1. Introduction
As one of the three primary risks for commercial banks, operational risk has been incorporated into the risk management framework of the Basel II Accord [
1]. The Basel II Accord defines operational risk as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, systems, or external events. This definition includes legal risk, but excludes strategic risk and reputational risk.
In the operational management of commercial banks, operational risk can be multifaceted, with characteristics that are difficult to quantify and predict. Given the potentially significant financial and reputational losses that operational risk can cause to banks, it is necessary to propose a comprehensive and systematic approach to assess operational risk.
The Basel II Accord introduced the measurement of operational risk for the first time [
1]. The Accord prescribes three main measurement approaches: the basic indicator approach (BIA), the standardized approach (TSA), and the advanced measurement approach (AMA). With the release of the Basel III Accord, the basic indicator approach (BIA), the standardized approach (TSA), and the advanced measurement approach (AMA) have been integrated into a new approach known as the revised standardized approach [
2]. At the same time, many researchers have been actively applying various models for the quantitative assessment of operational risk. According to a systematic review by Cornwell et al. [
3], modern statistical and machine learning techniques dominate, including both supervised and unsupervised learning. Supervised learning methods, such as decision trees and artificial neural networks, are used for micro-level risk prediction, while unsupervised learning methods are primarily used for data organization and clustering. Traditional statistical approaches, such as the loss distribution approach (LDA) [
4,
5,
6], extreme value theory (EVT) [
7,
8,
9], copula functions [
10,
11], and Monte Carlo simulation [
12], are widely used in the literature. These methods are mainly applied in the banking sector due to the Basel II operational risk capital requirements. Within the family of graphical probabilistic models, Bayesian networks play a critical role in data-driven operational risk management (ORM) research, which is used to identify factors and causal pathways of ORM events [
13,
14,
15,
16,
17,
18]. Expert systems, such as system dynamics and analytic hierarchy processes [
19], are also widely adopted. Hybrid methods play a prominent role, sometimes spanning multiple model families, allowing researchers to flexibly select the most appropriate technology for the overall task, thereby enhancing the application effectiveness of each method [
20,
21,
22].
While the above methods are effective in the assessment of operational risk levels in commercial banks, they do have some limitations:
Most assessment methods are tailored to individual banks and lack a comprehensive understanding of operational risk across multiple banks or the entire banking industry. Consequently, these methods are primarily applicable to individual banks, with limited utility at the level of banking regulatory authorities.
Although some methods, such as the analytic hierarchy process (AHP) and the analytic network process (ANP), can be applied to cross-bank risk assessment, they often face challenges in determining appropriate importance values due to the abundance of evaluation criteria.
While existing methods can reasonably measure the magnitude of risk results, it is difficult to identify the underlying causes and types of risks. Providing useful and targeted recommendations to the bank management and regulatory bodies can be challenging.
Motivated by the above issues, this paper focuses on the assessment of operational risk across multiple banks. Specifically, we develop an integrated AHP-DEA method by combining the analytic hierarchy process (AHP) and data envelopment analysis (DEA). Then, we conduct an assessment of operational risks in three Chinese commercial banks using the proposed integrated AHP-DEA method, following a five-step process. Finally, we conduct a horizontal comparison of operational risks among these three banks and a detailed analysis of the risk-contributing factors associated with each bank, allowing us to make specific recommendations. The AHP-DEA method proposed in this paper can effectively address the limitations mentioned above for the following reasons:
The integrated AHP-DEA method is a systematic approach used for multi-criteria multi-alternative optimization decision making. It enables a simultaneous horizontal comparison of operational risks among commercial banks.
The method uses DEA to determine the importance values of specific rankings and then calculates the weighted sum of the rank votes to determine the importance values of the criteria, replacing the pairwise comparisons in the AHP. Therefore, it remains applicable even when faced with a large number of assessment criteria.
Operational risk assessment is a multi-criteria decision problem that involves the evaluation of internal processes, people, systems, and external events. By analyzing the importance values obtained from DEA for each assessment criterion, we can clearly identify risk contributors and then propose recommendations accordingly.
With this method, we aim to provide a more comprehensive and accurate solution for cross-bank operational risk assessment, and we anticipate that this integrated method will help bank management and regulators make more informed decisions.
The rest of this paper is organized as follows.
Section 2 reviews the literature on operational risk assessment criteria for commercial banks and previous studies on combining the AHP and DEA.
Section 3 provides a detailed introduction to the preference voting DEA method and introduces a method that integrates the AHP and preference voting DEA.
Section 4 presents a five-step procedure for evaluating operational risk levels in commercial banks. It demonstrates the application of the integrated AHP-DEA method to assess operational risk levels in three Chinese banks.
Section 5 discusses and elaborates on the empirical results, and
Section 6 presents the conclusion.
5. Discussion
Table 8 and
Table 10 display the importance values assigned by experts to the assessment criteria and sub-criteria for operational risk levels in commercial banks. The criteria are ranked as follows: people risk (0.418), system risk (0.175), internal process risk (0.162), external risk (0.143), and organizational risk (0.102). For the sub-criteria under each criterion, factors with global importance values equal to or greater than 0.05 are considered the most significant aspects of operational risk levels in commercial banks. The ranking for this is as follows: internal fraud (0.1921), negligence and non-compliance (0.1071), system security (0.1069), system failure (0.0680), employee business capabilities (0.0653), settlement payment errors (0.0546), and personnel stability (0.0540).
People risk is a crucial factor in operational risk for commercial banks, particularly in relation to internal fraud, negligence, and non-compliance. Therefore, effective management and considerable attention are required in order to address people risk, which remains the most significant factor in today’s operational risk management for commercial banks. Contrary to previous research conclusions, this study assigns a relatively high importance value to system risk, indicating that with the rapid growth of digital banking in China, system risk has become more prominent, highlighting the importance of system security in the digital era. Internal process risk, particularly in settlement and payment errors, is also a focal point due to the increasing scale and complexity of current banking operations. While external and organizational risks may be ranked lower in terms of importance value, they are equally important.
