
Operational Risk Management at Global Petro Sole Member Limited Commercial Bank (GPBank)


DOCUMENT INFORMATION

Basic information

Title: Operational Risk Management at Global Petro Sole Member Limited Commercial Bank (GPBank)
Author: Le Minh Ngoc
Supervisor: PhD. Ngo Thi Ngoc Anh
School: VNU - International School
Major: Financial Management
Type: Thesis
Year of publication: 2024
City: Hanoi
Format:
Pages: 88
Size: 1.92 MB


Structure

  • CHAPTER 1: INTRODUCTION
    • 1.1. Rationale of the thesis
    • 1.2. Research objectives and research questions
    • 1.3. Research subjects and research scope
    • 1.4. Research Method
    • 1.5. Research contributions
    • 1.6. Structure of Thesis
  • CHAPTER 2: LITERATURE REVIEW
    • 2.1. Operational risk in commercial banks
      • 2.1.1. Risk in commercial banks
      • 2.1.2. Operational risk in commercial banks
    • 2.2. Operational risk management in commercial banks
      • 2.2.1. Risk management in commercial banks
      • 2.2.2. Operational risk management in commercial banks
      • 2.2.3. Operational Risk Management Process
  • CHAPTER 3: RESEARCH METHODOLOGY
    • 3.1. Research Methodology
    • 3.2. Data collection
    • 3.3. Data analysis
  • CHAPTER 4: RESEARCH FINDINGS AND RECOMMENDATIONS
    • 4.1. GPBank - Global Petro Sole Member Limited Commercial Bank
    • 4.2. GPBank’s operational risk management performance
      • 4.2.1. Operational Management Framework
      • 4.2.2. GPBank’s operational risk management procedure
      • 4.2.3. GPBank’s operational risk management performance
    • 4.3. Research findings
      • 4.3.1. Achievements
      • 4.3.2. Limitations
    • 4.4. Recommendations
  • CHAPTER 5: CONCLUSION
    • 5.1. Discussion
    • 5.2. Research contributions
    • 5.3. Research limitations

Content

Amidst the context of vibrant economic development and significant adaptation of digital transformation of businesses in Vietnam in recent years, professional risk management plays a cru

INTRODUCTION

Rationale of the thesis

The banking industry faces many opportunities and challenges due to complex global economic fluctuations. At the beginning of 2022, the global economy finally started to recover through economic reopening after the pandemic. However, the Russia – Ukraine war has significantly impacted the global market, from rising oil and food prices to inflation. The US Federal Reserve Bank (FED) and most central banks of other countries have implemented tightening monetary policies, increasing interest rates to fight inflation. As a result, economic growth is reduced, facing the risk of recession. In such a financial background, Vietnam’s economy is also significantly affected, especially in the banking industry. In 2022, the banking industry faced significant challenges of market liquidity shortage due to increased interest rates to curb inflation and stabilize exchange rates, as well as the effects of handling some violations related to corporate bonds. These challenges are a test of the stability of the corporate governance framework, the level of professionalism in risk management, and the quality of capital safety.

In the context of such vibrant economic development in recent years, many new risks have emerged from both outside and inside the economy. Risk management ability became more critical and necessary for Vietnam's commercial banks to overcome difficulties in such a global economic situation. Besides impacts from the global economy, Vietnam's commercial banks will face new challenges along with unknown threats from digital transformation activities or the opening of the post-Covid economy that allows foreign market penetration. With recent difficulties in the financial market, many banks have revealed weaknesses in risk control practices. Although there are many warnings by domestic and international experts and technical support projects about banking risk management issues, the outcomes did not meet expectations, which urged banks to enhance their risk management capabilities.

The issue of banking risks is always given special attention in research and analysis by banks in developed countries, even in a stable economic context. With such severe impacts from both outside and inside, banking activities face various risks, including credit, interest, liquidity, operational risks, and emerging risks. Credit risk is widely considered the most important one among the listed risks. In fact, 70 to 90 percent of Vietnamese banking income comes from credit activities, which explains why credit risk receives so much attention. Underestimating other types of risk management can lead to the consequence that, when there are significant fluctuations in the financial market, a series of banks fall into the risk of liquidity loss. Based on the existing challenges, operational risk deserves the most consideration and attention. Operational risks are the risk of loss due to causes such as people, incomplete or improper operation of processes, systems, and external objective events. Deficiencies in managing operational risks can cause serious financial or non-financial losses (reputation, legal obligations, etc.) for commercial banks. Therefore, rigidly controlling and managing risks in internal banking operations is essential in maintaining stability in bank operations against influences from the current economic context. Due to continuous policy changes for adaptation, commercial banks will inevitably have shortcomings in monitoring and ensuring the safety of internal banking operations. Many legal violations in banking activities occur due to poor performance in operational risk management. According to the Financial and Monetary Market Magazine in Vietnam, there have been violations related to corporate bond investment activities. This shows that operational risk management practice at Vietnamese commercial banks is still limited and must be adequately and professionally invested in and built.

Operational risk management should be enhanced and reformed reasonably and realistically in the context of world economic integration, modern technology applications, and the global financial crisis. However, up to now, only a few studies have researched this subject based on the current economic context, and it is more challenging to apply in practice. Besides, the Global Petro Sole Member Limited Commercial Bank (GPBank) operates on a small scale, with human resources and technology limitations. Although GPBank's operational risk management has been fully formed and meets basic requirements, the management practice must be implemented thoroughly and strictly. To be fully prepared to cope with the coming unexpected changes in the economy, suitable and professional strategies are necessary to improve operational risk management effectiveness in GPBank's operation. Based on the above, I chose the topic “Operational risk management at Global Petro Sole Member Limited Commercial Bank.”

Research objectives and research questions

The study aims to show the current state of GPBank's operational risk management, indicating limitations in managing methods and proposing solutions to improve the effectiveness of active risk management. With that target, the thesis will answer the following questions:

● What are operational risks at GPBank?

● How does GPBank perform operational risk management at the bank-wide level?

● What are solutions for GPBank to improve the efficiency of operational risk management?

Research subjects and research scope

The research will focus on the management of the headquarters department, which specializes in monitoring and handling operational risks. The Risk Management and Compliance division mainly supervises and manages risks arising from bank operations. For a realistic vision, the analysis will be limited to GPBank's operational risk management status from 2020 to 2022, because that period of time best reflects GPBank's risk management capacity when facing many substantial changes from external events.

Research Method

The research will analyze and evaluate GPBank's management quality in controlling operational risks using qualitative methods. Research data will be collected directly from annual reports and documents related to risk management policies, processes, and actual statistics stored and circulated at the Risk Management Department and GPBank.

Research contributions

By researching operational risk management at a specific commercial bank such as GPBank, the research can serve as a reference source for future research about operational risk management in particular and risk management at commercial banks in general. The study will illustrate a comprehensive vision of operational risk management at GPBank to convey its importance in maintaining and developing banks. Besides the literature contribution, the thesis will help GPBank detect weaknesses and deficiencies in its procedures and performance, serving the bank's plan of development in the future.

Structure of Thesis

Chapter 4: Research findings and recommendations

LITERATURE REVIEW

Operational risk in commercial banks

Commercial banks are financial intermediaries specializing in currency trading and banking activities for profit. Commercial banks' primary revenue is from lending activities, and the enormous cost of commercial banks is interest paid on customer deposits. Through these two main banking activities, commercial banks continuously create the majority of monetary circulation through banks. Furthermore, commercial banks also act as service providers with diverse financial services suitable for different needs. Commercial banks' activities are increasing in number along with the development of the economy and customers' demands. Every economic entity can be a bank customer: businesses, individuals, domestic and foreign investors. The diversification of numerous banking activities leads to the occurrence of different types of risks.

