Lecture 16 Operational Risk Management. A growing desire has emerged to organize the components of...

Lecture 16

Operational Risk Management

• A growing desire has emerged to organize the components of operational risk into what Hubner et al. (2003) call a “coherent structural framework”

• Haubenstock (2003) identifies the components of the operational risk framework as:

• (i) strategy,

• (ii) process,

• (iii) infrastructure, and

• (iv) the environment

Strategy:

• development of a risk management strategy;

• development of risk management culture;

• definition of management roles and responsibilities;

• ensuring that an appropriate management and control structure is in place

The risk management framework: Process

• The process involves the day-to-day activities required to understand and manage operational risk, given the chosen strategy.

• The process consists of

• (i) risk and control identification,

• (ii) risk measurement and monitoring,

• (iii) risk control/mitigation, and

• (iv) process assessment and evaluation.

Process: Risk and control identification

• Risk identification starts with the definition of operational risk to provide a broad context for potential threats

• The best way to identify risk is to talk to people who live with it on a daily basis

• The degree of risk is typically defined as frequency and severity, rated either qualitatively or quantitatively

• Mestchian (2003) suggests a decomposition of operational risk into process, people risk, technology, and external risk

• These risks can then be identified as low, medium, or high in different business activities, as in the table on the next slide, or by frequency and severity, as in Figure 2 on the slide after that

Risk identification

Risk assessment of activities

ORF: Process - Identification

• Risk identification should also include monitoring of the external environment and industry trends, as new risks emerge continuously

• (ii) Control identification

• The identification of controls is part of the identification process, as it complements the identification of risk.

• Controls include:

– management oversight,

– information processing,

– activity monitoring,

– automation,

– process controls,

– segregation of duties,

– performance indicators,

– and policy and procedures

The control framework defines the appropriate approach to controlling each identified risk

(iii) Risk mitigators

• Risk mitigators include

– training,

– insurance programs,

– diversification and

– outsourcing

• Insurance, which is a means of risk control/mitigation, is typically applied against the large exposures where a loss would cause a charge to earnings greater than that acceptable in the risk appetite

• For the purpose of risk identification, the Federal Reserve System (1997) advocates a three-fold risk-rating scheme that includes (i) inherent risk, (ii) risk controls, and (iii) composite risk.

• Inherent risk (or gross risk) is the level of risk without consideration of risk controls, residing at the business unit level

• Inherent risk depends on (i) the level of activity relative to the firm’s resources, (ii) number of transactions, (iii) complexity of activity, and (iv) potential loss to the firm

• Composite risk (or residual risk or net risk) is the risk remaining after accounting for inherent risk and risk mitigating controls

• The Federal Reserve System (1997) provides a matrix that shows the composite risk based on the strength of risk management (weak, acceptable, strong) and the inherent risk of the activity (low, moderate, high)

• For example, when weak risk management is applied to low inherent risk, the resulting risk is low/moderate composite risk

• On the other extreme, when strong risk management is applied to high inherent risk, the composite risk will be moderate/high

• An illustration is given in the figure on the next slide

The FRS’s classification of inherent and composite risks

• (iv) Risk measurement

• As risks and controls are identified, risk measurement provides insight into the magnitude of exposure, how well controls are operating and whether exposures are changing and consequently require attention

• The borderline between identification and measurement is not clear; however, Haubenstock (2003) identifies the following items as relevant to the measurement of operational risk

• a. Risk drivers, which are measures that drive the inherent risk profile and changes in which indicate changes in the risk profile

• These include transaction volumes, staff levels, customer satisfaction, market volatility, the level of automation

• b. Risk indicators, which are a broad category of measures used to monitor the activities and status of the control environment of a particular business area for a given risk category.

• The difference between drivers and indicators is that the former are ex ante whereas the latter are ex post

• Examples of risk indicators are profit and loss breaks, failed trades and settlements and systems reliability

• c. The loss history, which is important for three reasons: (i) loss data are needed to create or enhance awareness at multiple levels of the firm; (ii) they can be used for empirical analysis; and (iii) they form the basis for the quantification of operational risk capital

• d. Causal models, which provide the quantitative framework for predicting potential losses.

• These models take the history of risk drivers, risk indicators and loss events and develop the associated multivariate distributions.

• The models can determine which factor(s) have the highest association with losses

• e. Capital models, which are used to estimate regulatory capital as envisaged by Basel II.

