a regulatory perspective on operational risk world bank presentation may 20, 2004
DESCRIPTION
A Regulatory Perspective on Operational Risk World Bank Presentation May 20, 2004. Presented by: Eric Rosengren Senior Vice President Federal Reserve Bank of Boston. Outline. How to define operational risk for banks Why banks and supervisors are pursuing quantification of operational risk - PowerPoint PPT PresentationTRANSCRIPT
A Regulatory Perspective on A Regulatory Perspective on Operational RiskOperational Risk
World Bank PresentationWorld Bank PresentationMay 20, 2004May 20, 2004
Presented by:Eric Rosengren
Senior Vice PresidentFederal Reserve Bank of Boston
22
OutlineOutline
How to define operational risk for banksHow to define operational risk for banks
Why banks and supervisors are pursuing Why banks and supervisors are pursuing quantification of operational riskquantification of operational risk
A detailed look at the Advanced A detailed look at the Advanced Measurement Approach for banksMeasurement Approach for banks
Implications for emerging marketsImplications for emerging markets
33
Basle Operational Risk Definition/ Basle Operational Risk Definition/ FrameworkFramework
““The risk of loss resulting from inadequate The risk of loss resulting from inadequate or failed internal processes, people and or failed internal processes, people and systems or from external events” systems or from external events” This definition includes legal riskThis definition includes legal risk Strategic and reputational risk are excludedStrategic and reputational risk are excluded
44
Basle Operational Risk Definition/ Basle Operational Risk Definition/ Framework Framework continued...continued...
Operational Risk is Operational Risk is not:not: All risk other than credit and marketAll risk other than credit and market Only systems & IT relatedOnly systems & IT related NewNew
Internal Fraud External Fraud
Employment Practices & Workplace
Safety
Clients, Products &
Business Practices
Damage to Physical Assets
Business Disruption &
System Failures
Execution, Delivery &
Process Management
Corporate Finance
Trading & Sales
Retail Banking
Payment & Settlement
Agency Services
Commercial Banking
Asset Management
Retail Brokerage
Loss Event Types
Bu
sin
ess
Lin
es
55
Examples of Operational Examples of Operational LossLoss Events Events in Bankingin Banking
Internal FraudInternal Fraud: Allied Irish Bank, Barings, : Allied Irish Bank, Barings, and Daiwa Bank Ltd - $691 million, $1 and Daiwa Bank Ltd - $691 million, $1 billion, and $1.4 billion, respectively - billion, and $1.4 billion, respectively - fraudulent trading.fraudulent trading.
External FraudExternal Fraud: Republic New York Corp. - : Republic New York Corp. - $611 million - fraud committed by custodial $611 million - fraud committed by custodial client.client.
66
Examples of Operational Examples of Operational LossLoss Events Events in Banking in Banking continued...continued...
Employment Practices and Workplace Employment Practices and Workplace SafetySafety: Merrill Lynch - $250 million - legal : Merrill Lynch - $250 million - legal settlement regarding gender discrimination.settlement regarding gender discrimination.
Clients, Products & Business PracticesClients, Products & Business Practices: : Household International - $484 million- Household International - $484 million- improper lending practices; Providian improper lending practices; Providian Financial Corp. - $405 million- improper sales Financial Corp. - $405 million- improper sales and billing practices.and billing practices.
77
Examples of Operational Loss EventsExamples of Operational Loss Events
Damage to Physical AssetsDamage to Physical Assets: Bank of New : Bank of New York - $140 million - damage to facilities York - $140 million - damage to facilities related to September 11, 2001.related to September 11, 2001.
Business Disruption and System FailuresBusiness Disruption and System Failures: : Solomon Brothers - $303 million - change Solomon Brothers - $303 million - change in computer technology resulted in in computer technology resulted in “unreconciled balances”.“unreconciled balances”.
88
Examples of Operational Loss Events Examples of Operational Loss Events continued...continued...
Execution, Delivery & Process ManagementExecution, Delivery & Process Management: : Bank of America and Wells Fargo Bank - $ Bank of America and Wells Fargo Bank - $ 225 million and $150 million, respectively - 225 million and $150 million, respectively - systems integration failures/failed transaction systems integration failures/failed transaction processing.processing.
