Chapter 25

Operational Risk

Monique Miller

WR Managed Accounts LLC

INTRODUCTION AND CURRENT STATE OF KNOWLEDGE

An appropriate definition of operational risk has been debated in the financial community for decades. In the past, many have used an all-inclusive definition that classifies operational risk as any risk that is not categorized as market risk or credit risk. The Basel Committee on Banking Supervision came out with a definition of operational risk several years ago that has been generally adopted by the financial services industry, although its comprehensiveness continues to be debated. The Basel Committee, in consultation with the banking community, crafted the following definition: “Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk.”1

No matter how it is defined, insufficient management of operational risk can be devastating to every type of organization. The highly publicized corporate scandals that led to the bankruptcies of Enron and WorldCom can be attributed in part to operational risk. Banks and trading firms spend tens of millions of dollars every year to manage and measure operational risk, and buy-side investors are demanding tighter controls and increased transparency from their investment managers in order to avoid fraud and other operations-related losses.

The emergence of more sophisticated financial products, coupled with economic and market factors such as globalization, a rise in electronic trading, and the growth of the hedge fund industry, has increased the potential for operational risk events and made it even more difficult to identify, measure, and manage risk. Complex derivative instruments, risk transfer markets, and the creation of illiquid over-the-counter products with their associated lack of transparency, contribute to increased risk and added difficulty in monitoring operational risk.

The best way for managers and investors to mitigate operational risk in this modern market environment is to recognize the warning signs for potential risk and understand that risks are interrelated. It is no longer appropriate to classify a risk event as only market-risk driven or credit-risk driven. Most loss events include an operational risk component. As financial products become more complex, so does the relationship across various risk types.

In order for an organization to measure, manage, and mitigate risks, the relationships among risk types and the interdependencies of a firm's business units must be recognized and understood. Risks within an organization should not be looked at as silos. A collaborative approach to risk management is required. Business processes should be coordinated, and staff should be well trained and have a thorough understanding of the business strategy, the market environment, and the complexity of financial instruments.

A BRIEF HISTORY OF THE BUSINESS OF OPERATIONAL RISK

As good business practice, financial institutions have always focused on efficiently managing people, processes, and procedures. The emergence of operational risk management as a business discipline arose in the 1990s as a result of some high-profile and highly publicized loss events, including the Barings Bank collapse.

In February 1995, Barings Bank, a respected institution with a long and profitable history, suffered a trading loss of US$1.3 billion, which was more than the bank's entire capital base. The bank was forced to declare bankruptcy and the trader who was responsible for the loss was sentenced to six and a half years in prison.2

The highly publicized collapse forced the financial community to focus on operational risk. At the time, it was unfathomable to the financial community that a single person's actions could cause such overwhelming harm to an established organization. Prior to the Barings collapse, it was unusual for management to be held responsible for tolerating loose internal controls and failing to act on warning signs for potential risks. The bank's collapse was a wake-up call for many managers to look inside their own organizations for similar deficiencies.

The loss occurred as a result of futures and options trading in the Nikkei index on the Singapore International Money Exchange by derivatives trader Nick Leeson. Leeson made unauthorized speculative trades in futures contracts that initially generated large profits for Barings. However, losses soon were incurred, and by the end of 1992 Leeson had lost £2 million. The losses escalated to over £200 million by the end of 1994.

There were many operational and management failures that contributed to the loss. One primary contributor was the lack of division of responsibilities within the bank. Because of cost-cutting measures implemented by Barings, Leeson had dual responsibility for settlements as well as trading. This enabled him to have access to the firm's operations, giving him the ability to conceal the losses over several years. Additionally, there were unclear reporting lines in the bank, and a failure to manage the trader in both his investment and noninvestment roles. Because the transactions were in derivative instruments, managers did not look into the unusual activity because of the complexity of the product. An internal audit report stated multiple deficiencies with respect to the segregation of duties, but management failed to implement the recommendations.

As a result of the Barings collapse and other loss events, financial industry professionals began to focus on the importance of operational risk and how to best manage risk in large organizations. In September 1998, the Basel Committee on Banking Supervision published a survey of 30 major banks. The following common themes arose with respect to operational risk:3

• Management oversight. Awareness of operational risk was increasing among senior management, but most felt that the primary responsibility for managing risk was with each individual business unit.
• Risk measurement and information systems. Awareness of operational risk as a separate risk category was just emerging at the time of the survey. Many banks were in the very early stages of developing a monitoring and measurement framework.
• Monitoring. Banks had monitoring processes for volume, turnover, errors, settlements, and so on, but few had taken the step of incorporating this data into formal operational risk measures.
• Control of operational risk. Internal controls and internal audits were seen as the most effective methods of controlling operational risk.
• Policies and procedures. Banks were actively reviewing their policies and procedures to see if they were adequate or could be expanded to mitigate risk.
• View of possible role of supervisors. There was a clear preference for qualitative management and the potential for supervisors to mitigate risk and raise awareness of potential risks across the organization.

