mitigating operational risk: risk transfer solutions

Mitigating Operational Risk Exposure: Risk Transfer Solutions

ABA OPERATIONAL RISK MANAGEMENT FORUMApril 17th 2008

Michel Rochette, MBA, FSA

ENTERPRISE RISK ADVISORY, LLC

Topics

• Context and recent developments

• Opportunities to go beyond Basel II compliance

• Op risk mitigation environment:– Self mitigation– Self insurance– Risk transfer:

• Insurance mitigation• Alternative risk transfer: Captives• Capital markets solutions

• Case: Insurance mitigation optimization

Context:

“Regulators are becoming concerned that banks may seek to manage the [Operational Risk Capital] charge rather than to manage the risk itself”

Susan Schmidt Bies, Federal Reserve Board Governor

New York, March 29, 2006

Reminder: Sound Practices Paper-BIS 2003

• Development of an appropriate op risk mgt environment:– Board level & management with clearly defined roles.

• Risk Management: – Identification– Assessment– Mitigation & monitoring– All material activities, products, processes and systems

covered– Monitor operational risk profile – Policies/processes/procedures to manage the risk– Must chose appropriate risk mitigation strategies in light

of their risk appetite.

StrategicBasel IIOperational Risks

Financial Business

Attracting & retaining talentCompetition

Managing organizational changeM&A/business diversification

New product strategyNew market strategy

Outsourcing and supplier chainGovernance of risk

Interest ratesCredit environment

LiquidityFX environment

Equity environmentFinancial liabilities

Internal processesSystem failureInternal/External FraudEmployment practices: Health & Safety / Loss of Key PeopleClients/products/Business practicesExternal incidentLegal impact includedInsurance allowed as mitigant

Brand/ReputationCorporate social responsibilityProduction volumes/pricingLoss of Intellectual propertyOther risk mitigation integrated

Operational Risk: Basel II Compliance View

StrategicBasel IIOperational Risks

Financial Business

Attracting & retaining talentCompetition

Managing organizational changeM&A/business diversification

New product strategyNew market strategy

Outsourcing and supplier chainGovernance of risk

Interest ratesCredit environment

LiquidityFX environment

Equity environmentFinancial liabilities

Internal processesSystem failureInternal/External FraudEmployment practices: Health & Safety / Loss of Key PeopleClients/products/Business practicesExternal incidentLegal impact includedInsurance allowed as mitigant

Brand/ReputationCorporate social responsibilityProduction volumes/pricing impactLoss of Intellectual propertyOther risk mitigation integrated

Operational Risk: ERM View

65%

69%

77%

56%

55%

41%

35%

63%

75%

70%

48%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Failure of disaster recovery plan

Merger/acquisition/restructuring

Physical damage

Market risk

Failure to attract or retain staff

Regulatory/legislative changes

Market environment

Distribution or supply chain failure

Third party liability

Business interruption

Damage to Reputation

AON 2007 Global Risk Survey

Most risks are operational!

US Regulators’ Expectations: AMA

• Risk-Based Capital Standards. – Applies to IRB and AMA only at this time. – Banks with $250 billion US+ in consolidated assets. –Core –– Other banks may adopt this new framework: - Opt–in -– Standardized approach for general banks will be finalized in Q1-

2008 with qualifying criteria.

• Compliance and op risk must be analyzed together: – Definition of loss is consistent with Basel II including legal losses.– Legal loss: litigation, settlements, fines resulting from failure to

comply with laws, regulations, prudent ethical standards, contractual obligations in any aspect of the bank’s business.

– May also explain industry interest to implement GRC/ERM.

AMA – Designing Compliant Policies

Policy minimum requirements– be provided by underwriters with

a claims paying ability rated in one of the three highest categories

– an initial term of at least one year and a residual term of more than 90 days;

– have a minimum notice period for cancellation of 90 days;

– have no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed bank.

Additional requirements– cover must be linked to specific

operational risk/s.– appropriate discounts to the

value of the policies must be calculated for:• the cancellation terms of the

policy, if less than 1 year• any uncertainty or delay in

the payment of claims; • Instances where the residual

term of a policy is less than one year. The discount becomes 100 percent in the last 90 days of the policy period.

