Vol. 40 (Number 6) Year 2019. Page 21
JANTSCH, Leonardo 1; SOLANA-GONZÁLEZ, Pedro 2; VANTI, Adolfo A. 3
Received: 14/10/2018 • Approved: 27/01/2019 • Published 18/02/2019
ABSTRACT: The management of corporate risks through evidence of operational risk loss events in financial institutions is analyzed with a view to the control of operational risk. The research context includes 100 financial institutions in eleven Brazilian states. The results show the indicators that present a high correlation with the loss categories "inadequate practices related to customers, products and services", "external frauds" and "poor safety of the workplace and labor demands", establishing themselves as potential risk factors.
SUMMARY: Corporate risk management based on evidence of loss events in financial institutions is analyzed for the control of operational risk. The research context covers 100 financial institutions operating in eleven Brazilian states. The results point to the indicators that show a high correlation with the loss categories "inadequate practices related to customers, products and services", "external frauds" and "labor demands and poor safety at work", establishing themselves as potential risk factors.
For Gitman (1997) and Damodaran (2008), the definition of risk is related to uncertainty, while Knight (1964) emphasizes that the difference between the two lies in the greater likelihood that risk can be measured. Holton (2004) broadens Knight's approach by also associating risk with exposure, that is, a proposition whose result is uncertain but can be estimated. Azizan, Samad, & Woon (2011) describe that, in finance theory, a company's risk is measured by the covariance of the return of its assets with the market portfolio, captured by the beta in the Capital Asset Pricing Model (CAPM).
Crouhy, Galai, & Mark (2008) classify risks into the following categories: market risk, credit risk, liquidity risk, legal and regulatory risk, business risk, strategic risk, reputational risk and operational risk. This work focuses on the last of these. According to the RMA (2000, p. 2), operational risk is related to direct or indirect losses resulting from inadequate or deficient internal processes, people and systems, or from external events. This is the context in which companies are exposed to risk, and operational risk management becomes part of the management actions on the possible causes of this risk, called risk factors. The research problem therefore consists of knowing which operational indicators justify operational risk losses. To answer this research question, the objective of this work was to verify the correlation between the operational indicators and the losses resulting from the operational risks evidenced.
This work contributes to the academic field by looking for evidence of loss events derived from operational risk in the business context, expanding on works such as Eckert, & Gatzert (2017), and considering that the frequency and magnitude of such events have increased significantly in financial institutions (Chernobai, Ozdagli, & Wang, 2017). Additionally, it presents an evaluation of suggested operational variables and their correlation with these events in financial institutions. According to Barakat and Hussainey (2013), information on operational risks is internal and usually not regulated by norms or by the assessments of rating agencies.
This article is organized in five sections. The first introduces the theme, showing its context, relevance and objectives. The second undertakes the literature review, addressing corporate and operational risk management. The third presents the methodology used, covering the data collection phase and the subsequent quantitative analysis. The fourth presents the results and a discussion of the evidence found. The fifth develops the final considerations, and the article ends with the references used.
Crouhy, Galai, & Mark (2008) classify risks into the following categories: market risk, credit risk, liquidity risk, legal and regulatory risk, business risk, strategic risk, reputational risk and operational risk. In this way:
1. Market risks are those related to changes in market prices of assets, liabilities and other financial instruments, such as fixed income securities, equities, options, swaps and commodities;
2. Credit risk, derived from the risk of payment liquidation, which causes a variation of the values for loans and receivables;
3. Operational risk, related to risks of losses resulting from internal processes, people, systems or external events;
4. Legal risk, derived from the breach of the rules, legal and regulatory principles, for example, legal, tax, social security or labour;
5. Liquidity risk, derived from the non-matching of term, indexer, currency and value between payments and collections.
Thompson (2003, p. 31) already stated that risk managers adopt their own particular point of view on risk management, imposing their own knowledge on business decisions. Companies are also responsible for risk management along with compliance, improving the generation of information and the security of their systems (Drew, 2007). A point of convergence among these authors is the perception that each line of business is aware of its own risks and particularities, and that each bears the fundamental responsibility for developing and maintaining effective internal control (Tarantino, 2006).
