Operational%20Risk%20Management - PowerPoint PPT Presentation

About This Presentation

Title:

Operational%20Risk%20Management

Description:

Lecture 16 Operational Risk Management – PowerPoint PPT presentation

Number of Views:476

Avg rating:3.0/5.0

Slides: 67

Provided by: yola341

Category:

more less

Transcript and Presenter's Notes

Title: Operational%20Risk%20Management

1
Lecture 16

Operational Risk Management

A growing desire has emerged to organize the
components of operational risk into what Hubner
et al. (2003) call a coherent structural
framework

Haunbenstock (2003) identifies the components of
the operational risk framework as
(i) strategy,
(ii) process,
(iii) infrastructure, and
(iv) the environment

4
Strategy

development of a risk management strategy
development of risk management culture
definition of management roles and
responsibilities
ensuring that an appropriate management and
control structure is in place

5
The risk management framework Process

The process involves the day-to-day activities
required to understand and manage operational
risk, given the chosen strategy.
The process consists of
(i) risk and control identification,
(ii) risk measurement and monitoring,
(iii) risk control/mitigation, and
(iv) process assessment and evaluation.

6
Process Risk and control identification

Risk identification starts with the definition of
operational risk to provide a broad context for
potential threats
The best way to identify risk is to talk to
people who live with it on a daily basis
The degree of risk is typically defined as
frequency and severity, rated either
qualitatively or quantitatively
Mestchian (2003) suggests a decomposition of
operational risk into process, people risk,
technology, and external risk
Then these risk can be identified as low, medium,
or high in different business activities like in
Table on the next slide, or with frequency or
severity like in Figure 2, one slide next

7
Risk identification
8
Risk assessment of activities

9
ORF Process - Identification

Risk identification should also include
monitoring of the external environment and
industry trends, as new risks emerge continuously
(ii) Control identification
The identification of controls is part of the
identification process, as it complements the
identification of risk.
Controls include
management oversight,
information processing,
activity monitoring,
automation,
process controls,

segregation of duties,
performance indicators
and policy and procedures
The control framework defines the appropriate
approach to controlling each identified risk
(iii) Risk Mitigates
Risk mitigators include
training,
insurance programs,
diversification and
outsourcing

Insurance, which is a means of risk
control/mitigation, is typically applied against
the large exposures where a loss would cause a
charge to earnings greater than that acceptable
in the risk appetite
For the purpose of risk identification, the
Federal Reserve System (1997) advocates a
three-fold risk-rating scheme that includes (i)
inherent risk, (ii) risk controls, and (iii)
composite risk.
Inherent risk (or gross risk) is the level of
risk without consideration of risk controls,
residing at the business unit level

Inherent risk depends on (i) the level of
activity relative to the firms resources, (ii)
number of transactions, (iii) complexity of
activity, and (iv) potential loss to the firm
Composite risk (or residual risk or net risk) is
the risk remaining after accounting for inherent
risk and risk mitigating controls
The Federal Reserve System (1997) provides a
matrix that shows composite risk situation based
on the strength of risk management (weak,
acceptable, strong) and the inherent risk of the
activity (low, moderate, high)

For example, when weak risk management is applied
to low inherent risk, the resulting risk is
low/moderate composite risk
On the other extreme, when strong risk management
is applied to high inherent risk, the composite
risk will be moderate/high
Illustration is given in the figure on next slide

14
The FRSs classification of inherent and
composite risks
15

(iv) Risk measurement
As risks and controls are identified, risk
measurement provides insight into the magnitude
of exposure, how well controls are operating and
whether exposures are changing and consequently
require attention
The borderline between identification and
measurement is not clear, however, Haubenstock
(2003) identifies the following items as relevant
to the measurement of operational risk
a. Risk drivers, which are measures that drive
the inherent risk profile and changes in which
indicate changes in the risk profile

These include transaction volumes, staff levels,
customer satisfaction, market volatility, the
level of automation
b. Risk indicators, which are a broad category of
measures used to monitor the activities and
status of the control environment of a particular
business area for a given risk category.
The difference between drivers and indicators is
that the former are ex ante whereas the latter
are ex post
Examples of risk indicators are profit and loss
breaks, failed trades and settlements and systems
reliability

c. The loss history which is important for three
reasons (i) loss data are needed to create or
enhance awareness at multiple levels of the firm
(ii) they can be used for empirical analysis and
(iii) they form the basis for the quantification
of operational risk capital
d.Causal models which provide the quantitative
framework for predicting potential losses.
These models take the history of risk drivers,
risk indicators and loss events and develop the
associated multivariate distributions.
The models can determine which factor(s) have the
highest association with losses

e. Capital models, which are used to estimate
regulatory capital as envisaged by Basel II.
f. Performance measures which include the
coverage of the self-assessment process, issues
resolved on time, and percentage of issues
discovered as a result of the self assessment
process
(v) reporting
Reporting is an important element of measurement
and monitoring

