Chapter 24
Managing Operational Risk in the Banking Business – An Internal Auditor Point of View

Maxime Laot

Banking Supervisor, ECB

In 1999, the Basel Committee created a sensation in the banking community by announcing its intention to include operational risks in its new regulatory capital requirements,1 along with the traditional credit and market risks. Although at that time banks were already well aware of the increase in operational risks caused by the deregulation, computerization, and growing sophistication of their activities, they initially met the bank supervisors' proposal with skepticism. On one hand, banks claimed that operational risks were an inescapable part of doing business in the financial sector, in contrast to credit and market risks, which are taken on purposely and can be hedged. On the other hand, banks argued that operational risks were difficult to identify and monitor and that large losses were often the result of events not previously recognized as risks.

Yet, faced with the growing materialization of operational risks,2 the Basel Committee persisted and, in 2006, asked banks to develop better frameworks for managing operational risks while introducing capital requirements for those risks. Though most credit institutions finally accepted and agreed with this decision, questions remained about how to measure operational risks and which risks were to be measured. Some of them will certainly remain unpredictable events against which banks can shield themselves only by building up predetermined capital buffers. But might not most operational risks be identified, measured, and controlled, and made subject to an optimal allocation of capital, just as credit and market risks are? Besides, to what extent can the internal audit function help banks secure their operational risk management system and their evaluation of the regulatory capital linked to operational risk?

The Basel Committee adopted, in 2001, a common industry definition of operational risk, different from the too broad “neither credit risk nor market risk” and the too narrow “risks arising only from operations” definitions. The first encompasses, among others, strategic, commercial, and reputational risks, which are not, properly speaking, directly linked to operational risks. The second is concerned only with incidents linked to processes such as making payments or settling securities, but does not take into account incidents related to people or external events, such as penalties for unfair dismissals, losses incurred by rogue traders, and natural disasters. The definition chosen for operational risks, namely “the risks of direct or indirect losses resulting from inadequate or failed internal processes, people and systems or from external events,” focuses on the causes of operational risks, which is appropriate, according to the Basel Committee, for “both risk management, and, ultimately, measurement.”

Bank supervisors therefore considered that operational risks could and should be measured. To do so, they offered credit institutions three methodologies for evaluating their regulatory capital, each adapted to a specific risk profile. The first and simplest is the basic indicator approach (BIA), where operational risk capital is set equal to 15% of the average gross income3 of the whole bank over the previous 3 years. The standardized approach (STA) builds on the first methodology but offers a more refined calculation of the operational risk capital: banking activities are split among eight regulatory business lines, the average gross income of each over the past 3 years is multiplied by a “beta factor” fixed by the Basel Committee, and the results are summed to determine the total capital.4 This approach requires the bank to implement, in parallel, efficient risk management and loss-collection systems. The advanced measurement approach (AMA) is based on internal models, validated by the local supervisor, that produce a probability distribution of losses from internal and external loss data and scenario analysis, with a confidence level of 99.9% over 1 year. This “value at risk” has to be estimated for each of the eight business lines combined with each of the seven categories of operational risk identified by the Basel Committee, which makes 56 combinations.5 The operational risk capital is meant to cover both expected and unexpected loss, or only the latter if a bank can prove that it already covers expected loss through its pricing policy, its reserves, or provisions. Besides, an AMA bank can reduce its operational risk capital requirements by entering into insurance contracts.
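As an added example, not from the chapter, the BIA and STA calculations described above applied to a constructed set of gross income figures, using the beta factors of Table 24.1. The treatment of years with negative gross income follows Basel II and is an assumption here, since the chapter does not spell it out.

```python
# Added example (not from the chapter): operational risk capital under the BIA
# and the STA. Beta factors are those of Table 24.1; the gross income figures
# (EUR million, three previous years) are constructed for illustration.
from typing import Dict, List

BIA_ALPHA = 0.15  # BIA: 15% of average bank-wide gross income

BETA = {  # Table 24.1
    "corporate finance": 0.18, "trading and sales": 0.18,
    "retail banking": 0.12, "commercial banking": 0.15,
    "payment and settlement": 0.18, "agency services": 0.15,
    "asset management": 0.12, "retail brokerage": 0.12,
}

GROSS_INCOME: Dict[str, List[float]] = {  # constructed; trading has a loss year
    "corporate finance": [120.0, 140.0, 100.0],
    "trading and sales": [200.0, -60.0, 180.0],
    "retail banking": [900.0, 950.0, 1000.0],
    "commercial banking": [400.0, 420.0, 380.0],
    "payment and settlement": [80.0, 85.0, 90.0],
    "agency services": [50.0, 55.0, 45.0],
    "asset management": [150.0, 160.0, 170.0],
    "retail brokerage": [100.0, 90.0, 110.0],
}

def yearly_totals(income: Dict[str, List[float]]) -> List[float]:
    """Bank-wide gross income per year, summed over business lines."""
    years = len(next(iter(income.values())))
    return [sum(v[y] for v in income.values()) for y in range(years)]

def bia_capital(income: Dict[str, List[float]]) -> float:
    """BIA: alpha times the 3-year average of bank-wide gross income.
    Years with zero or negative gross income are dropped from both the
    numerator and the denominator (Basel II rule, assumed here)."""
    positive = [t for t in yearly_totals(income) if t > 0]
    return BIA_ALPHA * sum(positive) / len(positive) if positive else 0.0

def sta_capital(income: Dict[str, List[float]]) -> float:
    """STA: per year, sum beta x gross income over the eight lines; a negative
    line may offset positive ones, but a negative yearly aggregate counts as
    zero (Basel II rule, assumed here). Then average over the three years."""
    years = len(next(iter(income.values())))
    charges = [max(sum(BETA[line] * v[y] for line, v in income.items()), 0.0)
               for y in range(years)]
    return sum(charges) / years

def capital_to_gross_income(capital: float, income: Dict[str, List[float]]) -> float:
    """Capital as a share of average gross income, the ratio quoted in the
    Basel Committee's 2008 loss data collection exercise."""
    totals = yearly_totals(income)
    return capital / (sum(totals) / len(totals))
```

On these figures the STA charge (268.8) comes out below the BIA charge (295.75), and at about 13.6% of gross income it sits inside the 12% to 18% range reported for STA banks.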

The Basel Committee designed these three approaches with capital requirements decreasing with their level of sophistication, as an incentive for banks to adopt the AMA for operational risks. In its “2008 Loss Data Collection Exercise,” carried out only 1 year after the official implementation of the Basel regulations in 2007, the Basel Committee found that, among the 119 participating credit institutions, 35% were already using the AMA, 43% the STA, and only 22% the BIA. Moreover, it reported that operational risk capital, relative to gross income, was indeed higher for non-AMA banks than for AMA banks: 15% for BIA banks, between 12% and 18% for STA banks, and only 10.8% for AMA banks.

From an internal audit perspective, the choice of the approach is crucial and determines the nature and scope of our work when controlling an operational risk function.

For instance, for a BIA bank, internal auditors have first of all to make sure that the institution has defined and effectively implemented an “operational risk policy” compliant with local regulation. In France, this is regulation “CRBF 97-02,” which covers all risk management topics for banking institutions, operational risk among others. It requires, for instance, that any fraud or loss exceeding 0.5% of core capital be reported to the regulatory authority. Besides, the risk management organization of a BIA bank has to be broadly consistent with the Principles for the Sound Management of Operational Risk published in 2003 by the Basel Committee.6 Internal auditors therefore check for the existence of a suitable risk management environment (i.e., involvement of senior management, regular and independent audit of the risk system) and for the implementation of an effective operational risk management system, which has to be presented in the BIA bank's annual reports.

The audit of the operational risk management function and of the determination of regulatory capital for STA and AMA banks is much more complicated and will be discussed in more detail below.

In its argument to convince banks to assign regulatory capital to operational risks, the Basel Committee listed more than 100 high-magnitude operational losses experienced by banks in the 1990s, each exceeding $100 million. Daiwa, Barings, and Allied Irish Bank were thus listed as having lost, respectively, $1.4 billion, $1 billion, and $700 million from fraudulent trading. Such scandals are still relevant today, with Société Générale's € 4.9 billion loss in 2008 or UBS's $2.3 billion loss in 2011, also from fraudulent trading. With these striking examples, one could fallaciously be led to believe that operational risks concern only major internal frauds and that the only way for a bank to build “robustness” against those “Black Swans” – to borrow the title of Taleb's (2007) best seller – is to build up large capital buffers. At this point, a distinction has to be made between the “unknown known” and the “unknown unknown,” or between risk and uncertainty, to refer to the famous distinction made by Knight (1921). The first concept refers to situations where the outcomes are unknown but governed by known probability distributions (e.g., high-frequency but low-magnitude losses). It differs from the second, where the outcomes are likewise unknown but governed by unknown probabilities (e.g., very low-frequency but high-magnitude losses).

In its “2008 Loss Data Collection Exercise,” the Basel Committee reported results that undermine this “Black Swan” view of operational risks. Even though high-magnitude losses remain a reality, most losses, both in number and in value, are concentrated in numerous minor risks that fall within the “unknown known” situation and thus can be modeled. Indeed, the institutions participating in this loss collection exercise submitted a total of 10.6 million internal losses with an overall loss amount of € 59.6 billion, covering a minimum of 3 years of recorded loss data prior to 2008.7 Losses of € 20,000 or more represented only 1.62% of the total number of losses but 89% of the overall loss amount, with the largest 20 losses alone accounting for € 17.6 billion, that is, 29.5% of the overall loss amount – a figure arguing for the consideration of extreme values in operational risk loss models. Moreover, a typical bank8 experienced 0.82 losses per year of € 20,000 or more per billion euros of consolidated assets, with a total loss amount of € 155,555 per billion euros of consolidated assets.9 High-magnitude losses of more than $100 million at a typical bank accounted for only 0.02% of the number of losses but represented 41.79% of its total loss amount.10

Besides, the regulatory business line – as defined by the Basel Committee – with the highest loss frequency and total loss amount in the 2008 Loss Data Collection Exercise was retail banking.11 It concentrated 55.8% of the number of losses, mostly due to external fraud, and also accounted for 32.0% of the total loss amount, mostly because of poor clients, products, and business practices and, to a much lesser extent, internal fraud. The second regulatory business line by loss amount was corporate finance, which accounted for 28% of the total loss amount, again, and to a much larger degree, because of poor clients, products, and business practices rather than internal fraud.

From an internal audit point of view, the last two paragraphs are of high importance.

First, minor operational losses, those below € 20,000, represent the majority of incidents, especially in number but also in total value. So, collecting all operational losses is a real issue. Indeed, the exhaustiveness and quality of loss databases12 are essential, on one hand, for AMA banks, which rely on them to estimate their regulatory operational capital, and, on the other hand, for STA banks, which must prove flawless on this topic if they wish to be authorized to implement the AMA methodology. Internal auditors must therefore check with great attention the processes for gathering operational incidents and recording them in loss databases, to make sure of their exhaustiveness and of the quality of the collected information.13 But prior to that, internal auditors must ensure the existence, quality, and completeness of an updated and regularly back-tested operational risk map, which helps to identify and collect losses for effective use thereafter, both for capital calculation and for risk management.14
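An added example, not from the chapter: summary checks of the kind an auditor would run over a loss database, reproducing the severity brackets of Table 24.5, the frequency per € billion of assets of Table 24.4, and the 0.5% of core capital reporting threshold quoted above for CRBF 97-02. All loss records, asset and capital figures are constructed.

```python
# Added example (not from the chapter): checks an auditor might run over an
# operational loss database, using the severity brackets of Table 24.5, the
# per-EUR-billion-of-assets frequency of Table 24.4 and the 0.5%-of-core-capital
# reporting threshold quoted for CRBF 97-02. All records and figures are constructed.
from collections import Counter
from typing import Dict, List, Tuple

# (lower bound inclusive, upper bound exclusive, label), as in Table 24.5
BRACKETS: List[Tuple[float, float, str]] = [
    (0, 20_000, "< 20k"), (20_000, 100_000, "20k-100k"),
    (100_000, 1_000_000, "100k-1M"), (1_000_000, float("inf"), ">= 1M"),
]
# (year, business line, Basel event type, gross loss in EUR): constructed records
LOSSES = [
    (2006, "retail banking", "external fraud", 1_200),
    (2006, "retail banking", "external fraud", 8_500),
    (2006, "corporate finance", "clients, products, and business practices", 2_500_000),
    (2007, "retail banking", "execution, delivery, and process management", 15_000),
    (2007, "trading and sales", "internal fraud", 450_000),
    (2007, "retail banking", "external fraud", 35_000),
    (2008, "retail banking", "clients, products, and business practices", 75_000),
    (2008, "asset management", "execution, delivery, and process management", 600),
]
YEARS = 3                          # years of loss history in the database
CONSOLIDATED_ASSETS_EUR = 40e9     # constructed balance sheet size
CORE_CAPITAL_EUR = 400e6           # constructed core capital

def bracket_of(amount: float) -> str:
    for lo, hi, label in BRACKETS:
        if lo <= amount < hi:
            return label
    raise ValueError(f"invalid loss amount {amount}")  # negative: data-quality issue

def severity_distribution(losses) -> Dict[str, Tuple[float, float]]:
    """Per bracket: (share of number of losses %, share of gross loss amount %)."""
    n, total = len(losses), sum(rec[3] for rec in losses)
    count, amount = Counter(), Counter()
    for *_, amt in losses:
        count[bracket_of(amt)] += 1
        amount[bracket_of(amt)] += amt
    return {lbl: (100 * count[lbl] / n, 100 * amount[lbl] / total) for *_, lbl in BRACKETS}

def annualized_frequency(losses, threshold: float, years: int, assets_eur: float) -> float:
    """Losses >= threshold per year per EUR billion of consolidated assets."""
    return sum(1 for *_, amt in losses if amt >= threshold) / years / (assets_eur / 1e9)

def reportable(losses, core_capital_eur: float, share: float = 0.005) -> list:
    """Losses exceeding the regulatory reporting threshold (0.5% of core capital)."""
    return [rec for rec in losses if rec[3] > share * core_capital_eur]
```

Comparing the resulting bracket shares and normalized frequency with the cross-bank medians of Tables 24.4 and 24.5 is one way to spot a database that under-collects small losses.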

Second, the prevalence of risks related to poor practices in terms of clients, products, and business in retail banking and corporate finance is meaningful. This sort of operational risk could be defined as the “unintentional or negligent failure to meet a professional obligation to clients and the use of inappropriate products or business practices.15” It covers, among other things, money laundering, insufficient advice, and abusive fees, three topics that are closely monitored by bank supervisors in the retail banking business line and that often lead to lawsuits and regulatory fines. It also covers improper trading activities and the sale of unauthorized products, two major topics central to the corporate finance business line, where the activities of the front office are strictly framed by risk mandates stating what is authorized and what is not, and setting relative and absolute limits on operations. Internal auditors must therefore concentrate their efforts on those specific topics. In the retail banking business line, they could perform tests by sampling the handling of suspected anti-money laundering cases, or review the file of customer complaints or the list of court rulings to identify any issue. In the corporate finance business line, internal auditors must ensure the existence and consistency of the risk mandates given to traders, check that limits are observed, and ensure that all products sold are actually on the list of authorized products.

As most professionals see it, operational risk management is still in its infancy, even though the Basel Committee has succeeded in establishing an effective framework to identify, measure, and manage operational risk and to allocate regulatory capital to it. This incentive has indeed made banks more aware of operational risk and led them to improve their processes and, more broadly, the way they do business. Yet, in this context as in many others, internal auditors are the safety line that makes sure the regulatory prerequisites are met, for instance in order to move from one approach to another, and that the main areas of risk are properly identified and controlled.

Further Reading

  1. Basel Committee on Banking Supervision. Consultative Document Operational Risk Supporting Document to the New Basel Capital Accord. Bank for International Settlements; 2001
  2. Basel Committee on Banking Supervision. Principles for the Sound Management of Operational Risk. Bank for International Settlements; 2011.
  3. Commission Bancaire. Le risque opérationnel, pratiques et perspectives réglementaires. Rapport de la Commission bancaire pour l'année; 2003.

References

  1. Basel Committee on Banking Supervision. Sound Practices for the Management and Supervision of Operational Risk. Bank for International Settlements; 2003.
  2. Basel Committee on Banking Supervision. Results from the 2008 Loss Data Collection Exercise for Operational Risk. Bank for International Settlements; 2009.
  3. Hull, J.C. Risk Management and Financial Institutions. 3rd ed. John Wiley & Sons, Inc.; 2012.
  4. Knight, F.H. Risk, Uncertainty and Profit. Boston, MA: Hart, Schaffner & Marx; Houghton Mifflin Co.; 1921.
  5. Taleb, N.N. The Black Swan. Random House; 2007.

Annexes

Table 24.1 Beta factors in standardized approach

| Business line | Beta factor (%) |
|---|---|
| Corporate finance | 18 |
| Trading and sales | 18 |
| Retail banking | 12 |
| Commercial banking | 15 |
| Payment and settlement | 18 |
| Agency services | 15 |
| Asset management | 12 |
| Retail brokerage | 12 |

Source: Hull (2012).

Table 24.2 Categorization of operational risks

| Operational risk | Examples |
|---|---|
| Internal fraud | Intentional misreporting of positions, employee theft, and insider trading on employee's own account |
| External fraud | Robbery, forgery, cheque kiting, and damage from computer hacking |
| Employment practices and workplace safety | Workers compensation claims, violation of employee health and safety rules, organized labor activities, discrimination claims, and general liability |
| Clients, products, and business practices | Fiduciary breaches, misuse of confidential customer information, improper trading activities on the bank's account, money laundering, and sale of unauthorized products |
| Damages to physical assets | Terrorism, vandalism, earthquakes, fires, and floods |
| Business disruption and system failures | Hardware and software failures, telecommunication problems, and utility outages |
| Execution, delivery, and process management | Data entry errors, collateral management failures, incomplete legal documentation, unapproved access given to client accounts, non-client counterparty misperformance, and vendor disputes |

Source: Basel Committee on Banking Supervision (2003).

Table 24.3 Number of internal losses and loss amount reported by the 2008 loss data collection exercise participants

| | All losses: number | All losses: amount (€M) | Losses ≥ €20,000: number | Losses ≥ €20,000: amount (€M) | Average per institution, losses ≥ €20,000: number | Average per institution, losses ≥ €20,000: amount (€M) |
|---|---|---|---|---|---|---|
| Participating institutions (119) | 10,595,318 | 59,600 | 171,882 | 53,703 | 1,444 | 451 |

Source: Basel Committee on Banking Supervision (2009).

Table 24.4 Annualized loss frequencies normalized per €billion of assets

| All participants (consolidated assets) | Annualized number of losses ≥ €0 | Annualized number of losses ≥ €20,000 | Annualized number of losses ≥ €100,000 | Annualized number of losses ≥ €1,000,000 |
|---|---|---|---|---|
| Median | 8.9 | 0.82 | 0.19 | 0.013 |
| 25th–75th percentiles | 3.2–47.1 | 0.36–1.66 | 0.07–0.33 | 0.000–0.032 |

Source: Basel Committee on Banking Supervision (2009).

Table 24.5 Cross-bank median of distribution across severity brackets

| Severity of loss | Number of losses (%) | Gross loss amount (%) |
|---|---|---|
| €0 ≤ X < €20,000 | 91.29 | 26.26 |
| €20,000 ≤ X < €100,000 | 6.52 | 12.63 |
| €100,000 ≤ X < €1 million | 1.83 | 19.37 |
| €1 million ≤ X < €2 million | 0.15 | 5.48 |
| €2 million ≤ X < €5 million | 0.12 | 9.05 |
| €5 million ≤ X < €10 million | 0.04 | 6.87 |
| €10 million ≤ X < €100 million | 0.04 | 15.55 |
| €100 million ≤ X | 0.02 | 41.79 |

Note: the percentages represent medians.

Source: Basel Committee on Banking Supervision (2009).

Table 24.6 Sum and distribution of annualized loss frequencies and amounts by operational risk

| Operational risk | Annualized loss frequencies (%) | Annualized loss amount (%) |
|---|---|---|
| Internal fraud | 4 | 6 |
| External fraud | 26 | 8 |
| Employment practices and workplace safety | 18 | 6 |
| Clients, products, and business practices | 18 | 52 |
| Damage to physical assets | 1 | 1 |
| Business disruption and system failures | 2 | 1 |
| Execution, delivery, and process management | 31 | 25 |
| All | 100 | 100 |

Source: Basel Committee on Banking Supervision (2009).

Table 24.7 Sum and distribution of annualized loss frequencies and amounts by business line

| Business line | Annualized loss frequencies (%) | Annualized loss amount (%) |
|---|---|---|
| Corporate finance | 0.7 | 28.0 |
| Trading and sales | 9.6 | 13.6 |
| Retail banking | 55.8 | 32.0 |
| Commercial banking | 8.2 | 7.6 |
| Payment and settlement | 2.2 | 2.6 |
| Agency services | 2.7 | 2.7 |
| Asset management | 2.2 | 2.5 |
| Retail brokerage | 10.3 | 5.1 |
| Unallocated | 8.3 | 6.0 |
| All | 100.0 | 100.0 |

Source: Basel Committee on Banking Supervision (2009).