The aim of risk management is to maintain a sustainable value creation process for shareholders through an information model for the global management of corporate or business risks: Enterprise Risk Management (ERM). ERM derives from a paradigm shift in the perception of risk, the result of several scandals with repercussions for corporate governance and of cases of financial mismanagement, which forced companies to be more proactive in addressing risk-related issues.
Thus, ERM is defined as the risk identification and analysis process through an integrated perspective of the whole company through a common framework for all types of corporate risks, structured and disciplined in the alignment of strategy, processes, people, technologies and knowledge with the objective to assess and manage the uncertainties faced by the company and add value.
The ERM stands out in the management of non-systematic (specific) risk, through a structure of business risk management by which the increase in value of the companies occurs through the development of the strategic concept of risk premium (Azizan, Samad, & Woon, 2011). The risk premium, for Brezeanu et al. (2011), is related to risk management strategies, especially from the point of view of financial resources.
The investment projects that are not supported by internal resources need recourse to capital or external debt and this situation determines additional costs in terms of agency conflicts. The creditors expect a premium, through yields, according to the risk profile of the company, which determines the increase in the cost of the debt and the decrease in the value of the company. Therefore, risk management tools represent the support for maximizing the value of the company and the reduction of the cost of capital, becoming essential in the context of capital market integration. These concepts are evidenced from the observation that the higher leverage is equivalent to strong corporate governance mechanisms and normally they are not used in companies based on self-financing.
Doyle, Ge, & McVay (2007) report that internal control is a major focus of the regulatory changes under the Sarbanes-Oxley Act, 2002 being the first year in which all those registered with the Securities and Exchange Commission (SEC) began to publicly disclose material weaknesses of their internal controls in the financial statements. A material weakness in internal control is defined as a significant deficiency, or a combination of significant deficiencies, that results in a non-remote probability that a relevant distortion will occur or go undetected in the annual or interim financial statements. In this study, the authors find that internal control deficiencies are more likely in companies that are small, less profitable, more complex, growing fast or undergoing restructuring. Ashbaugh-Skaife, Collins, & Kinney (2007) also investigated the economic factors that expose a company to internal control risk. The authors identified that companies that report deficiencies in internal controls have more complex operations, have experienced recent organizational changes, have a greater number of layoffs from auditors or have fewer resources for internal control.
Liebenberg, & Hoyt (2003) infer that an ERM program benefits companies, increasing profits and decreasing price volatility, reducing external capital costs, increasing capital efficiency and creating synergies between different risks management activities. Depending on the level of control that is necessary, companies can choose to create a specialized management position, the Chief Risk Officer (CRO), which is responsible for the implementation and coordination of the ERM. It is evident that companies with greater financial leverage are more likely to appoint a CRO. This result is consistent with the hypothesis that companies appoint CROs to reduce the information asymmetry in relation to the current risk profile of the company and the risk expected by the interested parties.
Azizan, Samad, & Woon (2011) develop a conceptual structure based on the argument extracted from the theory of value maximization, postulating that the implementation of the ERM program by companies can create value for shareholders. The authors argue that the ERM leads to benefits that include optimizing the risk profile / return of the company, increasing profitability, reducing the volatility of profits and increasing competitiveness.
All the tangible and intangible benefits resulting from the implementation of the ERM program lead to a lower cost of capital and contribute to the performance of the business, by the valorisation of the shares price. The reduction in the cost of capital is due to the reduction of the risk premium, as a result of the specific risk reduction, non-systematic. Thus, the improvement related to the price of shares occurs because investors are willing to pay more for the perception of lower risk. These two causal relationships represent the creation of value from the ERM program (Azizan, Samad, & Woon, 2011).
The model presented by Chatterjee et al. (1999) focuses on tactical risk, strategic risk and regulatory risk. Investors are exposed to several classes of company-specific risk, and the risk premium is the sensitivity of a company's expected returns to macroeconomic uncertainties.