In every business, risk always goes along with profit; the greater the profit, the higher the risk. Risk basically exists in forecasting potential incidents that may happen and lead to adverse outcomes. A series of corporate disasters, catastrophic natural disasters, and man-made mistakes has increased organizations’ awareness of risk and its consequences. Notably, there are famous scandals such as the Enron scandal (2001), the Lehman Brothers scandal (2008), and, most recently, the collapse of Silicon Valley Bank (SVB) in 2023. In Vietnam, there have also been major scandals in the banking industry that caused serious damage, related to operational violations and fraudulent appropriation of assets, such as the scandal at Vietinbank in 2014, ACB Bank in 2012 and Ocean Bank in 2017. Many severe enterprise scandals highlighted the fact that “no economy, no company and industry is immune from financial scandals” (Mandala, 2018). As a result, the concept of risk and risk management becomes more crucial in organizational governance theory. The rising risk awareness leads to various risk definitions. The U.S. Securities and Exchange Commission defines risk in finance as “the degree of uncertainty and potential financial loss inherent in an investment decision”. The Economic Times described risk as “the future uncertainty about deviation from expected earnings or expected outcomes”. The definition of risk is also illustrated in studies in terms of the relationship between risk and business. In decision-making theory, risk is defined as “reflecting variation in the distribution of possible outcomes, their likelihoods, and their subjective values” (March & Shapira, 1987). Risk can be seen as a “potential problem” that results from making a particular decision (Charette, 1990). In process management, risk is integrated in business process models both at the overall process level and at the activity level. In the business process model context, risk is described as the probability with which an error will lead to (unwanted) consequences (Michael & Michael, 2005). The authors also provided a risk taxonomy in business process models in terms of build-time risks and run-time risks (Michael & Michael, 2005).

In the Vietnamese banking industry, risk is officially defined by the State Bank of Vietnam (SBV) through Circular No. 13 in 2018. According to Circular 13, risk refers to the potential losses (financial losses and non-financial losses) that reduce income and equity, leading to a decrease in capital adequacy ratio or hindering the ability to achieve business goals of commercial banks and foreign bank branches. In fact, banking risks can appear in every banking business, such as payment, credit, deposits, foreign currency, investment, etc., and can be classified into risk categories. Risks that commercial banks commonly meet during the operating process are credit risks, exchange risks, interest risks, liquidity risks, market risks, operational risks, etc. Commercial banks frequently face high-risk rates and highly profitable banking activities as they target profit. The material risks have been specified in Circular No. 13 of the State Bank of Vietnam: Regulations on internal control systems of commercial banks and foreign bank branches, including liquidity risk, credit risk, operational risk, market risk, and interest risk. Among these, operational risk is simply identified as the uncertainties when performing daily business activities, procedures, and systems, and does not include reputational and strategic risks (Segal, 2024).

2.1.2 Operational risk in commercial banks

In the corporate context, operational risk was previously introduced for businesses as one of the listed major risk categories. Operational risk is inherent in all banking activities, products, and services. Operational risk is the potential loss resulting from ineffective or failed internal processes, personnel, systems, or external events that impede business operations (Vicente, 2004). In other words, operational risk results from inadequacy in the management process, including ignored problems and control shortcomings. The risk describes internal issues that can lead to organizational breakdown and negatively impact the businesses’ income and reputation.

Within the banking industry, the term “operational risk” has recently been elevated and standardized as a distinct risk in the bank’s risk profiles by the Basel Committee on Banking Supervision (BCBS). Previously, operational risk was defined in a general and broad manner as non-financial risks. Since the global financial crisis of 2008, financial institutions have focused on improving risk control ability; however, they have failed in operational risk because of its complexity. In 2014, BCBS proposed amending the operational risk framework to have a more standardized approach to replace the past general indication. The BCBS’s working paper has defined operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or external events” (Basel Committee on Banking Supervision, 2001). Accordingly, operational risk captures business continuity plans, environmental risk, crisis management, process systems and operations risk, people-related risks and health and safety, and information technology risks. Significantly, the definition also indicates a clearer view of the scope of operational risk; strategic and reputational risks are not included. In detail, strategic risk refers to the loss arising from a bank's strategy decision, and reputational risk is reputation-related loss due to failure in banking operations or external events.

Moreover, due to the variety of meanings of operational risk, banks are allowed to self-define the term for internal purposes as long as they incorporate the essential components of the Committee's definition. According to the provisions of Clause 27, Article 2 of Circular 41/2016/TT-NHNN (effective from January 1, 2020) regulating capital adequacy ratios for banks and foreign bank branches, operational risk is due to inadequate or erroneous internal regulations, human factors, system errors, or failures due to external factors causing financial losses and negative non-financial impacts on the bank (including legal risks) (State Bank of Vietnam, 2016). Operational risk does not include reputation risk and strategic risk.

a) Characteristics

Based on the stated definition, operational risk is expressed based on four main elements: people, processes, systems, and external events. For commercial banks, operational risk is demonstrated through failure to meet these four criteria: human error, system failure, inadequate internal processes, and changes in the market. The human factors that cause operational risk include unintended working mistakes, illegal behaviors, insufficient staffing or training, or poor management. The operational risks related to systems cover IT system errors, data loss, and wireless disconnection that can impede the bank's daily financial activities. Risks arising from external events are difficult to control and detect because the events come from outside the banks, such as natural disasters and political events. Operational risks related to internal processes are stated to be the most challenging risk to identify and detect, as this requires strong commitment and willingness of management (Marija, 2013). The author indicated that the challenging point of this type of operational risk is due to the moral hazard problem. The global financial crisis of 2008 was the most obvious example of operational risk in internal processes. Charles Ferguson, the director of the documentary film “Inside Job,” believes that the root cause of the 2008 crisis was the removal of policies that controlled the industry's operations and the laxity in operations supported by Wall Street's "tycoons" that made banks accept trade risk for profit (Son, 2018). Therefore, the above operational risk drivers show that the characteristics of operational risk are hard to clarify for general identification and detection.

According to the Federal Deposit Insurance Corporation (FDIC), an independent agency created by the US Congress to maintain stability and public confidence in the nation’s financial system, each bank has its own recognition of operational risk characteristics, including size, sophistication, nature, and complexity, for internal management purposes (FDIC, 2019). Therefore, the risk features are illustrated differently based on the bank’s products and activities. Bank Negara Malaysia, the central bank of Malaysia, has described the characteristics of operational risk as idiosyncratic, multifarious, fat-tailed in distribution, and difficult to model (Bank Negara Malaysia, 2019) (Figure 2.1).

Figure 2.1 Characteristics of Operational Risk

Source: Financial Stability Review – Second Half 2019 – Bank Negara Malaysia

b) Classification

Operational risk is inherent in all parts of the bank's operation, from the personnel to the system. Therefore, the presence of operational risks becomes highly varied, for example, human error, fraud, cybersecurity events, system breakdowns, or pandemics. Significantly, the BCBS has classified the seven major types of operational risk events: internal fraud; external fraud; employment practices and workplace safety; clients, products, and business practices; damage to physical assets; business disruption and system failures; and execution, delivery, and process management (FDIC, 2019) (Figure 2.2).

