Operational Risk E-Book

Table of Contents

Title Page

Copyright Page

Dedication

Preface

About the Authors

CHAPTER 1 - Operational Risk Is Not Just “Other” Risks

EFFECTS OF GLOBALIZATION AND DEREGULATION: INCREASED RISK EXPOSURES

EXAMPLES OF HIGH-MAGNITUDE OPERATIONAL LOSSES

OPERATIONAL LOSSES IN THE HEDGE FUND INDUSTRY

SUMMARY OF KEY CONCEPTS

REFERENCES

CHAPTER 2 - Operational Risk: Definition, Classification, and Its Place among ...

WHAT IS RISK?

DEFINITION OF OPERATIONAL RISK

OPERATIONAL RISK EXPOSURE INDICATORS

CLASSIFICATION OF OPERATIONAL RISK

TOPOLOGY OF FINANCIAL RISKS

CAPITAL ALLOCATION FOR OPERATIONAL, MARKET, AND CREDIT RISKS

IMPACT OF OPERATIONAL RISK ON THE MARKET VALUE OF BANK EQUITY

EFFECTS OF MACROECONOMIC ENVIRONMENT ON OPERATIONAL RISK

SUMMARY OF KEY CONCEPTS

REFERENCES

CHAPTER 3 - Basel II Capital Accord

THE BASEL COMMITTEE ON BANKING SUPERVISION

THE BASEL CAPITAL ACCORD

PILLAR I: MINIMUM CAPITAL REQUIREMENTS FOR OPERATIONAL RISK

PILLAR II: CAPITAL ADEQUACY AND REGULATORY PRINCIPLES

PILLAR III: MARKET DISCIPLINE AND PUBLIC DISCLOSURE

OVERVIEW OF LOSS DATA COLLECTION EXERCISES

THE ROLE OF INSURANCE

COMPLIANCE WITH BASEL II IN PRACTICE

IMPLEMENTING BASEL II: SOME GENERAL CONCERNS

SUMMARY OF KEY CONCEPTS

REFERENCES

CHAPTER 4 - Key Challenges in Modeling Operational Risk

OPERATIONAL RISK MODELS

SPECIFICS OF OPERATIONAL LOSS DATA

SUMMARY OF KEY CONCEPTS

REFERENCES

CHAPTER 5 - Frequency Distributions

BINOMIAL DISTRIBUTION

GEOMETRIC DISTRIBUTION

POISSON DISTRIBUTION

NEGATIVE BINOMIAL DISTRIBUTION

NONHOMOGENEOUS POISSON PROCESS (COX PROCESS)

ALTERNATIVE APPROACH: INTERARRIVAL TIMES DISTRIBUTION

EMPIRICAL ANALYSIS WITH OPERATIONAL LOSS DATA

SUMMARY OF KEY CONCEPTS

APPENDIX: BASIC DESCRIPTIVE TECHNIQUES FOR DISCRETE RANDOM VARIABLES

REFERENCES

CHAPTER 6 - Loss Distributions

NONPARAMETRIC APPROACH: EMPIRICAL DISTRIBUTION FUNCTION

PARAMETRIC APPROACH: CONTINUOUS LOSS DISTRIBUTIONS

EXTENSION: MIXTURE LOSS DISTRIBUTIONS

A NOTE ON THE TAIL BEHAVIOR

EMPIRICAL EVIDENCE WITH OPERATIONAL LOSS DATA

SUMMARY OF KEY CONCEPTS

APPENDIX: BASIC DESCRIPTIVE TECHNIQUES FOR CONTINUOUS RANDOM VARIABLES

REFERENCES

CHAPTER 7 - Alpha-Stable Distributions

DEFINITION OF AN ALPHA-STABLE RANDOM VARIABLE

USEFUL PROPERTIES OF AN ALPHA-STABLE RANDOM VARIABLE

ESTIMATING PARAMETERS OF THE ALPHA-STABLE DISTRIBUTION

USEFUL TRANSFORMATIONS OF ALPHA-STABLE RANDOM VARIABLES

APPLICATIONS TO OPERATIONAL LOSS DATA

SUMMARY OF KEY CONCEPTS

APPENDIX: CHARACTERISTIC FUNCTIONS

REFERENCES

CHAPTER 8 - Extreme Value Theory

BLOCK MAXIMA MODEL

PEAK OVER THRESHOLD MODEL

ESTIMATING THE SHAPE PARAMETER

ADVANTAGES AND LIMITATIONS OF EXTREME VALUE THEORY

EMPIRICAL STUDIES WITH OPERATIONAL LOSS DATA

SUMMARY OF KEY CONCEPTS

REFERENCES

CHAPTER 9 - Truncated Distributions

REPORTING BIAS PROBLEM

TRUNCATED MODEL FOR OPERATIONAL RISK

EMPIRICAL STUDIES WITH OPERATIONAL LOSS DATA

SUMMARY OF KEY CONCEPTS

REFERENCES

CHAPTER 10 - Testing for the Goodness of Fit

VISUAL TESTS FOR THE GOODNESS OF FIT

COMMON FORMAL TESTS FOR THE GOODNESS OF FIT

EMPIRICAL STUDY WITH OPERATIONAL LOSS DATA

SUMMARY OF KEY CONCEPTS

APPENDIX: HYPOTHESIS TESTING

REFERENCES

CHAPTER 11 - Value-at-Risk

INTUITIVELY, WHAT IS VaR?

