Operational risk

Operational risk refers to risks to a company that arise outside of typical business risks and can cause damage. In banking (since January 2007) and insurance (since January 2009) in particular, there are regulations that stipulate how to deal with operational risks.

General

Entrepreneurial activity is exposed to a multitude of risks, which can be divided into entrepreneurial and operational risks. The entrepreneurial risks include, for example, the risk of faulty production, product liability or the debtor risk (see also: risk report). In addition, however, there are risks that can also lead to damage, for example from organizational or communicative weaknesses. These are the so-called operational risks. Since they were often observed at credit institutions and had led to damage that threatened the very existence of some of them, a legal regulation was considered necessary. At the same time, operational risks were also discussed in the insurance sector.

Operational risks in banking

The high losses in the banking system from non-banking risks were the trigger for legislative measures. In banking, no consideration was given to the fact that operational risks behave asymmetrically, so that their presence does not necessarily lead to higher earnings opportunities.

History

Between 1994 and 1999, credit institutions incurred an estimated $12 billion in losses due to internal errors alone. The share of operational risks in the overall risk of banks is generally estimated to be between 25% and 35%; in their annual reports, major German banks assumed between 10% (WestLB AG) and 18.5% (Deutsche Bank) for 2005.

Some spectacular cases with high media impact can be assigned to operational risks:

The developments at Herstatt-Bank, Barings Bank and Société Générale have shown that losses in proprietary trading were caused by unexpected, negative market movements, which the responsible traders did not report to the responsible bodies of the bank, but concealed. This is essentially human error due to misconduct, because work instructions require the escalation of important information to higher hierarchical levels. In addition, in these cases there was also an overrun because the existing dealer limits were not adhered to.

Legal regulation

Basel II took up these operational risks for the first time in February 2003 and ensured legal implementation in participating countries around the world. In Germany this took place in January 2007, initially through Section 269 (1) SolvV (old version). Since the Capital Adequacy Ordinance (CRR) took over these regulatory provisions in January 2014, the legal definition of operational risk is now found in Art. 4 Para. 1 No. 52 CRR. Operational risk is therefore the “risk of losses caused by the inappropriateness or failure of internal processes, people and systems or by external events, including legal risks”.

The synoptic comparison with the former SolvV shows that the two provisions do not completely match. In relation to the SolvV, strategic and reputational risks are no longer mentioned in the Capital Adequacy Ordinance.

  • Strategic risk is the danger that long-term potential for success is incorrectly assessed, not further developed or not newly developed. This includes the know-how or the motivation of the employees, IT competence, problem solutions or product developments, but also the loss of profitable bank customers or the violation of antitrust law. Strategic risks are associated with a high level of uncertainty and are difficult to quantify. That was the reason for their omission.
  • Reputational risks can arise from all types of risk. Reputational risk is the danger that a bank's reputation will be damaged as a result of negative public perception. For example, a significant loan default, which is one of the typical bank credit risks (for example, the large loans from SMH Bank to IBH Holding), can also damage the bank's reputation. Reputational risks are also difficult to quantify because of the lack of time and are no longer included in operational risk under the Capital Adequacy Ordinance.

The Basel Committee on Banking Supervision makes the rather general requirement:

“Banking regulators need to ensure that banks have internal controls that are appropriate to the nature and scope of their business. This includes precise rules for the delegation of powers and responsibilities, the separation of functions that relate to entering into obligations for the bank, the disposal of funds and the accountability of its assets and liabilities, the coordination of these functions, the safeguarding of assets as well as appropriate independent internal and external auditing and compliance functions to review these regulations ...”

More specifically, this requirement is expressed in the sentence: “The supervisory authorities should ensure that management ensures effective internal control and audit procedures. In addition, business policy principles should be established for managing or reducing operational risk. The banking supervisory authorities should ensure that the banks have adequate and well-tested plans for the resumption of the operation of all important IT systems, with alternative options in another location in order to be prepared for operational disruptions.”

Content

The operational partial risks can be systematized as follows from the legal definition:

  • Internal to the bank: personnel risks, process and structural risks as well as system and technology risks. Personnel risks include incorrect behavior on the part of bank staff as a result of negligent or deliberate failure to comply with internal and/or external regulations (malicious deception, forgery of documents, fraud, embezzlement, breach of trust). Losses that are not intentionally inflicted by employees are assigned to the “internal procedures” category (also known as “processes”). This includes transaction errors and errors caused by misunderstandings. Excessive work intensification can also be a personnel risk. The other risks arise from inadequate or non-functioning processes or systems and infrastructures. The technical risk relates to possible losses that can be traced back to problems with technical systems (failure of the IT or telephone system). The organizational risk is the risk that unexpected losses may arise due to the operational process and organizational structure.
  • External events: These must have an impact on the bank and lead to damaging disruptions to the operational process there. The types of events range from power outages, bank robberies and hostage-taking to terrorist attacks and natural disasters.
  • Legal risks: These can arise from incorrect or imprecise investment advice, contestable or void contract drafting, or missing or incorrect disclaimers. These legal defects must materialize as damage through legal disputes with the affected contractual partners.

Differentiation from credit risk

Differentiation from other types of risk can cause difficulties in individual cases. The most common overlap concerns operational risks within credit risk. This means that a credit default was not caused by the actual credit risk, but rather by an operational risk. This can be due to internal or external causes.