Figure 2.2 Loss event types and Examples

Source: Federal Deposit Insurance Corporation (FDIC): Operational Risk Management:

Cschlatter (2023) has listed the top five emerging risks for banks in 2024 that should be of concern, such as cybersecurity threats, technological disruptions, regulatory compliance, and talent management (CSchlatter, 2023). Among the top operational risks, cybersecurity threats remain the top concern for enterprises due to fast-changing digital transformation. Cyber risks have substantially impacted many fields, especially the financial and banking sectors. In the context of the Fourth Industrial Revolution (Industry 4.0), developing business activities with digital products and services has become a critical factor in improving the banks’ competitiveness. The opportunities and profits from digital transformation go along with potential threats and technology-related risks. Based on the top 10 operational risks survey with benchmarking from Risk.net, cyber risks have been divided into two subcategories: information security and IT disruption. Information security has become the top fear across the financial sector, standing in the top spot for operational risks in the 2023 Risk.net survey (Clancy, 2023). Cyber risks are difficult to distinguish due to the variety of forms of cyber-attacks on financial institutions' IT systems, such as ransomware attacks and phishing attacks through emails or links, which cause severe illegal IT system intrusions leading to data leakages and financial losses. James Yates, a chief executive officer at asset manager Shard Capital, believes that the explosion of artificial intelligence and technology available to imitate voice and image increases the difficulty of fighting cyber criminals (Clancy, 2023). The National Vulnerability Database shows that the level of cybersecurity vulnerability at financial institutions globally has continuously increased over the years (Figure 2.3). The number of illegal intrusion cases globally in the economic and banking sectors also tends to increase (Figure 2.4). Cyber-attacks can cause data breach, data loss, financial losses, reputation collapse and even business disruption for any firm, especially firms in financial market infrastructure.

Figure 2.3 Vulnerability level of cyber security in the world

Figure 2.4 Number of cyber-attacks in the banking and finance sector globally

Operational risk management in commercial banks

2.2.1 Risk management in commercial banks

Risk management is a crucial process based on a combination of probability theory and risk theory. Harvard Business Insights defined risk management as the systematic process of identifying, assessing, and mitigating threats or uncertainties to an organization's capital, earnings, and operations (Gibson, 2023). Raghavan (2003) states that risk management is proactive action in the present for the future (Raghavan, 2003). Put simply, risk management involves controlling change before it becomes a problem. Risk management also covers the relationship between various business risks and the potential domino effect they may have on an organization's strategic objectives (Tucci, 2023). A risk management program emphasizes anticipating and understanding risk across an organization. The performance of risk management does not aim at eliminating risk but at preserving value and choosing risks worth taking. In particular, banks are “risk machines” as they take risks, transform them, and embed them in products and services (Bessis, 2015). Therefore, the risk management concept is implemented bank-wide and across all business lines.

According to the State Bank of Vietnam, banking risk management practices should follow the basic principles:

● The principle of risk acceptance: Bank managers need to accept risk at an acceptable level if they hope to receive appropriate income from their professional activities. The risk prevention strategy needs to be built after having risk level assessments in specific businesses. Thus, the first principle of risk management is to identify the allowance risks. Accepting the level and type of banking risks is essential for regulating their adverse effects in risk management.

● The principle of permissible risk management: The principle requires that the majority of risks in the “allowance risks package” must be able to be regulated in the management process, regardless of its objective and subjective circumstances. With only these types of risk, the banks can use all their capabilities to adjust. Risks that cannot be adjusted must be transferred to the insurance companies.

● The principle of independent management of separate risks: The risks are separate and independent. Therefore, the loss caused by a specific type of risk in the “allowance risks package” is not associated with the possibility of the appearance of other risks. Due to its independent nature, each type of risk needs to be managed and regulated separately.

● The principle of compatibility between the allowable level of risk and income level is the foundation of the risk management theory. The banks are only allowed to accept levels of risk which must not be higher than appropriate income levels. That means all types of risks with higher-than-expected return levels must be eliminated.

● The principle of compatibility between the level of allowed risk and financial capacity: The value of losses that the bank expects from the risks must be consistent with the amount of capital the bank can set aside for losses when they occur. When risk occurs, it leads to loss of income, reducing the bank's profit potential and future development pace. Therefore, the value of losses must be consistent with the bank's reserve capital level. The bank must determine the appropriate (forecast) level, including risks that cannot be transferred to partners or outside insurance companies.

● The principle of economic efficiency: The primary purpose of banking risk management is to regulate the adverse effects of risks when they occur. Along with this, the bank's cost of regulation must be lower than the value of losses due to bank risks that are likely to occur and even at the highest level when they occur.

● The principle of the rationality of time: The longer the existence of a banking operation, the greater the margin of risk, the ability to regulate its harmful effects, and the lower the economics of risk management. When these operations are required, the bank must ensure a necessary level of additional income not only for profit but also to offset costs to regulate the impact of risks in the market if they happen.

● The principles of suitability with the bank's overall strategy: The risk management system needs to be based on the general criteria of the bank's development strategy as well as the policies governing each separate activity of the bank

● The principle of the transfer of all disallowed types of risk: This principle requires that the types of risks included in the "allowable risk package" must have high probability/transversality. Types of risks incompatible with the bank's ability to regulate negative consequences when they occur or are inconsistent with the specific requirements of the bank's operating strategy and operating policies should be removed from the “allowable risk package.” In other words, they are only included when there is a high likelihood of transfer to external partners or insurance companies.

Banks can build their separate banking risk management policy based on the above nine principles. Risk management must be considered part of the banks’ general operating strategies. Furthermore, the risk management process requires a remote prevention system and solutions for regulating pessimistic impacts on the bank’s financial condition.

a) Risk management model: The Three Lines of Defense model

The Three Lines of Defense model has been mentioned multiple times in the documentation of the Basel Committee, the Bank for International Settlements (BIS), and the Institute of Internal Auditors (IIA). In fact, the concept of the three lines of defense was initially developed by the IIA in 2013 (IIA, 2013) (Figure 2.5). It is now the most widely used standard for allocating control and risk management duties to an organization's business functions. The model helps to improve the banks’ corporate governance in the duties of risk management by classifying the participation of all members of the banking system into three different lines. It also ensures that all banking business risks are identified, controlled, and mitigated. The degree of formality involved in implementing these three lines of defense will vary depending on the bank's nature, size, complexity, and risk profile of its operations.

Figure 2.5 The Three Lines of Defense Model

Source: The Three Lines of Defense Model in IIA Position Paper in 2013

● The first line of defense: Risk management in management controls and internal control measures at direct business units such as branches, business units, customer specialists, and operating units at headquarters

RESEARCH METHODOLOGY

Research Methodology

The primary objective of the thesis is to research and analyze the current situation of operational risk management at GPBank, a commercial bank in Vietnam with a small business scale and 100% state-owned capital, and to make recommendations for improving the bank's existing difficulties and shortages. The thesis also demonstrates the general circumstance of operational risk management performance at small-scale commercial banks in Vietnam, and whether operational risk management is fully implemented and complies with the government's regulations. In times of economic turmoil, risk management becomes an extremely important topic for commercial banks to operate stably and be able to respond to external impacts. Among the material risks frequently mentioned in research articles, such as credit risk or liquidity risk, operational risk needs more attention in the current economic context. In the time of adopting new technology and transforming business methods in banks, new kinds of operational risk will appear, which emphasizes the importance of banks' risk management capabilities. Therefore, operational risk management is chosen as the main topic for the thesis. During the research process, the targeted research object is one of the small-scale banks under the State Bank's management that needs special attention. Some of those banks have been transferred to large banks for restructuring. GPBank is fortunate to be transferred to carry out restructuring in the future. Therefore, GPBank is considered a suitable subject to be researched. The research methodology is chosen based on the research subject and objectives. The research aims at one specific subject, GPBank, and one ultimate research purpose, which is to evaluate GPBank's operational risk management performance. Based on the bank scale and the amount of data that can be analyzed, the thesis will be conducted using the qualitative research method to be able to make statements and assessments most objectively and not only by theory but also by practical experiences. The research method will go through the following stages: collecting data, analyzing data, evaluating the analyzed results, and ultimately giving recommendations (Figure 3.1).

