As stated in the definition on the previous page, operational risk emanates both from inside and outside of a bank. Examples of operational risk include the following:
- Internal and External Fraud
  - Acts intended to defraud, misappropriate property, or circumvent laws and regulations. Examples include intentional misreporting of positions, employee theft, insider trading on an employee’s own account, robbery, forgery, check kiting and damage from computer hacking. For more information, review the Fraud Tool in the Meeting Materials.
- Employment Practices and Workplace Safety
  - Acts inconsistent with employment, health or safety laws or agreements, or that result in payment of personal injury claims or claims relating to diversity/discrimination issues. Examples include workers’ compensation claims, violation of employee health and safety rules, organized labor activities, discrimination claims and general liability (for example, a customer slipping and falling at a branch office).
- Clients, Products and Business Practices
  - Unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements) or from the nature or design of a product.
  - Examples include fiduciary breaches, misuse of confidential customer information, improper trading activities on the bank’s account, money laundering and sale of unauthorized products.
- Damage to Physical Assets
  - Loss or damage to physical assets resulting from natural disaster or other external events.
  - Examples include terrorism, vandalism, earthquakes, fires and floods.
- Business Disruption and System Failures
  - Disruption of business or system failures, including events that keep processes or transactions from completing as expected.
  - Examples include hardware and software failures, telecommunication problems and utility outages. For more information, review the discussion on Information Technology (IT) in the Meeting Materials.
- Execution, Delivery and Process Management
  - Failed transaction processing or process management, and relations with trade counterparties and vendors.
  - Examples include data entry errors, collateral management failures, incomplete legal documentation, unapproved access given to client accounts, non-client counterparty nonperformance and vendor disputes. For more information, review the discussion on Payment Systems Risk (PSR) in the Meeting Materials.
- New laws, regulatory change, changing economic and competitive conditions.
From the list, do you notice anything about the nature of operational risk as opposed to other major risks which banks face? Unlike credit, liquidity and market risk, operational risks tend to be less standardized or less systematic, and the bank’s risk exposure can be small or large depending upon circumstances.
To bring home this point, who knows when an earthquake, tornado or hurricane will strike and what the extent of damage will be upon the bank and its operations? Who knows when an employee will fall off of a ladder while trying to retrieve a box from a high shelf, how seriously they will be hurt by the fall and what claims will be made against the bank? Who knows when a construction worker will dig through a cable that cuts power to the bank and what the outage will mean for the bank?
Yet, despite the uncertainty surrounding the timing of and damage done by operational risk events, banks are expected to—and must—control their exposure to them.