Operational Risk Management In Banking Activity

A multitude of factors can create operational risks, and the financial losses that can result are significant. The appearance of various prudential regulations for appropriate operational risk management, in a short period of time, contributed to the inclusion of this risk as one of the most significant risks in the banking sector. This paper presents the operational risk elements, the steps in the process of risk management, and the causes of operational risks. In a case study of a Romanian bank, prudential regulations in the field of operational risks and methods for calculating the minimum capital needed for operational risks are presented and highlighted. Crisis simulations are viewed as an integrated part of operational risk management. An overview of the evolution of the minimum operational risk capital requirement calculated in the Romanian banking system for the period 2008-2018 was carried out in parallel with the evolution of the operational risk’s minimum capital requirement calculated in the European banking sector. This study concludes that the basic indicator method is primarily used for the estimation of the minimum capital requirement for operational risks in 2018. However, a steady increase in the percentage of the standardized approach used and the percentage of the use of the advanced measurement approach was observed during the period studied.

supervisory authorities for the development of prudential regulations and for the instruments used in the process of supervision and continuous evaluation of banks.
It is well known that any activity carried out by a credit institution involves the occurrence of risks, especially the operational risk. The operational risk events can be generated in all bank processes and operations, and all the assets and activities of a bank are, in one way or another, the subject of operational risks.
The financial losses caused by the materialization of the operational risk events and the weakening of the financial stability of the credit institutions have drawn an increased attention to this risk, both from the point of view of banks, and from the point of view of the supervisory authorities.
This paper presents the component elements of operational risks, the stages in operational risk management, along with the causes of this risk. The most important prudential regulations in the field and the calculation methods for the minimum capital requirement for operational risks are presented and materialized in a case study conducted by the author for a bank in Romania. Crisis simulations for operational risks can influence the analysis of the capital planning process, a fact highlighted by another case study conducted by the author. The article continues with the presentation of an analysis of the evolution of the minimum capital requirement for the operational risk calculated in the Romanian banking system, from 2008 to 2018.

Component elements of operational risks and their management
Operational risk is the risk of loss resulting either from the use of inadequate processes, persons or internal systems that have not fulfilled their function properly, or from external events, as defined by the Basel Committee. Neifar and Jarboui (2017) mentioned that, considering the major technological progress in banking activities, globalization and deregulation, operational risks are one of the most important banking risks.
All possible sources of risk generation can be divided into 4 broad categories: human actions, inadequate functioning of software and hardware systems, inadequate functioning of internal processes, and external events.
Among the components of operational risks are legal risks, model risks, information technology risks and uncontrollable risks. There is also an important link between operational risks and other risks, such as strategic risks and reputational risks.
The legal risk can be generated by both internal and external factors. The main factors that generate this risk are the improper application or non-application of the legal and contractual provisions by the employees, the non-correlation of the internal regulations with the legislative changes in the field, internal fraud, legal actions formulated by clients, employees, creditors or by the bank, as well as external fraud.
Information technology risk is the most important component of operational risks. The computer system not only represents the network of computers and telecommunications, but also includes all electronic computing, printing, display devices, systems and protocols for communications, security, storage units, and all associated data and activities (computers, servers, network environments, telephones, faxes, printers, programs and data for creating, recording, processing, storing, receiving, displaying, and transmitting information in an electronic format).
Model risk can materialize when decisions are based mainly on the results of internal models, the loss being caused by errors in the development, implementation or use of these models.
Uncontrollable risk is a risk whose occurrence the institution has no possibility of preventing. External events such as natural disasters, terrorist actions or vandalism are included in this category. For this category of risks, a bank must create business continuity and disaster recovery plans, which should include stipulations related mainly to the definition of crisis situations, the crisis management model, roles and responsibilities, the system of business continuity management, critical activities and recovery times of activities at the level of organizational structures, communication strategy in crisis situation, business continuity plan testing, plan testing and test performance.
Like any risk, the operational risk must be evaluated from 3 points of view: from the perspective of the causes that can materialize it, from the perspective of the events and from the perspective of the impact. Also, according to Lu (2013), operational risk management involves the following steps: risk identification, risk analysis, risk mitigation and risk monitoring.

