
Building a Modern Risk Management Department Seminar

Learn about the different types of operational risk in financial services and how to effectively manage them. Explore the components and measurement of operational risk, as well as its importance in the modern risk management department.

tpoling

Presentation Transcript


  1. Building a Modern Risk Management Department Seminar Financial Services Volunteer Corps (FSVC) January 19 – 22, 2009 Tripoli, Libya

  2. Day Two Period 11 AM to 12:25 PM

  3. What is Operational Risk?

  4. Specific Risk Types • Credit Risk • The risk that a financial institution makes a loss as a result of less than full payment of an obligation • Market Risk • Risk of loss due to changes in market prices or variables • Operational Risk • Historically: “Other risks” • More precisely (Basel II): “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”

  5. Typical “Economic” or “Risk” Capital Allocation for Risk • Market Risk: 10 - 30% • Credit Risk: 50 - 60% • Operational and Business Risks: 10 - 30%

  6. A Consensus Definition of Operational Risk “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events“ This (Basel II) definition includes legal risk but excludes strategic and reputational risk

  7. Definition of Operational Risk (diagram labels: Risk Event, Cause, Effect) Operational risk is the risk of direct or indirect loss due to failed or inadequate processes, people or systems, or exposure to external events. Risk is articulated in terms of three components: • A risk event is the observable situation or incident of risk. There are seven categories of risk events under which all operational risk can be classified. • Cause is the business condition that allowed the risk to occur. As mentioned in the definition above, causes generally fall into two categories: internal problems or external matters such as exposure to external environment changes. • Effect is the consequence that the risk has. The effect can be measured in a qualitative (high, low) or quantitative manner (dinar amount, number of transactions impacted).

  8. Categories of cause, risk event and effect are utilized to assist in risk identification and assessment Basel uses 7 categories of operational events that have been commonly adopted by the industry: • Execution, delivery and process management • Clients, products and business practices • External fraud • System failures • Internal fraud • Employment practices and workplace safety • Damage to physical assets Some companies include legal, reputation and/or compliance within the scope of operational risk management.

  9. Operational Risk • It’s a traditional Type of Risk • Often equated with “Common Sense” • Often equated with “Operations Risk” • Often thought of as Back-Office Risk • Historically, it’s the subject of unclear thinking WHY ???

  10. Here’s Why • Not defined • No taxonomy of components • Not measured; no data • No benchmarks • No specified language/“jargon” • No formal reporting • No specific regulatory framework • No specialized managers • No credentials • No specific training

  11. Basel II – Operational Risk • Main Components • Measurement • Management

  12. Role of Measurement • You can’t manage what you can’t measure • Now have generally understood, quite specific, categories of Operational Risk • Front, middle, back-office sources • Internal, external sources • Banks now have data collection process and event loss & frequency databases • Early stage histories / time series • Access to external databases • Management reporting: detailed & consolidated • Usually data by product line, geography, legal entity • Increasingly with benchmarks and peer analytics • Data is now being intensively reviewed

  13. It looked like we were on our way Sound Practices, Principle 5: Banks should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.

  14. Management Today (areas: Personnel, Policies, Reporting, Training) • Product Lines / Lines of Business have Ops Risk staff • Major geographies have Ops Risk staff • Risk Management Organization has Ops Risk staff • Beginning recognition as risk specialty with a body of knowledge • Issued and adopted • Used by Internal Audit and Supervisory Reviews • In place • Early stage but improving quickly • Conferences - we are all here today • Tools

  15. Mindset Inherent Risk Controls Residual Risk

  16. Risk Management Itself: Evolution and Intelligent Design Until now: • Credit and Market Risk Management has been focused on customers and counterparties. • Operational Risk Management has been focused on internal factors and events. • This is a primitive structure • This is the profession of “control” • “Risk Management” includes “control”, but great value is still to come from an external focus. The big payoff is in managing the risk : reward equation.

  17. The Importance of Operational Risks • Deregulation & globalisation of financial services • Activities of Banks (& their risk profiles) more diverse & complex • Growing sophistication of financial technology • Recent experience makes it clear that risks other than credit and market risks can be substantial: • Life insurance & pension mis-selling (U.K.) • Underwriting/research conflicts (U.S.) • Madoff Ponzi Scheme (Global) • “Moral Hazards” (Various) • Satyam Computer (India) • Barings (Singapore + U.K.) • Enron & Worldcom (U.S.) • 9/11 (U.S.) • Allfirst (Allied Irish) (Ireland) • Parmalat (Italy)

  18. Whichever way you look, operationally we are becoming more complex and inter-dependent… • Statutory, Regulatory & Contractual • Economic, Cultural & Political • Business strategy • Partnering, alliances, outsourcing & joint ventures • Diversification • Globalisation • Technology • Concentration

