Once any operational risk present in the company has been detected and measured, the company may decide to allocate resources to reduce that risk. Like all other risks, operational risk can be reduced, or even almost mitigated, but as in the case of the other risks, this entails a cost. The risk
can be reduced both in the frequency with which losses occur and in the magnitude of losses when they occur.
Suppose a negotiating board of a broker agency wants to install a system that captures “front-office” operations and moves them directly to the
“back-office.” This avoids the possibility of human error and therefore reduces operational risk losses. The agency will buy the system if the benefits outweigh the costs. To assess whether this is the case or not, imagine that the same board performs an interest rate swap operation in five years and this product produces a large number of cashflows that may be the source of potential errors. Similarly, at the beginning the operation needs to be confirmed by the counterparty and, moreover, must be assessed in order to attribute the benefit to the business unit. Payments made by the swap must be computed accurately and, in this regard, errors may arise, from late payments to major problems such as hedging failures or the fraudulent behaviour of a“trader.”Thus, analysing the potential benefits of this system and of avoiding such errors, it can be concluded whether it is beneficial to purchase that system or not.
In general, it can be said that operational risk can be reduced, or even mitigated, in many ways. The first is by methods of internal control which, roughly, involve:
• Separation of duties: employees in charge of commission operations must not carry out trade settlement or accounting operations.
• Dual inputs: inputs must be verified by two different sources.
• Reconciliations: the results or outputs must be verified by different sources. In the case of a“trading”board, these sources can be“trader”
profit estimates and confirmation by“middle-office”.
• Warning systems: important dates, maturities, liquidations and so on should be entered on a calendar in order to provide a reminder before the deadline.
• Amendments control: any amendment must be subject to the same controls as the original process.
• Confirmations: the ticket of the operation must be verified by the counterparty that provides an independent comparison.
• Price check: to evaluate positions, prices are available from external sources; this implies that an institution must be able to internally assess transactions before undertaking them.
• Authorisations: the counterparty must be provided with a list of people authorised to negotiate and a list of possible transactions.
• Settlement: the payment process itself may indicate whether some terms have been recorded incorrectly.
• Internal/external audits: such operations provide information about potentially weak areas in the structure of the organisation or business unit.
As indicated, these internal control methods are very useful and often partially mitigate operational risk, but it is very difficult to achieve its total mitigation; therefore, if the aim is to achieve a greater degree of mitiga- tion, the only option is to resort to external methods. Traditionally, operational risk has been mitigated through insurance, but more recently there has been a tendency to use financial hedges based on financial derivatives on operational risk events such as the weather, theft and the like.
13.3.1 Insurance
Insurance is the traditional instrument for mitigating operational risk.
Traditional insurance is based on compensating the individual who contracts it if a certain operational risk event occurs; for example, if there is a fire in a warehouse, fire insurance indemnifies the owner of the warehouse based on the value of the goods that have been burnt, or if hail spoils the harvest, the insurance pays the farmer for the difference in production between this year and last year.
Despite the obvious advantages of this type of instrument, when reducing operational risk several problems arise. One of these problems is the moral hazard, which is the risk of the insurance beneficiary behaving in a different way than they would if there were no insurance because if they are hedged against the consequences of an operational risk event, less care is taken to minimise the probability of the event occurring. For
example, if they havefire insurance, the warehouse is less careful regarding precautions to minimise the chances of a fire occurring (flammable materials, smoking regulations, etc.), or a bank with theft insurance consequently takes increasingly lax security measures.
This change of attitude increases the risk for insurance companies and therefore these companies hedge the moral hazard in several ways, one of which is known as a deductible (or excess). The company introduces a clause in the insurance contract making the policyholder responsible for paying the specified first portion of losses. At other times the company introduces a coinsurance provision which means that the company pays a certain percentage less than 100 % of losses that exceed the deductible.
Likewise, there is almost always a policy limit, that is, a limit to the insurer’s obligations.
Adverse selection is one of the biggest problems for insurance compa- nies. This phenomenon occurs when the insurer cannot distinguish between “good” and “bad” policyholders and offers the same price to everyone, inadvertently attracting the worst customers. Companies hedge themselves against this problem by using varying premiums depending on the information obtained about the policyholder over time but, as with moral hazard, in the absence of perfect information, this risk can never be completely removed.
Since it is not possible to elimiate fraud completely in this type of transaction, meaning that the policyholder requests more compensation from the company than the cost incurred by the damage, since the insurance company is unable to verify the actual loss suffered accurately.