Tactical risk is mainly based on information asymmetries, on the assumption that investors are averse to surprises in earnings. Investors will therefore demand lower risk premiums from companies that can minimize such surprises. Companies use three types of actions to reduce tactical risk: financial actions (results management, governance and liquidity), hedges, and real options (for example, investment expansion). The direct connection to the risk premium considers that the liquidity of shares influences uncertainty, that is, the more liquid a share is, the lower the risk premium. The direct connection with macroeconomic risk arises because investors demand lower risk premiums from companies that use hedges effectively. Hedges are contingent commitments that reduce the sensitivity of the company's future profits to cyclical and random variations in the price of the goods that the company considers essential for its value chain (Chatterjee et al., 1999).
The strategic risk is driven by market imperfections for resources and sales, and relates the use of resources and commitment to performance, based on the uncertainties of achieving their objectives. The strategic risk is related to the probability that a company can isolate its benefits from macroeconomic and industry specific shocks. The strategy to reduce this risk considers that companies have options to shape the market forces and, in the process, to gain advantage, exploiting the existing imperfections and / or looking for the creation of new opportunities (Chatterjee et al., 1999).
The regulatory risk refers to the forces that hold the institutional norms, postulating that the relationship between the majority of tactical and strategic actions and the risk premium of a company is temporary. Over time, the competition will erode the ability of both to reduce the risk premium, to the extent that these actions have no effect. In this context, it is necessary to ensure that their tactical and strategic actions are contemplated in the rules and institutional rules of the company, making them institutionalized activities. Consequently, regulatory risk is defined as the risk premium that a company incurs for not complying with any of its institutionally expected standards (Chatterjee et al., 1999).
For risk management, the COSO-ERM and ISO 31000:2018 (International Organization for Standardization) stand out. Knechel (2007) emphasizes that companies must also have this context. It established the need to emphasize business risk, without neglecting the fundamental objectives of auditing the financial statements and identify the material risks of distortions. In the post-Enron era, Gavious (2007) described the auditor's agency problems, whereby auditors (the agents) are being hired and paid for their services by administrations (the directors).
Operational risk is related to unexpected losses due to internal problems such as Systems, People, Controls, Processes, Technologies, unauthorized Activities, Hacker invasions, poor definition of segregation of functions, etc., which may even derive from external situations (Chorafas, 2004).
Operational risk is the associated risk with the operation of a business and can be divided into operational failure risk and strategic operational risk. The risk of operational failure is internal to the business unit and arises from the potential for failure during the business operation. The company uses people, processes and technology to achieve their business plans, and for any of these factors a failure of some kind can occur.
The strategic operational risk is derived from environmental factors, external to the business unit, such as a new competitor, a large change of political and regulatory regime, earthquakes and other factors that are beyond the control of the company. It also arises from new strategic initiatives of importance, such as the development of a new line of business or even the redefinition of an existing line of business (Crouhy, Galai, & Mark, 2001).
For Lewis (2003) the operational risk must consider the risk related to the companies that collaborate in the supply chain. The fundamental characteristics of performance, such as quality, cost and dependence are defined by the relationship with suppliers. With the reduction in the number of suppliers there is a clear benefit, but also a great dependence has its risks. If the supplier does not respond to expectations, the company will be affected if it does not find an alternative to supply its need.
In the case of financial institutions, the Basel Committee (BCBS, 2006) defined operational risk as "the risk of loss of inadequacy or internal failure resulting from processes, people and systems or from external events". The definition includes legal risk, understood as the exposure to fines, sanctions or indemnities derived from supervisory actions by the regulatory authority and extrajudicial agreements.
