Operational Risk Management

1
Operational RiskManagement

• Group 4 Dao Bao Khanh
• Nguyen Tien Dung
• Quach Hong Trung
• Nguyen Thi Bich Ngoc

2
AGENDA

• What is Operational Risk?
• Operational Risk Management
• Common drivers for Op.Risk Management
• Corporate Governance
• Operational Risk in Banking
• Principles in Op.Risk under Basel II
• Required Proactive Op. Risk Management

3
Risk Belongs to Business

• Without risk no reward
• Risk must be commensurate with expected reward
• Risk can be managed and its impact reduced
• Risk awareness must result
• in action
• Reduction of risk
• Transfer of risk
• Elimination of risk

4
Operational Risk

• Operational Risk is everywhere
• You cannot manage what you cannot see
• Ignoring operational risk will eventually result
  in accidents and losses

Financial Times, 2 June 2004
5
What is Operational Risk?

• Operational risk is the risk of loss resulting
  from inadequate or failed internal processes,
  people and systems or from external events
  (defined by Basel II).
• Category of Op.risk including
• Internal fraud
• External fraud
• Employment practices workplace safety
• Clients, products business practices
• Damage to physical assets
• Business disruption system failures
• Execution, delivery process management
• Includes legal risk.
• Excludes reputational and business/strategic risk.

6
Operational Risk Management

• Operational Risk Management is all about
• good management
• avoiding losses
• increasing returns

7
Common Drivers for OpRisk Management

• Attention of the regulatory community and the
  recentrevision to the Basel Capital Accord.
• Recognition of the size of these risks and
  therefore a desire to implement a more consistent
  and complete framework to manage them
• Formalization of what OpRisk is - its categories,
  etc. - at a firm level and at an industry level
• Focus on corporate governance

8
How do we Manage our Risk?

• You cannot manage any risk in isolation
• You should
• Establish your appetite for risk
• Define a desired risk profile in terms of that
  appetite
• Manage risks and exposures within that risk
  profile and its thresholds

9
Corporate Governance
Your corporate governance structure sets the
scene for all risk activity, resulting in a risk
profile
Business Execution
10
Operational Risk in banking

• No agreed upon universal definition of
  operational risk in banking.
• risk not categorized as market or credit risk
• risk of loss arising from various types of human
  or technical error.
• risk with settlement or payments risk and
  business interruption, administrative and
  legal risks.
• Op.risk in banking not limited to traditional
  back office activities, but encompassed the
  front office and any aspect of the business
  process in banks.

11
Measurement of Op.Risk

• Few banks have formal measurement systems
• Banks identified risk factors as measures of
  internal performance (internal audit ratings,
  volume, turnover) rather than external factors
  (market price movements, change in borrowers
  condition)
• gt uncertainty caused by absence of a direct
  relationship between risk factors and size and
  frequency of losses.
• Measuring op.risk requires estimating
  probability of operational loss event and
  potential size of the loss.

12
Risk Monitoring

• Banks have forms of monitoring system for op.risk
  than have formal op.risk measures.
• Monitor operational performance measures volume,
  turnover, settlement fails, delays and errors.
• Banks currently reviewing their risk
  methodologies to accommodate improved measurement

13
Control of operational risk

• Techniques used internal controls and internal
  audit process gtprimary means to control op.risk
  in banking
• Various methods of banks
• established form of operational risk limits,
• the importance of contingent processing
  capabilities to mitigate operational risk.
• established a provision for operational losses
  similar to traditional loan loss reserves
• explored the use of reinsurance to cover
  operational losses.

14
Policies and Procedures

• Banks set goal of developing a common
  architecture or framework to harmonize policies
  and procedures across businesses.
• Develop new product review process involving
  business, risk management and internal control
  functions.
• update risk evaluation and assessments of quality
  of controls as products and activities change

15
Internal Control

• Internal controls major tool for managing
  operational risk in banks.
• Most operational risk events associated with
  internal control weaknesses or lack of
  compliance with existing internal control
  procedures.
• Technique of self-assessment used to evaluate
  Op.risk
• Activate internal audit system
• Audit committee ensure independent financial and
  internal control functions

16
Following are requirements under Basel II to be
eligible for Advanced Measurement Approaches for
Op.Risk (AMA) application.
17
Sound Principles in OpRisk Management -1