Stages in the Operational Risk Management Process
A number of factors relate directly to the definition and identification of operational risks, such as: development of banking technologies and practices, increasingly frequent use of automated technologies (decreasing the risk of manual processing error, while increasing the risk of the informational system by using electronic trading systems), risk of internal and external fraud, the involvement of a large number of personnel in complex activities that require a higher training, but also a higher concentration on the current activities, the mobility of the regulatory framework and the need to adapt quickly to its requirements.
The principles of an operational risk management policy must take into account:

i) Identification of sources of risk, ii) Assessment of potential losses, iii) Monitoring, iv) Managing exposures to operational risks, as shown in Figure 1.
Each product or service offered by the bank, any technical system and any processing flow used must be evaluated in terms of operational risks. Once the sources of the materialization of the risk have been identified, the credit institution must evaluate the degree of exposure to the operational risks, thus deciding the acceptable level of risk. This degree of exposure is evaluated taking into account both the volume and the complexity of the processes and operations carried out by the bank. Also, at this stage of the evaluation, the degree of sensitivity of the information systems is considered in order to establish the maximum acceptable duration of remediation of the deficiencies or the duration of failure of these systems, so that the productivity of the institution won't be affected or limited.
Operational risk monitoring is a continuous process that must be carried out both at the level of each flow or each operation (for the rapid detection of deficiencies that can lead to the occurrence of the risk and their correction), as well as at the level of the entire bank. This stage also involves establishing key operational risk indicators (Figure 2) and limits for them, with the purpose of identifying risk exposures before these risks turn into losses. Keeping risk under control or mitigating it implies, among other things, that if certain risks cannot be managed or controlled, the credit institution can decide whether to accept them or to diminish or cease the activity that generates such risks, these risks being transferred to the category of uncontrollable risks.

Fig. 2: Key Operational Risk indicators (author's creation)
Banking practices involve the management/control of the operational risk according to the frequency of the events that can generate the risk and according to their severity, as shown in the table below:

Contributory factors and causes of operational risks
The concept of operational risks is a general one that encompasses a number of other important risks. This risk is not only generated by the current operations of a bank. The main categories of factors and causes of operational risks are divided into nine categories, as follows: quality of employees, quantity of employees, internal communication, customer, model errors, external or caused by third parties, providers, IT systems and equipment and utilities. Chernobai et al. (2020) show that the magnitude and the frequency of operational risk events increased significantly with bank complexity.
To illustrate, a number of contributing factors and causes of operational risks are presented in the boxes below (Figure 3 a, b, c).
The multitude of factors generating the operational risk led to the creation of subdivisions of this risk. These sub-divisions include the risk of internal fraud, the risk of external fraud, the risk generated by employment and safety practices, the risk of damage to tangible assets, the risk associated with customers, products and business practices, the risk of business interruption and improper operation of systems and the risk generated by the execution, delivery and process management.

Prudential regulations in the field of operational risks
The diversification of the transaction types and the increase of their volume, the innovation in the financial field, as well as the territorial extension and, implicitly, the need for personnel in the banking system created the premises for increasing the probability of materializing the operational risk. Thus, the prudential regulations of the banking activity, with emphasis on maintaining an appropriate capital adequacy, have undergone a continuous evolution according to the economic-financial events that have manifested worldwide. Barakat and Hussainey (2013) mentioned that the determinants of the quality of risk reporting in banks must explicitly consider how the governance, regulation and supervision of the bank interact in this context. In this regard, in 2004, the Basel Committee published the Basel II Agreement (its full version being published in July 2006), whose main contribution is the introduction of the minimum capital requirements for credit risk, market risk and operational risk, in contrast to the Basel I Agreement, which took only the credit risk into account when assessing the adequacy of capital. This is the moment when the operational risk became the third most important risk in the banking activity.
The Basel II Agreement is built on 3 pillars, (1) minimum capital requirements, (2) prudential supervision process and (3) market discipline, thus creating a close connection between them.

