Operational risks in banks were never recognised until Basel II required banks to look forward. Take a look at the broad canvas of operational risks applicable to banks.
2. What Is Wrongly Believed in Operational Risk
“What can be new about managing operational risk? It has
been managed ever since modern day banks were born.”
– CEO of a bank
“Operational risk never brought down a bank; it has always
been credit or market risks.”
– A Board Director in a Bank
3. What went wrong across the globe – The circle of misfortune
Many of these have risk management tools in place & are wedded
to sophisticated technology – But ???
Source: ERisk.Com
5. The Paradox that all enterprises would face
“Controls deter growth”
OR
“Growth undermines control”
A great challenge to overcome
6. But most unfamiliar losses have occurred in the recent years due to this risk
– Barings collapse, Sumitomo losses, GTB debacle
– Credit Card losses, Arthur Andersen episode
– Payment frauds, money laundering
• What has changed in operational risk horizon?
– Exponential growth in transaction volumes; new and specialised
operational processes
– Constantly evolving and more dependence on technology
– Demanding customers and quick turnaround time
– eCommerce
– Competitive pressures on costs
– Complex financial products
– New practices – securitisation, outsourcing
These developments have forced Operational Risk to be recognised as a separate
risk discipline, to be measured and provided with risk capital cover
What paved the way for Operational Risk recognition
7. Definition of Operational Risk
Basel Committee
• “The risk of loss resulting from inadequate or failed internal
Processes, People and Systems or external events”
(excluding strategic and reputational risk)
Organisation Specific
• Organisations can modify the above definition with deletions
or emphases that will reflect their individual circumstances (may
include strategic & reputational risk)
“Operational risk is not simply about measurement, or providing for
capital charges.
It’s about the management of ‘PPT’ (Processes, People and Technology)”
8. Operational risks culminate into operational loss: Definitions
Indirect vs. Direct
• Direct Impact on the P&L accounts e.g. operational errors, cash loss
• Indirect Impact in the P&L accounts e.g. loss of client due to poor levels of
service, technology downtime
Expected vs. Unexpected
• Expected losses are typically covered in yearly provisions e.g. credit card fraud,
loan losses, NPA provisioning
• Unexpected losses e.g. financial penalty from the regulator - has to be covered
through economic capital
Budgeted vs. Non Budgeted
• Budgeted loss e.g. connected to non reconciliation of bank books, contingent
liability
• Non Budgeted e.g. attrition of key staff and knowledge
“Operational losses are essentially another indicator telling
us how the system of risk management is working or not
working”
9. Basel Proposals on Operational Risk – The Three Pillars
• Pillar 1: Minimum capital requirements (Measurement)
–Spectrum of options: Basic Indicator, Standardised and Internal
Measurement (AMA) approaches
–The higher the option, the higher the sophistication and risk modelling
• Pillar 2: Supervisory review (Qualitative assessment)
–Framework and methodology for estimating capital
–Management of risk: Senior management involvement, policies,
processes, internal controls, reporting, reviews and internal audit
• Pillar 3: Market discipline (Disclosure)
–To include disclosure on risk management policies and practices, risk
events and losses, estimated risk levels, economic capital allocation
–A Bank will be judged, over a period of time, by the quality of disclosures
11. Risk Identification, Assessment, Treatment and Mitigation
Risk Prioritization, Treatment & Mitigation
• Prioritize Risks based on Inherent Risk assessment, Control Effectiveness
• Prepare risk-control-classification 3D matrix
• Focus Management Attention on the Significant / Systemic Risks
• Evolve risk treatment action agenda.
• Create / Track Action Plans to Address Risk Mgt Gaps
• Develop residual risk transition map and integrate with risk reporting process.
Key Risk Indicators & Integration
• Based on Risk Drivers identify Critical, Few, Multi-Dimensional Key Risk Indicators
• Focus on Leading KRIs for Indications of Rising Risk Levels
• Ensure Coordination Between the Operational Risk Initiatives, and Ongoing Business Processes.
• Set up process and automation to track KRIs
Risk Identification & Assessment
• Business Unit level process mapping and process hierarchy.
