Risk management systems are commonly employed by firms, which may include financial institutions, resource-based corporations, trading organizations, governments, and other users, for example, to make informed decisions in assessing and managing the risks associated with the operations of these users.
In modern financial and regulatory environments, effectively measuring and managing market risk, credit risk and operational risk is vital in the development of a comprehensive risk management system. Many organizations have implemented procedures that successfully address market risk and, to some extent, credit risk. However, managing operational risk presents special challenges, since the sources of data required to measure operational risk are often limited, and since there is a lack of industry-accepted methodologies to measure such risk.
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, systems or external events. This definition may be extended for non-regulatory purposes to encompass legal risk and strategic risk (i.e. the risk of making a poor business decision). Some of the most important types of operational risk involve breakdowns in internal controls and corporate governance. Such breakdowns can lead to financial losses through error, fraud, or failure to perform (i.e. address risk events) in a timely manner or cause the interests of a financial institution to be compromised in some other way (e.g. staff exceeding their authority or conducting business in an unethical or risky manner). Major publicized losses at financial institutions in recent years illustrate the enormity of loss events resulting from the failure of or non-existence of operational risk management systems. Major losses caused by information technology systems failures, disasters, and rogue trading, for example, have cost financial institutions and firms vast sums of money, diminished shareholder value, and tarnished their reputation with the general public.
Recent studies have suggested that the operational risk exposure in the banking industry is substantial and growing. For instance, KPMG Consulting Inc. published an analysis entitled “Operational Risk Becomes a Capital Problem” (May 10, 2000) which found that operational risk accounts for approximately 40% of a financial institutions overall risk. Reflecting the growing importance of operational risk, the Basle Committee on Banking Supervision (BCBS) has recently established new capital proposals that will require financial institutions to implement robust systems for the collection and monitoring of operational risk data. The BCBS is part of The Bank of International Settlements (BIS), an international organization which fosters international monetary and financial cooperation, and serves as a bank for central banks. The BCBS proposes implementing three new methods for calculating the operational risk capital charge for financial institutions, namely:                (a) Basic Indicator Approach;        (b) Standardized Approach; and        (c) Advanced Measurement Approach (AMA).        
Under the Basic Indicator Approach, financial institutions must hold capital for operational risk equal to a fixed percentage of an indicator of size, or risk, such as gross income. Under the Standarized Approach, the required capital for a financial institution as a whole is the aggregate of the required capital amounts for all business lines within the organization, as calculated individually using a similar methodology to the Basic Indicator Approach. The AMA is a more sophisticated method that allows each institution to implement its own measurement method for operational risk. As an incentive for implementing operational risk management systems, BIS has proposed that as financial institutions move from the Basic Indicator method along the continuum of increasingly sophisticated models for calculating the operational risk, they will be rewarded with a lower capital charge. Further, BIS mandates that failure to comply with its new policies will be result in a variety of supervisory actions, including increased oversight, senior management changes, and the requirement of additional capital.
In theory, the desire not to tie up capital should provide a powerful incentive for financial institutions to monitor and reduce operational risk. Despite being aware that operational risk has been increasing in the banking industry, many banks are only in the early stages of developing a framework for measuring and managing operational risk. This reluctance to adopt operational risk management systems may be largely be attributed to the lack of effective risk measurement models and methodologies.
Various approaches have been developed for modeling operational risk. The majority of these models provide only a firm-wide view of operational risk, and are unable to effectively manage risk exposure at the business unit level. For example, the Capital Asset Pricing Model (CAPM) is a top-down model which provides an overview of a firm's operational risk exposure by focusing only on major operational failures (e.g. disasters).
A further hindrance to the development and adoption of operational risk management systems is the limited availability of loss process data. While a growing number of financial institutions are collecting and analyzing operational loss event data, it is clear that there has been no industry standard for the accumulating such data. Such data collection is vital for the assessment of operational risk at individual institutions.
Accordingly, there is a need for a system and method of measuring and managing operational risk that is capable of providing an assessment of risk exposure throughout all levels of a firm. There is a further need for a flexible operational risk management system that can be adapted to support new operational risk capital calculation models and methodologies, and new sources of loss process data, as they appear.