The document discusses various approaches to mitigating operational risk exposure beyond Basel II compliance. It outlines opportunities to integrate insurance, alternative risk transfer solutions like captives, and capital market products to optimize an organization's overall operational risk management in line with its risk appetite and tolerance. The presentation also examines US regulatory expectations and qualifying criteria for recognizing different risk mitigation techniques for capital relief purposes.
MITIGATING OPERATIONAL RISK: RISK TRANSFER SOLUTIONS
1. Mitigating Operational Risk Exposure:
Risk Transfer Solutions
ABA OPERATIONAL RISK MANAGEMENT FORUM
April 17th 2008
Michel Rochette, MBA, FSA
ENTERPRISE RISK ADVISORY, LLC
2. Topics
• Context and recent developments
• Opportunities to go beyond Basel II compliance
• Op risk mitigation environment:
– Self mitigation
– Self insurance
– Risk transfer:
• Insurance mitigation
• Alternative risk transfer: Captives
• Capital markets solutions
• Case: Insurance mitigation optimization
3. Context:
“Regulators are becoming concerned that banks
may seek to manage the [Operational Risk
Capital] charge rather than to manage the risk
itself”
Susan Schmidt Bies, Federal Reserve Board Governor
New York, March 29, 2006
4. Reminder: Sound Practices Paper-BIS 2003
• Development of an appropriate op risk mgt environment:
– Board level & management with clearly defined roles.
• Risk Management:
– Identification
– Assessment
– Mitigation & monitoring
– All material activities, products, processes and systems
covered
– Monitor operational risk profile
– Policies/processes/procedures to manage the risk
– Must choose appropriate risk mitigation strategies in light
of their risk appetite.
5. Operational Risk: Basel II Compliance View
[Diagram: risk map grouping risks under four headings (Strategic, Operational, Financial, Business), with the Basel II scope marked. Labels shown: Internal processes; Attracting & retaining talent; System failure; Competition; Internal/External Fraud; Managing organizational change; Employment practices: Health & Safety / Loss of Key People; M&A/business diversification; New product strategy; Clients/products/Business practices; New market strategy; External incident; Outsourcing and supplier chain; Legal impact included; Governance of risk; Insurance allowed as mitigant; Interest rates; Brand/Reputation; Credit environment; Corporate social responsibility; Liquidity; Production volumes/pricing; FX environment; Loss of Intellectual property; Equity environment; Other risk mitigation integrated; Financial liabilities.]
6. Operational Risk: ERM View
[Diagram: risk map grouping risks under four headings (Strategic, Operational, Financial, Business), with the Basel II scope marked. Labels shown: Internal processes; Attracting & retaining talent; System failure; Competition; Internal/External Fraud; Managing organizational change; Employment practices: Health & Safety / Loss of Key People; M&A/business diversification; New product strategy; Clients/products/Business practices; New market strategy; External incident; Outsourcing and supplier chain; Legal impact included; Governance of risk; Insurance allowed as mitigant; Interest rates; Brand/Reputation; Credit environment; Corporate social responsibility; Liquidity; Production volumes/pricing impact; FX environment; Loss of Intellectual property; Equity environment; Other risk mitigation integrated; Financial liabilities.]
7. AON 2007 Global Risk Survey
Most risks are operational!
Damage to Reputation 48%
Business interruption 70%
Third party liability 75%
Distribution or supply chain failure 63%
Market environment 35%
Regulatory/legislative changes 41%
Failure to attract or retain staff 55%
Market risk 56%
Physical damage 77%
Merger/acquisition/restructuring 69%
Failure of disaster recovery plan 65%
8. US Regulators’ Expectations: AMA
• Risk-Based Capital Standards.
– Applies to IRB and AMA only at this time.
– Banks with US$250 billion+ in consolidated assets (“Core”).
– Other banks may adopt this new framework (“Opt-in”).
– Standardized approach for general banks will be finalized in Q1 2008 with qualifying criteria.
• Compliance and op risk must be analyzed together:
– Definition of loss is consistent with Basel II including legal losses.
– Legal loss: litigation, settlements, fines resulting from failure to
comply with laws, regulations, prudent ethical standards,
contractual obligations in any aspect of the bank’s business.
– May also explain industry interest to implement GRC/ERM.