COMPOUND OPERATIONAL LOSS MODELS AND DERIVATION OF OPERATIONAL VaR

VaR SENSITIVITY ANALYSIS

BACKTESTING VaR

BENEFITS AND LIMITATIONS OF VaR AND ALTERNATIVE RISK MEASURES

EMPIRICAL STUDIES WITH OPERATIONAL LOSS DATA

SUMMARY OF KEY CONCEPTS

REFERENCES

CHAPTER 12 - Robust Modeling

OUTLIERS IN OPERATIONAL LOSS DATA

SOME DANGERS OF USING THE CLASSICAL APPROACH

OVERVIEW OF ROBUST STATISTICS METHODOLOGY

APPLICATION OF ROBUST METHODS TO OPERATIONAL LOSS DATA

SUMMARY OF KEY CONCEPTS

REFERENCES

CHAPTER 13 - Modeling Dependence

THREE TYPES OF DEPENDENCE IN OPERATIONAL RISK

LINEAR CORRELATION

ALTERNATIVE DEPENDENCE MEASURE: RANK CORRELATION

COPULAS

USING COPULAS TO AGGREGATE CREDIT, MARKET, AND OPERATIONAL RISKS

EMPIRICAL STUDIES WITH OPERATIONAL LOSS DATA

SUMMARY OF KEY CONCEPTS

REFERENCES

Index

Copyright © 2007 by Anna S. Chernobai, Svetlozar T. Rachev, and Frank J. Fabozzi. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

Wiley Bicentennial Logo: Richard J. Pacifico

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at www.wiley.com.

eISBN : 978-0-470-41054-7

.

ASCTo my husband, Makan, and my parents

STRTo the memory of my parents, Nadezda Rachevaand Todor Rachev

FJFTo my wife, Donna, and children, Francesco,Patricia, and Karly

Preface

The field of risk management has it origins in the insurance industry. In the 1980s, risk management in manufacturing firms took hold with the adoption of total quality management. It was not until the 1990s that the field of risk management received greater recognition for its importance in financial and nonfinancial corporations. In 1993, for example, GE Capital designated a chief risk officer (CRO), James Lam, charged with the responsibility of managing all aspects of the firm’s risks, including back-office operations. Today, most major firms have as part of their corporate executive staff an individual with the title of CRO who in some cases have a direct line reporting to the board of directors.

As further evidence of the growing importance of the field of risk management, today there are designations that can be earned to identify risk management specialists, just as with accountants (CPAs) and asset managers (CFAs). For example, the Global Association of Risk Professionals (GARP), founded in 1996 and with roughly 58,000 members from more than 100 countries, awards the Financial Risk Management (FRM) certificate upon the completion of a series of examinations. Universities offer not only courses on risk management, but also degrees in the area of financial engineering, with risk management being a major part of the curriculum. The number of books published each year on various aspects of risk management continues to grow. The interest in risk management by the general public is evidenced by the appearance of Peter Bernstein’s book in 1996, Against the Gods: The Remarkable Story of Risk, on the bestseller list in North America and Europe and subsequently translated into 11 languages. Each year at least one new journal appears dedicated to some aspect of risk management.

Often in financial institutions when there is a discussion of risk managment, the two major risks identified are credit risk and market risk. Risks not attributable to either of these two risks are labeled other risks and, unfortunately, do not receive the same level of attention as credit risk and market risk. As we explain in Chapter 1, a number of prominent financial institutions have been shaken by losses in excess of $1 billion each in the past couple of decades. Even worse, many of these failures resulted in bankruptcies. None of these losses, however, were due to credit risk or market risk. Rather, they were attributable to operation risk, one of the risks that has been historically lumped into other risks. The irony is that operational risk, which is at the core of these high-profile failures, appears to be, at least in part, a byproduct of the recent rapid technological innovation, revolutionary advances in information network, financial deregulation, and globalization.

The banking system has faced the painful reality that it is not sufficiently prepared to handle operational risk. Many banks now share the opinion of Roger Ferguson (who served as the vice chairman of the board of governors of the Federal Reserve System from 2001 to 2006), who said in 2003, “In an increasingly technologically driven banking system, operational risks have become an even larger share of total risk. Frankly, at some banks, they are probably the dominant risk.”

As a drastic countermeasure, the Basel Committee for Banking Supervision introduced an amendment to the Basel Capital Accord to support operational risk with regulatory capital and outlined several measurement approaches in 2001. The implementation of the Basel II Capital Accord is expected to begin in January 2007 for all internationally active banks (with a few exceptions and some transitional adjustments).

This brings us to the purpose of this book. With the Basel II deadline approaching, risk managers are overwhelmed with gathering and absorbing the literature related to operational risk modeling and management. In this book, we have summarized all important empirical studies based on real operational loss data (a good number of which have not yet been published in journals) and have further supplemented them with discussions of relevant theoretical background, with the intention of providing the reader with a comprehensive and up-to-date package of practical tools for modeling operational risk. We believe the contents of this book will relieve the risk manager of the burden of collecting, reading, and assessing the literature on operational risk measurement and its implications.

