Mr.Alok Tiwari - INDIAN BANKS' ASSOCIATION
Download
Report
Transcript Mr.Alok Tiwari - INDIAN BANKS' ASSOCIATION
OPERATIONAL RISK
Issues &
Challenges
March 9, 2007
Partners in Risk & Compliance
Table of Contents
ORM Framework and its Components
Single Biggest Challenge
Self Assessment – Issues & Challenges
KRI – Issues & Challenges
LDM – Issues & Challenges
AMA – Issues & Challenges
Partners in Risk &
2
ORM Framework - Components
Risk Causes
•
•
•
•
Process
People
Systems
External
Event Frequency
99.99%
Confidence level
RISK
EXPECTED
LOSS
UNEXPECTED
LOSS
CATASTROPHIC
LOSS
Effect Severity
Risk Governance
Operational Risk Definition/ Governance/ Policies
Strategic Diagnostic Study
Risk Management
1. Self Assessments
(SA)
Risk & Control Self Assessment (RCSA )
Key Risk Indicator (KRI)
2. Key Risk Indicator
Loss Data Capture
3. Loss Data
Management
(LDM)
Loss Data Analysis
Integrated Reporting ( SA, KRI & LDM),
New Product & Activity ( including Outsourcing)
4. Risk Mitigation
Programmes
Internal Control Supervision
BCP/DRP
Risk Measurement
Partners in Risk &
Loss
Provisioning
Gross Income Allocation to calculate
capital under SA
AMA Capital calculation using LDA,
SBA & HMA
3
ORM Framework - Components
Risk Causes
•
•
•
•
Process
People
Systems
External
Event Frequency
99.99%
Confidence level
RISK
EXPECTED
LOSS
UNEXPECTED
LOSS
CATASTROPHIC
LOSS
Effect Severity
Risk Governance
Operational Risk Definition/ Governance/ Policies
Strategic Diagnostic Study
Risk Management
1. Self Assessments
(SA)
Risk & Control Self Assessment (RCSA )
Key Risk Indicator (KRI)
2. Key Risk Indicator
Loss Data Capture
3. Loss Data
Management
(LDM)
Loss Data Analysis
Integrated Reporting ( SA, KRI & LDM),
New Product & Activity ( including Outsourcing)
4. Risk Mitigation
Programmes
Internal Control Supervision
BCP/DRP
Risk Measurement
Partners in Risk &
Loss
Provisioning
Gross Income Allocation to calculate
capital under SA
AMA Capital calculation using LDA,
SBA & HMA
4
Single Biggest Challenge
“Operational risk is very different”
Market Risk
Credit Risk
Operational Risk
Quantifiable
exposure
Yes
Yes
Difficult
Exposure measure
Position; risk
sensitivity
Money lent, Potential
exposure
Difficult – no ready
equivalent position
available
Portfolio
completeness
Known
Known
Unknown
Context dependency
Low
Medium
High
Data frequency
High
Medium
Continuous
Applicable for
departments
Treasury and Market
risk
Credit Department
Through out the
Bank
Testing
Adequate data for
back testing
Back testing difficult
to perform over short
term
Results very difficult
to test over any time
horizon
Risk Position
Completeness
Context dependency
& data
Relevance
Measurement &
Validation
Partners in Risk &
5
Self Assessment Issues & Challenges
Decision for approach: Bottom up vs Top down
Rationalizing roles and responsibilities
Assigning responsibility and accountability for operational risk without
impacting effectiveness and efficiency
Overlaps of ORM with other risk control areas such compliance, audit etc
Awareness among the employees of the bank with respect to the
benefits of operational risk management
Creating blame free environment – encouragement to identify lacks in
the existing controls
Partners in Risk &
6
Self Assessment - Top Down Vs Bottom up
Pros
Easy of Implementation
Cons
Lacks granularity
Pros
Offers complete drill down of risk
assessment
Cons
Partners in Risk &
Misses “big picture”
7
Segregation of Roles & Responsibilities
Business
Line
Department 1
Department 2
Department 3
BORM
BORM
BORM
RP
RP
RP
Direct Reporting
Indirect Reporting
Working Relationship
Partners in Risk &
Compliance
Operational
Risk
Audit
BORM – Business Operational Risk Manager
RP - Representative
8
Awareness & Change in Culture
Purpose
A Sense of Direction
Monitoring &
Learning
Commitment
A Sense of identity
and values
A Sense of evolution
Action
Capability
A Sense of
competence
Partners in Risk &
Change of culture where people are encouraged to report risks rather than
hide it
All business units should capture losses in a consistent framework rather
than their individual way
Carrot / Stick approach
9
Key Risk Indicators - Issues & Challenges
Suitability and relevance of the KRI ( Quality over Quantity)
No means to consistently relate the occurrence of Loss events and the location
of the problem
Plenty of indicative data is available in various MIS, but the relevance is never
tested
Difficult in implementing across the organisation as it requires an
interface with various source systems
