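The Historical Trajectory of Operational Risk Definitions
There was never a unified standard for defining operational risk until the definition from the Basel Committee on Banking Supervision (BCBS) appeared, but that definition also has many shortcomings. The list below compiles the definitions of operational risk found in the literature and used by various institutions.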
- Rao and Dev (2006): the negative definition, Medova and Kyriacou (2001) and Jameson (1998) agree; Buchelt and Unteregger (2004) disagree
- The Group of Thirty (1993): uncertainty related to losses resulting from inadequate systems or controls, human error or management
- Bankers Trust: all dimensions of decentralized resources - client relationship, personnel, the physical plant, property and assets for which Bankers Trust is responsible, as well as technology resources
- Barclays Bank: fraud, failures in controls and the like
- Chase Manhattan: the risk rising from activities associated with their fiduciary dealings, execution, fraud, business interruption, settlement, legal/regulatory, and the composition of fixed costs
- The Commonwealth Bank of Australia (1999): all risks other than credit and market risk, which could cause volatility of revenues, expenses and the value of the Bank’s business
- Shepheard-Walwyn and Litterman (1998) at a seminar at the Federal Reserve Bank of New York: operational risk can be seen as a general term that applies to all the risk failures that influence the volatility of the firm’s cost structure as opposed to its revenue structure
- British Bankers’ Association (1997): the risks associated with human error, inadequate procedures and control, fraudulent and criminal activities; the risks caused by technological shortcomings, system breakdowns; all risks which are not banking and arising from business decisions as competitive action, pricing, etc; legal risk and risk to business relationships, failure to meet regulatory requirements or an adverse impact on the bank’s reputation; external factors include: natural disasters, terrorist attacks and fraudulent activity, etc
- Tripe (2000): operational risk is the risk of operational loss
- Lopez (2002): every type of unquantifiable risk faced by a bank
- Crouhy (1998): the risk that external events, or deficiencies in internal controls or information systems, will result in a loss, whether the loss is anticipated to some extent or entirely unexpected
- Crouhy (2001): the risk associated with operating a business; the risk that there will be a failure of people, processes, or technology within the business unit
- Halperin (2001): loose-limbed concept that includes potential losses from business interruptions, technological failures, natural disasters, errors, lawsuits, trade fixing, faulty compliance, fraud and damage to reputation, often intangible fallout from these events
- BCBS (1998): the most important types of operational risk involve breakdown in internal controls and corporate governance; and that such breakdowns can lead to financial losses through error, fraud, or failure to perform in a timely manner or cause the interests of the bank to be compromised in some other way, for example, by its dealers, lending officers or other staff exceeding their authority or conducting business in unethical or risky manner; major failure of information technology systems or events such as major fires or other disasters
- Robert Morris Associates (1999): the direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events
- BCBS (2004): the risk arising from inadequate or failed internal processes, people and systems or from external events; BBA provides further details
- BCBS (2007): the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events (including legal risk)
- Marshall and Heffes (2003) cite Peyman Mestchian, head of risk management at SAS UK: the threat coming from such factors as people, processes and internal systems, as well as external events unrelated to market and credit risk
- Mestchian (2003) decomposes the BCBS definition into 4 components
  - Process risks, such as inefficiencies or ineffectiveness in the various business processes within the firm. These include value-driving processes, such as sales and marketing, product development and customer support, as well as value-supporting processes such as IT, HR, and operations
  - People risks, such as employee error, employee misdeeds, employee unavailability, inadequate employee development, and recruitment
  - Technology (or system) risks, such as the system failures caused by breakdown, data quality and integrity issues, inadequate capacity, and poor project management
  - External risks, such as the risk of loss caused by the actions of external parties (e.g., competitor behavior, external fraud, and regulatory changes) as well as macroeconomic and socioeconomic events
- Critique of BCBS definition: Turing (2003) too broad; Herring (2002) omits basic business risk (Kuritzkes and Scott, 2002), indirect costs and reputational risk; Hadjiemmanuil (2003) no consensus; Thirlwell (2002) measurable not what causes banks to fail
- IFCI Financial Risk Institute (2000): the risk of unexpected losses arising from deficiencies in a firm’s management information, support and control systems and procedures; while legal risk is the risk that a transaction proves unenforceable in law or has been inadequately documented or Turing (2003) defines legal risk as the risk that one is unable to enforce rights against, or rely on obligations incurred by, counterparty in the event of a default or a dispute
- Turing (2003)
  - The risk that deficiencies in information systems or internal controls will result in unexpected loss
  - The risk that a firm will suffer loss as a result of human error or deficiencies in systems or controls
  - The risk run by a firm that its internal practices, policies, and systems are not rigorous or sophisticated enough to cope with untoward market conditions or human or technological errors
  - The risk of loss resulting from errors in the processing of transactions/breakdown in controls/errors or failures in system support
- Vinella and Jin (2005): the risk that the operation will fail to meet one or more operational performance targets, where the operation can be people, technology, processes, information and the infrastructure supporting business activities. Based on this definition, they also define the fundamental operational objective as operating within a targeted level of operational risk and in full compliance with regulatory and corporate guidelines, maximize operational performance while simultaneously minimizing cost. They argue that the BCBS’s definition is a special case of their generalized definition when the failure to meet an operational performance target results in a direct monetary loss. They further argue that while it is consistent with the definition of the BCBS, their definition has several advantages. First, it ties operational risk to distinct components of the operation via the operational performance targets. Second, it becomes possible, by using this definition, to measure operational risk in terms of operational performance metrics and target levels, as the probability that a component of the operation will fail to meet its target levels. Third, firms have substantial resources to define, capture, and report operational performance within the operation that can be used to estimate operational risk under their definition.
- Cagan (2001): operational risk is the risk of business disruption, control failures, errors, misdeeds or external events, and is measured by direct and indirect economic loss associated with business interruption and legal risk costs, and also by “immeasurables” such as reputation risk costs
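Classification of Operational Risk
Operational risk can be classified along at least three dimensions: first, the cause; second, the event types defined by the BCBS; and third, the effect of the operational risk. For example, external fraud (event) is caused by people (cause) and results in litigation costs (effect); internal fraud (event) is caused by internal processes (cause) and results in a write-down of assets (effect); settlement failure (event) is caused by systems or software (cause) and results in compensation payments (effect).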
- Cause: people risk; process risk; system (or technology) risk; external risk (external fraud such as external money laundering, natural disasters such as floods, and non-natural disasters such as arson)
  - The person doing the activity makes an error
  - The process that supports the activity is flawed
  - The system that facilitated the activity is broken
  - An external event occurs that disrupts the activity
- Event: BCBS event types
- Effect: the legal and accounting forms of consequential losses
  - Direct loss before or after direct recovery: the financial effect of a loss event includes all out-of-pocket expenses associated with an operational loss event but does not include opportunity costs, forgone revenue, or costs related to measures implemented to prevent subsequent operational losses.
    - Low frequency, low severity: do nothing.
    - High frequency, low severity: may do nothing. However, they can accumulate to the point where the severity becomes larger, such as if it triggers a loss of reputation. E.g., settlement errors and credit card fraud. Occurrence results in efficiency losses.
    - Medium frequency, medium severity: can cause a dramatic increase in expenses, demanding liquidity.
    - Low frequency, high severity: analyze by scenario testing. Handled by planning for these in advance and/or by financing risk such as by purchasing insurance. E.g., rogue trading, major lawsuits, terrorism and natural disasters. Occurrence can adversely affect the capital of the firm, severely harm its reputation or in extreme situations even threaten its existence, causing solvency issues.
    - High frequency, high severity: take risk control measures. May finance risk such as by purchasing insurance.
  - Indirect or nonfinancial loss which is excluded by BCBS’s definition: Reputational loss; Positive or negative externality to other firms within the industry; Errors; Risk ratings; Risk scores; Other performance indicators
Operational Risk Management Compared with Other Risks

| General logical sequence of steps applicable to any risk management | Corresponding steps for operational risk |
| --- | --- |
| Risk organizational & governance structure, set policies, procedures & processes for managing risk, define risk tolerance to various risks in terms of what the organization is willing & able to bear | |
| Identification, set of procedures for identification of risks along different bank processes | With independence, capacity (adequately staffed w/ adequate resources), & professional competence & due diligence to identify and analyze causes of various operational risk events. Then estimating the frequency and severity of risk events |
| Assessment/measurement, set of procedures for quantification based on advanced methods and approaches | Analyze various identified risk events and measure their impacts on business operations by a sound quantitative approach that will reveal the distributions of loss frequency and loss severity. It is at this step that different models enter |
| Monitoring/limitation, set of controls and limitation instruments which minimize the impact of operational risks | Key performance indicators: are we achieving our desired level of performance? Key risk indicators: how’s our risk profile changing, is it within our desired tolerance levels? Key control indicators: are our organization’s internal controls effective? |
| Enterprise-wide risk monitoring (Integration) | Risk strategy, integration with market and credit risk |
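To be continued in follow-up posts: the characteristics of operational risk (as opposed to the characteristics of operational risk data)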