lecture 16 - operational risk management
TRANSCRIPT
-
8/7/2019 Lecture 16 - Operational Risk Management
Lecture 16: Operational Risk Management
-
A growing desire has emerged to organize the components of operational risk into what Hubner et al. (2003) call a coherent structural framework.
-
Haubenstock (2003) identifies the components of the operational risk framework as:
(i) strategy,
(ii) process,
(iii) infrastructure, and
(iv) the environment
-
Strategy:
development of a risk management strategy;
development of risk management culture;
definition of management roles and responsibilities;
ensuring that an appropriate management and control structure is in place
-
The risk management framework: Process
The process involves the day-to-day activities required to understand and manage operational risk, given the chosen strategy.
The process consists of
(i) risk and control identification,
(ii) risk measurement and monitoring,
(iii) risk control/mitigation, and
(iv) process assessment and evaluation.
-
Process: Risk and control identification
Risk identification starts with the definition of operational risk to provide a broad context for potential threats.
The best way to identify risk is to talk to people who live with it on a daily basis.
The degree of risk is typically defined as frequency and severity, rated either qualitatively or quantitatively.
Mestchian (2003) suggests a decomposition of operational risk into process, people risk, technology, and external risk.
These risks can then be identified as low, medium, or high in different business activities, as in the table on the next slide, or by frequency or severity, as in Figure 2 on the slide after that.
-
Risk identification
-
Risk assessment of activities
-
ORF: Process - Identification
Risk identification should also include monitoring of the external environment and industry trends, as new risks emerge continuously.
(ii) Control identification
The identification of controls is part of the identification process, as it complements the identification of risk.
Controls include:
management oversight,
information processing,
activity monitoring,
automation,
process controls,
-
segregation of duties,
performance indicators,
and policy and procedures
The control framework defines the appropriate approach to controlling each identified risk.
(iii) Risk mitigators
Risk mitigators include
training,
insurance programs,
diversification and
outsourcing
-
Insurance, which is a means of risk control/mitigation, is typically applied against the large exposures where a loss would cause a charge to earnings greater than that acceptable in the risk appetite.
For the purpose of risk identification, the Federal Reserve System (1997) advocates a three-fold risk-rating scheme that includes (i) inherent risk, (ii) risk controls, and (iii) composite risk.
Inherent risk (or gross risk) is the level of risk without consideration of risk controls, residing at the business unit level.
-
For example, when weak risk management is applied to low inherent risk, the resulting risk is low/moderate composite risk.
On the other extreme, when strong risk management is applied to high inherent risk, the composite risk will be moderate/high.
An illustration is given in the figure on the next slide.
-
The FRS's classification of inherent and composite risks
-
(iv) Risk measurement
As risks and controls are identified, risk measurement provides insight into the magnitude of exposure, how well controls are operating and whether exposures are changing and consequently require attention.
The borderline between identification and measurement is not clear; however, Haubenstock (2003) identifies the following items as relevant to the measurement of operational risk:
a. Risk drivers, which are measures that drive the inherent risk profile and changes in which indicate changes in the risk profile.
-
These include transaction volumes, staff levels, customer satisfaction, market volatility, the level of automation.
b. Risk indicators, which are a broad category of measures used to monitor the activities and status of the control environment of a particular business area for a given risk category.
The difference between drivers and indicators is that the former are ex ante whereas the latter are ex post.
Examples of risk indicators are profit and loss breaks, failed trades and settlements and systems reliability.
-
c. The loss history, which is important for three reasons: (i) loss data are needed to create or enhance awareness at multiple levels of the firm; (ii) they can be used for empirical analysis; and (iii) they form the basis for the quantification of operational risk capital.
d. Causal models, which provide the quantitative framework for predicting potential losses.
These models take the history of risk drivers, risk indicators and loss events and develop the associated multivariate distributions.
The models can determine which factor(s) have the highest association with losses.
-
e. Capital models, which are used to estimate regulatory capital as envisaged by Basel II.
f. Performance measures, which include the coverage of the self-assessment process, issues resolved on time, and percentage of issues discovered as a result of the self-assessment process.
(v) Reporting
Reporting is an important element of measurement and monitoring.
-
A key objective of reporting is to communicate the overall profile of operational risk across all business lines and types of risk.
There are two alternative ways of reporting to a central database, as shown in the figure.