• Risk driver Identification and arriving at risk inventory
• Assessment of impact and likelihood of risks
• Risk assessment and classification
• Control effectiveness testing and risk control map
12. Risk Monitoring and calibration
Monitoring of Key Risk Indicators
• Gather and Track KRIs
• Establish Escalation Thresholds, Static and Dynamic Thresholds
• Begin Trend Analysis to Identify Rising Risk Levels Prior to Loss Events Occurring
• Integrate KRIs into Risk Management Processes to Identify Trends, Evaluate Risk Environment of Company
• Integrate with residual risk transition framework
• Realign the risk reporting system
Loss Event Tracking
• Put up a distinctive process to differentiate losses from loss events
• Develop Op Risk Event capture
• Identify, Track, and Classify Direct / Indirect Loss Events among several dimensions, including Event Type, Risk Category, Root Cause, Outcome / Loss Type, etc.
• Supplement Internal Losses with External Loss Event Data to Complete Distribution Tail
• Ensure full technology back up and integration with the MIS architecture
Calibration and measure
• Ensure Quality Control Over RCM, KRIs, and Loss Events
• Integrate and Leverage Root Cause Analysis into Process
• Develop Reporting to Ensure Management has Ability to Monitor Risk Environment
• Apply Statistical Methods to Generate Distributions providing for Data Limitations
• Set stage for AMA approach with key inferences from the statistical tools applied.
• Identify measurement roadmap
13. Risk Measurement (AMA)
•Left to the Banks. But must demonstrate that it captures potentially severe
tail loss events.
•While different methodologies will exist for risk quantification, data and
certain calculation elements will be common. Must have and maintain
rigorous procedure for model development and validation.
•Must be consistent with the loss event types defined under the accord.
•The model must provide for computation of EL & UL unless Banks can
establish that it has accounted for EL.
•All operational risks may not be measured – so the model parameters
should be as granular as possible.
14. Operational risk monitoring through key indicators
Key Performance Indicators
• KPIs are a measure that demonstrates a movement in the likelihood or
the impact of a risk – they can be seen as events that raise a warning
about a risk.
Key Control Indicators
• KCIs are a measure demonstrating a change in the effectiveness (e.g.,
design and performance) of a control
Key Risk Indicators
• A combined measure of a KPI and KCI that are linked to the residual
impact of the risk with likelihood of the risk occurring.
15. Example KPI, KCI and KRIs
Risk: Loss of key personnel
Control: Adequate remuneration & motivation packages, performance incentive / Bonus Pool
KPI: Number of staff leaving without a planned successor
KCI: Number of employees kept as a result of remuneration change / bonus payment
KRI: Number of staff leaving without a planned successor due to remuneration / bonuses not being sufficient
Risk: Clients default on loans
Control: Daily monitoring, Audit procedures, Collateral cover
KPI: Number of loans executed for clients who have defaulted in the past
KCI: Number of clients identified with insufficient collateral cover
KRI: Number of loans executed for clients who have defaulted in the past who do not have sufficient collateral cover
16. Operational risk measurement
• Are the processes cost efficient to reduce day-to-day operational losses
• Where to focus R.M. resources
• How effective are internal controls
• How integrated is the I.T. system
Design an appropriate risk measurement methodology
• Create loss tracker database for identification of risk source at points of incidence contributing to losses
• Corporate dashboard for high level risk monitoring
• Assess the feasibility of using scorecard model for risk measures
Tool development
Technology & database support
• Design database to track the losses & drawing correlations & appropriate data-flow design for identified KRIs
• Data architecture at points of incidence, ensuring data integrity, facilitating data simulation and analysis
• Scope of integration of models / solutions with the I.T. structure & network system
17. Loss Event Database
Loss events are not the loss happenings. Just like an
archaeological process one has to dig out the historical
loss events.
The monitoring and the analysis of loss events will provide
the basis for independently validating the risk assessment
and indicator tracking process in addition to providing
foundation for quantification of risks.