In the first two chapters of this book, we review major operational loss-related banking failures and discuss the concept and specifics of operational risk. Chapter 3 is devoted to the discussion of the three pillars of the Base II Capital Accord and Chapter 4 explains the main challenges that exist in modeling operational risk. Throughout the rest of the book, Chapters 5 to 13, we concentrate on addressing these challenges one by one and discussing the proposed solutions.

We require minimum quantitative background from the reader and have tried to maintain a balanced discussion of the quantitative and practical sides of the topic. All chapters are self-explanatory, and whenever possible, important statistical concepts are illustrated with examples. The chapters after Chapter 4 have a distinct structure: They begin with a summary of the essential statistical and mathematical tools relevant to the topic covered in the chapter, followed by a discussion of the implementation of these tools in practice with real data as reported in empirical studies. At the end of every chapter, we provide an extensive list of references for further reading.

The target audience of our book is expected to be broad, consisting of practitioners, students, and academics who are willing to learn about operational risk and its recent developments. The book can also serve as a test for graduate seminars and specialized MBA courses. The wide range of topics coverd in this book will equip the reader with an essential understanding of the statistics of operational risk and the challenges in their real-world implementation.

We would like to acknowledge the support received in the preparation of this book. Anna Chernobai’s research was supported by various sources of assistance from Syracuse University, University of California at Santa Barbara, and University of Karlsruhe. Svetlozar Rachev’s research was supported by grants from the Division of Mathematical, Life and Physical Sciences, College of Letters and Science, University of California at Santa Barbara, and the Deutschen Forschungsgemeinschaft.

Anna S. Chernobai Svetlozar T. Rachev Frank J. Fabozzi

About the Authors

Anna S. Chernobai is an Assistant Professor of Finance in the Martin J. Whitman School of Management at Syracuse University, New York. She earned her Ph.D. in statistics and applied probability in 2006 from the University of California at Santa Barbara. Her doctorate thesis focused on statistical modeling of operational risk in financial institutions. Professor Chernobai also holds a master’s degree in economics and finance from the Warwick Business School, the University of Warwick, and a master’s degree in economics from the University of California at Santa Barbara.

Svetlozar (Zari) T. Rachev completed his Ph.D. in 1979 from Moscow State (Lomonosov) University, and his Doctor of Science Degree in 1986 from Steklov Mathematical Institute in Moscow. Currently he is Chair-Professor in Statistics, Econometrics and Mathematical Finance at the University of Karlsruhe in the School of Economics and Business Engineering. He is also Professor Emeritus at the University of California, Santa Barbara, in the Department of Statistics and Applied Probablity. He has published seven monographs, eight handbooks and special-edited volumes, and more than 250 research articles. Professor Rachev is cofounder of Bravo Risk Management Group specializing in financial risk-management software. Bravo Group was recently acquired by FinAnalytica, for which he currently serves as Chief-Scientist.

Frank J. Fabozzi is Professor in the Practice of Finance in the School of Management at Yale University. Prior to joining the Yale faculty, he was a Visiting Professor of Finance in the Sloan School of Management at MIT. Professor Fabozzi is a Fellow of the International Center for Finance at Yale University and on the advisory council for the Department of Operation Research and Financial Engineering at Princeton University. He is the editor of the Journal of Portfolio Management and an associate editor of the the Journal of Fixed Income. He earned a doctorate in economics from the City University of New York in 1972. In 2002, Professor Fabozzi was inducted into the Fixed Income Analysts Society’s Hall of Fame. He earned the designation of Chartered Financial Analyst and Certified Public Accountant. He has authored and edited numerous books in finance.

CHAPTER 1

Operational Risk Is Not Just “Other” Risks

Until very recently, it has been believed that banks are exposed to two main risks. In the order of importance, they are credit risk (counterparty failure) and market risk (loss due to changes in market indicators, such as equity prices, interest rates, and exchange rates). Operational risk has been regarded as a mere part of “other” risks.

Operational risk is not a new concept for banks. Operational losses have been reflected in banks’ balance sheets for many decades. They occur in the banking industry every day. Operational risk affects the soundness and operating efficiency of all banking activities and all business units.

Most of the losses are relatively small in magnitude—the fact that these losses are frequent makes them predictable and often preventable. Examples of such operational losses include losses resulting from accidental accounting errors, minor credit card fraud, or equipment failures. Operational risk-related events that are often more severe in the magnitude of incurred loss include tax noncompliance, unauthorized trading activities, major internal fraudulent activities, business disruptions due to natural disasters, and vandalism.

Until around the 1990s, the latter events have been infrequent, and even if they did occur, banks were capable of sustaining the losses without major consequences. This is quite understandable because the operations within the banking industry until roughly 20 years ago have been subject to numerous restrictions, keeping trading volumes relatively modest, and diversity of operations limited. Therefore, the significance of operational risk (whose impact is positively correlated with income size and dispersion of business units) has been perceived as minor, with limited effect on management’s decision-making and capital allocation when compared to credit risk and market risk. However, serious changes in the global financial markets in the last 20 years or so have caused noticeable shifts in banks’ risk profiles.

