Learning objectives
After studying this chapter, you should be able to:
1 Outline the process of operational risk management starting with identifying and benchmarking risk
2 Identify and analyse risk factors and loss events and differentiate between external and internal risk factors
3 Describe the process to identify loss events, starting with brainstorming, moving to defining events, and finally screening events
4 Understand and describe the process of risk and control self-assessment (RCSA) and key risk indicators (KRI) and internal loss data (ILD)
5 Understand the three-pillar structure of the Basel II Capital Accord as well as Principles 6, 7, 8, and 9 and how they impact operational risk management
As we have seen, failures to appropriately manage operational risk have catastrophic consequences. The case studies outlined in Chapter 3 are rare and, at times, extreme events but they underline the importance of strong operational risk management. The dramatic nature of these events may hide or minimise the potential impact of smaller loss events that may happen every day at financial institutions. Depending on their frequency and severity, smaller loss events could bleed a bank slowly but seriously, a death of a thousand paper cuts. Avoiding these smaller but more frequent events is also a key task of operational risk managers and the goal of any operational risk management strategy.
This chapter starts out by examining the process of operational risk management, taking into consideration the reality that the scope of operational risk can be extremely wide. It outlines that process and the path towards defining incidents and loss events. Benchmarking operational risk is a process that can be divided into several clear steps: identifying critical processes and resources, describing them, and evaluating them against specific benchmarks determined by the strategic objectives of the bank.
An effective benchmark requires something to benchmark against. Managers, whether directly involved in operational risk management or otherwise, should have a firm grasp of operational risk factors and loss events. Risk factors can be found in most business areas, from the market and credit risk exposures associated with foreign currency operations to the often-unpredictable customer behaviour that impacts dealing services.
Each risk factor can lead to loss events and, here again, there are multiple categories. Loss events range from fraud—whether internal or external—to failures of execution and even employment practices. Useful processes such as risk and control self-assessment (RCSA), the use of key risk indicators (KRI), and internal loss data (ILD) are all-important.
Finally, we begin the discussion of the regulatory framework that guides the management of operational risk. This is a discussion that will continue in later chapters but it is an important one. The development of regulation on operational risk management continues to evolve. Although operational risk is as old as the banking industry itself, the process of regulating it is about a decade and a half old and serious efforts affecting Hong Kong banks are more recent than that, from the Basel II accords that came out in 1998 and were updated in 2006.
Here we discuss the three pillars that support the Basel II approach to operational risk management including minimum capital requirements, supervisory review of capital adequacy, and public disclosure as well as some of the most relevant principles built into these pillars.
By its very nature, operational risk can be very broad. Earlier definitions of the term tended to include all types of risk not included under market risk or credit risk. This broad approach created a very specific challenge for operational risk managers as it left them with the difficult task of determining where operational risk was found and how to measure it.1 This leads to the first practical problem that operational risk analysts and managers have to tackle: the development of an operational risk management framework that includes benchmarks for operational risk. In order to develop a framework for operational risk management, it is necessary to have a greater understanding of operational risk and of the operational risk management process.
Although there are some general principles, these benchmarks are rarely generic in nature. Rather, they need to be tailor made for every institution and should match the bank’s strategic objectives. Once the benchmark has been decided, the next step is to identify process and resource risks, risk factors, and loss events. Finally, these are categorised into meaningful groupings to allow comparisons and analyses.
At its most basic level, the conduct of operational risk management involves several activities, including the following:
Below we discuss the process of identifying and measuring risk and launch into a discussion of how to mitigate and predict risk. Later chapters will address other parts of the process, such as transferring risk, changing the form of risk, and allocating capital to cover operational risk factors.
Even the best, most careful and comprehensive operational risk management framework is useless if risks are not effectively benchmarked and identified. Because there are several categories of operational risk that require specific consideration, the process of identifying risk may require input from multiple functions across a bank and from multiple levels of management.
But, because every bank and AI is different, it is also necessary to consider both general risks and risks specific to particular operations. A bank expanding into new geographic areas with different regulations and even approaches to regulation, for example a Hong Kong bank opening branches across Mainland China, may have several layers of risk that may not have any impact on a strictly local bank in either Mainland China or Hong Kong. Thus, operational risk managers should take the nuances of their operations into consideration and should work to benchmark operational risk in a way that fits the operations of a particular bank or other AI.
Benchmarking involves several steps: identifying critical processes and resources, describing critical processes and resources, and evaluating the processes against specific benchmarks.
