The Operational Risk Management Process: Implementation of an OR Management Model

Transcription

1 The Operational Risk Management Process: Implementation of an OR Management Model dr. Aleksandra Brdar Turk ABSTRACT In the last decades, operational risk (OR) management has advanced to become an integral part of financial and other institutions' overall risk management processes. It is especially important for those institutions where OR events manifest as high-severity / lowfrequency events causing significant distress on the company's operations. Within the Internal Capital Adequacy Assessment Process (ICAAP) required by Basel II, financial institutions must develop and use internal risk assessment and management information systems to efficiently assess their economic capital requirement. This approach can also be used for the efficient management of operational risk. In the paper we describe the key steps in building such a system, starting from OR management strategy, methodology and policies, which are incoporated into the overall risk management strategy and processes. We follow by describing the key elements of the OR database - the most important part of the system. We continue by describing the analytical potential of the system, including monitoring, reporting, scenario analysis and back-testing. We finally highlight the possibilities of using the system in non-financial companies, especially in the fields of high-technology and IT. INTRODUCTION In the last decade, risk management has witnessed an increase in the importance of operational risk among other types of risks, rising from the position of being an»other risk«to being considered equally important as credit and market risks the two risk categories deemed to be the most important in the financial industry. Alongside companies and financial institutions, regulatory provisions have also started focusing on operational risk, imposing significant demands on financial institutions in order for them to establish mechanisms which will enable them to capture, analyze and include operational risk into their risk management systems, finally resulting in a capital charge and continuous management of operational risk. The main reasons for operational risk coming into focus is a powerful growth of the financial markets in the last twenty years, the increasing deregulation and globalization, the growing organizational complexity of financial institutions, their corporate and capital partnerships, which increase their overall exposure to risk, as well as the intense development of financial services, which are becoming more accessible to a wider circle of investors. On the other hand, financial products are becoming more and more complex, especially with the immense growth of structured financial products, which contributed to the growth of the derivatives markets to 708 trillion USD in 2010 (BIS, 2011). Not to be ignored are also the case studies that in the last two decades have filled textbooks on operational risk failures, including Chase Manhattan & Drysdale Securities, Kidder Peabody, Barings Bank, Allied Irish Bank, Société Générale and the latest to come to fame, UBS Warburg. In the European directives for risk management in banking and insurance (Basel II and Solvency II), operational risk is given a greater consideration, the methods for its identification, measurement and management are explored and it is included in the calculation of minimum capital requirements for banks. The regulatory capital adequacy framework, as described by BIS in the 2010 Annual report, envisages»a gradual convergence of the operational risk discipline towards a narrower band of effective risk management and measurement practices«. In December 2010, the Basel Committee on Banking Supervision issued revised versions of its guidelines for the management and supervision of operational risk and of its supervisory guidelines for the advanced measurement approaches in the field of operational risk management. Both documents, as well as the overall development of worldwide regulatory requirements, not only in banking, but also in asset management and insurance, consistently draw attention to the importance of operational risk management. Operational risk can be defined as the risk remaining after eliminating market, credit, interest and exchange risks (Allen, Bali, 2007). The Basel Committee on Banking Supervision defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk (BIS, 2004; Van Greuning, Bratanovic, 2003). It is in the New Basel Accord (BIS, 2004) that operational risk is given a greater consideration and the methods for its identification, measurement and management are explored. It is also in this Accord that AcademyPublish.org Risk Assessment and Management 219

