Operational Risk Management

Identify, assess, and mitigate operational risk with this practical and authoritative guide

In the newly revised second edition of Operational Risk Management: A Complete Guide for Banking and Fintech, accomplished risk executive and expert Philippa Girling delivers an insightful and practical exploration of operational risk in organizations of all sizes. She offers risk professionals and executives the tools, strategies, and best practices they need to mitigate and overcome ever-present operational risk challenges that impact business in all industries.

This latest edition includes:

• Insight into how operational risk can be effectively managed and measured in today's digital banking age.
• Updates on the latest regulatory guidance on operational risk management requirements in all aspects of the operational risk framework.
• Updates on the new Basel II capital modeling methodology for operational risk.
• New explorations of operational risk events in recent years including the impact of the global Covid-19 pandemic.
• Updated case studies including large events at Wells Fargo, Credit Suisse and Archegos Capital Management.

Ideal for executives, managers, and business leaders, Operational Risk Management is also the perfect resource for risk and compliance professionals who wish to refine their abilities to identify, assess, mitigate, and control operational risk.

Preface xiii

Acknowledgments xv

Chapter 1 Definition and Drivers of Operational Risk 1

The Definition of Operational Risk 1

2012 London Olympics: A Case Study 5

Operational Risk Management and Operational Risk Measurement 9

Drivers of Operational Risk Management 13

Key Points 14

Review Questions 14

Notes 15

Chapter 2 The Regulatory Push 17

History of the Basel Accords 17

Rules of the Accords 22

Adoption of Basel II in Europe 27

Adoption of Basel II in the United States 27

Impact of the Financial Crisis 29

Basel III 34

Key Points 36

Review Questions 36

Notes 37

Chapter 3 The Operational Risk Framework 39

Overview of the Operational Risk Framework 39

The Foundations of the Framework 40

The Four Data Building Blocks 42

Measurement and Modeling 44

Reporting 44

Risk Appetite 45

Key Points 45

Review Questions 46

Note 46

Chapter 4 Operational Risk Governance 47

Role of Governance 47

First Line of Defense 50

Second Line of Defense 51

Third Line of Defense 63

Risk Committees 66

Key Points 68

Review Questions 69

Notes 69

Chapter 5 Culture and Awareness 71

Winning over the Firm 71

Marketing and Communication 72

Agile 73

Training 75

Planning 76

The “Use Test” 82

Key Points 84

Review Question 84

Note 84

Chapter 6 Policies and Procedures 85

The Role of Policies, Procedures, Guidelines, and Standards 85

Best Practices 88

Operational Risk Policy 88

Sample Operational Risk Policy 89

Sample Standards, Procedures, and Guidelines 95

Key Points 97

Review Question 97

Note 97

Chapter 7 Internal Operational Risk Event Loss Data 99

Operational Risk Event Data 99

Internal Loss Data or Internal Operational Risk Events 100

Risk Event Categories 103

Using the Basel Risk Categories 112

Minimum Operational Risk Event Data Standards 113

Where Should Operational Risk Event Data Be Collected? 129

When Should Operational Risk Event Data Be Collected? 130

How Should Operational Risk Event Data Be Collected? 130

Key Points 132

Review Questions 132

Notes 134

Chapter 8 External Loss Data 135

External Operational Risk Event Data 135

Sources of External Loss Event Data 136

Challenges of External Data 139

Key Points 147

Review Question 148

Notes 148

Chapter 9 Key Risk Indicators 149

Key Risk Indicators 149

Selecting Kris 153

Thresholds 154

Kri Standards 154

Kri Challenges 155

Metrics Examples 155

Key Points 161

Review Question 161

Note 161

Chapter 10 Risk and Control Self-Assessments 163

The Role of Assessments 163

RCSA Methods 166

RCSA Scoring Methods 169

RCSA Best Practices 173

Key Points 178

Review Question 179

Note 179

Chapter 11 Scenario Analysis 181

Role of Scenario Analysis 181

Scenario Analysis Approaches 183

Scenario Analysis Output 192

Key Points 195

Review Questions 195

Notes 196

Chapter 12 Capital Modeling 197

Operational Risk Capital 197

Basic Indicator Approach 199

Standardized Approach 202

Advanced Measurement Approach 208

Insurance 221

Future of Capital Requirements: Basel III 223

Key Points 235

Review Questions 236

Notes 236

Chapter 13 Reporting 239

Role of Reporting 239

Operational Risk Event Reporting 241

Risk and Control Self-Assessment Reporting 247

Key Risk Indicator Reporting 248

Scenario Analysis Reporting 249

Capital Reporting 249

Action Tracking Reporting 250

A Consolidated View 253

Dashboards 253

Key Points 253

Review Question 255

Chapter 14 Risk Appetite 257

The Role of Risk Appetite 257

Regulatory Expectations 259

Implementing a Risk Appetite Framework 264

Monitoring Operational Risk Appetite 268

Risk Appetite Today 272

Key Points 272

Review Question 273

Notes 273

Chapter 15 Reputational Risk and Operational Risk 275

