What financial institutions know about operational risk

What do financial institutions know about operational risk?

Enoch CHNG
Associate Professor of Information Systems (Education) &
Director, SIS Programs in Financial Services (TOPS)
School of Information Systems
Singapore Management University

8/3/2012 1

Outline

• Learning from Mishaps
– Examples of Operational Failures in Financial Industry
– Lessons Learnt

• Defining Operational Risk

• Managing Operational Risk
– Assessment of Operational Risk – General Considerations
– Process Design and Mapping, Reliability Theory, etc
– Ops Risk and Total Quality Management (TQM)

• Basel III and Measurement of Operational Risk

• Concluding Remarks

8/3/2012 2

Examples of Operational Failures in Finance

• Barings (Singapore, 1995)
• Sumitomo (New York, 1996)
• NatWest (London, 1997)
• LTCM (Greenwich, 1998)
• HIH Insurance (Sydney, 2000)
• Cantor Fitzgerald (New York, 2001)
• Allied Irish Bank (Baltimore, 2002)
• Mizuho (Tokyo, 2005)
• Société Générale (Paris, 2007)
• TD Ameritrade (January 2008)
• UBS rogue trader scandal (London, Sep 2011)
• JPM Hedge Loss (London, 2012)

8/3/2012 3

Features of Mishaps

LTCM NatWest Sumitomo Barings
?
1998 1997 1996 1995

Loss (USD
4.4 0.2 2.6 1.3 ?
bn)

Loss in %
44% negligible 45% 100% ?
cap

Time to
Fast 3 yrs 10 yrs 3 yrs ?
mishap

Market External Mistaken
Trigger Margin call ?
conditions audit sending

Loss events with a long time-lag usually require an additional external trigger
event to make the losses apparent.
8/3/2012 4

Rogue Trading

• Frequency and Severity • Sequence of Events
– Quite frequent and very severe. – Usually starts small and very
innocuous (cover up of an error),
but then may continue for many
• Where does it occur? years (while expanding) before
– US, Europe, Singapore, South being discovered.
America, … – Warning signs are not heeded.
– Far-flung branch office. – Management inaction.

• Profile • How to avoid?
– Relatively young or star traders. – Internal audits and controls (with
– Gambling persona. separate lines of reporting),
– Seemingly profitable business unit. regular internal transfers,
– Internal pressure to bring in high mandatory vacations, …
returns.

8/3/2012 5

Human Error

• There are many examples of very common
human errors (example in FX: USD-Euro vs
Euro-USD trade).

• Frequency and Severity – quite often and
severe.

• Important factors: Experience, Workload. Why does a human error
much more often result
• How to avoid: Well designed information in a loss rather than in a
systems with error-correcting feedback,
gain ?
additional checking by independent people.

• Complexities in information system design:
– Requirements of having real time feed of
market data. (Not easy, especially not when
stock is very lightly traded or when trading is
very volatile).
– Information may have to be fed into a neural
net in order to detect anomalies. Neural net
has to provide feedback in real time.

8/3/2012 6

Outline

– Lessons Learnt





8/3/2012 7

One Way of Looking at Risks in Banking

Equity Risk Specific Risk
Trading Risk
Market Risk Interest Rate Risk
Gap Risk General
Currency Risk Market Risk
Credit Risk
Commodity Risk
Liquidity Risk
Banking Transaction Counterparty
Risks Risk Risk

Operational Risk Portfolio
Concentration Issuer Risk
Risk
Legal Risk
Money Transfer Risk
Reputational
Risk Value Error Risk

Systems Risk

Clearance Risk

Model Risk

8/3/2012 8

Definition of Operational Risk

• Early work resorted to a negative definition of 'other risks' – all risks
except credit, market and interest rate risk in the banking book.

• Latest definition:
– The risk of loss resulting from inadequate or failed internal processes, people
and systems or from external events, including those adversely affecting
reputation, legal enforcement of contracts and claims.
– Excludes strategic, business and systemic risk. However they are often
captured simply as operational risk.