2 operational risk is included in the calculation of minimum capital requirements for banks. According to Marshall (2001), the development of a comprehensive operational risk management system which includes identification, evidence, analysis and use of operational risk management data, is the basis for the use of advanced measurement methods in a financial institution for the purpose of determining capital requirements as proposed by the Accord. The management of operational risk is especially important for those institutions where operational risk events manifest as highseverity - low-frequency events which cause significant distress on the company's operations. This is especially true for financial institutions, but it is our opinion that operational risk events can cause significant damage to companies in other industries as well. The companies that most frequently feel the impact of operational risk events are young developing companies in highly technological industries and sectors, where systenic and technology risks are crucial factors in their development. For example, in a mobile-phone operator or a web-based or web-integrated company, a faliure in the company's information system or of another supporting system can cause a total shut-down of all production processes and of services rendered, resulting in enormous direct and opportunity losses. For a struggling company, trying to establish its position in the rising market, this can mean the fatal act. Combined with financial shocks in the form of loss of revenue and, consequently, loss of R&D sources and a plummeting stock price, the company can quickly go underwater or become a hostile takeover target. Within the Internal Capital Adequacy Assessment Process (ICAAP) required by Basel II, financial institutions must develop and use internal risk assessment and management information systems to efficiently assess their economic capital requirement. This approach can also be used for the efficient management of operational risk. THE BASIS OF AN OPERATIONAL RISK MANAGEMENT SYSTEM Internal Capital Adequacy Assessment Process The Internal Capital Adequacy Assessment Process (ICAAP) is one of the key supervisory elements in Basel II. Its goal is to ensure capital adequacy of a financial instution in relation to the risks it is exposed to and the use and improvement of risk management techniques. The supervision and management of risk is increasingly becoming a strategic and comprehensive task that requires the inclusion of all managerial levels, all processes, business areas and organisational units. The ICAAP requires financial institutions to prove that it has an adequate and effective internal mechanism for the identification and management of all relevant risks as well as a management information system that enables a correct assesment and establishment of the financial institution's capital adequacy. Four crucial elements in any ICAAP are: 1. assessment (identification and measurement) of the risks a bank is, or may be, exposed to; 2. application of mitigation techniques that may help to lower capital requirements; 3. stress-testing techniques; 4. role of the board of directors and management. Basel II requires that risks are presented to, and discussed by, the board to ensure its acceptance and understanding. Basel II also requires a bank to maintain capital ratios and convince the regulator. Risk models and capital are only part of this. A financial institution must also consider any other internal risks that the firm may face which may result in losses such as fraud, rogue trading, or strategy failure. Starting from these key elemtns of ICAAP as described above, we can derive the key steps in building an efficient operational risk management system, which are: - a comprehensive operational risk management strategy, supported by the overall corporate risk management strategy at all managerial levels of the company; - operational risk management methodology and policies, incoporated into the overall risk management strategy and processes; - building the operational risk database; - collection of data and the analysis, monitoring, reporting, scenario analysis and back-testing; - inclusion of operational risk assesment into capital adequacy requirements; - continuous improvement, adaptation and development of operational risk model and management strategy. Unfortunately, the quality of an operational risk management system can only be determined by its use, by testing the quality of gathered data and of forecasts made on the basis of such data by comparing them to actual data arising from continuing operations. Obviously, it is imperative that in such a data gathering operation all levels of business be included by reaching a consensus of all levels of management in the company. The problem with such data analysis models lies in extreme events, which are rare by nature and my have not yet occurred in the recent history of a financial institution, e.g. in the last 10 years. A logical, albeit erroneous, conclusion one would make based on such data is that extreme events do not happen and will not happen in the future, which may affect the underestimation of minimal capital requirements or capital reserves. AcademyPublish.org Risk Assessment and Management 220

3 The inclusion of an operational risk management model in such circumstances is advised in the case of companies with a short historical data background due to either their short history or only recent development of a data gathering system or in the case of institutions which, due to changes in legislation, mode of operation, political or macroeconomic systems, consider any gathered data as an unreliable base for the development of such a model. The model can be then used as the source for the operational risk database (Brdar Turk, 2009). Risk Management Strategy and the Right Place for Operational Risk Every company should be well aware of the role risk management plays in its path to success and proliferation. Apart from the financial sector, this is also valid for all other companies, indiscriminating between industries, bewteen global and local players, fastgrowing or slow-paced companies, niche or mass-marketers. The comprehensive risk management system of