1. Overview on Operational Risk
Status: In-Force
All banks are subject to financial and operational risks. While most bankers are acutely aware of the potential impact of financial risks such as interest rate shifts, exchange rate movements, etc., the area of operational risk is often less well understood. Operational risk - as distinct from financial risk - represents pure risk. A pure risk is one in which there are only two possible outcomes - loss or no loss. Whereas financial risks may lead to financial rewards, operational risks involve no opportunity for gain, as non-occurrence of an operational loss means only maintenance of the status quo. In addition, unlike financial risks, operational risks are purely human in nature and are a function of an organization being a bank. Crime, losses, litigation, and adverse regulations are purely human in origin and may have no direct relationship with conditions in global financial markets.
The purpose of this Guide is to assist directors and senior management in understanding the nature of operational risk and the management techniques which may be used to manage this risk. Since one of the most effective forms of minimizing a bank's exposure to operational risks is the implementation of a strong program of internal controls, this Guide is designed to be used in conjunction with SAMA's Internal Control Guidelines for Commercial Banks Operating in the Kingdom of Saudi Arabia (1989), Disaster Recovery Planning Guideline for the Saudi Banks (1993) and the Guidelines on Physical Security for Saudi Banks (1995). This is essential for developing an integrated program of operational risk control and management. While much of the material in this Guide is oriented towards conventional insurance, its ultimate purpose is to address the issues of identification and analysis of the full spectrum of operational risks encountered by a bank and to discuss the various methods - both internal and external - which may be used to finance these risks.
In order for operational risk to be effectively managed and financed, it is necessary that banks accomplish three functions:
1.1 Identify and Analyze Risks: Only those risks which have been identified may be successfully controlled. The components of operational risks are deeply embedded in an institution's business structure. These are often difficult to isolate and identify, and constantly change as the bank's business and the policies, systems and procedures which support it change. It is ironic that banks have evolved stringent policies and standards as well as complex analytical models for the analysis of financial and market risk but often ignore the operational risk exposure inherent in their day-to-day operations. Therefore, it is critical that senior management ensures that a formal program of operational risk analysis is in place within the bank, at least equal in management visibility and rigour to that used for analyzing and controlling financial and market risk exposure.
1.2 Select and Implement Risk Management Techniques: Operational risks are most effectively controlled through integration of various risk control methods. The incidence of fraud may be controlled through rigorous training of personnel, a fraud prevention and detection program, effective operational management, and internal auditing and, finally, through the Bankers Blanket Bond (BBB) and Financial Institution Bond (FIB). Litigation risks associated with professional liability may be dealt with through careful product risk analysis and training of personnel prior to implementation of sale or marketing programs, close attention to contractual indemnities with customers and, finally, through a program of Professional Indemnity Insurance.
All of these strategies involve the careful analysis, selection, integration, and management of risk assumption, risk avoidance, control and transfer tools (including insurance) based on a thorough knowledge of the bank's business lines and operational risk exposures.
1.3 Managing and Evaluating Operational Risk Management: The management of operational risk is one of the major functions of the Board of Directors of any bank. Therefore, it is incumbent upon the Board to ensure that operational risks are being properly identified, analyzed, controlled, and managed. This should be done by the Board through a periodic review of the performance of operational risk management within the bank, in much the same manner as it reviews the effectiveness of financial and market risk management activities. On an annual basis, the Board of Directors, or the Audit Committee, should receive the results of an internal review of the Risk Management Function. Furthermore, at least once every 5 years, or more frequently if appropriate, an independent review of risk management activity must be conducted and reported to the Board.