Operational Risk Management - PowerPoint PPT Presentation

Slides: 67
Provided by: yola341



Lecture 16
  • Operational Risk Management

  • A growing desire has emerged to organize the
    components of operational risk into what Hubner
    et al. (2003) call a coherent structural

  • Haubenstock (2003) identifies the components of
    the operational risk framework as
  • (i) strategy,
  • (ii) process,
  • (iii) infrastructure, and
  • (iv) the environment

  • development of a risk management strategy
  • development of risk management culture
  • definition of management roles and
  • ensuring that an appropriate management and
    control structure is in place

The risk management framework: Process
  • The process involves the day-to-day activities
    required to understand and manage operational
    risk, given the chosen strategy.
  • The process consists of
  • (i) risk and control identification,
  • (ii) risk measurement and monitoring,
  • (iii) risk control/mitigation, and
  • (iv) process assessment and evaluation.

Process: Risk and control identification
  • Risk identification starts with the definition of
    operational risk to provide a broad context for
    potential threats
  • The best way to identify risk is to talk to
    people who live with it on a daily basis
  • The degree of risk is typically defined as
    frequency and severity, rated either
    qualitatively or quantitatively
  • Mestchian (2003) suggests a decomposition of
    operational risk into process, people risk,
    technology, and external risk
  • These risks can then be rated as low, medium,
    or high in different business activities, as in
    the Table on the next slide, or by frequency or
    severity, as in Figure 2, one slide after that

Risk identification
[Table: Risk assessment of activities]

ORF Process - Identification
  • Risk identification should also include
    monitoring of the external environment and
    industry trends, as new risks emerge continuously
  • (ii) Control identification
  • The identification of controls is part of the
    identification process, as it complements the
    identification of risk.
  • Controls include
  • management oversight,
  • information processing,
  • activity monitoring,
  • automation,
  • process controls,

  • segregation of duties,
  • performance indicators
  • and policy and procedures
  • The control framework defines the appropriate
    approach to controlling each identified risk
  • (iii) Risk mitigators
  • Risk mitigators include
  • training,
  • insurance programs,
  • diversification and
  • outsourcing

  • Insurance, which is a means of risk
    control/mitigation, is typically applied against
    the large exposures where a loss would cause a
    charge to earnings greater than that acceptable
    in the risk appetite
  • For the purpose of risk identification, the
    Federal Reserve System (1997) advocates a
    three-fold risk-rating scheme that includes (i)
    inherent risk, (ii) risk controls, and (iii)
    composite risk.
  • Inherent risk (or gross risk) is the level of
    risk without consideration of risk controls,
    residing at the business unit level

  • Inherent risk depends on (i) the level of
    activity relative to the firm's resources, (ii)
    number of transactions, (iii) complexity of
    activity, and (iv) potential loss to the firm
  • Composite risk (or residual risk or net risk) is
    the risk remaining after accounting for inherent
    risk and risk mitigating controls
  • The Federal Reserve System (1997) provides a
    matrix that shows composite risk situation based
    on the strength of risk management (weak,
    acceptable, strong) and the inherent risk of the
    activity (low, moderate, high)

  • For example, when weak risk management is applied
    to low inherent risk, the resulting risk is
    low/moderate composite risk
  • On the other extreme, when strong risk management
    is applied to high inherent risk, the composite
    risk will be moderate/high
  • An illustration is given in the figure on the next slide

[Figure: The FRS's classification of inherent and composite risks]
  • (iv) Risk measurement
  • As risks and controls are identified, risk
    measurement provides insight into the magnitude
    of exposure, how well controls are operating and
    whether exposures are changing and consequently
    require attention
  • The borderline between identification and
    measurement is not clear; however, Haubenstock
    (2003) identifies the following items as relevant
    to the measurement of operational risk
  • a. Risk drivers, which are measures that drive
    the inherent risk profile and changes in which
    indicate changes in the risk profile

  • These include transaction volumes, staff levels,
    customer satisfaction, market volatility, the
    level of automation
  • b. Risk indicators, which are a broad category of
    measures used to monitor the activities and
    status of the control environment of a particular
    business area for a given risk category.
  • The difference between drivers and indicators is
    that the former are ex ante whereas the latter
    are ex post
  • Examples of risk indicators are profit and loss
    breaks, failed trades and settlements and systems

  • c. The loss history which is important for three
    reasons (i) loss data are needed to create or
    enhance awareness at multiple levels of the firm
    (ii) they can be used for empirical analysis and
    (iii) they form the basis for the quantification
    of operational risk capital
  • d. Causal models, which provide the quantitative
    framework for predicting potential losses.
  • These models take the history of risk drivers,
    risk indicators and loss events and develop the
    associated multivariate distributions.
  • The models can determine which factor(s) have the
    highest association with losses

  • e. Capital models, which are used to estimate
    regulatory capital as envisaged by Basel II.
  • f. Performance measures which include the
    coverage of the self-assessment process, issues
    resolved on time, and percentage of issues
    discovered as a result of the self assessment
  • (v) Reporting
  • Reporting is an important element of measurement
    and monitoring