any company starts with a risk management strategy (Andersen, 1998; Cruz, 2002; Marshall, 2001). It sets the strategic principle the company will incorporate in its operations when dealing with all types of risk. The strategy, which could also be called a risk management policy, methodology or framework, must first and foremost identify and define all types of risk that affect the company in question. It represents a map of all risk factors and the power of their influence on the company's operations. The second part of the strategy includes the risk management methodology: it sets forth the tools for the identification, measurement and monitoring of risk factors, data collection for risk events, their analysis and reporting, internal controls and system maintenance, as well as the organizational layout of these risk management processes and the personal responsibilites for each of them. Amongst the identified risks which affect the operations of the company, every company will surely list operational risk. As operational risk causes losses resulting from inadequate or failed internal processes, people and systems or from external events, the association only with financial companies is misplaced, as these risks arise in manufacturing, high-end production, sales or services companies as well. The events that have caused many of the financial institutions failures in the last two decades show that operational risk is a key factor in the industry, but also indicates that it is much more widespread then managers would like to consider. Even having an operational risk management system in place does not guarantee an effective shield against operational risk events if the system is not being operated as it should be, if the people operating it are not aware of the nature of the risk being managed, the severity of the event, the extent or the ramifications of procedures not being followed or followed consciously, as was the case in the losses incurred by Société Générale in 2007 (Société Générale, 2008). It is our goal to show that a simple and effective operational risk management system can be constructed to ensure an effective shield against the low-frequency / high-severity events that are characteristics of operational risk loss events. This system can then be extended and developed further to either be used other risks as a separate system or to include all types of risk into a comprehensive centralized risk management system of a company. Benefits of Data-Based Operational Risk Management Systems The operational risk loss event data processing system that is incorporated into a comprehensive company-wide risk management system ensures a consistent and extensive dataset on operational risk loss event in the entire company and can be used for the assessment and modeling of operational risk impact on the company processes. It also enables a company to include the impact of operational risk loss events in the development of new businesses, products or services by enabling the development team to simulate or model the impact of loss events on a new business before it is developed and launched. The results of these simulations can then be used in the overall cost-benefit analysis of the new business and included in the final decision on the launch or rejection of the new business. An operational risk loss event data processing system allows the delivery of consistent and comprehensive risk management reports to the senior and top management, including data from the whole company, across processes and organizational units. In the case of a loss event, it enables faster communication and a methodologically sound damage assessment, which, in turn, enables the management to take adequate actions to reduce and/or mitigate the damage and to undertake preventive actions and measures to avoid similar events in the future. Lastly, it also enables internal and external auditors, regulators and other interested third parties much easier and simpler access to risk event data, which surely helps in the overall assessment of the adequacy of the internal operational (and any other, in fact) risk monitoring and control system of the company (Marshall, 2001). THE OPERATIONAL RISK DATABASE Identification of Operational Risk Factors A company must set forth a narrow, operational framework for the management of operational risk within the company. It starts with identifying all risk factors that influence the operations of the company. These factors represent the key elements of the risk AcademyPublish.org Risk Assessment and Management 221

4 management model or system as it allows the company to focus on the true causes of operational risk and prevent or at least mitigate the effects of loss events. The Basel II classification of operational risk aside, large financial institutions still like to define operational risk slightly differently, always starting from their own organizational, process or business specifics. An example is Deutsche Bank, where the operational risk is defined as potential for incurring losses in relation to employees, project management, contractual specifications and their documentation, technology, infrastructure failure and disasters, external influences and customer relationships (DB, Annual report 2005). The Securities and Exchange Commission defined in 2003 operational risk as potential losses due to lack of controls within the organization in the following areas: unidentified limit breaches, unauthorized trading, fraud in trading or