Implementing Operational Risk in an Enterprise Risk Management Framework

William Gonyer, Managing Director


Post on 23-Dec-2015


TRANSCRIPT


Broad Street Banking I Operational Risk Management

Session Outline

• Operational Risk as a component to ERM;
• BIS II defined and as template to an ORM program;
• The Pillars of Hercules and Basel II’s European Flavor;
• One Man’s Struggle for European Convergence;
• Campaign Promises, a Big Stick and the art of moral suasion;
• ORM for Less than Million Euros;
• COSO, SOX and the World Today.

How Does ORM Fit Within ERM as Defined?

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Operational Risk

Is a pragmatic approach to many of the risks covered within an ERM framework. OR is defined by the Bank for International Settlements (BIS) as “the risk of losses arising from inadequate or failed internal processes, people, systems, or external events.”

Targeted for banking institutions by the BIS.

Three “Pillars”: minimum capital requirements, supervisory review of capital adequacy and public disclosure.

Pillar 1 – Minimum Capital Requirements

Capital is calculated using the amount of the institution’s available capital as the numerator and risk-weighted assets as the denominator. The minimum capital ratio is 8%:

Risk-weighted assets come from credit and market activities and Basel II introduced the added component of Operational Risk. 

Weighing the Assets of Operational Risk

Basel II provided three methods for calculating the Operational Risk component of the capital equation:

Basic Indicator Approach;

Standardized Approach; and

Advanced Measurement Approaches (AMA).

The Basic Indicator Approach

Under the basic indicator approach, the “weight of the asset” is calculated using the three-year average of gross income multiplied by a fixed charge of 15%.

This approach is intended for a financial institution with less complex operations.

The Standardized Approach

Under the standardized approach the gross income of a defined business unit is multiplied by a percentage associated with the type of business:

Corporate finance 18%

Trading and sales 18%

Retail banking 12%

Commercial banking 15%

Payment and settlement 18%

Agency services 15%

Asset management 12%

Retail brokerage 12%
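
The Pillar 1 ratio and the Basic Indicator and Standardized calculations described above, worked through as an added example (not part of the original presentation). The percentages are the slides' own; the income and capital figures are constructed, and the treatment of negative-income years and the 12.5 conversion of capital charges into risk-weighted assets come from the Basel II framework text rather than from these slides.

```python
# Added example: Basel II operational-risk charges feeding the Pillar 1 ratio.
# Percentages are those on the slides; all money figures are constructed
# sample data (USD millions), not figures from the presentation.
ALPHA = 0.15          # Basic Indicator Approach fixed charge
MIN_RATIO = 0.08      # Pillar 1 minimum capital ratio
BETA = {              # Standardized Approach percentage per business line
    "corporate_finance": 0.18, "trading_and_sales": 0.18,
    "retail_banking": 0.12, "commercial_banking": 0.15,
    "payment_and_settlement": 0.18, "agency_services": 0.15,
    "asset_management": 0.12, "retail_brokerage": 0.12,
}


def basic_indicator_charge(years):
    """alpha x average gross income, counting only years with positive income."""
    totals = [sum(lines.values()) for lines in years]
    positive = [t for t in totals if t > 0]
    return ALPHA * sum(positive) / len(positive) if positive else 0.0


def standardized_charge(years):
    """Average over the years of beta-weighted income, each year floored at 0."""
    per_year = []
    for lines in years:
        unmapped = set(lines) - set(BETA)
        if unmapped:
            raise ValueError(f"unmapped business line: {sorted(unmapped)}")
        weighted = sum(BETA[name] * income for name, income in lines.items())
        per_year.append(max(weighted, 0.0))  # a net-negative year counts as zero
    return sum(per_year) / len(per_year)


def capital_ratio(capital, credit_rwa, market_charge, oprisk_charge):
    """Capital over total RWA; charges convert to RWA at 12.5 (= 1 / 8%)."""
    return capital / (credit_rwa + 12.5 * (market_charge + oprisk_charge))


# Constructed three-year gross income by business line; year 2 is a loss year.
SAMPLE_YEARS = [
    {"trading_and_sales": 200, "retail_brokerage": 100, "asset_management": 40},
    {"trading_and_sales": -150, "retail_brokerage": 100, "asset_management": 40},
    {"trading_and_sales": 300, "retail_brokerage": 150, "asset_management": 50},
]

if __name__ == "__main__":
    for label, charge in (("basic indicator", basic_indicator_charge(SAMPLE_YEARS)),
                          ("standardized", standardized_charge(SAMPLE_YEARS))):
        ratio = capital_ratio(375, 3000, 80, charge)
        verdict = "meets" if ratio >= MIN_RATIO else "below"
        print(f"{label}: charge {charge:.1f}, ratio {ratio:.2%} ({verdict} 8%)")
```

With these constructed figures the same firm falls below the 8% minimum under the basic indicator charge and meets it under the standardized charge.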

Advanced Measurement Approaches

A financial institution utilizes its own risk measure generated by its Operational Risk measurement system.

The specific methodology must be approved by its regulatory supervisor.

Pillar II

Supervisory review of capital adequacy

Capital adequacy is something we are all familiar with but in the broker/dealer industry there is no specific requirement to calculate a capital component for OR.

Experience shows that in the distant past regulators looked to a multiple of regular required capital to cover undisclosed risk as an informal buffer. The buffer served as a discussion point with the regulator.

Pillar III

Market Discipline

Public disclosure is limited for the broker/dealer industry, as there is no specific requirement for adoption of an Operational Risk program, its capital or its disclosure requirements.

There are, however, requirements under Generally Accepted Accounting Principles that material, expected losses be disclosed.

The implementation process

Implementation Case Study

Implementation began in August 2001 at the US subsidiary of a fully licensed “universal bank” in France where implementation was a (regulatory) requirement.

Ixis was an investment bank with two US registered B/D subsidiaries. The bank’s headcount was about 350, with a balance sheet of approximately $45 billion in assets and revenue of $340 million. By the end of implementation, organic growth had increased headcount to 500, assets totaled $60 billion and revenue exceeded $500 million.

Management Buy In – The Key to Any Successful Implementation

Ixis’ management was very decentralized in that departmental management had significant authority within functional domains and budgetary constraints.

There was a management committee of up to 7 members.

There were 17 departmental cost centers.

These two groups were the focus of attention to sell the program and establish strategic and operational mandates.

Background and Preparation

The OR compliance manager provided a briefing on the requirements and sample self-assessment questionnaires.

An intensive study of the BIS information on the subject from their website provided additional context for the self-assessment and OR measurement requirements.

Contacts were made with departments who were working together to perform the self assessment at the bank’s capital markets sister company in Paris.

In consultation with the CEO, the OR team put together a plan for local implementation along with a budget for the next year.

Implementation of OR Program

Armed with Head Office’s compliance requirement and the CEO’s buy-in, a 7 to 8 member working group was established to build the Self Assessment of OR questionnaire.

The department heads in this group were selected based on a number of factors:

Department headcount (HC) and budget;

Functional risks within departmental domains; and

Departmental manager’s relative influence or expected importance for the OR program’s success.

Factors Considered for Committee Members

These factors, such as the department headcount and budget and the risks associated with the department’s responsibilities, relate to the OR definition “the risk of losses arising from inadequate or failed internal processes, people, systems, or external events.”

Another consideration was the departmental manager’s relative influence or expected importance for the OR program’s success.

Selling OR to Management

The following rationale helped convince working group or committee members of the value of the OR program and their active participation:

• A better idea that we direct the program rather than have HO define local implementation;
• Better to establish a local process for management of capital requirements than accept a HO push-down;
• An opportunity to perform a company-wide self-assessment;
• Individual departments get a 2 for 1 – as risks are defined and acted upon, audit findings diminished with OR budget footing the bill;
• Departments don’t get penalized for weaknesses related to the risks identified.

Self Assessment of Operational Risk

The working group began the development of a baseline self-assessment questionnaire. The questions were categorized according to the BIS table “Detailed Loss Event Type Classification.” A key objective for the self-assessment was that it follow the BIS classification and that the end-product questionnaire would quantify loss risk and produce a “heat map” by business lines. Business lines were based on departments which aligned with the business types of BIS on page 8 of the presentation.

Loss Event Types

BIS classifies loss events in the following Level I Categories:

• Internal Fraud
• External Fraud
• Employment Practices and Workplace Safety
• Clients, Products & Business Practices
• Damage to Physical Assets
• Business Disruption and System Failures
• Execution, Delivery & Process Management

These events are defined and broken down further into Levels 2 & 3, with greater detail at each succeeding level.

The Questionnaire and the Heat Map

The working group defined risks along the guidelines established from the BIS guidance including the Loss Event Type Categories. Additionally we established the definitions of the control processes.

The result was put into MS Excel as questions with boxes that indicated control over the specific event derived from the question and quantification of losses under normal operations and those of very severe events.

In the background, a worksheet quantified both the control and loss severity as two points on a scatter chart, which was the heat map.

The heat map was divided into 4 quadrants: low loss and good control, high loss and good control, low loss and low control, and high loss and low control.


Answer Scoring

By employing a scoring methodology, the answers on the questionnaire can be used to plot the risks of a business area by type.

• External Service Provider Failure
• External Fraud
• Regulatory
• Compliance with Policies, Procedures, and Practices
• Key Control Effectiveness
• Customer Risk Management
• External Catastrophe

[Chart: the risk types above plotted on a heat map; axes: Ability to Control Risk, Impact of Risk]

Results of the Questionnaire

Action plans were put in place in cases where the expected loss was high and control was low – thus fulfilling the 2 for 1 commitment on areas of weakness (no audit finding).

Key indicator reports were created to address the most frequent smaller losses and the high losses. The indicators were specific to each department and agreed as to report frequency. Indicators included things like fails, aged open items and audit recommendations that had not been addressed.

Each department assigned indicator and event monitoring and reporting staff. Typically this was the department head’s deputy.

Loss events were entered into a HO system by the departmental staff responsible for monitoring and reporting of Key Indicators.

ORM Management and Organization

ORM Roles & Responsibilities

The Board of Directors – Head of OR reported to the Audit Committee of the BOD twice annually.

Management – Head of OR at Managing Director level.

Risk Managers – each department assigned OR monitoring and reporting to a senior staff member - typically a VP or a Director. This liaison staff was supported by a second staff member to provide back-up for absences etc.

ORM Roles & Responsibilities - Continued

Dedicated Staff – From 2001 to 2006 there was no authorized headcount, rather the department was staffed using temporary staff for major projects and cost allocations from each department for Risk Managers and support staff – typically 5 to 15% of a fully charged staff, while no charges were allocated to small departments. 25% of OR Head’s departmental cost (including admin staff) was allocated to the project, and system administration support was provided by a junior officer in the audit team. Key indicator chase and follow-up was performed by either the OR Head or admin support. Significant loss events were often followed up by audit staff as audit issues and thus not charged to OR.

The Obligatory COSO Slide

The eight components of the ERM framework apply equally to OR…

ORM Recap

Operational Risk is a component of Enterprise Risk Management.

Basel II with its rich European taste provides excellent guidance for a comprehensive Operational Risk program.

A good program can be put in place for an organization of 250 – 1,000 headcount using a combination of in place and temporary resources.


Gentle and persistent persuasion is required to bring a program like ORM from seed to fruit.

Selection of committee, work group or internal partners for a program such as ORM is critical, as is carrying through on campaign promises. The corollary is: don’t do a George Bush I “read my lips, no new taxes.”