  • A key objective of reporting is to communicate
    the overall profile of operational risk across
    all business lines and types of risk.
  • There are two alternative ways of reporting to a
    central database as shown in Figure
  • One way is indirect reporting where there is a
    hierarchy in the reporting process, which can be
    arranged on a geographical basis.
  • Otherwise, direct reporting is possible where
    every unit reports directly to a central database

  • Reporting methods
  • Checklists are probably the most common approach
    to self-assessment
  • Structured questionnaires are distributed to
    business areas to help them identify their level
    of risk and related controls
  • The response would indicate the degree to which a
    given risk affects their areas.
  • It would also give some indication of the
    frequency and severity of the risk and the level
    of risk control that is already in place
  • The narrative approach is also used to ask
    business areas
  • to define their own objectives and the resulting

  • The workshop approach skips the paperwork and
    gets people to talk about their risks, controls,
    and the required improvements
  • Lam (2003b) identifies two schools of thought
    with regard to quantitative and qualitative
    measures of risk
  • (i) the one believing that what cannot be
    measured cannot be managed, hence the focus
    should be on quantitative tools
  • and (ii) the other, which does not accept the
    proposition that operational risk can be
    quantified effectively, hence the focus should be
    on qualitative approaches

  • Lam (2003b) warns of the pitfalls of using one
    approach rather than the other, stipulating that
    the best practice operational risk management
    incorporates elements of both.
  • (vi) Risk control/mitigation
  • When risk has been identified and measured, there
    are a number of choices in terms of the actions
    that need to be taken to control or mitigate risk
  • These include (i) risk avoidance, (ii) risk
    reduction, (iii) risk transfer, and (iv) risk
    assumption (risk taking)

  • Risk avoidance can be quite difficult and may
    raise questions about the viability of the
    business in terms of the risk-return relation
  • A better alternative is risk reduction, which
    typically takes the form of risk control efforts
    as it may involve tactics ranging from business
    re-engineering to staff training as well as
    various less extensive staff and/or technical
  • Cost-benefit analysis may be used to assist in
    structuring decisions and to prevent the business
    from being controlled out of profit

People issues
  • the relevant type and calibre of people are
  • there are adequate levels of training and
    development of the staff
  • the staff have the skill levels that are
    appropriate to the tasks assigned to them

Technology issues
  • adequate systems to support the various product
  • systems are available for management information
    and reporting
  • there is communication infrastructure to support
    the operation
  • data warehouses that allow integration and
    consolidation of information and data across the

  • tools and systems available for managing market
    risk across the organization
  • enterprise-wide credit monitoring and credit risk
    management systems.

Themes in risk management framework
  • There are four fundamental themes that are
    critical for establishing and maintaining a
    comprehensive and effective risk management
  • 1. The ultimate responsibility for risk
    management must be with the board of directors.
    They need to ensure that organization structure,
    culture, people and systems are conducive to
    effective risk management. The requirements for
    risk management must be defined and established
    by those charged with overall responsibility for
    running the business

  • 2. The board and executive management must
    recognize a wide variety of risk types, and
    ensure that the control framework adequately
    covers all of these. As well as including market
    and credit risks, it should include operations,
    legal, reputation and human resources risks, that
    do not readily lend themselves to measurement

  • 3. The support and control functions, such as the
    back and middle offices, internal audit,
    compliance, legal, IT and human resources, need
    to be an integral part of the overall risk
    management framework
  • 4. Risk management objectives and policies must
    be a key driver of the overall business strategy,
    and must be implemented through supporting
    operational procedures and controls.

  • Operational risk can be minimized in a number of
    ways. Internal control methods consist of
  • 1. Separation of functions
  • Individuals responsible for committing
    transactions should not perform clearance and
    accounting functions
  • 2. Dual entries
  • Entries (inputs) should be matched from two
    different sources, that is, the trade ticket and
    the confirmation by the back office.

  • 3. Reconciliations
  • Results (outputs) should be matched from
    different sources, for instance the trader's
    profit estimate and the computation by the middle
  • 4. Tickler systems
  • Important dates for a transaction (e.g.,
    settlement, exercise dates) should be entered
    into a calendar system that automatically
    generates a message before the due date.

  • Controls over amendments: Any amendment to
    original deal tickets should be subject to the
    same strict controls as original trade tickets.
  • External control methods consist of
  • 1. Confirmations: Trade tickets need to be
    confirmed with the counterparty, which provides an
    independent check on the transaction.
  • 2. Verification of prices: To value positions,
    prices should be obtained from external sources.
    This also implies that an institution should have
    the capability of valuing a transaction in-house
    before entering it.

  • 3. Authorization: The counterparty should be
    provided with a list of personnel authorized to
    trade, as well as a list of allowed
  • 4. Settlement: The payment process itself can
    indicate if some of the terms of the transaction
    have been incorrectly recorded, for instance, as
    the first cash payments on a swap are not matched
    across counterparties.
  • 5. Internal/external audits: These examinations
    provide useful information on potential weakness
    areas in the organizational structure or business