• f. Performance measures, which include the coverage of the self-assessment process, issues resolved on time, and percentage of issues discovered as a result of the self-assessment process

• (v) Reporting

• Reporting is an important element of measurement and monitoring

• A key objective of reporting is to communicate the overall profile of operational risk across all business lines and types of risk.

• There are two alternative ways of reporting to a central database as shown in Figure

• One way is indirect reporting where there is a hierarchy in the reporting process, which can be arranged on a geographical basis.

• Otherwise, direct reporting is possible where every unit reports directly to a central database

• Reporting methods:

• Checklists are probably the most common approach to self-assessment

• Structured questionnaires are distributed to business areas to help them identify their level of risk and related controls

• The response would indicate the degree to which a given risk affects their areas.

• It would also give some indication of the frequency and severity of the risk and the level of risk control that is already in place

• The narrative approach is also used to ask business areas to define their own objectives and the resulting risks

• The workshop approach skips the paperwork and gets people to talk about their risks, controls, and the required improvements

• Lam (2003b) identifies two schools of thought with regard to quantitative and qualitative measures of risk

• (i) the one believing that what cannot be measured cannot be managed, hence the focus should be on quantitative tools

• and (ii) the other, which does not accept the proposition that operational risk can be quantified effectively, hence the focus should be on qualitative approaches

• Lam (2003b) warns of the pitfalls of using one approach rather than the other, stipulating that “the best practice operational risk management incorporates elements of both”.

(vi) Risk control/mitigation

• When risk has been identified and measured, there are a number of choices in terms of the actions that need to be taken to control or mitigate risk

• These include (i) risk avoidance, (ii) risk reduction, (iii) risk transfer, and (iv) risk assumption (risk taking)

• Risk avoidance can be quite difficult and may raise questions about the viability of the business in terms of the risk-return relation

• A better alternative is risk reduction, which typically takes the form of risk control efforts as it may involve tactics ranging from business re-engineering to staff training as well as various less extensive staff and/or technical solutions.

• Cost-benefit analysis may be used to assist in structuring decisions and to prevent the business from being controlled out of profit

People issues

• the relevant type and calibre of people are available;

• there are adequate levels of training and development of the staff;

• the staff have the skill levels that are appropriate to the tasks assigned to them

Technology issues

• adequate systems to support the various product lines;

• systems are available for management information and reporting;

• there is communication infrastructure to support the operation;

• data warehouses that allow integration and consolidation of information and data across the organization;

• tools and systems available for managing market risk across the organization

• enterprise-wide credit monitoring and credit risk management systems.

Themes in risk management framework

• There are four fundamental themes that are critical for establishing and maintaining a comprehensive and effective risk management framework

• 1. The ultimate responsibility for risk management must be with the board of directors. They need to ensure that organization structure, culture, people and systems are conducive to effective risk management. The requirements for risk management must be defined and established by those charged with overall responsibility for running the business

• 2. The board and executive management must recognize a wide variety of risk types, and ensure that the control framework adequately covers all of these. As well as including market and credit risks, it should include operations, legal, reputation and human resources risks, that do not readily lend themselves to measurement

• 3. The support and control functions, such as the back and middle offices, internal audit, compliance, legal, IT and human resources, need to be an integral part of the overall risk management framework

• 4. Risk management objectives and policies must be a key driver of the overall business strategy, and must be implemented through supporting operational procedures and controls.

• Operational risk can be minimized in a number of ways: Internal control methods consist of

1. Separation of functions: Individuals responsible for committing transactions should not perform clearance and accounting functions

2. Dual entries: Entries (inputs) should be matched from two different sources, that is, the trade ticket and the confirmation by the back office.

3. Reconciliations: Results (outputs) should be matched from different sources, for instance the trader’s profit estimate and the computation by the middle office

4. Tickler systems: Important dates for a transaction (e.g., settlement, exercise dates) should be entered into a calendar system that automatically generates a message before the due date.

• Controls over amendments: Any amendment to original deal tickets should be subject to the same strict controls as original trade tickets.

External control methods consist of

1. Confirmations: Trade tickets need to be confirmed with the counterparty, which provides an independent check on the transaction.

2. Verification of prices: To value positions, prices should be obtained from external sources. This also implies that an institution should have the capability of valuing a transaction in-house before entering it.

3. Authorization: The counterparty should be provided with a list of personnel authorized to trade, as well as a list of allowed transactions.

4. Settlement: The payment process itself can indicate if some of the terms of the transaction have been incorrectly recorded, for instance, as the first cash payments on a swap are not matched across counterparties.

5. Internal/external audits: These examinations provide useful information on potential weakness areas in the organizational structure or business process.