Methods for calculating the minimum capital requirement for operational risks
The minimum capital requirement for the operational risk of a credit institution must be optimally calculated so that it plays a protective role and allows a rapid absorption of potential losses.
The provisions of the Agreement propose three approaches for calculating the minimum capital requirements for operational risks: basic indicator approach, standardized approach and advanced measurement approach.
In case of using the Basic Indicator Approach (BIA), the credit institutions will determine the capital requirement by applying a percentage of 15% to the gross average income of the last three years. The relevant indicator is calculated as the sum of the following items, extracted from the profit and loss account: a) Interest income and similar income, including those related to fixed income securities; b) Interest expenses and assimilated expenses; c) Income from shares and other securities with variable incomes; d) Income from commissions; e) Commissions expenses; f) Net profit or loss from financial operations; g) Other operating incomes.
In the case of the Standardized Approach (SA), the operations of the banks will be divided by types of activities, to which the percentages established by the Committee apply (12%, 15% and 18% According to Basel Committee, this new approach must be implemented by January 1, 2022 and is applicable to all banks operating internationally; however, supervisory institutions can apply this approach also to local credit institutions. If they opt for the Advanced Measurement Approach (AMA), banks may use internal risk assessment systems, which require validation from supervisory authorities.

Fig. 5: The degree of sensitivity and complexity of the models (author's creation)
The figure above (Figure 5) illustrates the degree of sensitivity and complexity of the models. Thus, it can be stated that the use of a more complex method can more accurately quantify the operational risk impact on the bank's activity, and the minimum capital requirement can be calculated with greater accuracy.

Case Study
To illustrate that the use of a more complex method can more accurately quantify the impact of operational risks on the bank's activity, and the minimum capital requirement can be calculated with greater accuracy, the case of one of the Top 5 banks in the Romanian banking system will be analyzed.
According to the Transparency Report for the year 2018, published on the website of the credit institution, the minimum capital requirement for the operational risk amounted to 588,487 thousand lei, this value resulting from the use of the AMA. Thus, it can be concluded that a bank offering a wide range of products and services for clients, with multiple categories of activities, must pay greater attention to the accuracy of calculations of the minimum capital requirement, by creating internal models to include both internal and external data, macroeconomic evolutions, business environment and control factors.

Crisis Simulations - Early Warning Tools
On the line of prudential supervision, based on the legislation and regulations in force, the National Bank of Romania continuously evaluates the risk profile and the viability of credit institutions. This assessment is done by identifying the risks to which credit institutions are exposed or can be exposed, by monitoring the key indicators, analyzing the business model and evaluating the internal governance and the control system.
Regulation of the National Bank of Romania no. 5/2013 devotes an entire section to operational risks, drawing clear and well-defined lines on the aspects of this risk. Thus, the Regulation stipulates the obligation of credit institutions to properly carry out crisis simulations for operational risks and to consider the extent to which crisis scenarios for operational risks influence the analysis of the capital planning process. Also, credit institutions are required to carry out assessments at the level of historical and hypothetical, but plausible, operational risk events, whose probability of occurrence is low, but which cause a major negative impact.
Crisis simulations for operational risks are performed based on the evaluation of Operational Risk Events (ORE). In this regard, starting from the database of operational risk events, respectively from the results of the annual risk self-assessment process, the bank analyzes the impact of recording some losses from open operational risk events (including legal risks, information technology risks, model risks and uncontrollable risks). The bank, thus, considers the extent to which the crisis scenarios for the operational risk and the global exposure of the bank to the operational risk can impact the profitability of the bank.
The crisis simulations should be performed according to the nature, extent and complexity of the bank's activity, as well as according to its risk profile.
Depending on the frequency of occurrence of operational risk events and their degree of severity, credit institutions may simulate changes such as: increasing financial losses from labor disputes, increasing financial losses from interruptions of information systems, increasing losses caused by natural disasters, increasing the losses caused by external events (vandalism, for example) or increasing the losses caused by the use of inappropriate models.
Performing regular crisis simulations may warn the credit institution of weaknesses that may affect its profitability, solvency or compliance with the regulatory framework, and the bank's management structure may provide recommendations for remedial measures or actions, where appropriate.

