The 2nd seminar of Friends4Growth in Ho Chi Minh city with Prof. Enoch Ch'ng from SMU - Singapore Management University.
Friends4Growth
Together We Grow
--------------------------------------------------
Friends4Growth is a group of young professionals who share a common passion to learn and grow in their careers through formal and informal educational opportunities. The group was founded by Vietnamese national Le Tran, a Wharton MBA Class of 2009.
The Friends4Growth mission is as follows:
- Be a place for young professionals to exchange and enhance knowledge
- Bring educational opportunities to members by providing access to well-known professors, business leaders and industry experts
- Provide information on universities around the world to members who intend to study abroad
- Share experience in studying, job search, working and living outside Vietnam
To achieve its mission, the group organizes various activities for its members on a monthly basis, such as:
- Seminars on various industry topics, with the sponsorship of the Singapore Management University.
- Coffee chats with experienced professionals from more developed economies
- Q&A sessions covering overseas life and work from seasoned experts
Website: www.friends4growth.com
Join us at: http://facebook.com/friends4growth and http://vn.linkedin.com/in/friends4growth
If you have any inquiry, please contact us at info@friends4growth.com
What financial institutions know about operational risk
1. What do financial institutions know about operational risk?
Enoch CHNG
Associate Professor of Information Systems (Education) &
Director, SIS Programs in Financial Services (TOPS)
School of Information Systems
Singapore Management University
8/3/2012 1
2. Outline
• Learning from Mishaps
– Examples of Operational Failures in Financial Industry
– Lessons Learnt
• Defining Operational Risk
• Managing Operational Risk
– Assessment of Operational Risk – General Considerations
– Process Design and Mapping, Reliability Theory, etc
– Ops Risk and Total Quality Management (TQM)
• Basel III and Measurement of Operational Risk
• Concluding Remarks
3. Examples of Operational Failures in Finance
• Barings (Singapore, 1995)
• Sumitomo (New York, 1996)
• NatWest (London, 1997)
• LTCM (Greenwich, 1998)
• HIH Insurance (Sydney, 2000)
• Cantor Fitzgerald (New York, 2001)
• Allied Irish Bank (Baltimore, 2002)
• Mizuho (Tokyo, 2005)
• Société Générale (Paris, 2007)
• TD Ameritrade (January 2008)
• UBS rogue trader scandal (London, Sep 2011)
• JPM Hedge Loss (London, 2012)
4. Features of Mishaps
                 LTCM (1998)        NatWest (1997)   Sumitomo (1996)    Barings (1995)   ?
Loss (USD bn)    4.4                0.2              2.6                1.3              ?
Loss in % cap    44%                negligible       45%                100%             ?
Time to mishap   Fast               3 yrs            10 yrs             3 yrs            ?
Trigger          Market conditions  External audit   Mistaken sending   Margin call      ?
Loss events with a long time-lag usually require an additional external trigger event to make the losses apparent.
5. Rogue Trading
• Frequency and Severity
– Quite frequent and very severe.
• Where does it occur?
– US, Europe, Singapore, South America, …
– Far-flung branch office.
• Profile
– Relatively young or star traders.
– Gambling persona.
– Seemingly profitable business unit.
– Internal pressure to bring in high returns.
• Sequence of Events
– Usually starts small and very innocuous (cover up of an error), but then may continue for many years (while expanding) before being discovered.
– Warning signs are not heeded.
– Management inaction.
• How to avoid?
– Internal audits and controls (with separate lines of reporting), regular internal transfers, mandatory vacations, …
6. Human Error
• There are many examples of very common human errors (example in FX: USD-Euro vs Euro-USD trade).
• Frequency and Severity – quite often and severe.
• Important factors: Experience, Workload.
• How to avoid: Well designed information systems with error-correcting feedback, additional checking by independent people.
• Complexities in information system design:
– Requirements of having real time feed of market data. (Not easy, especially not when stock is very lightly traded or when trading is very volatile).
– Information may have to be fed into a neural net in order to detect anomalies. Neural net has to provide feedback in real time.
Question posed on the slide: Why does a human error much more often result in a loss rather than in a gain?
8. One Way of Looking at Risks in Banking
[Figure: tree diagram of banking risks. Labels: Banking Risks; Market Risk, Credit Risk, Liquidity Risk, Operational Risk, Legal Risk, Reputational Risk; Equity Risk, Interest Rate Risk, Currency Risk, Commodity Risk; Trading Risk, Gap Risk; Specific Risk, General Market Risk; Transaction Risk, Portfolio Concentration Risk; Counterparty Risk, Issuer Risk; Money Transfer Risk, Value Error Risk, Systems Risk, Clearance Risk, Model Risk.]
9. Definition of Operational Risk
• Early work resorted to a negative definition of 'other risks' – all risks except credit, market and interest rate risk in the banking book.
• Latest definition:
– The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including those adversely affecting reputation, legal enforcement of contracts and claims.
– Excludes strategic, business and systemic risk. However they are often captured simply as operational risk.
Operational Risk ≠ Total Risk – Market Risk – Credit Risk
11. Causal Analysis and Risk Management
[Figure: causal chain with three levels: Symptoms (paired with Risk Mitigation), Causally related events, Root cause events (paired with Risk Prevention).]
13. Operational Risk Taxonomy
[Figure: operational risk taxonomy tree. Labels: People, Processes, Systems, External Events; Internal Acts; Employment Practices & Workplace Safety; Employee Relations; Safe environment - workers & 3rd party; Diversity & discrimination; Clients, Products and Business Practices; Execution, Delivery & Process Management; IT and Utilities; Damage to or Loss of Assets; External Acts.]
15. Operational Risk Management
Objectives
• To generate a broader understanding of operational risk issues at all levels of the firm that touch on key areas of risk.
• To enable the organization to anticipate risks more effectively.
• To change behavior in order to reduce operational risk and to enhance the “culture of control” within the organization.
• To provide objective information so that services offered by the organization take account of operational risks.
• To provide support in ensuring that adequate due diligence is shown when carrying out mergers and acquisitions.
• To provide objective measurements of performance.
• To avoid potential catastrophic losses.
“Must Have” Elements
• An agreed conceptual framework that provides:
– a definition of operational risk;
– identification of the key components of operational risk;
– the role and responsibilities of the function;
– its organizational fit within risk management and the firm as a whole;
– its operating principle
– its approach to measurement; and its approach to reporting results.
• A systems and data architecture that provides timely, comprehensive and consistent information for decision taking and risk evaluation.
• The resources, i.e. management and people.
• The necessary tools, e.g. techniques for measurement.
17. Three Lines of Defense Model
(Columns on the slide: Area, Purpose, Role)
3rd Line of Defense – Independent Assurance
• Audit function will challenge the key processes employed by the business.
• Internal/External Audit: provide independent challenge & assurance.
• Provide independent assurance on key controls and reporting & overall OR policy framework.
2nd Line of Defense – Governance & Oversight
• Established committee structures and reporting.
• OR Policies (Endorsed); OR Framework & Reporting (Built).
• Provide the infrastructure and the analysis to aid oversight and challenge in respect of OR policies, framework and reporting.
2nd Line of Defense – Oversight & Challenge
• Ops risk function acts as overall owners of OR policy and control assurance processes.
• OR Managers: provide oversight & challenge; provide expert advice.
1st Line of Defense – The Business Front Line
• The business is responsible for day to day risk management, and testing of controls (Sox).
• Establish a suitable risk & control environment. Test key controls.
• Manage OR: identify risks, improvement actions, implement controls, reporting on progress/incidents.
18. Potential Risk/Failure Points in Insurance
[Figure: diagram of potential failure points feeding an insurer's financial statements. Labels: Standard Expenses, Fraudulent Expenses, Processing Errors, Total Expenses; Covered Losses, Fraudulent Losses, Processing Errors, Total Losses; Underwriting Errors, Policy Premium Pricing, Processing Errors, Total Premium; Financial Statements; Regulatory / Rating Agency Capital Models.]
The significant sources of operational risk are implicitly included in regulatory and rating agency capital models.
19. Sequential Activities and their Relationship to Reliability Theory
• When a number of activities in a product have to be done in series, the “survival” probabilities have to be multiplied.
– Assume 3 activities in series, each one having a probability of 0.9 of being done correctly. The probability of the entire product being done correctly is 0.9 x 0.9 x 0.9 = 0.73
• Example
– Independent Verification
o Independent verification of all activities reduces probabilities of errors and potential fraud. What is optimal redundancy?
– Parallel Checking (Independent)
o If an activity has a 0.1 probability of error, an independent verification with the same probability of error reduces the overall error rate to 0.01.
o If the parallel activity is negatively correlated with the first activity, then the overall error rate is even lower; if it is positively correlated with the first activity, then it is higher than 0.01.
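The series and parallel-check arithmetic from this slide, carried through for correlated checks, as an added Python example that is not part of the original deck. The function names are hypothetical, and modelling each error as a yes/no event with correlation rho is an assumption; the slide states only the direction of the correlation effect.

```python
import math


def series_success(step_probs):
    """P(whole chain done correctly) when steps run in series and fail independently."""
    return math.prod(step_probs)


def correlation_bounds(p1, p2):
    """Feasible correlation range for two yes/no error events with rates p1 and p2."""
    sd = math.sqrt(p1 * (1 - p1) * p2 * (1 - p2))
    lowest = (max(0.0, p1 + p2 - 1.0) - p1 * p2) / sd
    highest = (min(p1, p2) - p1 * p2) / sd
    return lowest, highest


def undetected_error_rate(p_activity, p_check, rho=0.0):
    """P(the activity is wrong AND the parallel check is wrong too).

    For two yes/no events: P(both) = p1*p2 + rho * sqrt(p1(1-p1) p2(1-p2)).
    rho = 0 is the independent case on the slide (0.1 * 0.1 = 0.01).
    """
    lowest, highest = correlation_bounds(p_activity, p_check)
    if not (lowest - 1e-12 <= rho <= highest + 1e-12):
        raise ValueError(f"rho must lie in [{lowest:.4f}, {highest:.4f}]")
    sd = math.sqrt(p_activity * (1 - p_activity) * p_check * (1 - p_check))
    return max(0.0, p_activity * p_check + rho * sd)


def layers_for_target(p_error, target):
    """Independent layers (the activity plus its checks) needed so that the
    chance that every layer is wrong drops to `target` or below."""
    if not 0.0 < p_error < 1.0 or target <= 0.0:
        raise ValueError("need 0 < p_error < 1 and target > 0")
    layers, residual = 1, p_error
    while residual > target:
        residual *= p_error
        layers += 1
    return layers


if __name__ == "__main__":
    print("3 steps in series :", round(series_success([0.9] * 3), 3))
    for rho in (-0.1, 0.0, 0.5, 1.0):
        rate = undetected_error_rate(0.1, 0.1, rho)
        print(f"check with rho={rho:+.1f}: {rate:.4f}")
    print("layers for <= 0.0005:", layers_for_target(0.1, 0.0005))
```

With rho = 1 the check repeats the first activity's mistakes and the error rate stays at 0.1, which is why the verification has to be independent of the person or system being checked.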
20. Why TQM or 6-Sigma?
Size of Operation
• Bank of America has to process daily approximately 30,000,000 checks. The number of checks not processed correctly is less than 100.
• A major investment bank in NY processes daily approximately 10,000 Forex trades. The number of trades with minor errors less than 100. The number of trades with a medium size error less than 1.
– Note: each trade may be subject to a number of amendments or exceptions
Learning from Other Industries
• From the Manufacturing industry:
– Shingo systems (Poka-yoke systems)
– Statistical Process Control (SPC)
– Deming’s 14 points
• From the Aviation industry:
– Near-Miss reporting systems
– Checklists
• From the Health Care Industry:
– Second opinions
– Knowledge system software
21. Variations/Variability
• Process variability is inevitable
– Human variability
– Machine or System variability
• How much variability is too much?
– Assignable variations
o Can be traced to a specific reason
o Should be eliminated
– Natural or random variations
o Form a pattern that can be described as a distribution
o We say that the process is “in control” when there are only natural variations
Decision table:
                          In control      Not in control
Assume process is OK      OK              Type II error
Take corrective action    Type I error    OK
22. Specification Limits vs. Performance Limits
[Figure: four panels comparing performance with specification: An Undesirable Situation, A Very Undesirable Situation, A Vulnerable Situation, A Very Desirable Situation.]
24. How is Operational Risk Measured?
• Quantitative Approach (noted on the slide: Too rigid; Relevancy?)
– Statistical
– Historical
– Internal/External Failures
– Monte Carlo Simulation
• Qualitative Approach (noted on the slide: Too judgmental; No reference points)
– Based on self-assessments
• Either approach on its own does not tell the whole story
25. Basel III – Operational Risk
• Basic Indicator Approach (BIA)
– The operational risk capital charge under BIA is calculated as a fixed percentage of the average over the previous three years of positive annual Gross Income (GI).
– Percentage is currently set at 15%
• Standardized Approach (SA)
– Bank activities are divided into 8 Business lines (Corporate Finance, Trading, Retail Banking, etc.)
– Each Business line has its own GI; again we look at the GIs over the last three years.
– The capital charge for each business line is multiplied by a factor that is specified for that business line.
– Factor for each business line is somewhere between 12 and 18%.
• Advanced Measurement Approaches (AMA)
– the Internal Measurement Approach (IMA)
– the Score Card Approach (SCA)
– the Loss Distribution Approach (LDA)
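An added Python example, not from the original deck, of the BIA and SA calculations described above, showing how a loss year is treated differently by the two approaches. The gross income figures are constructed; the per-line factors and the handling of negative years follow the Basel framework text rather than the slide, which gives only the 15% rate and the 12 to 18% range.

```python
ALPHA = 0.15  # BIA percentage stated on the slide

# Per-line factors from the Basel framework text (assumption relative to the
# slide, which only says "between 12 and 18%").
BETA = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}


def bia_charge(annual_gross_income, alpha=ALPHA):
    """Basic Indicator Approach: alpha times the average of the positive years.

    Years with zero or negative gross income are dropped from both the sum
    and the count, so a loss year does not pull the average down.
    """
    positive = [gi for gi in annual_gross_income if gi > 0]
    if not positive:
        return 0.0
    return alpha * sum(positive) / len(positive)


def sa_charge(gross_income_by_line, beta=BETA):
    """Standardized Approach: factor-weighted gross income, averaged over the years.

    Within a year, a negative business line offsets the positive ones; if the
    year's total is negative it counts as zero, but the year stays in the count.
    """
    yearly = []
    for year in gross_income_by_line:
        weighted = sum(beta[line] * gi for line, gi in year.items())
        yearly.append(max(weighted, 0.0))
    return sum(yearly) / len(yearly)


# Constructed sample: three years of gross income per business line (USD millions).
SAMPLE_YEARS = [
    {"retail_banking": 400, "trading_and_sales": 200, "commercial_banking": 100},
    {"retail_banking": 420, "trading_and_sales": -900, "commercial_banking": 110},
    {"retail_banking": 450, "trading_and_sales": 250, "commercial_banking": 120},
]


def sample_charges():
    """Return (BIA charge, SA charge) for the constructed sample."""
    totals = [sum(year.values()) for year in SAMPLE_YEARS]
    return bia_charge(totals), sa_charge(SAMPLE_YEARS)


if __name__ == "__main__":
    bia, sa = sample_charges()
    print(f"BIA charge: {bia:.1f}  SA charge: {sa:.1f}")
```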
26. Basel III Specific Criteria
• Supervisory guidelines have been established for the Advanced Measurement Approach governing 33 principles in 4 separate categories. Supervisors will assess banks against each of these guidelines.
Governance
1. Roles and responsibilities
2. Board of Director oversight
3. Appropriate resources
4. Independent function
5. Risk and Exposure reporting
6. LOB responsibility
7. LOB alignment with firm-wide policy
8. Firm-wide policies and procedures
Data & Reporting
9. Firm-wide exposure reporting
10. Senior management reporting
11. Internal controls minimum standards
12. Data sufficiency
13. Definition
14. Collection and modification standards
15. Loss history time series
16. Data mapping
17. Loss data capture policy
18. External loss data policy
19. Management review of external data
20. Thresholds
21. Boundaries
Environment
22. Business environment and control factors
23. Comparison of loss experience
24. Scenario analysis policy
Capital Measurement
25. Analysis framework
26. Documented assumptions
27. Calculated elements
28. Treatment of EL
29. Diversification / correlation assumptions
30. Insurance offset
31. Data management
32. Verification
33. Independent testing
27. Variables In Foreign Exchange Trade
Stage I (Before order Match or Broker Verification)
1. Elapsed Time
2. Historical Volatility
3. Deviation from Average Volatility
4. Mark-to-Market
5. Trader Error Ratio
6. Client Sensitivity
7. Sales Error Ratio
8. Execution Method
9. Client Operating Infrastructure
10. Incoming Confirm Method
11. Outgoing Confirm Method
12. Outgoing Conf Delay/Elapsed Time
13. Internal Credit Rating
14. Sales Error Ratio
Stage II (Before Financial Confirmation)
1. Elapsed Time
2. Historical Volatility
3. Deviation from Average Volatility
4. Mark-to-Market
5. Trader Error Ratio
6. Client Sensitivity
7. Regulatory Risk
Stage III (Before Settlement Confirmation)
1. Notional
2. Potential OD Rates
3. Master Agreement (Provisions for Netting)
4. Mark-to-Market
5. Fail Recovery Time
6. Client Sensitivity
7. Regulatory Risk
8. Liquidity Risk
9. Client Operating Infrastructure
10. Country Operating Infrastructure
11. Operator Stage II
12. Product Complexity
13. Time to Settlement Cutoff
Stage IV (Before Value Date) (open trade)
1. Notional
2. Payment Instruction Precedence
3. Potential OD rates
4. Mark-to-Market
5. Fail Recovery Time
6. Client Sensitivity
7. Regulatory Risk
8. Liquidity Risk
9. Client Operation Infrastructure
10. Country Operating Infrastructure
11. Operator Stage I
12. Operator Stage III Approver
13. Master Agreement
14. Payment Instruction Precedence
Stage V (Before Terms Confirmation)
1. Elapsed Time
2. Historical Volatility
3. Deviation from Average Volatility
4. Mark-to-Market
5. Trader Error Ratio
6. Client Sensitivity
7. Sales Error Ratio
8. Outgoing Confirm Method
9. Template Precedence
10. Incoming Confirm Method
11. Product Complexity
12. Master Agreement
Operator State II
28. From Tools for Risk Analysis to OpVaR
[Figure: process flow. Stage labels: Exposure Base (EIs); Calculation of Actual PEs & LGEs (appears twice); Calculation of OP VaR; Reporting. Other labels: Internal Loss History, Industry Loss History, Scenario Analysis, Stress Scenario, Key Risk Drivers (KRDs), Actual Loss Rates, Projected Loss Rates, OpVaR, RAROC, OpVaR Report.]
30. OpRisk Management and Related Disciplines
[Figure: diagram relating Operational Risk Management to neighbouring disciplines. Labels include: Total Quality Management, Statistical Process Control, Facilities Management, Contingency Planning, Actuarial Loss Model, Insurance Management, Financial Risk Management, Reliability Engineering, Operations Management, Audit, Internal Control, Processes & Organization.]
31. Proper Design of Incentive Systems
• Incentives for the company
– if company knows that risky assets will be sold there is less of an incentive to assess the risk carefully
• Incentives for employees
– immediate bonuses for the employee versus long term risk for the company
32. Black Swan Events − Mitigants
• Not exposing oneself to large losses.
– For instance, only buying options (so one can at most lose the premium), not selling them.
• Performing sensitivity analysis on assumptions
– This does not eliminate the risk, but identifies which assumptions are key to conclusions and thus merit close scrutiny.
• Scenario analysis and stress testing
– These are widely used in industry; they do not include unforeseen events, but emphasize various possibilities and what one stands to lose, so one is not blinded by the absence of losses thus far.
• Using non-probabilistic decision techniques
– While most classical decision theory is based on probabilistic techniques of expected value or expected utility, alternatives exist which do not require assumptions about the probabilities of various outcomes, and are thus robust. These include minimax, minimax regret, and info-gap decision theory.
33. Operational Risk Management Framework
Management Agenda
• Purpose & objectives
• Value proposition
• Risk “appetite,” culture
• Policies & guidelines
Operational Risk Methodologies
• Business Continuity Management
• Technology Risk Assessment
• Preventive, Detective Controls, Risk Mitigation
• Control Self Assessment
• Risk Measurement/Quantification Methods
Understanding Operational Risk
• Operational Risk Taxonomy
• Key Risks and Trends
• Basel II Best Practices/Standards
• Industry standards
• Regulatory standards
Risk Organisation Structure
• Oversight structure
• Roles & responsibilities
Management Information System
• ORM system architecture
Unified Risk Management Process
34. THE END
Enoch CHNG
Office: Rm 4003, SIS Phone: +65 68085155
Email: enochchng@smu.edu.sg