
June event - Operational risk management - IT Career

Date post: 21-Nov-2014
Upload: friends4growth-group
Description:
The 2nd seminar of Friends4Growth in Ho Chi Minh City with Prof. Enoch Ch'ng from SMU - Singapore Management University.

Friends4Growth - Together We Grow

Friends4Growth is a group of young professionals who share a common passion to learn and grow in their careers through formal and informal educational opportunities. The group was founded by Vietnamese national Le Tran, a Wharton MBA Class of 2009. The Friends4Growth mission is as follows:

- Be a place for young professionals to exchange and enhance knowledge
- Bring educational opportunities to members by providing access to well-known professors, business leaders and industry experts
- Provide information on universities around the world to members who intend to study abroad
- Share experience in studying, job search, working and living outside Vietnam

To achieve its mission, the group organizes various monthly activities for its members, such as:

- Seminars on various industry topics, with the sponsorship of the Singapore Management University
- Coffee chats with experienced professionals from more developed economies
- Q&A sessions covering overseas life and work from seasoned experts

Website: www.friends4growth.com
Join us at: http://facebook.com/friends4growth and http://vn.linkedin.com/in/friends4growth
If you have any inquiry, please contact us at [email protected]
Transcript
Page 1: June event - Operational risk management - IT Career

Enoch CHNG

Associate Professor of Information Systems (Education) & Director, SIS Programs in Financial Services (TOPS)

School of Information Systems

Singapore Management University

What do financial institutions know about operational risk?

8/3/2012 1

Page 2: June event - Operational risk management - IT Career

Outline

• Learning from Mishaps

– Examples of Operational Failures in Financial Industry

– Lessons Learnt

• Defining Operational Risk

• Managing Operational Risk

– Assessment of Operational Risk – General Considerations

– Process Design and Mapping, Reliability Theory, etc

– Ops Risk and Total Quality Management (TQM)

• Basel III and Measurement of Operational Risk

• Concluding Remarks


Page 3: June event - Operational risk management - IT Career

Examples of Operational Failures in Finance

• Barings (Singapore, 1995)

• Sumitomo (New York, 1996)

• NatWest (London, 1997)

• LTCM (Greenwich, 1998)

• HIH Insurance (Sydney, 2000)

• Cantor Fitzgerald (New York, 2001)

• Allied Irish Bank (Baltimore, 2002)

• Mizuho (Tokyo, 2005)

• Société Générale (Paris, 2007)

• TD Ameritrade (January 2008)

• UBS rogue trader scandal (London, Sep 2011)

• JPM Hedge Loss (London, 2012)


Page 4: June event - Operational risk management - IT Career

Features of Mishaps

                    LTCM 1998           NatWest 1997     Sumitomo 1996      Barings 1995    ?
Loss (USD bn)       4.4                 0.2              2.6                1.3             ?
Loss in % cap       44%                 negligible       45%                100%            ?
Time to mishap      Fast                3 yrs            10 yrs             3 yrs           ?
Trigger             Market conditions   External audit   Mistaken sending   Margin call     ?

Loss events with a long time-lag usually require an additional external trigger event to make the losses apparent.

Page 5: June event - Operational risk management - IT Career

Rogue Trading

• Frequency and Severity

– Quite frequent and very severe.

• Where does it occur?

– US, Europe, Singapore, South America, …

– Far-flung branch office.

• Profile

– Relatively young or star traders.

– Gambling persona.

– Seemingly profitable business unit.

– Internal pressure to bring in high returns.

• Sequence of Events

– Usually starts small and very innocuous (cover up of an error), but then may continue for many years (while expanding) before being discovered.

– Warning signs are not heeded.

– Management inaction.

• How to avoid?

– Internal audits and controls (with separate lines of reporting), regular internal transfers, mandatory vacations, …


Page 6: June event - Operational risk management - IT Career

Human Error

• There are many examples of very common human errors (example in FX: USD-Euro vs Euro-USD trade).

• Frequency and Severity – quite often and severe.

• Important factors: Experience, Workload.

• How to avoid: Well designed information systems with error-correcting feedback, additional checking by independent people.

• Complexities in information system design:

– Requirements of having a real-time feed of market data. (Not easy, especially when the stock is very lightly traded or when trading is very volatile.)

– Information may have to be fed into a neural net in order to detect anomalies. The neural net has to provide feedback in real time.

Why does a human error much more often result in a loss rather than in a gain?


Page 8: June event - Operational risk management - IT Career

One Way of Looking at Risks in Banking

(Tree diagram.) Banking Risks: Market Risk, Credit Risk, Liquidity Risk, Operational Risk, Legal Risk, Reputational Risk.

Sub-categories shown in the diagram: Equity Risk, Interest Rate Risk, Currency Risk, Commodity Risk, Transaction Risk, Portfolio Concentration Risk, Trading Risk, Gap Risk, Issuer Risk, Counterparty Risk, Specific Risk, General Market Risk, Money Transfer Risk, Value Error Risk, Systems Risk, Clearance Risk, Model Risk.

Page 9: June event - Operational risk management - IT Career

Definition of Operational Risk

• Early work resorted to a negative definition of 'other risks' – all risks except credit, market and interest rate risk in the banking book.

• Latest definition:

– The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including those adversely affecting reputation, legal enforcement of contracts and claims.

– Excludes strategic, business and systemic risk. However, they are often captured simply as operational risk.

Operational Risk ≠ Total Risk – Market Risk – Credit Risk

Page 10: June event - Operational risk management - IT Career

Operational Risk Varies by Business Types


Page 11: June event - Operational risk management - IT Career

Causal Analysis and Risk Management

(Diagram.) Symptoms – Causally related events – Root cause events; Risk Mitigation – Risk Prevention.


Page 13: June event - Operational risk management - IT Career

Operational Risk Taxonomy

People: Internal Acts; Employment Practices & Workplace Safety (Employee Relations; Safe environment – workers & 3rd party; Diversity & discrimination)

Clients, Products and Business Practices

Processes: Execution, Delivery & Process Management

Systems: IT and Utilities

External Events: Damage to or Loss of Assets; External Acts

Page 14: June event - Operational risk management - IT Career

Basic Operational Risk Factors

• People risk

– Incompetency

– Fraud, …

• Process risk

– Model risk: model/methodology error; mark-to-model error, …

– Transaction risk: execution error; product complexity; booking error; settlement error; documentation/contract risk, …

– Operational control risk: exceeding limits; security risks; volume risks, …

• Technology risk

– System failure

– Programming error

– Information risk

– Telecommunication failure, …

Page 15: June event - Operational risk management - IT Career

Operational Risk Management

Objectives

• To generate a broader understanding of operational risk issues at all levels of the firm that touch on key areas of risk.

• To enable the organization to anticipate risks more effectively.

• To change behavior in order to reduce operational risk and to enhance the “culture of control” within the organization.

• To provide objective information so that services offered by the organization take account of operational risks.

• To provide support in ensuring that adequate due diligence is shown when carrying out mergers and acquisitions.

• To provide objective measurements of performance.

• To avoid potential catastrophic losses.

“Must Have” Elements

• An agreed conceptual framework that provides:

– a definition of operational risk;

– identification of the key components of operational risk;

– the role and responsibilities of the function;

– its organizational fit within risk management and the firm as a whole;

– its operating principle;

– its approach to measurement; and its approach to reporting results.

• A systems and data architecture that provides timely, comprehensive and consistent information for decision taking and risk evaluation.

• The resources, i.e. management and people.

• The necessary tools, e.g. techniques for measurement.


Page 16: June event - Operational risk management - IT Career

Framework (giving a view both backwards and forwards)


Page 17: June event - Operational risk management - IT Career

Three Lines of Defense Model

3rd Line of Defense – Independent Assurance

Area: Internal/External Audit
Purpose: Provide independent challenge & assurance
Role: Provide independent assurance on key controls and reporting & overall or policy framework
(The audit function will challenge the key processes employed by the business.)

2nd Line of Defense – Governance & Oversight

Area: Established committee structures and reporting
Purpose: OR Policies Endorsed; OR Framework & Reporting Built
Role: Provide the infrastructure and the analysis to aid oversight and challenge in respect of OR policies, framework and reporting

Area: OR Managers
Purpose: Oversight & Challenge
Role: Provide oversight & challenge; Provide expert advice
(The Ops risk function acts as overall owner of OR policy and control assurance processes.)

1st Line of Defense – Manage OR

Area: The Business / Front Line
Purpose: Establish a suitable risk & control environment. Test key controls
Role: Identify risks and improvement actions, Implement controls, Reporting on progress/incidents
(The business is responsible for day to day risk management, and testing of controls (Sox).)

Page 18: June event - Operational risk management - IT Career

Potential Risk/Failure Points in Insurance

(Diagram.) Covered Losses + Fraudulent Losses + Processing Errors → Total Losses; Policy Premium + Processing Errors → Total Premium; Standard Expenses + Fraudulent Expenses → Total Expenses; Processing Errors + Underwriting Errors → Financial Statements; Pricing; Regulatory / Rating Agency Capital Models.

The significant sources of operational risk are implicitly included in regulatory and rating agency capital models.

Page 19: June event - Operational risk management - IT Career

Sequential Activities and their Relationship to Reliability Theory

• When a number of activities in a product have to be done in series, the “survival” probabilities have to be multiplied.

– Assume 3 activities in series, each having a probability of 0.9 of being done correctly. The probability of the entire product being done correctly is

0.9 x 0.9 x 0.9 ≈ 0.73

• Example

– Independent Verification

o Independent verification of all activities reduces probabilities of errors and potential fraud.

What is optimal redundancy?

– Parallel Checking (Independent)

o If an activity has a 0.1 probability of error, an independent verification with the same probability of error reduces the overall error rate to 0.01.

o If the parallel activity is negatively correlated with the first activity, then overall error rate is even lower; if it is positively correlated with the first activity, then it is higher than 0.01.
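The series and parallel figures above, carried through in code as an added example (not from the slides). It also puts a simple cost model on the “what is optimal redundancy?” question; the loss and per-check cost figures used there are constructed, and the correlated-checker case uses the standard Bernoulli-correlation identity that the slide only states in words.

```python
"""Series reliability, parallel checking and optimal redundancy.

Added illustration of the slide's reliability-theory figures, not code from the
talk. The 0.9 and 0.1 figures are the slide's; loss and check-cost figures in
the usage section are constructed.
"""
from math import sqrt


def series_success(p_correct):
    """Probability that every activity in a series chain is done correctly.

    Survival probabilities multiply: three 0.9 activities give 0.9**3 = 0.729,
    which the slide rounds to 0.73.
    """
    prob = 1.0
    for p in p_correct:
        if not 0.0 <= p <= 1.0:
            raise ValueError("probability out of range: %r" % (p,))
        prob *= p
    return prob


def parallel_error(p_primary, p_check, rho=0.0):
    """Probability that an error gets past the primary activity AND a parallel check.

    Each activity is a Bernoulli error indicator and rho is the correlation
    between the two indicators (rho = 0 is the slide's independent case):
        P(both err) = p1*p2 + rho*sqrt(p1*(1-p1)*p2*(1-p2))
    A negative rho (the checker tends to catch what the primary misses) pushes
    the joint error rate below p1*p2; a positive rho pushes it above.
    """
    joint = p_primary * p_check + rho * sqrt(
        p_primary * (1 - p_primary) * p_check * (1 - p_check))
    # Not every rho is achievable for given marginals: the joint probability
    # must stay within the Frechet bounds for two Bernoulli variables.
    lower = max(0.0, p_primary + p_check - 1.0)
    upper = min(p_primary, p_check)
    if joint < lower - 1e-12 or joint > upper + 1e-12:
        raise ValueError("correlation %r infeasible for these error rates" % (rho,))
    return min(max(joint, lower), upper)


def optimal_checks(p_error, loss_if_missed, cost_per_check, max_checks=10):
    """'What is optimal redundancy?' for equal, independent checks.

    With k independent checks the residual error rate is p_error**(k+1), so
    expected cost is loss_if_missed*residual + k*cost_per_check. Returns the
    k in 0..max_checks that minimises it. Assumption (a simplification of the
    slide's point): every check is independent and costs the same.
    """
    def expected_cost(k):
        return loss_if_missed * p_error ** (k + 1) + k * cost_per_check

    return min(range(max_checks + 1), key=expected_cost)


if __name__ == "__main__":
    print("three 0.9 steps in series:", round(series_success([0.9] * 3), 3))
    print("0.1 primary + independent 0.1 check:", round(parallel_error(0.1, 0.1), 4))
    print("same check, rho = +0.5:", round(parallel_error(0.1, 0.1, 0.5), 4))
    print("same check, rho = -0.1:", round(parallel_error(0.1, 0.1, -0.1), 4))
    # Constructed figures: a missed error costs 1,000,000; each check costs 500.
    print("optimal number of checks:", optimal_checks(0.1, 1_000_000, 500))
```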


Page 20: June event - Operational risk management - IT Career

Why TQM or 6-Sigma?

Size of Operation

• Bank of America has to process daily approximately 30,000,000 checks. The number of checks not processed correctly is less than 100.

• A major investment bank in NY processes daily approximately 10,000 Forex trades. The number of trades with minor errors is less than 100. The number of trades with a medium-size error is less than 1.

– Note: each trade may be subject to a number of amendments or exceptions

Learning from Other Industries

• From the Manufacturing industry:

– Shingo systems (Poka-yoke systems)

– Statistical Process Control (SPC)

– Deming’s 14 points

• From the Aviation industry:

– Near-Miss reporting systems

– Checklists

• From the Health Care Industry:

– Second opinions

– Knowledge system software


Page 21: June event - Operational risk management - IT Career

Variations/Variability

• Process variability is inevitable

– Human variability

– Machine or System variability

• How much variability is too much?

– Assignable variations

o Can be traced to a specific reason

o Should be eliminated

– Natural or random variations

o Form a pattern that can be described as a distribution

o We say that the process is “in control” when there are only natural variations

                          In control      Not in control
Assume process is OK      OK              Type II error
Take corrective action    Type I error    OK

Page 22: June event - Operational risk management - IT Career

Specification Limits vs. Performance Limits

(Four diagrams comparing the performance distribution with the specification limits: An Undesirable Situation; A Very Undesirable Situation; A Vulnerable Situation; A Very Desirable Situation.)


Page 24: June event - Operational risk management - IT Career

How is Operational Risk Measured?

• Quantitative Approach (too rigid; relevancy?)

– Statistical

– Historical

– Internal/External Failures

– Monte Carlo Simulation

• Qualitative Approach (too judgmental; no reference points)

– Based on self-assessments

• Either approach on its own does not tell the whole story

Page 25: June event - Operational risk management - IT Career

Basel III – Operational Risk

• Basic Indicator Approach (BIA)

– The operational risk capital charge under BIA is calculated as a fixed percentage of the average over the previous three years of positive annual Gross Income (GI).

– Percentage is currently set at 15%

• Standardized Approach (SA)

– Banks' activities are divided into 8 Business lines (Corporate Finance, Trading, Retail Banking, etc.)

– Each Business line has its own GI; again we look at the GIs over the last three years.

– The capital charge for each business line is multiplied by a factor that is specified for that business line.

– Factor for each business line is somewhere between 12 and 18%.

• Advanced Measurement Approaches (AMA)

– the Internal Measurement Approach (IMA)

– the Score Card Approach (SCA)

– the Loss Distribution Approach (LDA)
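The BIA and SA calculations described above, as an added example (not the talk's own code). The 15% alpha and the 12–18% beta range are from the slide; the per-line betas are the published Basel II values, the positive-year rule for BIA and the per-year zero floor for SA follow the Basel II text, and the gross-income figures are constructed.

```python
"""Basel operational-risk capital charge: Basic Indicator and Standardised Approach.

Added illustration of the two formulas the slide describes, not the talk's own
code. The 15% alpha and the 12-18% beta range are from the slide; the per-line
betas are the published Basel II values; the gross-income figures are constructed.
"""

BIA_ALPHA = 0.15

# Basel II Standardised Approach betas per business line. The slide names only
# three of the eight lines and gives the 12-18% range, not these values.
SA_BETAS = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}


def bia_charge(annual_gross_income, alpha=BIA_ALPHA):
    """Basic Indicator Approach: alpha x average positive annual GI, last 3 years.

    Years with zero or negative GI are dropped from both numerator and
    denominator, so a loss-making year does not dilute the charge toward zero.
    """
    positive = [gi for gi in annual_gross_income[-3:] if gi > 0]
    if not positive:
        return 0.0
    return alpha * sum(positive) / len(positive)


def sa_charge(gi_by_line_per_year, betas=SA_BETAS):
    """Standardised Approach over the last three years.

    Per year: sum beta_j x GI_j across business lines; a negative line can
    offset positive ones within the year, but a negative yearly total is
    floored at zero. The charge is the plain three-year average of the totals.
    """
    years = gi_by_line_per_year[-3:]
    if len(years) != 3:
        raise ValueError("need gross income for three years")
    yearly_totals = []
    for year in years:
        unknown = set(year) - set(betas)
        if unknown:
            raise KeyError("no beta for business line(s): %s" % sorted(unknown))
        total = sum(betas[line] * gi for line, gi in year.items())
        yearly_totals.append(max(total, 0.0))
    return sum(yearly_totals) / 3.0


# Constructed gross income (millions) for three years and three business lines.
SAMPLE_YEARS = [
    {"corporate_finance": 100.0, "retail_banking": 200.0, "trading_and_sales": 50.0},
    {"corporate_finance": -300.0, "retail_banking": 100.0, "trading_and_sales": 50.0},
    {"corporate_finance": 100.0, "retail_banking": 100.0, "trading_and_sales": 100.0},
]


def sample_charges():
    """BIA on firm-wide GI versus SA by business line on the same figures."""
    firm_wide = [sum(year.values()) for year in SAMPLE_YEARS]  # 350, -150, 300
    return bia_charge(firm_wide), sa_charge(SAMPLE_YEARS)


if __name__ == "__main__":
    bia, sa = sample_charges()
    print("BIA charge: %.2f   SA charge: %.2f" % (bia, sa))
```

The second constructed year has negative firm-wide GI, so BIA averages only the other two years, while SA nets the loss-making line against the others within that year and floors the year at zero.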


Page 26: June event - Operational risk management - IT Career

Basel III Specific Criteria

• Supervisory guidelines have been established for the Advanced Measurement Approach governing 33 principles in 4 separate categories. Supervisors will assess banks against each of these guidelines.

Governance

1. Roles and responsibilities

2. Board of Director oversight

3. Appropriate resources

4. Independent function

5. Risk and Exposure reporting

6. LOB responsibility

7. LOB alignment with firm-wide policy

8. Firm-wide policies and procedures

Data & Reporting

9. Firm-wide exposure reporting

10. Senior management reporting

11. Internal controls minimum standards

12. Data sufficiency

13. Definition

14. Collection and modification standards

15. Loss history time series

16. Data mapping

17. Loss data capture policy

Data & Reporting (cont’d)

18. External loss data policy

19. Management review of external data

20. Thresholds

21. Boundaries

Environment

22. Business environment and control factors

23. Comparison of loss experience

24. Scenario analysis policy

Capital Measurement

25. Analysis framework

26. Documented assumptions

27. Calculated elements

28. Treatment of EL

29. Diversification / correlation assumptions

30. Insurance offset

31. Data management

32. Verification

33. Independent testing

Page 27: June event - Operational risk management - IT Career

Variables In Foreign Exchange Trade

Stage I (Before order Match or Broker Verification): 1. Elapsed Time; 2. Historical Volatility; 3. Deviation from Average Volatility; 4. Mark-to-Market; 5. Trader Error Ratio; 6. Client Sensitivity; 7. Sales Error Ratio

Stage II (Before Financial Confirmation): 1. Elapsed Time; 2. Historical Volatility; 3. Deviation from Average Volatility; 4. Mark-to-Market; 5. Trader Error Ratio; 6. Client Sensitivity; 7. Regulatory Risk; 8. Execution Method; 9. Client Operating Infrastructure; 10. Incoming Confirm Method; 11. Outgoing Confirm Method; 12. Outgoing Conf Delay/Elapsed Time; 13. Internal Credit Rating; 14. Sales Error Ratio

Stage III (Before Settlement Confirmation): 1. Notional; 2. Potential OD Rates; 3. Master Agreement (Provisions for Netting); 4. Mark-to-Market; 5. Fail Recovery Time; 6. Client Sensitivity; 7. Regulatory Risk; 8. Liquidity Risk; 9. Client Operating Infrastructure; 10. Country Operating Infrastructure; 11. Operator Stage II; 12. Product Complexity; 13. Time to Settlement Cutoff; 14. Payment Instruction Precedence

Stage IV (Before Value Date) (open trade): 1. Notional; 2. Payment Instruction Precedence; 3. Potential OD rates; 4. Mark-to-Market; 5. Fail Recovery Time; 6. Client Sensitivity; 7. Regulatory Risk; 8. Liquidity Risk; 9. Client Operation Infrastructure; 10. Country Operating Infrastructure; 11. Operator Stage I; 12. Operator Stage III Approver; 13. Master Agreement

Stage V (Before Terms Confirmation): 1. Elapsed Time; 2. Historical Volatility; 3. Deviation from Average Volatility; 4. Mark-to-Market; 5. Trader Error Ratio; 6. Client Sensitivity; 7. Sales Error Ratio; 8. Outgoing Confirm Method; 9. Template Precedence; 10. Incoming Confirm Method; 11. Product Complexity; 12. Master Agreement Operator State II

Page 28: June event - Operational risk management - IT Career

From Tools for Risk Analysis to OpVaR

(Flow diagram; boxes in reading order.) Exposure Base (EIs); Internal Loss History; Industry Loss History; Scenario Analysis; Projected Loss Rates; OpVaR; Actual Loss Rates; Calculation of Actual PEs & LGEs; Calculation of OpVaR; RAROC; Reporting; Key Risk Drivers (KRDs); OpVaR Report; Calculation of Actual PEs & LGEs; Stress Scenario


Page 30: June event - Operational risk management - IT Career

OpRisk Management and Related Disciplines

(Diagram, with Operational Risk Management at the centre.) Audit; Operations Management; Facilities Management; Total Quality Management; Financial Risk Management; Insurance; Contingency Planning; Risk Processes & Organization; Internal Control; Reliability Engineering; Actuarial Loss Model; Statistical Process Control

Page 31: June event - Operational risk management - IT Career

Proper Design of Incentive Systems

• Incentives for the company

– if company knows that risky assets will be sold there is less of an incentive to assess the risk carefully

• Incentives for employees

– immediate bonuses for the employee versus long term risk for the company


Page 32: June event - Operational risk management - IT Career

Black Swan Events − Mitigants

• Not exposing oneself to large losses.

– For instance, only buying options (so one can at most lose the premium), not selling them.

• Performing sensitivity analysis on assumptions

– This does not eliminate the risk, but identifies which assumptions are key to conclusions, and thus meriting close scrutiny.

• Scenario analysis and stress testing

– These are widely used in industry; they do not include unforeseen events, but emphasize various possibilities and what one stands to lose, so one is not blinded by absence of losses thus far.

• Using non-probabilistic decision techniques

– While most classical decision theory is based on probabilistic techniques of expected value or expected utility, alternatives exist which do not require assumptions about the probabilities of various outcomes, and are thus robust. These include minimax, minimax regret, and info-gap decision theory.


Page 33: June event - Operational risk management - IT Career

Operational Risk Management Framework

Management Agenda
• Purpose & objectives
• Value proposition
• Risk “appetite,” culture
• Basel II

Understanding Operational Risk
• Operational Risk Taxonomy
• Key Risks and Trends

Best Practices/Standards
• Policies & guidelines
• Industry standards
• Regulatory standards

Operational Risk Methodologies
• Business Continuity Management
• Technology Risk Assessment
• Preventive, Detective Controls, Risk Mitigation
• Control Self Assessment
• Risk Measurement/Quantification Methods

Organisation Structure
• Oversight structure
• Roles & responsibilities

Management Information System
• ORM system architecture

Unified Risk Management Process

Page 34: June event - Operational risk management - IT Career

THE END

Enoch CHNG

Office: Rm 4003, SIS Phone: +65 68085155 Email: [email protected]
