


Published in: Business, Economy & Finance


  1. Mitigating Operational Risk Exposure: Risk Transfer Solutions. ABA OPERATIONAL RISK MANAGEMENT FORUM, April 17th 2008. Michel Rochette, MBA, FSA, ENTERPRISE RISK ADVISORY, LLC
  2. Topics • Context and recent developments • Opportunities to go beyond Basel II compliance • Op risk mitigation environment: – Self mitigation – Self insurance – Risk transfer: • Insurance mitigation • Alternative risk transfer: Captives • Capital markets solutions • Case: Insurance mitigation optimization
  3. Context: “Regulators are becoming concerned that banks may seek to manage the [Operational Risk Capital] charge rather than to manage the risk itself” Susan Schmidt Bies, Federal Reserve Board Governor, New York, March 29, 2006
  4. Reminder: Sound Practices Paper, BIS 2003 • Development of an appropriate op risk mgt environment: – Board level & management with clearly defined roles. • Risk Management: – Identification – Assessment – Mitigation & monitoring – All material activities, products, processes and systems covered – Monitor operational risk profile – Policies/processes/procedures to manage the risk – Must choose appropriate risk mitigation strategies in light of their risk appetite.
  5. Operational Risk: Basel II Compliance View. [Diagram: risks grouped into Strategic, Operational, Financial and Business quadrants, with the Basel II scope marked. Labels: Internal processes; System failure; Internal/External Fraud; Employment practices: Health & Safety / Loss of Key People; Clients/products/Business practices; External incident; Legal impact included; Insurance allowed as mitigant; Other risk mitigation integrated; Attracting & retaining talent; Competition; Managing organizational change; M&A/business diversification; New product strategy; New market strategy; Outsourcing and supplier chain; Governance of risk; Brand/Reputation; Corporate social responsibility; Production volumes/pricing; Loss of Intellectual property; Interest rates; Credit environment; Liquidity; FX environment; Equity environment; Financial liabilities.]
  6. Operational Risk: ERM View. [Diagram: risks grouped into Strategic, Operational, Financial and Business quadrants, with the Basel II scope marked. Labels: Internal processes; System failure; Internal/External Fraud; Employment practices: Health & Safety / Loss of Key People; Clients/products/Business practices; External incident; Legal impact included; Insurance allowed as mitigant; Other risk mitigation integrated; Attracting & retaining talent; Competition; Managing organizational change; M&A/business diversification; New product strategy; New market strategy; Outsourcing and supplier chain; Governance of risk; Brand/Reputation; Corporate social responsibility; Production volumes/pricing impact; Loss of Intellectual property; Interest rates; Credit environment; Liquidity; FX environment; Equity environment; Financial liabilities.]
  7. AON 2007 Global Risk Survey: Most risks are operational! [Bar chart] Damage to Reputation 48%; Business interruption 70%; Third party liability 75%; Distribution or supply chain failure 63%; Market environment 35%; Regulatory/legislative changes 41%; Failure to attract or retain staff 55%; Market risk 56%; Physical damage 77%; Merger/acquisition/restructuring 69%; Failure of disaster recovery plan 65%
  8. US Regulators’ Expectations: AMA • Risk-Based Capital Standards. – Applies to IRB and AMA only at this time. – Banks with $250 billion US+ in consolidated assets: Core. – Other banks may adopt this new framework: Opt-in. – Standardized approach for general banks will be finalized in Q1 2008 with qualifying criteria. • Compliance and op risk must be analyzed together: – Definition of loss is consistent with Basel II including legal losses. – Legal loss: litigation, settlements, fines resulting from failure to comply with laws, regulations, prudent ethical standards, contractual obligations in any aspect of the bank’s business. – May also explain industry interest to implement GRC/ERM.
  9. AMA – Designing Compliant Policies • Policy minimum requirements: – be provided by underwriters with a claims paying ability rated in one of the three highest categories – an initial term of at least one year and a residual term of more than 90 days; – have a minimum notice period for cancellation of 90 days; – have no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed bank. • Additional requirements: – cover must be linked to specific operational risk/s. – appropriate discounts to the value of the policies must be calculated for: • the cancellation terms of the policy, if less than 1 year • any uncertainty or delay in the payment of claims; • instances where the residual term of a policy is less than one year. The discount becomes 100 percent in the last 90 days of the policy period.