backoffice operations, inexperienced personnel and unstable or unprotected and accessible information systems. With the introduction of Solvency II, the European Commission has established that the calculation of capital adequacy indicators must be executed by taking into consideration all of the important groups of risk, including operational risk, which includes inadequate or ineffective internal processes, people, systems or external factors. With the increase of business volume in a company an increase of business complexity follows, usually accompanied by an increase of personnel, which causes the level of operational risk exposure to rise and, consequently, also increases the probability of an error in the ongoing processes. The exposure to operational risk can be measured by several indicators (BIS, 2001a): - gross sales income; - volume of all businesses (transactions) or new business; - assets under management; - number of transactions; - number of employees; - employee working experience (measured in years); - capital structure (capital-to-debt ratio); - incurred losses from operational risk loss events; - paid insurance claims from operational risk loss events. In regards to the different types of operational risk loss events we can classify them according to the following criteria (Chernobai et al., 2007): Internal and external losses the classification distinguishes between losses caused by internal or external factors (eg. personnel events, such as work-related injuries, internal fraud, unauthorized trading or errors, process or technological failures for the former vs. external fraud, theft, information system breaches, acts of terrorism or acts of nature for the latter). Direct and indirect losses the company differentiates the losses according to the connection between the source or cause of the loss event and the loss incurred. For example, a trading book loss is a direct loss, resulting from unauthorized trading or wrong broker decision in a bearish market. On the other hand, an opportunity loss on lost business, near-miss losses or contingency losses are indirect losses. It should be noted at this point, that the Basel Accord only deals with direct losses. However, it is the author s opinion that indirect, especially near-miss and contingency losses should also be considered and included in the operational risk loss event database, as models used to predict potential future losses from such a database would benefit and experience increased accuracy in their predictions. Expected and unexpected losses the former being losses that, historically, occur regularly and frequently for a financial institution (or other company) and are losses of smaller amounts (eg. personnel errors); while the latter being unpredictable losses from events such as natural disasters, acts of terrorism or extensive internal fraud or theft. Loss severity and frequency it is a standard classification to categorize operational risk losses into the following four classes: - low frequency / low severity losses, - high frequency / low severity losses, - low frequency / high severity losses, - high frequency / high severity losses. Following the quantitative studies in the fields of banking and insurance (see for eg. (Chernobai et. al., 2007) as well as the industry consensus one can ascertain that the fourth group of high frequency / high severity losses does not exist, nor is it rational or efficient to set up internal controls against the first group of low frequency / low severity losses as the costs of such systems would by far exceed the benefits. The two groups of events that should be monitored and managed are therefore high frequency / low severity losses, which can be managed by sound operational practices, clear procedures and internal monitoring systems and mechanisms, and low frequency / high severity losses, which can cause severe financial distress or destabilization of the institution, potentially resulting in its illiquidity, insolvency and bankruptcy (Bradley, Taqqu, 2003). AcademyPublish.org Risk Assessment and Management 222

5 Loss Event Characteristics Regardless of their source or directionality, operational risk events are fundamentally different from market or credit risk events. One of their most important distinctions is their historical rarity. According to BIS s Quantitative Study (2000) the largest banks only held historical data on operational risk events for the last five or six years, which also only included quality and reliable data. One would question the reliability of the analyses based on such small samples. In their study, Baud, Frachot in Roncalli (2002) exposed the problem of left-truncated data in bank s databases which only included loss events exceeding a certain $ amount (eg. $ 1 million) as well as the problem of a positive correlation between the size of the institution and incurred losses. They proposed, and BIS in 2004 included such a recommendation in its documents, that external loss data should be included in such databases. Another proposed solution is to include near-miss data (Chernobai et al., 2007). The second important characteristic of operational risk loss events is the erratic nature of their occurrence. Operational risk loss events occur discreetly and (apparently) independently from each other, emulating a Poisson process, which differs significantly from eg. market risk events, which can be monitored in regular intervals, eg. intra-day or weekly when calculating the market value of trade book