Upload
ann-fisher
View
216
Download
1
Tags:
Embed Size (px)
Citation preview
OPERATIONAL RISK
Issues & Challenges
March 9, 2007
Partners in Risk & Compliance
2Partners in Risk & Compliance
Table of Contents
ORM Framework and its Components
Single Biggest Challenge
Self Assessment – Issues & Challenges
KRI – Issues & Challenges
LDM – Issues & Challenges
AMA – Issues & Challenges
3Partners in Risk & Compliance
ORM Framework - Components
4. Risk Mitigation Programmes
Integrated Reporting ( SA, KRI & LDM),
New Product & Activity ( including Outsourcing)
BCP/DRP
Risk Causes
• Process• People• Systems• External
Even
t Fre
qu
en
cy
99.99%Confidence level
CATASTROPHICLOSS
Effect Severity
EXPECTED LOSS
UNEXPECTED LOSS
RISK
Risk Governance Operational Risk Definition/ Governance/ Policies
1. Self Assessments (SA)
Strategic Diagnostic Study
Risk & Control Self Assessment (RCSA )
Loss Provisioning
Gross Income Allocation to calculate capital under SA
Loss Data Capture
Loss Data Analysis
3. Loss Data Management (LDM)
Ris
k M
an
ag
em
en
t 2. Key Risk Indicator
Key Risk Indicator (KRI)
AMA Capital calculation using LDA, SBA & HMA
Internal Control Supervision
Risk Measurement
4Partners in Risk & Compliance
ORM Framework - Components
4. Risk Mitigation Programmes
Integrated Reporting ( SA, KRI & LDM),
New Product & Activity ( including Outsourcing)
BCP/DRP
Risk Causes
• Process• People• Systems• External
Even
t Fre
qu
en
cy
99.99%Confidence level
CATASTROPHICLOSS
Effect Severity
EXPECTED LOSS
UNEXPECTED LOSS
RISK
Risk Governance Operational Risk Definition/ Governance/ Policies
1. Self Assessments (SA)
Strategic Diagnostic Study
Risk & Control Self Assessment (RCSA )
Loss Provisioning
Gross Income Allocation to calculate capital under SA
Loss Data Capture
Loss Data Analysis
3. Loss Data Management (LDM)
Ris
k M
an
ag
em
en
t 2. Key Risk Indicator
Key Risk Indicator (KRI)
AMA Capital calculation using LDA, SBA & HMA
Internal Control Supervision
Risk Measurement
5Partners in Risk & Compliance
Single Biggest Challenge
“Operational risk is very different”
Market Risk Credit Risk Operational Risk
Risk Position
Quantifiable exposure
Yes Yes Difficult
Exposure measurePosition; risk
sensitivityMoney lent, Potential
exposure
Difficult – no ready equivalent position
available
CompletenessPortfolio
completenessKnown Known Unknown
Context dependency &
data
Context dependency Low Medium High
Data frequency High Medium Continuous
Relevance Measurement &
Validation
Applicable for departments
Treasury and Market risk
Credit DepartmentThrough out the
Bank
TestingAdequate data for
back testing
Back testing difficult to perform over
short term
Results very difficult to test over any time
horizon
6Partners in Risk & Compliance
Self Assessment Issues & Challenges
Decision for approach: Bottom up vs Top down
Rationalizing roles and responsibilities
Assigning responsibility and accountability for operational risk without impacting effectiveness and efficiency
Overlaps of ORM with other risk control areas such compliance, audit etc
Awareness among the employees of the bank with respect to the benefits of operational risk management
Creating blame free environment – encouragement to identify lacks in the existing controls
7Partners in Risk & Compliance
Self Assessment - Top Down Vs Bottom up
Pros
Easy of Implementation
Cons
Lacks granularity
Pros
Offers complete drill down of risk assessment
Cons
Misses “big picture”
8Partners in Risk & Compliance
Segregation of Roles & Responsibilities
BORMBORMBORM
Department 3Department 2Department 1Operational
Risk
Compliance
Audit
RP RP RP
Direct Reporting
Indirect Reporting
Working Relationship
BORM – Business Operational Risk Manager
RP - Representative
Business Line
9Partners in Risk & Compliance
Awareness & Change in Culture
Change of culture where people are encouraged to report risks rather than hide it
All business units should capture losses in a consistent framework rather than their individual way
Carrot / Stick approach
Monitoring & Learning
A Sense of evolution
PurposeA Sense of Direction
CapabilityA Sense of
competence
Commitment
A Sense of identity and values
Action
10Partners in Risk & Compliance
Key Risk Indicators - Issues & Challenges
Suitability and relevance of the KRI ( Quality over Quantity)
No means to consistently relate the occurrence of Loss events and the location of the problem
Plenty of indicative data is available in various MIS, but the relevance is never tested
Difficult in implementing across the organisation as it requires an interface with various source systems
