Operational Risk
Yerramraju
Category: Education | License: All Rights Reserved | Added: July 08, 2009

Presentation Transcript

Operational Risk Management
Dr. B. Yerram Raju, Regional Director, Professional Risk Managers’ International Association, Hyderabad Chapter
www.prmia.org

Acknowledgement
- David Millar, CEO, PRMIA, Wilmington, De, USA
- PRMIA global Survey on Operational Risk, July 2008
- BearingPoint, UK – Risk Centre
- Jorg Hoshagen, Head of KPMG’s Basel Initiative
- C-EBS (The Committee of European Banking Supervisors) Survey of OR, July 2008 (www.c-ebs.org Charles Andrews: Global Business Development: 01.06.2008)

Agenda
- What is Operational Risk? Definition
- Some notable operational losses
- Basel II and Operational Risk
- Key Drivers in Implementation
- Key Risk Indicator Programmes
- Risk Mitigants
- Some Modeling techniques in use
- The Seven pitfalls

Definition
Regulatory definition: “The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.”
- People Risk
- Processes Risk
- Technology Risk
- External Risk

Some notable operational losses

Slide 6
“Business is all about taking and managing risk. What is bad is: risk that is mismanaged, misunderstood, mispriced and unintended.” - Courtesy: Royal Bank of Canada

Drivers of risk management
- Regulatory drivers
  - Local
  - Regional
  - Global
- Business drivers
  - Increased profitability
  - Reduced losses
  - Improved reputation (customers, public and analysts)
  - Credit agency ratings
- Stick and Carrot
- With the objective of managing risk, not eliminating it

Regulatory drivers

Business drivers

Developments in Risk Management – people, process and systems considerations
Types of Risk

Can we categorise risks?
Diagram labels: Strategic Risks; Financial Risks; Procedural Risks; Credit; Market; Pricing; Interest Rate; Liquidity; Asset & Liability; Systemic; Operational; Disaster; Fraud; Terrorism; Project; Contractual; Regulatory; Reputational; Pandemic; Legal; Environment; Government; Enterprise Risk; Other Risks; Risk assessments, indicators, controls and loss event data; Business decisions; Poor direction; Competition; New technology

Basel II Risk Coverage
Diagram labels: Strategic Risks; Financial Risks; Operational Risk; Credit Risk; Market Risk – Pricing, Interest Rate, Liquidity; Asset & Liability; Systemic; Disaster; Fraud; Terrorism; Project; Contractual / Legal; Regulatory; Reputational; Pandemic; Environment; Government; Enterprise Risk; Other Risks; Risk assessments, indicators, controls and loss event data; Business decisions; Poor direction; Competition; New technology

Risk needs to be Categorised: Basel II
- Credit Risk: Counterparty categorisation, loan description, probability of default, expected loss, loss given default.
- Market Risk: Trade details, market variables, probability calculations.
- Operational Risk: Risk categories, event categories, probabilities, controls (descriptions, costs, effectiveness, etc), expected losses, unexpected losses, actual losses, indicators, responsibilities and authorisations, etc.

Operational risk categorisation frameworks can be complex
+ Risk Indicators (KRIs)

Financial risk management environment
Diagram labels: Daily transaction data; 5 years transaction data; Core processing systems; Capital calculations, risk metrics, ALM, etc; Internal ratings, etc; High-tech, fast throughput, transaction processing

Operational risk management environment
Getting risk data from the … … bottom (the point of incident) … to the top (for analysis) … is key.
Diagram labels: EVENTS; RISKS; MITIGATION; ASSESSMENT; FEEDBACK; … through layers of management …

Technical implications
- Financial (credit, market, liquidity, etc) risk
  - Real-time
  - High availability
  - High performance requirements
  - Automated input, few users
  - Very large amounts of relatively simple data
  - Kept for a long time (5 years)
  - Data comes from existing core systems
- Non-financial (operational) risk
  - Once a day for input, once a month for reporting
  - Low performance requirements
  - Manual input, many users
  - Relatively small amounts of fairly complex data
  - Kept for a very long time (at least five years)
  - New data collection systems need to be developed

Risk catalogue for Business Unit A
- People Risk: Incompetence Inadequate Head Counts Key Personnel Management Communication
- Process Risk
  - A. Model Risk: Model or Methodology Error; Pricing or Mark-to-Model Error; Availability of Loss Reserves; Model Complexity
  - B. Transaction Risk: Execution Error; Booking Error; Collateral, Confirmation, Matching, and Netting Error; Product Complexity
  - C. Operations Control Risk: Limit Exceedances; Volume Risk; Security Risk; Position Reporting Risk; Profit and Loss Reporting Risk
- Technology Risk: Systems Failure; Network Failure; Systems inadequacy; Compatibility Risk; Supplier/Vendor Risk
- Further entries (column placement not recoverable from the slide): Internal Politics; Conflict of Interest; Lack of Cooperation; Collusion and Connivance; Fraud; Capacity Risk; Valuation Risk; Erroneous Disclosure Risk; Fraud; Programming Error; Data Corruption; Disaster Recovery Risk; Systems Age; Systems Support

Developments in Risk Management – people, process and systems considerations
Risk and Capital

What is capital?
The net worth of a business; i.e. the amount by which its assets exceed its liabilities
Diagram labels: Assets; Investments; Capital; Liabilities; Gearing; Leverage; Equity; Debt; Earnings; Balance Sheet
Capital covers risk …
Chart: Non Financial Firms – Risk Cover. Source: after Marshall, Operational Risks, 2001
Chart labels: Severity of Loss Frequency of Loss Expected Losses Unexpected Losses Catastrophic Losses Pricing Debt/Bond Holders Equity Capital Risks Reserve Financing

Banks are very different
Diagram labels: Assets; Investments; Capital; Liabilities; Equity; Debt; Earnings; Balance Sheet; Gearing; Leverage
- Bank assets are risk assets
- Bank liabilities are deposits
- Bank capital most exposed to asset value changes

A different level of risk cover …
Chart: Financial Firms – Risk Cover
Chart labels: Severity of Loss Frequency of Loss Expected Losses Unexpected Losses Catastrophic Losses Pricing Public Risks Economic Capital Debt/Bond Holders

Cross-border implications
1. There is no international jurisdiction. Regulations (global or local) implemented by local courts or regulators.
2. International implications are enforced by:
  - Agreement by local bodies that they will implement international regulations (i.e. Basel II but also such as transport regulations), sometimes with local variations
  - A local regulator imposing regulations on the local branch of an overseas company so that the implications extend to the home country and other branches, i.e. money laundering regulations, Anti-Money Laundering Act, Australia’s Foreign Trade Practices Act, etc
  - An overseas company taking advantage of national facilities (i.e. listing on their stock exchange) which then convey obligations across the whole company, i.e. Sarbanes-Oxley

Bank Capital …
- … differs from a non financial firm’s capital: it protects against future, unidentified risks and losses while enabling the bank to operate at the same level.
- … strengthens the stability and soundness of the (international) banking system and, if applied universally, the competitive inequality among banks is diminished.
- So banks simply need to cover themselves against the risk of insolvency due to losses exceeding allocated capital.
- Banks manage risks; regulators decided on an arbitrary capital to risk asset ratio: there is no correct answer.
- “Capital adequacy” for banks was conceived in 1988 (the Cooke Committee, to become the Basel Committee on Banking Regulations and Supervisory Practices).

But Basel Capital Adequacy is not all
… Regardless of capital approaches all Basel II compliant organisations must develop: an appropriate risk management environment, risk identification, assessment, monitoring and mitigation/control, regular independent evaluation of policies, procedures and practices, and make sufficient public disclosure to allow the market to assess their approach to operational risk management.

Developments in Risk Management – people, process and systems considerations
Current Implementation considerations

Implementation
- Risk theories and regulations
- A risk culture
- Processes, tools and capital allocation
- Rollout considerations
- Ongoing maintenance and improvement

Commitment
Commitment on risk management is needed from:
- Owners/shareholders
- The Board
- Senior management
- Departmental managers
- Audit, asset and liability management and compliance
- Human resources
- Staff
- Geographies

Why are Risk Cultures important?
- Risks are managed by people
- People can apply standards with greater or lesser degrees of efficiency – or they can make mistakes
- People must apply the appropriate risk management standards to the best of their ability
- Regulators appreciate that the best standards and guidelines are only effective if implemented correctly – and with diligence and enthusiasm.
- Regulators will therefore test an organisation’s risk culture along with its risk standards, best practices, capital robustness and disclosure procedures.

Building a risk culture
- An internal risk culture is the sum of the individual and corporate values, attitudes, competencies and behaviour that determine commitment to and style of risk management.
- It includes both an enterprise-wide risk and an internal control culture
- It requires clear lines of responsibility, segregation of duties and effective internal reporting
- It requires high standards of ethical behaviour at all levels
- Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture
- It is the responsibility of both the board and senior management

Attributes of a risk management culture
- Attention is paid to quantifiable and unquantifiable risks.
- All risks are identified, reported and quantified.
- Awareness of risk through performance measurement, risk-adjusted pricing, pay structures and forecasting.
- Risk management is accepted as everyone’s responsibility.
- Risk managers have teeth.
- The enterprise avoids what it doesn’t understand.
- Uncertainty is accepted.
- Risk managers are monitored.
- Risk management is not to stop people from taking risks but to create value, by enhancing the chances of success.
- The risk culture is defined, the risk appetite is understood.
Source: Operational Risk Management, PWC, November 2003 (abbreviated)

Examples of staff risk culture
All staff know:
- What a risk control or risk event is
- Why they exist
- What their risk responsibilities are
- Prime and alternative reporting routes
- What happens to their reports
- What was the result of “their” event’s mitigation
- What the institution’s risk status is (overall and their part)
- How it is improving (or getting worse)
- What their risk training plan is

An Instance
UTI Dividend warrants issued through a leading public sector bank in North East got encashed in down South – Karnataka and Andhra Pradesh by opening dummy accounts. Here is the OR – related to people and technology. How much people know of instruments and technology is important.

Examples of management risk culture
All Board and senior management know:
- What the institution’s risk policy is
- What their risk appetite is
- What their own risk responsibilities are
- What major risk controls have been infringed or what risk events have taken place
- What cumulative risk situations have accumulated
- What the institution’s risk status is
- How it is improving (or getting worse)
- What the business impacts are

… and finally
Talk to the supervisors
- Regulations are interpreted and implemented by regulators, central banks and supervisors
- They will have national interpretations – and local preferences and good practices
- They are responsible for cross-border cooperation and interpretation
- They will set implementation practices – rule and regulation based – or risk and principle based
- Because commitment to the regulations is their primary function, whereas, for the bank it is a secondary activity

Developments in Risk Management – people, process and systems considerations
… and what of the future?
What has the sub-prime crisis taught us?
- We have not solved liquidity risk
  - How to model it?
  - What is its impact on credit and market risk?
  - How to put capital aside?
- Are Rating Agencies the right measurement?
  - Are they trustworthy?
  - They are paid by the sellers of instruments
  - Rating agency arbitrage
- Is operational risk-derived capital enough?
  - Is bad rating an op risk?
  - Is bad loan management an op risk?

Top six lessons learned by global banks
- Liquidity is king. Why the market seriously underestimated the paramount importance of liquidity.
- Risk must be embedded institutionally. How risk is now everyone’s business and that this shift in attitude will demand deep cultural change.
- Stay attuned to industry dynamics. Buoyant markets and complacency diverted attention from predictable cyclical corrections and their devastating impact.
- Don’t underestimate the “people factor.” Learn how the crisis highlighted the need for skilled people who can exercise seasoned judgment across functions and on the front lines.
- Prepare for the unexpected. Investment is needed in comprehensive predictive models and new approaches to scenario-planning and stress-testing.
- Avoid over-reliance on rating agencies. Respondents indicated that they can no longer afford to bypass their own independent analyses and unquestioningly accept the findings of third-party rating agencies.
Source: Ernst & Young Survey June 2009

Risk models have not yet been tested
- First banks move to advanced methods in 2008
- No one is comparing model performance
- Will the US come into line?
- Can Basel survive double standards?
- Does scenario testing work?
- How long before we have sufficient data?
- Will models be rated? If so, by whom?

A global operational risk standard?
- There is no common practice for:
  - Risk and event categorisation
  - Risk assessment
- Global operational risk databases are limited
  - ORX, what else?
- How to compare bank v bank?
- How do we merge operational risk data?
- Cross-border comparison

Slide 42: Seven Deadly Sins

1. Waiting for regulators to provide detailed guidelines and lay out an implementation road map
- A notice from regulator would at best provide additional direction in Basel II implementation
- Delaying for want of guidelines would only delay putting on mat the loss data for the last five years
- Doing bare minimum would not help as risk would be only waiting in one corner to hit the institution
- Advance preparation would speed up a robust compliance framework.

2. Failure to understand overlap among regulatory initiatives or dealing with them in Silos
- Basel II is but one compliance task towering over financial institutions.
- Focusing on identifying risk of loss and managing the residual risk that can never be fully controlled as their level of granularity differs require the same set of actions.
- Linkages among the Risk adjusted Return on Capital (RAROC) and the guidelines of the regulator on Economic Capital need to be understood
- Regulations cannot be treated in isolation

3. Failure to link technology, information, risk management and business
- Knowing the linkage between sets of risk data, credit data and finance data is a critical step in developing a road map for Basel II
- Basel II is fundamentally a business problem that cannot be tackled with technology alone; commensurate changes in business process and culture are essential.
- Ask the Question: What business problem am I trying to solve with the Basel II?

4. Building Basel II infrastructure without data and technical architecture and road maps
- Collection and integration of data in unprecedented depth and detail
- What definitions do you use for the treatment of loss events? One calls a loss internal fraud and another external fraud and the third refers to systemic error.
- Lack of consistent classifications impairs data accuracy.

5. Failure to generate the internal support for smoother implementation
- Risk Management is traditionally synonymous with audit which in itself is a scoring effort.
- Business units have therefore been wary of providing too much information and airing dirty laundry, fearing potential negative consequences of such disclosure.
- Top-down mandate is vital in gaining the organizational participation
- E.g., Fulfillment of OR requirements includes conducting scenario analysis to identify and capture high-severity, low frequency loss events.
- It is important for leadership to be out in front of the effort.

6. Underestimating Cultural Change Basel II requires
- Risk assessment is integral to almost everything individuals do.
- Yet organisations often treat risk as an adjunct added on at the end of a process: ‘Let’s do a risk assessment and see where we are.’ This approach is inadequate in today’s environment.
- Risk must be factored at the beginning of any initiative and must remain a focus throughout.
- The CRO should also be a chief communication officer.

Slide 49
Ask yourself the question: how many institution wide problems were caused due to internal fights and office politics?
Ask yourself these questions as well:
- Through your current finance and accounting systems, do we know for sure where we are generating the greatest revenue for the least amount of risks that we take?
- How quickly can the institution conform to the regulator’s directives (e.g., FAS 133) without unduly taxing its resources and disrupting its day-to-day business operations?
- Can the institution leverage its current resources and technology and enter into a new market without unduly incurring additional expenses? If the answer is negative, there is operational risk in the headline risk categories involving people, process and technology.
- In the past three years, did the increase in expenditure result in increase in market share or revenue to the institution? If the answer is negative again there is OR involving inefficiency and misallocation of precious resources

7. Not correctly factoring Basel II into merger and acquisition strategy
- Financial institutions look at mergers and acquisitions in different ways. Some aspire to acquire. Others look forward to being absorbed by a larger operation.
- A deal may fail because of Basel II related issues
- The Institution may miss out on business value of becoming a more attractive M&A candidate through meeting the rigors of Basel II

Operational Risk Process Models
- How to develop operational risk process models?
- What are the specific quantitative and qualitative tools used by companies today?
- How to link these tools with economic capital allocation?
- What are the actions management can take to mitigate operational risk?
The Overall Process
- Step 1: Establish the objectives and requirements of key stakeholders
- Step 2: Identify the core process that supports these objectives
- Step 3: Define performance and risk metrics, including goals and MAPs (Mgt Authorization Processes)
- Step 4: Implement organizational and risk mitigation strategies

Specific Tools
- Loss incident data base
- Control self-assessment
- Risk mapping
- Key Risk Indicators

Regulatory Capital
- Top Down vs. Bottom Up Approaches
- Proposed Capital Formulas
- The Loss Distribution Approach
- Proposed Capital Relief Formula

Top Down vs. Bottom Up Capital
- TOP DOWN
  - Start with a given aggregate capital amount for the industry
  - Allocate this to risk source: market, credit and operational
  - Allocate each piece to individual financial institutions
- BOTTOM UP
  - Identify each source of risk
  - Develop a method for measuring its magnitude
  - Derive capital from this measure

The Regulatory Capital “Ball Park”
- The regulators have already indicated the ball park for regulatory operational risk capital
- They’ve said the existing Accord already implicitly contemplates operational risk
- Therefore, aggregate regulatory capital should not change with the new capital accord
- In September the BIS suggested that 12% appeared to be a reasonable amount of total existing regulatory capital to associate with operational risk

Proposed Capital Approaches
Diagram labels: Basic Indicator top down Standardized ? Internal Measurement ? Loss Distribution bottom up

Basic Indicator Approach
$K_{BIA} = EI \times \alpha$
Where:
- $K_{BIA}$ = the capital charge under the Basic Indicator Approach
- $EI$ = the level of an exposure indicator for the whole institution, provisionally gross income
- $\alpha$ = a fixed percentage, set by the Committee, relating the industry-wide level of required capital to the industry-wide level of the indicator

Slide 60
Banks using the Basic Indicator Approach have to hold capital for operational risk equal to a fixed percentage (denoted alpha) of a single indicator. The current proposal for this indicator is gross income.
Analysis of QIS data: Basic Indicator Approach (Based on 12% of Minimum Regulatory Capital)
For the Basic Indicator Approach, alphas are calculated as 12 percent of minimum regulatory capital divided by gross income.

Business Lines
- Corporate Finance
- Trading & Sales
- Retail Banking
- Commercial Banking
- Payment and Settlements
- Agency Services & Custody
- Retail Brokerage
- Asset Management

Standardized Approach
$K_{TSA} = \sum (EI_{1-8} \times \beta_{1-8})$
Where:
- $K_{TSA}$ = the capital charge under the Standardized Approach
- $EI_{1-8}$ = the level of an exposure indicator for each of the 8 business lines
- $\beta_{1-8}$ = a fixed percentage, set by the Committee, relating the level of required capital to the level of the gross income for each of the 8 business lines
The total capital charge is calculated as the simple summation of the regulatory capital charges across each of the business lines.
Analysis of QIS data: the Standardized Approach (Based on 12% of Minimum Regulatory Capital)

The Operational Risk Matrix
- BUSINESS LINES: Corporate Finance; Trading & Sales; Retail Banking; Commercial Banking; Payment and Settlements; Agency Services & Custody; Retail Brokerage; Asset Management
- EVENT TYPES: Internal Fraud; External Fraud; Employment Practices; Clients, Products ...; Damage to Physical …; Business Disruption ...; Execution …

Examples of Operational Risk
Business Area: Processes
Potential Risks:
- Breach of mandate
- Incorrect/untimely transaction capture, execution and settlement
- Loss of client assets
- Mis-pricing
- Incorrect asset allocation
- Compliance issues
- Corporation action errors
- Stock lending errors
- Accounting and Taxation errors
- Inadequate record keeping
- Subscription and redemption errors

Examples of Operational Risk
Business Area: People
Potential Risks:
- Unauthorised trading
- Insider trading
- Fraud
- Employees illness and injury
- Discrimination Claims
- Compensation, benefit and termination issues
- Problems recruiting or retaining staff
- Organised labour activity
- Other legal issues

The Internal Measurement Approach
$K_{IMA} = \sum (EI_{ij} \times PE_{ij} \times LGE_{ij} \times \gamma_{ij})$
Where:
- $K_{IMA}$ = the capital charge under the Internal Measurement Approach
- $EI_{ij}$ = the level of an exposure indicator for each business line and event type combination
- $PE_{ij}$ = the probability of an event given one unit of exposure, for each business line and event type combination
- $LGE_{ij}$ = the average size of a loss given an event for each business line and event type combination
- $\gamma_{ij}$ = the ratio of capital to expected loss for each business line and event type combination
$\gamma_{ij}$ could be an industry-wide number developed by the regulator, or it could be an institution specific number developed by individual institutions.

The Loss Distribution Approach
- Background
  - Used by the Most Sophisticated Banks
  - Requires Advanced Knowledge and Lots of Data
- Brief Overview
  - Requires plenty of data
  - Based on the Collective Risk model
  - Is as much an art as it is a science
  - Graphical illustration of required capital

An LDA Requires Plenty of Data
1. Severity ----Frequency ----Time Trigger
2. Loss Event Type Risk Transfer / Relief Indicator (s) e.g. Premiums / Limits
3. Gross Loss -Type of Relief / Policy -Exposure Indicator (s) -Adjusted Net Loss (Discounted Currency adjusted incl. Risk Transfer)
4. Business Line -Loss Effect Type

The Collective Risk Model
$C = X_1 + X_2 + X_3 + \dots + X_N$
Where $N$ is the frequency distribution, $X$ is the severity distribution, and $C$ is the aggregate loss distribution.
- A separate model should be fit for each homogeneous grouping of data; hopefully these might correspond to the business line / event type combinations stipulated by regulators
- The model has some nice mathematical properties:
  - $E[C] = E[N] \times E[X]$
  - $VAR[C] = E[N] \times VAR[X] + E[X]^2 \times VAR[N]$
  - Assuming $N$ is Poisson: $VAR[C] = E[N] \times (VAR[X] + E[X]^2)$

Art More than Science
- External Data
- Scenario Analysis
- Expert Opinion
- Adjustments for Changes in Risk Management Policies
- Adjustments for Insurance

Desired Cultural Attitudes
- Accountability
- Integrity
- Focus on standards
- Continuous and open communication
- Intolerance for non-compliance
- Consistent decisions
- Teamwork

To Sum up…
- Effective Management of ‘OR’ would help in minimizing regulatory capital
- Validation is one of the greatest challenges
- Ratings reflect a bank’s assessment of a borrower’s ability to perform under adverse economic circumstances
- Do not underestimate cultural changes

Thank you
www.prmia.org
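The Collective Risk Model slide gives E[C], VAR[C] and the Poisson shortcut; the following added example (not part of the original presentation) checks those formulas by simulation and shows the shortcut understating variance, and so the capital quantile, when loss frequency is overdispersed. The lognormal severity, the gamma-mixed frequency, every parameter value and the 99.9% quantile level are assumptions chosen for illustration.

```python
"""Collective risk model C = X1 + ... + XN: slide formulas checked by simulation.
All parameter values below are constructed for illustration (assumptions)."""
import math
import random

LAM, MU, SIGMA = 12.0, 10.0, 0.5   # constructed: events/year, lognormal severity
SHAPE = 4.0                        # constructed: gamma mixing => overdispersed N
LEVEL = 0.999                      # assumed confidence level for the capital quantile


def lognormal_moments(mu, sigma):
    """E[X] and VAR[X] for a lognormal severity X."""
    mean = math.exp(mu + sigma ** 2 / 2)
    var = (math.exp(sigma ** 2) - 1) * math.exp(2 * mu + sigma ** 2)
    return mean, var


def aggregate_moments(n_mean, n_var, x_mean, x_var):
    """General case: E[C] = E[N]E[X], VAR[C] = E[N]VAR[X] + E[X]^2 VAR[N]."""
    return n_mean * x_mean, n_mean * x_var + x_mean ** 2 * n_var


def poisson_variance(n_mean, x_mean, x_var):
    """Poisson shortcut (VAR[N] = E[N]): VAR[C] = E[N](VAR[X] + E[X]^2)."""
    return n_mean * (x_var + x_mean ** 2)


def sample_poisson(rng, lam):
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit, count, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        count += 1
        prod *= rng.random()
    return count


def simulate_years(seed, n_years, lam, mu, sigma, shape=None):
    """Annual aggregate losses. shape=None gives Poisson frequency; otherwise the
    rate is gamma-mixed each year, so VAR[N] = lam + lam^2/shape > E[N]."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_years):
        rate = lam if shape is None else rng.gammavariate(shape, lam / shape)
        events = sample_poisson(rng, rate)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def summarize(totals, level):
    """Sample mean, sample variance and empirical quantile of annual losses."""
    n = len(totals)
    mean = sum(totals) / n
    var = sum((c - mean) ** 2 for c in totals) / (n - 1)
    quantile = sorted(totals)[min(n - 1, math.ceil(level * n) - 1)]
    return mean, var, quantile


def run(n_years=20000, seed=2009):
    """Compare analytic and simulated moments for both frequency models."""
    x_mean, x_var = lognormal_moments(MU, SIGMA)
    results = {}
    for name, shape in (("poisson", None), ("overdispersed", SHAPE)):
        n_var = LAM if shape is None else LAM + LAM ** 2 / shape
        exp_mean, exp_var = aggregate_moments(LAM, n_var, x_mean, x_var)
        sim_mean, sim_var, q = summarize(
            simulate_years(seed, n_years, LAM, MU, SIGMA, shape), LEVEL)
        results[name] = {
            "analytic_mean": exp_mean, "analytic_var": exp_var,
            "sim_mean": sim_mean, "sim_var": sim_var,
            # Unexpected loss: distance from the mean to the chosen quantile.
            "quantile": q, "unexpected_loss": q - sim_mean,
        }
    results["poisson_shortcut_var"] = poisson_variance(LAM, x_mean, x_var)
    return results


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Both frequency models have the same E[N], so E[C] is unchanged; only the VAR[N] term, and with it the tail quantile, moves.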
Operational Risk Yerramraju Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 4296 Category: Education License: All Rights Reserved Like it (5) Dislike it (0) Added: July 08, 2009 This Presentation is Public Favorites: 3 Presentation Description No description available. Comments Posting comment... By: benyah (7 month(s) ago) Great presentation. Kindly sent a copy to my email address jbenyah@gmail.com Thanks Saving..... Post Reply Close Saving..... Edit Comment Close By: benyah (7 month(s) ago) Wonderful presentation. Saving..... Post Reply Close Saving..... Edit Comment Close By: djawad_b (14 month(s) ago) Hello An excellent presentation. I would appreciate if you could send me a copy please to my email: djawad_b@hotmail.com Thank you. Saving..... Post Reply Close Saving..... Edit Comment Close By: Eshansh (14 month(s) ago) Hello Sir Very nice and informative presentation covering a lot of aspects, would be grateful if you would send a copy at Eshansh@gmail.com Thankyou Saving..... Post Reply Close Saving..... Edit Comment Close By: maria_papa (16 month(s) ago) Really helpfull! Thank you! Saving..... Post Reply Close Saving..... Edit Comment Close loading.... See all Premium member Presentation Transcript Operational Risk Management : Operational Risk Management Dr. B. 
Yerram Raju, Regional Director, Professional Risk Managers’ International Association, Hyderabad Chapter www.prmia.org Acknowledgement : Acknowledgement David Millar, CEO, PRMIA, Wilmington, De, USA PRMIA global Survey on Operational Risk, July 2008 BearingPoint, UK – Risk Centre Jorg Hoshagen, Head of KPMG’s Basel Initiative C-EBS (The Committee of European Banking Supervisors) Survey of OR, July 2008 (www.c-ebs.org Charles Andrews: Global Business Development: 01.06.2008) Agenda : Agenda What is Operational Risk? Definition Some notable operational losses Basel II and Operational Risk Key Drivers in Implementation Key Risk Indicator Programmes Risk Mitigants Some Modeling techniques in use The Seven pitfalls Definition : Definition Regulatory definition “The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” People Risk Processes Risk Technology Risk External Risk Some notable operational losses : Some notable operational losses Slide 6: “Business is all about taking and managing risk. What is bad is: risk that is mismanaged, misunderstood, mispriced and unintended.” - Courtesy:Royal Bank of Canada Drivers of risk management : Drivers of risk management Regulatory drivers Local Regional Global Business drivers Increased profitability Reduced losses Improved reputation (customers, public and analysts) Credit agency ratings Stick and Carrot With the objective of managing risk, not eliminating it Regulatory drivers : Regulatory drivers Business drivers : Business drivers Developments in Risk Management – people, process and systems considerations Types of Risk : Developments in Risk Management – people, process and systems considerations Types of Risk Can we categorise risks? : Can we categorise risks? 
Diagram labels: Strategic Risks, Financial Risks, Procedural Risks, Credit, Market, Pricing, Interest Rate, Liquidity, Asset & Liability, Systemic, Operational, Disaster, Fraud, Terrorism, Project, Contractual, Regulatory, Reputational, Pandemic, Legal, Environment, Government, Enterprise Risk, Other Risks, Risk assessments, indicators, controls and loss event data, Business decisions, Poor direction, Competition, New technology

Basel II Risk Coverage
Diagram labels: Strategic Risks, Financial Risks, Operational Risk, Credit Risk, Market Risk – Pricing, Interest Rate, Liquidity, Asset & Liability, Systemic, Disaster, Fraud, Terrorism, Project, Contractual / Legal, Regulatory, Reputational, Pandemic, Environment, Government, Enterprise Risk, Other Risks, Risk assessments, indicators, controls and loss event data, Business decisions, Poor direction, Competition, New technology

Risk needs to be Categorised: Basel II
- Credit Risk: Counterparty categorisation, loan description, probability of default, expected loss, loss given default.
- Market Risk: Trade details, market variables, probability calculations.
- Operational Risk: Risk categories, event categories, probabilities, controls (descriptions, costs, effectiveness, etc), expected losses, unexpected losses, actual losses, indicators, responsibilities and authorisations, etc.

Operational risk categorisation frameworks can be complex
+ Risk Indicators (KRIs)

Financial risk management environment
Diagram labels: Daily transaction data, 5 years transaction data, Core processing systems, Capital calculations, risk metrics, ALM, etc, Internal ratings, etc, High-tech, fast throughput, transaction processing

Operational risk management environment
Getting risk data from the … bottom (the point of incident) … to the top (for analysis) … is key.
Diagram labels: EVENTS, RISKS, MITIGATION, ASSESSMENT, FEEDBACK … through layers of management …

Technical implications
Financial (credit, market, liquidity, etc) risk
- Real-time
- High availability
- High performance requirements
- Automated input, few users
- Very large amounts of relatively simple data
- Kept for a long time (5 years)
- Data comes from existing core systems
Non-financial (operational) risk
- Once a day for input, once a month for reporting
- Low performance requirements
- Manual input, many users
- Relatively small amounts of fairly complex data
- Kept for a very long time (at least five years)
- New data collection systems need to be developed

Risk catalogue for Business Unit A
- People Risk: Incompetence, Inadequate Head Counts, Key Personnel, Management, Communication
- Process Risk
  - A. Model Risk: Model or Methodology Error, Pricing or Mark-to-Model Error, Availability of Loss Reserves, Model Complexity
  - B. Transaction Risk: Execution Error, Booking Error, Collateral, Confirmation, Matching, and Netting Error, Product Complexity
  - C. Operations Control Risk: Limit Exceedances, Volume Risk, Security Risk, Position Reporting Risk, Profit and Loss Reporting Risk
- Technology Risk: Systems Failure, Network Failure, Systems inadequacy, Compatibility Risk, Supplier/Vendor Risk
- Further entries: Internal Politics, Conflict of Interest, Lack of Cooperation, Collusion and Connivance, Fraud, Capacity Risk, Valuation Risk, Erroneous Disclosure Risk, Fraud, Programming Error, Data Corruption, Disaster Recovery Risk, Systems Age, Systems Support

Developments in Risk Management – people, process and systems considerations
Risk and Capital

What is capital?
The net worth of a business; i.e. the amount by which its assets exceed its liabilities
Diagram labels: Balance Sheet, Assets, Investments, Capital, Liabilities, Equity, Debt, Earnings, Gearing, Leverage
Capital covers risk …
Source: after Marshall, Operational Risks, 2001
Chart labels: Severity of Loss, Frequency of Loss, Expected Losses, Unexpected Losses, Catastrophic Losses, Pricing, Debt/Bond Holders, Equity Capital, Risks Reserve, Financing, Non Financial Firms – Risk Cover

Banks are very different
Diagram labels: Balance Sheet, Assets, Investments, Capital, Liabilities, Equity, Debt, Earnings, Gearing, Leverage
- Bank assets are risk assets
- Bank liabilities are deposits
- Bank capital most exposed to asset value changes

A different level of risk cover …
Chart labels: Severity of Loss, Frequency of Loss, Expected Losses, Unexpected Losses, Catastrophic Losses, Pricing, Public Risks, Economic Capital, Debt/Bond Holders, Financial Firms – Risk Cover

Cross-border implications
1. There is no international jurisdiction. Regulations (global or local) are implemented by local courts or regulators.
2. International implications are enforced by:
  - Agreement by local bodies that they will implement international regulations (i.e. Basel II but also such as transport regulations), sometimes with local variations
  - A local regulator imposing regulations on the local branch of an overseas company so that the implications extend to the home country and other branches, i.e. money laundering regulations, Anti-Money Laundering Act, Australia’s Foreign Trade Practices Act, etc
  - An overseas company taking advantage of national facilities (i.e. listing on their stock exchange) which then convey obligations across the whole company, i.e. Sarbanes-Oxley

Bank Capital …
- … differs from a non financial firm’s capital: it protects against future, unidentified risks and losses while enabling the bank to operate at the same level.
- … strengthens the stability and soundness of the (international) banking system and, if applied universally, the competitive inequality among banks is diminished.
- So banks simply need to cover themselves against the risk of insolvency due to losses exceeding allocated capital.
- Banks manage risks; regulators decided on an arbitrary capital to risk asset ratio: there is no correct answer.
- “Capital adequacy” for banks was conceived in 1988 (the Cooke Committee, to become the Basel Committee on Banking Regulations and Supervisory Practices).

But Basel Capital Adequacy is not all
… Regardless of capital approaches all Basel II compliant organisations must develop:
- an appropriate risk management environment,
- risk identification, assessment, monitoring and mitigation/control,
- regular independent evaluation of policies, procedures and practices,
- and make sufficient public disclosure to allow the market to assess their approach to operational risk management.

Developments in Risk Management – people, process and systems considerations
Current Implementation considerations

Implementation
- Risk theories and regulations
- A risk culture
- Processes, tools and capital allocation
- Rollout considerations
- Ongoing maintenance and improvement

Commitment
Commitment on risk management is needed from:
- Owners/shareholders
- The Board
- Senior management
- Departmental managers
- Audit, asset and liability management and compliance
- Human resources
- Staff
- Geographies

Why are Risk Cultures important?
- Risks are managed by people
- People can apply standards with greater or lesser degrees of efficiency – or they can make mistakes
- People must apply the appropriate risk management standards to the best of their ability
- Regulators appreciate that the best standards and guidelines are only effective if implemented correctly – and with diligence and enthusiasm.
- Regulators will therefore test an organisation’s risk culture along with its risk standards, best practices, capital robustness and disclosure procedures.

Building a risk culture
- An internal risk culture is the sum of the individual and corporate values, attitudes, competencies and behaviour that determine commitment to and style of risk management.
- It includes both an enterprise-wide risk and an internal control culture
- It requires clear lines of responsibility, segregation of duties and effective internal reporting
- It requires high standards of ethical behaviour at all levels
- Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture
- It is the responsibility of both the board and senior management

Attributes of a risk management culture
- Attention is paid to quantifiable and unquantifiable risks.
- All risks are identified, reported and quantified.
- Awareness of risk through performance measurement, risk-adjusted pricing, pay structures and forecasting.
- Risk management is accepted as everyone’s responsibility.
- Risk managers have teeth.
- The enterprise avoids what it doesn’t understand.
- Uncertainty is accepted.
- Risk managers are monitored.
- Risk management is not to stop people from taking risks but to create value, by enhancing the chances of success.
- The risk culture is defined, the risk appetite is understood.
Source: Operational Risk Management, PWC, November 2003 (abbreviated)

Examples of staff risk culture
All staff know:
- What a risk control or risk event is
- Why they exist
- What their risk responsibilities are
- Prime and alternative reporting routes
- What happens to their reports
- What was the result of “their” event’s mitigation
- What the institution’s risk status is (overall and their part)
- How it is improving (or getting worse)
- What their risk training plan is

An Instance
- UTI Dividend warrants issued through a leading public sector bank in North East got encashed in down South – Karnataka and Andhra Pradesh by opening dummy accounts.
- Here is the OR – related to people and technology.
- How much people know of instruments and technology is important.

Examples of management risk culture
All Board and senior management know:
- What the institution’s risk policy is
- What their risk appetite is
- What their own risk responsibilities are
- What major risk controls have been infringed or what risk events have taken place
- What cumulative risk situations have accumulated
- What the institution’s risk status is
- How it is improving (or getting worse)
- What the business impacts are

… and finally
Talk to the supervisors
- Regulations are interpreted and implemented by regulators, central banks and supervisors
- They will have national interpretations – and local preferences and good practices
- They are responsible for cross-border cooperation and interpretation
- They will set implementation practices – rule and regulation based – or risk and principle based
- Because commitment to the regulations is their primary function, whereas, for the bank it is a secondary activity

Developments in Risk Management – people, process and systems considerations
… and what of the future?
What has the sub-prime crisis taught us?
- We have not solved liquidity risk
  - How to model it?
  - What is its impact on credit and market risk?
  - How to put capital aside?
- Are Rating Agencies the right measurement?
  - Are they trustworthy?
  - They are paid by the sellers of instruments
  - Rating agency arbitrage
- Is operational risk-derived capital enough?
  - Is bad rating an op risk?
  - Is bad loan management an op risk?

Top six lessons learned by global banks
- Liquidity is king. Why the market seriously underestimated the paramount importance of liquidity.
- Risk must be embedded institutionally. How risk is now everyone’s business and that this shift in attitude will demand deep cultural change.
- Stay attuned to industry dynamics. Buoyant markets and complacency diverted attention from predictable cyclical corrections and their devastating impact.
- Don’t underestimate the “people factor.” Learn how the crisis highlighted the need for skilled people who can exercise seasoned judgment across functions and on the front lines.
- Prepare for the unexpected. Investment is needed in comprehensive predictive models and new approaches to scenario-planning and stress-testing.
- Avoid over-reliance on rating agencies. Respondents indicated that they can no longer afford to bypass their own independent analyses and unquestioningly accept the findings of third-party rating agencies.
Source: Ernst & Young Survey June 2009

Risk models have not yet been tested
- First banks move to advanced methods in 2008
- No one is comparing model performance
- Will the US come into line?
- Can Basel survive double standards?
- Does scenario testing work?
- How long before we have sufficient data?
- Will models be rated? If so, by whom?

A global operational risk standard?
- There is no common practice for:
  - Risk and event categorisation
  - Risk assessment
- Global operational risk databases are limited
  - ORX, what else?
- How to compare bank v bank?
- How do we merge operational risk data?
- Cross-border comparison

Slide 42
Seven Deadly Sins

1. Waiting for regulators to provide detailed guidelines and lay out an implementation road map
- A notice from the regulator would at best provide additional direction in Basel II implementation
- Delaying for want of guidelines would only delay putting on the mat the loss data for the last five years
- Doing the bare minimum would not help, as risk would only be waiting in one corner to hit the institution
- Advance preparation would speed up a robust compliance framework.

2. Failure to understand overlap among regulatory initiatives or dealing with them in Silos
- Basel II is but one compliance task towering over financial institutions.
- Focusing on identifying risk of loss and managing the residual risk that can never be fully controlled as their level of granularity differs require the same set of actions.
- Linkages among the Risk adjusted Return on Capital (RAROC) and the guidelines of the regulator on Economic Capital need to be understood
- Regulations cannot be treated in isolation

3. Failure to link technology, information, risk management and business
- Knowing the linkage between sets of risk data, credit data and finance data is a critical step in developing a road map for Basel II
- Basel II is fundamentally a business problem that cannot be tackled with technology alone; commensurate changes in business process and culture are essential.
- Ask the question: What business problem am I trying to solve with Basel II?

4. Building Basel II infrastructure without data and technical architecture and road maps
- Collection and integration of data in unprecedented depth and detail
- What definitions do you use for the treatment of loss events? One calls a loss internal fraud and another external fraud and the third refers to systemic error.
- Lack of consistent classifications impairs data accuracy.

5. Failure to generate the internal support for smoother implementation
- Risk Management is traditionally synonymous with audit which in itself is a scoring effort.
- Business units have therefore been wary of providing too much information and airing dirty laundry, fearing potential negative consequences of such disclosure.
- Top-down mandate is vital in gaining the organizational participation
- E.g., fulfillment of OR requirements includes conducting scenario analysis to identify and capture high-severity, low frequency loss events.
- It is important for leadership to be out in front of the effort.

6. Underestimating Cultural Change Basel II requires
- Risk assessment is integral to almost everything individuals do.
- Yet organisations often treat risk as an adjunct added on at the end of a process: ‘Let’s do a risk assessment and see where we are.’ This approach is inadequate in today’s environment.
- Risk must be factored in at the beginning of any initiative and must remain in focus throughout.
- The CRO should also be a chief communication officer.

Slide 49
Ask yourself the question: how many institution-wide problems were caused by internal fights and office politics?
Ask yourself these questions as well:
- Through your current finance and accounting systems, do we know for sure where we are generating the greatest revenue for the least amount of risks that we take?
- How quickly can the institution conform to the regulator’s directives (e.g., FAS 133) without unduly taxing its resources and disrupting its day-to-day business operations?
- Can the institution leverage its current resources and technology and enter into a new market without unduly incurring additional expenses?
- If the answer is negative, there is operational risk in the headline risk categories involving people, process and technology.
- In the past three years, did the increase in expenditure result in an increase in market share or revenue to the institution?
- If the answer is negative again, there is OR involving inefficiency and misallocation of precious resources

7. Not correctly factoring Basel II into merger and acquisition strategy
- Financial institutions look at mergers and acquisitions in different ways. Some aspire to acquire. Others look forward to being absorbed by a larger operation.
- A deal may fail because of Basel II related issues
- The institution may miss out on the business value of becoming a more attractive M&A candidate through meeting the rigors of Basel II

Operational Risk Process Models
- How to develop operational risk process models?
- What are the specific quantitative and qualitative tools used by companies today?
- How to link these tools with economic capital allocation?
- What are the actions management can take to mitigate operational risk?
The Overall Process
- Step 1: Establish the objectives and requirements of key stakeholders
- Step 2: Identify the core process that supports these objectives
- Step 3: Define performance and risk metrics, including goals and MAPs (Mgt Authorization Processes)
- Step 4: Implement organizational and risk mitigation strategies

Specific Tools
- Loss incident data base
- Control self-assessment
- Risk mapping
- Key Risk Indicators

Regulatory Capital
- Top Down vs. Bottom Up Approaches
- Proposed Capital Formulas
- The Loss Distribution Approach
- Proposed Capital Relief Formula

Top Down vs. Bottom Up Capital
TOP DOWN
- Start with a given aggregate capital amount for the industry
- Allocate this to risk source: market, credit and operational
- Allocate each piece to individual financial institutions
BOTTOM UP
- Identify each source of risk
- Develop a method for measuring its magnitude
- Derive capital from this measure

The Regulatory Capital “Ball Park”
- The regulators have already indicated the ball park for regulatory operational risk capital
- They’ve said the existing Accord already implicitly contemplates operational risk
- Therefore, aggregate regulatory capital should not change with the new capital accord
- In September the BIS suggested that 12% appeared to be a reasonable amount of total existing regulatory capital to associate with operational risk

Proposed Capital Approaches
- Basic Indicator (top down)
- Standardized
- Internal Measurement
- Loss Distribution (bottom up)

Basic Indicator Approach
$K_{BIA} = EI \times \alpha$
Where:
- $K_{BIA}$ = the capital charge under the Basic Indicator Approach
- $EI$ = the level of an exposure indicator for the whole institution, provisionally gross income
- $\alpha$ = a fixed percentage, set by the Committee, relating the industry-wide level of required capital to the industry-wide level of the indicator

Slide 60
- Banks using the Basic Indicator Approach have to hold capital for operational risk equal to a fixed percentage (denoted alpha) of a single indicator. The current proposal for this indicator is gross income.
- Analysis of QIS data: Basic Indicator Approach (Based on 12% of Minimum Regulatory Capital)
- For the Basic Indicator Approach, alphas are calculated as 12 percent of minimum regulatory capital divided by gross income.

Business Lines
- Corporate Finance
- Trading & Sales
- Retail Banking
- Commercial Banking
- Payment and Settlements
- Agency Services & Custody
- Retail Brokerage
- Asset Management

Standardized Approach
$K_{TSA} = \sum_{i=1}^{8} (EI_i \times \beta_i)$
Where:
- $K_{TSA}$ = the capital charge under the Standardized Approach
- $EI_{1-8}$ = the level of an exposure indicator for each of the 8 business lines
- $\beta_{1-8}$ = a fixed percentage, set by the Committee, relating the level of required capital to the level of the gross income for each of the 8 business lines
The total capital charge is calculated as the simple summation of the regulatory capital charges across each of the business lines.
Analysis of QIS data: the Standardized Approach (Based on 12% of Minimum Regulatory Capital)

The Operational Risk Matrix
BUSINESS LINES | EVENT TYPES
Corporate Finance | Internal Fraud
Trading & Sales | External Fraud
Retail Banking | Employment Practices
Commercial Banking | Clients, Products ...
Payment and Settlements | Damage to Physical …
Agency Services & Custody | Business Disruption ...
Retail Brokerage | Execution …
Asset Management |

Examples of Operational Risk
Business Area: Processes
Potential Risks:
- Breach of mandate
- Incorrect/untimely transaction capture, execution and settlement
- Loss of client assets
- Mis-pricing
- Incorrect asset allocation
- Compliance issues
- Corporate action errors
- Stock lending errors
- Accounting and Taxation errors
- Inadequate record keeping
- Subscription and redemption errors

Examples of Operational Risk
Business Area: People
Potential Risks:
- Unauthorised trading
- Insider trading
- Fraud
- Employee illness and injury
- Discrimination Claims
- Compensation, benefit and termination issues
- Problems recruiting or retaining staff
- Organised labour activity
- Other legal issues

The Internal Measurement Approach
$K_{IMA} = \sum_{i} \sum_{j} (EI_{ij} \times PE_{ij} \times LGE_{ij} \times \gamma_{ij})$
Where:
- $K_{IMA}$ = the capital charge under the Internal Measurement Approach
- $EI_{ij}$ = the level of an exposure indicator for each business line and event type combination
- $PE_{ij}$ = the probability of an event given one unit of exposure, for each business line and event type combination
- $LGE_{ij}$ = the average size of a loss given an event for each business line and event type combination
- $\gamma_{ij}$ = the ratio of capital to expected loss for each business line and event type combination
$\gamma_{ij}$ could be an industry-wide number developed by the regulator, or it could be an institution specific number developed by individual institutions.

The Loss Distribution Approach
Background
- Used by the Most Sophisticated Banks
- Requires Advanced Knowledge and Lots of Data
Brief Overview
- Requires plenty of data
- Based on the Collective Risk model
- Is as much an art as it is a science
- Graphical illustration of required capital

An LDA Requires Plenty of Data
1. Severity, Frequency, Time Trigger
2. Loss Event Type; Risk Transfer / Relief Indicator(s), e.g. Premiums / Limits
3. Gross Loss; Type of Relief / Policy; Exposure Indicator(s); Adjusted Net Loss (Discounted, Currency adjusted, incl. Risk Transfer)
4. Business Line; Loss Effect Type

The Collective Risk Model
$C = X_1 + X_2 + X_3 + \dots + X_N$
Where N is the frequency distribution, X is the severity distribution, and C is the aggregate loss distribution.
- A separate model should be fit for each homogeneous grouping of data; hopefully these might correspond to the business line / event type combinations stipulated by regulators
- The model has some nice mathematical properties:
  $E[C] = E[N] \cdot E[X]$
  $VAR[C] = E[N] \cdot VAR[X] + E[X]^2 \cdot VAR[N]$
  Assuming N is Poisson: $VAR[C] = E[N] \cdot (VAR[X] + E[X]^2)$

Art More than Science
- External Data
- Scenario Analysis
- Expert Opinion
- Adjustments for Changes in Risk Management Policies
- Adjustments for Insurance

Desired Cultural Attitudes
- Accountability
- Integrity
- Focus on standards
- Continuous and open communication
- Intolerance for non-compliance
- Consistent decisions
- Teamwork

To Sum up…
- Effective Management of ‘OR’ would help in minimizing regulatory capital
- Validation is one of the greatest challenges
- Ratings reflect a bank’s assessment of a borrower’s ability to perform under adverse economic circumstances
- Do not underestimate cultural changes

Thank you
www.prmia.org
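
The Collective Risk Model slide can be checked numerically. The following is an added example, not part of the original presentation: it simulates annual aggregate losses C with Poisson frequency and compares the simulated mean and variance with the slide's formulas, then reads expected and unexpected loss off the simulated distribution. The lognormal severity, the parameter values and the 99.9% confidence level are assumptions chosen for illustration.

```python
import math
import random


def lognormal_moments(mu, sigma):
    """Mean and variance of a lognormal severity X (assumed severity model)."""
    mean = math.exp(mu + sigma ** 2 / 2)
    var = (math.exp(sigma ** 2) - 1) * math.exp(2 * mu + sigma ** 2)
    return mean, var


def collective_moments(mean_n, var_n, mean_x, var_x):
    """E[C] and VAR[C] for C = X1 + ... + XN, using the slide's formulas."""
    mean_c = mean_n * mean_x
    var_c = mean_n * var_x + mean_x ** 2 * var_n
    return mean_c, var_c


def poisson_draw(rng, lam):
    """One Poisson(lam) event count (Knuth's method, fine for modest lam)."""
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(lam, mu, sigma, years, seed=2009):
    """Simulate `years` independent annual aggregate losses C."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n_events = poisson_draw(rng, lam)                  # frequency N
        losses.append(sum(rng.lognormvariate(mu, sigma)    # severities X
                          for _ in range(n_events)))
    return losses


def sample_variance(values):
    """Unbiased sample variance."""
    mean = sum(values) / len(values)
    return sum((v - mean) ** 2 for v in values) / (len(values) - 1)


def capital_from_losses(losses, confidence):
    """Expected loss, loss quantile, and unexpected loss (quantile - EL)."""
    ordered = sorted(losses)
    expected = sum(ordered) / len(ordered)
    index = min(len(ordered) - 1, int(confidence * len(ordered)))
    quantile = ordered[index]
    return expected, quantile, quantile - expected


if __name__ == "__main__":
    LAM, MU, SIGMA = 25, 10.0, 1.0   # constructed parameters, not real loss data
    mean_x, var_x = lognormal_moments(MU, SIGMA)
    # Poisson frequency: VAR[N] = E[N]
    mean_c, var_c = collective_moments(LAM, LAM, mean_x, var_x)
    losses = simulate_annual_losses(LAM, MU, SIGMA, years=20000)
    el, q999, ul = capital_from_losses(losses, 0.999)
    print(f"E[C]   formula {mean_c:14.0f}  simulated {el:14.0f}")
    print(f"VAR[C] formula {var_c:14.3e}  simulated {sample_variance(losses):14.3e}")
    print(f"99.9% loss {q999:,.0f}; unexpected loss above EL {ul:,.0f}")
```

Passing a VAR[N] larger than E[N] to `collective_moments` shows how an overdispersed (non-Poisson) frequency widens the aggregate distribution through the E[X]² · VAR[N] term.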