operations risk management power point presentation
DESCRIPTION
TRANSCRIPT
OPERATIONAL RISK MANAGEMENT
09/04/23 1
What is Operational Risk?
The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (The Basel II Capital Accord)
FORMERLY any risk but market and credit risks
It is NOT a brand new stuff and it is the risk that affects all businesses
Operational risk is inherent in carrying out a process/ operational activity.
09/04/23 2
Classification of Operational Risks
High
Frequency
Low
Impact
High
Frequency
High
Impact
Low
Frequency
Low
Impact
Low
Frequency
High
Impact
Operational risk events are classified by two factors:
frequency – how often the event occurs
impact – the amount of the losses resulting from the event
09/04/23 3
Fre
qu
ency
Impact
Classification of Operational Risks
Generally, operational risk management focuses on only two of these event types:
Low frequency / high impact (LFHI)
High frequency / low impact (HFLI)
Why?
09/04/23 4
Classification of Operational Risks
High frequency/low impact events are managed to improve business efficiency. These events tend to be readily understood and are viewed as ‘the cost of doing business’.
Examples?
09/04/23 5
Expected loss verses unexpected loss
Expected loss is the loss incurred as a bank conducts its normal business.
Can be simply defined as the cost of doing business
The only way to totally prevent them is to cease doing business.
09/04/23 6
Expected loss versus unexpected loss
A bank uses statistical methods to predict its expected losses.
In short, the firm uses past data and experience to predict the future.
A simple method of calculating expected loss is to compute the mean (average) of the actual losses over a given time and accept this as the likely future level.
09/04/23 7
Expected loss verses unexpected loss
A firm may also attempt to ‘predict’ its unexpected losses using statistics, much like the way that is used to predict expected losses.
The problems are the past data may not available and therefore to calculate unexpected loss a firm uses:
available internal data
external data from other firms
data from operational risk scenarios
09/04/23 8
Operational risk event categories
The simplest way of understanding operational risk in banks is to categorize it as anything but credit risk or market risk.
However, this is a very broad definition and does not help manage operational risk.
Generally, operational risk events can be subdivided into:
internal process risk
people risk
systems risk
external risk
legal risk09/04/23 9
Internal Process Risk
Internal process risk is defined as the risk associated with the failure of a bank’s processes or procedures.
During a bank’s day-to-day operations, staff follow preset working practices.
These procedures and policies will include all the checks, and controls required to ensure that customers are correctly served and the bank remains within the laws and regulations by which it is governed
09/04/23 10
Internal Process Risks
Internal process risk events include:
documentation – inadequate, insufficient or wrong
lack of controls
marketing errors
misselling
money laundering
incorrect or insufficient reporting (e.g. regulatory)
transaction error
Reviewing and improving a bank’s internal processes as part of operational risk management can improve its efficiency. Errors often occur when a process is complicated, disorganized or easily circumvented, all of which are also inefficient business practices.
