The fi rst step to make people willing to invest money and effort in internal control
systems is to increase managers’ awareness of operational risk and its sources and poten-
tial consequences. Even for a small bank that adopts a simpler approach for operational
risk capital requirements, a clear map of operational risk sources can be extremely useful,
since major problems often derive from potential risks that had been entirely neglected.
A second objective is to support top managers’ decisions by providing a clearer picture
of the real pro tability of different businesses. Such a picture would be partial and some-
times misleading if it were based on market and credit risk alone. Existing empirical
studies suggest that operational loss severity may differ across business lines, even if they
are unable to confi rm the statistical signifi cance of these differences due to limited data
and the issues deriving from potential reporting bias (de Fontnouvelle et al. 2003; de
Fontnouvelle, Rosengren, and Jordan 2004). At a lower hierarchical level, understanding
the impact of existing products on operational risk could also help business unit managers
create a more careful product pricing strategy (Anders and van der Brink 2004). Finally,
operational risk measurement can support decisions concerning risk mitigation through
insurance in those cases where it can be used effectively (e.g., losses from external
5.3 Quantifying Operational Risk: Building
the Data Sources
While the general aim of operational risk management is not primarily to measure opera-
tional risk but to reduce and control it by anticipating potential causes of operational
events and improving a bank’s systems and processes whenever possible and convenient,
quantifi cation of operational risk is clearly important. We consider here the case of a bank
willing to quantify economic capital for operational risk and also willing to exploit this
effort in order to comply with the AMA requirements. As a consequence, the bank
may sometimes consider deviating partially from Basel II prescriptions while in any case
being able to calculate an operational risk capital that might be compliant with AMA
The fi rst issue to consider is clearly the construction of the data set to feed quantita-
tive models. As described earlier, the main sets of data that can (and according to Basel
II should) be used in conjunction are:
An internal loss database
External loss databases
Scenario analysis
Factors refl ecting the business environment and internal control systems
The fi rst two datasets are objective but backward looking, since they focus only on
losses that had already occurred in the bank or elsewhere. The other two are forward
looking in nature. The Basel Committee (2006a, §676) stresses that in an AMA frame-
work, “in addition to using loss data, whether actual or scenario-based, a bank’s fi rm-
wide risk assessment methodology must capture key business environment and internal
control factors that can change its operational risk profi le.” This is typically performed
by de ning key risk indicators (KRIs) for each process and business unit, as the conse-
quence of an operational risk–mapping process aimed at identifying and anticipating
potential risk sources. Since risk mapping may also represent a relevant starting point

Get Value at Risk and Bank Capital Management now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.