Operational risk has always been ignored by banks, as they believed it was credit and market risks that cause catastrophe. But the history of misfortunes has taught us different lessons. Controls and internal audit were long construed as a sufficient guard until the Basel II dictates forced banks to look at the subject with insight. Understand the dimensions of ORM in this presentation.
2. “I had always assumed - I had no reasons to doubt - that our controls were in good shape and reflected management’s desire to run a very tight ship”
- John Dove, director of Barings
3. “You want a valve that doesn’t leak and you try everything possible to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate”
- NASA Scientist
4. What can go wrong – The circle of misfortune
Many of these have risk management tools in place & are wedded to sophisticated technology – But ???
Source: ERisk.Com
9. Basel II – The trigger for survival
The three pillars: Minimum Capital Requirements, Supervisory Review, Market Discipline
• Introduces a three pillar approach to calculating regulatory capital in order to encourage better risk management practices
• Brings in the need for risk quantification & modelling for estimating capital charge.
• Capital should not be regarded as a substitute for a fundamentally weak risk management & control system.
10. What Is Wrongly Believed in Operational Risk
“What can be new about managing operational risk? It has been managed ever since modern day banks were born.”
– CEO of a bank
“Operational risk never brought down a bank; it has always been credit or market risks.”
– A Board Director in a Bank
11. What Is New About Operational Risk
• But most unfamiliar losses have occurred in the recent years due to this risk
– Baring collapse, Sumitomo losses, GTB debacle
– Credit Card losses, Arthur Andersen episode
– Payment frauds, money laundering
• What has changed in operational risk horizon?
– Exponential growth in transaction volumes; new and specialised operational processes
– Constantly evolving and more dependence on technology
– Demanding customers and quick turnaround time
– eCommerce
– Competitive pressures on costs
– Complex financial products
– New practices – securitisation, outsourcing
These developments have forced Operational Risk to be recognised as a separate risk discipline – to be measured and risk capital cover provided
12. Definition of Operational Risk
Basel Committee
• “The risk of loss resulting from inadequate or failed internal Processes, People and Systems or external events” (excluding strategic and reputational risk)
Organisation Specific
• Organisations can modify the above definition with deletions or emphases that will reflect their individual circumstances (may include strategic & reputational risk)
“Operational risk is not simply about measurement, or providing for capital charges. It’s about the management of ‘PPT’ (Processes, People and Technology)”
13. Operational loss definitions
Indirect vs. Direct
• Direct Impact on the P&L accounts e.g. operational errors, cash loss
• Indirect Impact in the P&L accounts e.g. loss of client due to poor levels of service, technology downtime
Expected vs. Unexpected
• Expected losses are typically covered in yearly provisions e.g. credit card fraud, loan losses, NPA provisioning
• Unexpected losses e.g. financial penalty from the regulator - has to be covered through economic capital
Budgeted vs. Non Budgeted
• Budgeted loss e.g. connected to non reconciliation of bank books, contingent liability
• Non Budgeted e.g. attrition of key staff and knowledge
“Operational losses are essentially another indicator telling us how the system of risk management is working or not working”
14. Basel Proposals on Operational Risk – The Three Pillars
• Pillar 1: Minimum capital requirements (Measurement)
– Spectrum of options: Basic Indicator, Standardised and Internal Measurement (AMA) approaches
– The higher the option, the higher the sophistication and risk modelling
• Pillar 2: Supervisory review (Qualitative assessment)
– Framework and methodology for estimating capital
– Management of risk: Senior management involvement, policies, processes, internal controls, reporting, reviews and internal audit
• Pillar 3: Market discipline (Disclosure)
– To include disclosure on risk management policies and practices, risk events and losses, estimated risk levels, economic capital allocation
– A Bank will be judged, over a period of time, by the quality of disclosures
15. Basel Proposals – The Measurement
Basic
• Exposure Indicator (EI): Gross Revenue (proxy for scale of OR exposure)
• Capital Charge Factor: Capital charge = α x EI; α fixed charge in percentage terms (determined by regulators)
Standardized
• Exposure Indicator (EI): Based on business line (set by regulators – 8 such)
• Capital Charge Factor: Capital charge = β x EI; β factor based on business line (determined by regulators)
Internal Measurement (AMA)
• Exposure Indicator (EI): Based on business line / risk type combination (set by regulators)
• Capital Charge Factor: Capital charge = γ x EL; γ factor set by regulators for each business line / risk type combination
• EL (Expected Loss) = EI x PE x LGE, where PE = probability of loss event and LGE = loss given that event
The more complex the approach chosen, the lower the capital
16. Likely Choice of Approach – G10
Operational risk management is yet to gain momentum across the BFS spectrum. But advanced countries have marched up the trajectory.
G10 countries and equivalents
Commenced with the Standardised Approach initially:
– Required to provide EI data (gross income) by business line
– Need to have strong oversight of operational risk management framework
– Regulator to provide the beta factor but banks need to track loss data
– Satisfactory Pillar 2 compliance, policy and documentation
Only a handful to qualify for the Advanced Measurement Approach (AMA):
– Required to provide EI data (new deal volumes, trading volumes, transaction numbers and volumes, value of fixed assets, value of assets under management) by business line
– Determine probability of a loss event (PE), based on internal loss data
– Determine Loss Given Event (LGE), based on internal loss data
– Regulator to provide the gamma factor
– Ability to choose Standardised or AMA Approach for individual business lines
– Need strong oversight structure, robust loss event database, strong internal control system, risk reporting
17. Appropriate Approach – Outside G10
• Basic Approach likely to be adopted by all for considerable time.
• Large domestic banks active internationally may choose the Standard Approach – which will have both Pillar 1 and Pillar 2 implications. The strategy would be
– Setting up MIS to produce required data in a reliable and consistent manner
– Improving management of all aspects of operations to acceptable international benchmarks
– Establishing Operational Risk management framework and processes throughout the organisation simultaneously to meet Pillar 2 requirements
18. Pillar 2 - Regulator’s Approach to ORM under AMA
• Pillar 2 focuses on qualitative aspects; although these sit at the supervisory level, the value proposition is tremendous. Key focus of regulators would be
– Choice of framework
– Process for assessing overall capital
– Effectiveness of risk management process
– Monitoring, risk reporting, data flow and other systems/data quality issues
– Procedures for the timely tracking and effective resolution of risk exposures and loss events
– Internal controls, reviews and audit
– Effectiveness of mitigation efforts
– Validation by external auditors/ supervisor
– Documentation of policy, oversight system & controls
19. What Does That Mean for a Non-G10 Bank
• Clearly setting up process to capture loss events and the corresponding losses.
• Creating historical database of loss events
• Setting up MIS to produce required data in a reliable and consistent manner
• Improving management of all aspects of operations, particularly in the use of technology, to acceptable international benchmarks
• Establishing Operational Risk management framework and processes throughout the organisation simultaneously to meet Pillar 2 requirements
• Making sure the processes for credit risk capital reduction are not missed
– Improve credit risk management practices, including use of good internal credit rating models to qualify for minimum capital based on Internal Rating-Based (Foundation) approach
– Clearly establishing interlinkages of credit risk with the operational risks arising out of credit processes.
21. Step 1: Framework Development – Key Principles
Operational Risk Management Framework
Governance
Articulates why the company is creating an Operational Risk Management Group and what the expectations of the group are
• Management’s vision / agenda
• Operational risk management’s mission statement
• Guiding principles
• Goals and objectives
• Organization structure
• Implementation strategy
Common Language
Helps create transparency and allows the organization to begin to create a common lens through which the organization can discuss and manage operational risk
• Risk definitions and categorization
• Risk assessment and quantification language
• Operational risk classifications
• Setting a risk attitude across the organisation
• Risk tolerance levels and limits
Oversight Structure
Clearly define and articulate each constituent’s role and responsibilities with respect to risk management throughout the organization
• Board of Directors, senior management through to staff responsibilities
• Reporting and escalation processes
• Quality control
• Integration with other risk management functions
• Embedded in organization’s core processes
• Realign the MIS and dashboards with risk language
Change Management
Helps create a positive environment to support sustainable change which includes new processes, organizational structures, and new technologies
• Top Management/ CEO Sponsorship
• Linking and leveraging major change activities
• Creating value at each level of the organization
• Integrate performance measurement with Economic Capital, planning and budgeting, people effectiveness, management reporting, and assurance activities
• Cultural integration through training and education
• Communication to Business Lines of the vision, roles and responsibilities, value propositions, quick wins, and long term successes – ensure buy-in
22. Step-2 Risk Identification, Assessment, Treatment and Mitigation
Risk Identification & Assessment
• Business Unit level process mapping and process hierarchy.
• Risk driver Identification and arriving at risk inventory
• Assessment of impact and likelihood of risks
• Risk assessment and classification
• Control effectiveness testing and risk control map
Risk Prioritization, treatment & Mitigation
• Prioritize Risks based on Inherent Risk assessment, Control Effectiveness
• Prepare risk-control-classification 3D matrix
• Focus Management Attention on the Significant / Systemic Risks
• Evolve risk treatment action agenda.
• Create / Track Action Plans to Address Risk Mgt Gaps
• Develop residual risk transition map and integrate with risk reporting process.
Key Risk Indicators & Integration
• Based on Risk Drivers identify Critical, Few, Multi-Dimensional Key Risk Indicators
• Focus on Leading KRIs for Indications of Rising Risk Levels
• Ensure Coordination Between the Operational Risk Initiatives, and Ongoing Business Processes.
• Set up process and automation to track KRIs
23. Step-3 Risk Monitoring and calibration
Monitoring of Key Risk Indicators
• Gather and Track KRIs
• Establish Escalation Thresholds, Static and Dynamic Thresholds
• Begin Trend Analysis to Identify Rising Risk Levels Prior to Loss Events Occurring
• Integrate KRIs into Risk Management Processes to Identify Trends, Evaluate Risk Environment of Company
• Integrate with residual risk transition framework
• Realign the risk reporting system
Loss Event Tracking
• Put in place a distinct process to differentiate losses from loss events
• Develop Op Risk Event capture
• Identify, Track, and Classify Direct / Indirect Loss Events among several dimensions, including Event Type, Risk Category, Root Cause, Outcome / Loss Type, etc.
• Supplement Internal Losses with External Loss Event Data to Complete Distribution Tail
• Ensure full technology back up and integration with the MIS architecture
Calibration and measure
• Ensure Quality Control Over RCM, KRIs, and Loss Events
• Integrate and Leverage Root Cause Analysis into Process
• Develop Reporting to Ensure Management has Ability to Monitor Risk Environment
• Apply Statistical Methods to Generate Distributions providing for Data Limitations
• Set stage for AMA approach with key inferences from the statistical tools applied.
• Identify measurement roadmap
24. Step 4 A - Risk Measurement (AMA)
• Left to the Banks. But the Bank must demonstrate that its approach captures potentially severe tail loss events.
• While different methodologies will exist for risk quantification, data and certain calculation elements will be common. Must have and maintain rigorous procedure for model development and validation.
• Must be consistent with the loss event types defined under the accord.
• The model must provide for computation of EL & UL unless the Bank can establish that it has accounted for EL.
• All operational risks may not be measured – so the model parameters should be as granular as possible.
25. Step 4 B - Risk Measurement (AMA)
• Banks may use, subject to satisfaction of supervisor, correlation of operational risk losses across operational risk estimates – this would reduce aggregate capital charge.
• Minimum five year observation of internal loss data.
• Must also use external data for some risk events and perform scenario analysis for high severity events – this will enable testing of internal loss distribution & correlation estimate.
• Sophisticated solution may include some actuarial modeling, Bayesian modeling, complexity modeling and market pricing based valuation methods
27. Operational risk monitoring through key indicators
Key Performance Indicators
• KPIs are a measure that demonstrates a movement in the likelihood or the impact of a risk – they can be seen as events that raise a warning about a risk.
Key Control Indicators
• KCIs are a measure demonstrating a change in the effectiveness (e.g. design and performance) of a control
Key Risk Indicators
• A combined measure of a KPI and KCI that are linked to the residual impact of the risk with likelihood of the risk occurring.
29. Example KPI, KCI and KRIs
Risk: Loss of key personnel
Control: Adequate remuneration & motivation packages, performance incentive/ Bonus Pool
KPI: Number of staff leaving without a planned successor
KCI: Number of employees kept as a result of remuneration change / bonus payment
KRI: Number of staff leaving without a planned successor due to remuneration / bonuses not being sufficient
Risk: Clients default on loans
Control: Daily monitoring, Audit procedures, Collateral cover
KPI: Number of loans executed for clients who have defaulted in the past
KCI: Number of clients identified with insufficient collateral cover
KRI: Number of loans executed for clients who have defaulted in the past who do not have sufficient collateral cover
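The loan-default indicators above, combined with the static and dynamic escalation thresholds listed under Step-3, as an added example that is not part of the original presentation. The record layout, the collateral floor of 1.0, the definition of the dynamic threshold (trailing mean plus k standard deviations) and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_COVER = 1.0  # assumed policy floor: collateral value / loan value


@dataclass(frozen=True)
class Loan:  # hypothetical record layout, not taken from the slides
    client: str
    prior_default: bool      # client has defaulted in the past
    collateral_cover: float  # collateral value divided by loan value


def indicators(loans):
    """Return (KPI, KCI, KRI) as worded in the loan-default example."""
    weak = [l for l in loans if l.collateral_cover < MIN_COVER]
    kpi = sum(1 for l in loans if l.prior_default)   # loans to past defaulters
    kci = len({l.client for l in weak})              # clients short of cover
    kri = sum(1 for l in weak if l.prior_default)    # both conditions at once
    return kpi, kci, kri


def escalations(series, static_limit, window=5, k=2.0):
    """Flag periods where the KRI breaches a static or a dynamic threshold.

    Dynamic threshold (assumed definition): mean + k * population standard
    deviation of the previous `window` observations.
    """
    flagged = []
    for i, value in enumerate(series):
        reasons = []
        if value > static_limit:
            reasons.append("static")
        history = series[max(0, i - window):i]
        if len(history) == window and value > mean(history) + k * pstdev(history):
            reasons.append("dynamic")
        if reasons:
            flagged.append((i, value, reasons))
    return flagged


# Constructed sample data.
LOANS = [
    Loan("A", True, 0.8), Loan("B", True, 1.5), Loan("C", False, 0.6),
    Loan("A", True, 0.9), Loan("D", False, 1.2),
]
KRI_SERIES = [1, 1, 2, 1, 1, 4, 2, 9]  # KRI count per reporting period

if __name__ == "__main__":
    print(indicators(LOANS))
    for period, value, reasons in escalations(KRI_SERIES, static_limit=5):
        print(period, value, reasons)
```

In the constructed series the dynamic threshold escalates period 5 while the count is still below the static limit, which is the leading-indicator behaviour the monitoring step asks for.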
30. Operational risk measurement
• Are the processes cost efficient to reduce day-to-day operational losses
• Where to focus R.M. resources
• How effective are internal controls
• How integrated is the I.T. system
Design an appropriate risk measurement methodology
• Create loss tracker database for identification of risk source at points of incidence contributing to losses
• Corporate dashboard for high level risk monitoring
• Assess the feasibility of using a scorecard model for risk measures
Tool development
Technology & database support
• Design database to track the losses & drawing correlations & appropriate data-flow design for identified KRIs
• Data architecture at points of incidence, ensuring data integrity, facilitating data simulation and analysis
• Scope of integration of models/ solutions with the I.T. structure & network system
31. Loss Event Database
Loss events are not the loss happenings. Just as in an archaeological process, one has to dig out the historical loss events.
The monitoring and the analysis of loss events will provide the basis for independently validating the risk assessment and indicator tracking process, in addition to providing the foundation for quantification of risks.
32. How we do it?
Indirect and direct loss events should be identified, tracked and classified by:
• Event type (in accordance with the Basel definition)
• Risk class/category and risk strategy
• Root cause
• Loss/Outcome
• Process/Activity/ risk owner
• Business or management Unit
• Internal losses must be supplemented with external loss event data to complete the tail of distribution
33. Facilitating Operational Risk Measurement & modeling – Residual Scorecard Model Approach
• Creation of database for capturing loss events
• Setting the rating parameters and rating logic
• Information system to evaluate the model parameters, particularly KRIs
• Methodology to forecast the frequency & severity of events maturing
• Looking through the window of controls put and the risk tolerance level set.
• Arriving at the residual rating score
[Diagram labels: Loss Event Data; Key Indicator Data; Control Effectiveness Data; Rating Logic; Risk Tolerance Window; Residual Risk Score; Residual Risk]
34. Risk Rating Improvements - By Control
Risk Transition (Illustration)
Risk | Risk Description | Inherent risk rating | Inherent Risk Score | Treatment option | Residual risk rating | Residual risk score
1 | Industry trend may influence the fortune of the company resulting into default | HIGH | 3 | MITIGATE | COMFORT | 1
2 | Improper collection of market information for structuring instruments may result in the wrong product design affecting business | HIGH | 3 | MITIGATE | ALERT | 2.5
3 | Low importance in targeting new clients leading to stagnation of business growth. | HIGH | 3 | MITIGATE | ALARM | 4.5
4 | Delay in decision making may lead to unsatisfied clients and loss of repeat / additional business | HIGH | 3 | ACCEPT | ALARM | 3
5 | Change of interest rate may erode the value of the portfolio | HIGH | 3 | ACCEPT | ALERT | 2.25
35. Costs vs. Potential Improvements - By Control
[Chart (Illustration): Loss/ Revenue/ Value Derived (INR 000s) for Risks 1 to 5; series: Before control, After control, Value. Risks 3, 4, 5 use loss data; risks 1, 2 use revenue data.]
37. Can we derive commercial advantage from investment in operational risk management?
Judge for yourself
• Reduces operational errors by ensuring right control and alerts = Impairing the bottom line
• Winning new business through clear articulation of risk management approach to investment consultants and trustees = Pillar 3 matters a lot
• Reduces cost of control by appropriate resource allocation = Scorecard approach and RCM paves the way
• Reduces capital charges = The boon
38. Less tangible but valuable benefits of a robust framework
• Enables the development of a consistent risk perspective, language and culture across the organisation hierarchy
• Develops risk awareness and a focus on cost/benefit analysis
• Risk weighted decision system facilitated.
• Creates and enforces accountability
• Allows identification, measurement and validation of risk appetite
• Control not for control's sake - risk taking becomes more ingrained in corporate decision system
• Provides a repository and knowledge transfer - source for internal and external best practices
39. The ORM Loop
[Diagram labels: Processes; give rise to; Risks; are mitigated by; Controls; act to reduce; are managed within]
40. Expand the Agenda – Strategic Dimension of ORM
[Diagram labels: Strategic; Operational; Financial; Traditional Control Focus; What can go wrong?; What has to go right?]
Operational risk is not merely for control but for escalation to the achievement of strategic objectives
41. Four Cardinal Principles: To influence
• Risk Management is not for extinguishing risk BUT about What & how much to take AND What & How much not to take
• Risk Management does not guarantee that there will be no SHOCKS or SURPRISES BUT to enhance Shock Absorption Capacity
• Risk Management should lead to creation of economic capital BUT Over-capitalisation is not desirable
• Capital should not be regarded as a substitute for fundamentally weak risk management processes & internal control system
42. Incentives To Be Proactive
▪ Less sophisticated approaches will result in increased capital charges, leading to inefficient use of capital and lower return on equity
▪ Preempt costly regulatory directives
▪ Avoid challenges to business expansion, mergers and acquisitions
▪ Risk management practices adopted by leading institutions may be considered “best practices” by regulators
▪ Potential negative reputational impact leading to loss of shareholder confidence (through disclosure)
▪ The market (peers, rating agencies, shareholders) will “judge” an institution on the choice of approach
▪ Avoidance of sub-optimal practices which lead to loss of competitive advantage
44. Contact
treatrisk@gmail.com
www.treatrisk.com
www.treatrisk.wix.com/info