To always represent a KRI from a system value is challenging, hence finding
surrogates and the relevance of surrogates
Difficult to compare KRIs across different institutions with different
trigger points and risk appetite
Difficult to estimate the trigger points of each identified KRI
No observable best practice
Partners in Risk &
10
Relevance of KRI
System Down
Inappropriate reconciliation procedures
When a loss happened
80%
30%
When no loss happened
90%
30%
System up
Loss
Partners in Risk &
System down
Total
20
80
100
No Loss
1,000
9,000
10,000
Total
1020
9,080
10,100
P (L) Given system down =
80/9080 = 0.88%
P (L) Given system up
20/1020 = 1.96%
=
11
Interface with source systems and surrogate finding
Having Interface with so many systems and also finding the appropriate metric which represents the
“key Risk” is a challenge. Finding surrogates to represent “Key Risks” has become a normal
phenomenon
Central Liability Tracking
System
Loan System
NPA System
Murabaha Finance System
Letter of Credit System
Letter of Guarantee System
Accounting System
HR System
Relationship (Collateral)
Management System (RMS)
CENTRAL
SOURCE
SYSTEM
ETL
layer
(for
values
of KRI)
KRI
(May or may
not represent
the Key Risk
which is
supposed to be
reflected by the
indicator)
Kondor Global +
Capital Market System
Kondor Plus
Treasury
Partners in Risk &
12
Loss Data Management - Issues & Challenges
Setting up a consistent loss data collection process
Creating blame free environment – encouragement to report losses
Threshold determination
Lack of adequate internal loss history
The sanctity of the available data as it is not in sync with the actual
booked losses
Differentiating between event (loss incident ) and a non event ( near
miss)
Difference of opinion in defining loss events and near misses
Difference of opinion in treating the recovery
Partners in Risk &
13
Threshold Determination
Determining threshold for capture of losses
Once a threshold is decided, mostly losses are not reported at the estimated
loss amount is just below the threshold amount
Not deciding the threshold and capturing all losses is also Herculean as many
insignificant events populate the loss database which are irrelevant and
already factored in the cost of doing business
Different accounting treatment for both loss and recovery and hence the
reconciliation problems
Partners in Risk &
14
Event vs Non Event
If the full recovery happens within 5 days ( for example) the event is
considered to be a non event
Full recovery after 5 days is also considered to be a non event and
classified as rapidly recovered loss
Different accounting treatment for both loss and recovery and hence the
reconciliation problems
Many banks also classify the non event as near misses, on the other
hand there are banks who independently define near misses and keep it
separate from non events
Some banks also keep the recovery option open for ever and even if the
recovery happens after years it is not included as a loss as it is recovered
Lack of consistent guidelines for capture and treatment of internal
losses, hence cannot be compared across internationally active banks
Partners in Risk &
15
AMA Issues & Challenges
AMA must use all four input factors:
Internal data :
The challenges associated with the collection of internal loss data
External Data:
No proper guidance on use of external data
No specific rules for making the external data relevant for the bank
Scenario Analysis:
No established market standards
Can be done either by developing internal scenarios or using external scenarios
Business Environment & Internal control factors
Not directly integrated in the loss distribution
No proper rules or benchmark for validating correlation assumptions
among various events
Capital figures cannot be compared across banks internationally
Partners in Risk &
16
Linkages among the Building Blocks
Group Risk
Risk Governance Framework
Business Unit /
Line Management
Objectives/Processes
Loss Data
Mgmt
Regular
Monitoring &
Reporting
Self
Assessment
Strategic
Diagnostic
(Top Down)
Control Effectiveness,
Testing & Findings
Risk & Control
Self Assessment
(Bottom up)
Findings
Key Risk
Indicators
Risk Events
Preventing Losses
Action Plan
Controls
Test Results
Analysis & Case Management
Partners in Risk &
17
Thank you
Confidentiality clause
This document is confidential. No part of it may be circulated or reproduced outside without express approval of Aptivaa Consulting.© Aptivaa Consulting 2007.