lecture 16 - operational risk management

8/7/2019 Lecture 16 - Operational Risk Management

1/66

Lecture 16

Operational Risk

Management


2/66

A growing desire has emerged to organize thecomponents of operational risk into what

Hubner et al. (2003) call a coherent structural

framework


3/66

Haunbenstock (2003) identifies thecomponents of the operational risk framework

as:

(i) strategy, (ii) process,

(iii) infrastructure, and

(iv) the environment


4/66

Strategy:

development of a risk management strategy; development of risk management culture;

definition of management roles and

responsibilities; ensuring that an appropriate management

and control structure is in place


5/66

The risk management framework: Process

The process involves the day-to-day activitiesrequired to understand and manage operational risk,

given the chosen strategy.

The process consists of

(i) risk and control identification,

(ii) risk measurement and monitoring,

(iii) risk control/mitigation, and (iv) process assessment and evaluation.


6/66

Process : Risk and control identification

Risk identification starts with the definition of operational riskto provide a broad context for potential threats

The best way to identify risk is to talk to people who live with

it on a daily basis

The degree of risk is typically defined as frequency and

severity, rated either qualitatively or quantitatively

Mestchian (2003) suggests a decomposition of operational

risk into process, people risk, technology, and external risk

Then these risk can be identified as low, medium, or high in

different business activities like in Table on the next slide, or

with frequency or severity like in Figure 2, one slide next


7/66

Risk identification


8/66

Risk assessment of activities

a


9/66

ORF : Process - Identification

Risk identification should also include monitoring of theexternal environment and industry trends, as new risks

emerge continuously

(ii) Control identification

The identification of controls is part of the identificationprocess, as it complements the identification of risk.

Controls include:

management oversight,

information processing, activity monitoring,

automation,

process controls,


10/66

segregation of duties, performance indicators

and policy and procedures

The control framework defines the appropriate approach to

controlling each identified risk

(iii) Risk Mitigates

Risk mitigators include

training,

insurance programs,

diversification and

outsourcing


11/66

Insurance, which is a means of risk control/mitigation, istypically applied against the large exposures where a loss

would cause a charge to earnings greater than that

acceptable in the risk appetite

For the purpose of risk identification, the Federal Reserve

System (1997) advocates a three-fold risk-rating scheme that

includes (i) inherent risk, (ii) risk controls, and (iii) composite

risk.

Inherent risk (or gross risk) is the level of risk without

consideration of risk controls, residing at the business unitlevel


12/66


13/66

For example, when weak risk management is applied to lowinherent risk, the resulting risk is low/moderate composite risk

On the other extreme, when strong risk management is

applied to high inherent risk, the composite risk will bemoderate/high

Illustration is given in the figure on next slide


14/66

The FRSs classification of inherent and composite risks


15/66

(iv) Risk measurement As risks and controls are identified, risk measurement

provides insight into the magnitude of exposure, how well

controls are operating and whether exposures are changing

and consequently require attention

The borderline between identification and measurement is

not clear, however, Haubenstock (2003) identifies the

following items as relevant to the measurement of operational

risk a. Risk drivers, which are measures that drive the inherent

risk profile and changes in which indicate changes in the risk

profile


16/66

T

hese include transaction volumes, staff levels, customersatisfaction, market volatility, the level of automation

b. Risk indicators, which are a broad category of measures

used to monitor the activities and status of the control

environment of a particular business area for a given risk

category.

The difference between drivers and indicators is that the

former are ex ante whereas the latter are ex post

Examples of risk indicators are profit and loss breaks, failedtrades and settlements and systems reliability


17/66

c. The loss history: which is important for three reasons: (i)loss data are needed to create or enhance awareness at

multiple levels of the firm; (ii) they can be used for empirical

analysis; and (iii) they form the basis for the quantification of

operational risk capital

d.Causal models: which provide the quantitative framework

for predicting potential losses.

These models take the history of risk drivers, risk indicators

and loss events and develop the associated multivariate

distributions.

The models can determine which factor(s) have the highestassociation with losses


18/66

e. Capital models, which are used to estimate regulatorycapital as envisaged by Basel II.

f. Performance measures: which include the coverage of the

self-assessment process, issues resolved on time, andpercentage of issues discovered as a result of the self

assessment process

(v) reporting Reporting is an important element of measurement and

monitoring


19/66

A Key objective of reporting is to communicate the overall profile of operational risk across all business lines and types of

risk.

There are two alternative ways of reporting to a central

database as shown in Figure

One way is indirect reporting where there is a hierarchy in the

reporting process, which can be arranged on a geographical

basis.

Otherwise, direct reporting is possible where every unit

reports directly to a central database


20/66

a


21/66

Reporting methods: Checklists are probably the most common approach to self-

assessment

Structured questionnaires are distributed to business areas to

help them identify their level of risk and related controls

The response would indicate the degree to which a given risk

affects their areas.