99
Bank’s Recognize the Significance of Bank’s Recognize the Significance of Operational RiskOperational Risk
More than 100 losses exceeding $100 Million More than 100 losses exceeding $100 Million over the last decadeover the last decade
Large banks recognize the importance/ Large banks recognize the importance/ magnitude of op risk:magnitude of op risk: Based on recent Basle survey, on average they Based on recent Basle survey, on average they
hold 15% of their capital for Op Risk.hold 15% of their capital for Op Risk. Per their Annual Reports, Deutsche Bank and Per their Annual Reports, Deutsche Bank and
JPM are holding €2.5B and $5.8B for operational JPM are holding €2.5B and $5.8B for operational risk.risk.
1010
Rationale Banks Cite for Quantifying Rationale Banks Cite for Quantifying OpRiskOpRisk
Operational failures negatively impact profitabilityOperational failures negatively impact profitability Banks that measure and manage operational risk can reduce Banks that measure and manage operational risk can reduce
earnings volatilityearnings volatility Banks that measure and manage operational risk can reduce Banks that measure and manage operational risk can reduce
likelihood of an operational event becoming a “capital event” likelihood of an operational event becoming a “capital event”
Businesses are more complex, changing rapidly, Businesses are more complex, changing rapidly, operationally intensive, and technology reliantoperationally intensive, and technology reliant Banks that measure and manage operational risk are likely Banks that measure and manage operational risk are likely
to be less susceptible to systemic problemsto be less susceptible to systemic problems
1111
Rationale Banks Cite for Quantifying Rationale Banks Cite for Quantifying OpRisk OpRisk continued...continued...
Customers and shareholders demand Customers and shareholders demand operational sophistication, speed, and operational sophistication, speed, and flawless executionflawless execution
Risk modeling that omits (or arbitrarily sets) Risk modeling that omits (or arbitrarily sets) capital for operational risk can distort capital for operational risk can distort decision making and performance evaluation decision making and performance evaluation
1212
Rationale Banks Cite for Quantifying Rationale Banks Cite for Quantifying OpRisk OpRisk continued...continued...
Allows banks to identify source of Allows banks to identify source of operational lossesoperational losses Perhaps surprising, many banks do not Perhaps surprising, many banks do not
routinely track such lossesroutinely track such losses ““Causal” factor analysis helps manage these Causal” factor analysis helps manage these
risksrisks
Allows banks to identify operational loss Allows banks to identify operational loss outcomes that they have exposure to, but outcomes that they have exposure to, but have yet to experience. have yet to experience. example: bad cluster of high frequency, low example: bad cluster of high frequency, low
impact eventsimpact events
1313
Rationale Banks Cite for Quantifying Rationale Banks Cite for Quantifying OpRisk OpRisk continued...continued...
Provides a framework for modeling extreme Provides a framework for modeling extreme events.events. ““Scenario Analyses” of low frequency, high Scenario Analyses” of low frequency, high
impact eventsimpact events example: business interruptionexample: business interruption
Help incorporate the quantification of “risk Help incorporate the quantification of “risk reduction” into the decision making processreduction” into the decision making process examples: technology, growth, insurance examples: technology, growth, insurance
productsproducts
1414
Goals of Bank SupervisorsGoals of Bank Supervisors
Revise international capital accord to Revise international capital accord to incorporate greater risk sensitivity and incorporate greater risk sensitivity and capture significant risks, including op risk capture significant risks, including op risk
Allocate capital according to a risk-Allocate capital according to a risk-focused approach to the quantification of focused approach to the quantification of operational riskoperational risk
1515
Goals of Bank SupervisorsGoals of Bank Supervisors continued...continued...