  10. Insurers’ Claims Paying Abilities (minimum rating per agency) • Standard & Poor’s, Long-Term Insurer Financial Strength Rating: ability to pay under insurance policies and contracts in accordance with their terms. Rating: A • Moody’s, Long-Term Insurance Financial Strength Ratings: company’s ability to meet its senior policyholder claims and obligations. Rating: A • Fitch, Insurance Financial Strength Ratings: ability to meet obligations on a timely basis. Rating: A • Best, Financial Strength Ratings: financial strength and ability to meet ongoing obligations to policyholders. Rating: B++, B+ • Source: UK FSA
  11. US Regulatory Criteria for Other Mitigant • Regulators are open to other risk mitigant approaches if: – FI must calculate its operational risk exposure. – Mitigant must be able to absorb losses with sufficient certainty. – Must receive prior written approval. • Mitigant must cover potential operational losses in a manner consistent with holding regulatory capital. • Regulators will consider other risk mitigant in due course on “the basis of growing experience”. – Insurance industry has that experience. – Not necessary to reinvent the wheel. – European regulators are taking a fresh analysis of op risk mitigant.
  12. Managing Operational Risk Beyond Compliance • Opportunity: – Operational risk is viewed horizontally (end-to-end process), originating within some business units but impacting the value of the whole organization. – Operational risk takes into account: • direct, indirect and opportunity losses. • a forward-looking and risk-based approach. • Regulatory (Basel II): – Losses related to people, process, systems and external events. – Focuses only on direct losses including legal claims (litigation, settlement & fines). – Excludes reputation and business aspects. – For many companies, most of their value comes from their reputation.
  13. Managing Operational Risk: Improved Performance • Firms can better estimate their company-wide operational risk tolerance on their financial value, not just their regulatory capital. • Firms can assess the cost/benefit of implementing “controls” to reduce their operational risk exposure within their desired risk tolerance, thus better managing their economic capital. • Firms can better integrate insurance, other op risk mitigant, compliance in the overall op risk framework instead of keeping them separate. • Firms can create financial incentives for business units to invest time/money/efforts to manage the operational risk under their control by: – Integrating its cost in prices of product. Usually not done at this time. – Measuring performance taking into account operational risk capital allocated. RAROC type measures.
  14. Managing Operational Risk: Improve your Business • Firms become more resilient to operational risk shocks. Can turn around more quickly. • Firms can better communicate to their stakeholders both in advance and after a major operational risk shock: – Can demonstrate that they are in control! → reputation. – Firms gained market share by managing and communicating well an operational risk failure. • Firms keep operational risk on their radar screen continuously (forward looking) instead of thinking about it when an event happens. Frequency of major disruptions is decreasing. • Improved internal communications: – Just relying on your “quants” to assess operational risk without the involvement of the business units creates moral hazard.
  15. Operational Risk Mitigant Environment. [Diagram: mitigants (Yearly Profit/Internal Controls, Purely Self Insurance, Insurance/ART, Insurance/Capital Mkts) placed along the loss range Expected, Unexpected, Catastrophic.]
  16. Benefits of Integrating Operational Risk Mitigant • Business perspective: – Your institution is NOT in the business of managing op risk. → Low TOLERANCE for this risk. – Insurance is in the business of managing op risk. → APPETITE for op risk. – These businesses are complementary, should work together and be more integrated internally. – This trend is observed more and more. • Regulatory perspective: – “Agencies will take into account whether a particular operational risk mitigant covers potential operational losses in a manner equivalent to regulatory capital”. – Mitigant would cover insurance and other approaches subject to certain minimum qualifying criteria.
  17. Universe of Op. Risk Mitigation: Characteristics • Internal management: controls – Implemented without much consideration of the costs involved. – Embedded in the AMA calculations through control effectiveness scores. • Self insurance: – Calculating and allocating regulatory capital for op risk is a form of self insurance by banks. – “Insurance” is direct if calculated by AMA. – “Insurance” is indirect if embedded in the regulatory credit capital as traditionally done by banks in the general regulatory rules. • Insurance: – Always existed. – Private and public solutions. – Not integrated very often with operational risk groups. – Standard policies don’t always match. – Optimization of the insurance buying decision in relation to the operational risk exposure is not usually done.
