We'll begin by looking at the Op risk management setup. First, we're going to talk about the sources of Op risk, and explore how it's managed. Op risk is embedded in financial institutions, and compose a threat to their performance. The importance of information, and system technology has expanded exponentially in financial institutions, making the management of these systems critically important. While technology has facilitated improvements in the measurement, and management of Op risk, the same technological advancements that are reshaping the financial industry in areas such as FinTech are leading to ever greater exposure to operational, and systems risk. This means that financial institutions, and regulators must continue to improve their ability to manage, and mitigate Op risk. Risk management in institutions is divided into three lines of defense. The first line of defense is the business line. Functions that own, and manage risk. They're the risk-takers, managers of business functions know firsthand the risks they face, they have the knowledge, and experience to manage the risk, and there are business lines effectively and efficiently. There are also the best position to decide how to allocate scarce risk capital most efficiently. The second line of defense for the risk management and compliance functions, they work closely with business line managers to ensure that each group, and the institution as a whole maintain agreed risks limits, and risk management systems. The third line of defense is internal audit. They provide independent assurance that business line management, and risk management are complying with the policies, and limits set by the institution, senior management, and board of directors. The most important lines of defense are management controls, and internal control measures instituted by the business line managers, but all three lines of defense are needed to ensure an effective risk management system. Regulatory bodies such as the Basel Committee on Banking Supervision, have defined Op risk narrower. Op risk includes the risk of losses from inadequate or failed internal processes, people, systems, and from external events. This includes legal risks such as fraud, but excludes strategic, and reputational risks, it excludes the most important Op risk, business risk which covers all the other risks besides credit, and market that could cause volatility, and the revenues, expenses, profitability, and value of a bank's business. Also excluded as the largest business risks for financial institutions, reputational risk. Reputational risk is a key asset of most financial institutions, it's difficult to quantify reputational risk, but as an example, you can look at the files that were paid by large banks during the last 10 years for various reputational disasters such as the libor fraud, the foreign exchange trading fraud, and the opening of millions of unauthorized customer accounts by Wells Fargo. He funds over a 100 billion dollars. Other reputational risk include market manipulation, and ethical risk in retail lending practices such as redlining. Historically the regulatory focus has been on credit risk, but with the update to basil one and 1995, the focus was widened to credit, and market risk. Op risk was added in 2004, but residual risks such as strategic, and reputational risks, were excluded from the castle to Framework. Credit and market risks are specific to the financial industry versus Op risk, which is a general business risks with unique features in banking and finance. Op risk is not tied to prophets directly like credit, and market risk, but as embedded in the normal course of business activity, credit, and market risks are the source of most of the profits made by banks and their lending and trading businesses. Op risk is not product-specific and is not tied to revenue sources directly, but it is still a key factor in maintaining and growing profitability at financial institutions. Op risk can be found in every function of a business, in this way, Op risk management is closest to enterprise risk management. To create an Op risk management framework, you need to create a detailed risk profile for each functional area of the business, these profiles are created by business heads, and senior management with the assistance of the risk management function. Now we're going to look at some of the main sources of operational risk. Op risk breaks down into three categories, process risks or risks of execution, delivery, business disruption, and system failure. Conduct risks, which are risks related to the businesses relationship to his clients, it's products its business practices, employment practices, and internal factor fraud. Lastly, we're external risks which come from the external theft and fraud, and damage to physical assets. Example of these for banks include credit card fraud, and money laundering. Specific Op risk include inappropriate business practices or market conduct. Also business selection where there is an inadequate due diligence or failure to adhere to credit market or operas policies and limits, and Infrastructure adequacy which can limit a business's ability to grow. Financial integrity includes poor accounting, record keeping or reporting, and noncompliance with laws and regulations. Other Op risk include information security, which is the failure to safeguard customer proprietary information. Business continuity risk is the inability to continue in business during a catastrophic event, also inappropriate employment practices or workplace environment. Last, vendor management, which is the risk of using a third party whose own poor practices become the responsibility of the business that hired them. Here are the basil categories of Op risk go on with the business practices, and events that cause each risk. Major categories include internal fraud, external fraud, and systems hacking by outsiders, and employment practices, and workplace safety, and damage to physical assets. Other categories are client products, and business practices, which includes suitability, and fiduciary breaches and failure to know your customer, and your customers customer, and improper business, and market practices, such as market manipulation. Business disruption is caused by system failures, such as a failure of hardware or telecommunications and software. Execution, delivery and Process management includes transactions monitoring, reporting customer intake documentation, and vendor, and third party outsourcing failures. Over the last five years, there's been a dramatic upward trend in the number of internet related crimes reported to the FBI. Losses related to these transactions have increased from about a billion dollars a year in 2015 up to more than $3 billion a year in 2019. On the other hand, the number of theft and fraud loss events has decreased, and monetary losses have decreased from about $28 billion in 2018 to just 15 billion in 2019. As a number of theft and fraud related events has remained constant, it looks like this is a case where banks have been successful in controlling their financial exposure to events, but not successful in decreasing the absolute number of events. Another important source of Op risk is outsourcing, and using third-party vendors. The main risk identified by financial firms include cybersecurity, information security, business continuity, resilience, and reputational risk. Next, we're going to explore the evolution in practice of Op risk as a formal discipline of risk management.