Figure 3.1 The Research Methodology Process

Data collection

The data was collected from various sources consisting of clearly verified internal and external information. In particular, the data was collected from GPBank's current regulations, processes, policies, and periodic reports (annual reports, 6-month reports, monthly reports) on the Bank’s operational risk management performance. Additionally, the research had access to external sources, from official articles, blogs, topics, and financial websites on Vietnam's commercial banks to guidelines and documentation of the Basel Committee, relevant research about foreign banks, and international articles and websites. Besides, the research scope will be limited to the period of the most recent three years, from 2020 to 2022. The time from 2020 to 2022 is said to be the most volatile time for the economy in general and the banking industry in particular due to the onset of the pandemic in 2020.

In addition, the qualitative nature of the research was demonstrated through in-depth interviews with 14 employees with years of experience at GPBank from the Risk Management and Compliance division. The interviews were semi-structured, with 7 questions in 20 minutes. The interviewees are 14 employees of the Risk Management Department. The subjects selected for the interview are people who have worked at GPBank for years and have years of experience in risk management. The questions focus on operational risk management in GPBank during the period 2020-2022.

[Text recovered from Figure 3.1:]

• Operational risk/operational risk management theory and reality situation in

• GPBank’s operational risk management regulations and policy

• Analyzing GPBank’s actual performance through the Bank’s records

• Implementing in-depth interviews with GPBank’s staff from Risk

• Indicating achievements and limitations in GPBank’s operational risk management performance

• Giving evaluations on the finding results comprehensively

• Giving solutions and recommendations for GPBank

• Giving recommendations for the SBV and governments

Data analysis

The data analysis will cover the following contents:

- Analysis of the operational risk management performance at GPBank through GPBank’s operational risk management framework, procedure, and policy with relevant annual/monthly/daily reports, statistics, and indications

- Analysis of GPBank’s employees’ perspectives regarding the practical experience of operational risk management implementation at GPBank through an in-depth interview

With the collected statistics, the data will be processed using Excel and synthesized using tables, charts, and diagrams to provide the most objective view. The research conducted 14 interviews with selected participants to gain an intuitive view of the actual situation of the bank's current risk management method and, from there, to draw out the strengths and difficulties in the management method based on the participants’ working experiences. All responses from interviewees are personal and subjective. Therefore, to ensure the confidentiality and privacy of the participants, the names of the interviewees will be coded, specifically from P1 to P15 (Appendix A).

RESEARCH FINDINGS AND RECOMMENDATIONS

GPBank - Global Petro Sole Member Limited Commercial Bank

● Company name: Global Petro Sole Member Limited Commercial Bank

● Website: www.g-bank.com.vn

Global Petroleum Commercial Joint Stock Bank (GP.Bank), formerly known as Ninh Binh Rural Commercial Joint Stock Bank, was established in late 1993 to receive deposits and lend to farmers in Ninh Binh province.

On November 7, 2005, Ninh Binh Rural Commercial Joint Stock Bank was officially transformed into an Urban Joint Stock Bank, operating in Hanoi, and renamed Global Petroleum Commercial Joint Stock Bank (GPBank). GPBank's headquarters is located at 109 Tran Hung Dao, Hoan Kiem District, Hanoi. On July 7, 2015, Global Petroleum Commercial Joint Stock Bank officially transformed its operating model into Global Petroleum Single Member Limited Liability Commercial Bank. In just about 17 years, from 1993 to 2010, GPBank had a remarkable development, with charter capital growing from 300 billion VND to 3018 billion VND, which continued to increase in the following years. Currently, GPBank is a bank 100% owned by the government. At present, GPBank has full capabilities to serve and provide professional products and services that meet customers’ basic demands with a widespread network system, a variety of products and services, qualified personnel, and modern technology as follows:

GPBank's business network is constantly expanding with 01 Head Office, nearly 80 branches/transaction offices/savings funds nationwide, and a team of more than 1,400 professionally trained employees. The head office is located at No. 109 Tran Hung Dao, Hoan Kiem District, Hanoi.

GPBank provides a full range of international financial and banking services such as savings - deposits, guaranteed credit, international payments, financial services - study abroad, foreign currency trading, card services, money transfer services, Internet Banking services, Mobile Banking and many other banking services based on advanced technology platforms to maximize customer benefits.

● Demand deposit: standard demand deposit, graduated interest rate according to balance

● Time deposit: standard time deposit, ladder interest rate according to deposit balance, intelligent savings, flexible terms, accumulated savings, floating interest rate, and super floating interest rate

● Other forms of savings: Current deposits, remittance savings deposits, promissory notes, certificates of deposit

● Short-term, medium, and long-term loans in VND and foreign currencies

● Loans for repair, construction & home purchase

● Loans to support individual businesses

● Loans to mortgage savings books and valuable documents

● Loans to GPBank employees & organizations

- Payment deposit account: Western Union fast money transfer service, Money transfer service

- Other products and services for individual customers: Receive and pay savings deposits and valuable papers at home; Asset deposit, safe locker rental, financial leasing;

● Limited lending: Credit limit, reserve credit limit, overdraft limit

● One-time loans and installment loans; loan customers decide the interest rate

● Lending capital to purchase fixed assets

● Export payment:
   o Export letter of credit (L/C) service: Confirmation of export L/C / L/C notification and L/C amendment (if any); Transfer and payment of export L/C
   o Export Collection Service

● Import payment:
   o Import collection service
   o Import L/C service: Open L/C / Amend L/C / Cancel L/C; Issue guarantee / Authorization to receive goods according to L/C / Endorsement of bill of lading; Confirmation and payment of import L/C

● Payment deposit account: Organizational deposit account, individual deposit account, deposit account of co-account holders

● Demand and term deposit accounts and deposit products: savings, promissory notes, bonds, certificates of deposit, etc.

● Other deposit accounts: Cheque account, money transfer account, loan account, etc.