In the course of the last two decades, the global financial industry has been highlighted by several pronounced trends, which have been in response to increased investors’ appetites. The global financial system has been characterized by globalization and deregulation, accelerated technological innovation and revolutionary advances in the information network, and an increase in the scope of financial services and products. Globalization and financial deregulation have been working to effectively put together the world’s dispersed financial markets into a unified complex network.

An example from Asia is the Japanese “Big Bang” financial deregulation reform, launched in 1998 by then Prime Minister Ryutaro Hashimoto, as a response to a prolonged economic stagnation that started with the burst of the bubble economy in late 1989 to early 1990. Financial reform was aimed at the liberalization of banking, insurance, and stock exchange markets and boosting the competition of the Japanese financial market relative to the European and American markets, and to regain the status of one of the world’s major financial centers.

As for the United States, an example is the Financial Services Act of 1999. The bill repealed the 1933 Glass-Steagall Act’s restrictions on bank and securities firm affiliations and allowed affiliations among financial service companies, including banks, registered investment companies, securities firms, and insurance companies—formerly prohibited under the Bank Holdings Act of 1956. It also called for the expansion of the range of financial services allowed by banks.

Several reforms have taken place in Europe. In October 1986, the London Stock Exchange underwent a radical change in organization, the Big Bang (a title later adopted for the Japanese financial reform). It eliminated fixed commissions on security trades and allowed securities firms to act as brokers and dealers. It also introduced automated screen-based trading, enabling the movement away from the traditional market floor. Another prominent example is the formation and expansion of the European Union, and adoption of a single currency, the euro. The purpose of the union is to relax financial barriers and break down trading constraints, and achieve integration on cultural, economic, and political levels. In Eastern Europe, the collapse of the Soviet regime in the early 1990s created a massive new market for capital flows.

Financial globalization due to financial liberalization has caused players in the financial and business sectors across the world economies to be subject to an unprecedented degree of competition, from both domestic and foreign counterparts. Liberalized trade has given customers and investors choices and opportunities they did not have before. This has resulted in the development of new financial products, instruments, and services. Securitization has turned otherwise illiquid instruments into tradeable commodities. Privatization has turned thousands of former state enterprises into private ventures and competitors for risk capital. New derivative instruments have been offered to provide for powerful hedging tools against various market and credit-related risks.

Financial deregulation has coincided with (or, perhaps, in many cases has triggered) a number of remarkable technological innovations including the development of the Internet, leading to revolutionized banking activities such as online banking, growth of e-commerce, and e-mail services. An immediate consequence of this development is a breakthrough in the means and speed at which the financial information is obtained and shared by investors, calling for a higher degree of transparency and market disclosure about banks’ business practices.

As a side-effect of these global financial trends and policies, outsourcing, expansion of the scope of financial services, and large-scale mergers and acquisitions (M&A) have become more frequent around the globe. These, in turn, inevitably result in an elevated exposure of the financial institutions to various sources of risk. As a simple example, increased use of computer-based banking services is vulnerable to viruses and computer failures, and credit card fraud. When business units expand, this requires additional employees—this may increase the number of errors committed and increase the hazard of fraudulent activities.

Newly developed and optimized financial products (such as derivatives and securitized products) now provide better protection against market risk and credit risk. Furthermore, previously nonexistent or insignificant risk factors have become a large (or larger) part of the complex risk profiles of financial institutions. Yet some of these risks have not been adequately addressed. Without exaggeration, operational risk is the most striking of all, and has been the subject of heated discussions among risk managers, regulators, and academics in the last few years. As Roger W. Ferguson, Vice Chairman of the Board of Governors of the Federal Reserve System, stated, “In an increasingly technologically driven banking system, operational risks have become an even larger share of total risk. Frankly, at some banks, they are probably the dominant risk.”1 Major banks share the same view. As an example, a report by the HSBC Group (2004) states that “... regulators are increasingly focusing on operational risk ... This extends to operational risk the principle of supporting credit and market risk with capital, since arguably it is operational risk that potentially poses the greatest risk.”2

Another important impact of globalization is the effect of culture. Culture is an important basis for trust. Internal control practices that prove effective in Asia may fail in Europe or the United States. Using an example from van den Brink (2002), while it is common in Europe and North America to give one staff member the code of the safe and another staff member the key, the same procedure in Indonesia would be perceived by senior management as being mistrusted. Or, as another example, in Japan it is uncommon to say no to or argue with senior management. As we will see later in this chapter, many large-scale operational losses are a result of misuse of trust and responsibility.

