
Building a Modern Risk Management Department Seminar

Date post: 12-Jan-2016
Building a Modern Risk Management Department Seminar. Financial Services Volunteer Corps (FSVC), January 19 – 22, 2009, Tripoli, Libya. Day Two, period 11 AM to 12:25 PM: What is Operational Risk?
Page 1: Building a Modern Risk Management Department Seminar

1

Building a Modern Risk Management Department Seminar

Financial Services Volunteer Corps (FSVC)

January 19 – 22, 2009

Tripoli, Libya

Page 2: Building a Modern Risk Management Department Seminar

2

Day Two

Period 11 AM to 12:25 PM

Page 3: Building a Modern Risk Management Department Seminar

3

What is Operational Risk?

Page 4: Building a Modern Risk Management Department Seminar

4

Specific Risk Types

1. Credit Risk

– The risk that a financial institution makes a loss as a result of less than full payment of an obligation

2. Market Risk

– Risk of loss due to changes in market prices or variables

3. Operational Risk

– Historically: “Other risks”

– More precisely (Basel II): “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”

Page 5: Building a Modern Risk Management Department Seminar

5

Typical “Economic” or “Risk” Capital Allocation for Risk

– Credit Risk: 50 - 60%

– Market Risk: 10 - 30%

– Operational and Business Risks: 10 - 30%

Page 6: Building a Modern Risk Management Department Seminar

6

A Consensus Definition of Operational Risk

“the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”

This (Basel II) definition includes legal risk but excludes strategic and reputational risk

Page 7: Building a Modern Risk Management Department Seminar

7

Definition of Operational Risk

Operational risk is the risk of direct or indirect loss due to failed or inadequate processes, people or systems, or exposure to external events.

[Diagram: Cause, Risk Event, Effect]

Risk is articulated in terms of three components:

Cause is the business condition that allowed the risk to occur. As mentioned in the definition above, causes generally fall into two categories: internal problems or external matters such as exposure to external environment changes.

A risk event is the observable situation or incident of risk. There are seven categories of risk events under which all operational risk can be classified.

Effect is the consequence that the risk has. The effect can be measured in a qualitative (high, low) or quantitative manner (dinar amount, number of transactions impacted).

Page 8: Building a Modern Risk Management Department Seminar

8

Basel uses 7 categories of operational events that have been commonly adopted by the industry:

– Execution, delivery and process management
– Clients, products and business practices
– External fraud
– System failures
– Internal fraud
– Employment practices and workplace safety
– Damage to physical assets

Some companies include legal, reputation and/or compliance within the scope of operational risk management.

Categories of cause, risk event and effect are utilized to assist in risk identification and assessment.

Page 9: Building a Modern Risk Management Department Seminar

9

Operational Risk

• It’s a traditional Type of Risk
– Often equated with “Common Sense”
– Often equated with “Operations Risk”
– Often thought of as Back-Office Risk

• Historically, it’s the subject of unclear thinking

WHY?

Page 10: Building a Modern Risk Management Department Seminar

10

Here’s Why

• Not defined

• No taxonomy of components

• Not measured; no data

• No benchmarks

• No specified language/“jargon”

• No formal reporting

• No specific regulatory framework

• No specialized managers

• No credentials

• No specific training

Page 11: Building a Modern Risk Management Department Seminar

11

Basel II – Operational Risk

Main Components

•Measurement

•Management

Page 12: Building a Modern Risk Management Department Seminar

12

Role of Measurement

• You can’t manage what you can’t measure

• Now have generally understood, quite specific, categories of Operational Risk
– Front, middle, back-office sources
– Internal, external sources

• Banks now have data collection process and event loss & frequency databases

• Early stage histories / time series

• Access to external databases

• Management reporting: detailed & consolidated

• Usually data by product line, geography, legal entity

• Increasingly with benchmarks and peer analytics

• Data is now being intensively reviewed

Page 13: Building a Modern Risk Management Department Seminar

13

It looked like we were on our way

Sound Practices, Principle 5:

Banks should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.