positions. The consequences of operational risk loss events are the next item worth mentioning. The effects of a loss event do not necessarily manifest immediately at the time of the event, but may remain hidden for a certain period and surface later. The results of analysis of data gathered at the time of the visible consequences of the event may be very different than the ones gained from an analysis of data that includes the time of the actual loss event. The first case is actually the usual practice in companies, connected to the inevitable financial statements that reflect any financial losses connected to the loss events and are usually one-time write-offs that companies usually book at the end of accounting periods and not immediately at the event occurrence. This may lead to an apparent seasonal event characteristic, which is, in reality, not present. The fourth important characteristic of operational risk loss events is their probability distribution function. It is significant to mention the uniquely positive (or negative) nature of loss event data, as we are only interested in (positive) operational risk losses. Therefore, only positive-defined or left-truncated probability distributions with values ranging from 0 onwards are suitable for modeling operational risk losses. Next, based on empirical data (see for eg. Cruz, 2002; Moscadelli, 2004; De Fontnouvelle et al., 2006) the losses are typically strongly asymmetrical, skewed to the right and concentrated around low values, as is shown in Figure 1, which, in turn, indicates fat right tails which makes leptokurtic distributions our distributions of choice, such as the Pareto, lognormal or Weibull (being the most commonly chosen distributions in empirical studies), as well as the Gumbel, GPD or GEV distributions (see for eg. Cruz, 2002; Moscadelli, 2004; Gustafsson, Thuring, 2007; Scandizzo, 2007; King, 2001; de Fontnouvelle et al., 2004). Figure 1: Typical operational risk loss probability distribution. Loss frequency Loss severity The last characteristic of operational risk loss events is their correlation. According to the Basel Accord methodology, capital reserves across the different financial institution s business areas are simply added to obtain the minimum capital requirement for the institution, without taking into consideration the different approaches for the calculation of the individual figures and without taking into consideration the effect of loss events across business lines and their mutual correlations. Naturally, the calculations needed to incorporate this effect may become heavily time-consuming and complex, but surely, the effect is not to be dismissed. Data Gathering Every identified loss event needs to be classified according to the key elements that describe the event in detail. All accompanying data also needs to be collected and input into the model or database for further analysis (Wahler, 2003). AcademyPublish.org Risk Assessment and Management 223

6 The first step is to identify all potential loss events that may influence the operations of the company. Apart from all previously gathered loss event data, it is advisable to make use of any comparable public data and employee and expert opinions that are involved in business processes on different managerial and operational levels in the company. The effect of these events on the company s operations is then assessed, including the immediate financial losses, the loss of reputation, loss of potential business and any legal consequences, as well as the human, information and other resources that would be needed to repair any damage incurred in the loss event. The second step is to define the classification and data collection methodology. Based on a conceptual analysis of such data a company can identify the key risk factors impacting its operations. It can also be used for the identification of high severity / low frequency data that influence the capital requirements for a financial company as well as for the low severity / high frequency loss events that influence the day-to-day operations which can be mostly prevented and thus a higher operational efficiency of business processes can be obtained. The classification of loss events is easily followed, but must be continuously monitored and adapted to changes in the company s processes. The way the company decides to classify operational risk loss event data is not important it may be by process impacted, risk source or cause, organizational responsibility, cost-carrier that bears the loss from the event, a pre-defined classification set forth by regulation or by inter-institutional consensus. The basic risk factors and loss events can then be grouped into categories as defined by Basel II. Building the Operational Risk Database The most important element of the operational risk management system is the operational risk database that includes the loss event tables with all the most important loss event details as well as other details on loss event prevention, mitigation and control actions. The following fields to be included in the loss event tables (adapted from Marshall, 2001): - standardized unique event code, - a detailed loss event description, - event timeline including start, end, duration, realization, impact and mitigation times, - assessment of financial and opportunity loss of the event, - processes impacted (actually or potentially) by the event, - processes that caused, impacted or controlled the development of the event, - other loss