Sophisticated instruments and techniques have been developed to manage low- and medium-magnitude losses that are due to market-related and credit-related financial risks. However, recent experiences from the financial market suggest that cash-flow fluctuations of a larger scale, which are more likely to be incurred by the institution/bank’s operation practices rather than market or credit risk related factors, have not been well-managed.3 To support this view, in 1999 the Basel Committee pointed out “the growing realisation of risks other than credit and market risks which have been at the heart of some important banking problems in recent years.”4

The world financial system has been shaken by a number of banking failures over the last 20 years, and the risks that particularly internationally active banks have had to deal with have become more complex and challenging. More than 100 operational losses exceeding $100 million in value each, and a number of losses exceeding $1 billion, have impacted financial firms globally since the end of 1980s.5There is no question that the cause is unrelated to market or credit risks, which we noted earlier are the two major risk factors that banks had been believed to face. Such large-scale losses have resulted in bankruptcies, mergers, or substantial equity price declines of a large number of highly recognized financial institutions. Here are a few examples of such losses that occurred in the 1990s.6

On December 6, 1994, a prosperous district in California, Orange County, surprised the markets by declaring bankruptcy. The treasurer, Robert Citron, was entrusted with a $7.5 billion commingled portfolio managed on behalf of the county schools, cities, districts, and the county itself. Investors perceived Citron as a financial wizard who could deliver high returns on their funds during a period of low short-term interest rates by investing in mortgage derivative products that had a substantial exposure to interest rate changes (i.e., securities with a high effective duration). The portfolio performed well when interest rates were declining; however, when rates increased in early 1994, the portfolio blew up. Losses reaching $1.7 billion, forcing Orange County into bankruptcy.

Citron either did not understand the interest rate exposure of his portfolio because he was unacquainted with the risk/return of the securities in the portfolio or he ignored the magnitude of the risk exposure, believing he could correctly forecast the direction of interest rates. In any case, there were no systems in place to monitor the portfolio’s exposure to changes in interest rates. Orange County illustrates combination of lack of expert risk oversight and incompetence.7

In February 1995, Barings Bank declared bankruptcy. Barings Bank was the United Kingdom’s oldest merchant bank, founded in 1762. Nick Leeson, who was appointed the general manager of the Barings Futures subsidiary in Singapore in 1993, was assigned to exploit low-risk arbitrage opportunities that would leverage price differences in similar equity derivatives on the Singapore Money Exchange (SIMEX) and the Osaka exchange markets. However, due to a lack of higher supervision, he was was given control over both the trading and back-office functions. He began taking much riskier positions by trading different amounts on contracts of different types on the two exchanges. The derivatives contracts on the Singapore and the Japanese foreign exchange markets were highly dependent on the market conditions in 1993 to 1994.

When the market became volatile, losses in Leeson’s trading account began to accumulate, forcing him to increase his bets in an attempt to recover losses. He created a special secret account to keep track of his losses, account 88888. This account had originally been set up to cover up a mistake made by an inexperienced member of the trading team, which led to a loss of £20,000. Leeson then used this account to cover his mounting trading losses.

Finally, the Nikkei index dropped sharply after the January 17, 1995, Kobe earthquake in Japan, and the losses exceeded $1 billion. The fraud was only exposed when Nick Leeson failed to show up at work at his Singapore office in February 1995; he was attempting to flee from Kuala Lumpur to England in order to escape the tough Far Eastern justice system. The bank was unable to sustain the loss and announced bankruptcy. Here is an extract from Leeson’s book Rogue Trader (1997, pp. 2-3), about his last trading day:

A month later, in March 1995, the bank was purchased by the Dutch Bank ING for £1 sterling! In November 1995 Nick Leeson was sentenced to 6.5 years in a Singaporean jail. This is another example of the dramatic consequences of internal fraud, unauthorized trading, and poor internal surveillance and control.8

On July 13, 1995, the executive vice president of Japan’s Daiwa Bank’s New York branch, Toshihide Iguchi, confessed (in a 30-page letter to the president of Daiwa Bank in Japan) that he had lost around $1.1 billion trading U.S. Treasury bonds. At the time of the incident, Daiwa was one of Japan’s top 10 banks and one of the world’s top 20 banks in terms of asset size. An astonishing part of the incident is that Iguchi’s illegal trading had been taking place over an 11-year period. Daiwa’s New York branch managed the custody of the U.S. Treasury bonds that it bought, as well as those that it bought on behalf of its customers, via a sub-custody account held at Bankers Trust. Through this account, interest on the bonds was collected and dispersed, and bonds were transferred or sold according to the wishes of either customers or the bank’s own managers.

When Iguchi lost a few hundred thousand dollars in his trading activities, he began selling off bonds in the Bankers Trust subcustody account to pay off his losses, falsifying Bankers Trust account statements so that they would not indicate that the securities had been sold. Throughout the 11 years he forged about 30,000 trading slips and other documents. When customers needed to be paid interest on bonds that had been sold without their knowledge, Iguchi would settle their accounts by selling off more securities and further altering more records. In total, Iguchi sold off roughly $377 million of Daiwa’s customers’ securities and $733 million of Daiwa’s own investment securities to cover his trading losses. Shortly after the incident came to surface in November 1995, the Federal Reserve ordered Daiwa Bank to end all of its U.S. operations within 90 days; by January 1996 Daiwa agreed to sell most of its U.S. assets of $3.3 billion to Sumitomo Bank and to sell off its 15 U.S. offices.

