A brief history of Operational Risk Management - Lessons Learned?

Dr. Sebastian Fritz-Morgenthal

London, 25th of November 2015

Reply Annual Risk Symposium

London – 25th of November 2015

Lessons learned? A brief history of Operational Risk Management

1 Evolutionary Steps of Operational Risk Management
2 Challenges
3 Lessons Learned?
4 Summary

1 Evolutionary Steps of Operational Risk Management

Step 1: Denial

There is no such thing as Operational Risk

(before the roaring 1980s at Wall Street)

We are in banking and banking is about managing clients, loans and deposits and trades.

We have credit, market and liquidity risk, nothing else!

Step 2: Ignorance

We do not have Operational Risks

(The early 1990s)

Well, mistakes happen, but not in our institution!

Step 3: Zero Tolerance

We do not accept Operational Risks

(before the Millennium)

Whenever we identify one, we close it!

Step 4: Collect

We collect (and classify) Operational Risks

(2000ff – Basel 2 preparation)

We collect events, hence have full transparency about what is going on in our institution.

Step 5: Measure

We use our own (and external) events to measure and simulate operational risk

(Basel 2 AMA in action – 2007 - 08)

Our measurement gives us a precise view of our operational risk profile. Hence, we can actively manage it.

Step 6: Wake up

Apparently, our AMA has not much to do with our true risk profile

(2009ff – Multi Billion OR Losses …)

Our model describes the past and has nothing to do with what is going on in the bank.

You know these three chaps?

Ever heard about the whale of London?

How about this one?

A view on Data Security from an Insurer

September 2015 – Zurich Insurance Group

ICT: Information and Communication Technology

Speech by Mr. Stefan Ingves, Chairman of the Basel Committee and Governor of Sveriges Riksbank, at Unique Lecture at the 2015 Annual Convention of the Asociación de Mercados Financieros, 2 November 2015, Madrid, Spain.

The Committee will publish proposals around the end of the year related to the use of models. In some cases, the proposals will remove internally modelled approaches for some risk categories. One example is operational risk, where most would agree that the benefits of the Advanced Measurement Approaches are not proportionate to the related costs and complexity. In other cases, the proposals will consist of introducing additional constraints to internally modelled approaches. More detail on the Committee's thinking in these areas will come in due course.

http://www.bis.org/speeches/sp151102.htm

From the Vasa to the Basel framework: The dangers of instability

Step 7: The new normal

How can we improve Operational Risk Measurement and Management?

(2015ff)

What does not work?

What do we need instead?

2 Challenges

1. How to manage the risk of human failure?

2. How to deal with the threat to the bank's data and systems?

3. How to overcome the complexity of the bank's operating model?

3 Lessons learned?

What did not work?

2012 ORX Report on Operational Risk Loss Data: average total gross loss of 1.88 € per €100 gross income

Source: Operational Riskdata eXchange Association (ORX), Newspaper

External Fraud

Technology & Infrastructure Failures

Natural Disasters & Public Safety

Employment Practices & Workplace Safety

Clients, Products & Business Practices

Execution, Delivery & Process Mgmt.

Internal Fraud

Human Failure: 88%

Some studies show a relationship between individual risk appetite and behaviour or even the tendency to bend the rules

Example – Similarities between Jérôme Kerviel and Kweku Adoboli

Société Générale (SG): Jérôme Kerviel 2008 | UBS: Kweku Adoboli 2011
Decent degree at secondary university | Decent degree at secondary university
Straight to SG after university | Straight to UBS after university
Former trade support/control; knowledge of back office processes and controls | Former trade support/control; knowledge of back office processes and controls
No possibility of personal gain except bonus | No possibility of personal gain except bonus
SG describes him as single person acting on his own | UBS describes him as single person acting on his own
Supposed to be client facilitation | Supposed to be client facilitation
Aged 31 when arrested | Aged 31 when arrested

Key Risk Indicators

Lifestyle (Gambling and Debt)
Personal Account Dealing
Tracking of Mandatory Time Away / Adherence to Holiday Policy
Tracking of unusual office hours
Chat protocols / Emails / Bloomberg Messenger / Social Media
Password misuse
Unauthorized use / access of profiles
Code of Conduct Breaches

However, risk management functions usually do not include the actions of their employees

[Diagram: Operational Risk Management Framework. Elements: Identification, Assessment, Treatment, Monitoring, Risk Reporting; Culture and Awareness; Policies, Strategy & Procedures; Governance and Organization. Further labels: Operational Risk Management, Human Failure, Team, Individual, Profiling.]

