Fraud was the highest-volume operational risk event suffered by large UK banks in 2017, though the cost of execution, delivery and process management failures was more burdensome.
Internal and external incidences of fraud accounted for 64% of all operational risk events at Barclays, Royal Bank of Scotland, Lloyds and Santander UK on average. However, these events made up just 14% of total losses in value.
RBS recorded the highest volume of fraud events, which made up 83% of its total, and Santander UK the lowest, with 50%. The respective costs associated with these events as a percentage of the banks’ totals were 6% and 42%.
On the other hand, execution, delivery and process management failures comprised just 20% of operational risk events, but 28% of total operational risk costs.
Santander UK reported 27% of total loss events in this category, the highest in the sample, and RBS the lowest, with 7%. The respective costs associated with these events as a percentage of the banks’ totals were 9% and 33%.
Business disruption and system failures – recently targeted by the Bank of England for regulatory scrutiny – accounted for just 1% of operational risk events on average, and 2% of loss values.
Standard Chartered disclosed data regarding loss values only. Execution, delivery and process management accounted for 36% of losses by value and fraud 22%. When included in the sample with the above-named banks, the average loss values attributable to execution, delivery, and process management as a percentage of the total increase to 29%.
HSBC did not disclose a breakdown of operational risk events by category or losses by value for 2017.
What is it?
Many banks disclose operational risk losses and event volumes broken down by categories set down in the Basel II framework. Basel standard-setters defined seven categories of operational loss event types: internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical asset; business disruption and system failures; and execution, delivery and process management.
The business disruption and system failures category encompasses hardware, software, telecommunications and utility outages and disruptions. Execution, delivery and process management events include “losses from failed transaction processing or process management, from relations with trade counterparties and vendors”.
The calculations for RBS, Santander UK, Barclays and Lloyds are based on the volume and value of events where the associated loss is more than or equal to £10,000. Standard Chartered’s report did not disclose whether this threshold applied. Legal and conduct risks are excluded from the banks’ operational risk event templates.
Why it matters
Heightened scrutiny of non-financial risks is a theme bank executives have expounded on loudly for some time. The UK watchdog has also signalled its intention to scrutinise banks’ operational resilience, including firms’ ability to bounce back from technological disruptions, like those that afflicted TSB and RBS in recent years.
The top 10 operational risks 2018 survey conducted by Risk.net ranked IT disruptions as the number one risk, and fraud as number four. However, the above data suggests that disruption events still make up a tiny part of big banks’ overall operational risk profiles. This is not to say they can’t trigger huge losses, as the 2017 data also shows there is scant correlation between the volume of incidences and their related costs.
It’s also possible, of course, that some banks allocate losses related to business disruptions, such as technology failures or cyber attacks, to other categories. Perhaps a more granular operational risk taxonomy would help provide a clearer view of the modern bank’s vulnerabilities.
Get in touch
What explains the Bank of England's ramp up of activity surrounding business disruption and operational resilience, if the data shows that banks aren't experiencing massive losses due to these events? Let us know your thoughts by emailing email@example.com or tweeting @LouieWoodall or @RiskQuantum.