A Higher Standard for Risk Professionals, www.prmia.org

The New Basel Capital Accord: Background, basics, implementation problems and some solutions – from a Pillar II & operational risk view – David Millar, COO, PRMIA


Post on 28-Dec-2015



Page 2:

Basel II – created by the Bank for International Settlements

The original cross-border financial institution
– Members are the central banks or monetary authorities of 54 countries plus the European Central Bank

Advisory, not regulatory
– Formulates supervisory standards and best practice,
– Has no supranational authority (with local supervisors),
– Through committees of national experts, makes recommendations to the financial community aimed at strengthening the international financial system,
– Members agree to adopt standards as basis of their regulatory processes (at varying levels),
– Used by most of the rest of the world, and their regulators
– Accepted by banking community as standard of good practice (and of a desirable counter-party).

Page 3:

Created standards on capital

• Basel Capital Accord (Basel I),
– In 1988 the Basel Committee on Banking Supervision recommended a risk-weighted capital ratio for internationally active banks,
– This set minimum standards of capital adequacy,

• A “New Capital Accord” (Basel II) proposed in 1999,
– Extended to cover regulatory and disclosure requirements,
– Final (reviewed) version released November 2005 (over 100 countries to implement - but in the US they say it is still under discussion)
– Complete Accord will take effect from 2007 (earliest participants)

Page 4:

BASEL II overview – The Three Pillars

Pillar 1: Capital Requirements
– Calculated based on credit, market and operational risk.
– Many options on approach to calculation of capital requirements.

Pillar 2: Supervisory Review Process
– Operational control and compliance with Pillar 1 requirements.
– Only varies on Pillar 1 approach, otherwise must comply with all.

Pillar 3: Disclosure & Market Discipline
– Capital adequacy and risk control processes and results will be disclosed.
– Requirements are common to all regulated firms.

Implications on, and requirements for, systems, processes & people

Page 5:

[Diagram with boxes labelled: Diversified General Industrial Group; Domestic Bank; Securities Firm; Holding Company; Internationally Active Banking Group; Internationally Active Bank; Internationally Active Specialist Bank; Special Purpose Vehicles; boundaries numbered (1) to (4); label "Financial Enterprise-wide"]

(1) Boundary of predominantly banking group. Basel II applied at this level on a consolidated basis, i.e. up to holding company level.

(2), (3) & (4): Basel II also applied at lower levels to all internationally active banks on consolidated basis.

Page 6:

Pillar 1 requirements

Pillar 1

• Defines capital requirements,

• Credit/market risk are major issues for all, operational risk-derived capital requirements an issue for major players,

• Complex considerations for large global institutions (risk and resulting capital requirements calculated at a transaction level),

• Simpler for medium/small firms (can simply be a factor of a business volume indicator such as total revenue or funds under management),

• Object is (at least in early years) not to create extra costs for firms but to reward those who manage their financial risk well.

Page 7:

Choice in capital approach

Levels: Basic, Intermediate, Advanced

Credit Risk
– Basic: ‘Standardised’. Successor to the 1988 Accord with some additional sensitivities.
– Intermediate: ‘Foundation’ (Internal Ratings-based Approach). Portfolio split by category of exposure – input from institution and supervisor.
– Advanced: ‘Advanced’ (Internal Ratings-based Approach). As for Foundation but all parameters calculated by institution.

Market Risk
– No major change to current approach

Operational Risk
– Basic: ‘Basic Indicator’. Capital charge based on single risk indicator.
– Intermediate: ‘Standard’. Capital charge based on sum of 8 Business Line risk indicators, each calculated by defined industry standards ( α ).
– Advanced: ‘Advanced Measurement’. Capital charge by Business Line, internally calculated and variable on level of risk ( β ).

Progressive adoption

Fragmented adoption

Page 8:

Pillar 2 requirements

Pillar 2

• Is a supervision and standards issue,

• Governance and operational risk management, the establishment of a risk culture in a firm, are the main components,

• A minimum level is required by all firms,

• Requires procedures, standards and systems – incident management is essential,

• Applies stricter standards regarding risk history and the use of external loss event data bases to those wishing to use the advanced methods of capital requirements calculations,

• Allows supervisors to vary (increase?) the capital requirements.

Page 9:

Basel’s four principles of supervisory review

1. Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.