  19. …resulting in greater focus on Operational Risk by financial services providers, government & others… • Financial Services (Banks, Insurance Companies, Fund Managers) • Specialist Operational Risk functions • Framework, policy, measurement and monitoring • Capital allocation for operational risk – now happening • Loss, event and near-miss data collection & analysis • Extensive, ‘what if’, scenario analysis • Business continuity testing and crisis management training • Executive and Board Risk Committees • Government • Consumer protection • Corporate Governance • Basel II • Standards & Guidelines • Others • Reputation indices • Rating Agencies • Sustainability

  20. DATA & TOOLS

  21. Operational Risk Tools (diagram labels: “General use of:” and “Use of:”) • Self Assessments • Key Risk Indicators • Scenarios • Loss Databases • Line of Business Mapping • External Benchmarking • Self Assessment / Audit Congruence

  22. SELF-ASSESSMENTS

  23. Risk and Control Self-Assessments are a key component of an Operational Risk Framework (diagram labels: Phase 1, Phase 2, Phase 3) Objective • Framing the Business Context: Business Areas describe their objectives and processes • Risk Identification: Business Areas identify risks to business objectives and associated details • Risk Assessment: Business Areas assess identified risks • Risk Response Strategy: Business Areas determine response strategies and mitigation plans Results • Business Unit Scope • Business Objectives • Business Processes • Business Process Maps (high-level) • Risk Events • Potential Causes • Potential Effects • Key Controls • Categorization • Net Likelihood and Impact Assessment • Control Effectiveness Assessment • Risk tolerance • Risk response decisions • Initial mitigation strategy Controls • Risk Management Committee reviews scope to ensure coverage • QA sessions with RM Committee • Senior Business Leader sign-off • Senior Business Leader sign-off of deliverables • QA sessions with Risk Management Committee • Program Office facilitates cross unit risk identifications

  24. Self Assessments – How They are Used • Business Units/Lines of Business • Identify and mitigate operational risks • Report control deficiencies and track their remediation • Monitor changes in the control environment • Assess the operational risk profile • Manage operational risk • Regulatory compliance • Process reengineering • Risk Quantification • Qualitative adjustments to operational risk capital

  25. A strategy for risk response is determined for each risk • Accept: Risk is low or costs to further mitigate outweigh the risk • Mitigate: Risk is outside risk appetite and/or cost beneficial to mitigate • Reduce – Institute actions to create new controls, to improve control effectiveness, to re-engineer processes, etc. • Share – Share risk exposure through the purchase of insurance policies, etc. • Reject – End product or service offerings or cease execution of certain processes, thereby eliminating the associated risks • Monitor/Assess: Requires further research before a response decision is made

  26. Risk appetite highlights unacceptable risks [Figure: HLOB net risk map. Risks 01 to 12 are plotted by Likelihood (from “10+ Times a Day” down to “> One every 100 Years”) against Impact (in LYD 1,000, from LYD 1 to LYD 100,000).]

  27. Revisit: Why Adopt an RCSA Program? • Reduced losses and reputational damage - improved likelihood of achieving business objectives and greater business resilience • Better business decisions based on strong risk management analytics • Identification of potential opportunities for control reductions/efficiency improvements • Effective board reporting, based on enterprise-wide aggregation of risks, comparative and trend analyses • Increased risk awareness across the organization & better communication about risk • Safety and soundness objectives

  28. But, many firms struggle to achieve the desired “return on investment” from RCSAs • Business not engaged, low buy-in • Cannot flexibly aggregate results • Adds to already complex set of control review programs businesses must manage • Does not produce strong data for management decision making • Does not identify potential overinvestment in controls • Sustained risk management culture not realized

  29. Key Risk Indicators (KRIs)

  30. What are Key Risk Indicators (KRIs)? KRIs are a set of measures used to monitor risks and controls, and that are hopefully predictive of changes in the operational risk profile and/or the potential for operational events. Key objectives of KRIs include: • Provide early warning signals • Used to estimate levels of risk • Designed to show risk level changes and trends • Enable actions that prevent material loss or incident • Used in escalation criteria for risk management

  31. Key Risk Indicators are a subset of overall business metrics (diagram labels: Key Business Indicators, Key Performance Indicators, Key Risk Indicators) • Key Business Indicators • Top level metrics associated with business performance (e.g., earnings per share, revenue growth, charge-offs, cost per account, etc.) • Key Performance Indicators • A broader set of indicators aligned with performance of a business unit or process • Typically viewed in a scorecard • Includes efficiency metrics (e.g., productivity) • Key Risk Indicators • Can be aligned with a process or risk event • Typically viewed in a dashboard • More frequent, predictive, and actionable in nature

  32. Establishing Key Risk Indicators involves six major steps • 1. Inventory Existing Metrics: What existing metrics could be potential KRIs? • 2. Assess KRI Gaps: How well do these existing metrics cover the risk drivers? • 3. Design KRIs: What new KRIs do I need to develop to address any gaps? • 4. Validate KRIs: How well do each of these KRIs correlate to the risk event? • 5. Develop KRI Dashboard: What type of graphical report should I use to monitor these KRIs? • 6. Establish KRI Control Plan: What actions do I need to take to implement this KRI?