Table 15 presents a summary of the performance scores for three commercial banks based on different criteria. By combining data from
Table 12 and
Table 14, we can analyze the magnitude of operational risk and the variations in contributing factors among the three banks.
The study’s findings indicate that Bank C has an operational risk score of 3.1914, Bank B has a score of 3.1817, and Bank A has a score of 3.1199. Thus, this study asserts the operational risk profile of Bank C as the highest, followed by Bank B, with Bank A having the lowest operational risk profile.
In terms of people risk, Banks A and B have a higher level of people risk, while Bank C has a lower level of people risk. This is mainly due to the larger scale, extensive business scope, and complex financial transactions of Banks A and B, which expose them to higher risks of internal fraud, negligence, and non-compliance. Furthermore, as a joint-stock bank, Bank B may face greater competitive pressure, leading to a higher employee turnover rate, which further increases the risk. In contrast, Bank C is smaller in scale with simpler operations and lower employee turnover, thereby reducing people risk.
In terms of internal process risk, Banks A and B have a higher level of risk than Bank C due to their larger size and more complex operations. This complexity increases the likelihood of internal process errors, especially for Bank A, which is subject to more stringent regulatory and compliance requirements. In contrast, Bank C has simpler operations, resulting in lower internal process risk.
In terms of systemic risk, there is not much difference between the three banks. Modern banking institutions typically have similar levels of investment and management in information technology, resulting in relatively low risks related to system failure. Bank C, being smaller in scale with simpler operations and fewer customers, is less likely to be a primary target for cyber attacks, thereby reducing system security risk.
In terms of external risk, Bank C presents the highest level of risk, followed by Bank B, while Bank A presents the lowest level of risk. Bank C’s smaller scale may hinder its ability to conduct comprehensive credit assessments of borrowers, increasing the risk of external fraud. Furthermore, Bank C faces challenges in diversifying risks, making it more vulnerable to the impact of external events and increasing exposure to external competition and legal risks. In contrast, Bank A, being a state-owned bank, benefits from greater resources and government support, which reduces its external risk.
In terms of organizational risk, Bank B has the lowest organizational risk, while Banks C and A have relatively higher organizational risks. Bank B, being a joint-stock bank, places more emphasis on market orientation and competitiveness. It possesses a more flexible organizational culture and internal control system that enables better adaptation to market demands. In contrast, Bank A, being a state-owned bank, is susceptible to government intervention, with lower flexibility and incentive mechanisms. Bank C, being smaller in scale and facing intense competition, may encounter challenges in establishing a comprehensive internal control system and governance structure due to limited resources.
Therefore, customized recommendations can be made for different banks: for Bank C, strengthening preventive measures against external risks, especially unforeseen external events and external competitive risks, is recommended; for Bank B, the focus should be on mitigating people risks, especially personnel stability risks and internal fraud risks; and for Bank A, more attention should be paid to organizational risks, with an emphasis on cultivating organizational culture and making efforts to establish a flexible compensation system.
6. Conclusions
The scientific assessment of operational risk is crucial for the stable operation of commercial banks. However, most existing methods focus solely on risk assessment for individual banks and fail to elaborate on specific risk contributors. To address these challenges, this paper proposes an improved integrated AHP-DEA method. This method combines the strengths of the AHP and DEA, making it suitable for addressing the complexities of operational risk assessment, even when dealing with multiple assessment criteria and multiple commercial banks. We applied this method to assess the operational risk profiles of three Chinese commercial banks through a five-step process. Our analysis compares the operational risks of each company and provides detailed insights into their respective risk contributors, along with targeted recommendations. The following conclusions can be drawn: (1) people risk plays a crucial role in the operational risk assessment of Chinese commercial banks; (2) with the development of digital banking, the importance of system risk in the operational risk assessment has significantly increased; (3) different types of banks face different types and degrees of operational risk, which are closely correlated with factors such as their asset size and business complexity; and (4) political factors significantly affect the operational risk profiles of Chinese commercial banks, especially state-owned banks.
The main contributions of this paper are as follows. (1) This paper presents an integrated AHP-DEA method for cross-bank operational risk assessment, addressing the limitations of existing methods that primarily focus on risk assessment within individual banks. This fills a gap in the existing literature. (2) This paper improves the voting DEA method by replacing the original DEA model, increasing its reliability and applicability in commercial bank operational risk assessment. This enhancement improves the practicality and applicability of the method in addressing other multi-criteria decision-making problems. (3) This paper successfully applies the proposed model to assess operational risks in three Chinese commercial banks, revealing the specific risk characteristics faced by these banks. This analysis provides valuable decision support to bank management and regulatory authorities.
There are still limitations in this paper. We suggest some directions for future research. (1) Despite the adoption of widely accepted operational risk assessment standards, resource and time constraints prevented the coverage of all potential operational risk factors, which may lead to the neglect of certain indicators in the decision criteria. Therefore, future research could further investigate operational risk factors to ensure comprehensive assessment criteria. (2) The allocation of importance values may be affected by individual differences among experts. Therefore, it is necessary to establish a more authoritative team of experts to ensure the accuracy and reliability of assessment results. (3) The importance values of different factors may change over time and across regions. Therefore, it is worth considering the application of the proposed integrated method in other countries and regions in order to analyze the unique circumstances and dynamics that exist in different nations and geographic areas. Meanwhile, it is necessary to regularly update the conclusions to reflect industry changes, thereby enhancing the timeliness and reliability of the research’s practical application.