Transcript Mr.Alok Tiwari - INDIAN BANKS' ASSOCIATION

OPERATIONAL RISK
Issues &
Challenges
March 9, 2007
Partners in Risk & Compliance
Table of Contents
 ORM Framework and its Components
 Single Biggest Challenge
 Self Assessment – Issues & Challenges
 KRI – Issues & Challenges
 LDM – Issues & Challenges
 AMA – Issues & Challenges
Partners in Risk &
2
ORM Framework - Components
Risk Causes
•
•
•
•
Process
People
Systems
External
Event Frequency
99.99%
Confidence level
RISK
EXPECTED
LOSS
UNEXPECTED
LOSS
CATASTROPHIC
LOSS
Effect Severity
Risk Governance
Operational Risk Definition/ Governance/ Policies
Strategic Diagnostic Study
Risk Management
1. Self Assessments
(SA)
Risk & Control Self Assessment (RCSA )
Key Risk Indicator (KRI)
2. Key Risk Indicator
Loss Data Capture
3. Loss Data
Management
(LDM)
Loss Data Analysis
Integrated Reporting ( SA, KRI & LDM),
New Product & Activity ( including Outsourcing)
4. Risk Mitigation
Programmes
Internal Control Supervision
BCP/DRP
Risk Measurement
Partners in Risk &
Loss
Provisioning
Gross Income Allocation to calculate
capital under SA
AMA Capital calculation using LDA,
SBA & HMA
3
ORM Framework - Components
Risk Causes
•
•
•
•
Process
People
Systems
External
Event Frequency
99.99%
Confidence level
RISK
EXPECTED
LOSS
UNEXPECTED
LOSS
CATASTROPHIC
LOSS
Effect Severity
Risk Governance
Operational Risk Definition/ Governance/ Policies
Strategic Diagnostic Study
Risk Management
1. Self Assessments
(SA)
Risk & Control Self Assessment (RCSA )
Key Risk Indicator (KRI)
2. Key Risk Indicator
Loss Data Capture
3. Loss Data
Management
(LDM)
Loss Data Analysis
Integrated Reporting ( SA, KRI & LDM),
New Product & Activity ( including Outsourcing)
4. Risk Mitigation
Programmes
Internal Control Supervision
BCP/DRP
Risk Measurement
Partners in Risk &
Loss
Provisioning
Gross Income Allocation to calculate
capital under SA
AMA Capital calculation using LDA,
SBA & HMA
4
Single Biggest Challenge
“Operational risk is very different”
Market Risk
Credit Risk
Operational Risk
Quantifiable
exposure
Yes
Yes
Difficult
Exposure measure
Position; risk
sensitivity
Money lent, Potential
exposure
Difficult – no ready
equivalent position
available
Portfolio
completeness
Known
Known
Unknown
Context dependency
Low
Medium
High
Data frequency
High
Medium
Continuous
Applicable for
departments
Treasury and Market
risk
Credit Department
Through out the
Bank
Testing
Adequate data for
back testing
Back testing difficult
to perform over short
term
Results very difficult
to test over any time
horizon
Risk Position
Completeness
Context dependency
& data
Relevance
Measurement &
Validation
Partners in Risk &
5
Self Assessment Issues & Challenges
 Decision for approach: Bottom up vs Top down
 Rationalizing roles and responsibilities
 Assigning responsibility and accountability for operational risk without
impacting effectiveness and efficiency
 Overlaps of ORM with other risk control areas such compliance, audit etc
 Awareness among the employees of the bank with respect to the
benefits of operational risk management
 Creating blame free environment – encouragement to identify lacks in
the existing controls
Partners in Risk &
6
Self Assessment - Top Down Vs Bottom up
Pros

Easy of Implementation
Cons

Lacks granularity
Pros

Offers complete drill down of risk
assessment
Cons

Partners in Risk &
Misses “big picture”
7
Segregation of Roles & Responsibilities
Business
Line
Department 1
Department 2
Department 3
BORM
BORM
BORM
RP
RP
RP
Direct Reporting
Indirect Reporting
Working Relationship
Partners in Risk &
Compliance
Operational
Risk
Audit
BORM – Business Operational Risk Manager
RP - Representative
8
Awareness & Change in Culture
Purpose
A Sense of Direction
Monitoring &
Learning
Commitment
A Sense of identity
and values
A Sense of evolution
Action
Capability
A Sense of
competence
Partners in Risk &

Change of culture where people are encouraged to report risks rather than
hide it

