operational risks
DESCRIPTION
operational risk modelingTRANSCRIPT
04/13/23 1
OPERATIONAL RISK MANAGEMENT
04/13/23 2
What is Operational Risk?
The risk of loss resulting from inadequate or failed
internal processes, people and systems or from
external events (The Basel II Capital Accord)
FORMERLY any risk but market and credit risks
It is NOT a brand new stuff and it is the risk that affects
all businesses
Operational risk is inherent in carrying out a process/
operational activity.
04/13/23 3
Classification of Operational Risks
Operational risk events are
classified by two factors:
frequency – how often the
event occurs
impact – the amount of the
losses resulting from the
event
High
Frequency
Low
Impact
High
Frequency
High
Impact
Low
Frequency
Low
Impact
Low
Frequency
High
Impact
Fre
qu
ency
Impact
04/13/23 4
Classification of Operational Risks
Generally, operational risk management focuses on only
two of these event types:
Low frequency / high impact (LFHI)
High frequency / low impact (HFLI)
Why?
04/13/23 5
Classification of Operational Risks
High frequency/low impact events are managed to
improve business efficiency. These events tend to be
readily understood and are viewed as ‘the cost of doing
business’.
Examples?
04/13/23 6
Expected loss verses unexpected loss
Expected loss is the loss incurred as a bank conducts its
normal business.
Can be simply defined as the cost of doing business
The only way to totally prevent them is to cease doing
business.
04/13/23 7
Expected loss versus unexpected loss
A bank uses statistical methods to predict its expected
losses.
In short, the firm uses past data and experience to
predict the future.
A simple method of calculating expected loss is to
compute the mean (average) of the actual losses over a
given time and accept this as the likely future level.
04/13/23 8
Expected loss verses unexpected loss
A firm may also attempt to ‘predict’ its unexpected losses
using statistics, much like the way that is used to predict
expected losses.
The problems are the past data may not available and
therefore to calculate unexpected loss a firm uses:
available internal data
external data from other firms
data from operational risk scenarios
04/13/23 9
Operational risk event categories
The simplest way of understanding operational risk in banks is to
categorize it as anything but credit risk or market risk.
However, this is a very broad definition and does not help manage
operational risk.
Generally, operational risk events can be subdivided into:
internal process risk
people risk
systems risk
external risk
legal risk
04/13/23 10
Internal Process Risk
Internal process risk is defined as the risk associated
with the failure of a bank’s processes or procedures.
During a bank’s day-to-day operations, staff follow preset
working practices.
These procedures and policies will include all the
checks, and controls required to ensure that customers
are correctly served and the bank remains within the
laws and regulations by which it is governed
04/13/23 11
Internal Process Risks
Internal process risk events include:
documentation – inadequate, insufficient or wrong
lack of controls
marketing errors
misselling
money laundering
incorrect or insufficient reporting (e.g. regulatory)
transaction error
Reviewing and improving a bank’s internal processes as part of
operational risk management can improve its efficiency. Errors often
occur when a process is complicated, disorganized or easily
circumvented, all of which are also inefficient business practices.