In December 1996, Iguchi was sentenced to four years in prison and fined $2.6 million. The scandal led to Standard & Poors downgrading Daiwa from A to BBB and to Japan’s Ministry of Finance imposing restrictions on the bank’s activities for a year. In September 2000, a Japanese court in Osaka ordered 11 current and former Daiwa board members and top executives to pay the bank $775 million as a compensation to shareholders’ damages. This is yet another example of internal fraud and illegal trading.9

On February 6, 2002, Allied Irish Banks (AIB), Ireland’s second-biggest bank, discovered a large-scale and what the bank described as a “complex and very determined fraud” in its Baltimore-based subsidiary Allfirst. Total losses to AIB/Allfirst are estimated to have exceeded $700 million. A report stated that around 1997, John Rusnak, a trader, had lost a large amount of money on a misplaced proprietary trading strategy, repeatedly falsifying bank statements in an attempt to recoup losses. Rusnack did this by writing nonexistent options and booking the fictitious premium income as revenue, thereby getting himself into a loop of accruing even bigger losses. One weekend he failed to show up at work on Monday morning. As a result of his disappearance, the details of his fraudulent activities came to light. Rusnak, a U.S. citizen, was nicknamed a second Nick Leeson, and entered the league of the infamous rogue traders, together with Toshihide Iguchi. He was sentenced to 7.5 years in federal prison, and was barred for life from working in any financial services company. Amazingly, this case demonstrates how the lessons from Barings Bank’s collapse of almost a decade earlier had not been properly learned.10

The collapse of Enron Corporation has been the largest bankruptcy in U.S. history. The Enron Corporation was one of the world’s largest energy commodities and services companies. Enron was formed in July 1985 in Houston, Texas, by a merger of Houston Natural Gas and InterNorth of Omaha, Nebraska. Initially a natural gas pipeline company, Enron quickly entered the energy futures as energy markets were deregulated. It entered the European energy market in 1995.

On January 25, 2001, the stock price of Enron had reached its peak at $81.39 per share, and began to drop. Just two days earlier, on January 23, Enron’s CEO since 1985, Kenneth Lay, resigned. By the middle of August 2001, it fell to $43. At the same time, the new CEO, Jeffrey Skilling, quit his new job after six months, for “purely personal” reasons. In November the price per share fell below $10, and Enron announced $600 million in losses from 1997 to 2000. On December 2, when the share price finally hit zero, Enron filed for bankruptcy protection, making it the largest bankruptcy case in U.S. history. In the middle of January, Enron’s stock was formally delisted from the New York Stock Exchange.

The board of directors of Enron blamed the failure on poor information from the accountants and the management. An investigation into the case conducted by the Securities and Exchange Commission in 2002 suggested that Enron may have overstated its assets by up to $24 billion due to poor accounting practices.

A number of financial institutions were involved in the Enron case. Arthur Andersen, which was Enron’s auditing firm for 16 years, was charged with obstruction of justice for destroying some of the Enron’s documents in order to protect the firm, while on notice of a federal investigation, and were ordered to cease auditing publicly traded companies on August 31, 2002. Their losses due to the case were estimated at over $750 million. Merill Lynch has been accused of a conspiracy to help Enron hide its true state of financial affairs, and estimated its losses due to the involvement at over $80 million. Other banks involved in the scandal include NatWest (losses over $20 million), Citibank, JPMorgan Chase & Co., and Salomon Smith Barney, among others, were accused of lending Enron billions of dollars with the full knowledge that Enron was not reporting these loans as debt on its balance sheet. This is an example of losses due to legal liability in combination with fraudulent activities.11

In June 2005, MasterCard International Inc. in the United States announced that the names, banks, and account numbers of up to 40 million credit card holders were feared to have been accessed by an unauthorized user. It was revealed that a computer virus captured customer data for the purpose of fraud and may have affected holders of all brands of credit cards. This was one in a series of recent incidents involving security failures and external fraud. In the same month, Citigroup said United Parcel Service lost computer tapes with sensitive information from 3.9 million customers of CitiFinancial, a unit that provides personal and home loans. As of 2006, the final impact (and possible losses) have not been estimated yet.

On September 11, 2001, the heart of the U.S. financial center, New York’s World Trade Center, and the Pentagon became the targets of large-scale terrorist attacks. On the morning of September 11, two American Airlines jets were hijacked and used to crash into the Twin Towers of the World Trade Center, causing them to collapse about an hour later. Two other airlines were hijacked and one hit Pentagon; the other crashed in Pennsylvania. This dramatic unprecedented incident (referred to as 9/11), apart from its devastating civilian loss (for example, Cantor Fitzgerald alone lost 700 of its employees), resulted in tremendous property loss. The Bank of New York’s losses alone were estimated at $140 million. The financial losses due to 9/11 have been reported to be the costliest insured property loss in history, with current estimates of $40 billion to 70 billion. Other consequences have been business disruptions of the affected financial service companies, and a tremendous economic and political impact worldwide. This is a striking example of the damage to physical assets, business disruptions, and losses inflicted by external causes.