2. Supervisors should review and evaluate banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take appropriate supervisory action if they are not satisfied with the result of this process.

3. Supervisors should expect banks to operate above the minimum regulatory capital ratios and should have the ability to require banks to hold capital in excess of the minimum.

4. Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored.

Source: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, Updated November 2005

Page 10:

Basel’s 10 principles of operational risk

Developing an appropriate Risk Management Environment

1 Involvement of the board of directors.

2 Effective internal audit - operationally independent, trained staff.

3 Senior management to run the operational risk management framework.

Risk Management: Identification, Assessment, Monitoring, Mitigation

4 Identify/assess operational risk in products, processes and systems.

5 Implement processes to monitor operational risk profiles and losses.

6 Have policies and procedures to control and/or mitigate operational risks.

7 Have in place contingency and business continuity.

Role of Supervisors

8 Require framework to identify, assess, monitor and control operational risk.

9 Evaluate policies, procedures and practices related to operational risk.

Role of Disclosure

10 To disclose approach to operational risk management to market.

Source: Sound Practices for the Management and Supervision of Operational Risk, Feb 2003, abridged

Page 11:

Pillar 3 requirements

Pillar 3

• Market discipline is the disclosure of all the Pillar 1 and Pillar 2 activities (quantitative and qualitative) including significant incidents,

• Simple in practice but many legal concerns,

• Reinforces capital regulation and other supervisory efforts to promote safety and soundness in banks and financial systems,

• Imposes strong incentives on banks to conduct their business in a safe, sound and efficient manner,

• Allows market participants to assess key pieces of information on the scope of application, capital, risk exposures, risk assessment and management processes, and hence the capital adequacy of the institution.

Page 12:

Requirements of disclosure (market discipline)

Disclosures in the New Basel Capital Accord

Scope of Application: Strong recommendations
Capital: Strong recommendations
Credit Risk - general: Strong recommendations
Credit Risk – Standardised Approach: Requirements
Credit Risk Mitigation Techniques: Requirements
Credit Risk – IRB Approaches: Requirements
Market Risk: Strong recommendations
Operational Risk: Strong recommendations, requirements in future
Interest Rate Risk in the Banking Book: Strong recommendations
Capital Adequacy: Strong recommendations
Asset Securitisation: Requirements
External Credit Assessment Institution (ECAI) Recognition: Requirements
Supervisory Transparency: Strong recommendations

Page 13:

Disclosure of operational risk

Probable operational risk areas also to be disclosed:
• Assessment techniques
• Risk recording, monitoring and reporting techniques
• Risk culture procedures
• Major risk events
• Cumulative risk events above threshold
• Risk mitigation processes
• Operational risk capital calculation approach
• Total operational risk capital
• Capital impact of above risks reported

Page 14:

Disclosure benefits

• A strong marketing position, providing that:

– The news is not all bad,

– The audience understands the message,

– The message is consistent,

– The message is “believable”.

• Improved trading benefits, providing that:

– Disclosed details match market rumour,

– Disclosure is ahead of public knowledge,

– Rating agency views are consistent.

• Strengthened relationship with your supervisor.

• Strong public image.

Page 15:

Disclosure concerns

• Knowing what needs to be disclosed

• Uniformity – the “level playing field”

• Demonstrating compliance and “good citizenship” but not disclosing too much

• Impact of bad news, or perceived bad news on share or counterparty positions

• Flooding the market with information

• Legal position – counterparty, shareholder, supervisor

• Coordination with accounting standards

• Privacy rulings

Page 16:

Capital considerations

• The financial “group” assessed as a single unit.

• Supervisors are extending requirements to most firms.

• The bulk of the capital cost is from credit risk.

• Restrictions on granularity of capital approach.

• Capital pegged to the original levels for 2 years.

• It may be possible to end up having to allocate more capital under the Standardised Approach (with its extra requirements) than under the Basic Approach!

• Concern from regulators regarding Internal Ratings-Based (IRB) approach models.

• A floor of 90% in year 1 (2008) and 80% in year 2, but talk of “keep the floors in place beyond 2009 if necessary”.

• Supervisors may apply bank-by-bank floors and apply a single scaling factor should overall banking capital decline.

• 5 years data (3 initially) needed.

Page 17:

Capital adequacy is not all

• Pillar 2 has two objectives:
– compliance to the higher approaches to capital calculations,
– sound integrated risk management systems and controls.