Page 14: Building a Modern Risk Management Department Seminar

14

[Diagram: risk governance chart. Labels: Board of Directors; CEO; CRO/CCO/CFO; Risk Measurement; Risk Management; Credit Risk; Market/Price Risk; Operational Risk; Capital Calculations; P&L Results; Set Risk Tolerances; Implement Risk “Framework”; Risk Policies & Procedures; AML & Related Policies and Procedures; Compliance Policies & Procedures; Business Practices, Clients, Products; Other 6 Basel Loss Event Categories; Fines, Penalties, Legal Expenses & other Out of Pocket; Reputation Loss; Opportunity Costs.]

Page 15: Building a Modern Risk Management Department Seminar

15

Management Today

– Product Lines / Lines of Business have Ops Risk staff
– Major geographies have Ops Risk staff
– Risk Management Organization has Ops Risk staff
– Beginning recognition as risk specialty with a body of knowledge

– Issued and adopted
– Used by Internal Audit and Supervisory Reviews

– In place

– Early stage but improving quickly
– Conferences - we are all here today

• Personnel

• Policies

• Reporting

• Training

• Tools

Page 16: Building a Modern Risk Management Department Seminar

16

Mindset

Inherent Risk

Controls

Residual Risk

Page 17: Building a Modern Risk Management Department Seminar

17

Risk Management Itself: Evolution and Intelligent Design

Until now:

Credit and Market Risk Management has been focused on customers and counterparties.

Operational Risk Management has been focused on internal factors and events.

This is a primitive structure

This is the profession of “control”

“Risk Management” includes “control”, but great value is still to come from an external focus. The big payoff is in managing the risk : reward equation.

Page 18: Building a Modern Risk Management Department Seminar

18

The Importance of Operational Risks

Recent experience makes it clear that risks other than credit and market risks can be substantial:

– Deregulation & globalisation of financial services

– Growing sophistication of financial technology

– Activities of Banks (& their risk profiles) more diverse & complex

•Life insurance & pension mis-selling (U.K.)

•Underwriting/research conflicts (U.S.)

•Madoff Ponzi Scheme (Global)

•“Moral Hazards” (Various)

•Satyam Computer (India)

•Barings (Singapore + U.K.)

•Enron & Worldcom (U.S.)

•9/11 (U.S.)

•Allfirst (Allied Irish) (Ireland)

•Parmalat (Italy)

Page 19: Building a Modern Risk Management Department Seminar

19

Whichever way you look, operationally we are becoming more complex and inter-dependent….

Technology

Concentration

Globalisation

Diversification

Business strategy

Statutory, Regulatory & Contractual

Economic, Cultural & Political

Partnering, alliances, outsourcing & joint ventures

Page 20: Building a Modern Risk Management Department Seminar

20

…resulting in greater focus on Operational Risk by financial services providers, government & others…

Financial Services (Banks, Insurance Companies, Fund Managers)
• Specialist Operational Risk functions
• Framework, policy, measurement and monitoring
• Capital allocation for operational risk – now happening
• Loss, event and near-miss data collection & analysis
• Extensive, ‘what if’, scenario analysis
• Business continuity testing and crisis management training
• Executive and Board Risk Committees

Others
• Reputation indices
• Rating Agencies
• Sustainability

Government
• Consumer protection
• Corporate Governance
• Basel II
• Standards & Guidelines

Page 21: Building a Modern Risk Management Department Seminar

21

DATA & TOOLS

Page 22: Building a Modern Risk Management Department Seminar

22

Operational Risk Tools

General use of:
• Self Assessments
• Key Risk Indicators
• Scenarios
• Loss Databases

Use of:
• Line of Business Mapping
• External Benchmarking
• Self Assessment / Audit Congruence

