Fixing operational risk capital: Five challenges for modelling operational risk


By Michael Grimwade, Head of Operational Risk Management, International, MUFG Securities.

About the Author

Michael Grimwade has worked in Operational Risk management for over 20 years. He is Head of Operational Risk Management for MUFG’s international securities businesses, and until recently he was a Board member of the Institute of Operational Risk. In 2014, he received an award from the IOR for his “Contribution to the discipline of Operational Risk Management” and in 2016 RiskBooks published his book entitled “Managing Operational Risk: New Insights & Lessons Learnt”.

Disclaimer: The content of this article reflects his personal views rather than those of MUFG.


Whilst Operational Risk capital models are more than 20 years old[1], the Basel Committee’s new proposals will remove their use for calculating Pillar 1 capital. They may still be used, however, for Pillar 2 capital. In this article, Michael Grimwade highlights five underlying challenges that Operational Risk presents to both regulatory and economic capital models, and which are only now becoming more fully understood in the aftermath of the Financial Crisis. Understanding and addressing these challenges is a prerequisite for “Fixing Op Risk capital”.


1. Beyond 1 in 1,000 years does not mean “never”

Losses close to or beyond the 99.9th percentile, whilst really improbable, are not impossible. This is problematic because Loss Distribution Approach (LDA) models primarily use historical internal loss data to model frequency and severity distributions separately for different categories of Operational Risk. The unprecedented spike in Operational Risk losses that occurred in the aftermath of the Financial Crisis therefore, not surprisingly, led to large increases in the Operational Risk capital requirements of AMA firms using LDA models. This impact can be observed for one universal bank by comparing its economic Operational Risk capital for 2006, which it calculated using a model that it believed was “consistent” with Basel II, with its AMA capital requirement in 2016:

  • 2006: Economic capital of $5.7 billion. In the preceding decade the Firm had suffered 8 losses >$0.1 billion that were in the public domain. The ratio of capital : largest loss is ~2x; whilst
  • 2016: AMA Pillar 1 capital of $32 billion. The Firm had suffered a further 32 losses >$0.1 billion that are in the public domain. The ratio of capital : largest loss ($13 billion) remains quite consistent at ~2½x (see Figure 1).

Figure 1: Illustration of a loss distribution overlaid on a Firm’s large losses (>$0.1bn) from 1997 to 2006 and also 2007 to 2016 and their capital requirements.

This illustrates how this universal bank’s Operational Risk capital has increased 6-fold as a result of inputting more and larger Operational Risk losses into the model. From the outside, the model seems to have operated quite consistently across this period, i.e. the relationship between capital and the largest loss suffered remains quite consistent. Consequently, a key challenge for firms and regulators alike is how to model objectively very large losses (e.g. $13 billion), which may already be very extreme, and avoid calculating capital in excess of the 99.9th percentile.
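A simplified LDA calculation, as an added example (not the author's or any bank's model): it fits one lognormal severity and one Poisson frequency to constructed large-loss lists that mirror only the counts quoted above (8 losses, then a further 32 with a largest of 13), and shows how the simulated 99.9th percentile reacts to the extra history. The individual loss amounts, the choice of distributions, the single risk category and the absence of any correction for the $0.1bn reporting threshold are assumptions.

```python
import math
import random
import statistics

# Constructed large losses in $bn (all above the 0.1 threshold); not real data.
EARLY = [0.12, 0.15, 0.2, 0.3, 0.45, 0.7, 1.2, 2.8]            # 8 losses, first decade
LATER = [0.11, 0.12, 0.13, 0.15, 0.15, 0.18, 0.2, 0.2, 0.22, 0.25, 0.3,
         0.3, 0.35, 0.4, 0.45, 0.5, 0.55, 0.6, 0.7, 0.8, 0.9, 1.0, 1.2,
         1.5, 1.8, 2.2, 2.7, 3.5, 4.5, 6.0, 8.5, 13.0]         # 32 further losses


def fit_lognormal(losses):
    """Severity fit: mean and standard deviation of the log-losses."""
    logs = [math.log(x) for x in losses]
    return statistics.mean(logs), statistics.pstdev(logs)


def poisson(rng, lam):
    """Knuth's sampler for the annual loss count; fine for small lam."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def lda_capital(losses, years, n_sims=100_000, seed=1):
    """99.9th percentile of the simulated annual aggregate loss ($bn)."""
    mu, sigma = fit_lognormal(losses)
    lam = len(losses) / years                 # average large losses per year
    rng = random.Random(seed)
    totals = sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
        for _ in range(n_sims)
    )
    return totals[int(0.999 * n_sims)]


if __name__ == "__main__":
    before = lda_capital(EARLY, years=10)
    after = lda_capital(EARLY + LATER, years=20)
    print(f"capital on first decade: {before:.1f}bn")
    print(f"capital on both decades: {after:.1f}bn ({after / before:.1f}x)")
```

Because the fit sees only the history it is given, the simulated percentile moves with the sample rather than with any independent view of what a 1 in 1,000 year loss looks like.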

2. Operational Risk losses are sensitive to economic cycles

In the late 1990s, when Basel II was being formulated, large Operational Risk losses generally appeared to be random events[2], but looking over the last quarter of a century it is possible to see that there have been a number of spikes in losses associated with economic shocks[3], e.g. the unexpected increases in US dollar interest rates in 1994; the bursting of the bubble in 2001 / 02; and most notably the Global Financial Crisis (see Figure 2). The importance of this sensitivity to economic shocks is now becoming more fully appreciated after the most recent crisis.

Figure 2: Analysis of losses > $0.1bn for 30 G-SIBs + 1 former G-SIB from 1989 to Q3 2017 [4].

Analysing the nature of these large losses reveals the contribution of Credit Risk (and to a much lesser extent Market Risk) to these events, i.e. just over 50% of the value of these Operational Risk losses is driven by Credit Risk. For example, the underlying losses that led to the multi-billion US dollar MBS settlements were credit defaults on residential mortgages.

So, given that Operational Risk seems to behave rather like Credit Risk, i.e. most of the time losses occur randomly, punctuated by large spikes coinciding with economic shocks, this raises the question of how historical Operational Risk losses should be split between Pillar 1 and Pillar 2B capital.

3. After an economic shock losses come in waves

By analysing the losses suffered after the Financial Crisis by a sample of 13 large banks (a subset of the 31 firms used in Figure 2, which generally disclosed their annual litigation charges), it is possible to see that losses from different risk types came in sequential and overlapping waves, i.e.:

  • 2008: Market Risk losses peak, as measured by negative trading revenues;
  • 2009: Credit Risk losses peak, as measured by impairment charges; and
  • 2013: Operational Risk losses peak, as measured by litigation charges / regulatory settlements.[5]

Figure 3: Profile of trading losses (Market Risk), impairments (Credit Risk) and litigation charges / regulatory settlements (Operational Risk) for 13 banks.

This pattern in losses (see Figure 3) is consistent with the earlier analysis that showed a relationship between some Operational Risk losses and Credit Risk, and to a lesser extent Market Risk. An explanation for this is that when firms behave inappropriately by mis-selling or misrepresenting investment products or hedges, they essentially grant their customers and investors a “Real Option” – the right to claim redress if they suffer a loss. Hence, these Real Options can be triggered by economic shocks that cause investors and customers to suffer losses, and consequently they then sue their banks, due to their misconduct, effectively turning their own Market and Credit Risk losses into Operational Risk losses for their banks.

As a consequence, when conducting stress testing, firms need to be able to model both the sensitivity of Operational Risk to economic shocks, and hence to Market and Credit Risks, and also the differing timescales over which these losses crystallise.

4. Tomorrow’s losses are often driven by yesterday’s controls

Analysing the loss events used in Figure 2 highlights that, whilst some Operational Risk events can be sudden, generally there are long lags between discovery and settlement (see Figure 4). As Operational Risk is very diverse, these lags can vary for different categories of risks, i.e.:

  1. Most categories of Operational Risks crystallise almost immediately, upon discovery e.g. internal & external fraud, systems’ failures and processing errors (coloured BLUE in the graph below); followed by
  2. Idiosyncratic CP&BP losses have average lags of ~3 years between discovery and settlement e.g. AML fines, market / benchmark manipulation and PPI (GREEN); and finally
  3. Cyclical CP&BP losses that are linked to economic shocks e.g. MBS litigation and the mis-sale of swaps (RED) – these reveal the longest lags.

Figure 4: Historical lags between discovery & settlement for losses >$0.1bn for 31 banks.  

This illustrates how some of the largest losses that firms may suffer in the future may well be driven by the culture and control frameworks of their firms (or firms that they have acquired) over the previous decade. So regulatory and economic capital models need to reflect both how:

  • Current controls may make firms vulnerable to risks that crystallise suddenly, such as cyber and terrorist attacks and fat-fingered typing; and also how
  • Past control frameworks may make them vulnerable to claims of historical mis-sale, for example, of derivatives, insurance products and investments.

The other consequence of these long lags is that often, when a legal or regulatory settlement is finally reached, the firm’s P&L is unaffected, as it has already fully provided for the loss over the course of the preceding years.

5. Dynamic, with the emergence of new threats

Maybe as a result of its diversity, Operational Risk seems uniquely dynamic, with the emergence of new threats. These threats should not be considered in isolation; they are interconnected in complex ways which may reinforce their impacts by creating feedback loops (see Figure 5). These emerging threats will also crystallise in differing periods, and they are a mixture of the transient (e.g. any dislocation caused by Brexit) and the permanent, such as the rise of cyber-crime.


Figure 5: The interrelationships of different emerging threats and trends [6].

So a firm’s capital planning should ideally reflect the quantum of these emerging threats; how they translate into Operational Risks; the existence of correlations and feedback loops and the timescales over which they will crystallise.


Reviewing the financial statements since 2008 of a sample of AMA banks (a further subset of the 13 firms used in Figure 3, i.e. four TSA firms have been excluded) demonstrates the significance of Operational Risk in terms of both losses and Pillar 1 capital requirements (see Figure 6), i.e. it represents ~20% of both large losses (>$0.1bn) and RWAs.

Figure 6: Analysis of losses and RWAs for 9 AMA banks since 2008

The ongoing debate about Operational Risk capital reflects both its growing significance and also the challenges of implementing regulatory and economic capital modelling methodologies which are comparable, risk sensitive and simple for such a diverse and complex risk, which is:

  1. Capable of leading to the occurrence of extremely large and improbable loss events;
  2. Generally idiosyncratic over time but is also clearly sensitive to economic shocks;
  3. Often linked to Market and Credit Risk and this, combined with the length of regulatory and legal processes, can lead to considerable lags in Operational Risk losses crystallising;
  4. Driven by either historical or current cultures and control frameworks, depending on the specific nature of particular Operational Risks, e.g. historical misconduct claims vs zero-day cyber-attacks; and
  5. Dynamic, with the emergence of a complex range of interconnected new threats.


[1] Probably the first Operational Risk capital model was developed by Bankers Trust in 1996.
[2] Although with some industry-wide patterns e.g. breaches of AML / sanctions (“Modelling operational risk capital: the inconvenient truth”, Patrick McConnell, Journal of Operational Risk).
[3] Other researchers have also made this observation e.g. “Cluster model relies on op risk ‘storms’”,, 1st May, 2017.
[4] The data has been sourced from the IBM Algo FIRST dataset. The losses are attributed to the year of discovery rather than settlement. It represents ~900 years of loss data.
[5] Most banks did not disclose the total value of their Operational Risk losses consistently over this period, however, these 13 banks did generally disclose their annual charges for litigation, which includes compensation payments and regulatory settlements. These charges are a major component of the industry’s total Operational Risk losses.
[6] Source “Managing Operational Risk: New Insights & Lessons Learnt” by M Grimwade and published by RiskBooks. Five of these groups reflect the World Economic Forum’s (2014) high-level risk categories i.e.: political change, societal change, new technology, macroeconomics and environmental change.