Operational Risk Management - PowerPoint PPT Presentation


About This Presentation

Operational Risk Management


David Millar, CEO, PRMIA, Wilmington, De, USA. PRMIA global Survey on Operational Risk, July 2008 ... Stay attuned to industry dynamics. ... – PowerPoint PPT presentation

Slides: 74
Provided by: byerra


Transcript and Presenter's Notes

Title: Operational Risk Management

Operational Risk Management
  • Dr. B. Yerram Raju,
  • Regional Director,
  • Professional Risk Managers International
  • Hyderabad Chapter
  • www.prmia.org

  • David Millar, CEO, PRMIA, Wilmington, De, USA
  • PRMIA global Survey on Operational Risk, July
  • BearingPoint, UK Risk Centre
  • Jorg Hoshagen, Head of KPMG's Basel Initiative
  • C-EBS (The Committee of European Banking
    Supervisors) Survey of OR, July 2008
  • Charles Andrews Global Business Development

  • What is Operational Risk?
  • Definition
  • Some notable operational losses
  • Basel II and Operational Risk
  • Key Drivers in Implementation
  • Key Risk Indicator Programmes
  • Risk Mitigants
  • Some Modeling techniques in use
  • The Seven pitfalls

  • Regulatory definition
  • The risk of loss resulting from inadequate or
    failed internal processes, people, and systems or
    from external events.
  • People Risk
  • Processes Risk
  • Technology Risk
  • External Risk

Some notable operational losses
  • Business is all about taking and managing risk.
  • What is bad is risk that is mismanaged,
    misunderstood, mispriced and unintended.
  • - Courtesy: Royal Bank of Canada

Drivers of risk management
  • Regulatory drivers
  • Local
  • Regional
  • Global
  • Business drivers
  • Increased profitability
  • Reduced losses
  • Improved reputation (customers, public and
  • Credit agency ratings

Stick and
  • With the objective of managing risk, not
    eliminating it

Regulatory drivers
Business drivers
Developments in Risk Management people,
process and systems considerations Types of
Can we categorise risks?
Enterprise Risk
Risk assessments, indicators, controls and loss
event data
Strategic Risks
Financial Risks
Procedural Risks
Other Risks
  • Credit
  • Market Pricing
  • Interest Rate
  • Liquidity
  • Asset Liability
  • Systemic
  • Operational
  • Disaster
  • Fraud
  • Terrorism
  • Project
  • Contractual
  • Regulatory
  • Reputational
  • Pandemic
  • Legal
  • Environment
  • Government
  • Business decisions
  • Poor direction
  • Competition
  • New technology

Basel II Risk Coverage
Enterprise Risk
Risk assessments, indicators, controls and loss
event data
Strategic Risks
Financial Risks
Operational Risk
Other Risks
  • Credit Risk
  • Market Risk Pricing, Interest Rate, Liquidity
  • Asset Liability
  • Systemic
  • Disaster
  • Fraud
  • Terrorism
  • Project
  • Contractual / Legal
  • Regulatory
  • Reputational
  • Pandemic
  • Environment
  • Government
  • Business decisions
  • Poor direction
  • Competition
  • New technology

Risk needs to be Categorised: Basel II
  • Credit Risk
  • Counterparty categorisation, loan description,
    probability of default, expected loss, loss given
  • Market Risk
  • Trade details, market variables, probability
  • Operational Risk
  • Risk categories, event categories, probabilities,
    controls (descriptions, costs, effectiveness,
    etc), expected losses, unexpected losses, actual
    losses, indicators, responsibilities and
    authorisations, etc.

Operational risk categorisation frameworks can be
Risk Indicators (KRIs)
Financial risk management environment
High-tech, fast throughput, transaction processing
Internal ratings, etc
5 years transaction data
Capital calculations,risk metrics, ALM, etc
Daily trans-action data
Core processing systems
Operational risk management environment
Getting risk data from the
bottom (the point of incident)
to the top (for analysis) is key.
through layers of management
Technical implications
  • Financial (credit, market, liquidity, etc) risk
  • Real-time
  • High availability
  • High performance requirements
  • Automated input, few users
  • Very large amounts of relatively simple data
  • Kept for a long time (5 years)
  • Data comes from existing core systems
  • Non-financial (operational) risk
  • Once a day for input, once a month for reporting
  • Low performance requirements
  • Manual input, many users
  • Relatively small amounts of fairly complex data
  • Kept for a very long time (at least five years)
  • New data collection systems need to be developed

Risk catalogue for Business Unit A
  • People Risk: Incompetence; Inadequate Head Counts; Key Personnel;
    Management; Communication; Internal Politics; Conflict of Interest;
    Lack of Cooperation; Collusion and Connivance; Fraud
  • Process Risk
  • A. Model Risk: Model or Methodology Error; Pricing or Mark-to-Model
    Error; Availability of Loss Reserves; Model Complexity
  • B. Transaction Risk: Execution Error; Booking Error; Collateral,
    Confirmation, Matching, and Netting Error; Product Complexity;
    Capacity Risk; Valuation Risk; Erroneous Disclosure Risk; Fraud
  • C. Operations Control Risk: Limit Exceedances; Volume Risk; Security
    Risk; Position Reporting Risk; Profit and Loss Reporting Risk
  • Technology Risk: Systems Failure; Network Failure; Systems
    Inadequacy; Compatibility Risk; Supplier/Vendor Risk; Programming
    Error; Data Corruption; Disaster Recovery Risk; Systems Age; Systems
    Support

Developments in Risk Management people,
process and systems considerations Risk and
What is capital?
The net worth of a business i.e. the amount by
which its assets exceed its liabilities
Gearing Leverage
Gearing Leverage
Assets Investments
Balance Sheet
Capital covers risk
Non Financial Firms Risk Cover
Unexpected Losses
Expected Losses
Catastrophic Losses
Frequency of Loss
Equity Capital
Debt/Bond Holders
Reserve Financing
Severity of Loss
Source after Marshall, Operational Risks, 2001
Banks are very different
Bank assets are risk assets
Bank capital most exposed to asset value changes
Gearing Leverage
Gearing Leverage
Assets Investments
Bank liabilities are deposits
Balance Sheet
A different level of risk cover
Financial Firms Risk Cover
Expected Losses
Unexpected Losses
Catastrophic Losses
Frequency of Loss
Economic Capital
Debt/Bond Holders
Severity of Loss
Cross-border implications
  • 1.There is no international jurisdiction.
    Regulations (global or local) implemented by
    local courts or regulators.
  • 2.International implications are enforced by
  • Agreement by local bodies that they will
    implement international regulations (i.e. Basel
    II but also such as transport regulations),
    sometimes with local variations
  • A local regulator imposing regulations on the
    local branch of an overseas company so that the
    implications extend to the home country and other
    branches, i.e. money laundering regulations,
    Anti-Money Laundering Act, Australia's Foreign
    Trade Practices Act, etc
  • An overseas company taking advantage of national
    facilities (i.e. listing on their stock exchange)
    which then convey obligations across the whole
    company, i.e. Sarbanes-Oxley

Bank Capital
  • differs from a non-financial firm's capital: it
    protects against future, unidentified risks and
    losses while enabling the bank to operate at the
    same level.
  • strengthens the stability and soundness of the
    (international) banking system and, if applied
    universally, the competitive inequality among
    banks is diminished.
  • So banks simply need to cover themselves against
    the risk of insolvency due to losses exceeding
    allocated capital.
  • Banks manage risks; regulators decided on an
    arbitrary capital to risk asset ratio; there is
    no correct answer.
  • Capital adequacy for banks was conceived in
    1988 (the Cooke Committee, to become the Basel
    Committee on Banking Regulations and Supervisory

But Basel Capital Adequacy is not all
  • Regardless of capital approaches all Basel II
    compliant organisations must develop
  • an appropriate risk management environment,
  • risk identification, assessment, monitoring and
  • regular independent evaluation of policies,
    procedures and practices,
  • and make sufficient public disclosure to allow
    the market to assess their approach to
    operational risk management.

Developments in Risk Management people,
process and systems considerations Current
Implementation considerations
Risk theories and regulations
Processes, tools and capital allocation
Rollout considerations
Ongoing maintenance and improvement
A risk culture
  • Commitment on risk management is needed from
  • Owners/shareholders
  • The Board
  • Senior management
  • Departmental managers
  • Audit, asset and liability management and
  • Human resources
  • Staff
  • Geographies

Why are Risk Cultures important?
  • Risks are managed by people
  • People can apply standards with greater or lesser
    degrees of efficiency or they can make mistakes
  • People must apply the appropriate risk management
    standards to the best of their ability
  • Regulators appreciate that the best standards and
    guidelines are only effective if implemented
    correctly and with diligence and enthusiasm.
  • Regulators will therefore test an organisation's
    risk culture along with its risk standards, best
    practices, capital robustness and disclosure

Building a risk culture
  • An internal risk culture is the sum of the
    individual and corporate values, attitudes,
    competencies and behaviour that determine
    commitment to and style of risk management.
  • It includes both an enterprise-wide risk and an
    internal control culture
  • It requires clear lines of responsibility,
    segregation of duties and effective internal
  • It requires high standards of ethical behaviour
    at all levels
  • Although a framework of formal, written policies
    and procedures is critical, it needs to be
    reinforced through a strong control culture
  • It is the responsibility of both the board and
    senior management

Attributes of a risk management culture
  • Attention is paid to quantifiable and
    unquantifiable risks.
  • All risks are identified, reported and
  • Awareness of risk through performance
    measurement, risk-adjusted pricing, pay
    structures and forecasting.
  • Risk management is accepted as everyone's
  • Risk managers have teeth.
  • The enterprise avoids what it doesn't understand.
  • Uncertainty is accepted.
  • Risk managers are monitored.
  • Risk management is not to stop people from taking
    risks but to create value, by enhancing the
    chances of success.
  • The risk culture is defined, the risk appetite is

Source: Operational Risk Management, PWC,
November 2003 (abbreviated)
Examples of staff risk culture
  • All staff know
  • What a risk control or risk event is
  • Why they exist
  • What their risk responsibilities are
  • Prime and alternative reporting routes
  • What happens to their reports
  • What was the result of their event's mitigation
  • What the institution's risk status is (overall
    and their part)
  • How it is improving (or getting worse)
  • What their risk training plan is

An Instance
  • UTI Dividend warrants issued through a leading
    public sector bank in North East got encashed in
    down South Karnataka and Andhra Pradesh by
    opening dummy accounts.
  • Here is the OR related to people and
  • How much people know of instruments and
    technology is important.

Examples of management risk culture
  • All Board and senior management know
  • What the institution's risk policy is
  • What their risk appetite is
  • What their own risk responsibilities are
  • What major risk controls have been infringed or
    what risk events have taken place
  • What cumulative risk situations have accumulated
  • What the institution's risk status is
  • How it is improving (or getting worse)
  • What the business impacts are

and finally
  • Talk to the supervisors
  • Regulations are interpreted and implemented by
    regulators, central banks and supervisors
  • They will have national interpretations and
    local preferences and good practices
  • They are responsible for cross-border cooperation
    and interpretation
  • They will set implementation practices: rule- and
    regulation-based or risk- and principle-based
  • Because commitment to the regulations is their
    primary function, whereas, for the bank it is a
    secondary activity

Developments in Risk Management people,
process and systems considerations and
what of the future?
What has the sub-prime crisis taught us?
  • We have not solved liquidity risk
  • How to model it?
  • What is its impact on credit and market risk?
  • How to put capital aside?
  • Are Rating Agencies the right measurement?
  • Are they trustworthy?
  • They are paid by the sellers of instruments
  • Rating agency arbitrage
  • Is operational risk-derived capital enough?
  • Is bad rating an op risk?
  • Is bad loan management an op risk?

Top six lessons learned by global banks
  • Liquidity is king. Why the market seriously
    underestimated the paramount importance of
  • Risk must be embedded institutionally. How risk
    is now everyone's business and that this shift in
    attitude will demand deep cultural change.
  • Stay attuned to industry dynamics. Buoyant
    markets and complacency diverted attention from
    predictable cyclical corrections and their
    devastating impact.
  • Don't underestimate the people factor. Learn
    how the crisis highlighted the need for skilled
    people who can exercise seasoned judgment across
    functions and on the front lines.
  • Prepare for the unexpected. Investment is needed
    in comprehensive predictive models and new
    approaches to scenario-planning and
  • Avoid over-reliance on rating agencies.
    Respondents indicated that they can no longer
    afford to bypass their own independent analyses
    and unquestioningly accept the findings of
    third-party rating agencies.
  • Source: Ernst & Young Survey, June 2009

Risk models have not yet been tested
  • First banks move to advanced methods in 2008
  • No one is comparing model performance
  • Will the US come into line?
  • Can Basel survive double standards?
  • Does scenario testing work?
  • How long before we have sufficient data?
  • Will models be rated? If so, by whom?

A global operational risk standard?
  • There is no common practice for
  • Risk and event categorisation
  • Risk assessment
  • Global operational risk databases are limited
  • ORX, what else?
  • How to compare bank v bank?
  • How do we merge operational risk data?
  • Cross-border comparison

  • Seven Deadly Sins

1. Waiting for regulators to provide detailed
guidelines and lay out an implementation road map
  • A notice from regulator would at best provide
    additional direction in Basel II implementation
  • Delaying for want of guidelines would only delay
    putting on mat the loss data for the last five
  • Doing bare minimum would not help as risk would
    be only waiting in one corner to hit the
  • Advance preparation would speed up a robust
    compliance framework.

2. Failure to understand overlap among regulatory
initiatives or dealing with them in Silos
  • Basel II is but one compliance task towering over
    financial institutions.
  • Focusing on identifying risk of loss and managing
    the residual risk that can never be fully
    controlled as their level of granularity differs
    require the same set of actions.
  • Linkages among the Risk adjusted Return on
    Capital (RAROC) and the guidelines of the
    regulator on Economic Capital need to be
  • Regulations cannot be treated in isolation

3. Failure to link technology, information, risk
management and business
  • Knowing the linkage between sets of risk data,
    credit data and finance data is a critical step
    in developing a road map for Basel II
  • Basel II is fundamentally a business problem that
    cannot be tackled with technology alone
    Commensurate changes in business process and
    culture are essential.
  • Ask the question: what business problem am I
    trying to solve with Basel II?

4. Building Basel II infrastructure without data
and technical architecture and road maps
  • Collection and integration of data in
    unprecedented depth and detail
  • What definitions do you use for the treatment of
    loss events?
  • One calls a loss internal fraud and another
    external fraud and the third refers to systemic
  • Lack of consistent classifications impairs data

5. Failure to generate the internal support for
smoother implementation
  • Risk Management is traditionally synonymous with
    audit which in itself is a scoring effort.
    Business units have therefore been wary of
    providing too much information and airing dirty
    laundry, fearing potential negative consequences
    of such disclosure.
  • Top-down mandate is vital in gaining the
    organizational participation
  • E.g., Fulfillment of OR requirements includes
    conducting scenario analysis to identify and
    capture high-severity, low frequency loss events.
  • It is important for leadership to be out in front
    of the effort.

6. Underestimating Cultural Change Basel II
  • Risk assessment is integral to almost everything
    individuals do. Yet organisations often treat
    risk as an adjunct added on at the end of a
    process: "Let's do a risk assessment and see
    where we are." This approach is inadequate in
    today's environment. Risk must be factored at the
    beginning of any initiative and must remain focus
  • The CRO should also be a chief communication

  • Ask yourself the question: how many
    institution-wide problems were caused by internal fights
    and office politics?

Ask yourself these questions as well
  • Through your current finance and accounting
    systems, do we know for sure where we are
    generating the greatest revenue for the least
    amount of risks that we take?
  • How quickly can the institution conform to the
    regulator's directives (e.g., FAS 133) without
    unduly taxing its resources and disrupting its
    day-to-day business operations?
  • Can the institution leverage its current
    resources and technology and enter into a new
    market without unduly incurring additional
    expenses? If the answer is negative, there is
    operational risk in the headline risk categories
    involving people, process and technology.
  • In the past three years, did the increase in
    expenditure result in increase in market share or
    revenue to the institution? If the answer is
    negative again there is OR involving inefficiency
    and misallocation of precious resources

7. Not correctly factoring Basel II into merger
and acquisition strategy
  • Financial institutions look at mergers and
    acquisitions in different ways. Some aspire to
    acquire. Others look forward to being absorbed by
    a larger operation.
  • A deal may fail because of Basel II related
  • The Institution may miss out on business value of
    becoming a more attractive M&A candidate through
    meeting the rigors of Basel II

Operational Risk Process Models
  • How to develop an operational risk process
  • What are the specific quantitative and
    qualitative tools used by companies today?
  • How to link these tools with economic capital
  • What are the actions management can take to
    mitigate operational risk?

The Overall Process
  • Step 1: Establish the objectives and requirements
    of key stakeholders
  • Step 2: Identify the core process that supports
    these objectives
  • Step 3: Define performance and risk metrics,
    including goals and MAPs (Mgt Authorization
  • Step 4: Implement organizational and risk
    mitigation strategies

Specific Tools
  • Loss incident data base
  • Control self-assessment
  • Risk mapping
  • Key Risk Indicators

Regulatory Capital
  • Top Down vs. Bottom Up Approaches
  • Proposed Capital Formulas
  • The Loss Distribution Approach
  • Proposed Capital Relief Formula 

Top Down vs. Bottom Up Capital  
  • Start with a given aggregate capital amount for
    the industry
  • Allocate this to risk source: market, credit and
  • Allocate each piece to individual financial
  • Identify each source of risk
  • Develop a method for measuring its magnitude
  • Derive capital from this measure

The Regulatory Capital Ball Park 
  • The regulators have already indicated the ball
    park for regulatory operational risk capital
  • They've said the existing Accord already
    implicitly contemplates operational risk
  • Therefore, aggregate regulatory capital should
    not change with the new capital accord
  • In September the BIS suggested that 12% appeared
    to be a reasonable amount of total existing
    regulatory capital to associate with operational

Proposed Capital Approaches  
  • Basic Indicator    top down
  • Standardized       ?
  • Internal Measurement    ?
  • Loss Distribution    bottom up

Basic Indicator Approach 
  • $K_{BIA} = EI \times \alpha$
  • Where
  • $K_{BIA}$ = the capital charge under the Basic
    Indicator Approach
  • $EI$ = the level of an exposure indicator
    for the whole institution, provisionally gross
  • $\alpha$ = a fixed percentage, set by the Committee,
    relating the industry-wide level of required
    capital to the industry-wide level of the

  • Banks using the Basic Indicator Approach have to
    hold capital for operational risk equal to a
    fixed percentage (denoted alpha) of a single 
    indicator.  The current proposal for this
    indicator is gross income.
  • Analysis of QIS data: Basic Indicator Approach
    (Based on 12% of Minimum Regulatory Capital)
  •  For the Basic Indicator Approach, alphas are
    calculated as 12 percent of minimum regulatory
    capital divided by gross income.

Business Lines 
  • Corporate Finance
  • Trading Sales
  • Retail Banking
  • Commercial Banking
  • Payment and Settlements
  • Agency Services & Custody
  • Retail Brokerage
  • Asset Management

Standardized Approach 
  • $K_{TSA} = \sum (EI_{1-8} \times \beta_{1-8})$
  • Where
  • $K_{TSA}$ = the capital charge under the Standardized
  • $EI_{1-8}$ = the level of an exposure indicator for
    each of the 8 business lines
  • $\beta_{1-8}$ = a fixed percentage, set by the
    Committee, relating the level of required capital
    to the level of the gross income for each of the
    8 business lines
  •  The total capital charge is calculated as the
    simple summation of the regulatory capital
    charges across each of the business lines.
  • Analysis of QIS data: the Standardized Approach
    (Based on 12% of Minimum Regulatory Capital)

The Operational Risk Matrix 
  •     Corporate Finance   Internal
  •     Trading & Sales    External
  •     Retail Banking    Employment
  •     Commercial Banking   Clients, Products
  •     Payment and Settlements   Damage to Physical
  •     Agency Custody    Business Disruption ...
  •     Retail Brokerage    Execution
  •     Asset Management

Examples of Operational Risk
  • Business Area Processes
  • Potential Risks
  • Breach of mandate
  • Incorrect/untimely transaction capture, execution
    and settlement
  • Loss of client assets
  • Mis-pricing
  • Incorrect asset allocation
  • Compliance issues
  • Corporation action errors
  • Stock lending errors
  • Accounting and Taxation errors
  • Inadequate record keeping
  • Subscription and redemption errors

Examples of Operational Risk
  • Business Area People
  • Potential Risks
  • Unauthorised trading
  • Insider trading
  • Fraud
  • Employees illness and injury
  • Discrimination Claims
  • Compensation, benefit and termination issues
  • Problems recruiting or retaining staff
  • Organised labour activity
  • Other legal issues

The Internal Measurement Approach 
  • $K_{IMA} = \sum (EI_{ij} \times PE_{ij} \times LGE_{ij} \times \gamma_{ij})$
  • Where
  • $K_{IMA}$ = the capital charge under the Internal
    Measurement Approach
  • $EI_{ij}$ = the level of an exposure indicator for
    each business line and event type combination
  • $PE_{ij}$ = the probability of an event given one
    unit of exposure, for each business line and
    event type combination
  • $LGE_{ij}$ = the average size of a loss given an
    event for each business line and event type
  • $\gamma_{ij}$ = the ratio of capital to expected loss for
    each business line and event type combination
  • $\gamma_{ij}$ could be an industry-wide number
    developed by the regulator, or it could be an
    institution-specific number developed by
    individual institutions.

The Loss Distribution Approach 
  • Background
  • Used by the Most Sophisticated Banks
  • Requires Advanced Knowledge and Lots of Data
  • Brief Overview
  • Requires plenty of data
  • Based on the Collective Risk model
  • Is as much an art as it is a science
  • Graphical illustration of required capital

An LDA Requires Plenty of Data 
  • 1. Severity
  • ----Frequency 
  • ----Time Trigger 
  • 2. Loss Event Type 
  • Risk Transfer / Relief Indicator (s) 
    e.g. Premiums / Limits 
  • 3. Gross Loss 
  • -Type of Relief / Policy 
  • -Exposure Indicator (s) 
  • -Adjusted Net Loss
  • (Discounted Currency adjusted incl. Risk
  • 4. Business Line 
  • -Loss Effect Type

The Collective Risk Model 
  • $C = X_1 + X_2 + X_3 + \dots + X_N$
  • Where N is the frequency distribution
  • And X is the severity distribution
  • And C is the aggregate loss distribution
  • A separate model should be fit for each
    homogeneous grouping of data; hopefully these
    might correspond to the business line / event
    type combinations stipulated by regulators
  • the model has some nice mathematical properties
  • $E[C] = E[N] \cdot E[X]$
  • Assuming N is Poisson: $Var[C] = E[N] \cdot (Var[X] + E[X]^2)$
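
The collective risk model above, simulated for a single business line / event type cell and checked against the two moment formulas on the slide. This is an added example, not part of the presentation. The lognormal severity, all parameter values and the 99.9% quantile used as the capital level are assumptions made for illustration.

```python
"""Collective risk model C = X_1 + ... + X_N for one cell (added example).

Assumptions (not from the slides): lognormal severity X, constructed
parameter values, and a 99.9% quantile of C taken as the capital level.
"""
import math
import random
import statistics


def lognormal_moments(mu, sigma):
    """Return (E[X], Var[X]) for a lognormal with log-mean mu and log-sd sigma."""
    mean = math.exp(mu + sigma ** 2 / 2)
    var = (math.exp(sigma ** 2) - 1) * math.exp(2 * mu + sigma ** 2)
    return mean, var


def analytic_moments(lam, mu, sigma):
    """Slide formulas with N ~ Poisson(lam), so E[N] = lam:
    E[C] = E[N] * E[X] and Var[C] = E[N] * (Var[X] + E[X]^2)."""
    ex, varx = lognormal_moments(mu, sigma)
    return lam * ex, lam * (varx + ex ** 2)


def draw_poisson(rng, lam):
    """Poisson(lam) draw: count exponential inter-arrival times that fit in one period."""
    count, t = 0, rng.expovariate(lam)
    while t < 1.0:
        count += 1
        t += rng.expovariate(lam)
    return count


def simulate_aggregate_losses(lam, mu, sigma, years, seed=2008):
    """One aggregate loss C per simulated year; a year with N = 0 events gives C = 0."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n_events = draw_poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def empirical_quantile(sorted_values, q):
    """Nearest-rank quantile: smallest value with at least a share q of the sample at or below it."""
    idx = max(0, math.ceil(q * len(sorted_values)) - 1)
    return sorted_values[idx]


def lda_summary(lam=25.0, mu=10.0, sigma=0.8, years=20000, q=0.999):
    """Compare simulated moments of C with the slide formulas and read off a tail quantile."""
    losses = sorted(simulate_aggregate_losses(lam, mu, sigma, years))
    expected_loss, variance = analytic_moments(lam, mu, sigma)
    quantile = empirical_quantile(losses, q)
    return {
        "expected_loss": expected_loss,            # E[C] from the formula
        "variance": variance,                      # Var[C] from the formula
        "sim_mean": statistics.fmean(losses),      # simulated E[C]
        "sim_variance": statistics.pvariance(losses),
        "quantile": quantile,                      # assumed capital level
        "unexpected_loss": quantile - expected_loss,
    }


if __name__ == "__main__":
    for name, value in lda_summary().items():
        print(f"{name:>16}: {value:,.0f}")
```

The gap between the tail quantile and the expected loss is the part of the aggregate loss distribution that the earlier slides label unexpected losses.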

Art More than Science 
  • External Data
  • Scenario Analysis
  • Expert Opinion
  • Adjustments for Changes in Risk Management
  • Adjustments for Insurance

Desired Cultural Attitudes 
  • Accountability
  • Integrity
  • Focus on standards
  • Continuous and open communication
  • Intolerance for non-compliance
  • Consistent decisions
  • Teamwork

To Sum up
  • Effective Management of OR would help in
    minimizing regulatory capital
  • Validation is one of the greatest challenges
  • Ratings reflect a bank's assessment of a
    borrower's ability to perform under adverse
    economic circumstances
  • Do not underestimate cultural changes


Thank you www.prmia.org