Operational Risk ≠ Total Risk – Market Risk – Credit Risk

8/3/2012 9

Operational Risk Varies by Business Types

8/3/2012 10

Causal Analysis and Risk Management

Symptoms Risk Mitigation

Causally related
events

Root cause events Risk Prevention

8/3/2012 11

Outline

– Lessons Learnt





8/3/2012 12

Operational Risk Taxonomy

Employee
Internal Acts
Relations

Employment
Safe environment -
People Practices &
workers & 3rd party
Workplace Safety

Clients, Products
and Business Diversity &
Practices discrimination

Execution, Delivery
Processes & Process
Management

Systems IT and Utilities

Damage to or Loss
of Assets
External Events

External Acts

8/3/2012 13

Basic Operational Risk Factors

• People risk •
•
Incompetency
Fraud, …

• Process risk • Model/methodology error
• Mark-to-model error, ….
– Model risk
• Execution error
– Transaction risk • Product complexity
• Booking error
– Operational control risk • Settlement error
• Documentation/contract risk, ...

• Exceeding limits
• Technology risk • Security risks
• Volume risks, …

• System Failure
• Programming error
• Information risk
• Telecommunication failure, …

8/3/2012 15

Operational Risk Management

Objectives “Must Have” Elements

• To generate a broader understanding of • An agreed conceptual framework that
operational risk issues at all levels of the firm provides:
that touch on key areas of risk. – a definition of operational risk;
– identification of the key components of
• To enable the organization to anticipate risks operational risk;
more effectively. – the role and responsibilities of the function;
– its organizational fit within risk management and
the firm as a whole;
• To change behavior in order to reduce
– its operating principle
operational risk and to enhance the “culture of
– its approach to measurement; and its approach to
control” within the organization. reporting results.

• To provide objective information so that
• A systems and data architecture that provides
services offered by the organization take timely, comprehensive and consistent
account of operational risks. information for decision taking and risk
evaluation.
• To provide support in ensuring that adequate
due diligence is shown when carrying out
mergers and acquisitions. • The resources, i.e. management and people.

• To provide objective measurements of • The necessary tools, e.g. techniques for
performance. measurement.

• To avoid potential catastrophic losses.

8/3/2012 16

Framework (giving a view both backwards and forwards)

8/3/2012 17

Three Lines of Defense Model

Area Purpose Role
3rd Line of Defense

Independent
Audit function will Provide independent assurance on

Assurance
Provide independent challenge
challenge the key Internal/External Audit key controls and reporting &
processes employed
& assurance
overall or policy framework
by the business

Established Provide the infrastructure and the
committee OR Policies OR Framework & Reporting
analysis to aid oversight and challenge

Governance & Oversight
Endorsed Built
2nd Line of Defense

structures and in respect of OR policies,
reporting
framework and reporting

Ops risk function acts
as overall owners of
Oversight & Provide oversight & challenge
OR policy and control OR Managers
Challenge Provide expert advice
assurance processes
1st Line of Defense

The business is

Manage OR
responsible for day to Establish a suitable risk & Identify risks improvement actions,
The Business
day risk management, control environment. Implement controls, Reporting on
Front Line
and testing of Test key controls progress/incidents
controls (Sox)

8/3/2012 18

Potential Risk/Failure Points in Insurance

Standard Fraudulent Processing
Expenses Expenses Errors

The significant sources
Covered of operational risk are
Losses
implicitly included in
regulatory and rating
Fraudulent Total Expenses agency capital models.
Total Losses
Losses

Processing
Errors
Underwriting Financial
Errors Statements

Policy
Premium Regulatory /
Pricing Rating Agency
Total Premium Capital Models
Processing
Errors

8/3/2012 19

Sequential Activities and its Relationship to Reliability Theory

• When a number of activities in a product has to be done in series, then the
“survival” probabilities have to be multiplied.
– Assume 3 activities in series; each one having a probability of 0.9 of being done
correctly. The probability of the entire product done correctly is
0.9 x 0.9 x 0.9 = 0.73

• Example
– Independent Verification
o Independent verification of all activities reduces probabilities of errors and potential fraud.
 What is optimal redundancy?

– Parallel Checking (Independent)
o If an activity has a 0.1 probability of error, an independent verification with the same
probability of error, reduces the overall error rate to 0.01.
o If the parallel activity is negatively correlated with the first activity, then overall error rate is
even lower; if it is positively correlated with the first activity, then it is higher than 0.01.

8/3/2012 20

Why TQM or 6-Sigma?

