Operational Risk & Basel II

Javed H Siddiqi, CRO, Soneri Bank Ltd

April 9, 2023

Defining & Understanding Operational Risk

“Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.”

- Basel Committee on Banking Supervision


Other Risks

Credit Risk

Market Risk

Operational risk


What risks are we talking about??

A loan goes bad!

Bank suffers losses on outstanding forward contracts.


“More than 80% of our Credit risk is really just Operational risk.”

Senior Risk Officer,

Large German Bank


If a severe operational risk event is accounted for under credit risk, the loss may very well be reported, and the economic capital number may even be adjusted to help ensure appropriate capital coverage. However, this is unlikely to lead to appropriate management decisions. The resulting (incorrect) credit risk increase will almost certainly result in a reduction of loans in a region or to an industry sector or client – but seldom will result in the credit process redesign that is actually needed.

Basel II – Evolution of Ops Risk

1988 Capital Accord

- Too simplistic
- Subject to manipulations
- Encouraged more risk taking
- Leading banks, using sophisticated models, realized that they were ‘over capitalized’ and lobbied for a more risk sensitive capital framework.

The New Accord

- Basel II is based on the fundamental principle that risk capital should be based on level of risk (i.e., risk sensitive).
- Incentive: requiring banks to hold capital based on their actual level of risk would give banks an incentive to reduce their level of risk.
- Lessons from past experience (in market risk): risk measurement improves risk management.

Basel II: Three Pillars

- Minimum Capital Requirements
- Supervisory Review
- Market Discipline

Providing a flexible, risk-sensitive capital management framework

Minimum Capital Requirement

Risk-weighted Exposures

- Market Risk (no change): risk of losses in on and off balance sheet positions arising from movements in market prices
- Credit Risk (major changes): potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms
- Operational Risk (new element added): risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or external events

PILLAR 1: Minimum Capital Requirements

PILLAR 2: Supervisory Review

PILLAR 3: Market Discipline

Risk Weights; Definition of Capital

Credit Risk; Operational Risk; Market Risk

Standardized Approach; Internal Ratings Based Approach; Asset Securitization

Basic Indicator Approach; Standardized Approach; Advanced Measurement Approach

Foundation Approach; Advanced Approach

Standardized Approach; Internal Ratings Based Approach

Alternate Standardized Approach

Balance the flexibility and freedom given to banks

- Basic Indicator: based upon an institutional Gross Income Alpha. Minimum for all banks.
- Standardized: based upon Business Line Gross Income Beta. Minimum for large banks.
- Advanced: based upon Loss Distribution Approach, Scenarios or Risk Drivers & Controls. Target for leading banks.

But also requires adherence to a set of “Sound Practices”


Basel II – SBP Guidelines

Basic Indicator Approach

- Under BIA the capital charge for operational risk is a fixed percentage of average positive annual gross income of the bank over the past three years.
- Gross income is defined as the sum of net interest income and net non-interest income and shall be arrived at before accounting for: (i) provisions, including those for credit impairment; (ii) operating expenses; (iii) realized profits/losses from the sale of securities; (iv) extraordinary items; (v) income derived from insurance.
- No qualifying criteria, but banks are expected to follow SBP guidelines on risk management.

The Standardized Approach

- Banks' activities are divided into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage.
- Within each business line, gross income serves as a proxy for the scale of business operations and thus the operational risk exposure.
- The capital charge for each business line is calculated by multiplying gross income by a factor (denoted beta) assigned to that business line.
- The total capital charge is calculated as the three-year average of the simple summation of the regulatory capital charges across each of the business lines in each year.

The Standardized Approach: beta factors

Business Lines            Beta Factors
Corporate finance         18%
Trading and sales         18%
Retail banking            12%
Commercial banking        15%
Payment and settlement    18%
Agency services           15%
Asset management          12%
Retail brokerage          12%

The Alternative Standardized Approach

Under the ASA, the operational risk capital charge/methodology is the same as for the Standardized Approach except for two business lines – retail banking and commercial banking. For these business lines, loans and advances – multiplied by a fixed factor ‘m’ – replaces gross income as the exposure indicator.

K_RB = β_RB × m × LA_RB

Where:

- K_RB is the capital charge for the retail banking business line
- β_RB is the beta for the retail banking business line
- LA_RB is total outstanding retail loans and advances (non-risk weighted and gross of provisions), averaged over the past three years
- m is a constant, the value of which is 0.035

Under the ASA, banks may aggregate retail and commercial banking (if they wish to) using a beta of 15%. Similarly, those banks that are unable to disaggregate their gross income into the other six business lines can aggregate the total gross income for these six business lines using a beta of 18%, with negative gross income treated as described above.
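The Standardized Approach and ASA calculations described above, worked through as an added example that is not part of the original presentation. The income and loan figures are constructed; the zero floor on a negative yearly total comes from the Basel II text rather than this page, and adding the loan-based charges to the TSA average of the remaining six lines is an assumption of this example.

```python
"""Operational-risk capital charge under TSA and ASA (added example)."""

# Beta factors per business line, from the table on this page.
BETA = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}
M = 0.035  # fixed factor 'm' from the ASA formula on this page
ASA_LINES = ("retail_banking", "commercial_banking")


def _require_three_years(years):
    if len(years) != 3:
        raise ValueError("expected exactly three years of data")


def yearly_charge(indicator_by_line, floor=True):
    """Sum beta x exposure indicator over the business lines of one year.

    Negative gross income in one line offsets the other lines. With
    floor=True a negative yearly total counts as zero (rule taken from the
    Basel II text, not stated on this page).
    """
    unknown = set(indicator_by_line) - set(BETA)
    if unknown:
        raise ValueError(f"unknown business line(s): {sorted(unknown)}")
    total = sum(BETA[line] * value for line, value in indicator_by_line.items())
    return max(total, 0.0) if floor else total


def tsa_charge(gross_income_years, floor=True):
    """TSA: three-year average of the yearly sums across business lines."""
    _require_three_years(gross_income_years)
    return sum(yearly_charge(year, floor) for year in gross_income_years) / 3


def asa_charge(gross_income_years, loans_years):
    """ASA: K = beta x m x LA for retail and commercial banking, where LA is
    the three-year average of loans and advances; TSA for the other lines."""
    _require_three_years(gross_income_years)
    _require_three_years(loans_years)
    k_loans = 0.0
    for line in ASA_LINES:
        avg_la = sum(year.get(line, 0.0) for year in loans_years) / 3
        k_loans += BETA[line] * M * avg_la
    # Gross income of the two loan-based lines is dropped; the rest go via TSA.
    other_lines = [
        {line: gi for line, gi in year.items() if line not in ASA_LINES}
        for year in gross_income_years
    ]
    # Assumption of this example: the two components are simply added.
    return k_loans + tsa_charge(other_lines)


# Constructed sample data (millions), one dict per year, oldest first.
# Year 2 carries a trading loss large enough to make the yearly total negative.
GROSS_INCOME = [
    {"retail_banking": 300.0, "commercial_banking": 200.0, "trading_and_sales": 100.0},
    {"retail_banking": 320.0, "commercial_banking": 220.0, "trading_and_sales": -600.0},
    {"retail_banking": 340.0, "commercial_banking": 240.0, "trading_and_sales": 150.0},
]
LOANS = [
    {"retail_banking": 4000.0, "commercial_banking": 3000.0},
    {"retail_banking": 4500.0, "commercial_banking": 3000.0},
    {"retail_banking": 5000.0, "commercial_banking": 3600.0},
]

if __name__ == "__main__":
    print(f"TSA charge (yearly floor at zero): {tsa_charge(GROSS_INCOME):.1f}")
    print(f"TSA charge (no floor, for contrast): {tsa_charge(GROSS_INCOME, floor=False):.1f}")
    print(f"ASA charge: {asa_charge(GROSS_INCOME, LOANS):.1f}")
```

The contrast between the floored and unfloored TSA figures shows how much a single loss-making year would otherwise pull the charge down.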


Advanced Measurement Approach

Under the AMA, the regulatory capital requirement will equal the risk measure generated by the internal operational risk measurement system of institutions, using the quantitative and qualitative criteria for the AMA.


TSA – Qualifying Criteria

- BoD oversight.
- Separate Operational Risk management function.
- Tracking ops loss data.
- System of reporting ops risk exposure.
- Well documented ORM, with policies and procedures.
- Periodic review to validate the ORM.
- Regular review by external auditors.


AMA – Quantitative Standards

- SBP is not specifying the approach or distributional assumptions used to generate the operational risk measure for regulatory capital purposes. However, a bank must be able to demonstrate that its approach captures potentially severe ‘tail’ loss events.
- The AMA soundness standard provides significant flexibility to banks in the development of an operational risk measurement and management system. However, in the development of these systems, banks must have and maintain rigorous procedures for operational risk model development and independent model validation.


AMA – Detailed Criteria

- Any internal operational risk measurement system must be consistent with the scope of operational risk and the loss event types defined in the document.
- The capital requirement is calculated as the sum of expected loss (EL) and unexpected loss (UL), unless the bank can demonstrate that it is adequately capturing EL in its internal business practices.
- The risk measurement system must be sufficiently ‘granular’ to capture the major drivers of operational risk affecting the shape of the tail of the loss estimates.
- The bank must validate its correlation assumptions using appropriate quantitative and qualitative techniques.


- Any operational risk measurement system must have certain key features, including the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems.
- A bank needs to have a credible, transparent, well-documented and verifiable approach for weighting these fundamental elements in its overall operational risk measurement system.


AMA – Internal Loss Data tracking

- Internal loss data is most relevant when it is clearly linked to the institution’s current business activities, technological processes and risk management procedures.
- Assessing the on-going relevance of historical loss data, including those situations in which judgment overrides, scaling, or other adjustments may be used.
- Minimum five-year observation period of internal loss data. When the bank first moves to the AMA, a three-year historical data window is acceptable.


- A bank must be able to map its historical internal loss data into the relevant level 1 supervisory categories.
- The internal loss data must be comprehensive in that it captures all material activities and exposures from all appropriate sub-systems and geographic locations.
- A bank must have an appropriate de minimis gross loss threshold for internal loss data collection.
- Aside from information on gross loss amounts, a bank should collect information about the date of the event, any recoveries of gross loss amounts, as well as some descriptive information about the drivers or causes of the loss event.


- Treatment of operational risk losses that are related to credit risk
- Operational risk losses that are related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital and will therefore be subject to the operational risk capital charge.


AMA – External Data

- The operational risk measurement system of a bank must use relevant external data (either public data and/or pooled industry data), especially when there is reason to believe that the bank is exposed to infrequent, yet potentially severe, losses.
- External data should include data on actual loss amounts, information on the scale of business operations where the event occurred, and information on the causes and circumstances of the loss events, to assess the relevance of the loss event for other banks.
- A bank must have a systematic process for determining the situations for which external data must be used and the methodologies used to incorporate the data (e.g. scaling, qualitative adjustments etc.).


AMA – Scenario analysis

- A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.
- Scenario analysis should be used to assess the impact of deviations from the correlation assumptions embedded in the bank’s operational risk measurement framework, in particular, to evaluate potential losses arising from multiple simultaneous operational risk loss events.


AMA – Business environment and internal control factors

In addition to using loss data, whether actual or scenario-based, an institution’s firm-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile.

These factors will make an institution’s risk assessments more forward-looking and more directly reflect the quality of the bank’s control and operating environments.


AMA – Risk Mitigation

Under the AMA, banks are allowed to recognize the risk mitigating impact of insurance in the measures of operational risk used for regulatory minimum capital requirements. The recognition of insurance mitigation will be limited to 20% of the total operational risk capital charge calculated under the AMA.

The ability to take advantage of such risk mitigation will depend on compliance with certain criteria.


AMA – Uses and misuses of Loss Data

Fundamental problem

“In the field of operational risk management, it’s hard to find good data. Internal loss data seem to be insufficient and external loss data are affected by reporting biases and numerous idiosyncratic factors”


Major issues with loss data

- Most institutions don’t have a lot of internal loss data.
- Many operational loss data sets have very “long tails”.
- In summary, internal data is insufficient to be used in a meaningful manner.
- To address this problem, many institutions have chosen to supplement their internal loss data with external loss data.


Problems with external loss data - Pooled

Idiosyncratic factors: size, controls, culture, business processes, legal environment and geographic location


Problems with external loss data - Public

- Reporting biases
- Misreporting
- Non-reporting
- Threshold
- Lack of necessary details


Problems with external loss data

- Does this mean external data is ‘useless’? No!
- The insurance industry has been successfully using external data to calculate expected loss rates and the volatility (confidence intervals) around these estimates.
- This suggests that there may be scientific ways of addressing these data problems.


Analysis of a typical set of internal data

If you were to take the internal data from a bank with many years of loss experience and plot it as a histogram, it would probably resemble the graphical illustration in the previous slide.

This histogram reveals the following facts: that the loss data are collected above a certain threshold, that there is a distinct “body” and “tail” to this distribution, and that the tail region contains a number of “outliers.”


- The figure actually represents two different risk classes: the body consists mainly of execution errors (primarily high-frequency/low-severity losses), and the tail consists mainly of losses from other (primarily low-frequency/high-severity) risk classes.
- However, if one were to examine data from the high-severity classes in a large external loss database, one would observe that the data in these data sets are continuously distributed. In other words, these so-called outliers actually do follow a distribution of their own.
- However, if we were limited to using internal data alone, we would have to wait several thousand years (in a static risk environment) to get to that distribution.


Analysis of external data

There are, broadly speaking, three types of external data: public data, insurance data and consortium data.

Public data

- These data are drawn from publicly available information: newspaper reports, regulatory filings, legal judgments, etc.
- Contain size-based reporting bias.
- Because of this reporting bias, one cannot extrapolate frequency or severity parameters directly from the data.

Insurance data

- Insurance data represent losses that have been submitted as claims to insurance companies.
- These data are captured only in risk classes where the insurance company has offered insurance coverage.
- Vendor does not reveal the identity of the firms that experienced the losses.


Consortium data

- These are pooled sets of internal data submitted by member organizations.
- The advantage of consortium over public data is that consortium data are not subject to public (media) reporting biases.
- Disadvantages are:
  - In some organizations, internal reporting is not yet comprehensive.
  - Because consortium data are obtained from many organizations, categorization tends to be less consistent.
  - Consortium data represents only a subset of the loss data universe.


“Relevance” in the Context of External Data

Basel II requires that banks use “relevant” external data in their models.

To make external loss data relevant in connection with the bank’s internal loss data, the following points need to be considered:

- Cautiously consider scaling individual loss data to the size of one’s institution.
- Be wary of scaling individual losses to the quality of one’s internal control environment.
- Don’t try and select “relevant” data points from an external database based on the question, “Could this loss happen to me, given my internal control structure?”

- Think carefully before selecting “relevant” data points from an external database based on the question, “Is this organization similar to my organization in terms of control quality?”


Categorizing Operational Losses

Transaction

Inadequate Supervision

Reputation

Insufficient Training

Compliance

Poor Management

Execution

Information

Relationship

Unauthorized Activities

Legal

Fixed Cost Structures

Settlement

Key man

Theft

Fraud

Fiduciary

Customer

Business Interruption

Technological

Lack of Resources

Criminal

Rogue Trader

Physical Assets

Sales Practices

People


‘Event’ based categorization

- The BIS framework is designed to be an event-based approach, while the risk universe consists of three independent dimensions: causes, events, consequences.
- It’s more logical to look at ops losses in a cause/effect matrix framework.
- Such an approach helps evolve better, valid and consistent controls.


Causes

- Inadequate segregation of duties
- Insufficient training
- Lack of management supervision
- Inadequate auditing procedures
- Inadequate security measures
- Poor systems design
- Poor HR policies

Events

- Internal Fraud
- External Fraud
- Employment Practices & Workplace Safety
- Clients, Products & Business Practices
- Damage to Physical Assets
- Business Disruption & System Failures
- Execution, Delivery & Process Management

Consequences

- Legal Liability
- Regulatory, Compliance & Taxation Practices
- Loss or Damage to Assets
- Restitution
- Loss of Resources
- Write-down
- Reputation
- Business Interruption

Effects: Monetary Losses

Other impacts: Forgone Income


Managing Ops Risk

An operational risk framework


- An operational risk strategy comprises both the “top-down” process of capital allocation and clear guidance for the “bottom-up” processes of risk identification, assessment, management, reporting and supervision, and governance arrangements that constitute the management framework.
- Setting the risk tolerance/risk appetite
- Bottom-up and top-down approaches


Organizational Structure

Two key goals need to be reflected in an organizational structure for operational risk:

- The agreement that operational risk cannot be confined to specific organizational units (unlike market risk) but remains largely the responsibility of line managers and some defined special or support functions (such as IT, HR, legal, internal audit, or compliance).
- The division of duties among management, an (often to be established) independent risk management function, and internal audit.


OPERATIONAL RISK GOVERNANCE ROLES AND RESPONSIBILITIES


Reporting

Ops risk reporting has to cover two distinct aspects:

- Delivery of defined, relevant operational risk information to management and risk control
- Reporting of information aggregated by risk category to business line management, the board and the risk committee

Whereas the first type of information contains predominantly “raw” data such as losses, near misses, indicators, and risk assessment results, the second reflects aggregated, structured, and often analyzed information designed to provide each level of management with what it needs to enable better operational risk management.


Reporting Framework



Definitions, Linkages, and Structures

- The development of definitions, linkages, and structures can help enable banks to efficiently identify, assess, and report such operational risk-related information. Definitions, linkages, and structures thus form the basis of consistent databases that can help enable banks to maintain data that remains meaningful over time.
- The endeavor helps to clarify the scope of operational risk and avoid differing interpretations as well as identify sub-categories and boundaries with other areas of risk (especially credit and market).
- Finally, comparisons between different sources of information (e.g., risk assessment, loss data collection, key risk indicators) can be conducted on a consistent basis, which leads to the ability to draw more powerful conclusions from the otherwise probably too-sparse data.


Risk assessment

- Risk assessment provides banks with a qualitative approach to identifying potential risks of a primarily severe nature.
- As a tool that helps enable identification, risk assessment picks up where loss data collection leaves off. Indeed, it helps fill the knowledge gap left by backward-looking and often sparse loss data and attempts to establish risk-sensitive and forward-looking identification of operational risk.
- The basic structure of a risk assessment is universal: a set of matrices identifying and assessing operational risk and its subcomponents in terms of likelihood and impact of occurrence, based on a defined risk appetite.

Risk assessment – A typical risk profile


Key Risk Indicators

- The bank should assess aspects of operational risk based on key risk indicators (KRIs): factors that may provide early warning signals on systems, processes, products, people, and the broader environment.
- Monitoring should also look at broader business-related KPIs, to have a better understanding of the future direction of the bank and related risks.
- The monitoring mechanism should be devised in such a way that it enables the cross-referral of KRIs and makes for easy identification of correlations.


- The monitoring must show the KPIs as trends and not just as one-off figures. What is of interest to management is the ways in which the KPIs change over time and not just the absolute figures.

KRIs – a scorecard approach


‘Standards’ based approach to Ops risk

- There are mature frameworks from other industries upon which the processes of Operational Risk Management could be based.
- In particular, there are two risk management standards, AS/NZS 4360:2004 and COSO/ERM, that, alone or in combination, could satisfy the requirements of Basel II for systems that are ‘conceptually sound’.
- The adoption of operational risk management processes that are based on proven, practical and usable standards should reduce the overall costs to the industry of complying with Basel II.


The AS/NZS 4360: 2004 Framework


The AS/NZS 4360: 2004 Risk Management Process

Seven main ‘elements’:

- Establish the Context: for strategic, organisational and risk management and the criteria against which business risks will be evaluated.
- Identify Risks: that could “prevent, degrade, delay or enhance” the achievement of an organisation’s business and strategic objectives.
- Analyse Risks: consider the range of potential consequences and the likelihood that those consequences could occur.
- Evaluate Risks: compare risks against the firm’s pre-established criteria and consider the balance between potential benefits and adverse outcomes.


- Treat Risks: develop and implement plans for increasing potential benefits and reducing potential costs of those risks identified as requiring to be ‘treated’.
- Monitor and Review: the performance and cost effectiveness of the entire risk management system and the progress of risk treatment plans with a view to continuous improvement through learning from performance failures and deficiencies.
- Communicate and Consult: with internal and external ‘stakeholders’ at each stage of the risk management process.


The COSO ERM Framework

- The COSO Enterprise Risk Management (ERM) – Integrated Framework defines ERM as a process, “effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
- The COSO/ERM Framework consists of eight ‘components’ organized by four ‘objectives’: Strategic; Operations; Reporting; and Compliance. As befits an ‘enterprise’ or ‘portfolio’ approach to risk management, the third dimension of this ERM matrix/cube is organizational: Subsidiary; Business Unit; Division, and Entity.


The eight ‘components’ of the ERM process are (COSO 2004):

- Internal Environment: establishing the ‘tone’ of an organization, including “risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate”.
- Objective Setting: ensuring that “management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite”.
- Event Identification: identifying internal and external events that could impact the achievement of a firm’s objectives (both positively and negatively).
- Risk Assessment: analysing risks “considering likelihood and impact, as a basis for determining how they should be managed.”
- Risk Response: selecting ‘risk responses’ and developing “a set of actions to align risks with the entity’s risk tolerances and risk appetite”.
- Control Activities: establishing and implementing policies and procedures “to help ensure the risk responses are effectively carried out.”
- Information and Communication: identifying, capturing and communicating information that is relevant “in a form and timeframe that enable people to carry out their responsibilities.”
- Monitoring: monitor the risk management process itself, modifying it as necessary.


Basel II and the standard frameworks

Basel II identifies the responsibilities of the independent Operational Risk Management function as “developing strategies to identify, assess, monitor and control/mitigate operational risk”. These responsibilities map directly onto the AS/NZS 4360 and COSO frameworks as shown in the table in the next slide.


Advantages of adopting a Standards Based Framework

- Cost Savings
- Risk Reduction
- Training and Education Resources
- Independent Expertise
- IT Systems
- Outsourcing


Basel II - Challenges & pitfalls

Challenges

- Organizational Sponsorship
- Business Line Buy-in and Resources
- Coordination with Existing Control Initiatives
- Development of Loss Databases
- Well-Designed Methodologies and Models
- Access to Appropriate Information and Reporting
- Mistaking Operational Risk for Market or Credit Risk


Pitfalls

- Waiting for the regulators to provide detailed guidance and lay out an implementation road map
- Failing to make the link between information, technology, risk management and the business
- Attempting to build a Basel II infrastructure without data and technical architecture road maps
- Underestimating the magnitude of cultural change that Basel II requires


THANKS!