
BaselII Opl Risk WP

The document discusses operational risk and the new Basel Accord. It outlines what operational risk is, how regulators view it, and the different approaches to calculating capital requirements under Basel II. It also discusses Hyperion's operational risk management solution and how it can help financial institutions address operational risk.

Uploaded by

medaniaga

Operational Risk and The New Basel Accord


by Padraic Walsh
October 2003
Contents

Introduction
What Is Operational Risk?
Sources of Operational Risk
What the Regulators Say About Operational Risk
Ten Sound Practices for the Management and Supervision of Operational Risk
Developing an Appropriate Risk Management Environment
Basel II Rules for Capital Required to Underpin Operational Risk
Basic Indicator Approach
The Standardized Approach
Advanced Measurement Approach
An Operational Risk Management Framework
Hyperion’s Solution: A Complete Operational Risk Management Offering
Supporting Hyperion Operational Risk Management Modules
Hyperion Operational Risk Management: From Discovery to Resolution
Self-Assessment Module
Key Risk Indicator Collection Module
Loss Event Collection Module
Statistical Analysis
Scenario Analysis
Summary
A Road Map to Business Performance Management for Financial Institutions
About the Author
About Hyperion

[Figure 1. Hyperion Operational Risk Management. Diagram labels: Reporting - Scorecarding and Dashboards (Regulators, Board, OR Committee, OR Managers, Business Managers); Operational Risk Solutions (Control Risk Self-Assessment, KRI Management, Loss Event Management, Statistical Analysis Solutions); Workshops, Business Experts, Business Managers, Risk Managers.]

Introduction
The management of specific operational risks in financial institutions is not a new practice.
What is new is the emergence of operational risk as a comprehensive process to manage the
increased complexity in financial institutions. The increasing number of high-profile operational
risk cases[1] has left no doubt in the minds of bank managers and regulators that risk systems
and risk-adjusted performance measures are potentially unreliable if they ignore operational
risk. Shareholders, employees, rating agencies, equity analysts and other stakeholders are
demanding focused operational risk information. Operational risk management is no longer
the poor cousin on the risk management catwalk.

Regulators, including the Basel Committee on Banking Supervision, have firmly thrust operational
risk management onto center stage by imposing, for the first time, an explicit operational
risk capital charge to support their “soundness in banking” objective under what has become
known as the Basel II framework, due to be implemented in just over two years.[2]

Regulators, recognizing both the importance and the embryonic nature of operational risk
management relative to the more developed credit risk and market risk disciplines, have
wisely introduced a carrot-and-stick approach. Regulators noted the nature of operational risk
management with its limited metrics, multiple causal and contributory factors, and variety
of event types. They have now devised a framework and a system of regulatory incentives to
encourage boards of directors and senior management to develop industry best practice operational
risk systems. Sophisticated operational risk management requires less bank capital under
the new regulatory regime, and is now a key differentiator and a major source of competitive
advantage. Bank managers can therefore generate a better return to shareholders by adopting
robust operational risk management solutions.

At a recent operational risk conference in New York, Roger Cole, a member of the Federal
Reserve Board of Governors and chairman of the Risk Management Group of the Basel
Committee on Banking Supervision, said:

“To address the difficulties presented by the very nature of the risk, the designers
of operational risk measurement frameworks have to be more innovative, take
bigger steps into new territory, and be willing to step away from traditional (and
comfortably familiar) techniques than their counterparts in the credit and market
risk arenas. Tremendous creativity and insight have been brought to bear on the
issue of operational risk management.”

[1] Barings and Daiwa (1995), Morgan Grenfell (1997), FNB Keystone, Rep Nat NY and Superior Bank (2001), J.P.Morgan Chase, Allied
Irish Banks and Bank of America (2002)
[2] The Basel II framework is a new process that determines the amount of risk capital financial institutions are required to hold as a
result of business risks undertaken. It is due to be implemented in 2006. However, banks must have processes in place by 2004 to
meet Basel II stipulations.

[Figure 2. Value from investment in an operational risk management solution. Chart of Economic Profit against Quality of Operational Risk Management, rising through three stages: Framework (Procedures, People, Appetite); Processes (Self-Assessment, Data Collection, Loss Event, Risk Indicators, Process Gap Analysis, Remedial Plans, Risk Reduction Initiatives, Process Improvement); Reporting (Loss Event and Risk Indicators, Event Analysis, Risk Maps, Escalation, Cost Benefits, Capital at Risk, Integrated Reporting, Dashboards).]

Operational risk management solutions offer value far beyond an opportunity to reduce
regulatory capital. Operational risk management solutions provide bankers with a comprehensive
process that will enable them to understand, quantify and manage operational risk in
a structured manner, thus adding to the bottom line. A comprehensive solution includes a
framework for managing operational risk, a method of documenting and correcting the
weaknesses in business processes and an efficient reporting suite that will deliver tailored
relevant information to all levels throughout the organization. Best-practice operational risk
management solutions demand a comprehensive structured approach with dedicated
resources, both human and technical. Boards of directors are realizing with increasing concern
that investment in operational risk management solutions is inevitable and that the sooner the
process begins, the sooner the rewards from the investment can be achieved.

The deadline for Basel II is fast approaching and banks will need to have made substantial
progress by the end of the current financial year if they are going to meet the exacting
timetable. Firms who have not already made substantial progress on Basel II preparations
will find it increasingly difficult and expensive to catch up as scarce resources become even
scarcer as the deadline gets nearer.

What Is Operational Risk?


After extensive consultation with the industry over a four-year period, the most widely
accepted definition of operational risk today is “the risk of loss resulting from inadequate or
failed internal processes, people and systems or from external events. This definition includes
legal risk, but excludes strategic and reputational risk.”[3] Under new regulatory rules, each
bank will be allowed to adopt its own definition of operational risk. These individual definitions
are subject to the requirement that they provide a clear understanding of what is meant
by operational risk, consider the full range of material risks facing the bank and capture the
most significant causes of severe operational losses.[4]

In arriving at the definition, the regulators recognized that the exact approach for operational
risk management that a bank chooses “will depend on a range of factors, including its size
and sophistication and the nature and complexity of its activities.” Notwithstanding individual
differences, the new regime demands clearly documented strategies and oversight by the board
and senior management, a strong operational risk culture and internal control culture[5] (including,
among other things, clear lines of responsibility and segregation of duties), effective
internal escalation and reporting, and contingency planning.

[3] Para 607 Consultative Document April 2003 from Basel Committee of Banking Supervision
[4] Deutsche Bank defines operational risk as the potential for incurring losses in relation to employees, project management, contractual
specifications and documentation, technology, infrastructure failure and disasters, external influences and customer relationships.

Achieving an appropriate operational risk culture requires a determined, comprehensive initiative
driven by the board of directors that reaches all levels in the organization. Operational
risk management needs to be seen as an integral part of generating sustainable shareholder
value rather than just a mere problem-solving exercise. This latter view reflects a new understanding
of the relationship between managed risk and improved business performance. A good
operational risk management system can significantly enhance an organization’s economic performance
by linking risk management to the achievement of corporate goals. However, a good
operational risk management system is not just a set of software programs that calculate risk
and capital. Operational risk affects everybody in an organization and the benefits will only
accrue if there is genuine buy-in and understanding throughout the entire organization.

Sources of Operational Risk

The complex nature of operational risk is due to the dynamic environment in which the risk
occurs. This environment includes the interaction of five key areas:

• People
• Process
• Systems
• Business strategy
• Business environment

[Figure 3. Sources of operational risk. Diagram labels: Business Strategy, Process, People, Systems.]

Operational risk does not occur in a vacuum; no single failure will ever result in an operational
risk loss. The challenge is to work out the contributory factors.

[5] Operational risk culture is the combined set of individual and corporate values, attitudes, competencies and behavior that determine a
firm’s commitment to and style of operational risk management.

People Risk

This is perhaps the most dynamic of all sources of operational risk. Internal controls are often
blamed for operational breakdowns, whereas the true cause of many operational losses can be
traced to people failures. Every CEO has argued that people are the most important resource
in his or her bank, yet the difficulty in measuring and modeling people risks has often led
management to shy away from the problem when it comes to evaluating this aspect of operational
risk. Operational risk losses can occur due to worker compensation claims, violation of
employee health and safety rules, organized labor activities and discrimination claims. People
risks can also include inadequate training and management, human error, lack of segregation,
reliance on key individuals, lack of integrity, honesty, etc. In a people risk case, the Financial
Services Authority (FSA) fined ABN Amro £900,000 in April 2003 for “serious compliance failures.”
According to the FSA, the compliance environment within a financial institution is a fundamental
protection against the spread of poor standards of conduct. ABN Amro failed to
provide adequate resources for its compliance function, which resulted in the absence of robust
compliance. In July 2003, JP Morgan Chase agreed to pay €135 million and Citigroup agreed
to pay €120 million to the Securities and Exchange Commission for their roles in Enron’s
manipulation of its financial statements.

The changing nature of banking – with many bank branches evolving into sales outlets –
is leading to a general reduction in banking skills and, in some cases, bank competencies.
This changing environment needs to be accompanied by higher awareness of what can go
wrong and provision of risk mitigation techniques to reduce the possibility of surprises and
income volatility.

Process Risk

Financial institutions operate a myriad of processes to deliver their products to customers.
Process risk can arise at any stage in the value chain. For example, marketing material can be
mailed to the wrong customers, account opening documentation can turn out not to be robust,
transactions can be processed incorrectly, etc. Changes in legislation can render processes that
were previously compliant out of compliance. Pension legislation changes in the UK caused a
number of companies to mis-sell pensions due to a lack of training in new procedures. The total
cost to the financial services sector in the UK to rectify the problem was estimated in excess
of £10bn! In another case in the U.S. in February 2003, Met Life and others had to pay $9 million
by way of settlement in a reverse mortgage class action case.[6]

Unexpected volumes of new business can be a source of operational risk. There are numerous
examples of new product launches that either failed or were seriously compromised due to the
bank not being able to cope with the demand for its new product. In the flurry to get to market,
key processing requirements were overlooked. Remedial action is usually very costly in
terms of time, money and goodwill.

Systems Risk

The growing dependence of financial institutions on IT systems is a key source of operational
risk. Data corruption problems, whether accidental or deliberate, are regular sources of embarrassing
and costly operational mistakes. One bank made payments in excess of $150 million
before a computer program patch involving a change in decimal points was found to have been
incorrectly tested. Only IT people (who are sometimes far removed from the banking business)
understand the technology behind many new banking systems. One consequence of the widening
gap between end users and IT staff is an increased number of system failures and consequential
operational risk losses. Another example of a system risk failure was discovered in
February 2003 by staff at Provident Financial Group when they were testing the installation of
a new financial model. As a result, Provident was forced to subtract $70.3 million from earnings
statements released in the previous six years. The error was described by the chief financial
officer as a “dumb mistake – not intentional fraud.” Nonetheless, at least nine requests for class
action lawsuits have been filed.

[6] Washington Post, February 8, 2003

Business Strategy Risk

Business re-engineering is an ever-present phenomenon in most institutions today. This may be
driven by a new focus on a market segment, cost-cutting projects, a recent merger, a change in
management or a host of other reasons. Whatever the reason for a change in business strategy,
most major operational risk incidents happen during a period of change in a business. This
could result in a change in staffing levels, a significant change in volumes of transactions as a
result of a merger, new product launches or new computer programs being introduced.
Management’s attention is diverted to deal with the change, and management has either
“temporarily” taken its eye off the ball or, as a recent report on a major operational loss said,
“Management was asleep at the wheel.”

Banking history is littered with cases where merger strategies have gone horribly wrong
and integration problems far exceeded the expected benefits of integration. In the 1980s and
early 1990s many European banks sought their fortunes by buying into the U.S. market only to
find that the crisis in the residential real estate market and the economy generally forced them
to reverse their strategies.

Business Environment Risk

Banks tend to have the least control over this source of operational risk yet it still needs to be
managed. Business environment risk can arise from unanticipated legislative changes such as
consumer affairs, physical threats such as bank robberies, terrorist attacks, natural disasters
and financial report changes. The most striking example of environmental risk is the effects of
the terrorist attack in New York in September 2001. In addition to the personal devastation
caused, the insurance industry now puts the financial cost of this event at almost €100bn.

New competitive threats such as faster delivery channels, new products, new entrants and the
ever-increasing rationalization of the banking industry are driving banks to become much more
nimble-footed. The flexibility required to remain in the game leads some banks to take shortcuts
that eventually expose them to some new source of operational risk.

What the Regulators Say About Operational Risk

Regulators throughout the world recognize the difficulty that banks have with operational risk.
In particular, they accept the unique nature of the risk is institution-specific. Under the auspices
of the Banking Supervision Committee in the Bank of International Settlements, a framework has
been developed for managing operational risk.

This framework is based on ten sound practices for the management and supervision of
Operational Risk.[7] In parallel, the regulators are at the final stages of a process for determining
the amount of capital that a bank must provide in order to underpin the unique operational
risks within its organization. Final rules are expected in late 2003.

The capital requirements are set out in a paper known as the New Basel Accord or Basel II.[8]
Basel II deals with the capital adequacy requirements, supervisory framework and reporting
requirements relating to the wider risk-taking aspects within banks including credit risk, market
risk and operational risk.

[7] See paper developed by the Basel committee called “Sound Practices for the Management and Supervision of Operational Risk,”
February 2003, available at http://www.bis.org/

Ten Sound Practices for the Management and Supervision of Operational Risk
(Developed by the Bank of International Settlements)

Appropriate Risk Management Environment

1. Operational risk is a distinct category – board-level framework and risk strategy
2. Operational risk is subject to a comprehensive audit and trail
3. Senior management to implement framework

Risk Management

4. Identify and assess operational risk in new and existing products, activities, processes and
systems. Includes self-assessment, risk indicators and risk mapping
5. Processes to monitor operational risk or losses by senior management and board
6. Policies and procedures to control and mitigate risks; operational risk progress towards
stated objectives
7. Contingency and business continuity plans

Role of Supervisors

8. Ensure effective operational risk framework
9. Independent evaluation of policies and procedures on an ongoing basis

Role of Disclosure

10. Sufficient disclosure to permit market participants to assess operational risk

Developing an Appropriate Risk Management Environment

Principle 1: The board of directors should be aware of the major aspects of the bank’s operational
risks as a distinct risk category that should be managed, and it should approve and periodically
review the bank’s operational risk management framework. The framework should provide a
firm-wide definition of operational risk and lay down the principles of how operational risk is to
be identified, assessed, monitored and controlled/mitigated.

Implications for Financial Institutions

• Board to approve implementation of operational risk framework
• Board to give clear guidance on framework to senior managers
• Approve relevant policies developed by management
• Clear internal appropriate definition of operational risk
• Risk appetite defined including extent of risk transfer
• Policies developed to identify, assess, monitor and control/mitigate operational risk
• Appropriate management structure in place
• Framework to articulate key processes to manage operational risk
• Framework to be regularly reviewed in line with best practices

[8] Published by the Basel Committee on Banking Supervision, April 2003, available at http://www.bis.org/

Principle 2: The board of directors should ensure that the bank’s operational risk management
framework is subject to effective and comprehensive internal audit by operationally independent,
appropriately trained and competent staff. The internal audit function should not be directly
responsible for operational risk management.

Implications for Financial Institutions

• Independent audit function – separate from operational risk management function
• Audit to periodically verify effectiveness of operational risk framework
• Audit not to have direct operational risk responsibilities

Principle 3: Senior management should have responsibility for implementing the operational risk
management framework approved by the board of directors. The framework should be consistently
implemented throughout the whole banking organization, and all levels of staff should
understand their responsibilities with respect to operational risk management. Senior management
should also have responsibility for developing policies, processes and procedures for managing
operational risk in all of the bank’s material products, activities, processes and systems.

Implications for Financial Institutions

• Management to translate framework into verifiable policies and procedures
• Senior management to assess appropriateness of management oversight
• Operational risk/audit functions resourced with qualified technical staff
• Policy to be clearly communicated to all levels
• Operational risk staff to communicate with credit risk and market risk staff
• Remuneration policy to be consistent with risk appetite
• Well-documented procedures for high volume processes

Risk Management: Identification, Assessment, Monitoring and Mitigation/Control

Principle 4: Banks should identify and assess the operational risk inherent in all material products,
activities, processes and systems. Banks should also ensure that before new products, activities,
processes and systems are introduced or undertaken, the operational risk inherent in them is subject
to adequate assessment procedures.

Implications for Financial Institutions

• Risk identification should consider internal and external factors
• In addition to assessing risks banks need to assess vulnerability to risks
• Self-assessment tools can be used in conjunction with workshops
• Inherent risks should be ranked before and after controls are exercised
• Scorecards can be used to quantify risks and allocate capital
• Risk maps can be used to map risk by type
• Risk indicators need to be defined and collected on a monthly basis
• Loss events will need to be collected and stored by frequency and severity
• Loss events should include external data as well as internal data

Principle 5: Banks should implement a process to regularly monitor operational risk profiles and
material exposures to losses. There should be regular reporting of pertinent information to senior
management and the board of directors that supports the proactive management of operational risk.

Implications for Financial Institutions

• Regular and prompt monitoring of events required to prevent escalation
• Early warning indicators of future losses (the “pressure points” where weaknesses can be
recognized), such as high growth rates, to be identified and tracked. Thresholds to be set for
early warning indicators or key risk indicators
• Regular internal reporting containing internal and external data as well as compliance
• Reports to fully reflect identified problem areas and prompt remedial action
• Audit to verify reports with respect to timeliness, accuracy and relevance
• Boards to receive high-level information to assess operational risk profile

Principle 6: Banks should have policies, processes and procedures to control and/or mitigate material
operational risks. Banks should periodically review their risk limitation and control strategies
and adjust their operational risk profile accordingly using appropriate strategies, in light of their
overall risk appetite and profile.

Implications for Financial Institutions

• Decision required on whether to mitigate/control risks or bear them
• If risks cannot be controlled – accept risk or reduce or withdraw from business activity
• Need reviews on progress towards objectives
• Compliance checking with management controls
• Policies, processes and procedures regarding resolution of noncompliance issues
• Approvals to be documented to ensure management accountability
• Policies reinforced via strong risk culture
• Appropriate segregation of duties with no conflicts of interest
• Close monitoring, strong access controls, appropriate staff training / expertise
• Identification of low margin business
• Regular reconciliation of transactions and accounts

• Special emphasis on new activities, products and markets, and geographically distant outlets
• Examination of risk mitigation tools such as insurance
• Disaster recovery plans for critical processes
• Examine potential deficiencies in third-party vendor products

Principle 7: Banks should have in place contingency and business continuity plans to ensure their
ability to operate on an ongoing basis and limit losses in the event of severe business disruption.

Implications for Financial Institutions

• Identify critical business processes
• Identify alternative mechanism for service resumption
• BCP to be tested regularly

Role of Supervisors

Principle 8: Banking supervisors should require that all banks, regardless of size, have an effec-
tive framework in place to identify, assess, monitor and control/mitigate material operational
risks as part of an overall approach to risk management.

Implications for Supervisors

• Ensure operational risk management frameworks are consistent with complexity of the
individual bank
• Responsibility to encourage deficient banks to take appropriate action

Principle 9: Supervisors should conduct, directly or indirectly, regular independent evaluation of a
bank’s policies, procedures and practices related to operational risks. Supervisors should ensure
that there are appropriate mechanisms in place that allow them to remain apprised of developments
at banks.

Implications for Supervisors and What They Should Review

• Effectiveness of processes and control mechanisms
• Methods for monitoring and reporting operational risk profile
• Procedures for issue resolution
• Process for ensuring integrity of operational risk processes
• Effectiveness of risk mitigation
• Quality of disaster recovery plans
• Process for assessing operational risk capital adequacy versus risk and capital targets
• Relevant internal bank reports to be circulated to supervisors

Principle 10: Banks should make sufficient public disclosure to allow market participants to assess
their approach to operational risk management.

Implications for Financial Institutions

• Disclosure policy to be agreed upon by the board
• Timely and frequent public disclosure required
• Little prescription of public reporting for operational risk but must be sufficient so that
outside interested parties can form a view

Basel II Rules for Capital Required to Underpin Operational Risk

Depending on the level of sophistication of individual banks, Basel permits three methods:
the basic indicator approach, the standardized approach and the advanced measurement
approach. Banks are encouraged to move along the spectrum of approaches and will be allowed
to use a combination of approaches for different business lines. Once an approach is chosen, a
bank will not be permitted to revert to a less sophisticated approach. More sophisticated
approaches permit greater benefits.

Basic Indicator Approach

• Essentially, this uses gross income as a proxy for operational risk.
• The capital charge is 15% of the average of gross income for the last three years.
• Entry point: Banks are encouraged to comply with sound practices guide.

The Standardized Approach

Again, gross income is a proxy measure but in this case it is broken out by eight standard business
lines, each with a different beta factor to calculate capital.

Business Lines            Beta Factors
Corporate finance         18%
Trading and sales         18%
Retail banking            12%
Commercial banking        15%
Payment and settlement    18%
Agency services           15%
Asset management          12%
Retail brokerage          12%

Figure 4. Eight business lines and the corresponding betas.

• Total capital is the sum of the product of the relevant gross income and the beta factor.
• Banks, at the national supervisor’s discretion, may be permitted to substitute an alternative
measure in the case of retail and commercial banking. In this case, the volume of outstanding
loans will be multiplied by the beta factor and the result multiplied by 3.5%. This method,
known as the alternative standardized approach (ASA), was introduced to eliminate double
counting of risks.
• In order to qualify for the standard approach, a set of minimum entry standards is required.

Advanced Measurement Approach

• More exacting quantitative and qualitative entry standards are required before a bank is permitted
to qualify as an advanced measurement approach bank. These are set out in Para 626 to
636 in the Third Consultative Paper published by the Basel Committee in April 2003.
• The Basel Committee does not prescribe an exact capital required methodology under the
advanced measurement approach. An attempt was made to develop a prescriptive formula
(known as the internal measurement approach) but this was abandoned in April 2003 as it was
not risk-sensitive enough. Banks are encouraged to develop their own methods provided the
measure calculates capital that covers both expected loss and unexpected loss. The industry
is gravitating to a method known as the loss distribution approach.

Loss Distribution Approach

• Under this approach, banks will calculate two distributions: one for frequency and one for
severity
• Frequency distributions are usually binomial, negative binomial or Poisson
• Event severity distributions are wider in choice: log normal, Pareto, Weibull or
inverse Gaussian
• A compound distribution is calculated using Monte Carlo simulation
• Estimate the mean and the 99.9 percentile from the resulting distribution
(= 1-year Value at Risk)
• Mean is Expected Loss
• Difference between 99.9 percentile Value at Risk and Expected Loss = Unexpected Loss =
Capital charge
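
The steps listed above can be carried through in a short simulation. This is an added example, not code from the white paper or from Hyperion; it picks Poisson frequency and lognormal severity from the choices listed, and the parameter values (lam, mu, sigma) are constructed for illustration, not calibrated to any bank's loss data.

```python
"""Loss distribution approach sketch: Poisson frequency, lognormal severity."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CapitalEstimate:
    expected_loss: float    # mean of the simulated annual losses
    var_999: float          # 99.9th percentile (1-year Value at Risk)
    unexpected_loss: float  # var_999 - expected_loss = capital charge


def _poisson(rng, lam):
    """Draw one Poisson(lam) event count (Knuth's method, fine for modest lam)."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(lam, mu, sigma, n_years, seed):
    """Monte Carlo compound distribution: one total loss per simulated year."""
    rng = random.Random(seed)  # fixed seed so a run can be reproduced and audited
    losses = []
    for _ in range(n_years):
        n_events = _poisson(rng, lam)                      # frequency draw
        total = sum(rng.lognormvariate(mu, sigma)          # severity draws
                    for _ in range(n_events))
        losses.append(float(total))
    return losses


def percentile(sorted_values, q):
    """Smallest sample with at least a fraction q of the samples at or below it."""
    rank = math.ceil(q * len(sorted_values))
    rank = min(max(rank, 1), len(sorted_values))
    return sorted_values[rank - 1]


def lda_capital(lam, mu, sigma, n_years=20000, seed=1, q=0.999):
    """Expected loss, 99.9% VaR and unexpected loss from the simulated years."""
    if lam < 0 or sigma < 0:
        raise ValueError("lam and sigma must be non-negative")
    if n_years < 1000:
        # Below 1,000 years the 99.9th percentile is just the largest sample.
        raise ValueError("need at least 1000 simulated years for a 99.9% quantile")
    losses = sorted(simulate_annual_losses(lam, mu, sigma, n_years, seed))
    expected = math.fsum(losses) / len(losses)
    var_999 = percentile(losses, q)
    return CapitalEstimate(expected, var_999, var_999 - expected)


def analytic_expected_loss(lam, mu, sigma):
    """Closed-form check: E[annual loss] = lam * E[severity] for this model."""
    return lam * math.exp(mu + sigma ** 2 / 2)


if __name__ == "__main__":
    # Constructed parameters: 25 loss events a year on average, lognormal(10, 1).
    est = lda_capital(lam=25, mu=10.0, sigma=1.0)
    print(f"Expected loss     : {est.expected_loss:,.0f}")
    print(f"99.9% VaR (1 year): {est.var_999:,.0f}")
    print(f"Capital charge    : {est.unexpected_loss:,.0f}")
    print(f"Analytic EL check : {analytic_expected_loss(25, 10.0, 1.0):,.0f}")
```

The simulated mean should agree closely with the closed-form expected loss; the 99.9th percentile is far noisier, because it rests on only about twenty of the 20,000 simulated years.

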
While many institutions will begin with either the basic indicator approach or the standardized
approach, the loss distribution approach is emerging as the consensus best practice approach
for a number of reasons.

• The Basel Committee has moved away from a previously mooted approach called the
internal measurement approach on the grounds that it is not now deemed to be sufficiently
credible. This leaves the loss distribution approach as the front-runner under the advanced
measurement approach.
• The loss distribution approach is theoretically the most robust method developed to date.
Although it is more complex than the other approaches, it is likely to provide the most
efficient use of economic capital, particularly with institutions that have the resources to
implement it.
• When implemented, the loss distribution approach will reduce expected losses and volatility
of earnings, and allow identification of causal factors for operating losses.
• The loss distribution approach provides a framework for addressing extreme outcomes.
It also allows comparisons of investment controls and reduces distortions in decision making
and performance evaluation that can happen if the capital attributable to operational risk is
crudely measured or omitted.

An Operational Risk Management Framework

[Figure 5. Operational Risk Management Process. Diagram labels: Setup; Assessment; Self-Assessment
Process; Collect and Monitor KRIs; Process Gap Analysis; Continuous Improvement; Loss Management;
Collect Loss Event Data; Loss Event Reporting and Analysis.]

Figure 5 depicts the entire operational risk management process. It includes an initial setup
stage, an assessment stage, a process improvement stage and, finally, a loss management stage.

The setup stage involves detailing the institution’s risk appetite, developing high-level policy
and allocating resources. This is a top-down process, conducted at board of director and senior
management level.

At the assessment stage, specific operational risks are identified and assessed for broad policy
compliance/acceptability. This is very much a bottom-up exercise. The most common strategy
takes the form of an internal self-assessment exercise where local business managers identify
and score risks associated with their business.[9] The diverse nature of operational risk demands
that the self-assessment exercise be conducted in a structured forum and it is essential that a
mechanism be available to record the outcome in a “firm-wide” consistent fashion. Most banks
start the self-assessment process with a structured workshop where senior business managers
and their key support staff identify key risks to the achievement of business goals.[10] These key
risks (up to 50 per business unit) are then ranked in order of importance and they are
(subsequently) subjectively scored on two dimensions: likelihood and severity.[11] Each of the (50) risks
needs to be classified and mapped to the Basel II risk event types for subsequent reporting
under the capital adequacy rules. The process of classifying and mapping the risks needs to be
carried out and stored in a structured manner. In addition to recording the business risks, risk
managers need to record and classify key risk indicators. Key risk indicators need to be mapped
to the identified risks to provide management with an early warning mechanism of future risk.
Self-assessment and identification of key risk indicators are not one-time exercises. Management
needs to identify processes that contain excessive risk and those that contain high, but
acceptable risk, on an ongoing basis.

The process improvement stage entails making a decision on whether to retain or mitigate risk.
The decision is usually taken only after some cost benefit analysis is performed, often requiring
operational modeling. Once a decision is taken to reduce operational risk, a remedial action
plan needs to be assigned to designated individuals and its progress needs to be tracked. Unless
the remedial action plans are interfaced with the self-assessment solution, the process of
tracking action plan progress becomes cumbersome.

[9] See scenario analysis further on in this paper.
[10] Identification of key risks usually involves a prior process of identifying business goals and the
key business processes (or critical success factors) that are required to deliver the goals.
[11] Likelihood could for instance be Almost certain, Likely, Possible, Unlikely and Rare while Severity
will depend on the nature of the risk, e.g. Financial classifications could run through Catastrophic,
Significant, Moderate, Minor, Minimal.

Finally, a loss management stage takes place. This stage involves monitoring the ongoing level
of key risk indicators, and recording individual loss events (to at least the level of detail
required by Basel II). It requires management to analyze and report actual losses in a manner
that focuses action on areas that need immediate attention. The analysis of actual losses is also
used to validate the results from the self-assessment process by identifying areas where the
level of loss events does not correlate with the self-assessment results. Loss event data will be
used to validate the relevance of key risk indicators on a regular basis. Where possible, the two
processes (key risk indicators and loss events), should be performed on a single platform.
Finally, the loss event data (which includes both internal and external data) is used to calculate
the operational value at risk and hence the Basel II capital requirement. Banks need an efficient
solution to gather and store loss events/key risk indicators. The information must be easily
accessible and reportable in a way that enables business owners to manage loss events from
“discovery to resolution.”

In summary, integrated operational risk management requires a solution that facilitates self-
assessment, tracks key risk indicators, captures loss events, performs statistical analysis and
reports to management on the entire operational risk process, including progress towards
agreed operational risk objectives.

Hyperion’s Solution: A Complete Operational Risk Management Offering
Hyperion, the leader in Business Performance Management software, has been supplying
solutions to global banks for over 15 years. Understanding that bankers require a holistic solution
to operational risk, Hyperion’s vision encompasses every aspect of operational risk. While its
solution does address the Basel II requirements, Hyperion believes it is more important for
bankers to stem the “shareholder value leakage” caused by operational risk incidents than
merely to seek compliance with a regulatory ratio. Banks can gain much more from managing
their operational risks effectively than from simply satisfying regulators’ demands.

The Hyperion solution is based not only on the operational risk experience of the banking
industry, but also on its experience in dealing in operational risk in other fields, such as energy
and insurance. Hyperion started with the basic principles from the wider world of risk
management, within a framework of risk identification, measurement, management (mitigate and
control or exploit), and an ongoing monitoring process. It incorporated the ten sound practices
as outlined by Basel and developed the process a step further to enable operational risk
managers to optimize shareholder value. Following extensive discussions with its partners, banking
customers and regulators, Hyperion has developed the following solutions:

Supporting Hyperion Operational Risk Management Modules

• A self-assessment module
• A key risk indicator collection module
• A loss event collection module
• Statistical analysis and capital calculation
• A scenario analysis module

Hyperion Operational Risk Management: From Discovery to Resolution

Hyperion Operational Risk Management offers a platform for the display, monitoring and
management of all operational risk and resulting losses. It draws together the entire universe
of operational risk information and allows users to view tailored reports based on any
combination of self-assessment, key risk indicators, or loss event data. Operational risk can be viewed
and managed by business line, event type, location, severity, timelines, etc. Hyperion Operational
Risk Management automatically escalates issues that have exceeded pre-defined thresholds and
provides alerts, including e-mail notification to designated managers.

Hyperion’s Operational Risk Management supports management over the entire operational risk
cycle. The system can provide risk strategy maps and accountability maps. It can also create
initiatives that support and track agreed-upon remedial action plans from initial discovery to
the stage where identified issues are finally resolved.

Ongoing internal validation of the information is a unique feature of Hyperion Operational Risk
Management. Users can cross-correlate information from the self-assessment module, the
key risk indicator module and the loss event module to provide senior management with
ongoing comfort that the three modules are reflecting a uniform message.

Hyperion Operational Risk Management contains a full audit trail that enables users to comply
with best industry standards and regulatory requirements.

Self-Assessment Module

This module is a Web-enabled tool available to all levels of the organization. It facilitates the
collection and storage of key business risks and their scores and key risk indicators and
controls for each business process. The module keeps track of absolute risk scores and control
risk scores and automatically links to approved remedial action plans, deliverables and
milestones. It supports organizational reporting hierarchies, any number of business processes
and activities.

Figure 6. Self-assessment.

For example, managers in the retail division of a bank can use this module to assess the
likelihood and severity of credit card fraud. The individual bank determines likelihood and severity
scores, and Hyperion can accommodate any number of calibrations. During a self-assessment
workshop, managers might agree that the likelihood of credit card fraud is “almost certain” but
that the severity might be “moderate.” The combined effect of an almost certain/moderate event
gives what is known as an “absolute risk” score. After consideration of associated controls
around the process, the likelihood score may be reduced to “likely,” but the severity might still
remain at “moderate.” The combination of likely/moderate will produce a lower risk score, this
time known as a “controlled” score. At the same time, managers in the wholesale division of the
same bank can use the module to assess the risk of inter-bank trading. In both cases
management can assess the impact of these very different risks. Senior management and other
interested parties, for example internal audit or fraud prevention units, can monitor progress towards
agreed improvements.

Reporting is achieved in a flexible manner highlighting:

• Gaps in policy and sound practice
• Compliance with plans
• Business unit and group-wide operational risk ratings

The Hyperion self-assessment module is a means of communicating the outcome of an operational
risk workshop (and ongoing updates) in a structured and easily understood fashion. At the
organizational level, it takes the form of a risk chart – a top-level report highlighting operational hot
spots. Drilling down to business-unit level reveals a “unit heat chart.” A unit heat chart can be
produced before and after control measures are applied to mitigate operational risks.

[Figure 7. Risk segregation. Diagram labels: Identify, Assess, Mitigate; Identified Risks,
Unidentified Risks; Key Risks; Acceptable Risks, Unacceptable Risks; Control, Transfer, Avoid.]

After reviewing the initial unit heat chart, management will need to consider countermeasures or
controls. The bank will need to consider the effect of the countermeasure on likelihood and
severity and re-compute the unit heat chart. If a controlled risk is still not acceptable, it creates a
gap. Management must then decide on its strategy for that risk. It can either reject or accept the
risk. Rejection strategies could include applying further countermeasures, reducing exposure, or
avoiding or transferring the risk. Acceptance strategies could include retaining or exploiting the
operational risk. Hyperion’s solution enables users to automatically drill down from the unit heat
chart to the action plans to review progress and escalate the issue if necessary. This key benefit
enables management to view operational risk in an integrated fashion without having to access
separate systems.
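The scoring steps described above (absolute score, controlled score, unit heat chart before and after controls, and the gap that remains when a controlled risk is still unacceptable) can be worked through as follows. This is an added example, not Hyperion's code: the scale labels come from the paper's footnote, while the 1 to 5 calibration, the likelihood times severity score, the appetite threshold, the register entries other than the credit card fraud ratings, and all function names are assumptions.

```python
# Qualitative scales as named in the paper; the 1-5 numeric calibration is assumed.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
SEVERITY = ["Minimal", "Minor", "Moderate", "Significant", "Catastrophic"]
RISK_APPETITE = 10  # assumed threshold: a controlled score above this is a gap

# Constructed workshop output:
# (unit, risk, Basel II event type, absolute rating, controlled rating)
REGISTER = [
    ("Retail", "Credit card fraud", "External Fraud",
     ("Almost certain", "Moderate"), ("Likely", "Moderate")),
    ("Wholesale", "Inter-bank trading", "Execution, Delivery and Process Management",
     ("Possible", "Catastrophic"), ("Unlikely", "Significant")),
    ("Retail", "Branch system outage", "Business Disruption and System Failures",
     ("Likely", "Significant"), ("Possible", "Minor")),
]


def score(rating):
    """Likelihood rank times severity rank; rejects labels outside the firm-wide scales."""
    likelihood, severity = rating
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError(f"rating {rating!r} is not on the firm-wide scales")
    return (LIKELIHOOD.index(likelihood) + 1) * (SEVERITY.index(severity) + 1)


def assess(register, appetite=RISK_APPETITE):
    """Score every risk before and after controls and flag gaps, worst controlled risk first."""
    rows = []
    for unit, risk, event_type, absolute, controlled in register:
        a, c = score(absolute), score(controlled)
        if c > a:
            raise ValueError(f"{risk}: controls cannot raise the score ({a} -> {c})")
        rows.append({"unit": unit, "risk": risk, "event_type": event_type,
                     "absolute": a, "controlled": c, "gap": c > appetite})
    return sorted(rows, key=lambda r: r["controlled"], reverse=True)


def heat_chart(register, unit, stage):
    """5x5 grid of risk counts for one unit; grid[likelihood_index][severity_index]."""
    column = {"absolute": 3, "controlled": 4}[stage]
    grid = [[0] * len(SEVERITY) for _ in LIKELIHOOD]
    for entry in register:
        if entry[0] == unit:
            likelihood, severity = entry[column]
            grid[LIKELIHOOD.index(likelihood)][SEVERITY.index(severity)] += 1
    return grid


def render(grid):
    """Text heat chart: most likely row on top, severity increasing left to right."""
    lines = []
    for i in reversed(range(len(LIKELIHOOD))):
        cells = " ".join(str(n) if n else "." for n in grid[i])
        lines.append(f"{LIKELIHOOD[i]:>14} | {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
    for stage in ("absolute", "controlled"):
        print(f"\nRetail unit heat chart ({stage}):")
        print(render(heat_chart(REGISTER, "Retail", stage)))
```

With these assumed calibrations, credit card fraud stays above the appetite threshold after controls and is therefore the one risk that needs a reject-or-accept decision.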

Once a decision is made to change something as a result of the self-assessment process, it will
need to be implemented. This is supported by initiative tracking, scorecards, risk strategy maps,
risk accountability maps, dashboards and reports within Hyperion Operational Risk Management.
This provides management with relevant and timely information to continuously monitor total
operational risk and to establish process and activity performance goals and targets to meet
operational risk objectives.

Hyperion Operational Risk Management also supports cost benefit analysis and reduction
through its robust operational modeling capability.

Key Risk Indicator Collection Module

In order to measure and monitor the adequacy of the risk management strategies, each business
unit must identify key risk indicators, the “pressure points” where weaknesses can be recognized.
Key risk indicators will validate the effectiveness of the controls or act as an early warning system
to management. If the key risk indicator indicates that a process is falling short of specific targets,
it may highlight an operational issue that needs to be addressed. For example, the level of
customer complaints may act as a key risk indicator for customer satisfaction while an increase in
transaction errors may indicate inadequate training.

In this module a business or risk manager can record risk indicators that might have been
identified in the self-assessment workshop. The risk indicators in the case of credit card fraud might
be credit authorization system downtime or the number of open customer disputed
transactions whereas the risk indicators in the case of inter-bank dealing might be late payment
interest charges, the number of outstanding unmatched confirmations or the number of limit breaches.

Key risk indicators are usually performance- or failure-based and can be key performance
indicators or key control indicators. Key risk indicators should be relevant, minimally correlated,
measurable and manageable in number. The business risk owner defines the key risk indicators
and acceptable target levels.

Hyperion’s key risk indicator tool can automatically source indicators from legacy systems or a
central database.

Figure 8. Key risk indicator module.

Loss Event Collection Module

This is another Web-enabled module available to all organizational business units that is capable of:

• Capturing both internal and external loss events (External loss events will need to be scaled for
both size and complexity of the individual bank in question.)
• Aggregating losses by employee, business unit, legal entity, country, group, as well as loss type
or loss category
• Capturing “near misses” that did not result in any operational loss
• Storing causation factors
• Storing the direct and indirect costs, such as “cost of carry” and remedial costs
• While the system will capture all operational risk events irrespective of size, it is capable
of reporting only events above an agreed cut-off level

Hyperion’s solution captures not only the minimum loss event data as outlined by the Operational
Risk Implementation Advisory Group, but it also has the flexibility to add more data fields as
banks require.

Figure 9. Loss event collection module.

Using the loss event input module, unit operational risk staff who are responsible for gathering
actual loss events record such details as where and when the loss occurred, how it occurred, and
who is responsible for it (and thus for correcting the weakness). The module also allows interested
parties to enter comments and issues, including references to other operational risk actions that
might affect this risk type. Risk staff can also record the individual loss amounts, including
details of recoveries, if any. This data is then automatically consolidated with other units’ data to
create a corporate loss database that can be analyzed centrally.

The module enables banks to take data feeds from internal or external systems and thus
facilitates the input of external losses (which will need to be scaled) so that a complete relevant loss
database is constructed.

Hyperion Operational Risk Management offers the key benefit of single instance reporting –
sending the same report to multiple interested parties, such as audit, compliance, fraud,
insurance group, operational risk managers, etc. Authorized interested parties can access the system
to raise issues and give an independent view of progress towards the final resolution of all
outstanding issues. This key benefit enables management to view the key inputs from all relevant
parties in one single source.

Statistical Analysis

In conjunction with our partners, Hyperion has developed a statistical model to quantify operational
risk exposure and calculate operational risk capital. The solution includes:

• Supporting all three Basel II measures: the Basic Indicator Approach, the Standardized Approach
(including the latest proposed Alternative Standardized Approach) and the Advanced
Measurement Approach
• Mapping your organization to the agreed regulatory categories, allowing for internal
reorganizations
• Supporting proprietary and third-party analytical and simulation models for capital calculations
• Accepting external data and scaling it to any organization using any one of a number of
scaling factors, such as gross income, headcount, administration cost or total compensation

Individual losses are taken from the loss database (including external scaled losses where
appropriate). The losses are then classified by business line and event type according to the
Basel II guidelines. Within Hyperion, there is no restriction on the number of risk classifications
that a bank may use, but it is recommended that risk classifications are mapped to the Basel II
classifications for comparative purposes.

[Figure 10. Statistical analysis business process flow. Diagram stages: Individual Loss Events;
Risk Matrix Loss Data; Loss Distributions (Frequency of Events, Severity of Loss); VaR Calculation
(VaR Calculator, e.g., Monte Carlo Simulation Engine); Total Loss Distribution (Annual Aggregate
Loss ($), with Mean and 99th Percentile marked).]

Once losses have been classified, two distributions can be calculated: a frequency distribution
and a severity distribution. In the early stages of processing, sufficient data may not be
available to calculate these distributions at business-unit level, and banks may need to run the
analysis at corporate level. When sufficient data are available, the distributions can be
calculated for each business line and event type “cell.”

Finally, Hyperion can calculate a compound distribution or total loss distribution using a
Monte Carlo simulation engine and from this the operational risk capital is calculated.
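The loss distribution approach outlined earlier in this paper (a frequency and a severity distribution compounded by Monte Carlo simulation, with the mean as expected loss and the 99.9 percentile as one-year value at risk) and the per-cell calculation described in this section can be sketched as below. This is an added example, not Hyperion's model or code: the Poisson and lognormal choices, the constructed loss events, the function names and the simple addition of cell charges are assumptions.

```python
import math
import random
import statistics
from collections import defaultdict

# Two Basel II (business line, event type) cells used by the constructed sample data.
RETAIL_FRAUD = ("Retail Banking", "External Fraud")
TRADING_EXEC = ("Trading and Sales", "Execution, Delivery and Process Management")

# Constructed loss events (not real data): (year, cell, loss amount).
LOSS_EVENTS = [
    (2000, RETAIL_FRAUD, 12_000), (2000, RETAIL_FRAUD, 8_500), (2000, RETAIL_FRAUD, 30_000),
    (2001, RETAIL_FRAUD, 15_000), (2001, RETAIL_FRAUD, 22_000), (2001, RETAIL_FRAUD, 9_000),
    (2002, RETAIL_FRAUD, 40_000), (2002, RETAIL_FRAUD, 11_000), (2002, RETAIL_FRAUD, 18_000),
    (2000, TRADING_EXEC, 250_000), (2001, TRADING_EXEC, 90_000), (2002, TRADING_EXEC, 1_200_000),
]


def fit_cells(events, observation_years):
    """Fit a Poisson frequency and a lognormal severity to each cell's losses."""
    by_cell = defaultdict(list)
    for _year, cell, amount in events:
        by_cell[cell].append(amount)
    params = {}
    for cell, losses in by_cell.items():
        if len(losses) < 2:
            continue  # too few losses to estimate a spread; pool at corporate level instead
        logs = [math.log(x) for x in losses]
        lam = len(losses) / observation_years  # mean number of events per year
        params[cell] = (lam, statistics.mean(logs), statistics.stdev(logs))
    return params


def sample_poisson(rng, lam):
    """Draw one Poisson(lam) count (Knuth's method, adequate for small lam)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def percentile(sorted_values, q):
    """Nearest-rank percentile of an ascending list."""
    rank = max(1, math.ceil(q * len(sorted_values)))
    return sorted_values[rank - 1]


def capital_by_cell(params, years=50_000, seed=2003):
    """Simulate `years` annual aggregate losses per cell and derive EL, VaR and UL."""
    rng = random.Random(seed)
    results = {}
    for cell, (lam, mu, sigma) in params.items():
        totals = sorted(
            sum(rng.lognormvariate(mu, sigma) for _ in range(sample_poisson(rng, lam)))
            for _ in range(years)
        )
        expected = sum(totals) / years            # mean of the compound distribution
        var_999 = percentile(totals, 0.999)       # 1-year value at risk
        results[cell] = {
            "expected_loss": expected,
            "var_999": var_999,
            "unexpected_loss": var_999 - expected,  # capital charge for this cell
        }
    return results


if __name__ == "__main__":
    fitted = fit_cells(LOSS_EVENTS, observation_years=3)
    charges = capital_by_cell(fitted)
    for cell, result in charges.items():
        print(cell, {name: round(value) for name, value in result.items()})
    # Assumption: cell charges are simply added, with no diversification benefit.
    print("total capital charge:",
          round(sum(r["unexpected_loss"] for r in charges.values())))
```

The heavy-tailed trading cell dominates the total even though it has a third of the event frequency, which is why the severity fit matters more than the frequency fit at the 99.9 percentile.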

Like all other components in Hyperion Operational Risk Management, the outputs from a
statistical engine are automatically fed into the reporting module.

Scenario Analysis

Scenario analysis is used to forecast operational losses and the events that caused them based
on the knowledge of business experts. It has both a quantitative and a qualitative aspect.
Scenario analysis can be used to supplement insufficient loss data, to provide a forward-looking
element in the capital assessment, and to stress test the capital assessment. Its most common
use is to supplement insufficient loss data, and it can be used at the early stages of operational
risk management.

Figure 11. Scenario analysis input.

Scenario analysis can be a top-down or a more detailed bottom-up exercise. The process is
similar to self-assessment; indeed some banks consider scenario analysis as an initial self-
assessment exercise.

Summary
Until recently, operational risk was the poor cousin when compared to market risk or credit risk.
High-profile cases have firmly thrust operational risk into the limelight. Both encouraged and
threatened by regulatory developments, the banking industry has at last concentrated on a
structured and comprehensive approach to the management of operational risk. This ongoing
effort is one of the greatest challenges to bank management today. All banks that will be
impacted by the new regulations must begin preparing immediately. This includes ensuring that
operational risk is managed comprehensively and that the bank is capable of demonstrating a
robust solution to the regulators.

There are no legacy operational risk solutions: only recently did a number of software houses
begin to develop solutions. Most solutions provide only partial answers to the highly complex
task of managing a risk that carries such a diverse array of issues.

A comprehensive solution must be capable of supporting financial institutions through every
stage in the development of their operational risk framework, no matter what part of the cycle
they have reached. The complete solution must support the dissemination of the operational
risk culture, facilitate collection and collation of operational risk information, and measure and
present operational risk information in a comprehensible manner to boards of directors, risk
committees, business owners, risk managers and other interested parties such as audit and compliance.
A truly integrated operational risk solution will also allow managers to easily track and manage
any improvements that need to be made to people, processes, systems, strategy and the
business environment to reduce operational risk and accrue the benefit of a lower capital charge. In
the absence of a comprehensive solution, many millions of dollars will be wasted on “stop-start”
solutions that in the end will not satisfy regulatory requirements and, like many other projects,
be consigned to posterity.

A Road Map to Business Performance Management for Financial Institutions

Business Performance Management is about driving reliable results and strategic focus
throughout the enterprise. Reliable results are a product of clearly communicated targets and actions to
employees, coupled with presenting progress and determining the best course for future
actions. The value of Business Performance Management achieved at a superior level is
threefold: enhanced competitiveness, increased profitability and business risk reduction.

Financial institutions reviewing solutions meeting the requirements of the Basel II accord
should consider the shared, common goals of Business Performance Management with the
global accord.

Enhanced competitiveness translates to the need for greater agility in the banking marketplace
without increasing operational risk exposure due to an extremely sophisticated control
environment. Equally important, an advantageous competitive position facilitates the lowering of
capital reserve requirements, thus unlocking more capital for additional, incremental means of
revenue generation.

Finally, a financial institution that reduces its business risk with a superior operational risk
environment is rewarded with higher credit/beta ratings by its investors.

Hyperion, the global leader in Business Performance Management, is the only provider of a
comprehensive operational risk solution that covers all stages in the cycle. Its four modules,
self-assessment, key risk indicator, loss event and statistical analysis, are all part of an integrated
solution that truly enables banks to fully get their arms around operational risk.

In addition, Hyperion uniquely offers an integrated reporting suite and an initiative-tracking
tool that allows management at all levels in the organization to view operational risk as a
comprehensive process.

Hyperion is the most comprehensive solution on the market today. It was designed specifically
with the most up-to-date regulatory requirements in mind. It was built after extensive
consultation with industry operational risk managers, bankers, regulators and IT specialists. It has both
the look and feel of a designed-for-purpose solution.

Hyperion Operational Risk Management is built on open standards, making it easy to integrate
with existing third-party tools, databases, and messaging standards. It is designed specifically
to work in mixed-vendor environments. Hyperion offers enhanced scalability and lets financial
institutions roll out the software to as many users as necessary on a bank-defined timeline.
Thus banks can grow their own solutions at their own pace.

About the Author


Padraic Walsh has more than 30 years of financial risk management experience with the leading
Irish financial institution, the Bank of Ireland. This experience included a period in the bank’s
branch network and seven years as a senior manager in the Group Finance and Treasury and
International Banking divisions. He spent five years overseeing the initial Asset Liability
function before heading Market Risk for six years. Padraic represented the Irish banks in Brussels
during the development of the regulatory framework for market risk (CAD1). Following that,
Padraic became head of Credit Risk at the bank’s Treasury division, with responsibility for credit
quality and upgrading the bank’s credit systems. During his time at the Bank of Ireland, he
spent extended periods in the UK, U.S. and Poland on various bank assignments and consulted
with Booz Allen Hamilton.

Now working as an independent risk consultant from the Invent Centre in Dublin City
University, Padraic specializes in preparing financial institutions for the forthcoming Basel II
regulations in credit and operational risk. He recently published an article in Finance magazine
on the latest CP3 developments and works as consultant with one of the Big Four accounting
firms, assisting them with Basel II diagnostics and strategy.

Padraic Walsh earned a bachelor’s degree in business from University College Dublin and a
master’s in treasury and investments from Dublin City University. He is a member of the
Chartered Association of Certified Accountants.

About Hyperion
Hyperion is the global leader in Business Performance Management software that enables
companies to translate strategies into plans, monitor execution and provide insight to improve
financial and operational performance. More than 6,000 customers worldwide use Hyperion's
Business Performance Management family of packaged and tailored applications and its leading
business intelligence platform. Hyperion has a network of more than 330 partners to provide
innovative and specialized Business Performance Management solutions and services.

Headquartered in Sunnyvale, California, Hyperion generated annual revenues of $510 million in
fiscal 2003. The company employs more than 2,200 people in 20 countries and is represented
in 16 additional countries through distributor relationships. Hyperion is traded under the
Nasdaq symbol HYSL. For more information, please visit www.hyperion.com,
www.hyperion.com/contactus or call 800 286 8000 (U.S. only).

Hyperion Worldwide Headquarters
Hyperion Solutions Corporation
1344 Crossman Avenue
Sunnyvale, CA 94089
Tel: +1 408 744 9500
Fax:+1 408 744 0400

www.hyperion.com

Product Information
Tel: 800 286 8000 (U.S. only)

Consulting Services
E-mail: northamerican_consulting@hyperion.com

Education Services
E-mail: [email protected]

© 2003 Hyperion Solutions Corporation. All rights reserved. Hyperion and the Hyperion “H” logo
are registered trademarks of Hyperion Solutions Corporation. All other trademarks and company
names mentioned are the property of their respective owners.
4030_0903KS_WP