- Foreign currency trading: Buy/Sell spot (SPOT), forward (FORWARD) foreign currency, swap (SWAP), option (Option) foreign currency

● Current deposits - Stepped interest rate

● Investment deposits with flexible principal withdrawal

- E-Bank: Internet Banking, GP.Ecom; GP.SMS

● Receive demand and term deposits from economic organizations and residents in VND and foreign currencies

● Receive savings deposits in diverse and attractive forms: Non-term and term savings in VND and foreign currencies, Step-up savings, Wealth-building savings, and Flexible principal withdrawal savings

● Short-term, medium, and long-term loans in VND and foreign currencies, overdraft loans

● Co-financing and syndicated loans for projects

● Direct payment loans to serve the production of small and medium enterprises

● Joint venture capital contribution, association with credit institutions and financial institutions domestically and internationally

● Investing in capital markets and domestic and international currency markets

● International guarantee: Guarantee for purchasing goods on deferred payment/foreign loan; Guarantee for participation in bidding; Guarantee for contract performance; Guarantee for deposit; Guarantee for delivery and receipt of goods; and other forms of guarantee

● Issuing and paying import letters of credit; Notification, confirmation, and payment of import letters of credit

● Collection of import and export (Collection), Sight draft collection (D/P), and acceptance draft collection (D/A)

● Domestic and international money transfers

● Western Union quick money transfer

● Payment of authorized receipts, authorized payments, and checks

● Paying salaries to businesses via accounts and ATMs

● Buy and sell foreign currency (Spot, Forward, Swap, etc.); Buy and sell valuable documents (government bonds, treasury bills, commercial papers, etc.)

● Collect and pay cash in VND and foreign currency. Rent safes; Store and preserve gold, silver, gems, valuable papers, and patents

● Issuing and paying domestic credit cards and international credit cards

● Services of ATM cards, cash cards, linked cards; Internet Banking, SMS Banking, GP.Ecom

● Fast interbank transfer via card number 24/7 on Internet Banking and at transaction counters

● Deposit money into e-wallets such as Shoppe Pay, Viettel Pay, Zalo Pay, and MoMo through the Napas payment gateway to shop for goods and pay for utility services such as phone top-ups, utility bill payments, interbank transfers, and purchases of movie tickets, airline tickets, etc.

● Brokerage, proprietary trading, underwriting, portfolio management, investment and financial consulting

● Receive, manage, and exploit foreclosed assets through Debt Management and Asset Exploitation Company

GPBank pays great attention to attracting and building new human resources, focusing on gathering young people with formal university training and experienced staff from the banking sector. Over 97% of GPBank's employees have university or postgraduate degrees and are proficient in professional skills.

Modernizing the Information Technology system is one of GPBank's top priorities to increase competitiveness and bring customers top banking services and utilities. GPBank is one of the first banks to successfully apply the T24 Core Banking System (Core Banking) software from the Swiss company Temenos, which can process over 10,000 transactions per second. Currently, GPBank is upgrading the core banking software T24 to version R9. The latest version, T24-R9, helps the Bank optimize operational processes while maintaining integrity and flexibility to changes in the business.

b) Mission and values

GPBank aims to become a multi-functional, well-performing, and reliable retail bank. Accordingly, GPBank has clarified its business strategies: building financial strength, promoting sustainable growth, and making safe and effective business investments; creating and developing a world-class risk management system; modernizing the IT system; and building highly competent and professional human resources. With the slogan “New trust, New value,” GPBank wants to maintain its core values, including customer orientation, honesty, integrity and professional ethics, solidarity and respect, dynamism, creativity, professionalism, transparency and modernity, brand building and protection, and sustainable development coupled with social responsibility.

c) Organizational Structure

GPBank’s operational risk management performance

Figure 4.2 GPBank's Operational Risk Management Framework

- Board of Members (BoM): issues the operational risk management framework and risk management policy.

- Risk Management Committee: assists and advises the Board of Members in approving and promulgating the risk management policy and operational risk management framework. The Committee works as an advisory committee that gives proposals for supervising the CEO in accomplishing its duties.

- Personnel Committee: advises on the scale and structure of the Board of Members and resolves arising human resources problems relating to member positions in the Board of Members, the Board of Supervisors, and the CEO. The council is also responsible for advising on human resource policies.

- Risk Council: advises the General Director on supervising individuals and units in implementing policies, risk limits, and instructions from the Board of Members.

- Chief executive officer (CEO): issues the operational risk management procedure, amendments, and supplements; directs and approves proposals to handle and troubleshoot serious operational risk incidents arising from units; operates and builds the operational risk management culture in the whole banking system; approves the operational risk limits applicable in each period; and performs other related tasks.

- The three lines of defense in GPBank:

● The first line of defense is Branches and Units at the Headquarters that directly do business/perform operations (not including the Risk Management and Compliance Division).

The function of the first line of defense is to actively identify, control, and mitigate operational risks while performing business transactions or daily work tasks. Departments in the first line coordinate with relevant departments to handle and overcome operational risk incidents, and report in a timely manner to the Risk Management department when severe operational risk incidents cause widespread impacts.

● The second line of defense is the Risk Management and Compliance Division (Risk Management department, Internal Control department, Legal and Compliance department, and Policy department).

The mission of the second line of defense is to develop the risk management policy and internal operational risk management regulations, measure and monitor risks at the whole-bank level, and comply with the provisions of law. Notably, the Risk Management Department acts as the focal point and intermediary working with the first line of defense, departments in the same line, and the third line of defense, and reporting to senior leaders. Specifically, the department receives and processes operational risk reports from the first line and coordinates with departments in the same line to monitor units' compliance with allowed operational risk limits and issue warnings if there are any violations. In addition, the department is responsible for developing and reviewing policies, regulations, processes, relevant risk lists, and operational risk limits; implementing the operational risk management culture; and many other related functions. The staffing allocation for the Risk Management department is 15 people, including 1 Head of department and 2 Deputy managers.

● The third line of defense is Internal Audit.

The third line is responsible for internal auditing through the process of exchanging information relevant to operational risk management and detecting operational risk incidents.

GPBank has organized its risk management apparatus according to the three-line-of-defense model, in which the Risk Management and Compliance Division is identified as the unit that plays an extremely important role in the risk management of the entire bank.

Figure 4.3 GPBank's operational risk management procedure in Three lines of defense

4.2.2 GPBank’s operational risk management procedure

GPBank implements operational risk management following the four steps in detail according to GPBank’s regulation of operational risk framework and procedures:

Figure 4.4 GPBank's operational risk management procedure

Figure 4.5 Self-identifying operational risks and assessing material operational risk procedure

The initial step, identification, determines potential and existing operational risks at GPBank, their causes, and the extent of the impact on the bank's business activities. Units in the first line of defense (branches and direct business units at the Head Office) are primarily responsible for identifying operational risks. Following the principles of identification and operational risk management set out by the State Bank, GPBank identifies operational risks in all products, business activities, business processes, information technology systems, and other management systems. The risk identification must contain the following: types of operational risk incidents, businesses that incur operational risks, and responsible individuals and units. GPBank identifies operational risks through the following tools:

• Results of review and analysis of all related tasks/work at the Unit and operational risks as the Unit itself discovered/self-identified possible risks;

• Findings of internal audit and independent audit, internal control inspection, and findings from Remote Monitoring of Departments/ Departments/ Professional Centers at Head Office (HO) for the Units' operations

• Internal and external operational risk incidents (ORIs) from official violation warning letters from the State Bank of Vietnam/General Director; violations information from external official sources on operational risks; violations from other credit institutions

Units of the first line of defense carry out operational risk identification according to two processes: the process of identifying operational risk incidents arising at the unit, and the process of self-identifying operational risks and assessing material operational risks. Self-identifying and assessing significant operational risks serves to continuously update operational risks arising inside and outside the bank for the whole system. Accordingly, GPBank has built a List of material operational risks for the entire bank to support the Units in identifying potential risks and providing appropriate control measures. Units rate intrinsic risks based on the severity and frequency of occurrence of operational risks. To support the Units in reporting, GPBank has established a set of indicators on the severity and frequency of operational risks (Tables 4.1 and 4.2). Operational risks rated at medium, high, and very high levels are considered material operational risks. The results are listed in the List of material operational risks of the entire bank, which is announced by the CEO. The list covers the three-level material operational risks, their causes, and the corresponding control measures.

