Each bank has its own definition of operational risk. We reviewed a number of them and, based on some banking experience, present the following elements of operational risk:
• Information technology systems risk.
• Human resources risk.
• Reputation risk.
• Compliance risk.
• Legal and documentation risk.
• External risk.
Information technology systems risk
Banks rely on information systems technology for the smooth functioning of business. The business of the mainstream banks is complex because they operate through a branch system over a large geographic area, have numerous clients and products on both the liability and asset segments of their balance sheets, have to cope with complex accounting systems, and must comply with stringent regulatory requirements that call for myriad multifaceted returns.
Given this, information technology systems risk may be defined as a breakdown in the information systems' hardware and/or software that renders the retrieval of information unworkable or difficult or delays the retrieval of information, all of which can cause the cessation or delay of business. This definition can be expanded to include the delays caused by the implementation of new hardware or software or, at a lower level, the incorrect encoding of cheques.
The mitigation of information technology systems risk involves many elements ranging from organizational structure, delegation of responsibility, etc., to the use of external information technology to back up information and systems, suitably trained managers, the use of reliable vendors, etc.
The most important mitigation element of information technology systems risk is the disaster recovery system (DRS). An effective DRS, which ensures that business can continue outside of the bank's main building, incorporates a back-up site in another part of the city, or in another city, where the essential infrastructure is available. The site will provide the same front, middle and back office systems as exist in the main building, and therefore ensure that operations can be conducted.
Human resources risk
Humans manage the business of banking. Human resources risk (HRR) is the risk of insufficiency and/or inadequacy of human capital resources. Insufficiency refers to not having sufficient human capital to run the business, and inadequacy refers to misdeeds of staff.
The most important feature of HRR is the principal-agent problem, and it applies at top management level. The managers (agents) of businesses usually own just a fraction of the business. In most cases, the business is owned by the shareholders (principals), who are usually not employed by the business. This separation of control and ownership can lead to moral hazard, i.e. the agents may not always act in the best interest of the principals.
The management of human resources risk includes:
• Adequate training.
• Ongoing further education / skills improvement.
• Overlapping of skills to allow for sickness / maternity leave / annual leave / death (i.e. the uninterrupted availability of the key skills).
• Succession identification and training.
• A motivating reward system.
• A policy that prevents key personnel from being exposed to a risk to life together (e.g. not flying on the same flight).
• Introduction of checks and balances in key functions.
• Reconciliation and segregation of duties (e.g. capturing, verifying and authorizing).
• A code of ethics that covers: business ethics, gifts and favors, confidentiality, etc.
• Auditors (internal and external) should monitor HR issues / processes.