How much money did your institution lose due to operational risk in 2001? It's easy to get an answer for credit losses, but not so for operational risk. Still, there are ways to do so. This installment shows you how.
Operational risk event data is the history of incidents that originated from operational risk causes. Leading institutions develop these databases to form the basis for analysis and quantification. The database primarily contains out-of-pocket losses but may also contain "near misses" and pending losses awaiting finalization. The new Basel Accord defines loss databases as a key component of good operational risk management and one of the criteria that an institution must meet to be eligible to use advanced capital models.
Why collect operational loss data? There are three basic reasons to collect a history of loss data.
1. To create or enhance awareness at multiple levels of organization. A basic understanding of exposure and loss experience is a prerequisite for comprehensive and effective operational risk management. A record of losses--accumulating into an aggregated picture of the losses per year by risk and business--provides the baseline for analysis and the value proposition for improvement.
2. The data can be used for empirical analysis. What is happening, what events are repeating, for which products, at what control point, for what causes? This analysis can help direct corrective action to improve the control environment. It also lets experience confirm the qualitative analysis of inherent and actual exposure.
3. The data forms the basis for quantification. The latest thinking in capital models, as verified by the new Basel recommendations, uses loss data and actuarial techniques as the basis to quantify operational risk capital. This is equally applicable for top-down and bottom-up approaches. A three- to-five-year loss history will be required for institutions to be eligible to use advanced models for the new Basel Accord.
A Data Collection Strategy
The loss event data we seek is spread throughout the company and affects almost every line item of the P&L statement. A comprehensive data collection program implies significant changes in the way the organization captures and processes loss data. The process described below is illustrated in Figure 1.
What data to collect. To support analysis and quantification, the key data elements to be captured are as follows:
* Date (discovered, booked).
* Description (a few lines describing the event and causes. It should be understandable by others for learning purposes and to meet standards of sharing events with a loss consortium).
* Event and possibly effect categories (for example, the Basel categories or internal categories that can be mapped to them).
* Contributing causes (for example, human error, weak controls, security, training, information technology).
* Total original amount (by effect category).
* Recoveries (for example, operational, legal and insurance, separately identified).
* Business line (internal product/business hierarchy with granularity sufficient to support internal reporting and modeling--for example, to support economic capital and mapping to the standard Basel business lines).
* Control point (where the loss occurred, for example, with customer, pricing, risk approval, trade desk, trade capture, confirmation, operations, settlement, GIL reconciliation).
* How discovered (for example, client, business area, finance, audit, regulator).
* Indicators in effect--both basic scaling indicators and key risk indicators. (This data can then be used to assess correlations between indicators, events, and losses.)
A central loss database. Experience shows that the general ledger (G/L) is not an adequate tool for collecting loss data. Operational risk management requires substantially more detail and reporting and analysis (sorting capabilities) than is supported by ledger systems. …