Resolution 3,380 of the National Monetary Council, of June 29, 2006, establishes eight categories of events for operational risk, including risks derived from relevant outsourced services, characterized according to the provisions of the Basel Committee (BCBS, 2003):
1) Internal frauds: actions of employees that involve intentional errors, theft or action for their own benefit;
2) External frauds: actions executed by external agents to the institution related to theft, falsification or attack to the computer system;
3) Labour demands and poor workplace safety: compensation paid arising from work activities. Examples are labour lawsuits, infractions related to the health of employees, breaches of safety rules, discriminatory acts and other situations of civil liability;
4) Inappropriate practices related to customers, products and services: involve breaches of the relationship of trust between the client and the institution, inappropriate use of confidential information of the client, practice of improper commercial activities, incentive or coexistence with money laundering practices and sale of unauthorized products;
5) Damages to own physical assets or in use by the institution: actions of terrorism, vandalism, earthquakes, fires and floods;
6) Those that imply the interruption of the institution's activities: caused by internal or external factors, related to strikes, telecommunications problems and interruptions of public services;
7) Failures in information technology systems: are derived from failures in hardware and software systems;
8) Failures in execution, compliance with deadlines and management of the activities in the institution: are derived from errors in the data entry process, failures in the management of guarantees for operations, incomplete documentation, access to the customer account by unauthorized persons, contracts with third parties and suppliers.
This study is an analysis based on annual data of operational losses of financial institutions and operational indicators related to transactions, customers and employees. The procedure for obtaining data was developed by documentary technique, based on reports from the management systems of the analysed institutions.
The research question is treated through a quantitative approach, with the objective of measuring the relationship between the loss data and the operational indicators selected in the sample. The treatment of data uses the application of the statistical method, in this case, the correlation, estimating the percentage of the variations of the dependent variables that are explained by the independent variables.
Regarding the selection of the population, data from 100 financial institutions operating as a group in eleven Brazilian states were considered, namely: Rio Grande do Sul, Santa Catarina, Paraná, São Paulo, Mato Grosso do Sul, Mato Grosso, Tocantins, Pará, Goiás and Rio de Janeiro. The financial information was obtained through a system specific to the institutions, developed to record operational losses.
Data were captured from the accounting system by identifying the accounts that represent damages for the institution, such as labour, civil and tax proceedings, frauds, compensation and fines, among others. Operational indicators were obtained in conjunction with human resources management (employees), the service channels (transactions) and the customer register (clients).
The data cover the period from 2009 to 2014 and were treated and stored in an Excel spreadsheet. The loss data of the 100 financial institutions were consolidated annually by loss category, with six categories occurring. These categories follow Resolution 3,380 of the National Monetary Council, of 06/29/2006, as described in section 2.2 of this work.
Operational indicators were collected in collaboration with the business areas, through reports provided by Business Intelligence (BI) systems. Considering the categories to be analysed, the indicators are presented as follows:
1) Number of employees: it is considered as justification for losses based on inadequate management, frauds, qualification for the performance of the function or intentional or unintentional human failures. The data was separated into employees that act directly in the operating units and total employees, with the aim to evaluate if there are differences between these two groups.
2) Number of transactions: it is considered as justification for losses derived from processes and technology systems, linked to the level of automation, internal regulation or efficiency in the control of processes. They are separated into face-to-face transactions, at the institutions' teller counters, and electronic transactions, by self-service at ATMs or through Internet banking.
3) Number of clients: it is considered as justification for losses based on risks associated with external factors derived from customer operations.
Finally, with the data obtained, the Eviews software was used to calculate the correlations. The processed data are presented in the next section.
Considering the results of this research, the first positive aspect to be highlighted is the existence of structured loss data that made the analysis possible. In line with Resolution 3,380 of the National Monetary Council, of June 29, 2006, it is found that the institutions under investigation have an operational risk management structure, so it was possible to obtain a standardized historical basis for the entire sample.
The occurrences of found losses were classified and renamed in the following categories:
• Internal frauds and external frauds, for which the nomenclatures were maintained;
• Labour lawsuits and deficient security of the workplace, called "Labour Demands";
• Inappropriate practices related to clients, products and services, called "Clients Practices";
• Failures in information technology systems, called "IT Failures";
• Failures in the execution, compliance with deadlines and management of the activities in the institution, called "Failures in Activities".
If this context is compared with the findings of Hora, & Klassen (2013), an appropriate scenario was identified considering that the operational similarity has a significant influence on the group of companies and their risk managers to acquire knowledge about the causes that led to the operational loss, using this knowledge for its management.
In the application of the correlation tests, the findings correlate positively. The results presented in Table 1 reflect the correlation of the selected variables with the data of the constants. The highest correlation percentages, in each category of losses, are highlighted in order to facilitate the evidence.
