes that might give rise to operational risk losses.
These four causes are (1) inadequate or failed processes, (2) inadequate or
failed people (the regulators do not get top marks for their grammar, but
we know what they are getting at), (3) inadequate or failed systems, or (4)
external events.
While the language is a little awkward (what exactly are “failed people,”
for example?), the meaning is clear. There are four main causes of
operational risk events: the person doing the activity makes an error, the
process that supports the activity is flawed, the system that facilitated the
activity is broken, or an external event occurs that disrupts the activity.
With this definition in our hands, we can simply look at today’s newspaper or
at the latest online headlines to find a good sample of operational
risk events. Failed processes, inadequate people, broken systems, and violent
external events are the mainstays of the news. Operational risk surrounds us
in our day-to-day lives.
Examples of operational risk in the headlines in the past few years
include egregious fraud (Madoff, Stanford), breathtaking unauthorized trading
(Société Générale and UBS), shameless insider trading (Raj Rajaratnam,
Nomura, SAC Capital), stunning technological failings (Knight Capital, the
Nasdaq Facebook IPO, anonymous cyber-attacks), and heartbreaking external
events (hurricanes, tsunamis, earthquakes, terrorist attacks, and a global
pandemic). We will take a deeper look at several of these cases throughout the book.
All of these events cost firms hundreds of millions, and often billions, of
dollars. In addition to these headline-grabbing large operational risk events,
firms constantly bleed money due to frequent and less severe events. Broken
processes and poorly trained staff can result in many small errors that add
up to serious downward pressure on the profits of a firm.
The importance of managing these types of risks, both for the robustness
of a firm and for the systemic soundness of the industry, has led regulators
to push for strong operational risk frameworks and has driven executive
managers to fund and support such frameworks.
Basel II is the common name used to refer to the “International Convergence
of Capital Measurement and Capital Standards: A Revised