All business units should capture losses in a consistent framework rather
than their individual way

Carrot / Stick approach
9
Key Risk Indicators - Issues & Challenges
 Suitability and relevance of the KRI ( Quality over Quantity)
 No means to consistently relate the occurrence of Loss events and the location
of the problem
 Plenty of indicative data is available in various MIS, but the relevance is never
tested
 Difficult in implementing across the organisation as it requires an
interface with various source systems
 To always represent a KRI from a system value is challenging, hence finding
surrogates and the relevance of surrogates
 Difficult to compare KRIs across different institutions with different
trigger points and risk appetite
 Difficult to estimate the trigger points of each identified KRI
 No observable best practice
Partners in Risk &
10
Relevance of KRI
System Down
Inappropriate reconciliation procedures
When a loss happened
80%
30%
When no loss happened
90%
30%
System up
Loss
Partners in Risk &
System down
Total
20
80
100
No Loss
1,000
9,000
10,000
Total
1020
9,080
10,100
P (L) Given system down =
80/9080 = 0.88%
P (L) Given system up
20/1020 = 1.96%
=
11
Interface with source systems and surrogate finding
Having Interface with so many systems and also finding the appropriate metric which represents the
“key Risk” is a challenge. Finding surrogates to represent “Key Risks” has become a normal
phenomenon
Central Liability Tracking
System
Loan System
NPA System
Murabaha Finance System
Letter of Credit System
Letter of Guarantee System
Accounting System
HR System
Relationship (Collateral)
Management System (RMS)
CENTRAL
SOURCE
SYSTEM
ETL
layer
(for
values
of KRI)
KRI
(May or may
not represent
the Key Risk
which is
supposed to be
reflected by the
indicator)
Kondor Global +
Capital Market System
Kondor Plus
Treasury
Partners in Risk &
12
Loss Data Management - Issues & Challenges
 Setting up a consistent loss data collection process
 Creating blame free environment – encouragement to report losses
 Threshold determination
 Lack of adequate internal loss history
 The sanctity of the available data as it is not in sync with the actual
booked losses
 Differentiating between event (loss incident ) and a non event ( near
miss)
 Difference of opinion in defining loss events and near misses
 Difference of opinion in treating the recovery
Partners in Risk &
13
Threshold Determination
 Determining threshold for capture of losses
 Once a threshold is decided, mostly losses are not reported at the estimated
loss amount is just below the threshold amount
 Not deciding the threshold and capturing all losses is also Herculean as many
insignificant events populate the loss database which are irrelevant and
already factored in the cost of doing business
 Different accounting treatment for both loss and recovery and hence the
reconciliation problems
Partners in Risk &
14
Event vs Non Event
 If the full recovery happens within 5 days ( for example) the event is
considered to be a non event
 Full recovery after 5 days is also considered to be a non event and
classified as rapidly recovered loss
 Different accounting treatment for both loss and recovery and hence the
reconciliation problems
 Many banks also classify the non event as near misses, on the other
hand there are banks who independently define near misses and keep it
separate from non events
 Some banks also keep the recovery option open for ever and even if the
recovery happens after years it is not included as a loss as it is recovered
 Lack of consistent guidelines for capture and treatment of internal
losses, hence cannot be compared across internationally active banks
Partners in Risk &
15
AMA Issues & Challenges
 AMA must use all four input factors:
 Internal data :
 The challenges associated with the collection of internal loss data
 External Data:
 No proper guidance on use of external data
 No specific rules for making the external data relevant for the bank
 Scenario Analysis:
 No established market standards
 Can be done either by developing internal scenarios or using external scenarios
 Business Environment & Internal control factors
 Not directly integrated in the loss distribution
 No proper rules or benchmark for validating correlation assumptions
among various events
 Capital figures cannot be compared across banks internationally
Partners in Risk &
16
Linkages among the Building Blocks
Group Risk
Risk Governance Framework
Business Unit /
Line Management
Objectives/Processes
Loss Data
Mgmt
Regular
Monitoring &
Reporting
Self
Assessment
Strategic
Diagnostic
(Top Down)
Control Effectiveness,
Testing & Findings
Risk & Control
Self Assessment
(Bottom up)
Findings
Key Risk
Indicators
Risk Events
Preventing Losses
Action Plan
Controls
Test Results
Analysis & Case Management
Partners in Risk &
17
Thank you
Confidentiality clause
This document is confidential. No part of it may be circulated or reproduced outside without express approval of Aptivaa Consulting.© Aptivaa Consulting 2007.