RISK MANAGEMENT
• BUSINESS IS INHERENTLY RISKY
• RISKS CANNOT BE AVOIDED COMPLETELY
• RISKS DEFY CONVENTIONAL THINKING
• IMPORTANCE OF RISKS CHANGES WITH TIME
Operational Risk: The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
Credit Risk: The risk that a borrower may not be able to repay a loan.
Market Risk: The risk of loss arising from the fluctuating prices of investments as they are traded in the global markets.
Operational Risk
• Historically, operational risk has taken a back seat to market and credit risk:
– it is not easy to quantify
– it means different things to different people
– in trading you are paid to assume market and credit risk, but not operational risk
• However, operational risk can be large when not effectively measured or controlled
Operational Risk
• Reserve Bank of India Definition: Any risk which is not categorized as market or credit risk, or the risk of loss arising from various types of human or technical error. It is also synonymous with settlement or payments risk and business interruption, administrative and legal risks. Operational risk has some form of link between credit and market risks.
What is operational risk?
• Basel definition: “The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events (including legal risk but excluding strategic and reputational risk)”
• Legal Risk – the risk of loss (including litigation costs, settlements and regulatory fines) resulting from the failure of the bank to comply with laws, regulations, prudent ethical standards and contractual obligations in any aspect of the bank’s business.
• Generally excludes losses related to credit (outside of the defined boundaries)
• Excludes opportunity costs
Definition – contd
Examples of operational risks in a retail branch (illustrative)
– Internal processes: KYC guidelines not observed, resulting in fraud
– People related: lack of job knowledge, task misperformance, accounting error, delivery failure etc.
– Systems related: system failure, ATM outages etc.
– External events: natural disasters resulting in disruption of operations
• Key Point: Each Bank’s definition for internal management purposes should reflect its unique risk characteristics, including its size and sophistication and the complexity and nature of its products and activities
Compliance / Legal Risk
Compliance/Legal risk includes, but is not limited to, exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as private settlements. Legal/compliance risk arises from an institution’s failure to enact appropriate policies, procedures, or controls to ensure it conforms to laws, regulations, contractual arrangements, and other legally binding agreements and requirements.
Documentation Risk
The unpredictability and uncertainty arising out of improper or insufficient documentation which gives rise to ambiguity regarding the characteristics of the financial contract is referred to as documentation risk.
Types of Operational Risks
• People risk
– Incompetence
– Fraud
• Process risk
– Transaction risk
– Execution error
– Product complexity
– Settlement error
– Documentation / contract risk
• Operational control risk
– Exceeding limits
– Security risks
– Volume risk
• Technology risk
– System risk
– Programming error
– Information risk
– Telecommunication error
• Risk from External Environment
Operational Risk
Your perception in the back-home situation:
– Branches
– Controllers
– Compliance Risk (risk of legal or regulatory compliance)
HOW TO CONTROL/MITIGATE
Features of Operational Risk
• Pervasive: embedded and inherent in internal processes, activities, people and systems across the entire Bank
• Measurement is a challenge: cannot be quantified / measured in the same manner as credit or market risk; quantifying individual events (e.g. system downtime, business disruption) is a challenge, and so is the approach to be adopted for quantifying the overall capital charge
• Dynamic: with continuous changes in the Bank’s operations, processes, technology and external environment, the nature of operational risk undergoes changes all the time
• Ownership – a challenge: being pervasive in nature, who should own its management poses a challenge
Operational Risk has different qualities from other risks
• People – leniency, temptation
• Multiplier effect – multiple control breakdowns can lead to exponential growth of potential loss
Multiplier effect – Barings 1995:
– No independent oversight, no local risk manager
– No segregation of duties between front and back office
– Systems unable to handle trade flow and trading errors
– Sizable and repeated HQ cash transfers for ‘client’ margin loans without credit approval
– Lack of HQ understanding of the business (i.e. huge ‘profits’ in index arbitrage & brokerage)
– Audit report warnings ignored
Structure of the Basel Accord
The New Basel Capital Accord consists of three mutually reinforcing pillars. All three pillars need to be applied by banks.
Pillar 1 – Minimum Capital Requirements: establishes minimum standards for management of capital on a more risk-sensitive basis and specifically addresses:
• Credit risk
• Operational risk
• Market risk
Pillar 2 – Supervisory Review Process: increases the responsibilities and levels of discretion for supervisory reviews and controls covering:
• Processes for capital and risk profile management
• Capital adequacy
• Level of capital charge
• Proactive monitoring of capital levels and ensuring remedial action
Pillar 3 – Market Discipline: expands the content and improves the transparency of financial disclosures to the market, with disclosure of:
• Description of risk management approaches
• Levels of capital
• Analysis of risk exposures and capital by businesses / segments
Risk Management – Needed due to pervasive scope of risk
The pervasive scope of risk points to the need for a bank-wide, comprehensive risk management strategy, supporting structure, monitoring and control, and measurement processes which encompass all key elements of risk.
Risk and Control Culture
Credit Risk
• Corporate
• Consumer
• Counterparty
• Sovereign
• Model
• Insurance
Operational Risk
• Internal fraud
• External fraud
• Employment practices and workplace safety
• Clients, products & business practices
• Damage to physical assets
• Business disruption & system failure
• Execution, delivery & process management
Market Risk
• Underwriting
• Liquidity
• Market price
• Trading and ALM
• Model
Reputational Risk and Business Strategy Risk are both specifically excluded by Basel
Basel II Menu – Approaches to minimum capital requirement
Basel II provides banks with a menu of approaches for quantifying the different types of risk under Pillar 1:
• Credit Risk
– Standardised Approach (a modified version of the existing Basel I approach)
– Foundation Internal Ratings Based Approach
– Advanced Internal Ratings Based Approach
• Market Risk (unchanged from Basel I)
– Standardised Approach
– Internal Models Approach
• Operational Risk
– Basic Indicator Approach
– Standardised Approach
– Advanced Measurement Approaches
Capital Allocation for Operational Risk
- Basic Indicator Approach – Banks must hold capital equal to 15% of average of previous 3 years annual gross income.
- Standardised Approach - Bank’s activities are decomposed into a number of standard business lines. Capital charge standardised by supervisor; gross income of each business line multiplied by prescribed ‘beta’ factor for that business line.
- Advanced Measurement Approach - Meant for Banks meeting rigorous standards and subject to Supervisory Approval.
Basic Indicator Approach
• Capital Charge = 15% of average gross annual income (positive income) of the previous 3 years
• Basel Committee defines Gross Income as: net interest income + net non-interest income
– gross of any provisions (e.g. for unpaid interest)
– gross of operating expenses (including fees paid to outsourcing service providers)
– excluding realised profits/losses from sale of securities in the banking book
– excluding extraordinary or irregular income such as income from insurance claims
Operational Risk Capital: Basic Indicator Approach
K_BIA = GI × α, where:
K_BIA = capital charge under the Basic Indicator Approach
GI = average annual gross income over the last 3 years
α = 15%
Gross income = net interest income + net non-interest income as laid down by supervisors / national accounting standards:
1. gross of any provisions
2. exclude realised profits/losses from sale of securities in the banking book (HTM and AFS)
3. exclude extraordinary / irregular items / insurance income
The Standardised Approach
• Bank’s gross income mapped to the 8 business lines defined by Basel
• Capital charge for each business line calculated by multiplying an indicator by a factor assigned to that business line
– Indicator: annual gross income (as described in BIA)
– Factor: beta (β) established by the BCBS
• Total capital charge is based on the 3-year average of the simple summation of the regulatory capital charges across each of the business lines in each year
The Standardised Approach (TSA)
• More refined than the Basic Indicator Approach
• Gross income for each business line, not the whole institution
• Gross income for a business line: same definition as in the Basic Indicator Approach
• Capital charge: multiply gross income by a factor (beta) assigned to that business line
• Total capital charge: K_TSA = {Σ_(years 1–3) max[Σ(GI_(1–8) × β_(1–8)), 0]} / 3, where:
K_TSA = capital charge under The Standardised Approach
GI_(1–8) = gross income of each of the 8 business lines
β_(1–8) = multiplication factor for each business line
Standardised Approach
Business Line            Beta factor (β)
Corporate Finance        18%
Trading & Sales          18%
Retail Banking           12%
Commercial Banking       15%
Payments & Settlements   18%
Agency Services          15%
Asset Management         12%
Retail Brokerage         12%
Operational Risk Capital: The Standardised Approach (TSA) – an example
Business Line            Average gross income of 3 years (Rupees in crores)   Beta factor (β)   Capital charge
Corporate Finance        200    18%   36
Trading & Sales          100    18%   18
Retail Banking           200    12%   24
Commercial Banking       200    15%   30
Payments & Settlements   200    18%   36
Agency Services          100    15%   15
Asset Management         100    12%   12
Retail Brokerage         100    12%   12
Total                    1200         183
OR Capital: BIA vs TSA
• Under TSA, the capital computation is a function of the nature of the bank’s business composition. E.g. banks where the Treasury & Commercial segments are the major contributors will have to allocate higher capital (Commercial – 15%, Trading & Sales – 18%) as against banks that are active in the retail segment, where the beta factor is 12%
• Thus TSA presents a more realistic capital computation approach compared to BIA, as it is a function of business mix.
• Income is still the proxy for risk, and therefore neither TSA nor BIA provides the Bank with any incentive for improved risk management
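A worked computation of K_BIA and K_TSA on the figures above, added here and not part of the original slides: the beta table and the 15% alpha are the deck’s, while the three-year gross-income histories and the retail-heavy / trading-heavy comparison banks are constructed assumptions. It also exercises the two edge rules the formulas carry, the positive-income-only average under BIA and the zero floor on each year’s TSA charge.

```python
"""Basel II operational-risk capital: Basic Indicator Approach (BIA) versus
The Standardised Approach (TSA), worked on the deck's illustrative figures.
Added example. The 15% alpha and the beta table come from the slides; the
three-year gross-income histories are constructed."""
from typing import Dict, List

ALPHA = 0.15  # BIA multiplier

# Beta factor per Basel II Level-1 business line (deck's table).
BETA: Dict[str, float] = {
    "Corporate Finance": 0.18,
    "Trading & Sales": 0.18,
    "Retail Banking": 0.12,
    "Commercial Banking": 0.15,
    "Payments & Settlements": 0.18,
    "Agency Services": 0.15,
    "Asset Management": 0.12,
    "Retail Brokerage": 0.12,
}


def k_bia(gross_income_by_year: List[float], alpha: float = ALPHA) -> float:
    """K_BIA = alpha x average annual gross income of the previous 3 years.
    Only years with positive gross income count, in both the sum and the
    divisor: a loss-making year is dropped, not netted against the others."""
    if len(gross_income_by_year) != 3:
        raise ValueError("BIA uses exactly three years of gross income")
    positive = [gi for gi in gross_income_by_year if gi > 0]
    return alpha * sum(positive) / len(positive) if positive else 0.0


def k_tsa(gi_by_year: List[Dict[str, float]], beta: Dict[str, float] = BETA) -> float:
    """K_TSA = { sum over years 1-3 of max[ sum over lines (GI x beta), 0 ] } / 3.
    Within a year a negative line may offset positive ones, but each year's
    aggregate charge is floored at zero before the three-year average."""
    if len(gi_by_year) != 3:
        raise ValueError("TSA uses exactly three years of gross income")
    yearly_charges = []
    for year in gi_by_year:
        unmapped = set(year) - set(beta)
        if unmapped:  # every rupee of income must sit in one of the 8 lines
            raise ValueError(f"unmapped business lines: {sorted(unmapped)}")
        charge = sum(gi * beta[line] for line, gi in year.items())
        yearly_charges.append(max(charge, 0.0))
    return sum(yearly_charges) / 3


def compare(gi_by_year: List[Dict[str, float]]) -> Dict[str, float]:
    """BIA and TSA charges for the same history: the bank-wide income proxy
    against the line-by-line one, as on the deck's BIA vs TSA slide."""
    totals = [sum(year.values()) for year in gi_by_year]
    return {"bia": k_bia(totals), "tsa": k_tsa(gi_by_year)}


# Constructed histories (Rupees in crores). DECK_YEARS repeats the deck's
# 3-year averages in each year, so its TSA charge reproduces the slide total.
DECK_YEARS = [{
    "Corporate Finance": 200, "Trading & Sales": 100, "Retail Banking": 200,
    "Commercial Banking": 200, "Payments & Settlements": 200,
    "Agency Services": 100, "Asset Management": 100, "Retail Brokerage": 100,
}] * 3
# The same 1200 of income earned wholly in retail (beta 12%) or wholly in
# trading (beta 18%): the business-mix effect the deck describes.
RETAIL_HEAVY = [{"Retail Banking": 1200}] * 3
TRADING_HEAVY = [{"Trading & Sales": 1200}] * 3

if __name__ == "__main__":
    for label, history in [("deck example", DECK_YEARS),
                           ("retail-heavy", RETAIL_HEAVY),
                           ("trading-heavy", TRADING_HEAVY)]:
        print(f"{label:<14} {compare(history)}")
```

For the deck’s mix TSA (183) lands slightly above BIA (180); the retail-only and trading-only banks show the spread (144 against 216) for an identical income total.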
Advanced Measurement Approach
Definition: Under the Advanced Measurement Approach, the regulatory capital will equal the risk capital measured by the Bank’s internal operational risk measurement system using Bank-specific statistical models
• Banks under this approach are allowed to develop their own empirical model to quantify required capital for Op risk based upon the 4 data elements
• Banks have flexibility in the specific methods used for incorporating the elements in the models
Advanced Measurement Approach
• Under this approach, the regulatory capital requirement for Operational Risk will be calculated on the basis of the risk measure generated by the bank’s internal operational risk measurement system using quantitative & qualitative criteria – subject to supervisory approval
Advanced Measurement Approach
• 1st step in AMA is Operational Risk Profiling:
– Identification & quantification of ORs in terms of their components
– Prioritization of ORs and identification of risk concentrations
– Formulation of the bank’s strategy for OR management & risk-based audit
• Estimated level of Operational Risk depends on:
– estimated probability of occurrence
– estimated potential financial impact
– estimated impact of internal controls
(problem: absence of reliable historical data; need to extract loss data in various business lines and strengthen MIS)
Advanced Measurement Approach
• RCSA (Risk and Control Self Assessment)
• KRI (Key Risk Indicator)
• Loss Data Entry
Business Lines & Loss Events
• Basel II & RBI have identified 8 Business Lines and 7 Risk Event Categories
EVENT TYPES:
• INTERNAL FRAUD
• EXTERNAL FRAUD
• EMPLOYMENT PRACTICES AND WORKPLACE SAFETY
• CLIENTS, PRODUCTS & BUSINESS PRACTICES
• DAMAGE TO PHYSICAL ASSETS
• BUSINESS DISRUPTION AND SYSTEM FAILURES
• EXECUTION, DELIVERY & PROCESS MANAGEMENT
BUSINESS LINES:
• CORPORATE FINANCE
• TRADING AND SALES
• RETAIL BANKING
• COMMERCIAL BANKING
• PAYMENT AND SETTLEMENT
• AGENCY SERVICES
• ASSET MANAGEMENT
• RETAIL BROKERAGE
Mapping of Business Lines
• Internal historical loss data to be mapped onto Level-1 business lines
Level 1: Corporate Finance
  Level 2: Corporate Finance, Government Finance, Merchant Banking, Advisory Services
  Activity group: M&A, Underwriting, Securitisation, Syndication
Level 1: Trading & Sales
  Level 2: Sales, Market Making, Treasury
  Activity group: Foreign Exchange, Repos, Brokerage, Income from Cross Selling
Level 1: Retail Banking
  Level 2: Retail Banking, Card Services
  Activity group: Private Lending & deposits, other banking services
Level 1: Commercial Banking
  Level 2: Commercial Banking
  Activity group: Gross Income
Level 1: Payment & Settlement
  Level 2: External Clients
  Activity group: Payments and Collections, Funds Transfer, Clearing & Settlement
Level 1: Agency Services
  Level 2: Custody
  Activity group: Depository, Securities Lending, Corporate Actions, Corporate Agency
Level 1: Retail Brokerage
  Level 2: Retail Brokerage
  Activity group: Execution Services
Level 1: Asset Management
  Level 2: Discretionary Fund Management, Non-discretionary Fund Management
  Activity group: Institutional, Retail
Detailed Loss Event Type Classification
Event Type Category (Level 1): Definition
  Categories (Level 2): Activity Examples (Level 3)
Internal Fraud: losses due to acts of a type intended to defraud or circumvent regulations, which involve at least one internal party
  Unauthorized Activity: transactions not reported (intentional); sanctioning unauthorised activities
  Theft & Fraud: fraud / credit fraud / theft / embezzlement / robbery; misappropriation of assets; forgery; impersonation; tax non-compliance / evasion of tax; bribes / kickbacks
External Fraud: losses due to acts of a type intended to defraud or circumvent rules, by a third party
  Theft & Fraud: theft / robbery; forgery
  System Security: hacking; theft of information
Employment Practices & Workplace Safety: losses arising from acts inconsistent with employment, health or safety laws, from payment of personal injury claims, or from discrimination events
  Employee Relations: compensation, termination issues, organized labour activity
  Safe Environment: general liability, employee health, workers’ compensation
  Diversity & Discrimination: all discrimination types
Damage to Physical Assets: losses arising from loss or damage to physical assets from natural disaster or other events
  Disaster & Other Events: natural disaster losses; human losses from external sources (terrorism etc.)
Business Disruption and System Failures: losses arising from disruption of business or system failures
  Systems: hardware; software; telecommunications; utility outage
Clients, Products & Business Practices: losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients, or from the nature or design of a product
  Suitability, Disclosure & Fiduciary: fiduciary breaches / guideline violations; suitability (KYC); breach of privacy; aggressive sale; account churning; misuse of confidential information; lender liability
  Improper Business or Market Practices: improper trade / market practices; market manipulation; insider trading; unlicensed activity; money laundering
  Product Flaws: product defects; model errors
  Selection, Sponsorship & Exposures: failure to investigate client per guidelines; exceeding client exposure limits
  Advisory Activities: disputes over performance of advisory services
Execution, Delivery & Process Management: losses from failed transaction processing or process management, or from relations with trade counterparties and vendors
  Transaction Capture, Execution & Maintenance: miscommunication; data entry, maintenance or loading error; missed deadline or responsibility; accounting error / entity attribution error; delivery failure; collateral management failure; reference data maintenance
  Monitoring & Reporting: failed mandatory reporting obligation; inaccurate external reports
  Customer Intake & Documentation: client permissions / disclaimers missing; legal documents missing / incomplete
  Customer Account Management: unapproved access given to accounts; incorrect customer records; negligent loss or damage
  Vendors & Suppliers: outsourcing; vendor disputes
AMA: Data Elements
A bank’s internal measurement system must reasonably estimate unexpected losses based on the combined use of:
• Internal Loss Data
• External Loss Data
• Scenario Analysis
• Business Environment & Internal Control Factors (BEICF)
Loss Events Database – OR Redefined
• Creation of a Loss Events Database requires clarity on definition:
• Example: a loan goes bad. Clearly credit risk. But it is found that the faulty documentation is not enforceable. Now clearly operational risk.
• Example: a dealer runs a position resulting in loss due to market movements. Clearly market risk. But it is found that the dealer exceeded permitted limits. Now clearly operational risk.
Internal Loss Data
Definition:
“Any data on exposures held in a bank’s existing or historical portfolios, including data elements or information provided by third parties regarding such exposures.” e.g. Penalties, Compensation paid etc.
Internal Loss Data
• Platform & systematic process for comprehensive data collection of operational losses
• Operational losses must be mapped to the 7 event types and 8 business lines
• Threshold for data collection: banks to demonstrate that no important loss data is excluded
• Internal loss data is used as direct input to the Op Risk capital model, and also as input to scenario analysis & BEICF (Business Environment & Internal Control Factors)
• Issues related to the collection of loss data from branches
External Loss Data
• Bank’s operational risk measurement system must use relevant external operational loss data (either public data and / or pooled industry data)
• Obtained from data consortia, vendors, newspapers, court records, insurance companies, etc.
• Multiple uses: i) management reports, ii) direct input into the capital model, iii) supplement to internal loss data for low-frequency, high-severity events (tail events)
External Loss Data
Definition: “External data refers to information on exposures held outside of the bank’s portfolio or aggregate information across an industry.”
Along with scenario analysis, it helps in capturing data for tail events (high severity, low frequency)
Loss Data – Near Misses
"Near Misses" are operational risk events where no loss has actually been incurred by the Bank. Examples are attempted frauds, failed controls, potential system failure etc.
It can also be explained as an operational risk event which results in no financial impact by chance, or following action taken by a counterparty or a third party. The fact that there is no financial impact is neither due to the efficiency of controls nor to a specific internal action.
Live example: in a branch, there was an attempt to encash a fake dividend warrant for an amount of Rs 100000.00, which was prevented by vigilant staff.
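An added example (not from the deck) that puts three of the loss-data points above together: mapping an entry onto the 8 business lines and 7 event types, the credit/market boundary rules from the “OR Redefined” slide, and recording a near miss that would otherwise fall under the collection threshold. The threshold value, the event-tagging fields and the sample events are constructed assumptions.

```python
"""Loss-event database entry for the Basel II grid of 8 business lines x 7
event types, applying the deck's boundary rules (a credit or market loss
caused by an operational failure is operational risk) and keeping near misses
that fall under the collection threshold. Added example; constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BUSINESS_LINES = {"Corporate Finance", "Trading and Sales", "Retail Banking",
                  "Commercial Banking", "Payment and Settlement",
                  "Agency Services", "Asset Management", "Retail Brokerage"}
EVENT_TYPES = {"Internal Fraud", "External Fraud",
               "Employment Practices and Workplace Safety",
               "Clients, Products & Business Practices", "Damage to Physical Assets",
               "Business Disruption and System Failures",
               "Execution, Delivery & Process Management"}
COLLECTION_THRESHOLD = 10_000.0  # assumed figure in Rupees, not from the deck


@dataclass(frozen=True)
class LossEvent:
    business_line: str
    event_type: str
    gross_loss: float                        # 0 for a near miss
    first_tagged_as: str = "operational"     # "credit", "market" or "operational"
    operational_cause: Optional[str] = None  # failure found behind a credit/market loss
    near_miss: bool = False


def classify(ev: LossEvent, threshold: float = COLLECTION_THRESHOLD) -> Tuple[bool, str, List[str]]:
    """Return (record it?, risk category, reasons); reasons keep the decision auditable."""
    reasons: List[str] = []
    if ev.business_line not in BUSINESS_LINES:
        reasons.append(f"unknown Level-1 business line: {ev.business_line!r}")
    if ev.event_type not in EVENT_TYPES:
        reasons.append(f"unknown event type: {ev.event_type!r}")
    if reasons:
        return False, "rejected", reasons

    # Boundary rule from the deck: a credit or market loss becomes an
    # operational loss once an operational failure is found behind it.
    category = ev.first_tagged_as
    if category in ("credit", "market"):
        if not ev.operational_cause:
            return False, category, [f"{category} loss outside the operational boundary"]
        reasons.append(f"reclassified from {category} risk: {ev.operational_cause}")
        category = "operational"

    # A near miss carries no loss, so it would fail the threshold: record it anyway.
    if ev.near_miss:
        return True, category, reasons + ["near miss: recorded with zero loss"]
    if ev.gross_loss < threshold:
        return False, category, reasons + [f"below collection threshold {threshold:.0f}"]
    return True, category, reasons


def loss_grid(events: List[LossEvent]) -> Dict[Tuple[str, str], float]:
    """Sum recorded gross losses per (business line, event type) cell of the 8x7 grid."""
    grid: Dict[Tuple[str, str], float] = {}
    for ev in events:
        recorded, _, _ = classify(ev)
        if recorded:
            key = (ev.business_line, ev.event_type)
            grid[key] = grid.get(key, 0.0) + ev.gross_loss
    return grid


# Constructed sample events, following the deck's own illustrations.
SAMPLE_EVENTS = [
    # A loan goes bad and the faulty documentation proves unenforceable.
    LossEvent("Retail Banking", "Execution, Delivery & Process Management", 500_000,
              first_tagged_as="credit", operational_cause="documentation not enforceable"),
    # A dealer loses on market movements while inside permitted limits.
    LossEvent("Trading and Sales", "Execution, Delivery & Process Management", 2_000_000,
              first_tagged_as="market"),
    # The same loss, but the dealer had exceeded permitted limits.
    LossEvent("Trading and Sales", "Internal Fraud", 2_000_000,
              first_tagged_as="market", operational_cause="dealer exceeded permitted limits"),
    # An attempt to encash a fake dividend warrant of Rs 100000, stopped by staff.
    LossEvent("Retail Banking", "External Fraud", 0, near_miss=True),
    # "Treasury" is a Level-2 activity, not a Level-1 line, so the entry is rejected.
    LossEvent("Treasury", "Internal Fraud", 50_000),
]
```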
Business Environment & Internal Control Factors (BEICF)
The indicators of an institution’s operational risk profile that reflect a current and forward-looking assessment of its underlying business risk factors and internal control environment.
Tools used to support the BEICF requirement:
• Risk Control Self-Assessments (RCSA)
• Key Risk Indicators
Operational Risk Management – RCSA
• RCSA is a systematic and rigorous process which leverages the collective knowledge of individuals within the organization to proactively identify, assess, mitigate/control and report ‘Significant Risks’
• RCSA questionnaires developed for various entities, viz. front office, mid office and back office
• RCSA process customized to suit the various risk entities of the Bank
• After the risks are identified, controls are to be put in place, the efficacy of which can be measured in the subsequent RCSA exercise, resulting in better risk management
• It is a continuous process
RCSA: Risk Assessment
• Risk assessment enables management to rate and analyze significant risks based on impact (severity) and likelihood (frequency) and to identify controls for risk mitigation
• As part of the risk assessment process an “Owner” is defined for each risk, along with timelines for implementation
• Risk assessment forms the basis for the subsequent steps of risk mitigation, measurement and reporting
RCSA: Assessment Scale
SEVERITY OF OPERATIONAL LOSS
1. Very low impact
2. Low impact
3. Moderate impact
4. High impact
5. Very high impact
PROBABILITY OF LOSS
1. Very low likelihood
2. Low likelihood
3. Moderate likelihood
4. High likelihood
5. Very high likelihood
KEY RISK INDICATORS
• KRIs are early warning signals used to monitor Op Risk. KRIs are generally derived from key risks identified in the RCSA exercise to enable the bank to track the trajectory of risks.
• KRIs could reflect potential sources of operational risk such as rapid growth, the introduction of new products, employee turnover (attrition in treasury), system downtime and so on.
• KRIs to link to different risk dimensions such as: potential frequency; average severity or cumulative loss
KEY RISK INDICATORS – 2
• KRIs to be readily defined, understandable and quantifiable
– Collectable at a reasonable cost / time
– Comparable through time and across business units
– Auditable
• Indicators may be either numeric or financial
– Financial are preferred
• Institutions / Banks are all very different
– There cannot be any standard library of KRIs: organisation / business specific, and a function of internal controls too
– Different Banks / offices / businesses may use different KRIs for the same risk
KEY RISK INDICATORS – Example
KRI                                          Value          Escalation trigger   % change over last quarter   % change over last year
Staff turnover rate                          5%             15%                  10%                          20%
Downtime in IT system during trading hours   22 hours       24 hours             15%                          25%
Material data security breaches              1              2                    100%                         100%
Number of failed critical systems            6              10                   100%                         200%
Value of loss due to suspicious activity     1.6 million    3 million            111%                         103%
Value of unreconciled items over 30 days     3.22 million   3 million            77%                          262%
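An added example, not from the deck, that evaluates the KRI rows above against their escalation triggers and ranks them for a risk committee report. The RED/AMBER/GREEN statuses and the 100% trend threshold (a doubling over the quarter or the year counts as an early warning) are assumptions; the deck lists only values and triggers.

```python
"""Key Risk Indicator (KRI) monitoring against escalation triggers, using
the rows of the deck's KRI example slide as constructed sample data.
Added example: the RED/AMBER/GREEN statuses and the trend threshold are
assumptions; the deck only lists values and triggers."""
from dataclasses import dataclass
from typing import Dict, List

TREND_ALERT_PCT = 100.0  # assumed: doubling over a quarter or a year is an early warning


@dataclass(frozen=True)
class KRI:
    name: str
    value: float             # current observation
    trigger: float           # escalation trigger, in the same unit as value
    qoq_change_pct: float    # % change over last quarter
    yoy_change_pct: float    # % change over last year

    @property
    def utilisation(self) -> float:
        """Distance to the trigger as a ratio: 1.0 means the trigger is hit."""
        return self.value / self.trigger if self.trigger else float("inf")

    def status(self) -> str:
        """RED: trigger reached or breached, escalate now.
        AMBER: still below trigger but rising fast, watch it.
        GREEN: below trigger and stable."""
        if self.value >= self.trigger:
            return "RED"
        if max(self.qoq_change_pct, self.yoy_change_pct) >= TREND_ALERT_PCT:
            return "AMBER"
        return "GREEN"


# The deck's example rows (value, trigger, % change over quarter / year).
DASHBOARD: List[KRI] = [
    KRI("Staff turnover rate (%)", 5, 15, 10, 20),
    KRI("IT system downtime during trading hours (hours)", 22, 24, 15, 25),
    KRI("Material data security breaches (count)", 1, 2, 100, 100),
    KRI("Number of failed critical systems", 6, 10, 100, 200),
    KRI("Value of loss due to suspicious activity (million)", 1.6, 3, 111, 103),
    KRI("Value of unreconciled items over 30 days (million)", 3.22, 3, 77, 262),
]


def escalation_report(kris: List[KRI]) -> List[Dict[str, object]]:
    """Order indicators for the risk committee: breaches first, then the
    fast-rising ones, each group sorted by how close it is to its trigger."""
    rank = {"RED": 0, "AMBER": 1, "GREEN": 2}
    ordered = sorted(kris, key=lambda k: (rank[k.status()], -k.utilisation))
    return [{"kri": k.name, "status": k.status(),
             "utilisation": round(k.utilisation, 2)} for k in ordered]


def needs_escalation(kris: List[KRI]) -> List[str]:
    """Names of the indicators at or over their trigger."""
    return [k.name for k in kris if k.status() == "RED"]


if __name__ == "__main__":
    for row in escalation_report(DASHBOARD):
        print(f"{row['status']:<6}{row['utilisation']:>6}  {row['kri']}")
```

On the deck’s rows only the unreconciled-items KRI has breached its trigger, while the security-breach, failed-systems and suspicious-activity KRIs are still under trigger but have doubled or more, which is exactly the trend signal an early-warning indicator is meant to surface before the trigger is hit.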
Scenario Analysis
A systematic process of obtaining opinions from business managers & risk management experts to derive reasoned assessments of the likelihood & impact of operational losses
Where scenarios are used:
• Input for operational loss capital
• Basis of an operational risk analytical framework
Use of scenarios varies widely among institutions
Example: Components of a Scenario
• Scenario: Rogue Trader
• Output: scenario loss amount and probability
• Key considerations: “Each scenario should use internal loss data, external loss data, business environment and internal control factors to determine the scenario severity and probability parameters.”
• Internal Loss Data
– What losses has the firm experienced for the given scenario?
– What were the sizes of the losses and the frequency of major events?
– What management actions have been taken to prevent future occurrence or reduce the potential size of loss?
• External Loss Data
– What major events of this particular scenario have occurred at other firms similar to the firm?
– What is the potential range of losses? How frequently have the events occurred?
– What is the potential loss and likelihood of occurrence for the firm?
• Business Environment & Internal Control Factors
– What are the BEICFs that could affect the size and likelihood of loss?
– Complexity of product/business, pace of change or market regulation, volumetrics, key risk indicators.
Why is Operational Risk receiving increased attention?
• Growing complexity in the banking industry (products, services, technology, globalization, acquisitions/mergers, etc.)
• Several large and widely publicized operational losses in recent years, e.g. Barings Bank, Sumitomo Corp, Daiwa Bank (NY), Societe Generale, Satyam
• Rapid pace of innovation
• Increased focus on corporate governance
• Increased global competition
• A changing regulatory capital regime
BARINGS BANK
This is one of the most infamous tales of financial demise. Trader Nick Leeson was supposed to be exploiting low-risk arbitrage opportunities between derivatives written on the Nikkei equity index traded on the Singapore Money Exchange (SIMEX) and on the Osaka exchange. In practice, he was running open futures contracts on the two exchanges. Thanks to the lax attitude of senior management, Leeson was given control over both the trading and back office functions. As Leeson’s losses mounted, he increased his bets by selling options. Unfortunately, the major Kobe earthquake in February 1995 caused the Nikkei Index to drop sharply. Leeson’s losses increased rapidly, and Barings was unable to continue to fund his positions. Despite emergency meetings at the Bank of England, external support was not forthcoming for Barings, and in March 1995 it was purchased by the Dutch bank ING for just GBP 1.
Control of Operational Risk
• Book of Instructions / Manuals
• Circulars
• Delegation of Financial Powers
• Appropriate Reporting System
• Policies of the Bank
• Use of Information Technology
• Self Assessment
• Audit committees
Unless you are able to implement your controls & you have powers to penalise, the controls will be meaningless.
Mitigating Operational Risk
The basic objective of Operational Risk Management is to mitigate Operational Risk:
• Inspection & Audit
• Insurance
• Training
• Rewards
Implementation at Role holders’ level – a Process
• Identify the events / transactions
• Identify the parties involved
• Identify the potential pressure points
• Identify the processes:
– Awareness
– Systems / Procedures
• Follow
• Strengthen
• Own Implementation