RFS - Unit 3 - 2023


UNIT – 3: Operational Risk & Credit Risk
Definition of Operational Risk
“The risk of loss resulting from inadequate or failed internal processes, people and
systems or from external events.” – The Bank for International Standards (BIS)

This definition covers legal risk (including fines, penalties and punitive (disciplinary) damages
resulting from regulatory actions, as well as private settlements), but excludes reputation risk.

“Operational risk is the risk of losses caused by flawed or failed processes, policies,
systems or events that disrupt business operations.” (Cause and Effect)
Operational Risk

1. Definitions of Operational Risk according to the Basel Committee on Banking Supervision
2. Basel operational risk event types: Internal Fraud; External Fraud; Employment Practices and
Workplace Safety; Clients, Products & Business Practice; Damage to Physical Assets; Business
Disruption & Systems Failures; Execution, Delivery & Process Management
3. Operational Risk Policy

Basel provides the following seven operational risk event types, with examples of where and how
they might arise.

Internal fraud – Losses due to acts of a type intended to defraud, misappropriate property or
circumvent regulations, the law or company policy (excluding diversity/discrimination events),
which involve at least one internal party.

External fraud – Losses due to acts of a type intended to defraud, misappropriate property or
circumvent the law by a third party.

Employment practices and workplace safety – Losses arising from acts inconsistent with
employment, health or safety laws or agreements, from payment of personal injury claims or from
diversity and discrimination events.

Clients, products and business practices – Losses arising from an unintentional or negligent
failure to meet a professional obligation to specific clients (including fiduciary and suitability
requirements), or from the nature or design of a product.

Damage to physical assets – Losses arising from loss or damage to physical assets from natural
disaster or other events.

Business disruption and systems failures – Losses arising from disruption of business or system
failures.

Execution, delivery and process management – Losses from failed transaction processing or
process management, from relations with trade counterparties and vendors.
Financial Crime Legislation:
1. The global financial services industry provides an essential role in the facilitation of
international commerce.

2. Unfortunately, it also has the potential to enable the financial proceeds of crime to be
moved around the world quickly and easily.

3. The nature of the industry means that there are sometimes opportunities for unscrupulous
practitioners to make money through dishonest means, at the expense of clients or other
market participants.
Therefore, in most jurisdictions there are strict rules in place, enforceable through
national and international legal systems, to:
a. prohibit certain undesirable practitioner behaviours, collectively known as market abuse;
these fall into two overlapping categories – insider information and market manipulation
b. oblige financial services firms to monitor financial transactions and report any that appear
suspicious, to reduce the likelihood of criminal proceeds being moved around the system;
these fall into two related categories – money laundering and terrorist financing.

Examples of insider information market abuse include:

1. Insider dealing – when an insider (eg, a member of staff) deals on the basis of
information which is not known to the market.
2. Improper disclosure – where an insider improperly discloses inside information to
another person.
3. Improper dissemination – giving out information that conveys a false or misleading
impression about an investment or the issuer of an investment where the person doing
this knows the information to be false or misleading.
Money laundering
Money laundering is the process of turning ‘dirty’ money (money derived from
criminal activities) into money which appears to be from legitimate origins.

Dirty money is difficult to invest or spend, and carries the risk of being used as
evidence of the initial crime.
Laundered money can be invested and spent with less risk of incrimination.
There are three stages to a successful money laundering operation: placement, layering and
integration.

1. Placement
a. This is the introduction of dirty money into the financial system.
b. Typically, this involves placing the criminally-derived cash into a bank or building
society account, a bureau de change or any other type of enterprise which routinely
accepts large amounts of cash.
2. Layering
a. This involves moving the placed money around the system in order to make it difficult
for the authorities to link the placed funds with the ultimate beneficiary of the money.
b. This might involve buying and selling foreign currencies, shares or bonds in rapid
succession, investing in collective investment schemes, insurance-based investment
products or moving the money from one country to another.
3. Integration
a. At this final stage, the layering has been successful and the ultimate beneficiary
appears to be holding legitimate funds (ie, clean rather than dirty money).
b. The money is regarded as ‘integrated’ into the legitimate financial system.
Terrorist financing
Terrorist financing refers to activities that provide financial support to terrorists
or terrorist groups.
Many of the requirements of national and international anti-terrorism legislation
on financial services firms are similar to the AML provisions described above,
and involve:
• customer identification
• record keeping
• reporting suspicious activity.
A person generally commits an offence if he enters into, or is linked with, an
arrangement that facilitates the retention or control of terrorist funds.
Risk Management Responses to Financial Crimes
1. Educating staff on the risks to:
• society, if financial crimes are committed
• the firm, if placed under regulatory censure
• the individual, of a custodial sentence or heavy fine.
2. Putting systems and controls in place to mitigate the risk of occurrence.
3. Monitoring staff compliance with the internal rules and the external legal and regulatory
stipulations.
4. Escalating behavioural exceptions to a specific individual or committee for investigation.
5. Penalising contravention with the rules and if necessary informing the relevant authorities.
Operational Risk and its Consequential Effects
When an operational risk materializes, it often causes other risk issues too.
These typically include:
1. Reputational risks – if clients or the media become aware of the issue
and it tarnishes the firm’s reputation.

2. Compliance (or regulatory) risks – certain process failures will result,
for example, in customers not being treated fairly. This in turn is a
regulatory breach and could result in fines or other sanctions being
applied by the regulator.

3. Credit risks – areas in the credit function where operational risk issues can lead
to losses are:
a. data errors causing inadvertent credit limit breaches
b. lack of adequate monitoring and/or analysis or misinterpretation of a counterparty’s
financial statements due to a lack of training or incompetence
c. legal risk, including the inability to enforce contracts in credit-related areas such as
the posting of collateral
d. failing to carry out suitable credit checks on counterparties, or wrongly assuming that
credit rating agencies always get ratings right.
4. Market risks – an undetected error in the portfolio management system might
lead to a breach of a market risk limit.

5. Liquidity risks – a process breakdown in the finance department could lead to
the firm having insufficient liquidity to pay staff salaries.

6. Investment risks – carelessness on the part of a fund manager, coupled with a
process that contains no subsequent checking, could cause a mandate limit
breach.
Operational Risk Policy

1. A firm needs to have a written operational risk policy that defines
a. a coherent, consistent approach to the firm’s operational risk management.
2. It provides a ‘roadmap’
a. to move the organisation from what might be a fragmented, non-strategic approach
to operational risk management,
b. to a comprehensive, firmwide methodology that uses a common risk language
throughout the organisation.
3. The policy defines the operational risk methodology, or framework, within which the
firm will operate.
Building an Operational Risk Framework
1. Risk Appetite: Defining the firm’s operational risk appetite
2. Risk Identification: Defining the methodology used to identify and categorise the operational risks
that exist in the organisation
3. Risk Measurement: Defining the methodology used to measure and assess the significance of the
identified risks
4. Risk Mitigation:
a. Assigning responsibility to line managers for owning the mitigating actions required to
reduce risk exposures to within the risk appetite
b. Assigning responsibility for monitoring the effects of the mitigating actions
5. Risk Reporting: Establishing the reporting and escalating mechanisms for risk issues to
all levels of the organization in order to ensure transparency, and aid the
decision-making process.
6. Follow-up: The process of developing an operational risk policy is cyclical and
continuous, maturing in line with the firm’s growing understanding of its operational
risk profile.
Case: Tesco Accounting Scandal

Background:
Tesco is a British multinational grocery and general merchandise retailer,
headquartered in the United Kingdom. It is one of the world's largest retailers,
operating in various countries and serving millions of customers. The
company had a reputation for strong growth and profitability.

The Scandal:
In September 2014, Tesco announced that it had overstated its profits by £263
million ($422 million) due to accounting irregularities. The company initially
revealed that it had recognized income from suppliers earlier than it should
have, leading to an inflated presentation of profits. This overstatement
represented a significant misrepresentation of Tesco's financial performance.
Key Points:

Profit Overstatement: The accounting scandal involved the improper
recognition of commercial income from suppliers. This income was
recognized before it was actually earned, artificially inflating Tesco's reported
profits.

Internal Investigation: Tesco launched an internal investigation, led by
Deloitte and Freshfields, to uncover the extent of the issue. The investigation
revealed that profit overstatements had been occurring for an extended period,
leading to cumulative misstatements.

Impacted Financials: The overstatement of profits had a direct impact on
Tesco's financial statements, affecting its reported profitability and financial
position.

Regulatory Scrutiny: The scandal attracted the attention of regulatory authorities,
including the UK's Financial Reporting Council (FRC) and the Serious Fraud
Office (SFO). These bodies launched investigations into the matter.

Leadership Changes: The scandal led to significant leadership changes within
Tesco. The CEO at the time, Philip Clarke, stepped down, and the company faced
challenges in restoring investor confidence.

Reputational Damage: The scandal caused substantial reputational damage to
Tesco. It eroded investor trust, damaged the company's brand image, and led to a
decline in its stock price.

Financial Penalties: As a result of the investigations, Tesco faced regulatory fines
and legal settlements. The Financial Conduct Authority (FCA) imposed a £129
million ($206 million) fine on Tesco in 2017.
Key Points for Analysis:
Inadequate Internal Controls:
● The Tesco case highlights how inadequate internal controls can create
opportunities for operational risk to materialize.
● The company's financial controls were found to be insufficient to detect and
prevent fraudulent activities related to revenue recognition.

Human Error and Fraud:
● Operational risk can stem from human errors and, in some cases, fraudulent
activities.
● In the Tesco case, employees were involved in manipulating financial
records to boost profits, highlighting the importance of strong governance
and ethical behavior.
Supply Chain Complexity:
Tesco's supply chain intricacies and relationships with suppliers played a role in
the accounting scandal.
Understanding how operational risk can arise from supply chain complexities is
crucial for risk management.

Reputational Impact:
The scandal had severe consequences for Tesco's reputation, leading to a loss of
investor confidence, legal investigations, and regulatory fines.
Reputational risk is a critical aspect of operational risk and can have far-reaching
implications.

Risk Mitigation?
Areas Addressed by An Operational Risk Policy

1. The operational risk policy is a document that
a. outlines a firm’s strategy and objectives for operational risk management, and
b. clarifies how operational risk is distinguished from other risk areas, such as market and
credit risk.

2. To meet the prime objectives of operational risk management the risk policy and its
associated standards should address the following areas:
● identification of key officers
● roles and responsibilities
● segregation of duties
● cross-functional involvement and agreement.
Identification of Key Officers
It is important for firms to identify and empower those individuals who are given
key responsibilities in the management of operational risk.
Key officers will include the following:
1. Line managers: Responsible for monitoring and reporting to the board.
2. Senior business managers: Responsible for operational risks within their areas
of the business.
3. The risk management group: Responsible for the firm’s overall financial risk.
4. Risk representatives or risk champions (staff): To monitor a department’s
operational risks on behalf of the owning manager.
Roles and Responsibilities
1. The risk policy should
a. set out clear lines of authority,
b. identify key risk officers to carry out prescribed actions, and
c. define their roles and responsibilities.
2. Awareness and authority:
a. Staff throughout the organization need to know precisely what is expected of them, and why.
b. If they are accountable for managing risk, they also require the necessary control and
authority to be able to take action and implement risk reduction plans.
3. Non-compliance:
a. The risk policy should also make clear the consequences for staff of not observing the policy.
Segregation of Duties

1. Segregation of duties between the trading and support functions,
such as front-office, operations, accounting and risk monitoring.
2. The research and decision-making division separated from the accounting and
transaction execution division.
Cross-Functional Involvement and Agreement

The policy should promote collaboration between functions, departments and
divisions, because many operational risks occur as a result of ownerless or
unnoticed boundary errors.

Where possible, cross-functional teamwork should be encouraged
(notwithstanding the need for segregation of duties) through incentives,
education and a supportive organisational structure.
Operational Risk Framework
Identification and Assessment of Risk
a. Self-assessment
b. Key risk indicators
c. Risk and control assessment workshops
d. Loss data causal trend analysis
e. Audit reviews
f. External loss data (where available)
Management of Risk and Reduction of Potential Impact and Likelihood of Occurrence

1. Reducing the likelihood
a. Expected risk occurrence
b. Insurance policies are in place
c. Clear ownership of risk
d. Risk controls in place
e. Set up risk indicators/alerts
2. Reducing the impact
a. Speedy escalation to senior management if necessary
b. Power to risk owner to draw immediate resources
Operational Risk Management
Once the high level risk policy has been agreed, a risk management
framework must be implemented to enable the risk management
function to achieve its aims.
The following figure describes a typical framework, which, starting and
ending with the operational risk policy, includes the following stages:
● Risk identification
● Risk measurement and assessment
● Management and control
● Risk monitoring
● Risk reporting
● Operational risk policy
1. Risk identification – clearly identify the firm’s risks.
2. Risk measurement and assessment – score the impact and the likelihood of the
risk against pre-defined criteria.
3. Management and control – ensure that appropriate controls are in place to
mitigate the risk.
Put actions in place for under-controlled risks.
Ensure that ‘real-time’ escalation mechanisms are set up, with pre-defined
thresholds that define how high up the chain of command the limit breaches
or loss incidents should be escalated.
Ensure that remediation work is owned and tracked to completion.
4. Risk monitoring – monitor the risk and control indicators and other
risk management information (MI), and act before they ever reach their
predefined danger limits.
5. Risk reporting – reporting of risk MI should include indicators, the
risks and controls to which they relate, and incidents – ideally both
losses and near misses. Pre-defined danger limits should be defined by
setting triggers and limits on the data.
6. Operational risk policy – lessons learned during the operation of the
risk framework are used to update the policy.
Operational Risk Identification
Identifying and categorising operational risks helps firms to establish their risk profile and
appetite for risk.
A helpful starting point for defining a firm’s operational risk categories might be to use the
definition of operational risk itself, ie, process risks, people risks, system risks, external
events.
These can then be divided into further sub-categories.
Categorising the risks will enable:
• the provision of more succinct management risk information, grouped by risk category, rather
than simply a list of individual risks
• a better understanding of where in particular the firm’s operational weaknesses lie: processes,
systems, people, or vulnerability to external events
• a sound basis for operational risk capital allocation across the different categories
• a common language for discussing, assessing and managing risk that allows clear and
transparent communication and decision-making.
Self-Assessment Risk Identification
Self-assessment as a single method of measurement has limitations because:
• it is subjective, and is therefore open to abuse and manipulation by managers. For this reason
it should be independently validated – for example by internal audit or a risk officer who does
not report to the head of the department, and
• combining the scores received from the participants for each risk into a single score for that
risk can be difficult – it is not obvious whether an average score should be used, or some
alternative approach that takes into account, and tries to understand the reasons for, any
outlying scores.
Firms use a variety of approaches to overcome these weaknesses.
A common approach is to assemble key staff in a workshop and brainstorm the risks to their
departmental objectives.
This enables a debate to occur and a consensus to emerge on the impacts and likelihoods
assigned to each risk.
Application of Risk Categorisation
● It was suggested earlier that categorising a firm’s risks can be advantageous.
● A common approach to risk categorisation is the use of operational risk causes: process, people,
systems and external events.
● The following table illustrates this approach with some examples of risks that fall under each of
the causes.
Operational Risk Assessment and Measurement
The reasons for measuring and assessing operational risk are to:
● establish a quantitative baseline for improving the control environment –
knowing how much the firm might save by avoiding the risk is a useful
input to the business case for upgrading processes and controls
● provide an incentive for risk management and the development of a strong
risk culture
● improve management decision-making; by knowing the size of their risks,
managers are in a better position to decide how much risk they wish to take
● satisfy regulators and shareholders that a firm is adopting a proactive and
transparent approach to risk management, and
● make an assessment of the financial risk exposure that can be used for
capital allocation purposes.
Methods of Assessment
1. Impact and Likelihood Assessment
2. Scenario Analysis
3. Bottom-Up Analysis
1. Impact and Likelihood Assessment

One of the simplest methods of assessing risk is the creation of an impact and likelihood
assessment. This enables risks to be ranked in order of their severity.
The assessment may be subjective (using the experience of the professionals involved) or
objective (being supported by historical data) – or both. In either event, the severity ranking
decision depends on two criteria: the likelihood of the risk being realised and the magnitude
of the impact.

Likelihood Probability Ratings

The likelihood of the risk can be represented as a range of probabilities that correspond to a
rating.
For example, depending on the business area being measured, the following ratings might
be used:
Likelihood Probability Ratings
Very low
• not likely to occur within the next ten years
• rating score = 1
Low
• likely to occur within the next three to ten years
• rating score = 2
Medium
• likely to occur within the next two to three years
• rating score = 3
High
• likely to occur within the next year
• rating score = 4
Impact Loss Ratings

The impact of the risk is the potential loss if the risk occurs. This can be represented as a monetary
range, and also assigned a rating. For example:
Very low
• under £1,000
• rating score = 1
Low
• £1,000 to £10,000
• rating score = 2
Medium
• £10,000 to £50,000
• rating score = 3
High
• above £50,000
• rating score = 4
There is no ‘correct’ number of impact and likelihood scoring bands, although using four of
each, as in the example above, is common. However, regardless of the number of bands, it is
helpful to use an even number in order to prevent risks being scored ‘medium’ (ie, the middle
value) by default.
The overall risk score is the product of the likelihood rating scores and the impact rating scores:

Risk score = likelihood score × impact score

The risks can then be ranked by their score. In addition, each risk can then be plotted on a heat
map according to its score, as shown in the following figure. The heat map can be coloured red,
amber, yellow and green to give an indication of which risks are inside or outside of risk
tolerance.
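Worked example, added here and not part of the lecture notes: the four-band likelihood and impact tables above in Python, scoring a few constructed risks both gross (before controls) and net (after controls) so that control effectiveness can be read off, and placing each net score on a heat map. The heat-map colour thresholds are an assumption, since the notes name the colours but not the cut-offs.

```python
# Added example (not from the lecture notes): impact and likelihood assessment
# using the page's four likelihood bands and four impact bands.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    gross_years: float   # expected recurrence interval (years) before controls
    gross_loss: float    # expected loss in GBP before controls
    net_years: float     # recurrence interval after existing controls
    net_loss: float      # loss in GBP after existing controls


def likelihood_score(expected_years: float) -> int:
    """Map a recurrence interval in years to the 1..4 likelihood rating."""
    if expected_years <= 1.0:
        return 4          # High: likely to occur within the next year
    if expected_years <= 3.0:
        return 3          # Medium: within the next two to three years
    if expected_years <= 10.0:
        return 2          # Low: within the next three to ten years
    return 1              # Very low: not likely within the next ten years


def impact_score(loss_gbp: float) -> int:
    """Map a potential loss in GBP to the 1..4 impact rating (upper bounds inclusive)."""
    if loss_gbp < 1_000:
        return 1          # Very low: under £1,000
    if loss_gbp <= 10_000:
        return 2          # Low: £1,000 to £10,000
    if loss_gbp <= 50_000:
        return 3          # Medium: £10,000 to £50,000
    return 4              # High: above £50,000


def risk_score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood score x impact score (range 1..16 with four bands each)."""
    return likelihood * impact


# Assumed heat-map thresholds (the notes give only the colours, not the cut-offs).
HEAT_MAP_BANDS = ((12, "red"), (8, "amber"), (4, "yellow"), (0, "green"))


def heat_map_colour(score: int) -> str:
    for threshold, colour in HEAT_MAP_BANDS:
        if score >= threshold:
            return colour
    return "green"


def assess(risk: Risk) -> dict:
    """Gross and net scores for one risk; their difference shows what the controls buy."""
    gross = risk_score(likelihood_score(risk.gross_years), impact_score(risk.gross_loss))
    net = risk_score(likelihood_score(risk.net_years), impact_score(risk.net_loss))
    return {"name": risk.name, "gross": gross, "net": net,
            "colour": heat_map_colour(net), "control_effect": gross - net}


def rank_risks(risks: list) -> list:
    """Rank by net score, then gross score, then name, most significant first."""
    return sorted((assess(r) for r in risks),
                  key=lambda a: (-a["net"], -a["gross"], a["name"]))


# Constructed sample risks (illustrative values, not from the notes).
SAMPLE_RISKS = [
    Risk("Shared system passwords allow unauthorised trade entry", 0.5, 250_000, 5, 40_000),
    Risk("OTC confirmations outstanding beyond settlement", 0.5, 30_000, 0.5, 8_000),
    Risk("Data error causes inadvertent credit limit breach", 2, 60_000, 8, 60_000),
    Risk("Flood damage to back-office premises", 20, 500_000, 20, 20_000),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_RISKS):
        print(f'{row["net"]:>2} {row["colour"]:<6} (gross {row["gross"]:>2}, '
              f'controls remove {row["control_effect"]:>2}) {row["name"]}')
```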
Advantages of an impact and likelihood assessment are the following:

• It provides a simple method for viewing the range of risks the business faces.
• It provides an evaluation of the effectiveness of the control environment if gross and net risk scores are
plotted separately.
• It focuses management attention on the most important risks.
• It can be used with minimal hard data: if historical loss data is not available, a useful subjective view can still
be obtained.
• It can capture a wide range of risk possibilities – from large, strategic risks to everyday, more detailed issues.
For this reason it can be effective at all levels of an organisation.
• It encourages a risk-aware culture and a more transparent risk environment. In order to maintain the risk
profiles, a culture of continuous assessment is needed. This encourages line staff and risk managers to work
closely and allows good practice to be adopted more easily.
2. Scenario Analysis
● Scenario analysis is a ‘top-down’ method of highlighting potential risk combinations in order
to allow preventative action to be taken.
● It uses the experience of business professionals to capture possible scenarios that have occurred in
the past, or may result in loss in the future.
● By investigating these scenarios, perhaps through stressing (ie, exaggerating) a particular aspect of
each scenario, preventative measures can be taken to reduce their risk of occurrence.
3. Bottom-Up Analysis
The bottom-up measurement approach seeks to analyse the individual risks and
adequacy of controls across business processes.

It is called ‘bottom-up’ because it builds up a detailed profile of the risks that occur in
each area, aggregating them to provide overall measures of exposure for departments,
divisions or the firm as a whole.

It uses the experience of line managers and staff, coupled with loss data as its source
of information, so the resultant measures contain both qualitative and quantitative
elements.
Key Risk Indicators (KRIs)
❖ Having produced a list of risks, and having then ranked them in order of severity, the firm can
designate the top ‘x’ risks as its key risks.
❖ It is then possible to obtain data that describes the current status of those key risks, and to define
upper and lower acceptable limits on the behaviour of this data. This approach provides a series of
key risk indicators (KRIs).
❖ For example, if one of the key risks is ‘Loss of Key Staff’, then it might be felt that certain factors
will influence the likelihood of this risk occurring.
❖ These factors might include:
• General staff turnover as a proxy for key staff turnover.
• Percentage of undocumented processes (ie, processes that are only known by certain ‘key’ staff).
• Salary gaps identified by the annual salary benchmarking tests.
Plotting the indicator levels each month results in a graph such as the
figure below:
Case Study
Let us assume that ‘rising numbers of outstanding confirmations’ has been identified as a key risk. In order
to define key risk indicator(s) on this risk we need to know a little about the way in which the confirmations
process works.
Financial transactions should be ‘confirmed’ with clients before they are settled. Confirmation ensures that
the counterparty recognises the transaction and agrees with the legal, economic and settlement terms – thus
allowing any discrepancies to be resolved before the trade is settled.
Confirmations can be made by telephone and in writing and their format is usually agreed through a legal
agreement signed by the two parties involved as part of the set-up activity. For some products, such as listed
instruments that use a central exchange or counterparty, the confirmation process can be standardised to such
an extent that a high degree of computer automation is possible.
For products that are not dealt via an exchange, such as over-the-counter (OTC) derivatives, confirmations
are performed as part of a bilateral agreement between the trading parties. They typically use hardcopy
documents that follow certain pre-defined formats to help reduce the risk of error and legal ambiguity.
Operational risk exists in the trade confirmation process to the extent that transaction errors
are not spotted, or because errors or delays are introduced into the settlement process.

KRIs for the trade confirmation process might include:
• length of time taken to formalise a legal agreement
• number of confirmations not yet agreed with the counterparty
• number and type of confirmation errors found in the checking process
• time taken for counterparties to return confirmations.
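Added example, not from the notes: computing the last three KRIs listed above from a constructed batch of confirmation records and checking each against assumed upper and lower acceptable limits. The record layout, the limit values and the choice to count unreturned confirmations up to the reporting date are all assumptions made for the example.

```python
# Added example (not from the lecture notes): KRIs for the trade confirmation
# process, computed from constructed confirmation records.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Confirmation:
    trade_id: str
    sent_date: date                  # date the confirmation was sent to the counterparty
    returned_date: Optional[date]    # None while the counterparty has not returned it
    agreed: bool                     # True once both sides have agreed all terms
    error_type: Optional[str]        # error found in the checking process, if any


def outstanding_confirmations(confs: list) -> int:
    """KRI: number of confirmations not yet agreed with the counterparty."""
    return sum(1 for c in confs if not c.agreed)


def errors_by_type(confs: list) -> dict:
    """KRI: number and type of confirmation errors found in the checking process."""
    counts = {}
    for c in confs:
        if c.error_type is not None:
            counts[c.error_type] = counts.get(c.error_type, 0) + 1
    return counts


def average_return_days(confs: list, as_of: date) -> float:
    """KRI: time taken for counterparties to return confirmations.
    Unreturned confirmations are still open, so they count up to the as_of date
    instead of being dropped (dropping them would hide the worst cases)."""
    if not confs:
        return 0.0
    days = [((c.returned_date or as_of) - c.sent_date).days for c in confs]
    return sum(days) / len(days)


# Assumed (lower, upper) acceptable limits; the notes only say such limits are defined.
# A reading below the lower limit is also escalated: for counts such as outstanding
# confirmations, a sudden drop to zero can mean the data feed stopped rather than
# that the risk went away.
KRI_LIMITS = {
    "outstanding_confirmations": (1, 5),
    "average_return_days": (0.5, 3.0),
    "total_confirmation_errors": (0, 2),
}


def compute_kris(confs: list, as_of: date) -> dict:
    return {
        "outstanding_confirmations": outstanding_confirmations(confs),
        "average_return_days": round(average_return_days(confs, as_of), 2),
        "total_confirmation_errors": sum(errors_by_type(confs).values()),
    }


def evaluate_kris(kris: dict, limits: dict = KRI_LIMITS) -> dict:
    """Return 'ok', 'breach-high' or 'breach-low' for each indicator."""
    status = {}
    for name, value in kris.items():
        lower, upper = limits[name]
        if value > upper:
            status[name] = "breach-high"
        elif value < lower:
            status[name] = "breach-low"
        else:
            status[name] = "ok"
    return status


# Constructed month-end snapshot of six OTC confirmations (not real data).
AS_OF = date(2023, 3, 31)
SAMPLE_CONFIRMATIONS = [
    Confirmation("T-001", date(2023, 3, 1), date(2023, 3, 2), True, None),
    Confirmation("T-002", date(2023, 3, 5), date(2023, 3, 10), True, "economic terms"),
    Confirmation("T-003", date(2023, 3, 20), None, False, None),
    Confirmation("T-004", date(2023, 3, 27), None, False, None),
    Confirmation("T-005", date(2023, 3, 28), date(2023, 3, 29), False, "settlement instructions"),
    Confirmation("T-006", date(2023, 3, 29), date(2023, 3, 30), True, None),
]

if __name__ == "__main__":
    kris = compute_kris(SAMPLE_CONFIRMATIONS, AS_OF)
    for name, status in evaluate_kris(kris).items():
        print(f"{name:<28} {kris[name]:>6}  {status}")
```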
Historical Loss Data
Loss data evaluation is important in mapping the actual losses experienced by the firm back to a sensible
categorisation system. Once the data has been collected (from either internal or external sources) it can
be used in the measurement process, using benchmarking or statistical methods.

For instance, a ‘loss distribution’ curve may be created that records the value of all material (direct)
losses in a particular risk category over a time period of, say, three years. By analysing this curve (using
similar value-at-risk (VaR) techniques), some prediction of future losses can be made within specified
confidence limits. The major difference will be the shape of the curve and, specifically, the ‘fat tail’
which reflects the fact that losses are not ‘normally distributed’ – extremely high impact losses occur
only very rarely.
Practical Obstacles

Some of the practical obstacles to implementing an operational risk management framework:
• Data collection constraints – in practice, it is very difficult to build a truly comprehensive data set. Apart from the
general lack of data, system constraints and a lack of standardisation mean that the
required data feeds from disparate sources cannot be easily developed. There is also relatively little availability of
industry-wide data, as this depends on firms ‘self reporting’ and, by definition, it is not
straightforward to gain an understanding of high impact, low-frequency events. Firms may also not be allowed to report
for legal disclosure reasons.
• Cultural constraints – business heads need to be convinced of the value that operational risk management (ORM) will
bring. If not implemented in a well-structured manner, it is often seen as a cost to the business, and even a nuisance,
rather than a real asset. Consequently, many firms have
rolled out risk management frameworks little by little – attempting to gain the confidence and support of one area before
moving on to another.
• Resource and cost constraints – firms continually underestimate the amount of time and resources required to
implement identification and measurement systems. In an era of tight cost control, resource constraints put a limit on
how quickly or comprehensively implementation is carried out.
• Indicator constraints – it can be difficult to design risk indicators that monitor the full range of risks. There is a natural
Managing Operational Risk

Refers to activities and decisions that are intended to control, reduce,
eliminate or optimise a risk.

Operational risk management techniques:
1. A Risk Register and its Core Features
2. Methods for Managing Operational Risk Exposure
3. Operational Risk Mitigation
4. Operational Loss Data
Risk Register and its Core Features
● Having identified and assessed various operational risks faced by the
firm, and then ranked the risks to decide the priority order for mitigation,
the next stage in the process would be the construction of a risk register,
also known as a risk log.
● There is no widely accepted definition of what a risk register should look
like.
● The actual content and format of a risk register will depend on the level
within the organisation for which it is being constructed, and the risk
types to which it refers.
A risk register could consist of a list of identified risks, linked to the business
objectives, processes or products whose success would be threatened if the risk
materialised.

The overall risk score is used to sort the risks so that the list runs from the most
significant to the least significant.

Each risk would be assigned to an owner or lead person – ideally a member of
staff or perhaps a department – and then the mitigating actions would be listed,
along with their deadlines for completion.

‘Assurance’ and ‘oversight’ refer to the mechanisms used by the firm to provide
an objective view about the quality of each risk’s management.

Mitigating controls are ways in which the likelihood and impact of a risk are
reduced.
In summary, the risk register should consist of:
• objectives, processes or products affected by this risk
• description of risk
• risk ranking
• lead person or department
• action plan
• target and completion dates
• sources of assurance and oversight (which may or may not be the lead person or
department)
• mitigating controls, their effectiveness and owner(s).
Methods for Managing Operational Risk
Exposure
❖ Once risks have been identified and measured, the firm can take action to
address those risks that fall outside of its risk appetite.
❖ Transferring risk can be achieved in a number of ways, such as outsourcing
or insurance.
❖ If the level of a particular risk is unacceptable, and managing it to within
acceptable levels would be too costly, then it may simply need to be avoided.
❖ In practical terms this could involve:
   • withdrawing from a business
   • changing a product offering
   • deciding not to take on new business through planned mergers or
     acquisitions.
Operational Risk Mitigation
Common methods for operational risk mitigation:
1. controls
2. business continuity and contingency planning
3. outsourcing
4. insurance
5. information and cyber security
6. physical security
7. financial reserves
8. risk awareness training
9. data protection
1. Controls
Operational Controls in the Trade Process

Key controls in the trade confirmation process therefore might include:
• ensuring that a legal agreement covering confirmation protocol is in place before
trading
• front-office sign-off of the economic terms of each trade
• a back-office confirmation check
• daily follow-up actions to counterparties which have not returned written
confirmations.

In general, controls fall into certain broad categories, the most common of which are
‘preventative’ and ‘detective’.
Preventative controls

They attempt to tackle the root causes of risk and are most effective when incorporated
within processes at the outset by anticipating a risky outcome. Technology solutions are
often used as a key means of implementing preventative controls.
For example, a key preventative control is the provision of individual IT passwords and
system access control for all staff.

Other examples of preventative controls are:
• the setting up and ongoing maintenance of procedures to prevent unauthorised
actions and errors
• the use of training to reduce the likelihood of human error arising from a lack of
expertise
• the use of systems to automate processes that eliminate risks caused by human error.
Detective controls

● Detective controls detect errors once they have occurred, and quality assurance checks
fall under this category.

● It is important to remember that processes frequently change.

● If the control structure is not reviewed and assessed as part of this change, it is
possible that potential risks are introduced that are not covered by adequate
controls.

● The identification of these control gaps is a key objective of the ORM function.
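As an added illustration of a detective control in the trade confirmation process described above (example code written for this page, not taken from it or from any firm's systems), the following Python script reconciles booked trades against the written confirmations returned by counterparties and flags the exceptions that need daily follow-up. The trade and confirmation records are constructed sample data, and the one-day chasing threshold is an assumption.

```python
from datetime import date

# Constructed sample data, not from the page: trades signed off by the front office
# and the written confirmations returned so far by counterparties.
TRADES = [
    {"trade_id": "T1001", "counterparty": "ABC Co", "notional": 5_000_000, "rate": 0.0425, "trade_date": "2023-09-04"},
    {"trade_id": "T1002", "counterparty": "XYZ Ltd", "notional": 2_500_000, "rate": 0.0410, "trade_date": "2023-09-04"},
    {"trade_id": "T1003", "counterparty": "DEF plc", "notional": 1_000_000, "rate": 0.0390, "trade_date": "2023-09-01"},
    {"trade_id": "T1004", "counterparty": "GHI SA", "notional": 750_000, "rate": 0.0400, "trade_date": "2023-09-05"},
]
CONFIRMATIONS = [
    {"trade_id": "T1001", "notional": 5_000_000, "rate": 0.0425},
    {"trade_id": "T1002", "notional": 2_500_000, "rate": 0.0415},  # rate differs from the booking
]


def reconcile_confirmations(trades, confirmations, as_of, max_age_days=1):
    """Detective control: compare each booked trade with the counterparty's
    confirmation and return a list of (trade_id, counterparty, status) exceptions.

    status is 'mismatch' when a confirmation was returned but its economic terms
                         differ from what the front office signed off,
              'awaiting' when no confirmation has arrived but the trade is still
                         within the max_age_days window (an assumed threshold),
              'chase'    when no confirmation has arrived and the window has passed,
                         so a follow-up action to the counterparty is due today.
    """
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    confirmed = {c["trade_id"]: c for c in confirmations}
    exceptions = []
    for trade in trades:
        conf = confirmed.get(trade["trade_id"])
        if conf is None:
            age_days = (as_of - date.fromisoformat(trade["trade_date"])).days
            status = "chase" if age_days > max_age_days else "awaiting"
            exceptions.append((trade["trade_id"], trade["counterparty"], status))
        elif conf["notional"] != trade["notional"] or conf["rate"] != trade["rate"]:
            exceptions.append((trade["trade_id"], trade["counterparty"], "mismatch"))
    return exceptions


if __name__ == "__main__":
    for trade_id, counterparty, status in reconcile_confirmations(TRADES, CONFIRMATIONS, "2023-09-05"):
        print(f"{trade_id} {counterparty}: {status}")
```

The control only detects: it reports the unconfirmed and mismatched trades, and the follow-up action (chasing the counterparty, correcting the booking) is a separate step owned by the back office. The check is cheap to run daily, and the exception list is the evidence the ORM function would look for when reviewing whether the control still covers a changed process.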
Business Continuity Planning (BCP) and
Disaster Recovery (DR)
● A business continuity plan (BCP) deals with the premises and
people aspects – where will staff work if their main site is out of
action?

● Disaster recovery (DR) procedures deal with the IT and other
infrastructure required to keep the business running.

In order to construct robust BCP and DR solutions, a thorough analysis of
the causes of potential disruption is required, ranging from minor mishaps
to major catastrophes, such as:
• fire
• power failure
• civil unrest and strikes
• terrorism.

The BCP and DR solutions must be subject to regular testing and any shortcomings
brought to the required standard.
As well as thoroughly testing the BCP and DR arrangements, firms also need to define
crisis management teams (CMTs), and the methods to be used for both crisis management
and business resumption.
CMTs also benefit from periodic rehearsals of potential disasters so that they can practise
how to respond to them.
Outsourcing
A firm may choose to outsource some aspects of its business to a third
party with specific expertise in managing certain risks.

This option of risk management is gaining popularity with financial
institutions.

However, it is important to remember that a firm only transforms the risk
from, say, direct process management, to managing the quality of the
outsourced process.
Insurance
● Another common method of transferring risk is to purchase insurance
cover.
● Insurance policies can be constructed to cover losses due to fire, theft
and losses caused by human error.
● When taking out insurance, a firm needs to be very clear what the
insurance will pay out for and when it will pay out.
● Insurance policies often cover litigation risk but because the legal
process can be complex, and therefore slow, a policy that pays out only
after judgment has been made may be too late to save the firm if it has
already suffered substantial losses.
Information and Cyber Security
Information and cyber security continue to be high on most corporate agendas in
response to the increasing threat from cyber criminals.

A firm should categorise the types of information which it receives and processes so
that appropriate steps can be taken to protect it regardless of the medium.

For example, personal staff or customer information needs greater care than a report
downloaded from the internet which is already in the public domain.
‘10 Steps To Cyber Security’
1. Information risk management regime
2. Secure IT systems
3. Network security
4. Penetration testing
5. Managing user privileges
6. User education and awareness
7. Incident management
8. Malware prevention
9. Monitoring
10. Home and mobile working
Physical Security

The operational risks associated with physical security can be reduced by firms
making often quite simple arrangements, including, for example:
• vetting all staff and contractors for previous criminal records
• visible ID cards for all staff
• sign-in for all visitors to the building
• remaining vigilant and preparing for external threats such as protests or marches,
especially those aimed at financial services firms.
Risk Awareness Training

Risk awareness training for all relevant staff should be given by the firm to
help staff understand the principle of reducing the likelihood of risk
occurring, and the key role which they play in achieving this.
Details of the training being given, and attendance, should be recorded and
tracked by the operational risk function.
Data Protection

Organisations processing personal data on a large scale need to appoint an
independent, adequately qualified data protection officer charged with overseeing
the firm’s data protection strategy and implementation to ensure compliance with
GDPR requirements.
Credit Risk
Credit risk

• Credit risk is the risk of default on a debt that may arise
from a borrower failing to make required payments.

• In the first resort, the risk is that of the lender and
includes lost principal and interest, disruption to cash
flows, and increased collection costs.
Key Components of Credit Risk
1. Counterparty Risk - the probability that the other party in an investment, credit,
or trading transaction may not fulfill its part of the deal and may default on the
contractual obligations.
a. Default Risk, Exposure Risk, Recovery Risk (Collateral Risk)

2. Issuer Risk- risk of the issuer's insolvency, changing of credit and other ratings
of the issuer, bringing suits or claims against the issuer that may result in dramatic
decrease of value of the issuer's securities or failure to redeem the debt securities.

3. Concentration Risk- refers to an exposure with the potential to produce losses
large enough to threaten a financial institution's health or ability to maintain its core
operations.
Counterparty and Issuer Risk Exposure

Settlement risk
● is the possibility that one or more parties will fail to deliver on the terms of a
contract at the agreed-upon time.
● Settlement risk is a type of counterparty risk associated with default risk, as well
as with timing differences between parties.

Pre-settlement risk

● Pre-settlement risk is the possibility that one party in a contract will fail to meet
its obligations under that contract, resulting in default before the settlement
date.
● This default by one party would prematurely end the contract and leave the
other party to experience loss if they are not insured in some way.
Systematic Risk

Systematic risk refers to the risk inherent to the entire market or market
segment.

Systematic risk, also known as undiversifiable risk, volatility risk, or market
risk, affects the overall market, not just a particular stock or industry.
Credit Risk Boundary Issues
• Internal processes – the efficiency and effectiveness of the credit administration
operations, including:
  • prescribed management policies and procedures, monitoring and documentation
  • adequacy of controls over all back-office procedures
  • contractual requirements
  • legal covenants
  • collateral management.

• Systems – the accuracy and timeliness of credit risk information provided to
management information systems.

• People – adequate segregation of duties.


Credit Risk Measurement Techniques

• credit exposure
• credit risk premium
• credit ratings.

Credit exposure is the amount that can potentially be lost if a debtor
defaults on its obligations.
It is used to quantitatively assess the severity of credit risk from:
• counterparties, and
• portfolios.
Credit exposure consists of two parts:
1. current exposure, and
2. potential future exposure.

The current exposure is the current obligation outstanding, which is normally
fairly straightforward to calculate.

Potential future exposure is an estimate of the likely loss at some point in the
future and this is harder to calculate because of uncertainty arising from:
• credit facilities which banks make available to companies – and, by their
nature, these are often not actually drawn down until the company is in
financial trouble
• financial instruments which have different future economic values
according to circumstances which have not yet arisen, such as changes in
interest rates.
Credit Risk Premium
● A credit risk premium is the difference between the interest rate a firm pays
when it borrows and the interest rate on a default-free security, such as a
government bond.

● The premium is the extra compensation the market or financial institution
requires for lending to a firm that has a risk of defaulting.

● As an obligor’s credit risk increases, lenders demand a higher credit risk
premium through an increase in the amount of interest paid.

● This increase is necessary to offset the heightened probability that the loan
will not be repaid in accordance with its terms.
Credit Ratings
There is a strong relationship between credit risk premium and credit rating.
In theory, the higher the rating is, the more creditworthy the obligor is and the
lower the obligor’s risk premium.

This means that the cost of borrowing will be less for a higher rated firm as a
reflection of its lower likelihood to default.

From the perspective of potential investors and lenders, one measure of a firm’s
credit risk is its credit rating. A credit rating is an expression of a firm’s
creditworthiness and financial health.

An independent credit rating agency will assign a credit rating to companies based
on ‘numeric’ factors, such as the analysis of the company’s financial statements.
Role and Influence of Credit Rating Agencies

• Help investors make well informed investment decisions
• Provide credit scores to companies, nations, and fixed income debt securities
• Encourage entities to pay on time and clear off their duties regularly
• Depict the likelihood of a borrower to default or repay a loan with interest
• Enable nations and states to sell bonds to investors in domestic and
international markets
Credit rating agencies in India
1. CRISIL (Credit Rating Information Services of India Limited)

2. ICRA (Investment Information and Credit Rating Agency) Limited

3. CARE (Credit Analysis and Research Limited)

4. India Ratings and Research Pvt. Ltd.

5. Brickwork Ratings India Pvt Ltd.

6. Acuite Ratings and Research Limited

7. SMERA Ratings Limited

8. Infometrics Valuation and Rating Pvt Ltd


Factors affecting Credit Ratings
Past repayment behavior

Loan portfolio

Market Reputation

Future prospects of Business


Merits of Credit rating

• Helps in Investment Decisions
• Freedom of Investment Decision
• Choice of Instruments
• Assurance of safety
• Dependency on Rating
• Continuous Monitoring
• Good Corporate Image
• Easy to Raise Fund
• Lower the Cost of Public Issue
• Easy and Lowers Cost of Borrowing
• Help Non-popular Companies
• Rating Facilitates Growth

Demerits of credit rating

• Non-disclosure of Important Information
• Possibility of Biasness
• Problems for New Company
• Rating is not Certificate of Soundness
• Static in Nature
• Difference in Rating Grades
Counterparty Credit Risk and
Applications in Practice
The key issues relating to counterparty credit risk and
applications in practice:
Probability of default (PD),
Loss given default (LGD),
Exposure at default (EAD),
Recovery rates (RR),
credit events, maturity, wrong way risk, non-performing assets
For credit risks associated with loan defaults, we can say that:
Expected loss (EL) = PD x EAD x LGD

where:
PD = Probability of Default (%)
EAD = Exposure at Default (Amount)
LGD = Loss Given Default (%)
These terms will be explained in more detail, as will the following related
credit risk concepts:
• credit events
• maturity.
When a counterparty defaults on payment, the loss to the bank is not necessarily the total of what the
counterparty owes.

For example, if Newbank lent ABC Co. £500 million, and ABC then defaulted, how much would
Newbank lose?

• Newbank may have a guarantee in place with ABC and may be able to reclaim some of that
amount through the legal process. In addition, ABC may have placed collateral with Newbank
which would offset some of the loss to the bank.

• If the actual loss is £300 million then the loss given default (LGD) would be 60% (LGD is
expressed as a percentage).
Probability of default (PD) & Exposure at
default (EAD)
The probability of default (PD) of a borrower or group of borrowers is a measure
of the likelihood of failing to pay what they owe.
• The bank will estimate the probability of default using historical experience and
empirical evidence.
• The higher the default probability estimate, the higher the interest rate the
lender will charge the borrower to compensate for the higher default risk.

The exposure at default (EAD) is the amount which a bank will be exposed to in
the future at the point of a potential default.
EAD and Maturity
EAD will also depend on the maturity, or ‘time to completion’, of the loan
arrangements.

The longer the time to maturity, the larger is the probability that the credit quality
will decrease, as the obligor has both an increased opportunity and perhaps an
increased need to draw down the remaining credit line.

When a bank’s counterparty defaults, the bank may lose all the market value of the
position, but often a certain ‘recovery value’ is to be found through bankruptcy
proceedings or other agreed settlement.

The amount it is likely to recover is called the ‘recovery value’, or, expressed as a
percentage, the recovery rate (RR). RR = 100% – LGD
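The loss formulas from the two passages above (EL = PD × EAD × LGD, and RR = 100% − LGD) carried through in Python, as an added example for this page rather than the course's own material. The £300 million loss on the £500 million Newbank lent ABC Co. is the text's own figure; the PD values, the split of ABC's facility into drawn and undrawn amounts, the `exposure_at_default` simplification and the second loan are all constructed assumptions.

```python
# Added example: EL = PD x EAD x LGD and RR = 100% - LGD, applied to the
# Newbank / ABC Co figures from the text. PDs and the second loan are assumed.


def loss_given_default(exposure, actual_loss):
    """LGD as a fraction of the exposure: £300m lost on £500m lent gives 0.60."""
    if exposure <= 0:
        raise ValueError("exposure must be positive")
    if not 0 <= actual_loss <= exposure:
        raise ValueError("actual loss must lie between 0 and the exposure")
    return actual_loss / exposure


def recovery_rate(lgd):
    """RR = 100% - LGD, expressed here as a fraction (LGD 0.60 -> RR 0.40)."""
    return 1.0 - lgd


def expected_loss(pd, ead, lgd):
    """EL = PD x EAD x LGD, with PD and LGD as fractions and EAD as an amount."""
    return pd * ead * lgd


def exposure_at_default(drawn, undrawn, expected_drawdown):
    """Assumed simplification for a credit facility: EAD is the amount already
    drawn plus the share of the undrawn line the obligor is expected to draw
    before defaulting. The text notes facilities tend to be drawn down once the
    company is in financial trouble, so this share is often high."""
    if not 0.0 <= expected_drawdown <= 1.0:
        raise ValueError("expected_drawdown must be a fraction between 0 and 1")
    return drawn + expected_drawdown * undrawn


# Constructed loan book (amounts in £). ABC Co's £300m loss on £500m is the page's
# example; the PD of 2%, the 400/200 facility split and XYZ Ltd are assumed.
SAMPLE_LOANS = [
    {"obligor": "ABC Co", "pd": 0.02,
     "ead": exposure_at_default(drawn=400_000_000, undrawn=200_000_000, expected_drawdown=0.5),
     "lgd": loss_given_default(exposure=500_000_000, actual_loss=300_000_000)},
    {"obligor": "XYZ Ltd", "pd": 0.05, "ead": 100_000_000, "lgd": 0.45},
]


def portfolio_expected_loss(loans):
    """Sum of the individual expected losses across the book."""
    return sum(expected_loss(loan["pd"], loan["ead"], loan["lgd"]) for loan in loans)


if __name__ == "__main__":
    for loan in SAMPLE_LOANS:
        el = expected_loss(loan["pd"], loan["ead"], loan["lgd"])
        print(f"{loan['obligor']}: EAD £{loan['ead']:,.0f}  LGD {loan['lgd']:.0%}  "
              f"RR {recovery_rate(loan['lgd']):.0%}  EL £{el:,.0f}")
    print(f"Portfolio EL £{portfolio_expected_loss(SAMPLE_LOANS):,.0f}")
```

For ABC Co the EAD comes to the £500 million the text lends, the LGD to 60% and the recovery rate to 40%; at an assumed 2% PD the expected loss is £6 million. Changing `expected_drawdown` is the quickest way to see why the text calls potential future exposure the harder part of the calculation: the PD and LGD stay fixed while EAD, and so EL, move with an assumption about behaviour that has not yet happened.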
Credit Events

It is important for firms to know when a credit risk has materialised because
that will trigger certain actions on the part of the bank and other creditors of
the bankrupt firm.

Although the term ‘credit event’ is a recognised industry trigger point, it does
not have a precise definition.

It is commonly understood to include bankruptcy, insolvency, receivership,
or simply a failure to meet payment obligations when due.

A credit event can also be simply a credit-rating downgrade.

Wrong Way Risk
❖ Wrong way risk (which is often referred to as wrong way exposure) is defined by
the International Swaps and Derivatives Association (ISDA) as the risk that
occurs when ‘exposure to a counterparty is adversely correlated with the credit
quality of that counterparty’.

❖ This is because the nearer to default the counterparty moves, the lower the value
of its equities and hence the less they provide the required cover against default.
Non-Performing Assets
• Non-performing assets are loans whose repayments are not being made on time. If payments
are late for a short time, a loan is classified as past due.
• Once a payment becomes really late (usually 90 days), the loan is classified as
non-performing.

• A high level of non-performing assets compared to similar lenders may be a sign of problems,
as may a sudden increase in the level of non-performing assets.

• Some banks lend to higher-risk customers than others and, therefore, tend to have a higher
proportion of non-performing debt, but will compensate for this by charging borrowers higher
interest rates.

• Equally, where the loan is backed by security, a default will be less of a concern than in the
case of an unsecured loan.
Credit Risk Management - Credit Risk Protection and Mitigation

• Underwriting standards
• Guarantees
• Credit limits
• Netting
• Insurance/credit derivatives
• Collateral
• Diversification
• Credit default swaps
• Collateralised debt obligations, loan sales and securitisation
• Central counterparties
Underwriting Standards
Underwriting standards are the standards that financial institutions apply to
borrowers to evaluate their creditworthiness and, therefore, manage the risk of
default.
Evaluation requires specific knowledge of their business and includes:
• a review of the borrower’s cash flow and financial statements
• the consideration of earnings, profit margin and outstanding debt
• analysis of industry variables such as competitive pressures, product cycles
and future growth potential
• controlling the terms of the loan, eg, limiting loan size, establishing a
repayment schedule and requiring additional collateral for higher risk loans.
Guarantees
❖ To make their bond issues more attractive to investors, many issuers arrange for
another organisation, generally one with very strong finances, to guarantee the debt.
❖ This means that if the issuer cannot pay the interest or capital from its own resources,
the guarantor will make the repayments.
❖ The investor, therefore, relies on the creditworthiness of the guarantor, as opposed to
that of the issuer, for security. This exposes the investor to the counterparty risk
associated with the guarantor.
❖ In the same way, smaller companies also make use of guarantees from third parties in
order to more easily obtain loans from banks.
❖ For the borrower there is a cost associated with obtaining a guarantee, but this would
be offset by the ability to gain access to lower-cost funding.
Credit Limits

Credit limits are maximum limits for all aspects of credit exposure
set by financial institutions.

Firms need to establish overall credit limits at the level of:
• individual borrowers
• counterparties, and
• groups of connected counterparties.
Netting Agreements

A netting agreement allows two parties that exchange multiple cash flows
during a given day to agree bilaterally to net those cash flows to one payment
per currency.

This reduces each party’s settlement risk, and also reduces transaction costs
and communication expenses.

To actually reduce risk, such agreements need to be sound and legally
enforceable.

The diagram above shows the end-of-day commitments between parties
A, B and C. No netting agreement is in place.

If, for instance, party C defaulted on its commitments, the replacement
costs would be £4 million for party A and £6 million for party B.

The diagram above shows the same commitments but this time a netting agreement
exists between each party. The cash flows shown above reflect the net obligation
between each party.

Now if party C defaults, the replacement costs would be only £2 million for party
A and £3 million for party B.
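The three-party netting example above, reworked in Python as an added illustration (not the course's own material; the diagrams themselves are not reproduced here). The gross obligations are constructed so that the replacement costs come out as the text states, £4m and £6m without netting and £2m and £3m with it, when party C defaults; the A–B flows are arbitrary. The netting is done per pair of parties and per currency, as the text describes.

```python
from collections import defaultdict

# Constructed end-of-day obligations, not the page's diagram: (payer, payee, currency,
# amount in £ millions), chosen so that C's default costs A £4m / B £6m gross and
# A £2m / B £3m after bilateral netting, matching the figures in the text.
GROSS_OBLIGATIONS = [
    ("C", "A", "GBP", 4.0), ("A", "C", "GBP", 2.0),
    ("C", "B", "GBP", 6.0), ("B", "C", "GBP", 3.0),
    ("A", "B", "GBP", 5.0), ("B", "A", "GBP", 1.0),
]


def net_bilateral(obligations):
    """Apply a bilateral netting agreement: for each pair of parties and each currency,
    collapse all flows into a single payment from the net obligor to the other party.
    Pairs whose flows cancel exactly produce no payment at all."""
    gross = defaultdict(float)
    for payer, payee, ccy, amount in obligations:
        gross[(payer, payee, ccy)] += amount
    netted = []
    for (payer, payee, ccy), owed in gross.items():
        owed_back = gross.get((payee, payer, ccy), 0.0)
        if owed > owed_back:                      # only the net obligor pays
            netted.append((payer, payee, ccy, owed - owed_back))
    return sorted(netted)


def replacement_cost(obligations, defaulter):
    """Settlement exposure of each surviving party to the defaulter: the amount the
    defaulter still owed it, which it would have to replace in the market. Summed
    across currencies here for simplicity."""
    cost = defaultdict(float)
    for payer, payee, ccy, amount in obligations:
        if payer == defaulter:
            cost[payee] += amount
    return dict(sorted(cost.items()))


if __name__ == "__main__":
    print("No netting agreement:", replacement_cost(GROSS_OBLIGATIONS, "C"))
    netted = net_bilateral(GROSS_OBLIGATIONS)
    print("Net obligations:", netted)
    print("With netting agreement:", replacement_cost(netted, "C"))
```

The reduction only holds if the netted figure is what a court or administrator will actually enforce against C's estate; if the agreement is not legally sound, A and B are back to the gross exposures, which is the point the text makes about enforceability.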
Collateral
Collateral is an asset held by a lender on behalf of an obligor, under certain
agreed conditions, as security for a loan.

It can be a physical asset (such as a house that secures a mortgage loan), or can
be in the form of cash or securities, and is used by the lender as a form of
insurance to reduce credit exposure to a counterparty.

In the event that the obligor defaults, the lender may retain the collateral.

Collateral is used to mitigate credit risk for a variety of transactions, such as
foreign exchange forwards, securities lending and derivatives.

A collateral arrangement can be:

• A unilateral arrangement means that one party gives collateral to the other.

• A bilateral arrangement allows for two-sided obligations, such as a swap or foreign
exchange forward. In this situation, both parties may post collateral for the value of
their total obligation to the other.

• A netted arrangement means that the net obligation may be collateralised so that, at
any point in time, the party which is the net obligor posts collateral for just the value
of the net obligation.

• In a typical arrangement, the collateral is periodically marked-to-market (ie, its
present value is calculated using current market prices/rates), and the amount
adjusted to reflect changes in value.
Diversification
Diversification can be used as a means of reducing portfolio credit risk by ensuring that the
portfolio is spread across borrowers in different, negatively correlated industry sectors that
have an inverse economic relationship to each other.

This approach enables institutions to avoid unacceptable concentrations of credit risk
because when one industry sector enters a downturn and its borrowers start to default, the
other sector might be booming.

The earnings of some of the loans in the portfolio will therefore offset the losses of others,
making it less likely that the portfolio will lose money overall.

The portfolio ‘highs’ will not be as high, but neither will the ‘lows’ be as low, and so the
volatility of returns will be lower.
Insurance and Credit Derivatives
In addition to loan-based instruments such as bonds, a range of ‘secondary’ instruments exist
which derive their value from an underlying loan or series of loans.

These are called credit derivatives, and the two most common types are the credit default swap
(CDS) and the collateralised debt obligation (CDO).

In the simplest form of CDS, the bank making a loan pays a premium to a third party that, in
turn, agrees to make the bank whole in the event of a default on the underlying loan or bond.

This transaction resembles an insurance contract, where the insured pays a premium to a third
party (an insurance company) in return for a promise to make the insured whole in the event of
a loss.
Credit Default Swaps (CDSs)
As with other credit derivatives, institutions can use CDSs to increase or decrease their credit
exposure to a particular counterparty, for a particular period of time.
They are attractive because they allow financial institutions to:
• buy (or sell) a form of insurance to mitigate their (or the other party’s) credit risk
• improve their portfolio diversification by reducing undesirable credit risk
concentrations
• customise their credit exposure to another party without having a direct relationship
with them
• transfer credit risk without adversely affecting the customer relationship.

CDS contracts are an important innovation in credit risk mitigation, but they can also expose
the user to other types of risk such as operational, counterparty, liquidity and legal risks.
Example of a Credit Default Swap (CDS)

As we have seen, a CDS is a form of insurance against counterparty default. It is a bilateral
financial contract in which one counterparty (the protection buyer) pays a periodic or one-off fee
(typically expressed in basis points on the notional amount). This is in return for a payment by the
other counterparty (the protection seller) if a credit event (see above) ever occurs to some other
party, called the reference entity or asset.

In the diagram above, Institution B purchases bonds (the reference asset) from Customer C
(the reference entity). B then enters into a CDS with Institution A, whereby B pays A a fixed
periodic coupon, or one-off fee, for the life of the swap. In return, if Customer C defaults due to
a credit event, A pays B the default amount and the swap then terminates.

This provides B with protection against the possibility of C defaulting on its payments, as A
assumes the credit risk. Institution B is exposed instead to the counterparty risk associated with
Institution A.
CDOs, Loan Sales and Securitisation

Lenders with loans on their balance sheets can create an income stream from those loans, assuming
that they continue to perform. Instead of simply relying on the underlying income stream as a source
of revenue running for the length of the loan agreement, the lender can choose to sell the loans to
another institution in order to receive an immediate ‘lump sum’ payment. This is a loan sale.

Another form of loan sale is securitisation, and the process involves a number of participants. The
‘originator’ is the firm whose assets are being securitised. The most common process involves an
‘issuer’ acquiring the assets from the originator and issuing bonds to finance the purchase of the
securitised loans. The income stream from the underlying loans is then used to repay the bondholders.
Central Counterparties (CCPs)
The use of a central counterparty (CCP), or clearing house, is a method used by many exchanges
to reduce credit risk.
The clearing house acts as the guarantor of all transactions, limiting the exposure of its clearing
members by protecting them from defaults.
Rather than two members of an exchange being involved in a direct counterparty-to-counterparty
contract (and so assuming each other’s credit risk), the clearing house acts as a simultaneous
counterparty to each.
If one clearing member defaults, the clearing house will guarantee the performance of the
contract to the other member. CCPs also boost the scope for netting among the members of an
exchange.
For clearing houses to be able to reduce credit risk, they need to have significant resources to
cope with any potential defaults. They obtain these resources through capital supplied by:
• their members
• fees generated by the exchange, or
• other parties that do not have a direct relationship with their market.
Managing and Measuring Credit Risk

• Credit scoring systems
• Factor inputs
• Stress testing
• Segmentation
• External ratings
• Internal credit rating
• Credit limits
• Impairment
• Provisioning
• KPIs
Credit Scoring Systems
Credit scoring systems include using questionnaires and standard credit request
application forms which are subsequently scored.

The questions are chosen to enable standardized credit profiles to be applied to new
applicants, and would include:
• age
• credit history
• occupation
• years in current job
• home owner or renting.

Credit scoring for firms would include the factor inputs described below.
Banks should also consider the results of stress testing as part of their overall credit
risk limit setting and monitoring processes.
Factor Inputs

• Financial inputs - firm’s earnings, cash flow, asset values, liquidity,
leverage, financial size and debt capacity

• Non-financial inputs - management quality, governance structure,
industry characteristics, country risk, credit rating.

• Extraordinary inputs - court actions, other one-off factors that
emerge from time to time and which could impact the firm’s ability to
honour its commitments.
Stress testing
Identifying possible events or future changes in economic conditions that could
have unfavourable effects on a bank’s credit exposures, and assessing the bank’s
ability to withstand such changes.

Areas for stress testing which it is recommended that banks could ‘usefully examine’
are:
• Economic or industry downturns
• Interest rate and other market movements
• Market-risk events, and
• Liquidity conditions.
Segmentation

Under Basel, retail banking attracts less capital compared to
commercial banking, and banks have to provide regulators with PD,
LGD, and EAD statistics for clearly differentiated segments of their
portfolios.

Segmentation should be based
(i) on credit scores (or some equivalent measure), and
(ii) on the time that the transaction has been on the bank’s books.
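The segmentation just described, as an added Python example for this page (not from the course or any bank's reporting system): a constructed loan book is split by credit-score band and by time on the bank's books, and PD, LGD and EAD statistics are produced per segment in the form a regulator would ask for. The score cut-offs, the 12-month seasoning boundary and the loan records are all assumptions; the text names the two dimensions but gives no thresholds.

```python
from collections import defaultdict
from datetime import date

# Constructed loan book, not from the page: one row per exposure with its credit
# score, booking date and the bank's PD / LGD / EAD estimates (EAD in £).
LOAN_BOOK = [
    {"id": "L1", "score": 720, "booked": "2021-03-01", "pd": 0.010, "lgd": 0.40, "ead": 100_000},
    {"id": "L2", "score": 710, "booked": "2023-01-15", "pd": 0.015, "lgd": 0.40, "ead": 300_000},
    {"id": "L3", "score": 650, "booked": "2022-02-01", "pd": 0.040, "lgd": 0.50, "ead": 200_000},
    {"id": "L4", "score": 580, "booked": "2023-04-10", "pd": 0.100, "lgd": 0.60, "ead": 50_000},
    {"id": "L5", "score": 740, "booked": "2022-11-20", "pd": 0.012, "lgd": 0.35, "ead": 100_000},
]


def score_band(score):
    """Assumed score bands: the page does not specify cut-offs."""
    if score >= 700:
        return "A"
    if score >= 600:
        return "B"
    return "C"


def months_on_book(booked, as_of):
    """Whole months between the booking date and the reporting date."""
    booked = date.fromisoformat(booked)
    return (as_of.year - booked.year) * 12 + (as_of.month - booked.month)


def seasoning(months):
    """Assumed seasoning split at one year on the bank's books."""
    return "<12m" if months < 12 else ">=12m"


def segment_statistics(loans, as_of):
    """Group loans by (score band, seasoning) and report per-segment PD, LGD, EAD
    and expected loss. Returns a dict keyed by the segment tuple."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    groups = defaultdict(list)
    for loan in loans:
        key = (score_band(loan["score"]), seasoning(months_on_book(loan["booked"], as_of)))
        groups[key].append(loan)
    stats = {}
    for key, members in groups.items():
        ead = sum(m["ead"] for m in members)
        stats[key] = {
            "count": len(members),
            "ead": ead,
            # EAD-weighted averages, so large exposures drive the segment's parameters
            "pd": sum(m["pd"] * m["ead"] for m in members) / ead,
            "lgd": sum(m["lgd"] * m["ead"] for m in members) / ead,
            # expected loss summed loan by loan (EL = PD x EAD x LGD)
            "expected_loss": sum(m["pd"] * m["ead"] * m["lgd"] for m in members),
        }
    return stats


if __name__ == "__main__":
    for (band, season), s in sorted(segment_statistics(LOAN_BOOK, "2023-06-30").items()):
        print(f"band {band} {season:>5}: n={s['count']}  EAD £{s['ead']:,}  "
              f"PD {s['pd']:.2%}  LGD {s['lgd']:.1%}  EL £{s['expected_loss']:,.0f}")
```

The weighting matters: averaging PD by count would treat a £50,000 loan and a £300,000 loan alike, whereas the regulator is interested in where the money is. Segments with only one loan, as here, are a sign the banding is too fine for the book; in practice segments are sized so that each holds enough defaults to make the PD estimate meaningful.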
External Ratings

Although the information provided by external rating agencies can be useful, it
is of limited value to the needs of a sophisticated credit risk management
function.

This is because it is often too historic and credit rating agencies have, to date,
been slow in their response to adverse events.

In addition, the output from the credit rating agencies may not be detailed
enough to fully meet the firm’s requirements and is not as sensitive to changes
as the firm’s own analysis.
Internal Credit Rating
A well-structured internal risk rating system is a good means of differentiating the
degree of credit risk in the different credit exposures of a bank.

This allows more accurate determination of the overall characteristics of the credit
portfolio, concentrations, problem credits and the adequacy of loan loss reserves.

More detailed and sophisticated internal risk rating systems, used primarily at larger
banks, can also be used to determine internal capital allocation, pricing of credits, and
profitability of transactions and relationships.

In addition, it avoids the issue of ‘split ratings’, when a counterparty or financial
instrument attracts different external ratings (sometimes differing by several notches) by
different rating agencies.
Impairment
Indicators that a loan is impaired include:
• Information about significant financial difficulties of the borrower (eg, as
indicated by liquidity or cash flow projections)

• An actual breach of contract (eg, delay in the borrower making principal or
interest payments)

• A high probability of bankruptcy or other financial reorganisation of the borrower
(eg, as indicated by a downgrading of credit status by a credit rating agency)

• The granting by the lender to the borrower, for economic or legal reasons relating
to the borrower’s financial difficulties, of a concession that the lender would not
otherwise consider.
Provisioning

Loan impairment will result in a loss for the lending firm, and the firm
therefore needs to set aside an allowance for this loss in its accounts.

This is the equivalent of a manufacturing company’s allowance for returns
on goods sold, and is known as provisioning.
