DEVELOPMENTS IN OPERATIONAL RISK MANAGEMENT - PowerPoint PPT Presentation

1 / 21
About This Presentation
Title:

DEVELOPMENTS IN OPERATIONAL RISK MANAGEMENT

Description:

DEVELOPMENTS IN OPERATIONAL RISK MANAGEMENT. Neil Brown. Managing Director ... CP140 (Insurers) February 2003 (advance of Prudential Sourcebook in 2004) ... – PowerPoint PPT presentation

Number of Views:49
Avg rating:3.0/5.0
Slides: 22
Provided by: lorrai1
Category:

less

Transcript and Presenter's Notes

Title: DEVELOPMENTS IN OPERATIONAL RISK MANAGEMENT


1
DEVELOPMENTS IN OPERATIONAL RISK MANAGEMENT
Neil Brown Managing Director Global Head of Risk
Management Product Control 16 April 2003
2
RISK AND CONSEQUENCES
  • ...only the foolhardy make choices based on the
    probability of an outcome without regard to its
    consequences....
  • ...only the pathologically risk-averse make
    choices based on the consequences without
    considering the probability involved...
  • Peter Bernstein

3
CONSULTATIVE PAPERS
  • CP140 (Insurers) February 2003 (advance of
    Prudential Sourcebook in 2004)
  • CP142 (Asset Managers) 2004 (parts into
    Prudential Sourcebook, parts into Senior
    Management, Systems Controls)
  • Should reflect common practices at prudently
    managed firms and that many firms already meet
    it
  • Risk Identification / Risk Management / Risk
    Control

4
CONSULTATIVE PAPERS Risk Identification
  • Nature of firms customers / products /
    activities / distribution
  • Design / implementation / operation of processes
    / systems
  • Risk Culture
  • HR management practices
  • Operating environment political / legal /
    technological / market structure

5
CONSULTATIVE PAPERS Risk Management
  • People resourcing / training / succession
    planning
  • Systems IT platform minor manual error to major
    systemic error
  • External BCP
  • Outsourcing external / internal still need to
    manage
  • Fraud / Money Laundering
  • Legal interpretation / enforcement of contracts
  • Group Risks assessment of other parts of Group

6
CONSULTATIVE PAPERS Risk Controls
  • Improving Risk Culture
  • Corporate Governance - structure
  • Audit Trail / Evidence
  • Insurance ?

7
OPERATIONAL RISK FRAMEWORK
  • Establish specific accountability, policies
    controls
  • Clearly document procedures and map process flows
  • Ensure segregation of duties
  • Ensure access controls to assets / data privacy
  • Ensure audit trails / evidence
  • Ensure continuity and disaster recovery
  • Review approve control processes

8
OPERATIONAL RISK FRAMEWORK
  • Event / Loss database / Self assessment
  • Quantification of risk exposure?
  • Control identification / mapping
  • Quantification of mitigation / net exposure?
  • Identification of control improvements
  • Action tracking process

9
Make the important measurable and not the
measurable important.
10
KEY INPUTS TO OPRISK MANAGEMENT PROCESS
  • Building Blocks
  • Risk Reviews
  • Business Process Mapping
  • Control Self Assessment
  • Internal and External audit reports
  • Errors and Breaches Report
  • Compliance Monitoring programme
  • MIS data

11
KEY DELIVERABLES
  • Risk reviews / Process Maps / CSA action items.
  • Investigation of major errors and breaches.
  • Oversight of audit / BCP / ISO
  • Resolution and/or escalation of issues.

12
MANAGEMENT REPORTING
  • Key Risk Indicator / Key Control Indicator
    Reporting
  • Control Improvement Plans
  • Loss Data Reporting
  • Audit Tracking
  • Other Management Reporting

13
SOME MYTHS SURROUNDING OPERATIONAL RISK
  • Quantification is still nascent, and is only part
    of the issue
  • Loss data is context dependent
  • Well run firms will suffer from small sample
    problem in modelling OpRisk losses
  • Massive losses build over time
  • Improve controls
  • Evaluate relevance of EVT
  • Insurance is potentially an additional mitigation
  • Quantification of OpRisk is sufficient to
    mitigate it
  • Any data is better than no data
  • Well run firms will be more certain about the
    probability and severity of an OpRisk Loss
  • Massive losses require EVT to model them
  • Insurance is an alternative to measuring and
    managing OpRisk exposures

