🏦 Operational Risk Management
Keeping the Bank’s Engine Running Smoothly
🎯 The Big Idea
Imagine a bank is like a giant kitchen where chefs (employees) cook meals (provide services) for customers. What could go wrong?
- A chef could make a mistake with the recipe
- Someone could sneak in and steal ingredients
- The oven could break down
- A customer could get food poisoning and sue
Operational Risk is all the bad things that can happen because of:
- People making mistakes or doing bad things
- Systems breaking down
- Processes going wrong
- External events like disasters
🌟 Our Kitchen Analogy
Throughout this guide, we’ll think of the bank as a busy restaurant kitchen:
| Kitchen | Bank |
|---|---|
| Chefs | Employees |
| Recipes | Procedures |
| Ovens & Equipment | Computer Systems |
| Health Inspector | Regulators |
| Thieves | Fraudsters |
📖 Operational Risk Overview
What Is It?
Operational Risk = The risk of loss from inadequate or failed internal processes, people and systems, or from external events. That is the Basel definition, and it deliberately excludes credit risk (loans going bad) and market risk (prices crashing) while including legal risk.
Think of it this way: If a chef burns the soup, that’s an operational problem. If customers stop coming because of a recession, that’s a different kind of risk.
The Four Troublemakers
```mermaid
graph TD
    A["Operational Risk Sources"] --> B["👥 People"]
    A --> C["⚙️ Processes"]
    A --> D["💻 Systems"]
    A --> E["🌪️ External Events"]
    B --> B1["Mistakes<br>Fraud<br>Lack of Training"]
    C --> C1["Bad Procedures<br>Missing Steps"]
    D --> D1["Computer Crashes<br>Software Bugs"]
    E --> E1["Hackers<br>Natural Disasters"]
```
Real Example
The $6 Billion Mistake 🎯
In 2012, a trader in JPMorgan's London office (the "London Whale") built up derivative positions that lost the bank over $6 billion. How?
- Poor oversight of the trading desk (people problem)
- Weak controls: position limits were breached and the breaches were waved through (process problem)
- A new risk model understated the positions' risk; it was run partly in spreadsheets and contained errors (system and model problem)
🕵️ Fraud Risk
What Is Fraud?
Fraud is when someone tricks the bank to steal money or gain an advantage.
It’s like a chef who:
- Takes food home without paying
- Charges customers extra and keeps the difference
- Lets their friends eat for free
Two Types of Fraud
```mermaid
graph LR
    A["🕵️ Fraud Risk"] --> B["Internal Fraud"]
    A --> C["External Fraud"]
    B --> B1["Employees stealing"]
    B --> B2["Fake expense reports"]
    B --> B3["Unauthorized trades"]
    C --> C1["Customer scams"]
    C --> C2["Identity theft"]
    C --> C3["Check fraud"]
```
Real Examples
Internal Fraud 🔴
A bank employee creates fake accounts in customers’ names to meet sales targets. They earn bonuses for accounts the customers never wanted.
External Fraud 🔵
Criminals send emails pretending to be the bank, tricking customers into giving up their passwords. They then empty the accounts.
How Banks Fight Fraud
| Defense | How It Works |
|---|---|
| Two-person rule | Two people must approve big transactions |
| Transaction monitoring | Computers watch for unusual patterns |
| Background checks | Screen employees before hiring |
| Customer verification | Confirm identity before big changes |
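Two of the defenses in the table, the two-person rule and transaction monitoring, as an added Python example (constructed for this guide, not code from the original page or from any bank). The dual-control limit, the "5x the account's median" rule and the sample payments are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from statistics import median

DUAL_CONTROL_LIMIT = 10_000.0   # assumption: payments above this need two approvers
UNUSUAL_MULTIPLE = 5            # assumption: > 5x the account's median amount is "unusual"


@dataclass
class Payment:
    payment_id: str
    account: str
    amount: float
    country: str                                         # destination country
    approvals: list[str] = field(default_factory=list)   # user ids who approved


def check_dual_control(p: Payment) -> tuple[bool, str]:
    """Two-person rule: a large payment needs two *distinct* approvers.
    Counting distinct users matters: one person approving twice (or the
    initiator also approving) is the usual way this control gets bypassed."""
    if p.amount <= DUAL_CONTROL_LIMIT:
        return True, "below dual-control limit"
    distinct = set(p.approvals)
    if len(distinct) < 2:
        return False, f"needs 2 distinct approvers, has {len(distinct)}"
    return True, "dual control satisfied"


def monitor_transaction(history: list[Payment], new: Payment) -> list[str]:
    """Transaction monitoring: compare a new payment with the same account's
    history and return the rules it trips (empty list = nothing unusual)."""
    alerts = []
    past = [h for h in history if h.account == new.account]
    if not past:
        return ["no history for this account; apply new-account limits"]
    typical = median(h.amount for h in past)
    if new.amount > UNUSUAL_MULTIPLE * typical:
        alerts.append(f"amount {new.amount:.2f} is more than {UNUSUAL_MULTIPLE}x "
                      f"the account's median {typical:.2f}")
    if new.country not in {h.country for h in past}:
        alerts.append(f"first payment from this account to {new.country}")
    return alerts


# Constructed sample history for one retail customer (not real data).
HISTORY = [
    Payment("p1", "ACC-1", 120.0, "GB"),
    Payment("p2", "ACC-1", 80.0, "GB"),
    Payment("p3", "ACC-1", 150.0, "GB"),
]


def run_examples() -> dict:
    """Three constructed cases: a self-approved large payment (blocked), a
    properly dual-approved one (allowed), and an out-of-pattern payment."""
    self_approved = Payment("p4", "ACC-9", 25_000.0, "GB", approvals=["alice", "alice"])
    dual_approved = Payment("p5", "ACC-9", 25_000.0, "GB", approvals=["alice", "bob"])
    out_of_pattern = Payment("p6", "ACC-1", 900.0, "NG")
    return {
        "self_approved": check_dual_control(self_approved),
        "dual_approved": check_dual_control(dual_approved),
        "alerts": monitor_transaction(HISTORY, out_of_pattern),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result}")
```

The detail worth noticing is the `set(p.approvals)`: a two-person rule that only counts approvals, not distinct approvers, is satisfied by one person clicking twice, and that is exactly the kind of control gap the internal fraud examples above exploit.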
💻 Cyber Risk
What Is It?
Cyber Risk is the danger of bad guys attacking through computers.
Imagine your kitchen has a smart lock. What if:
- Someone hacks the lock and breaks in?
- A virus makes all your ovens explode?
- Hackers steal all your secret recipes?
The Cyber Threat Landscape
```mermaid
graph TD
    A["💻 Cyber Threats"] --> B["🎣 Phishing"]
    A --> C["🦠 Malware"]
    A --> D["🔒 Ransomware"]
    A --> E["🌊 DDoS Attacks"]
    B --> B1["Fake emails<br>trick employees"]
    C --> C1["Viruses that<br>steal data"]
    D --> D1["Lock your files<br>demand payment"]
    E --> E1["Flood systems<br>crash website"]
```
Real Example
The Bangladesh Bank Heist 💰
In February 2016, hackers broke into Bangladesh Bank (the country's central bank) and tried to steal close to $1 billion. Using the bank's own credentials they sent fraudulent payment instructions over SWIFT (the interbank messaging network) to move money out of its account at the Federal Reserve Bank of New York. $81 million reached accounts in the Philippines before the remaining transfers were stopped; the attackers themselves were never caught.
What went wrong?
- Cheap network equipment (second-hand $10 switches) connecting the SWIFT systems to the rest of the bank's network
- No firewall between that network and the SWIFT systems
- Weak passwords
- Malware on the SWIFT terminal suppressed the printed confirmations, so staff did not see the transfers going out
- The attack was launched on a Thursday evening, at the start of the Bangladeshi weekend, when fewer people were watching
Cyber Defense Layers
Think of it like protecting a castle:
- Moat = Firewalls and network segmentation (keep attackers out, and keep them away from the crown jewels if they get in)
- Walls = Encryption (scramble data so thieves can't read what they steal; note that encryption protects the data, it does not stop the break-in)
- Guards = Monitoring (watch for intruders 24/7, including on weekends and holidays, which is when attackers prefer to strike)
- Training = Teach employees to spot phishing
- Backups = Keep copies of data in case of ransomware, stored offline or made immutable, otherwise the ransomware simply encrypts the backups too
📊 Model Risk
What Is a Model?
A model is a formula or computer program that helps banks make decisions.
It’s like a recipe calculator that tells chefs:
- “If a customer has X income, they can borrow Y dollars”
- “This investment will probably return Z percent”
What’s Model Risk?
Model Risk = The recipe calculator gives wrong answers!
```mermaid
graph TD
    A["📊 Model Risk"] --> B["Bad Inputs"]
    A --> C["Bad Formula"]
    A --> D["Wrong Use"]
    B --> B1["Garbage data<br>= garbage output"]
    C --> C1["Math errors<br>Wrong assumptions"]
    D --> D1["Using a cake recipe<br>to make soup"]
```
Real Example
The 2008 Financial Crisis 📉
Banks used models that said:
“House prices will always go up!”
Based on this, they made risky mortgage loans. When house prices crashed, the models were proven spectacularly wrong. Banks lost trillions of dollars.
Managing Model Risk
| Step | What It Means |
|---|---|
| Validation | Have independent experts check the model |
| Testing | Try the model with extreme scenarios |
| Documentation | Write down all assumptions |
| Monitoring | Check if model predictions match reality |
| Limits | Don’t trust any model 100% |
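The "Testing" and "Monitoring" rows, as an added Python example that is not code from the page: a backtest that compares a credit model's predicted default rates with what actually happened, grade by grade, and a stress test that shocks house prices to expose the "prices always go up" assumption from the 2008 example. The loan data, the 1.5x drift tolerance and the recovery assumption are all made up for illustration.

```python
from collections import defaultdict

DRIFT_TOLERANCE = 1.5   # assumption: flag a grade when observed > 1.5 x predicted


def backtest_by_grade(loans: list[tuple[str, float, bool]]) -> dict:
    """Monitoring: compare predicted default rate with realised default rate
    per risk grade. loans = (grade, predicted probability of default, defaulted?)."""
    buckets = defaultdict(lambda: {"n": 0, "pd_sum": 0.0, "defaults": 0})
    for grade, pd_, defaulted in loans:
        b = buckets[grade]
        b["n"] += 1
        b["pd_sum"] += pd_
        b["defaults"] += int(defaulted)
    report = {}
    for grade, b in sorted(buckets.items()):
        predicted = b["pd_sum"] / b["n"]
        observed = b["defaults"] / b["n"]
        report[grade] = {
            "n": b["n"],
            "predicted_rate": predicted,
            "observed_rate": observed,
            "flag": observed > DRIFT_TOLERANCE * predicted,
        }
    return report


def stress_loss(loans: list[tuple[float, float]], price_change: float) -> float:
    """Testing: apply a house-price shock and total the shortfall where the
    shocked collateral value no longer covers the balance.
    loans = (outstanding balance, current property value); price_change is
    a fraction (-0.30 = prices fall 30%). Assumption: on default the bank
    recovers exactly the shocked property value, nothing more."""
    loss = 0.0
    for balance, value in loans:
        shocked_value = value * (1 + price_change)
        loss += max(balance - shocked_value, 0.0)
    return loss


# Constructed sample portfolio (not real data).
LOANS_BY_GRADE = (
    [("A", 0.02, False)] * 10                                # grade A behaved as predicted
    + [("C", 0.05, True)] * 3 + [("C", 0.05, False)] * 7     # grade C: 30% defaulted vs 5% predicted
)
MORTGAGES = [(90.0, 100.0), (80.0, 100.0), (95.0, 100.0)]  # (balance, property value) in $k


if __name__ == "__main__":
    for grade, r in backtest_by_grade(LOANS_BY_GRADE).items():
        print(grade, r)
    print("loss if prices rise 5%:", stress_loss(MORTGAGES, 0.05))    # 0.0
    print("loss if prices fall 30%:", stress_loss(MORTGAGES, -0.30))  # 55.0
```

A model that is only ever run with `price_change >= 0` reports zero loss for every portfolio, which is the 2008 mistake in one line; the stress test's job is to run the scenarios the model's author did not believe in.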
⚖️ Legal Risk
What Is It?
Legal Risk = The bank could get sued or break the law!
It’s like a restaurant that:
- Gets sued for food poisoning
- Breaks health codes
- Violates labor laws
Sources of Legal Risk
```mermaid
graph TD
    A["⚖️ Legal Risk"] --> B["Lawsuits"]
    A --> C["Contracts Gone Bad"]
    A --> D["Regulation Violations"]
    B --> B1["Customers sue<br>for losses"]
    B --> B2["Employees sue<br>for discrimination"]
    C --> C1["Unclear terms<br>lead to disputes"]
    D --> D1["Breaking rules<br>means big fines"]
```
Real Example
Wells Fargo Fake Accounts 📝
Between 2002 and 2016, Wells Fargo employees opened millions of accounts customers had not asked for, to hit sales targets. Result?
- $185 million in regulatory fines in 2016, then a $3 billion settlement with the US Department of Justice and the SEC in 2020
- The CEO resigned under pressure and was later banned from the banking industry
- Reputation destroyed
- Years of lawsuits and a regulator-imposed cap on the bank's growth
Reducing Legal Risk
- Clear contracts - Write agreements carefully
- Legal review - Lawyers check new products
- Training - Employees know the rules
- Documentation - Keep records of everything
- Insurance - Protection against lawsuits
📋 Compliance Risk
What Is It?
Compliance Risk = Breaking the rules set by regulators.
Think of the health inspector visiting your kitchen. If they find violations, you get:
- Fines
- Bad publicity
- Maybe they shut you down!
Difference from Legal Risk
| Legal Risk | Compliance Risk |
|---|---|
| Breaking any law | Breaking financial regulations |
| Often involves lawsuits | Usually means fines from regulators |
| Often surfaces after the fact, as a dispute | Regulators expect controls to prevent it in advance |
Key Regulations Banks Must Follow
```mermaid
graph TD
    A["📋 Compliance Areas"] --> B["Anti-Money Laundering"]
    A --> C["Know Your Customer"]
    A --> D["Consumer Protection"]
    A --> E["Data Privacy"]
    B --> B1["Stop criminals<br>cleaning dirty money"]
    C --> C1["Verify who<br>customers really are"]
    D --> D1["Fair treatment<br>honest marketing"]
    E --> E1["Protect customer<br>information"]
```
Real Example
HSBC Money Laundering 💸
In 2012, HSBC admitted it had failed to stop Mexican drug cartels and sanctioned countries from moving money through its accounts. The penalty?
- $1.9 billion in penalties under a deferred prosecution agreement
- Five years under an independent monitor checking its anti-money-laundering controls
- Reputation damage worldwide
Building a Compliance Culture
- Tone from the top - Leaders must care about rules
- Training - Everyone knows what’s required
- Monitoring - Systems catch violations early
- Reporting - Easy way to flag problems
- Consequences - Rule-breakers face penalties
📏 Operational Risk Measurement
Why Measure?
You can’t manage what you can’t measure! Banks need to know:
- How much money could we lose?
- How much capital should we hold for protection?
Three Approaches
```mermaid
graph TD
    A["📏 Measurement Approaches"] --> B["Basic Indicator"]
    A --> C["Standardized"]
    A --> D["Advanced"]
    B --> B1["Simple: 15% of<br>gross income"]
    C --> C1["Different %<br>for each business"]
    D --> D1["Bank's own<br>complex models"]
```
1. Basic Indicator Approach (BIA)
The Simple Recipe:
Take 15% of the average annual gross income over the previous 3 years = Capital needed. Years in which gross income was zero or negative are dropped from the average (from both the numerator and the denominator), which means a loss-making year can actually raise the charge.
Example: Bank makes $100 million per year → Hold $15 million for operational risk
2. Standardized Approach
Under Basel II, gross income is split across eight business lines, each with its own "beta" factor reflecting how risky that business is. Four of them:
| Business Line | Beta Factor |
|---|---|
| Retail Banking | 12% |
| Commercial Banking | 15% |
| Trading & Sales | 18% |
| Asset Management | 12% |
The charge is computed year by year (a loss-making line can offset the others within a year, but a year's total is floored at zero) and then averaged over three years.
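The two calculations above, as an added Python example (constructed for this guide, not code from the original page or from any regulator). The income figures are invented; the alpha, the beta factors and the zero-floor rules are the Basel II ones described above.

```python
# BIA alpha and Basel II beta factors: the four lines in the table above
# plus the other four Basel II business lines.
ALPHA = 0.15
BETA = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}


def bia_capital(gross_income: list[float]) -> float:
    """Basic Indicator Approach: ALPHA times the average gross income of the
    previous three years. Years where gross income was zero or negative are
    left out of both the numerator and the denominator."""
    if len(gross_income) != 3:
        raise ValueError("BIA uses exactly three years of gross income")
    positive = [gi for gi in gross_income if gi > 0]
    if not positive:
        return 0.0
    return ALPHA * sum(positive) / len(positive)


def tsa_capital(years: list[dict[str, float]]) -> float:
    """Standardised Approach: for each year, sum beta x gross income across
    the business lines (a loss-making line offsets the others), floor the
    year's total at zero, then average. The divisor stays 3 even when a
    year is floored."""
    if len(years) != 3:
        raise ValueError("TSA uses exactly three years")
    total = 0.0
    for year in years:
        unknown = set(year) - set(BETA)
        if unknown:
            raise KeyError(f"unknown business line(s): {sorted(unknown)}")
        charge = sum(BETA[line] * gi for line, gi in year.items())
        total += max(charge, 0.0)
    return total / 3


# Constructed figures in $ millions (not any real bank's numbers).
STEADY = [100.0, 100.0, 100.0]          # the page's example: $100M a year
WITH_LOSS_YEAR = [100.0, -20.0, 130.0]  # one loss-making year
BY_LINE = [
    {"retail_banking": 60.0, "commercial_banking": 30.0, "trading_and_sales": 10.0},
    {"retail_banking": 60.0, "commercial_banking": 30.0, "trading_and_sales": -40.0},
    {"retail_banking": -10.0, "commercial_banking": -10.0, "trading_and_sales": -10.0},
]

if __name__ == "__main__":
    print(f"BIA, steady income:    {bia_capital(STEADY):.2f}")          # 15.00
    print(f"BIA, one loss year:    {bia_capital(WITH_LOSS_YEAR):.2f}")  # 17.25
    print(f"TSA, by business line: {tsa_capital(BY_LINE):.2f}")         # 6.00
```

Note the two edge cases: dropping the loss year under BIA raises the charge from $15M to $17.25M, and under TSA the third year's negative total counts as zero but still divides by three.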
3. Advanced Measurement Approach (AMA)
Banks use their own loss data and models to calculate the charge. This is more tailored to the bank, but results varied so widely between banks that Basel III retired all three approaches and replaced them, from 2023, with a single Standardised Measurement Approach built on a bank's size and its own loss history.
Key Components:
- Internal loss data (past problems)
- External loss data (industry events)
- Scenario analysis (“what if?”)
- Business environment factors
🎯 Key Risk Indicators (KRIs)
What Are KRIs?
Key Risk Indicators are early warning signals that something might go wrong.
It’s like dashboard lights in your car:
- 🔴 Engine light = Check the engine!
- ⛽ Fuel light = Fill up soon!
- 🌡️ Temperature light = Engine overheating!
Examples of Banking KRIs
```mermaid
graph LR
    A["🎯 Key Risk Indicators"] --> B["People KRIs"]
    A --> C["Process KRIs"]
    A --> D["System KRIs"]
    B --> B1["Staff turnover %"]
    B --> B2["Training completion %"]
    C --> C1["Failed transactions"]
    C --> C2["Customer complaints"]
    D --> D1["System downtime"]
    D --> D2["Cyber incidents"]
```
Setting Up Good KRIs
| Quality | What It Means | Example |
|---|---|---|
| Measurable | Can put a number on it | “5 system outages” |
| Predictive | Warns before problems | Rising complaints → future losses |
| Comparable | Can track over time | “Up 20% from last month” |
| Actionable | Can do something about it | “Need more training” |
Real Example: A KRI Dashboard
| KRI | Threshold | Current | Status |
|---|---|---|---|
| System uptime | >99.9% | 99.5% | 🟡 |
| Failed transactions | <0.1% | 0.08% | 🟢 |
| Staff turnover | <10% | 15% | 🔴 |
| Customer complaints | <50/week | 62 | 🔴 |
| Training completion | >95% | 88% | 🟡 |
Red items need immediate attention!
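The dashboard logic, as an added Python example (constructed for this guide, not the page's own code). It parses the threshold strings exactly as they appear in the table and reproduces its colours with an assumed rule: a breach of less than 10% of the threshold is amber, anything worse is red. The previous-month values used for the trend column are also assumptions.

```python
import re

THRESHOLD_RE = re.compile(r"^\s*([<>])\s*([0-9]+(?:\.[0-9]+)?)")
AMBER_BAND = 0.10   # assumption: breach of up to 10% of the threshold = amber, beyond = red


def parse_threshold(text: str) -> tuple[str, float]:
    """Turn '>99.9%' or '<50/week' into ('>', 99.9) / ('<', 50.0).
    The unit suffix is ignored; the current value is read in the same unit."""
    m = THRESHOLD_RE.match(text)
    if not m:
        raise ValueError(f"unparseable threshold: {text!r}")
    return m.group(1), float(m.group(2))


def kri_status(threshold: str, current: float) -> str:
    """green = within threshold; amber = small breach; red = large breach."""
    direction, limit = parse_threshold(threshold)
    # How far the wrong side of the limit we are (positive = breaching).
    breach = (limit - current) if direction == ">" else (current - limit)
    if breach <= 0:
        return "green"
    return "red" if breach / limit > AMBER_BAND else "amber"


def evaluate_dashboard(rows: list[tuple[str, str, float, float]]) -> list[dict]:
    """rows = (kri, threshold, current, previous). Adds the status and the
    month-on-month change so an indicator that is still green but trending
    the wrong way is visible before it breaches."""
    out = []
    for kri, threshold, current, previous in rows:
        change = (current - previous) / previous * 100 if previous else None
        out.append({
            "kri": kri,
            "status": kri_status(threshold, current),
            "change_pct": change,
        })
    return out


# The page's dashboard, plus assumed previous-month values (constructed).
DASHBOARD = [
    ("System uptime",       ">99.9%",   99.5, 99.95),
    ("Failed transactions", "<0.1%",    0.08, 0.05),
    ("Staff turnover",      "<10%",     15.0, 11.0),
    ("Customer complaints", "<50/week", 62.0, 48.0),
    ("Training completion", ">95%",     88.0, 96.0),
]

if __name__ == "__main__":
    for row in evaluate_dashboard(DASHBOARD):
        print(f"{row['kri']:<20} {row['status']:<6} change {row['change_pct']:+.1f}%")
```

The trend column is the "Predictive" quality from the table above in practice: failed transactions are still green, but a 60% month-on-month rise is the kind of signal that should be looked at before the indicator turns red.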
🎓 Putting It All Together
The Risk Management Cycle
```mermaid
graph TD
    A["1️⃣ IDENTIFY<br>Find the risks"] --> B["2️⃣ ASSESS<br>Measure them"]
    B --> C["3️⃣ CONTROL<br>Put defenses in place"]
    C --> D["4️⃣ MONITOR<br>Watch KRIs"]
    D --> E["5️⃣ REPORT<br>Tell management"]
    E --> A
```
Quick Summary
| Risk Type | What It Is | Key Defense |
|---|---|---|
| Operational Risk | Things going wrong inside the bank | Strong controls |
| Fraud Risk | People stealing or cheating | Two-person approval |
| Cyber Risk | Computer attacks | Firewalls + training |
| Model Risk | Wrong formulas | Independent validation |
| Legal Risk | Getting sued | Legal review |
| Compliance Risk | Breaking regulations | Training + monitoring |
🌟 Key Takeaways
- Operational risk is about internal failures - people, processes, systems
- Fraud can come from inside or outside the bank
- Cyber threats are growing - banks must defend constantly
- Models are helpful but can be dangerously wrong
- Legal and compliance failures bring huge fines
- Measure risk using standardized approaches
- Watch KRIs to catch problems early
💡 Remember: A well-run bank is like a well-run kitchen. Keep it clean, watch for trouble, and always follow the recipes (procedures)!
You’ve now completed the Operational Risk Management guide. You understand how banks protect themselves from internal failures and external threats! 🎉
