Question

A bank's operational risk includes the risk of very large losses because of employee fraud, natural disasters, litigation, and so on. Do you think operational risk is best handled by risk decomposition or risk aggregation?

Answer 1

An operational risk in a bank is the risk arising due to failed systems, internal processes, controls within a bank or due to external events like natural disasters, terrorist attacks etc. Banks usually set up an operational risk framework governance committee which ensures that operational risks relevant within each unit of bank is mapped to proper controls and adequate steps are taken to mitigate the risks to best possible extent.

As per rules and guidelines followed by a bank operational risk is more appropriately handled using risk decomposition. There are around 90 different kinds of operational risk proposed by BASEL committee. The governance committee within bank will monitor closely the operations of each unit and tag the relevant risks out of 90 risks prescribed by BASEL committee to each unit. The risks prevalent within each unit are further mapped to appropriate controls available in bank and accordingly a proper risk mitigation plan is drafted. This whole process of risk assessment within each unit is called Risk and Control Self Assessment (RCSA). So we can conclude that risk decomposition is more appropriate while handling different kinds of operational risks within bank.

At the same time risk aggregation technique is used to look at overall exposure to a bank from operational risk perspective. This overall exposure arising due to operational risk is used by bank for capital provisioning.