The importance of operational risk management emerged as a priority in the banking community, and in June 1999 the Basel committee called for capital charges for operational risks as part of its proposed Capital Adequacy Framework. By the time the Basel II committee released the revised framework in November 2005, operational risk measurement had evolved into a growing discipline with an industry focus on how to best quantify risk.

In the years following the release, the international banking community made strides in improving risk management. Most large banks began using sophisticated calculations for operational risk measurement and relied on detailed databases to monitor both internal and external loss events.

Unfortunately, these measures failed in predicting and protecting against the unparalleled losses that occurred as a result of the 2007–2009 financial crisis. In fact, inadequate operational risk controls on the part of financial institutions and rating agencies contributed significantly to the crisis. Financial institutions clearly did not do enough to stress-test their internal valuation models and to monitor the size and concentration of risks on their books. Clearly, management should have done more to oversee and understand the risks being taken in their various business units.

OVERVIEW OF SUBJECT

Although the Basel II framework and the efforts leading up to the policies were helpful in focusing the industry on the importance of operational risk issues, recent history has taught us that firms need to do more to understand the sources of risk and the interdependencies across risk types. In the effort to mitigate risk, financial engineering has contributed to the establishment of risk transfer markets, hedging products, and increasingly sophisticated financial instruments. But along with this innovation, additional sources of risk and new relationships across risk types have developed. The added complexities that arise from new markets, products, and players must be addressed, and extreme scenarios must be considered when assessing potential losses.

The Joint Forum of the Basel Committee, the International Organization of Securities Commissions, and the International Association of Insurance Supervisors recognizes the new risk landscape, noting that “risk concentrations at most financial conglomerates are still chiefly identified, measured and managed within separate risk categories and within business lines.”4 The Joint Forum refers to this type of risk identification as “silo management.”

The Joint Forum identifies “second order effects” that should be incorporated into a firm's risk management policy. These are “indirect effects to a firm(s) exposure(s) caused by a change in economic or financial market conditions, from a shock or change in policy. This can be within a risk category or from contagion from one risk category to another risk category.”5

The Joint Forum acknowledges that organizations’ efforts to integrate risks across business lines have led to growth in risk transfer markets (such as asset-backed securities and collateralized debt obligations), which could make identifying and measuring risk even more complex through the introduction of new risk exposures. The report goes on to note that certain risk measurement and mitigation techniques may not be adequate in stressful markets.

This became apparent during the recent credit crisis. Most risk models did not take into account the added liquidity risk that emerged as credit markets became stressed. Additionally, models failed to predict contagion across asset classes and geographic regions. As credit facilities froze in late 2007 and 2008, international stock markets also became stressed, causing additional losses.

A white paper published by Algorithmics further analyzes the relationship between risk types, specifically operational risk and market risk.6 The paper observes that there are spikes in the number and severity of reported operational risk loss events in times of high market volatility. Operational loss events are generally recorded at the time they are discovered (which corresponds to times of high market stress), but the action that caused the loss generally takes place over a long period of time. The paper concludes that increased market volatility enhances the probability that a loss event will be detected, or may increase the severity of a loss, but does not increase the number of operational risk events. The report goes on to note that volatile market environments often lead to increased oversight and controls in financial institutions, which could also increase the likelihood that a loss would be discovered.

This was the case in identifying the Bernard Madoff Ponzi scheme. The volatility of the overall markets and investor liquidation requests contributed to exposing the fraud. Despite whistle-blower complaints to the Securities and Exchange Commission (SEC) and other regulators that it was mathematically impossible to achieve the consistent gains that Madoff reported to investors, and the contention that Madoff's three-person accounting firm would not have been able to process the high frequency of transactions made in a legitimate fund of that size, the regulators did little to investigate. The Ponzi scheme probably started in the late 1980s or early 1990s, but the fraud was not exposed until the end of 2008 when Madoff had difficulties meeting $7 billion in redemption requests.