After benchmarking, what then? The next step is to discover the risks that can hinder process performance and resource utilisation. To break down risk factors and loss events by processes and resources requires interviewing experienced line managers and senior supervisors.
It is best to start with neutral questions such as which factors outside their control affect the output of the process. Few people like to admit that things can go wrong on their watch, and that the reason for a problem could be in their own unit. It is important, though, to ascertain in which department the manager believes the loss event does originate and then crosscheck the response against the belief of managers in that unit. Disagreements suggest confusion about responsibilities, controls, and how the process works—all of which need to be cleared up to avert a real operational disaster. Also, a complacent “no problem here” attitude could be hiding potential disaster.
During open-ended unstructured interviews, managers should be asked about their risk priorities and exposures, as well as industry or competitive trends. This contextual information frames subsequent risk analysis. Prioritising directs attention to risk management. It is unlikely that all of the company’s risks can be completely captured, but it is possible to have a focused search for critical risk factors and loss events associated with core processes and resources.
There are two types of risk factors: external and internal. External risk factors are usually price-related with (generally) direct impacts that are assumed to drive fluctuations in the firm’s revenues or asset values. Internal risk factors have indirect effects on profits and losses or asset values by changing the losses associated with particular events.
The precise choice of risk factors depends on the particular business unit, and analysts should be careful to avoid any preconceived notions of where operational risks lie. Backward-looking analysis of historical internal and external losses combined with interviews with experienced line managers will suggest factors that may drive losses in a particular process area.
In some cases, more forward-looking techniques can be used. Designed experiments can systematically identify which risk factors are most important on the output of the process. Such experiments can be used, for example, to infer how changes in the levels of staffing in different parts of the organisation affect errors, or how changes in staff incentives affect performance levels.
Exhibit 4.1 lists the typical risk factors that affect different aspects of banking operations, which are often used as inputs for operational risk models.
Christopher Marshall, Measuring and Managing Operational Risks in Financial Institutions (Singapore: John Wiley & Sons, 2001), 169.
Business area | Critical risk factors |
Forex operations | Market risk exposure, credit risk exposure (mainly OTC derivatives) |
Commercial banks | Credit risk exposure, interest-rate risk exposure |
Retail banking | Credit risk exposure, interest-rate risk exposure |
Private banking/asset management | Exposures to change in financial markets (revenues partly driven by portfolio value); exposure to financial market sentiment (greater portfolio activity in bull markets generates more fee income); credit risk exposure (loans to private clients) |
Investor relations | State of the market, number of investors |
Planning | Market volatility, number of customers and competitors |
Sales and marketing | Market volatility, customer demand, staff morale, number of customers and competitors |
Underwriting | Market volatility, customer demand, number of customers and competitors |
Lending | Interest rate volatility, customer demand, competitor behavior |
Deposit-taking | Interest rate volatility, customer demand, competitor behavior |
Trade finance | Economic performance, interest-rate volatility, customer demand, competitor behavior |
Corporate finance | Economic performance, interest-rate and exchange-rate volatility, customer demand, competitor behavior |
Payments transmission | Investment of technology, volume of business, quality of service |
Card services | Use of technology, volume of business, quality of service |
Financial accounting | Volume and diversity of business |
Claims | Volume of business, quality of service |
Premium accounting | Volume of business, customer demand, quality of service |
Treasury management | Market volatility, corporate strategy |
Dealing | Market volatility, customer behavior |
New product development | Market volatility, competitor actions, corporate strategy |
Compliance | Volume and diversity of business and regulation |
Once general risk factors have been identified, the next step is to identify specific loss events. This process consists of brainstorming, defining, and screening the occurrences that may damage a resource or degrade process output through higher costs, lower quality, throughput and availability, and higher obsolescence.
Loss events can also be broken down into categories, from the more general to the specific. Here again, the BCBS recommends banks map ILD to the first category of events.2 The BCBS definitions for each of these top-tier events help map out each one.
Each of these events and the definitions included in Annex 9 of the Basel II document of June 2006 are listed below:
At times, a single loss event may fall under more than one category, as we could see in the case studies outlined in Chapter 3. Loss events in each category can lead to both large and small losses and there are thousands of examples, many of which bankers have to deal with on an almost daily basis to prevent high frequency small loss events from seriously denting the bottom lines of their operations.
