OPERATIONAL RISK Issues & Challenges March 9, 2007 Partners in Risk & Compliance

2 Table of Contents ORM Framework and its Components Single Biggest Challenge Self Assessment – Issues & Challenges KRI – Issues & Challenges LDM – Issues & Challenges AMA – Issues & Challenges

Partners in Risk & Compliance 3 ORM Framework - Components 4.Risk Mitigation Programmes Integrated Reporting ( SA, KRI & LDM), New Product & Activity ( including Outsourcing) BCP/DRP Risk Causes Process People Systems External Event Frequency 99.99% Confidence level CATASTROPHIC LOSS Effect Severity EXPECTED LOSS UNEXPECTED LOSS RISK Risk Governance Operational Risk Definition/ Governance/ Policies 1.Self Assessments (SA) Strategic Diagnostic Study Risk & Control Self Assessment (RCSA ) Loss Provisioning Gross Income Allocation to calculate capital under SA Loss Data Capture Loss Data Analysis 3.Loss Data Management (LDM) Risk Management 2.Key Risk Indicator Key Risk Indicator (KRI) AMA Capital calculation using LDA, SBA & HMA Internal Control Supervision Risk Measurement

Partners in Risk & Compliance 4 ORM Framework - Components 4.Risk Mitigation Programmes Integrated Reporting ( SA, KRI & LDM), New Product & Activity ( including Outsourcing) BCP/DRP Risk Causes Process People Systems External Event Frequency 99.99% Confidence level CATASTROPHIC LOSS Effect Severity EXPECTED LOSS UNEXPECTED LOSS RISK Risk Governance Operational Risk Definition/ Governance/ Policies 1.Self Assessments (SA) Strategic Diagnostic Study Risk & Control Self Assessment (RCSA ) Loss Provisioning Gross Income Allocation to calculate capital under SA Loss Data Capture Loss Data Analysis 3.Loss Data Management (LDM) Risk Management 2.Key Risk Indicator Key Risk Indicator (KRI) AMA Capital calculation using LDA, SBA & HMA Internal Control Supervision Risk Measurement

Partners in Risk & Compliance 5 Single Biggest Challenge “Operational risk is very different” Market RiskCredit RiskOperational Risk Risk Position Quantifiable exposure Yes Difficult Exposure measure Position; risk sensitivity Money lent, Potential exposure Difficult – no ready equivalent position available Completeness Portfolio completeness Known Unknown Context dependency & data Context dependencyLowMediumHigh Data frequencyHighMediumContinuous Relevance Measurement & Validation Applicable for departments Treasury and Market risk Credit Department Through out the Bank Testing Adequate data for back testing Back testing difficult to perform over short term Results very difficult to test over any time horizon

Partners in Risk & Compliance 6 Self Assessment Issues & Challenges Decision for approach: Bottom up vs Top down Rationalizing roles and responsibilities Assigning responsibility and accountability for operational risk without impacting effectiveness and efficiency Overlaps of ORM with other risk control areas such compliance, audit etc Awareness among the employees of the bank with respect to the benefits of operational risk management Creating blame free environment – encouragement to identify lacks in the existing controls

Partners in Risk & Compliance 7 Self Assessment - Top Down Vs Bottom up Pros Easy of Implementation Cons Lacks granularity Pros Offers complete drill down of risk assessment Cons Misses “big picture”

Partners in Risk & Compliance 8 Segregation of Roles & Responsibilities BORM Department 3Department 2Department 1 Operational Risk Compliance Audit RP Direct Reporting Indirect Reporting Working Relationship BORM – Business Operational Risk Manager RP - Representative Business Line

Partners in Risk & Compliance 9 Awareness & Change in Culture Change of culture where people are encouraged to report risks rather than hide it All business units should capture losses in a consistent framework rather than their individual way Carrot / Stick approach Monitoring & Learning A Sense of evolution Purpose A Sense of Direction Capability A Sense of competence Commitment A Sense of identity and values Action