• But all regulated organisations must develop:
– an appropriate risk management environment,
– risk identification, assessment, monitoring and mitigation/control,
– regular independent evaluation of policies, procedures and practices.

• … and make sufficient public disclosure to allow the market to assess their approach to operational risk management.

Page 18:

Regardless of Pillar 1 approach

• Even if you go for the Basic Approach to Operational Risk-derived Capital:

– A risk assessment culture must be created,

– Credit and operational risks must be monitored,

– Risk must be tracked,

– A risk trend history must be created,

– Risk actions must be disclosed.

… and all will be required from as early as 1 Jan 2007 depending on country and type of firm.

“… additional capital would not be the only answer as capital is not a substitute for appropriate risk assessment practices or adequate internal control processes.” Nicholas Le Pan, Chairman of the Basel Committee’s Accord Implementation Group, March 2004.

Page 19:

Implementation

Risk theories and regulations

A risk culture

Processes, tools and capital allocation

Rollout considerations

Ongoing maintenance and improvement

Page 20:

From financials to processes

• Credit/market risk relatively mature (liquidity risk is a mystery!)

• Operational risk still immature

• We have little real experience in:
– Specifying it: What is it? How to recognise and classify it?
– Setting it up: Involving the users, gaining commitment, regulatory approval, etc
– Rolling it out: Collecting accurate data
– Maintaining it: Feedback – correcting errors – changing classifications – renewing systems, etc

Page 21:

The Pillar II Maze

[Diagram. Labels: Risk theories and regulations; An operational risk culture; Processes, tools, capital allocation; Create the framework; Ensuring clean data; User acceptance; Regulatory approval; Feedback; Updating the system; User involvement; How much data to collect; Cleaning old data; Risk Culture; Pillar 1 and III implementations]

Page 22:

10 implementation issues

Processes, systems and capital allocations are easy – the problems are the “people issues”:

1. Creating the framework – consensus on the right risk categorisation structure

2. Getting user involvement – the necessary amount from the right people

3. Deciding on how much data to collect – too little = poor statistics, too much = inaccurate data

4. Gaining regulatory approval – different interpretations/numerics in different jurisdictions

5. Building a risk culture – everyone knows what risk is

6. Achieving user acceptance – “why am I doing this?” “I have better things to do!”

7. Ensuring clean data – completing data correctly

8. Integrating feedback and statistics – to improve the system

9. Cleaning previous data – which may be incomplete

10. Updating the system – changing processes, risk categories (framework) and upgrading systems

Page 23:

An operational risk framework

+ Risk Indicators (KRIs)

Page 24:

Example of risk categorisation (Merrill Lynch Capital)

• 52 risks grouped into categories:
– People
– Financial
– Credit
– Reporting & Control
– Customer Suitability & Servicing
– External
– Technology
– Legal/Regulatory
– Reputational (!)

People Risk: The risk of loss related to management and deployment of people including inappropriate resource management (e.g., lack of training and constrained resources) inappropriate management oversight, employee irregularities, discrimination, harassment and turnover.

• Employee Fraud
• Resource Management
• Involuntary Downsizing / Restructuring / Constrained Resources
• Loss of Key Individuals / Teams
• Lack of Training / Experience / Knowledge / Ability
• Knowledge Capital Risk
• Efficiency Risk
• Leadership Risk
• Authority / Limit Risk
• Performance Incentives Risk
• Change Readiness Risk
• Alignment Risk

Page 25:

What is a loss event?

• Any actual occurrence which causes material loss to an organisation.

• Any actual occurrence which nearly causes material loss to an organisation (a “near miss”).

• Any actual occurrence which is considered likely to cause a material loss in the future (a “predictive incident”).

• Any actual occurrence which, cumulatively with other events, does or could cause a material loss (“causal risk” events).

Page 26:

How to recognise a loss event?

• Experience – “It has happened before”,

• Judgement – “I know the business and I think this event will jeopardise its future”,

• Effect – “We experienced a loss and this is what caused it”,

• Impression – “This nearly caused a loss”,

• Comparison – “This matches a previous event which caused a loss”,

• Chaining – “This event, although apparently innocuous, caused another loss event to happen”,

• Regulation – “I am told this is a significant event which could cause a loss or impact the market”,

• Cultural – “This is against public morals and laws so ought to be a risk and may be a loss”.

