Thesis

  1. Mastère Spécialisé en Management des Systèmes d'Information & Technologies
     Specialised Master in Management Information and Technology
     MSIT 2003

     Professional Thesis
     Information System Environment for the Operational Risk Management

     BNP Paribas Corporate and Investment Banking
     Information Technologies and Operations

     HEC - Hautes Etudes Commerciales
     Ecole des Mines de Paris

     Chi-Pheng Chung
  2. Information System Environment for the Operational Risk Management

     EXECUTIVE SUMMARY ... 4
       SUBJECT ... 4
       STRUCTURE ... 4
       SUMMARY ... 4
     1. BASEL CAPITAL ACCORD PRESENTATION ... 7
       HISTORY OF THE BASEL CAPITAL STANDARDS ... 7
       WHY UPGRADING? ... 7
       OBJECTIVES OF THE NEW ACCORD ... 8
       STRUCTURE ... 9
       BASEL 2 PRACTICAL ISSUES ... 10
     3. OPERATIONAL RISK MEASUREMENT METHODOLOGIES ... 12
       DEFINITION OF OPERATIONAL RISK ... 12
       THE MEASUREMENT METHODOLOGIES ... 12
       1. THE BASIC INDICATOR APPROACH ... 13
       2. THE STANDARDISED APPROACH ... 14
          THE ALTERNATIVE STANDARDISED APPROACH ... 16
       3. ADVANCED MEASUREMENT APPROACH (AMA) ... 18
          (I) QUALITATIVE STANDARDS ... 18
          (II) QUANTITATIVE STANDARDS ... 19
               AMA soundness standard ... 19
               Detailed criteria ... 19
               Internal data ... 20
               External data ... 21
               Scenario analysis ... 21
               Business environment and internal control factors ... 21
          (III) RISK MITIGATION ... 22
          (IV) SUMMARY ... 23
               Key Characteristics ... 23
               Implementation ... 24
               Challenges ... 24
               Benefits ... 24
               Conclusion ... 25
     4. CASE STUDY: OPERATIONAL RISK AT BNP PARIBAS-CIB CORE BUSINESS ... 26
       BNP PARIBAS IN BRIEF (AS OF THE 31ST DECEMBER 2002) ... 26

     Information System Environment for the Operational Risk Management -Professional Thesis MSIT 2003- 2/40
  3.   THE SITUATION ... 28
       PART 1 ... 29
          GUIDELINES ... 29
       PART 2 ... 30
       PART 3 (EXTRA) ... 31
     ANSWERS ... 32
       PART 1 ... 32
          OPERATIONAL RISK CONSTRAINTS ... 32
          OPERATIONAL RISK PROCESS ... 32
          AMA METHOD ... 33
          STAKES ... 33
       PART 2 ... 34
          BENCHMARK SUMMARY ... 34
          WHAT SORT OF REPORTING DATA BASE TO DEPLOY? ... 35
               Database ... 35
               Key information ... 36
               Future Optimisation/ Enhancement ... 37
               Technical Difficulties ... 37
          OPERATIONAL RISK GLOBAL POLICY ... 37
          HOW TO BRING EVERYONE TO FOLLOW THE POLICY? ... 38
          HOW TO CONVINCE? ... 38
       PART 3 (EXTRA) ... 38
     CONCLUSION ... 39
     REFERENCES ... 40
     ANNEX ... 41
  4. EXECUTIVE SUMMARY

     SUBJECT
     This case study is about the Operational Risk historical incident loss data at the BNP Paribas Corporate and Investment Banking-CIB core business.

     STRUCTURE
     This paper first presents an overall summary of the Basel 2 accord from a regulatory point of view, then from the industry one. Secondly, Operational Risk is treated the same way: the regulatory aspect, then the industrial one. Thirdly, the focus is on the capital calculation methods, and particularly on the Advanced Measurement Approach, which includes the historical incident loss data base. Finally, the case study starts and evolves around this very data base and the way BNP Paribas Corporate and Investment Banking-CIB core business manages it.

     SUMMARY
     The entire debate here is about capital. Banks want to keep this reserve of inactive money as low as possible. Meanwhile, regulators want to make sure that unexpected losses won't bring banks to their knees and, in turn, the whole economy. The Basel 1988 Accord is not a strategic or competitive risk management advantage; it is a regulatory measure impacting all the major banks world-wide. It is intended to set sufficient capital aside to cover unexpected losses that may arise from credit or market activities. Eventually, it will be replaced by the Basel 2 Accord, also known as the McDonough ratio. Its purpose is the same as its predecessor's. However, the performance of credit risk models was so high that it enabled banks to lower their capital. In order to sustain a significant level of capital, regulators introduced a new type of risk, the Operational Risk.
  5. Introduction

     A bank is no different from any other company, in the sense that in the event of a bankruptcy, it should be able to pay back government taxes, suppliers, customers, employees and any other third parties involved. Investments in physical assets such as properties are often used to ensure that in such cases, these can be sold in order to honour debts. However, before reaching such a dramatic stage, a reserve of cash, also called capital, is used as a buffer. So, in the case of a severe computer attack disrupting all banking operations, this capital is immediately at hand to rebuild whatever was damaged, restart the activities and allow the bank to continue living, which in turn implies work for employees, stability in the economy to a certain extent and so on. Indeed, what are the odds of a successful severe computer attack? How much is at stake? In one word, what are the risks? Notice also that this particular case is in no way related to core business activities. Therefore, bad investments, for instance, would not come under this category of risk, the Operational Risk. In more general terms, it is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

     However, the capital allocated to risks was first normalised for the banking industry with the 1998 Basel Accord. The way to calculate the risk over capital ratio, the Cooke ratio, mainly takes into account credit and market risk capitalisation. Nowadays, in the light of an energy trading company financial scandal and the terrorist attacks on a major market place, coupled with the reduction in risk capitalisation through elaborate risk models, there is a speed-up in the process to update this accord to Basel 2. The new McDonough ratio, which is eventually to replace the Cooke ratio, adds operational risk and allows different calculation methods for different risks. As has been the case for market risk since 1996, credit and operational risk can be evaluated with a basic indicator, a standardised or an advanced approach on the different business lines of the bank. Also, this new accord is based on 3 pillars: the Minimum Capital Requirement, the Supervisory Review Process and Market Discipline.
  6. In this report we will first explain what sort of banking groups are affected by the New Basel Accord and what the views of the industry are. Secondly, we will focus on the operational risk aspect, once again first regulatory-wise and then industry-wise. The third part describes the calculation methods and focuses on the Advanced Measurement Approach. Finally, we will see an example of the historical incident data base in a major European bank and the information that can be extracted from this base.
  7. 1. BASEL CAPITAL ACCORD PRESENTATION

     HISTORY OF THE BASEL CAPITAL STANDARDS
     The driving force for the 1988 Basel Capital Accord was the concern of the Governors of the G10 Central Banks that the capital of the world's major banks had become dangerously low after persistent erosion through competition and the Latin American debt crisis. The 1988 Accord established minimum levels of capital that helped to strengthen the soundness and stability of the international banking system and enhanced competitive equality among internationally active banks. The merits of the Accord were widely recognised and during the 1990s it became an accepted world standard, with well over 100 countries applying the Basel framework to their banking system. As a result, the two objectives of adequate capital levels and the creation of a "more level playing field" were achieved.

     WHY UPGRADING?
     Since the implementation of the 1988 Accord and later amendments, capital ratios of nearly all internationally active banks have increased substantially, thus reinforcing the solidity of the international banking system. The widespread adoption in many countries fostered competitive equality. However, the financial world has evolved significantly during the past ten years, to the point where a bank's capital ratio, calculated using the current Accord, may not always be a good indicator of its financial condition. The current risk weighting of assets results, at best, in a crude measure of economic risk, primarily because degrees of credit risk exposure are not sufficiently calibrated to differentiate adequately between borrowers' differing default risks. For example, a loan to a corporate borrower rated AAA would attract the same regulatory capital of 8% as a loan to a borrower rated BB, regardless of the obviously very different default risk indicated by the rating. Top quality loans require relatively high capital underpinning. Therefore, from a return-on-capital point of view, it has become less lucrative to hold such low risk assets. It is because of this and other business and technical reasons that there was a need for an upgrade to the New Basel Capital Accord.
  8. The new accord will apply to internationally active banks. "Banks" means the whole banking group; it includes entities at various levels, such as the parent or holding company, and also subsidiaries with significant participation.

     OBJECTIVES OF THE NEW ACCORD
     • Continue to promote safety and soundness in the financial system. The new framework should at least maintain the current overall level of capital in the system.
     • Continue to enhance competitive equality.
     • To constitute a more comprehensive approach to addressing risks.
     • To contain capital approaches that are appropriately sensitive to the degree of risk involved in a bank's positions and activities.
     • To focus on internationally active banks, although its underlying principles should be suitable for application to banks of varying levels of complexity and sophistication.
  9. STRUCTURE

     Three Basic

     1) Minimum Capital Requirements
        How capital adequacy is measured:
        Total capital / (Credit risk + Market risk + Operational risk) = Capital ratio
        Approaches to measure Credit risk
          • Standardised Approach (a modified version of the existing approach, considering external ratings)
          • Internal Rating Based Approach
              • Foundation Approach
              • Advanced Approach
        Approaches to measure Market risk (unchanged 1996 amendment)
          • Standardised Approach
          • Internal Models Approach
        Approaches to measure Operational risk
          • Basic Indicator Approach
          • Standardised Approach
          • Advanced Measurement Approach

     2) Supervisory Review Process
        Supervisors are responsible for evaluating banks' internal processes, which are:
          • Board and Senior Management oversight
          • Sound capital assessment (current/future strategic capital planning)
          • Comprehensive assessment of risks

     3) Market Discipline
        Disclosure requirements and recommendations (Disclosure Rules)
          • Structure of capital
          • Risk exposures and assessment
          • Credit risk, market risk, operational risk
          • Explanation of grading systems
          • Details on industry sectors, counterpart types, maturity distribution, amount of impaired loans, allowance for credit losses, provisions
          • Organisation of credit risk management function and definitions
          • Break down of portfolio by ratings (internal or external) for each segment
          • Probability of default estimates for each rating category
          • Ex-post performance as an indication of quality and reliability of system
          • Credit risk mitigation techniques, treatment of collateral
  10. BASEL 2 PRACTICAL ISSUES

      A change in international rules on bank capital is inevitable. Most banks, at least in Europe, seem resigned to this, even though for some it will mean big increases in capital requirements. However, Basel 2 will not take effect before January 2007.

      In France, 82% of the banks see Basel 2 as a regulatory constraint, versus 73% for the rest of Europe. Meanwhile, they do not exclude the fact that it is an opportunity to implement better risk management. This point of view is also shared by 87% of banks from ten countries in Europe. Also, 57% of them are expecting a change in their competitive position, half of whom anticipate modifying their product portfolio.

      The average impact seems acceptable: a decrease in charges for many classes of credit risk, offset by a totally new charge for operational risk. That leaves the overall minimum regulatory capital in the banking system about the same as now. In addition, national regulators will be expected to add more charges to keep their banks well above the minimum.

      But the devil is in the detail. Hardly any bank represents the average. Many banks specialising in areas such as Securities Custody and Asset Management will be heavily impacted. On the other hand, banks that focus on retail and small business lending may see their capital charges fall by 20%. However, it is agreed by the industry that Basel 2, compared to the previous accord, is taking banks' regulatory capital closer to "economic capital", the theoretically ideal cushion against unexpected losses.

      Criticism is rising, though. Some fear that the process is too difficult to put in place and too expensive to make any economic sense except for the biggest banks, while others claim that it does not go far enough and does not allow evolving techniques to get closer to economic capital. There is another ambiguous point, the discretion given to national regulators. The Basel Committee is spending as much time co-ordinating its own supervisors as it is with banks.
  11. A first example is between America and Europe. There would be only ten American banks concerned by Basel 2, with an extra ten adopting the regime on a voluntary basis, while the rest would still follow the simpler previous accord, with a few local enhancements. Across the Atlantic, the European Union is committed to writing Basel 2 into EU law and therefore to applying it to all banks or investment firms regardless of size and scope.

      Another example of inconsistency is within Europe. The discretion of the national regulators may give them plenty of scope to favour their national champions. Within the Euro area, they might even try to use their powers as an instrument of macro-economic policy. Deprived of the means to modify interest or exchange rates, these supervisors may be tempted to exercise selective flexibility.

      The third consultative document issued by the Basel Committee has not yet produced a definite accord. Lobbying from banks is still trying to bias the final version in their favour. The Committee includes thirteen different countries, including France, Germany, Japan, Switzerland, the United Kingdom and the United States, and standing on common ground will not be an easy task.
  12. 3. OPERATIONAL RISK MEASUREMENT METHODOLOGIES

      DEFINITION OF OPERATIONAL RISK
      Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

      The measurement methodologies
      There are three methods for calculating operational risk capital charges. Their level of sophistication is related to their risk sensitivity:
      1. Basic Indicator Approach;
      2. Standardised Approach;
         Alternative Standardised Approach
      3. Advanced Measurement Approach (AMA).

      Banks are encouraged to use the appropriate approach as they develop more sophisticated operational risk measurement systems and practices. A bank will be permitted to use the Basic Indicator or Standardised Approach for some parts of its operations and the Advanced Measurement Approach for others, provided certain minimum criteria are met. However, a bank will not be allowed to choose to revert to a simpler approach once it has been approved for a more advanced approach without supervisory approval. In addition, if a supervisor determines that a bank, using a more advanced approach, no longer meets the qualifying criteria for this approach, it may require the bank to revert to a simpler approach for some or all of its operations, until it meets the conditions specified by the supervisor for returning to a more advanced approach.
  13. 1. THE BASIC INDICATOR APPROACH

      Banks using the Basic Indicator Approach must hold capital for operational risk equal to a fixed percentage (denoted alpha) of average annual gross income over the previous three years. The charge may be expressed as follows:

      $K_{BIA} = GI \times \alpha$

      Where:
      $K_{BIA}$ = the capital charge under the Basic Indicator Approach
      $GI$ = average annual gross income over the previous three years
      $\alpha$ = 15%, which is set by the Committee, relating the industry wide level of required capital to the industry wide level of the indicator.

      Gross income is defined as net interest income plus net non-interest income. It is intended that this measure:
      (i) Should be gross of any provisions (e.g. for unpaid interest);
      (ii) Exclude realised profits/losses from the sale of securities in the banking book;
      (iii) Exclude extraordinary or irregular items as well as income derived from insurance.

      As a point of entry for capital calculation, there are no specific criteria for the use of the Basic Indicator Approach. Nevertheless, banks using this approach are encouraged to comply with the Committee's guidance on Sound Practices for the Management and Supervision of Operational Risk, February 2003.
  14. 2. THE STANDARDISED APPROACH

      In the Standardised Approach, banks' activities are divided into eight business lines, each of which is assigned a beta (β) factor:
      1- Corporate Finance: 18%
      2- Trading and Sales: 18%
      3- Retail Banking: 12%
      4- Commercial Banking: 15%
      5- Payment and Settlement: 18%
      6- Agency Services: 15%
      7- Asset Management: 12%
      8- Retail Brokerage: 12%

      Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations and thus the likely scale of operational risk exposure within each of these business lines. The capital charge for each business line is calculated by multiplying gross income by a beta factor assigned to that business line. Beta serves as a proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line. It should be noted that in the Standardised Approach gross income is measured for each business line, not the whole institution, i.e. in Corporate Finance, the indicator is the gross income generated in the Corporate Finance business line.

      The total capital charge is calculated as the simple sum of the regulatory capital charges across each one of the business lines. The total capital charge may be expressed as:

      $K_{TSA} = \sum (GI_{1-8} \times \beta_{1-8})$

      Where:
      $K_{TSA}$ = the capital charge under the Standardised Approach
  15. $GI_{1-8}$ = the average annual level of gross income over the past three years, as defined above in the Basic Indicator Approach, for each of the eight business lines
      $\beta_{1-8}$ = a fixed percentage, set by the Committee, relating the level of required capital to the level of the gross income for each of the eight business lines.
  16. The Alternative Standardised Approach

      The alternative standardised approach (ASA) is intended for banks that cannot make a complete distinction between their business lines, as requested in the standard approach. It is up to the discretion of the national authority, which can choose to allow a bank to use the ASA, provided the bank is able to satisfy its supervisor that this alternative approach provides an improved basis by, for example, avoiding double counting of risks.

      Under the ASA, the operational risk capital charge/methodology is the same as for the Standardised Approach except for two business lines: Retail Banking and Commercial Banking. For these business lines, loans and advances, multiplied by a fixed factor "m", replace gross income as the exposure indicator. The betas for Retail and Commercial Banking are unchanged from the Standardised Approach. The ASA operational risk capital charge for Retail Banking (with the same basic formula for Commercial Banking) can be expressed as:

      $K_{RB} = \beta_{RB} \times m \times LA_{RB}$

      Where:
      $K_{RB}$ is the capital charge for the Retail Banking business line
      $\beta_{RB}$ is the beta for the Retail Banking business line
      $LA_{RB}$ is total outstanding retail loans and advances (non-risk weighted and gross of provisions), averaged over the past three years
      $m$ is 0.035

      For the purposes of the ASA, total loans and advances in the Retail Banking business line consists of the total drawn amounts in the following credit portfolios: Retail, SMEs treated as Retail, and Purchased Retail Receivables. For Commercial Banking, total loans and advances consists of the drawn amounts in the following credit portfolios: Corporate, Sovereign, Bank, Specialised Lending, SMEs treated as Corporate and Purchased Corporate Receivables. The book value of securities held in the banking book should also be included.
  17. Under the ASA, banks may aggregate Retail and Commercial Banking (if they wish to) using a beta of 15%. Similarly, those banks that are unable to disaggregate their gross income into the other six business lines can aggregate the total gross income for these six business lines using a beta of 18%. As under the Standardised Approach, the total capital charge for the ASA is calculated as the simple sum of the regulatory capital charges across each of the eight business lines.
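The three formulas above ($K_{BIA}$, $K_{TSA}$ and the ASA charge) worked through for one bank, as an added example that is not part of the thesis. The alpha, beta and m values are the ones quoted above; the bank's figures (EUR millions) and all function names are constructed for illustration.

```python
from decimal import Decimal as D

ALPHA = D("0.15")   # Basic Indicator Approach percentage
M = D("0.035")      # ASA factor applied to loans and advances
BETAS = {           # Standardised Approach beta per business line
    "Corporate Finance": D("0.18"),
    "Trading and Sales": D("0.18"),
    "Retail Banking": D("0.12"),
    "Commercial Banking": D("0.15"),
    "Payment and Settlement": D("0.18"),
    "Agency Services": D("0.15"),
    "Asset Management": D("0.12"),
    "Retail Brokerage": D("0.12"),
}
ASA_LINES = ("Retail Banking", "Commercial Banking")
BETA_OTHER_SIX_AGGREGATED = D("0.18")


def average_3y(values):
    """Average of exactly three annual figures."""
    values = list(values)
    if len(values) != 3:
        raise ValueError("three annual figures are required")
    return sum(values, D(0)) / D(3)


def check_lines(gi_by_line):
    """Refuse input that does not cover exactly the eight business lines."""
    if set(gi_by_line) != set(BETAS):
        raise ValueError("gross income must be given for exactly the eight business lines")
    if any(len(years) != 3 for years in gi_by_line.values()):
        raise ValueError("each business line needs three annual figures")


def k_bia(gi_by_line):
    """K_BIA = GI x alpha, GI being whole-bank gross income averaged over three years."""
    check_lines(gi_by_line)
    yearly_totals = [sum(year, D(0)) for year in zip(*gi_by_line.values())]
    return average_3y(yearly_totals) * ALPHA


def k_tsa(gi_by_line):
    """K_TSA = sum of GI_i x beta_i over the eight lines. Returns (per_line, total)."""
    check_lines(gi_by_line)
    per_line = {line: average_3y(gi) * BETAS[line] for line, gi in gi_by_line.items()}
    return per_line, sum(per_line.values(), D(0))


def k_asa(gi_by_line, loans_by_line, aggregate_other_six=False):
    """ASA: Retail and Commercial Banking use beta x m x LA; the other six lines keep
    GI x beta or, when they cannot be disaggregated, total gross income x 18%."""
    check_lines(gi_by_line)
    per_line = {line: BETAS[line] * M * average_3y(loans_by_line[line]) for line in ASA_LINES}
    others = [line for line in BETAS if line not in ASA_LINES]
    if aggregate_other_six:
        total_gi = sum((average_3y(gi_by_line[line]) for line in others), D(0))
        per_line["Other six lines (aggregated)"] = total_gi * BETA_OTHER_SIX_AGGREGATED
    else:
        for line in others:
            per_line[line] = average_3y(gi_by_line[line]) * BETAS[line]
    return per_line, sum(per_line.values(), D(0))


# Constructed sample bank: three years of gross income per line, EUR millions.
SAMPLE_GI = {
    "Corporate Finance": [D(90), D(100), D(110)],
    "Trading and Sales": [D(190), D(200), D(210)],
    "Retail Banking": [D(300), D(300), D(300)],
    "Commercial Banking": [D(200), D(200), D(200)],
    "Payment and Settlement": [D(50), D(50), D(50)],
    "Agency Services": [D(40), D(40), D(40)],
    "Asset Management": [D(100), D(100), D(100)],
    "Retail Brokerage": [D(50), D(50), D(50)],
}
# Constructed outstanding loans and advances for the two ASA lines.
SAMPLE_LOANS = {
    "Retail Banking": [D(7500), D(8000), D(8500)],
    "Commercial Banking": [D(5000), D(5000), D(5000)],
}

if __name__ == "__main__":
    print("BIA:", k_bia(SAMPLE_GI))
    print("TSA:", k_tsa(SAMPLE_GI)[1])
    print("ASA:", k_asa(SAMPLE_GI, SAMPLE_LOANS)[1])
    print("ASA, other six aggregated:", k_asa(SAMPLE_GI, SAMPLE_LOANS, True)[1])
```

For this constructed bank the charge falls from the Basic Indicator to the Standardised Approach and again under the ASA, while aggregating the six remaining lines at 18% raises it above all three.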
  18. 3. ADVANCED MEASUREMENT APPROACH (AMA)

      (i) Qualitative standards
      A bank must meet the following qualitative standards before it is permitted to use an AMA for operational risk capital:
      a) Independent Operational Risk Management Function responsible for the design and implementation of the bank's Operational Risk Management framework.
      b) The bank's internal operational risk measurement system must be closely integrated into the day-to-day risk management processes. For instance, this information must play a prominent role in risk reporting, management reporting, internal capital allocation, and risk analysis. The bank must have techniques for allocating operational risk capital to major business lines and for creating incentives to improve the management of Operational Risk throughout the firm.
      c) There must be regular reporting of operational risk exposures and loss experience to business unit management, Senior Management, and to the Board Of Directors.
      d) The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system.
      e) Auditors must perform regular reviews of the operational risk management processes and measurement systems and of the independent operational risk management function.
      f) The validation of the operational risk measurement system by external auditors and/or supervisory authorities must include the following:
         • Verifying that the internal validation processes are operating in a satisfactory manner.
         • Making sure that auditors and supervisory authorities are in a position to have easy access
  19. (ii) Quantitative standards

      AMA soundness standard
      The Committee is not specifying the approach used to generate the operational risk measure, but it must be able to demonstrate that its approach captures potentially severe tail loss events. Banks must have and maintain rigorous procedures for operational risk model development and independent model validation. The Committee will review progress in regard to operational risk approaches by the end of 2006.

      Detailed criteria
      This section describes quantitative standards that will apply to internally-generated operational risk measures:
      1) Supervisors will require the sum of expected loss (EL) and unexpected loss (UL). That is, to base the minimum regulatory capital requirement on UL alone, the bank must be able to demonstrate to the satisfaction of its national supervisor that it has measured and accounted for its EL exposure.
      2) Measurement system must be sufficiently granular to capture the major drivers of operational risk affecting the shape of the tail of the loss estimates.
      3) Risk measures for different operational risk estimates must be added for purposes of calculating the regulatory minimum capital requirement. However, the bank may be permitted to use internally determined correlations in operational risk losses. The bank must validate its correlation assumptions.
      4) Measurement system key features: These elements must include the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems. A bank needs to have a credible, transparent, well-documented and verifiable process.
  20. 20. Internal data
Internal loss event data can be tracked as the foundation of empirical risk estimates, as a means of validating the inputs and outputs of the bank's risk measurement system, or as the link between loss experience and risk management and control decisions. Banks must have documented procedures for assessing the on-going relevance of historical loss data. Risk measures must be based on a minimum five-year observation period. However, when first implementing the AMA, a three-year historical data window is acceptable.
To qualify for regulatory capital purposes, a bank's internal loss collection processes must meet the following standards:
• To assist in supervisory validation
• Capture all material activities and exposures from all appropriate sub-systems and geographic locations.
• A bank should collect information about gross loss amounts, the date of the event, any recoveries of gross loss amounts, as well as some descriptive information about the drivers or causes of the loss event.
• A bank must develop specific criteria for assigning loss data arising from an event in a centralised function.
Operational risk losses that are related to credit risk and have historically been included in banks' credit risk databases (e.g. collateral management failures) will continue to be treated as credit risk for the purposes of calculating minimum regulatory capital under the New Accord. Therefore, such losses will not be subject to the operational risk capital charge. Nevertheless, for the purposes of their internal operational risk databases, banks must record all operational risk losses consistent with the scope of the definition of operational risk. Any losses related to credit risk must then also be separately identified (e.g. flagged) as such within their internal operational risk databases.
  21. 21. External data
The measurement system must use relevant external data.
Scenario analysis
A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high severity events. Over time, such assessments need to be validated and re-assessed through comparison to actual loss experience to ensure their reasonableness.
Direct losses from events or accidents are measured by statistical means. However, indirect losses, such as unrealised revenues stemming from the bad reputation caused by an exposed employee fraud, cannot be measured in the same way. There are no objective data on these indirect losses. In this case, it is necessary to use Scenario Analysis based on assumptions about how often these indirect losses occur and how severe they are.
In addition, some events or accidents do not always occur according to loss history. Where the loss experience of peer banks suggests that such events could occur, these potential losses can be measured by Scenario Analysis.
Business environment and internal control factors
In addition to using loss data, a bank's risk assessment methodology must capture key business environment and internal control factors. The use of these factors must meet the following standards:
• The factors should be translatable into quantitative measures that lend themselves to verification.
• The various factors need to be well reasoned.
• The framework and each instance of its application must be documented and subject to independent review within the bank and by supervisors.
• Over time the process needs to be validated through comparison to actual internal loss experience and relevant external data, and appropriate adjustments made.
  22. 22. (iii) Risk mitigation
The recognition of insurance mitigation will be limited to 20% of the total operational risk capital charge. A bank’s ability to take advantage of such risk mitigation will depend on compliance with the following criteria:
• The insurance provider has a minimum claims paying ability rating of A.
• The insurance policy must have an initial term of no less than one year.
• The insurance policy has a minimum notice period for cancellation and non-renewal of the contract.
• The insurance policy has no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed bank.
• The insurance coverage has been explicitly mapped to the actual operational risk loss exposure of the institution.
• The insurance is provided by a third party entity.
• The framework for recognising insurance is well reasoned and documented.
• The bank discloses the reduction of the operational risk capital charge due to insurance.
A bank’s methodology for recognising insurance under the AMA also needs to capture the following elements through discounts in the amount of insurance recognition:
• The residual term of a policy, when less than one year, as noted above.
• A policy’s cancellation and non-renewal terms.
• The uncertainty of payment as well as mismatches in coverage of insurance policies.
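The quantitative standards (EL plus UL, tail capture) and the 20% insurance limit can be tied together in a small loss-distribution simulation. This is an added example, not code from the thesis or from the Basel Committee: the Poisson frequency, lognormal severity, 99.9% confidence level, parameter values and the linear residual-term haircut are all assumptions chosen for illustration.

```python
"""Loss-distribution sketch of an AMA capital figure (all modelling choices are assumptions)."""
import math
import random

INSURANCE_CAP = 0.20  # from the text: recognition limited to 20% of the capital charge


def simulate_annual_losses(years, freq_lambda, sev_mu, sev_sigma, seed=2003):
    """Return one aggregate loss per simulated year.

    Assumed model: Poisson(freq_lambda) events per year, lognormal severities.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        # Count Poisson arrivals within one year via exponential inter-arrival times.
        count, clock = 0, rng.expovariate(freq_lambda)
        while clock < 1.0:
            count += 1
            clock += rng.expovariate(freq_lambda)
        totals.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(count)))
    return totals


def analytic_el(freq_lambda, sev_mu, sev_sigma):
    """Closed-form expected annual loss for the assumed model (sanity check)."""
    return freq_lambda * math.exp(sev_mu + sev_sigma ** 2 / 2)


def el_and_ul(annual_losses, confidence=0.999):
    """Expected loss is the mean; unexpected loss is the tail quantile minus the mean."""
    ordered = sorted(annual_losses)
    el = sum(ordered) / len(ordered)
    idx = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return el, ordered[idx] - el


def capital_charge(el, ul, el_accounted_for=False):
    """EL + UL by default; UL alone only when the bank has shown its
    supervisor that EL is measured and accounted for."""
    return ul if el_accounted_for else el + ul


def recognised_insurance(capital, policy_limit, residual_months, payout_certainty=1.0):
    """Insurance offset after discounts, capped at 20% of the capital charge.

    Assumed haircuts: linear in residual term below 12 months, and a
    multiplicative factor for payment uncertainty or coverage mismatch.
    """
    term_factor = min(max(residual_months, 0), 12) / 12.0
    discounted = policy_limit * term_factor * payout_certainty
    return min(discounted, INSURANCE_CAP * capital)


if __name__ == "__main__":
    losses = simulate_annual_losses(10_000, 20, 10.0, 1.5)
    el, ul = el_and_ul(losses)
    gross = capital_charge(el, ul)
    offset = recognised_insurance(gross, policy_limit=gross, residual_months=9)
    print(f"EL={el:,.0f} UL={ul:,.0f} capital={gross:,.0f} insurance offset={offset:,.0f}")
```

A policy whose discounted value exceeds the cap is recognised only up to 20% of the charge, so extra cover beyond that point changes economic protection but not regulatory capital.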
  23. 23. (iv) Summary
Key Characteristics
This approach is the method of capital calculation that has the greatest potential to come closest to economic capital.
• Risk Sensitive:
− Low risk activities require less capital for operational risk.
− Capital reflects operational risks for size and scope of bank’s activities:
  − Banks with low risk business or less activity need less capital for operational risk.
  − Banks with better controlled environments require less capital for operational risk.
  − Banks with well developed risk mitigation hold less capital for operational risk.
• Flexible:
− Own methodologies reflective of their business.
− Use a combination of internal/external data, and scenario analysis to determine capital.
− Capital allocation can be integrated into scorecards, risk indicators, warning systems and audit scores used to measure and monitor operational risk.
• Rewards investment in better control environments:
− Actions that reduce losses also reduce capital.
− Actions that reduce the likelihood or severity of extreme events can reduce capital.
− Actions that mitigate risk can reduce capital.
• Results in Appropriate Capital:
− AMA is not a capital tax.
− Capital allocation changes with risk profile of organization.
− Capital allocation changes as industry improves the measuring, monitoring, and mitigation of operational risk.
  24. 24. Implementation
• Internal statistical model is the basis for calculating Operational Risk exposure and capital charge.
• Four Components of an AMA:
− Operational Loss Data (Internal/External).
− Scenarios.
− Risk Self Assessments.
− Key Risk Indicators.
Challenges
• Greater complexity / resource commitment than exposure indicator approaches:
− Numerous modeling issues / decisions need to be made by bank:
  − Incorporation of external data.
  − Appropriate distributional assumptions.
  − Incorporation of risk mitigation.
  − Scenario Analysis.
− Qualitative assessments require improved rigor.
− Identification of risk indicators that highly correlate with operational losses.
• Combine quantitative techniques and qualitative factors into a comprehensive methodology.
Benefits
• Banks investing in AMA methodology are already seeing benefits:
− Reduce both expected losses and volatility of earnings.
− Measuring losses allows identification of causal factors for operating losses.
− Provides framework for addressing extreme outcomes.
− Allows comparison of investment in controls, investment in technology, investment in insurance, or self insuring with capital.
  25. 25. − Reduces distortions in decision making and performance evaluation from omitting capital for operational risk.
Conclusion
• Exposure indicator approaches are relatively easy to implement but lack risk focus and proper incentive structure.
• AMA requires additional effort but reinforces banks’ existing risk management objectives, practices and results in a more accurate allocation of capital:
− Risk-sensitive.
− Flexible.
− Rewards investment in controls / reducing op risk.
− Well integrated with banks’ existing risk management processes.
− Not a capital tax.
  26. 26. 4. CASE STUDY: OPERATIONAL RISK AT BNP PARIBAS-CIB CORE BUSINESS
• BNP Paribas in brief
• The situation
• Answers
BNP PARIBAS IN BRIEF (AS OF THE 31ST DECEMBER 2002)
• The most profitable bank in the Euro zone, in terms of net income
• A net banking income of Euro 16,8 billion, down 3,8%, and an operating result down 10,4% in comparison to 2001.
• A return on equity of 13,5% and income ratio of 65,2%
• BNP Paribas posted net income of Euro 2,83 billion in 2002
• With a presence in 87 countries, BNP Paribas has a staff of 87 700 employees, including 66 000 in Europe
BNP Paribas' top core businesses, with their respective share of the total net banking income, are as follows:
Corporate Investment and Banking: 30%
BNP Paribas is one of the largest Corporate and Investment Banks of European origin and has a strong presence in Paris and London. The Group is ranked number one in several market segments in Europe and Asia and also has a very strong franchise in the United States. The depth and breadth of its international network allows the Group to satisfy the needs of multinationals, financial institutions, governments and investors throughout the world.
Net Banking Income: Euro 5.146 Billion
Employees: 12.300
  27. 27. Case Study: Operational Risk at BNP Paribas, BNP Paribas in Brief
Private Banking and Asset Management: 13%
Present world-wide, it is a core business under rapid expansion. It groups together five core businesses that collect, manage and increase clients' assets and wealth, combining them with services. The Private Banking, Asset Management, Insurance, Securities Services and Real Estate métiers are business lines whose markets have high potential and for which the division has strong development ambitions. With more than 8,000 employees, the division is positioned amongst the top French, European and world-wide players.
Net Banking Income: Euro 2.209 Billion
Employees: 10.300
French Retail Banking: 57%
With a network of 2300 branches across France and new distribution channels offering both electronic and telephone services, BNP PARIBAS distributes banking products and services to 6 million clients and one-third of all French small businesses. It is also a leader in Visa bank cards, a leader in online banking and a leader in private banking (as part of a joint venture with Private Banking and Asset Management). It also includes Investment Retail Banking and Special Finance Services among its most profitable divisions.
Net Banking Income: Euro 9.549 Billion
Employees: 59.800
  28. 28. THE SITUATION
You have just found a new job. You were in ‘Group Risk Management’ for Credit Risk. Your job was to perform an ultimate check on files in order to validate corporate loans. You were also aware that the New Basel Accord started its rounds of talks last week. However, you have just received a phone call from ‘Group Human Resources’ asking you to set up an Operational Risk cell in Paris for the Corporate Banking and Investment core business. It is the first time you have ever heard about such a risk, but you decide that it is a new challenge and take up the position. Here you are, packing and on your way to your new office.
You will report directly to the head of Information Technology and Operations of the Corporate Banking and Investments core business. You will also be co-ordinating the workflow among all the business lines and the Group Risk Management - Operational Risk department.
  29. 29. PART 1
After only a week in this new building, you have kept yourself informed of the new regulations. You are asked to give a presentation about Operational Risk to your direct boss and to all the heads of the business lines. The content is sent to you by GRM-OR by email, in text format.
Give a 10-minute presentation that credibly explains why Operational Risk should be taken seriously by the bank and why the AMA calculation method is more suitable than the others.
Guidelines
“Hi,
Here are the main topics you should address in your presentation.
1) Operational Risk’s Management Constraints: regulatory, technical and budgetary constraints, strategic orientations, software application and business needs
2) Operational Risk Process: Communication, Organisation, Measure Analysis and business processes
3) AMA method
4) Stakes:
Respect of regulatory requirements
Standardisation of incident management
Reporting to the highest management
Decrease in annual losses
Minimising regulatory capital, Optimising the economic capital
Regards.”
  30. 30. PART 2
The presentation is done and some of the attendees are more convinced than others. Typically, the businesses related to trade were already aware of this type of risk and were considering it, whereas the other businesses are still sceptical about it.
You receive an email from GRM-OR. It explains that one of the components, the historical database, will have to gather incidents for 3 years. So there is no time to waste and you decide to present an implementation plan for this database. You ask yourself these questions:
a) Make a summary of the benchmark for Operational Risk (Annex). Focus on the work done so far and on the strategy about the methodology, organisation, authority and historical database.
b) What sort of reporting database to deploy?
1) Quick first or long elaborated?
2) What is the key reporting information? From the database? For the reports?
3) What are the future optimisations?
4) What about the technical difficulties? Different servers around the world, no internet connection everywhere.
c) A global policy: it is a good idea to communicate the different Operational Risk procedures to everyone, but what to mention? And how to suit specific needs?
d) How to convince everyone to report incidents? What about the reluctant ones?
  31. 31. PART 3 (EXTRA)
You have now designed a basic framework of the topics to be included in an Operational Risk Report. You gathered opinions from different staff working on the same subject. They made a few comments but they all broadly agreed on the format. This framework was also validated by your direct superior, who is the Head of some 3000 IT people around the world. He agreed with the central operational risk management to ‘lend’ them a few IT teams, so that they could develop their own solutions. However, these teams would still be under their original department’s control.
When you took up your position, 6 months ago, you informed the central operational risk management that you would draft a typical reporting tool. It would be a preliminary analysis of the incidents recorded in the database. It would eventually be programmed, so that with a simple click, tables and graphs would be made available in no time to any authorised staff, whether or not trained in database queries.
You receive a reply from the central operational risk management telling you that all their IT teams are booked for other purposes. You thought that you could do it yourself, but they have not even decided which development tool to use, while they were providing reports for one of your sub-departments in a remote territory.
In any case, it means that the reporting still needs to be done manually, which takes a few days and is not fool-proof. There is also a question of staff: who would agree to perform such a detailed, sensitive and repetitive duty? Meanwhile, you need to set up committees based on this reporting to inform the Heads of territories and departments about their incidents.
What would you do about the development of this report?
  32. 32. ANSWERS
PART 1
Operational Risk Constraints
[Diagram: Operational Risk Management Constraints: Regulatory, Strategic Orientations, Business Needs, Technical, Budgetary, Software Solutions]
Operational Risk Process Management
Communication: Efficient communication about priorities and risk assessments
Organisation: Define a central management and an organisation to take decisions in line with the global policy and business risks
Measure & risk Analysis: Define methods/tools to identify risks from the top and business levels
Business Processes Operations: Integrate risk assessment in business processes
  33. 33. AMA Method
[Diagram: the Advanced Measurement Approach draws on Historical Data (External Loss Data, Internal Loss Data), Forward Looking Data (Scenario Analysis, Business Environment and Internal Control Factors) and Insurance]
Stakes
Respect of regulatory requirements
Standardisation of incident management
Reporting to the highest management
Decrease in annual losses
Minimising regulatory capital, Optimising the economic capital
  34. 34. PART 2
Benchmark summary
Barclays Bank PLC
• Barclays has virtually completed the formulation of sound operational risk policies, procedures and practices throughout the bank.
• Barclays has decided to outsource some activities: the ones considered uneconomic and which do not add value to its client relationships, such as cheque and mortgage processing.
• Selecting which risks to retain and which to outsource or insure
Deutsche Bank AG
• Operational risk framework has been developed.
• Deutsche Bank has developed a matrix structure for operational risk management, involving both divisional and regional operational risk officers.
• The bank is using internal data for the higher frequency events; however, for the lower-frequency high-impact events it is using external, publicly available industry data
• Risk-reward relationship
HSBC Holdings plc
• Given its size and diversity, HSBC Group has adopted strong controls.
• Each business unit is responsible for determining its own approach to risk management.
• Reporting to senior management. This is underpinned by internal audit investigations and recommendations, to which line management is required to produce and implement appropriate action plans.
• Companies and business lines within the Group are given the flexibility
ING Bank N.V.
• ING Bank has set up operational risk committees (ORCs) in all regions and major countries, and is extending this concept to the remaining business units. These ORCs, chaired by General Management, are responsible for monitoring operational risks and ensuring that appropriate actions are taken.
  35. 35. Lloyds TSB Bank Plc
• The loss database has now been designed and will be implemented during the first quarter of 2004.
• Uniform methodology
• Responsibility of the individual business units.
Swedbank (ForeningsSparbanken)
• In early 2000, the group set up a dedicated Group Operational Risk department composed of four people.
• Enable the bank to move from quarterly to real-time reporting above SEK50,000 for approximately two years. Track record of eight years of loss data collection. Going forward, the group plans to expand its data collection to "near misses", which are currently only collected on an ad hoc basis.
• The group’s data categorisation is in line with the approach suggested by the British Bankers Association (BBA): a risk profile is created for each business unit based on four fundamental risk elements (personnel, processes, systems, and external events).
What sort of reporting database to deploy?
Database
At BNP Paribas, the quick solution was chosen. The argument put forward was that incident reporting was given priority. There was no time to waste in gathering incidents in order to comply with the regulatory 3-year incident history. The tool currently in place can reach every user of the internal electronic mail system. It is the most common application after the Intranet. A migration to a web-based reporting tool is being rolled out.
Currently, the database is polluted by information that is not always consistent, and efforts are being made to change these behaviours. Improvements to the reporting tool are currently being developed. The strategy for new version releases is questionable and rarely reaches a consensus, but is still pushed by the centralised unit.
  36. 36. Key information
Database information:
• Incidence / Discovery / Creation date
• Status (In Process / Submitted for Approval / Approved)
• Type (Gain / Loss / Near Miss / Opportunity Cost / Undetermined)
• Estimated / Final / Impacted Amount
• Event, Cause
• Business / Country
Reporting information:
0°/ Summary - P&L impact: give a quick idea of the incident situation
1°/ Dates
− Monthly trend per type of date: make sure the required delays are respected
− Late reports and late approvals: highlight troublesome incidents
2°/ Incident Types: identify potential loss situations
3°/ Amounts
− Estimated amounts versus Final amounts: potential financial losses
− "Loss amounts" by size: low frequency-high impact incident analysis
4°/ Events and Causes: why did it happen? Is it recurrent? How to prevent it? Are the action plans effective?
5°/ P&L Approach
− Losses and Gains by Activities/Territory: Amount lost to date
6°/ Operational Risk Approach (incidents < 15k€)
− Small incidents by Activity & Territory: identify concentration of incidents
− Near-Misses split by activities: identify potential losses
  37. 37. 7°/ No incident reported
− List of Business Lines and Territories with no incident declared: give hints about the ones not following the global policy
8°/ Incidents mapping
− "Activities / Territories" concentration
− Causes & Events mapping by Activities/Territories
9°/ Loss allocation Matrix: which back/front office pays the bill
Future Optimisation / Enhancement
• Cross-functionality: Need to gather information of the same user and the related transactions Jurisdiction
• Human: Estimation input as correct value to calculate the right capital
• Processes: Map the internal process controls with the database incidents
• Overall: Better incident management, therefore risk capital closer to economic capital.
Technical Difficulties
The countries affected by slow or non-existent internet are extremely few. Generally, the activities that take place there are backed up on a bigger platform elsewhere. Incident reporting takes the form of a simple Excel sheet with required fields set by Group Risk Management - Operational Risk (GRM-OR). The sheets are sent on a daily or weekly basis.
Operational Risk Global Policy
The global policy is decided in the centralised Operational Risk department, GRM-OR, with strong interactions with all the businesses. It then sets a common set of rules in line with the regulations. It includes:
• Process to enter incidents
• Process for validation
  38. 38. • Incident reporting threshold
• Required delays
• Explanation of tools vocabulary
• What is an incident suitable to input
• Role of different actors in the reporting process (e.g. correspondent makes sure of the consistency of the data)
Also, in order to suit every business line's needs, the global policy sets minimum criteria. It is then up to the businesses to customise them to match their own needs. E.g. the reporting threshold is set at €20.000 in the global policy, but corporate banking set it at €15.000.
How to bring everyone to follow the policy?
Financial incentives to input incidents? No. The Operational Risk correspondents are the most senior staff (e.g. Secretary General) in the territories. They are in charge of communicating and putting in place the global policy. They use a top-down approach.
How to convince?
It is a regulatory requirement to set aside capital. If it can be proven that the incident management is good enough and the inherent risk well identified, then financial contributions for the capital from the business line will be lowered.
PART 3 (EXTRA)
This dispute involved the Heads of these 2 departments. However, it is still going on as this paper is being written. A solution that might be taken is to develop the tool internally within the CIB department. However, this would bypass the co-ordination purpose of the central operational risk management.
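The database fields, the report list and the threshold rule from the global policy described in the answers above can be exercised on a small register. This is an added example, not BNP Paribas code: the incident records, the "Fixed Income" business line, the 30-day reporting delay and the consistency rules are constructed assumptions, while the status and type vocabularies and the €20.000 / €15.000 thresholds come from the text.

```python
"""Consistency checks and four of the listed reports over a constructed incident register."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

STATUSES = {"In Process", "Submitted for Approval", "Approved"}            # from the text
TYPES = {"Gain", "Loss", "Near Miss", "Opportunity Cost", "Undetermined"}  # from the text
GLOBAL_THRESHOLD_EUR = 20_000                            # global policy figure from the text
BUSINESS_THRESHOLDS_EUR = {"Corporate Banking": 15_000}  # customisation from the text
MAX_REPORTING_DELAY_DAYS = 30                            # assumption: the text gives no figure


@dataclass
class Incident:
    ref: str
    business: str
    country: str
    inc_type: str
    status: str
    incidence: date
    discovery: date
    creation: date
    estimated_eur: float
    final_eur: Optional[float]
    event: str
    cause: str


def threshold_for(business):
    """Assumed reading of the policy: a business may lower the global threshold, never raise it."""
    return min(GLOBAL_THRESHOLD_EUR, BUSINESS_THRESHOLDS_EUR.get(business, GLOBAL_THRESHOLD_EUR))


def consistency_errors(inc):
    """Checks a correspondent could run before approval (the rule set is an assumption)."""
    errors = []
    if inc.status not in STATUSES:
        errors.append("unknown status")
    if inc.inc_type not in TYPES:
        errors.append("unknown type")
    if not inc.incidence <= inc.discovery <= inc.creation:
        errors.append("dates out of order")
    if inc.status == "Approved" and inc.final_eur is None:
        errors.append("approved without final amount")
    if not (inc.event and inc.cause):
        errors.append("missing event or cause")
    return errors


def late_reports(incidents):
    """Report 1: incidents entered too long after discovery."""
    return [i.ref for i in incidents
            if (i.creation - i.discovery).days > MAX_REPORTING_DELAY_DAYS]


def estimate_drift(incidents):
    """Report 3: final minus estimated amount for losses that have a final amount."""
    return {i.ref: i.final_eur - i.estimated_eur
            for i in incidents if i.inc_type == "Loss" and i.final_eur is not None}


def small_incident_concentration(incidents):
    """Report 6: count of below-threshold losses per (business, country)."""
    counts = Counter()
    for i in incidents:
        amount = i.final_eur if i.final_eur is not None else i.estimated_eur
        if i.inc_type == "Loss" and amount < threshold_for(i.business):
            counts[(i.business, i.country)] += 1
    return counts


def silent_units(incidents, expected_units):
    """Report 7: business/territory pairs that declared no incident at all."""
    return sorted(set(expected_units) - {(i.business, i.country) for i in incidents})


# Constructed sample data: references, amounts, dates and "Fixed Income" are invented.
REGISTER = [
    Incident("INC-001", "Corporate Banking", "FR", "Loss", "Approved",
             date(2003, 1, 10), date(2003, 1, 12), date(2003, 1, 15),
             12_000, 14_500, "Settlement error", "Manual input"),
    Incident("INC-002", "Corporate Banking", "UK", "Loss", "Approved",
             date(2003, 2, 1), date(2003, 2, 3), date(2003, 4, 20),
             40_000, 55_000, "External fraud", "Forged instruction"),
    Incident("INC-003", "Fixed Income", "FR", "Near Miss", "In Process",
             date(2003, 3, 5), date(2003, 3, 5), date(2003, 3, 6),
             0, None, "System outage", "Failed batch"),
    Incident("INC-004", "Fixed Income", "UK", "Loss", "Validated",
             date(2003, 5, 10), date(2003, 5, 8), date(2003, 5, 12),
             18_000, None, "Pricing error", ""),
]
EXPECTED_UNITS = [("Corporate Banking", "FR"), ("Corporate Banking", "UK"),
                  ("Fixed Income", "FR"), ("Fixed Income", "UK"), ("Fixed Income", "US")]

if __name__ == "__main__":
    for inc in REGISTER:
        print(inc.ref, consistency_errors(inc) or "ok")
    print("late:", late_reports(REGISTER))
    print("drift:", estimate_drift(REGISTER))
    print("small:", dict(small_incident_concentration(REGISTER)))
    print("silent:", silent_units(REGISTER, EXPECTED_UNITS))
```

Running the consistency check at entry time addresses the inconsistent records the answer complains about, and the silent-units report turns "no incident declared" into a list that a correspondent can follow up.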
  39. 39. CONCLUSION
This paper mainly treats the functional aspects of reporting dedicated to Operational Risk Management. It presents a summary of the regulatory requirements, opinions from external points of view and their application in a leading French bank.
Within the AMA, the historical database is the first of the 4 components to be in place. It is the most tangible and therefore the most practical one to assign explicit requirements to. For the others, there is still a strong need to identify their specifications, validate them group-wide, find a common ground and develop reporting tools to eventually integrate all of them together in order to have a sound operational risk management system.
Finally and above all, the accord has not even been finalised yet. All the planning still depends on last-minute changes. Many discussions around the AMA are still taking place. However, the main framework has been set up. The delay added by these extra talks is indeed precious time for banks to enhance their existing systems and plans.
From an information system point of view, the most interesting aspects are how, or what sort of, applications will be developed for the 4 AMA components individually and, in turn, how they will all be integrated together to form a single application handling extremely varied types of data and interconnecting them following different processes.
  41. 41. ANNEX
Barclays Bank PLC
Barclays Bank is making significant efforts to improve its risk culture and reduce the level of losses resulting from operational risks. We believe the actions being taken could lead to an enhancement in the quality and stability of earnings. Barclays' publicly stated aim is to achieve top quartile total shareholder return (TSR) on a sustained basis. In practice, this has in recent years required a return on economic capital of about 14%. Risk appetite is defined through a Board of Directors’ statement, with standards for managing risk and Key Risk Indicators reviewed by a board committee. The bank identifies four principal types of risk: credit; market; A&L, liquidity and pricing risk; and other risks, which include operational, legal, tax and compliance.
During 2002, Barclays re-organised and upgraded its risk function, and appointed a new Group Risk Director. With regard to development of operational risk management, Barclays has virtually completed the formulation of sound operational risk policies, procedures and practices throughout the bank. Improvements are being made to the systems and reporting infrastructure. With regard to extreme risks that could potentially have a high impact upon the bank, but which by their very nature have a low probability of occurring, Barclays has implemented an early warning management information system (involving key performance and key risk indicators, traffic light and dash board systems, and escalation mechanisms). Areas for further consideration include data integrity, together with improvements in interpretation and perception, particularly with regard to holistic risk processes.
The bank has begun the process of enhancing the efficiency and effectiveness of operational risk management. In response to Pillar 1 of Basel 2, Barclays has decided to adopt the advanced measurement approach (AMA).
This should lead to a lower regulatory capital requirement; however, the bank has yet to fully evaluate expected gains. Barclays has decided to outsource activities, such as cheque and mortgage processing, which are uneconomic and do not add value to its client relationships. Operational risk profiling (i.e. selecting which risks to retain and which to outsource or insure) remains at an early stage. The market for effective ‘alternative risk transfer’ solutions remains limited. Insurance, although used in the past, has yet to be actively developed as an operational risk profiling tool.
We view positively the fact that Barclays has been moving into a more focused and effective risk-based structure, concerned with adding value. We recognise the continuous efforts being made by Barclays to embed operational risk management throughout the bank. Our assessment of the progress made is that it is sound. Looking to the future, we would expect to see further efforts relating to cost-benefit analysis as the bank moves more into
  42. 42. stage two of development. Failure to maintain the current dynamism could potentially result in ossifying bureaucracy, although we see no reason why this should happen.
  43. 43. Deutsche Bank AG Deutsche Bank (rated Aa3/P-1/B) appears to be well positioned with regard to operational risk management. It has been pro-active in the Basel 2 process through participation in industry working groups and direct discussions with regulators. Deutsche Bank believes firmly that operational risk management is concerned with the effective running of a bank. Its aim is to embed a risk aware culture throughout. The bank has put in place policies together with divisional standards, and it is currently in the process of developing a risk profile document. An operational risk framework has been developed. This is actively being rolled out across the group. Deutsche Bank has developed a matrix structure for operational risk management, involving both divisional and regional operational risk officers. The development of supporting tools and techniques is seen as an ongoing process. Deutsche Bank will be adopting the Advanced Measurement Approach (AMA) as specified under Pillar 1 of the new Basel Capital Accord (Basel 2). However, due to insufficient clarity from the regulators, it remains uncertain what advantage this will produce with regard to a reduction in the regulatory capital requirement. The bank is currently collecting and analysing data. It expects to be able to show, in about three years’ time, how the effective management of operational risk has reduced the severity and frequency of losses. A loss distribution approach (LDA) to the quantification of operational risk is being adopted. However, data quality and sparseness represent limiting factors with regard to the development and validation of operational risk models. The bank is using internal data for the higher frequency events; however, for the lower-frequency high-impact events it is using external, publicly available industry data. Currently, one single loss distribution curve is being used for the group as a whole. 
It is intended to replace this top down approach with a bottom up approach in 2004, giving an analysis by business line and event type. Other issues to be addressed are correlation and qualitative fine-tuning. Moody’s believes that operational risk management within Deutsche Bank is soundly based and that solid progress is being made in a reassuringly cautious and questioning manner. We are of the opinion that quantification is a difficult area particularly given current limitations concerning the quality and sparseness of data. The use of external data for extreme events is questionable, since it ignores the culture and control environment of the bank. With regard to the future, the next major stage of development for Deutsche Bank may be to optimise the risk-reward relationship (possibly through cost-benefit analysis) and to actively seek improvement in the quality and stability of earnings.
  44. 44. HSBC Holdings plc Given its size and diversity, HSBC Group has adopted a strong controls based approach to operational risk management. HSBC considers responsibility lies in all levels within the Group, i.e. in Group headquarters, in the local head office and in the line management of each business activity. HSBC’s control culture and philosophy emphasises individual accountability, within a framework prescribed in the Group standards manual (GSM) and functional instruction manuals (FIMs). Within this overarching framework, each business unit is responsible for determining its own approach to risk management. The Group uses the following definition for operational risk: "Operational risk is the risk of loss arising through fraud, unauthorised activities, error, omission, inefficiency, systems failure or from external events. It is inherent to every business organisation and covers a wide spectrum of issues." Monitoring is undertaken by regular reporting to senior management. This is underpinned by internal audit investigations and recommendations, to which line management is required to produce and implement appropriate action plans. Reporting is a combination of financial and loss incident reporting. The trigger for the reporting of a loss incident is a charge to the P&L account. Operational risk losses are consolidated and reconciled to the financial reporting systems. Near misses are also collected where it is considered significant lessons can be learnt. All Group companies are required to report aggregate operational risk losses and incidents over a pre-determined limit, on a quarterly basis. In addition, all major trading companies within the Group are required to review the effectiveness of internal controls, on an annual basis. HSBC focuses on management of operational risk and regards measurement as a secondary issue. Group Headquarters maintains oversight and control through three initiatives: 1. 
Operational risk loss data collection initiative Data collection began in January 2001 and has been implemented throughout the Group on a decentralised basis. Data is classified by various attributes, including event type, primary and secondary cause, business line and the country of loss. 2. Reporting of results of loss data collection A regular Group-wide operational risk report, which provides a summary of the Group’s operational risk loss experience and gives details of incidents over USD1 million, is provided to the Group Finance Director and is tabled at a Board Committee. 3. Feedback Feedback reports containing brief details of all incidents identified throughout the Group are distributed to the chief financial officers of the principal Group companies. Further details of incidents are provided where appropriate to relevant Group functions including Audit, Compliance, Legal, IT Security, Insurance, etc. Completeness checks are carried out by making comparisons with other reports received by Group functions.
  45. 45. Given the size and complexity of the HSBC Group it is considered that a one size fits all approach is inappropriate. Therefore, different companies and business lines within the Group are given the flexibility to implement different approaches within the prescribed framework. With regard to the new Basel Capital Accord (Basel 2), permissibility of a mixed basis under Pillar 1 may be important. HSBC is watching the results of other banks concerning the development of the more sophisticated advanced measurement approaches (AMAs) but as yet its view is that "the jury is still out." HSBC is a solidly managed group; however, we believe that its thinking with regard to operational risk management is somewhat less advanced than is the case in other major banking groups. This reflects the fact that the Group took a decision not to participate actively in the development of AMAs, but rather to maintain a watching brief. Although the HSBC Group’s concentration on traditional accounting and reporting based systems could mean that it may lack the speed of response of leading banks in this field, this is not, in our opinion, likely to be material to the success of the Group and in the longer term it could catch up if it wishes to. Given its size and diversity HSBC Group benefits from a portfolio effect, which together with the substantial absolute level of its earnings, suggests that it has the capability to withstand substantial operational losses, should these arise.
  46. 46. ING Bank N.V. ING Bank has adopted a proactive stance towards operational risk management and has been actively involved in a number of industry working groups. Its view is that a professional operational risk management function and process is essential for ensuring the continuity and reputation of a bank. ING Bank has set up operational risk committees (ORCs) in all regions and major countries, and is extending this concept to the remaining business units. These ORCs, chaired by general management, are responsible for monitoring operational risks and ensuring that appropriate actions are taken. By taking a proactive stance the bank is aiming to avoid surprises. This requires early detection of key risks. Incident information is considered essential to better understand operational risks, based on the idea of ‘how can you learn for the future if you do not understand the past.’ The approach taken is to understand the cost of risk, develop ‘lessons learnt’, and take appropriate mitigating action. ING Bank uses an array of tools and techniques including periodic risk & control self-assessments (RCSA), continuous risk awareness programmes, monthly key risk indicator (KRI) reports, a new-product approval process, and action tracking of audit findings. Risk tolerances are set, based upon impact. ING considers performance measurement to be essential in a large conglomerate since ‘if you cannot measure risk you cannot control it’. Fundamentally, ING believes that operational risk is about people. Risks, therefore, need to be allocated back to individual line managers in order to facilitate management control through accountability, responsibility and learning. ING is also extending its operational risk management process to ING Insurance. Economic capital is used to incentivise business unit managers. Capital investment, which increases the rate of return and reduces risk, attracts a lower capital charge. 
ING believes that RAROC (Risk Adjusted Return On Capital) is an ideal management tool being both a carrot and a stick. Economic incentivisation has been used quarterly since 1998 and is continuing to be enhanced. With regard to regulatory requirements, ING will be adopting the Advanced Measurement Approach (AMA) under Pillar 1 of the new Basel Capital Accord (Basel 2). The bank is currently using a combination of a Loss Distribution approach and Scorecard based approach since it believes that a combination of quantitative and qualitative tools and techniques may be required within the various business units, depending upon circumstances and future developments. The bank collects quarterly internal loss data. It also collects information on near misses, which it sees as an essential part of management and learning. External data is sourced from two commercial providers together with that from the ORX industry consortium, of which ING is a founder member. ING considers that external data, if used carefully, is appropriate for scenario analysis and benchmarking purposes. Moody’s believes that although ING Bank has chosen not to be in the vanguard in the field of operational risk management, its approach is well thought through and its management processes appear sound. Over the next twelve months, the key priorities for the bank are to further strengthen its organisation of operational risk management, rolling out operational risk committees (ORCs) to all business units, and enhancing operational risk tools and techniques.
  47. 47. Lloyds TSB Bank Plc Approach and Positioning The Lloyds TSB group has grown into its current form through mergers and acquisitions, which has resulted in a relatively decentralised structure, with numerous business units, each with their own risk profile. The group has, historically, taken a sound, realistic approach to operational risk management, and it recognises that there are increasing risks inherent in the current business environment. Working groups have been established to address the following key issues relating to operational risk: 1. Operational risk loss database The loss database has now been designed and will be implemented during the first quarter of 2004. As well as recording and categorising losses, the database will seek to include near misses and consider the causes of operational risk events. 2. An overall operational risk tool for the group The group is considering implementing a new uniform methodology for managing operational risk, to replace the existing variety of approaches present in different business units. 3. Regulatory Capital Approach The bank is presently working towards recognition to at least the standardised approach, with detailed consideration also being given to the AMA. With regard to positioning, Lloyds TSB has deliberately chosen not to be a prime mover so far. Instead, it has chosen to implement quickly those appropriate developments proven by other market participants to be effective, an approach which we see as valid, particularly for an organisation with a relatively low risk profile and conservative appetite for risk. Definition Lloyds TSB initially adopted Basel’s high level definition of operational risk (i.e. the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events). It is currently developing a more useful granular definition in line with its approach to operational risk management. 
Management and Reporting An enterprise wide risk management (EWRM) approach has been adopted. All risks are identified according to a number of drivers, of which operational risk is one, and which impact others. Risk management is seen as the responsibility of the individual business units. Regular business unit risk reviews are carried out, with support from the group risk function, and self assessments are completed by business units periodically. The Future Lloyds TSB is seeking to gradually bring about a cultural change within the group with regard to operational risk. It is proposing to introduce a more proactive, rather than reactive, stance and to move away from a zero tolerance style to one of informed flexibility. This will require a clear business case to be made for operational risk management.
  48. 48. Issues regarding governance and board involvement are also likely to need to be addressed, in order to bring about the cultural change associated with the further development of strong operational risk management procedures.
  49. 49. Swedbank (ForeningsSparbanken) Summary and Conclusions Moody’s views Swedbank’s group operational risk management as adequate. The group aims to be in line with best practices in that area - an objective which we expect it to achieve. Work is currently ongoing at a rapid pace with key milestones planned for 2004. The group’s focus is mainly on qualitative elements though data collection should in time favor quantitative content. Approach and Positioning Swedbank has adopted a bottom-up approach to operational risk management. The group aims to be on a par with recognized best banking practices in the Nordic region. Today, management focus is primarily on promoting awareness of operational risk issues throughout the group, notably through self-assessment workshops organized in collaboration with each of the group’s five business units (see Issuer Profile on Swedbank for details of the group’s business units). The group has been running a formal self-assessment program in its Swedish operations since 2001. Definition and Scope Swedbank does not aim to optimize its regulatory capital level through operational risk management. Management views the development of its operational risk framework in three stages: to ensure that the group has sound operational risk management systems; to optimize the cost/benefit of these procedures; and to address competitive strategic positioning. Management and Reporting Overall responsibility for operational risk management rests with the Board of Directors of Swedbank. In particular, the Board has approved group-wide instructions addressing basic management techniques and consolidated reporting, notably with the view of monitoring operational risk management initiatives in FIH and Hansapank. The Board has created a dedicated Committee, the Audit and Operational Risk Committee, to address this issue. Swedbank has had a dedicated operational risk policy since 1998, which was recently updated. 
In early 2000, the group set up a dedicated Group Operational Risk department composed of four people. The department is responsible for establishing policies and procedures and ensuring efficient, independent risk monitoring. The Head of the department, also responsible for Group Security, reports directly to the Chief Executive Officer. Each business unit has a dedicated Operational Risk manager with line reporting to the business unit head and functional reporting to the Head of the Group Operational Risk team. Reporting Structure Currently, the Board of Directors receives operational risk reports from the group risk department on a semi-annual basis, supplemented by an annual presentation. The Chief Executive Officer and the Executive Management Committee receive reports on a quarterly basis. Reporting at the business unit level is currently being developed. Swedbank has adopted a two-phase approach to reporting, first targeting more qualitative reports and later aiming to include also quantitative content. Consultancy advice and guidance has been taken with regard to the use of key risk indicators (KRIs). A specific KRI project was run in Swedbank Markets last year, which the group is currently replicating to the other four business units.
  50. 50. Infrastructure Systems are a combination of manual and IT elements. Further system development is being undertaken to provide a more robust infrastructure together with an enhanced IT environment. It is proposed to increase the level of IT, in order to enable the bank to move from quarterly to real-time reporting and to enable more information to be captured and made readily accessible. Data Quantification and Modeling Swedbank has been recording loss data for events exceeding SEK50,000 for approximately two years. The group however reports that its subsidiary Hansapank is rather more advanced with a track record of eight years of loss data collection. Going forward, the group plans to expand its data collection to "near misses" which are currently only collected on an ad hoc basis. The group’s data categorization is in line with the approach suggested by the British Bankers Association (BBA): a risk profile is created for each business unit based on four fundamental risk elements (personnel, processes, systems, and external events). These elements are then sub-divided, thus facilitating drill-down. Changes in each business unit’s risk profile are considered each year. Analysis of causality is progressing in line with data capture and understanding. Tools and Techniques Swedbank is looking to implement a range of operational risk management tools and techniques throughout the group, including periodic self-assessment exercises, risk and vulnerability analysis, and key risk indicators. Progress is at a different stage throughout the group’s five business units. This is also true in respect of related aspects such as awareness, organizational readiness and reporting procedures. Regulatory Compliance Swedbank has decided to opt for the standardized approach under Pillar 1 of the new Basel capital accord (Basel 2). 
However, the group intends to further develop its operational risk management capability and may in time adopt more sophisticated measurement and quantification methods, of the AMA type, on a business unit basis, as warranted. Economic Capital A top priority for management, the group’s economic capital project pursues the following goals: - to improve management’s understanding of how and where risks are created in the group; - to quantify the size of the group’s risks; - to better price credit risk in lending transactions; - to understand the amount of capital required by type of risk and per business unit; - to compare business units’ performance using return on allocated economic capital; - to increase capital efficiency throughout the group; and - to lower risk-related losses owing to a more transparent view of the different risks. A preliminary study has been carried out by consultants and implementation is expected to be completed by 2004. The group’s operational risk-related work is part and parcel of the overall economic capital project. Business units are incentivized to contribute to
  51. 51. lowering the group’s operational risk costs with a view to lowering the amount of economic capital they consume.
  52. 52. Fraud, Corruption and Financial Crime Swedbank has systems and procedures in place for dealing with fraud, corruption and financial crime which are regularly reviewed and updated. IT detection systems are intended to become increasingly sophisticated through the use of artificial intelligence, including pattern theory. Management considers fraud a relatively more minor issue for Swedbank. We understand that there are only about 20 internal cases of fraud per year and that these are of low value. Similarly, external frauds are of low value. With regard to money laundering, the bank reports about 80 to 100 events a year to the regulator. In that respect, the group is working on identifying transaction patterns as early warning signals of fraud. Contingency Planning At Swedbank, contingency planning is not the responsibility of the Group Operational Risk department but, instead, is coordinated centrally by Group Security (though both departments report to the same Executive Officer). A crisis management team exists. Each business unit has its own contingency plans; in addition, some business segments may also have a different contingency plan. With regard to IT, the group has a separate site with a capability of being up and running within 24 hours.