04/13/23 12
Risk Management Process Feedback Loop
1. Identify, assess and prioritize risks
2. Develop strategies to measure risk
3. Design policies and procedures to mitigate risks
4. Implement and assign
responsibility
5. Test effectiveness and evaluate
results
6. Revise policies and procedures
FRAMEWORK• Risk strategy,
tolerance
• Roles and responsibilities
• Policies and procedures
• Risk definition and categorization
FRAMEWORK• Risk strategy,
tolerance
• Roles and responsibilities
• Policies and procedures
• Risk definition and categorization
MEASUREMENT• Estimation of annual
losses – cost of operational failure
• Estimation of VaR – risk capital
• Estimation of scores representing quality of internal controls
MEASUREMENT• Estimation of annual
losses – cost of operational failure
• Estimation of VaR – risk capital
• Estimation of scores representing quality of internal controls
PROCESSES• Loss data collection
• Risk indicator data collection
• Control self-assessment
• Risk assessment and analysis
• Workflow
• Automatic notification
• Follow up action
PROCESSES• Loss data collection
• Risk indicator data collection
• Control self-assessment
• Risk assessment and analysis
• Workflow
• Automatic notification
• Follow up action
REPORTING• Integrated MIS
reporting
• Awareness of exposures
• Knowledge of controls quality
• Cost benefit analysis
• Improved risk mitigation and transfer strategy
REPORTING• Integrated MIS
reporting
• Awareness of exposures
• Knowledge of controls quality
• Cost benefit analysis
• Improved risk mitigation and transfer strategy
There are four fundamental steps to managing operational risk, with each step leading to improvements in management & control quality and greater economic profit
Management & Control Quality
Eco
no
mic
Pro
fit
The universe of operational risks spans causes, events and consequences
Insufficient trainingInsufficient training
CAUSES EVENTS CONSEQUENCES
Lack of managementsupervision
Lack of managementsupervision
Inadequateauditing procedures
Inadequateauditing procedures
Inadequate security measures
Inadequate security measures
Poor HRpolicies
Poor HRpolicies
Poor systemsdesign
Poor systemsdesign
Inadequate segregation of duties
Inadequate segregation of duties
ExternalFraud
ExternalFraud
Employment Practices & Workplace Safety
Employment Practices & Workplace Safety
Clients, Products & Business Practices
Clients, Products & Business Practices
Damage to Physical Assets
Damage to Physical Assets
Business Disruption & System Failures
Business Disruption & System Failures
Execution, Delivery & Process ManagementExecution, Delivery & Process Management
Internal Fraud
Internal Fraud
Regulatory, Compliance & Taxation Penalties
Regulatory, Compliance & Taxation Penalties
RestitutionRestitution
Loss of RecourseLoss of Recourse
ReputationReputation
Business InterruptionBusiness Interruption
EFFECTSMonetary Losses
OTHERIMPACTSForgoneIncome
•
•
•
Write-downWrite-down
Loss or Damage to Assets
Loss or Damage to Assets
Legal LiabilityLegal Liability
Using internal and external loss data can calculate Value at Risk
INDIVIDUALLOSS EVENTS
RISK MATRIX FOR LOSS DATA
VARCALCULATION
TOTAL LOSSDISTRIBUTION
74,712,345
74,603,709
74,457,745
74,345,957
74,344,576
167,245
142,456
123,345
113,342
94,458
•
•
•
LOSS DISTRIBUTIONS
Frequencyof events
Frequencyof events
Severity of loss
Severity of loss
43210
40-50
30-40
20-30
10-20
0-10
INTERNAL
FRAUD EXTERNAL
FRAUD
EMPLOYMENT PRACTICES & WORKPLACE
SAFETY
CLIENTS, PRODUCTS &
BUSINESS PRACTICES
DAMAGE TO PHYSICAL ASSETS
EXECUTION, DELIVERY & PROCESS
MANAGEMENT
BUSINESS DISRUPTION AND
SYSTEM FAILURES TOTAL
Corporate Finance Number 36 3 25 36 33 150 2 315
Mean 35,459 52,056 3,456 56,890 56,734 1,246 89,678 44,215
Standard Deviation 5,694 8,975 3,845 7,890 3,456 245 23,543 6,976
Trading & Sales Number 50 4 35 50 46 210 3 441
Mean 53,189 78,084 5,184 85,335 85,101 1,869 134,517 66,322
Standard Deviation 8,541 13,463 5,768 11,835 5,184 368 35,315 10,464
