OPERATIONAL RISK Issues & Challenges March 9, 2007 Partners in Risk & Compliance.

OPERATIONAL RISK

Issues & Challenges

March 9, 2007

Partners in Risk & Compliance

2Partners in Risk & Compliance

Table of Contents

ORM Framework and its Components

Single Biggest Challenge

Self Assessment – Issues & Challenges

KRI – Issues & Challenges

LDM – Issues & Challenges

AMA – Issues & Challenges


ORM Framework - Components

4. Risk Mitigation Programmes

Integrated Reporting ( SA, KRI & LDM),

New Product & Activity ( including Outsourcing)

BCP/DRP

Risk Causes

• Process• People• Systems• External

Even

t Fre

qu

en

cy

99.99%Confidence level

CATASTROPHICLOSS

Effect Severity

EXPECTED LOSS

UNEXPECTED LOSS

RISK

Risk Governance Operational Risk Definition/ Governance/ Policies

1. Self Assessments (SA)

Strategic Diagnostic Study

Risk & Control Self Assessment (RCSA )

Loss Provisioning

Gross Income Allocation to calculate capital under SA

Loss Data Capture

Loss Data Analysis

3. Loss Data Management (LDM)

Ris

k M

an

ag

em

en

t 2. Key Risk Indicator

Key Risk Indicator (KRI)

AMA Capital calculation using LDA, SBA & HMA

Internal Control Supervision

Risk Measurement


Single Biggest Challenge

“Operational risk is very different”

Market Risk Credit Risk Operational Risk

Risk Position

Quantifiable exposure

Yes Yes Difficult

Exposure measurePosition; risk

sensitivityMoney lent, Potential

exposure

Difficult – no ready equivalent position

available

CompletenessPortfolio

completenessKnown Known Unknown

Context dependency &

data

Context dependency Low Medium High

Data frequency High Medium Continuous

Relevance Measurement &

Validation

Applicable for departments

Treasury and Market risk

Credit DepartmentThrough out the

Bank

TestingAdequate data for

back testing

Back testing difficult to perform over

short term

Results very difficult to test over any time

horizon


Self Assessment Issues & Challenges

Decision for approach: Bottom up vs Top down

Rationalizing roles and responsibilities

Assigning responsibility and accountability for operational risk without impacting effectiveness and efficiency

Overlaps of ORM with other risk control areas such compliance, audit etc

Awareness among the employees of the bank with respect to the benefits of operational risk management

Creating blame free environment – encouragement to identify lacks in the existing controls


Self Assessment - Top Down Vs Bottom up

Pros

Easy of Implementation

Cons

Lacks granularity

Pros

Offers complete drill down of risk assessment

Cons

Misses “big picture”


Segregation of Roles & Responsibilities

BORMBORMBORM

Department 3Department 2Department 1Operational

Risk

Compliance

Audit

RP RP RP

Direct Reporting

Indirect Reporting

Working Relationship

BORM – Business Operational Risk Manager

RP - Representative

Business Line


Awareness & Change in Culture

Change of culture where people are encouraged to report risks rather than hide it

All business units should capture losses in a consistent framework rather than their individual way

Carrot / Stick approach

Monitoring & Learning

A Sense of evolution

PurposeA Sense of Direction

CapabilityA Sense of

competence

Commitment

A Sense of identity and values

Action


Key Risk Indicators - Issues & Challenges

Suitability and relevance of the KRI ( Quality over Quantity)

No means to consistently relate the occurrence of Loss events and the location of the problem

Plenty of indicative data is available in various MIS, but the relevance is never tested

Difficult in implementing across the organisation as it requires an interface with various source systems

To always represent a KRI from a system value is challenging, hence finding surrogates and the relevance of surrogates

Difficult to compare KRIs across different institutions with different trigger points and risk appetite

Difficult to estimate the trigger points of each identified KRI

No observable best practice


Relevance of KRI

System Down

Inappropriate reconciliation procedures

When a loss happened 80% 30%

System up System down Total

Loss 20 80 100

No Loss 1,000 9,000 10,000

Total 1020 9,080 10,100

P (L) Given system down = 80/9080= 0.88%

P (L) Given system up = 20/1020 = 1.96%

When no loss happened

90% 30%


Interface with source systems and surrogate findingHaving Interface with so many systems and also finding the appropriate metric which represents the “key Risk” is a challenge. Finding surrogates to represent “Key Risks” has become a normal phenomenon

KRI(May or may not represent the Key Risk

which is supposed to be

reflected by the indicator)

CENTRAL

SOURCESYSTEM

ETL layer(for

values of KRI)

Treasury

Kondor Global +

Capital Market System

Kondor Plus

Relationship (Collateral) Management System

(RMS)

Loan System

Central Liability Tracking System

NPA System

Murabaha Finance System

Letter of Credit System

Letter of Guarantee System

Accounting System

HR System


Loss Data Management - Issues & Challenges

Setting up a consistent loss data collection process

Creating blame free environment – encouragement to report losses

Threshold determination

Lack of adequate internal loss history

The sanctity of the available data as it is not in sync with the actual booked losses

Differentiating between event (loss incident ) and a non event ( near miss)

Difference of opinion in defining loss events and near misses

Difference of opinion in treating the recovery


Threshold Determination

Determining threshold for capture of losses

Once a threshold is decided, mostly losses are not reported at the estimated loss amount is just below the threshold amount

Not deciding the threshold and capturing all losses is also Herculean as many insignificant events populate the loss database which are irrelevant and already factored in the cost of doing business

Different accounting treatment for both loss and recovery and hence the reconciliation problems


Event vs Non Event

If the full recovery happens within 5 days ( for example) the event is considered to be a non event

Full recovery after 5 days is also considered to be a non event and classified as rapidly recovered loss

Different accounting treatment for both loss and recovery and hence the reconciliation problems

Many banks also classify the non event as near misses, on the other hand there are banks who independently define near misses and keep it separate from non events

Some banks also keep the recovery option open for ever and even if the recovery happens after years it is not included as a loss as it is recovered

Lack of consistent guidelines for capture and treatment of internal losses, hence cannot be compared across internationally active banks


AMA Issues & Challenges

AMA must use all four input factors:

Internal data :

The challenges associated with the collection of internal loss data

External Data:

No proper guidance on use of external data

No specific rules for making the external data relevant for the bank

Scenario Analysis:

No established market standards

Can be done either by developing internal scenarios or using external scenarios

Business Environment & Internal control factors

Not directly integrated in the loss distribution

No proper rules or benchmark for validating correlation assumptions among various events

Capital figures cannot be compared across banks internationally


Linkages among the Building Blocks

Loss Data Mgmt

Group Risk

Business Unit /Line Management Objectives/Processes

Risk Events

Self Assessment

Key RiskIndicators

ControlsTest Results

Action Plan

Analysis & Case Management

Control Effectiveness, Testing & Findings

Preventing Losses

Risk Governance Framework

Findings

Risk & Control Self Assessment

(Bottom up)

Strategic Diagnostic (Top Down)

Regular Monitoring &

Reporting

Thank you

Confidentiality clause

This document is confidential. No part of it may be circulated or reproduced outside without express approval of Aptivaa Consulting.© Aptivaa Consulting 2007.

OPERATIONAL RISK Issues & Challenges March 9, 2007 Partners in Risk & Compliance.

Documents

Transcript of OPERATIONAL RISK Issues & Challenges March 9, 2007 Partners in Risk & Compliance.