Javed H Siddiqi, CRO, Soneri Bank Ltd
Operational Risk & Basel II
April 9, 2023
Defining & Understanding Operational Risk
“Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.”
-Basel Committee on Banking Supervision
Other Risks
Credit Risk
Market Risk
Operational risk
What risks are we talking about??
A loan goes bad!
Bank suffers losses on outstanding forward contracts.
“More than 80% of our Credit risk is really just Operational risk.”
Senior Risk Officer,
Large German Bank
If a severe operational risk event is accounted for under credit risk, the loss may very well be reported, and the economic capital number may even be adjusted to help ensure appropriate capital coverage. However, this is unlikely to lead to appropriate management decisions. The resulting (incorrect) credit risk increase will almost certainly result in a reduction of loans in a region or to an industry sector or client – but seldom will result in the credit process redesign that is actually needed.
Basel II – Evolution of Ops Risk
1988 Capital Accord
Too simplistic
Subject to manipulations
Encouraged more risk taking
Leading banks, using sophisticated models, realized that they were ‘over capitalized’ and lobbied for a more risk sensitive capital framework.
The New Accord
Basel II is based on the fundamental principle that risk capital should be based on level of risk (i.e., risk sensitive).
Incentive: requiring banks to hold capital based on their actual level of risk would give banks an incentive to reduce their level of risk.
Lessons from past experience (in market risk): risk measurement improves risk management.
Basel II: Three Pillars
Minimum Capital Requirements
Supervisory Review
Market Discipline
Providing a flexible, risk-sensitive capital management framework
Minimum Capital Requirement: Risk-weighted Exposures
Market Risk (no change): risk of losses in on and off balance sheet positions arising from movements in market prices
Credit Risk (major changes): potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms
Operational Risk (new element added): risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or external events
PILLAR 1: Minimum Capital Requirements
PILLAR 2: Supervisory Review
PILLAR 3: Market Discipline
Risk Weights
Definition of Capital
Credit Risk
Operational Risk
Market Risk
Standardized Approach
Internal Ratings Based Approach
Asset Securitization
Basic Indicator Approach
Standardized Approach
Advanced Measurement Approach
Foundation Approach
Advanced Approach
Standardized Approach
Internal Ratings Based Approach
Alternate Standardized Approach
Balance the flexibility and freedom given to banks
Basic Indicator: based upon an institutional Gross Income (Alpha). Minimum for all banks.
Standardized: based upon Business Line Gross Income (Beta). Minimum for large banks.
Advanced: based upon Loss Distribution Approach, Scenarios or Risk Drivers & Controls. Target for leading banks.
But also requires adherence to a set of “Sound Practices”
Basel II – SBP Guidelines
Basic Indicator Approach
Under BIA the capital charge for operational risk is a fixed percentage of average positive annual gross income of the bank over the past three years.
Gross income is defined as the sum of net interest income and net non-interest income and shall be arrived at before accounting for:
(i) provisions, including those for credit impairment; (ii) operating expenses; (iii) realized profits/losses from the sale of securities; (iv) extraordinary items; (v) income derived from insurance.
No qualifying criteria, but banks are expected to follow SBP guidelines on risk management.
The Standardized Approach
Banks are divided into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage.
Within each business line, gross income serves as a proxy for the scale of business operations and thus the operational risk exposure.
The capital charge for each business line is calculated by multiplying gross income by a factor (denoted beta) assigned to that business line.
The total capital charge is calculated as the three-year average of the simple summation of the regulatory capital charges across each of the business lines in each year.
The Standardized Approach
Business Lines Beta Factors
Corporate finance 18%
Trading and sales 18%
Retail banking 12%
Commercial banking 15%
Payment and settlement 18%
Agency services 15%
Asset management 12%
Retail brokerage 12%
The Alternative Standardized Approach
Under the ASA, the operational risk capital charge/methodology is the same as for the Standardized Approach except for two business lines – retail banking and commercial banking. For these business lines, loans and advances, multiplied by a fixed factor ‘m’, replace gross income as the exposure indicator.
$K_{RB} = \beta_{RB} \times m \times LA_{RB}$
Where
$K_{RB}$ is the capital charge for the retail banking business line
$\beta_{RB}$ is the beta for the retail banking business line
$LA_{RB}$ is total outstanding retail loans and advances (non-risk weighted and gross of provisions), averaged over the past three years, and
$m$ is a constant, the value of which is 0.035
Under the ASA, banks may aggregate retail and commercial banking (if they wish to) using a beta of 15%. Similarly, those banks that are unable to disaggregate their gross income into the other six business lines can aggregate the total gross income for these six business lines using a beta of 18%, with negative gross income treated as described above.
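The Standardized and Alternative Standardized calculations described above, as an added worked example that is not part of the original slides. The beta table and m = 0.035 come from this page; flooring a negative yearly aggregate at zero follows the Basel II framework text and is not stated on the slides, and every income and loan figure is constructed.

```python
"""Operational risk capital charge under TSA and ASA (added example)."""

# Beta factors per business line, taken from the table on this page.
BETAS = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}
M = 0.035  # fixed factor 'm' from the ASA formula on this page
LOAN_BASED_LINES = ("retail_banking", "commercial_banking")


def yearly_charge(gross_income, lines=None):
    """Sum of beta x gross income over the selected business lines for one year."""
    unknown = set(gross_income) - set(BETAS)
    if unknown:
        raise ValueError(f"unknown business line(s): {sorted(unknown)}")
    selected = BETAS if lines is None else lines
    return sum(BETAS[line] * gross_income.get(line, 0.0) for line in selected)


def three_year_average(years, lines=None):
    """Average the yearly charges over exactly three years.

    Assumption (Basel II framework text, not on the slides): losses in one
    line may offset other lines within a year, but a year whose aggregate
    charge is negative contributes zero. Applying the same floor to the six
    income-based lines under the ASA is also an assumption of this example.
    """
    if len(years) != 3:
        raise ValueError("exactly three years of gross income are required")
    return sum(max(yearly_charge(y, lines), 0.0) for y in years) / 3


def tsa_charge(years):
    """The Standardized Approach: all eight lines use gross income."""
    return three_year_average(years)


def asa_charge(years, avg_loans):
    """Alternative Standardized Approach.

    Retail and commercial banking use K = beta x m x LA, where LA is the
    three-year average of outstanding loans and advances; the other six
    lines are charged on gross income as under the TSA.
    """
    income_lines = [l for l in BETAS if l not in LOAN_BASED_LINES]
    income_part = three_year_average(years, income_lines)
    loan_part = sum(BETAS[l] * M * avg_loans[l] for l in LOAN_BASED_LINES)
    return income_part + loan_part


def sample_years():
    """Constructed gross income by business line for three years (millions)."""
    base = {
        "corporate_finance": 100.0, "trading_and_sales": 200.0,
        "retail_banking": 500.0, "commercial_banking": 300.0,
        "payment_and_settlement": 50.0, "agency_services": 20.0,
        "asset_management": 40.0, "retail_brokerage": 10.0,
    }
    year2 = dict(base, trading_and_sales=-400.0)   # trading loss, year stays positive
    year3 = dict(base, trading_and_sales=-1500.0)  # trading loss drives the year negative
    return [base, year2, year3]


# Constructed three-year average loans and advances (millions).
SAMPLE_AVG_LOANS = {"retail_banking": 8000.0, "commercial_banking": 6000.0}

if __name__ == "__main__":
    years = sample_years()
    for i, y in enumerate(years, 1):
        print(f"year {i} aggregate charge: {yearly_charge(y):8.1f}")
    print(f"TSA capital charge: {tsa_charge(years):.1f}")
    print(f"ASA capital charge: {asa_charge(years, SAMPLE_AVG_LOANS):.1f}")
```

In the constructed data the third year's aggregate is negative, so only two years contribute to the TSA numerator while the divisor stays at three.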
Advanced Measurement Approach
Under the AMA, the regulatory capital requirement will equal the risk measure generated by the internal operational risk measurement system of institutions, using the quantitative and qualitative criteria for the AMA.
TSA – Qualifying Criteria
BoD oversight.
Separate Operational Risk management function.
Tracking ops loss data
System of reporting ops risk exposure
Well documented ORM, with policies and procedures.
Periodic review to validate the ORM
Regular review by external auditors.
AMA – Quantitative Standards
SBP is not specifying the approach or distributional assumptions used to generate the operational risk measure for regulatory capital purposes. However, a bank must be able to demonstrate that its approach captures potentially severe ‘tail’ loss events.
The AMA soundness standard provides significant flexibility to banks in the development of an operational risk measurement and management system. However, in the development of these systems, banks must have and maintain rigorous procedures for operational risk model development and independent model validation.
AMA – Detailed Criteria
Any internal operational risk measurement system must be consistent with the scope of operational risk and the loss event types defined in the document.
Capital requirement as the sum of expected loss (EL) and unexpected loss (UL), unless the bank can demonstrate that it is adequately capturing EL in its internal business practices.
The risk measurement system must be sufficiently ‘granular’ to capture the major drivers of operational risk affecting the shape of the tail of the loss estimates.
The bank must validate its correlation assumptions using appropriate quantitative and qualitative techniques.
AMA – Detailed Criteria Cont’d
Any operational risk measurement system must have certain key features, including the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems.
A bank needs to have a credible, transparent, well-documented and verifiable approach for weighting these fundamental elements in its overall operational risk measurement system.
AMA – Internal Loss Data tracking
Internal loss data is most relevant when it is clearly linked to the institution’s current business activities, technological processes and risk management procedures.
Assessing the on-going relevance of historical loss data, including those situations in which judgment overrides, scaling, or other adjustments may be used.
Minimum five-year observation period of internal loss data. When the bank first moves to the AMA, a three-year historical data window is acceptable.
A bank must be able to map its historical internal loss data into the relevant level 1 supervisory categories.
The internal loss data must be comprehensive in that it captures all material activities and exposures from all appropriate sub-systems and geographic locations.
A bank must have an appropriate de minimis gross loss threshold for internal loss data collection.
Aside from information on gross loss amounts, a bank should collect information about the date of the event, any recoveries of gross loss amounts, as well as some descriptive information about the drivers or causes of the loss event.
Treatment of Operational risk losses that are related to credit risk
Operational risk losses that are related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital and will therefore be subject to the operational risk capital charge.
AMA – External Data
The operational risk measurement system of a bank must use relevant external data (either public data and/or pooled industry data), especially when there is reason to believe that the bank is exposed to infrequent, yet potentially severe, losses.
External data should include data on actual loss amounts, information on the scale of business operations where the event occurred, and information on the causes and circumstances of the loss events to assess the relevance of the loss event for other banks.
A bank must have a systematic process for determining the situations for which external data must be used and the methodologies used to incorporate the data (e.g. scaling, qualitative adjustments etc.).
AMA – Scenario analysis
A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.
Scenario analysis should be used to assess the impact of deviations from the correlation assumptions embedded in the bank’s operational risk measurement framework, in particular, to evaluate potential losses arising from multiple simultaneous operational risk loss events.
AMA – Business environment and internal control factors
In addition to using loss data, whether actual or scenario-based, an institution’s firm-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile.
These factors will make an institution’s risk assessments more forward-looking and more directly reflect the quality of the bank’s control and operating environments.
AMA – Risk Mitigation
Under the AMA, banks are allowed to recognize the risk mitigating impact of insurance in the measures of operational risk used for regulatory minimum capital requirements. The recognition of insurance mitigation will be limited to 20% of the total operational risk capital charge calculated under the AMA.
The ability to take advantage of such risk mitigation will depend on compliance with certain criteria.
AMA-Uses and misuses of Loss Data
Fundamental problem
“In the field of operational risk management, it’s hard to find good data. Internal loss data seem to be insufficient and external loss data are affected by reporting biases and numerous idiosyncratic factors”
Major issues with loss data
Most institutions don’t have a lot of internal loss data.
Many operational loss data sets have very “long tails”.
In summary, internal data is insufficient to be used in a meaningful manner.
To address this problem, many institutions have chosen to supplement their internal loss data with external loss data.
Problems with external loss data - Pooled
Idiosyncratic factors: size, controls, culture, business processes, legal environment and geographic location
Problems with external loss data - Public
Reporting biases
Misreporting
Non reporting
Threshold
Lack of necessary details
Problems with external loss data
Does this mean external data is ‘useless’? No! The insurance industry has been successfully using external data to calculate expected loss rates and the volatility (confidence intervals) around these estimates.
This suggests that there may be scientific ways of addressing these data problems.
Analysis of a typical set of internal data
If you were to take the internal data from a bank with many years of loss experience and plot it as a histogram, it would probably resemble the graphical illustration in the previous slide.
This histogram reveals the following facts: that the loss data are collected above a certain threshold, that there is a distinct “body” and “tail” to this distribution, and that the tail region contains a number of “outliers.”
The figure actually represents two different risk classes.
The body consists mainly of execution errors (primarily high-frequency/low-severity losses), and the tail consists mainly of losses from other (primarily low-frequency/high-severity) risk classes.
However, if one were to examine data from the high-severity classes in a large external loss database, one would observe that the data in these data sets are continuously distributed. In other words, these so-called outliers actually do follow a distribution of their own.
However, if we were limited to using internal data alone, we would have to wait several thousand years (in a static risk environment) to get to that distribution.
Analysis of external data
There are, broadly speaking, three types of external data — public data, insurance data and consortium data.
Public Data
These data are drawn from publicly available information: newspaper reports, regulatory filings, legal judgments, etc.
Contain size based reporting bias.
Because of this reporting bias, one cannot extrapolate frequency or severity parameters directly from the data.
Insurance Data
Insurance data represent losses that have been submitted as claims to insurance companies.
These data are captured only in risk classes where the insurance company has offered insurance coverage.
Vendor does not reveal the identity of the firms that experienced the losses.
Consortium Data
These are pooled sets of internal data submitted by member organizations.
The advantage of consortium over public data is that consortium data are not subject to public (media) reporting biases.
Disadvantages are:
In some organizations, internal reporting is not yet comprehensive;
because consortium data are obtained from many organizations, categorization tends to be less consistent.
Consortium data represents only a subset of the loss data universe.
“Relevance” in the Context of External Data
Basel II requires that banks use “relevant” external data in their models.
To make external loss data relevant in connection with the bank’s internal loss data, the following points need to be considered.
Cautiously consider scaling individual loss data to the size of one’s institution.
Be wary of scaling individual losses to the quality of one’s internal control environment.
Don’t try and select “relevant” data points from an external database based on the question, “Could this loss happen to me, given my internal control structure?”.
Think carefully before selecting “relevant” data points from an external database based on the question, “Is this organization similar to my organization in terms of control quality?”
Categorizing Operational Losses
Transaction
Inadequate Supervision
Reputation
Insufficient Training
Compliance
Poor Management
Execution
Information
Relationship
Unauthorized Activities
Legal
Fixed Cost Structures
Settlement
Key man
Theft
Fraud
Fiduciary
Customer
Business Interruption
Technological
Lack of Resources
Criminal
Rogue Trader
Physical Assets
Sales Practices
People
‘Event’ based categorization
The BIS framework is designed to be an event based approach.
While the risk universe consists of three independent dimensions (causes, events, consequences), it’s more logical to look at ops losses in a cause/effect matrix framework.
Such an approach helps evolve better, valid and consistent controls.
CAUSES
Inadequate segregation of duties
Insufficient training
Lack of management supervision
Inadequate auditing procedures
Inadequate security measures
Poor systems design
Poor HR policies
EVENTS
Internal Fraud
External Fraud
Employment Practices & Workplace Safety
Clients, Products & Business Practices
Damage to Physical Assets
Business Disruption & System Failures
Execution, Delivery & Process Management
CONSEQUENCES
EFFECTS (Monetary Losses)
Legal Liability
Regulatory, Compliance & Taxation Practices
Loss or Damage to Assets
Restitution
Loss of Resources
Write-down
OTHER IMPACTS (Forgone Income)
Reputation
Business Interruption
Managing Ops Risk
An operational risk framework
Operational risk strategy comprises both the “top-down” process of capital allocation and clear guidance for the “bottom-up” processes of risk identification, assessment, management, reporting and supervision, and governance arrangements that constitute the management framework.
Setting the risk tolerance/risk appetite
Bottom up and top down approaches.
Organizational Structure
Two key goals need to be reflected in an organizational structure for operational risk:
The agreement that operational risk cannot be confined to specific organizational units (unlike market risk) but remains largely the responsibility of line managers and some defined special or support functions (such as IT, HR, legal, internal audit, or compliance).
The division of duties among management, an (often to be established) independent risk management function, and internal audit.
OPERATIONAL RISK GOVERNANCE ROLES AND RESPONSIBILITIES
Reporting
Ops risk reporting has to cover two distinct aspects:
Delivery of defined, relevant operational risk information to management and risk control
Reporting of information aggregated by risk category to business line management, the board and the risk committee.
Whereas the first type of information contains predominantly “raw” data such as losses, near misses, indicators, and risk assessment results, the second reflects aggregated, structured, and often analyzed information designed to provide each level of management with what it needs to enable better operational risk management.
Reporting Framework
Definitions, Linkages, and Structures
The development of definitions, linkages, and structures can help enable banks to efficiently identify, assess, and report such operational risk-related information. Definitions, linkages, and structures thus form the basis of consistent databases that can help enable banks to maintain data that remains meaningful over time.
The endeavor helps to clarify the scope of operational risk and avoid differing interpretations as well as identify sub-categories and boundaries with other areas of risk (especially credit and market).
Finally, comparisons between different sources of information (e.g., risk assessment, loss data collection, key risk indicators) can be conducted on a consistent basis, which leads to the ability to draw more powerful conclusions from the otherwise probably too-sparse data.
Risk assessment
Risk assessment provides banks with a qualitative approach to identifying potential risks of a primarily severe nature.
As a tool that helps enable identification, risk assessment picks up where loss data collection leaves off. Indeed, it helps fill the knowledge gap left by backward looking and often sparse loss data and attempts to establish risk-sensitive and forward-looking identification of operational risk.
The basic structure of a risk assessment is universal: a set of matrices identifying and assessing operational risk and its subcomponents in terms of likelihood and impact of occurrence, based on a defined risk appetite.
Risk assessment – A typical risk profile
Key Risk Indicators
The bank should assess aspects of operational risk based on key risk indicators (KRIs) – factors that may provide early warning signals on systems, processes, products, people, and the broader environment.
Monitoring should also look at broader business related KPIs, to have a better understanding of the future direction of the bank and related risks.
The monitoring mechanism should be devised in such a way that it enables the cross-referral of KRIs and makes for easy identification of correlations.
The monitoring must show the KPIs as trends and not just as one-off figures. What is of interest to management is the ways in which the KPIs change over time and not just the absolute figures.
KRIs – a scorecard approach
‘Standards’ based approach to Ops risk
There are mature frameworks from other industries upon which the processes of Operational Risk Management could be based.
In particular, there are two risk management standards - AS/NZS 4360/2004 and COSO/ERM – that, alone or in combination, could satisfy the requirements of Basel II for systems that are ‘conceptually sound’; and
The adoption of operational risk management processes that are based on proven, practical and usable standards, should reduce the overall costs to the industry of complying with Basel II.
The AS/NZS 4360: 2004 Framework
The AS/NZS 4360: 2004 Risk Management Process
Seven main ‘elements’:
Establish the Context: for strategic, organisational and risk management and the criteria against which business risks will be evaluated.
Identify Risks: that could “prevent, degrade, delay or enhance” the achievement of an organisation’s business and strategic objectives.
Analyse Risks: consider the range of potential consequences and the likelihood that those consequences could occur.
Evaluate Risks: compare risks against the firm’s pre-established criteria and consider the balance between potential benefits and adverse outcomes.
Treat Risks: develop and implement plans for increasing potential benefits and reducing potential costs of those risks identified as requiring to be ‘treated’.
Monitor and Review: the performance and cost effectiveness of the entire risk management system and the progress of risk treatment plans with a view to continuous improvement through learning from performance failures and deficiencies.
Communicate and Consult: with internal and external ‘stakeholders’ at each stage of the risk management process.
The COSO ERM Framework
The COSO Enterprise Risk Management (ERM) – Integrated Framework defines ERM as a process, “effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The COSO/ERM Framework consists of eight ‘components’ organized by four ‘objectives’: Strategic; Operations; Reporting; and Compliance. As befits an ‘enterprise’ or ‘portfolio’ approach to risk management, the third dimension of this ERM matrix/cube is organizational: Subsidiary; Business Unit; Division, and Entity.
The eight ‘components’ of the ERM process are (COSO 2004):
Internal Environment: establishing the ‘tone’ of an organization, including “risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate”.
Objective Setting: ensuring that “management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite”.
Event Identification: identifying internal and external events that could impact the achievement of a firm’s objectives (both positively and negatively).
Risk Assessment: analysing risks “considering likelihood and impact, as a basis for determining how they should be managed.”
Risk Response: selecting ‘risk responses’ and developing “a set of actions to align risks with the entity’s risk tolerances and risk appetite”.
Control Activities: establishing and implementing policies and procedures “to help ensure the risk responses are effectively carried out.”
Information and Communication: identifying, capturing and communicating information that is relevant “in a form and timeframe that enable people to carry out their responsibilities.”
Monitoring: monitor the risk management process itself, modifying it as necessary.
Basel II and the standard frameworks
Basel II identifies the responsibilities of the independent Operational Risk Management function as “developing strategies to identify, assess, monitor and control/mitigate operational risk”. These responsibilities map directly onto the AS/NZS 4360 and COSO frameworks as shown in the table in the next slide.
Advantages of adopting a Standards Based Framework
Cost Savings Risk Reduction Training and Education Resources Independent Expertise IT Systems Outsourcing
Basel II - Challenges & pitfalls
Challenges
Organizational Sponsorship
Business Line Buy-in and Resources
Coordination with Existing Control Initiatives
Development of Loss Databases
Well-Designed Methodologies and Models
Access to Appropriate Information and Reporting
Mistaking Operational Risk for Market or Credit Risk
Pitfalls
Waiting for the regulators to provide detailed guidance and lay out an implementation road map
Failing to make the link between information, technology, risk management and the business
Attempting to build a Basel II infrastructure without data and technical architecture road maps
Underestimating the magnitude of cultural change that Basel II requires
THANKS!