GOLD, the Global Operational Loss Database, established by the British Bankers Association in 2000, is celebrating its 25th anniversary, cementing its place as the oldest operational risk data source globally.
Foreword
In 1789, Benjamin Franklin wrote about the certainty of death and taxes. He no doubt should have added operational risk, as it has always been a fundamental part of life. Financial services have evolved greatly since Franklin’s time, yet institutions continue to face the ongoing challenge of identifying and managing operational risk effectively. A plethora of articles, books, research papers, regulatory statements, and more continue to be written about operational risk – either highlighting institutions’ lack of resilience amid emerging threats or showcasing commentators as masters of hindsight. So, where does GOLD fall on this spectrum?
When financial regulators in Basel formally recognised operational risk for capital measurement purposes in the 1990s, corporate governance across the financial sector took on a whole new dimension. The ‘quants’, who used mathematical models to measure risk based on institutional data, were left scratching their heads when it came to operational risk loss data. If such data existed within their own institutions, it was often limited, leaving internal models wanting.
At the time, I was leading the statistics function at the British Bankers’ Association (BBA) when the idea of a shared database was proposed within the banking industry. After providing assurances about anonymity and data security, I had the privilege of launching the world’s first global operational risk loss database, under the GOLD acronym.
While the additional data certainly enhanced capital adequacy models, the BBA philosophy held that industry loss data should primarily be used to improve the management of operational risk – supporting better scenario analysis and controls assessment, rather than serving just as an input for calculating capital charges. However, the loss categories defined by Basel lacked the reporting scope and granularity required to understand event causality, control failures, and impacts.
At one of the very early international operational risk conferences, Mike Finlay and I felt we were on compatible journeys. The operational risk taxonomies and reporting platform developed by RiskBusiness initially led to collaboration with the BBA before transitioning to full implementation with GOLD members and eventual ownership in 2022, following the BBA’s merger with several other industry trade associations that changed its direction.
As operational risk threats to financial firms and their third parties continue to evolve daily, stronger defences and mitigation practices depend on the collective awareness that comes from shared industry knowledge. Twenty-five years may be just a blip in the long history of financial services, but the GOLD database was established at a crucial time. It continues to demonstrate its value to institutions – whether in management culture, balance sheet resilience, share price, or reputation.
David Dooks, Statistics Director, British Bankers Association; Director, Data and Research (retired), UK Finance
Introduction
2000 was a seminal year, serving not just as the change in millennium, but as the birth year for operational risk or, as some now refer to the discipline, non-financial risk. It witnessed the release of the first and second consultative papers on what is commonly referred to as Basel II, the International Convergence of Capital Measurement and Capital Standards – A Revised Framework, which gave us a new risk type, operational risk, defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.
The definition was causal focussed (the risk of loss resulting from..) and was accompanied by two other data sets which, while the subject of many industry debates over the ensuing years, gave structure to the industry, namely the so-called business lines (which may be considered as analogous to industry sub-types) and the infamous loss event types (or, as they are more broadly known, risk categories).
Basel II also, through the Advanced Measurement Approach (AMA) to Pillar 2 capital estimation, created a need for firms to have access to external loss data (Basel II at 665: a bank’s internal measurement system must reasonably estimate unexpected losses based on the combined use of internal and relevant external loss data, scenario analysis and bank-specific business environment and internal control factors). The British Bankers Association reacted to industry discussion on this topic and launched GOLD, the Global Operational Loss Database, the financial services industry’s very first and oldest data consortium for sharing operational risk data.
Fast forward 25 years, and the landscape has changed significantly. The AMA is essentially no more, many firms have learned, some the hard way, that despite all efforts, exposure to operational risk can never be accurately estimated, primarily due to the “people” aspects firmly embedded in it, while advances in technology with its accompanying cyber risks and continuously changing regulatory compliance obligations have introduced a whole new dimension to operational risk. The question often posed is, what is the relevance of external data today, if not for modelling? The answer lies in the very philosophy on which the BBA founded GOLD – external data should primarily be used to improve the management of operational risk.
In its 25th year, GOLD continues to grow, combining new members with new risk categories, combined with libraries of scenarios, public loss events, risk, control and performance metrics and even regulations, collectively aimed at helping its members improve risk management.
Mike Finlay, Chief Executive, RiskBusiness
Fundamentals of GOLD
On joining GOLD, member firms undertake to submit their internal operational risk events quarterly in arrears into the consortium datapool, where such events are subjected to quality assurance, anonymised and then co- mingled to create the GOLD database. While a minimum event amount of €10,000 is advocated, the majority of members submit both losses and unexpected gains, often at amounts below the minimum threshold and increasingly, reflecting the growth in technology and business disruption-type events, so-called “near misses” or events with no direct financial consequence.
Submitted events are classified using the GOLD Taxonomy and reflect the risk category into which the event falls (at level 4 in the classification hierarchy), the primary (and optionally, any secondary) causal types, the primary (and optionally, any secondary) failing control types which contributed to the manifestation of the event, geographic location information (continent, region and country), the process type or business function where the event originated, optionally the process type or business function where the event was discovered, the business line and product type to which the event relates and additional information relating to the currencyImpact type and any recovery type (if applicable).
Following submission of events in the month following each calendar quarter end, the GOLD analytical team review the quality assurance process, address any identified discrepancies in the event classification, then publish the submission cycle by the end of the second month after the calendar quarter end, distributing a standard GOLD submission report to all members. This is followed by a quarterly data analyst forum to discuss any aspects of thesubmission cycle which may need clarification.
Twenty-five years in summary
When anyone looks at operational risk data, the first question that is normally asked is “what happened?”, which, from a data analysis perspective, translates into which risk category is in play. By splitting the GOLD data into five-year buckets, three significant trends are easily observed: business disruption and system failures and execution, delivery and process management are both growing in terms of the percentages of events falling into these categories, while external fraud has decreased significantly.
The next most common question is “why did the events happen?”, which can be translated as into which causal types occurred to give rise to the events. Again, by splitting the GOLD data into five-year buckets, external factors is currently declining, while technology and processes are increasing significantly. While the number of people increased over the first 15 years, it has remained relatively constant over the last 10 years.
The GOLD Taxonomy defines 17 process types (or business functions) at level 1, with 95 process types at level 2. The level 1 process types are divided into four groups: strategic processes, oversight processes, transactional processes and support processes. If we look at where the majority of events over the past 25 years originated, 4 of the 5 most common process types at level 1 fall broadly into the transactional group, with just 1 in the support processes group. Overall, the majority of losses originate in the payments and settlements area, closely followed by transaction execution and then transaction processing. The most significant support process type is human resources.
Download the free GOLD 25th anniversary summary report >>>