To always represent a KRI from a system value is challenging, hence finding surrogates and the relevance of surrogates
Difficult to compare KRIs across different institutions with different trigger points and risk appetite
Difficult to estimate the trigger points of each identified KRI
No observable best practice
11Partners in Risk & Compliance
Relevance of KRI
System Down
Inappropriate reconciliation procedures
When a loss happened 80% 30%
System up System down Total
Loss 20 80 100
No Loss 1,000 9,000 10,000
Total 1020 9,080 10,100
P (L) Given system down = 80/9080= 0.88%
P (L) Given system up = 20/1020 = 1.96%
When no loss happened
90% 30%
12Partners in Risk & Compliance
Interface with source systems and surrogate findingHaving Interface with so many systems and also finding the appropriate metric which represents the “key Risk” is a challenge. Finding surrogates to represent “Key Risks” has become a normal phenomenon
KRI(May or may not represent the Key Risk
which is supposed to be
reflected by the indicator)
CENTRAL
SOURCESYSTEM
ETL layer(for
values of KRI)
Treasury
Kondor Global +
Capital Market System
Kondor Plus
Relationship (Collateral) Management System
(RMS)
Loan System
Central Liability Tracking System
NPA System
Murabaha Finance System
Letter of Credit System
Letter of Guarantee System
Accounting System
HR System
13Partners in Risk & Compliance
Loss Data Management - Issues & Challenges
Setting up a consistent loss data collection process
Creating blame free environment – encouragement to report losses
Threshold determination
Lack of adequate internal loss history
The sanctity of the available data as it is not in sync with the actual booked losses
Differentiating between event (loss incident ) and a non event ( near miss)
Difference of opinion in defining loss events and near misses
Difference of opinion in treating the recovery
14Partners in Risk & Compliance
Threshold Determination
Determining threshold for capture of losses
Once a threshold is decided, mostly losses are not reported at the estimated loss amount is just below the threshold amount
Not deciding the threshold and capturing all losses is also Herculean as many insignificant events populate the loss database which are irrelevant and already factored in the cost of doing business
Different accounting treatment for both loss and recovery and hence the reconciliation problems
15Partners in Risk & Compliance
Event vs Non Event
If the full recovery happens within 5 days ( for example) the event is considered to be a non event
Full recovery after 5 days is also considered to be a non event and classified as rapidly recovered loss
Different accounting treatment for both loss and recovery and hence the reconciliation problems
Many banks also classify the non event as near misses, on the other hand there are banks who independently define near misses and keep it separate from non events
Some banks also keep the recovery option open for ever and even if the recovery happens after years it is not included as a loss as it is recovered
Lack of consistent guidelines for capture and treatment of internal losses, hence cannot be compared across internationally active banks
16Partners in Risk & Compliance
AMA Issues & Challenges
AMA must use all four input factors:
Internal data :
The challenges associated with the collection of internal loss data
External Data:
No proper guidance on use of external data
No specific rules for making the external data relevant for the bank
Scenario Analysis:
No established market standards
Can be done either by developing internal scenarios or using external scenarios
Business Environment & Internal control factors
Not directly integrated in the loss distribution
No proper rules or benchmark for validating correlation assumptions among various events
Capital figures cannot be compared across banks internationally
17Partners in Risk & Compliance
Linkages among the Building Blocks
Loss Data Mgmt
Group Risk
Business Unit /Line Management Objectives/Processes
Risk Events
Self Assessment
Key RiskIndicators
ControlsTest Results
Action Plan
Analysis & Case Management
Control Effectiveness, Testing & Findings
Preventing Losses
Risk Governance Framework
Findings
Risk & Control Self Assessment
(Bottom up)
Strategic Diagnostic (Top Down)
Regular Monitoring &
Reporting
Thank you
Confidentiality clause
This document is confidential. No part of it may be circulated or reproduced outside without express approval of Aptivaa Consulting.© Aptivaa Consulting 2007.