What Is Reputational Risk? 275

Reputational Impact 277

Regulatory Oversight of Reputational Risks 283

Reputational Risk Management Framework 284

Key Points 289

Review Question 289

Notes 290

Chapter 16 Operational Risk and Convergence 291

Operational Risk as a Catalyst for Convergence 291

Governance, Risk, and Compliance (GRC) 292

Converged or GRC Reporting 301

Key Points 302

Review Question 303

Notes 303

Chapter 17 Best Practices in Related Risk Management Activities 305

New-Product Approval 305

Supplier and Third-Party Risk Management 306

Legal Risk Management 307

Regulatory Risk Management 308

People Risk Management 308

Fraud Risk Management 309

Technology Risk Management 310

Climate Risk 311

Pandemic Planning 312

Strategic Risk 314

Key Points 316

Review Question 317

Notes 317

Chapter 18 Case Studies 319

JPMorgan Whale: Risky or Frisky? 319

Review Questions 324

Notes 339

Appendix: Answers to Review Questions 341

About the Author 351

About the Website 353

Index 355

PHILIPPA GIRLING, PhD, is Chief Risk Officer at Varo Bank N.A. She has over 25 years of experience in global financial services and is a recognized risk management leader who has authored two popular operational risk textbooks. She is a sought-after public speaker on enterprise risk management and digital transformation and was named as one of the decade’s “Top Fifty Faces of Operational Risk” in 2006.

Banks have worked with formalized operational risk frameworks for many years, but the banking industry’s digital transformation has given rise to new issues and entrants who require special consideration to manage their risks effectively. Modern risk executives and managers often find themselves struggling to offer assurances to senior managers of both traditional financial institutions and financial technology companies that operational risks are being effectively mitigated.

In the thoroughly updated Second Edition of Operational Risk Management: A Complete Guide for Banking and Fintech, veteran operational risk leader Dr. Philippa Girling explores the evolution of the operational risk regulatory framework as it has responded to some of the most notorious risk events over the last decade. The book offers a revised framework containing practical steps to ensure the effective identification, assessment, monitoring, and mitigation of operational risks.

Operational Risk Management provides risk professionals in banking and fintech with the tools, strategies, and best practices they need to respond to the ever-changing risk environment facing their organizations. It offers updates on the new Basel II capital modeling and risk framework methodologies for operational risk and explores new operational risk events from recent years, including the global COVID-19 pandemic. This latest edition also includes updated case studies covering significant events at DNB ASA, Credit Suisse, and Archegos Capital Management and considers the reputational fallout from the recent Australian banking scandals.

Few disciplines have matured as much—or as quickly—over the past decade as the management of operational risk. Both early-career and experienced operational risk professionals will find the techniques, frameworks, and concepts found in this book invaluable for effective and efficient risk mitigation. Combining practical insights drawn from decades of experience in the industry with rigorous theory and revealing case studies, this book is a must-read for any executive, manager, or business leader responsible for containing risk.

PRAISE FOR OPERATIONAL RISK MANAGEMENT

“From classical training of key concepts to tactical deployment methods, Philippa Girling navigates the nuances and complexities of operational risk management with ease and positions the practitioner to successfully implement a value-added program from the ground up.”

—Spyro Karetsos, Chief Compliance Officer, Google

“Basel II ushered in a new era of operational risk management and COVID-19 sealed its importance to business resiliency around the globe. Girling’s deep experience in financial services and operational risk management over these two decades brings a practitioner’s insights to effectively managing everything from GRC tools to scenario analysis. Whether you are a student of risk, senior manager or board member, Operational Risk Management is a must-read.”

—Nancy Foster, CEO, Risk Management Association

“Philippa Girling has provided a welcome addition to the literature about risk management in financial institutions. In addition to a thorough background on the principles involved, she is able to share the hands-on experience she has in every area of risk.”

—Kenneth Abbott, Professor, Baruch College and ex-CRO Americas, Barclays

“Philippa Girling has improved upon her already excellent text on operational risk in this second edition. This is a must-read for anyone seeking to build a sound operational risk management practice at their institution or improve upon an already existing program.”

—Kevin D. Oden, Managing Partner, Kevin D. Oden & Associates