  18. Universe of Op. Risk Mitigation: Characteristics (continued) • Alternative Risk Transfers (ART): – Used by companies to mitigate risks that the traditional insurance markets cannot cover. – Probably already used by some of your institutions without your knowledge! – Covers services like Captives for op risks like workers comp and external events. • Capital markets solution: – In existence for some op risks, mostly external events. – Some op risks are securitized like CAT Bonds. – Cover both risk transfer and risk finance solutions. – More talk in the industry about op risk derivatives.
  19. Operational Risk Mitigant Environment. [Diagram: Yearly Profit/Internal Controls highlighted along the loss range Expected, Unexpected, Catastrophic.]
  20. Self Mitigation: Annual Profits/Internal Controls • Estimate distribution of op risk exposure: – Gross op risk exposure – Exposure net of internal control business factors (“internal mitigant”) • Regulation: FI must obtain an estimate of EOL: – Expected and predictable average annual op risk losses for a given risk category. – Can be covered by op risk “offsets” • Internal business practices. • Reserves if allowed by GAAP. • FI should compare cost of internal business practices and average annual losses in order to maximize company value.
  21. Operational Risk Mitigant Environment. [Diagram: Purely Self Insurance highlighted along the loss range Expected, Unexpected, Catastrophic.]
  22. Self Insurance Mitigation • Estimate distribution of op risk exposure: – Gross op risk exposure – Exposure net of internal control business factors (“internal mitigant”) • Regulation: – FI must self insure to a 99.9% 1-yr VAR, UOL. – Existing regulatory rules (general rules) cover op risk indirectly in the credit risk capital rule. • Traditionally, rule of thumb was that 20% of credit losses were in fact operational risk, not credit risk. – If your bank is AMA or non AMA, you pay for op risk! – If AMA, op risk capital will be explicit, credit capital will be reduced. – If not AMA and not managing op risk, your credit capital will be higher.
  23. Self Insurance (AMA) vs. Insurance. AMA side: • AMA Op risk capital: – Internal and external loss data with recoveries of at least 5 years. – Control Environment – Scenarios for unexpected situations. – Forward looking component of AMA. – Dependence allowed only if can be justified. • Other qualifying criteria: – Internal op risk group – Validation – Ongoing qualification – Documentation – Collection of loss data. • Boundaries between credit and operational: – Treated as credit risk losses. Insurance side: • Underwriting of insurance uses the same elements: – Company internal loss data. – External data from insurance industry loss database with loss development factors: recoveries extend more than 5 years. – Forward looking assessment based on industry knowledge – Brokers assess dependence through insurance quotes. • Bank’s diversified risk groups: – internal risk management – Insurance brokers – IT/project management groups – Validation done annually when insurance renews. – Already collecting loss data. • Insurance underwriting would assess root cause.
  24. Operational Risk Mitigant Environment. [Diagram: Insurance highlighted along the loss range Expected, Unexpected, Catastrophic.]
  25. US Op Risk Requirements vs. Insurance. US op risk requirements: • Definition of op risk loss: – All expenses associated with a loss event except: • Opportunity loss • Foregone revenues • Costs to enhance/correct/prevent future op. risk events. • No prescribed methodology: – Most banks use LDA. • Op. Risk Capital is like self-insuring the risk. Insurance: • Insurance is to indemnify: – Regulatory definition of loss is similar to insurance definition of loss. • Insurers’ pricing methods: – ALL use LDA – EOL = Deductible – UOL = What insurers usually pay. • Insurance is contingent capital to your bank.
  26. US Regulatory Limitations of Insurance • Risk Based Capital Relief of insuring some op risk exposure, MAXIMUM of: – Op. Risk Exposure adjusted for qualifying op risk mitigant minus offsets (if any) – 80% * (op risk exposure – offset). • Implications: – If your institution is an AMA, regulatory relief of integrating mitigant is limited but not the business benefit. – If your institution is not AMA, better managing op risk will reduce your “indirect” op risk capital that is embedded in the credit capital through a better management of the premiums/costs of your traditional insurance coverages.
