operations risk management power point presentation

OPERATIONAL RISK MANAGEMENT

09/04/23 1

What is Operational Risk?

The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (The Basel II Capital Accord)

FORMERLY any risk but market and credit risks

It is NOT a brand new stuff and it is the risk that affects all businesses

Operational risk is inherent in carrying out a process/ operational activity.

09/04/23 2

Classification of Operational Risks

High

Frequency

Low

Impact

High

Frequency

High

Impact

Low

Frequency

Low

Impact

Low

Frequency

High

Impact

Operational risk events are classified by two factors:

frequency – how often the event occurs

impact – the amount of the losses resulting from the event

09/04/23 3

Fre

qu

ency

Impact


Generally, operational risk management focuses on only two of these event types:

Low frequency / high impact (LFHI)

High frequency / low impact (HFLI)

Why?

09/04/23 4


High frequency/low impact events are managed to improve business efficiency. These events tend to be readily understood and are viewed as ‘the cost of doing business’.

Examples?

09/04/23 5

Expected loss verses unexpected loss

Expected loss is the loss incurred as a bank conducts its normal business.

Can be simply defined as the cost of doing business

The only way to totally prevent them is to cease doing business.

09/04/23 6

Expected loss versus unexpected loss

A bank uses statistical methods to predict its expected losses.

In short, the firm uses past data and experience to predict the future.

A simple method of calculating expected loss is to compute the mean (average) of the actual losses over a given time and accept this as the likely future level.

09/04/23 7

Expected loss verses unexpected loss

A firm may also attempt to ‘predict’ its unexpected losses using statistics, much like the way that is used to predict expected losses.

The problems are the past data may not available and therefore to calculate unexpected loss a firm uses:

available internal data

external data from other firms

data from operational risk scenarios

09/04/23 8

Operational risk event categories

The simplest way of understanding operational risk in banks is to categorize it as anything but credit risk or market risk.

However, this is a very broad definition and does not help manage operational risk.

Generally, operational risk events can be subdivided into:

internal process risk

people risk

systems risk

external risk

legal risk09/04/23 9

Internal Process Risk

Internal process risk is defined as the risk associated with the failure of a bank’s processes or procedures.

During a bank’s day-to-day operations, staff follow preset working practices.

These procedures and policies will include all the checks, and controls required to ensure that customers are correctly served and the bank remains within the laws and regulations by which it is governed

09/04/23 10

Internal Process Risks

Internal process risk events include:

documentation – inadequate, insufficient or wrong

lack of controls

marketing errors

misselling

money laundering

incorrect or insufficient reporting (e.g. regulatory)

transaction error

Reviewing and improving a bank’s internal processes as part of operational risk management can improve its efficiency. Errors often occur when a process is complicated, disorganized or easily circumvented, all of which are also inefficient business practices.

09/04/23 11

Risk Management Process Feedback Loop

09/04/23 12

1. Identify, assess and prioritize risks

2. Develop strategies to measure risk

3. Design policies and procedures to mitigate risks

4. Implement and assign

responsibility

5. Test effectiveness and evaluate

results

6. Revise policies and procedures

FRAMEWORK• Risk strategy,

tolerance

• Roles and responsibilities

• Policies and procedures

• Risk definition and categorization

FRAMEWORK• Risk strategy,

tolerance

• Roles and responsibilities

• Policies and procedures

• Risk definition and categorization

MEASUREMENT• Estimation of annual

losses – cost of operational failure

• Estimation of VaR – risk capital

• Estimation of scores representing quality of internal controls

MEASUREMENT• Estimation of annual

losses – cost of operational failure

• Estimation of VaR – risk capital

• Estimation of scores representing quality of internal controls

PROCESSES• Loss data collection

• Risk indicator data collection

• Control self-assessment

• Risk assessment and analysis

• Workflow

• Automatic notification

• Follow up action

PROCESSES• Loss data collection

• Risk indicator data collection

• Control self-assessment

• Risk assessment and analysis

• Workflow

• Automatic notification

• Follow up action

REPORTING• Integrated MIS

reporting

• Awareness of exposures

• Knowledge of controls quality

• Cost benefit analysis

• Improved risk mitigation and transfer strategy

REPORTING• Integrated MIS

reporting

• Awareness of exposures

• Knowledge of controls quality

• Cost benefit analysis

• Improved risk mitigation and transfer strategy

There are four fundamental steps to managing operational risk, with each step leading to improvements in management & control quality and greater economic profit