events caused, connected to or influenced by the loss event, - a detailed analysis of loss event causes, including the most probable and accompanying (secondary) risk factors, - responsibility within the company (operational and managerial), - mitigating actions taken after the event. After the analysis of the data, the following additional data may be included in the loss event tables: - frequency distribution of loss event occurrence, - frequency distribution of loss event severity, - seasonal component or other external influence, - preventive actions that could be taken before the event to reduce or prevent loss and other comments. The database may be additionally extended to include external loss event data for comparable companies (if available), expert assessments and potential loss event data, as well as the afore-mentioned near-miss and opportunity losses. The database is the basis upon which the company can build a strong analytical system that includes automatic parameterization modules for risk event modeling and prediction, hypothesis testing, back-testing, scenario analysis, basic and advanced managerial reporting or management information system inputs. AcademyPublish.org Risk Assessment and Management 224

7 Figure 2: Operational risk data analysis system architecture. Operational Risk Monitoring And Reporting Once the operational risk database is set up, it is imperative that all the loss events be classified and data gathered and input into the database according to the risk monitoring protocol and methodology set forth by the company for the purpose of monitoring and reporting. Another very important aspect of ensuring the proper usage and effective results from the operational risk database is the regular maintenance of the whole risk management system, which also incorporates continuous learning and adaptation of the system, quantitative models used and of the database to reflect any changes in the company s internal and external environments, as is shown in Figure 3. AcademyPublish.org Risk Assessment and Management 225

8 Figure 3: Risk management maintenance, learning and development Report QUANTITATIVE RISK MEASUREMENT MODEL RESPONSE: analysis and implementation Identification and risk evaluation of operations and processes Risk analysis Risk management policy, protection measures' proposal Implementation LEARNING: identification, measurement and updates CURRENT OPERATIONS Risk event DATABASE Update of model Loss event examination Loss event occurrence Report Report Report The learning and development process is a loop consisting of two process groups: the first is the learning process that includes the identification, continuous monitoring and measurement of operational risk events, loss data gathering, database input and model updates. The second group is the response process that includes the analysis of risk events, risk management actions and their implementation in the company s continuing business operations. This group includes any quantitative operational risk models the company may be using for the modeling, prediction and advanced analysis techniques, such as scenario and sensitivity analysis. The most important element of an effective risk management system is the reporting protocols, including the immediate eventprompted reporting as well as the periodical system adequacy testing and analysis, the internal audit of quantitative modeling instruments used and the periodical business analysis (eg. SWAT or strategic analysis). The reports must be clear, complete, consistent, end-user and context-oriented, as analytical or as synthetic as it is adequate in regards to the level of reporting, timely, action-oriented and with as little redundancy as possible. The effectiveness of the reporting system can be increased by allowing end-users direct access to risk event data in a managerial information system and automatic reporting systems. ALTERNATIVE USES OF OPERATIONAL RISK MODELS Use of Operational Risk Model with Other Risks The operational risk management system from Figure 2 and loss event database can easily be adapted for use with other sources of risk, such as market and credit risks in financial institutions. Instead of using a proposed operational risk model to estimate frequency and severity distributions of loss events, the empirical historical data on returns and volatilities may be used as they are readily accessible by market data providers, as well as data on non-market assets, such as real-estate, including prices and estimates, can be used. The model can then be extended to include causal models, which study interdependencies and correlations between risk factors and events and can provide a deeper insight into risk factor impacts on the company's operations and help estimate and predict potential losses from these risks more accurately. The model can be adapted for credit risk management, as well. The data on credit portfolio historical returns and/or losses and the estimation of the probability distribution of credit losses or defaults can be input into the database. A comprehensive risk management system also means the integration of all fields of risk management into a sensibly connected whole that enables the management to take tactical and strategic decisions based upon a set of information that is as complete as possible and encloses all relevant data for a systematic view of the risk impact on the financial institution. This is possible with a centrally located risk event data processing unit and by the use of advanced analytical methods, such as scenario analysis, causal models and simultaneous multivariate regression models which enable the study of interdependencies between factors and correlations between events and event causes. Taking into consideration all the impacting risk factors and basing decisions on such grounds leads to a more efficient reduction of risk impact on the company as well as on a more efficient overall performance of risk management and core business processes avoiding unnecessary redundancies in risk controls, reporting, analysis etc. AcademyPublish.org Risk Assessment and Management 226