Insurers’ Claims Paying Abilities

Standards & Poor Moody’s Fitch Best

Long-Term Insurer Financial Strength Rating

Long-Term Insurance Financial Strength Ratings

Insurance Financial Strength Ratings

Financial Strength Ratings

Ability to pay under insurance policies and contracts in

accordance with their terms.

Company’s ability to meet its senior policyholder claims and

obligations.

Ability to meet obligations on a timely basis.

Financial strength and ability to meet ongoing obligations

to policyholders.

A A A B++, B+

Source: UK FSA

US Regulatory Criteria for Other Mitigant

• Regulators are open to other risk mitigant approaches if:

– FI must calculate its operational risk exposure.– Mitigant must be able to absorb losses with sufficient certainty.– Must receive prior written approval.

• Mitigant must cover potential operational losses in a manner consistent with holding regulatory capital.

• Regulators will consider other risk mitigant in due course on “ the basis of growing experience”. – Insurance industry has that experience. – Not necessary to reinvent the wheel.– European regulators are taking a fresh analysis of op risk mitigant.

Managing Operational Risk Beyond Compliance

• Opportunity:– Operational risk is viewed horizontally – end-to-end process -,

originating within some business units but impacting the value of the whole organization.

– Operational risk takes into account:• direct, indirect and opportunity losses.• a forward-looking and risk-based approach.

• Regulatory (Basel II):

– Losses related to people, process, systems and external events. – Focuses only on direct losses including legal claims (litigation,

settlement & fines).– Excludes reputation and business aspects. – For many companies, most of their value comes from their

reputation.

Managing Operational Risk: Improved Performance

• Firms can better estimate their company-wide operational risk tolerance on their financial value, not just their regulatory capital.

• Firms can assess the cost/benefit of implementing “controls” to reduce their operational risk exposure within their desired risk tolerance, thus better managing their economic capital.

• Firms can better integrate insurance, other op risk mitigant, compliance in the overall op risk framework instead of keeping them separate.

• Firms can create financial incentives for business units to invest time/money/efforts to manage the operational risk under their control by :– Integrating its cost in prices of product. Usually not done at this

time. – Measuring performance taking into account operational risk capital

allocated. RAROC type measures.

Managing Operational Risk: Improve your Business

• Firms become more resilient to operational risk shocks. Can turn around more quickly.

• Firms can better communicate to their stakeholders both in advance and after a major operational risk shock:– Can demonstrate that they are in control! → reputation.– Firms gained market share by managing and communicating well an

operational risk failure.

• Firms keep operational risk on their radar screen continuously – forward looking – instead of thinking about it when an event happens. Frequency of major disruptions is decreasing.

• Improved internal communications:– Just relying on your “quants” to assess operational risk without the

involvement of the business units create moral hazard.

Operational Risk Mitigant Environment

Expected Unexpected Catastrophic

Yearly Profit/Internal

Controls

Purely Self Insurance/

Insurance/ART

Insurance/

Capital Mkts

Benefits of Integrating Operational Risk Mitigant

• Business perspective:

– Your institution is NOT in the business of managing op risk. → Low TOLERANCE for this risk.

– Insurance is in the business of managing op risk. → APPETITE for op risk.

– These businesses are complementary, should work together and be more integrated internally.

– This trend is observed more and more.

• Regulatory perspective:

– “Agencies will take into account whether a particular operational risk mitigant covers potential operational losses in a manner equivalent to regulatory capital”.

– Mitigant would cover insurance and other approaches subject to certain minimum qualifying criteria.

Universe of Op. Risk Mitigation: Characteristics

• Internal management: controls– Implemented without much consideration of the costs involved. – Embedded in the AMA calculations through control effectiveness

scores.• Self insurance:

– Calculating and allocating regulatory capital for op risk is a form of self insurance by banks.

– “Insurance” is direct if calculated by AMA.– “Insurance” is indirect if embedded in the regulatory credit capital

as traditionally done by banks in the general regulatory rules. • Insurance:

– Always existed.– Private and public solutions. – Not integrated very often with operational risk groups.– Standard policies don’t always match. – Optimization of the insurance buying decision in relation to the

operational risk exposure is not usually done.

Universe of Op. Risk Mitigation: Characteristics

• Alternative Risk Transfers (ART):– Used by companies to mitigate risks that the traditional

insurance markets cannot cover.– Probably already used by some of your institutions without

your knowledge!– Covers services like Captives for op risks like workers comp

and external events.• Capital markets solution:

– In existence for some op risks, mostly external events.– Some op risks are securitized like CAT Bonds.– Cover both risk transfer and risk finance solutions. – More talk in the industry about op risk derivatives.