The high-profile failure of the Bear Stearns hedge funds further illustrates the interdependence across risk types, and how market volatility can magnify operational losses. Bear Stearns had large losses in two of its hedge fund businesses. The High Grade Fund, which had $1 billion in assets, lost 5 percent in the beginning of 2007. The Enhanced Leverage Fund, which had $600 million in assets, lost 23 percent over the same time period. Both funds invested in bonds, mortgage-backed securities, collateralized debt obligations (CDOs), and hard-to-value exotic CDOs with investments backed by subprime mortgages. The Enhanced Leverage Fund, which was launched in the fall of 2006, invested in more risky tranches and took much more leverage than did the High Grade Fund.7

The hedge fund losses were largely attributed to market risk, credit risk, and liquidity risk factors, but operational risk factors also came into play. There were valuation issues for some of the more illiquid instruments that arose as the markets became stressed. The Algo First database of case studies reports that in a June 2007 investor letter, the fund revised its April loss from 6.5 percent to 18.97 percent. According to a BusinessWeek report in October 2007, many of the more illiquid instruments had historically been valued by the fund's management team “in the absence of readily ascertainable market values,”8 but the mispricings were not reported until a severe market event occurred.

In addition, the fund's decision to use a high leverage factor when investing in high-risk assets must also be questioned. The Enhanced Leverage Fund was launched because of the initial success of the High Grade Fund, which had enjoyed 40 consecutive months of growth as of January 2007. However, the risk profiles of the two funds were very different, particularly as the markets became stressed. Not only was the leverage “enhanced,” but the investments were much more exotic and illiquid in the newer fund.

As a result of the losses, in June 2007, Bear Stearns pledged $1.6 billion in loans to keep the High Grade Fund from collapsing, but did nothing to save the Enhanced Leverage fund. But the fall of the Enhanced Leverage Fund weakened the High Grade Fund, forcing both funds to file for bankruptcy in July 2007. The failure of the hedge funds caused reputational damage to Bear Stearns, which was one of many contributing factors to the firm's decline and subsequent bailout in March 2008.

MORE ON HEDGE FUNDS AND OPERATIONAL RISK

The hedge fund industry has grown precipitously in the past 20 years. There are currently more than 8,000 hedge funds with over $2 trillion in assets under management.9 The types of investors in hedge fund products have also changed over the past decade. As the hedge fund landscape becomes more institutionalized, more pension and institutional assets are moving into alternative investments. Additionally, new registered products are being developed for retail investors.

As the industry continues to grow, risk also increases. Because hedge funds typically use more sophisticated investment strategies than mutual funds do, they are considered to have higher market risk profiles. But because the industry is currently not required to disclose strategy or business model details, there is a higher potential for operational risk events. A Capco white paper published in 2003 reports that 50 percent of hedge fund failures are due to operational risk. The study found that the most common operational shortcomings have been the misrepresentation of investments, misappropriation of funds, unauthorized trading, and inadequate resources.10

The Asset Managers’ Committee of the President's Working Group on Financial Markets issued a best practices document in April 2008, stating:

We sought to identify and address key areas where best practices would most effectively promote investor protection and reduce systemic risk. These areas include:

Disclosure policies across funds vary, and, for this reason, it is often difficult for investors to interpret the information that is provided by hedge fund managers. Few funds provide position-level transparency, which makes it difficult for investors to monitor valuation policies or aggregate risk across funds. If more hedge funds continue to experience large operational losses, investors will push harder for increased transparency from their managers.

Because of this lack of transparency, many investors are moving toward managed accounts for their hedge fund investments. In a managed account structure, the hedge fund trades the strategy pari passu in a separate investor-owned account. This gives the investor greater transparency into the trading strategy, and the ability to aggregate risk exposures across investments in order to monitor guidelines. Although it is estimated that a significant amount of hedge fund growth will come from managed accounts, investors need to ensure that they are using the information effectively. It is not enough to have position-level detail if risk exposures are not properly aggregated, measured, and monitored.

Investors should scrutinize the performance differential between the benchmark fund and the separately managed account. If there is a tracking error or there are performance shortfalls in the managed account, investors should understand the source of the differences. There are cases where a hedge fund manager is unable to trade pari passu in a managed account due to capital constraints or liquidity factors. But operational risk can also arise in managed accounts in the form of broker or manager misallocations.

Whether investing in a managed account or a fund structure, proper investor due diligence is vital. While some hedge funds look more like investment banks, with significant infrastructure and large operations and technology staffs to support the varied business lines, most funds are small, and either outsource their operational functions or have small staffs to perform non-investment-related functions. Many industry groups have published due diligence questionnaires, which include recommendations for verifying processes and procedures, interviewing personnel, and ensuring that proper legal and compliance policies are in place. But investors should be aware that checking the boxes of a template is not sufficient due diligence; it is merely a starting point for more detailed examination.