Large-scale internal fraud is relatively rare among banks with strong ORM and multiple checks and balances but it is very difficult to eliminate it altogether. The case study in Chapter 3, involving the French bank Société Générale (SocGen) and its rogue trader Jérôme Kerviel, could be considered an example of internal fraud. After all, Kerviel did fake orders and took advantage of internal weaknesses. However, Kerviel did not personally benefit from those trades.
A case in Hong Kong in 1985 may better illustrate how internal fraud may impact a bank. The ultimate and complete failure of the Overseas Trust Bank in Hong Kong in June 1985 represented the successful completion of one of the earliest investigations by Hong Kong’s Independent Commission Against Corruption (ICAC). In 1985, the government took over the bank, the third largest local bank, and injected HKD2 billion (US$256 million) to shore it up. The ICAC found two reasons for the collapse. The first was that directors had engaged in a series of reckless loans for their own speculation or their own businesses. The second resulted from the activities of a criminal and his group that resulted in a cheque kiting scheme that generated as much as US$10 million a day. The bank did not take action to prevent a scandal but instead covered it up, using false loans to cover up the cheque kite losses. By the time of the collapse the loans and interest amounted to US$89.5 million.3
Another example of internal fraud involved the former directors of Ka Wah Bank and an investigation launched in 1986. A former director of the bank was involved in securing and cashing in on loans made out to business associates or employees of associated companies, who were often unaware of their involvement. Eventually, the former director was sentenced to two years’ imprisonment.4
External fraud is also an issue, one that often affects bank customers who rely on the bank to provide a certain level of security. The issue is one that the HKMA is constantly working on. In June 2011, the HKMA issued a circular to individual AIs outlining the implementation details for chip-based technology in Automated Teller Machines (ATMs) and ATM cards. Between 2013 and 2015, cardholder protection should be significantly enhanced through a series of new security controls. By the end of February 2013, for example, AIs were expected to upgrade their ATMs to support chip-based authentication. In turn, they were also expected to replace all bank and credit cards linked to bank accounts by the end of March 2014 and by 2015 for the remaining cards. Some of these measures were outlined in a press release in October 2012. The HKMA noted at the time that ATM fraud is not a significant problem in Hong Kong but “it is important for Hong Kong to stay at the forefront of the technology and be in line with the international trend.” ATM cards with chips that work in conjunction with more traditional magnetic strips help prevent ATM fraud. At a more practical level, Hong Kong banks also set withdrawal limits outside Hong Kong to zero for all ATM cards, leaving it up to customers to reset those limits. The aim of these policies was to better manage the risk of external fraud associated with ATMs, which is the most common point of contact between customers and banking institutions.5
Issues associated with employment practices and workplace safety can also lead to operational risk loss events. These events are not necessarily unique to banks but may apply to all organisations that hire employees, particularly those who hire in large numbers. One issue that merits consideration for banks in Hong Kong is the disparity of employment laws between Hong Kong, which bases its laws and regulations on the English legal system and is famously flexible, and Mainland China, which has stricter rules that often favor employees and unions.
These risks are international, however. In September 2012, two law firms in the U.S. filed suit against Sterling Savings Bank for denying overtime pay to mortgage loan officers and other mortgage origination employees. The lawsuit involved both Sterling Savings Bank and Golf Savings Bank, which merged with Sterling in 2010. The lawsuit claimed employees were expected to work more than 40 hours per week without overtime pay. Still in the courts, the case illustrates not only the dangers of not tracking employment practices but also how banks may be found liable for issues that existed in entities that they acquire or merge with.
Operational risk events may also arise from business practices that have an impact on clients or operations. The case study outlined in Chapter 3 involving DBS Bank and the inadvertent destruction of safe deposit boxes is a case in point. Through distraction or neglect, bank staff and contractors allowed 83 safe deposit boxes still in use to be destroyed. The cost to the bank of that single incident was in the tens of millions of dollars.
Another example was the protracted dispute in Hong Kong over “Lehman mini-bonds,” structured investment products that many small investors bought ahead of the collapse of the investment firm from 16 different banks.6 Investors were warned of the dangers of the bonds in large prospectuses that few read. When Lehman Brothers collapsed at the launch of the global financial crisis, investors were left holding worthless bonds. A settlement reached in 2011 suggests investors got back between 85% and 96.5% of the value of the purchases, but only after years of protests outside of banks across the city. The outcome not only cost the banks that sold the products but also their reputations, regardless of any small print included in the contracts.
It is easy to understand how banks may face losses from natural disasters or other events. The World Trade Center bombing of 1993, outlined in Chapter 3, is a case in point. There are myriad other examples, including the March 2011 earthquake and tsunami in Japan or the floods in Thailand in October of the same year that stopped entire cities.