Yearly Profit/Internal

Controls

Self Mitigation: Annual Profits/Internal Controls

• Estimate distribution of op risk exposure:– Gross op risk exposure– Exposure net of internal control business factors – “internal

mitigant”• Regulation: FI must obtain an estimate of EOL:

– Expected and predictable average annual op risk losses for a given risk category.

– Can be covered by op risk “offsets” • Internal business practices.• Reserves if allowed by GAAP.• FI should compare cost of internal business practices and

average annual losses in order to maximize company value.



Purely Self Insurance

Self Insurance Mitigation

• Estimate distribution of op risk exposure:– Gross op risk exposure– Exposure net of internal control business factors – “internal

mitigant”• Regulation:

– FI must self insure to a 99.9% 1-yr VAR, UOL.– Existing regulatory rules - general rules - cover op risk indirectly in

the credit risk capital rule. • Traditionally, rule of thumb was that 20% of credit losses were

in fact operational risk, not credit risk.– If your bank is AMA or non AMA, you pay for op risk! – If AMA, op risk capital will be explicit, credit capital will be reduced.– If not AMA and not managing op risk, your credit capital will be

higher.

Self Insurance (AMA) vs. Insurance

• AMA Op risk capital:– Internal and external loss data with

recoveries of at least 5 years.– Control Environment– Scenarios for unexpected situations.

–Forward looking component of AMA.

– Dependence allowed only if can be justified.

• Other qualifying criteria:– Internal op risk group– Validation– Ongoing qualification– Documentation– Collection of loss data.

• Boundaries between credit and operational

– Treated as credit risk losses

• Underwriting of Insurance use the same elements:

– Company internal loss data.– External data from Insurance

industry loss database with loss development factors: recoveries extend more than 5 years.

– Forward looking assessment based on industry knowledge

– Brokers assess dependence through insurance quotes.

• Bank’s diversified risk groups:– internal risk management– Insurance brokers– IT/project management groups– Validation done annually when

insurance renews.– Already collecting loss data.

• Insurance underwriting would assess root cause.



Insurance

US Op Risk Requirements vs. Insurance

• Definition of op risk loss:– All expenses associated with

a loss event except:• Opportunity loss• Foregone revenues• Costs to

enhance/correct/prevent future op. risk events.

• No prescribed methodology:– Most banks use LDA.

• Op. Risk Capital is like self-insuring the risk.

• Insurance is to indemnify: – Regulatory definition of loss

is similar to insurance definition of loss.

• Insurers pricing methods:– ALL use LDA– EOL = Deductible – UOL = What insurers usually

pay.

• Insurance is contingent capital to your bank.

US Regulatory Limitations of Insurance

• Risk Based Capital Relief of insuring some op risk exposure, MAXIMUM of:– Op. Risk Exposure adjusted for qualifying op risk mitigant

minus offsets (if, any)– 80% * (op risk exposure – offset ).

• Implications:– If your institution is an AMA, regulatory relief of integrating

mitigant is limited but not the business benefit.– If your institution is not AMA, better managing op risk will

reduce your “indirect” op risk capital that is embedded in the credit capital through a better management of the premiums/costs of your traditional insurance overages.



ART

� A captive is a dynamic, flexible insurance tool that exists primarily to reduce the cost of a company’s overall exposure to retained risk by underwriting and funding selected risks of its parent and affiliates.

� Captives take many forms but most are single-parent entities that insure risks of their affiliates and sometimes related third parties

� Unless reinsurance markets are accessed, captives are NOT risk transfer vehicles.

� Not considered insurance companies by NAIC.

ART: Captive

22.6%

23%

Manufacturing

10.5%Utilities, Transport and Comms.

5%

All others 8.2%

Services (i.e. Education, Health, Legal, Recreation)

Finance, Insurance and Real Estate

23.2%

Construction

7.6%Retail Trade

Global Total: 1,386Source: AGIM 2006 Captive StatisticsNote: Industry sectors as per global SIC codes

Source: AGIM 2006 Captive Statistics

Client Captives by Industry

� Manage business risk exposures � Reduce the cost of risk retention� Provide difficult to obtain coverage: fill the gaps in

standard commercial insurance.� Augment capacity� Generate underwriting capacity� Co-ordinate international insurance programs� Capture insurance-related profits� Improve risk management especially for non

traditional risks are captives are tailored. � Achieve state tax efficiencies� Access reinsurance market.