  27. Operational Risk Mitigant Environment. [Diagram: ART highlighted along the loss range Expected, Unexpected, Catastrophic.]
  28. ART: Captive • A captive is a dynamic, flexible insurance tool that exists primarily to reduce the cost of a company’s overall exposure to retained risk by underwriting and funding selected risks of its parent and affiliates. • Captives take many forms but most are single-parent entities that insure risks of their affiliates and sometimes related third parties. • Unless reinsurance markets are accessed, captives are NOT risk transfer vehicles. • Not considered insurance companies by NAIC.
  29. Client Captives by Industry: Services (i.e. Education, Health, Legal, Recreation) 23.2%; Finance, Insurance and Real Estate 23%; Manufacturing 22.6%; Utilities, Transport and Comms. 10.5%; Retail Trade 7.6%; Construction 5%; All others 8.2%. Global Total: 1,386. Source: AGIM 2006 Captive Statistics. Note: Industry sectors as per global SIC codes
  30. Benefits of Captives • Manage business risk exposures • Reduce the cost of risk retention • Provide difficult to obtain coverage: fill the gaps in standard commercial insurance. • Augment capacity • Generate underwriting capacity • Co-ordinate international insurance programs • Capture insurance-related profits • Improve risk management, especially for non traditional risks, as captives are tailored. • Achieve state tax efficiencies • Access reinsurance market.
  31. Types of Captives vs. Op Risk • TRIA: External Events • Employee Personal Lines: People Risk • Property Risk: External Events • Environmental Liabilities: Legal risk of many op risk. • Product liability: Product flaws of op risk • Could tailor op risk to captives.
  32. Operational Risk Mitigant Environment. [Diagram: Insurance/Capital Mkts highlighted along the loss range Expected, Unexpected, Catastrophic.]
  33. Capital Markets Solutions: Overview (comparison of three types) • Insurance: Credit Quality: varies by counterparty; Term: one-year; Payment Trigger: indemnity; Covered Perils: virtually any op risk. • Risk transfer (Securitization/ILS/Exotic Ins Structures/Op Risk Derivative): Credit Quality: collateralisation; Term: single/multi yr.; Payment Trigger: index based; Covered Perils: natural/man-made risks. • Contingent Capital (CAT Bond for liquidity): Credit Quality: varies by counterparty; Term: single/multi yr.; Payment Trigger: pre-defined, timely issuance of securities; Covered Perils: natural/man-made risks.
  34. Capital Markets Solution: Aon’s CLIP. [Diagram: exposure against type of risk. Labels: Overall operational risk capital; Capital optimisation; Catastrophic Loss Insurance Programme; Group Capital Optimisation; Earnings volatility reduction; Insurance Programme; Business level P&L; Captive Management; Retained exposures / capital; BU Deductibles.]
  35. CLIP structure • Key characteristics – Coverage linked to event types – Probability of coverage • 70% - 80% – Policy duration • Multi-year – Claims Protocol, addressing • Clarity of coverage • Payment timeliness – Minimum security rating A – Price driven by underlying exposures
  36. Traditional Insurance vs. CLIP. Traditional Insurance: • Limited capacity • Wording difficult to map • In excess of 40 exclusions • Negligible regulatory capital relief • Performance: average period from Act Start to Payment: 2,215 days (loss event to claim: 817; claim made to settlement: 1242; settlement to payment: 156). Average period from Settlement to payment: 156 days. CLIP: • Catastrophe excess solution • Access to significant capacity • Insuring clauses as per your event types • Fewer exclusions • Claims protocol and broader coverage • CatEPut provides capital injection while insurance liability determined • Maximum regulatory capital relief
  37. Summary of Risk Transfer Solutions (Type of Exposure: Expected, Unexpected, Catastrophic; by Level of Exposure, Risk Solution and Advantages) • Low: Yearly Profits/Internal controls. Advantages: Operating Group focus; Efficient. • Medium: Yearly profits/controls/ART. Advantages: Cash flow; Diversification. • High: ART, Self Insure, Insurance. Advantages: Pooling; Established Mechanism. • Catastrophic: Capital markets, government, insurance & capital market hybrid. Advantages: Long-term; Access to very large pool of capital.