Similarly easy to understand, although not always easy to prevent, are events linked to system failures. The disruptions to the trading system of the Tokyo Stock Exchange (see Chapter 3) are an example but there are myriad others around the world. In an event that combined system failures with internal fraud, in October 1998, German bank Westdeutsche Genossenschafts-Zentralbank (WGZ-Bank) lost US$200 million after two employees used computers to defraud the bank over 16 months. The employees used a loophole in the bank’s system that allowed them to enter false intermediary values and profit from trading in securities. The fraud was discovered when an updated system was installed following changes in national legislation.
In October 2012, the banking systems of Lloyds Bank in the UK failed, hitting 22 million customers of Lloyds TSB, Halifax, and Bank of Scotland. The outage lasted an hour on a Friday afternoon. In June 2012, 12 million customers at Royal Bank of Scotland were hit by a computer failure that left many without access to cash for days when payments—including salary payments—were not credited.7
Issues of execution, delivery, or process can also lead to myriad losses from simple mistakes due to flawed credit or investment decisions. These are typically small losses but may be more frequent, so risk management frameworks have to account for them and find ways to minimise them.
Subjective assessment makes sense if historical data (either external or internal) are unavailable, expensive, of poor quality, or not readily applicable to a particular circumstance. Subjective assessment therefore is most appropriate for rare, high-impact, or catastrophic losses for which there are limited data.
Employees at banks and other financial institutions can evaluate their own risks and controls either individually or as a group, through workshops, focus groups, and self-assessment questionnaires, among other techniques. One advantage of risk control self-assessment (RCSA) is that line managers are experts in their business function. Therefore, they can provide the best details on risk and controls in their units, and can be more efficient than outside experts in reviewing new functions.
The downside to RCSA is that line managers may resist change or, worse, try to hide their own weaknesses and those of their unit. There is also a danger that a focus group or workshop degenerates into a “complaint” session.
The scorecard approach, although highly qualitative, is also useful. Line managers complete the scorecards at regular intervals, say annually, and these are reviewed by a central risk function. Scorecards may relate to risks unique to a specific business line or risks that cut across business lines. They may address inherent risks, as well as the controls to mitigate them. In addition, scorecards may be used by banks to allocate economic capital to business lines in relation to performance in managing and controlling various aspects of operational risk.
Operational risk managers use key risk indicators (KRIs) to determine how much risk is associated with a particular activity. KRIs are different from key performance indicators (KPIs) in that the former are used to determine the possibility of an adverse impact while the latter help measure how well something is doing. KRIs help determine how prone a particular organisation is to risk events, in this case operational risk. We have already considered some of these. They include the number of people in an organisation, the number of transactions it undertakes in a given period of time, capital-to-debt ratio, and others.
KRIs monitor the drivers of exposure associated with key risks. Both Basel and the HKMA provide some guidelines on the KRIs banks should monitor.
It can also be useful to combine analysis of KRIs and analysis of KPIs to get some insight into operational weaknesses, which in turn can lead to operational failures and potential loss events. Banks and other authorized institutions can use escalation triggers as a self-warning mechanism, a gauge of risk levels that can keep operations within acceptable parameters and, if necessary, sound the alarms that ensure mitigation plans are put in place.
The HKMA says institutions should develop the right indicators to give management early warning of operational risk events as well as predictive information that can help risk managers identify potential sources of risk and act on those issues before they become problems.
Typical KRIs that banks track are selected from a range of indicators of operations and controls that are regularly tracked by various functions in a bank. The use of goals, limits, and escalation triggers on the appropriate KRIs can identify elevated levels of operational risk or a breakdown in operational risk management procedures before actual loss events occur.
Another important and useful tool to identify and assess operational risk is the collection and analysis of internal loss data (ILD). The BCBS suggests that this data “provides meaningful information for assessing a bank’s exposure to operational risk and the effectiveness of internal controls.”8
Basel II suggests banks map internal loss data into a series of business line and loss event categories, outlined in the June 2006 Basel II document. In this particular instance, the BCBS breaks down loss events and business lines into multiple categories, from the more general to the more specific. The BCBS recommends that banks, large banks in particular, map internal loss data to the first level of categories. A breakdown of these business lines is provided in the next chapter.