In the financial industry, banks are not the only ones concerned with operational risk. In recent years, numerous hedge fund failures have been linked to operational risk. Approximately $600 billion is invested in 6,000 or so hedge funds worldwide. In hedge funds, operational risk is defined as “risks associated with supporting the operating environment of the fund; the operating environment includes middle- and back-office functions such as trade processing, accounting, administration, valuation and reporting.”12

In 2002, Capco (the Capital Markets Company) studied the causes of hedge-fund failures based on 20 years of data on hedgefund failures. The results of the study showed that approximately 50% of the failures were due to operational risk, 38% to investment risk, 6% to business risks, and 6% to multiple risk sources.

The most common operational losses that caused the failures follow:13

These four sources, according to the study, account for 41%, 30%, 14%, and 6% of all hedge fund failures, respectively.

Table 1.1 lists examples of prominent hedge funds that have had enforcement action taken against them in 2005, with a brief description of the alleged misdemeanors.

TABLE 1.1 Examples of hedge fund failures due to operational risk

• Financial institutions bear various operational losses on the daily basis. Examples are losses resulting from employee errors, internal and external fraud, equipment failures, business disruptions due to natural disasters, and vandalism.

• Operational risk affects the operational efficiency in all business units.

• Until recently, credit risk and market risk have been perceived as the two biggest sources of risk for financial institutions. Operational risk has been regarded as a mere part of “other” risks.

• The weight of operational risk in banks’ risk profiles has been elevated substantially as a side effect of financial deregulation and globalization policies.

• Serious banking failures in the last 20 years have demonstrated serious dangers of operational risk. More than 100 operational losses exceeding $100 million in value each and a number of losses exceeding $1 billion have occurred globally since the end of 1980s. Operational risk is also the source of approximately 50% of all hedge-fund failures. The task of managing operational risk has moved from being a minor issue to becoming a matter of survivability of financial institutions.

Adams, J. R., and Frantz, D. (1993), A Full Service Bank: How BCCI Stole Billions Around the World, Simon & Schuster, United Kingdom.

Banga, D. (2005), “Operational Risk and Hedge Fund Failures,” EDHEC Risk and Asset Management Research Centre.

Bank of England (1995a), “Report of the Banking Supervision. Inquiry into the Circumstances of the Collapse of Barings,” Bank of England, Her Majesty’s Stationery Office, London.

Bank of England (1995b), “The Bank of England Report into the Collapse of Barings Bank,” http://www.numa.com/ref/barings/bar00.htm.

Beaty, J., and Gwynne, S. C. (1993), The Outlaw Bank: A Wild Ride into the Secret Heart of BCCI, Random House Inc, Beard Books, United Kingdom.

BIS (1999), “A New Capital Adequacy Framework,” http://www.bis.org.

Bryce, R. (2002), Pipe Dreams: Greed, Ego, and the Death of Enron, PublicAffairs, New York.

Chew, L., “Not Just One Man—Barings,” IFCI Risk Institute report, http://riskinstitute.ch/137550.htm.

Crouhy, M., Galai, D., and Mark, R. (2001), Risk Management, McGraw-Hill, New York.

Cruz, M. G. (2002), Modeling, Measuring and Hedging Operational Risk, John Wiley & Sons, New York, Chichester.

de Fontnouvelle, P., DeJesus-Rueff, V., Jordan, J., and Rosengren, E. (2003), Using Loss Data to Quantify Operational Risk, Technical report, Federal Reserve Bank of Boston.

Eichenwald, K. (2005), Conspiracy of Fools: A True Story, Broadway Books, New York.

Fay, S. (1997), The Collapse of Barings, 1st ed., W. W. Norton & Company, New York.

FDIC (1995), “Regulators terminate the U.S. operations of Daiwa Bank, Japan,” http://www.fdic.gov.

Fox, L. (2003), Enron: The Rise and Fall, John Wiley & Sons, Hoboken, New Jersey.

Gapper, J., and Denton, N. (1996), All That Glitters: The Fall of Barings, Hamish Hamilton, London.

Irving, R. (1995), “County in Crisis,” Risk, Issue? pp. 27-33.

Jorion, P. (1998), “Orange County Case: Using Value-at-Risk to Control Financial Risk,” http://www.gsm.uci.edu/~jorion/oc/case.html.

Jorion, P., and Roper, R. (1995), Big Bets Gone Bad: Derivatives and Bankruptcy in Orange County, Academic Press, San Diego.

King, J. L. (2001), Operational Risk: Measurement and Modelling, John Wiley & Sons, New York.

Koernert, J. (1996), “The Collapse of Barings 1995. Financial Derivatives, Banking Crises and Contagion Effects,” Freiberg Working Papers 96/2.

Kundro, C., and Feffer, S. (2003a), “Understanding and Mitigating Operational Risk in Hedge Fund Investments,” A Capco White Paper.

Kundro, C., and Feffer, S. (2003b), “Valuation Issues and Operational Risk in Hedge Funds,” A Capco White Paper 10.

Lectric Law Library (1995), 11/95 Criminal Complaint & Indictment Against Daiwa Bank, http://www.lectlaw.com/files/cas60.htm.

Leeson, N. (1997), Rogue Trader, Time Warner, New York.

Leeson, N., and Tyrrell, I. (2005), Back from the Brink: Coping with Stress, Virgin Books, London.

