Module V·Article III·~6 min read

Operational Risk and Event Risk

Extreme Events and Tail Risks


Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. It is not a "fashionable" risk like credit or market risk, but it is one of the most destructive: Société Générale lost €4.9 billion to rogue trader Jérôme Kerviel (2008); Knight Capital went bankrupt in 45 minutes because of an algorithm error ($440 million, 2012); JPMorgan's "London Whale" cost $6.2 billion (2012); Wells Fargo's fake accounts cost $3 billion in fines plus reputational damage (2016). Basel II/III require banks to hold capital against operational risk, and the field is developing rapidly as cyber risk grows in significance.

Classification of Operational Risks

Basel event typology (7 categories):

  1. Internal fraud. Unauthorized transactions, theft, intentional misstatement of reporting.
  2. External fraud. Theft, hacking, phishing, cybercrime from outside the organization.
  3. Employment practices and workplace safety. Discrimination, harassment, violations of labor law.
  4. Clients, products and business practices. Mis-selling, breach of fiduciary duty, money laundering.
  5. Damage to physical assets. Natural disasters, terrorist attacks.
  6. Business disruption and system failures. IT outages, infrastructure failures.
  7. Execution, delivery and process management. Errors in transaction processing, documentation, and supplier relationships.

8 business lines (Basel):

  1. Corporate finance.
  2. Trading & Sales.
  3. Retail banking.
  4. Commercial banking.
  5. Payments and settlements.
  6. Agency services.
  7. Asset management.
  8. Retail brokerage.

The 7×8 matrix gives 56 cells, each with its own loss model. The regulator requires at least 10 years of data in the OpRisk loss database.

Capital Models for Operational Risk

Basel II offers three approaches, in order of complexity:

1. Basic Indicator Approach (BIA). Capital = 15% × average gross income over the last 3 years. The simplest approach; used by small banks.

2. The Standardised Approach (TSA). Each business line has its own coefficient β (12–18%): Capital = Σ β_i × gross income_i.

3. Advanced Measurement Approach (AMA). Internal models, chiefly:

Loss Distribution Approach (LDA). For each cell (event category, business line):

  • Frequency: N ~ Poisson(λ) or NegBin (for overdispersion).
  • Severity: X ~ LogNormal or GPD (for heavy tails).
  • Total annual loss in the cell: S = Σ_{i=1}^{N} X_i.

Capital = VaR_{0.999}(Σ_cells S) over a 1-year horizon. The cells are aggregated with their dependencies taken into account (often via a copula).

Basel III moves to the SMA (Standardised Measurement Approach, 2017–2023). AMA was withdrawn because of the opacity and low comparability of banks' internal models. Under SMA, Capital = BI × ILM (Internal Loss Multiplier), where BI (Business Indicator) is a function of the bank's size and ILM is a coefficient based on the bank's historical losses.

Features of Operational Risk Assessment

Problems:

  • Scarce tail data. Truly large losses are rare (1–2 per decade per bank), too few to calibrate the severity distribution.
  • External (consortium) data. ORX (Operational Riskdata eXchange) is an international consortium of 100+ banks that share anonymized loss data, which helps calibrate the tail.
  • Scaling. External data do not match the bank's own portfolio, so they must be normalized to the organization's size (by revenue or assets).
  • Non-stationarity. The risk profile changes over time (new products, new threats such as cyber).

Numerical Example

Bank with OpRisk loss database: 50 events over 5 years.

  • 40 events < $1M.
  • 8 events $1–10M (average $4M).
  • 2 events > $10M (one $25M, one $50M).

Step 1. Frequency: λ̂ = 50/5 = 10/year → N ~ Poisson(10).

Step 2. Severity. Fitting a LogNormal to the 40 body events: μ_body = 13.5 (e^13.5 ≈ $700K), σ_body = 1.2. Fitting a GPD to the 10 tail events above the threshold u = $1M: ξ̂ = 0.45 (heavy tail), σ̂ = $3M.

Step 3. Composite model: the LogNormal body below u and the GPD tail above u, X = LogNormal·1{X<u} + GPD-tail·1{X≥u}, with the tail branch taken with probability 10/50 = 0.2.

Step 4. Monte Carlo (100,000 year simulations):

  • Simulate N ~ Poisson(10).
  • For each of the N events, draw X from the composite distribution.
  • S_year = Σ X.

Empirical distribution of S:

  • E[S] = $9M.
  • σ(S) = $25M.
  • VaR_{0.999}(S) ≈ $180M. This is the OpRisk capital under AMA.
  • VaR_{0.99}(S) ≈ $80M.

Comparison with BIA. If the bank’s gross income is $500M/year: Capital_BIA = 15% × $500M = $75M.

AMA gives $180M, significantly higher because of the heavy tail: the model allows for a $200M+ event that has not yet occurred.
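The Monte Carlo of Steps 1–4 and the BIA comparison, written out as an added example (not code from the article) that also serves the Assignment at the end of the page. It assumes the LogNormal body is truncated at u, the tail branch is taken with probability 10/50 = 0.2, and a fixed seed; the parameter values are the article's.

```python
import math
import random
from statistics import NormalDist
U = 1_000_000.0  # body/tail threshold u = $1M, as in the article

def sample_poisson(rng, lam):
    """Event count N ~ Poisson(lam) via Knuth's method (fine for lam ~ 10)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def sample_severity(rng, mu, sigma, xi, beta, p_tail):
    """Composite X: LogNormal body kept below u, GPD excess over u in the tail."""
    if rng.random() < p_tail:
        v = 1.0 - rng.random()                     # uniform on (0, 1]
        return U + beta / xi * (v ** (-xi) - 1.0)  # GPD by inverse transform
    while True:                                    # rejection: keep body draws < u
        x = rng.lognormvariate(mu, sigma)
        if x < U:
            return x

def simulate_annual_loss(n_sims=100_000, lam=10.0, mu=13.5, sigma=1.2,
                         xi=0.45, beta=3_000_000.0, p_tail=0.2, seed=7):
    """One total loss S per simulated year: S = sum of N composite severities."""
    rng = random.Random(seed)
    return [sum(sample_severity(rng, mu, sigma, xi, beta, p_tail)
                for _ in range(sample_poisson(rng, lam)))
            for _ in range(n_sims)]

def summarise(losses):
    """E[S], sigma(S) and empirical VaR_0.99 / VaR_0.999 of the simulated years."""
    s, n = sorted(losses), len(losses)
    mean = sum(s) / n
    sd = math.sqrt(sum((x - mean) ** 2 for x in s) / (n - 1))
    quantile = lambda q: s[min(n - 1, int(q * n))]
    return {"mean": mean, "sd": sd, "var99": quantile(0.99), "var999": quantile(0.999)}

def analytic_mean_annual_loss(lam=10.0, mu=13.5, sigma=1.2, xi=0.45,
                              beta=3_000_000.0, p_tail=0.2):
    """E[S] = lam * E[X] in closed form, as a cross-check on the Monte Carlo."""
    nd, a = NormalDist(), (math.log(U) - mu) / sigma
    body = math.exp(mu + sigma ** 2 / 2) * nd.cdf(a - sigma) / nd.cdf(a)  # E[LN | LN < u]
    tail = U + beta / (1.0 - xi)                                           # needs xi < 1
    return lam * ((1.0 - p_tail) * body + p_tail * tail)

def bia_capital(gross_income, alpha=0.15):
    return alpha * gross_income  # Basic Indicator Approach: 15% of gross income
```

Re-running simulate_annual_loss with xi=0.6, or with lam and p_tail refitted to 51 events, answers the assignment's sensitivity questions; the run's figures depend on the truncation and tail-probability choices above and on the seed.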

Cyber Risk

A growing category of operational risk. Features:

  • Extremely heavy tails (ξ > 0.5 for the size of breaches).
  • Systemic: one vulnerability can affect the whole industry (NotPetya 2017, Log4Shell 2021).
  • Correlation with other risks (cyber-related financial fraud).

Famous catastrophes:

  • WannaCry (May 2017): £92M loss to the UK NHS, $4–8 billion globally.
  • NotPetya (June 2017): $10+ billion globally (Maersk, FedEx, Merck).
  • SolarWinds (December 2020): compromise of 18,000+ organizations.
  • Colonial Pipeline ransomware (May 2021): paid $4.4M, stoppage 6 days.
  • MOVEit (2023): >2,000 organizations, 60+ million records.

Cyber insurance market: $14B in premiums (2022), projected $34B (2031). Exclusions: war, critical infrastructure (Lloyd's activated its war exclusion in 2023 after the conflict in Ukraine).

FAIR (Factor Analysis of Information Risk) is a quantitative cyber-risk model: Risk = threat frequency × probability of success × scale of harm. Each component is sampled by Monte Carlo, yielding a distribution of expected losses.

Management of Operational Risk

Key Risk Indicators (KRI). Leading metrics such as:

  • IT-system availability (% uptime).
  • Number of transaction errors per 1000.
  • Staff turnover (especially in trading, IT security).
  • Backlog in operations.
  • Failed audit findings.

Breaches of KRI threshold values serve as early warnings for escalation.

RCSA (Risk and Control Self-Assessment). Once a year, each business line:

  • Identify key risks.
  • Assess inherent risk (without controls).
  • Describe existing controls.
  • Assess residual risk (with controls).
  • Gap analysis → action plan.

Operational loss data collection. All events above a threshold ($5K–$25K) are recorded in the database with categorization; this data is used to calibrate the models.

Real Applications

  • Société Générale 2008. Jérôme Kerviel opened unauthorized positions of €50 billion (notional). Loss €4.9 billion upon unwinding. Lesson: trading-limit controls, IT security, the four-eyes principle.
  • JPMorgan "London Whale" 2012. Bruno Iksil, synthetic credit positions. Loss $6.2 billion. Lesson: model risk, supervision.
  • Wells Fargo fake accounts 2016-2018. 3.5 million fake client accounts under sales target pressure. Fines $3+ billion, CEO fired. Lesson: incentive misalignment.
  • Knight Capital 2012. HFT algorithm deployment error. Loss $440M in 45 minutes. Bankruptcy. Lesson: deployment processes, kill switches.
  • Credit Suisse Archegos 2021. $5.5 billion loss from Bill Hwang's family office. Lesson: counterparty risk, margin requirement transparency.

Assignment. A bank has a historical OpRisk loss database of 50 events over 5 years. Frequency: N ~ Poisson(λ = 10/year). Severity: 40 events distributed LogNormal(μ = 13.5, σ = 1.2); 10 events above $1M distributed GPD(ξ = 0.45, σ = $3M, threshold = $1M). (a) In Python, fit the distribution parameters (the statistics are given; check them). (b) Implement Monte Carlo (100,000 simulated years) for the distribution of total annual loss S. (c) Compute E[S], σ(S), VaR_{0.99}, VaR_{0.999}. (d) Compare with BIA capital (15% of gross income of $500M/year). (e) Sensitivity: how does VaR_{0.999} change with ξ = 0.6 (heavier tail)? With one extra $100M event added over the 5 years?
