Operational disasters in financial institutions have grabbed any number of headlines in newspapers around the world in the last few years - as the case studies on our Wheel of Misfortune demonstrate.

For managers, these tales of incompetence, corruption and simple bad luck are both entertaining and disconcerting.

Disconcerting because, as the tally has risen, it's become clear that gross operational error and failure is much less isolated from the problem of day-to-day management than the financial industry had imagined.

Researchers now reckon that catastrophic events are the visible part of a wider spectrum of cover-ups, "near misses", and costly but undramatic events that plague most firms - and signal a failure in risk management practice and technology.

Operational risk has also turned out to be more costly in terms of capital than most institutions realised - recent estimates put it at 25% or more of risk capital. And that's rising, as operational risk emerges from beneath New Economy business models such as Internet banking, electronic trading and the outsourcing of core bank functions.

Meanwhile, as our scroll-over timeline explains, the regulators of international banking are about to ask major banks to set aside specific amounts of capital for operational risk. It's part of their long-term project to tie capital charges more directly to risk-taking.

Bank regulators are not alone in demanding a new approach. Corporate governance experts and stockmarket analysts have begun to address disingenuous questions to all sorts of financial institutions. Shouldn't top executives be able to name any "sudden death" risks that their firm is exposed to? Or at least have some idea of the scale of potential operational losses in their industry?

Top executives are themselves wondering whether decisions based on risk-adjusted return on capital (RAROC) might be flawed if operational risk is not taken into account. Might they simply exchange business lines with transparent market or credit risks for those with hidden risks?

All this explains why controlling operational risks at business-line level - simply "getting it right"- is no longer enough for many professionals. But, so far, financial institutions lack a framework of methodologies and tools to push operational risks through a coherent risk management cycle.

Operational Risk Management Cycle
1. Identify and assess	7. Assume risk
2. Analyse risk controls	8. Assume but reduce frequency
3. Rank/score/measure/track	9. Assume but mitigate severity
4. Cost	10. Assume but risk finance
5. Contextualise and communicate	11. Avoid/Remove
6. Monitor	12. Transfer

 
In this piece of the Risk Jigsaw, we'll tell how the financial industry - led by bankers and their regulators - is constructing that framework.

Some of the new ideas have grown out of established risk management disciplines in financial institutions such as Audit and Market Risk, while others are drawn from activities as diverse as healthcare and the space industry.

As we go along, we'll explain the new concepts that are driving operational risk management, hear from some Expert Witnesses, and offer links to key information points on the web.

Saying what you mean - the definitional problem
Defining operational risk sounds easy - it's the risk of something going unexpectedly wrong! Bankers add the caveat "outside of market and credit risk" because they already have specialist risk managers for these areas.

But general definitions are less useful when a manager or regulator tries to do something about enterprise-wide operational risk - such as improve operational risk controls across the board, or reserve capital against operational risk.

Counting something, or controlling it, means putting a line around it. Soon, regulators and RAROC analysts will need to decide whether to include, say, strategic business risks or reputational risk in their allocation of regulatory and enterprise-wide capital.

And managers will need to know whether their assessment of operational risk in a business line should include, say, the risk of a trader misunderstanding a sophisticated financial model. Some experts are sure model risk should be included, while others are sure it forms a more natural component of market risk - the button below maps out some other tricky boundary clashes.

Luckily, busy practitioners can sidestep this industry debate by selecting a suitable definition from those below. For the moment, there's really no "right" general definition save one that's boldly drawn and fits the purpose.

Basle Committee on Banking Supervision
BBA/ISDA/RMA
Informal industry definition

Definitions developed by industry bodies and regulators have some practical advantages, so let's take a closer look at the components of operational risk as defined by the London-based British Bankers Association - a body that has been active in developing standard approaches to operational risk.

For the BBA, "Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events."

Patching up processes
Historically, most financial institutions have built expert "ways of doing things" to achieve their objectives - whether that's administering a checking account in the retail business, or confirming the details of a million-dollar swap transaction in the money markets.

