i
ACKNOWLEDGEMENTS
I would like to express my thanks to the teachers of the Vietnam University of
Commerce, for their kind assistance and creating every favourable condition for me to finalize
this report.
Particularly, I owe to much Mr Dr Vu Manh Chien – my tutor at University for spending
much time and energy in guiding me through the research and helping me complete this report.
It is a great pleasure to thank all collogues at LienVietPostBank who helped me write my
dissertation successfully, who created favourable conditions for me to complete this internship.
Many thanks to my close friends for their true care and assistance in sharing knowledge
during the education and implementation of this dissertation.
Finally, I would like to show my gratitude to my family for so much care, worry about
me all the three years studying at the university.
ii
Table of contents
ACKNOWLEDGEMENTS ii
List of tables v
INTRODUCTION 1
1. Research context 1
2. Reasons of subject choice 1
3. Research objectives 2
4. Research object and limits 3
5. Dissertation structure 3
CHAPTER 1: THEORETICAL FRAMEWORK ON OPERATIONAL RISK
MANAGEMENT IN BANKING 4
1. Operational risk in banking sector 4
1.1. Definition of operational risk 4
1.2. Classification of operational risks 4
1.3. Consequences of operation risk 6
2. Operational risk management in the bank 6
2.1. Operational risk management 6

2.1.1. Conception of risk management 6
2.1.2. Conception of operational risk management 8
2.2. Role of operational risk management 8
2.3. Literature review on operational risk management 10
2.4. Operational risk measurement according Basel II 12
2.5. Operational risk management according Basel II 14
3. Content of operational risk management in commercial banks 16
3.1. Identifying operational risk 16
3.2. Operational risk measurement 17
3.3. Developing and implementing operational risk management 18
3.4. Reporting operational risks 18
3.5. Controlling operational risks 18
3.6. Allocating capital to operational risk management 19
CHAPTER 2: RESEARCH METHODOLOGY 20
iii
1. Introduction of research field of LienVietPostBank 20
1.1. Brief outline and history 20
1.2. Scope of business 20
1.3. Key indicators 21
1.4. Bank’s strategic position: SWOT Analysis 22
2. Collecting and processing data 25
2.1. Phases of research 25
2.2. Secondary data collection method 25
2.3. Primary data collection method: 26
2.4. Processing data 26
CHAPTER 3: OPERATIONAL RISK MANAGEMENT AT LIENVIETPOSTBANK 27
1. Identifying the factors resulting operational risks 27
1.1. Cause related to personnel 27
1.2. Cause of IT errors 27
1.3. Cause by procedures, regulations 28

1.4. Other factors 28
2. Quantifying operational risk of LienvietPostBank according to Basel II 28
2.1. Quantifying by the basic approach 28
2.2. Quantifying by the standardized approach 30
3. Analyzing the operational risk management at LienvietPostBank 32
3.1 Legal framework for operational risk management 32
3.2. Actual operational risk management at LienvietPostBank 35
3.2.1. Applied method 35
3.2.2. Actual operational risk management at Lien Viet Postbank 37
4. Recommendations for LienvietPostBank’s operational risk management 41
CONCLUSION 45
1. Research contributions 45
2. Research limits and perspectives 46
BIBLIOGRAPHY 47
iv
List of tables
Table 1: Key financial indicators of Lien Viet Postbank 21
Figure 1: Phases of research 25
Table 2: Financial report of LienVietPostBank from 2010- 2012 29
Table 3: Profit by each field of the LienVietPostBank 31
Table 4: Provision for operational risks according to the standardized approach 32

v
INTRODUCTION
1. Research context
International integration opens opportunities for the Vietnamese banking sector to
approach the international financial level and standards. However, these tendencies that imply
global competitions, demand that Vietnamese banks must meet the requirements of business
management in general and of risk management in particular at international standards. Recently,
since more importance has been attached by Vietnamese commercial banks on risk management,

including credit risk, liquidation risk, interest rate risk, etc., up to now a fairly good foundation in
terms of both knowledge and resources has been built in this topic. Nevertheless, operational risk
management has only been being cared for, studied, and carried out over the past few years in
our country.
In general, operational risks are related to many elements such as human beings, internal
systems, procedures and external events. These are very diverse and constantly changeable,
hence operational risks usually occur in almost all important banking operations. Researchers in
several advanced nations have calculated that the effect of operational risks from normal banks
accounts for 10% of operating profit. In addition, operational risks also have considerable impact
on the bank’s reputation. In the current development trend, operational risks are a big problem
due to the operating environment is becoming more and more complex, ever-growing illegal acts
under the conditions of international integration and work pressure, which entail higher and
higher performance as well as the loyalty of employees and the whole-heartedness of the
management; the more and more dependence on technology, along with the ever-increasing rate
and volume of transactions are also the elements that bring an increase in operational risks.
So, in reality, operational risk management is ever more pressing under the conditions for
international integration of Vietnamese commercial banks.
2. Reasons of subject choice
I choose the subject on operational risk management is for a number of reasons:
Firstly, business operations are becoming more and more complex; the competition
pressures between banks are growing, together with the increasing criticality of risks. Subject to
each specific way of approaching, banking business risks can be divided into different types,
however, under the most common classification, according to Basel Commission, banking risks
involve three basic types: Credit risk; market credit; and operational risk. Vietnam commercial
banks are gradually approaching such concepts and have step by step managed these types of
risks according to normal banking practice.
Secondly, there have been not many research on operational risk at commercial banks
published in Vietnam qualified for application to or serving as grounds for formulating or
completing the commercial bank management procedures. One of the very few most recent
relevant works as such was the Master’s Dissertation on “Operational risk management at

