Operational Risk: A Survey

BY IMAD A. MOOSA

Operational risk has, in a relatively short period of time, risen from non-recognition
to prominence as the culprit for spectacular corporate collapses. This paper surveys the
mushrooming literature on the subject, covering the definition, classification, characteris-
tics, modeling and management of operational risk. It is concluded that operational risk is a
controversial topic that will generate a significant amount of research in the years to come.

I. INTRODUCTION
Operational risk is the risk of losses arising from the materialization of a wide vari-
ety of events including fraud, theft, computer hacking, loss of key staff members,
lawsuits, loss of information, terrorism, vandalism and natural disasters. It has
been receiving increasingly significant attention from the media, regulators and
business executives, as financial scandals keep on surfacing (for example, Enron
and Parmalat) and because operational loss events have become the major cause of
spectacular business failures (for example, Barings Bank and Long-Term Capital
Management). The trend towards greater dependence on technology, more inten-
sive competition, and globalization have left the corporate world more exposed to
operational risk than ever before. In a particular reference to the banking industry,
Buchelt and Unteregger (2004) argue that the risk of fraud and external events
(such as natural disasters) has been around ever since the beginning of banking
but it is technological progress that has boosted the potential of operational risk.
Likewise, Halperin (2001) argues that “operational risk has traditionally occupied
a netherworld below market and credit risk” but “headline-grabbing financial fi-
ascos, decentralized control, the surge in e-commerce and the emergence of new
products and business lines have raised its profile”. 1
The detrimental consequences of exposure to operational risk cannot be over-
stated. Blunden (2003) argues that operational risk is as likely to bring a company
to its knees as a market collapse, and in many cases it is clearly within management

1
Market risk results from fluctuations in financial prices, whereas credit risk arises because of the
possibility of default by borrowers. Operational risk, therefore, results from almost everything else. To
emphasize the importance of operational risk relative to market risk, Parsley (1996, p 74) wonders “what
is the use of having state-of-the-art market risk measurement tools if one rogue trader can bankrupt
your institution in a matter of weeks”. On similar lines, Kingsley et al. (1998) argue that “the value at
risk, risk scenario analysis and risk-adjusted performance measures, on which senior managers now
rely in much of the financial industry, are potentially misleading if they ignore operational risk”.


© 2007 The Authors. Journal compilation © 2007 New York University Salomon Center, Financial Markets,
Institutions & Instruments, V. 16, No. 4, November. Published by Blackwell Publishing, Inc., 350 Main St., Malden, MA
02148, USA, and 9600 Garsington Road, Oxford OX4 2DQ, UK.

control, but it is not fully understood or exploited. 2 While market risk has tradition-
ally caught the attention of financial institutions, operational risk is increasingly
considered more seriously, perhaps as being more detrimental than market risk
and credit risk. Studies of large operational loss events in the U.S. by Cummins
et al. (2006) and Wei (2006) show that a bank (or a financial institution in general)
can suffer a market value decline in the days surrounding the announcement of a
large loss that is significantly larger than the loss itself.
Many reasons have led to the increasing significance of operational risk but,
broadly speaking, some recent developments are conducive to the materialization
of operational loss events. These include the growth of e-commerce, mergers and
consolidations, the use of automated technology, the growing use of outsourcing
arrangements, and the increasing complexity of financial assets and trading pro-
cedures. Ong’s (2002) top three of the updated list of the “top 10 reasons why
so many people are interested in operational risk” are (i) it is sexy, hot and com-
pletely nebulous; (ii) people think they have already conquered both market risk
and credit risk; and (iii) operational risk is a convenient catch-all “garbage dump”
for all kinds of possible risks. The greater interest of the regulators in operational
risk (enshrined in the Basel II Accord) can be attributed to the changing risk profile
of the financial services sector, which has resulted from the growth in e-business
activity and reliance on technology. The Basel Committee on Banking Supervision
(BCBS, 1999) expresses the view that operational risk is “sufficiently important
for banks to devote the necessary resources to quantify”.
The objective of this paper is to survey the recent literature on operational risk.
The starting point is to define operational risk, which is not straightforward, then the
criteria of classifying operational risk are discussed. The controversy concerning
the distinguishing features of operational risk is examined, then we move on to
a discussion of the importance of, and the problems associated with, operational
risk modeling. Two more sections are devoted to the classification of operational
risk models and the examination of selected relevant empirical work. Measuring
regulatory capital against operational risk is discussed next before moving on to
the topic of operational risk management. The final section contains some final
thoughts and concluding remarks.

II. THE DEFINITION OF OPERATIONAL RISK


Allen and Bali (2004) note that defining operational risk is easier said than done,
and this is perhaps why it is dubbed “Risk X” by Metcalfe (2003). Likewise,
Crouchy (2001) suggests that operational risk is a fuzzy concept because “it is
hard to make a clear-cut distinction between operational risk and the normal un-
certainties faced by the organization in its daily operations”. Following the Barings
Bank fiasco, the financial industry started to recognize rogue trading and the like

2
Moosa (2007a) argues that indicative of the misunderstanding of operational risk are four misconceptions
that are commonly found in the academic and professional literature. These misconceptions
will be discussed later on in this paper.

as a separate risk category, comprising types of risk that could not be classified
as either credit risk or market risk. Hence, it was (and still is) rather tempting to
define operational risk negatively as any risk that is not market risk or credit risk.
Rao and Dev (2006) argue that “it was not uncommon, five years ago, to consider
OR as a residual”, and that “everything other than credit risk or market risk was,
by default, OR”.
However, defining operational risk in this negative manner as a residual item
is difficult to work with, in the sense that it cannot be used for the purpose of
operational risk measurement. Buchelt and Unteregger (2004) agree with this
view, asserting that the negative definition of operational risk is hardly suitable for
identifying its scope precisely, although it indicates (to a certain extent) what might
be meant. However, Medova and Kyriacou (2001) are convinced that thinking of
operational risk as “everything not covered by exposure to credit and market risk”
remains prevalent amongst practitioners. This view is also held by Jameson (1998)
who indicated that the definition most frequently given in telephone interviews was
“every risk source that lies outside the areas covered by market risk and credit risk”.
Viewing it as a residual is probably a reflection of the lack of understanding and
the diversity of operational risk.
Early definitions of operational risk appeared in the published literature of ma-
jor international banks and other bodies in the 1990s before the Basel Commit-
tee adopted its official definition that is currently used for regulatory purposes. 3
The Group of Thirty (1993) defined operational risk as “uncertainty related to
losses resulting from inadequate systems or controls, human error or manage-
ment”. The Commonwealth Bank of Australia (1999) came up with the broad
definition that operational risk is “all risks other than credit and market risk, which
could cause volatility of revenues, expenses and the value of the Bank’s busi-
ness”. An early definition of operational risk came up in a seminar at the Federal
Reserve Bank of New York when Shepheard-Walwyn and Litterman (1998) char-
acterized operational risk as “a general term that applies to all the risk failures
that influence the volatility of the firm’s cost structure as opposed to its revenue
structure”. Note, however, the sharp difference between the last two definitions:
in the definition of the Commonwealth Bank of Australia, operational risk im-
pinges upon both the revenue and cost sides of the business, but in the definition
of Shepheard-Walwyn and Litterman it affects the cost side only. This contrast
gives rise to the question of whether operational risk is one-sided, which is a controversial
issue that will be examined in detail later on. Finally, an early definition
that identifies internal and external sources of operational risk has been put for-
ward by Crouchy et al. (1998) who suggested that operational risk is “the risk
that external events, or deficiencies in internal controls or information systems,
will result in a loss- whether the loss is anticipated to some extent or entirely
unexpected”.

3
That is, for the purpose of calculating the regulatory capital against operational risk as stipulated by
Pillar 1 of the Basel II Accord.

The earlier definitions of operational risk indicate a lack of agreement on what it
is all about and probably a severe degree of misunderstanding of the concept. 4 This
is also indicated by some other vague and hardly useful definitions that have been
put forward. For example, Tripe (2000) suggested that “operational risk is the risk
of operational loss”, thus describing water as water. Lopez (2002) suggested that
operational risk is “every type of unquantifiable risk faced by a bank”, which is the
antithesis of measuring regulatory capital against operational risk as required by
the Basel II Accord. Crouchy (2001) defines operational risk as “the risk associated
with operating a business”, which amounts to confusion between operational risk
and operations risk. 5
The most common (and reasonable) definition of operational risk first appeared
in Robert Morris Associates et al. (1999), who defined operational risk as “the
direct or indirect loss resulting from inadequate or failed internal processes, people
and systems, or from external events”. Initially, the Basel Committee adopted this
definition as it was, but reference to indirect losses was eliminated subsequently
for the purpose of quantifying regulatory capital, since these losses are difficult
to measure. 6 Thus, the BCBS (2004a) defines operational risk as “the risk arising
from inadequate or failed internal processes, people and systems or from external
events”. This definition, which is based on the underlying causes (sources) of
operational risk (or rather operational losses), includes legal risk but excludes
business and reputational risk.
The BCBS’s definition of operational risk has not been accepted without chal-
lenge from academics and practitioners. To start with, Turing (2003) describes the
definition as “so broad as to be totally unhelpful”. Herring (2002) criticizes the
definition on the grounds that it omits altogether basic business risk. Thus, while
Turing claims that the definition is too broad, Herring argues that it is rather narrow.
But then, Cagan (2001) is critical of the Robert Morris Associates et al. (1999)
definition on the grounds that it is narrow, although it is much broader than the
BCBS’s definition. Instead, Cagan argues strongly for an alternative definition that
can do a better job in guiding the data collection and risk management processes.
She describes a desirable alternative definition as a definition that “encompasses
qualitative concerns and can be used as a best practices signpost”.
Hadjiemmanuil (2003) describes the Basel Committee’s attempt to define op-
erational risk as being “deeply flawed” because “it is not based on generally ac-
cepted understanding of operational risk since there is no consensus on this issue

4
Writing less than ten years ago, Webb (1999) argued that there was no consensus in the industry on
a precise definition of operational risk and that such a consensus was unlikely to emerge in the near
future.
5
Operational risk is a broader term than operations risk, the latter pertaining to the operational risk
associated with value-driving operations such as foreign exchange trading and settlement.
6
The BCBS (2001b) classifies losses into “would be included”, “should be included”, and “would not
be included”. The first category includes costs incurred to fix an operational risk problem, payments to
third parties and write-downs. The second category includes near misses, latent losses and contingent
losses. The third category includes the costs of improvement in controls, preventive action and quality
assurance, and investment in new systems.

in the banking industry”. He also describes the definition as being “opaque” and
“open-ended”, because it fails to specify the component factors of operational risk
or its relation to other forms of risk. The definition, according to Hadjiemmanuil
(2003), leaves unanswered many questions concerning the exact range of loss
events that can be attributed to operational failures. Thirlwell (2002) argues that
the BCBS’s definition represents a “measurable view of operational risk if you are
trying to come up with something which is quantifiable, but not good if you think
about what causes banks to fail”. 7
Vinella and Jin (2005) come up with yet another definition of operational risk,
of which (they claim) the BCBS’s definition is a special case. They define opera-
tional risk as “the risk that the operation will fail to meet one or more operational
performance targets, where the operation can be people, technology, processes,
information and the infrastructure supporting business activities”. They argue that
the BCBS’s definition is a special case of their “generalized” definition when the
failure to meet an operational performance target results in a direct monetary loss.
Again, there is no specific mention of the role of external factors in this definition.
Is the definition of operational risk such a critical issue that triggers so much
disagreement? One view is that to measure something, we must first define it. But
Lam (2003) argues against being “fussy” about the definition of operational risk as
it does not serve any purpose as far as operational risk management is concerned.
This is why the first step in his “ten steps to operational risk management” is
“define it and move on”. Lam’s underlying argument is that “many institutions do
not get off the ground because too much time is spent trying to come up with the
perfect definition of operational risk”. The problem, however, lies in the concept of
a “perfect definition”. One thing that we know is that we have to choose between
comprehensiveness (idealism) and pragmatism, with the latter seemingly the better
choice. 8

III. THE CLASSIFICATION OF OPERATIONAL RISK


The classification of operational losses (resulting from exposure to operational
risk) can be based on three alternative criteria: the causes of operational failure,
the resulting loss events, and the legal and accounting forms of consequential
losses. In any episode of operational losses, one has to distinguish among the three
dimensions of the episode: the cause, the event and the effect (consequence). For
example, external fraud (the event) is caused by people (the cause) and results
in a legal liability (the effect). 9 If the cause is the criterion of classification, it

7
It is, therefore, a matter of comprehensiveness versus pragmatism. Should the definition be as
comprehensive as possible, or should it be sufficiently narrow to allow quantification?
8
For a comprehensive listing of the definitions of operational risk and comments on them, see Moosa
(2007b).
9
In accordance with the BCBS’s definition of operational risk, which excludes indirect losses, the
financial effect of a loss event includes all out-of-pocket expenses associated with an operational loss
event but does not include opportunity costs, forgone revenue, or costs related to measures implemented
to prevent subsequent operational losses (BCBS, 2003c, p 5).

would include people risk, process risk, system (or technology) risk and external
risk. For instance, external risk includes external fraud (such as external money
laundering), natural disasters (such as floods) and non-natural disasters (such as
arson).
An alternative to the cause as a criterion for classifying operational risk is to
use event type. One perceived advantage of an event-based classification is that it
makes the operational risk manager’s task easier, as losses can be considered to ma-
terialize in an event. The BCBS has developed a matrix of seven broad categories
of loss events that are further broken down into sub-categories and related activity
examples. The categories include internal fraud (such as embezzlement); exter-
nal fraud (such as forgery); employment practices and workplace safety (such
as discrimination); consumers, products and business practices (such as money
laundering); damage to physical assets (such as terrorism); business disruption and
system failure (such as power outage); and execution, delivery and product management
(such as missing legal documents). This classification is similar to the
typology of hazards used by the insurance industry.
Peccia (2003) suggests that a classification based on causes is prone to errors
and misunderstanding and that a more appropriate schema is the classification
of losses by the area of impact on the results, as the ultimate objective is to
explain the volatility of earnings arising from the direct impact of losses on the
financial results. The problem is that the causes and effects of operational loss
events are often confused. Operational risk types, such as human risk and system
risk, constitute the cause (not the outcome) of risk, as the latter is the monetary
consequence. However, it will be argued later that classifying loss events by cause
rather than consequence makes it easier to distinguish operational loss events from
market and credit loss events.

IV. THE DISTINGUISHING FEATURES OF OPERATIONAL RISK


Having gone through the classification of operational risk, it seems that its first
feature is bound to be diversity. The diversity of operational risk makes it difficult
to limit the number of dimensions required to describe it. Buchelt and Unteregger
(2004) describe operational risk as “a highly varied and interrelated set of
risks with different origins”. Milligan (2004) describes operational risk as the risk
that “includes everything from slip-and-fall to the spectacular collapse of Barings
Bank”. Likewise, The Economist (2003) describes operational risk as “the risk of
all manner of mishaps and foul-ups, from a lost document to a bomb blast”. The
BCBS (2003c, p 6) implies the diversity of operational risk by stating that “it can
occur in any activity, function, or unit of the institution”. Hoffman (1998) implicitly
recognizes the characteristic of diversity, arguing that operational risk “transcends
all business lines, and span front-, middle- and back-office operations”, and that
it is “broader than the realm of conventionally insured risks”. It would be rather
difficult to argue against the proposition that diversity is indeed a distinguishing
feature of operational risk.

de Koker (2006) identifies two features of operational risk that distinguish it
from credit risk (and market risk). The first is that there is no simple equivalent
in the case of operational risk to the concept of risk exposure, in the sense that
operational risk is not related closely to any financial indicator. The second of
these features is that the distribution of operational risk is more fat-tailed than
that of credit risk. Rao and Dev (2006) identify another distinguishing feature of
operational risk that pertains to its management, arguing that (unlike credit risk and
market risk) operational risk depends more strongly on the culture of the business
units. Yet another characteristic is identified by Kaiser and Kohne (2006) who
argue that operational risk is more endogenous than market risk and credit risk,
which means that the opportunities from risk mitigation are often bigger in the
case of operational risk.
While there is no disagreement on the features presented so far, another three
features are controversial, including the features of being one-sided, idiosyncratic
and indistinguishable from other kinds of risk. To start with, it is typically suggested
that operational risk is “one-sided” in the sense that it is an undesired by-product
of daily business operations, which implies that the risk-return trade off associated
with market risk has no equivalence in the case of operational risk. In his critique of
the Basel II Accord, Herring (2002) describes operational risk as being “downside
risk”. Crouchy et al. (2004) suggest a similar idea, arguing that “by assuming
more operational risk, a bank does not expect to yield more on average” and that
“operational risk usually destroys value for all claimholders”. A similar idea is put
forward by Buchmuller et al. (2006) who suggest that “operational risk is usually
not taken to create a profit”. Lewis and Lantsman (2005) argue that operational
risk is one-sided because “there is a one-sided probability of loss or no loss”.
Alexander (2003b) distinguishes between operational risk, on the one hand, and
market risk and credit risk, on the other, by suggesting that operational risk is
mostly on the cost side, whereas the revenue side is associated with market risk
and/or credit risk. Crouchy et al. (2004) take it for granted that “there is no reward
in the form of higher returns from bearing operational risk”. As we have seen,
the definitions of operational risk suggested by Shepheard-Walwyn and Litterman
(1998) and the Commonwealth Bank of Australia (1999) indicate that operational
risk is one-sided and two-sided, respectively. All of these views mean that while
it is possible to obtain a higher rate of return by assuming more market or credit
risk, this is not possible with operational risk.
The view that operational risk is one-sided is disputable because the underlying
arguments are difficult to buy. By taking on operational risk, firms earn income
while being exposed to the risk of incurring operational losses if and when a loss
event materializes. No one can dispute the possibility of operational losses in any
of the business lines suggested by the Basel Committee, such as underwriting (cor-
porate finance), investment advice (retail banking) and trade finance (commercial
banking). Likewise, no one can dispute the proposition that banks expose them-
selves to operational risk in these business lines because the underlying activities
generate income. Why would a bank provide custodial services, for example, given

that this activity involves operational risk? The answer is simple: this activity gen-
erates fee income. Hence, it is bizarre to claim that operational risk is not taken
for profit.
The argument that operational risk leads to loss or no-loss situations can be
demonstrated to be invalid by considering examples from outside the world of
business. People accept exposure to loss or no-loss situations because they
believe that some risks are worth taking, given the potential reward. We take
planes although we might find ourselves in loss or no-loss situations when the
plane is hijacked or, for some reason, it loses its tail fin (almost certainly a loss
outcome in the second case). People still work for banks, knowing that they may
find themselves in loss or no-loss situations when armed robbers take hold of a
bank. We still take cruise ships, exposing ourselves to situations where we might
find ourselves stranded in the middle of the ocean, contemplating the possibility
of being eaten by sharks. The same applies to people practicing extreme sports,
and just think about those who run with the bulls in the narrow streets of a small
Spanish town every summer (lunacy or thrill seeking, involving risk-reward trade
off?). In all cases, it is a matter of choice: we deliberately take on risk for the sake
of potential reward, and in this sense risk cannot be one-sided. Being in a loss
or no-loss situation is the materialization of the unfavorable outcome or the bad
side of risk. This argument is even more compelling with respect to the business
world. Firms take on operational risk in their day-to-day operations because these
operations generate income. Increasing the size of operations and going into new
operations lead to more operational risk and more return. Is this not a genuine
risk-return trade-off?
Turning to the proposition that operational risk is idiosyncratic (in the sense that
when it hits one firm, it does not spread to other firms), Lewis and Lantsman (2005)
describe operational risk as being idiosyncratic because “the risk of loss tends to
be uncorrelated with general market forces”. This, the argument goes, is not a
characteristic of market risk and credit risk: a market downturn affects all firms,
and a default by the customers of one firm affects its ability to meet its obligations
to other firms. Danielsson et al. (2001) use the proposition that operational risk
is idiosyncratic to criticize the Basel II Accord, arguing that there is no need to
regulate operational risk because it is idiosyncratic.
The view that operational risk is idiosyncratic is rather strange, because it implies
the following. When a bank incurs losses from loan default or market downturn, its
ability to meet its obligations to other banks will be affected, but this is not the case
when a bank incurs losses because of the unauthorized activities of a rogue trader.
Does this mean that other banks were not affected by the spectacular operational
failures of Barings Bank in 1995 and Long-Term Capital Management in 1998? 10
And what about the 1974 (operational) failure of Bankhaus Herstatt, which has
led to the establishment of the Basel Committee on Banking Supervision whose

10
The operational failure of Long-Term Capital Management attracted the attention of the Federal
Reserve because of concern about its systemic effects.

activities have contributed to the widespread interest in operational risk? The
liquidation of Bankhaus Herstatt adversely affected other banks as it failed to meet
its obligations to them. It is true that not all bank failures are systemic, as pointed out
by the BCBS (2004b), which states explicitly that apart from the Herstatt case, German
bank failures have not been systemic in the sense that they affected individual
banks only. But this applies to market risk and credit risk as much as it applies to
operational risk. Some credit and market loss events are systemic, but others are not
so. Then, one has to remember that bank regulation aims at avoiding catastrophic
events with adverse ramifications for other banks. The very requirement of Basel
II that banks should hold regulatory capital to protect themselves from rare but
fatal operational loss events is indicative of the belief of the Basel Committee that
operational risk can be systemic.
The view put forward by Lewis and Lantsman (2005) that, unlike operational
risk, credit risk and market risk are systemic because they are related to the state
of the economy is also disputable because operational risk too is related to the
state of the economy. The underlying idea here is that when the economy is in
recession, financial markets decline while the incidence of default rises, which
means that all firms will suffer the consequences. But this proposition is as valid
for operational risk as it is valid for market risk and credit risk. When the econ-
omy is in recession, there is more of the risk of legal action associated with em-
ployee termination and counterparty bankruptcies. On the other hand, incidents
of credit card fraud become more frequent when the economy is booming, as
people indulge in credit card-based shopping sprees. Allen and Bali (2004) make
the general proposition that operational loss events incorporate cyclical compo-
nents that are correlated with the systematic risk factors such as macroeconomic
fluctuations. Allen and Turan (2007) use equity returns to present evidence on
the cyclical components of operational risk. Operational risk is not idiosyncratic
because these phenomena, which are related to the macroeconomy, affect all
firms. 11
Another proclaimed feature of operational risk is that it is not distinguishable
from market risk and credit risk, in the sense that it may be difficult to separate
the loss events attributed to the three kinds of risk. For example, a trader takes a
short position on an asset just before a market upturn, which leads to trading losses
when the price of the asset rises. This may or may not be a market risk loss event.
If the trader takes the position by following the specified trading guidelines, then
this is a purely market risk loss event. But if the trader takes this position when
the guidelines do not allow short positions on the asset, then this is an operational
risk loss event. Likewise, Kaiser and Kohne (2006) argue that “a large number of
losses in the credit area cannot be considered as genuine credit risk, as they result
from events in the whole area of operational risk”. As an example of such cases,
they mention default cases in which the process leading to the lending decision
is not performed correctly.

11
Moosa (2007a) argues that operational risk will not be idiosyncratic in the presence of groupthink.

Whether or not an event is to be classified as an operational loss event is (or
should be) determined by the causes rather than the consequences of the event.
Rebonato (2007, p 88) argues that although trading positions were often part of
the chain of events that led to the most notorious losses, they are more often than
not “accessories to the crime rather than the ultimate culprits”. Kaiser and Kohne
(2006) argue that the assignment of loss events to risk types “should basically be
driven on the basis of causes”. In the Barings case, for example, it was an adverse
market move that generated the loss but the cause was operational risk (fraud
and inadequate supervision). The distinguishing factor between pure market and
credit losses and those linked to operational risk must be the cause (for example,
whether or not there is a breach of trading guidelines). 12 Distinguishing operational
loss events from credit and market loss events is not as difficult as it is typically
portrayed.

V. OPERATIONAL RISK MODELING: IMPORTANCE AND PROBLEMS
Operational risk models encompass a variety of statistical and econometric models
designed to measure the regulatory and economic capital to be held against opera-
tional risk, as well as models designed to study its causes and consequences. Peccia
(2003) argues that modeling operational risk has become important because the
environment in which banks operate has changed dramatically. Operational risk
modeling is needed to provide the management of a firm with a tool for making
better decisions about the desirable level of operational risk to take. Bocker and
Kluppelberg (2005) suggest that the only feasible way to manage operational risk
successfully is by identifying and minimizing it, which requires the development
of adequate quantification techniques. Fujii (2005) points out that quantifying op-
erational risk is a prerequisite for the formulation of an effective economic capital
framework. Consiglio and Zenios (2003) emphasize the importance of operational
risk models by attributing some widely-publicized loss events to the use of in-
adequate models rather than anything else. Actually, Giraud (2005) attributes the
collapse of Long-Term Capital Management in large part to “model bias in the
risk management process”. Holmes (2003) argues that even if operational risk
modeling is not scientific or reliable, it may force firms to carry more capital and
encourage better behavior.
There is also the regulatory requirement of the Basel II Accord that an oper-
ational risk model is needed to be in a position to use the advanced measure-
ment approach (AMA), which is attractive because it presumably results in lower
12
This is why the cause of the loss is a better classification criterion than either the event or the effect.
Kaiser and Kohne (2006) argue against the complete assignment of losses to exactly one type of risk,
because it is “neither correct nor useful”. Instead, they argue for the split of losses amongst different
kinds of risk. For example, the portion of credit losses resulting from inadequate collateral management
should be assigned to operational risk. The problem here is how to estimate this portion. Moreover, if
sound collateral management prevents a would-be defaulter from obtaining a loan, then bad collateral
management would be the only cause for the loss, in which case this default would result in a pure
operational loss.

regulatory capital than under the other two approaches (the basic indicators ap-
proach and the standardized approach). Indeed, it is arguable that one advantage
of operational risk modeling is that the resulting models allow the firm to meet the
regulatory requirements.
Not everyone is so enthusiastic about the relevance of operational risk modeling
to operational risk management, however. Rebonato (2007, p xvi) argues that
“although the quantitative approach remains the high route to risk management, a
lot of very effective risk management can be done with a much simpler approach”,
describing the latter as being “a measurable and meaningful approximation to the
quantitatively correct answer”. In particular, Rebonato is skeptical about the ability
of risk managers to move from the probabilistic assessment of risk to decisions.
He also argues against the use of internal models for the purpose of meeting
regulatory requirements. Likewise, Herring (2002) argues that operational risk
models are insufficiently reliable to replicate the approach used with market risk to
the case of operational risk. This point has also been made by the Shadow Financial
Regulatory Committee (2001), Altman and Saunders (2001) and Llewellyn (2001).
Currie (2004) lists the potentially unintended consequences arising from the use
of operational risk models for practical risk management purposes, including (i)
false reliance, (ii) management of the model rather than reality, (iii) misdirected
focus, (iv) misdirected resources, (v) discouragement of the “whistle-blowers”,
and (vi) blissful ignorance.
It is perhaps the case that objections to the use of the quantitative approach to
operational risk management are motivated by the problems encountered by any
endeavor to model operational risk. Referring to the modeling techniques sug-
gested by the Basel Committee’s advanced measurement approach, Davis (2005,
p 1) argues that the implementation of this approach “could easily turn into a night-
mare”. Hughes (2005) expresses the view that “the challenge on the operational
risk side has turned out to be vastly more complex and elusive than originally envis-
aged”. To start with, finding a proper and universally-accepted definition for this
kind of risk is problematical, as we have seen. But even if an acceptable definition
were available, there are other serious problems.
A serious problem is that of data availability (or rather unavailability). Muzzy
(2003) highlights this problem by arguing that “anyone venturing into operational
risk management has quickly learned that the process is doomed without robust
data”. This is because there is in general an absence of reliable internal operational
loss data, but that is not all. Publicly-available operational loss data pose unique
modeling challenges, the most important of which is that not all losses are reported
in public (which means that they will not appear on publicly-available external
databases). 13 de Fontnouvelle et al. (2006) argue that if the probability that an
operational loss is reported increases as the loss amount increases, there will be a

13
External operational loss databases report operational loss events that make it to the media, but these
represent a tiny fraction of the total number of operational loss events experienced by a typical bank.
Credit card fraud is probably the most frequent loss event experienced by banks (see, for example,
BCBS, 2003a), but these are not reported in the media, because most of them are not high-profile
events.

disproportionate number of very large losses relative to smaller losses appearing in
external databases. 14 Allen and Bali (2004) suggest that operational risk databases
tend to suffer from underrepresentation of low-frequency, high-severity events.
Haas and Kaiser (2004) note that low-frequency, high-severity events, which by
definition are much less likely to occur, are often kept confidential (therefore,
unreported or misclassified under credit or market risk losses).
One solution to the data availability problem is to augment internal data with
external data on the operational losses incurred by other firms. Frachot and Roncalli
(2002) discuss why and how internal and external operational loss data are mixed
by distinguishing between frequency data and severity data. According to Rao and
Dev (2006), data mixing involves two issues: scaling (to account for differences
in size) and appropriateness (to account for differences in business structure). 15
While Wei (2007) argues that external data are extremely useful for rare events,
making it possible to model the tail distribution, Frachot and Roncalli (2002) put
forward the view that mixing internal and external severity data is “almost an
impossible task” because no one knows which data generating process is used to
draw external severity data. They further argue that merging internal and external
data gives spurious results that tend to be over-optimistic regarding the actual
severity distribution. Resorting to soft data obtained from scenario analysis and
scorecards does not solve the problem, as there is no means of adjusting the
calculations for qualitative factors except in “an ad hoc manner” and because such
a procedure does not have a solid theoretical foundation (Rao and Dev, 2006). A
similar view is held by Peccia (2004) who refers to the use of external data and
scenario analysis as “ad hoc patches”.
Another problem associated with operational risk modeling arises from the
cyclicality of risk and loss events. Allen and Bali (2004) argue that extrapolating
the past to measure future risk may be flawed if there are cyclical factors that impact
operational risk measures. Although historical data on operational risk gathered
during an economic expansion may not be relevant for a period of recession, it
is a typical practice to ignore cyclical factors and extend an unadjusted trend
line into the future. Allen and Bali (2004) suggest that the cyclical components
of operational loss events are correlated with macroeconomic fluctuations, while
Allen and Turan (2007) provide evidence on the presence of cyclical components
of operational risk.
Yet another problem is the assumption to be made about the correlation of oper-
ational loss events. Frachot, Roncalli and Salmon (2004) cast doubt on the validity
of the proposition that operational risk losses occur simultaneously, as implied by
the Basel II Accord, describing it as being “rather dubious and hardly supported

14
See Moosa (2007b) on internal and external operational loss databases.
15
The issues of scaling and appropriateness are dealt with by Na et al. (2005) and Peizer (2003). Na
et al. propose a scaling mechanism that can be used to mix internal and external data. Peizier, however,
casts considerable doubt on the usefulness of external operational loss data by wondering about the
relevance of an exceptional loss incurred by an Indian broker to the operational risk distribution of an
asset manager based in Manhattan.

by empirical evidence”. Kaiser and Kohne (2006) argue that this assumption is
particularly troublesome because a simple summation of high percentile VARs
implies the simultaneous occurrence of several worst-case scenarios. The prob-
lem, however, is that it is difficult to assess the level of correlation between different
risk types and/or business units because of the lack of historical data. Powojowski
et al. (2002) express the view that although some correlation exists between oper-
ational losses, modeling this correlation is not an easy task. This problem invites
subjectivity and bias if banks wish to minimize their regulatory capital against
operational risk.

VI. THE CLASSIFICATION OF OPERATIONAL RISK MODELS


In general, operational risk models are classified into top-down models and bottom-
up models, both of which rely on historical data. Bottom-up models are based on
an analysis of loss events in individual processes, whereas top-down models start at
the firm level, moving down to the business lines. Haubenstock and Hardin (2003)
argue that the bottom-up approach is preferred because of the degree of subjectivity
in the allocation process and the lack of a good risk proxy across businesses.
Likewise, Gelderman et al. (2006) argue that a limitation of the top-down approach
is that it does not indicate clearly how to manage and control the outcomes of the
model, and this is why the bottom-up approach tends to be more prevalent in
practice. Allen and Bali (2004) argue that many of the bottom-up models that are
designed to measure operational risk from a cost perspective can produce spurious
results. For example, if a firm institutes operational risk managerial controls, costs
will generally increase, in which case the estimates generated by a bottom-up model
would indicate increased risk when it should actually decrease if the controls are
effective. Moreover, bottom-up models often suffer from overdisaggregation in
that they break production processes into individual steps that may obscure the
broader picture. Finally, bottom-up models rely on the subjective data provided
by employees who are under scrutiny and therefore have little incentive to be
forthcoming. They further note that bottom-up models may be appropriate for the
purpose of risk diagnostics and the design of internal managerial controls, whereas
top-down models may be effective in estimating economic capital requirements.
Currie (2004) calls for the concurrent use of top-down and bottom-up models to
calculate operational risk capital requirements.
Smithson and Song (2004) classify operational risk models under three ap-
proaches: (i) the process approach, (ii) the factor approach, and (iii) the actuarial
approach. In the process approach, the focus is on the individual processes that
make up operational activities, which means that models falling under the process
approach are necessarily bottom-up models. This approach encompasses causal
models, statistical quality control and reliability analysis, connectivity analysis,
Bayesian belief networks, fuzzy logic, and system dynamics. In causal networks,
historical data are used to work out statistics for the behavior of the components in
the past, which makes it possible to identify the problem areas. Statistical quality

control and reliability analysis, which is rather similar to causal networks, is used
widely to evaluate manufacturing processes. In connectivity analysis, the emphasis
is on the connections between the components of the process.
The second approach is the factor approach, whereby an attempt is made to
identify the significant determinants of operational risk, either at the firm level
or lower levels (individual business lines or processes). Hence, operational risk is
estimated as


$$OR = \alpha + \sum_{i=1}^{m} \beta_i F_i + \varepsilon \qquad (1)$$

where $F_i$ is risk factor $i$. The factor approach covers risk indicators, CAPM-like
models and predictive models. In the risk indicators approach, a regression-based
technique is used to identify risk factors such as the volume of operations, audit
ratings and employee turnover. CAPM-like models, which are also known as arbi-
trage pricing models and economic pricing models, are used to relate the volatility
of returns to operational risk factors. In predictive models, discriminant analysis
and similar techniques are used to identify the factors that lead to operational
losses.
The third approach is the actuarial approach, whose focus is the loss distribu-
tion associated with operational risk. Wei (2007) argues that the actuarial approach
seems to be the natural choice to quantify operational risk by estimating the fre-
quency and severity distributions separately. 16 This approach, which will be de-
scribed in more detail later on, covers the following techniques: (i) the empirical
loss distributions technique, (ii) the parameterized explicit distributions approach,
and (iii) the extreme value theory (EVT).

VII. EMPIRICAL STUDIES OF OPERATIONAL RISK


The problem of data discussed previously has undoubtedly restricted the ability
of researchers to conduct empirical studies on the measurement, causes and con-
sequences of operational risk. This point is made explicit by Wei (2007) who
suggested that “quantification of operational risk has been hindered by the lack
of internal and external data on operational losses”. In this section, a selection of
these studies is reviewed.
To deal with the data problem, Allen and Bali (2004) estimate an operational
risk model for individual financial institutions using a monthly time series of stock
returns over the period 1973–2003. The model is represented by the following
OLS regression

16
Wei (2007) argues for the actuarial approach in preference to other approaches. For example, he
suggested that Bayesian networks (proposed by Alexander (2003a), Cruz (2003b), and Giudici and
Bilotta (2004)) introduce subjectivity and that copula-based models (proposed by Bee (2005) and
Embrechts et al. (2003)) require abundant data.

$$r_t = \alpha_{0,t} + \alpha_{1,t} x_{1t} + \cdots + \alpha_{22,t} x_{22t} + \beta_t r_{t-1} + \sum_{i=1}^{4} \gamma_{i,t} FF_{it} + \sum_{i=1}^{3} \pi_{i,t} R_{i,t} + \varepsilon_t \qquad (2)$$

where $r_t$ and $r_{t-1}$ are the monthly current and lagged equity returns; $x_{it}$ ($i =
1, 2, \ldots, 22$) is the first difference of the 22 variables used to represent credit
risk, interest rate risk, exchange rate risk and market risk; $FF_{it}$ represent the three
Fama-French (1993) factors as well as a momentum factor; and $R_{i,t}$ represents
three alternative industry factors measured as the average monthly return for each
industry sector. The residual term from equation (2) is taken to be a measure
of operational risk. The coefficients were estimated using a rolling window of
50 months to yield results indicating that the ratio of the residual (operational risk)
to total stock return is 17.7%, with considerable monthly variance. This finding
suggests that financial firms have considerable levels of residual operational risk
exposure that has been left relatively unmanaged.
de Fontnouvelle et al. (2006) address the problem of sample selection bias using
an econometric model in which the truncation point for each loss (that is, the value
below which the loss is not reported) is modeled as an unobserved random variable.
By using two external operational loss databases to estimate the loss distribution
and estimate the capital charge, they conclude that the regulatory capital held
against operational risk often exceeds that held against market risk. They also
conclude that supplementing internal data with external data on extremely large
events could result in a significant improvement in operational risk models.
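The reporting bias discussed here and in the earlier passage on external databases can be reproduced numerically. The Python example below is an added illustration, not code or an estimator from de Fontnouvelle et al. (2006): it assumes lognormal severities and a normally distributed, unobserved log reporting threshold, with constructed parameter values, and compares the severity an analyst would fit to reported losses with the true one.

```python
import math
import random


def norm_pdf(z):
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)


def norm_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def simulate_losses(mu, sigma, tau, s, n_losses, seed):
    """Return (log_loss, reported) pairs. A loss is reported only when it
    exceeds its own unobserved threshold, with log-threshold ~ N(tau, s)."""
    rng = random.Random(seed)
    sample = []
    for _ in range(n_losses):
        log_loss = rng.gauss(mu, sigma)
        log_threshold = rng.gauss(tau, s)
        sample.append((log_loss, log_loss > log_threshold))
    return sample


def naive_log_mean(sample):
    """Mean log-loss estimated from the reported losses alone."""
    reported = [x for x, flag in sample if flag]
    return sum(reported) / len(reported)


def selection_prediction(mu, sigma, tau, s):
    """Analytic P(reported) and E[log loss | reported] under the model above."""
    sd_diff = math.sqrt(sigma ** 2 + s ** 2)  # sd of log_loss - log_threshold
    a = (tau - mu) / sd_diff
    p_reported = 1.0 - norm_cdf(a)
    inverse_mills = norm_pdf(a) / p_reported
    return p_reported, mu + (sigma ** 2 / sd_diff) * inverse_mills


def reporting_rate_by_band(sample, edges):
    """Share of losses that are reported within each log-loss band."""
    bounds = [-math.inf] + list(edges) + [math.inf]
    rates = []
    for low, high in zip(bounds, bounds[1:]):
        flags = [flag for x, flag in sample if low <= x < high]
        rates.append(sum(flags) / len(flags) if flags else float("nan"))
    return rates


# Constructed parameters: true log-severity N(10, 2), log-threshold N(12, 1).
MU, SIGMA, TAU, S = 10.0, 2.0, 12.0, 1.0

if __name__ == "__main__":
    sample = simulate_losses(MU, SIGMA, TAU, S, n_losses=100000, seed=3)
    p_reported, predicted_mean = selection_prediction(MU, SIGMA, TAU, S)
    print(f"true mean log-loss:            {MU:.2f}")
    print(f"mean log-loss, reported only:  {naive_log_mean(sample):.2f}")
    print(f"selection-model prediction:    {predicted_mean:.2f}")
    print(f"share of losses reported:      {p_reported:.1%}")
    print("reporting rate by log-loss band:",
          [round(r, 3) for r in reporting_rate_by_band(sample, [10, 12, 14])])
```

The example only exhibits the bias; recovering the true severity parameters from reported losses requires estimating the threshold distribution jointly with the severity distribution.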
de Fontnouvelle et al. (2004) used loss data covering six large internationally-
active banks as part of the BCBS’s (2003a) operational risk loss data exercise to
find out if the regularities in the loss data make consistent modeling of operational
losses possible. Their results turned out to be consistent with the publicly reported
operational risk capital estimates produced by banks’ internal economic capital
models. Moscadelli (2005) analyzed data from the BCBS’s exercise, performing
a thorough comparison of traditional full-data analyses and extreme value meth-
ods for estimating loss severity distributions. He found that extreme value theory
outperformed the traditional methods in all of the eight business lines proposed by
the BCBS. He also found the severity distribution to be very heavy-tailed and that
a substantial difference exists in loss severity across business lines. In a similar
study, Wei (2007) utilized data from the OpVar database to estimate the aggregate
tail operational risk exposure, implementing a Bayesian approach to estimate the
frequency distribution, while estimating the severity distribution by introducing a
covariate. He concluded that “the main driving force of the capital requirement is
the tail distribution and the size of a bank”.
In another study, Wei (2003) examined operational risk in the insurance industry.
By using data from the OpVar operational loss database, he found results indicating
that operational loss events have a significantly negative effect on the market value

of the affected firms and that the effect of operational losses goes beyond the
firm experiencing the loss event. The conclusion derived from this study is that
“the significant damage of market values of both the insurers and the insurance
industry caused by operational losses should provide an incentive for operational
risk management in the U.S. insurance industry”.
In a more recent study, Wei (2006) examined the impact of operational loss
events on the market value of announcing and non-announcing U.S. financial
institutions using data from the OpVar database. The results reveal a significantly
negative impact of the announcement of operational losses on stock prices. He
also found the declines in market value to be of a larger magnitude than
the operational losses causing them, which supports the conjecture put forward
by Cummins et al. (2006). A significant contagion effect was also detected. By
using data from the same source, Cummins et al. (2006) conducted an event study
of the impact of operational loss events on the market values of U.S. banks and
insurance companies, obtaining similar results to those obtained by Wei (2006).
They found losses to be proportionately larger for institutions with higher Tobin’s
Q ratios, which implies that operational losses are more serious for firms with
strong growth prospects.

VIII. MEASURING REGULATORY CAPITAL AGAINST OPERATIONAL RISK

The Basel II Accord suggests three methods for calculating regulatory opera-
tional risk capital (the capital charge): (i) the basic indicators approach (BIA), (ii)
the standardized approach (STA), and (iii) the advanced measurement approach
(AMA). As banks become more sophisticated, they are encouraged to move along
the spectrum of available approaches, enticed by the prospects of holding a lower
capital charge under the AMA. However, the use of the AMA is conditional upon
the satisfaction of certain eligibility criteria, as outlined in BCBS (2004a).
No eligibility criteria are required as a prerequisite for using the BIA because
this approach represents the “default position”, as it is designed for small domestic
banks. According to this approach, banks must hold capital against operational risk
that is equal to the average of the previous three years of a fixed percentage (α)
of positive annual gross income, which means that negative gross income figures
must be excluded. Hence
$$K = \frac{\alpha \sum_{i=1}^{n} Y_i}{n} \qquad (3)$$
where K is the capital charge, Y is positive gross income over the previous three
years and n is the number of the previous three years for which gross income is
positive. The parameter α is determined by the Basel Committee.
Accepting the proposition that some financial activities are more exposed than
others to operational risk (at least in relation to gross income), the BCBS divides

banks’ activities into eight business lines: corporate finance, trading and sales,
retail banking, commercial banking, payment and settlement, agency services,
asset management and retail brokerage. Within each business line, gross income
is taken to be a proxy for the scale of the business operation and hence a likely
measure of the extent of operational risk (as in the BIA). 17 The capital charge for
each business line is calculated by multiplying gross income by a factor (β) that is
assigned to each business line. The total capital charge is calculated as a three-year
average of the simple sum of capital charges of individual business lines in each
year. Hence
 

$$K = \frac{\alpha \sum_{t=1}^{3} \max\left(\sum_{j=1}^{8} \beta_j Y_j,\ 0\right)}{3} \qquad (4)$$

where $\beta_j$ is set by the Basel Committee to relate the level of required capital to
the level of gross income for business line j.
The BCBS (2004a) suggests that if banks move from the BIA along a continuum
towards the AMA, they will be rewarded with a lower capital charge. 18 The reg-
ulatory capital requirement is calculated by using the bank’s internal operational
risk model. One of the objectives of the Basel II Accord is to align regulatory
capital with the economic capital determined by the banks’ internal models, which
can be achieved by using the AMA. 19 Under this approach, banks must quantify
operational risk capital requirements for seven types of risk and eight business
lines, a total of 56 separate cells, where a cell is a combination of business line
and event type. These estimates are aggregated to obtain a total operational risk
capital requirement for the bank as a whole, thus ignoring correlation.
The problem is that it is not quite clear what the AMA comprises. For example,
Chapelle et al. (2004) define the AMA as encompassing “all measurement tech-
niques that lead to a precise measurement of the exposure of each business line of
a financial institution to each category of operational loss event”. It is sometimes
described as encompassing three versions: the loss distribution approach (LDA),

17
Using gross income as an indicator of operational risk has been criticized. For example, Herring
(2002) argues that gross income has no tenuous link to operational risk, but Dowd (2003) argues that
it is the least bad option. Although the BCBS (2001c) has suggested other indicators (such as annual
average assets, annual settlement throughput and total funds under management), the Basel II document
(BCBS, 2004a) defines regulatory capital in terms of gross income only. When an indicator other than
income is used, this is sometimes known as the alternative standardized approach (Moosa, 2007b).
18
This is indeed a problematical feature of Basel II because only large, internationally-active banks
will be allowed to use the AMA. One reason why the U.S. has decided to delay the implementation
of Basel II is complaints by small U.S. banks that the Accord would put them in a weak competitive
position relative to larger banks.
19
Economic capital is the amount of capital that a firm (or a unit within the firm) must hold to protect
itself with a chosen level of certainty (confidence level) against insolvency due to unexpected losses
over a given period of time (for example, one year). Regulatory capital, on the other hand, is the
capital prescribed by the regulator. Economic capital is typically determined by an internal model of
the underlying firm.

the scenario-based approach (SBA) and the scorecard approach (SCA). The basis
of classification here is the nature of the data required to implement the procedure:
while the LDA depends on historical data (hence, it is backward-looking), the
other two approaches are forward-looking because hypothetical futuristic data is
collected from “expert opinion” via scenario analysis and scorecards. For example,
Andres and van der Brink (2004) list the three approaches as separate versions of
the AMA and go on to illustrate a scenario-based AMA. Likewise, Kuhn and Neu
(2004) describe the AMA as being dependent on internal or external data or expert
knowledge, meaning that they are separate approaches.
On the other hand, it is sometimes claimed that the scenario-based and score-
card approaches are not really separate versions of the AMA, but rather means for
collecting data to supplement the historical data used with the LDA. For exam-
ple, Currie (2004) describes the AMA as involving the estimation of unexpected
losses based on a combination of internal and external data, scenario analysis and
bank-specific environment and internal controls. Reference to scenario analysis
and internal controls implies that the scenario-based approach and the scorecard
approach are used to collect data to supplement the internal and external data used
in the LDA. Likewise, Kalyvas et al. (2006, pp 123–124) argue that the AMA
measurement system must take into account internal data, external data, scenario
analysis, and internal controls and business environment factors. Haubenstock and
Hardin (2003) outline the steps involved in the LDA, which is used to calculate
the capital charge from internal and external data. Then they list some additional
steps, including the development of scenarios for stress testing and incorporating
scorecards and risk indicators. The implication here is that the scenario-based ap-
proach and the scorecard approach are used to adjust the capital charge calculated
by using the LDA. Reynolds and Syer (2003) mention, as separate approaches, the
IMA, LDA and SCA, but not the SBA, and the same idea is expressed by Kuhn and
Neu (2005). This is in contrast with Fujii (2005) who explains how the “scenario-
based advanced management approach (AMA) provides solutions to some of the
problems [of the LDA]”. Chapelle et al. (2004) argue that while the AMA could
encompass any proprietary model, the most popular AMA methodology is by far
the LDA. 20
The Basel Committee seems to accept the two possibilities of regarding scenario-
based analysis as a separate version of the AMA and a means of collecting sup-
plementary data for the LDA. In BCBS (2003c), it is stated that scenario-based
analysis may be used as an input or may form the basis of an operational risk analyt-
ical framework, particularly when internal data, external data and the assessment
of the business environment and internal controls are inadequate (that is, when the
SBA and SCA are unimplementable). But only the view that the SBA and SCA are
used as supplementary procedures is expressed in the 2001 working paper on the
regulatory treatment of operational risk (BCBS, 2001c). This document describes a

20
It is not clear how the LDA is by far the most popular methodology, given that it is initially unavailable
for regulatory purposes and that it is extremely difficult to implement.

sound (operational) risk management system as involving the use of internal data,
relevant external data, scenario analysis and factors reflecting the business envi-
ronment and internal control system. This is Currie’s description of the AMA and
also that of Giudici (2004) who interprets this statement as implying that the AMA
should take into account internal and external data, scenario-based expert opinion
and causal factors reflecting the business environment and control systems. Alter-
natively, Chernobai and Rachev (2004) argue that the Basel Committee (BCBS,
2001d) suggests five methodologies for the measurement of regulatory capital:
(i) the basic indicators approach, (ii) the standardized approach, (iii) the internal
measurement approach, (iv) the scorecard approach, and (v) the loss distribution
approach. But no matter whether the scorecard and scenario based approaches are
separate versions of the AMA or just a means for collecting supplementary data,
they both suffer from the problem of subjectivity and bias because the data are
collected from the so-called “expert opinion”. Rebonato (2007, p 45) argues that
if an expert is held responsible when things go badly under his watch, but not
correspondingly rewarded if things turn out to be better than expected, it is not
difficult to imagine in which direction his predictions will be biased.
In BCBS (2001b), two versions of the AMA are proposed, the LDA and the
internal measurement approach (IMA), which is the same classification used by
Kalyvas et al. (2006). 21 The difference between the two approaches is that the
IMA is used to estimate unexpected loss by relating it to expected loss, whereas the
LDA is used to estimate unexpected loss from the total loss distribution. The BCBS
(2001b) makes it clear that the loss distribution approach “will not be available at
the outset of the New Basel Capital Accord”. Initially, the AMA will take the form
of the IMA, under which the capital charge for cell ij will be calculated as


$$K = \sum_{i=1}^{8} \sum_{j=1}^{7} \gamma_{ij} E_{ij} P_{ij} L_{ij} \qquad (5)$$

where $i = 1, 2, \ldots, 8$ represents business lines and $j = 1, 2, \ldots, 7$ represents event
types, $E$ is an exposure indicator, $P$ is the probability of a loss event and $L$ is the
loss given event. Thus $E_{ij} P_{ij} L_{ij}$ is the expected loss in cell $ij$. The parameter $\gamma_{ij}$ is
used to translate expected loss into unexpected loss, such that the capital charge
is equal to the unexpected loss (the maximum amount of loss per holding period
within a certain confidence interval). 22 The summation over business lines and
event types indicates that no allowance is made for correlation because of the

21
Alexander (2003b) argues that the IMA is rooted in the LDA, in the sense that it provides an analytical
solution whereas the LDA uses Monte Carlo simulation. Likewise, Frachot et al. (2001) view the IMA
as “an attempt to mimic LDA through a simplified, easy-to-implement way”.
22
The parameter γ will be provided by the regulator for each business line/event type. E is a measure of
exposure to operational risk, which the Basel Committee will standardise on the basis of the individual
bank data. P and L, which will be provided by banks on the basis of internal models, are respectively
the probability of occurrence of a loss event and the proportion of the exposure that will be lost if and
when a loss event materializes.

difficulty of estimating a 56×56 correlation matrix. To capture the risk profile
of an individual bank (which is invariably different from that of the industry as a
whole), equation (5) is modified to

$$K = \sum_{i=1}^{8} \sum_{j=1}^{7} \gamma_{ij} E_{ij} P_{ij} L_{ij} R_{ij} \qquad (6)$$

where R is the risk profile index (1 for the industry). For a bank with a fat tail
distribution, R > 1 and vice versa.
The loss distribution approach is described by the BCBS (2001b) as being a
“more advanced version of the internal methodology”, but the Basel Committee
makes it clear that this approach will not be used at this stage. If and when (if at
all) it is used, two provisions are designed to make it easier to implement: (i)
correlations will not be considered, and (ii) the structure of the business lines and
event types will be determined by the bank itself. 23 This approach is different
from the IMA in that it allows a direct estimation of unexpected losses without
specifying the gamma factor.
Under the LDA, the total loss distribution, from which the capital charge is cal-
culated, is obtained by combining (by using Monte Carlo simulations) the loss fre-
quency distribution and the loss severity distribution. The distributions are selected
and parameterized on the basis of historical data and sometimes supplemented by
scenario analysis and expert opinion. Typically, the choice falls on the Poisson dis-
tribution for frequency and some thick tail distribution (such as the lognormal and
gamma distributions) for severity. The capital charge for cell ij is then calculated
as being equal to the unexpected loss, which is the difference between the 99.9th
percentile and the mean of the distribution, which means

$$\Pr(L > \mathrm{OpVAR} + \mathrm{EL}) = 0.001 \qquad (7)$$

where EL is the expected loss (the mean of the distribution). This definition appears
to be what is embodied in the Basel II Accord as long as the underlying bank can
demonstrate that it has adequately provided for expected losses. This is because
one of the quantitative standards that the users of the AMA must satisfy is that
regulatory capital must be calculated as the sum of the expected loss and unexpected
loss unless it can be demonstrated that the expected loss is adequately captured in
the internal business practices, in which case regulatory capital is meant to cover
the unexpected loss only. 24
23 One of the proclaimed advantages of the AMA is that it results in lower capital charges than the basic
indicators approach and standardized approach. Failure to allow for the effect of correlation produces
higher capital charges than otherwise. There seems to be some contradiction here unless there are other
reasons why the AMA would produce lower capital charges. This issue is discussed in detail by Moosa
(2007c), who concludes that the subjectivity of the AMA is the most likely reason for this outcome.
24 Frachot, Moudoulaud and Roncalli (2004) argue that there is ambiguity about the definition of
the capital charge, hence suggesting two other definitions: (i) the 99.9th percentile of the total loss

If correlation among risk categories is assumed to be perfect (that is, losses occur
at the same time) the capital charge for the whole firm is calculated by adding up
the individual capital charges for each risk type/business line combination. This is
what will be done initially if and when the LDA is adopted for regulatory purposes
(although it can be used for the calculation of economic capital). On the other
extreme, the assumption of zero correlation among risk categories (that is, they are
independent of each other) means that the firm-wide capital charge is calculated
by compounding all distribution pairs into a single loss distribution for the firm.
This is done by calculating the total loss produced by each iteration of the Monte
Carlo simulations.
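The LDA calculation and the two aggregation extremes described above, worked through as an added example (not code from the paper): Poisson frequency and lognormal severity are combined by Monte Carlo simulation for two cells, and the unexpected loss is taken as the 99.9th percentile minus the mean. The cell names, distribution parameters, seed and number of iterations are constructed assumptions.

```python
import math
import random

# Constructed parameters (assumptions, not from the paper): Poisson mean `lam`
# for annual loss frequency, lognormal (mu, sigma) for single-loss severity.
CELLS = {
    "cell_A": {"lam": 30.0, "mu": 9.5, "sigma": 1.0},
    "cell_B": {"lam": 15.0, "mu": 10.0, "sigma": 1.0},
}


def poisson(rng, lam):
    """Draw a Poisson(lam) count with Knuth's multiplication method."""
    limit, count, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        count += 1
        prod *= rng.random()
    return count


def simulate_cell(rng, lam, mu, sigma, n_sims):
    """Return n_sims simulated annual aggregate losses for one cell."""
    return [
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
        for _ in range(n_sims)
    ]


def closed_form_el(lam, mu, sigma):
    """Mean of a compound Poisson-lognormal loss: lam * E[severity]."""
    return lam * math.exp(mu + sigma ** 2 / 2.0)


def quantile(losses, q):
    """Empirical q-quantile: smallest value with at least q of the mass below."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[index]


def unexpected_loss(losses, q=0.999):
    """UL = q-quantile minus the mean (EL), so Pr(L > UL + EL) = 1 - q."""
    return quantile(losses, q) - sum(losses) / len(losses)


def run_lda(cells=CELLS, n_sims=20000, seed=2007, q=0.999):
    """Simulate every cell, then aggregate under the two extreme assumptions."""
    rng = random.Random(seed)
    sims = {name: simulate_cell(rng, n_sims=n_sims, **p) for name, p in cells.items()}
    per_cell = {
        name: {"EL": sum(x) / n_sims, "UL": unexpected_loss(x, q)}
        for name, x in sims.items()
    }
    # Perfect correlation: add up the stand-alone capital charges.
    ul_perfect = sum(c["UL"] for c in per_cell.values())
    # Zero correlation: total loss per iteration gives one firm-wide
    # distribution, from which a single UL is read off.
    firm = [sum(draws) for draws in zip(*sims.values())]
    ul_independent = unexpected_loss(firm, q)
    return {"cells": per_cell, "ul_perfect": ul_perfect,
            "ul_independent": ul_independent}


if __name__ == "__main__":
    result = run_lda()
    for name, figures in result["cells"].items():
        print(f"{name}: EL={figures['EL']:,.0f}  UL={figures['UL']:,.0f}")
    print(f"firm-wide UL, perfect correlation: {result['ul_perfect']:,.0f}")
    print(f"firm-wide UL, zero correlation:    {result['ul_independent']:,.0f}")
```

With these constructed parameters the independent aggregate needs less capital than the simple sum, which is the effect footnote 23 refers to when it says that ignoring correlation produces higher charges.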
In between the two extremes of assuming perfect correlation and zero correlation
is the alternative of allowing for the explicit modeling of correlations between the
occurrences of loss events. This indeed is the most difficult procedure. The problem
here is that correlation, which is a simple form of the first moment of the joint
density of two random variables, does not capture all forms of dependence between
the two variables (it is a measure of linear association between the two variables).
Another problem with correlation is that it varies over time. This is why it is more
appropriate for this purpose to employ the copula, which is used to combine two
or more distributions to obtain a joint distribution with a prespecified form of
dependence. 25
In general, the capital charge (that is, regulatory capital or the regulatory
capital requirement) is calculated from the total loss distribution by using the
concept of value at risk (VAR). However, the use of the concept of value
at risk to measure operational risk capital charges has not escaped criticism.
For example, Hubner et al. (2003) argue against using a “VAR-like figure”
to measure operational risk, stipulating that although VAR models have been
developed for operational risk, questions remain about the interpretation of the
results. Another problem is that VAR figures provide an indication of the amount
of risk but not of its form (for example, legal risk as opposed to technology risk).
Moreover, the estimates of VAR can vary substantially with the underlying model.
For example, Kalyvas and Sfetsos (2006), who consider the issue of whether
the application of “innovative internal models” reduces regulatory capital, find
that the use of extreme value theory produces a lower estimate of VAR than the
variance-covariance, historical simulation and conditional historical simulation
methods.

distribution, and (ii) a definition that considers only losses above a threshold. Evidence for this ambi-
guity is provided by Wei (2007) who makes it explicit that “banks’ capital charge should be equal to
at least 99.9% quintile of their entire annual aggregate loss distribution in excess of expected losses”.
It seems that Wei has missed the qualifying statement “unless it can be demonstrated that the expected
loss is adequately captured in the internal business practices”.
25 Rosenberg and Schuermann (2006) show how the copula can be used for the purpose of integrated
risk management by constructing joint distribution for market, credit and operational risk. The power
of the copula, they argue, lies in its ability to capture a rich dependence structure. However, Wei (2007)
argues that a drawback of copula-based models is the data requirement. For a discussion of the pros
and cons of copulas relative to correlation, see Moosa (2007b).

Some doubts have been raised about the use of the 99.9th percentile to mea-
sure value at risk, which is recommended by the Basel Committee. For example,
Alexander (2003b) argues that the parameters of the total loss distribution cannot
be estimated precisely because the operational loss data are incomplete, unreliable
and/or subjective. This makes the estimation of risk at the 99.9th percentile im-
plausible. Alexander argues that regulators should ask themselves very seriously
if it is sensible to measure the capital charge on the 99.9th percentile. Even worse,
Rebonato (2007) argues that the 99.9th percentile is a meaningless concept.
While Chernobai et al. (2006) argue that “all statistical approaches become
somewhat ad hoc in the presence of incomplete data”, they suggest four alterna-
tive approaches to the estimation of the frequency and severity distributions by
distinguishing between censored and truncated data. Data are censored when the
number of observations that fall in a given set is known, but the specific values of the
observations are unknown. Data are said to be truncated when observations that fall
in a given set are excluded. Thus, censored data affect the estimation of the severity
distribution, not the frequency distribution, whereas both are affected by truncated
data. The evidence on the effect of truncated data is mixed. Moscadelli et al. (2005)
highlight the potential drawbacks of neglecting the existence of thresholds in the
measurement process, suggesting that one way to circumvent this problem is to
reconstruct the shape of the lower part of the distribution by fitting the collected
data and extrapolating down to zero. Mignola and Ugoccioni (2007), on the other
hand, argue that neglecting events below the loss data collection threshold does
not lead to large errors in the aggregated expected loss quantiles and unexpected
loss for threshold values up to fairly large percentiles of the severity distribution.
Generally speaking, operational risk is much more difficult to quantify than
market risk and credit risk, which have much more well-behaved loss distributions
compared with operational risk. But one may ask the question why it is that op-
erational risk is more difficult to measure than credit risk, given that the concepts
on which measurement is based (the concepts of loss frequency and loss severity)
are equivalent to concepts of frequency of default and the loss given default. de
Koker (2006) points out that despite these similarities, operational risk is difficult
to measure because of two characteristics of operational risk that we discussed
earlier in this paper: the absence of a good proxy for operational risk exposure and
the fat-tail characteristic of the loss distribution. 26

IX. THE MANAGEMENT OF OPERATIONAL RISK


Operational risk management is an activity that banks, and firms in general, have
indulged in for a long time or, as Kennett (2003) puts it, since “year dot”. This view
is shared by Buchelt and Unteregger (2004) who argue that long before the advent
of Basel II, financial institutions had put in place various control mechanisms and
26 The point on exposure is also raised by Bee (2006) who argues that “unlike losses caused by market
or credit events, operational losses are not related to underlying risk factors”.
procedures. It is arguable, therefore, that operational risk management is older
than credit risk management and market risk management. But just like the term
“financial risk” appeared before the term “operational risk”, the term “financial
risk management” appeared before the term “operational risk management”.
It remains true, however, that operational risk management has been a set of
fragmented activities designed to deal with a wide variety of operational risks.
Given that the concept of operational risk was unknown some ten years ago, it is
not surprising that operational risk management is not yet an integrated process
that deals with operational risk as a generic kind of risk. Kennett (2003) attributes
the trailing of operational risk management behind the management of other kinds
of risk to several reasons, including the breadth of operational risk, the fact that it is
already managed implicitly, the lack of data, the fact that it affects the whole firm,
and the fact that a lot of tools and techniques are “more bleeding edges than cutting
edges”. But it is often claimed that the advent of the Basel II Accord has contributed
to the development of operational risk management. For example, Rao and Dev
(2006) argue that the AMA is as much about managing operational risk as about
measuring and calculating regulatory capital. They also refer to BCBS (2003d) as
listing ten “high-level” basic principles of operational risk management. Likewise,
Bolton and Berkey (2005) argue that the “Sound Practices paper provides an
excellent outline for designing an op risk management framework that can provide
tangible benefits that does not get distracted by the challenges of operational risk
modeling”.
The process of managing operational risk is different from those of managing
market risk and credit risk only in so far as operational risk is different from the
other two kinds of risk. Kaiser and Kohne (2006) argue that the distinctive feature
of operational risk may cause significant divergence of the individual steps of
operational risk management from the corresponding steps of market and credit risk
management. One important difference, however, is that it is much more difficult
to implement operational risk management on different hierarchical levels than in
the cases of market and credit risk management. Kaiser and Kohne attribute this
difficulty to the absence of a portfolio concept for aggregating the individual risk
categories that operational risk encompasses.
Kingsley et al. (1998) state the following objectives of operational risk management:
(i) avoiding catastrophic losses, (ii) generating a broader understanding of
operational risk issues, (iii) enabling the firm to anticipate risk more effectively,
(iv) providing objective performance measurement, (v) changing behavior to reduce
operational risk, (vi) providing objective information so that services offered
by the firm take account of operational risk, and (vii) ensuring that adequate due
diligence is shown when carrying out mergers and acquisitions. All of these objectives,
it seems, fall under the headings “risk avoidance” or “risk reduction” but
operational risk management is more than that as it encompasses risk transfer and
risk financing. This is why the next issue to discuss is the role of insurance in
operational risk management as a means of risk transfer or, more correctly, risk
financing.

Insurance has always been used to mitigate various kinds of operational risk,
such as the risk of fire (damage to physical assets). Insurance companies have
been lobbying regulators to accept the idea of replacing (at least in part) regulatory
capital with insurance. Currently, a wide variety of insurance products (policies) are
available to banks, which include peril-specific products (such as computer crime
cover) and multi-peril products (such as the all-risk operational risk insurance), as
well as the traditional deposit insurance. There are, however, doubts about the role
of insurance in operational risk management. To start with, banks are (financially)
too big for insurance companies, which means that they cannot use insurance
effectively to cover all elements of operational risk. Cruz (2003a) identifies other
pitfalls with insurance for operational risk, including the following: (i) the limiting
conditions and exclusion clauses, which may impede payment in the event of
failure; (ii) delays in payment, which could result in serious damage to the claimant;
and (iii) the difficulty of determining the true economic value of insurance in the
absence of sufficient and appropriate data.
Brandts (2005) casts doubt on the ability of insurance to provide a “perfect
hedge” for operational risk, arguing that insurance compensation is often subject
to a range of limitations and exceptions. Specifically, he identifies three problems
(risks) with insurance: (i) the payment uncertainty resulting from mismatches in
the actual risk exposure and the insurance coverage; (ii) delayed payment, which
may result in additional losses; and (iii) the problem of counterparty risk resulting
from the possibility of default by the insurance company.
Young and Ashby (2003) are skeptical about the ability of insurance products
to go far enough in the current operational risk environment. The BCBS (2001b)
has expressed doubts about the effectiveness of insurance products, stating that “it
is clear that the market for insurance of operational risk is still developing”. And
although Basel II allows banks using the AMA to take account of the risk mitigating
impact of insurance in their regulatory capital calculations, some strict conditions
must be satisfied. In general, regulators have a problem with the proposition that
regulatory capital can be replaced (at least partially) with insurance. This is mainly
because regulators are skeptical about the feasibility of immediate payouts (which
is not what insurance companies are known for). There is also fear about the ability
of the insurers to get off the hook (completely or partially) through some dubious
clauses in the insurance policy.
A controversial issue is the claim that insurance is a key tool of risk trans-
fer, which Kaiser and Kohne (2006), for example, make explicit by stating that
“banks transfer risks by buying insurance policies”. However, taking insurance
does not really amount to risk transfer because the insured would still be ex-
posed to risk. Risk transfer in the strict sense occurs only if a firm outsources
the underlying activity to the insurer, which does not sound a good idea. Without
that, insurance provides financial cover, should risk assumption lead to losses.
Taking insurance, therefore, is not risk transfer but rather (external) risk financing
through the insurance company as an alternative to financing it through capital and
reserves.

Confusion between risk transfer and risk financing is quite conspicuous in the
BCBS (2003b) paper on operational risk transfer across financial sectors. The paper
makes it explicit that “banks already transfer operational risk through insurance”
(p 6) but then shifts to the use of phrases like “finance those losses”. On one page
(p 7), it is first stated that “the firm has used insurance to transfer some of the risk
of internal fraud loss”, but in the following paragraph the word “transfer” is no
longer used. Instead, it is stated that “the insurance policy provides benefits that act
as a form of contingent capital in the event of an insured loss”, while referring to
“catastrophic coverage to finance low-frequency, high-severity losses”. Actually,
the graphical illustration of the use of insurance to cover operational risk does
not use the word “transfer” at all. Instead, the title of Graph 1 is “financing of
fraud losses over a one-year period, no insurance”, whereas the title of Graph 2 is
“financing of fraud losses over a one-year period, with insurance”. So, is it transfer
or financing? Logic and pure common sense tell us that it is financing, not transfer.
The authors of the BCBS paper try to stick to the customary term of risk transfer,
but it is sometimes quite obvious that this is the wrong term to use, in which case
they shift to the correct term of “risk financing”. 27

X. CONCLUDING REMARKS
There is much more disagreement than agreement amongst academics and profes-
sionals about the concept of operational risk as well as its causes, consequences,
characteristics and management. While there is a consensus on the views that
operational risk is diverse and that it is difficult to measure, there are lingering
disagreements about the definition of operational risk, its classification and what it
should and should not include. A large number of definitions have been suggested,
ranging from those that are hardly informative to those that look more like descrip-
tions than definitions, and from those that are very narrow to those that encompass
anything that is not related to market risk and credit risk. Strangely perhaps, oper-
ational risk is the only risk type that has an official regulatory definition, the Basel
Committee’s definition (market risk and credit risk do not have official definitions,
perhaps because they are straightforward). But this official definition, motivated
by regulatory pragmatism rather than comprehensiveness, has been criticized by
those who think it is too narrow and those who think it is too broad. Controversy
has also arisen about the criteria of classifying operational risk, whether opera-
tional loss events should be classified according to cause (people or systems), event
(internal fraud or external fraud) or consequence (asset write-down or fines).

27 As a compromise, it may be possible to argue that insurance can be used to transfer the financial
effects of an operational loss event because the firm buying the insurance still experiences the event.
The term “risk financing” is more appropriate because the very basic principles of risk management
tell us that risk can be dealt with in a number of ways, including risk assumption, risk avoidance,
risk transfer, risk reduction and risk financing. Hence, we are talking about risk transfer versus risk
financing, which is more appropriate than talking about the transfer of risk versus the transfer of the
financial effects of a loss event.

Operational risk is not understood very well, and it seems that there is disagree-
ment about its proclaimed features. Some of the controversial issues pertain to the
proclaimed features that it is one-sided, it is idiosyncratic, indistinguishable from
other risks, and that it is transferable via insurance. This paper presented strong ar-
guments against what seems to be the conventional wisdom, expressing the views
that operational risk is not one-sided, is not idiosyncratic, is not indistinguishable
from other risks, and that it is not transferable via insurance.
There are also controversies about why and how operational risk should be mod-
eled and measured. But the most controversial issue is whether or not operational
risk should be regulated, as required by the Basel II Accord. To start with, there
is disagreement about the need for bank regulation in general, which is based on
the undisputable fact that banks command special importance in the domestic and
world economy, hence avoiding bank failures should be an objective of the reg-
ulators. However, there is significant skepticism about the role of regulation as a
means of achieving financial stability. For example, Kaufman and Scott (2000)
argue that regulatory actions have been double-edged, if not counterproductive.
Koehn and Santomero (1980) suggest that regulation does not necessarily accom-
plish the declared objective of reducing the probability of bank failure and that
a case could be put forward for the proposition that the opposite result can be
expected. Benston and Kaufman (1996) assert that most of the arguments that are
frequently used to support special regulation for banks are not supported by either
theory or empirical evidence. They also share the view that an unregulated system
tends to achieve an optimal allocation of resources. When it comes to Basel II as a
form of bank regulation, Barth et al. (2006) conclude that Basel II is some sort of
“one size fits all” kind of regulation, which they seem to be very skeptical about.
Their empirical results reveal that raising regulatory capital bears no relation to
the degree of development of the banking system, the efficiency of banks and the
possibility of experiencing a crisis.
Risk-based regulation (including Basel II) has been criticized severely. Daniels-
son et al. (2002) demonstrate that, in the presence of risk regulation, prices and
liquidity are lower, whereas volatility is higher, particularly during crises. They
attribute this finding to the underlying assumption of the regulator that asset returns
are exogenous, which fails to take into account the feedback effect of trading de-
cisions on prices. Danielsson (2003) argues that while the notion that bank capital
be risk sensitive is intuitively appealing, the actual implementation (in the form
of Basel II) may boost financial risk for individual banks and the banking system
as a whole. Danielsson and Zigrand (2003) use a simple equilibrium model to
demonstrate “what happens when you regulate risk”, showing that even if regu-
lation lowers systemic risk (provided that not too many firms are left out by the
regulatory regime, which is what will happen under Basel II), this can only be
accomplished at the cost of significant side effects.
The management of operational risk (and financial risk in general), as envis-
aged by Basel II, has been criticized by Rebonato (2007) on the grounds of dif-
ferences between regulators and risk managers. While regulators are concerned
about catastrophic events (represented by the 99.9th percentile of the loss distri-
bution), there is more to risk management than rare events because banks are also
concerned about the daily risk-return trade-off. Risk managers, therefore, should
not do things the same way as the regulators. If we accept the logic of this argu-
ment, the proclaimed novelty of the Basel II Accord of aligning regulatory capital
with economic capital is not a good idea after all. Regulatory capital is supposed
to protect banks from catastrophic events, whereas economic capital is what is
needed to run banks efficiently. Even more important, the argument goes, regu-
lators should not force banks to devote resources to the development of internal
models to calculate “numbers of dubious meaning” for regulatory purposes. The
recommendation is: keep it simple or let banks decide whether or not they want to
develop internal models. It would take a lot of people some convincing to dispute
the validity of this view.
Having gone through a somewhat detailed discussion of various aspects of oper-
ational risk, the inevitable conclusion is that operational risk is truly a controversial
topic, which has led to the emergence of a new strand of research that did not exist
some ten years ago. This survey, it is hoped, will serve as a concise introduction
to the topic as more and more academics and practitioners develop a taste for it.

XI. REFERENCES
Alexander, C. 2003a. “Managing Operational Risks with Bayesian Networks.”
Pp. 285–294 in Operational Risk: Regulation, Analysis and Management, ed.
C. Alexander. London: Prentice Hall-Financial Times.
Alexander, C. 2003b. “Statistical Models of the Operational Loss.” Pp. 129–170 in
Operational Risk: Regulation, Analysis and Management, ed. C. Alexander.
London: Prentice Hall-Financial Times.
Allen, L. and T. G. Bali. 2004. “Cyclicality in Catastrophic and Operational Risk
Measurements.” Unpublished paper, City University of New York.
Allen, L. and G. B. Turan. 2007. “Cyclicality in Catastrophic and Operational Risk
Management.” Journal of Banking and Finance 31:1191–1235.
Altman, E. and A. Saunders. 2001. “Credit Ratings and the BIS Reform Agenda.”
Unpublished paper, New York University.
Andres, U. and G. J. Van Der Brink. 2004. “Implementing a Basel II Scenario-
Based AMA for Operational Risk.” Pp. 343–368 in The Basel Handbook, ed.
K. Ong. London: Risk Books.
Barth, J., G. Caprio, and R. Levine. 2006. Rethinking Bank Regulation: Till Angels
Govern. New York: Cambridge University Press.
BCBS. 2001a. Basel II: The New Basel Capital Accord-Second Consultative Paper.
Basel: Bank for International Settlements.
BCBS. 2001b. Operational Risk: Supporting Document to the New Basel Accord.
Basel: Bank for International Settlements.
BCBS. 2001c. Working Paper on the Regulatory Treatment of Operational Risk.
Basel: Bank for International Settlements.
BCBS. 2003a. The 2002 Data Collection Exercise for Operational Risk: Summary
of the Data Collected. Basel: Bank for International Settlements.
BCBS. 2003b. Operational Risk Transfer Across Financial Sectors. Basel: Bank
for International Settlements.
BCBS. 2003c. Supervisory Guidance on Operational Risk: Advanced Measure-
ment Approaches for Regulatory Capital. Basel: Bank for International Settle-
ments.
BCBS. 2003d. Sound Practices for the Management of Operational Risk. Basel:
Bank for International Settlements.
BCBS. 2004a. Basel II: International Convergence of Capital Measurement and
Capital Standards: A Revised Framework. Basel: Bank for International Settle-
ments.
BCBS. 2004b. Bank Failures in Mature Economies. Basel: Bank for International
Settlements.
Bee, M. 2005. “Copula-Based Multivariate Models with Applications to Risk
Management and Insurance.” Unpublished paper, Università degli Studi di
Trento.
Bee, M. 2006. “Estimating the Parameters in the Loss Distribution Approach: How
can we Deal with Truncated Data?” Pp. 123–144 in The Advanced Measurement
Approach to Operational Risk, ed. E. Davis. London: Risk Books.
Benston, G. J. and G. G. Kaufman. 1996. “The Appropriate Role of Bank Regu-
lation.” Economic Journal 106:688–697.
Blunden, T. 2003. “Scoreboard Approaches.” Pp. 229–240 in Operational Risk:
Regulation, Analysis and Management, ed. C. Alexander. London: Prentice
Hall-Financial Times.
Bocker, K. and C. Kluppelberg. 2005. “Operational VAR: A Closed-Form Ap-
proximation.” Risk December: 90–93.
Bolton, N. and J. Berkey. 2005. “Aligning Basel II Operational Risk and Sarbanes-
Oxley 404 Projects.” Pp. 237–246 in Operational Risk: Practical Approaches
to Implementation, ed. E. Davis. London: Risk Books.
Brandts, S. 2005. “Reducing Risk Through Insurance.” Pp. 305–314 in Opera-
tional Risk: Practical Approaches to Implementation, ed. E. Davis. London:
Risk Books.
Buchelt, R. and S. Unteregger. 2004. “Cultural Risk and Risk Culture: Op-
erational Risk after Basel II, Financial Stability Report 6.” http://www.
oenb.at/en/img/fsr 06 cultural risk tcm16–9495.pdf.
Buchmuller, P., M. Haas, B. Rummel, and K. Stickelmann. 2006. “AMA Imple-
mentation in Germany: Results of BaFin’s and Bundesbank’s Industry Survey.”
Pp. 295–336 in The Advanced Measurement Approach to Operational Risk, ed.
E. Davis. London: Risk Books.
Cagan, P. 2001. “Seizing the Tail of the Dragon.” FOW/Operational Risk July:18–
23.
Chapelle, A., Y. Crama, G. Hubner, and J. P. Peters. 2004. “Basel II and Operational
Risk: Implications for Risk Measurement and Management in the Financial
Sector.” Unpublished paper, National Bank of Belgium.
Chernobai, A. and S. Rachev. 2004. “Stable Modelling of Operational Risk.”
Pp. 139–170 in Operational Risk Modelling and Analysis, ed. M. Cruz. London:
Risk Books.
Chernobai, A., C. Menn, S. T. Rachev, S. Truck, and M. Moscadelli. 2006. “Treat-
ment of Incomplete Data in the Field of Operational Risk: The Effects on Param-
eter Estimates, EL and UL Figures.” Pp. 145–468 in The Advanced Measurement
Approach to Operational Risk, ed. E. Davis. London: Risk Books.
Commonwealth Bank of Australia. 1999. Annual Report. Sydney: Commonwealth
Bank of Australia.
Consiglio, A. and S. A. Zenios. 2003. “Model Error in Enterprise-wide Risk
Management: Insurance Policies with Guarantees.” Pp. 179–196 in Advances in
Operational Risk: Firm-wide Issues for Financial Institutions (second edition).
London: Risk Books.
Crouchy, M. 2001. Risk Management. New York: McGraw Hill.
Crouchy, M., D. Galai, and R. Mark. 2004. “Insuring versus Self-Insuring Opera-
tional Risk: Viewpoints of Deposits and Shareholders.” Journal of Derivatives
12:51–55.
Crouchy, M., D. Galai, and R. Mark. 1998. “Key Steps in Building Consistent
Operational Risk Management and Measurement.” Pp. 45–62 in Operational
Risk and Financial Institutions, London: Risk Books.
Cruz, M. 2003a. “Operational Risk: Past, Present and Future.” Pp. 271–286 in
Modern Risk Management: A History, ed. P. Field. London: Risk Books.
Cruz, M. 2003b. Modelling, Measuring and Hedging Operational Risk. New York:
Wiley.
Cummins, J. D., C. M. Lewis, and R. Wei. 2006. “The Market Value Impact of
Operational Loss Events for US Banks and Insurers.” Journal of Banking and
Finance 30:2605–2634.
Currie, C. V. 2004. “Basel II and Operational Risk: An Overview.” Pp. 271–286
in Operational Risk Modelling and Analysis, ed. M. Cruz. London: Risk Books.
Danielsson, J. 2003. “On the Feasibility of Risk Based Regulation.” Unpublished
paper, London School of Economics.
Danielsson, J., P. Embrechts, C. Goodhart, C. Keating, F. Muennich, O. Renault,
and H. S. Shin. 2001. “An Academic Response to Basel II.” Unpublished paper,
LSE Financial Markets Group.
Danielsson, J., H. S. Shin, and J. P. Zigrand. 2002. “The Impact of Risk Regulation
on Price Dynamics.” Unpublished paper, London School of Economics.
Danielsson, J. and J. P. Zigrand. 2003. “What Happens when You Regulate Risk?
Evidence from a Simple Equilibrium Model.” Unpublished paper, London
School of Economics.
Davis, E. 2005. “Loss Data Collection and Modelling.” Pp. 1–2 in Operational
Risk: Practical Approaches to Implementation, ed. E. Davis. London: Risk
Books.
de Fontnouvelle, P., V. DeJesus-Rueff, J. Jordan, and E. Rosengren. 2006. “Capital
and Risk: New Evidence on Implications of Large Operational Losses.” Journal
of Money, Credit and Banking 38:1819–1846.
de Fontnouvelle, P., E. Rosengren, and J. Jordan. 2004. “Implications of Alternative
Operational Risk Modelling Techniques.” Unpublished paper, Federal Reserve
Bank of Boston.
de Koker, R. 2006. “Operational Risk Modelling: Where Do we Go from Here?”
Pp. in The Advanced Measurement Approach to Operational Risk, ed. E. Davis.
London: Risk Books.
Dowd, V. 2003. “Measurement of Operational Risk: The Basel Approach.”
Pp. 31–84 in Operational Risk: Regulation, Analysis and Management, ed. C.
Alexander. London: Prentice Hall-Financial Times.
Economist, The. 2003. “Deep Impact.” The Economist 8 May.
Embrechts, P., F. Lindskog, and A. McNeil. 2003. “Modelling Dependence with
Copulas and Applications to Risk Management.” Pp. 329–384 in Handbook of
Heavy Tailed Distributions in Finance, ed. S. Rachev. Amsterdam: Elsevier.
Fama, E. F. and K. French. 1993. “Common Risk Factors in the Returns on Stocks
and Bonds.” Journal of Financial Economics 33:3–56.
Frachot, A., P. Georges, and T. Roncalli. 2001. “Loss Distribution Approach for
Operational Risk.” Unpublished paper, Credit Lyonnais.
Frachot, A., O. Moudoulaud, and T. Roncalli. 2004. “Loss Distribution Approach
in Practice.” Pp. in The Basel Handbook, ed. K. Ong. London: Risk Books.
Frachot, A. and T. Roncalli. 2002. “Mixing Internal and External Data for Man-
aging Operational Risk.” Unpublished paper, Credit Lyonnais.
Frachot, A., T. Roncalli, and E. Salmon. 2004. “The Correlation Problem in
Operational Risk.” Working paper, Credit Lyonnais.
Fujii, K. 2005. “Building Scenarios.” Pp. 169–178 in Operational Risk: Practical
Approaches to Implementation, ed. E. Davis. London: Risk Books.
Gelderman, M., P. Klaassen, and I. van Lelyveld. 2006. “Economic Capital: An
Overview.” Pp. 1–12 in Economic Capital Modelling: Concepts, Measurement
and Implementation, ed. I. van Lelyveld. London: Risk Books.
Giraud, J. R. 2005. “Managing Hedge Funds’ Exposure to Operational Risks.”
Pp. in Operational Risk: Practical Approaches to Implementation, ed. E. Davis.
London: Risk Books.
Giudici, P. 2004. “Integration of Qualitative and Quantitative Operational Risk
Data: A Bayesian Approach.” Pp. 131–138 in Operational Risk Modelling and
Analysis: Theory and Practice, ed. M. Cruz. London: Risk Books.
Giudici, P. and A. Bilotta. 2004. “Modelling Operational Losses: A Bayesian
Approach.” Quality and Reliability Engineering International 20:407–417.
Group of Thirty. 1993. Derivatives: Practices and Principles. Washington DC:
Group of Thirty.
Haas, M. and T. Kaiser. 2004. “Tackling the Inefficiency of Loss Data for the
Quantification of Operational Loss.” Pp. 13–24 in Operational Risk Modelling
and Analysis: Theory and Practice, ed. M. Cruz. London: Risk Books.
Hadjiemmanuil, C. 2003. “Legal Risk and Fraud: Capital Charges, Control and
Insurance.” Pp. 74–100 in Operational Risk: Regulation, Analysis and Manage-
ment, ed. C. Alexander. London: Prentice Hall-Financial Times.
Halperin, K. 2001. “Balancing Act.” Bank Systems and Technology 38:22–25.
Haubenstock, M. and L. Hardin. 2003. “The Loss Distribution Approach.”
Pp. 171–192 in Operational Risk: Regulation, Analysis and Management, ed.
C. Alexander. London: Prentice Hall-Financial Times.
Herring, R. J. 2002. “The Basel 2 Approach to Bank Operational Risk: Regulation
on the Wrong Track.” Unpublished paper, University of Pennsylvania.
Hoffman, D. G. 1998. “New Trends in Operational Risk Measurement and Man-
agement.” Pp. 29–44 in Operational Risk and Financial Institutions. London:
Risk Books.
Holmes, M. 2003. “Measuring Operational Risk: A Reality Check.” Risk 16:84–
87.
Hubner, R., M. Laycock, and F. Peemoller. 2003. “Managing Operational Risk.”
Pp. in Advances in Operational Risk: Firm-wide Issues for Financial Institutions.
London: Risk Books.
Hughes, P. 2005. “Using Transaction Data to Measure Operational Risk.”
Pp. 3–12 in Operational Risk: Practical Approaches to Implementation, ed.
E. Davis. London: Risk Books.
Jameson, R. 1998. “Playing the Name Game.” Risk 11:38–42.
Kalyvas, L. and A. Sfetsos. 2006. “Does the Application of Innovative Internal
Models Diminish Regulatory Capital?” International Journal of Theoretical
and Applied Finance 9:217–226.
Kaiser, T. and M. Kohne. 2006. An Introduction to Operational Risk. London:
Risk Books.
Kalyvas, L., I. Akkizidis, I. Zourka, and V. Bouchereau. 2006. Integrating Market,
Credit and Operational Risk: A Complete Guide for Bankers and Risk Profes-
sionals. London: Risk Books.
Kaufman, G. G. and K. Scott. 2000. “Does Bank Regulation Retard or Contribute
to Systemic Risk?” Unpublished paper, Loyola University Chicago and Stanford
Law School.
Kennett, R. 2003. “How to Introduce an Effective Risk Management Framework.”
Pp. 73–94 in Advances in Operational Risk: Firm-wide Issues for Financial
Institutions (second edition). London: Risk Books.
Kingsley, S., A. Rolland, A. Tinney, and P. Holmes. 1998. “Operational Risk
and Financial Institutions: Getting Started.” Pp. 3–28 in Operational Risk and
Financial Institutions. London: Risk Books.
Koehn, M. and A. M. Santomero. 1980. “Regulation of Bank Capital and Portfolio
Risk.” Journal of Finance 35:1235–1244.
Kuhn, R. and P. Neu. 2004. “Adequate Capital and Stress Testing for Operational
Risk.” Pp. 273–292 in Operational Risk Modelling and Analysis, ed. M. Cruz.
London: Risk Books.
Kuhn, R. and P. Neu. 2005. “Functional Correlation Approach to Operational Risk
in Banking Organizations.” Unpublished paper, Dresdner Bank AG.
Lam, J. 2003. “A Unified Management and Capital Framework for Operational
Risk.” RMA Journal 58:26.
Lewis, C. M. and Y. Lantsman. 2005. “What is a Fair Price to Transfer the Risk
of Unauthorised Trading? A Case Study on Operational Risk.” Pp. 315–356
in Operational Risk: Practical Approaches to Implementation, ed. E. Davis.
London: Risk Books.
Llewellyn, D. T. ed. 2001. Bumps on the Road to Basel: An Anthology of Basel 2.
London: Centre for the Study of Financial Innovation.
Lopez, J. A. 2002. “What is Operational Risk?” Federal Reserve Bank of San
Francisco Economic Letter January.
Medova, E. A. and M. N. Kyriacou. 2001. “Extremes in Operational Risk Man-
agement.” Unpublished paper, University of Cambridge.
Mestchian, P. 2003. “Operational Risk Management: The Solution is in the Prob-
lem.” Pp. 3–14 in Advances in Operational Risk: Firm-wide Issues for Financial
Institutions. London: Risk Books.
Metcalfe, R. 2003. “Operational Risk: The Empiricists Strike Back.”
Pp. 435–446 in Modern Risk Management: A History, ed. P. Field. London:
Risk Books.
Milligan, J. 2004. “Prioritizing Operational Risk.” Banking Strategies 80:67.
Mignola, G. and R. Ugoccioni. 2007. “Effect of Data Collection Thresh-
old in the Loss Distribution.” Journal of Operational Risk 1 Winter:35–
47.
Moosa, I. A. 2007a. “Misconceptions about Operational Risk.” Journal of Oper-
ational Risk Winter:97–104.
Moosa, I. A. 2007b. Operational Risk Management. London: Palgrave.
Moosa, I. A. 2007c. “A Critique of the Advanced Measurement Approach to Reg-
ulatory Capital Against Operational Risk.” Unpublished paper, Monash Uni-
versity.
Moscadelli, M. 2005. “The Modelling of Operational Risk: Experience with the
Analysis of the Data collected by the Basel Committee.” Pp. 39–106 in Oper-
ational Risk: Practical Approaches to Implementation, ed. E. Davis. London:
Risk Books.
Moscadelli, M., A. Chernobai, and S. Rachev. 2005. “Treatment of Incomplete
Data in the Field of Operational Risk: The Effects on Parameter Estimates, EL
and UL Figures.” Operational Risk June:33–50.
Muzzy, L. 2003. “The Pitfalls of Gathering Operational Risk Data.” RMA Journal
85:58–62.
Na, H. S., L. C. Miranda, J. Van Den Berg, and M. Leipoldt. 2005. “Data Scal-
ing for Operational Risk Modelling.” ERIM Report Series ERS-2005–092-LIS,
December.
Ong, M. 2002. “The Alpha, Beta and Gamma of Operational Risk.” RMA Journal
85:34.
Parsley, M. 1996. “Risk Management’s Final Frontier.” Euromoney September:74–
75.
Peccia, A. 2003. “Using Operational Risk Models to Manage Operational Risk.”
Pp. 363–384 in Operational Risk: Regulation, Analysis and Management, ed.
C. Alexander. London: Prentice Hall-Financial Times.
Peccia, A. 2004. “An Operational Risk Ratings Model Approach to Better Mea-
surement and Management of Operational Risk.” Pp. in The Basel Handbook,
ed. K. Ong. London: Risk Books.
Pezier, J. 2003. “A Constructive Review of the Basel Proposals on Operational
Risk.” Pp. 49–73 in Operational Risk: Regulation, Analysis and Management,
ed. C. Alexander. London: Prentice Hall-Financial Times.
Postlewaite, A. and X. Vives. 1987. “Bank Runs as an Equilibrium Phenomenon.”
Journal of Political Economy 95:485–491.
Powojowski, M., D. Reynolds, and H. J. H. Tuenter. 2002. “Dependent Events and
Operational Risk.” Algo Research Quarterly 5:65–73.
Rao, V. and A. Dev. 2006. “Operational Risk: Some Issues in Basel II AMA
Implementation in US Financial Institutions.” Pp. 273–294 in The Advanced
Measurement Approach to Operational Risk, ed. E. Davis. London: Risk Books.
Rebonato, R. 2007. “The Plight of the Fortune Tellers: Thoughts on the Quantitative
Measurement of Financial Risk.” Unpublished manuscript.
Reynolds, D. and D. Syer. 2003. “A General Simulation Framework for Op-
erational Loss Distributions.” Pp. 193–214 in Operational Risk: Regulation,
Analysis and Management, ed. C. Alexander. London: Prentice Hall-Financial
Times.
Robert Morris Associates, British Bankers’ Association and International Swaps
and Derivatives Association. 1999. Operational Risk: The Next Frontier.
Philadelphia: RMA.
Rosenberg, J. V. and T. Schuermann. 2006. “A General Approach to Integrated Risk
Management with Skewed, Fat-Tailed Risks.” Journal of Financial Economics
79:569–614.
Shadow Financial Regulatory Committee. 2001. “The Basel Committee’s Revised
Capital Accord Proposal.” Statement No 169, February.
Shepheard-Walwyn, T. and R. Litterman. 1998. “Building a Coherent Risk
Measurement and Capital Optimisation Model for Financial Firms.” Federal Reserve
Bank of New York Economic Policy Review October:171–182.
Smithson, C. and P. Song. 2000. “Quantifying Operational Risk.” Risk July:50–52.
Thirlwell, J. 2002. “Operational Risk: The Banks and the Regulators Struggle.”
Balance Sheet 10:28–31.
Tripe, D. 2000. “Pricing Operational Risk.” Unpublished paper, Massey University.
Turing, D. 2003. “The Legal and Regulatory View of Operational Risk.”
Pp. 253–266 in Advances in Operational Risk: Firm-wide Issues for Financial
Institutions (second edition). London: Risk Books.
Vinella, P. and J. Jin. 2005. “A Foundation for KPI and KRI.” Pp. 157–168 in Op-
erational Risk: Practical Approaches to Implementation, ed. E. Davis. London:
Risk Books.
Webb, A. 1999. “Controlling Operational Risk.” Derivatives Strategy 4:17–21.
Wei, R. 2003. “Operational Risk in the Insurance Industry.” Unpublished paper,
University of Pennsylvania.
Wei, R. 2006. An Empirical Investigation of Operational Risk in the United States
Financial Sectors. University of Pennsylvania AAT 3211165.
Wei, R. 2007. “Quantification of Operational Losses Using Firm-Specific Infor-
mation and External Databases.” Journal of Operational Risk 1 Winter:3–34.
Young, B. and S. Ashby. 2003. “New Trends in Operational Risk Insurance for
Banks.” Pp. 43–58 in Advances in Operational Risk: Firm-wide Issues for Fi-
nancial Institutions (second edition). London: Risk Books.

XII. NOTES ON CONTRIBUTOR


Imad Moosa is Chair in Finance at Monash University. Professor Moosa received
his Ph.D. from the University of Sheffield, UK. Prior to joining the Department
in 2006, he was a Professor of Finance at La Trobe University and a Lecturer
in Economics and Finance at the University of Sheffield. Prior to becoming an
academic in 1991, Imad was employed as a professional economist and a financial
journalist for over ten years. Imad’s previous employment was as an economist at
the Financial Institutions Division of the Bureau of Statistics and the International
Monetary Fund (Washington DC). Imad has formal training in model building,
exchange rate forecasting and risk management at the Claremont Economics Institute,
Wharton Econometrics, and the Center for Monetary and Financial Studies.
Professor Moosa has published nine books and over 150 papers in international
journals. He has also written for the prestigious Euromoney magazine and has
served in a number of advisory positions, including his role as an economic advisor
to the U.S. Treasury.