Processes of a more or less formal kind surround many of the risky activities of a bank. Some are routines performed by humans while others are part of the core infrastructure of the institution. The button below lists some key processes surrounding a capital markets trader.

Key Processes - from hire to fire

Connecting a discrete set of actions into a procedure, and than a formal process, offers huge benefits to financial institutions - as it does to manufacturing industries - in terms of scaling, risk control and standardisation.

Processes also help to defuse risk by institutionalising skills that would otherwise reside in a single individual. But processes can make a firm vulnerable in other ways.

Few employees understand a complex bank process as a whole, so the implications of sloppiness or breakdowns in the process chain are often unclear. And devious individuals find a process easier to exploit than a savvy manager because there's no immediate "sense check" of their actions.

Meanwhile, because turning a procedure into a process is usually associated with an increase in business line volumes and notional amounts at the expense of profit margins, processes tend to concentrate and leverage any existing operational risks. If something goes wrong, it goes wrong big time.

This cycle continues as processes speed up and are automated using the institution's computer systems - automation tends to improve consistency but it does not guarantee that the underlying process is structurally safe.

In financial institutions, most processes are designed with audited fail-safes and checking procedures. These might be built into the process itself or take the form of independent monitoring by risk control groups such as Compliance.

But because processes interact with other risky variables - the external environment, business strategy, people - it's difficult to sound the all clear. For example, are the fail-safes and "checks and balances" of the process appropriate now that the firm has opened offices in a new jurisdiction?

Given the new products a firm has introduced, could the firm suffer a massive loss if a step in the procedure is compromised? Does the process efficiently manage transactions that are exceptions to the norm, or are staff barely coping? Is risk information flowing from the process to decision-makers speedily enough to match market developments?

These questions help to show why the problem of risk managing processes has become more urgent over the over the last ten years as the rate of change in the financial industry has accelerated.

Institutions have automated processes, re-engineered them after mergers and acquisitions, and adapted them to improvements in industry-wide infrastructure and communications capabilities. Increasingly, banks have been rewarded with high margins for entering immature markets where, by definition, safe processes are not yet established.

They have also extended their activities overseas - beyond the easy reach of their established process infrastructure and monitoring capabilities.

And they have introduced new processes to monitor underlying processes - New Product Approval Process and formal Technology Audits being only two examples.

The problem with people
It's said that the greatest asset of a services business goes up and down in the office lift every day. But like any other asset, people are a source of risk as well as reward.

Until recently, the risk associated with the staff of financial institutions was largely thought of in terms of simple fraud. The figures here remain eye-opening - FBI statistics for 1998 show that some 32% of convictions for crimes against US financial institutions involved bank employees. The internet age has also opened up a new frontier for fraudsters.

But people also cause damage to institutions through incompetence, error, bad decision-making and rule breaking.

And institutions can become dangerously dependent on key individuals, or on teams that are suffering a high staff turnover rate. As we explain below, some firms are starting to identify this kind of key dependency and to monitor business lines for the key people risk indicators.

Even in the case of fraud, greed in its simplest form is not always the most important factor. Traders who exceed their trading limits - rogue traders - often seem to incur the most damaging losses as they try to gamble themselves back into a break-even position.

The original rule-breaking might be motivated by an attempt to improve a bonus, but it's the fear of discovery and its consequences that encourages traders to go for double-or-quits.

That's why, as our next Expert Witness explains, there's increasing interest in the psychology of risk and decision taking.

Modern electronic trading and information systems can help by physically preventing certain actions as well as by automatically reporting infringements to risk managers and escalating key information through the management hierarchy. These increasingly intelligent process control tools help to turn reliance on people into reliance on properly designed systems.

But even where a business line or market has the electronic infrastructure to make this kind of monitoring practical - many derivatives markets, for example, continue to rely on phone and fax trading - people risk is reduced, not removed.