Vietnam commercial banks” by author Nguyen Hoai Linh, Economics University, Vietnam
National University, Hanoi, which provides an overview of operational risk management at
Vietnam commercial banks, some assessments on the advantages, shortcomings of the operation
1
risk management that the author has conducted researches on the banking industry as a whole,
from that to propose a number of solutions and suggestions thereof.
Thirdly, studies in Vietnamese on this subject are often characterized by some
orientations, recommendations at macro level, rather than going down into detail on the situation
of Vietnamese commercial banks. Specifically, the solutions as proposed by the work above
include: To improve the effectiveness, performance of the legal framework, financial institution
in operational risk management at Vietnam commercial banks; to enhance the internal
management capacity of commercial banks; to restrict the banking organizational structure’; to
strengthen the financial ability…, are the targets every bank wishes to achieve. Nonetheless, the
contents for implementing industrial have not yet been detailed by the author to reach such
targets. This is also the general situation of research works at the present time, when there are too
many solutions served as “guidelines” whilst lacking the detailed contents which can enable the
researching entity to carry out the solutions. Thus, the author has realized that there should be
further research works which are more practical and associated with specific commercial banks.
Fourthly, from many years’ experience practicing at LienvietBank, I have had the chance
of working in Risk Management Division of the bank, in specifying on the operational risk. I
have found that the operational risk management there needs to be further improved in such
contents as the procedure for operating risk management for credit, capital trading, fund
operations, etc. Therefore, it is not only the actual situation of theoretical studies on this matter
that is lacking a lot of important contents and should be elucidated but also even Vietnam
commercial banks in general and Lien Viet Joint-Stock Bank in particular still need to have
studies or researches which are practical and immediately applicable to the management process.
Under such practical conditions and wishing to apply the theories his has learned from
the postgraduate program at Vietnam University of Commerce, I have decided to choose
“Operational risk management at Lien Viet Joint-Stock Bank” as the subject of this dissertation.
The research questions are formulated as following:

- How can a bank quantify its operational risk based?
- Which causes lead to operational risk in the bank?
- Which factors affect the operational risk management activities of the bank?
- Which methods to measure and evaluate operational risks in the bank? And what are
their performances?
3. Research objectives
This research aims at the following specific objectives:
- Complete the basic theoretical system of risk management and operational risk
management based on meta-analysis of local and international researches;
- In-depth research on the theory system and the theories of operational risk
management at commercial banks based on analysis of the theoretical research specialized in
banking – finance and actual operations of Vietnamese commercial banks.
- Synthesis and presentation of operational risk management models at commercial
banks which have been developed and applied globally; assessment of applicability at
Vietnamese commercial banks;
2
- Research on operational risk management applied at Lien Viet Commercial Joint
Stock Bank including: define responsibilities and authorities of individuals and units related to
operational risk management ; identify the costs, losses that can occur from the operation
- Evaluate the effectiveness, advantages and limitations of the operational risk
management at Lien Viet Commercial Joint Stock Bank in recent years;
- Propose solutions to complete the operational risk management at Lien Viet
Commercial Joint Stock Bank.
- Change the perceptions of bank leaders in a positive way about the role of operational
risk management at commercial banks
4. Research object and limits
- Research object: operational risk management in banking
- Research field: Lien Viet Commercial Joint Stock Bank
- Documental research: document on operational risk management in Lien Viet
Commercial Joint Stock Bank from 2010 to 2013; annual reports, thematic reports on

operational risk
- Practical limit: observation and practical work at the bank
- Interview: interview with manager, staff in the risk management department, the
people directly involved in operational risk management
5. Dissertation structure
This dissertation is structured in three chapters as follows:
• Chapter 1: Theoretical framework on operational risk management in banking
• Chapter 2: Research methodology
• Chapter 3: Operational risk management at LienVietPostBank
3
CHAPTER 1: THEORETICAL FRAMEWORK ON OPERATIONAL RISK
MANAGEMENT IN BANKING
1. Operational risk in banking sector
1.1. Definition of operational risk
The most popular definition of operational risk appeared for the first time in Robert
Morris Associates et al. (1999), where operational risks were defined as direct or indirect
damages from the insufficient or unsuccessful internal procedures by human and system, or
external events. Initially, this definition was adopted by Basel Committee; nevertheless reference
of indirect damages was excluded as measurement was very difficult. Therefore, operational
risks were defined by Basel (2004) as consequences likely to occur from the insufficient or
unsuccessful internal procedures by human and system, or external events. However, this
definition described the definition as “broadly as completely useless” or ignored basic business
risks (Herring, 2002; Turing, 2003).
Vinella and Jin (2005) gave another definition of operational risks. They defined
operational risks as “risks in which operation cannot meet one or more objects of operation
performance, the causes may be personnel, technology, procedures, information and support for
infrastructure business activities”. They believed that the definition by Basel was a special case
of their definition when the failure to meet the operation performance object constituted a loss of
money. Once more time, there was no specific reference to the role of the external elements in
this definition. To date, however, the definition by Basel has still been applied at major banks or

credit institutions as a standard definition of operational risks.
Operational risks arise from ineffectiveness of information systems, from technical
errors, from internal control errors, from unintended events or other operational issues that can
lead to unexpected loss or reputation issues. The scope and duration of operational risk is very
large, the risk can occur at any time during the operation of the bank. According to Basel II,
operational risk is the risk of direct or indirect loss due to inadequacy or failure of the processes,
people and internal systems, or from external events. Operational risk includes legal risk, but
excludes strategic risk and reputation risk.
Thus, the operational risk is caused by following factors: processes, people, systems,
external events and other issues. These factors are shown as follows: processes, people, systems,
and external factors These factors affect all business operations of the bank. Therefore
operational risk exists in all of the services and business operations of the bank, which is why
there are a lot of issues related to operational risks such as: business strategy, policies,
operational procedures, organization, operations, operational support, human resources,
infrastructure, information technology, control measures and the audit work.
1.2. Classification of operational risks
In 2006, Basel Committee for banking supervision announced a literature revue of
internal tools for measuring capital and capital standards, known as Basel II Capital Accord,
herein under referred to as Basel II (2006). Basel II was intended to introduce a new approach to
4
risks in the banking industry. The new regulations combined requirements for minimum capital
with market assessment, supervision and standards to pose a procedure for better managing risks
in order to minimize the overall risks of organization.
Basel II employs to a larger extent the risk assessments provided by banks’ internal
systems. Basel II definitions of kinds of risks together with core business areas as found in a
banking organization as follows (Unchiaşu, 2009):
• Credit risk is defined as risks related to contact with customer as individual borrower or
partners and level of investment portfolio;
• Operation risks are damage risks resulted from insufficient or unsuccessful internal
procedures for the reasons of personnel and systems or external events. Operation risks involve