Provide incentives for banks to measure and Provide incentives for banks to measure and manage operational risksmanage operational risks Promote sound internal policies/controls/ proceduresPromote sound internal policies/controls/ procedures Motivate investment in operational risk infrastructure Motivate investment in operational risk infrastructure
to reduce operational riskto reduce operational risk
Ensure appropriate consideration of stress Ensure appropriate consideration of stress testing/systemic risktesting/systemic risk Consideration of systemic implications of operational Consideration of systemic implications of operational
risk decisions made by individual firmsrisk decisions made by individual firms
1616
Basle II Operational Risk FrameworkBasle II Operational Risk Framework
Minimum Regulatory Capital (Pillar 1)Minimum Regulatory Capital (Pillar 1) Framework for calculating op risk capital chargeFramework for calculating op risk capital charge Utilizes spectrum of approaches of increasing Utilizes spectrum of approaches of increasing
complexitycomplexity
Sound Practices (Pillar 2)Sound Practices (Pillar 2) Basle issued Sound Practices Paper February Basle issued Sound Practices Paper February
20032003
Disclosure (Pillar 3)Disclosure (Pillar 3) Market DisciplineMarket Discipline Expected to be strong motivatorExpected to be strong motivator
1717
Basle II: Current Op Risk ProposalBasle II: Current Op Risk Proposal
Alternative approaches provided to accommodate different levels of Alternative approaches provided to accommodate different levels of bank sophistication:bank sophistication:
Supervisor Specified Parameters Supervisor Specified Parameters Bank Defined Parameters
Bank-wide Measure Business Line Based Supervisor Set Qualitative / Quantitative Stds
Exposure Indicator * Alpha Exposure Indicator * Beta Significant Flexibility
Exposure Indicator = Gross Income Exposure Indicator = Gross Income Examples:
Alpha = 15% Betas = 12 - 18% Loss Distribution Approach
Scorecard Approach
Basic Indicator Approach Standardized Approach Advanced Measurement Approaches (AMA)
Increasing Complexity Increasing Risk Sensitivity
1818
Key Elements of a Basle II AMAKey Elements of a Basle II AMA
1.1. Internal DataInternal Data
2. External Data2. External Data
3. Scenario Analysis3. Scenario Analysis
4. Internal Control and Business4. Internal Control and BusinessEnvironment FactorsEnvironment Factors
5. Insurance/Mitigation Techniques5. Insurance/Mitigation Techniques
Flexible, framework that builds on banks’ Flexible, framework that builds on banks’ internal methodologies and allows for internal methodologies and allows for evolution of practice over timeevolution of practice over time
1919
Key Elements of a Basle II AMA Key Elements of a Basle II AMA continued...continued...
Qualitative and quantitative supervisory Qualitative and quantitative supervisory criteriacriteria Similar approach as Basle Market Risk Similar approach as Basle Market Risk
AmendmentAmendment
Key elements can be combined in different Key elements can be combined in different ways to quantify the bank’s OpRisk exposureways to quantify the bank’s OpRisk exposure
Rely on supervisory validation and Rely on supervisory validation and benchmarking across institutionsbenchmarking across institutions
2020
Operational Loss DataOperational Loss Data
Data collection differs across banks:Data collection differs across banks: The more detail the better, but detail comes at The more detail the better, but detail comes at
a $ costa $ cost What kind of tracking system is needed? What kind of tracking system is needed?
Manual? Automated? Training?Manual? Automated? Training? Definition? Date information? Insurance Definition? Date information? Insurance
payoffs? Other recoveries?payoffs? Other recoveries? What is the appropriate $ threshold to capture in What is the appropriate $ threshold to capture in
database? Near misses?database? Near misses? How should operational events “across business How should operational events “across business
lines” be handled?lines” be handled?
2121
Operational Loss Data Operational Loss Data continued...continued...
How should internal data be supplemented with How should internal data be supplemented with external data?external data?