Systems that are used by people are always vulnerable to compromise by them. And a real-time risk report delivered by a state-of-the-art system is of little use if managers do not react to it appropriately.

It's also difficult to enforce control through automatic systems when businesses are immature or when volumes have grown suddenly. Other kinds of financial business - such as advisory services or those dependent on third-party agency sales - are structurally reliant on people for expertise or distribution in a way that is difficult to engineer away.

That's why financial institutions have started to look at individual and group behaviour as a way of understanding risk. Researchers believe the reason why individuals break rules - more crucially, why their colleagues let them get away with it - is sometimes rooted in the corporate culture of an institution.

Does the institution reward success without looking closely at how it is achieved? Do senior managers favour dominant personalities and connive with the bullying of subordinates?

Making sure that reporting systems are independent of business lines, risk sensitive, automatic, consistent and secure is an important aspect of the control of operational risk. But in many cases on our Wheel of Misfortune, losses spiralled out of control because a compromised executive was high enough in the hierarchy to disguise the losses.

Often, the problem is a fatal reliance upon an individual by senior managers and committees, compounded by the reluctance of staff further down the reporting line to break rank and voice concern.

Increasingly, corporate governance rules around the globe are encouraging firms to establish formal mechanisms for individuals to step outside the normal reporting line - to blow the whistle on wrong doing that has either a social cost or a cost to shareholders.

And as our last Expert Witness mentioned, the way that groups of professionals take critical decisions is also coming under scrutiny. Many disastrous losses - often misleadingly recorded as credit and market risk losses - happen because a group of managers or an oversight committee take a decision in a way that, with hindsight, seems to ignore extreme risks in favour of attaining pre-agreed goals.

One palliative is to make sure the person or committee with the power to take action on the risk information understands what they are being told, and its implications. This is, in part, a problem of risk communication. The development of methodologies such as value-at-risk in recent years is, in part, an attempt to get to grips with this problem.

But confused or wrong-headed decisions are also rooted in poor corporate governance and tie in with the problem of enterprise-wide risk management.

From individual business lines to the core support functions of an institution, systems are the principal means for storing and managing vast amounts of transactional, financial and corporate data.

They are used to analyse that information, to automate all or part of many critical bank processes, and to communicate with customers.

It's a mistake to think of these systems as an interconnected whole. Instead, most institutions rely on a series of partially interconnected systems of various shape, size and age.

Often, management information systems or data warehouses are used to extract information from underlying systems and present it to managers to help them in making strategic and risky decisions.

Some of the most intractable system risks reside in the relationship between the system and an institution's business plans. Technicians cannot plan for flexibility in capacity, levels of redundancy or absolute levels of security without clear directions from business managers.

As business plans or volumes change, it's important that these decisions are revisited and that the firm as a whole monitors its system dependencies. If a system is left unaltered, a risk decision has been taken - albeit unconsciously.

Systems audits can help to make these tacit decisions more transparent, but they do not necessarily help managers in weighing up the risks and rewards of new system investments.

Some researchers believe that the new science of real options - the application of financial options concepts to the valuation of decisions about physical assets - will help managers in the future.

But at a more practical level, as our Expert Witness explains, the most pressing problem for senior managers is to identify, monitor and manage critical risks in the huge range of systems supporting their institution - including those supporting emerging e-commerce and multi-channel banking initiatives.

The most dramatic external risks are natural and man-made physical catastrophes such as the bombing of Canary Wharf, London's financial district, by terrorists in 1992.

The direct physical impact of these risks is insurable. But payouts cannot compensate for an interrupted relationship with a customer, or for the effect on future business plans or staff.

The problem of ensuring that a business can continue despite a physical catastrophe - business continuity - has evolved into a small industry.

Major banks now spend millions of dollars each year to ensure that, if disaster strikes, they can relocate within hours to a functional version of their main or trading offices - complete with IT systems that are constantly primed with back-up data from the bank.