Case Study
Crisis simulations for operational risks can influence the analysis of the capital planning process as shown from the data in the table below (due to confidentiality clauses, the name of the bank will not be disclosed):
For the period 2012-2018, the relevant data for the operational risk events of a bank are presented: the gross financial impact, the recoveries, the realized financial impact, the non-materialized loss related to the closed events and the potential loss related to the calculation year.
For the operational risk events opened in 2018, the bank constituted a provision amounting to 1,072,572 lei (100% of the amount in dispute). The initial estimated loss chances are 80%.
The stress scenario considers 3 hypotheses: a 25% increase in the estimated loss chances, a 35% increase in the estimated loss chances and a 50% increase in the estimated loss chances. In addition, for each hypothesis, the bank performs simulations by increasing the value of the potential loss by 25%, 35% and 50%, respectively. The results obtained are as follows:

Analysis on the minimum capital requirement for the operational risk calculated in the Romanian banking system
For this study, the annual data on operational risks published by the National Bank of Romania was used, based on which the evolution of the minimum capital requirement for operational risk in the period 2008-2018 was analyzed. Moreover, the evolution of the minimum capital requirement for operational risk in the European banking sector, from 2015 to 2019, was also analyzed using annual data from the European Central Bank.
Analyzing the Romanian banking system (Figure 6), between 2008 and 2018, most of the credit institutions used the Basic Indicator Approach (BIA) regarding the calculation of the minimum capital requirement for operational risks, while the other two approaches were used on a very small scale. It can be seen that since 2009, the share of the Standardized Approach (SA) utilization has increased considerably (from 3.03% to 12.5%), and, starting from 2011 up to 2017, the Standardized Approach (SA) and the Advanced Measurement Approach (AMA) had relatively equal weights, at values between 9.09% and 10.71%. Banks have understood the importance of proper operational risk management, thus developing advanced internal models.

Fig. 7: Distribution of credit institutions by approach - European Banking Sector, author's creation (data source: European Central Bank)
Even though in 2008, approximately 93% of the total minimum capital requirement for operational risks at the level of the Romanian banking system was calculated using the BIA, the increasing share of the capital calculated using the AMA may be due to the fact that the active banks on the Romanian market, which are subsidiaries of international institutions, are using the internal models elaborated at the level of the Group they belong to. Thus, in 2017, the capital requirement calculated with the aid of AMA represented about 39% of the total capital requirement for operational risks (Figure 8).

Fig. 8: Share of own funds requirement on Operational Risks depending on the approach - Romania, author's creation (Data source: National Bank of Romania)
From the same point of view, at the level of the European banking sector (Figure 9), the decrease of the share of the minimum capital requirement for the operational risk calculated using the BIA (from 8.27% in 2015 to 5.23% in 2018) in the total minimum capital requirement for the operational risk was also observed during the analyzed period. Thus, in 2018, 55.24% of the minimum capital requirement for operational risks was calculated using AMA (versus 34.23% in Romania) and 39.53% was calculated using SA (versus 3.85% in Romania).
The awareness of the financial impact that the materialization of operational risk events can have on the stability of both the bank and the banking system in Romania is equivalent to the interest for capital adequacy to the operational risk, translated by increasing the share of the capital demand for this risk in the total minimum requirements of capital, as can be seen below in Figure 10.

Fig. 10: Share of own funds requirements for Operational Risks in Total own funds requirements - Romania, author's creation (Data source: National Bank of Romania)
At the same time, in the process of supervision, the National Bank of Romania periodically evaluates the capital adequacy to risks for all credit institutions and issues warnings and, when appropriate, sanctions for cases where the level of capital was not correlated with the significant risks the banks are exposed to. In this regard, during requirement for operational risks are noted in the total minimum capital requirement, as can be seen in Figure 11. Thus, in 2018, the minimum capital requirement for operational risks in the European banking sector accounted for 10.54% of the total minimum capital requirement, compared to the Romanian banking system, where the share was 14.01%.