Table 1
Correlation between the categories of operational losses and explanatory variables

| Correlation | Internal Frauds | External Frauds | Labour Demands | Clients Practices | IT Failures | Failures in Activities |
|---|---|---|---|---|---|---|
| Clients | 0.518416 | 0.91003 | 0.791948 | 0.931674 | 0.394921 | 0.645402 |
| Electronic Transactions | 0.567712 | 0.920676 | 0.773878 | 0.93673 | 0.376671 | 0.668917 |
| Face-to-face Transactions | 0.380084 | 0.777855 | 0.744935 | 0.881459 | 0.426519 | 0.527437 |
| Total Transactions | 0.520362 | 0.89203 | 0.774998 | 0.934288 | 0.397438 | 0.639473 |
| Employees of Operation | 0.473725 | 0.893907 | 0.777492 | 0.927958 | 0.417898 | 0.628224 |
| Total Employees | 0.478235 | 0.86545 | 0.798068 | 0.936984 | 0.444874 | 0.632187 |

Source: Research data treated in the Eviews software
The "inadequate practices related to customers, products and services", represented by the column "Clients Practices", is the loss category with the strongest correlation with the indicators. In addition, there is a high degree of correlation with the indicators of "Total Employees" (0.936984), "Clients" (0.931674) and "Electronic Transactions" (0.93673).
For the other categories there are no robust correlation indicators, except the average correlations in "Internal Frauds" (0.567712) and "Failures in Activities" (0.668917) compared to "Electronic Transactions", as well as "IT Failures" (0.444874) compared to "Total Employees". It should also be considered that these loss categories are less significant in monetary volume, which may in some way affect the application of the tests.
Considering the research problem, it is concluded that there are operational indicators that are substantially characterized as risk factors and justified in relation to the losses derived from operational risk. The results obtained show that the indicators "Total Employees", "Clients" and "Electronic Transactions" presented a high correlation with the loss categories of improper practices related to clients, products and services, "External Frauds", and labour lawsuits and workplace safety. As a last aspect, the existence of correlation indicates a degree of predictability in the occurrence of losses.
The risks derived from the operations are increasingly significant and the organizational management should worry about their occurrence. In this way, it is concluded that the correlations found represent a point of departure to be studied and extended by companies that are in a similar operational context.
As indicated by Crouhy, Galai, & Mark (2001), a part of the failures can be foreseen, and these risks have to be incorporated into the business plan, but there are also unexpected failures and, therefore, uncertain, which give rise to the operational risks.
Operational risk will require the allocation of sufficient capital to cover the unexpected component, generating an anticipated demand for increased income and the constitution of reserves, or the assumption of the cost of insurance. The company can estimate the losses that arise from the expected component of these failures. These aspects arise in the present investigation through the definition of the variables and the measurement of the correlations, enabling estimates of losses based on future perspectives for the risk factors.
As suggestions for future works, the application of correlation analysis for losses and indicators in companies from other sectors is proposed. The comparison between operational losses with other variables is also proposed, such as, for example, hours of training and time of the employees in the company.
Ashbaugh-Skaife, H., Collins, D. W., & Kinney, W. R. (2007). The discovery and reporting of internal control deficiencies prior to SOX-mandated audits. Journal of Accounting and Economics, 44(1), 166-192.
Azizan, N. A., Samad, M. F. A., & Woon, L. F. (2011). A strategic framework for value enhancing enterprise risk management. Journal of Global Business and Economics, 2(1), 23-47.
Barakat, A., & Hussainey, K. (2013). Bank governance, regulation, supervision, and risk reporting: Evidence from operational risk disclosures in European banks. International Review of Financial Analysis, 30, 254-273.
BCBS (2003). Sound Practices for the Management and Supervision of Operational Risk. Basle Committee on Banking Supervision. Available in: http://www.bis.org/publ/bcbs96.pdf?noframes=1.
BCBS (2006). International Convergence of Capital Measurement and Capital Standards: A Revised Framework. Basle Committee on Banking Supervision. Available in: http://www.bis.org/publ/bcbs128.pdf.
