Islamic Finance (The Regulatory Challenge) || Measuring Operational Risk


Upload: rifaat-ahmed-abdel

Post on 15-Dec-2016


CHAPTER 11 Measuring Operational Risk

Elisabeth Jackson-Moore

1. INTRODUCTION

Up until very recently, operational risk was felt to be inherent in all banking operations but impossible to quantify, difficult to measure even qualitatively, and so subjective in its management and control. The decision by the Basel Committee to include a capital allocation for operational risk in its New Capital Accord (November 2005), generally known as Basel II, focused minds. Over the last five years, especially, banks around the world have begun to collect data on operational losses and to develop systems based on this, and external data, to allow them to model the occurrence and severity of losses and to use these models to estimate their economic capital requirement.[1] Interestingly, though, in a recent survey carried out by the Risk Management Association, the main reasons given for investing in operational risk were to improve performance, reduce operational losses, increase accountability and improve governance, and protect against the loss of reputation. Meeting Basel II regulatory requirements was of least importance. Prompted by the Basel Committee, banks have become aware of the importance of measuring, managing, and controlling their operational losses.

In January 2006 the Islamic Financial Services Board (IFSB) issued its first two standards on risk management in Islamic financial institutions and capital adequacy for Islamic financial institutions. Operational risk, its management, and its use in calculating risk-based capital form part of these standards.


Islamic Finance: The Regulatory Challenge
Edited by Simon Archer and Rifaat Ahmed Abdel Karim

Copyright © 2007 John Wiley & Sons (Asia) Pte. Ltd.


The IFSB Standard No. 1 covers guiding principles for risk management in institutions offering Islamic financial services. While referring to the definition of operational risk used by the Basel Committee – namely, the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events – it also highlights additional operational risks faced by Islamic financial institutions. These it defines as the risks relating to Shari’ah compliance and those associated with the institutions’ fiduciary responsibilities toward different fund providers.

The IFSB Standard No. 2 covers capital adequacy for institutions offering Islamic financial services. It states that the measurement of capital to cater for operational risk may be based on either the Basic Indicator Approach or the Standardized Approach as set out in Basel II. Under the Basic Indicator Approach, a fixed percentage of 15% of annual average gross income, averaged over the previous three years, is set aside. Under the Standardized Approach, this percentage varies, according to the line of business (LOB), from 12% to 18%, being 18% for corporate finance, trading and sales, and payment and settlement, 15% for commercial banking and agency services, and 12% for retail banking, asset management, and retail brokerage. As the LOBs into which institutions offering Islamic financial services (IIFS) are organized are different from the above, the IFSB proposed that, at the present stage, the Basic Indicator Approach be used by IIFS, which requires the setting aside of a fixed percentage of average annual gross income over the previous three years. However, subject to the supervisory authority defining the applicable business lines, the supervisory authority may allow IIFS in its jurisdiction to apply the Standardized Approach in which a percentage (12%, 15%, or 18%) of gross income is to be set aside according to the business lines.

The intention of the Basel Committee in framing its proposals is that banks should be encouraged to move, over time, to the more sophisticated measures, leading ultimately to the Advanced Management Approach (AMA), providing that certain requirements are met. In theory, the capital needed by those banks that can show greater sensitivity to the risks, and which have adopted more refined measurement systems and practices, should be less.

While the IFSB focused on two additional areas of operational risk for Islamic institutions, operational risk more generally is intuitively an important consideration for Islamic banks. Some of the issues have been raised in earlier chapters, but are worth repeating here:

• Islamic banking began in the form we see today as recently as the mid-1970s; as a result, the systems, processes, and products are all relatively recent developments and have not yet reached the mature position where the major problems and risks have been identified and eliminated.

• Islamic (that is, Shari’ah-compliant) products are mainly contract-based and so intrinsically more vulnerable to documentation error and legal risk.

• Islamic products also tend to be more complex than their conventional counterparts, requiring more processing steps and hence leaving more room for error.[2]

• Islamic banks typically hold more physical assets on their balance sheets than conventional banks and are exposed to operational risks associated with these.

• Computer software used by IIFS is inherently less robust than the well-tested and proven packages developed for conventional banks. These packages are inappropriate for many of the operations of Islamic institutions.

• There is a shortage of skilled bankers who are also versed in Islamic Shari’ah, leading to increased "people" risks.

• There are risks, as identified by the IFSB, in Shari’ah compliance and also arising from the nature of investment accounts and other funding sources. These are not risks found in conventional institutions.