Table 4.1 The risk severity level criteria

| Level | Severity rank | Criteria |
|---|---|---|
| 5 | Very high | Likely to cause a financial loss of over 100 million VND or equivalent foreign currency |
| 4 | High | Likely to cause financial loss from 50 million VND to 100 million VND or equivalent foreign currency |
| 3 | Medium | Likely to cause financial loss from 5 million VND to 50 million VND or equivalent foreign currency |
| 2 | Low | Likely to cause financial loss from 1 million VND to 5 million VND or equivalent foreign currency |
| 1 | Very Low | Likely to cause financial loss of less than 1 million VND or equivalent foreign currency |

Table 4.2 The frequency of operational risk occurrence criteria

| Level | The occurrence frequency rank | Quantitative criteria | Qualitative criteria |
|---|---|---|---|
| 5 | Very high | Occur once a week | Very high occurrence possibility |
| 4 | High | Occur once a month | High occurrence possibility |
| 3 | Medium | Occur once a quarter | Medium occurrence possibility |
| 2 | Low | Occur once a year | Low occurrence possibility |
| 1 | Very Low | Occur once in more than 1 year | |

Operational risks are identified based on GPBank’s operational risk category (Table 4.3). The category lists the 08 cases of operational risk, which are considered operational risk Level 1. GPBank's operational risk portfolio is classified following the State Bank of Vietnam as well as Basel. As soon as operational risk incidents are detected, Units must proactively and quickly implement remedies and mitigate the arising losses, and determine the cause, level of loss/severity, and frequency of the detected risks. In case of severe operational risk incidents, individuals/units must report to the Unit's leaders or to the Head Office departments in the role of professional management. Severe operational risk incidents must be reported to the Risk Management department within 02 working days from the detection day for recording and system-wide warning. For non-severe operational risk incidents from the unit's self-detection and from the Conclusions/Reports/Minutes of the Inspection/Audit Team, the summary report after identification and review must be sent to the Risk Management department on the 25th of the month.

Table 4.3 GPBank’s operational risk category

| No. | Operational risk | Description |
|---|---|---|
| 1 | | Due to acts of fraud, appropriation of assets, violations of strategies, policies and internal regulations related to at least one individual of the Bank (including acts not in accordance with responsibilities, duties, violations of authority, theft, taking advantage of internal information for personal gain) |
| 2 | | Due to acts of fraud and property appropriation committed by external parties without the assistance or collusion of individuals or departments of the Bank (including acts of theft, robbery, forgery of cards and bank documents, and infiltrating information technology systems to appropriate data and money) |
| 3 | Labor and workplace safety policies | Non-compliance with the labor contract, provisions of labor law, and health and safety protection in the workplace |
| 4 | Customers, product supply processes and product characteristics | Unintentional violations of regulations related to customers, product supply processes, and product characteristics when performing assigned functions and tasks according to customer authority (including violations of information security and confidential information, violations of anti-money laundering regulations, and providing illegal products) |
| 5 | Damage, loss of property, tools and equipment | Due to events of force majeure, human impacts and other events |
| 6 | Business interruption | Due to technology system, information crash |
| 7 | Limitations and inadequacies in the transaction process | Due to limitations in transaction control and management |
| 8 | Other operational risk | Due to the customer's unintentional violation/failure to comply with commitments and obligations to GPBank |

Research findings

Operational risk management is built, implemented, and maintained in accordance with the nature, scale, and level of operational risk of GPBank and ensures compliance with the regulations of the State Bank of Vietnam and the law. The four critical steps in the procedure of managing operational risk are accomplished adequately. In general, the units/departments/centers have fully performed their assigned functions and tasks, with reports regarding operational risk management updated regularly and on time. GPBank has built a risk management framework, processes, regulations, and policies related to the bank's risk management and operational risk management based on Circular 13 of the State Bank of Vietnam (SBV) regulating internal control of commercial banks/foreign bank branches and Circular 41 of the SBV on capital adequacy ratio regulations.

Following Basel, GPBank has successfully built an organizational structure to implement risk management by applying the 3-line-of-defense model, a model considered a safety standard in management and recommended internationally. The tasks and responsibilities of each line are clearly and reasonably allocated to increase connectivity and coordination between units in management work. The Risk Management and Compliance Division has adequately performed its role as an intermediary department in coordinating and reporting work tasks related to operational risks in accordance with GPBank's operational risk management model. The operating framework and processes are set out explicitly and in detail, including the general work tasks and the departments’ functions and duties, to help the management procedure run smoothly and effectively. Besides, GPBank establishes an appropriate operational risk management culture to convey to all individuals their roles and responsibilities for operational risk management and to enhance the spirit of implementing operational risk management in performing operations.

Implementing GPBank's operational risk management still faces many limitations and difficulties given the Bank's current business situation. Based on the analysis of GPBank's operational risk management performance from 2020 to 2022, the majority of limitations and difficulties lie in applying operational risk management procedures involving human resources and the IT system.

Firstly, GPBank still has significant limitations in human resources and personnel quality. As a small-scale bank, its human resources are limited in line with the bank’s capital, which means employees are required to multitask and departments are in charge of large amounts of work. Multitasking raises the possibility of errors in the working process, leading to increased operational risk incidents. Based on the bank's business performance, the turnover rate is relatively high, leaving units short of human resources and reducing work quality. This can be considered the main cause of operational risk incidents at GPBank. Besides, operational risk management is significantly affected when inexperienced personnel are inadequate in monitoring and controlling operational risks as they arise. This is most clearly shown in the most crucial department in the operational risk management structure, the Risk Management department. Reviewing the assigned functions and tasks against the staff numbers, this department is extremely short of human resources. The Risk Management Department currently manages all types of risks arising at GPBank and does not have enough employees to establish specialized departments for material risks, including operational risks. Accordingly, the employees, including inexperienced ones, have to multitask in the risk management work. This probably leads to looseness and inadequacy in management work. Notably, the department is currently not capable of developing and advancing the bank's risk management procedure, especially in risk measurement work, due to shortages of professional personnel.

Secondly, the information technology system is the most challenging problem for GPBank. Currently, GPBank's information technology system is too old and outdated. GPBank has only been approved by the State Bank of Vietnam to upgrade and repair some urgent items of the IT system to ensure the Bank's daily operations. GPBank's database system is still very lacking, is not synchronized, and does not meet the requirements for building risk measurement models for loss measurement. GPBank does not have the resources to deploy operational risk management software. Currently, reports still have to be done manually. During operation, the T24 system, which has not been upgraded, still has uncontrolled incidents whose cause cannot be determined. System security is not guaranteed, because there is no SIEM system to give early warning of cyber-attack incidents. GPBank does not have a plan to maintain continuous operations in case the IT system fails, because there is no backup system or central disaster backup data. Even though Corebank's data is backed up to devices outside the data center, there is no backup equipment infrastructure, so restoring operations if the data center has a problem is impossible. In today's challenging conditions, GPBank can only meet the minimum requirements of Circular 13 of the SBV regarding methods and tools to identify, measure, monitor, and control risks based on existing resources.