Institutional investors have a fiduciary responsibility to understand the types of risks inherent in hedge funds and to ask questions to determine whether those risks are being managed to acceptable levels. Investors should be familiar with the hedge fund's structure and strategy and be able to identify inadequate resources, potential procedural shortcomings, or significant changes in operational controls. If an investor is uncomfortable with the lack of transparency in a particular fund, it may be better to pass on the investment or demand a separately managed account rather than incur the added risk.

A one-time due diligence effort is not sufficient. Investors need to periodically follow up to ensure that there is no investment style drift or change in operational processes. Investors should also be aware of material changes in personnel or third-party providers. It is an investor's responsibility to make sure that the appropriate operational controls are in place and to insist on adequate transparency and liquidity when making hedge fund investments.

MITIGATING OPERATIONAL RISK

As noted, regulators and investors have made significant efforts to identify and mitigate operational risk in recent years. But as we have seen, operational risk is often closely related to other portfolio risks and can be difficult to measure and monitor. Operational risk events have devastated large institutions as well as small investors. The challenge for managers and investors is to identify where those risks could potentially be present in order to limit exposure to losses.

The following list identifies the types of warning signs that managers and investors should be mindful of when assessing the potential for operational risk:

• Large-scale growth in a particular market or industry. Rapid growth can lead to market bubbles and infrastructure failures. In April 2008, the International Swaps and Derivatives Association, Inc. (ISDA)12 reported that the notional growth in the credit default swap market had risen 81 percent from the year prior.13 It is not surprising that the credit markets became stressed when there was bubble-type participation. As markets grow rapidly, it is often difficult for organizations to implement the appropriate technology, valuation processes, and infrastructure to support the business.
• Outsized profits can often mean outsized risks. The hedge fund Amaranth,14 which lost over $6 billion on natural gas spread trades in 2006, reportedly had made over $1 billion in its energy trading division the prior year. The fund was up in excess of 30 percent in the first four months of 2006, significantly more than similar multi-strategy funds. When the fund closed its doors in the fall of 2006, it was the largest hedge fund failure on record at the time. One contributing factor to the fund's failure was that the firm's risk models were unable to properly identify the unique risks inherent in trading calendar spreads in the energy markets. Risk managers should better evaluate the results of their models, and benchmark the results of several models, in order to properly assess the probability of loss in certain trading strategies.
• New market participants add new risks. In recent years, financial institutions have become more complex and have branched out from their traditional business lines. Hedge funds have become an important source of liquidity to international financial markets. Private equity funds are becoming increasingly involved in corporate governance, and investment banks are active in proprietary trading and in asset management. For many new entrants it takes time to develop robust infrastructure and staff to support the business functions. Operational risks can result due to lack of experience or commitment to a particular business line.
• Market complexity. As the field of financial engineering brings us new markets and products, often the complexity of these nascent markets can be a risk factor. Illiquidity, improper hedging, incorrect valuation, and inadequate infrastructure are all common problems when investing in new products.
• Business strategy. Sometimes the operational components of a particular business are in place but the overall business strategy is unsound and a source of operational risk. For example, Northern Rock’s15 growth strategy relied on capital market funding rather than on deposits. Because of the credit crisis and the dislocation in lending markets, the bank faced a major liquidity crisis.16
• Changes in investment environment or business cycle. Volatility shocks could expose operational risk events that remained hidden or were less severe in ordinary market environments.
• Crowding into a particular investment strategy. Often market participants have similar strategies or are invested in the same assets. In the case of a shock, there can be liquidity constraints that further magnify the impact of the event. This was the case in the summer of 2007, when there was a sharp rise in volatility in the equity markets. As many hedge funds (particularly quantitative strategies) started to unwind their positions to reduce risk, there were abnormal moves in some markets and sectors due to herding behavior and overcrowding in certain trades.
• Deep cost-cutting efforts. Institutions can increase operational risk by implementing cost-cutting measures. We saw in the Barings Bank case that Nick Leeson had oversight of support functions due to budgetary constraints. Very often organizations try to save money by moving operations to less expensive locations, hiring less qualified people, or failing to implement appropriate technology. This can be a costly mistake if it leads to an operational risk event.
• Risk culture. Particularly when making allocations to hedge funds, investors should understand and be comfortable with the risk culture of the firm. Some firms have sophisticated operational processes and understand the importance of managing risks. They apply leverage conservatively and do not take overly concentrated positions. Others do not manage their businesses to mitigate unnecessary risks. Due diligence can shed light on risk culture and help investors understand the inherent risks of the organization.