legal risks, referred to as legal loss or damage resulted from wrong action by the bank or its
employees, equivocal with regard to requirements and legal effects, ineffective in relation with
the national legal system;
• Market risks is defined as risks of losing potential finance as a result from any adverse
change of the market such as interest rates, exchange rates;
• Interest rate risks involve all interest rate values of banks and refer to all adjustments of
relevant due interest rate data;
• Liquidation risks are risks in which: banks won’t receive assets that meet all borrowers’
obligations at reasonable expenses;
• Reputation risks: reputation is an invaluable, invisible asset but of high value; negative
public opinions constitute considerable risks which result in the loss of supporting resources or
customers;
• Strategy risks are possible negative effect on the revenue and capital of banks resulted
from erroneous, inadequate decisions on business and development strategies and insufficient
human resources to meet strategic objectives and with changes in the industry.
Also, based on the factors affecting operational risk or in other words, based on the
causes of operational risk, operational risk can be divided into the following types:
- Risk caused by internal issues
o Risk caused by bank employees
o Risk caused by regulations, business process:
o Risk from support system
o Risk from other support systems
- Risk caused by external issues:
o Risk caused by fraud, theft or crime of external objects such as: theft, robbery,
forgery of papers, forgery of checks
o Risks caused by external events or natural disaster (earthquakes, floods,
hurricanes, etc.) causing damage to the business operations of the bank.
o Risk caused by changes in documents, government regulations and relevant
5
departments or new regulations affecting business operations of the bank

1.3. Consequences of operation risk
Operational risks exist in every area of the economy and in every effort made by human
beings. Operational risks can be found in the health sector, in means of transport, in energy
industry, banking, education, and almost all activities. In some areas, in order to increase
sensitivity to risks, due to governmental regulations, advanced procedures have been carried out
to identify special risks to their activities. Nevertheless, operational risks exist when activities
take place, despite the fact that they are under our control or not. This truth has been aware of by
managers in a series of activities (Doebli et al., 2003).
On March 14, 2010, the Sunday Times published a summary of a 2200-page report
following up the collapse of Lehman Brothers in Wall Street (Sunday Times, 2010). The 158-
year-old bank went bankrupt in September 2010. The court-designated appraiser realized that
Lehman had exaggerated property values and ignored or rejected the control over risks of the
company on a regular basis. So, one can imagine how heavy is the effect of the consequences of
operational risks on banks and credit institutions. Operational risks not only cause damages to
banks in terms of finance but also exert great effect on the prestige, trade names of banks. Some
frequent consequences caused by operational risks include:
✓ For marketing and sales activities: Operational risks may drive banks to the state that
when launching new products the infrastructure is unsuitable as resulted from improper
application of new product approval processes.
✓ For payment activities: The consequences banks have to increase may include failure
to make payment as per customer request or payments to the wrong beneficiaries.
✓ For IT: The consequences banks have to increase may be the state of losing control
over the system or the database stops functioning.
✓ For financial operations: The consequences of operational risks may involve erroneous
asset evaluation, incomplete statements of profit and loss, non-compared accounting items.
✓ For personnel management: The consequences of operational risks may involve acts of
breaching laws in the issue relating to labour contract termination…
✓ For bank prestige: Bad treatment towards customers will result in loss of customers or
bad bank prestige and the consequences are loss of capital or decrease in profit of the bank.
2. Operational risk management in the bank

2.1. Operational risk management
2.1.1. Conception of risk management
According to Basel (2004), risk management is a continuous process needs to be carried
out at all levels of a financial institution and mandatory requirements for financial institutions to
achieve the set goals and maintain the ability to exist and financial transparency. Basel (2004)
also stressed on different risks would lead to failures of banks in a mature economy. While
experiences of each country are characterized by their uniqueness, research on history of banking
crises in different countries over the world has shown that poor management of the risk
6
categories that have been concretized in banking catalyst has failed in most cases. Further, the
report also pointed out that risk management in most banks in the world was restricted to
compliance with the regulations imposed by supervision agencies. It was also revealed that many
banks did not have the idea how to go in implementing risk management procedures,
notwithstanding the existing detailed instructions for the same countries among many others.
Risk management can be described as optimizing risk management expenses carried out
not to damage any management area, including business philosophy, organizational culture, as
well as some business functions of financial institutions. It represents the central part of strategic
management and business management of any commercial organization (Barjaktarović, 2009).
The focus of effective risk management is to determine and minimize risks. The goal of
risk management involves:
• The entity’s ability to achieve profit growth and optimization;
• Effective operation within a dangerous environment;
• Combination of activities within a legal framework.
Risk management is a continuous and ever-growing process, is part of organizational
strategy and the implementation of this strategy. All business entities develop their instructions
for risk management. Risk management process involves the following steps (Barjaktarović,
2009):
• Defining risk management process goals so as to decide what banks expect from the
program. The primary goal is to protect the performance of organizations. The second goal is to
protect the legitimate rights of employees.

• Determining risk – risk management must reveal the risks that firms are exposed to.
Determining risks is a period of the risk management process, in which risks within the system
are screened and classified. Basic risk classification in relation with operations of business
organizations involves:
- An important threat that leads to the bankruptcy of economic organizations.
- An important threat that threats liquidation of business entity, with negative effects (or
by loans from commercial banks or by increasing efforts to collect debtors’ overdue bad debts).
- Inconsiderable risks, without affecting important operations, in practical examples, they
do not pose a threat to liquidation and solvency of entity.
• Assessing risks involves the entire process of analyzing and assessing risks. Potential
loss and possible loss are determined by experts. Analysis involves determining, describing, and
assessing risks. Risk analysis results can be used for collecting risk documentation to evaluate
the importance of each risk and to provide a series of tools for determining priorities for risk
regulations and make it possible to classify; each risk is determined by its relative importance.
Risk assessment is important for the decision-making process. Furthermore, banks need to build
their internal and external risk systems for reporting the existence of risks.
• Considering options, replacements and selecting resources for risk management,
including the two solutions: financial risks and the link of available assets included for
regulations of losses arising from the remaining risks after the use of techniques for controlling
risks.
7
There are some methods of controlling risks (Barjaktarović, 2009): risk control approach,
risk avoidance approach, risk reduce approach, financial risk approach, risk maintenance
approach, and risk transfer approach.
Assessing and reviewing are a continuous function of risk management, including
assessing and adjusting activities related to risk management. Changes of risks are by time, i.e.
they would disappear or the new ones will appear.
2.1.2. Conception of operational risk management
Operational risk management is the process in which financial institutions conduct
activities affecting operational risk, including the establishment of the organizational structure,