Thirdly, the operational risk-measuring tools applied at GPBank are still simple and not very effective compared to those of large-scale banks. Up to now, GPBank has only been able to deploy 2 out of 6 measurement tools according to the regulations of the State Bank of Vietnam, which are Audit findings and Internal and external loss data collection. In fact, most larger banks, such as Vietinbank and Agribank, have applied more appropriate measurement tools to increase the effectiveness of operational risk measurement. Combining such quantitative and qualitative tools can raise the level of verification of operational risk measurement results. Although GPBank has collected quantitative results from measuring the level of risk and loss through Audit findings and Internal and external data collection, the measurement results are limited and not highly reliable because the tools are applied independently.

Last but not least, reports at GPBank are still being processed and stored manually due to database limitations. According to GPBank's regulations, units must regularly produce a large number of reports related to risk management work. Producing reports takes a lot of time and effort, especially for departments that synthesize data and report to senior leaders, such as the Risk Management department. Accordingly, the effectiveness of risk management, such as operational risk management, is not guaranteed in terms of progress or quality.

Recommendations

The analysis of the current state of operational risk management at GPBank has revealed limitations such as a lack of personnel, no specialized personnel in risk management, an inadequate information technology system and database, impractical operational risk management tools and methods, and manual reporting methods. To address the limitations that GPBank is facing, the following recommendations are made based on the actual business situation of GPBank.

Regarding human resources, GPBank should prioritize personnel quality, which requires less financial investment, rather than focusing on the shortage of human resources. GPBank can take advantage of existing human resources to open internal training courses on risk management and material risk management for new employees, taught by experienced senior leaders. This increases the personnel's understanding of risk management and the quality of work. Such training courses have been implemented successfully at some large banks such as Vietcombank. According to the Vietcombank Digital News, Vietcombank successfully organized training courses on operational risk management in 2023 for all employees to enhance awareness of operational risk prevention and avoid financial losses and legal issues affecting Vietcombank's reputation. Regarding the lack of personnel in critical operational departments such as Risk Management, banks can consider department expansion and restructuring only after receiving capital support. GPBank should also review the criteria for evaluating employees based on error frequency and strictly take corrective measures to raise employee awareness in compliance work. On the other hand, GPBank should focus on developing the personnel quality of the Information Technology division, such as by providing relevant professional training courses and recruiting additional IT technical employees. To address the shortage of human resources, GPBank needs to create a healthy working environment, a young organizational culture, reasonable remuneration, and related communication work to improve business reputation and attract talent.

Regarding the IT system, in the present business situation the bank can only meet the basic requirements of current daily activities. However, within the Bank's current capacity, the information technology system needs to be continuously maintained and upgraded to temporarily keep operational risks from rising.

Regarding the operational risk measurement tools, leading banks are adopting data-driven risk measurement and shifting detection tools from subjective control assessments to real-time monitoring. Potential applications of analytics are being used to renovate operational risk detection and measurement (McKinsey & Company, 2020). At present, GPBank still follows the old method of subjective assessments. To advance risk management quality, GPBank should establish a group in charge of researching and building risk measurement tools such as key risk indicators (KRIs). A KRI is a predictive index of current or future risks that is observable or measurable and provides early indicators of increased risk or developing hazards in different areas of the business (Effective risk management solutions for businesses, 2020, Integrated Business Electronic Magazine). Combining qualitative and quantitative indicators will collect more value for loss databases.

Regarding the reporting system, GPBank can consider advancing the bank’s database and using data analysis tools such as SQL to increase data usage efficiency. Synthesizing and handling data will be more accurate with support from analysis tools. This recommendation is for reference, as it requires significant financial investment for training employees and building systems.

In the process of digital transformation in general, and especially in the rapidly developing digital payment context, credit institutions, including GPBank, are also facing many new forms of operational risk. The direction and support of the State Bank play an extremely important role for banks like GPBank in the current context. Specifically, new criminal methods and tricks that impact operational safety can be updated and warned about regularly and promptly to prevent risks and enhance operational safety. Moreover, banks will need specialists to manage new specific risk types as digitization progresses. To create favorable conditions for banks like GPBank to develop, training programs in risk management to enhance expertise are extremely necessary.

Activities in the domestic and foreign business environment are full of fluctuations, along with adverse changes in natural factors that impact all activities of commercial banks. The current economic context requires increased attention to risk management in banking operations, which must be identified as one of the critical tasks in the banking development process. Furthermore, operational risk management has become even more urgent for banks after the Covid-19 pandemic because of the global economic recession and political upheavals. Understanding the importance of operational risk management in coping with unpredictable external fluctuations, the thesis aims to provide a perspective on the current state of operational risk management at a developing small-scale Vietnamese commercial bank, GPBank. From there, it indicates the strengths and weaknesses in the bank's risk management in general and operational risk management in particular. Especially with the economy in the recovery phase after the pandemic, banks need to be equipped to respond to risks from external impacts and maintain stable operations.

CONCLUSION

Discussion

Based on the above research findings, the thesis has identified the concepts of risk management, operational risk management, and related concepts. In addition, the thesis clearly shows the current status of operational risk management at GPBank through subjective and objective perspectives. Specifically, the thesis has provided the most comprehensive view of the current status of operational risk management at GPBank, from the management framework, management process, and operational risk reporting to the perspective of the insiders who directly perform management work. In general, operational risk management at GPBank has been performed adequately and stably in the past three years (2020 - 2022). Operational risk management steps are fully and meticulously implemented by the entire bank. Operational risks that arise are still within the "allowable risk package" and do not violate any risk limits following the State Bank's principles on risk management.

Based on the principles set by Basel for implementing operational risk management, GPBank's operational risk management system can be regarded as responsive, including building distinct procedures and regulations for operational risks, implementing a consistent risk management strategy across the entire bank, and establishing adequate internal information flow. GPBank's processes, regulations, and operational risk management framework are fully developed and comply with the regulations of the State Bank and the laws of Vietnam. The three-line-of-defense model at GPBank is similar to that of other commercial banks. Therefore, GPBank's operational risk management model is basically no different from other commercial banks. However, the findings revealed that GPBank's operational risk management has only fulfilled the requirements set out by the State Bank of Vietnam at the primary level and has not been able to approach Basel's capital standards. Due to limitations in capital and human resources, GPBank's measurement tools are quite simple, subjective, and not highly authentic compared to large banks such as Vietinbank or MSB. Correspondingly, control measures are still loose and inconsistent. Compared with Vietcombank's internal training programs on operational risk management, the establishment of GPBank's operational risk management culture is still elementary and ineffective, which has resulted in GPBank's operational risk incidents. Besides, the findings also show that information technology limitations are the biggest problem causing GPBank's operating disruption and also the biggest obstacle to GPBank's development during the period of the digital transformation explosion. Currently, GPBank cannot meet the requirements of building separate software for risk management like MSB, and all relevant work tasks are still being executed semi-manually. The findings emphasized that GPBank's current competence cannot confront cyber attacks and new emerging risks when there is no backup plan for the IT system. Furthermore, the outdated IT system inhibits the bank’s capability to improve and develop its risk management model.

The given recommendations emphasized leveraging GPBank's existing resources to maintain and improve operational risk management effectiveness based on the bank's current context In other words, the recommendations focus on GPBank's current capability and can be used as a reference when there is a restructuring plan in the future.

Research contributions

For GPBank, the research becomes a useful reference source for bank improvement and development. The analysis results have shown strengths and weaknesses that need to be improved in the current situation of operational risk management at GPBank. This helps the bank have a comprehensive perspective and perceive weaknesses that need to be improved. Moreover, the given recommendations can help the bank have more reference sources for its business development.