9 Use of Operational Risk Model in Large Institutions The size of the financial institution is irrelevant when discussing the basic concepts and fundamental principles of a comprehensive risk management system, but it does cause significant differences in the size and complexity of the model and of the analytical methods used within the model, causing large institutions to incur significant additional training, setup and maintenance costs at the expense of tackling complexity and a potential loss of focus within the data. The operations of a large institution can, alternatively, be subdivided into groups of similar processes (eg. business lines such as retail banking, institutional investors, treasury etc.) or different risks can be monitored across business segments but separate from each other. The use of parametric methods is also more suitable for smaller companies with a short or non-existing historical background in risk event data, while larger institutions probably already possess a fair amount of data to be analyzed. However an institution decides to set up its risk management model, it must take into consideration its organizational structure, the interactions between business processes, the identification of key risk factors and critical impact points in the business processes. Not all business processes are deemed to be included in the model if they are not affected by a certain type of risk this would cause unnecessary clouding and noise, as well as increased costs of data processing in the system for a questionable increase in result accuracy. On the other hand, no important business process or risk must be left out for the results to be adequate for decision-making, while still keeping the complexity of the model at sustainable levels. The differences between risk factors impacting different business segments and the interaction between business lines and factors must be taken in to consideration when creating business-oriented risk monitoring groups. Grouping similar business processes is advisable if the complexity of the model remains sustainable and the processes do not correlate significantly with each other and are, on the other hand, affected by similar risk factors (eg. accounting, maintenance, transport are not affected by market or credit risk, but are affected by similar operational risk factors, such as people error or technology failure). A non-complex model will be easy to maintain, input data, it will be easier to execute peer-comparison and gather external data, especially if the business processes exist outside the company as individual service providers (eg. transport firms). This approach enables the company to increase the quality of the model and keep it flexible to changes in the company's organizational structure or other internal or external environmental factors. It also lowers the model costs, including costs of building, using, adaptation and maintenance. Having several loss event databases and risk management models creates the need to consolidate results at a certain reporting level for the use by top management and strategic decision-making. Assuming the end-result of each model is a capital charge for a certain business line or risk factor, the Basel Accord's proposed use of the Loss Distribution Approach method can be applied, the method stating that total operational risk capital requirement is a sum of individual business lines' operational risk capital charge. This approach requires a consistent use of capital charge indicator, which should also be sub-additive. Thus it is our proposition to use Conditional VaR (CVar) or Estimated Shortfall (ES) which both exhibit this characteristic (Chernobai et al., 2007). Use of Operational Risk Model in Non-Financial Institutions An interesting alternative use of the proposed operational risk model is its use in non-financial institutions. The small fast-growing high-technology oriented companies are especially prone to operational risk influences where an operational risk event, such as technology failure, may cause irreparable damage to a struggling company in a growth phase. The fast pace of its operations also requires very fast risk event responses and mitigating actions. The problem with such young companies is twofold: first, the management's focus is usually mainly market-focused and less internally-focused, which usually means a lesser attention to building sound internal risk monitoring and managing practices. Obviously, it is not necessary to immediately develop sophisticated systems, but a minimum of monitoring and reporting is essential to avoid being severely crippled by operational risk influences which could have been prevented. Secondly, the historical background from which the company could build their risk management strategy and processes is virtually non-existent and is usually combined with a potentially