the construction of policies system and methods of operational risk management. Thereby they
can deploy the process of risk management including identifying, measuring, assessing,
monitoring and controlling operational risks in order to ensure the minimization of risks.
Effective operational risk management does not mean the total elimination of risks. Risks
can still occur but only in the predicted levels that the banks can control.
The purpose of operational risk management is to understand the level of operational risk
of the system, the organization, to find the cause of the risk, to distribute the resources to support
and identify external and internal trend, thereby it helps to predict and limit risk. The operational
risk management enables banks to prevent fraud, minimize errors in the transaction process,
maintain the integrity of internal control
2.2. Role of operational risk management
The separate supervision systems for financial institutions in different states would
reduce the reliance of the global financial domain since, as Davies (2001) and Merton (1993)
pointed out, the separate supervision approach for the financial domain cannot guarantee the
supervision over a sole area without integrating into a global supervision network.
Out of the negative aspects of the supervision approach of the financial sector as
mentioned above, there should be uniform rules of supervision for the financial system. It would
help to strengthen the supervision of the personal finance sector, in close relations with the
global financial system. Basel Committee for Banking Supervision, International Payment Bank,
provided a uniform means for the function above. Apart from national requirements for
supervision in the financial domain, it provides suggestions related to the formation of a
supervision system and its components for the financial sector.
In analyzing the effects of supervision organizations, it should be noted that assessment
of effects as such may contain contradictions. First and foremost, it should be stressed that the
most important reason for setting up supervision organizations is to guarantee stability for the
financial sector. Stability is beneficial to all members of the financial sector. Nevertheless, the
negative effects of agencies supervising the operations of financial institutions should be taken
into consideration. The supervision of financial institution, such elements as instructions and
punishments would create a certain environment for financial institution. Environment has the
meaning of restrictions on the freedom of banking operations, since financial institutions are the

object of economics. Such restrictions are presented through the frameworks gathering
operations for financial institution as imposed by supervision agencies. The frameworks as
established are mandatory to all members of the financial sector operating in the same area (e.g.
commercial banks, life insurance companies…), without subject to the details of their activities
8
(size, strategy…)
The existing environment of the members in the financial domain determines the growing
interest of banks in the performance of internal procedures. Stein (2000) noted that the increasing
complexity of banking and internal procedures was the cause of the increasing number of errors
inside the bank system. This might discontinue the banking operations and might lead to a
banking crisis. The above mentioned causes have forced banking managers to pay more and
more attention to operational risk management. According to Kuhn (2003), operational risk
management performance exerted great effects on competitive capacity and success in the
banking market.
Besides the efforts made by banking managers to control overall operational risks, more
and more attention is being paid by financial institution to posing requirements for operational
risk management. The heaviest damages related to operational risks amounted to USD 2.6 billion
(the Japanese financial institution Sumitomo).
The data collected has shown that the threat from operational risks and their serious
consequences made the supervision agencies of financial institution acknowledge that
operational risks among the most important risks in the banking domain. Supervision agencies
thus should consider that as the threats generated from reality of operational risks were
underestimated, thus damages in connection with lack of care for risk management in operations
of banks are likely to occur.
The necessity to increase attention in managing operational risks management and
supervision management has ground from a statement by Schmitz (2001). He said that
operational damages were unacceptable in a weak economic environment. This statement reflects
the nature of the appearance of operational risks. Not subject to economic environment,
operational risks are avoidable by adhering to banking procedures.
Based on analysis of the nature and operational risk management, Schmitz (2001) made a

list of issues relating to the growing interest in the requirement for operational risk management.
He also differentiated the strengths of operational risk management, with the importance of
operational risk management: the attention to paying money for operational risk management is
not enough, thus supervision of operational risk management should be deeper examined in the
way of posing specific requirements for operational risk management in the banking domain.
Fulfilling supervision of operational risk management may constitute a substantial tool for
protection in the financial domain against the crisis caused by sources of operational risks.
As observed from researches in some developing countries, operational risks might have
caused damage to 10% of the operating profit of banks. According to a survey of CEOs of
American banks in 2010, 63% of them answered that one of the important causes leading to
crisis was the poor management of operational risks.
A research in Australia quantified operational risks, which represented about 20 - 23% of
the general risk total. In Vietnam, there has been to date no researches or data with quantified
nature concerning the damages caused by operational risks. Anyway, as to some experts, the rate
of damage caused by ORs might have been even higher than that of Australia.
Some opined that, only after a long time could quite a few commercial banks in the home
country care about credit risks, then market risks whereas very few paid attention to operational
risks. The occurrence of this risks not only causes damages to banks in terms of material and
9
human resources but also affects their prestige, hence the role played by operational risk
management more and more necessary and significant.
2.3. Literature review on operational risk management
Generally there are not many studies on operational risk management. The case study
should include: Basel (Basel, 2003) which has identified the basic operation of operational risk
management. Crouhy et al. (2001) and Alexander (2003) which have developed a classification
system of problems in operational risk management; Hoffman (2002) that has introduced the
optimal method for operational risk management based on the analysis of 20 large enterprises;
Jorion (2003) that has analyzed actual operational risk management of several banks.
• Alexander (2003), in his book of Operational Risk: Regulation, Analysis and
Management, brings together contributions from the world’s leading experts to identify today’s