Given these risk factors, the most important tool organizations have in mitigating operational risk is a qualified and knowledgeable team. As noted, firms often try to save money on their operations by moving important business functions to remote locations or by hiring inexperienced staff to perform and manage noninvestment activities. Given the added complexity of the markets, the interdependencies of different types of risks, and the potential cost of an operational risk event, it is crucial that firms attract and train high-quality operational management and teams.

Risks across business lines are sometimes similar and should be aggregated. It is important to not silo risk exposures within particular businesses or departments. Risk managers should be familiar with the firm's strategies across all business units in order to perform comprehensive risk assessment.

It is important for firms to have robust technology and current databases to manage their business operations and their risks, but the systems are secondary to understanding how to properly use the technology and the information to evaluate risk. Risk managers use stress testing to measure what-if scenarios for market risk. Similar tests should be applied to operational risk management. But without thorough knowledge of potential risk indicators, or an understanding of the market environment, managers are unable to design the appropriate measures, ask the right questions, or recognize the warning signs of operational risk events.

Similarly, it is important that processes and procedures be documented and followed throughout the firm. However, it takes more than blindly following a procedure to mitigate operational risk. Staff should be well educated about the business in order to determine whether the processes are effective. Too often operational staff will go through the motions without thinking about why a particular procedure is being performed and how the various processes can be made better. Clerks and operational managers are in the best position to notice a rogue trading or other risk event. If staff members are not properly trained or compensated, it is unlikely that they will be proactive in helping to identify risks.

In order for firms to be effective in managing operational risk, they need to adopt the appropriate risk management culture. Risk committees with members from various departments, including some who are not investment professionals, should be formed to review the details of the business, the support infrastructure, and the risk management process. Risk management should be a priority across the entire organization, and risks should be aggregated across business lines.

It is the role of financial engineers to further develop risk methodologies, policies, and technology to appropriately measure and monitor risks in a changing market environment. As we learned from the recent market crisis, traditional risk management tools that rely on historical data are insufficient. The industry needs to move toward adaptive risk technology and analytics that utilize forward-looking measures that incorporate loss probabilities into the suite of risk measures.

NOTES

1. Basel Committee on Banking Supervision, Basel II: International Convergence of Capital Measurement and Capital Standards: A Revised Framework, November 2005.

2. Algo First database of operational risk case studies.

3. Basel Committee on Banking Supervision, Operational Risk Management, September 1998.

4. The Joint Forum, Cross-Sectoral Review of Group-Wide Identification and Management of Risk Concentrations. April 2008, 3.

5. Ibid., 4.

6. Cagan, Penny, and Yakov Lantsman, “The Cyclicality of Operational Risk: The Tracking Phenomenon Thesis: Dynamics in Number of Operational Risk Events Track Volatile Cycles in the Markets.” Algorithmics white paper.

7. Algo First database of operational risk case studies.

8. Goldstein, Matthew, and David Henry. 2007. “Bear Bets Wrong: Two Bear Stearns Hedge Funds Soured by Specializing in Exotic Securities and Unorthodox Practices; Then They Imploded and Helped Set Off a Global Credit Market Meltdown.” BusinessWeek, October 22.

9. Asset Managers’ Committee. 2008. “Best Practices for the Hedge Fund Industry: Report of the Asset Managers’ Committee to the President's Working Group on Financial Markets.” April 15.

10. Capco. 2003. “Understanding and Mitigating Operational Risk in Hedge Fund Investments,” Capco white paper (March).

11. Asset Managers’ Committee, “Best Practices for the Hedge Fund Industry.”

12. www.isda.org.

13. International Swaps and Derivatives Association, Inc. 2008. “Year-End 2007 Market Survey.” April 16.

14. Amaranth Advisors LLC was a $9 billion multi-strategy hedge fund founded by Nicholas Maounis, which was liquidated in 2006 after large losses in energy trading.

15. Northern Rock PLC is a British bank that in September 2007 received liquidity support from the Bank of England due to losses caused by the subprime credit crisis.

16. Algo First database of operational risk case studies.

ABOUT THE AUTHOR

Monique Miller's professional experience lies in investment management, research, and risk management. She is currently the Chief Operating Officer and a Principal at WR Managed Accounts LLC, a hedge fund managed account services and risk aggregation firm. Previously she was division head of a quantitative trading business at Caxton Associates, a New York–based hedge fund. Ms. Miller is on the board of directors of the International Association of Financial Engineers (IAFE) and a co-chair of the IAFE's Operational Risk Committee.