Operational Risk: A Multi-Layered Problem Presented to the London Chapter of The Professional Risk Managers’ International Association and International Swaps and Derivatives Association London, England March 7, 2005 Presented by David M. Rowe, Ph.D. Executive Vice President for Risk Management SunGard
Basel Capital Accord – Brief History U.S. Bank Capital Ratios – Depression thru WWII Post-War Recovery thru early 1960s Mid-60s thru Mid-70’s Mid-70s thru Late-80’s
Basel Capital Accord – Brief History Basel 1 Proposed: 1986 Effective: 1988 Credit Risk
Overview of risk weights The Basel I Approach Claim Sovereigns Assessment Corporates Comm. Banks OECDNon-OECD 0%100% 20% 100% OECDNon-OECDAll 50% Multi-National Development Banks All Secured Residential Mortgages Required data could largely be from financial reporting systems.
Basel Capital Accord – Brief History Bank Capital Ratios – Depression thru WWII Post-War Recovery thru early 1960s Mid-60s thru Mid-70’s Mid-70s thru Late-80’s
Basel Capital Accord – Brief History Bank Capital Ratios – Depression thru WWII Post-War Recovery thru early 1960s Mid-60s thru Mid-70’s Mid-70s thru Late-80’s Late-80s forward
Basel Capital Accord – Brief History Basel 1.5 Proposed: 1993 Effective: 1998 Credit Risk + Market Risk Basel 1 Proposed: 1986 Effective: 1988 Credit Risk
Basel Capital Accord – Brief History April, 1993 –Initial “prescriptive” proposal. April, 1995 –Proposed allowing use of internal market risk models for calculation of regulatory capital (subject to supervisory review and approval.) Jan 1, Market risk amendment took effect with internal VaR models as a major source of risk estimates. Basel I Market Risk Amendment
Basel Capital Accord – Brief History Basel 1.5 Proposed: 1993 Effective: 1998 Credit Risk + Market Risk Basel 1 Proposed: 1986 Effective: 1988 Credit Risk Basel 2 Proposed: 1999 Effective: 2007 Credit Risk (Enhanced) + Market Risk (No change) + Op Risk (New) Key sources of required work for affected banks. Op Risk (New)
Men of Influence Jack Welch Long-time CEO of GE W. Edwards Deming
Operational Processes 1. Control & Risk Self-Assessment 2. Key Risk Indicators 3. Loss Data Collection 4. Analytics 5. The Operational Risk Pyramid
Operational Processes 1. Control & Risk Self-Assessment 2. Key Risk Indicators 3. Loss Data Collection 4. Analytics 5. Operational Processes Money Transfer, ATMs, Deposit Processing Statement Preparation Trade Processing Market VaR Calculation Credit Decisions P&L Calculation Front ePI Collateral Manager Adaptiv Reech
Operational Processes 1. Control & Risk Self-Assessment 2. Key Risk Indicators 3. Loss Data Collection 4. Analytics 5. Control & Risk Self-Assessment
The Deming Perspective Special Causes - these are often easily assignable: changes of operator, shift, or procedure, for example. They can often be identified, and sometimes solved by local operators. Common Causes - remain after special causes have been eliminated. They are due to the design, or the operation of the process or system. They may be identified by the operators, but only management authority can eliminate them.
Self-Assessment – One Model Define Process Quality Objectives ( Elective or Mandated) Define Threats to Achievement Document Control Portfolio Evaluate Risk Transfer/Insurance Estimate Residual Risk of Loss Acceptable? Optimal? Yes No Re-examine objectives and/or control design & risk transfer: develop action plan Yes Monitor and Review Periodically No Based on the CARDdecisions, Inc. Model
Operational Processes 1. Control & Risk Self-Assessment 2. Key Risk Indicators 3. Loss Data Collection 4. Analytics 5. Key Risk Indicators
Commensurable - capable of being measured by a common standard. Appropriate - suitable for a particular condition, occasion or place. An important challenge of risk management is balancing the conflicting needs for both commensurable and appropriate risk measures. Commensurable Versus Appropriate Measures
The trade-off between commensurable and appropriate risk measures is quite severe. Unexpected Loss
Operational Processes 1. Control & Risk Self-Assessment 2. Key Risk Indicators 3. Loss Data Collection 4. Analytics 5. Key Risk Indicators (Appropriate Metrics) Staff Turnover Settlement Failures ¥ ? € Computer Breakdowns Customer Complaints Electronic Security Breaches Internal Limit Violations
Time Performance Process is Under Control 68.2% 27.2% 4.3% 0.3%
Time Performance Any One Point in the Red Zone 68.2% 27.2% 4.3% 0.3%
Time Performance Two Out of Three Points in the Orange Zone 68.2% 27.2% 4.3% 0.3%
Time Performance Four Out of Five Points Beyond the Green Zone 68.2% 27.2% 4.3% 0.3%
Time Performance Eight or More Points on One Side of Zero 68.2% 27.2% 4.3% 0.3%
Time Performance Six or More Points With a Common Trend 68.2% 27.2% 4.3% 0.3%
Time Performance 14 or More Points That Oscillate Up and Down 68.2% 27.2% 4.3% 0.3%
Time Performance Eight or More Points Outside the Green Zone 68.2% 27.2% 4.3% 0.3%
Time Performance 15 or More Points Inside the Green Zone 68.2% 27.2% 4.3% 0.3%
Key Risk Indicators (Appropriate Metrics) Define relevant Key Risk Indicators (Risk Management Association) Map these to broad OpRisk causes Compare performance across similar operations Monitor KRIs over time using Statictical Process Control techniques as an early warning system.