best practices for measuring and managing operational risks, and assessing them in the broader
context of all risk.
• Basel (1998, 2003, 2004): Basel I explicitly covered only two types of risks in the
definition of risk weighed assets: credit risk and market risk. Other risks were presumed to be
covered implicitly in the treatments of these two major risks. In Basel II the definition of risk-
weighed assets is modified. Basel II approach for calculating risk-weighed assets provides
improved bank assessments of risk making, resulting more meaningful capital ratios. The pillar
one is modifying the definition of risk-weighed assets in Basel II and has two primary elements:
substantive changes to the treatment of credit risk relative to Basel I and the introduction of an
explicit treatment of operational risk resulting in a capital measure of operational risk.
• Chapelle et al. (2004), in their article on “Basel II and Operational Risk: Implications
for risk measurement and management in the financial sector”, analyze the implications of the
Advanced Measurement Approach (AMA) for the assessment of operational risk put forward by
the Basel II Accord. Their results suggest that substantial savings can be achieved through active
management techniques, although the estimated effect of a reduction of the number, frequency or
severity of operational losses crucially depends on the calibration of the aggregate loss
distributions.
• Chorafas (2003), in the book of Operational Risk Control with Basel II: Basic
Principles and Capital Requirement, provides a sound methodology for operational risk control.
He explains why and how information technology is a major operational risk and shows how to
integrate cost control in the operational risk perspective. Details analytical approaches to
operational risk control, to help with scorecard developments are also presented.
• Colnanba and Giudici (2004)’s article Statistical models for operational risk
management is an overview research on some of the operational risk management model, with
calculation of some necessary indicators about capital and factors of safety based on Basel II
standards applied to all types of banks, especially the banks that have operations network in
many countries. This research has shown that operational risk management at banks in recent
years is more and more interested by experts and banking supervisors due to the explosion of e-
commerce, business merger and acquisition (M & A) in large scale and heavy reliance of
banking activities in the automation technology This leads to a variety of derivatives in

banking operation and an increasing demand of more active and more effective risk management
system.
10
• Hoffman (2002)’s book of Managing Operational Risk: 20 Firmwide Best Practices
Strategies can be considered as a definitive guide to managing operational risk in financial
institutions. It covers all the bases from the basics of what operational risk is to how to design
and implement sophisticated operational risk management systems.
• King (2001)’ book of Operational Risk, Measurement and Modelling concentrates on
measurement of risk in order to provide the needed feedback for managing and mitigating it.
Using both theoretical and practical material, the author lays out a foundation theory that can be
applied and refined for application in the financial sector and beyond which includes a new
technique called Delta-EVT (trademark).
• Samad-Khan (2006)’s research Stress Testing Operational Risk began by an
observation: the banks always face with three major types of risk: credit risk, operational risk,
market risk and credit risk; people always think credit risk is the biggest concern of the banks.
Then, the author pointed out: 80% of the credit risks are actually operational risks. In fact, an
effective operational risk management system can even helps the bank to save more than the
profits it generates. The author launched an operational risk measurement model based on annual
statistics losses due to operational risk model using Monte Carlo calculations formula.
In Vietnam, a few years ago, operational risk management was still a relatively new
problem for commercial banks. Despite many efforts, nowadays Vietnam has not yet established
a formal framework for operational risk management. State Bank of Vietnam has issued a
circular No. 13/2010/TT-NHNN dated 20/05/2010 and Circular No. 19/2010/TT-NHNN
27/09/2010, Circular No. 22/2011 / TT-SB dated 30/08/2011 amending and supplementing
Circular No. 13 regulating prudential ratio of credit institutions on the basis of Basel II.
However, commercial banks still expect the State Bank to promulgate specific regulations
guiding the implementation of risk management on all aspects, from setting policies, regulations
and procedures to measurement approaches, minimum capital requirements for operational risk
and provisioning mechanism of operational risk.
• Nguyen Hoai Linh (2012), “Operational risk management at commercial banks in

Vietnam”, Dissertation for Master in Economics, Department of Banking and Finance,
University of Economics Da Nang. This dissertation has presented general issues related to
operational risk management. In the research, MA Nguyen Hoai Linh has given a basic
theoretical background on operational risk management in the commercial banking system with
the method of determining the operational risk under the agreements Basel II
• Nguyen Thi Thuy Hang (2012) on “Operational Risk Management for Commercial
Banks in Vietnam”. This scientific article published at Banking magazine, has pointed out the
essential contents to be implemented when conducting Operational risk management at
commercial banks in Vietnam. The contents include: (i) Establish and improve Operational risk
management framework including Operational risk management policies according to
international standards; (ii) the application of Operational risk management framework that has
been developed with gradual stages, strictly compliance with the regulations on quality.
• Pham Huy Hung, Chairman of Vietnam Joint Stock Commercial Bank For Industry
And Trade (2010) with “Approaches of market risk management at commercial banks in
Vietnam”, Scientific Research. This research has shown the current status of market risk
management at commercial banks in Vietnam in general and at the Vietnam Joint Stock
11
Commercial Bank For Industry And Trade in particular.
• Pham Thi Trung (2008), in the Dissertation for Master entitled “Improve risk
management systems at Military Commercial Joint Stock Bank”, has generally presented the
international practices of risk management in the operation of commercial banks.
In practice, managing operational risks have been applied by many banks in the world
management. AMA (Advanced Measurement Approach) has been used in many banks in USA,
Europe, Japan and Australia. Results of research conducted by Basel Committee on 121 banks in
17 countries until the end of 2009 concluded that capital operational risks of 28 banks using
AMA were at a lower level than that of banks without using AMA (10.8% against 12- 18%).
Over 50% of Spanish banks has renovated their operations and organization for the aim
of operational risk management by setting up a separate section specializing in operational risk,
renovated their reporting system and applied up-to-date technology.
Some banks make full use of resources from outside for operational risk management,

