1
Building a Modern Risk Management Department Seminar
Financial Services Volunteer Corps (FSVC)
January 19 – 22, 2009
Tripoli, Libya
2
Day Two
Period 11 AM to 12:25 PM
3
What is Operational Risk?
4
Specific Risk Types
1. Credit Risk
– The risk that a financial institution makes a loss as a result of less than full payment of an obligation
2. Market Risk
– Risk of loss due to changes in market prices or variables
3. Operational Risk
– Historically: “Other risks”
– More precisely (Basel II): “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”
5
Typical “Economic” or “Risk” Capital Allocation for Risk
Credit Risk: 50 - 60%
Market Risk: 10 - 30%
Operational and Business Risks: 10 - 30%
6
A Consensus Definition of Operational Risk
“the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”
This (Basel II) definition includes legal risk but excludes strategic and reputational risk
7
Definition of Operational Risk
Operational risk is the risk of direct or indirect loss due to failed or inadequate processes, people or systems, or exposure to external events.
[Diagram: Cause, Risk Event, Effect]
Risk is articulated in terms of three components:
Cause is the business condition that allowed the risk to occur. As mentioned in the definition above, causes generally fall into two categories: internal problems or external matters such as exposure to external environment changes.
A risk event is the observable situation or incident of risk. There are seven categories of risk events under which all operational risk can be classified.
Effect is the consequence that the risk has. The effect can be measured in a qualitative (high, low) or quantitative manner (dinar amount, number of transactions impacted).
8
Basel uses 7 categories of operational events that have been commonly adopted by the industry:
• Execution, delivery and process management
• Clients, products and business practices
• External fraud
• System failures
• Internal fraud
• Employment practices and workplace safety
• Damage to physical assets
Some companies include legal, reputation and/or compliance within the scope of operational risk management.
Categories of cause, risk event and effect are utilized to assist in risk identification and assessment
9
Operational Risk
• It’s a traditional Type of Risk
– Often equated with “Common Sense”
– Often equated with “Operations Risk”
– Often thought of as Back-Office Risk
• Historically, it’s the subject of unclear thinking
WHY ???
10
Here’s Why
• Not defined
• No taxonomy of components
• Not measured; no data
• No benchmarks
• No specified language/“jargon”
• No formal reporting
• No specific regulatory framework
• No specialized managers
• No credentials
• No specific training
11
Basel II – Operational Risk
Main Components
• Measurement
• Management
12
Role of Measurement
• You can’t manage what you can’t measure
• Now have generally understood, quite specific, categories of Operational Risk
– Front, middle, back-office sources
– Internal, external sources
• Banks now have data collection process and event loss & frequency databases
• Early stage histories / time series
• Access to external databases
• Management reporting: detailed & consolidated
• Usually data by product line, geography, legal entity
• Increasingly with benchmarks and peer analytics
• Data is now being intensively reviewed
13
It looked like we were on our way
Sound Practices, Principle 5:
Banks should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.
14
[Diagram: organization chart. Labels: Board of Directors; CEO; CRO/CCO/CFO; Set Risk Tolerances; Implement Risk “Framework”; Risk Policies & Procedures; Risk Measurement; Risk Management; Credit Risk; Market/Price Risk; Operational Risk; Capital Calculations; P&L Results; AML & Related Policies and Procedures; Compliance Policies & Procedures; Business Practices, Clients, Products; Other 6 Basel Loss Event Categories; Fines, Penalties, Legal Expenses & other Out of Pocket; Reputation Loss; Opportunity Costs]
15
Management Today
Product Lines / Lines of Business have Ops Risk staff; Major geographies have Ops Risk staff; Risk Management Organization has Ops Risk staff; Beginning recognition as risk specialty with a body of knowledge
Issued and adopted; Used by Internal Audit and Supervisory Reviews
In place
Early stage but improving quickly; Conferences - we are all here today
• Personnel
• Policies
• Reporting
• Training
• Tools
16
Mindset
Inherent Risk
Controls
Residual Risk
17
Risk Management Itself: Evolution and Intelligent Design
Until now:
Credit and Market Risk Management has been focused on customers and counterparties.
Operational Risk Management has been focused on internal factors and events.
This is a primitive structure
This is the profession of “control”
“Risk Management” includes “control”, but great value is still to come from an external focus. The big payoff is in managing the risk : reward equation.
18
The Importance of Operational Risks
Recent experience makes it clear that risks other than credit and market risks can be substantial:
Deregulation & globalisation of financial services
Growing sophistication of financial technology
Activities of Banks (& their risk profiles) more diverse & complex
• Life insurance & pension mis-selling (U.K.)
• Underwriting/research conflicts (U.S.)
• Madoff Ponzi Scheme (Global)
• “Moral Hazards” (Various)
• Satyam Computer (India)
• Barings (Singapore + U.K.)
• Enron & Worldcom (U.S.)
• 9/11 (U.S.)
• Allfirst (Allied Irish) (Ireland)
• Parmalat (Italy)
19
Whichever way you look, operationally we are becoming more complex and inter-dependent….
Technology
Concentration
Globalisation
Diversification
Business strategy
Statutory, Regulatory & Contractual
Economic, Cultural & Political
Partnering, alliances, outsourcing & joint ventures
20
…resulting in greater focus on Operational Risk by financial services providers, government & others…
Financial Services (Banks, Insurance Companies, Fund Managers)
• Specialist Operational Risk functions
• Framework, policy, measurement and monitoring
• Capital allocation for operational risk – now happening
• Loss, event and near-miss data collection & analysis
• Extensive, ‘what if’, scenario analysis
• Business continuity testing and crisis management training
• Executive and Board Risk Committees
Others
• Reputation indices
• Rating Agencies
• Sustainability
Government
• Consumer protection
• Corporate Governance
• Basel II
• Standards & Guidelines
21
DATA & TOOLS
22
Operational Risk Tools
General use of:
• Self Assessments
• Key Risk Indicators
• Scenarios
• Loss Databases
Use of:
• Line of Business Mapping
• External Benchmarking
• Self Assessment / Audit Congruence
23
SELF-ASSESSMENTS
24
Risk and Control Self-Assessments are a key component of an Operational Risk Framework
[Diagram: RCSA process shown as Phase 1, Phase 2 and Phase 3, with rows labelled Objective, Results and Controls]
Framing the Business Context
• Business Unit Scope
• Business Objectives
• Business Processes
• Business Process Maps (high-level)
Risk Identification
• Risk Events
• Potential Causes
• Potential Effects
• Key Controls
• Categorization
Risk Assessment
• Net Likelihood and Impact Assessment
• Control Effectiveness Assessment
Risk Response Strategy
• Risk tolerance
• Risk response decisions
• Initial mitigation strategy
Business Areas describe their objectives and processes
• Risk Management Committee reviews scope to ensure coverage
• QA sessions with RM Committee
• Senior Business Leader sign-off
Business Areas identify risks to business objectives and associated details
Business Areas assess identified risks
• QA sessions with Risk Management Committee
• Program Office facilitates cross unit risk identifications
Business Areas determine response strategies and mitigation plans
• Senior Business Leader sign-off of deliverables
25
Self Assessments – How They are Used
• Business Units/Lines of Business
– Identify and mitigate operational risks
– Report control deficiencies and track their remediation
– Monitor changes in the control environment
– Assess the operational risk profile
– Manage operational risk
– Regulatory compliance
– Process reengineering
• Risk Quantification
– Qualitative adjustments to operational risk capital
26
A Strategy for risk response is determined for each risk
• Mitigate: Risk is outside risk appetite and/or cost beneficial to mitigate
– Reduce: Institute actions to create new controls, to improve control effectiveness, to re-engineer processes, etc.
– Share: Share risk exposure through the purchase of insurance policies, etc.
– Reject: End product or service offerings or cease execution of certain processes, thereby eliminating the associated risks
• Monitor/Assess: Requires further research before a response decision is made
• Accept: Risk is low or costs to further mitigate outweigh the risk
27
Risk appetite highlights unacceptable risks
[Figure: HLOB Net Risk Map. Axes: Impact (in LYD 1,000), scaled from LYD 1 to LYD 100,000, and Likelihood, scaled from “10+ Times a Day” to “> One every 100 Years”. Risks 01 to 12 are plotted.]
28
Revisit: Why Adopt an RCSA Program?
• Reduced losses and reputational damage - improved likelihood of achieving business objectives and greater business resilience
• Better business decisions based on strong risk management analytics
• Identification of potential opportunities for control reductions/efficiency improvements
• Effective board reporting, based on enterprise-wide aggregation of risks, comparative and trend analyses
• Increased risk awareness across the organization & better communication about risk
• Safety and soundness objectives
29
But, many firms struggle to achieve the desired “return on investment” from RCSAs
• Business not engaged, low buy-in
• Cannot flexibly aggregate results
• Adds to already complex set of control review programs businesses must manage
• Does not produce strong data for management decision making
• Does not identify potential overinvestment in controls
• Sustained risk management culture not realized
30
Key Risk Indicators (KRIs)
31
What are Key Risk Indicators (KRIs)?
KRIs are a set of measures used to monitor risks and controls, and that are hopefully predictive of changes in the operational risk profile and/or the potential for operational events.
Key objectives of KRIs include:
• Provide early warning signals
• Used to estimate levels of risk
• Designed to show risk level changes and trends
• Enable actions that prevent material loss or incident
• Used in escalation criteria for risk management
32
Key Risk Indicators are a subset of overall business metrics
Key Risk Indicators
• Can be aligned with a process or risk event
• Typically viewed in a dashboard
• More frequent, predictive, and actionable in nature
Key Performance Indicators
• A broader set of indicators aligned with performance of a business unit or process
• Typically viewed in a scorecard
• Includes efficiency metrics (e.g., productivity)
Key Business Indicators
• Top level metrics associated with business performance (e.g., earnings per share, revenue growth, charge-offs, cost per account, etc.)
33
Establishing Key Risk Indicators involves six major steps
1. Inventory Existing Metrics
2. Assess KRI Gaps
3. Design KRIs
4. Validate KRIs
5. Develop KRI Dashboard
6. Establish KRI Control Plan
Potential Key Risk Indicators (columns 3 to 6):
Root Causes | Weighting | File receipt indicator (% received/sent) | CSM cancellation rate by product ($ per AOF) | Partner credit report (number by $ amount) | Days to credit metric (contact to credit)
File not received by BP | 20% | 9 | 1 | 1 | 1
Complete file not received by BP | 10% | 3 | 1 | 1 | 1
BP credits to wrong cardholder account | 30% | 0 | 1 | 9 | 0
BP credits incorrect amount | 30% | 0 | 3 | 9 | 1
Overall Rating | | 2.10 | 1.50 | 5.70 | 0.60
What existing metrics could be potential KRIs?
How well do these existing metrics cover the risk drivers?
What new KRIs do I need to develop to address any gaps?
KRI Metric Name
Risk Event
Drivers: Cause; Control or Other
Reporting Frequency
Time Lag Between Data Collection & Reporting
Trigger Limits
Escalation Procedure Owner
KRI Dashboard Recipients
Last Updated
How well does each of these KRIs correlate to the risk event?
What type of graphical report should I use to monitor these KRIs?
What actions do I need to take to implement this KRI?
[Chart: F10 Flowdown by Week Ending, 0.00% to 4.00%, with reference lines at the Mean and at ±1, ±2 and ±3 Std Dev. 03/09/01-11/02/01: Mean = 1.85%, Std Dev = 0.57%. *As of the week ending 11/30/2001, Fraud is responsible for F10 flowdown.]
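The gap assessment and trigger-limit steps on this slide, worked through as an added example that is not part of the seminar material. It recomputes the "Overall Rating" row from the slide's weightings and scores, then classifies weekly values against limits derived from the F10 baseline; the 2 and 3 standard deviation thresholds, the run rule and the weekly values are assumptions made for illustration.

```python
# Root-cause weightings and coverage scores, copied from the slide's matrix
# (row order: file not received, complete file not received,
#  credit to wrong cardholder account, incorrect amount credited).
WEIGHTS = [0.20, 0.10, 0.30, 0.30]
SCORES = {
    "File receipt indicator": [9, 3, 0, 0],
    "CSM cancellation rate by product": [1, 1, 1, 3],
    "Partner credit report": [1, 1, 9, 9],
    "Days to credit metric": [1, 1, 0, 1],
}

def overall_ratings(weights, scores):
    """Weighted coverage per candidate KRI: the slide's 'Overall Rating' row."""
    return {kri: round(sum(w * s for w, s in zip(weights, column)), 2)
            for kri, column in scores.items()}

def coverage_gaps(weights, scores, min_score=3):
    """Root causes (by row index) that no candidate KRI covers at min_score or better."""
    return [i for i in range(len(weights))
            if max(column[i] for column in scores.values()) < min_score]

def status(value, mean, std, warn=2.0, escalate=3.0):
    """Trigger limits in standard deviations above the mean (assumed: 2 and 3)."""
    z = (value - mean) / std
    return "RED" if z >= escalate else "AMBER" if z >= warn else "GREEN"

def monitor(series, mean, std, run_length=3):
    """Classify each week; a run of `run_length` weeks above +1 std dev is
    raised to AMBER, since a sustained drift can stay under a single-point limit."""
    rows, run = [], 0
    for week, value in series:
        level = status(value, mean, std)
        run = run + 1 if value > mean + std else 0
        if level == "GREEN" and run >= run_length:
            level = "AMBER"
        rows.append((week, value, level))
    return rows

# Baseline from the slide (03/09/01-11/02/01): mean 1.85%, std dev 0.57%.
F10_MEAN, F10_STD = 1.85, 0.57
# Constructed weekly flowdown percentages, for illustration only.
SAMPLE_WEEKS = [("wk1", 1.70), ("wk2", 2.50), ("wk3", 2.60),
                ("wk4", 2.70), ("wk5", 3.10), ("wk6", 3.60)]

if __name__ == "__main__":
    print(overall_ratings(WEIGHTS, SCORES))
    print("uncovered root causes:", coverage_gaps(WEIGHTS, SCORES))
    for row in monitor(SAMPLE_WEEKS, F10_MEAN, F10_STD):
        print(row)
```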
34
How do I implement Key Risk Indicators in my area?
1. Identify your area of focus (process- or risk event-based)
• Risk events identified above your risk threshold
• Business processes with the highest risk exposure
2. Determine your project strategy for KRI implementation
• Stand-alone initiative
• Part of a larger business metrics redesign project
• A workstream as part of a risk mitigation project in that area
3. Identify appropriate resources and expand their KRI skills as needed
4. Leverage the KRI methodology to develop and validate your Key Risk Indicators
5. Change control: Periodically revisit your KRIs, trigger limits, and escalation procedures
35
Event Collection
36
Through the consistent categorization and analysis of these events we will increase our ability to prevent reoccurrences of operational events. Other benefits include:
• Identify “hot spots” where event frequency/impact exceed expected error rates
• Improve the accuracy of our self-assessments and subsequent allocation of resources to address these risks
• Quantify the potential benefits of risk reduction projects
• Provide a tool for sharing learning across the bank
• Support the modeling of capital held against operational risk
The goal is to improve the understanding of operational breakdowns and reduce their impact
37
A thorough process collects detailed information about operational events, their causes, effects, and resolution to support analysis
Event Details
• Text Description of Event, including cause, effect, and actions taken to recover customers and process
• Business Areas affected
• Business Area responsible for event
• Process causing event
• Date(s) of occurrence, detection, resolution, containment, and date reported
Effects
• Financial effects tracked include the cost to fix, direct losses, impact to future revenue streams, and increased charge-offs
• Customer effects include the number of parties impacted, type of customer (applicant, customer, solicitee) and how they were affected
• Regulatory effects include the specific regulations that may have been impacted by event
Causes
• Standardized causes are tracked for each event
• Multiple contributing causes and 1 root cause are tracked
Resolution
• Detailed steps taken to recover the customers or money
• Detailed steps taken to recover the process
• Does not include long term mitigation.
38
Key components of a data collection strategy:
• Determine responsibility for each risk category in each business area or staff function
• Provide interfaces to extract as much data as possible from production systems
• Many events will not be captured; provide for individual data entry
• Allow business area “approval” prior to release
• Set up G/L codes for each event type in each business area/function. Enforce usage
• Central op risk group reviews events, categorization and descriptions
• Events need to pass through loss database to get paid and get recorded in G/L
• Reconcile G/L to loss database to assure that no events bypassed the loss database
• Analyze the sources of events to learn from experience
• Provide access to the database to business areas/functions
• Provide regular reporting to the businesses and senior management
A data collection strategy needs resources and control
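The G/L-to-loss-database reconciliation in the list above, sketched as an added example that is not part of the seminar material. The record layout (`event_id`, `gl_code`, `amount`, `approved`, `ref`), the exception names and all sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal as D

def reconcile(gl_postings, loss_events, tolerance=D("0.00")):
    """Match G/L postings on operational-loss codes against the loss database.

    BYPASS   - posting with no event id, or an id the loss database lacks
    MISMATCH - G/L code or total amount disagrees with the recorded event
    UNPOSTED - approved loss event that never reached the G/L
    """
    gl_total, gl_codes, exceptions = defaultdict(D), defaultdict(set), []
    for p in gl_postings:
        if not p["event_id"]:
            exceptions.append(("BYPASS", p["ref"], "no event id on posting"))
            continue
        gl_total[p["event_id"]] += p["amount"]   # an event may be paid in parts
        gl_codes[p["event_id"]].add(p["gl_code"])
    events = {e["event_id"]: e for e in loss_events}
    for event_id in sorted(gl_total):
        event = events.get(event_id)
        if event is None:
            exceptions.append(("BYPASS", event_id, "not in loss database"))
        elif gl_codes[event_id] != {event["gl_code"]}:
            exceptions.append(("MISMATCH", event_id, "G/L code differs"))
        elif abs(gl_total[event_id] - event["amount"]) > tolerance:
            exceptions.append(("MISMATCH", event_id, "amount differs"))
    for event_id in sorted(events):
        if events[event_id]["approved"] and event_id not in gl_total:
            exceptions.append(("UNPOSTED", event_id, "approved, not in G/L"))
    return exceptions

# Constructed sample data; ids, G/L codes and amounts are hypothetical.
LOSS_DB = [
    {"event_id": "EV-001", "gl_code": "6910", "amount": D("1200.00"), "approved": True},
    {"event_id": "EV-002", "gl_code": "6920", "amount": D("450.00"), "approved": True},
    {"event_id": "EV-003", "gl_code": "6930", "amount": D("75.50"), "approved": True},
    {"event_id": "EV-004", "gl_code": "6910", "amount": D("90.00"), "approved": False},
]
GL = [
    {"ref": "JE-1", "event_id": "EV-001", "gl_code": "6910", "amount": D("700.00")},
    {"ref": "JE-2", "event_id": "EV-001", "gl_code": "6910", "amount": D("500.00")},
    {"ref": "JE-3", "event_id": "EV-002", "gl_code": "6920", "amount": D("400.00")},
    {"ref": "JE-4", "event_id": "EV-009", "gl_code": "6910", "amount": D("300.00")},
    {"ref": "JE-5", "event_id": None, "gl_code": "6930", "amount": D("20.00")},
]

if __name__ == "__main__":
    for kind, key, reason in reconcile(GL, LOSS_DB):
        print(f"{kind:9} {key:7} {reason}")
```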
39
Using External Data
Supplement internal data
• Fill in distributions for line of business and product type where insufficient data exists
As a direct input into the capital model
A source of information for building scenarios
Supports risk management in many ways:
• Risk identification
• Control assessments and development
• Planning and scenario analysis: if it has happened before elsewhere, it could happen to this firm
Note: Discussion today of the use of external data is necessary to understand the theory. External data is often not available in countries such as Libya.
40
Scenario Analysis
41
Scenario Analysis
42
Expected Loss/Unexpected Loss
Stylized Representation of Risk Quantification
[Figure: loss distribution. Axes: Probability and Aggregate Losses. Marked: Mean, 99.9%, EOL, UOL, Operational Risk Capital.]
43
Expected Loss/Unexpected Loss
Expected Loss (EL)
• High frequency, low value events
• Data typically readily available at bank
• Banks view Expected Losses as a cost of business that must be managed
• Varying measures – ‘observed’ and statistical (mean, mode, median)
• Estimating EL is a part of the budgetary process
• EL is a meaningful number, but not usually significant when compared to unexpected losses
Unexpected Loss (UL)
• Low frequency, high value events – tail events
• Data typically not available internally
• Data must be supplemented (external data and/or scenario analysis)
• Largest losses will drive capital quantification process
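A frequency/severity simulation of the EL and UL split described above, as an added example that is not part of the seminar material and that goes beyond the slide's stylized picture. The Poisson event count, lognormal severities and every parameter value are assumptions chosen for illustration; capital is taken as the 99.9% aggregate loss minus the mean, following the earlier figure.

```python
import math
import random

def poisson(rng, lam):
    """Knuth's method: multiply uniform draws until the product drops to e^-lam."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_losses(freq, mu, sigma, years=5000, seed=7):
    """Sorted aggregate loss per simulated year: Poisson count, lognormal severity."""
    rng = random.Random(seed)
    return sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, freq)))
        for _ in range(years)
    )

def quantify(losses, confidence=0.999):
    """EL is the mean; capital is the loss at `confidence` minus the mean."""
    el = sum(losses) / len(losses)
    idx = min(len(losses) - 1, math.ceil(confidence * len(losses)) - 1)
    tail = losses[idx]
    return {"EL": el, "quantile": tail, "UL_capital": tail - el}

# Assumed scenarios: many small events versus rare large ones.
SCENARIOS = {
    "high frequency, low value": dict(freq=100, mu=0.0, sigma=0.5),
    "low frequency, high value": dict(freq=0.5, mu=3.0, sigma=1.5),
}

def compare(scenarios=SCENARIOS):
    """Run each scenario and return its EL, 99.9% quantile and capital."""
    return {name: quantify(simulate_annual_losses(**params))
            for name, params in scenarios.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        ratio = result["UL_capital"] / result["EL"]
        print(f"{name}: EL={result['EL']:.1f} "
              f"capital={result['UL_capital']:.1f} capital/EL={ratio:.1f}")
```

The high-frequency scenario yields capital that is a fraction of its EL, while the low-frequency scenario yields capital many times its EL.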
44
Payment Systems Risk
45
Payment Systems Risk
• Most frequently:
– Cash
– Securities
• Flows
– One way
– Exchange of value
– Depositories
• Risks
– Finality
– Simultaneity
– Recoverability
• Complications
– Crossborder
– Cross time-zones
– Cross currencies
– Real time/Gross versus Net Settlement
– Physical vs. Clearing House/Electronic
– Central Counterparties