June event - Operational risk management - IT Career



The 2nd seminar of Friends4Growth in Ho Chi Minh City with Prof. Enoch Ch'ng from SMU - Singapore Management University.

Together We Grow
Friends4Growth is a group of young professionals, who share a common passion to learn and grow more in their career through formal and informal educational opportunities. The group was founded by Vietnamese national Le Tran, a Wharton MBA Class of 2009.

The Friends4Growth mission is as follows:

- Be a place for young professionals to exchange and enhance knowledge
- Bring educational opportunities to members by providing access to well-known professors, business leaders and industry experts
- Provide information on universities around the world to members who intend to study abroad
- Share experience in studying, job search, working and living outside Vietnam

To achieve its mission, the group organizes various activities for its members on a monthly basis, such as:

- Seminars on various industry topics, with the sponsorship of the Singapore Management University
- Coffee chats with experienced professionals from more developed economies
- Q&A sessions covering overseas life and work from seasoned experts

Website: www.friends4growth.com
Join us at: http://facebook.com/friends4growth and http://vn.linkedin.com/in/friends4growth
If you have any inquiries, please contact us at info@friends4growth.com

Published in: Economy & Finance, Business

  1. What do financial institutions know about operational risk? Enoch CHNG, Associate Professor of Information Systems (Education) & Director, SIS Programs in Financial Services (TOPS), School of Information Systems, Singapore Management University. 8/3/2012
  2. Outline
     - Learning from Mishaps
       - Examples of Operational Failures in Financial Industry
       - Lessons Learnt
     - Defining Operational Risk
     - Managing Operational Risk
       - Assessment of Operational Risk
       - General Considerations
       - Process Design and Mapping, Reliability Theory, etc.
       - Ops Risk and Total Quality Management (TQM)
     - Basel III and Measurement of Operational Risk
     - Concluding Remarks
  3. Examples of Operational Failures in Finance
     - Barings (Singapore, 1995)
     - Sumitomo (New York, 1996)
     - NatWest (London, 1997)
     - LTCM (Greenwich, 1998)
     - HIH Insurance (Sydney, 2000)
     - Cantor Fitzgerald (New York, 2001)
     - Allied Irish Bank (Baltimore, 2002)
     - Mizuho (Tokyo, 2005)
     - Société Générale (Paris, 2007)
     - TD Ameritrade (January 2008)
     - UBS rogue trader scandal (London, Sep 2011)
     - JPM Hedge Loss (London, 2012)
  4. Features of Mishaps

     |                | LTCM              | NatWest        | Sumitomo         | Barings     | ? |
     |----------------|-------------------|----------------|------------------|-------------|---|
     |                | 1998              | 1997           | 1996             | 1995        |   |
     | Loss (USD bn)  | 4.4               | 0.2            | 2.6              | 1.3         | ? |
     | Loss in % cap  | 44%               | negligible     | 45%              | 100%        | ? |
     | Time to mishap | Fast              | 3 yrs          | 10 yrs           | 3 yrs       | ? |
     | Trigger        | Market conditions | External audit | Mistaken sending | Margin call | ? |

     Loss events with a long time-lag usually require an additional external trigger event to make the losses apparent.
  5. Rogue Trading
     - Frequency and Severity
       - Quite frequent and very severe.
     - Where does it occur?
       - US, Europe, Singapore, South America, …
       - Far-flung branch office.
     - Profile
       - Relatively young or star traders.
       - Gambling persona.
       - Seemingly profitable business unit.
       - Internal pressure to bring in high returns.
     - Sequence of Events
       - Usually starts small and very innocuous (cover up of an error), but then may continue for many years (while expanding) before being discovered.
       - Warning signs are not heeded.
       - Management inaction.
     - How to avoid?
       - Internal audits and controls (with separate lines of reporting), regular internal transfers, mandatory vacations, …
  6. Human Error
     - There are many examples of very common human errors (example in FX: USD-Euro vs Euro-USD trade).
     - Frequency and Severity – quite often and severe.
     - Important factors: Experience, Workload.
     - How to avoid: Well designed information systems with error-correcting feedback, additional checking by independent people.
     - Complexities in information system design:
       - Requirements of having real time feed of market data. (Not easy, especially not when stock is very lightly traded or when trading is very volatile).
       - Information may have to be fed into a neural net in order to detect anomalies. Neural net has to provide feedback in real time.
     - Sidebar question: Why does a human error much more often result in a loss rather than in a gain?
  7. Outline (repeated from slide 2)
  8. One Way of Looking at Risks in Banking
     - Diagram labels: Banking Risks; Market Risk; Credit Risk; Liquidity Risk; Operational Risk; Legal Risk; Reputational Risk; Trading Risk; Gap Risk; Equity Risk; Interest Rate Risk; Currency Risk; Commodity Risk; Specific Risk; General Market Risk; Transaction Risk; Portfolio Concentration Risk; Counterparty Risk; Issuer Risk; Money Transfer Risk; Value Error Risk; Systems Risk; Clearance Risk; Model Risk.
  9. Definition of Operational Risk
     - Early work resorted to a negative definition of other risks: all risks except credit, market and interest rate risk in the banking book.
     - Latest definition:
       - The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including those adversely affecting reputation, legal enforcement of contracts and claims.
       - Excludes strategic, business and systemic risk. However they are often captured simply as operational risk.
     - Operational Risk ≠ Total Risk – Market Risk – Credit Risk
  10. Operational Risk Varies by Business Types
  11. Causal Analysis and Risk Management
     - Diagram labels: Symptoms; Causally related events; Root cause events; Risk Mitigation; Risk Prevention.
  12. Outline (repeated from slide 2)
  13. Operational Risk Taxonomy
     - Diagram labels: People; Processes; Systems; External Events; Internal Acts; Employment Practices & Workplace Safety; Employee Relations; Safe environment - workers & 3rd party; Diversity & discrimination; Clients, Products and Business Practices; Execution, Delivery & Process Management; IT and Utilities; Damage to or Loss of Assets; External Acts.
  14. Basic Operational Risk Factors
     - People risk
       - Incompetency
       - Fraud, …
     - Process risk
       - Model risk
         - Model/methodology error
         - Mark-to-model error, …
       - Transaction risk
         - Execution error
         - Product complexity
         - Booking error
         - Settlement error
         - Documentation/contract risk, …
       - Operational control risk
         - Exceeding limits
         - Security risks
         - Volume risks, …
     - Technology risk
       - System Failure
       - Programming error
       - Information risk
       - Telecommunication failure, …
  15. Operational Risk Management
     - Objectives
       - To generate a broader understanding of operational risk issues at all levels of the firm that touch on key areas of risk.
       - To enable the organization to anticipate risks more effectively.
       - To change behavior in order to reduce operational risk and to enhance the “culture of control” within the organization.
       - To provide objective information so that services offered by the organization take account of operational risks.
       - To provide support in ensuring that adequate due diligence is shown when carrying out mergers and acquisitions.
       - To provide objective measurements of performance.
       - To avoid potential catastrophic losses.
     - “Must Have” Elements
       - An agreed conceptual framework that provides:
         - a definition of operational risk;
         - identification of the key components of operational risk;
         - the role and responsibilities of the function;
         - its organizational fit within risk management and the firm as a whole;
         - its operating principle;
         - its approach to measurement; and its approach to reporting results.
       - A systems and data architecture that provides timely, comprehensive and consistent information for decision taking and risk evaluation.
       - The resources, i.e. management and people.
       - The necessary tools, e.g. techniques for measurement.
  16. Framework (giving a view both backwards and forwards)
  17. Three Lines of Defense Model (columns: Area, Purpose, Role)
     - 3rd Line of Defense: Independent Assurance (Internal/External Audit)
       - Provide independent challenge & assurance.
       - Provide independent assurance on key controls and reporting & overall OR policy framework.
       - Audit function will challenge the key processes employed by the business.
     - 2nd Line of Defense: Governance & Oversight (OR Policies, OR Framework & Reporting)
       - Established committee structures and reporting.
       - Provide the infrastructure and the analysis to aid oversight and challenge in respect of OR policies, framework and reporting.
       - Diagram labels: Endorsed; Built.
     - 2nd Line of Defense: Oversight & Challenge (OR Managers)
       - Provide oversight & challenge. Provide expert advice.
       - Ops risk function acts as overall owners of OR policy and control assurance processes.
     - 1st Line of Defense: The Business / Front Line
       - Establish a suitable risk & control environment. Implement controls, test key controls.
       - Manage OR: identify risks, improvement actions, reporting on progress/incidents.
       - The business is responsible for day to day risk management, and testing of controls (Sox).
  18. Potential Risk/Failure Points in Insurance
     - The significant sources of operational risk are implicitly included in regulatory and rating agency capital models.
     - Diagram labels: Standard Expenses; Fraudulent Expenses; Processing Errors; Total Expenses; Covered Losses; Fraudulent Losses; Processing Errors; Total Losses; Underwriting Errors; Policy Pricing; Premium; Processing Errors; Total Premium; Financial Statements; Regulatory / Rating Agency Capital Models.
  19. Sequential Activities and its Relationship to Reliability Theory
     - When a number of activities in a product has to be done in series, then the “survival” probabilities have to be multiplied.
       - Assume 3 activities in series; each one having a probability of 0.9 of being done correctly. The probability of the entire product done correctly is 0.9 x 0.9 x 0.9 = 0.73
     - Example
       - Independent Verification
         - Independent verification of all activities reduces probabilities of errors and potential fraud. What is optimal redundancy?
       - Parallel Checking (Independent)
         - If an activity has a 0.1 probability of error, an independent verification with the same probability of error reduces the overall error rate to 0.01.
         - If the parallel activity is negatively correlated with the first activity, then overall error rate is even lower; if it is positively correlated with the first activity, then it is higher than 0.01.
  20. Why TQM or 6-Sigma?
     - Size of Operation
       - Bank of America has to process daily approximately 30,000,000 checks. The number of checks not processed correctly is less than 100.
       - A major investment bank in NY processes daily approximately 10,000 Forex trades. The number of trades with minor errors less than 100. The number of trades with a medium size error less than 1.
         - Note: each trade may be subject to a number of amendments or exceptions
     - Learning from Other Industries
       - From the Manufacturing industry:
         - Shingo systems (Poka-yoke systems)
         - Statistical Process Control (SPC)
         - Deming’s 14 points
       - From the Aviation industry:
         - Near-Miss reporting systems
         - Checklists
       - From the Health Care Industry:
         - Second opinions
         - Knowledge system software
  21. Variations/Variability
     - Process variability is inevitable
       - Human variability
       - Machine or System variability
     - How much variability is too much?
       - Assignable variations
         - Can be traced to a specific reason
         - Should be eliminated
       - Natural or random variations
         - Form a pattern that can be described as a distribution
         - We say that the process is “in control” when there are only natural variations

     |                        | In control   | Not in control |
     |------------------------|--------------|----------------|
     | Assume process is OK   | OK           | Type II error  |
     | Take corrective action | Type I error | OK             |
  22. Specification Limits vs. Performance Limits
     - Figure with four panels, each comparing a performance range with a specification range: An Undesirable Situation; A Very Undesirable Situation; A Vulnerable Situation; A Very Desirable Situation.
  23. Outline (repeated from slide 2)
  24. How is Operational Risk Measured?
     - Quantitative Approach
       - Statistical
       - Historical
       - Internal/External Failures
       - Monte Carlo Simulation
       - Remarks: Too rigid; Relevancy?
     - Qualitative Approach
       - Based on self-assessments
       - Remarks: Too judgmental; No reference points
     - Either approach on its own does not tell the whole story
  25. Basel III – Operational Risk
     - Basic Indicator Approach (BIA)
       - The operational risk capital charge under BIA is calculated as a fixed percentage of the average over the previous three years of positive annual Gross Income (GI).
       - Percentage is currently set at 15%
     - Standardized Approach (SA)
       - Banks' activities are divided into 8 Business lines (Corporate Finance, Trading, Retail Banking, etc.)
       - Each Business line has its own GI; again we look at the GIs over the last three years.
       - The capital charge for each business line is multiplied by a factor that is specified for that business line.
       - Factor for each business line is somewhere between 12 and 18%.
     - Advanced Measurement Approaches (AMA)
       - the Internal Measurement Approach (IMA)
       - the Score Card Approach (SCA)
       - the Loss Distribution Approach (LDA)
  26. Basel III Specific Criteria
     - Supervisory guidelines have been established for the Advanced Measurement Approach governing 33 principles in 4 separate categories. Supervisors will assess banks against each of these guidelines.
     - Governance: (1) Roles and responsibilities; (2) Board of Director oversight; (3) Appropriate resources; (4) Independent function; (5) Risk and Exposure reporting; (6) LOB responsibility; (7) LOB alignment with firm-wide policy; (8) Firm-wide policies and procedures.
     - Data & Reporting: (9) Firm-wide exposure reporting; (10) Senior management reporting; (11) Internal controls minimum standards; (12) Data sufficiency; (13) Definition; (14) Collection and modification standards; (15) Loss history time series; (16) Data mapping; (17) Loss data capture policy; (18) External loss data policy; (19) Management review of external data; (20) Thresholds; (21) Boundaries.
     - Environment: (22) Business environment and control factors; (23) Comparison of loss experience; (24) Scenario analysis policy.
     - Capital Measurement: (25) Analysis framework; (26) Documented assumptions; (27) Calculated elements; (28) Treatment of EL; (29) Diversification / correlation assumptions; (30) Insurance offset; (31) Data management; (32) Verification; (33) Independent testing.
  27. Variables In Foreign Exchange Trade
     - Stage I (Before order Match or Broker Verification)
     - Stage II (Before Financial Confirmation)
     - Stage III (Before Settlement Confirmation)
     - Stage IV (Before Value Date) (open trade)
     - Stage V (Before Terms Confirmation)
     - Variables listed across the stages include: Elapsed Time; Historical Volatility; Deviation from Average Volatility; Mark-to-Market; Trader Error Ratio; Client Sensitivity; Sales Error Ratio; Execution Method; Client Operating Infrastructure; Country Operating Infrastructure; Incoming Confirm Method; Outgoing Confirm Method; Outgoing Conf Delay/Elapsed Time; Internal Credit Rating; Regulatory Risk; Liquidity Risk; Notional; Potential OD Rates; Master Agreement (Provisions for Netting); Payment Instruction Precedence; Template Precedence; Fail Recovery Time; Product Complexity; Time to Settlement Cutoff; Operator Stage I; Operator Stage II; Operator Stage III; Approver Operator State II.
  28. From Tools for Risk Analysis to OpVaR
     - Flow diagram labels: Internal Loss History; Industry Loss History; Scenario Analysis; Key Risk Drivers (KRDs); Calculation of Exposure Base (EIs); Calculation of Actual PEs & LGEs; Actual Loss Rates; Projected Loss Rates; Calculation of OP VaR; OpVaR; Stress Scenario; Reporting; RAROC; OpVaR Report.
  29. Outline (repeated from slide 2)
  30. OpRisk Management and Related Disciplines
     - Diagram labels: Operational Risk Management; Total Quality Management; Facilities Management; Statistical Process Control; Contingency Planning; Actuarial Loss Model; Insurance; Financial Risk Management; Reliability Engineering; Risk Processes; Operations Management; Audit; Organization; Internal Control.
  31. Proper Design of Incentive Systems
     - Incentives for the company
       - if company knows that risky assets will be sold there is less of an incentive to assess the risk carefully
     - Incentives for employees
       - immediate bonuses for the employee versus long term risk for the company
  32. Black Swan Events − Mitigants
     - Not exposing oneself to large losses.
       - For instance, only buying options (so one can at most lose the premium), not selling them.
     - Performing sensitivity analysis on assumptions
       - This does not eliminate the risk, but identifies which assumptions are key to conclusions, and thus meriting close scrutiny.
     - Scenario analysis and stress testing
       - These are widely used in industry; they do not include unforeseen events, but emphasize various possibilities and what one stands to lose, so one is not blinded by absence of losses thus far.
     - Using non-probabilistic decision techniques
       - While most classical decision theory is based on probabilistic techniques of expected value or expected utility, alternatives exist which do not require assumptions about the probabilities of various outcomes, and are thus robust. These include minimax, minimax regret, and info-gap decision theory.
  33. Operational Risk Management Framework
     - Management Agenda
       - Purpose & objectives
       - Value proposition
       - Risk “appetite,” culture
       - Policies & guidelines
       - Industry standards
       - Regulatory standards
     - Risk Organisation Structure
       - Oversight structure
       - Roles & responsibilities
     - Management Information System
       - ORM system architecture
     - Understanding Operational Risk
       - Operational Risk Taxonomy
       - Key Risks and Trends
       - Basel II Best Practices/Standards
     - Operational Risk Methodologies
       - Business Continuity Management
       - Technology Risk Assessment
       - Preventive, Detective Controls, Risk Mitigation
       - Control Self Assessment
       - Risk Measurement/Quantification Methods
     - Unified Risk Management Process
  34. THE END. Enoch CHNG. Office: Rm 4003, SIS. Phone: +65 68085155. Email: enochchng@smu.edu.sg
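
The reliability arithmetic on the "Sequential Activities" slide, worked through as an added example (not part of the original slides). Function names are hypothetical, and modelling the maker's and checker's errors as Bernoulli events with Pearson correlation rho is an assumption of this example. It goes beyond the slide by rejecting correlations that cannot occur for the given error rates and by counting how many independent checkers a target residual error rate requires.

```python
from math import prod, sqrt


def series_success(success_probs):
    """Probability that every activity in a serial chain is done correctly
    (activities assumed independent, as on the slide)."""
    return prod(success_probs)


def joint_error(p_maker, p_checker, rho=0.0):
    """Probability that the maker errs AND the checker fails to catch it.

    Assumption of this example: both errors are Bernoulli events whose
    indicators have Pearson correlation rho.
    """
    spread = sqrt(p_maker * (1 - p_maker) * p_checker * (1 - p_checker))
    joint = p_maker * p_checker + rho * spread
    # A joint probability must stay inside these bounds; outside them the
    # requested correlation is impossible for the given error rates.
    lowest = max(0.0, p_maker + p_checker - 1.0)
    highest = min(p_maker, p_checker)
    if joint < lowest - 1e-12 or joint > highest + 1e-12:
        raise ValueError(f"rho={rho} is not attainable for these error rates")
    return min(max(joint, lowest), highest)


def checked_chain_success(step_errors, p_checker, rho=0.0):
    """Success probability of a serial chain when every step has one checker."""
    return prod(1 - joint_error(p, p_checker, rho) for p in step_errors)


def checkers_needed(p_maker, p_checker, target):
    """Smallest number of independent checkers (each missing an error with
    probability p_checker) that brings the residual error to <= target."""
    if not (0 < p_checker < 1) or target <= 0:
        raise ValueError("need 0 < p_checker < 1 and target > 0")
    residual, count = p_maker, 0
    while residual > target:
        residual *= p_checker
        count += 1
    return count


if __name__ == "__main__":
    print("3 unchecked steps at 0.9:", round(series_success([0.9] * 3), 3))
    for rho in (-0.1, 0.0, 0.5):
        print(f"residual error, rho={rho}:", round(joint_error(0.1, 0.1, rho), 4))
    print("3 checked steps:", round(checked_chain_success([0.1] * 3, 0.1), 4))
    print("checkers for <= 5e-4:", checkers_needed(0.1, 0.1, 5e-4))
```

With the slide's numbers, one independent checker per step raises the three-step success probability from 0.73 to about 0.97, while a checker whose mistakes are positively correlated with the maker's (same training, same screen, same assumptions) gives back much of that gain.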