9. AMA – Designing Compliant Policies
• Policy minimum requirements:
– be provided by underwriters with a claims paying ability rated in one of the three highest categories;
– an initial term of at least one year and a residual term of more than 90 days;
– have a minimum notice period for cancellation of 90 days;
– have no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed bank.
• Additional requirements:
– cover must be linked to specific operational risk/s.
– appropriate discounts to the value of the policies must be calculated for:
• the cancellation terms of the policy, if less than 1 year;
• any uncertainty or delay in the payment of claims;
• instances where the residual term of a policy is less than one year. The discount becomes 100 percent in the last 90 days of the policy period.
10. Insurers’ Claims Paying Abilities
• Standard & Poor’s: Long-Term Insurer Financial Strength Rating
– Ability to pay under insurance policies and contracts in accordance with their terms.
– Rating: A
• Moody’s: Long-Term Insurance Financial Strength Ratings
– Company’s ability to meet its senior policyholder claims and obligations.
– Rating: A
• Fitch: Insurance Financial Strength Ratings
– Ability to meet obligations on a timely basis.
– Rating: A
• Best: Financial Strength Ratings
– Financial strength and ability to meet ongoing obligations to policyholders.
– Rating: B++, B+
Source: UK FSA
11. US Regulatory Criteria for Other Mitigant
• Regulators are open to other risk mitigant approaches if:
– FI must calculate its operational risk exposure.
– Mitigant must be able to absorb losses with sufficient certainty.
– Must receive prior written approval.
• Mitigant must cover potential operational losses in a manner
consistent with holding regulatory capital.
• Regulators will consider other risk mitigant in due course on “the
basis of growing experience”.
– Insurance industry has that experience.
– Not necessary to reinvent the wheel.
– European regulators are taking a fresh analysis of op risk mitigant.
12. Managing Operational Risk Beyond Compliance
• Opportunity:
– Operational risk is viewed horizontally (end-to-end process),
originating within some business units but impacting the value of
the whole organization.
– Operational risk takes into account:
• direct, indirect and opportunity losses.
• a forward-looking and risk-based approach.
• Regulatory (Basel II):
– Losses related to people, process, systems and external events.
– Focuses only on direct losses including legal claims (litigation,
settlement & fines).
– Excludes reputation and business aspects.
– For many companies, most of their value comes from their
reputation.
13. Managing Operational Risk: Improved Performance
• Firms can better estimate their company-wide operational risk
tolerance on their financial value, not just their regulatory capital.
• Firms can assess the cost/benefit of implementing “controls” to
reduce their operational risk exposure within their desired risk
tolerance, thus better managing their economic capital.
• Firms can better integrate insurance, other op risk mitigant,
compliance in the overall op risk framework instead of keeping them
separate.
• Firms can create financial incentives for business units to invest
time/money/efforts to manage the operational risk under their control
by :
– Integrating its cost in prices of product. Usually not done at this
time.
– Measuring performance taking into account operational risk capital
allocated. RAROC type measures.
14. Managing Operational Risk: Improve your Business
• Firms become more resilient to operational risk shocks. Can turn
around more quickly.
• Firms can better communicate to their stakeholders both in advance
and after a major operational risk shock:
– Can demonstrate that they are in control! → reputation.
– Firms gained market share by managing and communicating well an
operational risk failure.
• Firms keep operational risk on their radar screen continuously –
forward looking – instead of thinking about it when an event
happens. Frequency of major disruptions is decreasing.
• Improved internal communications:
– Just relying on your “quants” to assess operational risk without the
involvement of the business units creates moral hazard.
16. Benefits of Integrating Operational Risk Mitigant
• Business perspective:
– Your institution is NOT in the business of managing op risk. →
Low TOLERANCE for this risk.
– Insurance is in the business of managing op risk. → APPETITE for
op risk.
– These businesses are complementary, should work together and
be more integrated internally.
– This trend is observed more and more.
• Regulatory perspective:
– “Agencies will take into account whether a particular operational
risk mitigant covers potential operational losses in a manner
equivalent to regulatory capital”.
– Mitigant would cover insurance and other approaches subject to
certain minimum qualifying criteria.
17. Universe of Op. Risk Mitigation: Characteristics
• Internal management: controls
– Implemented without much consideration of the costs involved.
– Embedded in the AMA calculations through control effectiveness
scores.
• Self insurance:
– Calculating and allocating regulatory capital for op risk is a form of
self insurance by banks.