It would also give some indication of the frequency and

severity of the risk and the level of risk control that is already

in place

The narrative approach is also used to ask business areas

to define their own objectives and the resulting risks


22/66

T

he workshop approach skips the paperwork and getspeople to talk about their risks, controls, and the required

improvements

Lam (2003b) identifies two schools of thoughts with regard to

quantitative and qualitative measures of risks

(i) the one believing that what cannot be measured cannot be

managed, hence the focus should be on quantitative tools

and (ii) the other, which does not accept the proposition that

operational risk can be quantified effectively, hence the focusshould be on qualitative approaches


23/66

Lam (2003b) warns of the pitfalls of using one approachrather than the other, stipulating that the best practice

operational risk management incorporates elements of both.

(vi) Risk control/mitigation

When risk has been identified and measured, there are a

number of choices in terms of the actions that need to be

taken to control or mitigate risk

These include (i) risk avoidance, (ii) risk reduction, (iii) risktransfer, and (iv) risk assumption (risk taking)


24/66

Risk avoidance can be quite difficult and may raise questionsabout the viability of the business in terms of the risk-return

relation

A better alternative is risk reduction, which typically takes the

form of risk control efforts as it may involve tactics ranging

from business re-engineering to staff training as well asvarious less extensive staff and/or technical solutions.

Cost-benefit analysis may be used to assist in structuring

decisions and to prevent the business from being controlledout of profit


25/66

a


26/66

a


27/66

a


28/66

People issues

the relevant type and calibre of people areavailable;

there are adequate levels of training anddevelopment of the staff;

the staff have the skill levels that areappropriate to the tasks assigned to them


29/66

Technology issues

adequate systems to support the variousproduct lines;

systems are available for management

information and reporting; there is communication infrastructure to

support the operation;

data warehouses that allow integration and

consolidation of information and data across

the organization;


30/66

tools and systems available for managingmarket risk across the organization

enterprise-wide credit monitoring and creditrisk management systems.


31/66

Themes in risk management framework

T

here are four fundamental themes that are critical forestablishing and maintaining a comprehensive and effective

risk management framework

1 The ultimate responsibility for risk management must be

with the board of directors. They need to ensure that

organization structure, culture, people and systems are

conducive to effective risk management. The requirements

for risk management must be defined and established by

those charged with overall responsibility for running thebusiness


32/66

2. The board and executive managementmust recognize a wide variety of risk types,

and ensure that the control framework

adequately covers all of these. As well as

including market and credit risks, it should

include operations, legal, reputation and

human resources risks, that do not readily

lend themselves to measurement


33/66

3. The support and control functions, such asthe back and middle offices, internal audit,

compliance, legal, IT and human resources,

need to be an integral part of the overall risk

management framework

4. Risk management objectives and policies

must be a key driver of the overall business

strategy, and must be implemented through

supporting operational procedures andcontrols.


34/66

a


35/66

a


36/66

a


37/66

a


38/66

Operational risk can be minimized in a numberof ways: Internal control methods consist of

1. Separation of functions

Individuals responsible for committing

transactions should not perform clearance andaccounting functions

2. Dual entries

Entries (inputs) should be matched from twodifferent sources, that is, the trade ticket and theconfirmation by the back office.


39/66

3. Reconciliations

Results (outputs) should be matched from different

sources, for instance the traders profit estimate and

the computation by the middle office

4. Tickler systems

Important dates for a transaction (e.g., settlement,

exercise dates) should be entered into a calendarsystem that automatically generates a message

before the due date.


40/66

Controlsoveramendments: Any amendment tooriginal deal tickets should be subject to the samestrict controls as original trade tickets.

External control methods consist of

1. Conrmations: Trade tickets need to be conrmedwith the counterparty, which provides anindependent check on the transaction.

2. Vericationofprices: To value positions, pricesshould be obtained from external sources. This alsoimplies that an institution should have the capabilityof valuing a transaction in-house before entering it.


41/66

3. Authorization: The counterparty should beprovided with a list of personnel authorized to trade,as well as a list of allowed transactions.

4. Settlement: The payment process itself canindicate if some of the terms of the transaction have

been incorrectly recorded, for instance, as the rstcash payments on a swap are not matched acrosscounterparties.

5.Intern

al/extern

al

audits

:T

hese examinationsprovide useful information on potential weaknessareas in the organizational structure or businessprocess.


42/66

a


43/66

a


44/66

a


45/66

a


46/66

a


47/66

a


48/66

a


49/66

a


50/66

a


51/66

a


52/66

a


53/66

a


54/66

a


55/66

a


56/66

a


57/66

a


58/66


59/66

a


60/66

a


61/66

a


62/66

a


63/66

a


64/66

a


65/66

a


66/66

a

lecture 16 - operational risk management

Documents