Search My Blog
 About Donald

Don founded Kamakura Corporation in April 1990 and currently serves as its chairman and chief executive officer where he focuses on enterprise wide risk management and modern credit risk technology. His primary financial consulting and research interests involve the practical application of leading edge financial theory to solve critical financial risk management problems. Don was elected to the 50 member RISK Magazine Hall of Fame in 2002 for his work at Kamakura. Read More

 Now Available

An Introduction to Derivative Securities, Financial Markets, and Risk ManagementAdvanced Financial Risk Management, 2nd ed.

 Contact Us
Kamakura Corporation
2222 Kalakaua Avenue

Suite 1400
Honolulu HI 96815

Phone: 808.791.9888
Fax: 808.791.9898

Americas, Canada
James McKeon
Director of USA Business Solutions
Phone: 215.932.0312

Andrew Zippan
Director, North America (Canada)
Phone: 647.405.0895
Asia, Pacific
Clement Ooi
President, Asia Pacific Operations
Phone: +65.6818.6336

Australia, New Zealand
Andrew Cowton
Managing Director
Phone: +61.3.9563.6082

Europe, Middle East, Africa
Jim Moloney
Managing Director, EMEA
Phone: +

Tokyo, Japan
3-6-7 Kita-Aoyama, Level 11
Minato-ku, Tokyo, 107-0061 Japan
Toshio Murate
Phone: +03.5778.7807

Visit Us
Linked In Twitter Seeking Alpha

Careers at Kamakura
Technical Business Consultant – ASPAC
Asia Pacific Region
Business Consultant – ASPAC
Asia Pacific Region


Kamakura Risk Manager Data Expert
Europe, North America, Asia & Australia 



Kamakura Blog

Aug 26

Written by: Donald van Deventer
8/26/2009 3:01 AM 

For many years, “operational risk” was an area of risk management of great interest but lacking in a theoretical and conceptual framework that would place operational risk in the context of an integrated approach to enterprise wide risk management.  Indeed, to many, “operational risk” was a table of losses for specific events and not much else.  This is the operational risk equivalent of credit risk modeling with loss given default statistics but no default probabilities.

Two recent papers by Kamakura’s research director Robert Jarrow show that operational risk is an insurance event that has strong parallels in modeling in other risk disciplines: default/no default, prepay/don’t prepay, pay on a fire insurance policy/don’t pay, pay on a life insurance policy/don’t pay.  Both of these papers are available on Kamakura’s website

  • Jarrow, Robert A. “Operational Risk,” Journal of Banking and Finance 32 (2008), pp. 870-879.
  • Jarrow, Robert A., Jeff Oxman, and Yildiray Yildirim, “The Cost of Operational Risk Insurance,” Cornell University and Kamakura Corporation working paper, May 2008 (updated August 2008).

In these papers, Professor Jarrow and his co-authors show that the occurrence of an operational risk event can be modeled using credit risk parallels.  Using the same “reduced form” approach as in credit risk, prepayment risk, and other insurance events, Professor Jarrow shows how to simulate the occurrence of an operational risk event, how to calculate related cash flows, and how to value the resulting cash flow stream in the context of a full mark to market of the firm’s value.  This approach has already been implemented for practical use.

To motivate our discussion of best practice operational risk management, we will use a “low tech” operational risk, bank robberies, as an example.  Statistics for the occurrence of bank robberies in the United States, collected by the Federal Bureau of Investigation, are reported in the following table for 2006 from:

As shown in this chart, operational risk can fall into mutually exclusive categories like these three categories of bank robberies:
  • Robberies
  • Burglaries (entry of bank or theft from bank during non-business hours)
  • Larcenies (theft not involving direct confrontation between offender and bank employees or customers)

Since common factors can influence these four mutually exclusive outcomes for one potential burglary, Professor Jarrow and best practice implementation rely on multinomial logit to model the probability of one “bank robbery event” in these four mutually exclusive classes:

  • No bank robbery event
  • Bank robbery event, robbery
  • Bank robbery event, burglary
  • Bank robbery event, larceny

As shown in the chart above, the probability of a bank robbery event varies by the type of financial institution:

  • Commercial banks
  • Mutual savings banks
  • Savings and loan associations
  • Credit unions
  • Armored carrier companies

The probability of bank robbery events varies also by the number of branches, the size of the branch, and its location. 
Whether or not there is a recovery of value from the gross loss in the event of a bank robbery event also varies by the nature of what is stolen:
As noted in the chart, 8% of the bank robbery events resulted in no losses.  In an operational risk event like a bank robbery event, recovery is a possibility.  The chart below shows that full or partial recovery of losses was reported in 20% of the bank robbery events:
Many operational risk events have a strong degree of seasonality, as this chart shows for bank robbery events both by day of the week and time of day:
The probability of an operation risk can depend on the physical nature and location of the institution, as these statistics show for bank robbery events;
Even more important, operational risk events can show a strong degree of cyclicality over time, because macroeconomic forces can be important drivers of their occurrence.  Rogue traders, for example, are only a problem (a) when the trade is over permitted limits and (b) the trade is losing money.  The following chart shows the variation in the bank robbery event “robberies” by number in the United States since 1978:


In order to model the various explanatory variables that drive the probability of an operational risk event, logistic regression is a possible choice:
Logistic regression is an excellent choice for binary events like default/no default, occur//don’t occur, but as we saw in the case of operational risk events like bank robbery, there are a number of mutually exclusive types of bank robbery event.  For this reason, a multinomial logit implementation is the best general implementation for operational risk:
For an introduction to the multinomial logit concepts, please see the Kamakura blog for August 24, 2009, “Recent Advances in Asset and Liability Management: An Introduction to Multinomial Logit.” 

As show above using U.S. bank robbery statistics, the amount of recovery in an operational risk event is not always zero.  In best practice implementations, the logistic regression formula is used to drive the recovery rate, conditional on the occurrence of an operational risk event.  The recovery rate can be driven by some or all of the same factors that drive the probability of the operational risk event.  Also as shown in the FBI bank robbery statistics, the operational risk gross losses depend on the nature of the loss event.  For a comprehensive implementation of operational risk events, best practice is a full multiperiod simulation with macro factors driving operational risk probabilities and recoveries up and down.

For institutions taking this best practice approach, operational risk is no longer an orphan in enterprise risk management.  Seen in this context, operational risk is one more member in the family of fully integrated enterprise risk management.

Donald R. van Deventer
Kamakura Corporation
Honolulu, August 26, 2009