e.g. ING Group hired IBM for operational risk management, and Citibank used the CLS
(continuous linked settlement) software. Citibank implemented operational risk management as
per the standards and policies on risks and control on the basis of self-assessment of risks.
Operations of departments, sections were regularly determined, assessed to arrive at decisions to
adjust and alter operations to minimize operational risks. Activities as such were documented
and announced at banks. Main risk measurement indexes were thoroughly and detailly
determined, and this was good condition for Citibank to carry on operational risk management.
The framework of operational risk management has also been flexibly employed to
accommodate to the specific conditions of each country, each bank. The above management
framework was concretized by DBS (Singapore) as follows:
Operational risks were analyzed from two angles: frequency of occurrence and extent of
effect. From that, DBS determined the way of organizing and formulating programs for
minimizing operational risks such as international audit, international insurance. At DBS, the
tools and techniques for operational risk management were used for self-assessing, managing
events, analyzing risks and reporting.
2.4. Operational risk measurement according Basel II
According to the Basel Committee, there are three approaches to calculate capital
requirements for operational risk, correspond to gradual the level of complexity and risk
sensitivity: (i) The Basic index approach; (ii) Standardization approach; and (iii) Advanced
measurement approach (AMA).
• The basic index approach
The banks that use Basic index approach must maintain equity capital for operational risk
so that it corresponds with a certain fixed ratio (symbol: α) of the average annual gross profit,
within 3 years. The capital is calculated by the following formula:
K
BIA
= GI x α
In which:
K
BIA

: capital requirements in the Basic Index method.
12
GI: average annual gross profit of the three previous years.
α = 15%. This rate is set by the Basel Committee, which reflects the relationship between
the amount of capital required by the entire sector with the overall index.
Gross profit is calculated as net interest income plus net fee income.
New Basel Agreement does not set out specific required conditions to apply The Basic
Index Approach for the bank. However, banks using this method are encouraged to follow the
guidance of the Basel Committee on Good Practices for Operational Risk Management and
Supervision, February 2003.
• Standardization Approach
According to Standardization Approach, banking operations are divided into eight service
segments: corporate finance, trading & sales, retail banking, commercial banking, payment,
agent service, assets management and retail brokerage.
In each service segment, gross profit includes several indexes reflecting the operational
scale of that service segment. Therefore, they also reflect the level of operational risk of each
service segment. Capital requirements for each service segment are calculated by multiplying the
gross profit with a coefficient (β) applied to that service segment. β coefficient reflects industry-
wide correlation between the losses from operational risk recognized in the actual situation and
the scale of the industry’s gross profit for each type of service. It should be noted that, in the
Standardization Approach, the gross profit is measured in each service segment, not in the whole
bank, namely: in the segment of corporate finance, this index shows full Gross profit earned
from corporate finance operations of the bank.
Total capital requirement is calculated by summing the capital requirements of each
service segment. Total capital requirement can be expressed by the following formula:
K
TSA
= Σ (GI
1-8
x β

1-8
)
In which:
K
TSA
: Capital requirements according to Standardization Approach.
GI
1-8
: Average gross annual profit of the last three years, determined as in the Basic
index approach above, for each one of the 8 operational segments.
β
1-8
: Fixed percentage prescribed by the Basel Committee, which reflects the relationship
between the amount of capital required and gross profit of each operational segment. Details of
the value of β as follows:
β coefficient for each operation segment.
Corporate Finance (β1): 18%
Trading and Sales (β2): 18%
Retail banking (β3): 12%
Commercial bank (β4): 15%
Payment (β5) 18%
Service Agency (β6) 15%
13
Asset Management (β7) 12%
Retail brokerage (β8) 12%
• Advanced Measurement Approach (AMA)
According to Basel (2006), this eventual approach is for financial institution to set up a
system for measuring internal operational risks with the use of a standard for quality evaluation,
in which cost of capital shall be calculated by the organization as total of the estimated losses
(EL) and unexpected losses (UL). The banks can only apply the AMA after being approved by

Banking Management Agencies.
The following equation represents ways of calculating cost of capital as per AMA
approach:
=∑(EL +UL)
: Requirements of capital as per advanced approach
EL : Estimated losses
UL : Unexpected losses
To be eligible to apply Standardization Approach or AMA, banks need to prove to Bank
management agency that:
- Board of Management and Senior Executive of the bank, as the case may be, can play
an active role in supervising risk management activities.
- The bank must have an operational risk management system based on a proper principle
and implemented in a comprehensive and synchronized way.
- The Bank must have adequate resources for the use of the selected approach in the main
operational segments, as well as in the field of accounting and auditing.
AMA model is very flexible, can be applied flexibly in all bank’s specific model, but the
most popular AMA model is Loss Distribution Approach (or LDA).
2.5. Operational risk management according Basel II
Basel Committee is a banking supervision committee founded by the G10 central banks
in 1975 under the sponsorship of International Payment Bank. Basel Committee is intended to
set up general frameworks for controlling risks and supervising safety for international banks.
The important goal as set by Basel Committee is to narrow the gap in supervising safety for
banking operations in the internal aspect, with the two main principles: “Don’t leave any bank
unsupervised and supervision must ensure completeness”.
Basel II Convention (2004), with the meaning of international framework, standard of
risk management in business operations of commercial banks, has been applied and achieved
high results. Basel II Convention has touched upon a totally new content in banking risk
management, namely “operational risks”. The Convention covers three main issues: Demand for
minimum capital; procedure for checking, supervising; rules for market.
According to Basel II (2004), operational risks are threats of losses due to insufficient or

14
non operational internal procedures; due to personnel and systems; or due to external events.
This definition includes legal risks but excludes strategic risks and prestige risks. At the same
time, it proposes three key measures for operational risk: Basic criteria approach (1 criterion
applied in a provision); Standardized approach (multiple criteria applied in a provision);
Advanced internal measurement approach AMA (for banks applying internal models).
Also, the Convention also puts forward ten rules of operational risk management for
commercial banks as follows:
• Board of Directors should be aware of the main aspects of banking operational risks as
a separate form of risk which must be managed, viewed on a periodical manner. Within the
framework, there should be a definition of operational risks and principles on what operational
risk should be like so as to determine, assess, follow up and control/reduce.
• Board of Directors must ensure that the bank’s risk management operations rely on the
effectiveness and comprehensiveness of the internal audit system, employees are properly trained
and capable of working independently. Internal audit function is not responsibility for controlling
operational risk directly.
• Senior managers should be responsible for implementing rules for operational risk
management with approval from the Directorate. The rules above should be in a consistent
manner throughout the bank’s organization, and all the levels and staff should be aware of their
responsibility for operational risk management. Senior managers should also have responsibility
to draw up policies, procedures for operational risk management in all the bank’s products.
• Banks should determine and assess the operational risks inherent in all their products,
operations, procedures and systems. Banks should also ensure that before new products,
operations, systems are introduced or carried out, the operational risks inherent in them must
have been fully evaluated.
• Banks should carry out a procedure on a regular basis for following up operational
risks. Should have periodical reports with necessary information for senior managers and Board
of Directors to support operational risk management.
• Banks should have policies, procedures for controlling and minimizing operational
risks. Should consider reducing operational risks and strategies for controlling, adjusting their

