Internal Loss Data
A Regulator’s Perspective
AON Operational Risk Symposium
Australian Prudential Regulation Authority
17 April 2008
1. Why Collect ILD
1. Tailored Insurance
2. Risk Management
3. Capital Management
2. Collection Techniques
1. Policies and Procedures
2. How ILD is Collected
4. Allocation to Business lines
4. Key Issues
Why Collect ILD?
As a result of Basel II, complex banks wishing to implement the Advanced
Measurement Approach (AMA) for operational risk capital have embedded the
collection of Internal Loss Data (ILD) into their risk management practices. ILD is a
valuable resource because it is the closest data representation of an institutions
internal loss profile and provides insight into the risk appetite of the bank and the
effectiveness of any controls in place.
Institutions who calculate operational risk regulatory capital (ORRC) using APRA’s
Standardised Approach (SA) are not required to collect ILD for the purposes of
capital calculation, however many other benefits can be obtained from the
collection of internal data, such as:
• Tailored insurance policies
• Improved risk management practices
• Help in the development of capital management
Operational risk insurance policies tend to
cover a wide range of loss categories that
may not be relevant to all institutions
(e.g. Bankers Blanket Bond). Using ILD,
institutions are in a better position to
tailor insurance contracts to meet their
individual risk profiles.
Collecting ILD enables both complex and
INSURANCE simple institutions to demonstrate their
POLICY key risk areas to insurance providers. By
using observed losses to back up their
claims, institutions may be able to obtain
a more relevant and comprehensive
insurance policy tailored to the major
risks of the institution.
Emerging Risk Mitigation Products
As a direct result of the AMA process, new products have entered the market to cater
for the increased demand for operational risk mitigation. There are essentially three
classes of products available:
• Modified Insurance Policies –Existing insurance policies have been modified to
include fewer exclusions, dispute resolution procedures and arbitration
timescales to reduce the uncertainty of claim payment.
• Third Party ‘Wrappers’ – Provides access to another parties’ capital to provide
liquidity in case of a loss, which is repayable on insurance payout.
• Capital Market Products- Risk mitigation is achieved by replacing traditional
insurance policies with bond products (e.g. catastrophe bonds).
For a bank to obtain reductions in their regulatory capital requirements, the risk
transfer arising from the use of risk mitigation products must be approved by APRA.
Many institutions still rely heavily on qualitative measures and judgements to monitor
and control their operational risk exposure. Over the recent past, the number of
large scale unexpected operational risk losses has created some unease about the
soundness of traditional operational risk management practices. As such, ILD can help
improve the risk management practices of an institution as it allows for the
identification, measurement and analysis of historical data, to assist in the
identification of emerging trends in an institutions’ loss profile.
Trends, benchmarks and budgets feed into Key Risk Indicators (KRIs) and other
Business Environment and Internal Control Factors (BEICFs) to allow for the
identification of emerging risks and the proactive management of an institution’s risk
An embedded risk management culture ensures staff are on the lookout for loss
events which helps contribute to the prevention and reduction of potential future
Example - Event Type Analysis
Int – Internal Fraud
Ext – External Fraud
DPA – Damage to Physical Assets
EP&WS – Employment Practices and
BD&SF – Business Disruption and System
ED&PM – Execution Delivery and Process
100 1,000 10,000 100,000 CP&BP – Clients Products and Business
No. of Losses Practices
This is an example of a type of loss data analysis that can assist institutions to identify major
•The size of the bubble represents the total impact of losses from that Business Line.
•The position of the bubble on the impact axis represents the average impact of each loss.
•The position of the bubble on the frequency axis represents how many data points have
been collected for that business line. 7
Just as AMA accredited banks use ILD in
the determination of their operational risk
$ $ regulatory capital, ILD may be a useful
reference in the development of the
Internal Capital Adequacy Assessment
$ Process (ICAAP).