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Event #Event
Code (1)Event
Code (1) DateCost
CenterBusiness
Line Loss Recoveries Insurance Event Description1 IF 12 960116 10003 RB 19057.25 0.00 19057.252 EF 31 960116 20003 RB 40905.04 0.00 40905.043 SY 22 960116 33890 CF 10194.55 3433.00 10194.554 SY 11 960119 45359 CF 52831.68 0.00 52831.685 PD 11 960120 11101 CB 36558.11 0.00 36558.116 IF 32 960120 10003 PS 620537.37 0.00 620537.377 IF 22 960122 20203 AS 10181.69 0.00 10181.698 EF 31 960122 19767 AS 24783.17 13556.00 24783.179 EE 17 960122 19332 TS 11963.49 0.00 11963.4910 EE 27 960122 18897 AS 20086.56 0.00 20086.56. . . . . . . . .. . . . . . . . .. . . . . . . . .. . . . . . . . .. . . . . . . . .
2701 UA 8 960146 10003 RB 14451.49 0.00 14451.492702 UA 3 960148 10003 RB 11010.46 0.00 11010.462703 WS 17 960150 33890 CF 24681.18 0.00 24681.182704 SF 26 960152 23223 AM 17963.66 16963.66 17963.66
2222
Quantification MethodologiesQuantification Methodologies
Alternative techniques are availableAlternative techniques are available Chosen technique must include key elements Chosen technique must include key elements
of AMA: internal data, external data, scenario of AMA: internal data, external data, scenario analysis, and internal control and business analysis, and internal control and business environment factorsenvironment factors
Example 1: Loss Distribution Approach Example 1: Loss Distribution Approach Models frequency distribution and severity Models frequency distribution and severity
distribution to formulate an operational loss distribution to formulate an operational loss distributiondistribution
Challenge to understand appropriate modeling Challenge to understand appropriate modeling of the “tail” of the severity distributionof the “tail” of the severity distribution
2323
Quantification MethodologiesQuantification Methodologies continued...continued...
Example 2: Scorecard ApproachExample 2: Scorecard Approach Models required capital at the corporate levelModels required capital at the corporate level Allocates capital pool to business lines based on Allocates capital pool to business lines based on
scorecardscorecard
Other credible methodologies will be acceptableOther credible methodologies will be acceptable AMA does NOT preclude alternativesAMA does NOT preclude alternatives
2424
Quantification Methodologies - LDAQuantification Methodologies - LDA
The Loss Distribution Approach: The Loss Distribution Approach: Standard statistical techniques are availableStandard statistical techniques are available
which techniques are most appropriate?which techniques are most appropriate? what are appropriate for modeling the “tail” of the what are appropriate for modeling the “tail” of the
distribution?distribution?
Data Quality is ImportantData Quality is Important Incorporating high-severity events Incorporating high-severity events
External data?External data? Scenario analysis?Scenario analysis?
2525
Quantification Methodologies - LDA Quantification Methodologies - LDA continued...continued...
Incorporating Risk MitigationIncorporating Risk Mitigation Insurance coverage can be incorporated into Insurance coverage can be incorporated into
methodologymethodology uses information about deductibles/limits on uses information about deductibles/limits on
“event policies”“event policies” still have to assess translation into credit/legal still have to assess translation into credit/legal
riskrisk Provides framework to assess appropriateness Provides framework to assess appropriateness
of coverageof coverage
2626
Overview of LDAOverview of LDA
Generally, estimation of an operational loss Generally, estimation of an operational loss distribution involves 3 steps:distribution involves 3 steps:
1. Estimating a frequency distribution1. Estimating a frequency distribution
2. Estimating a severity distribution2. Estimating a severity distribution
3. Running a statistical simulation to produce 3. Running a statistical simulation to produce a a loss distributionloss distribution
2727
Overview of LDA Overview of LDA continued...continued...
25 million 250 million
Total Operational Loss over a 1 year time horizon
Den
sity
Expected Loss Unexpected Loss, 99.9%
Frequency Distribution
Number of Loss Events per Year
Den
sity
Severity Distribution
$ Value of a Loss Events
Den
sity
2828
Internal Control and Business Internal Control and Business Environment FactorsEnvironment FactorsQualitative Risk AssessmentsQualitative Risk Assessments
Developing qualitative operational risk Developing qualitative operational risk assessmentsassessments Tailored to business line, and are designed to be Tailored to business line, and are designed to be
“real time”“real time”and/or “forward-looking”and/or “forward-looking”
““Scorecard” Scorecard” business unit asked to answer series of questions business unit asked to answer series of questions
regarding OpRiskregarding OpRisk
2929
Internal Control and Business Internal Control and Business Environment FactorsEnvironment FactorsQualitative Risk Assessments Qualitative Risk Assessments continued...continued...
examples:examples: What is the number of sensitive positions filled by What is the number of sensitive positions filled by
temps?temps? What is the ratio of supervisors to staff?What is the ratio of supervisors to staff? Does your business unit have confidential client Does your business unit have confidential client
information?information?