niche-marketing strategy, which also does not allow for peer-based external data. This creates significant difficulties in data collecting and analysis, but a parametric estimation model for risk event frequencies and impacts can still be set up. It is possible for such a company to acquire external expert assessment and have a model built to include in its initial risk management strategy and build it further as it develops, including actual risk event data as the events occur, extending and widening the model to include risk factors not considered before or analytical tools for a more effective data studying. CONCLUSION The rising awareness of the importance of operational risk management within financial institutions and the growing frequency of operational risk events that have caused financial and other companies significant losses or failures and bankruptcies confirms the importance of operational risk models and management systems that should be used in financial as well as other companies, especially in the fields of high-technology and IT, where operational risk is probably the most important type of risk affecting their day-to-day operations. AcademyPublish.org Risk Assessment and Management 227

10 We have illustrated the basic principles of building a comprehensive operational risk management system in a company, starting from the risk management strategy and policies, identifying key risk factors and describing their key characteristics for creating the key element of the system, the operational risk database and loss event tables. The system is then used for risk event monitoring, analysis and reporting, while a continuous maintenance (including adaptation) of the model must be practiced for it to be effective in strategic and tactical risk management which includes capital charge assessment in financial institutions or the creation of capital reserves in non-financial companies. The expansion of the system includes advanced analytical methods, such as sensitivity analysis, automatic parameterization modules for risk event modeling and prediction, hypothesis testing, back-testing, scenario analysis and causal models. These methods will inevitably increase the complexity of the model, which must, on the other hand, always be kept at a sustainable level, including expense-wise, for a company to have benefits that exceed the costs of the system. REFERENCES Allen, L., Bali, T. G. (2007).»Cyclicality in Catastrophic and Operational Risk Measurements«, Journal of Banking & Finance, Vol 31, No 4, pp Andersen, A. (1998). Operational risk and financial institutions. London: Risk Books. BIS Quarterly Review, September Basel: Bank For International Settlements (BIS). [ BIS Annual Report 2010/11, June Basel: Bank For International Settlements (BIS). [ Baud, N., Frachot, A., Roncalli, T. (2002). How to Avoid Over-estimating Capital Charge for Operational Risk? Working Paper. Paris: Crédit Lyonnais, Groupe de Recherche Opérationnelle. Bradley, B. O., Taqqu, M. S. (2003).»Financial Risk and Heavy Tails«, Heavy-tailed distributions in Finance, North Holland: Elseviere, pp Brdar Turk, A. (2009).»A Quantitative Operational Risk Management Model«, WSEAS Transactions On Business And Economics, Vol. 6, No. 5, pp Chernobai, A. S., Rachev, S. T., Fabozzi, F. J. (2007). Operational Risk. A Guide to Basel II Capital Requirements, Models and Analysis. Hoboken: John Wiley & Sons. Cruz, M. G. (2002). Modeling, Measuring and Hedging Operational Risk. Chicester: John Wiley & Sons. De Fontnouvelle, P., DeJesus-Rueff, V., Jordan, J., Rosengren, E. (2006).»Capital and Risk: New Evidence on Implications of Large Operational Losses«, Journal of Money, Credit & Banking, Vol. 38, No. 7, pp Deutsche Bank Annual Report [ Gustafsson, J., Thuring, F. (2007). Best Distribution for Operational Risk: A Computational Evaluation of Different Loss Distribution Assumptions. Working Paper. Social Science Research Network. [ International Convergence of Capital Measurement and Capital Standards: A Revised Framework. (2004). Basel: Bank For International Settlements (BIS), Basel Comittee on Banking Supervision. King, J. L. (2001). Operational Risk: Measurement and Modelling. Chichester: John Wiley & Sons. Marshall, C. L. (2001). Measuring and Managing Operational Risks in Financial Institutions: Tools, Techniques, and other Resources. Singapore: Wiley & Sons. Moscadelli, M. (2004). The Modelling Of Operational Risk: Experience With The Analysis Of The Data Collected By The Basel Committee. Economic Working Paper No Rome: Banca d'italia. Operational Risk. Consultative Document. (2001a). Basel: Bank For International Settlements (BIS), Basel Comittee on Banking Supervision. Scandizzo, S. (2007). The Operational Risk Manager's Guide. Tools and Techniques of the Trade. London: Risk Books. Société Générale Mission Green Summary report (2008). Paris: Société Générale General Inspection Department. AcademyPublish.org Risk Assessment and Management 228

11 U.S. Securities and Exchange Comission Annual Report [ Van Greuning, H., Brajnovic Bratanovic, S. (2003). Analyzing and Managing Banking Risk. A Framework for Assessing Corporate Governance and Financial Risk. Second edition. Washington (D.C.): World Bank. Wahler, B. (2003). Process-Managing Operational Risk: Developing a Concept for Adapting Process Management to the Needs of Operational Risk in the Basel II-Framework. Graduation Thesis. Frankfurt: Hochschule für Bankwirtschaft. AcademyPublish.org Risk Assessment and Management 229