Page 27:

What to do with a loss event?

• Record the event,

• Measure or assess the effect (cost) of the event,

• Allocate the event to an owner,

• Allocate the event to a part of the organisation

• Report the event to the appropriate person (or possibly external body),

• Start a risk mitigation process (what to do so that this does not happen in the future),

• Identify linked (“causing or caused”) risk events,

• Update corporate risk statistics,

• Update company procedures and standards (if necessary).

Page 28:

Loss event categories (COSO) – Internal Factors

Infrastructure
• Availability of assets
• Capability of assets
• Access to capital
• Complexity
• Mergers/acquisitions

Personnel
• Employee capability
• Fraudulent activity
• Health and safety
• Judgment
• Malfeasance
• Security practices
• Sales practices

Process
• Capacity
• Design
• Execution
• Suppliers/dependencies

Technology
• Data: Acquisition – Maintenance – Distribution – Confidentiality – Integrity
• Data and system availability
• Capacity
• System: Selection – Development – Deployment – Reliability

Page 29:

Loss event categories (COSO) – External Factors

Economic
• Capital availability
• Credit: Issuance, Default, Concentration
• Liquidity: Market, Funding, Cash flow
• Market: Commodity prices, Interest rate, Unemployment, Indices, Exchange rate, Equity valuation, Real estate values

Business
• Brand/trademark
• Competition
• Consumer behaviour
• Counterparty
• Fraud
• Industry standards
• Ownership structure
• Publicity
• Product relevance

Technological
• Electronic commerce
• External data
• Emerging technology

Natural Environment
• Biodiversity
• Emissions, effluents & waste
• Energy
• Fire
• Natural disaster (earthquake, flood, etc.)
• Sustainable development
• Transport
• Water

Political
• Governmental changes
• Legislation
• Public policy
• Regulation

Social
• Demographics
• Corporate citizenship
• Environmental stewardship
• Privacy

Page 30:

Example of IT control categories (COSO)

IT management

Steering committee provides oversight, monitoring, and reporting of information technology activities and improvement initiatives.

IT infrastructure

Controls for system definition, acquisition, installation, configuration, integration and maintenance, i.e. SLAs, BCP, tracking network performance and scheduling of computer operations, approval of new acquisitions, access to software, automated reconciliations, parity bit detection, incidents tracking, system logging, and review of data changes.

Security management

Protect against inappropriate access and unauthorized use. Examples are passwords access at all levels, firewalls and virtual private networks.

Software acquisition, development & maintenance

Controls over software acquisition and implementation including documentation requirements, user acceptance testing, stress testing, project risk assessments, access to code, segregated development/test environments, authorization of changes, review of processes and protocols.

The Committee of Sponsoring Organisations of the Treadway Commission – www.coso.org

Page 31:

Basel offers a (partial) framework

Operational risk

The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including legal risk but excluding strategic and reputational risk

• Internal fraud
• External fraud
• Employment practices
• Clients, products, business practices
• Damage to physical assets
• Business disruption and system failures
• Execution, delivery and process (middle) management

Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk

Page 32:

But Basel is not the only definition

A European bank definition

People
• Employee Fraud / Malice (criminal)
• Un-authorised Activity / Rogue Trading / Employee Misdeed
• Employment Law
• Workforce Disruption
• Loss or Lack of Key Personnel

Processes
• Payment / Settlement
• Delivery Risk
• Documentation or Contract Risk
• Valuation / Pricing
• Internal / External Reporting
• Compliance
• Project Risk / Change Management
• Selling Risks

Systems
• Technology / Investment Risk
• Systems Development and Implementation
• Systems Capacity
• Systems Failures
• Systems Security Breach

External
• Legal / Public Liability
• Criminal Activities
• Outsourcing / Supplier Risk
• Insourcing Risk
• Disasters and Infrastructural Utilities failures
• Regulatory Risk
• Political / Government Risk

Page 33:

There is no “correct” categorisation

• “Whilst it is helpful to see the 'Basel' risk categories referred to here, many banks do not use these categories in their day-to-day operational risk management or even in collating loss event information. They may be able to map, but the categories are seen by many to be regulator-imposed rather than reflecting risk management practice” British Bankers Association

• There is no clear consensus in the industry on the structure of risk categorisation.