• There are still further risks, in all these areas, as a result of the rapid growth in Islamic finance over the last few years that can strain resources.

• Insurance has been a significant mitigant of operational losses for conventional banks; it is not clear to what extent Islamic banks have been able to employ this practice given the relatively low use and scope of Islamic insurance (takaful) at present. (Many Islamic banks may use conventional insurance in the absence of other suitable products.)

It is, of course, true that most Islamic banks do not have the risks associated with the more complex derivative products and trading activities that are a significant feature of the most sophisticated conventional banks today, and it is these products and operations that have generally given rise to the most significant, catastrophic, loss events (from Barings to Allfirst).


At present, there is no data to suggest that the greater risks we see arising as a consequence of the operations of Islamic banks actually lead to more operational losses than seen in their conventional counterparts. It may be that the lack of traded product complexity more than compensates for other risks. However, as a result of the many, somewhat unique, operational risks, there is an especial need for IIFS to identify, measure, monitor, and control their operational risks, and for supervisors to take account of them in setting the parameters for capital adequacy purposes.

2. BASEL COMMITTEE – LOSS DATA COLLECTION EXERCISE

As the Basel Committee has been refining its proposals for a revised capital adequacy regime it has been collecting data from financial institutions, through a series of quantitative impact surveys, in order to marry their risk-based capital adequacy proposals with the actual risk experience of banks. In 2001, as part of the second survey (QIS2-Tranche 1), banks were asked to provide information on capital allocation for operational risks. A second exercise (QIS2-Tranche 2) focused on information about individual loss events. In 2002, the Risk Management Group of the Basel Committee launched a further survey named the Operational Risk Loss Data Collection Exercise (LDCE). The results of the LDCE confirmed that the industry had made progress in its operational risk data collection efforts. While there was evidence of clustering around certain business lines and event types, perhaps the most striking feature was the large variation in the number of events reported, partly attributed to gaps in data collection. For the 89 participating banks the number of individual loss events ranged from just one event to more than 2,000. Forty-nine banks reported 200 or fewer loss events, while eight banks reported over 1,000 individual loss events. Results of the exercise have been presented in various ways, generally tabulated by line of business and event type.[3] Overall conclusions show that most loss events occurred in retail banking, with over 61% of reported incidents; however, these losses only accounted for 29% of monetary losses, very similar to the level reported for commercial banking. Most events related to external fraud (42%), although this was followed by execution, delivery, and process management (35%) with this latter event-group topping the list in monetary terms (29%) followed by damage to physical assets (24%).[4]

Of the 89 banks participating in the 2002 LDCE, 60 provided information on their economic capital calculation. Of these 60 banks, 47 provided information on economic capital for operational risk, which on average was 15% of the total economic capital. However, the ratio varied considerably across banks, with the minimum amount being 0.09% and the maximum 41%. Many of the banks provided information by business line, and here retail banking stood out with a mean value of over 45%. The report points out, though, that the apparent concentration in retail banking probably reflects business focus as much as the inherent degree of operational risk in retail banking activities. Further, differences in the definition of economic capital and in calculation methodologies could make the data submissions not fully comparable and therefore contribute to non-risk-related differences across business lines.

This average value of 15% has been adopted for the Basic Indicator Approach, despite the fact that this will be only a very rough approximation of the appropriate level for many banks. (The first consultative paper suggested 20%, while the second revised this number down to 12%.) Under the final proposals, capital equal to 15% of annual gross income averaged over three years should be set aside for operational risk. As banks improve their measurement techniques, it is likely that further revisions will be made to the percentage. This is also true for the percentages proposed under the Standardized Approach. The 18% level is set for LOBs that account for the highest severity of loss, but the percentages of 18%, 15%, and 12% are still very crude buckets at this stage in the development of operational risk measurement and management.

Because the percentages proposed are still so arbitrary, even though the LOBs may not seem entirely appropriate for Islamic institutions, it could be that an appropriate mapping exists and would be an improvement over the flat rate of 15%. However, if the amount of capital required for operational risk is ever to be more than an arbitrary number for Islamic institutions, priority must be given to measuring operational risk and recording loss data. Preferably this should be done on a global basis for all Islamic finance institutions to common standards, as it seems likely that only by such aggregation can realistic conclusions be drawn.


