CHAPTER 8
External Loss Data

In this chapter, we consider the use of external loss data in the operational risk framework. In addition to the events that have occurred within a firm, the operational risk department will look at those that have occurred outside the firm. These events can offer valuable insight into the operational risks faced at the firm, and may also provide input into any operational risk capital calculation. External data is also a required element in an Advanced Measurement Approach (AMA) capital calculation and in the new Standardized Approach. The use of external data in capital calculations is considered further in Chapter 12.

EXTERNAL OPERATIONAL RISK EVENT DATA

External events are useful in many areas of the firm's operational risk framework. They can help inform the risk and control self-assessment activities, they can provide sample input for scenario analysis, and they might be used to develop key risk indicators that monitor the changing business environment.

The role of external data in the operational risk framework is illustrated in Figure 8.1.

External events are often of real interest to senior management, as major news headlines are often associated with operational risk. External data is therefore a key element in the development of a strong operational risk culture and a firm-wide awareness of the importance of effective operational risk management. When events occur in the industry among peers and competitors, it helps to underscore the importance of effective operational risk management and mitigation.

An example of an operational risk event that had a huge impact on the discipline was the $7 billion unauthorized trading scandal at Société Générale in 2006, which is discussed later in this chapter. This was an internal loss data event for Société Générale, but for the rest of the industry it was a very large external event that underscored the size of losses that can be experienced as a result of operational risk. This event is often considered a watershed moment in the development of the operational risk discipline.

FIGURE 8.1 The Role of External Loss Data in the Operational Risk Framework

Despite the lessons learned from that event, the industry saw another huge unauthorized trading event at UBS in 2011. This led financial firms to revisit what they had learned from Société Générale just five years earlier and to reassess the way that they respond to large external events to ensure that the lessons have truly been learned. It took large events for the financial services sector to embrace the necessary controls to prevent large unauthorized trading losses. The UBS event is discussed in more depth in Chapter 18.

Chapter 18 considers several more recent operational risk case studies. Each of those cases offers important external data points for the firms that were not involved (and painful internal loss data points for those that were).

SOURCES OF EXTERNAL LOSS EVENT DATA

There are many good online sources of operational risk event data in the form of news articles, journals, and e-mail update services. Some operational risk system vendors also have external databases that they make available on a subscription basis. For example, SAS offers an external database to its technology users, and IBM offers a subscription service called IBM FIRST Risk Case Studies® [1]. There are also member consortiums of operational risk losses such as The Operational Riskdata eXchange Association (ORX), which is discussed further in the next section.

External events are a valuable source of operational risk information on an individual event basis and also as a benchmarking tool. Comparing internal loss patterns to external loss patterns can provide insight into whether the losses in a firm reflect the usual losses in their industry.

Subscription Databases

These databases include descriptions and analyses of operational risk events that are gleaned from legal and regulatory sources and from news articles. They provide helpful data to assist with mapping the events to the appropriate business lines, risk categories, and causes. The mission of these external databases is to collect tail losses and so to provide examples of potential large exposures.

The data also provide insight into the types of events that have occurred in the industry, but that a firm may not yet have experienced itself.

Consortium Data

In addition to subscription-based external data services, there are consortium-based operational risk event services that provide central data repositories and benchmarking services to their members. ORX provides such a service to its 81 members.

ORX gathers operational risk event data from its banking members and produces benchmarking information. It applies quality assurance standards around the receipt and delivery of data to promote members' anonymity and to provide consistency in definitions.

Unlike news-based subscription services, which rely on public sources of data, ORX data does not suffer from availability bias. Instead, all operational risk events that occur in the member institutions are provided anonymously to the database.

However, the ORX data relate only to a subset of financial services, those member banks that provide data to ORX.

ORX publishes reports that summarize the data. Table 8.1 is derived from ORX data and illustrates the number of losses and the amount of losses in euros for each business line and each risk category for the period of 2015–2020.

TABLE 8.1 Number and Amount of Losses (in Euros) by Business Line and Risk Category between 2015 and 2020

ORX uses slightly different business lines than the Basel business line categories, as they split out Retail Banking into two groups: Retail Banking and Private Banking. They also rename Payment and Settlement as Clearing and capture Corporate Items in a separate category. Also, instead of Damage to Physical Assets (DPA) and Business Disruptions and System Failure (BDSF) risk types, they use Disasters and Public Safety (DPS) and Technology and Infrastructure Failure (TIF) when categorizing losses.

To date, ORX has gathered more than 800,000 events that have cost their consortium members over €500 billion. The cost of operational risk is abundantly clear. This table shows that ORX business line data is dominated by Retail Banking events, both in size of losses and frequency of events.

To further understand the relative impact to the different businesses and from the different risk categories, it is helpful to take another look at this data in percentage format, as shown in Table 8.2.

From Table 8.2 we can see that over 61 percent of the total number of events is generated in the Retail Banking business area and most of those are in the External Fraud category.

Retail Banking also has a large share of the total costs of events, with over 36 percent of the total losses. Trading and Sales has more than 24 percent of losses, and Commercial Banking and Corporate Items follow, with about 14 percent and 13 percent, respectively.

It is clear that External Fraud and Execution, Delivery, and Process Management produce the greatest number of events, between them accounting for more than 60 percent of the number of events and 40 percent of the total costs.

Clients, Products, and Business Practices accounts for a little under 21 percent of the events but carries more than 45 percent of the total loss amount. This demonstrates that for the member banks of ORX, Clients, Products, and Business Practices events tend to be larger events. It is for this reason that many firms carefully investigate this category in scenario analysis to attempt to identify potential “fat-tail” events—that is, events that are infrequent but very large.

The data can also be used to visually represent the relative levels of operational risk in each business line, as shown in Figure 8.2.

Figure 8.2 clearly illustrates the relatively high levels of operational risk that exist today in the Retail Banking sector.

CHALLENGES OF EXTERNAL DATA

Many operational risk functions use ORX or IBM FIRST or other provider data and then supplement these data with their own research by subscribing to online news feeds and relevant industry journals.

However, these data must be used with caution. There are several challenges with external data.

First, if the external data are gathered from news sources, then they are subject to a bias in reporting. Only events that are interesting to the press are reported in the press, resulting in a bias in favor of illegal and dramatic events over errors. For example, a large fraud will receive intensive coverage, while a major systems outage might not make it into any press report. It is also unlikely that a major gain will make the press in the same way that a major loss would, although the same lessons could be learned in both cases.

TABLE 8.2 The Percentage Contribution to Number of Events and Amount of Losses by Business Line and Risk Category between 2015 and 2020


FIGURE 8.2 Dollar Value Losses between 2015 and 2020, by Risk Category for All Business Lines

Second, it can be difficult to determine whether an event is relevant. The fact that a firm has the same business line does not mean it could have the same event occur, as it may have a different product or a stronger (or weaker) control environment. Indeed, many external events might be ignored simply because they “could not happen here” for one or many reasons. The best use of external data is not to use it to try to spot an exact event that should be avoided, but rather to determine the types of errors and control failings that can occur so as to avoid similar (rather than identical) losses.

An external event may have direct relevance regardless of the exact details. For example, the Société Générale event (which is considered in detail later) led to many firms overhauling their fraud controls, regardless of whether they had any traders working on the exact same desks as Société Générale's Jérôme Kerviel.

Third, the use of benchmarked data relies on the quality of the underlying data, and there may be a chance that the comparisons made are not accurate due to a different interpretation of the underlying definitions.

However, if all of these challenges are acknowledged, then external data have a very valuable role to play in operational risk management. They provide insight into lessons that can be learned prior to an event occurring at the firm. They demonstrate that the size of an event may be beyond the initial estimation made by the firm. They provide context and highlight trends in the industry.

Internal and external operational risk events provide a rich source of data on what has already gone wrong. It is possible to use these data to implement mitigating controls to prevent future repetitions of the same events. Moreover, operational risk event data provide a valuable input into the other elements of the operational risk framework that will be designed to predict potential events that have not yet occurred.

Loss data provide useful examples for risk and control self-assessment and scenario analysis discussions and analysis, as well as key risk indicators (KRIs) that can indicate trends of losses and control weaknesses.

Société Générale and the External Event That Shook the Operational Risk World

This event was originally reported in IBM FIRST Risk Case Studies as follows:

In what the Wall Street Journal (1/24/2008) called a “singular feat in the world of finance” Societe Generale announced a €4.9 billion (USD $7.2 billion) loss on January 24, 2008, arising from the misdeeds of a single rogue trader. The bank characterized the largest rogue trading event to date as involving “elaborate fictitious transactions” that allowed Jerome Kerviel to circumvent its internal controls. The trades involved the arbitrage of “plain vanilla” stock-index futures. Mr. Kerviel had previously worked in a back office function and learned how to circumvent the bank's systems. Although he was initially characterized by the governor of the Bank of France as a “computer genius” later he was described as an unexceptional employee who worked very hard to conceal unauthorized trading positions, which SocGen estimated to have a value of €50 billion ($73.26 billion). The French Finance Ministry said that Kerviel's rogue trading started in 2005; he was allegedly given a warning at the time concerning trading above prescribed limits. In addition to the €4.9 billion trading loss, the French Banking Commission levied a €4 million fine against Societe Generale on July 4, 2008, bringing the total loss amount to €4,904,000,000. On October 5, 2010, a court in Paris sentenced Mr. Kerviel to three years' imprisonment, plus a two year suspended sentence and ordered him to repay €4.9 billion ($6.7 billion) to his employer. [2]

On October 24, 2012, a French appeals court upheld Kerviel's fraud conviction and lifetime trading ban.

This external event galvanized the operational risk world, as it clearly demonstrated the dangers that exist in unmitigated operational risk. In 2008, many firms were still engaged in developing their early operational risk frameworks and were often focused on first-run delivery of new reporting, new loss data tools, and new adaptations to their RCSA and scenario analysis programs. The regulatory requirements were paramount in many programs, with the business benefits being developed as rapidly as possible, but sometimes lagging behind the urgent regulatory pressures.

However, when the news hit of Kerviel's audacious activities and their multibillion-dollar impact on his firm, many heads of operational risk found themselves in front of their executive management being asked the urgent question: “Could that happen here?”

This was a classic large operational risk event in that it resulted from numerous control failings. Kerviel's job was to make arbitrage trades that would result in small gains, but he began taking unauthorized “directional” positions starting in 2005, and these grew in size until he was discovered in January 2008.

Reports on the events suggest that Kerviel may have been more motivated by a sense of pride than an attempt to defraud the firm. His unauthorized activities did not result in secret transfers into his bank account; they resulted in huge positions at the bank.

At one point, Kerviel's activities allegedly resulted in gains for the firm that have been estimated to have been as high as €1 billion in 2007. It has been suggested that he realized that these gains were too large to explain, and so he pursued a strategy to reduce them. That strategy, it is alleged, resulted in losses of €1.5 billion by February 2008. The adverse market conditions that existed when Société Générale discovered the unauthorized trading and unwound the positions resulted in the loss growing to €4.9 billion.

This is an extreme example of how an operational risk event can be exacerbated by a market risk event.

IBM FIRST Risk Case Studies provides an in-depth prose analysis of the event based on extensive press reviews. The highlights of the many contributing factors that are alleged can be summarized as follows:

  1. Kerviel engaged in extensive unauthorized activities in order to demonstrate his prowess as a trader rather than to defraud the bank.
  2. He was insufficiently supervised and at times had no supervisor at all.
  3. He had worked in the middle and back offices prior to becoming a trader and used his knowledge of those controls to ensure that his activities were not detected.
  4. He gained password access to back office systems that allowed him to manipulate data and approve his own trades.

It is alleged that many red flags were raised but were ignored or were dismissed as unimportant.

The head of the Bank of France, Christian Noyer, said that Mr. Kerviel managed to breach “five levels of controls.” The controls were identified in the earlier Mission Green report [3] and included cancelled or modified transactions; transactions with deferred dates; technical (internal) counterparties; nominal (non-netted exposures) and intra-month cash flows. In addition, the second and more detailed Mission Green report [4] identified a host of supervisory lapses, organizational gaps, and warning signs that were never heeded. [5]

It is alleged that there were numerous other red flags that were not heeded, including:

  1. Kerviel requested an unusually high bonus due to his above-market returns.
  2. He frequently breached limits, and despite being reprimanded for this in the past, was able to continue to do so.
  3. Concerns were raised by EUREX regarding his trading volume but were dropped after a response from Kerviel satisfied their concerns.
  4. At least 75 compliance alerts were raised but were dismissed when Kerviel supplied minimal, and sometimes forged, documentation to explain his unusual activity.
  5. Kerviel never took his vacation time, allowing him to be on-site to continue to maintain and conceal his unauthorized activities.
  6. The bank had to rely on manual processing due to inadequate technology to support the increasing volumes in the market.
  7. Net cash flows were monitored, whereas monitoring of nominal flows might have revealed the unauthorized activity.
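
The contrast in item 7 between net and nominal monitoring, together with the self-approved trades, cancelled or modified transactions, and internal counterparties noted above, can be shown as a small blotter review. This is an added example, not code or data from IBM FIRST, ORX, or the Mission Green reports; the trade records, the limit, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    trade_id: str
    trader: str
    approver: str
    counterparty: str   # "INTERNAL" marks a technical (internal) counterparty
    nominal_meur: int   # signed nominal in EUR millions (+ long, - short)
    status: str         # "live", "modified" or "cancelled"


# Constructed blotter for illustration only (not real trade data).
TRADES = [
    Trade("A1", "trader_1", "super_1", "BROKER-A", 900, "live"),
    Trade("A2", "trader_1", "trader_1", "INTERNAL", -880, "live"),
    Trade("A3", "trader_1", "trader_1", "INTERNAL", 50, "cancelled"),
    Trade("A4", "trader_1", "super_1", "BROKER-B", -40, "modified"),
    Trade("B1", "trader_2", "super_2", "BROKER-A", 60, "live"),
    Trade("B2", "trader_2", "super_2", "BROKER-B", -30, "live"),
    Trade("B3", "trader_2", "super_2", "BROKER-A", 20, "live"),
    Trade("B4", "trader_2", "super_2", "BROKER-B", -10, "live"),
]


def review_blotter(trades, limit_meur, max_changed_ratio=0.25,
                   max_internal_share=0.4):
    """Return per-trader net and gross nominal plus any control flags."""
    stats = defaultdict(lambda: dict(net=0, gross=0, internal=0,
                                     booked=0, changed=0, self_approved=0))
    for t in trades:
        s = stats[t.trader]
        s["booked"] += 1
        s["changed"] += t.status in ("cancelled", "modified")
        s["self_approved"] += t.approver == t.trader
        if t.status == "cancelled":
            continue  # no exposure, but still counted in the ratios above
        s["net"] += t.nominal_meur
        s["gross"] += abs(t.nominal_meur)
        if t.counterparty == "INTERNAL":
            s["internal"] += abs(t.nominal_meur)

    report = {}
    for trader, s in stats.items():
        flags = []
        # A net-only limit check passes here; the gross (nominal) check does not.
        if abs(s["net"]) <= limit_meur < s["gross"]:
            flags.append("gross_nominal_over_limit_while_net_within")
        if s["self_approved"]:
            flags.append("self_approved_trades")
        if s["changed"] / s["booked"] > max_changed_ratio:
            flags.append("high_cancel_modify_ratio")
        if s["gross"] and s["internal"] / s["gross"] > max_internal_share:
            flags.append("internal_counterparty_concentration")
        report[trader] = {"net": s["net"], "gross": s["gross"], "flags": flags}
    return report


if __name__ == "__main__":
    for trader, row in review_blotter(TRADES, limit_meur=125).items():
        print(trader, row)
```

On the constructed data, trader_1 sits comfortably inside a net limit while carrying gross nominal many times that limit, which is the gap that net-only monitoring leaves open.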

IBM FIRST Risk Case Studies categorized this event as shown in Table 8.3.

TABLE 8.3 Classification in IBM FIRST Risk Case Studies

Entity Type: Financial Services/Banking/Commercial/Full-Service Bank
Business Unit Type: Trading and Sales (BIS)/Trading
Service/Product Offering Type: Derivatives, structured products, and commodities/derivative products/futures and options/equity index futures
Contributory/Control Factors: Corporate Governance/General Corporate Governance Issues, Corporate/Market Conditions/Corporate and Market Conditions, Employee Action/Inaction/Employee Misdeeds, Employee Action/Inaction/Employee Omissions, Lack of Control/Failure to Question Above-Market Returns, Lack of Control/Failure to Reconcile Daily Cash Flows, Lack of Control/Failure to Test for Data Accuracy, Lack of Control/Lack of Internal Controls, Lack of Control/Lax Security, Lack of Control/Rules, Regulations, and Compliance Issues, Management Action/Inaction/Lack Management Escalation Process, Management Action/Inaction/Undertook Excessive Risks, Omissions/Failure to Set or Enforce Proper Limits, Omissions/Failure to Supervise Employees, Omissions/Inadequate Due Diligence Efforts, Omissions/Omissions and Lapses, Organizational Structure/Inadequate Organizational Structures, Organizational Structure/Organizational Gap(s), Strategy Flaw/Inadequate Technology Planning Process, Organizational Structure/Organizational Structure—General, Lack of Control/Lack of Internal Controls—General, Management Action/Inaction/Undertook Excessive Risks, Omissions/Omissions—General
Loss Impact: Direct Loss/Regulatory/Compliance/Taxation Penalty (BIS)/Fines/Penalties, Direct Loss/Write-Down (BIS)/Write-Downs, Indirect Loss/Management Remediation, Indirect Loss/Ratings Agency Downgrade/Ratings Watch, Indirect Loss/Related Market Risk Losses, Indirect Loss/Reputational (Nonmonetary), Indirect Loss/Share Price
Loss Detection Sources: Whistle Blowing/Employee Originated
Market Focus: Institutional Services
Event Trigger: People Risk Class/Trading Misdeeds/Unauthorized Trading/Activity above Limits/Unauthorized Trading—Proprietary Accounts
Basel Levels I and II: Internal Fraud/Unauthorized Activity/Trans type unauthorized (w/monetary loss)
Basel Business Line: Investment Banking/Trading and Sales/Proprietary Positions

ORX also provides a news service, and they categorized this event as shown in Figure 8.3.

The industry responded to this event with energy. Operational risk teams met with senior management, as executive teams and boards asked whether such an event could happen at their firm. Perhaps for the first time, the possible size of an operational risk event was fully appreciated, and the operational risk function had an opportunity to demonstrate its relevance and importance.

FIGURE 8.3 ORX Classification of the Société Générale Event

Fraud risk assessments were conducted in many firms, and numerous control improvements were implemented. Mandatory vacation policies were written and enforced. Passwords were disabled for employees who had moved to new roles. Supervisory oversight was reviewed.

Industry forums were held as operational risk managers compared notes on how best to minimize the risk that such an event could happen in the industry again. As an external data point, the event galvanized many aspects of operational risk frameworks across the industry and also paved the way for how to respond to future serious events.

Work plans were drawn up to evaluate the current state of the controls that had failed at Société Générale and to kick off work to remediate any control gaps that might be uncovered. RCSAs and scenario analysis were updated in the unauthorized trading aspects of internal fraud. Working groups were formed, board packs prepared, and external event tracking was enhanced. As IBM FIRST Risk Cases notes in its longer description of the event:

The AFP press agency reported (October 8, 2010) that Société Générale's own efforts to enhance its internal controls in the wake of the event were estimated to have cost the bank at least 150 million euros over a three-year period.

The Société Générale event shocked the financial services industry, and turned the spotlight on to operational risk. However, only three years later another startlingly similar event occurred at UBS, and since the financial crisis, we have seen several very large events occur; these incidents are discussed in the case studies in Chapter 18.

KEY POINTS

  • Loss events that have occurred outside the firm can provide valuable insight into potential catastrophic events, as well as opportunities to benchmark internal data against the industry.
  • Subscription databases use legal, regulatory, and press reports of events to provide analysis and categorization of operational risk events.
  • Consortium databases collect data from members and share trends and benchmarking information with members.
  • The methods of collection can produce biases in data that must be considered when analyzing external sources of data.

REVIEW QUESTION

  1. Which of the following statements best describes the value of using external database sources?
    1. Consortium data provide a full data set for a bank to use for benchmarking.
    2. Subscription data sources provide a full data set for a bank to use for benchmarking.
    3. A combination of subscription and consortium data provides a full data set for a bank to use for benchmarking.
    4. Consortium and subscription data provide helpful information on external loss data trends that can help inform a bank's operational risk framework.

NOTES

  1. IBM FIRST Risk Case Studies. Property of IBM. 5725-H59 © Copyright IBM Corp. and others 1992, 2021, IBM, the IBM logo, ibm.com.
  2. Excerpted and reproduced with permission of IBM FIRST Risk Case Studies (see note 1).
  3. Investigatory report published on February 20, 2008, by Société Générale.
  4. Investigatory report published in May 2008 by Société Générale.
  5. IBM FIRST Risk Case Report.