Operational Risk Study Guide
📖 Core Concepts
Operational Risk – loss from failed processes, people, systems, or external events (excludes strategic risk, includes legal risk).
Operational Risk Management (ORM) – continuous cycle: identify → assess → decide (accept, mitigate, avoid) → implement controls.
Risk Tolerance – the maximum operational loss an organization is willing to bear while meeting its objectives.
Three‑Lines‑of‑Defence – governance model where line 1 (business), line 2 (risk/compliance), and line 3 (internal audit) overlap with ORM.
Basel II Event Types – standardized list of loss categories (e.g., internal fraud, external fraud, business disruption).
Capital Calculation Approaches – methods to determine regulatory capital for operational risk (Basic Indicator, Standardized, AMA, SMA).
---
📌 Must Remember
Definition – “loss caused by inadequate or failed internal processes, people, systems, or external events.”
Scope – fraud, security breaches, privacy violations, legal liabilities, environmental incidents.
Characteristics – not diversifiable, cannot be eliminated, managed within a risk‑tolerance band.
Basel III SMA – applies from 1 Jan 2022; uses 10‑year loss history (net of recoveries/insurance).
Basic Indicator Approach – capital = α × Total Revenue, where α = 15 % (standard Basel parameter).
Standardized Approach – capital = Σ (Revenueᵢ × Risk‑weightᵢ) across business lines.
AMA Techniques – Internal Measurement, Loss Distribution, Scenario‑based, Scorecard.
---
🔄 Key Processes
ORM Process
Identify risk events & sources.
Measure/quantify exposure (loss data, indicators).
Monitor key risk indicators (KRIs) & loss events.
Report to governance (risk committees, board).
Implement controls (mitigate/avoid).
Review & improve.
Capital Calculation (Basic Indicator Example)
Collect annual total revenue.
Apply fixed percentage (α = 15 %).
Result = operational risk capital requirement.
SMA Calculation (high‑level)
Gather net loss data for the past 10 years.
Compute the Business Indicator (BI) from revenue.
Apply the SMA formula (BI‑based component + Loss Component).
---
🔍 Key Comparisons
Internal vs. External Fraud
Internal: employee misappropriation, tax evasion, bribery.
External: hacking, theft of information, third‑party forgery.
Basic Indicator vs. Standardized Approach
BIA: single % of total revenue → quick, low data demand.
Standardized: revenue by business line × risk‑weight → more risk‑sensitive, higher data need.
AMA vs. SMA
AMA: internal models, requires regulatory approval, data‑intensive.
SMA: standardized, uses historical loss data, mandatory for all banks after 2022.
Market/Credit Risk vs. Operational Risk
Market/Credit: quantitative models (VaR, PD/LGD).
Operational: qualitative + limited quantitative data, higher uncertainty.
---
⚠️ Common Misunderstandings
“Operational risk is strategic risk.” – Incorrect; strategic risk is excluded.
“All operational losses are covered by insurance.” – Not true; only net losses after recoveries may be used in SMA.
“Higher capital always means lower risk.” – Capital reflects regulatory requirement, not the actual risk level.
“Vendor risk is a separate risk category.” – It is a subset of operational risk (external dependency).
---
🧠 Mental Models / Intuition
“Process‑People‑Systems Triangle” – Any loss can be traced to a weak side of the triangle; strengthening the weakest side reduces overall operational risk.
“Cost‑Benefit Tolerance Curve” – Plot cost of control vs. expected loss reduction; choose the point where marginal cost > marginal benefit (risk‑tolerance boundary).
“Loss Distribution as a Tail” – Think of operational loss data as a heavy‑tailed distribution; extreme events dominate capital needs (focus on tail modeling).
---
🚩 Exceptions & Edge Cases
Legal risk inclusion – Basel definition counts legal risk, but strategic and reputational risks are excluded.
Net loss usage in SMA – If recoveries/insurance cover > 50 % of a loss, the net amount may be zero, reducing SMA capital.
Business lines with zero revenue – Under the Standardized Approach, a line with no revenue contributes zero capital, regardless of risk events.
---
📍 When to Use Which
Quick, low‑resource check → Basic Indicator Approach.
Detailed, business‑line sensitive analysis → Standardized Approach.
Sophisticated institutions with rich loss data → AMA (if regulator permits).
All banks post‑2022 (mandatory) → SMA (no choice).
Vendor‑heavy firms → Emphasize vendor‑risk assessment within ORM framework.
---
👀 Patterns to Recognize
Event‑type clustering – Losses often group into Basel‑II categories; spotting the cluster can guide risk‑weight selection.
Seasonal spikes – Physical‑asset damage (e.g., natural disasters) shows seasonal patterns; adjust monitoring accordingly.
Employee‑error cascades – Small data‑entry errors can trigger larger process failures; look for “root‑cause” links.
---
🗂️ Exam Traps
Mistaking “strategic risk” for “operational risk.” – Remember strategic risk is excluded.
Using total revenue instead of business‑line revenue for the Standardized Approach. – Each line has its own risk weight.
Assuming AMA is always superior. – It may be rejected by regulators if data/validation are insufficient.
Over‑relying on SMA for risk‑management insight. – SMA is a regulatory capital tool, not a substitute for internal risk‑control analysis.
---