But this cannot remove the vulnerability of institutions to public or financial market infrastructure. A recent and dramatic example of this was the systems failure at the London Stock Exchange in the summer of 2000 which prevented the exchange from opening.

Fundamental social and technological trends can also threaten institutions - from a rise in general fraud to sustained attacks on corporate web sites by external hackers and fraudsters.

In the summer of 2000, the UK's financial services regulator Howard Davies echoed the concerns of regulators around the world when he claimed that banks systems were being "probed for weaknesses hundreds of times a day"- and that there was sometimes insufficient segregation between the internal systems of banks.

But regulators are themselves a source of external risk. An unforeseen shift in the regulatory or political environment can ruin the profitability of an institution, or leave it vulnerable to catastrophic litigation.

But most of these functions have responsibility for specific risks, services or business lines. They cannot give a firm a wide-angle view of its operational risks.

The reasons why institutions and experts think this wider view is important tend to vary according to individual priorities. But the most pressing are the efficient monitoring of critical risks across an organisation, the interaction of risks, risk measurement and the efficient use of capital, and corporate support for risk-reducing investments at business-line level.

Some leading financial institutions have established specific operational risk managers at a senior level to give them this wider view - the purist approach, in that the operational risk function can then itself be checked over by the institution's internal audit group.

Other firms have extended the remit of internal audit to include operational risk management, arguing that their audit group has to hand the skills, infrastructure and manpower to take action on operational risk.

Some firms report that giving internal audit a wider remit makes the function more efficient. Rather than simply ensuring that the proper reporting and control procedures are in place in each unit, audit can take a more active view of risk/reward and reduce duplicated checks and controls.

Whatever the framework, taking the wider view means bringing together information about risk in a consistent fashion so that corporate management and the specific owners of the risk can take action. The button opposite offers easy access to some of the new information management tools that are being marketed to help managers do this more efficiently.

One interesting aspect of these tools is that by making approaches to operational risk control and measurement more consistent within and across firms, they also make it easier for firms to benchmark their risk standards and publish this information to external audiences of regulators, investors - and key customers.

Dependencies often arise out of the interplay between business plans, process design and system architecture - which means that senior managers and business line managers must be involved in risk identification as well as risk management solutions.

And because a disaster would affect the whole firm, senior managers need to understand enough about the risks and their relationships to take the right decision.

It's not just a question of identifying physical dependencies. Many firms have begun to bring together groups of experts to discuss all the various risks in their part of a financial business line or process.

These structured discussions are different from most traditional forms of risk audit in financial institutions because they concentrate not on checking control procedures, or on the filling in of periodic reports, but on risk identification, the promotion of risk awareness in business line personnel, and detailed risk scenario building.

Risk scenarios are important because they help managers to work through what might happen if a particular mishap occurred. These "what if" scenarios are often simply descriptive and hypothetical. But some institutions are experimenting with more formal, quantitative techniques that model firms as systems.

The approaches include applying the latest scientific ideas on network topologies and complexity theory.

At the moment, though, it's difficult to apply this kind of sophisticated analysis to whole firms - so it's mainly being used to track down dependencies in specific business lines and processes.

Take the case of a failure to process a transaction of some kind. In institutions that process large volumes of transactions, these failures are relatively frequent. Firms are likely to be able to gather significant data on the more common low-impact costs associated with these breaks - fines, penalties, reimbursement to customers or counterparties, cost of mending the transaction, and so on.

Other kinds of medium-impact risk, such as significant bank fraud, are more difficult for banks to analyse because they do not have enough data on loss and frequency within the institution to support a valid statistical analysis. This is not always because data do not exist - sometimes it's a question of availability and quality.

For example, in the US bank fraud and money laundering data is already gathered systematically by the regulatory authorities. But it was only in October 2000, after pressure from industry associations, that the US Treasury's Financial Crimes Enforcement Network indicated it might publish the data periodically in association with the American Banking Association.

It is not yet clear whether the data will be released with enough contextual detail to make it useful for quantifying the risk of different kinds of fraud in different kinds of institutions.