A Key objective of reporting is to communicate
the overall profi le of operational risk across
all business lines and types of risk.
There are two alternative ways of reporting to a
central database as shown in Figure
One way is indirect reporting where there is a
hierarchy in the reporting process, which can be
arranged on a geographical basis.
Otherwise, direct reporting is possible where
every unit reports directly to a central database

Reporting methods
Checklists are probably the most common approach
to self-assessment
Structured questionnaires are distributed to
business areas to help them identify their level
of risk and related controls
The response would indicate the degree to which a
given risk affects their areas.
It would also give some indication of the
frequency and severity of the risk and the level
of risk control that is already in place
The narrative approach is also used to ask
business areas
to define their own objectives and the resulting
risks

The workshop approach skips the paperwork and
gets people to talk about their risks, controls,
and the required improvements
Lam (2003b) identifies two schools of thoughts
with regard to quantitative and qualitative
measures of risks
(i) the one believing that what cannot be
measured cannot be managed, hence the focus
should be on quantitative tools
and (ii) the other, which does not accept the
proposition that operational risk can be
quantified effectively, hence the focus should be
on qualitative approaches

Lam (2003b) warns of the pitfalls of using one
approach rather than the other, stipulating that
the best practice operational risk management
incorporates elements of both.
(vi) Risk control/mitigation
When risk has been identified and measured, there
are a number of choices in terms of the actions
that need to be taken to control or mitigate risk
These include (i) risk avoidance, (ii) risk
reduction, (iii) risk transfer, and (iv) risk
assumption (risk taking)

Risk avoidance can be quite difficult and may
raise questions about the viability of the
business in terms of the risk-return relation
A better alternative is risk reduction, which
typically takes the form of risk control efforts
as it may involve tactics ranging from business
re-engineering to staff training as well as
various less extensive staff and/or technical
solutions.
Cost-benefit analysis may be used to assist in
structuring decisions and to prevent the business
from being controlled out of profit

28
People issues

the relevant type and calibre of people are
available
there are adequate levels of training and
development of the staff
the staff have the skill levels that are
appropriate to the tasks assigned to them

29
Technology issues

adequate systems to support the various product
lines
systems are available for management information
and reporting
there is communication infrastructure to support
the operation
data warehouses that allow integration and
consolidation of information and data across the
organization

tools and systems available for managing market
risk across the organization
enterprise-wide credit monitoring and credit risk
management systems.

31
Themes in risk management framework

There are four fundamental themes that are
critical for establishing and maintaining a
comprehensive and effective risk management
framework
1 The ultimate responsibility for risk
management must be with the board of directors.
They need to ensure that organization structure,
culture, people and systems are conducive to
effective risk management. The requirements for
risk management must be defined and established
by those charged with overall responsibility for
running the business

2. The board and executive management must
recognize a wide variety of risk types, and
ensure that the control framework adequately
covers all of these. As well as including market
and credit risks, it should include operations,
legal, reputation and human resources risks, that
do not readily lend themselves to measurement

3. The support and control functions, such as the
back and middle offices, internal audit,
compliance, legal, IT and human resources, need
to be an integral part of the overall risk
management framework
4. Risk management objectives and policies must
be a key driver of the overall business strategy,
and must be implemented through supporting
operational procedures and controls.

Operational risk can be minimized in a number of
ways Internal control methods consist of
1. Separation of functions
Individuals responsible for committing
transactions should not perform clearance and
accounting functions
2. Dual entries
Entries (inputs) should be matched from two
different sources, that is, the trade ticket and
the confirmation by the back office.

3. Reconciliations
Results (outputs) should be matched from
different sources, for instance the traders
profit estimate and the computation by the middle
office
4. Tickler systems
Important dates for a transaction (e.g.,
settlement, exercise dates) should be entered
into a calendar system that automatically
generates a message before the due date.

Controls over amendments Any amendment to
original deal tickets should be subject to the
same strict controls as original trade tickets.
External control methods consist of
1. Con?rmations Trade tickets need to be
con?rmed with the counterparty, which provides an
independent check on the transaction.
2. Veri?cation of prices To value positions,
prices should be obtained from external sources.
This also implies that an institution should have
the capability of valuing a transaction in-house
before entering it.

3. Authorization The counterparty should be
provided with a list of personnel authorized to
trade, as well as a list of allowed
transactions.
4. Settlement The payment process itself can
indicate if some of the terms of the transaction
have been incorrectly recorded, for instance, as
the ?rst cash payments on a swap are not matched
across counterparties.
5. Internal/external audits These examinations
provide useful information on potential weakness
areas in the organizational structure or business
process.