Page 23: Building a Modern Risk Management Department Seminar

23

SELF-ASSESSMENTS

Page 24: Building a Modern Risk Management Department Seminar

24

Risk and Control Self-Assessments are a key component of an Operational Risk Framework

[Diagram labels: Phase 1, Phase 2, Phase 3; Objective, Results, Controls]

Framing the Business Context
• Business Unit Scope
• Business Objectives
• Business Processes
• Business Process Maps (high-level)

Risk Identification
• Risk Events
• Potential Causes
• Potential Effects
• Key Controls
• Categorization

Risk Assessment
• Net Likelihood and Impact Assessment
• Control Effectiveness Assessment

Risk Response Strategy
• Risk tolerance
• Risk response decisions
• Initial mitigation strategy

Business Areas describe their objectives and processes
• Risk Management Committee reviews scope to ensure coverage
• QA sessions with RM Committee
• Senior Business Leader sign-off

Business Areas identify risks to business objectives and associated details

Business Areas assess identified risks
• QA sessions with Risk Management Committee
• Program Office facilitates cross unit risk identifications

Business Areas determine response strategies and mitigation plans
• Senior Business Leader sign-off of deliverables

Page 25: Building a Modern Risk Management Department Seminar

25

Self Assessments – How They are Used

• Business Units/Lines of Business

– Identify and mitigate operational risks
– Report control deficiencies and track their remediation
– Monitor changes in the control environment
– Assess the operational risk profile
– Manage operational risk
– Regulatory compliance
– Process reengineering

• Risk Quantification
– Qualitative adjustments to operational risk capital

Page 26: Building a Modern Risk Management Department Seminar

26

A strategy for risk response is determined for each risk

Mitigate: Risk is outside risk appetite and/or cost beneficial to mitigate

Reduce – Institute actions to create new controls, to improve control effectiveness, to re-engineer processes, etc.

Share – Share risk exposure through the purchase of insurance policies, etc.

Reject – End product or service offerings or cease execution of certain processes, thereby eliminating the associated risks

Monitor/Assess: Requires further research before a response decision is made

Accept: Risk is low or costs to further mitigate outweigh the risk

Page 27: Building a Modern Risk Management Department Seminar

27

Risk appetite highlights unacceptable risks

[Figure: HLOB Net Risk Map. Axes: Impact (in LYD 1,000), with ticks at LYD 1, 10, 100, 500, 1,000, 2,500, 5,000, 10,000, 50,000 and 100,000; Likelihood, with levels 10+ Times a Day, Once a Day, Once a Week, Once a Month, Once a Quarter, Once per 6 Months, Once per Year, One every 10 Years, One every 100 Years and > One every 100 Years. Risks numbered 01 to 12 are plotted on the map.]

Page 28: Building a Modern Risk Management Department Seminar

28

Revisit: Why Adopt an RCSA Program?

• Reduced losses and reputational damage - improved likelihood of achieving business objectives and greater business resilience

• Better business decisions based on strong risk management analytics

• Identification of potential opportunities for control reductions/efficiency improvements

• Effective board reporting, based on enterprise-wide aggregation of risks, comparative and trend analyses

• Increased risk awareness across the organization & better communication about risk

• Safety and soundness objectives

Page 29: Building a Modern Risk Management Department Seminar

29

But, many firms struggle to achieve the desired “return on investment” from RCSAs

• Business not engaged, low buy-in

• Cannot flexibly aggregate results

• Adds to already complex set of control review programs businesses must manage

• Does not produce strong data for management decision making

• Does not identify potential overinvestment in controls

• Sustained risk management culture not realized

Page 30: Building a Modern Risk Management Department Seminar

30

Key Risk Indicators (KRIs)

Page 31: Building a Modern Risk Management Department Seminar

31

What are Key Risk Indicators (KRIs)?