By analysing events that lead to losses, whether large or small, banking institutions can glean useful insights into the causes of losses that can prove to be ultimately large. A thorough ILD database can help banking institutions determine whether control failures are isolated or systemic. In so doing, banks may also determine and monitor the contributions to credit caused by operational risk along with market risk related losses. In so doing, an institution can get a full and complete picture of its operational risk exposure.
The 1988 Basel Accord established a single set of capital adequacy standards for international banks of participating countries from January 1993. Now known as Basel I, that Capital Accord set minimum capital standards for banks to guard against credit risk. In April 1993, market risk was included in the scope of risks subject to capital charge requirements. The accord was amended in 1996 to fine-tune the approach to market risk.
In 1998 the Basel committee reached a new agreement, now known as Basel II, which extended, and in some parts supplanted, Basel I to reflect the financial developments of the intervening years, especially the diversity of risks faced by banks. One Basel II document titled Operational Risk Management explored the importance of operational risk as a financial risk factor. No discussion of requiring a capital charge against operational risk took place until 2001.
The final version of Basel II was issued in June 2006, with some updates released in July 2009 and June 2011. Under these guidelines, operational risk was subjected to a regulatory capital charge. This regulatory capital—estimated separately by every bank—is designed to reflect the exposure of each individual bank to operational risk. The accord defines and sets detailed instructions on the capital assessment of operational risk and proposes several approaches for banks to estimate the operational capital charge. It also outlines managerial and disclosure requirements.
Exhibit 4.2 shows the basic structure of Basel II, which features three pillars. Pillar I, which addresses minimum risk-based capital requirements, focuses on credit risk, market risk and operational risk. Pillar II deals with the supervisory review process. Pillar III deals with disclosure of strategies and processes to deal with operational risk.
Anna S. Chernobai, Svetlozar T. Rachev, Frank J. Fabozzi; Operational Risk: A Guide to Basel II Capital Requirements, Models, and Analysis (New Jersey: John Wiley & Sons, Inc, 2007), 38.
As the exhibit shows, Basel II allows several methods to measure the capital charge that banks should put aside in risk capital to cover operational risk: the basic indicator approach (BIA), standardised approach (SA) and advanced measurement approaches (AMA).
The BCBS first put forth a framework of principles for operational risk management in February 2003, when it published Sound Practices for the Management and Supervision of Operational Risk. Three years later, the BCBS updated those principles in International Convergence of Capital Measurement and Capital Standards: A Revised Framework—Comprehensive Version. This later document is the one that is generally known as Basel II. But, as the BCBS noted in 2011, Basel II was written with the understanding that both the industry and its practices would continue to evolve and that knowledge of operational risk would expand. This expectation, along with the knowledge gathered through loss data collection, quantitative impact studies, and a whole gamut of reviews of issues of governance, data, and modelling led to a number of changes to the 2003 document and the publication, eight years later, of Principles of Sound Management of Operational Risk and the Role of Supervision.
The thrust of the 2011 document is to incorporate evolved practices of operational risk management into a single document that covers governance, the risk management environment, and the role of disclosure, the three pillars included in Basel II.9
Principles 6 and 7 fall under the second pillar. They deal with the identification and assessment of operational risk. These two principles put the onus on senior management of banks to first identify and assess operational risks present in a bank’s existing operations and to ensure that sufficient approval processes are in place for all new products that a bank may develop. The language of the principles is clear enough.
Principle 6 sets out the responsibilities of senior management in regards to existing risk. It says: “Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.”10
Principle 7 extends this principle onto any new products that a bank may introduce, underlining the importance of continuous assessment and management of operational risk. Principle 7 states: “Senior management should ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.”11
Monitoring and reporting are important because operational risk management is a continuous process of response to changes in operational exposures. Risk managers should learn to recognise any structural changes that could make existing models and loss data outdated. The nature and extent of the operational risks that face the bank may have changed since they were last assessed and may need to be updated.
The 2011 document seeks to incorporate the most updated and sophisticated approaches to operational risk management. The document considers the importance of monitoring and reporting in Principle 8, which notes: “Senior management should implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms should be in place at the board, senior management, and business line levels that support proactive management of operational risk.”12
In general, the first phases of operational risk management are passive. They focus on identifying and defining risks, developing tools to measure risk and possible losses, and collecting data. It is in the later phases of the operational risk management process that more proactive steps begin to take shape. This second phase may include more refined analysis aimed at understanding the causes of operational risk and attempting to limit the risk and mitigate its impact.13
In very simple terms, Principle 9 as stated by the BCBS in June 2011 sets out the basic groundwork for this second phase of any operational risk management framework. At this stage, the focus is still on Pillar II and the operational risk management environment that banks should create to follow Basel II. Principle 9 states: “Banks should have a strong control environment that utilizes policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.”