Benefits of Captives

Enterprise Risk Advisory, LLC @

Types of Captives vs. Op Risk

• TRIA: External Events• Employee Personal Lines: People Risk• Property Risk: External Events • Environmental Liabilities: Legal risk of many op risk.• Product liability: Product flaws of op risk• Could tailor op risk to captives.



Insurance/

Capital Mkts

Capital Markets Solutions- Overview

Type Insurance Risk transfer: Securitization/ILS/Exotic Ins Structures/Op Risk Derivative

Contingent Capital (CAT Bond for liquidity)

Credit Quality Varies by counterparty

Collaterisation Varies by counterparty

Term One-year Single/multi yr. Single/multi yr.

Payment Trigger

Indemnity Index based Pre defined, timely issuance of securities

Covered Perils Virtually any op risk

Natural/man-made risks

Natural/man made risks.

Capital Markets Solution: Aon’s CLIP

Exposu re

Type of riskRetained exposures / capital

Group Capital Optimisation

Business level P&L Management

Insurance Programme

Overall operational risk capital

Captive

BU Deductibles

Capital optimisation

Catastrophic Loss Insurance Programme

Earnings volatility reduction

CLIP structure

• Key characteristics– Coverage linked to event types– Probability of coverage

• 70% - 80%– Policy duration

• Multi - year– Claims Protocol, addressing

• Clarity of coverage• Payment timeliness

– Minimum security rating A– Price driven by underlying exposures

Limited capacity Wording difficult to map In excess of 40 exclusions Negligible regulatory capital relief Performance

• Catastrophe excess solution• Access to significant capacity• Insuring clauses as per your

event types• Fewer exclusions• Claims protocol and broader

coverage • CatEPut provides capital

injection while insurance liability determined

• Maximum regulatory capital relief

Traditional Insurance vs. CLIP

817 1242 156

Loss event to claim Claim made to settlement Settlement to payment

Average period from Act Start to Payment: 2,215 days

817 1242 156



817 1242 156


Average period from Settlement to payment: 156 days


CLIPTraditional Insurance

Summary of Risk Transfer Solutions

Level of Exposure Risk Solution AdvantagesType of Exposure

Expected

Unexpected

Low

Medium

High

Catastrophic

Yearly Profits/Internal

controls

Operating Group focus Efficient

Yearly profits/controls/Art

Art, Self Insure, Insurance

Capital markets, government, insurance &

capital market hybrid

Cash flow

Diversification Pooling Established Mechanism Long-term Access to very large

pool of capital

Insurance Mitigation Optimization

“Severity is painful, frequency is lethal.”

Greg Case, CEO Aon World Insurance Forum, Dubai, March 2008

Qualitative Mapping:

• Benefits: – Reduce mismatch & uncertainty of payments → lower discounts of

insurance in the AMA calculations → lower regulatory capital.• How:

– Aligning op. risk and insurance terminologies.– Aligning your internal risk language and insurance policy wording.– Assess coverage taking into account exclusions to your

operational risk framework.– In some cases, insurance will cover more than the regulatory

definition of op risk. • Ex. Business Interruption insurance covers loss of business,

which is clearly excluded from the regulatory definition.– Take into account public sources of insurance as well:

• Workers Compensation• US Terrorism Coverage• US flood insurance

Ex. Of Mapping of Insurance to Op. Risk

3rd ~ PI, CyberCustomer Account Management3rd ~ PICustomer Intake, Documentation

3rd ~ PI, GLVendors & Suppliers3rd ~ PITrade Counter-parties

3rd ~ PIMonitoring & Reporting3rd ~ PITransaction Capture, Execution & MaintenanceExecution, Delivery & Process

Management

3rd ~ Cyber1st ~ Property, Cyber, BBBSystems FailureBusiness Disruption & Systems Failure1st ~ PropertyDisasters & Other EventsDamage to Physical Assets3rd ~ PI, CyberAdvisory Activities3rd ~ PISelection, Sponsorship & Exposure3rd ~ PI, GLProduct Flaws3rd ~ PI, Cyber, GLImproper Business / Market Practices3rd ~ PI, CyberSuitability, Disclosure & FiduciaryClients, Products & Business Practices3rd ~ PI, GLDiversity & Discrimination3rd ~ GLSafe Premises – Invitees3rd ~ EL, GLSafe Environment – Employees3rd ~ EPL, GLEmployee RelationsEmployment Practices & Workplace