Size of Operation Learning from Other Industries

• Bank of America has to process daily • From the Manufacturing industry:
approximately 30,000,000 checks. – Shingo systems (Poka-yoke systems)
The number of checks not processed – Statistical Process Control (SPC)
correctly is less than 100. – Deming’s 14 points

• A major investment bank in NY • From the Aviation industry:
processes daily approximately – Near-Miss reporting systems
10,000 Forex trades. The number of – Checklists
trades with minor errors less than
100. The number of trades with a
medium size error less than 1. • From the Health Care Industry:
– Note: each trade may be subject to a – Second opinions
number of amendments or – Knowledge system software
exceptions

8/3/2012 21

Variations/Variability

• Process variability is inevitable
In control Not in control
– Human variability
– Machine or System variability
Assume process is
OK Type II error
• How much variability is too much? OK

– Assignable variations
o Can be traced to a specific reason
Take corrective
o Should be eliminated Type I error OK
action
– Natural or random variations
o Form a pattern that can be described
as a distribution
o We say that the process is “in control”
when there are only natural variations

8/3/2012 22

Specification Limits vs. Performance Limits

An Undesirable Situation A Very Undesirable Situation

performance performance

specification
specification

A Vulnerable Situation A Very Desirable Situation

performance performance
specification specification
8/3/2012 23

Outline

– Lessons Learnt





8/3/2012 24

How is Operational Risk Measured?

• Quantitative Approach
– Statistical
– Historical  Too rigid
– Internal/External Failures  Relevancy?
– Monte Carlo Simulation

• Qualitative Approach
– Based on self-assessments

 Too judgmental
• Either approach on its own does not tell  No reference points
the whole story

8/3/2012 25

Basel III – Operational Risk

• Basic Indicator Approach (BIA)
– The operational risk capital charge under BIA is calculated as a fixed percentage of the
average over the previous three years of positive annual Gross Income (GI).
– Percentage is currently set at 15%

• Standardized Approach (SA)
– Banks activities are divided into 8 Business lines (Corporate Finance, Trading, Retail
Banking, etc.)
– Each Business line has its own GI; again we look at the GIs over the last three years.
– The capital charge for each business line is multiplied by a factor that is specified for
that business line.
– Factor for each business line is somewhere between 12 and 18%.

• Advanced Measurement Approaches (AMA)
– the Internal Measurement Approach (IMA)
– the Score Card Approach (SCA)
– the Loss Distribution Approach (LDA)

8/3/2012 26

Basel III Specific Criteria

• Supervisory guidelines have been established for the Advanced
Measurement Approach governing 33 principles in 4 separate categories.
Supervisors will assess banks against each of these guidelines.
Governance Data & Reporting (cont’d)
1. Roles and responsibilities 18. External loss data policy
2. Board of Director oversight 19. Management review of external data
3. Appropriate resources 20. Thresholds
4. Independent function 21. Boundaries
5. Risk and Exposure reporting
6. LOB responsibility Environment
7. LOB alignment with firm-wide policy 22. Business environment and control factors
8. Firm-wide policies and procedures 23. Comparison of loss experience
24. Scenario analysis policy
Data & Reporting
9. Firm-wide exposure reporting Capital Measurement
10. Senior management reporting 25. Analysis framework
11. Internal controls minimum standards 26. Documented assumptions
12. Data sufficiency 27. Calculated elements
13. Definition 28. Treatment of EL
14. Collection and modification standards 29. Diversification / correlation assumptions
15. Loss history time series 30. Insurance offset
16. Data mapping 31. Data management
17. Loss data capture policy 32. Verification
33. Independent testing

8/3/2012 27

Variables In Foreign Exchange Trade

Stage I Stage II Stage III Stage IV Stage V
(Before order Match or (Before Financial (Before Settlement (Before Value Date) (Before Terms
Broker Verification) Confirmation) Confirmation) (open trade) Confirmation)