– “Insurance” is direct if calculated by AMA.
– “Insurance” is indirect if embedded in the regulatory credit capital
as traditionally done by banks in the general regulatory rules.
• Insurance:
– Always existed.
– Private and public solutions.
– Not integrated very often with operational risk groups.
– Standard policies don’t always match.
– Optimization of the insurance buying decision in relation to the
operational risk exposure is not usually done.
18. Universe of Op. Risk Mitigation: Characteristics
• Alternative Risk Transfers (ART):
– Used by companies to mitigate risks that the traditional
insurance markets cannot cover.
– Probably already used by some of your institutions without
your knowledge!
– Covers services like Captives for op risks like workers comp
and external events.
• Capital markets solution:
– In existence for some op risks, mostly external events.
– Some op risks are securitized like CAT Bonds.
– Cover both risk transfer and risk finance solutions.
– More talk in the industry about op risk derivatives.
20. Self Mitigation: Annual Profits/Internal Controls
• Estimate distribution of op risk exposure:
– Gross op risk exposure
– Exposure net of internal control business factors – “internal
mitigant”
• Regulation: FI must obtain an estimate of EOL:
– Expected and predictable average annual op risk losses for
a given risk category.
– Can be covered by op risk “offsets”
• Internal business practices.
• Reserves if allowed by GAAP.
• FI should compare cost of internal business practices and
average annual losses in order to maximize company
value.
22. Self Insurance Mitigation
• Estimate distribution of op risk exposure:
– Gross op risk exposure
– Exposure net of internal control business factors – “internal
mitigant”
• Regulation:
– FI must self insure to a 99.9% 1-yr VAR, UOL.
– Existing regulatory rules - general rules - cover op risk indirectly in
the credit risk capital rule.
• Traditionally, rule of thumb was that 20% of credit losses were
in fact operational risk, not credit risk.
– If your bank is AMA or non AMA, you pay for op risk!
– If AMA, op risk capital will be explicit, credit capital will be reduced.
– If not AMA and not managing op risk, your credit capital will be
higher.
23. Self Insurance (AMA) vs. Insurance
Self insurance (AMA):
• AMA Op risk capital:
– Internal and external loss data with recoveries of at least 5 years.
– Control Environment
– Scenarios for unexpected situations.
– Forward looking component of AMA.
– Dependence allowed only if can be justified.
• Other qualifying criteria:
– Internal op risk group
– Validation
– Ongoing qualification
– Documentation
– Collection of loss data.
• Boundaries between credit and operational
– Treated as credit risk losses
Insurance:
• Underwriting of Insurance uses the same elements:
– Company internal loss data.
– External data from Insurance industry loss database with loss development factors: recoveries extend more than 5 years.
– Forward looking assessment based on industry knowledge
– Brokers assess dependence through insurance quotes.
• Bank’s diversified risk groups:
– internal risk management
– Insurance brokers
– IT/project management groups
– Validation done annually when insurance renews.
– Already collecting loss data.
• Insurance underwriting would assess root cause.
25. US Op Risk Requirements vs. Insurance
US op risk requirements:
• Definition of op risk loss:
– All expenses associated with a loss event except:
• Opportunity loss
• Foregone revenues
• Costs to enhance/correct/prevent future op. risk events.
• No prescribed methodology:
– Most banks use LDA.
• Op. Risk Capital is like self-insuring the risk.
Insurance:
• Insurance is to indemnify:
– Regulatory definition of loss is similar to insurance definition of loss.
• Insurers pricing methods:
– ALL use LDA
– EOL = Deductible
– UOL = What insurers usually pay.
• Insurance is contingent capital to your bank.
26. US Regulatory Limitations of Insurance
• Risk Based Capital Relief of insuring some op risk exposure,
MAXIMUM of:
– Op. Risk Exposure adjusted for qualifying op risk mitigant
minus offsets (if any)
– 80% * (op risk exposure – offset ).
• Implications:
– If your institution is an AMA, regulatory relief of integrating
mitigant is limited but not the business benefit.
– If your institution is not AMA, better managing op risk will
reduce your “indirect” op risk capital that is embedded in the
credit capital through a better management of the
premiums/costs of your traditional insurance coverages.