Brezeanu, P., Essawi, M. S. A., Poanta, D., & Badea, L. (2011). Does Corporate Governance Impact Risk Management System? Theoretical and Applied Economics, 4(4), 49.
Chatterjee, S., Lubatkin, M. H., Lyon, E. M., & Schulze, W. S. (1999) Toward a strategic theory of risk premium: Moving beyond CAPM. Academy of Management Review, 24(3), 556-567.
Chernobai, A., Ozdagli, A. K., & Wang, J. (2017). Business complexity and risk management: evidence from operational risk events in US bank holding companies. Working Papers, Federal Reserve Bank of Boston, No. 16-16.
Chorafas, D. N. (2004). Operational risk control with Basel II: basic principles and capital requirements. Boston: Elsevier.
Conselho Monetário Nacional. Resolução 3.380 de 29 de junho de 2006. Available in: http://www.bcb.gov.br/pre/normativos/res/2006/pdf/res_3380_v3_P.pdf.
Crouhy, M., Galai, D., & Mark, R. (2001). Risk Management. New York: McGraw-Hill.
Crouhy, M., Galai, D., & Mark, R. (2008). Fundamentos da Gestão de Risco. Rio de Janeiro: Qualitymark.
Damodaran, A. (2008). Gestão estratégica do risco: uma referência para a tomada de riscos empresariais. Porto Alegre: Bookman.
Doyle, J., Ge, W., & McVay, S. (2007). Determinants of weaknesses in internal control over financial reporting. Journal of Accounting and Economics, 44(1), 193-223.
Drew, M. (2007). Information risk management and compliance - expect the unexpected. BT Technology Journal, 25(1), 19-29.
Eckert, C., & Gatzert, N. (2017). Modeling operational risk incorporating reputation risk: an integrated analysis for financial firms. Insurance: Mathematics and Economics, 72, 122-137. https://doi.org/10.1016/j.insmatheco.2016.11.005.
Gavious, I. (2007). Alternative perspectives to deal with auditors’ agency problem. Critical Perspectives on Accounting, 18(4), 451-467.
Gitman, L. J. (1997). Princípios de administração financeira (7th Ed.). São Paulo: Habra.
Holton, G. A. (2004). Defining risk. Financial Analysts Journal, 60(6), 19-25.
Hora, M., & Klassen, R. D. (2013). Learning from others’ misfortune: Factors influencing knowledge acquisition to reduce operational risk. Journal of Operations Management, 31(1), 52-61.
ISO 31000:2018. Risk management – Guidelines. International Organization for Standardization (ISO).
Knechel, W. R. (2007). The business risk audit: Origins, obstacles and opportunities. Accounting, Organizations and Society, 32(4), 383-408.
Knight, F. H. (1964). Risk, uncertainty and profit. New York: Sentry Press.
Lewis, M. A. (2003). Cause, consequence and control: towards a theoretical and practical model of operational risk. Journal of Operations Management, 21(2), 205-224.
Liebenberg, A. P., & Hoyt, R. E. (2003). The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 6(1), 37-52.
RMA (2000). Operational risk: the next frontier. The Journal of Lending and Credit Risk Management. Risk Management Association. Available in: http://logicmanager.com/pdf/operational_risk_management.pdf.
Tarantino, A. (2006). Manager's Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB's A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices and Case Studies. John Wiley & Sons. https://doi.org/10.1002/9781119202103.
Thompson, D. (2003). Risk Management: A brief history. Journal of Banking and Financial Services, 117(3), 30-32.
1. Researcher of Financial Economics and Risk Management. Unicred. Rio Grande do Sul, Brazil. ljantsch@gmail.com
2. Professor and researcher of Management & IT. Faculty of Business and Economics. University of Cantabria (UC), Spain. Degree in Computer Science and PhD in Industrial Engineering. pedro.solana@unican.es
3. Professor and researcher of Corporate Governance and IT, Administration, Accounting and Management Control. Postgraduate Program in Management of Public Organizations. Federal University of Santa Maria (UFSM), Brazil. PhD in Business Management. adolfo.vanti@ufsm.br