• The corporate governance structure establishes
  the risk appetite of the firm.
• It must encompass all elements of risk and should
  enforce both risk measurement and risk management
• Primary tool
• Risk policy

18
Sound Principles in OpRisk Management -2

• Risk management and measurement must incorporate
  aspects such as
• Business Continuity Planning (BCP)
• outsourcing management
• legal issues
• compliance issues
• mergers and acquisitions
• stakeholder communication

19
Sound Principles in OpRisk Management -3

• The firm must have a coherent and standardised
  risk framework, supported by specific risk
  management objectives
• Tools
• Risk policy
• Procedures manuals

20
Sound Principles in OpRisk Management -4

• There must be
• clear ownership of risk
• clear limits on delegated authority
• clear responsibility for ensuring compliance
• periodic independent checks

21
Sound Principles in OpRisk Management -5

• The program must pass the Use Test, i.e. be
  integral to all business activity
• No part of the business must be above the
  law,i.e. exempt from policy and procedures
  compliance
• Business feedback must be incorporated to ensure
  smooth and efficient operation

22
Sound Principles in OpRisk Management -6

• Risk management is not a project
• Risk management must be a real-time process,
  providing information on a timely basis as to
• the nature of exposure the firm faces
• the quantified exposure

23
Sound Principles in OpRisk Management -7

• The risk management process must be supported by
• credible
• accurate
• comprehensive
• timely reporting

24
Sound Principles in OpRisk Management -8

• When estimating the impact of a loss, all
  relevant elements should be included, such as
• rework
• lost time
• impacts on dependent business activity
• compensation payments
• etc

25
Sound Principles in OpRisk Management -9

• The performance measurement and reward systems in
  use should
• reflect the overall risk management culture
• encourage compliance with the risk appetite of
  the firm

26
Sound Principles in OpRisk Management -10

• Every employee or representative should be
  considered a risk manager
• However, the most senior level of executives must
  accept that they carry risk responsibility (and
  liability)

27
Required Proactive Operational Risk
Management
28
Priorities

• Banks priorities for the next 6 to 24 months are
  set on regulatory compliance
• Often, operational risk management is confused
  with or mistaken for modeling operational risk
  capital
• where is the value for the business?
• Tasks and scopes
• Risk Management is all about avoiding losses
• Basel II is all about capital adequacy
• Sarbanes Oxley is all about transparency

29
Operational Risk Management

• Operational risk management is about managing the
  exposure to the frequency and severity of
  expected as well as unexpected losses.
• The value added to a firm varies according to the
  level of ambition in the management process
• Firms merely investing in components to gather
  data to measure regulatory capital will add
  little value.
• Those investing in a firm-wide approach to the
  operational risk management process will succeed
  in optimizing their investment.

30
Loss Distribution and Management Tools

• What does the shape of a loss distribution really
  look like?
• Where in the curve can we apply the most
  effective management tools?

31
Internal Losses

• Once burnt, twice shy
• Once a loss occurs
• fix the holes to prevent recurrence
• analyze the incident
• Biggest mistake Secrecy
• after corrective measures have been implemented,
  be open about it
• use the incident for internal training purposes

32
Internal Losses

• Collecting loss data for statistical purposes
  allows predicting expected losses
• Internal losses can never cover the whole curve
• Occasional data points in the UL area give but an
  indication of the shape of the curve

33
External Losses

• Large loss events generally get reported in the
  press
• Often, the exact background is not known, but
• the story can mostly be reconstructed
• the approximate loss can be narrowed down
• Sources
• Newspapers
• Public databases with qualitative case analyses
• Industry talk
• Problems
• Reliability (different sources may vary)
• Completeness

34
External Losses

• Collecting loss data for modeling purposes allows
  completing the shape of the curve
• Sources External subscription databases
  Loss data consortia
• Problems
• In the UL range, history is a poor proxy for the
  future
• Completeness and quality of external data

35
Best Practice in Loss Data Collection

• Best practice is limited, mostly enforced by
  Basel II
• No agreed minimum threshold
• different consortia have different threshold
• some institutions argue relevance when deciding
  on threshold
• The focus of loss data collection is mostly on
  modeling
• Narrative loss data find their way into scenarios

36
How Do You Know

• Financial institutions are always under cost
  pressure
• where to invest
• where to reduce cost
• where to focus
• Comparing risk levels in the industry can help
  find
• areas where your risk deviates from the industry
• impending changes in risk for the industry as a
  whole
• structural deficiencies
• possibly systemic risks (?)