Management & Control Quality

Eco

no

mic

Pro

fit

The universe of operational risks spans causes, events and consequences

Insufficient trainingInsufficient training

CAUSES EVENTS CONSEQUENCES

Lack of managementsupervision

Lack of managementsupervision

Inadequateauditing procedures

Inadequateauditing procedures

Inadequate security measures

Inadequate security measures

Poor HRpolicies

Poor HRpolicies

Poor systemsdesign

Poor systemsdesign

Inadequate segregation of duties

Inadequate segregation of duties

ExternalFraud

ExternalFraud

Employment Practices & Workplace Safety

Employment Practices & Workplace Safety

Clients, Products & Business Practices

Clients, Products & Business Practices

Damage to Physical Assets

Damage to Physical Assets

Business Disruption & System Failures

Business Disruption & System Failures

Execution, Delivery & Process ManagementExecution, Delivery & Process Management

Internal Fraud

Internal Fraud

Regulatory, Compliance & Taxation Penalties

Regulatory, Compliance & Taxation Penalties

RestitutionRestitution

Loss of RecourseLoss of Recourse

ReputationReputation

Business InterruptionBusiness Interruption

EFFECTSMonetary Losses

OTHERIMPACTSForgoneIncome

•

•

•

Write-downWrite-down

Loss or Damage to Assets

Loss or Damage to Assets

Legal LiabilityLegal Liability

Using internal and external loss data can calculate Value at Risk

INDIVIDUALLOSS EVENTS

RISK MATRIX FOR LOSS DATA

VARCALCULATION

TOTAL LOSSDISTRIBUTION

74,712,345

74,603,709

74,457,745

74,345,957

74,344,576

167,245

142,456

123,345

113,342

94,458

•

•

•

LOSS DISTRIBUTIONS

Frequencyof events

Frequencyof events

Severity of loss

Severity of loss

43210

40-50

30-40

20-30

10-20

0-10

INTERNAL

FRAUD EXTERNAL

FRAUD

EMPLOYMENT PRACTICES & WORKPLACE

SAFETY

CLIENTS, PRODUCTS &

BUSINESS PRACTICES

DAMAGE TO PHYSICAL ASSETS

EXECUTION, DELIVERY & PROCESS

MANAGEMENT

BUSINESS DISRUPTION AND

SYSTEM FAILURES TOTAL

Corporate Finance Number 36 3 25 36 33 150 2 315

Mean 35,459 52,056 3,456 56,890 56,734 1,246 89,678 44,215

Standard Deviation 5,694 8,975 3,845 7,890 3,456 245 23,543 6,976

Trading & Sales Number 50 4 35 50 46 210 3 441

Mean 53,189 78,084 5,184 85,335 85,101 1,869 134,517 66,322


Retail Banking Number 45 4 32 45 42 189 3 397

Mean 47,870 70,276 4,666 76,802 76,591 1,682 121,065 59,690


Commercial Banking Number 41 3 28 41 37 170 2 357

Mean 43,083 63,248 4,199 69,121 68,932 1,514 108,959 53,721


Payment & Settlements Number 37 3 26 37 34 153 2 321

Mean 38,774 56,923 3,779 62,209 62,039 1,363 98,063 48,349


Agency Services Number 44 4 31 44 40 184 2 386

Mean 46,529 68,308 4,535 74,651 74,446 1,635 117,675 58,018


Asset Management Number 40 3 28 40 36 165 2 347

Mean 41,876 61,477 4,081 67,186 67,002 1,472 105,908 52,217


Retail Brokerage Number 48 4 33 48 44 198 3 417

Mean 50,252 73,773 4,898 80,623 80,402 1,766 127,090 62,660

Standard Deviation 8069 12719 5449 11182 4898 347 33365 9886

Insurance Number 43 4 30 43 39 179 2 375

Mean 45,226 66,395 4,408 72,561 72,362 1,589 114,381 56,394


Total Number 435 36 302 435 399 1,812 24 3,806

Mean 45,653 67,021 4,450 73,245 73,044 1,604 115,459 56,926


Annual Aggregate Loss ($)Mean 99th Percentile

VaR Calculator

e.g.,Monte Carlo

Simulation Engine

VaR Calculator

e.g.,Monte Carlo

Simulation Engine

Composite control assessment/indicator scores can be used to modify capital figures

0

Current score

VAR

CONTROL ASSESSMENT/INDICATOR

SCORE

Adjustment for Quality of

Current Control Environment

Adjustment for Quality of

Current Control Environment

CAPITAL

190190100210210

Previous score 50

Linking capital to changes in the quality of internal controls provides an incentive for desired behavioral change

What does it tell us?

09/04/23 17

Basel II Approaches on Operational Risk

09/04/23 18

•Basic Indicator•Standardized

•Advanced Measurement

•OPERATIONAL

•Standardized•Foundation IRB•Advanced IRB

•CREDIT

The Basic Indicator Approach

Banks using the Basic Indicator Approach must hold capital for operational risk equal to the average over the previous three years of a fixed percentage (denoted alpha) of positive annual gross income.

Figures for any year in which annual gross income is negative or zero should be excluded from both the numerator and denominator when calculating the average.

09/04/23 19

The charge may be expressed as follows:

09/04/23 20

The Standardized Approach

In the Standardized Approach, banks’ activities are divided into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage.

Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations and thus the likely scale of operational risk exposure within each of these business lines.

The capital charge for each business line is calculated by multiplying gross income by a factor (denoted beta) assigned to that business line.

Beta serves as a proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line.

It should be noted that in the Standardized Approach gross income is measured for each business line, not the whole institution, i.e. in corporate finance, the indicator is the gross income generated in the corporate finance business line

09/04/23 21

Standardized Approach

09/04/23 22

Standardized Approach

09/04/23 23

Mapping Business Lines

09/04/23 24

?

Advanced Measurement Approaches (AMA)

Under the AMA, the regulatory capital requirement will equal the risk measure generated by the bank’s internal operational risk measurement system using the quantitative and qualitative criteria.

Use of the AMA is subject to supervisory approval.

A bank adopting the AMA may, with the approval of its host supervisors and the support of its home supervisor, use an allocation mechanism for the purpose of determining the regulatory capital requirement

09/04/23 25

List of reference

Basel II: Revised international capital framework. Bis.org. Retrieved 2013-06-06.

Jump up Solvency - European Commission. Ec.europa.eu. 2012-11-26. Retrieved 2013-06-06

09/04/23 26

operations risk management power point presentation

Documents