One way is indirect reporting, where there is a hierarchy in the reporting process, which can be arranged on a geographical basis.
Otherwise, direct reporting is possible, where every unit reports directly to a central database.
-
Reporting methods:
Checklists are probably the most common approach to self-assessment.
Structured questionnaires are distributed to business areas to help them identify their level of risk and related controls.
The response would indicate the degree to which a given risk affects their areas.
It would also give some indication of the frequency and severity of the risk and the level of risk control that is already in place.
The narrative approach is also used to ask business areas to define their own objectives and the resulting risks.
-
The workshop approach skips the paperwork and gets people to talk about their risks, controls, and the required improvements.
Lam (2003b) identifies two schools of thought with regard to quantitative and qualitative measures of risks:
(i) the one believing that what cannot be measured cannot be managed, hence the focus should be on quantitative tools, and
(ii) the other, which does not accept the proposition that operational risk can be quantified effectively, hence the focus should be on qualitative approaches.
-
Lam (2003b) warns of the pitfalls of using one approach rather than the other, stipulating that best-practice operational risk management incorporates elements of both.
(vi) Risk control/mitigation
When risk has been identified and measured, there are a number of choices in terms of the actions that need to be taken to control or mitigate risk.
These include (i) risk avoidance, (ii) risk reduction, (iii) risk transfer, and (iv) risk assumption (risk taking).
-
Risk avoidance can be quite difficult and may raise questions about the viability of the business in terms of the risk-return relation.
A better alternative is risk reduction, which typically takes the form of risk control efforts, as it may involve tactics ranging from business re-engineering to staff training as well as various less extensive staff and/or technical solutions.
Cost-benefit analysis may be used to assist in structuring decisions and to prevent the business from being controlled out of profit.
-
People issues
the relevant type and calibre of people are available;
there are adequate levels of training and development of the staff;
the staff have the skill levels that are appropriate to the tasks assigned to them
-
Technology issues
adequate systems to support the various product lines;
systems are available for management information and reporting;
there is communication infrastructure to support the operation;
data warehouses that allow integration and consolidation of information and data across the organization;
-
tools and systems available for managing market risk across the organization;
enterprise-wide credit monitoring and credit risk management systems.
-
Themes in risk management framework
There are four fundamental themes that are critical for establishing and maintaining a comprehensive and effective risk management framework.
1. The ultimate responsibility for risk management must be with the board of directors. They need to ensure that organization structure, culture, people and systems are conducive to effective risk management. The requirements for risk management must be defined and established by those charged with overall responsibility for running the business.
-
2. The board and executive management must recognize a wide variety of risk types, and ensure that the control framework adequately covers all of these. As well as including market and credit risks, it should include operations, legal, reputation and human resources risks, which do not readily lend themselves to measurement.
-
3. The support and control functions, such as the back and middle offices, internal audit, compliance, legal, IT and human resources, need to be an integral part of the overall risk management framework.
4. Risk management objectives and policies must be a key driver of the overall business strategy, and must be implemented through supporting operational procedures and controls.
-
Operational risk can be minimized in a number of ways:
Internal control methods consist of
1. Separation of functions
Individuals responsible for committing transactions should not perform clearance and accounting functions.
2. Dual entries
Entries (inputs) should be matched from two different sources, that is, the trade ticket and the confirmation by the back office.
-
3. Reconciliations
Results (outputs) should be matched from different sources, for instance the trader's profit estimate and the computation by the middle office.
4. Tickler systems
Important dates for a transaction (e.g., settlement, exercise dates) should be entered into a calendar system that automatically generates a message before the due date.
-
Controls over amendments: Any amendment to original deal tickets should be subject to the same strict controls as original trade tickets.
External control methods consist of
1. Confirmations: Trade tickets need to be confirmed with the counterparty, which provides an independent check on the transaction.
2. Verification of prices: To value positions, prices should be obtained from external sources. This also implies that an institution should have the capability of valuing a transaction in-house before entering it.
-
3. Authorization: The counterparty should be provided with a list of personnel authorized to trade, as well as a list of allowed transactions.
4. Settlement: The payment process itself can indicate if some of the terms of the transaction have been incorrectly recorded, for instance, as the first cash payments on a swap are not matched across counterparties.
5. Internal/external audits: These examinations provide useful information on potential weakness areas in the organizational structure or business process.