1. Elapsed Time 1. Elapsed Time 1. Notional 1. Notional 1. Elapsed Time
2. Historical Volatility 2. Historical Volatility 2. Potential OD Rates 2. Payment 2. Historical Volatility
3. Deviation from Average 3. Deviation from 3. Master Agreement Instruction 3. Deviation from
Volatility Average Volatility (Provisions for Precedence Average Volatility
4. Mark-to-Market 4. Mark-to-Market Netting) 3. Potential OD rates 4. Mark-to-Market
5. Trader Error Ratio 5. Trader Error Ratio 4. Mark-to-Market 4. Mark-to-Market 5. Trader Error Ratio
6. Client Sensitivity 6. Client Sensitivity 5. Fail Recovery Time 5. Fail Recovery Time 6. Client Sensitivity
7. Sales Error Ratio 7. Regulatory Risk 6. Client Sensitivity 6. Client Sensitivity 7. Sales Error Ratio
8. Execution Method 7. Regulatory Risk 7. Regulatory Risk 8. Outgoing Confirm
9. Client Operating 8. Liquidity Risk 8. Liquidity Risk Method
Infrastructure 9. Client Operating 9. Client Operation 9. Template
10. Incoming Confirm Infrastructure Infrastructure Precedence
Method 10. Country Operating 10. Country Operating 10. Incoming Confirm
11. Outgoing Confirm Infrastructure Infrastructure Method
Method 11. Operator Stage II 11. Operator Stage I 11. Product Complexity
12. Outgoing Conf 12. Product Complexity 12. Operator Stage III 12. Master Agreement
Delay/Elapsed Time 13. Time to Settlement Approver Operator State II
13. Internal Credit Cutoff 13. Master Agreement
Rating 14. Payment
14. Sales Error Ratio Instruction
Precedence

8/3/2012 28

From Tools for Risk Analysis to OpVaR

Calculation of Calculation of
Exposure Calculation of
Actual PEs & Actual PEs & Reporting
Base (EIs) OP VaR
LGEs LGEs

Internal
Loss
History

Industry Actual Project-
Loss Loss ed Loss OpVaR
History Rates Rates RAROC

Scenario
Analysis

Stress OpVaR
Scenario Report
Key Risk
Drivers
(KRDs)

8/3/2012 29

Outline

– Lessons Learnt





8/3/2012 30

OpRisk Management and Related Disciplines

Total Quality
Facilities
Statistical Management
Management
Process
Control
Contingency
Planning

Actuarial Loss
Model

Insurance Operational Risk Financial Risk
Management
Management

Reliability Risk Processes
Engineering Operations &
Management Audit Organization

Internal
Control

8/3/2012 31

Proper Design of Incentive Systems

• Incentives for the company
– if company knows that risky assets will be sold there is less of an incentive to
assess the risk carefully

• Incentives for employees
– immediate bonuses for the employee versus long term risk for the company

8/3/2012 32

Black Swan Events − Mitigants

• Not exposing oneself to large losses.
– For instance, only buying options (so one can at most
lose the premium), not selling them.

• Performing sensitivity analysis on assumptions
– This does not eliminate the risk, but identifies which assumptions are key to
conclusions, and thus meriting close scrutiny.

• Scenario analysis and stress testing
– These are widely used in industry; they do not include unforeseen events, but
emphasize various possibilities and what one stands to lose, so one is not blinded by
absence of losses thus far.

• Using non-probabilistic decision techniques
– While most classical decision theory is based on probabilistic techniques of expected
value or expected utility, alternatives exist which do not require assumptions about the
probabilities of various outcomes, and are thus robust. These include minimax, minimax
regret, and info-gap decision theory.

8/3/2012 33

Operational Risk Management Framework

Operational Risk Management Framework

Management Agenda Understanding Operational Risk
• Purpose&objectives • Operational Risk Taxonomy
• Value proposition • Key Risks and Trends
• Risk “appetite,” culture
• Basel II Best Practices/Standards
• Policies & guidelines
Operational Risk Methodologies • Industry standards
• Business Continuity Management • Regulatory standards
• Technology Risk Assessment
• Preventive, Detective Controls, Risk Organisation Structure
Mitigation • Oversight structure
• Control Self Assessment • Roles & responsibilities
• Risk Measurement/Quantification Management Information System
Methods • ORM system architecture

Unified Risk Management Process

8/3/2012 34

THE END

Enoch CHNG
Office: Rm 4003, SIS Phone: +65 68085155
Email: enochchng@smu.edu.sg

8/3/2012 35

What financial institutions know about operational risk

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a What financial institutions know about operational risk

Semelhante a What financial institutions know about operational risk (20)

Último

Último (20)

What financial institutions know about operational risk