Partners in Risk & Compliance 10 Key Risk Indicators - Issues & Challenges Suitability and relevance of the KRI ( Quality over Quantity) No means to consistently relate the occurrence of Loss events and the location of the problem Plenty of indicative data is available in various MIS, but the relevance is never tested Difficult in implementing across the organisation as it requires an interface with various source systems To always represent a KRI from a system value is challenging, hence finding surrogates and the relevance of surrogates Difficult to compare KRIs across different institutions with different trigger points and risk appetite Difficult to estimate the trigger points of each identified KRI No observable best practice

Partners in Risk & Compliance 11 Relevance of KRI System DownInappropriate reconciliation procedures When a loss happened80%30% System upSystem downTotal Loss No Loss1,0009,00010,000 Total10209,08010,100 P (L) Given system down=80/9080=0.88% P (L) Given system up=20/1020=1.96% When no loss happened90%30%

Partners in Risk & Compliance 12 Interface with source systems and surrogate finding Having Interface with so many systems and also finding the appropriate metric which represents the “key Risk” is a challenge. Finding surrogates to represent “Key Risks” has become a normal phenomenon KRI (May or may not represent the Key Risk which is supposed to be reflected by the indicator) CENTRAL SOURCE SYSTEM ETL layer (for values of KRI) Treasury Kondor Global + Capital Market System Kondor Plus Relationship ( Collateral) Management System (RMS) Loan System Central Liability Tracking System NPA System Murabaha Finance System Letter of Credit System Letter of Guarantee System Accounting System HR System

Partners in Risk & Compliance 13 Loss Data Management - Issues & Challenges Setting up a consistent loss data collection process Creating blame free environment – encouragement to report losses Threshold determination Lack of adequate internal loss history The sanctity of the available data as it is not in sync with the actual booked losses Differentiating between event (loss incident ) and a non event ( near miss) Difference of opinion in defining loss events and near misses Difference of opinion in treating the recovery

Partners in Risk & Compliance 14 Threshold Determination Determining threshold for capture of losses Once a threshold is decided, mostly losses are not reported at the estimated loss amount is just below the threshold amount Not deciding the threshold and capturing all losses is also Herculean as many insignificant events populate the loss database which are irrelevant and already factored in the cost of doing business Different accounting treatment for both loss and recovery and hence the reconciliation problems

Partners in Risk & Compliance 15 Event vs Non Event If the full recovery happens within 5 days ( for example) the event is considered to be a non event Full recovery after 5 days is also considered to be a non event and classified as rapidly recovered loss Different accounting treatment for both loss and recovery and hence the reconciliation problems Many banks also classify the non event as near misses, on the other hand there are banks who independently define near misses and keep it separate from non events Some banks also keep the recovery option open for ever and even if the recovery happens after years it is not included as a loss as it is recovered Lack of consistent guidelines for capture and treatment of internal losses, hence cannot be compared across internationally active banks

Partners in Risk & Compliance 16 AMA Issues & Challenges AMA must use all four input factors: Internal data :  The challenges associated with the collection of internal loss data External Data:  No proper guidance on use of external data  No specific rules for making the external data relevant for the bank Scenario Analysis:  No established market standards  Can be done either by developing internal scenarios or using external scenarios Business Environment & Internal control factors  Not directly integrated in the loss distribution No proper rules or benchmark for validating correlation assumptions among various events Capital figures cannot be compared across banks internationally

Partners in Risk & Compliance 17 Linkages among the Building Blocks Loss Data Mgmt Group Risk Business Unit / Line Management Objectives/Processes Risk Events Self Assessment Key Risk Indicators Controls Test Results Action Plan Analysis & Case Management Control Effectiveness, Testing & Findings Preventing Losses Risk Governance Framework Findings Risk & Control Self Assessment (Bottom up) Strategic Diagnostic (Top Down) Regular Monitoring & Reporting

Thank you Confidentiality clause This document is confidential. No part of it may be circulated or reproduced outside without express approval of Aptivaa Consulting.© Aptivaa Consulting 2007.