Operational Risk & Basel II


Javed H Siddiqi
Soneri Bank Ltd

  1. Operational Risk & Basel II
  2. Defining & Understanding Operational Risk
      “Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” - Basel Committee on Banking Supervision
  3. Defining & Understanding Operational Risk
  4. Defining & Understanding Operational Risk
  5. Defining & Understanding Operational Risk
  6. Defining & Understanding Operational Risk
  7. Defining & Understanding Operational Risk
      - What risks are we talking about?
          - A loan goes bad!
          - Bank suffers losses on outstanding forward contracts.
  8. Defining & Understanding Operational Risk
      “More than 80% of our Credit risk is really just Operational risk.” - Senior Risk Officer, Large German Bank
  9. Defining & Understanding Operational Risk
      If a severe operational risk event is accounted for under credit risk, the loss may very well be reported, and the economic capital number may even be adjusted to help ensure appropriate capital coverage. However, this is unlikely to lead to appropriate management decisions. The resulting (incorrect) credit risk increase will almost certainly result in a reduction of loans in a region or to an industry sector or client, but seldom will result in the credit process redesign that is actually needed.
  10. Basel II – Evolution of Ops Risk
      - 1988 Capital Accord
          - Too simplistic
          - Subject to manipulations
          - Encouraged more risk taking
          - Leading banks, using sophisticated models, realized that they were ‘over capitalized’ and lobbied for a more risk-sensitive capital framework.
  11. Basel II – Evolution of Ops Risk
      - The New Accord
          - Basel II is based on the fundamental principle that risk capital should be based on level of risk (i.e., risk sensitive).
              - Incentive: Requiring banks to hold capital based on their actual level of risk would give banks an incentive to reduce their level of risk.
              - Lessons from past experience (in market risk): risk measurement improves risk management.
  12. Basel II – Evolution of Ops Risk
      Basel II Three Pillars: providing a flexible, risk-sensitive capital management framework
      - Minimum Capital Requirements
      - Supervisory Review
      - Market Discipline
  13. Basel II – Evolution of Ops Risk
      Minimum Capital Requirement: Risk-weighted Exposures
      - Market Risk (No Change): Risk of losses in on and off balance sheet positions arising from movements in market prices
      - Credit Risk (Major Changes): Potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms
      - Operational Risk (New element added): Risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or external events
  14. Basel II – Evolution of Ops Risk
      - PILLAR 1: Minimum Capital Requirements
      - PILLAR 2: Supervisory Review
      - PILLAR 3: Market Discipline
      [Diagram labels: Risk Weights; Definition of Capital; Credit Risk; Operational Risk; Market Risk; Standardized Approach; Internal Ratings Based Approach; Asset Securitization; Basic Indicator Approach; Standardized Approach; Advanced Measurement Approach; Foundation Approach; Advanced Approach; Standardized Approach; Internal Ratings Based Approach; Alternate Standardized Approach]
      Balance the flexibility and freedom given to banks
  15. Basel II – Evolution of Ops Risk
      - Basic Indicator: based upon an institutional Gross Income (Alpha). Minimum for all banks.
      - Standardized: based upon Business Line Gross Income (Beta). Minimum for large banks.
      - Advanced: based upon Loss Distribution Approach, Scenarios or Risk Drivers & Controls. Target for leading banks.
      But also requires adherence to a set of “Sound Practices”
  16. Basel II – Evolution of Ops Risk
  17. Basel II – Evolution of Ops Risk
  18. Basel II – SBP Guidelines
      - Basic Indicator Approach
          - Under BIA the capital charge for operational risk is a fixed percentage of average positive annual gross income of the bank over the past three years.
          - Gross income is defined as the sum of net interest income and net non-interest income and shall be arrived at before accounting for:
              - (i) provisions, including those for credit impairment;
              - (ii) operating expenses;
              - (iii) realized profits/losses from the sale of securities;
              - (iv) extraordinary items;
              - (v) income derived from insurance.
          - No qualifying criteria, but banks are expected to follow SBP guidelines on risk management.
  19. Basel II – SBP Guidelines
      - The Standardized Approach
          - Banks' activities are divided into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage.
          - Within each business line, gross income serves as a proxy for the scale of business operations and thus the operational risk exposure.
          - The capital charge for each business line is calculated by multiplying gross income by a factor (denoted beta) assigned to that business line.
          - The total capital charge is calculated as the three-year average of the simple summation of the regulatory capital charges across each of the business lines in each year.
  20. Basel II – SBP Guidelines
      - The Standardized Approach
      Business Lines: Beta Factors
          - Corporate finance: 18%
          - Trading and sales: 18%
          - Retail banking: 12%
          - Commercial banking: 15%
          - Payment and settlement: 18%
          - Agency services: 15%
          - Asset management: 12%
          - Retail brokerage: 12%
  21. Basel II – SBP Guidelines
      - The Alternative Standardized Approach
          - Under the ASA, the operational risk capital charge/methodology is the same as for the Standardized Approach except for two business lines: retail banking and commercial banking. For these business lines, loans and advances, multiplied by a fixed factor ‘m’, replace gross income as the exposure indicator.
          - $K_{RB} = \beta_{RB} \times m \times LA_{RB}$
          - Where
          - $K_{RB}$ is the capital charge for the retail banking business line
          - $\beta_{RB}$ is the beta for the retail banking business line
          - $LA_{RB}$ is total outstanding retail loans and advances (non-risk weighted and gross of provisions), averaged over the past three years, and
          - $m$ is a constant with a value of 0.035
  22. Basel II – SBP Guidelines
      - The Alternative Standardized Approach
          - Under the ASA, banks may aggregate retail and commercial banking (if they wish to) using a beta of 15%. Similarly, those banks that are unable to disaggregate their gross income into the other six business lines can aggregate the total gross income for these six business lines using a beta of 18%, with negative gross income treated as described above.
  23. Basel II – SBP Guidelines
      - Advanced Measurement Approach
          - Under the AMA, the regulatory capital requirement will equal the risk measure generated by the internal operational risk measurement system of institutions, using the quantitative and qualitative criteria for the AMA.
  24. Basel II – SBP Guidelines
      - TSA – Qualifying Criteria
          - BoD oversight.
          - Separate Operational Risk management function.
          - Tracking ops loss data.
          - System of reporting ops risk exposure.
          - Well documented ORM, with policies and procedures.
          - Periodic review to validate the ORM.
          - Regular review by external auditors.
  25. Basel II – SBP Guidelines
      - AMA – Quantitative Standards
          - SBP is not specifying the approach or distributional assumptions used to generate the operational risk measure for regulatory capital purposes. However, a bank must be able to demonstrate that its approach captures potentially severe ‘tail’ loss events.
          - The AMA soundness standard provides significant flexibility to banks in the development of an operational risk measurement and management system. However, in the development of these systems, banks must have and maintain rigorous procedures for operational risk model development and independent model validation.
  26. Basel II – SBP Guidelines
      - AMA – Detailed Criteria
          - Any internal operational risk measurement system must be consistent with the scope of operational risk and the loss event types defined in the document.
          - Capital requirement as the sum of expected loss (EL) and unexpected loss (UL), unless the bank can demonstrate that it is adequately capturing EL in its internal business practices.
          - The risk measurement system must be sufficiently ‘granular’ to capture the major drivers of operational risk affecting the shape of the tail of the loss estimates.
          - The bank must validate its correlation assumptions using appropriate quantitative and qualitative techniques.
  27. Basel II – SBP Guidelines
      - AMA – Detailed Criteria Cont’d
          - Any operational risk measurement system must have certain key features, to include the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems.
          - A bank needs to have a credible, transparent, well-documented and verifiable approach for weighting these fundamental elements in its overall operational risk measurement system.
  28. Basel II – SBP Guidelines
      - AMA – Internal Loss Data tracking
          - Internal loss data is most relevant when it is clearly linked to the institution’s current business activities, technological processes and risk management procedures.
          - Assessing the on-going relevance of historical loss data, including those situations in which judgment overrides, scaling, or other adjustments may be used.
          - Minimum five-year observation period of internal loss data. When the bank first moves to the AMA, a three-year historical data window is acceptable.
  29. Basel II – SBP Guidelines
      - AMA – Internal Loss Data tracking
          - A bank must be able to map its historical internal loss data into the relevant level 1 supervisory categories.
          - The internal loss data must be comprehensive in that it captures all material activities and exposures from all appropriate sub-systems and geographic locations.
          - A bank must have an appropriate de minimis gross loss threshold for internal loss data collection.
          - Aside from information on gross loss amounts, a bank should collect information about the date of the event, any recoveries of gross loss amounts, as well as some descriptive information about the drivers or causes of the loss event.
  30. Basel II – SBP Guidelines
      - AMA – Internal Loss Data tracking
          - Treatment of Operational risk losses that are related to credit risk
          - Operational risk losses that are related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital and will therefore be subject to the operational risk capital charge.
  31. Basel II – SBP Guidelines
      - AMA – External Data
          - The operational risk measurement system of a bank must use relevant external data (either public data and/or pooled industry data), especially when there is reason to believe that the bank is exposed to infrequent, yet potentially severe, losses.
          - External data should include data on actual loss amounts, information on the scale of business operations where the event occurred, and information on the causes and circumstances of the loss events to assess the relevance of the loss event for other banks.
          - A bank must have a systematic process for determining the situations for which external data must be used and the methodologies used to incorporate the data (e.g. scaling, qualitative adjustments etc.).
  32. Basel II – SBP Guidelines
      - AMA – Scenario analysis
          - A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.
          - Scenario analysis should be used to assess the impact of deviations from the correlation assumptions embedded in the bank’s operational risk measurement framework, in particular, to evaluate potential losses arising from multiple simultaneous operational risk loss events.
  33. Basel II – SBP Guidelines
      - AMA – Business environment and internal control factors
          - In addition to using loss data, whether actual or scenario-based, an institution’s firm-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile.
          - These factors will make the institution’s risk assessments more forward-looking and more directly reflect the quality of the bank’s control and operating environments.
  34. Basel II – SBP Guidelines
      - AMA – Risk Mitigation
          - Under the AMA, banks are allowed to recognize the risk mitigating impact of insurance in the measures of operational risk used for regulatory minimum capital requirements. The recognition of insurance mitigation will be limited to 20% of the total operational risk capital charge calculated under the AMA.
          - The ability to take advantage of such risk mitigation will depend on compliance with certain criteria.
  35. AMA – Uses and misuses of Loss Data
      - Fundamental problem
          - “In the field of operational risk management, it’s hard to find good data. Internal loss data seem to be insufficient and external loss data are affected by reporting biases and numerous idiosyncratic factors”
  36. AMA – Uses and misuses of Loss Data
      - Major issues with loss data
          - Most institutions don’t have a lot of internal loss data.
          - Many operational loss data sets have very “long tails”.
          - In summary, internal data is insufficient to be used in a meaningful manner.
          - To address this problem, many institutions have chosen to supplement their internal loss data with external loss data.
  37. AMA – Uses and misuses of Loss Data
      - Problems with external loss data – Pooled
          - Idiosyncratic factors
              - size,
              - controls,
              - culture,
              - business processes,
              - legal environment and
              - geographic location
  38. AMA – Uses and misuses of Loss Data
      - Problems with external loss data – Public
          - Reporting biases
              - Misreporting
              - Non-reporting
              - Threshold
              - Lack of necessary details
  39. AMA – Uses and misuses of Loss Data
      - Problems with external loss data
          - Does this mean external data is ‘useless’?
          - No! The insurance industry has been successfully using external data to calculate expected loss rates and the volatility (confidence intervals) around these estimates.
          - This suggests that there may be scientific ways of addressing these data problems.
  40. AMA – Uses and misuses of Loss Data
  41. AMA – Uses and misuses of Loss Data
      - Analysis of a typical set of internal data
          - If you were to take the internal data from a bank with many years of loss experience and plot it as a histogram, it would probably resemble the graphical illustration in the previous slide.
          - This histogram reveals the following facts:
              - that the loss data are collected above a certain threshold,
              - that there is a distinct “body” and “tail” to this distribution, and
              - that the tail region contains a number of “outliers.”
  42. AMA – Uses and misuses of Loss Data
      - Analysis of a typical set of internal data
          - The figure actually represents two different risk classes.
              - The body consists mainly of execution errors (primarily high-frequency/low-severity losses), and
              - the tail consists mainly of losses from other (primarily low-frequency/high-severity) risk classes.
              - However, if one were to examine data from the high-severity classes in a large external loss database, one would observe that the data in these data sets are continuously distributed. In other words, these so-called outliers actually do follow a distribution of their own.
              - However, if we were limited to using internal data alone, we would have to wait several thousand years (in a static risk environment) to get to that distribution.
  43. AMA – Uses and misuses of Loss Data
      - Analysis of external data
          - There are, broadly speaking, three types of external data: public data, insurance data and consortium data.
          - Public Data
              - These data are drawn from publicly available information: newspaper reports, regulatory filings, legal judgments, etc.
              - They contain a size-based reporting bias.
              - Because of this reporting bias, one cannot extrapolate frequency or severity parameters directly from the data.
          - Insurance Data
              - Insurance data represent losses that have been submitted as claims to insurance companies.
              - These data are captured only in risk classes where the insurance company has offered insurance coverage.
              - The vendor does not reveal the identity of the firms that experienced the losses.
  44. AMA – Uses and misuses of Loss Data
      - Analysis of external data
          - Consortium Data
              - These are pooled sets of internal data submitted by member organizations.
              - The advantage of consortium over public data is that consortium data are not subject to public (media) reporting biases.
          - Disadvantages are:
              - In some organizations, internal reporting is not yet comprehensive.
              - Because consortium data are obtained from many organizations, categorization tends to be less consistent.
              - Consortium data represents only a subset of the loss data universe.
  45. AMA – Uses and misuses of Loss Data
      - “Relevance” in the Context of External Data
          - Basel II requires that banks use “relevant” external data in their models.
          - To make external loss data relevant in connection with the bank’s internal loss data, the following points need to be considered:
              - Cautiously consider scaling individual loss data to the size of one’s institution.
              - Be wary of scaling individual losses to the quality of one’s internal control environment.
              - Don’t try and select “relevant” data points from an external database based on the question, “Could this loss happen to me, given my internal control structure?”
  46. AMA – Uses and misuses of Loss Data
      - “Relevance” in the Context of External Data
          - Think carefully before selecting “relevant” data points from an external database based on the question, “Is this organization similar to my organization in terms of control quality?”
  47. Categorizing Operational Losses
      [Diagram labels: Transaction; Inadequate Supervision; Reputation; Insufficient Training; Compliance; Poor Management; Execution; Information; Relationship; Unauthorized Activities; Legal; Fixed Cost Structures; Settlement; Key man; Theft; Fraud; Fiduciary; Customer; Business Interruption; Technological; Lack of Resources; Criminal; Rogue Trader; Physical Assets; Sales Practices; People]
  48. Categorizing Operational Losses
      - ‘Event’ based categorization
          - The BIS framework is designed to be an event-based approach.
          - The risk universe, however, consists of three independent dimensions: causes, events, and consequences.
          - It’s more logical to look at ops losses in a cause/effect matrix framework.
          - Such an approach helps evolve better, valid and consistent controls.
  49. Categorizing Operational Losses
      - CAUSES
          - Inadequate segregation of duties
          - Insufficient training
          - Lack of management supervision
          - Inadequate auditing procedures
          - Inadequate security measures
          - Poor systems design
          - Poor HR policies
      - EVENTS
          - Internal Fraud
          - External Fraud
          - Employment Practices & Workplace Safety
          - Clients, Products & Business Practices
          - Damage to Physical Assets
          - Business Disruption & System Failures
          - Execution, Delivery & Process Management
      - CONSEQUENCES
          - EFFECTS (Monetary Losses)
              - Legal Liability
              - Regulatory, Compliance & Taxation Practices
              - Loss or Damage to Assets
              - Restitution
              - Loss of Resources
              - Write-down
          - OTHER IMPACTS
              - Reputation
              - Business Interruption
              - Forgone Income
  50. Managing Ops Risk
      - An operational risk framework
  51. Managing Ops Risk
      - An operational risk framework
      - Operational risk strategy comprises both
          - the “top-down” process of capital allocation and
          - clear guidance for the “bottom-up” processes of risk identification, assessment, management, reporting and supervision, and governance arrangements that constitute the management framework.
      - Setting the risk tolerance/risk appetite
          - Bottom-up and top-down approaches.
  52. Managing Ops Risk
      - Organizational Structure
      - Two key goals need to be reflected in an organizational structure for operational risk:
          - The agreement that operational risk cannot be confined to specific organizational units (unlike market risk) but remains largely the responsibility of line managers and some defined special or support functions (such as IT, HR, legal, internal audit, or compliance).
          - The division of duties among management, an (often to be established) independent risk management function, and internal audit.
  53. Managing Ops Risk
  55. Managing Ops Risk
      - Reporting
      - Ops risk reporting has to cover two distinct aspects:
          - Delivery of defined, relevant operational risk information to management and risk control.
          - Reporting of information aggregated by risk category to business line management, the board and the risk committee.
      - Whereas the first type of information contains predominantly “raw” data such as losses, near misses, indicators, and risk assessment results, the second reflects aggregated, structured, and often analyzed information designed to provide each level of management with what it needs to enable better operational risk management.
  56. Managing Ops Risk
      - Reporting Framework
  57. Managing Ops Risk
      - Reporting Framework
  58. Managing Ops Risk
      - Definitions, Linkages, and Structures
      - The development of definitions, linkages, and structures can help enable banks to efficiently identify, assess, and report such operational risk-related information. Definitions, linkages, and structures thus form the basis of consistent databases that can help enable banks to maintain data that remains meaningful over time.
      - The endeavor helps to clarify the scope of operational risk and avoid differing interpretations as well as identify sub-categories and boundaries with other areas of risk (especially credit and market).
      - Finally, comparisons between different sources of information (e.g., risk assessment, loss data collection, key risk indicators) can be conducted on a consistent basis, which leads to the ability to draw more powerful conclusions from the otherwise probably too-sparse data.
  59. Managing Ops Risk
      - Risk assessment
      - Risk assessment provides banks with a qualitative approach to identifying potential risks of a primarily severe nature.
      - As a tool that helps enable identification, risk assessment picks up where loss data collection leaves off. Indeed, it helps fill the knowledge gap left by backward-looking and often sparse loss data and attempts to establish risk-sensitive and forward-looking identification of operational risk.
      - The basic structure of a risk assessment is universal: a set of matrices identifying and assessing operational risk and its subcomponents in terms of likelihood and impact of occurrence, based on a defined risk appetite.
  60. Managing Ops Risk
      - Risk assessment – A typical risk profile
  61. Managing Ops Risk
      - Key Risk Indicators
      - The bank should assess aspects of operational risk based on key risk indicators (KRIs): factors that may provide early warning signals on systems, processes, products, people, and the broader environment.
      - Monitoring should also look at broader business-related KPIs, to have a better understanding of the future direction of the bank and related risks.
      - The monitoring mechanism should be devised in such a way that it enables the cross-referral of KRIs and makes for easy identification of correlations.
  62. Managing Ops Risk
      - Key Risk Indicators
      - The monitoring must show the KPIs as trends and not just as one-off figures. What is of interest to management is the ways in which the KPIs change over time and not just the absolute figures.
  63. Managing Ops Risk
      - KRIs – a scorecard approach
  64. ‘Standards’ based approach to Ops risk
      - There are mature frameworks from other industries upon which the processes of Operational Risk Management could be based.
      - In particular, there are two risk management standards, AS/NZS 4360:2004 and COSO/ERM, that, alone or in combination, could satisfy the requirements of Basel II for systems that are ‘conceptually sound’; and
      - The adoption of operational risk management processes that are based on proven, practical and usable standards should reduce the overall costs to the industry of complying with Basel II.
  65. ‘Standards’ based approach to Ops risk
      - The AS/NZS 4360:2004 Framework
  66. ‘Standards’ based approach to Ops risk
      - The AS/NZS 4360:2004 Risk Management Process has seven main ‘elements’:
          - Establish the Context: for strategic, organisational and risk management and the criteria against which business risks will be evaluated.
          - Identify Risks: that could “prevent, degrade, delay or enhance” the achievement of an organisation’s business and strategic objectives.
          - Analyse Risks: consider the range of potential consequences and the likelihood that those consequences could occur.
          - Evaluate Risks: compare risks against the firm’s pre-established criteria and consider the balance between potential benefits and adverse outcomes.
  67. ‘Standards’ based approach to Ops risk
      - The AS/NZS 4360:2004 Risk Management Process has seven main ‘elements’:
          - Treat Risks: develop and implement plans for increasing potential benefits and reducing potential costs of those risks identified as requiring to be ‘treated’.
          - Monitor and Review: the performance and cost effectiveness of the entire risk management system and the progress of risk treatment plans with a view to continuous improvement through learning from performance failures and deficiencies.
          - Communicate and Consult: with internal and external ‘stakeholders’ at each stage of the risk management process.
  68. ‘Standards’ based approach to Ops risk
      - The COSO ERM Framework
          - The COSO Enterprise Risk Management (ERM) – Integrated Framework defines ERM as a process, “effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
          - The COSO/ERM Framework consists of eight ‘components’ organized by four ‘objectives’: Strategic; Operations; Reporting; and Compliance. As befits an ‘enterprise’ or ‘portfolio’ approach to risk management, the third dimension of this ERM matrix/cube is organizational: Subsidiary; Business Unit; Division; and Entity.
  69. ‘Standards’ based approach to Ops risk
      - The COSO ERM Framework
  70. ‘Standards’ based approach to Ops risk
      - The eight ‘components’ of the ERM process are (COSO 2004):
          - Internal Environment: establishing the ‘tone’ of an organization, including “risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate”.
          - Objective Setting: ensuring that “management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite”.
          - Event Identification: identifying internal and external events that could impact the achievement of a firm’s objectives (both positively and negatively).
          - Risk Assessment: analysing risks “considering likelihood and impact, as a basis for determining how they should be managed.”
          - Risk Response: selecting ‘risk responses’ and developing “a set of actions to align risks with the entity’s risk tolerances and risk appetite”.
          - Control Activities: establishing and implementing policies and procedures “to help ensure the risk responses are effectively carried out.”
          - Information and Communication: identifying, capturing and communicating information that is relevant “in a form and timeframe that enable people to carry out their responsibilities.”
          - Monitoring: monitor the risk management process itself, modifying it as necessary.
  71. ‘Standards’ based approach to Ops risk
      - Basel II and the standard frameworks
          - Basel II identifies the responsibilities of the independent Operational Risk Management function as “developing strategies to identify, assess, monitor and control/mitigate operational risk”. These responsibilities map directly onto the AS/NZS 4360 and COSO frameworks as shown in the table in the next slide.
  72. ‘Standards’ based approach to Ops risk
      - Basel II and the standard frameworks
  73. ‘Standards’ based approach to Ops risk
      - Advantages of adopting a Standards Based Framework
          - Cost Savings
          - Risk Reduction
          - Training and Education
          - Resources
          - Independent Expertise
          - IT Systems
          - Outsourcing
  74. Basel II – Challenges & pitfalls
      - Challenges
          - Organizational Sponsorship
          - Business Line Buy-in and Resources
          - Coordination with Existing Control Initiatives
          - Development of Loss Databases
          - Well-Designed Methodologies and Models
          - Access to Appropriate Information and Reporting
      - Mistaking Operational Risk for Market or Credit Risk
  75. Basel II – Challenges & pitfalls
      - Pitfalls
          - Waiting for the regulators to provide detailed guidance and lay out an implementation road map
          - Failing to make the link between information, technology, risk management and the business
          - Attempting to build a Basel II infrastructure without data and technical architecture road maps
          - Underestimating the magnitude of cultural change that Basel II requires
  76. THANKS!
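
The Standardized and Alternative Standardized calculations from slides 19 to 22, worked as an added Python example (not part of the original deck). The function names, income figures and loan figures are constructed for illustration; the per-year floor at zero follows the Basel II framework text, which the slides reference without spelling out, and adding the loan-based and income-based parts together in `asa_charge` is an assumption about how the two are combined.

```python
"""Operational-risk capital charge under the Standardized Approach (TSA) and
the Alternative Standardized Approach (ASA), using the beta factors from
slide 20 and the constant m = 0.035 from slide 21. All sample figures are
constructed (think: millions of local currency)."""
from statistics import fmean

# Beta factor per business line, as listed on slide 20.
BETA = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}
M = 0.035  # fixed factor applied to loans and advances under the ASA
LOAN_BASED_LINES = ("retail_banking", "commercial_banking")


def yearly_charge(gross_income, lines=None):
    """Sum of beta x gross income over the chosen business lines for one year.

    Unknown line names are rejected: a misspelled key would otherwise drop
    that income silently and understate the capital charge.
    """
    unknown = set(gross_income) - set(BETA)
    if unknown:
        raise ValueError(f"unknown business line(s): {sorted(unknown)}")
    lines = BETA.keys() if lines is None else lines
    return sum(BETA[line] * gross_income.get(line, 0.0) for line in lines)


def tsa_charge(years):
    """Three-year average of the yearly sums; a negative year counts as zero
    (the floor comes from the Basel II framework text, not from the slides)."""
    if len(years) != 3:
        raise ValueError("exactly three years of gross income are required")
    return fmean(max(yearly_charge(year), 0.0) for year in years)


def asa_line_charge(line, avg_loans):
    """K = beta x m x LA for retail or commercial banking (slide 21), where LA
    is outstanding loans and advances averaged over the past three years."""
    if line not in LOAN_BASED_LINES:
        raise ValueError(f"{line} keeps gross income as its indicator")
    if avg_loans < 0:
        raise ValueError("loans and advances cannot be negative")
    return BETA[line] * M * avg_loans


def asa_charge(years, avg_loans):
    """ASA total: income-based part for the other six lines plus the
    loan-based part for retail and commercial banking (assumed additive)."""
    if len(years) != 3:
        raise ValueError("exactly three years of gross income are required")
    other = [line for line in BETA if line not in LOAN_BASED_LINES]
    income_part = fmean(max(yearly_charge(y, other), 0.0) for y in years)
    loan_part = sum(asa_line_charge(l, avg_loans[l]) for l in LOAN_BASED_LINES)
    return income_part + loan_part


# Constructed sample: year 2 carries a large trading loss, so its weighted
# sum is negative and contributes zero to the three-year average.
_BASE = {
    "corporate_finance": 100.0, "trading_and_sales": 200.0,
    "retail_banking": 500.0, "commercial_banking": 300.0,
    "payment_and_settlement": 50.0, "agency_services": 20.0,
    "asset_management": 30.0, "retail_brokerage": 10.0,
}
SAMPLE_YEARS = [
    dict(_BASE),
    {**_BASE, "trading_and_sales": -1500.0},
    {**_BASE, "trading_and_sales": 100.0},
]
SAMPLE_LOANS = {"retail_banking": 10000.0, "commercial_banking": 8000.0}

if __name__ == "__main__":
    for i, year in enumerate(SAMPLE_YEARS, start=1):
        print(f"year {i} weighted sum: {yearly_charge(year):.1f}")
    print(f"TSA charge: {tsa_charge(SAMPLE_YEARS):.1f}")
    print(f"ASA charge: {asa_charge(SAMPLE_YEARS, SAMPLE_LOANS):.1f}")
```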