3. TOOLS USED TO IDENTIFY AND MEASURE OPERATIONAL RISKS

Partly as a result of the focus given to operational risk by Basel II, many consultancy firms have developed various methodologies for identifying and measuring operational risk in banking institutions and the largest banks have been using their own, and external resources, to tune their systems. For many it has been the first time that any attempt has been made either to collect data or to identify risk areas, or at least to formalize the structure. At this point, no one method has become the preferred method and most banks are using combinations of techniques to hone their systems. This disparity in approach is probably one of the reasons behind the varied responses to the LDCE.

Key to the success of any approach is ensuring that there is "buy-in" to it throughout the organization, from board members to staff in all business units. Top management must develop a culture that encourages full cooperation by everyone, so ensuring the integrity of the systems and processes that are established. There are a number of ways in which the organizational structure can be set up; much will depend on the size of the institution and the existing risk management framework. However, operational risk experts will be needed for any successful implementation, and it has often been found helpful to assign responsibility for operational risk to someone in each business unit, with accountability resting with the head of the business unit.

Several surveys have been carried out to ascertain the latest trends in operational risk management.[5] The results show that most of the institutions surveyed have adopted some form of self-assessment technique. These can take many forms and, although time-consuming, can easily be applied by institutions of all shapes and sizes. In general, they are used in a bottom-up approach, focusing on business areas, with managers and staff in these areas identifying potential risks and often scaling these risks. Some still regard these techniques as too subjective, and in many banks the process is still a manual one, even though software is readily available to assist in the implementation. Risks can be classed in a simple way by likelihood of occurrence and by likely severity of loss. These classifications can then be mapped against the institution’s risk tolerance with the aim of bringing down those risks that lie outside these tolerance levels by changing processes, systems, and/or people.

Key risk indicators (KRIs) are being used increasingly by many institutions, often as a top-down method of identifying trouble spots in the organization. The approach tries to use both qualitative and quantitative factors in a predictive rather than a causal way. Indicators can be identified at the LOB level. They can include such measures as transaction volumes, portfolio size, staff numbers, and IT budgets. Some banks are collecting hundreds of potential indicators. These factors are tracked over time and regressed against loss data. This becomes an iterative process, with the variables being modified over time so that the indicators provide some early warning of potential losses. Many consultants offer services in this area; in addition, others, such as the Risk Management Association, have been active in pooling information provided by member institutions who are able to share experiences.[6]

Key to any methodology, however, is the data collection process. Most banks are still at an early stage in developing this. Banks are still learning what information is required about each incident in order to use it in the most constructive way. Some of the questions asked are:

• What cut-off should be employed?

• What causal data are needed?

• What to do when there is overlap with credit or market risk?

• Should "near miss" incidents be recorded – indeed, how to define a "near miss"?

• Are indirect losses also monitored?

• What about incidents that in fact lead to direct or indirect gains?

While there are no right or wrong answers to these questions, it is clear that banks need to institute an incident management mechanism, rather than a simple data collection process.

While it is unlikely that most Islamic institutions will be in a position to model their loss data in a way that would qualify for the Advanced Measurement Approach as described in Basel II for some time, it is important that the information collected should be capable of being used in such a model in the future. One of the main problems facing the "modelers" today is not how to treat the low-impact/high-frequency events for which several normal-related distributions are appropriate, but rather how to model the high-impact/low-frequency ones. At present, extreme value theory (EVT) is being tested, but it seems unlikely that this will have high predictive power for the types of events that cause most concern – the fraudulent managers, reckless lenders, and rogue – or even careless – traders.


4. EXTERNAL DATA

Reference was made earlier to the need for Islamic institutions to come together and pool information on operational risks in order to arrive at a body of data that is sufficiently robust to allow meaningful scale factors to be applied to the calculation of the capital requirement for LOBs. The need for a larger pool of data is not limited to Islamic institutions, and some regulators are collecting national data, as are some bank associations. In addition, there are a number of vendors who have collected loss information from publicly available sources.[7] This data poses certain challenges, as not all losses are publicly disclosed. It seems likely that the probability of a loss being publicly reported will increase as the amount of the loss increases, although there will be significant variation across countries depending on the size and importance of the banking system in that country. However, while banks will hope to have no more than a handful of high-impact events, these databases will gather many more and so can provide useful information on the important "tail" in the loss distribution. These external databases have focused on losses in the United States, Europe, and Japan, and so have relatively few entries that relate to Islamic institutions. Indeed, a fairly recent search only produced references to losses incurred in the aftermath of the collapse of Bank of Credit and Commerce International (BCCI).