Retail Banking Number 45 4 32 45 42 189 3 397
Mean 47,870 70,276 4,666 76,802 76,591 1,682 121,065 59,690
Standard Deviation 7,687 12,116 5,191 10,652 4,666 331 31,783 9,417
Commercial Banking Number 41 3 28 41 37 170 2 357
Mean 43,083 63,248 4,199 69,121 68,932 1,514 108,959 53,721
Standard Deviation 6,918 10,905 4,672 9,586 4,199 298 28,605 8,476
Payment & Settlements Number 37 3 26 37 34 153 2 321
Mean 38,774 56,923 3,779 62,209 62,039 1,363 98,063 48,349
Standard Deviation 6,226 9,814 4,205 8,628 3,779 268 25,744 7,628
Agency Services Number 44 4 31 44 40 184 2 386
Mean 46,529 68,308 4,535 74,651 74,446 1,635 117,675 58,018
Standard Deviation 7,472 11,777 5,045 10,353 4,535 321 30,893 9,154
Asset Management Number 40 3 28 40 36 165 2 347
Mean 41,876 61,477 4,081 67,186 67,002 1,472 105,908 52,217
Standard Deviation 6,725 10,599 4,541 9,318 4,081 289 27,804 8,238
Retail Brokerage Number 48 4 33 48 44 198 3 417
Mean 50,252 73,773 4,898 80,623 80,402 1,766 127,090 62,660
Standard Deviation 8069 12719 5449 11182 4898 347 33365 9886
Insurance Number 43 4 30 43 39 179 2 375
Mean 45,226 66,395 4,408 72,561 72,362 1,589 114,381 56,394
Standard Deviation 7,262 11,447 4,904 10,063 4,408 312 30,028 8,897
Total Number 435 36 302 435 399 1,812 24 3,806
Mean 45,653 67,021 4,450 73,245 73,044 1,604 115,459 56,926
Standard Deviation 7,331 11,555 4,950 10,158 4,450 315 30,311 8,981
Annual Aggregate Loss ($)Mean 99th Percentile
VaR Calculator
e.g.,Monte Carlo
Simulation Engine
VaR Calculator
e.g.,Monte Carlo
Simulation Engine
Composite control assessment/indicator scores can be used to modify capital figures
0
Current score
VAR
CONTROL ASSESSMENT/INDICATOR
SCORE
Adjustment for Quality of
Current Control Environment
Adjustment for Quality of
Current Control Environment
CAPITAL
190190100210210
Previous score 50
Linking capital to changes in the quality of internal controls provides an incentive for desired behavioral change
04/13/23 17
What does it tell us?
04/13/23 18
Basel II Approaches on Operational Risk
•Basic Indicator•Standardized
•Advanced Measurement
•OPERATIONAL
•Standardized•Foundation IRB•Advanced IRB
•CREDIT
04/13/23 19
The Basic Indicator Approach
Banks using the Basic Indicator Approach must hold
capital for operational risk equal to the average over the
previous three years of a fixed percentage (denoted
alpha) of positive annual gross income.
Figures for any year in which annual gross income is
negative or zero should be excluded from both the
numerator and denominator when calculating the
average.
04/13/23 20
The charge may be expressed as follows:
04/13/23 21
The Standardized Approach
In the Standardized Approach, banks’ activities are divided into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage.
Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations and thus the likely scale of operational risk exposure within each of these business lines.
The capital charge for each business line is calculated by multiplying gross income by a factor (denoted beta) assigned to that business line.
Beta serves as a proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line.
It should be noted that in the Standardized Approach gross income is measured for each business line, not the whole institution, i.e. in corporate finance, the indicator is the gross income generated in the corporate finance business line
04/13/23 22
Standardized Approach
04/13/23 23
Standardized Approach
04/13/23 24
Mapping Business Lines
?
04/13/23 25
Advanced Measurement Approaches (AMA)
Under the AMA, the regulatory capital requirement will
equal the risk measure generated by the bank’s internal
operational risk measurement system using the
quantitative and qualitative criteria.
Use of the AMA is subject to supervisory approval.
A bank adopting the AMA may, with the approval of its
host supervisors and the support of its home supervisor,
use an allocation mechanism for the purpose of
determining the regulatory capital requirement