For many kinds of medium-frequency, medium-impact risk, however, there are simply no readily available databases of loss. So one of the most exciting developments in operational risk is the emergence of banking industry initiatives to solve this problem.

In the summer of 2000, the British Bankers Association announced that over 20 financial firms were joining together to collect data on operational risk events. By autumn 2000, some of the firms were actually supplying their internally collected data to the BBA, using the association's standard categorisation of loss and risk types.

The BBA pools the data and removes any identifying tags before republishing the complete dataset to contributing banks.

A similar venture, MORE, has been set up by Connecticut-based risk consultancy NetRisk, with the support of industry associations and various Canadian and US banks.

The most important feature of both these efforts is the attempt to produce a rich but standard set of data that will help banks quantify risk and link it to root causes, while at the same time preserving bank confidentiality.

These initiatives should help the banking industry to put numbers against the operational risks that are frequent and also those that are unexpected. But they will not solve the problem of the most extreme and infrequent events.

Extremely high impact, but low frequency, risks pose a different kind of problem. This kind of loss is difficult to conceal from shareholders, and is often reported in the press, so some data is publicly available. Bringing this data together in a consistent form is a significant task, but a number of consultancies - listed in our Operational Risks Tools button above - offer such public loss databases as packages.

But the real problem is that, even at an industry level, there are not enough extreme events of a particular type to allow the statistical modelling of their frequency or severity. Most firms respond to these extreme risks through attempting to prevent them or by insuring against them, rather than by reserving specific amounts of capital against them.

But they can't be ignored in the numbers game, or institutions will be building a blind spot for the most deadly risks of all. The regulators are also keen that these risks are accounted for in the total levels of capital available to the financial industry.

One of the cutting-edges of operational risk research is therefore the application of a body of theory known as Extreme Value Theory to the scarce data that is available on catastrophic risks. Although highly technical, EVT offers some hope that it will become possible to put meaningful figures against the risk of massive operational failure.

But EVT cannot help solve a more fundamental data problem. Data takes time to collect and it often has to be aggregated across institutions to make the sample large enough for statistical analysis.

Some experts point out that aggregate historical data cannot help banks identify the risks specific to their institution, or the risks that are lie in wait over the horizon of the data sample.

For example, in a business line that depends upon the safe handling of transactions, some key quantitative risk indicators might include the ratio of reported transaction "breaks" or failures compared to transaction volumes, the ratio of transaction volume to trained staff, and the ratio of system downtime to uptime.

After all, a back-office operation with high volumes, skeleton staff and poor systems would seem more likely to make operational errors than a similar low-volume operation with longer-serving employees and a robust systems infrastructure.

Quantitative risk indicators can be transformed into weighted components of a more general risk scorecard for a business line or whole firm with the help of expert judgement. But this introduces a subjective element into the measurement.

So some leading banks are starting to apply statistical techniques, such as discriminant analysis and principal components analysis, to explore the relationship between a risk indicator and loss levels, and to weight the indicator's relative importance within a larger set of indicators.

In an ideal world, all operational risk indicators would be quantitative, and their weighting within the overall risk score of a business line would be decided statistically, and backtested.

Operational risk modelling would end up looking something like advanced credit modelling - a series of weighted risk ratios back-tested against the available data.

In the real world, some bankers say it's difficult to avoid assessing operational risk using qualitative factors. That's why the new science of quantitative operational risk management sometimes begins to sound like the rather older art of risk auditing - armed with new information management tools and risk/reward concepts.

Indeed, some practitioners argue that risk managers who try to track operational risk at group level should simply incorporate audit scores for each business line into their enterprise-wide risk assessments.

The tension between quantitative and qualitative assessments of risk is likely to be a continuing theme in operational risk management. The problem is at its greatest in business lines and support functions such as fund management or legal risk that that rely heavily on individual expertise and integrity.