28. ART: Captive
A captive is a dynamic, flexible insurance tool that exists
primarily to reduce the cost of a company’s overall
exposure to retained risk by underwriting and funding
selected risks of its parent and affiliates.
Captives take many forms but most are single-parent
entities that insure risks of their affiliates and sometimes
related third parties
Unless reinsurance markets are accessed, captives are
NOT risk transfer vehicles.
Not considered insurance companies by NAIC.
29. Client Captives by Industry
Services (i.e. Education, Health, Legal, Recreation) 23.2%
Finance, Insurance and Real Estate 23%
Manufacturing 22.6%
Utilities, Transport and Comms. 10.5%
Retail Trade 7.6%
Construction 5%
All others 8.2%
Source: AGIM 2006 Captive Statistics
Global Total: 1,386
Note: Industry sectors as per global SIC codes
30. Benefits of Captives
Manage business risk exposures
Reduce the cost of risk retention
Provide difficult to obtain coverage: fill the gaps in
standard commercial insurance.
Augment capacity
Generate underwriting capacity
Co-ordinate international insurance programs
Capture insurance-related profits
Improve risk management, especially for non-traditional
risks, as captives are tailored.
Achieve state tax efficiencies
Access reinsurance market.
31. Types of Captives vs. Op Risk
• TRIA: External Events
• Employee Personal Lines: People Risk
• Property Risk: External Events
• Environmental Liabilities: Legal risk of many op risk.
• Product liability: Product flaws of op risk
• Could tailor op risk to captives.
33. Capital Markets Solutions- Overview
• Type: Insurance
– Credit Quality: Varies by counterparty
– Term: One-year
– Payment Trigger: Indemnity
– Covered Perils: Virtually any op risk
• Type: Risk transfer: Securitization/ILS/Exotic Ins Structures/Op Risk Derivative
– Credit Quality: Collateralisation
– Term: Single/multi yr.
– Payment Trigger: Index based
– Covered Perils: Natural/man-made risks
• Type: Contingent Capital (CAT Bond for liquidity)
– Credit Quality: Varies by counterparty
– Term: Single/multi yr.
– Payment Trigger: Pre defined, timely issuance of securities
– Covered Perils: Natural/man-made risks.
34. Capital Markets Solution: Aon’s CLIP
[Diagram: Aon’s CLIP. Labels shown: Overall operational risk capital; Exposure; Capital optimisation; Catastrophic Loss Insurance Programme; Group Capital Optimisation; Earnings volatility reduction; Insurance Programme; Business level P&L; Captive Management; Retained exposures / capital; BU Deductibles; Type of risk.]
35. CLIP structure
• Key characteristics
– Coverage linked to event types
– Probability of coverage
• 70% - 80%
– Policy duration
• Multi - year
– Claims Protocol, addressing
• Clarity of coverage
• Payment timeliness
– Minimum security rating A
– Price driven by underlying exposures
36. Traditional Insurance vs. CLIP
Traditional Insurance:
• Limited capacity
• Wording difficult to map
• In excess of 40 exclusions
• Negligible regulatory capital relief
• Performance:
– Average period from Act Start to Payment: 2,215 days
– Average period from Settlement to payment: 156 days
– [Bar chart: segment values 817, 1242 and 156 days; legend: Loss event to claim, Claim made to settlement, Settlement to payment]
CLIP:
• Catastrophe excess solution
• Access to significant capacity
• Insuring clauses as per your event types
• Fewer exclusions
• Claims protocol and broader coverage
• CatEPut provides capital injection while insurance liability determined
• Maximum regulatory capital relief
37. Summary of Risk Transfer Solutions
Columns: Type of Exposure; Level of Exposure; Risk Solution; Advantages
• Expected, Low
– Risk Solution: Yearly Profits/Internal controls
– Advantages: Operating Group focus; Efficient
• Expected, Medium
– Risk Solution: Yearly profits/controls/Art
– Advantages: Cash flow
• Unexpected, High
– Risk Solution: Art, Self Insure, Insurance
– Advantages: Diversification; Pooling; Established Mechanism
• Unexpected, Catastrophic
– Risk Solution: Capital markets, government, insurance & capital market hybrid
– Advantages: Long-term; Access to very large pool of capital
38. Insurance Mitigation Optimization
“Severity is painful, frequency is lethal.”