Leith, W. (2002), “How to Lose a Billion,” The Guardian: Business. October 26 2002 issue.

McLean, B., and Elkind, P. (2003), Smartest Guys in the Room: The Amazing Rise and Scandalous Fall of Enron, Penguin Books, New York.

Rawnsley, J. (1995), Going for Broke: Nick Leeson and the Collapse of Barings Bank, HarperCollins, New York.

Shirreff, D. (1997), “Lessons from NatWest,” Euromoney.

Swartz, M., and Watkins, S. (2003), Power Failure: The Inside Story of the Collapse of Enron, Random House, New York.

Time Magazine (1997), “I Didn’t Set Out to Rob a Bank,” Time Magazine (6).

van den Brink, J. (2002), Operational Risk: The New Challenge for Banks, Palgrave, London.

CHAPTER 2

Operational Risk: Definition, Classification, and Its Place among Other Risks

In Chapter 1 we provided a few examples of operational loss events, with the intention of giving the reader a feel for what operational risk is all about. We have assumed that the reader is familiar with the notions of credit and market risks, and we mentioned that operational risk has been loosely defined as part of “other” risks. In this chapter, we formalize the notion of operational risk and the place it takes among other financial risks.

In finance risk is the fundamental element that affects financial behavior. There is no unique or uniform definition of risk, but this is not surprising: the definition depends on the context and the purpose for which one wishes to formulate the concept of risk. Broadly speaking, there are two ways to define risk:

The first definition, which is common in the economics literature, postulates that risk is a measure of uncertainty about the future outcomes, or, in other words, is a measure of dispersion of actual from expected future results. For example, in the context of an investment, risk is the volatility of expected future cash flows (measured, for example, by the standard deviation). Because of this uncertainty and because fluctuations in the underlying value may occur in either negative or positive direction, risk defined in this way does not exclude the possibility of positive outcomes. Hence, risk is not necessarily perceived as a negative concept.

The second definition suggests that risk has negative consequences. Risk is perceived as the probability of a negative deviation or sustaining a loss. More formally, risk is “a condition in which there is a possibility of an adverse deviation from a desired outcome that is expected or hoped for”14 and “an expression of the danger that the effective future outcome will deviate from the expected or planned outcome in a negative way.”15For example, insurance companies face the risk of having to pay out large claims to the insured, and banks are exposed to the risk of bearing losses due to adverse movements in market conditions (i.e., market risk) or losses due to inability of a counterparty or a borrower to perform on an obligation (i.e., credit risk).

In discussions of operational risk, the second definition is more appropriate. Of course, it is not entirely impossible that operational risk results in a gain for a bank. Examples may include certain employee errors. However, such outcomes are generally ignored for the purpose of operational risk modeling. We do not treat this case in this book.

We now need to distinguish operational risk from other categories of financial risk. Operational risk is, in large part, a firm-specific and nonsystematic risk.16Early publications of the Bank of International Settlements (BIS) defined operational risk as follows:17

Other definitions proposed in the literature include:

The formal definition that is currently widely accepted was initially proposed by the British Bankers Association (2001) and adopted by the BIS in January 2001. Operational risk was defined as

The industry responded to this definition with criticism regarding the lack of a clear definition of direct and indirect losses. A refined definition of operational risk dropped the two terms, hence finalizing the definition of operational risk as

This definition includes legal risk, but excludes strategic and reputational risk (these will be defined soon). The definition is “causal-based,” providing a breakdown of operational risk into four categories based on its sources: (1) people, (2) processes, (3) systems, and (4) external factors. According to Barclays Bank, the major sources of operational risk include operational process reliability, IT security, outsourcing of operations, dependence on key suppliers, implementation of strategic change, integration of acquisitions, fraud, error, customer service quality, regulatory compliance, recruitment, training and retention of staff, and social and environmental impacts.21

Large banks and financial institutions sometimes prefer to use their own definition of operational risk. For example, Deutsche Bank defines operational risk as

The Bank of Tokyo-Mitsubishi defines operational risk as

In October 2003, the U.S. Securities and Exchange Commission (SEC) defined operational risk as

The probability of an operational risk event occurring increases with a larger number of personnel (due to increased possibility of committing an error) and with a greater transaction volume. The following are examples of operational risk exposure indicators include:25

For example, larger banks are more likely to have larger operational losses. Shih, Samad-Khan, and Medapa (2000) measured the dependence between a bank size and operational loss amounts. They found that, on average, for every unit increase in a bank size, operational losses are predicted to increase by roughly a fourth root of that.26

Operational risk can be classified according to the following:

We discuss each one in the following subsections.

Operational losses can be internally inflicted or can result from external sources. Internally inflicted sources include most of the losses caused by human, process, and technology failures, such as those due to human errors, internal fraud, unauthorized trading, injuries, business delays due to computer failures or telecommunication problems. External sources include man-made incidents such as external fraud, theft, computer hacking, terrorist activities, and natural disasters such as damage to physical assets due to hurricanes, floods, and fires.

Many of the internal operational failures can be prevented with appropriate internal management practices; for example, tightened controls and management of the personnel can help prevent some employee errors and internal fraud, and improved telecommunication networks can help prevent some technological failures.