Fig. 11: Share of own funds requirements for Operational Risks in Total own funds requirements - European banking Sector, author's creation (Data source: European Central Bank)
The multitude of factors contributing to the production of the operational risk, and the measures that can be applied along the lines of managing this risk, are directed to several areas.
A first measure can be represented by the improvement of the process of identifying and collecting the operational risk events in order to report them in an efficient and standardized way, along with the revision of the operational risk indicators and the limits established for them.
From the human resources aspect, all banking institutions must pay attention to increasing the visibility and the degree of awareness of the operational risk at the level of the whole bank through courses dedicated to the persons responsible for its management/reporting and testing of all employees to establish the level of assimilation of the knowledge regarding the operational risk.
In the regulations area, banks must review the internal policies and regulations so that they are constantly aligned with the new requirements of the competent supervisory authorities.
Also, the constant updating/development and testing of disaster recovery plans and ensuring the continuity of the activity must be among the priorities of the banks.
The operational risk management and measurement system must also be constantly reviewed, in accordance with the regulatory requirements, not only with the evolutions of the financial-banking system and of the macroeconomic environment, but also with the development of the credit institution's own activity. Moreover, each new product or service that the institution wants to promote must have, in its analysis, the operational risk component.

Conclusions
The global financial crisis of the past decade contributed to increasing the awareness of the banking institutions regarding the importance of good risk management.
The multitude of factors that can generate the risk, and the financial losses that it can bring to a credit institution, have led to the introduction of the operational risk (and its sub-categories) in the category of the three most important risks in the banking activity, alongside the credit risk and market risk.
In the last 15 years, numerous regulations for operational risk management have been elaborated, the most important of these being the Basel II Agreement, whereby credit institutions are obligated to calculate the minimum capital requirements for operational risks, using 3 calculation methods, proposed within the same agreement: Basic Indicator Approach (BIA), Standardized Approach (SA) and Advanced Measurement Approach (AMA). The calculation methodology is different for all the 3 methods. The Basic Indicator Approach (BIA) is preferable to be used by the local credit institutions, whose activity is not very complex and whose portfolio of products and services is not sophisticated. The Standardized Approach (SA) assumes that the bank's operations are broken down by types of activities. In order to be able to use the standardized approach, banks must have adequate operational risk management systems that meet the minimum criteria imposed in Basel requirements, which makes this method more suitable for a medium-sized bank. The Advanced Measurement Approach (AMA) is the most complex method of calculating the minimum capital requirement for operational risks and involves the elaboration of internal models, being used, generally, by internationally active banks, which are part of a group of financial institutions.
Maria-Alexandra CRISTEA, Journal of Eastern Europe Research in Business and Economics, DOI: 10.5171/2021.969612
In the Romanian banking system, in 2018, the Basic Indicator Approach (BIA) is used mainly for the calculation of the minimum capital requirement for operational risks. However, during the analyzed period, the constant increase of the share of using the Standardized Approach (SA), as well as of the share of using the Advanced Measurement Approach (AMA), was observed.
The establishment of the minimum capital requirements is not sufficient for managing the operational risk. Banks use early warning tools, namely, crisis simulations. Regularly performing crisis simulations can warn the credit institution about weaknesses that may affect its profitability, solvency or compliance with the regulatory framework, and the bank's management may provide recommendations for remedial measures or actions where appropriate.
The efficient management of the operational risk must also consider the application of measures for the most important factors that can generate operational risk events: improving the process of identifying and collecting the operational risk events in order to report them in an efficient and standardized way, reviewing the operational risk indicators and the limits set for them, courses dedicated to the persons responsible for the management/reporting of the operational risk and testing all the employees to establish the level of assimilation of the knowledge regarding the risk, the constant alignment with the new requirements of the competent supervisory authorities, the constant updating/developing and testing disaster recovery plans and ensuring the continuity of the activity.
The continuous development of banking technologies and practices, the increasingly frequent use of automatic technologies, the digitalization of the banking system, as well as the fluctuation of personnel (present in most economic fields) are important factors that can generate operational risk events. The numerous studies in the field also show the importance of this risk and the continuous need to improve models, methods and tools for the identification, evaluation and efficient management of operational risks.
This article proposes future research topics, especially in the context of the coronavirus pandemic. Working from home, limiting face-to-face meetings, and giving up the use of physical documents as much as possible are just some of the measures taken by credit institutions to prevent the spread of the virus. In this respect, being in an unprecedented situation, the chances of operational risks have increased considerably.
Although each credit institution has Business Continuity Plans in case of disasters, the current reality could not be predicted and translated into action plans. Future research may study the evolution of the minimum capital requirement for operational risks in the context of the global pandemic and the response of the banking system to this health crisis.