Greg Case, CEO Aon
World Insurance Forum, Dubai, March 2008
39. Qualitative Mapping:
• Benefits:
– Reduce mismatch & uncertainty of payments → lower discounts of
insurance in the AMA calculations → lower regulatory capital.
• How:
– Aligning op. risk and insurance terminologies.
– Aligning your internal risk language and insurance policy wording.
– Assess coverage taking into account exclusions to your
operational risk framework.
– In some cases, insurance will cover more than the regulatory
definition of op risk.
• Ex. Business Interruption insurance covers loss of business,
which is clearly excluded from the regulatory definition.
– Take into account public sources of insurance as well:
• Workers Compensation
• US Terrorism Coverage
• US flood insurance
40. Ex. Of Mapping of Insurance to Op. Risk
Event Type Level 1, then Event Type Level 2: Mapping to Policies
• Internal Fraud
– Unauthorised activity: 1st ~ BBB, UT; 3rd ~ PI
– Theft & fraud: 1st ~ BBB, Cyber, Property; 3rd ~ PI
• External Fraud
– Theft & fraud: 1st ~ BBB, Cyber, Property; 3rd ~ PI
– Systems Security: 1st ~ BBB, Cyber, Property; 3rd ~ PI
• Employment Practices & Workplace Safety
– Employee Relations: 3rd ~ EPL, GL
– Safe Environment – Employees: 3rd ~ EL, GL
– Safe Premises – Invitees: 3rd ~ GL
– Diversity & Discrimination: 3rd ~ PI, GL
• Clients, Products & Business Practices
– Suitability, Disclosure & Fiduciary: 3rd ~ PI, Cyber
– Improper Business / Market Practices: 3rd ~ PI, Cyber, GL
– Product Flaws: 3rd ~ PI, GL
– Selection, Sponsorship & Exposure: 3rd ~ PI
– Advisory Activities: 3rd ~ PI, Cyber
• Damage to Physical Assets
– Disasters & Other Events: 1st ~ Property
• Business Disruption & Systems Failure
– Systems Failure: 1st ~ Property, Cyber, BBB; 3rd ~ Cyber
• Execution, Delivery & Process Management
– Transaction Capture, Execution & Maintenance: 3rd ~ PI
– Monitoring & Reporting: 3rd ~ PI
– Customer Intake, Documentation: 3rd ~ PI
– Customer Account Management: 3rd ~ PI, Cyber
– Trade Counter-parties: 3rd ~ PI
– Vendors & Suppliers: 3rd ~ PI, GL
41. Qualitative Insurance Mapping: Privacy Breach
• Events covered by the policy:
– Costs of Computer Damage itself
• Maps to Business Disruption and systems failures
exposure.
– Costs to notify and reimburse clients for losses
– Costs to repair credit damage of clients
– Costs to reimburse credit card companies
– Costs to cover crisis management:
• creating websites
• Set up call centers to inform the public
• Hiring public relations firms
• More coverage than regulatory op risk definition.
– Costs to cover litigation/fines of privacy laws/regulators
• Not part of operational regulatory definition but would be
part of your compliance department!
• All would map External Fraud-Systems Security-Theft of
Information exposures.
42. Quantitative Mapping:
• Assess frequency of op risk exposure and frequency of
payment by insurance.
• This reflects policy wording and exclusions.
• Insurance is based on fortuity.
• Assess severity of op risk loss to ultimate reimbursement by
insurance. This is based on definition of covered op risk losses
–single loss or aggregate loss - and by the insurance loss
development factors.
• Some insurance coverages have a better “hedge ratio” than
others.
– Ex. Flood insurance pays better than fraud related policies.
• Assess timing of op risk loss to timing of payment by insurance.
– Insurance being based on indemnification, time necessary to
estimate loss.
– Impact of insurance on your liquidity position.
43. Ex. of Payout Discount
• Analysis of historical Bankers’ Blanket Bond claims
Average period from loss event to payment: 330 days
Average period from settlement to payment: 24 days
[Bar chart: segment values 69, 237 and 24 days; legend: Loss event to claim, Claim made to settlement, Settlement to payment]
Source: Aon claims data – 175 claims
44. Insurance Mitigation: Overall Mitigation Benefit
[Chart: OpRisk Measurement. Distribution of Risks (0% to 11%) plotted against Loss Value, with three curves: Pre-Management, Post-Management, Post-Mitigation.]
The tail may still be fat, but the curve is flatter