operations to conform to the overall risk strategy.
• Banks should have provision and plans for continuous business to ensure their
uninterrupted operations and to minimize damages in case of operational risk occur.
• Bank supervisors should request all banks, irrespective of their sizes, to have an
effective formwork for determining, assessing, following up and controlling/minimizing their
operations as part of the overall approach towards risk management.
• Supervisors should conduct, either directly or indirectly, regular independent
assessments of policies, procedures and practices related to banking operations. Should ensure
that there are proper mechanisms available onsite which permit to strengthen the development of
banks.
• Banks should carry out properly and announce their ways of approaching operational
risks so as to allow markets to participate in assessing such methodologies.
15
The ten rules can be summarized focusing the following four principles:
• Principle 1 (rules 1 - 3): Commercial Bank should develop a process assessing the
adequacy of minimum capital associated with their risk status, as well as a strategy to maintain
that adequacy.
• Principle 2 (rules 4 - 7): The authorities supervisory the safety of bank’s operations
should monitor and evaluate regularly the accuracy, consistent with the mechanism of assessing
the minimum capital adequacy of banks. In the case Commercial banks failed to meet the
minimum capital requirements, supervisor must carry out appropriate measures.
• Principle 3 (rules 8 - 9): The supervisor must have adequate tools to force banks to
maintain capital above the minimum capital adequacy.
• Principle 4 (rule 10): The supervisor should have instant intervention in order to
prevent inadequacy of commercial banks (with capital adequacy under 8%), as well as apply the
mechanism to require immediately offset of banks in the deficit capital compared to capital
adequacy.
The application of the provisions of Basel II will bring practical benefits for commercial
banks in the management of operational risk. These regulations will become a basic guide for a
commercial bank to build a risk management system, also for the supervisor of financial and

monetary activities to perform these functions: Build and issue the legal framework; monitor and
timely intervene to ensure the stability of the financial and monetary market on the basis of
transparency, sustainable development.
3. Content of operational risk management in commercial banks
3.1. Identifying operational risk
In commercial banks, all sections are responsible for carrying out assessment and
definition of risks so as to identify early and timely signs of risks during their operational
process, to analyze, determine the extent of effect and consequences that may increase.
Commercial banks identify operational risks in keeping with the contents: identifying possible
risks, causes of risks, causers of risks, extent of risks. Depending on their risk management
method, each bank has different identification operational risk methods. But generally the
identification of operational risk in commercial banks is implemented through 7 groups of risk
note as follows:
• Group of risks related to organizational structure, personnel and workplace safety.
Identifying of this group is carried out through:
+ Regular check, assessment of the model of organizational structure, with operational
sections of the bank.
+ Regular check, assessment of activities for recruiting, appointing personnel; assessing,
analyzing causes of personnel giving up their work, terminating labour contracts; assessing the
compliance with regulations, labour agreements, health and labour safety.
+ Collecting, assessing personnel qualifications, professions trained, work experiences,
work results, adherence to stipulations.
By analysis, assessment, banks can find out signs of risks such as risks from personnel;
16
risks from policies on recruitment, arrangement, appointment of personnel; risks from improper
compliance with laws on employees.
• Group of risks related to policies and internal regulations. Any bank during its
operation process also has to check its internal mechanism, policies, regulations in order to
detect, identify signs of risks such as:
+ Lack of incomplete, loose, non-concrete regulations, thus leaving gaps for the wicked

to avail themselves and causes damages to the bank.
+ There are overlapping or unviable, unreasonable provisions in documents, regulations,
thereby creating difficulties for implementers.
+ There are contents in documents, regulations not in line with current provisions of the
law.
• Group of risks related to internal fraud: In connection with this group, banks shall have
to identify signs of risks, for example, officers commit themselves or in collusion with customers
to commit illegal activities for the purposes of approaching assets, damaging the bank’s prestige.
• Group of risks related to external fraud: In this group of signs, banks have to identify
signs of risks caused by willful frauds, swindles of customers or other external people, for
instance acts of providing misinformation, counterfeiting transaction documents.
• Group of risk related to work process: Commercial banks carry out tasks of following
up, totaling up in a full, regular manner all errors occurring in the course of handling work of all
sections, identifying signs of risks such as carrying out operations beyond the powers, authority;
disobeying regulations, procedures; maintaining loose control…
• Group of risks related to information technology systems: this includes the bank’s
following up operations of the system (including hardware, system of security, transmission
lines, operational software…) to total up, follow up errors, defects, problems of the IT system
that have effects on the bank’s operations.
• Group of risks related to property damage: Identifying of this group includes the
bank’s examining; assessing the possibility of risks occurring resulted from sabotage, terrorism,
acts of gods, earthquakes, storms, floods, fire.
3.2. Operational risk measurement
Measuring operational risk consist to determine the level of different types of operational
risks. Operational risk is difficult to recognize, so the measurement is also very difficult. There
are two measurement methods commonly used which are qualitative and quantitative methods:
• Qualitative methods: analysis of evaluation and subjective review of each commercial
bank about the level of good-bad, big-small, severity of identified risk notes. Qualitative methods
are used to measure the risk related to the organizational model and workplace safety; related to
internal policies and procedures.

