A Higher Standard for Risk Professionals
www.prmia.org

The New Basel Capital Accord
Background, basics, implementation problems and some solutions – from a Pillar II & operational risk view
– David Millar, COO, PRMIA
Basel II – created by the Basel Committee on Banking Supervision, hosted by the Bank for International Settlements
• The BIS is the original cross-border financial institution
  – Members are the central banks or monetary authorities of 54 countries plus the European Central Bank
• Advisory, not regulatory
  – Formulates supervisory standards and best practice
  – Has no supranational authority (that rests with local supervisors)
  – Through committees of national experts, makes recommendations to the financial community aimed at strengthening the international financial system
  – Members agree to adopt the standards as the basis of their regulatory processes (at varying levels)
  – Used by most of the rest of the world, and their regulators
  – Accepted by the banking community as the standard of good practice (and of a desirable counter-party)
Created standards on capital
• Basel Capital Accord (Basel I)
  – In 1988 the Basel Committee on Banking Supervision recommended a risk-weighted capital ratio for internationally active banks
  – This set minimum standards of capital adequacy
• A "New Capital Accord" (Basel II) proposed in 1999
  – Extended to cover supervisory review and disclosure requirements
  – Final (revised) version, updated November 2005 (over 100 countries are to implement it, but in the US it is still under discussion)
  – The complete Accord will take effect from 2007 (earliest participants)
BASEL II overview – The Three Pillars
Requirements are common to all regulated firms. Only the Pillar 1 approach varies; otherwise a firm must comply with all of it.
1. Capital Requirements – calculated on the basis of credit, market and operational risk. Many options on the approach to calculation of capital requirements.
2. Supervisory Review Process – operational control and compliance with Pillar 1 requirements.
3. Disclosure & Market Discipline – capital adequacy and risk control processes and results will be disclosed.
Implications on, and requirements for, systems, processes & people.
(Figure: scope of application across a group structure. Entities shown: Diversified General Industrial Group; Holding Company; Internationally Active Banking Group; Internationally Active Bank; Internationally Active Specialist Bank; Domestic Bank; Securities Firm; Special Purpose Vehicles.)
(1) Boundary of the predominantly banking group. Basel II is applied at this level on a consolidated basis, i.e. up to holding company level (financial enterprise-wide).
(2), (3) & (4): Basel II is also applied at lower levels to all internationally active banks on a consolidated basis.
Pillar 1 requirements
• Defines capital requirements,
• Credit/market risk are major issues for all; operational risk-derived capital requirements are an issue for major players,
• Complex considerations for large global institutions (risk and the resulting capital requirements are calculated at transaction level),
• Simpler for medium/small firms (can simply be a factor of a business volume indicator such as total revenue or funds under management),
• The object is (at least in the early years) not to create extra costs for firms but to reward those who manage their financial risk well.
Choice in capital approach
Credit Risk
  Basic – 'Standardised': successor to the 1988 Accord with some additional sensitivities.
  Intermediate – 'Foundation' Internal Ratings-Based: portfolio split by category of exposure; inputs from institution and supervisor.
  Advanced – 'Advanced' Internal Ratings-Based: as for Foundation, but all parameters calculated by the institution.
Market Risk
  No major change to the current approach.
Operational Risk
  Basic – 'Basic Indicator': capital charge based on a single risk indicator scaled by one fixed factor (α).
  Intermediate – 'Standardised': capital charge based on the sum of 8 business-line risk indicators, each scaled by a factor (β) set by the regulators for that business line.
  Advanced – 'Advanced Measurement': capital charge by business line, internally calculated and varying with the level of risk.
Adoption may be progressive (Basic to Intermediate to Advanced) or fragmented.
Pillar 2 requirements
• Is a supervision and standards issue,
• Governance and operational risk management, the establishment of a risk culture in a firm, are the main components,
• A minimum level is required of all firms,
• Requires procedures, standards and systems – incident management is essential,
• Applies stricter standards regarding risk history and the use of external loss event databases to those wishing to use the advanced methods of capital requirements calculation,
• Allows supervisors to vary (increase?) the capital requirements.
Basel's four principles of supervisory review
1. Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.
2. Supervisors should review and evaluate banks' internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take appropriate supervisory action if they are not satisfied with the result of this process.
3. Supervisors should expect banks to operate above the minimum regulatory capital ratios and should have the ability to require banks to hold capital in excess of the minimum.
4. Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored.
Source: International Convergence of Capital Measurement and Capital Standards – A Revised Framework, Updated November 2005
Basel's 10 principles of operational risk
Developing an appropriate Risk Management Environment
1. Involvement of the board of directors.
2. Effective internal audit – operationally independent, trained staff.
3. Senior management to run the operational risk management framework.
Risk Management: Identification, Assessment, Monitoring, Mitigation
4. Identify/assess operational risk in products, processes and systems.
5. Implement processes to monitor operational risk profiles and losses.
6. Have policies and procedures to control and/or mitigate operational risks.
7. Have contingency and business continuity plans in place.
Role of Supervisors
8. Require a framework to identify, assess, monitor and control operational risk.
9. Evaluate policies, procedures and practices related to operational risk.
Role of Disclosure
10. Disclose the approach to operational risk management to the market.
Source: Sound Practices for the Management and Supervision of Operational Risk, Feb 2003, abridged
Pillar 3 requirements
• Market discipline is the disclosure of all the Pillar 1 and Pillar 2 activities (quantitative and qualitative), including significant incidents,
• Simple in practice but many legal concerns,
• Reinforces capital regulation and other supervisory efforts to promote safety and soundness in banks and financial systems,
• Imposes strong incentives on banks to conduct their business in a safe, sound and efficient manner,
• Allows market participants to assess key pieces of information on the scope of application, capital, risk exposures, risk assessment and management processes, and hence the capital adequacy of the institution.
Requirements of disclosure (market discipline)
Disclosures in the New Basel Capital Accord                    Status
Scope of Application                                           Strong recommendations
Capital                                                        Strong recommendations
Credit Risk – general                                          Strong recommendations
Credit Risk – Standardised Approach                            Requirements
Credit Risk Mitigation Techniques                              Requirements
Credit Risk – IRB Approaches                                   Requirements
Market Risk                                                    Strong recommendations
Operational Risk                                               Strong recommendations, requirements in future
Interest Rate Risk in the Banking Book                         Strong recommendations
Capital Adequacy                                               Strong recommendations
Asset Securitisation                                           Requirements
External Credit Assessment Institution (ECAI) Recognition      Requirements
Supervisory Transparency                                       Strong recommendations
Disclosure of operational risk
Probable operational risk areas also to be disclosed:
• Assessment techniques
• Risk recording, monitoring and reporting techniques
• Risk culture procedures
• Major risk events
• Cumulative risk events above threshold
• Risk mitigation processes
• Operational risk capital calculation approach
• Total operational risk capital
• Capital impact of the above risks reported
Disclosure benefits
• A strong marketing position, providing that:
  – The news is not all bad,
  – The audience understands the message,
  – The message is consistent,
  – The message is "believable".
• Improved trading benefits, providing that:
  – Disclosed details match market rumour,
  – Disclosure is ahead of public knowledge,
  – Rating agency views are consistent.
• Strengthened relationship with your supervisor.
• Strong public image.
Disclosure concerns
• Knowing what needs to be disclosed
• Uniformity – the "level playing field"
• Demonstrating compliance and "good citizenship" but not disclosing too much
• Impact of bad news, or perceived bad news, on share or counterparty positions
• Flooding the market with information
• Legal position – counterparty, shareholder, supervisor
• Coordination with accounting standards
• Privacy rulings
Capital considerations
• The financial "group" is assessed as a single unit.
• Supervisors are extending requirements to most firms.
• The bulk of the capital cost is from credit risk.
• Restrictions on the granularity of the capital approach.
• Capital pegged to the original levels for 2 years.
• It may be possible to end up having to allocate more capital under the Standardised Approach (with its extra requirements) than under the Basic Approach!
• Concern from regulators regarding Internal Ratings-Based (IRB) approach models.
• A floor of 90% in year 1 (2008) and 80% in year 2, but talk of "keep the floors in place beyond 2009 if necessary".
• Supervisors may apply bank-by-bank floors and apply a single scaling factor should overall banking capital decline.
• 5 years' data (3 initially) needed.
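A worked example, added here by the editor and not taken from the PRMIA deck, of the two simpler operational-risk capital calculations from the "Choice in capital approach" table, and of the point above that the Standardised Approach can end up requiring more capital than the Basic approach. The formulas and factors are those of the Basel II framework (α = 15% for the Basic Indicator Approach; β of 12%, 15% or 18% per business line for the Standardised Approach, with the negative-income rules of paragraphs 650 and 654); the function names, the two banks and their gross-income figures are the editor's own constructions.

```python
"""Basel II operational-risk capital: Basic Indicator (BIA) vs Standardised (TSA).

Added worked example, not from the PRMIA deck. Formulas are Basel II's:
  BIA: K = alpha * average of the last 3 years' positive annual gross income
       (years with zero or negative income are dropped from numerator and denominator)
  TSA: K = (1/3) * sum over 3 years of max(sum_i beta_i * GI_i, 0)
       (negative line charges offset positive ones within a year; a negative year counts as 0)
The bank figures below are constructed for illustration.
"""

ALPHA = 0.15  # Basic Indicator Approach factor (Basel II value)

# Standardised Approach betas per Basel II business line (Basel II values)
BETA = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}


def basic_indicator_charge(gross_income_by_year):
    """gross_income_by_year: the last three annual gross-income totals."""
    positive = [gi for gi in gross_income_by_year if gi > 0]
    if not positive:
        return 0.0
    return ALPHA * sum(positive) / len(positive)


def standardised_charge(line_income_by_year):
    """line_income_by_year: three dicts {business_line: gross_income}, one per year."""
    yearly = []
    for year in line_income_by_year:
        unknown = set(year) - set(BETA)
        if unknown:  # every line must be mapped to one of the 8 Basel business lines
            raise ValueError(f"unmapped business lines: {sorted(unknown)}")
        charge = sum(BETA[line] * gi for line, gi in year.items())
        yearly.append(max(charge, 0.0))  # a negative aggregate year contributes zero
    return sum(yearly) / 3


def compare(line_income_by_year):
    """Both charges for the same bank, plus whether TSA exceeds BIA."""
    totals = [sum(year.values()) for year in line_income_by_year]
    bia = basic_indicator_charge(totals)
    tsa = standardised_charge(line_income_by_year)
    return {"bia": round(bia, 2), "tsa": round(tsa, 2), "tsa_exceeds_bia": tsa > bia}


# Constructed: a bank earning only in the 18%-beta lines -> TSA above BIA
WHOLESALE_BANK = [
    {"corporate_finance": 60.0, "trading_and_sales": 40.0},
    {"corporate_finance": 60.0, "trading_and_sales": 40.0},
    {"corporate_finance": 60.0, "trading_and_sales": 40.0},
]
# Constructed: a retail-heavy bank with one loss-making year
RETAIL_BANK = [
    {"retail_banking": 80.0, "asset_management": 20.0},
    {"retail_banking": -30.0, "asset_management": 10.0},
    {"retail_banking": 80.0, "asset_management": 20.0},
]

if __name__ == "__main__":
    print("wholesale:", compare(WHOLESALE_BANK))
    print("retail:   ", compare(RETAIL_BANK))
```

The wholesale bank pays 18 under TSA against 15 under BIA, which is the situation the slide warns about. The retail bank shows the opposite effect: BIA discards its negative year entirely, while TSA keeps it as a zero, so the Standardised charge falls to 8 against the same 15.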
Capital adequacy is not all
• Pillar 2 has two objectives:
  – compliance with the higher approaches to capital calculations,
  – sound integrated risk management systems and controls.
• But all regulated organisations must develop:
  – an appropriate risk management environment,
  – risk identification, assessment, monitoring and mitigation/control,
  – regular independent evaluation of policies, procedures and practices.
• … and make sufficient public disclosure to allow the market to assess their approach to operational risk management.
Regardless of Pillar 1 approach
• Even if you go for the Basic Approach to operational risk-derived capital:
  – A risk assessment culture must be created,
  – Credit and operational risks must be monitored,
  – Risk must be tracked,
  – A risk trend history must be created,
  – Risk actions must be disclosed.
… and all will be required from as early as 1 Jan 2007, depending on country and type of firm.
"… additional capital would not be the only answer as capital is not a substitute for appropriate risk assessment practices or adequate internal control processes." Nicholas Le Pan, Chairman of the Basel Committee's Accord Implementation Group, March 2004.
Implementation
Risk theories and regulations
A risk culture
Processes, tools and capital allocation
Rollout considerations
Ongoing maintenance and improvement
From financials to processes
• Credit/market risk relatively mature (liquidity risk is a mystery!)
• Operational risk still immature
• We have little real experience in:
  – Specifying it – What is it? How to recognise and classify it?
  – Setting it up – Involving the users, gaining commitment, regulatory approval, etc.
  – Rolling it out – Collecting accurate data
  – Maintaining it – Feedback, correcting errors, changing classifications, renewing systems, etc.
The Pillar II Maze
(Figure: a maze of implementation stages – Risk theories and regulations; An operational risk culture; Processes, tools, capital allocation; Pillar 1 and III implementations. Stations inside the maze: Create the framework; User involvement; How much data to collect; Regulatory approval; Risk culture; User acceptance; Ensuring clean data; Feedback; Cleaning old data; Updating the system.)
10 implementation issues
Processes, systems and capital allocations are easy – the problems are the "people issues":
1. Creating the framework – consensus on the right risk categorisation structure
2. Getting user involvement – the necessary amount from the right people
3. Deciding on how much data to collect – too little = poor statistics, too much = inaccurate data
4. Gaining regulatory approval – different interpretations/numerics in different jurisdictions
5. Building a risk culture – everyone knows what risk is
6. Achieving user acceptance – "why am I doing this?" "I have better things to do!"
7. Ensuring clean data – completing data correctly
8. Integrating feedback and statistics – to improve the system
9. Cleaning previous data – which may be incomplete
10. Updating the system – changing processes, risk categories (framework) and upgrading systems
An operational risk framework
+ Risk Indicators (KRIs)
Example of risk categorisation (Merrill Lynch Capital)
• 52 risks grouped into categories: People, Financial, Credit, Reporting & Control, Customer Suitability & Servicing, External, Technology, Legal/Regulatory, Reputational (!)
• People risks: Employee Fraud; Resource Management; Involuntary Downsizing / Restructuring / Constrained Resources; Loss of Key Individuals / Teams; Lack of Training / Experience / Knowledge / Ability; Knowledge Capital Risk; Efficiency Risk; Leadership Risk; Authority / Limit Risk; Performance Incentives Risk; Change Readiness Risk; Alignment Risk
People Risk: The risk of loss related to the management and deployment of people, including inappropriate resource management (e.g., lack of training and constrained resources), inappropriate management oversight, employee irregularities, discrimination, harassment and turnover.
What is a loss event?
• Any actual occurrence which causes material loss to an organisation.
• Any actual occurrence which nearly causes material loss to an organisation (a “near miss”).
• Any actual occurrence which is considered likely to cause a material loss in the future (a “predictive incident”).
• Any actual occurrence which, cumulatively with other events, does or could cause a material loss (“causal risk” events).
How to recognise a loss event?
• Experience – "It has happened before"
• Judgement – "I know the business and I think this event will jeopardise its future"
• Effect – "We experienced a loss and this is what caused it"
• Impression – "This nearly caused a loss"
• Comparison – "This matches a previous event which caused a loss"
• Chaining – "This event, although apparently innocuous, caused another loss event to happen"
• Regulation – "I am told this is a significant event which could cause a loss or impact the market"
• Cultural – "This is against public morals and laws, so ought to be a risk and may be a loss"
What to do with a loss event?
• Record the event,
• Measure or assess the effect (cost) of the event,
• Allocate the event to an owner,
• Allocate the event to a part of the organisation,
• Report the event to the appropriate person (or possibly an external body),
• Start a risk mitigation process (what to do so that this does not happen in the future),
• Identify linked ("causing or caused") risk events,
• Update corporate risk statistics,
• Update company procedures and standards (if necessary).
Loss event categories (COSO) – Internal Factors
Infrastructure – Availability of assets; Capability of assets; Access to capital; Complexity; Mergers/acquisitions
Personnel – Employee capability; Fraudulent activity; Health and safety; Judgment; Malfeasance; Security practices; Sales practices
Process – Capacity; Design; Execution; Suppliers/dependencies
Technology – Data (acquisition, maintenance, distribution, confidentiality, integrity); Data and system availability; Capacity; System (selection, development, deployment, reliability)
Loss event categories (COSO) – External Factors
Economic – Capital availability; Credit (issuance, default, concentration); Liquidity (market, funding, cash flow); Market (commodity prices, interest rate, unemployment, indices, exchange rate, equity valuation, real estate values)
Business – Brand/trademark; Competition; Consumer behaviour; Counterparty; Fraud; Industry standards; Ownership structure; Publicity; Product relevance
Technological – Electronic commerce; External data; Emerging technology
Natural Environment – Biodiversity; Emissions, effluents & waste; Energy; Fire; Natural disaster (earthquake, flood, etc.); Sustainable development; Transport; Water
Political – Governmental changes; Legislation; Public policy; Regulation
Social – Demographics; Corporate citizenship; Environmental stewardship; Privacy
Example of IT control categories (COSO)
IT management – A steering committee provides oversight, monitoring, and reporting of information technology activities and improvement initiatives.
IT infrastructure – Controls for system definition, acquisition, installation, configuration, integration and maintenance, i.e. SLAs, BCP, tracking network performance and scheduling of computer operations, approval of new acquisitions, access to software, automated reconciliations, parity bit detection, incident tracking, system logging, and review of data changes.
Security management – Protect against inappropriate access and unauthorised use. Examples are password-controlled access at all levels, firewalls and virtual private networks.
Software acquisition, development & maintenance – Controls over software acquisition and implementation including documentation requirements, user acceptance testing, stress testing, project risk assessments, access to code, segregated development/test environments, authorisation of changes, review of processes and protocols.
The Committee of Sponsoring Organisations of the Treadway Commission – www.coso.org
Basel offers a (partial) framework
Operational risk: the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including legal risk but excluding strategic and reputational risk.
Loss event types:
• Internal fraud
• External fraud
• Employment practices and workplace safety
• Clients, products and business practices
• Damage to physical assets
• Business disruption and system failures
• Execution, delivery and process management
Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk
But Basel is not the only definition
A European bank's definition:
People – Employee Fraud / Malice (criminal); Unauthorised Activity / Rogue Trading / Employee Misdeed; Employment Law; Workforce Disruption; Loss or Lack of Key Personnel
Processes – Payment / Settlement; Delivery Risk; Documentation or Contract Risk; Valuation / Pricing; Internal / External Reporting; Compliance; Project Risk / Change Management; Selling Risks
Systems – Technology / Investment Risk; Systems Development and Implementation; Systems Capacity; Systems Failures; Systems Security Breach
External – Legal / Public Liability; Criminal Activities; Outsourcing / Supplier Risk; Insourcing Risk; Disasters and Infrastructural Utilities Failures; Regulatory Risk; Political / Government Risk
There is no "correct" categorisation
• "Whilst it is helpful to see the 'Basel' risk categories referred to here, many banks do not use these categories in their day-to-day operational risk management or even in collating loss event information. They may be able to map, but the categories are seen by many to be regulator-imposed rather than reflecting risk management practice." British Bankers Association
• There is no clear consensus in the industry on the structure of risk categorisation.
• There is no common ground at all on risk events, controls and indicators.
• So you build what seems the best and most relevant to your institution.
• But everyone is an expert when it comes to risk categorisation!
Categorisation can be a "one-off" process
(Figure: risk types 1, 2, 3, 4, 5, etc. Two changes are shown: merge two risk types into one, or split one risk type into two – type 3 becomes 3a and 3b. Which is it to be?)
Reclassification after collecting data is not easy!
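An added example, the editor's own and not from the PRMIA deck, that implements the steps of "What to do with a loss event?" (record, assess the effect, allocate an owner and a business unit, report, link causing/caused events, update the statistics) and then carries out the two reclassifications from the figure above. It shows why merging two risk types is a mechanical remap while splitting one requires a decision per record: anything the split rule cannot decide is parked for manual review rather than guessed. The class and function names, the category names, the reporting threshold and the four events are all constructed for illustration.

```python
"""Loss-event register with after-the-fact reclassification (added example, not PRMIA's).
Implements the steps of "What to do with a loss event?" (record, assess, allocate owner and
unit, report, link causing/caused events, update statistics) and shows why merging two risk
types is mechanical while splitting one needs a decision per record. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

EVENT_KINDS = {"loss", "near_miss", "predictive", "causal"}  # the four definitions on the slide


@dataclass
class LossEvent:
    event_id: str
    category: str         # risk type from the institution's own framework
    business_unit: str
    owner: str
    kind: str
    amount: float         # measured or assessed effect; 0.0 for a pure near miss
    description: str = ""
    caused_by: list = field(default_factory=list)  # ids of linked "causing" events


class LossEventRegister:
    def __init__(self, categories, reporting_threshold):
        self.categories = set(categories)
        self.threshold = reporting_threshold
        self.events = {}
        self.needs_review = []  # event ids a split could not place automatically

    def record(self, event):
        """Validate and store the event; return True if it must be reported."""
        if event.kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind {event.kind!r}")
        if event.category not in self.categories:
            raise ValueError(f"{event.category!r} is not in the risk framework")
        missing = [c for c in event.caused_by if c not in self.events]
        if missing:
            raise ValueError(f"linked events not recorded: {missing}")
        self.events[event.event_id] = event
        return self.chain_amount(event.event_id) >= self.threshold

    def chain_amount(self, event_id, seen=None):
        """Effect of an event plus its whole causal chain, so a loss that is individually
        below threshold is still reported when the chain it completes crosses it."""
        seen = set() if seen is None else seen
        if event_id in seen:          # guard against cycles in the links
            return 0.0
        seen.add(event_id)
        ev = self.events[event_id]
        return ev.amount + sum(self.chain_amount(c, seen) for c in ev.caused_by)

    def statistics(self):
        """Per-category count and total effect (the corporate risk statistics)."""
        stats = defaultdict(lambda: {"count": 0, "total": 0.0})
        for ev in self.events.values():
            stats[ev.category]["count"] += 1
            stats[ev.category]["total"] += ev.amount
        return dict(stats)

    def merge_categories(self, old_a, old_b, new):
        """Merge is mechanical: every record under either old type moves to the new one."""
        self.categories -= {old_a, old_b}
        self.categories.add(new)
        for ev in self.events.values():
            if ev.category in (old_a, old_b):
                ev.category = new

    def split_category(self, old, new_a, new_b, decide):
        """Split needs a decision per record: decide(event) returns new_a, new_b or None.
        Undecidable records stay under the old type and are queued for manual review."""
        self.categories |= {new_a, new_b}
        unresolved = []
        for ev in self.events.values():
            if ev.category != old:
                continue
            target = decide(ev)
            if target in (new_a, new_b):
                ev.category = target
            else:
                unresolved.append(ev.event_id)
        self.needs_review.extend(unresolved)
        if not unresolved:            # old type survives until the review queue is empty
            self.categories.discard(old)
        return unresolved


def demo():
    """Constructed walk-through; returns (reported, merged_count, unresolved, stats)."""
    reg = LossEventRegister({"systems_failure", "process_error", "external_fraud"}, 100_000.0)
    reg.record(LossEvent("E1", "process_error", "settlements", "j.doe", "causal", 40_000.0,
                         "manual rebooking of failed trades"))
    reg.record(LossEvent("E2", "systems_failure", "settlements", "a.roe", "near_miss", 0.0,
                         "batch outage caught by reconciliation", caused_by=["E1"]))
    reported = reg.record(LossEvent("E3", "systems_failure", "settlements", "a.roe", "loss",
                                    70_000.0, "settlement outage, late payments", caused_by=["E2"]))
    reg.record(LossEvent("E4", "process_error", "custody", "k.lee", "predictive", 5_000.0))
    reg.merge_categories("systems_failure", "process_error", "execution_and_systems")
    merged_count = reg.statistics()["execution_and_systems"]["count"]
    unresolved = reg.split_category(
        "execution_and_systems", "systems_failure", "process_error",
        lambda ev: "systems_failure" if "outage" in ev.description
        else "process_error" if "manual" in ev.description else None)
    return reported, merged_count, unresolved, reg.statistics()
```

In the walk-through E3 is a 70,000 loss, below the 100,000 reporting threshold on its own, but the chain E1 (40,000) → E2 (near miss) → E3 adds up to 110,000, so it is reported as a cumulative event. The merge moves all four records into execution_and_systems without inspection; the split rule can place E1, E2 and E3 from their descriptions but has nothing to go on for E4, which stays in the old type and is queued for review.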
A good framework needs acceptance
• The framework is simple to use – and small enough to assure a common interpretation
• All managers accept it is the right framework
• The regulators accept it is the right framework
• It matches (or can be transposed into) any common risk database(s) being used
• All staff – levels, locations, functions, cultures – understand it and find it easy to collect data
• It satisfies all parts of the institution
• The right amount of data is being collected
• It caters for future situations – business change, regulatory change, environmental change
How to efficiently categorise
There is no simple answer – and you have to get it right first time!
10 implementation issues
1. Creating the framework – consensus on the right risk categorisation structure
2. Getting user involvement
3. Deciding on how much data to collect
4. Gaining regulatory approval
5. Building a risk culture
6. Achieving user acceptance
7. Ensuring clean data
8. Integrating feedback and statistics
9. Cleaning previous data
10.Updating the system
Building a risk culture – what is it?
An internal risk culture is the sum of the individual and corporate values, attitudes, competencies and behaviour that determine commitment to and style of risk management.
• It includes both an enterprise-wide risk culture and an internal control culture
• It requires clear lines of responsibility, segregation of duties and effective internal reporting
• It requires high standards of ethical behaviour at all levels
• Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture
• It is the responsibility of both the board and senior management
Examples of staff risk culture
• All staff know:
  – What a risk control or risk event is
  – Why they exist
  – What their risk responsibilities are
  – Prime and alternative reporting routes
  – What happens to their reports
  – What was the result of "their" event's mitigation
  – What the institution's risk status is (overall and their part)
  – How it is improving (or getting worse)
  – What their risk training plan is
Examples of management risk culture
• All Board and senior management know:
  – What the institution's risk policy is
  – What their risk appetite is
  – What their own risk responsibilities are
  – What major risk controls have been infringed or what risk events have taken place
  – What cumulative risk situations have built up
  – What the institution's risk status is
  – How it is improving (or getting worse)
  – What the business impacts are
Why are risk cultures important?
• Risks are managed by people
• People can apply standards with greater or lesser degrees of efficiency – or they can make mistakes
• People must apply the appropriate risk management standards to the best of their ability
• Regulators appreciate that the best standards and guidelines are only effective if implemented correctly – and with diligence and enthusiasm.
• Regulators will therefore test an organisation's risk culture along with its risk standards, best practices, capital robustness and disclosure procedures.
Attributes of a risk management culture
1. Attention is paid to quantifiable and unquantifiable risks.
2. All risks are identified, reported and quantified.
3. Awareness of risk through performance measurement, risk-adjusted pricing, pay structures and forecasting.
4. Risk management is accepted as everyone's responsibility.
5. Risk managers have teeth.
6. The enterprise avoids what it doesn't understand.
7. Uncertainty is accepted.
8. Risk managers are monitored.
9. Risk management is not to stop people from taking risks but to create value, by enhancing the chances of success.
10. The risk culture is defined, the risk appetite is understood.
Source: Operational Risk Management, PWC, November 2003 (abbreviated)
Risk culture roll-out
• Plan from the start
• Involve all relevant management (line and HR)
• Customise to "your" operational risk management solution
• Consider all methods – classroom training, web training, road shows, e-mail campaigns, etc.
• And media – posters, portals, newsletters, etc.
• Demonstrate commitment – involve senior management; accreditation for the training can be an important facilitator; performance and statistics
• Gain supervisor/regulator comfort (theirs)
Success means negotiating the maze!
(Figure: the implementation maze again – Risk theories and regulations; An operational risk culture; Processes, tools and capital allocation. Stations: Create the framework; User involvement; How much data to collect; Regulatory approval; User acceptance; Ensuring clean data; Feedback; Cleaning old data; Updating the system.)
Thank you
David Millar, Chief Operating Officer – [email protected]