For many years, “operational risk” was an area of risk management of great interest but lacking in a theoretical and conceptual framework that would place operational risk in the context of an integrated approach to enterprise wide risk management. Indeed, to many, “operational risk” was a table of losses for specific events and not much else. This is the operational risk equivalent of credit risk modeling with loss given default statistics but no default probabilities.

Two recent papers by Kamakura’s research director Robert Jarrow show that operational risk is an insurance event that has strong parallels in modeling in other risk disciplines: default/no default, prepay/don’t prepay, pay on a fire insurance policy/don’t pay, pay on a life insurance policy/don’t pay. Both of these papers are available on Kamakura’s website www.kamakuraco.com:

- Jarrow, Robert A. “Operational Risk,”
*Journal of Banking and Finance*32 (2008), pp. 870-879. - Jarrow, Robert A., Jeff Oxman, and Yildiray Yildirim, “The Cost of Operational Risk Insurance,” Cornell University and Kamakura Corporation working paper, May 2008 (updated August 2008).

In these papers, Professor Jarrow and his co-authors show that the occurrence of an operational risk event can be modeled using credit risk parallels. Using the same “reduced form” approach as in credit risk, prepayment risk, and other insurance events, Professor Jarrow shows how to simulate the occurrence of an operational risk event, how to calculate related cash flows, and how to value the resulting cash flow stream in the context of a full mark to market of the firm’s value. This approach has already been implemented for practical use.

To motivate our discussion of best practice operational risk management, we will use a “low tech” operational risk, bank robberies, as an example. Statistics for the occurrence of bank robberies in the United States, collected by the Federal Bureau of Investigation, are reported in the following table for 2006 from:

- Robberies
- Burglaries (entry of bank or theft from bank during non-business hours)
- Larcenies (theft not involving direct confrontation between offender and bank employees or customers)

Since common factors can influence these four mutually exclusive outcomes for one potential burglary, Professor Jarrow and best practice implementation rely on multinomial logit to model the probability of one “bank robbery event” in these four mutually exclusive classes:

- No bank robbery event
- Bank robbery event, robbery
- Bank robbery event, burglary
- Bank robbery event, larceny

As shown in the chart above, the probability of a bank robbery event varies by the type of financial institution:

- Commercial banks
- Mutual savings banks
- Savings and loan associations
- Credit unions
- Armored carrier companies

The probability of bank robbery events varies also by the number of branches, the size of the branch, and its location.

Whether or not there is a recovery of value from the gross loss in the event of a bank robbery event also varies by the nature of what is stolen:

As noted in the chart, 8% of the bank robbery events resulted in no losses. In an operational risk event like a bank robbery event, recovery is a possibility. The chart below shows that full or partial recovery of losses was reported in 20% of the bank robbery events:

Many operational risk events have a strong degree of seasonality, as this chart shows for bank robbery events both by day of the week and time of day:

The probability of an operation risk can depend on the physical nature and location of the institution, as these statistics show for bank robbery events;

Even more important, operational risk events can show a strong degree of cyclicality over time, because macroeconomic forces can be important drivers of their occurrence. Rogue traders, for example, are only a problem (a) when the trade is over permitted limits and (b) the trade is losing money. The following chart shows the variation in the bank robbery event “robberies” by number in the United States since 1978:

In order to model the various explanatory variables that drive the probability of an operational risk event, logistic regression is a possible choice:

Logistic regression is an excellent choice for binary events like default/no default, occur//don’t occur, but as we saw in the case of operational risk events like bank robbery, there are a number of mutually exclusive types of bank robbery event. For this reason, a multinomial logit implementation is the best general implementation for operational risk:

For an introduction to the multinomial logit concepts, please see the Kamakura blog for August 24, 2009, “Recent Advances in Asset and Liability Management: An Introduction to Multinomial Logit.”

As show above using U.S. bank robbery statistics, the amount of recovery in an operational risk event is not always zero. In best practice implementations, the logistic regression formula is used to drive the recovery rate, conditional on the occurrence of an operational risk event. The recovery rate can be driven by some or all of the same factors that drive the probability of the operational risk event. Also as shown in the FBI bank robbery statistics, the operational risk gross losses depend on the nature of the loss event. For a comprehensive implementation of operational risk events, best practice is a full multiperiod simulation with macro factors driving operational risk probabilities and recoveries up and down.

For institutions taking this best practice approach, operational risk is no longer an orphan in enterprise risk management. Seen in this context, operational risk is one more member in the family of fully integrated enterprise risk management.

Donald R. van Deventer

Kamakura Corporation

Honolulu, August 26, 2009