• Quantitative measurement methods: evaluation through the specific statistical of the
level of risk (probability), through the loss of specific types of identified risk notes. This method
is mainly based on the statistics of the Bank and is used to measure operational risk related to
areas such as information systems; internal or external fraud.
17
3.3. Developing and implementing operational risk management
Based on the results of the process to identify and measure risk, commercial banks need
to deploy effective management measures. First at all, banks ought to determine their
responsibility for operational risk management. Operational risk management should not be
construed as a task of a certain unit, but the assignment, responsibility of the banking system as a
whole. Particularly, employees will be those who need to be well aware of such kind of risk, and
their irresponsibility would result in unforeseeable consequences.
Once banks have determined their responsibility for risk management, risk managers of
banks must divide risk management in a clear and transparent manner. Operational risk
management is divided into three levels: Strategic level, macro level, and micro level.
The contents of operational risk prevention, minimizing approaches cover:
✓ Enacting, amending, supplementing to policies, regulations, operational procedures to
make them suitable
✓ Strengthening inspection, control over the compliance
✓ Operational education or training for personnel
✓ Plan for repairing, rectifying errors
✓ Acts of preventing risks or suspending activities that would cause risks
✓ Compiling scenario and carrying out Stress Testing, scheme for minimizing risks
before unexpected contingencies
✓ Checking, adjusting, promulgating, supplementing treatment sanctions against
offences in the operational process
✓ Taking out insurance or taking other measures to minimize risks
✓ Plans for capital allocation in precaution against operational risks.
3.4. Reporting operational risks
Operational risk management board must ensure that information about risk management

will be presented through a system of reports, made by persons in charge and sent in on time
according to a form or procedure that supports in monitoring and controlling assignment. Report
contents include the following information: serious operational risk encountered; incidents and
consequences of risks along with intentions to remedy; performance of the actions as set out;
detailed plan that is formed in preparation for recording any risk upon occurring; areas under
pressure where operational risks are likely to occur and steps of controlling operational risks.
3.5. Controlling operational risks
Banks need to be strengthened through risk control culture to promote efficient risk
management. Operational risk management is aimed at:
✓ improving the ability to identify early the risks that are not identified, controlled or
18
being disregarded;
✓ providing better assessment of the ability to accept the identified risks;
✓ formulating more effective replacement measures to control unacceptable risks;
✓ taking in an earlier and better manner actions to reduce risks and measures to avoid
losses.
3.6. Allocating capital to operational risk management
Moscadelli (2004), by using the data collected by RMGs in 2002 and handling the
statistic data, realized the relationship between the total average revenue and cost of capital for
each sector of operation. This contribution enables the possibility to calculate expenses through
the total average revenue for each sector of operation; nevertheless, it is still very difficult to
have values through annual reports of a financial institution. Both authors, Fontnouvelle et al.
(2003) and Moscadelli (2004) concluded that when analyzing, there are two obstacles: first, data
quality might be unclear; second, there exist losses in the operations that have not been registered
by financial institutions.
According to Basel Committee, there are three methods of calculating capital
requirements for operational risks, in sequence of gradual increase in complexity and sensitivity
to risks: (1) Basic Indicator Approach; (2) Standardized Approach; and (3) Advanced Measuring
Approach (AMA).
Along with the gradual development of complexity of their systems and operational risk

measuring rules, banks are encouraged shifting to the use of more complex measuring modes
among the array of approaches above. Criteria for a bank to be eligible to use Standardized
Approach and AMA involve:
✓ Banks operating on a globe scale and banks with high rates of risks (e.g. banks
specializing in payment operations) should apply the approaches so as to conform to the rates of
risks and complexity of banks. A bank will be permitted to apply Basic Indicator Approach or
Standardized Approach to some sectors of operation and AMA to others, provided that this bank
must meet the certain minimum criteria.
✓ Banks must not select to revert to a simpler measuring approach when having been
applying a more advanced approach, without approval from bank management bodies. In
addition, once it is determined by bank management bodies that a bank, that is applying an
advanced approach, no more meets the criteria for such as an approach, the bank may be
requested to revert to the application of simpler approaches to several or all areas of operation of
the bank until the bank satisfies the conditions as laid down by bank management bodies for
using any more advanced approaches.
19
CHAPTER 2: RESEARCH METHODOLOGY
1. Introduction of research field of LienVietPostBank
1.1. Brief outline and history
Name: LienViet Joint Stock Commercial Bank.
Abbreviated name: LienVietPostBank
Address: No. 32 Nguyen Cong Tru, 1 Ward, Vi Thanh City, Hau Giang Province
President of Board of Directors: Mr. Duong Cong Minh.
General Director: Mr. Le Hong Phong.
Tel: 0711.627 0668 / 04.62 668 668 Fax: 0711.358 1737 / 04.62 669 669
Website: www.lienvietbank.net
License No.: 91/GP-NHNN issued by State Bank of Vietnam on 28/03/2009.
LienViet Joint Stock Commercial Bank (LienVietPostBank), its forerunner:
LienVietBank, was established under License for Establishment and Operation No. 91/GP-
NHNN dated 28/03/2009 of Governor of the State Bank of Vietnam.

In 2012, with the investment of Vietnam Post and Telecom Corporation in
LienVietPostBank by the value of Vietnam Postal Savings Services Company (VPSC) and cash,
LienVietPostBank was permitted by the Prime Minister and Governor of the State Bank of
Vietnam to rename LienViet Joint Stock Commercial Bank. Along with this, Vietnam Post and
Telecom Corporation became the biggest shareholder of LienVietPostBank.
The shareholders as founders of LienVietPostBank include Him Lam Joint Stock
Company, Saigon Trading Group (SATRA) and Southern Airport Services Company (SASCO).
Currently, with its chartered capital of 6,460 billion dong, LienVietPostBank is one among the
ten biggest commercial banks in Vietnam.
Shareholders and strategic partners of LienVietPostBank include major financial-banking
institutions operating in Vietnam and abroad such as Vietnam Bank for Agriculture and Rural
Development (Agribank), Wells Fargo (USA), Credit Suisse (Switzerland), Oracle Financial
Services Software Limited…
LienVietPostBank has oriented to build its strong trade name based on promoting internal
forces, transparent and social-related operations.
1.2. Scope of business
In banking sector, the LienVietPostBank’s activities cover:
+ Mobilizing capital from activities of receiving money, issuing deposit money
certificates, bonds and valuable papers, borrowed capital from financial institutions, short-term
borrowed capital from State Bank of Vietnam, and other forms of capital mobilization as
stipulated;
20