Safety

3rd ~ PI1st ~ BBB, Cyber, PropertySystems Security3rd ~ PI1st ~ BBB, Cyber, PropertyTheft & fraudExternal Fraud3rd ~ PI1st ~ BBB, Cyber, PropertyTheft & fraud3rd ~ PI1st ~ BBB, UTUnauthorised activityInternal Fraud

Mapping to PoliciesEvent Type Level 2Event Type Level 1

3rd ~ PI, CyberCustomer Account Management3rd ~ PICustomer Intake, Documentation

3rd ~ PI, GLVendors & Suppliers3rd ~ PITrade Counter-parties

3rd ~ PIMonitoring & Reporting3rd ~ PITransaction Capture, Execution & MaintenanceExecution, Delivery & Process

Management

3rd ~ Cyber1st ~ Property, Cyber, BBBSystems FailureBusiness Disruption & Systems Failure1st ~ PropertyDisasters & Other EventsDamage to Physical Assets3rd ~ PI, CyberAdvisory Activities3rd ~ PISelection, Sponsorship & Exposure3rd ~ PI, GLProduct Flaws3rd ~ PI, Cyber, GLImproper Business / Market Practices3rd ~ PI, CyberSuitability, Disclosure & FiduciaryClients, Products & Business Practices3rd ~ PI, GLDiversity & Discrimination3rd ~ GLSafe Premises – Invitees3rd ~ EL, GLSafe Environment – Employees3rd ~ EPL, GLEmployee RelationsEmployment Practices & Workplace

Safety

3rd ~ PI1st ~ BBB, Cyber, PropertySystems Security3rd ~ PI1st ~ BBB, Cyber, PropertyTheft & fraudExternal Fraud3rd ~ PI1st ~ BBB, Cyber, PropertyTheft & fraud3rd ~ PI1st ~ BBB, UTUnauthorized activityInternal Fraud

Mapping to PoliciesEvent Type Level 2Event Type Level 1

Qualitative Insurance Mapping: Privacy Breach

• Events covered by the policy: – Costs of Computer Damage itself

• Maps to Business Disruption and systems failures exposure.

– Costs to notify and reimburse clients for losses– Costs to repair credit damage of clients– Costs to reimburse credit card companies– Costs to cover crisis management:

• creating websites• Set up call centers to inform the public• Hiring public relations firms• More coverage than regulatory op risk definition.

– Costs to cover litigation/fines of privacy laws/regulators• Not part of operational regulatory definition but would be

part of your compliance department!

• All would map External Fraud-Systems Security-Theft of Information exposures.

Quantitative Mapping:

• Assess frequency of op risk exposure and frequency of payment by insurance.

• This reflects policy wording and exclusions. • Insurance is based on fortuity.

• Assess severity of op risk loss to ultimate reimbursement by insurance. This is based on definition of covered op risk losses –single loss or aggregate loss - and by the insurance loss development factors.

• Some insurance coverage have better “hedge ratio” than others. – Ex. Flood insurance pays better than fraud related policies.

• Assess timing of op risk loss to timing of payment by insurance. – Insurance being based on indemnification, time necessary to

estimate loss.– Impact of insurance on your liquidity position.

69 237 24

0% 20% 40% 60% 80% 100%Loss event to claim Claim made to settlement Settlement to payment

Ex. of Payout Discount

• Analysis of historical Bankers’ Blanket Bond claims

Average period from loss event to payment: 330 days

Source: Aon claims data – 175 claims

Average period from settlement to payment: 24 days

Insurance Mitigation: Overall Mitigation Benefit

The tail may still be fat, but the curve is flatter

0 20

40

60

80

10

0 12

0 14

0 16

0 18

0 20

0 22

0 24

0

260

280

300

320

340

360

380

400

Post-MitigationPost-Management

Pre-Management

0%

1%

2%

3%

4%

5%

6%

7%

8%

9%

10%

11%

Distributionof Risks

Loss Value

OpRisk Measurement

Questions

Michel RochetteENTERPRISE RISK ADVISORY, [email protected]