However, are these scorecards correlated However, are these scorecards correlated with true OpRisk exposure?with true OpRisk exposure?
3030
Internal Control and Business Internal Control and Business Environment FactorsEnvironment FactorsKey Risk IndicatorsKey Risk Indicators
Developing systems that track risk Developing systems that track risk indicatorsindicators ““Real Time” indicatorsReal Time” indicators Usually tailored to business lineUsually tailored to business line examples:examples:
employee turnoveremployee turnover number of open employee positionsnumber of open employee positions transaction volumetransaction volume average transaction sizeaverage transaction size
3131
Internal Control and Business Internal Control and Business Environment FactorsEnvironment FactorsKey Risk Indicators Key Risk Indicators continued...continued...
However, are these indicators correlated with However, are these indicators correlated with OpRisk exposure?OpRisk exposure?
Quantitative Analysis can help assess Quantitative Analysis can help assess relevancy of KRIsrelevancy of KRIs which are driverswhich are drivers what are important thresholdswhat are important thresholds
3232
AMA Should Be Consistent with the AMA Should Be Consistent with the Scope of ApplicationScope of Application
Applies to internationally active banks as well Applies to internationally active banks as well as to the entire banking groupas to the entire banking group
Home and host supervisors must be satisfied Home and host supervisors must be satisfied that capital reflects the operational risk profilethat capital reflects the operational risk profile
3333
Each Bank Must be Adequately Each Bank Must be Adequately Capitalized on a Stand-Alone BasisCapitalized on a Stand-Alone Basis
Capital is generally not freely transferable Capital is generally not freely transferable within a banking groupwithin a banking group
Banking groups are allowed to recognize Banking groups are allowed to recognize benefits of group-wide diversification at the benefits of group-wide diversification at the group levelgroup level
Group-wide diversification benefits cannot be Group-wide diversification benefits cannot be applied to significant banking subsidiariesapplied to significant banking subsidiaries
Non-significant bank subsidiaries may be Non-significant bank subsidiaries may be limited by host supervisor in applying limited by host supervisor in applying diversification benefits diversification benefits
3434
Supervisors Should Strive to Minimize Supervisors Should Strive to Minimize the Cost of AMA Cross-Border the Cost of AMA Cross-Border ImplementationImplementation
Institutions can leverage group resources at Institutions can leverage group resources at the subsidiary levelthe subsidiary level
Subsidiaries can rely on data, parameters Subsidiaries can rely on data, parameters and experts at the parent company – with and experts at the parent company – with consideration of specific circumstances of the consideration of specific circumstances of the legal entitylegal entity
3535
How Should Supervisors Coordinate?How Should Supervisors Coordinate?
Home supervisor will lead the coordination Home supervisor will lead the coordination efforteffortHost supervisors will need to be comfortable Host supervisors will need to be comfortable with the bank capital in host countrywith the bank capital in host country Coordination between home/host countries will be Coordination between home/host countries will be
criticalcritical Allocations will need to be mutually acceptableAllocations will need to be mutually acceptable
3636
Implications for emerging marketsImplications for emerging markets
To manage a risk you need to be able to To manage a risk you need to be able to measure itmeasure it
Operational loss data has been an Operational loss data has been an effective place to start – patterns in data effective place to start – patterns in data usually lead to better mitigationusually lead to better mitigation
Most effective use tends to be by firms that Most effective use tends to be by firms that use economic capital to manageuse economic capital to manage
Home/Host issues need to be resolvedHome/Host issues need to be resolved
Largest global banks are moving rapidly to Largest global banks are moving rapidly to be ready for implementationbe ready for implementation