14
COMPARING OPRISK WITH MARKET RISK AND CREDIT RISK
Market Risk Credit Risk Operational Risk
Risk position Quantifiable exposure Yes Yes Difficult1
Risk position Exposure measure Position Risk sensitivity Money lent Potential exposure Difficult no ready position equivalent available1
Completeness Portfolio completeness Known Known Unknown
Context dependency Context dependency Low Medium High
Context dependency Data frequency High Medium Low1
Measurement validation Risk assessment VAR Stress testing Economic risk capital Rating models Loss models Economic risk capital No industry consensus top-down scenarios may be useful
Measurement validation Accuracy Good Reasonable Low
Measurement validation Testing Adequate data for backtesting Backtesting difficult to perform over short term Results very difficult to test over any time horizon
Usage issues Usage issues Instability of underlying price volatility Correlation instability in stressed markets Many issues correlations, ratings through time, data lumpy Results could be misleading distraction effect false reliance lack of cause and effect redundant systems
Summary Market risk models well established and proven tools Using models considered reasonable but should be used with care Models appear flawed
1 Unlikely other than for certain high frequency
low loss events, eg. operations losses.
15
OPERATIONAL RISK MODELS
  • Gross Income
  • Simple, cheap,transparent, no loss data required,
    verifiable
  • Backward looking, not indicative of risk,
    penalise well-run firms
  • Full Scorecard Approach
  • Understands processes, uses firm knowledge, uses
    historical data, incentivises
  • Very costly, bureaucratic, subjective
  • EVT
  • Relevant part of loss distribution
  • Ignores most of distribution, large losses not
    one-off events, small sample problem choice of
    threshold (how rare is rare)?

16
OPERATIONAL RISK MODELS
  • Bayesian Networks
  • Cause/effect and control become apparent, prior
    probabilities based on firm knowledge and
    experience, estimates easy to update, scenario
    analysis easy, simplifies complex processes,
    networks are firm specific
  • Complexity (require strong documentation),
    interpretation of results requires expertise,
    costly and time consuming (versus benefit?)
  • Monte Carlo simulation
  • Handles complex systems, produces appropriate
    loss distribution, can be dynamic, precision
    increased by increasing number of simulations
  • Larger the system the slower the process,
    complexity leads to few really understanding a
    complex system, choice of events to populate
    distribution key (GIGO), costly and time
    consuming (versus benefit?)

17
EXTERNAL DATA
  • Useful
  • For external risks
  • For information on HOW an event can occur
  • A reminder of relevance of OpRisk
  • Not Useful
  • To augment a small data set
  • For any data are better than no data argument

18
VALIDATION
  • Validation of OpRisk models is a major issue
  • Current published approaches do not address the
    completeness of portfolio issue
  • Causes of large losses are generally complex, the
    result of several factors so ability to predict
    future large losses based on previous ones is
    reduced
  • Much easier to predict for operations processing
    losses where, generally, few factors often cause
    loss
  • Context dependency issue Lack of cause and
    effect
  • As yet no proven predicative link between past
    and future events
  • Lack of sufficient relevant data System (firm,
    organization unit within firm) changes in
    character before adequate data is accumulated to
    validate a model
  • Sufficient data only available for the
    high-frequency, low-impact loss events But
    these events would not drive the capital charge

19
PRACTICAL ISSUES FROM USING OPRISK MODELS
  • Basel 2 proposed Basic and Standard approaches
  • Current approaches could be misleading Current
    basic indicator and standardized approaches base
    the OpRisk capital charge on a single indicator
    such as gross income
  • In general, more profitable institutions have
    less OpRisk can invest in good people, systems,
    training
  • Eg. compare with airlines more profitable
    airlines generally safer
  • Single indicators could lead to dysfunctional
    accounting practices and perverse incentives
  • Some evidence that OpRisk losses of the same
    magnitude happen to big and small firms
  • Proposed OpRisk quantification approaches
  • False reliance attempting to summarize all
    OpRisk into single measure managing by analogy
    to market risk and credit risk could be
    misleading and dangerous
  • May give impression of being in control to senior
    management/owners when in reality model
    generating misleading results
  • Misleading output May cause senior
    management/owners to take actions that reduce
    OpRisk per the model, but not in reality
    Actions may actually increase real risk
  • Lack of cause and effect If the model does not
    predict all causes and effects accurately,
    incorrect management decisions could be the
    result
  • Distraction effect Focus on quantification will
    divert important resources from other work
  • Potentially reduces the focus on sound risk
    management practices (Pillars 2 and 3)

20
SUMMARY
  • Encourage innovation of best practices
  • Current state of thinking for both OpRisk
    measurement and OpRisk management still evolving
  • Rules need to remain flexible to offer banks
    incentives to continue development in this area
  • OpRisks are highly context dependent causes of
    large losses are generally complex
  • The higher the context dependency the less the
    past will be a good indicator for the future
  • No evidence yet to suggest that OpRisk is
    amenable to measurement to same extent as market
    risk or credit risk. No validated models that
    link back to underlying risk drivers
  • Many of the current approaches could create a
    false sense of security distract resources from
    other work
  • If models had been in place in the past, how many
    material adverse OpRisk events would have been
    prevented?
  • CS approach Focus resources on shrinking those
    holes
  • (1) Devote OpRisk resources into improving OpRisk
    management practices and tools, rather than
    quantification
  • (2) CSs current Economic Risk Capital approach
    is to ensure management awareness of OpRisk and
    to integrate into overall risk capital process
  • (3) Most areas will use blend of tools - no
    silver bullet - lots of old fashioned management
    of people, MIS, systems, controls, etc.

21
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com