In addition, insurance can generate a conflict of interest, in the sense that the expert evaluating the damages suffered as a result of the operational risk event is paid by the insurance company and therefore has an incentive to declare fewer losses than actually occurred. Simi- larly, insurers are not always responsible for the operational risk event occurring. The best example of this was 9/11, when the insurance companies of both the towers and the planes initially refused to pay compensation based on the fact that the damage came from a terrorist attack, although one of the main causes of planes crashing or sky- scrapers collapsing is a terrorist attack. Another example is the case of insurance against the breakage of windows, where policyholders are not
paid if breakage occurs as a result of riots, even though riots are one of the main causes of broken windows.
13.3.2 Financial Hedges
Due to the problems previously indicated, the mitigation of some oper- ational risk events has now begun to be carried out through financial hedging instead of insurance. Thesefinancial hedges are based on deriv- atives whose underlying asset is the operational risk event, such as tem- perature, rain and so on. These derivatives have greatly expanded in the operational risk mitigation industry, as they have been developed to hedge catastrophic risks, usually meteorological, seismic and the like. A classic example is the derivative that pays the buyer a certain amount of money for the days that the National Institute of Meteorology declares that the temperature in a given geographical area is above a given temperature and, in doing so, the farmer can protect against drought. This can also be carried out in terms of days of rain, hail, frost and so on.
The primary advantage of this type of hedging is that it avoids many of the aforementioned problems. The main reason is that the payoff function is objective, that is, it is not based on a subjective estimate of losses. In the previous example it was established that hedging pays a certain amount of money for the days when the National Institute of Meteorology declares that the temperature in a given geographical area is above a given tem- perature; thus, this payment function does not depend on the views of an expert paid by the insurance company or on what the policyholder claims, and therefore it avoids moral hazard because payments do not depend on loss. It also eliminates the possibility of events occurring in which the insurance company avoids being liable for loss because the damages are not evaluated by their experts. Fraud and conflict of interest are also avoided because an independent third party with objective measures, in this example the National Institute of Meteorology, states how much must be paid and when.
However, despite these obvious advantages, these products also have disadvantages compared to insurance. Their main drawback is that since their payoff function is not directly linked to the loss, they are not always
effective in hedging it. That is, in the above example, if a farmer concerned about possible drought contracts a derivative that pays a specified amount of money for the days when the National Institute of Meteorology declares that the temperature in a given geographical area is superior to a given temperature, their payment has no relation to the losses suffered by drought, which may be much higher than the payments received; therefore the effectiveness of hedging may be very low.
13.4 Approach to Operational Risk in Basel II:
Determination of Regulatory Capital
Although this book is about risk management in an industrial company and, as already indicated, the Basel II Accord is an international agreement for the regulation of risks assumed by banks, this section will summarise very briefly what this agreement states regarding operational risk, as it can be useful in other types of businesses.
Banking regulation in general, and this agreement in particular, estab- lish minimum capital requirements which must include liabilities of a credit institution depending on the risks assumed, including operational risk. In this sense, this agreement provides three methods for calculating capital requirements for operational risk: the Basic Indicator Approach (BIA), the Standardised Approach (SA) and the Advanced Methods Approach (AMA).
• The Basic Indicator Approach (BIA)is the simplest of all and must be applied to entities by default. With this approach, the capital require- ment for operational risk is equal to 15 % of gross revenues for the preceding three years. For this calculation, gross income is defined as total net income from interest, also known as net interest income, which is defined as the excess income from loans minus interest paid on deposits and other instruments used forfinance loans plus non-interest income.
• The Standardised Approach (SA) is very similar to the BIA, but slightly more complex. In this approach, entities are required to divide
their activities into eight lines of business: corporate finance, trading and sales, retail banking, commercial banking, payment and settle- ment, agency services, asset management and retail brokerage. The average gross income in recent years for each business line is multiplied by a “beta”factor for each line of business and the result is added to obtain the total amount of capital (Table13.2).
In order to use this method, the entity must demonstrate that it has systems to distribute income among business lines and the central bank must give permission. Similarly, conditions are established which must be met for a bank to use the standard method:
– The credit institution must have an operational risk management function which is responsible for identifying, assessing, monitoring and controlling operational risk.
– They must keep track of the relevant losses by business line and create incentives to improve operational risk.
– Losses due to operational risk must be reported regularly by the credit institution.
– The system of operational risk management should be well documented.
– Management processes and operational risk assessment systems must be subject to independent periodic reviews by internal auditors; they must also be subject to periodic review by external auditors, supervisors or both.
Table 13.2 “Beta”factors (Author’s own composition)
Business line “Beta”factor
Corporatefinance 18 %
Trading and sales 18 %
Retail banking 12 %
Commercial banking 15 %
Payment and settlement 18 %
Agency services 15 %
Asset management 12 %
Retail brokerage 12 %
• Finally, by using the Advanced Models Approach (MA), the capital requirement for operational risk is calculated internally by the bank through the use of qualitative and quantitative criteria. In this case the central bank must give permission and conditions are established which must be met for a bank to use the advanced models approach (MA).
14
Liquidity Risk