Operational Processes 1. Control & Risk Self-Assessment 2. Key Risk Indicators 3. Loss Data Collection 4. Analytics 5. Loss Data Collection
Loss data are not the only, or even the most important, source of early warning signals. Such data are necessary for evaluating the aggregate potential losses from operational failures. They need to be collected using a carefully controlled process to: – Assure reconciliation to financial statements. – Enrich the loss amounts with control failure details.
Loss Database - Workflow Process 1 Line employee (problem owner) accesses via Intranet 1 2 Loss Events are written to the DB. 2 3 Immediate notice to dept. management; triggers action 3 4 Reconciliation with Accounting (Compliance Officer) 4 5 Op Risk Manager does analysis, categorization and events control 5 6 Op Risk Reports are periodically distributed to management 6 Dept. Management
Operational Processes 1. Control & Risk Self-Assessment 2. Key Risk Indicators Analytics 5. Analytics Loss Data Collection
Operational Processes 1. Control & Risk Self-Assessment 2. Key Risk Indicators 3. Loss Data Collection 4. Analytics 5. Analytics Expected loss Unexpected loss Stress loss Loss Distribution Approach EXTERNAL LOSSES
Operational Processes 1. Control & Risk Self-Assessment 2. Key Risk Indicators 3. Loss Data Collection 4. Analytics 5. The Operational Risk Pyramid
Principle 10 - Banks should make… … sufficient public disclosure to allow market participants to assess... (the banks’) operational risk exposure and the quality of … (the banks’) operational risk management... Basel Committee - Sound Practices Principle 3 - Information flows... reporting flows should enable senior management to monitor the effectiveness of the risk management system for operational risk … Principle 6 - Banks should implement… … a system to monitor, on an on-going basis, operational risk exposures and loss events by major business lines … Level 2 - Control and Risk Self-Assessment Level 3 - Key Risk Indicators Level 4 - Loss Data Collection
Three Approaches One Aggregate Indicator (Aggr. Gross Revenue) Basic Indicator Approach RC Op 12% Multiple Indicators (Gross Revenue by Bus. Unit) Standardised Approach RC Op < 12% RC Op << 12% Banks‘ Internal Data and Models Advanced Measurement Approaches Operational Risk Capital Requirement
Advanced Measurement Approaches Internal Measurement Approach Scorecard Approach All AMA‘s include: Controlled collection of loss data Meeting of qualitative regulatory requirements Regulatory review and approval of the capital model Quantitative requirements: multi-year loss data series. Qualitative requirements: periodic review of data quality and a disciplined approach to process quality control. Expected loss Unexpected loss Stress loss Loss Distribution Approach
Comply and minimize the regulatory burden/cost: –Minimize and justify minimum economic/regulatory capital –Don’t want to stand out vs. what everybody else is doing –Avoiding regulatory criticism / regulatory pressure is key These banks tend to use: –LDA (single most important number in terms of bank cost) –Internal LDB (you need to know where you’ve been) –Scenarios (in order to complement analysis where the LDA stops) What Motivation Is Driving ORM Development?
Genuine commitment to change the op risk profile of the organization: –avoid “Wall Street Journal events” –belief that ORM will lead to substantial performance improvement –strong internal conviction how things should be done –Desire and will to make a fundamental cultural change These banks tend to use: –C&RSA (beginning of a cultural change) –Scorecard Appr. (incentives drive desired behaviour) –KRI / KPI
We are where we are - but what measures can warn of potential future events? These banks tend to use: –KRI (as an early warning system) –Formal statistical process control methods –Scenario analysis –Stress-testing –Attempt to correlate losses with early warning indicators. What Motivation Is Driving ORM Development?
Scorecard Approach LDAScenario Analysis LDC Ext. losses Control & Risk SA KRI & Loss Correlation Influence Behaviour Assess Future Potential Risk Comply & Minimize Cost Motivation Data, systems, organizational requirements Business Continuity / DR Motivations and Strategies Functional Layers Identification Assessment Reports Evolution of Approaches Execution Recovery Senior Mgt. Engagement ORM Heatmap
Conclusions The operational risk capital charge began as a means of preventing lower aggregate capital requirements despite lower credit risk capital. Regulators quickly came to see it as a means of forcing improved process control on banks (most of which badly need it.) The OpRisk capital charge is likely to look rather like Pillar II with the teeth of Pillar I. That is, the actual charge is likely to reflect substantial supervisory discretion based on demonstrable improvements in process controls and disciplined execution.