Include individual behaviour as well as interaction within and between teams

Potential Risks and propensities can be extracted from individual and team assessments

[Figure (ILLUSTRATIVE). Panel titles: Control Dimension; Orientation Dimension; Potential Risks of Individuals; Potential Risks of Teams. Control Dimension labels: Controlled, Performance Driven, Cautious, Impulsive. Grid axes: Orientation (Low / Medium / High) and Behavior (Low / Medium / High). Grid cells: Introvert Activated, Activated, Extrovert Activated; Introvert, Balanced, Extrovert; Introvert Inhibited, Inhibited, Extrovert Inhibited. Plotted markers: A to H and W to Z. Legend: Potential Risk.]

Potential risks named in the figure:

Late decision taking
No decision taken
Hasty decision taking
Decision based on own advantage
Missing collaboration
Problem announcement was too late

Massive data growth rates are potentially overwhelming risk management capabilities

Key Questions

Treasure of internal data secure?
How to measure legal risk?
What controls are in place to prevent fraud?
Do we adapt too slowly to market trends? Or too quickly? Can business processes adapt fast enough to market changes?

Do you know your data?

[Diagram labels: External Data, Regulatory Requirements, New Market Trends, Internal Data; Risk of data theft, Reputational Risk, Business Model Risk, Risk of Fraud]

To Do List on Cybersecurity

1. Push accountability for cyber risks, starting with board-level cyber risk management. Cyber risks could bankrupt companies, so companies must include a broad view of global aggregations of cyber risk in their risk registers, hold executives accountable, and move away from a checklist/audit perspective.

2. Get insured. With cyber insurance, companies can transfer cyber risks, especially for third party risks associated with data breaches or business interruption.

3. Extend the horizon of risk management to counterparties, contract and outsourced partners, and upstream infrastructure. For example, one financial institution reviewed every contract and outsourcing agreement, rating the criticality of each, and auditing those on which they had the most exposure.

Source: http://knowledge.zurich.com/cyber-risk/overcome-by-cyber-risks/

Process mapping shows process and control issues

ILLUSTRATIVE BANKING EXAMPLE

[Process map. Process stages: Trade Capture, Trade Validation, Processing, Confirmation, Dunning, Fixing, Fixing confirmation, Payments, Reconciliation, Trade Event Monitoring, Final maturity. Legend: Auxiliary systems, Manual step, Automated step, Process issues.]

Process issues

Suboptimal allocation of collateral
Common cross-functional errors in legal document management
Confirmation is in wrong currency
Hedging does not comply with T/Cs
Confirmation does not comply with T/Cs
No counterparty hierarchy or single identifier could result in inadequate RWA calculation

1 Share Price Development in Appendix; 2 Total net interest and trading income of 6.847 bn CHF in 2010 (before event) and 4.872 bn CHF in 2012 (UBS Annual Report 2012)

4 Summary (I/II)

Steps | Approach | Description
1 | Denial | There is no such thing as Operational Risk
2 | Ignorance | We do not have Operational Risks
3 | Zero Tolerance | We do not accept Operational Risks
4 | Collect | We collect (and classify) Operational Risks
5 | Measure | We use our own (and external) events to measure and simulate operational risk
6 | Wake up | Apparently, our AMA has not much to do with our true risk profile
7 | The new normal? | How can we improve Operational Risk Measurement and Management?

4 Summary (II/II)

Use and care for your internal OR model

But also do the following:

1. Implement clear process mapping AND Three Lines of Defense

2. Manage your data and systems as if they were your crown jewels

3. Have a clear view on the risk of human failure AND try to manage it