09/04/23 11
Risk Management Process Feedback Loop
09/04/23 12
1. Identify, assess and prioritize risks
2. Develop strategies to measure risk
3. Design policies and procedures to mitigate risks
4. Implement and assign
responsibility
5. Test effectiveness and evaluate
results
6. Revise policies and procedures
FRAMEWORK• Risk strategy,
tolerance
• Roles and responsibilities
• Policies and procedures
• Risk definition and categorization
FRAMEWORK• Risk strategy,
tolerance
• Roles and responsibilities
• Policies and procedures
• Risk definition and categorization
MEASUREMENT• Estimation of annual
losses – cost of operational failure
• Estimation of VaR – risk capital
• Estimation of scores representing quality of internal controls
MEASUREMENT• Estimation of annual
losses – cost of operational failure
• Estimation of VaR – risk capital
• Estimation of scores representing quality of internal controls
PROCESSES• Loss data collection
• Risk indicator data collection
• Control self-assessment
• Risk assessment and analysis
• Workflow
• Automatic notification
• Follow up action
PROCESSES• Loss data collection
• Risk indicator data collection
• Control self-assessment
• Risk assessment and analysis
• Workflow
• Automatic notification
• Follow up action
REPORTING• Integrated MIS
reporting
• Awareness of exposures
• Knowledge of controls quality
• Cost benefit analysis
• Improved risk mitigation and transfer strategy
REPORTING• Integrated MIS
reporting
• Awareness of exposures
• Knowledge of controls quality
• Cost benefit analysis
• Improved risk mitigation and transfer strategy
There are four fundamental steps to managing operational risk, with each step leading to improvements in management & control quality and greater economic profit
Management & Control Quality
Eco
no
mic
Pro
fit
The universe of operational risks spans causes, events and consequences
Insufficient trainingInsufficient training
CAUSES EVENTS CONSEQUENCES
Lack of managementsupervision
Lack of managementsupervision
Inadequateauditing procedures
Inadequateauditing procedures
Inadequate security measures
Inadequate security measures
Poor HRpolicies
Poor HRpolicies
Poor systemsdesign
Poor systemsdesign
Inadequate segregation of duties
Inadequate segregation of duties
ExternalFraud
ExternalFraud
Employment Practices & Workplace Safety
Employment Practices & Workplace Safety
Clients, Products & Business Practices
Clients, Products & Business Practices
Damage to Physical Assets
Damage to Physical Assets
Business Disruption & System Failures
Business Disruption & System Failures
Execution, Delivery & Process ManagementExecution, Delivery & Process Management
Internal Fraud
Internal Fraud
Regulatory, Compliance & Taxation Penalties
Regulatory, Compliance & Taxation Penalties
RestitutionRestitution
Loss of RecourseLoss of Recourse
ReputationReputation
Business InterruptionBusiness Interruption
EFFECTSMonetary Losses
OTHERIMPACTSForgoneIncome
•
•
•
Write-downWrite-down
Loss or Damage to Assets
Loss or Damage to Assets
Legal LiabilityLegal Liability
Using internal and external loss data can calculate Value at Risk
INDIVIDUALLOSS EVENTS
RISK MATRIX FOR LOSS DATA
VARCALCULATION
TOTAL LOSSDISTRIBUTION
74,712,345
74,603,709
74,457,745
74,345,957
74,344,576
167,245
142,456
123,345
113,342
94,458
•
•
•
LOSS DISTRIBUTIONS
Frequencyof events
Frequencyof events
Severity of loss
Severity of loss
43210
40-50
30-40
20-30
10-20
0-10
INTERNAL
FRAUD EXTERNAL
FRAUD
EMPLOYMENT PRACTICES & WORKPLACE
SAFETY
CLIENTS, PRODUCTS &
BUSINESS PRACTICES
DAMAGE TO PHYSICAL ASSETS
EXECUTION, DELIVERY & PROCESS
MANAGEMENT
BUSINESS DISRUPTION AND
SYSTEM FAILURES TOTAL
Corporate Finance Number 36 3 25 36 33 150 2 315
Mean 35,459 52,056 3,456 56,890 56,734 1,246 89,678 44,215
Standard Deviation 5,694 8,975 3,845 7,890 3,456 245 23,543 6,976
Trading & Sales Number 50 4 35 50 46 210 3 441
Mean 53,189 78,084 5,184 85,335 85,101 1,869 134,517 66,322
Standard Deviation 8,541 13,463 5,768 11,835 5,184 368 35,315 10,464
Retail Banking Number 45 4 32 45 42 189 3 397
Mean 47,870 70,276 4,666 76,802 76,591 1,682 121,065 59,690