• There is no common ground at all on risk events, controls and indicators

• So you build what seems the best and most relevant to your institution

• But everyone is an expert when it comes to risk categorisation!

Page 34:

Categorisation can be a “one-off” process

[Diagram: risk types 1, 2, 3, 4, 5, etc. become 1, 3a, 3b, 4, 5, etc. Labels: “Merge two risk types into one” or “Split one risk type into two”?]

Reclassification after collecting data is not easy!

Page 35:

A good framework needs acceptance

• The framework is simple to use – and small enough to assure a common interpretation

• All managers accept it is the right framework

• The regulators accept it is the right framework

• It matches (or can be transposed into) any common risk database(s) being used

• All staff – levels, locations, functions, cultures – understand it and find it easy to collect data

• It satisfies all parts of the institution

• The right amount of data is being collected

• It caters for future situations – business change, regulatory change, environmental change

Page 36:

How to efficiently categorise

There is no simple answer – and you have to get it right first time!

Page 37:

10 implementation issues

1. Creating the framework – consensus on the right risk categorisation structure

2. Getting user involvement

3. Deciding on how much data to collect

4. Gaining regulatory approval

5. Building a risk culture

6. Achieving user acceptance

7. Ensuring clean data

8. Integrating feedback and statistics

9. Cleaning previous data

10. Updating the system

Page 38:

Building a risk culture - what is it?

An internal risk culture is the sum of the individual and corporate values, attitudes, competencies and behaviour that determine commitment to and style of risk management.

• It includes both an enterprise-wide risk and an internal control culture

• It requires clear lines of responsibility, segregation of duties and effective internal reporting

• It requires high standards of ethical behaviour at all levels

• Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture

• It is the responsibility of both the board and senior management

Page 39:

Examples of staff risk culture

• All staff know:

What a risk control or risk event is

Why they exist

What their risk responsibilities are

Prime and alternative reporting routes

What happens to their reports

What was the result of “their” event’s mitigation

What the institution’s risk status is (overall and their part)

How it is improving (or getting worse)

What their risk training plan is

Page 40:

Examples of management risk culture

• All Board and senior management know:

What the institution’s risk policy is

What their risk appetite is

What their own risk responsibilities are

What major risk controls have been infringed or what risk events have taken place

What cumulative risk situations have accumulated

What the institution’s risk status is

How it is improving (or getting worse)

What the business impacts are

Page 41:

Why are Risk Cultures important?

• Risks are managed by people

• People can apply standards with greater or lesser degrees of efficiency – or they can make mistakes

• People must apply the appropriate risk management standards to the best of their ability

• Regulators appreciate that the best standards and guidelines are only effective if implemented correctly – and with diligence and enthusiasm.

• Regulators will therefore test an organisation’s risk culture along with its risk standards, best practices, capital robustness and disclosure procedures.

Page 42:

Attributes of a risk management culture

1. Attention is paid to quantifiable and unquantifiable risks.

2. All risks are identified, reported and quantified.

3. Awareness of risk through performance measurement, risk-adjusted pricing, pay structures and forecasting.

4. Risk management is accepted as everyone’s responsibility.

5. Risk managers have teeth.

6. The enterprise avoids what it doesn’t understand.

7. Uncertainty is accepted.

8. Risk managers are monitored.

9. Risk management is not to stop people from taking risks but to create value, by enhancing the chances of success.

10. The risk culture is defined, the risk appetite is understood.

Source: Operational Risk Management, PWC, November 2003 (abbreviated)

Page 43:

Risk culture roll-out

• Plan from start

• Involve all relevant management (line and HR)

• Customise to “your” operational risk management solution

• Consider all methods

Classroom training, web training, road shows, e-mail campaigns, etc

• And media

Posters, portals, newsletters, etc

• Demonstrate commitment

Involve senior management

Accreditation for the training can be an important facilitator

Performance and statistics

• Gain supervisor/regulator comfort (theirs)


Page 45:

Success means negotiating the maze!

[Diagram. Labels: Risk theories and regulations; An operational risk culture; Processes, tools and capital allocation; Create the framework; Ensuring clean data; User acceptance; Regulatory approval; Feedback; Updating the system; User involvement; How much data to collect; Cleaning old data]

Page 46:

Thank you

David Millar, Chief Operating Officer [email protected]