Transcript Slide 1

Building a Modern Risk
Management Department
Seminar
Financial Services Volunteer Corps (FSVC)
January 19 – 22, 2009
Tripoli, Libya
1
Day Two
Period 11 AM to 12:25 PM
2
What is Operational Risk?
3
Specific Risk Types
1. Credit Risk – The risk that a financial institution makes a loss as a result of less than full payment of an obligation
2. Market Risk – Risk of loss due to changes in market prices or variables
3. Operational Risk
   – Historically: "Other risks"
   – More precisely (Basel II): "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events"
4
Typical "Economic" or "Risk" Capital Allocation for Risk
– Market Risk: 10 - 30%
– Credit Risk: 50 - 60%
– Operational and Business Risks: 10 - 30%
5
A Consensus Definition of Operational Risk
“the risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events“
This (Basel II) definition includes legal risk but excludes strategic
and reputational risk
6
Definition of Operational Risk
Operational risk is the risk of direct or indirect loss due to failed or inadequate processes, people or systems, or exposure to external events.
Risk is articulated in terms of three components: Cause, Event and Effect.
– Cause is the business condition that allowed the risk to occur. As mentioned in the definition above, causes generally fall into two categories: internal problems or external matters such as exposure to external environment changes.
– A risk event is the observable situation or incident of risk. There are seven categories of risk events under which all operational risk can be classified.
– Effect is the consequence that the risk has. The effect can be measured in a qualitative (high, low) or quantitative manner (dinar amount, number of transactions impacted).
7
Categories of cause, risk event and
effect are utilized to assist in risk
identification and assessment
Basel uses 7 categories of operational events that have been
commonly adopted by the industry:
 Execution, delivery and process management
 Clients, products and business practices
 External fraud
 System failures
 Internal fraud
 Employment practices and workplace safety
 Damage to physical assets
Some companies include legal, reputation and/or compliance within
the scope of operational risk management.
8
Operational Risk
• It's a traditional type of risk
  – Often equated with "common sense"
  – Often equated with "operations risk"
  – Often thought of as back-office risk
• Historically, it's the subject of unclear thinking. Why?
9
Here’s Why
• Not defined
• No taxonomy of components
• Not measured; no data
• No benchmarks
• No specified language/“jargon”
• No formal reporting
• No specific regulatory framework
• No specialized managers
• No credentials
• No specific training
10
Basel II – Operational Risk
Main Components
•Measurement
•Management
11
Role of Measurement
• You can't manage what you can't measure
• Now have generally understood, quite specific, categories of Operational Risk
  – Front, middle, back-office sources
  – Internal, external sources
• Banks now have data collection process and event loss & frequency databases
• Early stage histories / time series
• Access to external databases
• Management reporting: detailed & consolidated
• Usually data by product line, geography, legal entity
• Increasingly with benchmarks and peer analytics
• Data is now being intensively reviewed
12
It looked like we were on our way
Sound Practices, Principle 5:
Banks should implement a process to regularly monitor operational risk
profiles and material exposures to losses. There should be regular
reporting of pertinent information to senior management and the board of
directors that supports the proactive management of operational risk.
13
[Organisation chart: the Board of Directors sets risk tolerances; the CEO and CRO/CCO/CFO implement the risk "framework". Risk Management covers Credit Risk, Market/Price Risk and Operational Risk through risk measurement, risk policies & procedures, capital calculations and P&L results. Operational Risk splits into the other 6 Basel loss event categories and Business Practices, Clients, Products (compliance policies & procedures; AML & related policies and procedures). Resulting losses: fines, penalties, legal expenses & other out-of-pocket costs; reputation loss; opportunity costs.]
14
Management Today
• Personnel
  – Product Lines / Lines of Business have Ops Risk staff
  – Major geographies have Ops Risk staff
  – Risk Management Organization has Ops Risk staff
  – Beginning recognition as a risk specialty with a body of knowledge
• Policies
  – Issued and adopted
  – Used by Internal Audit and Supervisory Reviews
• Reporting
  – In place
• Training
  – Early stage but improving quickly
  – Conferences - - we are all here today
• Tools
15
Mindset
Inherent Risk → Controls → Residual Risk
16
Risk Management Itself:
Evolution and Intelligent Design
Until now:
 Credit and Market Risk Management has been focused on customers
and counterparties.
 Operational Risk Management has been focused on internal factors and
events.
 This is a primitive structure
 This is the profession of “control”
 “Risk Management” includes “control”, but great value is still to
come from an external focus. The big payoff is in managing the
risk : reward equation.
17
The Importance of Operational Risks
Drivers: deregulation & globalisation of financial services; growing sophistication of financial technology; activities of banks (& their risk profiles) more diverse & complex.
Recent experience makes it clear that risks other than credit and market
risks can be substantial:
•Barings (Singapore + U.K.)
•Life insurance & pension mis-selling (U.K.)
•Enron & Worldcom (U.S.)
•Underwriting/research conflicts (U.S.)
•9/11 (U.S.)
•Madoff Ponzi Scheme (Global)
•Allfirst (Allied Irish) (Ireland)
•“Moral Hazards” (Various)
•Parmalat (Italy)
•Satyam Computer (India)
18
Whichever way you look, operationally we are becoming more complex and inter-dependent….
– Statutory, regulatory & contractual
– Economic, cultural & political
– Business strategy
– Partnering, alliances, outsourcing & joint ventures
– Diversification
– Globalisation
– Technology
– Concentration
19
…resulting in greater focus on Operational Risk
by financial services providers, government &
others…
Financial Services (Banks, Insurance Companies, Fund Managers)
• Specialist Operational Risk functions
• Framework, policy, measurement and monitoring
• Capital allocation for operational risk – now happening
• Loss, event and near-miss data collection & analysis
• Extensive, ‘what if’, scenario analysis
• Business continuity testing and crisis management training
• Executive and Board Risk Committees
Government
•Consumer protection
•Corporate Governance
•Basel II
•Standards & Guidelines
Others
•Reputation indices
•Rating Agencies
•Sustainability
20
DATA & TOOLS
21
Operational Risk Tools
General use of:
 Self Assessments
 Key Risk Indicators
 Scenarios
 Loss Databases
Use of:
 Line of Business Mapping
 External Benchmarking
 Self Assessment / Audit Congruence
22
SELF-ASSESSMENTS
23
Risk and Control Self-Assessments are a key component of an Operational Risk Framework
Phase 1 – Framing the Risk / Business Context
  Objective: Business Areas describe their objectives and processes
  Results: Business Unit Scope; Business Objectives; Business Processes; Business Process Maps (high-level)
  Controls: Risk Management Committee reviews scope to ensure coverage; QA sessions with RM Committee; Senior Business Leader sign-off
Phase 2 – Risk Identification
  Objective: Business Areas identify risks to business objectives and associated details
  Results: Risk Events; Potential Causes; Potential Effects; Key Controls; Categorization
Phase 3 – Risk Assessment
  Objective: Business Areas assess identified risks
  Results: Net Likelihood and Impact Assessment; Control Effectiveness Assessment
  Controls: QA sessions with Risk Management Committee; Program Office facilitates cross-unit risk identification
Risk Response Strategy
  Objective: Business Areas determine response strategies and mitigation plans
  Results: Risk tolerance; Risk response decisions; Initial mitigation strategy
  Controls: Senior Business Leader sign-off of deliverables
24
Self Assessments – How They are Used
• Business Units/Lines of Business
  – Identify and mitigate operational risks
  – Report control deficiencies and track their remediation
  – Monitor changes in the control environment
  – Assess the operational risk profile
  – Manage operational risk
  – Regulatory compliance
  – Process reengineering
• Risk Quantification
  – Qualitative adjustments to operational risk capital
25
A Strategy for risk response is determined for each risk
• Accept: Risk is low or costs to further mitigate outweigh the risk
• Mitigate: Risk is outside risk appetite and/or cost beneficial to mitigate
  – Reduce – Institute actions to create new controls, to improve control effectiveness, to re-engineer processes, etc.
  – Share – Share risk exposure through the purchase of insurance policies, etc.
  – Reject – End product or service offerings or cease execution of certain processes, thereby eliminating the associated risks
• Monitor/Assess: Requires further research before a response decision is made
26
Risk appetite highlights unacceptable risks
[HLOB net risk map: likelihood on the vertical axis, in bands from 10+ times a day, once a day, once a week, once a month, once a quarter, once per 6 months, once per year, one every 10 years and one every 100 years down to less than one every 100 years; impact (in LYD 1,000) on the horizontal axis. Risks 01 to 12 are plotted on the map, and those beyond the risk appetite line are highlighted as unacceptable.]
27
Revisit: Why Adopt an RCSA Program?
• Reduced losses and reputational damage - improved likelihood of achieving business objectives and greater business resilience
• Better business decisions based on strong risk management analytics
• Identification of potential opportunities for control reductions/efficiency improvements
• Effective board reporting, based on enterprise-wide aggregation of risks, comparative and trend analyses
• Increased risk awareness across the organization & better communication about risk
• Safety and soundness objectives
28
But, many firms struggle to achieve the desired "return on investment" from RCSAs
• Business not engaged, low buy-in
• Cannot flexibly aggregate results
• Adds to already complex set of control review programs businesses must manage
• Does not produce strong data for management decision making
• Does not identify potential overinvestment in controls
• Sustained risk management culture not realized
29
Key Risk Indicators (KRIs)
30
What are Key Risk Indicators (KRIs)?
KRIs are a set of measures used to monitor risks and controls, and that are ideally predictive of changes in the operational risk profile and/or the potential for operational events.
Key objectives of KRIs include:
• Provide early warning signals
• Estimate levels of risk
• Show risk level changes and trends
• Enable actions that prevent material loss or incident
• Serve as escalation criteria for risk management
31
Key Risk Indicators are a subset of overall business metrics
Key Business Indicators
• Top level metrics associated with business performance (e.g., earnings per share, revenue growth, charge-offs, cost per account, etc.)
Key Performance Indicators
• A broader set of indicators aligned with performance of a business unit or process
• Typically viewed in a scorecard
• Includes efficiency metrics (e.g., productivity)
Key Risk Indicators
• Can be aligned with a process or risk event
• Typically viewed in a dashboard
• More frequent, predictive, and actionable in nature
32
Establishing Key Risk Indicators involves six major steps
1. Inventory Existing Metrics – What existing metrics could be potential KRIs?
2. Assess KRI Gaps – How well do these existing metrics cover the risk drivers?
3. Design KRIs – What new KRIs do I need to develop to address any gaps?
4. Validate KRIs – How well do each of these KRIs correlate to the risk event?
   The slide's illustrative validation matrix scores each potential KRI against the weighted root causes of the risk event; the Overall Rating is the weighted sum of the scores.
   Root causes (weighting): File not received by BP (20%); Complete file not received by BP (10%); BP credits to wrong cardholder account (30%); BP credits incorrect amount (30%)
   Potential Key Risk Indicators                   Scores by root cause   Overall Rating
   Partner credit report (number by $ amount)      9  3  0  0             2.10
   Days to credit metric (contact to credit)       1  1  1  3             1.50
   CSM cancellation rate by product ($ per AOF)    1  1  9  9             5.70
   File receipt indicator (% received/sent)        1  1  0  1             0.60
5. Develop KRI Dashboard – What type of graphical report should I use to monitor these KRIs?
   [Sample dashboard chart: a KRI metric plotted over time against a count axis (0 to 14) and a percentage axis (0% to 40%).]
6. Establish KRI Control Plan – What actions do I need to take to implement this KRI?
   Control plan fields: Risk Event; Drivers (Cause, Control or Other); Reporting Frequency; Time Lag Between Data Collection & Reporting; Trigger Limits; Escalation Procedure; Owner; KRI Dashboard Recipients; Last Updated
33
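The weighted scoring behind the step 4 validation matrix, as an added example that is not part of the seminar material: each candidate KRI is scored 0/1/3/9 against each weighted root cause, and the overall rating is the weighted sum. The names, weights and scores are the slide's illustrative ones (rows taken in the order the slide lists them); the weight-total check and the coverage check are this example's own additions, and the language (Python) is an assumption.

```python
"""Step 4 (validate KRIs) as a weighted scoring matrix.

Added example, not part of the seminar material. Each candidate KRI is
scored 0/1/3/9 against each root cause for how closely it would track
that cause; the overall rating is the weighted sum. Names, weights and
scores are the slide's illustrative ones; the check functions are this
example's additions.
"""

ALLOWED_SCORES = {0, 1, 3, 9}  # none / weak / moderate / strong correlation

# Root causes of the risk event and their weighting, as on the slide.
ROOT_CAUSE_WEIGHTS = {
    "File not received by BP": 0.20,
    "Complete file not received by BP": 0.10,
    "BP credits to wrong cardholder account": 0.30,
    "BP credits incorrect amount": 0.30,
}

# Candidate KRIs scored against the root causes, in the same column order.
CANDIDATE_KRI_SCORES = {
    "Partner credit report (number by $ amount)": (9, 3, 0, 0),
    "Days to credit metric (contact to credit)": (1, 1, 1, 3),
    "CSM cancellation rate by product ($ per AOF)": (1, 1, 9, 9),
    "File receipt indicator (% received/sent)": (1, 1, 0, 1),
}


def weight_shortfall(weights):
    """How far the weights fall short of 100% (0.0 when they sum to 1).

    Ratings are only comparable across risk events when every event's
    weights sum to 100%, so this is worth checking before ranking.
    """
    return round(1.0 - sum(weights.values()), 2)


def weighted_score(scores, weights):
    """Overall rating of one candidate: sum of score x weight per root cause."""
    if len(scores) != len(weights):
        raise ValueError("one score per root cause is required")
    bad = [s for s in scores if s not in ALLOWED_SCORES]
    if bad:
        raise ValueError(f"scores {bad} are not on the {sorted(ALLOWED_SCORES)} scale")
    return round(sum(s * w for s, w in zip(scores, weights.values())), 2)


def rank_kris(candidates, weights):
    """(name, overall rating) pairs, best-correlated candidate first."""
    rated = [(name, weighted_score(sc, weights)) for name, sc in candidates.items()]
    return sorted(rated, key=lambda pair: pair[1], reverse=True)


def uncovered_causes(candidates, weights, minimum=3):
    """Root causes that no candidate scores at least `minimum` against.

    These are the gaps step 2 asks about: a cause no indicator tracks at
    least moderately needs a new KRI designed in step 3.
    """
    gaps = []
    for column, cause in enumerate(weights):
        if max(sc[column] for sc in candidates.values()) < minimum:
            gaps.append(cause)
    return gaps


if __name__ == "__main__":
    print(f"weights short of 100% by: {weight_shortfall(ROOT_CAUSE_WEIGHTS):.0%}")
    for name, rating in rank_kris(CANDIDATE_KRI_SCORES, ROOT_CAUSE_WEIGHTS):
        print(f"{rating:5.2f}  {name}")
    print("uncovered root causes:", uncovered_causes(CANDIDATE_KRI_SCORES, ROOT_CAUSE_WEIGHTS))
```

Run as a script it reproduces the slide's ratings (5.70, 2.10, 1.50, 0.60). The weight check also reports that the slide's weights total 90% rather than 100%; since ratings are only comparable across risk events when every event's weights sum to 100%, a real programme should correct or normalise the weights before ranking candidates.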
How do I implement Key Risk Indicators in my area
1. Identify your area of focus (process- or risk event-based)
   • Risk events identified above your risk threshold
   • Business processes with the highest risk exposure
2. Determine your project strategy for KRI implementation
   • Stand-alone initiative
   • Part of a larger business metrics redesign project
   • A workstream as part of a risk mitigation project in that area
3. Identify appropriate resources and expand their KRI skills as needed
4. Leverage the KRI methodology to develop and validate your Key Risk Indicators
5. Change control: Periodically revisit your KRIs, trigger limits, and escalation procedures
34
Event Collection
35
The goal is to improve the understanding of operational breakdowns and reduce their impact
Through the consistent categorization and analysis of these events we will increase our ability to prevent recurrences of operational events. Other benefits include:
• Identify "hot spots" where event frequency/impact exceed expected error rates
• Improve the accuracy of our self-assessments and subsequent allocation of resources to address these risks
• Quantify the potential benefits of risk reduction projects
• Provide a tool for sharing learning across the bank
• Support the modeling of capital held against operational risk
36
A thorough process collects detailed information about operational events, their causes, effects, and resolution to support analysis
Event Details
• Text description of event, including cause, effect, and actions taken to recover customers and process
• Business Area responsible for event
• Process causing event
• Date(s) of occurrence, detection, resolution, containment, and date reported
Effects
• Financial effects tracked include the cost to fix, direct losses, impact to future revenue streams, and increased charge-offs
• Business Areas affected
• Customer effects include the number of parties impacted, type of customer (applicant, customer, solicitee) and how they were affected
• Regulatory effects include the specific regulations that may have been impacted by the event
Causes
• Standardized causes are tracked for each event
• Multiple contributing causes and 1 root cause are tracked
Resolution
• Detailed steps taken to recover the customers or money
• Detailed steps taken to recover the process
• Does not include long-term mitigation
37
A data collection strategy needs resources and control
Key components of a data collection strategy:
• Determine responsibility for each risk category in each business area or staff function
• Provide interfaces to extract as much data as possible from production systems
• Many events will not be captured; provide for individual data entry
• Allow business area "approval" prior to release
• Set up G/L codes for each event type in each business area/function. Enforce usage
• Central op risk group reviews events, categorization and descriptions
• Events need to pass through the loss database to get paid and get recorded in the G/L
• Reconcile the G/L to the loss database to assure that no events bypassed the loss database
• Analyze the sources of events to learn from experience
• Provide access to the database to business areas/functions
• Provide regular reporting to the businesses and senior management
38
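The reconciliation control in the list above, as an added example rather than anything from the seminar: postings to operational-loss G/L accounts are matched back to the loss event database, and anything paid without an event, paid before business-area approval, paid twice, or recorded but never posted is listed as an exception. The account codes, record layouts and sample records are constructed for illustration, and Python is assumed as the language.

```python
"""Reconciling the general ledger to the loss event database.

Added example, not the seminar's material. The slide's control is that
every operational loss passes through the loss database before it is
paid and posted, and the G/L is reconciled back to the database so no
event bypasses it. Account codes, record layouts and sample records
below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Constructed: one G/L loss account per Basel event type and business area.
OPRISK_ACCOUNTS = {
    "6410-RETAIL": "External fraud",
    "6420-RETAIL": "Execution, delivery and process management",
    "6410-CARDS": "External fraud",
}


@dataclass(frozen=True)
class GLPosting:
    account: str
    amount: Decimal
    reference: str  # loss-event id cited on the booking, "" if none


@dataclass(frozen=True)
class LossEvent:
    event_id: str
    account: str
    amount: Decimal
    approved: bool  # business-area approval prior to release


# Constructed sample data; OR-2009-0004 is recorded but never paid.
SAMPLE_EVENTS = [
    LossEvent("OR-2009-0001", "6410-RETAIL", Decimal("12500.00"), True),
    LossEvent("OR-2009-0002", "6420-RETAIL", Decimal("800.00"), True),
    LossEvent("OR-2009-0003", "6410-CARDS", Decimal("3200.00"), False),
    LossEvent("OR-2009-0004", "6420-RETAIL", Decimal("450.00"), True),
]
SAMPLE_POSTINGS = [
    GLPosting("6410-RETAIL", Decimal("12500.00"), "OR-2009-0001"),  # clean
    GLPosting("6420-RETAIL", Decimal("850.00"), "OR-2009-0002"),    # amount differs from the event
    GLPosting("6410-CARDS", Decimal("3200.00"), "OR-2009-0003"),    # paid before approval
    GLPosting("6420-RETAIL", Decimal("1900.00"), ""),               # no loss event at all
    GLPosting("6410-RETAIL", Decimal("12500.00"), "OR-2009-0001"),  # second booking of one event
    GLPosting("5100-RETAIL", Decimal("99.00"), ""),                 # not a loss account; out of scope
]


def reconcile(postings, events):
    """Map each exception class to the postings/events that raise it."""
    by_id = {e.event_id: e for e in events}
    exceptions = defaultdict(list)
    cited = set()
    for p in postings:
        if p.account not in OPRISK_ACCOUNTS:
            continue
        ev = by_id.get(p.reference)
        if ev is None:
            exceptions["bypassed_loss_database"].append(p)  # the case the slide's control exists for
            continue
        if ev.event_id in cited:
            exceptions["duplicate_posting"].append((p, ev))
        cited.add(ev.event_id)
        if ev.amount != p.amount:
            exceptions["amount_mismatch"].append((p, ev))
        if ev.account != p.account:
            exceptions["account_mismatch"].append((p, ev))
        if not ev.approved:
            exceptions["paid_before_approval"].append((p, ev))
    for e in events:
        if e.event_id not in cited:
            exceptions["recorded_not_posted"].append(e)  # still open, or paid outside the loss codes
    return dict(exceptions)


def posted_by_event_type(postings):
    """G/L amounts per Basel event type: the 'hot spot' view, duplicates included."""
    totals = defaultdict(lambda: Decimal("0"))
    for p in postings:
        if p.account in OPRISK_ACCOUNTS:
            totals[OPRISK_ACCOUNTS[p.account]] += p.amount
    return dict(totals)


if __name__ == "__main__":
    for kind, items in reconcile(SAMPLE_POSTINGS, SAMPLE_EVENTS).items():
        print(f"{kind}: {len(items)}")
    for event_type, total in posted_by_event_type(SAMPLE_POSTINGS).items():
        print(f"{event_type}: {total}")
```

A posting with no event reference is what the slide's control exists to catch; the other exception classes fall out of the same pass once postings and events are joined on the event id. The hot-spot totals deliberately include the duplicate posting, because that is what the G/L shows until the reconciliation removes it.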
Using External Data
Supplement internal data
• Fill in distributions for line of business and product type where
insufficient data exists
As a direct input into the capital model
A source of information for building scenarios
Supports risk management in many ways:
• Risk identification
• Control assessments and development
• Planning and scenario analysis: if it has happened before
elsewhere, it could happen to this firm
Note: Discussion today of the use of external data is necessary to
understand the theory. External data is often not available in countries
such as Libya.
39
Scenario Analysis
40
Scenario Analysis
41
Expected Loss/Unexpected Loss
Stylized Representation of Risk Quantification
[Chart: probability on the vertical axis against aggregate losses on the horizontal axis. The mean of the distribution marks the Expected Operational Loss (EOL); the Unexpected Operational Loss (UOL) runs from the mean out to the 99.9% point, and that span is the Operational Risk Capital.]
42
Expected Loss/Unexpected Loss
Expected Loss (EL)
 High frequency, low value events
 Data typically readily available at bank
 Banks view Expected Losses as a cost of business that must be managed
 Varying measures – ‘observed’ and statistical (mean, mode, median)
 Estimating EL is a part of the budgetary process
 EL is a meaningful number, but not usually significant when compared to
unexpected losses
Unexpected Loss (UL)
 Low frequency, high value events – tail events
 Data typically not available internally
 Data must be supplemented (external data and/or scenario analysis)
 Largest losses will drive capital quantification process
43
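The quantification sketched on the chart and in the EL/UL list, as an added example that is not part of the seminar: annual loss frequency is modelled as Poisson, severity as lognormal, the two are compounded by Monte Carlo, and EL is read as the mean of the simulated annual loss with UL as the distance from the mean to the 99.9% quantile. The frequency and severity parameters are assumptions chosen for illustration, not calibrated to any bank's data, and Python is assumed as the language.

```python
"""Expected vs unexpected loss from a simulated aggregate loss distribution.

Added example, not part of the seminar. Annual event count ~ Poisson(lam),
severity per event ~ lognormal(mu, sigma); compound them by Monte Carlo,
then read EL as the mean and UL as the distance from the mean to the
99.9% quantile (the capital span on the stylized chart). The parameters
below are assumptions chosen for illustration, not calibrated to any bank.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossModel:
    lam: float    # expected number of loss events per year
    mu: float     # log of the median single-loss severity
    sigma: float  # lognormal scale; larger means a heavier tail

    def expected_loss_analytic(self):
        """E[N] * E[X] for a compound Poisson with lognormal severity."""
        return self.lam * math.exp(self.mu + self.sigma ** 2 / 2)


# Assumed illustrative book: 20 events a year, median single loss of 5,000.
SAMPLE_MODEL = LossModel(lam=20.0, mu=math.log(5000.0), sigma=1.0)


def poisson_draw(rng, lam):
    """Knuth's multiplication method; adequate for the small lam used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(model, years=10000, seed=2009):
    """One aggregate loss per simulated year; seeded so runs are repeatable."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = poisson_draw(rng, model.lam)
        totals.append(sum(rng.lognormvariate(model.mu, model.sigma) for _ in range(n)))
    return totals


def quantile(sorted_values, q):
    """Nearest-rank empirical quantile of an ascending sample."""
    rank = math.ceil(q * len(sorted_values))
    return sorted_values[min(len(sorted_values) - 1, max(0, rank - 1))]


def el_ul_capital(model, years=10000, seed=2009, confidence=0.999):
    """EL, the confidence-level VaR of aggregate loss, and UL = VaR - EL."""
    losses = sorted(simulate_annual_losses(model, years, seed))
    el = sum(losses) / len(losses)
    var = quantile(losses, confidence)
    return {"EL": el, "VaR": var, "UL": var - el}


if __name__ == "__main__":
    r = el_ul_capital(SAMPLE_MODEL)
    print(f"analytic EL {SAMPLE_MODEL.expected_loss_analytic():,.0f}")
    print(f"simulated EL {r['EL']:,.0f}  99.9% VaR {r['VaR']:,.0f}  UL {r['UL']:,.0f}")
```

The simulated EL lands close to the closed-form lam * exp(mu + sigma^2/2), which is the budgetable number; raising sigma (a heavier severity tail) moves the 99.9% quantile out far faster than it moves the mean, which is the slide's point that the largest losses, not the expected ones, drive the capital figure. Internal data is sparse exactly in that tail, which is why the slide supplements it with external data and scenario analysis.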
Payment Systems Risk
44
Payment Systems Risk
• Most frequently:
  – Cash
  – Securities
• Flows
  – One way
  – Exchange of value
  – Depositories
• Risks
  – Finality
  – Simultaneity
  – Recoverability
• Complications
  – Cross-border
  – Cross time-zones
  – Cross currencies
  – Real time/Gross versus Net Settlement
  – Physical vs. Clearing House/Electronic
  – Central Counterparties
45