KRIs are a set of measures used to monitor risks and controls, and that are hopefully predictive of changes in the operational risk profile and/or the potential for operational events

Key objectives of KRIs include:

• Provide early warning signals

• Used to estimate levels of risk

• Designed to show risk level changes and trends

• Enable actions that prevent material loss or incident

• Used in escalation criteria for risk management

Page 32: Building a Modern Risk Management Department Seminar

32

Key Risk Indicators are a subset of overall business metrics

Key Risk Indicators

• Can be aligned with a process or risk event

• Typically viewed in a dashboard

• More frequent, predictive, and actionable in nature

Key Performance Indicators

• A broader set of indicators aligned with performance of a business unit or process

• Typically viewed in a scorecard

• Includes efficiency metrics (e.g., productivity)

Key Business Indicators

• Top level metrics associated with business performance (e.g., earnings per share, revenue growth, charge-offs, cost per account, etc.)

[Diagram labels: Key Business Indicators; Key Performance Indicators; Key Risk Indicators]

Page 33: Building a Modern Risk Management Department Seminar

33

Establishing Key Risk Indicators involves six major steps

1. Inventory Existing Metrics
2. Assess KRI Gaps
3. Design KRIs
4. Validate KRIs
5. Develop KRI Dashboard
6. Establish KRI Control Plan

Root Causes | Weighting | File receipt indicator (% received/sent) | CSM cancellation rate by product ($ per AOF) | Partner credit report (number by $ amount) | Days to credit metric (contact to credit)
File not received by BP | 20% | 9 | 1 | 1 | 1
Complete file not received by BP | 10% | 3 | 1 | 1 | 1
BP credits to wrong cardholder account | 30% | 0 | 1 | 9 | 0
BP credits incorrect amount | 30% | 0 | 3 | 9 | 1
Overall Rating | | 2.10 | 1.50 | 5.70 | 0.60

Potential Key Risk Indicators

What existing metrics could be potential KRIs?

How well do these existing metrics cover the risk drivers?

What new KRIs do I need to develop to address any gaps?

KRI Metric Name

Risk Event

Drivers: Cause; Control or Other

Reporting Frequency

Time Lag Between Data Collection & Reporting

Trigger Limits

Escalation Procedure

Owner

KRI Dashboard Recipients

Last Updated

How well do each of these KRIs correlate to the risk event?

What type of graphical report should I use to monitor these KRIs?

What actions do I need to take to implement this KRI?

[Chart: F10 Flowdown. Flowdown (0.00% to 4.00%) by Week Ending, with lines for the Mean and +1, +2, +3, -1, -2 and -3 Std Dev. 03/09/01-11/02/01: Mean = 1.85%, Std Dev = 0.57%. *As of the week ending 11/30/2001, Fraud is responsible for F10 flowdown.]

[Chart: “Chart Title”. Axes: 0 to 14; 0.0% to 40.0%.]

Page 34: Building a Modern Risk Management Department Seminar

34

How do I implement Key Risk Indicators in my area?

1. Identify your area of focus (process- or risk event-based)

• Risk events identified above your risk threshold

• Business processes with the highest risk exposure

2. Determine your project strategy for KRI implementation

• Stand-alone initiative

• Part of a larger business metrics redesign project

• A workstream as part of a risk mitigation project in that area

3. Identify appropriate resources and expand their KRI skills as needed

4. Leverage the KRI methodology to develop and validate your Key Risk Indicators

5. Change control: Periodically revisit your KRIs, trigger limits, and escalation procedures

Page 35: Building a Modern Risk Management Department Seminar

35

Event Collection

Page 36: Building a Modern Risk Management Department Seminar

36

Through the consistent categorization and analysis of these events we will increase our ability to prevent reoccurrences of operational events. Other benefits include:

• Identify “hot spots” where event frequency/impact exceed expected error rates

• Improve the accuracy of our self-assessments and subsequent allocation of resources to address these risks