5. CONCLUSIONS

Operational risk is now recognized for what it is: an area that can lead to significant losses in all financial institutions, but one that can be measured and managed in an increasingly sophisticated and meaningful way. While the various techniques being applied in banks today are still in their early stages of development, significant progress has been made over the last five years.

It is never too early for a bank to start collecting data, and there can be significant advantages in pooling information and using common definitions, standards, and methodologies. While no one approach can provide all the answers, some of the simpler methods, although requiring a commitment in staff time at the business unit level, can produce useful insights into processes, people, and systems that can lead to improvements in all areas that can reduce the losses likely to be faced as a result of operational risks.


ANNEX 1

Mapping of business lines as set out in Basel II

| Level 1 | Level 2 | Activity groups |
|---|---|---|
| Corporate Finance | Corporate Finance; Municipal/Government Finance; Merchant Banking; Advisory Services | Mergers and acquisitions, Underwriting, Privatizations, Securitization, Research, Debt (Government, High-yield), Equity, Syndications, IPO, Secondary Private Placements |
| Trading and Sales | Sales; Market Making; Proprietary Positions; Treasury | Fixed Income, Equity, Foreign Exchanges, Commodities, Credit, Funding, Own Position Securities, Lending and Repos, Brokerage, Debt, Prime Brokerage |
| Retail Banking | Retail Banking | Retail Lending and Deposits, Banking Services, Trust and Estates |
| Retail Banking | Private Banking | Private Lending and Deposits, Banking Services, Trust and Estates, Investment Advice |
| Retail Banking | Card Services | Merchant/Commercial/Corporate Cards, Private Label and Retail |
| Commercial Banking | Commercial Banking | Project Finance, Real Estate, Export Finance, Trade Finance, Factoring, Leasing, Lends, Guarantees, Bills of Exchange |
| Payment and Settlement | External Clients | Payments and Collections, Funds Transfer, Clearing and Settlement |
| Agency Services | Custody | Escrow, Depository Receipts, Securities Lending (Customers), Corporate Actions |
| Agency Services | Corporate Agency | Issuer and Paying Agents |
| Agency Services | Corporate Trust | |
| Asset Management | Discretionary Fund Management | Pooled, Segregated, Retail, Institutional, Closed, Open, Private Equity |
| Asset Management | Non-discretionary Fund Management | Pooled, Segregated, Retail, Institutional, Closed, Open |
| Retail Brokerage | Retail Brokerage | Execution and Full Service |


Event types: Levels 1 and 2

| Event type: Level 1 | Event type: Level 2 |
|---|---|
| Internal Fraud | Unauthorized activity; Theft and fraud |
| External Fraud | Theft and fraud; Systems security |
| Employment Practices and Workplace Practices | Employee relations; Safe environment; Diversity and discrimination |
| Clients, Products, and Business Practices | Suitability, disclosure, and fiduciary; Improper business or market practices; Product flaws; Selection, sponsorship, and exposure; Advisory activity |
| Damage to Physical Assets | Disasters and other events |
| Business Disruption and System Failures | Systems |
| Execution, Delivery, and Process Management | Transaction capture, execution, and maintenance; Monitoring and reporting; Customer intake and documentation; Customer/client account management; Trade counterparties; Vendors and suppliers |

ENDNOTES

1. See, for example, Deutsche Bank’s annual report for 2005 where 18.5% of their economic capital is to cover operational risk.

2. For instance, see the personal finance example given in McKinsey’s World Islamic Banking Competitiveness Report 2005–2006 contrasting goods murabahah and a cash loan.

3. See Annex 1 for a description of levels 1 and 2 descriptors of LOBs and event types.

4. See The 2002 Loss Data Collection Exercise for Operational Risk: Summary of the Data Collected, published by the Bank for International Settlements in March 2003, for further details.

5. See, for example: Operational Risk Management & Basel II Implementation: Survey Results, Fitch Ratings, August 2004; Emerging Trends in Operational Risk within the Financial Services Industry, Raft International; Emerging Best Practices for Operational Risk Management at European Banks, Moody’s Investors Service, October 2004.

6. The Risk Management Association set up KRI Services in January 2005. It provides subscribers with access to a KRI Library and KRI Benchmarking Services. It has established a number of Working Groups around the world and also organizes conferences on the issue.

7. See, for instance, the OpVantage database (a division of Fitch Ratings) or OpRisk Global Data, owned by the SAS Institute.