But even techniques for awarding qualitative scores can be improved. For example, qualitative scoring can be linked more closely related to risk levels, rather than control levels. That is, the weighting given to each element of the control environment can be modified to reflect the severity of any loss given a failure of control, and the scoring can be made independent, and benchmarked for consistency.

Moving from measurement to capital allocation
Quantitative measures and improved scorecards can be used to compare the risk levels in different business lines, track risk trends, improve controls and prioritise risk management efforts. But some firms are also starting to use them to allocate portions of economic risk capital to particular business lines.

There are various ways to approach this problem. One is to work out the total capital the bank ought to set aside to cover operational risk by looking at the amounts of capital other banks set aside (the benchmarking methodology) or by a statistical analysis of industry-level operational losses in the relevant business lines.

Internal scorecards can then be used to adjust the portion of the capital charge allocated to each particular business line.

This mixed methodology is not the only approach to calculating or allocating capital for operational risk. In the past, firms that allocated capital to operational risk tended to use non-interest expense as a rule of thumb or, alternatively, examined the revenue/expense volatility associated with a business.

Into the future, many firms hope they will be able to a purely statistical/actuarial approach that links the analysis of data collected at business-line level to firm- and industry-wide loss and risk data.

But for the moment, scorecards have some practical advantages from the point of view of forward-looking line managers and enterprise-wide risk managers.

For a start, the cause of a high score is transparent because it can easily be traced back to the scores on the card. By contrast, if a business line is deemed "risky" because of historical or industry-wide data, it is often unclear what the manager can do to reduce the risk score.

So scorecards help motivate managers to reduce the amount of economic capital allocated to their business line by ironing out problem areas. Likewise, group managers can quickly establish stronger incentives for line managers to improve controls.

From risk insurance to alternative risk transfer
Some operational risks are impossible to engineer away or to risk manage adequately. Others are so difficult to identify and scale that an institution can never be sure that its internal risk management has been effective.

Where the potential losses seem likely to be of medium severity, a financial institution can reserve capital or use self-insurance techniques to mitigate their impact. But in the case of a catastrophic risk, institutions either have to accept the risk as part of doing business, or transfer the risk to external providers of risk capital.

Over the last few years, new kinds of insurance and alternative risk transfer mechanisms have held out hope that this kind of risk transfer will become more practical and cheaper.

Insurance has developed in two ways. Firstly insurance policies have developed to cover types of operational risk that are ill-served in traditional bank cover.

Our next Expert Witness believes an improved set of insurance products will offer a stiff challenge to some novel ideas that have recently been mooted within the banking industry - such as mutual insurance techniques.

Secondly, insurers have begun to offer coverall policies for extreme levels of risk, arguing that the massive amounts of capital available to insurers gives them a special role in managing catastrophic risk.

But critics of the insurance strategies for operational risk claim that the insurance market is an opaque and inefficient way of pricing risk. They say the delay and uncertainty associated with insurance payouts might destroy a wounded institution.

In the case of alternative risk transfer mechanisms, on the other hand, capital would already in the hands of the wounded bank. ART tools - so far only a concept in the financial institutions sector - would take the form of structured instruments sold to the capital markets by the bank itself.

For example, some time in the near future a financial institution might sell a special bond to investors that offered an above-market interest rate, with the stipulation that the bank would cease paying any interest on the billion-dollar principal in the event of an operational disaster.

The premium the bank had to pay to the market to accept this embedded option would be, in effect, the market price of its operational risk - and the world would have seen the first operational risk derivative for a financial institution.

Some investment bankers say this kind of traded market in operational risk would price major bank risks more efficiently than the traditional insurance market. But the banking industry's own internal insurance specialists are more cautious.

They say they are still trying to work out how well their existing insurance polices complement the risks the bank is running. They don't think they'll be in a position to understand the cost reduction and risk management benefits of new-fangled instruments for some time to come.

But it would be a pleasant irony if the derivatives technology that lay behind some of the most famous operational losses in the 1990s eventually helped to tame the most unpredictable piece of the risk jigsaw.