• Quantify the potential benefits of risk reduction projects

• Provide a tool for sharing learning across the bank

• Support the modeling of capital held against operational risk

The goal is to improve the understanding of operational breakdowns and reduce their impact

Page 37: Building a Modern Risk Management Department Seminar

37

A thorough process collects detailed information about operational events, their causes, effects, and resolution to support analysis

Event Details

• Text Description of Event, including cause, effect, and actions taken to recover customers and process

• Business Areas affected

• Business Area responsible for event

• Process causing event

• Date(s) of occurrence, detection, resolution, containment, and date reported

Effects

• Financial effects tracked include the cost to fix, direct losses, impact to future revenue streams, and increased charge-offs

• Customer effects include the number of parties impacted, type of customer (applicant, customer, solicitee) and how they were affected

• Regulatory effects include the specific regulations that may have been impacted by event

Causes

• Standardized causes are tracked for each event

• Multiple contributing causes and 1 root cause are tracked

Resolution

• Detailed steps taken to recover the customers or money

• Detailed steps taken to recover the process

• Does not include long term mitigation.

Page 38: Building a Modern Risk Management Department Seminar

38

Key components of a data collection strategy:

• Determine responsibility for each risk category in each business area or staff function

• Provide interfaces to extract as much data as possible from production systems

• Many events will not be captured; provide for individual data entry

• Allow business area “approval” prior to release

• Set up G/L codes for each event type in each business area/function. Enforce usage

• Central op risk group reviews events, categorization and descriptions

• Events need to pass through loss database to get paid and get recorded in G/L

• Reconcile G/L to loss database to assure that no events bypassed the loss database

• Analyze the sources of events to learn from experience

• Provide access to the database to business areas/functions

• Provide regular reporting to the businesses and senior management

A data collection strategy needs resources and control

Page 39: Building a Modern Risk Management Department Seminar

39

Using External Data

Supplement internal data
• Fill in distributions for line of business and product type where insufficient data exists

As a direct input into the capital model

A source of information for building scenarios

Supports risk management in many ways:
• Risk identification
• Control assessments and development
• Planning and scenario analysis: if it has happened before elsewhere, it could happen to this firm

Note: Discussion today of the use of external data is necessary to understand the theory. External data is often not available in countries such as Libya.

Page 40: Building a Modern Risk Management Department Seminar

40

Scenario Analysis

Page 41: Building a Modern Risk Management Department Seminar

41

Scenario Analysis

Page 42: Building a Modern Risk Management Department Seminar

42

Expected Loss/Unexpected Loss

Stylized Representation of Risk Quantification

[Figure: distribution of aggregate losses. Axes: Probability; Aggregate Losses. Marked on the chart: Mean, 99.9%, EOL, UOL, Operational Risk Capital.]

Page 43: Building a Modern Risk Management Department Seminar

43

Expected Loss/Unexpected Loss

Expected Loss (EL)
• High frequency, low value events
• Data typically readily available at bank
• Banks view Expected Losses as a cost of business that must be managed
• Varying measures – ‘observed’ and statistical (mean, mode, median)
• Estimating EL is a part of the budgetary process
• EL is a meaningful number, but not usually significant when compared to unexpected losses

Unexpected Loss (UL)
• Low frequency, high value events – tail events
• Data typically not available internally
• Data must be supplemented (external data and/or scenario analysis)
• Largest losses will drive capital quantification process

Page 44: Building a Modern Risk Management Department Seminar

44

Payment Systems Risk

Page 45: Building a Modern Risk Management Department Seminar

45

Payment Systems Risk

• Most frequently:
– Cash
– Securities

• Flows
– One way
– Exchange of value
– Depositories

• Risks
– Finality
– Simultaneity
– Recoverability

• Complications
– Crossborder
– Cross time-zones
– Cross currencies
– Real time/Gross versus Net Settlement
– Physical vs. Clearing House/Electronic
– Central Counterparties