  33. How do I implement Key Risk Indicators in my area • Identify your area of focus (process- or risk event-based) • Risk events identified above your risk threshold • Business processes with the highest risk exposure • Determine your project strategy for KRI implementation • Stand-alone initiative • Part of a larger business metrics redesign project • A workstream as part of a risk mitigation project in that area • Identify appropriate resources and expand their KRI skills as needed • Leverage the KRI methodology to develop and validate your Key Risk Indicators • Change control: Periodically revisit your KRIs, trigger limits, and escalation procedures

  34. Event Collection

  35. The goal is to improve the understanding of operational breakdowns and reduce their impact Through the consistent categorization and analysis of these events we will increase our ability to prevent reoccurrences of operational events. Other benefits include: • Identify “hot spots” where event frequency/impact exceed expected error rates • Improve the accuracy of our self-assessments and subsequent allocation of resources to address these risks • Quantify the potential benefits of risk reduction projects • Provide a tool for sharing learning across the bank • Support the modeling of capital held against operational risk

  36. A thorough process collects detailed information about operational events, their causes, effects, and resolution to support analysis Event Details • Text description of event, including cause, effect, and actions taken to recover customers and process • Business Areas affected • Business Area responsible for event • Process causing event • Date(s) of occurrence, detection, resolution, containment, and date reported Effects • Financial effects tracked include the cost to fix, direct losses, impact to future revenue streams, and increased charge-offs • Customer effects include the number of parties impacted, type of customer (applicant, customer, solicitee) and how they were affected • Regulatory effects include the specific regulations that may have been impacted by event Causes • Standardized causes are tracked for each event • Multiple contributing causes and 1 root cause are tracked Resolution • Detailed steps taken to recover the customers or money • Detailed steps taken to recover the process • Does not include long term mitigation.

  37. A data collection strategy needs resources and control Key components of a data collection strategy: • Determine responsibility for each risk category in each business area or staff function • Provide interfaces to extract as much data as possible from production systems • Many events will not be captured, provide for individual data entry • Allow business area “approval” prior to release • Set up G/L codes for each event type in each business area/function. Enforce usage • Central op risk group reviews events, categorization and descriptions • Events need to pass through loss database to get paid and get recorded in G/L • Reconcile G/L to loss database to assure that no events bypassed the loss database • Analyze the sources of events to learn from experience • Provide access to the database to business areas/functions • Provide regular reporting to the businesses and senior management

  38. Using External Data • Supplement internal data • Fill in distributions for line of business and product type where insufficient data exists • As a direct input into the capital model • A source of information for building scenarios • Supports risk management in many ways: • Risk identification • Control assessments and development • Planning and scenario analysis: if it has happened before elsewhere, it could happen to this firm Note: Discussion today of the use of external data is necessary to understand the theory. External data is often not available in countries such as Libya.

  39. Scenario Analysis

  40. Scenario Analysis

  41. Expected Loss/Unexpected Loss: Stylized Representation of Risk Quantification [Figure: distribution of Aggregate Losses against Probability, marking the Mean, EOL, UOL, the 99.9% level and Operational Risk Capital.]

  42. Expected Loss/Unexpected Loss Expected Loss (EL) • High frequency, low value events • Data typically readily available at bank • Banks view Expected Losses as a cost of business that must be managed • Varying measures – ‘observed’ and statistical (mean, mode, median) • Estimating EL is a part of the budgetary process • EL is a meaningful number, but not usually significant when compared to unexpected losses Unexpected Loss (UL) • Low frequency, high value events – tail events • Data typically not available internally • Data must be supplemented (external data and/or scenario analysis) • Largest losses will drive capital quantification process

  43. Payment Systems Risk

  44. Payment Systems Risk • Most frequently: • Cash • Securities • Flows • One way • Exchange of value • Depositories • Risks • Finality • Simultaneity • Recoverability • Complications • Crossborder • Cross time-zones • Cross currencies • Real time/Gross versus Net Settlement • Physical vs. Clearing House/Electronic • Central Counterparties