The HKMA, in its own Supervisory Policy Manual for Operational Risk Management, deals with risk control and mitigation at greater length. It makes it clear that banks and other AIs should have policies, processes, and procedures to control and mitigate operational risk as well as systems in place to comply with “documented” internal policies.14
Operational risk management methods should be more than just passive policies that remain static over time. Rather, these risk management policies should be developed in such a way that they can adapt to the growth of the bank, changes in business activities, or new developments in the market. This includes such emerging items as new products, new operations in branches and subsidiaries, or entry into new markets.
This last item can be particularly important for Hong Kong banks, most of which are either developing new operations in Mainland China or expanding their operations there. At the same time, this exposure creates new risks associated with a changing regulatory environment. Many of these risks would, by necessity, fall under the category of operational risk.
A strong internal control system is key because, when well designed and enforced, it can help protect the resources of an institution and comply with existing rules and regulations. At the same time, says the HKMA, “sound internal controls will also reduce the possibility of significant human errors and irregularities in internal processes and systems, and will assist in their timely detection when they occur.”
Contingency plans are also important to limit losses or severe disruptions to a bank’s operations in the event of a significant loss event. The HKMA says management should review contingency plans periodically and ensure they remain consistent with a bank’s current operations and business strategies. At the same time, these plans should be tested from time to time to ensure that institutions can execute their plans “in the unlikely event of a severe business disruption.”15
The BCBS also addresses issues in Principle 10, outlined in the June 2011 document. This principle states: “Banks should have resiliency and continuity plans in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption.”16
The overall message of both Basel II and the HKMA’s policies is that operational risk management should be fully integrated into a bank’s operations. Banks should first consider the risks they face in every part of their operations, develop ways to track and measure risks, and have policies in place to control them, while ensuring they also have contingency plans in place to mitigate risks, limit escalation, and continue operating should a large loss event come to pass.
Bank for International Settlements; Principles for the Sound Management of Operational Risk; June 2011
Basel Committee on Banking Supervision, Basel II, Annex 9, pg. 105, www.bis.org/publ/bcbs128.pdf
Cruz, Marcelo; Modeling, measuring and hedging operational risk; Singapore: John Wiley & Sons 2002
Hong Kong Monetary Authority; Supervisory Policy Manual: Operational Risk Management; November 2005; Section 8
Marshall, Christopher; Measuring and Managing Operational Risks in Financial Institutions (Singapore: John Wiley & Sons, 2001)
1 Marcelo Cruz; “Modeling, measuring and hedging operational risk”; Singapore: John Wiley & Sons 2002; Pg. 9.
2 Basel Committee on Banking Supervision, Basel II, Annex 9, pg. 105, www.bis.org/publ/bcbs128.pdf.
3 http://www.kwok-manwai.com/Speeches/Corruption_Related_Fraud.html.
4 http://www.kwok-manwai.com/Speeches/Corruption_Related_Fraud.html.
5 http://www.hkab.org.hk/DisplayWhatsNewsAction.do?ss=1&id=1809.
6 “The good inside the bad”; The Economist; 31 March 2011.
7 Simon Read; “Lloyds banking systems failure hits 22m retail customers”; The Independent; 5 October 2012.
8 Basel Committee on Banking Supervision; Principles for the Sound Management of Operational Risk, June 2011, p. 11.
9 As identified in the June 2011 document Principles for the Sound Management of Operational Risk issued by the Bank for International Settlements.
10 Bank for International Settlements; “Principles for the Sound Management of Operational Risk”; June 2011; Pg. 6.
11 Ibid.
12 Bank for International Settlements; Principles for the Sound Management of Operational Risk; June 2011; Pg. 6.
13 Marcelo G. Cruz; Modeling, Measuring and Hedging Operational Risk; New Jersey: John Wiley & Sons, 2002. Pg. 11.
14 Hong Kong Monetary Authority; Supervisory Policy Manual: Operational Risk Management; November 2005; Pg. 24 – Section 7.4.
15 Hong Kong Monetary Authority; “Supervisory Policy Manual: Operational Risk Management”; November 2005; Pg. 29 – Section 8.
16 Bank for International Settlements; “Principles for the Sound Management of Operational Risk”; June 2011; Pg. 6.