  38. Insurance Mitigation Optimization: “Severity is painful, frequency is lethal.” Greg Case, CEO Aon, World Insurance Forum, Dubai, March 2008
  39. Qualitative Mapping: • Benefits: – Reduce mismatch & uncertainty of payments → lower discounts of insurance in the AMA calculations → lower regulatory capital. • How: – Aligning op. risk and insurance terminologies. – Aligning your internal risk language and insurance policy wording. – Assess coverage taking into account exclusions to your operational risk framework. – In some cases, insurance will cover more than the regulatory definition of op risk. • Ex. Business Interruption insurance covers loss of business, which is clearly excluded from the regulatory definition. – Take into account public sources of insurance as well: • Workers Compensation • US Terrorism Coverage • US flood insurance
  40. Ex. of Mapping of Insurance to Op. Risk (Event Type Level 1 • Event Type Level 2: Mapping to Policies) • Internal Fraud – Unauthorised activity: 1st ~ BBB, UT; 3rd ~ PI – Theft & fraud: 1st ~ BBB, Cyber, Property; 3rd ~ PI • External Fraud – Theft & fraud: 1st ~ BBB, Cyber, Property; 3rd ~ PI – Systems Security: 1st ~ BBB, Cyber, Property; 3rd ~ PI • Employment Practices & Workplace Safety – Employee Relations: 3rd ~ EPL, GL – Safe Environment (Employees): 3rd ~ EL, GL – Safe Premises (Invitees): 3rd ~ GL – Diversity & Discrimination: 3rd ~ PI, GL • Clients, Products & Business Practices – Suitability, Disclosure & Fiduciary: 3rd ~ PI, Cyber – Improper Business / Market Practices: 3rd ~ PI, Cyber, GL – Product Flaws: 3rd ~ PI, GL – Selection, Sponsorship & Exposure: 3rd ~ PI – Advisory Activities: 3rd ~ PI, Cyber • Damage to Physical Assets – Disasters & Other Events: 1st ~ Property • Business Disruption & Systems Failure – Systems Failure: 1st ~ Property, Cyber, BBB; 3rd ~ Cyber • Execution, Delivery & Process Management – Transaction Capture, Execution & Maintenance: 3rd ~ PI – Monitoring & Reporting: 3rd ~ PI – Customer Intake, Documentation: 3rd ~ PI – Customer Account Management: 3rd ~ PI, Cyber – Trade Counter-parties: 3rd ~ PI – Vendors & Suppliers: 3rd ~ PI, GL
  41. Qualitative Insurance Mapping: Privacy Breach • Events covered by the policy: – Costs of computer damage itself • Maps to Business Disruption and systems failures exposure. – Costs to notify and reimburse clients for losses – Costs to repair credit damage of clients – Costs to reimburse credit card companies – Costs to cover crisis management: • Creating websites • Setting up call centers to inform the public • Hiring public relations firms • More coverage than regulatory op risk definition. – Costs to cover litigation/fines of privacy laws/regulators • Not part of operational regulatory definition but would be part of your compliance department! • All would map to External Fraud / Systems Security / Theft of Information exposures.
  42. Quantitative Mapping: • Assess frequency of op risk exposure and frequency of payment by insurance. • This reflects policy wording and exclusions. • Insurance is based on fortuity. • Assess severity of op risk loss to ultimate reimbursement by insurance. This is based on definition of covered op risk losses (single loss or aggregate loss) and by the insurance loss development factors. • Some insurance coverages have a better “hedge ratio” than others. – Ex. Flood insurance pays better than fraud related policies. • Assess timing of op risk loss to timing of payment by insurance. – Insurance being based on indemnification, time necessary to estimate loss. – Impact of insurance on your liquidity position.
  43. Ex. of Payout Discount • Analysis of historical Bankers’ Blanket Bond claims. Average period from loss event to payment: 330 days (loss event to claim: 69; claim made to settlement: 237; settlement to payment: 24). Average period from settlement to payment: 24 days. Source: Aon claims data – 175 claims
  44. Insurance Mitigation: Overall Mitigation Benefit. [Chart: OpRisk Measurement; distribution of risks against loss value, with Pre-Management, Post-Management and Post-Mitigation curves.] The tail may still be fat, but the curve is flatter
  45. Questions. Michel Rochette, ENTERPRISE RISK ADVISORY,