18. How we do it?
Indirect and direct loss events should be identified, tracked and
classified by:
• Event type (in accordance with Basel definition)
• Risk class/category and risk strategy
• Root cause
• Loss/Outcome
• Process/Activity/ risk owner
• Business or management Unit
Internal losses must be supplemented with external loss event data to
complete the tail of distribution
19. Risk Rating Improvements post mitigation is the way forward
Risk Transition
Risk | Risk Description | Inherent risk rating | Inherent risk score | Treatment option | Residual risk rating | Residual risk score
1 | Industry trend may influence the fortune of the company resulting in default | HIGH | 3 | MITIGATE | COMFORT | 1
2 | Improper collection of market information for structuring instruments may result in the wrong product design affecting business | HIGH | 3 | MITIGATE | ALERT | 2.5
3 | Low importance in targeting new clients leading to stagnation of business growth. | HIGH | 3 | MITIGATE | ALARM | 4.5
4 | Delay in decision making may lead to unsatisfied clients and loss of repeat / additional business | HIGH | 3 | ACCEPT | ALARM | 3
5 | Change of interest rate may erode the value of the portfolio | HIGH | 3 | ACCEPT | ALERT | 2.25
20. The tangible benefit of ORM
Costs vs. Potential Improvements post mitigation
[Chart: series Before control, After control and Value, plotted per Risk (1 to 5). Vertical axis: Loss/ Revenue/ Value Derived (INR 000s). Risks 1, 2: Revenue data. Risks 3, 4, 5: Loss data.]
21. Can we derive commercial advantage from investment in
operational risk management?
Judge for yourself
• Reduces operational errors by ensuring right control and alerts =
Impairing the bottom line
• Winning new business through clear articulation of risk
management approach to investment consultants and trustees =
Pillar 3 matters a lot
• Reduces cost of control by appropriate resource allocation =
Scorecard approach and RCM paves the way
• Reduces capital charges = The boon
22. Less tangible but valuable benefits of a robust framework
• Enables the development of a consistent risk perspective,
language and culture across the organisation hierarchy
• Develops risk awareness and a focus on cost/benefit analysis
• Risk weighted decision system facilitated.
• Creates and enforces accountability
• Allows identification, measurement and validation of risk
appetite
• Control not for control sake - risk taking becomes more
ingrained in corporate decision system
• Provides a repository and knowledge transfer - source for
internal and external best practices
23. Incentives To Be Proactive
Less sophisticated approaches will result in increased
capital charges, leading to inefficient use of capital
and lower return on equity
Preempt costly regulatory directives
Avoid challenges to business expansion, mergers and
acquisitions
Risk management practices adopted by leading
institutions may be considered “best practices” by
regulators
Potential negative reputational impact leading to loss
of shareholder confidence (through disclosure)
The market (peers, rating agencies, shareholders) will
“judge” an institution on the choice of approach
Avoidance of sub-optimal practices which lead to loss
of competitive advantage
24. Contact
treatrisk@gmail.com
www.treatrisk.com
www.treatrisk.wix.com/info
Editor's notes
Operational risk was never a big risk in banks, unlike in manufacturing, process industries; banking was a relatively simple business, dealing in just one commodity – money. Things have changed!
Key risks are due to technology and competitive pressure on costs
There were 4 key factors in why these occurred:
Control Failure - People bypassed the normal controls, taking short cuts / manual workarounds
Culture - there was a lack of enthusiasm or commitment to risk management
Management - there was no process, or a lack of effective process, to identify and manage risks
Governance - there was a lack of independent challenge from strong management and audit committee
Root Cause
Analysis of why the loss occurred, e.g. poor communication, manual keying error, failure of systems, clarity around roles and responsibilities etc.
Loss/Outcome
Financial loss, through clients leaving, errors hitting the bottom line, reduced revenue due to reputational harm caused, compensation payments to clients
Process/Activity
Such as, in an investment house, Front Office (order generation, execution), Middle Office (front office support, trade input) or the Back Office (cash management)
Business/Management unit
Such as production, S&M or different desks in an investment house such as Equities or Fixed Income; this, though, is subjective in nature depending on the organisation and the business units that are involved.
No more “one size fits all” framework like the previous Accord.
Choice of available options subject to approval of respective bank’s supervisory authority
Main Document
p.2, Insurance Subs.
Overview Document
p.11, Insurance Subs.