37
Example 1

• Credit card defaults became a worry for senior
  management as the business was not profitable
  enough
• In a major effort, you have reduced credit card
  defaults by 70 (and going)
• Where do you stop?

38
Example 1

• Compare your default rates with those of other
  banks
• Is it still worth the extra effort?
• How much more cost/benefit can you achieve?

39
Example 2

• Your credit card defaults are going up
• Where is it getting serious?
• Where do we take decisive action?

40
Example 2

• In comparison with peers, we recognize when our
  data exceed the benchmarks
• Management can now decide on action plan
• Defaults do not need to get out of hand

41
What is a Scenario?

• A scenario may be defined as an outline,
  description or model of a sequence of unexpected
  or adverse events.
• Scenarios vary in detail according to the level
  of the organisation at which they are researched
  and focussed, but are generally made up of
  similar components.
• Scenarios are described using event types and may
  detail the causes and potential impacts of the
  event, should it actually crystallise.
• Scenarios may also include a causal analysis,
  along with expected direct and indirect impacts,
  particularly those of a reputational nature.

42
Uses for Scenario Analysis

• Management
• Use scenarios to understand risk and ensure
  management is prepared if adverse events occur
• No limit on the number of scenarios
• Capital
• Use scenarios to get data points
• Focus is on the tail of the distribution
• Usually 30 to 40 scenarios

43
Developing Scenarios

• Four primary approaches
• Loss Data-driven approach use internal and
  public loss data to identify possible scenarios
• Risk-driven approach evaluate actual potential
  risks and select a range on severity
• Control-driven approach evaluate existing
  controls and measure impact of failure
• Expert Opinion-driven approach brainstorm
  possible worst-case situations which the
  business will have to deal with

44
Practical Implementation Challenges

• The most common implementation challenges lie in
• Unclear definition
• Unclear scope
• Unclear purpose
• Individual agendas
• In short
• Credibility
• Acceptance

45
So What is the Solution?

• Most firms started with a pure Loss Distribution
  Approach (LDA) for economic / regulatory capital
• Some started with Scenario Based Approach (SBA)
  due to lack of data
• Many are now converging onto a Hybrid Measurement
  Approach (HMA), including both LDA and SBA
  concepts

46
HMA - The Future Best Practice?

• An HMA model can leverage the best of both
  approaches
• Internal data can be used to develop the body of
  the loss distribution
• Data generated from scenario analysis can be used
  to fill any gaps in these data, as well as to
  drive modelling of the tail of the distribution
• Loss data can be used to determine loss frequency
  and scenario data to determine loss severity
• KRI data can be used to monitor changes in the
  risk profile relevant for the scenario

47
Uses for Scenarios (1)

• Risk Management
• Evaluation of exposure to risks and/or
  effectiveness of controls under specific
  conditions
• General risk management
• Supporting risk and control assessment
• Risk Transfer/Mitigation
• Crisis and Business Continuity Management
• Training and Education

48
Uses for Scenarios (2)

• Risk Measurement
• Calculation of Economic or Regulatory Capital
  Requirements
• Economic Capital (99.9 confidence level, 1 year
  time horizon)
• Expected Loss
• Unexpected Loss for worst 1 year in 10 (UL10)
• Other percentiles of the loss distribution where
  necessary
• Effects of insurance on capital (for cost /
  benefit analysis)

49
The Use of Scenarios - Comparison

• Risk Management
• Bottom up
• Focus on UL10 events
• Understand risks
• Ensure management is prepared to deal with
  challenges
• May be run decentrally
• No limit on number
• Generally to be tested
• No correlation issues

• Capital Management
• Top down
• Focus on tail events
• Get data points
• Need senior people to make a proper assessment
• Centrally run
• Limited number (20-25)
• Designed for worst case
• Generic and high level

50
Scenario Analysis vs RCSA

• Scenario Analysis
• Understand a specific risk in sufficient detail
  to enable management to be properly prepared to
  deal with the event
• Focus is end-to-end processing
• Assumes risks identified, explores what else
  could go wrong from then on
• Explores root cause of loss event
• How would we respond?

• RCSA
• Objective is identification of the high level
  risks associated with a specific unit, division
  or product area
• Focus on individual process
• Risks are identified and briefly described
• May not have associated root cause analysis
• What are we exposed to?

51
(No Transcript)