For the banking major, the research contributes to increasing awareness of operational risk management and its importance in running business operations. In addition, the research on GPBank's operational risk management will be a useful reference source for small-sized banks with similar backgrounds.

For theory contribution, the thesis has introduced the concept of operational risk management in Vietnamese commercial banks and provided opinions and assessments on the current status of operational risk management at a specific bank. An example of the application of the three lines of defense model in risk management was clearly revealed. Moreover, the thesis has pointed out the performance of different operational risk measurement tools, including audit findings and internal and external data collection.

Research limitations

The thesis still has some limitations. As operational risk is a topic that does not receive as much attention as other material risks, official information sources and research articles in Vietnam are still limited. In addition, the research object is a bank under the State Bank’s management with a small scale of operation and a simple organizational structure. This leads to limited sources of information and analytical data. As a result, the thesis encountered many difficulties in the process of collecting information about the research object as well as the research topic.

Bank Negara Malaysia. (2019). Operational Risk Losses among Financial Institutions Remained Small but Emerging Risks Warrant Close Vigilance. Financial Stability Review - Second Half 2019, 32-34. Retrieved from Bank Negara Malaysia: https://www.bnm.gov.my/documents/20124/2724391/fsr2019h2_en_ch1d.pdf

Basel Committee on Banking Supervision. (2001, September). Working Paper on the Regulatory Treatment of Operational Risk. Retrieved from Bank for International Settlements: https://www.bis.org/publ/bcbs_wp8.pdf

Bessis, J. (2015). Risk Management in Banking. Wiley.

Charette, R. (1990). Applications Strategies for Risk Analysis. New York: McGraw Hill.

Clancy, L. (2023, March 10). Top 10 operational risks: Focus on cyber risk. Retrieved from Risk.net: https://www.risk.net/risk-management/7956208/top-10-operational-risks-focus-on-cyber-risk?check_logged_in=1

CSchlatter, C. (2023, September 26). Top 5 operational risks for banks in 2024. Retrieved from Intuition: https://www.intuition.com/top-5-operational-risks-for-banks-in-2023/#introduction

Dang, T. A., Tran, Q. N., & Tran, T. Q. (2019). Operational Risk Management Under Basel II at Vietnam Maritime Commercial Joint Stock Bank. Vietnam's economy in 2018 and prospects for 2019. 25, pp. 354 - 379. Vietnam: NEU.

FDIC. (2019). Operational Risk Losses among Financial Institutions Remained Small but Emerging Risks Warrant Close Vigilance. Financial Stability Review - Second Half of 2019, 32.

FDIC. (2019). Operational Risk Management: An Evolving Discipline. Financial Stability

Gibson, K. (2023, 10 24). What is risk management & Why is it important? Retrieved from Harvard Business School: https://online.hbs.edu/blog/post/risk-management

Ha, G. (2013, May 17). VIB experts share Risk Management experiences. Retrieved from Dantri: https://dantri.com.vn/tai-chinh-dau-tu/chuyen-gia-vib-chia-se-kinh-nghiem-quan-tri-rui-ro-1369204667.htm

IIA. (2013). The Three Lines of Defense in Effective Risk Management and Control. IIA Position Paper, 1-7. Retrieved from The Institute of Internal Auditors: https://theiia.fi/wp-content/uploads/2017/01/pp-the-three-lines-of-defense-in-effective-risk-management-and-control.pdf

Mandala, T. (2018, June 20). Risk Management Theories. Retrieved from LinkedIn: https://www.linkedin.com/pulse/risk-management-theories-teddie-mandala/

March, J. G., & Shapira, Z. (1987). Managerial Perspectives on Risk and Risk Taking

Marija, K. (2013). Operational Risk – Challenges for Banking Industry. EA, 46, 40-52. Retrieved from Core: https://core.ac.uk/download/pdf/33812252.pdf

McKinsey & Company. (2020, April 13). The future of operational-risk management in financial services. Risk & Resilience, p. para 6.

Michael, M., & Michael, R. (2005). Integrating Risks in Business Process Models. ACIS 2005 Proceedings (pp. 3 - 5). Sydney: AIS Electronic Library (AISeL).

Nguyen, D. T. (2015, 10). Operational risk management at Vietnam Joint Stock Commercial Bank For Industry And Trade. Journal of banking science and training, pp. 41-51.

Phan, Y. (2021, 10 21). Difficulties in operational risk management at Vietnamese commercial banks. Retrieved from Financial and monetary market magazine: https://thitruongtaichinhtiente.vn/kho-khan-trong-quan-ly-rui-ro-hoat-dong-tai-ngan-hang-thuong-mai-viet-nam-37570.html

PwC Luxembourg. (n.d.). Operational Risk Management. Retrieved from PwC: https://www.pwc.lu/en/operational-risk-management.html

Raghavan, R. S. (2003, February). Risk Management in Banks. Chartered Accountant, 842. Retrieved from https://un.uobasrah.edu.iq/lectures/1784.pdf

RiskOptics. (2022). What is Operational Risk Management? Retrieved from RiskOptics: https://reciprocity.com/resources/what-is-operational-risk-management/#:~:text=Operational%20risk%20management%20(ORM)%20is,data

Schulz, J.-F., & Funaro, D. (2018, July 10). How Banks Can Manage Operational Risk. Retrieved from Bain & Company: https://www.bain.com/insights/how-banks-can-manage-operational-risk/#:~:text=Operational%20risk%20(OR)%20is%20the,processes%2C%20systems%20or%20external%20events

Segal, T. (2024, March 3). Operational Risk: Overview, Importance, and Examples. https://www.investopedia.com/terms/o/operational_risk.asp#toc-operational-risk-vs-other-types-of-risk

Smith, E. (2020, February 26). The Barings collapse 25 years on: What the industry learned after one man broke a bank. Retrieved from CNBC: https://www.cnbc.com/2020/02/26/barings-collapse-25-years-on-what-the-industry-learned-after-one-man-broke-a-bank.html

Son, M. (2018, September 15). The "expensive" Global Economic Crisis of 2008. Retrieved from VNExpress: https://vnexpress.net/cuoc-khung-hoang-kinh-te-toan-cau-dat-do-nam-2008-3809531.html

State Bank of Vietnam. (2016). Circular No. 41/2016/TT-NHNN of the State Bank of Vietnam: Regulations on capital adequacy ratios for banks and foreign bank branches. Retrieved from Government Electronic Information Portal: https://vanban.chinhphu.vn/default.aspx?pageid'160&docid8256

Thanh, P. T., & Ha, D. T. (n.d.). Corporate governance and operational risk management at Vietnamese commercial banks. Retrieved from State Bank of Vietnam: https://www.sbv.gov.vn/webcenter/contentattachfile/idcplg?dDocName=SBV281823&filename(3589.doc

To, D. T. (2020). Trends in technology application in banking risk management: Difficulties and challenges. Electronic information portal of the Ministry of Finance.

Tucci, L. (2023, September). What is risk management and why is it important? Retrieved from TechTarget: https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important#:~:text=is%20it%20important%3F-,Risk%20management%20is%20the%20process%20of%20identifying%2C%20assessing%20and%20controlling,errors%2C%20accidents%20and%2

Vicente, V. (2004, February 16). Operational Risk Management: Overview and Guide. Retrieved from AuditBoard: https://www.auditboard.com/blog/operational-risk-management/

Date posted: 05/09/2024, 15:10
