Page 55 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Unit 4: Risk Analysis





             Caselet: Operational Risk Management — How Banks can Manage the Unknown

             What if suddenly ATMs stopped vending crisp notes, bank branches closed for a
             few days, the data centres of major banks shut down, busy operations in the dealing
             rooms of major banks came to a halt and banking personnel didn’t reach their
             offices?
             This is not a doomsday scenario but what actually happened during the Mumbai floods.
             Uncertainty has crept into our lives. In technical parlance, we can call the risk involved in
             running daily operations “operational risk”, or op-risk, for short.
             In the banking industry, op-risk is as old as banking itself. The banking landscape has
             undergone a sea change and is becoming more complex in terms of volume of business,
             product innovation, financial engineering, new market practices, fast and rapid technology
             innovation, deregulation, consolidation of banks and increasing competition among banks.
             This has increased the probability of failure or mistakes from the operations point of view; it
             has increased the focus on managing op-risk.
             The new BIS guidelines, generally known as the “Basel II Accord”, recognise this and place
             increased emphasis on op-risk management. The Basel committee defines op-risk as the
             risk “of loss resulting from inadequate or failed internal processes, people and systems or
             from external events”. This definition includes legal risk, but excludes strategic and
             reputation risk. As banks move towards implementing Basel II norms, they need to evolve
             an internal framework for effective management of op-risk.

             Depending on the size, complexity and organisational structure of the bank, a five-step
             approach can be used for building a robust op-risk framework:
             (a)  Identification of operational risk through event framework
             (b)  Analysing the causes of events
             (c)  Risk mapping
             (d)  Risk measurement and control
             (e)  Management of operational risk and, thereby, capital management.

             To start with, banks, as part of identification, should classify and capture all operational
             losses in the form of “events”. Events are nothing but “occurrences” or “happenings”.
             Banks should start accumulating data on events that have occurred in the past and also
             identify potential events.
             All events should be defined with attributes such as frequency of event, severity, loss
             amount, reason for loss, date of discovery of loss and date of occurrence.
             Banks can adopt the seven types of events suggested by the Risk Management Group (RMG)
             of the Basel committee for one of their quantitative studies (QIS-2), which include internal
             fraud, external fraud, employment practices and work safety, client products and business
             services, damages to physical assets, business disruption and system failures and execution
             delivery.





                                           LOVELY PROFESSIONAL UNIVERSITY                                   49