An Integrated Framework for Measuring and Managing Operational Risk Sam Harris Director SAS Financial Services Strategy February 17, 2004 Copyright © 2003, SAS Institute Inc.
Agenda

I Introduction
II The Elements of an Integrated Approach
III Definition and Categorization Issues
IV Collecting Loss Data
V Standards for Control Assessment and Indicators
VI Causal Modeling
VII VaR Modeling Under the AMA
VIII VaR Calculation
IX Management Applications

I) Introduction

II) The Elements of An Integrated Framework

At the most fundamental level, managing operational risk involves understanding one's risks and how to manage them

RISKS: What type of risks do I face? Which are the largest risks?
CONTROLS: How well are these risks being managed?

Managers need a set of tools to help them accurately measure/assess their operational risks and the quality of their corresponding internal controls
There are four fundamental steps to managing operational risk, with each step leading to improvements in management & control quality and greater economic profit

FRAMEWORK
• Roles and responsibilities
• Policies and procedures
• Risk strategy, tolerance
• Definition and categorization

PROCESSES
• Loss data collection
• Risk indicator data collection
• Control self-assessment
• Risk assessment and analysis
• Automatic notification
• Workflow
• Follow up action

MEASUREMENT
• Estimation of cost of operational failure
• Estimation of VaR – risk capital
• Integration of Cost and Risk measures with CSA and risk indicator scores

REPORTING
• Integrated MIS reporting
• Awareness of exposures
• Understanding of loss trends
• Improved risk mitigation and transfer strategy
• Cost benefit analysis

(Chart axes: Management & Control Quality, Economic Profit)

An integrated operational risk management program consists of five key elements

• Internal and External Loss Data - actual loss events that have taken place
• Indicator Data - measurable variables that are believed to be correlated with performance, losses, or loss variability
    Key performance indicators
    Loss (risk) indicators
    Exposure (scale) indicators
• Control Assessment Data - assessments based on pre-specified criteria believed to be indicative of control quality
• Value at Risk Figures - monetary estimates of risk capital based on a quantitative model
• Risk Assessment Figures - monetary estimates of risk capital based on disciplined assessment process
Risk Matrix for Loss Data (Descriptive Statistics)

Columns, in order: Internal Fraud | External Fraud | Employment Practices & Workplace Safety | Clients, Products & Business Practices | Damage to Physical Assets | Execution, Delivery & Process Management | Business Disruption and System Failures | Total

Corporate Finance
  Number:             362 | 123 | 25 | 36 | 33 | 150 | 2 | 731
  Mean:               35,459 | 52,056 | 3,456 | 56,890 | 56,734 | 1,246 | 89,678 | 44,215
  Standard Deviation: 5,694 | 8,975 | 3,845 | 7,890 | 3,456 | 245 | 23,543 | 6,976
Trading & Sales
  Number:             50 | 4 | 35 | 50 | 46 | 210 | 3 | 398
  Mean:               53,189 | 78,084 | 5,184 | 85,335 | 85,101 | 1,869 | 134,517 | 66,322
  Standard Deviation: 8,541 | 13,463 | 5,768 | 11,835 | 5,184 | 368 | 35,315 | 10,464
Retail Banking
  Number:             45 | 4 | 32 | 45 | 42 | 189 | 3 | 360
  Mean:               47,870 | 70,276 | 4,666 | 76,802 | 76,591 | 1,682 | 121,065 | 59,690
  Standard Deviation: 7,687 | 12,116 | 5,191 | 10,652 | 4,666 | 331 | 31,783 | 9,417
Commercial Banking
  Number:             41 | 3 | 28 | 41 | 37 | 170 | 2 | 322
  Mean:               43,083 | 63,248 | 4,199 | 69,121 | 68,932 | 1,514 | 108,959 | 53,721
  Standard Deviation: 6,918 | 10,905 | 4,672 | 9,586 | 4,199 | 298 | 28,605 | 8,476
Payment & Settlements
  Number:             37 | 3 | 26 | 37 | 34 | 153 | 2 | 292
  Mean:               38,774 | 56,923 | 3,779 | 62,209 | 62,039 | 1,363 | 98,063 | 48,349
  Standard Deviation: 6,226 | 9,814 | 4,205 | 8,628 | 3,779 | 268 | 25,744 | 7,628
Agency Services
  Number:             44 | 4 | 31 | 44 | 40 | 184 | 2 | 349
  Mean:               46,529 | 68,308 | 4,535 | 74,651 | 74,446 | 1,635 | 117,675 | 58,018
  Standard Deviation: 7,472 | 11,777 | 5,045 | 10,353 | 4,535 | 321 | 30,893 | 9,154
Asset Management
  Number:             40 | 3 | 28 | 40 | 36 | 165 | 2 | 314
  Mean:               41,876 | 61,477 | 4,081 | 67,186 | 67,002 | 1,472 | 105,908 | 52,217
  Standard Deviation: 6,725 | 10,599 | 4,541 | 9,318 | 4,081 | 289 | 27,804 | 8,238
Retail Brokerage
  Number:             48 | 4 | 33 | 48 | 44 | 198 | 3 | 378
  Mean:               50,252 | 73,773 | 4,898 | 80,623 | 80,402 | 1,766 | 127,090 | 62,660
  Standard Deviation: 8,069 | 12,719 | 5,449 | 11,182 | 4,898 | 347 | 33,365 | 9,886
Insurance
  Number:             43 | 4 | 30 | 43 | 39 | 179 | 2 | 340
  Mean:               45,226 | 66,395 | 4,408 | 72,561 | 72,362 | 1,589 | 114,381 | 56,394
  Standard Deviation: 7,262 | 11,447 | 4,904 | 10,063 | 4,408 | 312 | 30,028 | 8,897
Total
  Number:             710 | 152 | 268 | 384 | 351 | 1,598 | 21 | 3,484
  Mean:               45,653 | 67,021 | 4,450 | 73,245 | 73,044 | 1,604 | 115,459 | 56,926
  Standard Deviation: 7,331 | 11,555 | 4,950 | 10,158 | 4,450 | 315 | 30,311 | 8,981

Risk Matrix for Control Assessment (Scores 0-100)

Columns, in order: Internal Fraud | External Fraud | Employment Practices & Workplace Safety | Clients, Products & Business Practices | Damage to Physical Assets | Execution, Delivery & Process Management | Business Disruption and System Failures | Total

Corporate Finance:     55 | 56 | 75 | 56 | 33 | 50 | 23 | 56
Trading & Sales:       50 | 45 | 53 | 50 | 46 | 21 | 32 | 39
Retail Banking:        45 | 47 | 66 | 45 | 42 | 18 | 36 | 36
Commercial Banking:    41 | 32 | 78 | 41 | 37 | 17 | 25 | 32
Payment & Settlements: 37 | 39 | 76 | 37 | 34 | 15 | 29 | 29
Agency Services:       44 | 48 | 56 | 44 | 40 | 18 | 22 | 34
Asset Management:      40 | 61 | 68 | 40 | 36 | 16 | 21 | 31
Retail Brokerage:      48 | 56 | 74 | 48 | 44 | 19 | 31 | 37
Insurance:             43 | 42 | 65 | 43 | 39 | 17 | 29 | 34
Total:                 45 | 45 | 68 | 48 | 35 | 18 | 28 | 38

Integrated Risk-Control Matrix

Corporate Finance (columns in the same order as above)
  Previous VaR:       21,000,000 | 36,000,000 | 62,000,000 | 75,000,000 | 124,000,000 | 86,000,000 | 36,000,000 | 362,000,000
  Prev/Current Score: 50/55 | 60/58 | 75/71 | 61/61 | 45/55 | 50/52 | 50/55 | 50/55
  Final Capital:      19,000,000 | 35,000,000 | 65,000,000 | 75,000,000 | 104,000,000 | 83,000,000 | 32,000,000 | 326,000,000

III) Definition and Categorization Issues

The first step is to define one’s risks

Transaction Execution Settlement Technological Inadequate Supervision Information Key Management Lack of Resources Theft Reputation Criminal Relationship Fraud Insufficient Training Rogue Trader People Fiduciary Compliance Physical Assets Legal/Regulatory Customer Poor Management
Fixed Cost Structures Strategic Business Interruption

The universe of operational risks spans causes, events and consequences

CAUSES
• Inadequate segregation of duties
• Insufficient training
• Lack of management supervision
• Inadequate auditing procedures
• Inadequate security measures
• Poor systems design
• Poor HR policies

EVENTS
• Internal Fraud
• External Fraud
• Employment Practices & Workplace Safety
• Clients, Products & Business Practices
• Damage to Physical Assets
• Business Disruption & System Failures
• Execution, Delivery & Process Management

CONSEQUENCES
EFFECTS (Monetary Losses)
• Legal Liability
• Regulatory, Compliance & Taxation Penalties
• Loss or Damage to Assets
• Restitution
• Loss of Recourse
• Write-down
OTHER IMPACTS
• Reputation
• Business Interruption
• Forgone Income

What are the standards for defining and categorizing operational risk?

Management information - Grouping of like items (homogenous risk types) to facilitate the management of risk and assignment of controls on the basis of natural boundaries
Statistical Consistency - Mutually exclusive (uncorrelated) and exhaustive (comprehensive), homogenous distributions
Logical Consistency -
Examples must be consistent with definitions

Event risk categories are represented in a three tier hierarchy (Primary, Secondary, Activity Examples)

Internal Fraud
Losses due to acts of a type intended to defraud, misappropriate property, or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one internal party
• Unauthorized Activities: Transactions not reported (intentional), Transaction type unauthorized (w/monetary loss), Mismarking of position (intentional)
• Theft & Fraud: Fraud/credit fraud, worthless deposits, Theft, extortion, embezzlement, robbery, Misappropriation of assets, Malicious destruction of assets, Forgery, Check kiting, Smuggling, Account takeover, impersonation, Tax noncompliance, evasion (willful), Bribes/Kickbacks, Insider trading (not on firm's account)

External Fraud
Losses due to acts of a type intended to defraud, misappropriate property, or circumvent regulations, or the law by a third party
• Theft & Fraud: Theft/Robbery, Forgery, Check kiting
• Systems Security: Hacking damage, Theft of information (w/monetary loss)

Employment Practices and Workplace Safety
Losses arising from acts inconsistent with employment health or safety laws, or agreements, from payment of personal injury claims, or from diversity/discrimination events.
• Employee Relations: Compensation, benefit, termination issues, Organized labor activity, Poaching
• Safe Environment: General liability (slip and fall, etc), Employee health & safety rules events, Workers' compensation
• Diversity and Discrimination: All forms of discrimination

Clients, Products & Business Practices
Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
• Suitability, Disclosure & Fiduciary: Fiduciary breaches - guideline violations, Suitability - disclosure issues (know your customer etc.), Retail consumer disclosure violations, Breach of privacy, Aggressive sales, Account churning, Misuse of confidential information, Lender liability
• Selection, Sponsorship & Exposure: Failure to investigate client per guidelines, Exceeding client exposure limits
• Advisory Activities: Disputes over performance of advisory activities
• Improper Business or Market Practices: Antitrust, Improper trade/market practices, Market manipulation, Insider trading (on firm's account), Unlicensed activity, Money Laundering
• Product Flaws: Product defects (unauthorized), Model errors

Damage to Physical Assets
Losses arising from loss or damage to physical assets from natural disaster or other events.
• Disasters and other events: Natural disaster losses, Human losses from external sources (terrorism, vandalism)

Business Disruption and System Failures
Losses arising from disruption of business or systems failures
• Systems: Hardware, Software, Telecommunications, Utility outage/disruptions

Execution, Delivery & Process Management
Losses from failed transaction processing or process management, from relations with trade counterparties and vendors or from systems failures.
• Transaction Capture, Execution & Maintenance: Miscommunication, Data entry, maintenance, or loading error, Missed deadline or responsibility, Model/system misoperation, Accounting error, entity attribution error, Other task misperformance, Delivery failure, Collateral management failure, Reference data maintenance
• Monitoring and Reporting: Failed mandatory reporting obligation, Inadequate oversight, Inaccurate external report (loss incurred)
• Customer Intake and Documentation: Client permissions, disclaimers missing, Legal documents missing, incomplete
• Customer/Client Account Management: Unapproved access given to accounts (includes inadvertent access to one party on a joint account), Incorrect client records (loss incurred), Negligent loss or damage of client assets
• Trade Counterparties: Nonclient counterparty misperformance, Misc. nonclient counterparty disputes
• Vendors and Suppliers: Outsourcing, Vendor disputes

IV) Collecting Loss Data

Three sources of loss data may be considered

• Internal Data – data drawn directly from the entity whose risk is being measured; this is the most relevant data set, but such data is generally insufficient for most modeling and statistical analysis purposes because of the small sample size
• External Pooled Data – public and non-public data drawn from a loss data sharing consortium; this data is less relevant than internal data, but offers a larger sample, allowing for more accurate modeling/statistical analysis
• External Public Data – data drawn from public sources; less relevant than internal data, contains a larger set of “tail events,” but subject to numerous biases, so cannot be used directly for modeling.

While one would expect that consortium data will eventually prove to be more useful than external public data, this will only be true if these initiatives reach critical mass and the data is honestly reported and consistently categorized

A formal process for collecting loss event data must be implemented
Loss data needs to be adjusted for inflation and scaled for size

Inflation adjustment: $10 million loss in 1990 = $12.4 million loss in 2001
Scale adjustment: $10 million loss when a $2 billion (revenue) bank = $13.2 million loss when a $6 billion bank [1]

\[ \text{ScaledLoss} = L_{DB} \left( \frac{R_{cur}}{R_{pre}} \right)^{n} \]

L_{DB} = Actual loss experienced by bank
R_{cur} = Current revenue of bank
R_{pre} = Previous revenue of bank
n = Scaling coefficient determined by regression analysis

[1] Shih, J., A. Samad-Khan and P. Medapa, “Is the Size of an Operational Loss Related to Firm Size,” Operational Risk (January 2000)

V) Standards for Control Assessment and Indicators

Identifying relevant control issues and indicators requires a disciplined process that begins with identifying losses and their underlying causes

[Diagram: RISKS, LOSSES, CAUSES, CONTROL ISSUE / INDICATOR. For Internal Fraud (example losses 167,245; 142,456; 123,345; 113,342; 94,458) the causes and control issues shown are Segregation of duties, Vacation policy, Data manipulation and Data Integrity. For EDPM (example losses 74,712,345; 32,603,709; 457,745; 5,345,957; 44,576) the causes shown are Insufficient training and Lack of management supervision, and the indicators shown are Staff Training Budget, Number of Reconciliation Errors and Number of Customer Complaints. Caption: Risks are manifested in losses]
A control assessment scorecard system must be relevant, consistent and objective

• Relevance - The control issues must be relevant to a business line and risk
• Answer choices - The answer choices should be consistent
• Weighting - The control issues must be weighted according to relevance
• Scale - All scores must be converted to a consistent scale, e.g., 0 to 100
• Normalization - The process for normalizing scores must be theoretically valid
• Transparency - The process must be transparent to allow for buy in and to identify opportunities for improvement
• Validation - Responses must be validated to avoid “gaming” the system

Risk indicators must be validated through empirical analysis

Issue | Indicator | Description
Systems | System Downtime | Number of minutes per month system is offline
Data Quality | Processing Errors | % of transactions with errors
Scale | Employees | Number of Employees
Scale | Transactions | Number of Transactions
Level of Employee Knowledge | Employee Experience | Average months of experience per employee

\[ Y_t = \alpha_t + \beta_{1t} X_{1t} + \dots + \beta_{nt} X_{nt} + \varepsilon_t \]

In order for an indicator to be a true risk indicator, there must be empirical evidence (from econometric analysis) supporting a relationship between the indicator and loss frequency or loss severity

VI) Causal Modeling

Should we use loss data for causal modeling?

Suppose we have identified all the “causal factors” associated with one hundred loss events

Case No | Loss Amount | System Down | Inadequate Segregation of Duties | Inappropriate Reconciliation Procedures
1 to 100 | 10,000 each | | |
TOTAL 100 | 1,000,000 | 80 | 40 | 30

We can summarize this information as follows:

Issue & Loss*
System Down: 80%
Inadequate Segregation of Duties: 40%
Inappropriate Reconciliation Procedures: 30%
*Number of times issue was observed/number of loss events (in %)

However, we must identify how many of these “causal factors” existed when losses did not take place (10,000 cases)

Case No | Loss Amount | System Down | Inadequate Segregation of Duties | Inappropriate Reconciliation Procedures
101 to 10,100 | 0 each | | |
TOTAL 10,000 | 0 | 9,000 | 4,000 | 1,000

In order to understand which causal factors are relevant one has to compare the issue rates when losses occurred to the issue rates when losses didn’t occur

 | Number of Cases | System Down | Inadequate Segregation of Duties | Inappropriate Reconciliation Procedures
Losses | 100 | 80 | 40 | 30
No Loss | 10,000 | 9,000 | 4,000 | 1,000
Total | 10,100 | 9,080 | 4,040 | 1,030

 | Issue & Loss | Issue & No Loss*
System Down | 80% | 90%
Inadequate Segregation of Duties | 40% | 40%
Inappropriate Reconciliation Procedures | 30% | 10%
*Number of times issue was observed/number of events without losses (in %)

The true probabilistic relationships can be calculated as follows:

 | Loss | No Loss | Total
System Up | 20 | 1,000 | 1,020
System Down | 80 | 9,000 | 9,080
Total | 100 | 10,000 | 10,100

P(L) Given System Down = 80/9080 = 0.88%
P(L) Given System Up = 20/1020 = 1.96%

VII) VaR Modeling Under the AMA
Definitions: The expected loss is the mean annual aggregate loss and unexpected loss represents the volatility above this mean at a specified confidence level

[Chart: Total Loss Distribution. Probability against Annual Aggregate Loss ($), marking the Mean, the 99th percentile, Expected Loss (cost) and Unexpected Loss (VaR)]

VaR is primarily driven by low frequency, high severity events

[Chart: Total Loss Distribution for Trading & Sales (T&S) and Total Loss Distribution for Retail Banking (RB). Probability against Annual Aggregate Loss ($), marking the Mean, 99th percentile and VaR of each]

Using internal and external loss data, one can calculate VaR

[Diagram: RISK MATRIX FOR LOSS DATA (Number, Mean and Standard Deviation by business line and event risk category), INDIVIDUAL LOSS EVENTS, LOSS DISTRIBUTIONS (Frequency of events; Severity of loss), VaR Calculator (e.g., Monte Carlo Simulation Engine), TOTAL LOSS DISTRIBUTION (Mean and 99th Percentile of Annual Aggregate Loss ($)), VAR CALCULATION]

Composite control assessment/indicator scores can be used to modify capital figures

[Diagram: VAR, CONTROL ASSESSMENT/INDICATOR SCORE (scale 0 to 100, showing Previous score and Current score), CAPITAL. Label: Adjustment for Quality of Current Control Environment. Figures shown: 210 and 190]

Linking capital to changes in the quality of internal controls provides an incentive for desired behavioral change

Adjustments to capital take place at the cell level, based on the change in composite control scores

RISK MATRIX FOR CAPITAL (Corporate Finance: Previous VaR, Prev/Current Score, Final Capital)
Columns, in order: Internal Fraud | External Fraud | Employment Practices & Workplace Safety | Clients, Products & Business Practices | Damage to Physical Assets | Execution, Delivery & Process Management | Business Disruption and System Failures | Total
  Previous VaR:       21,000,000 | 36,000,000 | 62,000,000 | 75,000,000 | 124,000,000 | 86,000,000 | 36,000,000 | 362,000,000
  Prev/Current Score: 50/55 | 60/58 | 75/71 | 61/61 | 45/55 | 50/52 | 50/55 | 50/55
  Final Capital:      19,000,000 | 35,000,000 | 65,000,000 | 75,000,000 | 104,000,000 | 83,000,000 | 32,000,000 | 326,000,000

Internal data generally does not contain a sufficient number of the tail events to accurately describe that part of the distribution, therefore one needs to supplement internal data with external data

[Chart: Number of Events against Size of Loss; the tail is labelled "Internal data cannot describe this part of the distribution"]

SAS has built the largest, most accurate and comprehensive external public loss database

SELECTED EXAMPLES

Firm name: Nomura Securities International Incorporated
Business line (level 1 / level 2): Trading & Sales / Sales
Loss amount ($M): 47.90
Event risk category / sub risk category: Clients, Products & Business Practices / Suitability, Disclosure & Fiduciary
Country of domicile: Japan
Settlement year: 1998
Description: In July 1998, Nomura Securities International Inc, the US brokerage unit of Nomura Securities of Japan, reported that it had agreed to pay $47.9M in settlement of charges stemming from the Orange County's bankruptcy lawsuit. The suit was filed against the firm for investing municipal county funds in high risk derivatives and municipal bond trading that was illegal under California law. The Securities Exchange Commission reported that Nomura was one of the brokerage firms responsible for the county's bankruptcy. Orange County claimed to have lost $1.64 billion. The SEC stated that Nomura had lent the county huge sums of money, which it reinvested in search of high returns. Nomura also supplied the risky securities favoured by then county Treasurer and Tax Collector Robert L. Citron that plunged in value when interest rates rose sharply in 1994. The SEC also charged the firm for its role in underwriting key bonds for the county and accused Citron of illegally investing in volatile securities that were unsuitable for public funds.

Firm name: ABN Amro Holding NV
Business line (level 1 / level 2): Agency Services / Corporate Trust
Loss amount ($M): 141.00
Event risk category / sub risk category: Internal Fraud / Theft & Fraud
Country of domicile: Netherlands
Settlement year: 1998
Description: In November 1998, ABN Amro Holding NV, a Netherlands full services bank and Europe's eighth largest banking firm, reported that it had realized a loss of 174M guilders ($141M) due to forgery, embezzlement and fraud perpetrated by four of its former employees. The four allegedly committed about 600 fraudulent transactions, making improper use of about 30 client accounts. The bank said that after uncovering the irregularities, it fired the employees and notified law enforcement officials in February, 1997. The transactions took place within the bank's trust department, whose functions included maintaining bank accounts for 600 to 800 clients living abroad. Its products included numbered bank accounts for clients whose identities were known only within the department. Employees also executed orders solely on the basis of telephone instructions. The bank said that, upon inspection, some packages in custody that supposedly contained diamonds turned out to contain false diamonds, and diamond shipment orders given by clients were sometimes accompanied by falsified invoices.

Firm name: Merrill Lynch & Company
Business line (level 1 / level 2): Trading & Sales / Sales
Loss amount ($M): 100.00
Event risk category / sub risk category: Clients, Products & Business Practices / Improper Business or Market Practices
Country of domicile: United States
Settlement year: 1997
Description: In December 1997, Merrill Lynch & Co, a US broker-dealer, reported that it had agreed to pay $100M in fines to settle charges of price fixing on the Nasdaq stock market. The Securities and Exchange Commission fined 30 Wall Street firms more than $910M in this regard. The lawsuit alleged that as many as a million investors lost billions of dollars because of collusion among the firms between 1989 and 1994. This collusion caused an artificial widening of spreads, the gap between the purchase and selling prices of stocks, thereby adding to dealer profits. The settlement also required the firms to improve trading policies and procedures. The case began in 1994, when the SEC and the Justice Department accused major Nasdaq dealers of conspiring to fix the bid-ask spreads on stock quotes resulting in extra costs to ordinary investors on their stock trades. Under the settlement, the brokerage firms with the most alleged violations agreed to pay higher fines. In making its original case, the SEC charged that major Nasdaq dealers harassed or refused to trade with others who tried to offer investors a better price for a stock.

Firm name: WGZ Bank
Business line (level 1 / level 2): Trading & Sales / Proprietary Positions
Loss amount ($M): 200.37
Event risk category / sub risk category: Internal Fraud / Systems Security
Country of domicile: Germany
Settlement year: 1998
Description: In October 1998, Westdeutsche Genossenschafts-Zentralbank AG (WGZ-Bank), a German commercial bank, reported that it had realised a loss of DM 377 ($200.4M) due to computer fraud perpetrated by two employees over the past sixteen months. The bank has initiated a case against the two employees, who used a loophole in the bank's computer system for currency derivatives. They entered unrealistic intermediary values, which the system failed to document and managed to realise the profits in their derivative securities. The fraud was only discovered after the installation of an updated system, required under a new law, which eliminates the opportunity for such manipulation.

Firm name: Korea First Bank
Business line (level 1 / level 2): Commercial Banking / Commercial Banking
Loss amount ($M): 93.00
Event risk category / sub risk category: Clients, Products & Business Practices / Improper Business or Market Practices
Country of domicile: South Korea
Settlement year: 1998
Description: In April 1998, Korea First Bank, a South Korean commercial bank with operations in the US, reported that it had agreed to pay $93M in settlement of a lawsuit that charged it with wrongfully dishonoring its irrevocable letters of credit. The New York Appellate Court ruled in favour of CalEnergy Company Inc, a global energy company that manages and owns an interest in over 5000 megawatts of power generation capability among various facilities in operation, construction and development worldwide. Casecnan Water and Energy Company Inc, a subsidiary of CalEnergy, was executing a power project in the Philippines. Hanbo Corporation had been acting as the turnkey contractor and guarantor for the Casecnan project. KFB's letter of credit was issued as financial security for the obligations of Hanbo. The contract with Hanbo Corp. was terminated by Casecnan due to Hanbo's insolvency and other misperformance in the project, at which time Casecnan made an initial draw on the KFB letter of credit securing Hanbo's performance under the contract. Furthermore, Casecnan had made three subsequent draws on the letter of credit, all of which were opposed by Hanbo and draws under the letter of credit were dishonoured by Korea First Bank.

Firm name: Citibank
Business line (level 1 / level 2): Commercial Banking / Commercial Banking
Loss amount ($M): 30.00
Event risk category / sub risk category: External Fraud / Theft & Fraud
Country of domicile: United States
Settlement year: 1999
Description: In September 1999, Citibank, a US commercial bank with global operations and unit of Citigroup, reported that it had realized a loss of $30M due to credit fraud. The firm's UK branch was one of 20 financial institutions operating in the Middle East which were the victims of fraud. Madhav Patel, an Indian businessman, allegedly deceived the bank by using forged documents to secure letters of credit guaranteeing payment for bogus transactions. The alleged fraud came to light earlier this year when Patel's British registered firm, Solo Industries, ran into financial difficulties in the Middle East. Patel, who ran several metal smelting businesses in Dubai, secured letters of credit from the firm as well as other banks to guarantee payments on shipments of metal to the United Arab Emirates. Police believe the shipments were bogus and the money was diverted elsewhere. Patel moved to London after his business collapsed in May. He has since disappeared.

Firm name: Credit Suisse First Boston Corporation
Business line (level 1 / level 2): Corporate Finance / Corporate Finance
Loss amount ($M): 4.00
Event risk category / sub risk category: Employment Practices and Workplace Safety / Employee Relations
Country of domicile: Switzerland
Settlement year: 1997
Description: In May 1997, Credit Suisse First Boston Corp., a US investment bank and unit of Credit Suisse Group, reported that it had agreed to pay $4M in a settlement with 33 former investment bankers in its municipal bond unit. The former employees claimed that the firm improperly refused to pay them annual bonuses when they were terminated. CSFB took the unusual step of offering no bonuses to laid off municipal bond investment bankers after the firm shut its municipal unit in 1995, even though the bankers had worked through 1994 and had generated profits for the company. At the same time, some bankers in the mortgage-backed securities unit were paid bonuses despite a loss of about $40M at that unit.

Firm name: Chase Manhattan Bank
Business line (level 1 / level 2): Payment and Settlement / External Clients
Loss amount ($M): 1.45
Event risk category / sub risk category: Execution, Delivery & Process Management / Transaction Capture, Execution & Maintenance
Country of domicile: United States
Settlement year: 1995
Description: In January 1995, Chase Manhattan Bank, a US commercial bank, reported that it had agreed to pay $1.5M in settlement with a publishing company for having improperly endorsed checks used in an embezzlement scheme. Knight Publishing lost nearly $2M between 1985 and 1992 in a scheme run by Oren Johnson, a production supervisor at the newspaper. Johnson admitted authorizing the company to issue checks to Graphic Image, a commercial printing firm, for supplies that were never delivered. He split the money with two other men and all three pled guilty to mail fraud, money-laundering and conspiracy. Knight Publishing claimed Chase Manhattan should not have honored the checks because the endorser's name did not match the name on the checks.

Firm name: Phatra Thanakit
Business line (level 1 / level 2): Retail Brokerage / Retail Brokerage - Secondary markets
Loss amount ($M): 1.60
Event risk category / sub risk category: Business Disruption and System Failures / Systems
Country of domicile: Thailand
Settlement year: 1993
Description: In November 1993, Phatra Thanakit, a Thailand brokerage firm, reported that it had agreed to pay 40M Baht ($1.6M) in fines as settlement of Securities Exchange of Thailand (SET) charges alleging violations of trading rules. The fine was levied over the firm's role in a technical error during trading operations. The firm, one of the five biggest brokers in the Thai stock market, was responsible for an error involving a sale order for 200 million shares in Ayudha Investment (AITCO) which had only 25 million shares outstanding. The firm said that one of its subbrokers placed a sell order for 2000 shares but a computer fault converted the order to 200 million shares. The company tried to cancel the order about 20 minutes after the order was placed on SET's computerized board and notified the exchange of the technical error. However, some 18 million shares, worth more than 2.3 billion baht, had already been matched with buying orders. The exchange called an emergency meeting at the end of the day's trading and decided to void the transactions for the 18 million shares.

There are several data issues to address in modeling operational value at risk

• Internal data is the most relevant source of information for measuring operational risk, but it is generally insufficient
• Internal and external data come from fundamentally different distributions and therefore cannot be merged directly
• All operational loss data is collected above a threshold level, making it difficult to estimate parameters for modeling
• Operational loss data are not well represented by traditional two parameter severity distributions, such as the Lognormal or Weibull. Kurtosis (in log terms) ranges from 3-7.
• External data comes from so many institutions of varying sizes, with differing processes, controls and cultures, that it amounts to nothing more than a "stew"

How can external data be relevant to my bank?
• Size Bias – Larger institutions (and businesses) are likely to experience more losses than smaller institutions. These institutions are also likely to suffer larger losses.
• Control Bias – Institutions with weak controls are more likely to be represented in the database because they experience more losses. These institutions are also likely to suffer more large losses than well controlled institutions.
• Institutional Culture Bias – More aggressive institutions (and businesses) are likely to experience more losses than less aggressive institutions. These institutions are also likely to suffer larger losses.
• Infrastructure/Technology Bias – Less technologically advanced institutions (and businesses) are likely to experience more losses than more advanced institutions. These institutions are also likely to suffer larger technology losses.
• Media Bias – Large losses are more likely to be reported than small losses.
• Legal Environment Bias – The legal system in certain countries may lead to more frequent and/or larger losses.
Internal and external loss data should be placed in separate matrixes (by business line and risk category)

EXTERNAL EVENT RISK MATRIX
Business Line | Statistic | Internal Fraud | External Fraud | Employment Practices & Workplace Safety | Clients, Products & Business Practices | Damage to Physical Assets | Execution, Delivery & Process Management | Business Disruption and System Failures | Total
Corporate Finance | Number | 362 | 123 | 25 | 36 | 33 | 150 | 2 | 731
Corporate Finance | Mean | 35,459 | 52,056 | 3,456 | 56,890 | 56,734 | 1,246 | 89,678 | 44,215
Corporate Finance | Standard Deviation | 5,694 | 8,975 | 3,845 | 7,890 | 3,456 | 245 | 23,543 | 6,976
Trading & Sales | Number | 50 | 4 | 35 | 50 | 46 | 210 | 3 | 398
Trading & Sales | Mean | 53,189 | 78,084 | 5,184 | 85,335 | 85,101 | 1,869 | 134,517 | 66,322
Trading & Sales | Standard Deviation | 8,541 | 13,463 | 5,768 | 11,835 | 5,184 | 368 | 35,315 | 10,464
Retail Banking | Number | 45 | 4 | 32 | 45 | 42 | 189 | 3 | 360
Retail Banking | Mean | 47,870 | 70,276 | 4,666 | 76,802 | 76,591 | 1,682 | 121,065 | 59,690
Retail Banking | Standard Deviation | 7,687 | 12,116 | 5,191 | 10,652 | 4,666 | 331 | 31,783 | 9,417
Commercial Banking | Number | 41 | 3 | 28 | 41 | 37 | 170 | 2 | 322
Commercial Banking | Mean | 43,083 | 63,248 | 4,199 | 69,121 | 68,932 | 1,514 | 108,959 | 53,721
Commercial Banking | Standard Deviation | 6,918 | 10,905 | 4,672 | 9,586 | 4,199 | 298 | 28,605 | 8,476
Payment & Settlements | Number | 37 | 3 | 26 | 37 | 34 | 153 | 2 | 292
Payment & Settlements | Mean | 38,774 | 56,923 | 3,779 | 62,209 | 62,039 | 1,363 | 98,063 | 48,349
Payment & Settlements | Standard Deviation | 6,226 | 9,814 | 4,205 | 8,628 | 3,779 | 268 | 25,744 | 7,628
Agency Services | Number | 44 | 4 | 31 | 44 | 40 | 184 | 2 | 349
Agency Services | Mean | 46,529 | 68,308 | 4,535 | 74,651 | 74,446 | 1,635 | 117,675 | 58,018
Agency Services | Standard Deviation | 7,472 | 11,777 | 5,045 | 10,353 | 4,535 | 321 | 30,893 | 9,154
Asset Management | Number | 40 | 3 | 28 | 40 | 36 | 165 | 2 | 314
Asset Management | Mean | 41,876 | 61,477 | 4,081 | 67,186 | 67,002 | 1,472 | 105,908 | 52,217
Asset Management | Standard Deviation | 6,725 | 10,599 | 4,541 | 9,318 | 4,081 | 289 | 27,804 | 8,238
Retail Brokerage | Number | 48 | 4 | 33 | 48 | 44 | 198 | 3 | 378
Retail Brokerage | Mean | 50,252 | 73,773 | 4,898 | 80,623 | 80,402 | 1,766 | 127,090 | 62,660
Retail Brokerage | Standard Deviation | 8,069 | 12,719 | 5,449 | 11,182 | 4,898 | 347 | 33,365 | 9,886
Insurance | Number | 43 | 4 | 30 | 43 | 39 | 179 | 2 | 340
Insurance | Mean | 45,226 | 66,395 | 4,408 | 72,561 | 72,362 | 1,589 | 114,381 | 56,394
Insurance | Standard Deviation | 7,262 | 11,447 | 4,904 | 10,063 | 4,408 | 312 | 30,028 | 8,897
Total | Number | 710 | 152 | 268 | 384 | 351 | 1,598 | 21 | 3,484
Total | Mean | 45,653 | 67,021 | 4,450 | 73,245 | 73,044 | 1,604 | 115,459 | 56,926
Total | Standard Deviation | 7,331 | 11,555 | 4,950 | 10,158 | 4,450 | 315 | 30,311 | 8,981

The only severity information one can obtain from external public data is relative information (model transferability) – assuming the biases are consistent across all categories

EXTERNAL EVENT RISK MATRIX: SEVERITY PARAMETERS IN LOG TERMS
Corporate Finance | Internal Fraud | External Fraud | Execution, Delivery & Process Management
Number | 362 | 123 | 150
Mean | 9 | 6 | 6
Standard Deviation | 6 | 4 | 2

EXTERNAL EVENT RISK MATRIX: SEVERITY PARAMETERS IN RELATIVE TERMS
Corporate Finance | Internal Fraud | External Fraud | Execution, Delivery & Process Management
Number | 362 | 123 | 150
Mean | 1.5 | 1 | 1
Standard Deviation | 3 | 2 | 1

From internal data we seek pivot cells – those cells that have enough information to reliably calculate severity parameters

INTERNAL EVENT RISK MATRIX
Business Line | Statistic | Internal Fraud | External Fraud | Employment Practices & Workplace Safety | Clients, Products & Business Practices | Damage to Physical Assets | Execution, Delivery & Process Management | Business Disruption and System Failures | Total
Corporate Finance | Number | 36 | 3 | 25 | 36 | 33 | 234 | 2 | 731
Corporate Finance | Mean | 35,459 | 52,056 | 3,456 | 56,890 | 56,734 | 3 | 89,678 | 44,215
Corporate Finance | Standard Deviation | 5,694 | 8,975 | 3,845 | 7,890 | 3,456 | 2 | 23,543 | 6,976
Trading & Sales | Number | 50 | 4 | 35 | 50 | 46 | 210 | 3 | 398
Trading & Sales | Mean | 53,189 | 78,084 | 5,184 | 85,335 | 85,101 | 1,869 | 134,517 | 66,322
Trading & Sales | Standard Deviation | 8,541 | 13,463 | 5,768 | 11,835 | 5,184 | 368 | 35,315 | 10,464
Retail Banking | Number | 45 | 4 | 32 | 45 | 42 | 189 | 3 | 360
Retail Banking | Mean | 47,870 | 70,276 | 4,666 | 76,802 | 76,591 | 1,682 | 121,065 | 59,690
Retail Banking | Standard Deviation | 7,687 | 12,116 | 5,191 | 10,652 | 4,666 | 331 | 31,783 | 9,417
Commercial Banking | Number | 41 | 3 | 28 | 41 | 37 | 170 | 2 | 322
Commercial Banking | Mean | 43,083 | 63,248 | 4,199 | 69,121 | 68,932 | 1,514 | 108,959 | 53,721
Commercial Banking | Standard Deviation | 6,918 | 10,905 | 4,672 | 9,586 | 4,199 | 298 | 28,605 | 8,476
Payment & Settlements | Number | 37 | 3 | 26 | 37 | 34 | 153 | 2 | 292
Payment & Settlements | Mean | 38,774 | 56,923 | 3,779 | 62,209 | 62,039 | 1,363 | 98,063 | 48,349
Payment & Settlements | Standard Deviation | 6,226 | 9,814 | 4,205 | 8,628 | 3,779 | 268 | 25,744 | 7,628
Agency Services | Number | 44 | 4 | 31 | 44 | 40 | 184 | 2 | 349
Agency Services | Mean | 46,529 | 68,308 | 4,535 | 74,651 | 74,446 | 1,635 | 117,675 | 58,018
Agency Services | Standard Deviation | 7,472 | 11,777 | 5,045 | 10,353 | 4,535 | 321 | 30,893 | 9,154
Asset Management | Number | 40 | 3 | 28 | 40 | 36 | 165 | 2 | 314
Asset Management | Mean | 41,876 | 61,477 | 4,081 | 67,186 | 67,002 | 1,472 | 105,908 | 52,217
Asset Management | Standard Deviation | 6,725 | 10,599 | 4,541 | 9,318 | 4,081 | 289 | 27,804 | 8,238
Retail Brokerage | Number | 48 | 4 | 33 | 48 | 44 | 198 | 3 | 378
Retail Brokerage | Mean | 50,252 | 73,773 | 4,898 | 80,623 | 80,402 | 1,766 | 127,090 | 62,660
Retail Brokerage | Standard Deviation | 8,069 | 12,719 | 5,449 | 11,182 | 4,898 | 347 | 33,365 | 9,886
Insurance | Number | 43 | 4 | 30 | 43 | 39 | 179 | 2 | 340
Insurance | Mean | 45,226 | 66,395 | 4,408 | 72,561 | 72,362 | 1,589 | 114,381 | 56,394
Insurance | Standard Deviation | 7,262 | 11,447 | 4,904 | 10,063 | 4,408 | 312 | 30,028 | 8,897
Total | Number | 710 | 152 | 268 | 384 | 351 | 1,598 | 21 | 3,484
Total | Mean | 45,653 | 67,021 | 4,450 | 73,245 | 73,044 | 1,604 | 115,459 | 56,926
Total | Standard Deviation | 7,331 | 11,555 | 4,950 | 10,158 | 4,450 | 315 | 30,311 | 8,981

Using the pivot cell and relative parameter ratios from external data we can estimate severity parameters for all cells in a business line

INITIAL INTERNAL EVENT RISK MATRIX
Corporate Finance | Internal Fraud | External Fraud | Execution, Delivery & Process Management
Number | | | 234
Mean | | | 3
Standard Deviation | | | 2

PARAMETER RATIOS FROM EXTERNAL EVENT RISK MATRIX
Corporate Finance | Internal Fraud | External Fraud | Execution, Delivery & Process Management
Mean | 1.5 | 1 | 1
Standard Deviation | 3 | 2 | 1

FINAL INTERNAL EVENT RISK MATRIX
Corporate Finance | Internal Fraud | External Fraud | Execution, Delivery & Process Management
Number | | | 234
Mean | 4.5 | 3 | 3
Standard Deviation | 6 | 4 | 2

Determining the most appropriate frequency distribution
Frequency is assumed to follow a generalized Poisson Process:
• If Mean frequency = Variance => Poisson
• If Mean frequency > Variance => Binomial
• If Mean frequency < Variance => Negative Binomial (Mixed Poisson)

Determining the most appropriate severity distribution
Severity has been observed to have a Kurtosis (in log terms) in the range of 3-7. This suggests that using a lognormal distribution would understate VaR, whereas using a Weibull distribution would overstate VaR.
Distribution fitting through MLE – Maximum Likelihood Estimation: a process for directly estimating the density function which maximizes the likelihood (probability) of obtaining what was observed:
• Lognormal-Gamma
• Lognormal
• Burr
• Generalized Pareto
• Weibull
• Exponential

VIII) VaR Calculation

Under the LDA approach the end result is a set of frequency and severity distributions for each business and risk category
[Figure: FREQUENCY DISTRIBUTION (Probability vs. Number of Events) and SEVERITY DISTRIBUTION (Probability vs. Size of Loss ($)); Monte Carlo Simulation Engine; Probability vs. Annual Aggregate Loss ($), with Mean and 99th Percentile marked]

Where insurance coverage exists, the retention levels and coverage limits may be factored into the simulation process
[Figure: NO INSURANCE and INSURANCE panels; Probability (High to Low) vs. Loss Amount, with $10 MM, $500 MM and $1 BN marked]
Using Monte-Carlo simulation one can simulate hypothetical losses

Iteration | SIMULATED LOSSES | TOTAL LOSS FOR YEAR
Iteration 1, 2 Losses | $35,000 + $116,000 | = $151,000
Iteration 2, 3 Losses | $12,000 + $89,000 + $86,000 | = $187,000
Iteration 3, 1 Loss | $42,000 | = $42,000

To determine VaR, we sort the simulation results by size and measure the value at the appropriate confidence level

99.9% Confidence Level
Commercial Banking EDPM | Commercial Banking Internal Fraud | Commercial Banking External Fraud | Commercial Banking Systems | SUM
74,712,345 | 85,345,124 | 28,254,253 | 56,254,000 | 244,565,722
74,603,709 | 85,456,254 | 28,250,256 | 56,026,254 | 244,336,473
74,457,745 | 85,345,289 | 28,152,298 | 55,998,214 | 243,953,546
74,345,957 | 85,234,045 | 28,148,257 | 55,856,126 | 243,584,385
74,344,576 | 85,459,456 | 28,117,254 | 55,801,236 | 243,722,522

167,245 | 24,456 | 25,254 | 74,214 | 291,169
142,456 | 22,034 | 24,231 | 72,564 | 261,285
123,345 | 21,941 | 21,202 | 69,324 | 235,812
113,342 | 19,456 | 20,106 | 65,214 | 218,118
94,458 | 16,245 | 18,024 | 61,254 | 189,981

Because all the large loss events are not likely to take place in the same year, the total VaR shows a diversification effect

99.9% Confidence Level
Commercial Banking EDPM | Commercial Banking Internal Fraud | Commercial Banking External Fraud | Commercial Banking Systems | DIVERSIFIED TOTAL
21,587,539 | 198,455,744 | 65,700,517 | 130,809,224 | 291,587,117
2,648,268 | 160,709,827 | 37,053,118 | 105,929,550 | 214,438,534
92,260,033 | 82,291,047 | 8,795,462 | 69,466,377 | 176,969,044
56,872,156 | 95,687,264 | 28,254,253 | 56,254,000 | 165,947,371
79,343,629 | 5,203,755 | 43,085,021 | 59,741,084 | 131,161,442

2,114,562 | 251,611 | 61,700 | 5,687,932 | 5,681,063
2,458,793 | 2,154,786 | 49,964 | 91,486 | 3,328,521
203,755 | 93,056 | 2,458,795 | 86,146 | 1,989,226
45,482 | 173,995 | 2,114,564 | 106,380 | 1,708,294
29,826 | 108,204 | 26,534 | 325,654 | 343,152

Through simulation one can calculate both VaR and the mean for each business line and risk category

Corporate Finance | Internal Fraud | External Fraud | Employment Practices & Workplace Safety | Clients, Products & Business Practices | Execution, Delivery & Process Management | Business Disruption and System Failures | Total
VAR | 86 | 15 | 25 | 36 | 250 | 21 | 433
Theoretical Mean | 4.3 | 0.23 | 1.3 | 5.2 | 22 | 3.2 | 49.33
Observed Mean | 4.5 | 1.2 | 0.15 | 3 | 20 | 3.5 | 41.35

Control scores are used to adjust capital charges to provide an incentive for desired behavioral change

Corporate Finance | Internal Fraud | External Fraud | Employee Practices | Business Practices | EDPM | Systems | Total
VaR | 86 | 15 | 25 | 36 | 250 | 21 | 433
Previous Score | 75 | 59 | 77 | 61 | 77 | 81 | 65
Current Score | 76 | 62 | 79 | 62 | 81 | 80 | 68
Adjusted Capital Charge | 83 | 12 | 23 | 34 | 236 | 23 | 411

IX) Management Applications

This approach can be used to help justify investments that may reduce operational risk
The Trading and Sales Department considers purchasing a new back office processing system. Cost = $23.0 million

CSA SCORE | CURRENT | NEW ESTIMATE
Criminal | 59 | 61
External | 62 | 62
Employee Practices | 61 | 61
Business Practices | 64 | 64
Sales Practices | 58 | 59
Systems | 70 | 78
Transaction Processing | 63 | 74
Unauthorized Activities | 75 | 80

COST BENEFIT ANALYSIS
Capital Savings | $35 MM
Hurdle Rate | 15%
Annual Benefit | $5.25 MM
Cost Savings Over 5 Years $26 MM > Cost Of New System $23 MM
Capital | $345 | $310 | Change | -$35

Simulation can be used to determine whether to purchase certain types of insurance coverage
ISSUE: Whether to purchase an unauthorized activities insurance policy: 500 million limit; 10 million deductible; cost $6.5 million
[Figure: NO INSURANCE and INSURANCE panels; Probability (High to Low), with $10 MM, $500 MM and $1 BN marked]

COST BENEFIT ANALYSIS
VaR Savings | $50.0 MM
Hurdle Rate | 20%
Annual Benefit | $10 MM
Cost Savings $10 MM > Cost Of Insurance $6.5 MM
Capital VaR Estimate | No INS $150 | INS $100 | Difference $-50
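The frequency rule, Monte Carlo aggregation, sorted-percentile VaR and insurance adjustment from the VaR slides, as an added Python example that is not part of the original presentation or of any SAS product. The lognormal severity (which the slides note tends to understate VaR), the Poisson sampler, the 10% tolerance on the mean/variance comparison, the parameter values and the reading of the policy as covering the layer between deductible and limit are all assumptions made for illustration.

```python
import math
import random
import statistics

def frequency_model(annual_counts, tol=0.10):
    """Pick the frequency family by comparing mean and variance of yearly counts.
    tol is an assumed tolerance for treating the two as equal."""
    mean = statistics.mean(annual_counts)
    var = statistics.variance(annual_counts)
    if abs(var - mean) <= tol * mean:
        return "poisson"
    return "binomial" if mean > var else "negative binomial"

def poisson(rng, lam):
    """Knuth's multiplication method; adequate for small yearly rates."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def insured_net(loss, deductible, limit):
    """Loss retained when the policy pays the layer between deductible and limit
    (assumed reading of the retention level and coverage limit)."""
    recovered = min(max(loss - deductible, 0.0), limit - deductible)
    return loss - recovered

def simulate_var(lam, mu, sigma, years=20000, q=0.999, policy=None, seed=7):
    """Simulate annual aggregate losses; return (mean, VaR at confidence q).
    Severity is lognormal(mu, sigma) in log terms, a simplifying assumption."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, lam)):
            loss = rng.lognormvariate(mu, sigma)
            if policy is not None:
                loss = insured_net(loss, *policy)
            total += loss
        totals.append(total)
    totals.sort()  # sort the simulated years by size ...
    var = totals[min(int(q * years), years - 1)]  # ... and read off the quantile
    return statistics.fmean(totals), var

if __name__ == "__main__":
    counts = [1, 3, 5, 1, 5, 3]  # constructed yearly event counts
    print("frequency model:", frequency_model(counts))
    lam = statistics.mean(counts)
    gross = simulate_var(lam, mu=1.0, sigma=2.0)                  # amounts in $MM
    net = simulate_var(lam, mu=1.0, sigma=2.0, policy=(10, 500))  # 10 deductible, 500 limit
    print("no insurance: mean %.1f  VaR 99.9%% %.1f" % gross)
    print("insurance:    mean %.1f  VaR 99.9%% %.1f" % net)
```

Because both runs use the same seed, the insured and uninsured simulations see identical loss events, so the gap between the two VaR figures is attributable to the policy alone.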