Examples:

  • Employee errors: for example in the documentation, exceeding competence, granting credit to non-existent customers for their own benefit;
  • System failure: immature or incomplete tools for monitoring risk or managing collateral;
  • Internal processes: poor interfaces in the lending process;
  • External causes: submission of falsified creditworthiness documents (pay slips / balance sheets).

In practice, the operational risk related to credit can ultimately be differentiated from the classic credit risk by whether the credit default can be attributed to a deterioration in creditworthiness (credit risk) or not (operational risk).

Measurement approaches in the area of operational risks

Like the loan portfolio, operational risks at banks must be backed by equity. Three approaches are available for calculating the own funds requirements for operational risks. The measurement approaches increase in sophistication and complexity in the order named: basic indicator approach, standard approach and advanced measurement approach (AMA for short: internal measurement approach, loss distribution approach, scorecard approach). While a single number is determined for the entire group under the basic indicator approach, the standardized approach allows a distinction to be made between different business areas, with correspondingly adjusted risk weights. Calculation formulas are already specified for both approaches in the Basel Capital Accord. The AMA, on the other hand, gives banks a great deal of leeway to determine their operational risks using their own measurement methods. It is also possible to combine the standard approach with the AMA. Because of the flexibility of both measurement approaches, both the standard approach and the AMA come with a catalogue of requirements that must at least be met in order to use the respective approach.

In general, the more ambitious approaches increase the complexity and risk sensitivity and the quantitative and qualitative requirements are higher. On the other hand, these approaches reduce the level of the capital adequacy requirement compared to the simple approaches.

The data basis is a major problem in the practical implementation of ambitious approaches. Almost no bank has a sufficiently long data history that would allow operational risks to be measured on its own. Basel II therefore explicitly requires banks to use external data. On the one hand, such external databases can be bought from commercial providers who collect data professionally from press reports etc. On the other hand, institutions come together to form data consortia in which they exchange loss data with one another.

The requirements for this are specified in Regulation (EU) No. 575/2013 (Capital Adequacy Regulation) (Part 3, Title III) and Directive 2013/36/EU (Capital Requirements Directive); the former is directly applicable law in Germany together with the German Banking Act.

  • The two standard approaches use items in the income statement. The simple standardized approach only requires notification, while the alternative standardized approach requires approval.
  • The advanced measurement approach requires approval by BaFin.

Operational risks in insurance

The typical insurance risks can be divided into investment risks, underwriting risks and operational risks. A market study by KPMG from 2007 saw "considerable potential for improvement" in the operational risks in insurance companies. According to the study, the need for risk capital for operational risks in insurance companies is estimated at only 4.1%. For this reason, BaFin also dealt with the operational risk in insurance companies in a circular from January 2009 specifying the provisions of Sections 64a and 104a VAG. Section 64a VAG was adjusted accordingly in 2014. “Operational risk describes the risk of losses due to inadequate or failed internal processes or from employee and system-related or external incidents. Operational risk also includes legal risks, but not strategic and reputational risks.” Strategic and reputational risks have also been excluded from operational risk for insurance companies. All other content materially corresponds to the legal definition of operational risks at banks.

According to Section 25a (1) of the KWG, credit institutions must have a proper business organization "which ensures compliance with the legal provisions to be observed by the institution and the economic necessities." A similar provision is contained in Section 23 VAG for insurance companies. The purpose of both regulations is to ensure legal conformity in these economically important sectors.

Management of operational risks

The current legal situation forces credit institutions and insurance companies to monitor operational risks by institutionalizing this task in management. Banks and insurance companies can shift some operational partial risks onto insurance companies, which, however, entails higher insurance premiums and thus profit reductions (in each case the premium is weighed against the reduction of the cost of capital). Insurance is an important instrument for the active management of operational risks by partially or fully compensating for damage. The following operational risks can be insured:

If banks and insurance companies want to bear all or part of these risks themselves by way of non-insurance, they must first identify their operational risks and take organizational precautions (by improving internal work instructions, staff training, redundancy systems) in order to avoid damage. Any damage that occurs nevertheless must be recorded and, being uninsured, charged to the income statement as an extraordinary expense. A damage analysis then ensures the investigation of the causes of damage and their future avoidance. Non-insurance also helps to avoid moral hazard, because damage arising from operational risk must be borne by oneself.

Literature

  • Johannes Wernz: Bank Management and Control. Springer Nature, 2020, ISBN 978-3-030-42866-2
  • Andreas Peter, Johannes Wernz: Operational Risks, in: Risk Manager, Issue 23/2012, pages 11–18.
  • Basel Committee on Banking Supervision: Sound Practices for the Management and Supervision of Operational Risk (German: Management of Operational Risks - Practical Recommendations for Banks and Banking Supervision), 2003
  • Christian Einhaus: Operational Risks - Basics of the Current Discussion, in: Die Sparkasse, 119 vol., Issue 11, November 2002, pp. 488–490.
  • Marc D. Grüter: Management of operational risks in banks, series of publications by the Center for Earnings-Oriented Bank Management, 2006, ISBN 3-8314-0790-8
  • Oesterreichische Nationalbank / Finanzmarktaufsicht (2005): Management of operational risk
  • Norbert Hofman, Bernd Malakowski: Approaches to the practice-oriented identification and assessment of operational risks, in: Risk Manager, Issue 21/2007, pages 12–17.
  • Hans Hinterhuber, Elmar Sauerwein, Christine Fohler-Norek: Operational risk management, Vienna, 1998