The First Line of Defense in Operational Risk Management – The Perspective of the Business Line

The Basel Committee wrote in its update of the “Principles for the Sound Management of Operational Risk” in June 2011 that the first line of defense is business line management. This underlines the continuous development from (ex-post) operational risk controlling to (ex-ante) operational risk management. From the point of view of a business line, this “active” operational risk management can be achieved by reuse of concepts from quantitative quality management together with a fundamental understanding of the underlying “power law” characteristics of operational risk loss distributions.

In an integrated cycle, five steps are combined. 1. Definition of an operational risk strategy (to accept and manage, to reduce, to mitigate, to avoid) and awareness for specifics of operational risk. 2. Measurement of operational risk (loss distribution) with special regard to the asymptotic tail of the distribution and the limits of measurement. 3. Analysis of measured operational risk indicators with consequences for the business line. 4. Management process for the implementation of improvements along the whole hierarchy. 5. Controlling of results achieved by the business line management and, respectively, critical review of the fundamental assumptions of the entire approach. This “active” approach to operational risk management takes into account that a business line such as transaction banking with, for example, more than four billion high-volume payment transactions and more than seven million international and high-value transaction per year brings along operational risk generically, which has to be managed starting from “the first line of defense.” Consequently, the essential success factors are a broad understanding of the fundamental features of operational risk, open communication, and a permanent learning process for staff and management of the business line.

The Basel Committee published its update of the “Principles for the Sound Management of Operational Risk” [BIS (2011)] in June 2011. It reflects the extended knowledge and experience in operational risk management since the first version of the “Sound Practices for the Management and Supervision of Operational Risk” [BIS (2003)] in February 2003. In particular, this update points out that “common industry practice for sound operational risk governance often relies on three lines of defense – (i) business line management, (ii) an independent corporate operational risk management function and (iii) an independent review.” From the perspective of a business line, i.e., “the first line of defense,” this viewpoint emphasizes an extension from (ex-post) operational risk controlling to include (ex-ante) management of operational risk.

This paper describes the contribution of this “the first line of defense” to the whole framework of operational risk (OpRisk, for short) management – of course, together and aligned with the other two lines. It is beyond the scope of this paper to discuss the various aspects and issues concerning controlling and quantitative modeling of operational risk, which have been discussed for more than a decade: from King (2001) and Cruz (2002) to recent overviews such as Gregoriu (2009) and Embrechts and Hofert (2011). Nevertheless, the whole framework of OpRisk including loss data collection exercises, quantitative impact studies, statistical methodologies, and best practices from other industries can be applied at the “first line of defense” and (re)used for the day-to-day defense against losses resulting from problems in internal processes, people and systems, external events, and – more and more obvious – from complex correlation of internal issues and external events.

One of those valuable assets in the framework is Basel Committee’s “Results from the 2008 Loss Data Collection Exercise for Operational Risk” (LDCE2008). As for the rest of this paper, only selected aspects, sometimes simplified and tailored for pragmatic implementation, will be exploited for the business line OpRisk management. But already an initial look at the aggregated OpRisk loss data provides insight into the essentials for the business line.