Standard Deviation 7,687 12,116 5,191 10,652 4,666 331 31,783 9,417
Commercial Banking Number 41 3 28 41 37 170 2 357
Mean 43,083 63,248 4,199 69,121 68,932 1,514 108,959 53,721
Standard Deviation 6,918 10,905 4,672 9,586 4,199 298 28,605 8,476
Payment & Settlements Number 37 3 26 37 34 153 2 321
Mean 38,774 56,923 3,779 62,209 62,039 1,363 98,063 48,349
Standard Deviation 6,226 9,814 4,205 8,628 3,779 268 25,744 7,628
Agency Services Number 44 4 31 44 40 184 2 386
Mean 46,529 68,308 4,535 74,651 74,446 1,635 117,675 58,018
Standard Deviation 7,472 11,777 5,045 10,353 4,535 321 30,893 9,154
Asset Management Number 40 3 28 40 36 165 2 347
Mean 41,876 61,477 4,081 67,186 67,002 1,472 105,908 52,217
Standard Deviation 6,725 10,599 4,541 9,318 4,081 289 27,804 8,238
Retail Brokerage Number 48 4 33 48 44 198 3 417
Mean 50,252 73,773 4,898 80,623 80,402 1,766 127,090 62,660
Standard Deviation 8069 12719 5449 11182 4898 347 33365 9886
Insurance Number 43 4 30 43 39 179 2 375
Mean 45,226 66,395 4,408 72,561 72,362 1,589 114,381 56,394
Standard Deviation 7,262 11,447 4,904 10,063 4,408 312 30,028 8,897
Total Number 435 36 302 435 399 1,812 24 3,806
Mean 45,653 67,021 4,450 73,245 73,044 1,604 115,459 56,926
Standard Deviation 7,331 11,555 4,950 10,158 4,450 315 30,311 8,981
Annual Aggregate Loss ($)Mean 99th Percentile
VaR Calculator
e.g.,Monte Carlo
Simulation Engine
VaR Calculator
e.g.,Monte Carlo
Simulation Engine
Composite control assessment/indicator scores can be used to modify capital figures
0
Current score
VAR
CONTROL ASSESSMENT/INDICATOR
SCORE
Adjustment for Quality of
Current Control Environment
Adjustment for Quality of
Current Control Environment
CAPITAL
190190100210210
Previous score 50
Linking capital to changes in the quality of internal controls provides an incentive for desired behavioral change
What does it tell us?
09/04/23 17
Basel II Approaches on Operational Risk
09/04/23 18
•Basic Indicator•Standardized
•Advanced Measurement
•OPERATIONAL
•Standardized•Foundation IRB•Advanced IRB
•CREDIT
The Basic Indicator Approach
Banks using the Basic Indicator Approach must hold capital for operational risk equal to the average over the previous three years of a fixed percentage (denoted alpha) of positive annual gross income.
Figures for any year in which annual gross income is negative or zero should be excluded from both the numerator and denominator when calculating the average.
09/04/23 19
The charge may be expressed as follows:
09/04/23 20
The Standardized Approach
In the Standardized Approach, banks’ activities are divided into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage.
Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations and thus the likely scale of operational risk exposure within each of these business lines.
The capital charge for each business line is calculated by multiplying gross income by a factor (denoted beta) assigned to that business line.
Beta serves as a proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line.
It should be noted that in the Standardized Approach gross income is measured for each business line, not the whole institution, i.e. in corporate finance, the indicator is the gross income generated in the corporate finance business line
09/04/23 21
Standardized Approach
09/04/23 22
Standardized Approach
09/04/23 23
Mapping Business Lines
09/04/23 24
?
Advanced Measurement Approaches (AMA)
Under the AMA, the regulatory capital requirement will equal the risk measure generated by the bank’s internal operational risk measurement system using the quantitative and qualitative criteria.
Use of the AMA is subject to supervisory approval.
A bank adopting the AMA may, with the approval of its host supervisors and the support of its home supervisor, use an allocation mechanism for the purpose of determining the regulatory capital requirement
09/04/23 25
List of reference
Basel II: Revised international capital framework. Bis.org. Retrieved 2013-06-06.
Jump up Solvency - European Commission. Ec.europa.eu. 2012-11-26. Retrieved 2013-06-06
09/04/23 26