APS110–Capital Management stipulates
that an institution must have “adequate
systems and procedures to identify,
measure, monitor and manage the risks
arising from the ADI’s activities on a
continuous basis to ensure that capital is
held at a level consistent with the ADI’s
risk profile.”1 The collection of operational
risk losses may help in the identification of
major risks areas and aid in the
transparency of the capital management
1 APS110 – Section 6a
Example - Risky Business
AS – Agency Services
AM – Asset Management
•CF CB – Commercial Banking
CF – Corporate Finance
RB – Retail Banking
P&S – Payments and
$10,000 T&S – Trading and Sales
100 1,000 10,000 100,000
O - Other
No. of Losses
This is an example of a type of loss data analysis that can assist institutions identify which
areas of their business are prone to losses, and consequently require more capital and
focussed risk management.
• The size of the bubble represents the total impact of losses from that Business Line.
• The position of the bubble on the impact axis represents the average impact of each loss.
• The position of the bubble on the frequency axis represents how many data points have
been collected for that business line. 9
When establishing loss collection policies and
procedures, the complexity of the data
collection system should be commensurate with
the demands of the data. Additionally, data
collection systems should be flexible enough
that they are able to adapt to the changing
needs of the institution.
For data collection to be effective,
comprehensive policies and procedures need to
be embedded into the culture of the
organisation. These policies become a reference
point for staff when recording a loss to ensure
consistency, accuracy and completeness.
ILD Policies generally provide guidance on all
matters concerning the recording of loss events;
including the definition of an operational risk
loss event, loss amount, and event type
allocation guidance etc.
How ILD is Collected
AMA Institutions have generally collected ILD for both internal purposes and the
calculation of regulatory capital. In APS115, APRA has defined what information is
required to be recorded for the calculation of regulatory capital. Institutions recording
data for internal purposes are able to tailor their data collection to suit their own needs.
Institutions generally record the following characteristics for each Operational Risk Loss:
•Gross Loss amount- The loss amount before any recoveries from insurance.
•Date of event- Institutions have recorded one or a combination of the date the
loss occurred, the discovery date or the accounting date.
•Descriptive information- Manual enrichment by business units adds valuable
qualitative information, such as the cause of the loss and the failed controls.
•The Classification of the loss- Once the data is collected institutions have had to
classify the loss into one (or more) of the Basel BU/Risk type combinations.
•The Nature of the Loss- Credit Risk and Market Risk related losses should be
flagged to ensure correct treatment in capital calculation.
Challenges in Collecting ILD
The nature and quality of operational risk
data collected by institutions directly
affects the outcome of any quantification
or risk management decisions.
During the accreditation process it was
evident that AMA applicants were
experiencing similar problems in regard to
the treatment of losses in their operational
risk loss databases. Issues were generally
related to the characteristics of the data,
i.e how it is collected and used. Institutions
developing data capture systems face
decisions regarding the scope of data,
thresholds used, allocation mechanisms and
Scope of Internal Data
Institutions developing and implementing
their operational risk loss policies and
procedures must set clear rules around the
scope of the ILD the institution wishes to
Given the general scarcity of operational
risk data, institutions may choose to collect
near miss and rapid recovery data as a
useful input into risk management and
measurement procedures, particularly
input into KRIs and scenario analysis.
A precise definition of what constitutes as a
near miss and rapid recovery is required to
ensure consistency, especially if no actual
loss is incurred.
Loss Collection Thresholds
A loss collection threshold is the level above
which all operational risk data must be
collected and recorded in the internal loss
When setting the threshold level, institutions
should first consider the purpose of the data
and how different thresholds will affect its
overall usability. Institutions should be aware
of the trade-off between the added benefits
of collecting smaller losses and the cost of
collecting such information.
Generally thresholds should be set using
robust empirical methods rather than
subjective means. However, given the initial
lack of data available to conduct empirical
analysis, a well reasoned threshold is
acceptable in the short term.
Allocation to Business Lines
A single operational risk event may result in losses
occurring in multiple business lines and event types.
Inconsistencies may arise when losses are entered into
the system and there is no single business unit/risk
type combination to assign to the loss.
Institutions must develop specific criteria for allocating
losses arising from an operational risk loss event that
spans more than one business line1. To maintain
consistency, most AMA institutions have generally
allocated the full loss amount to the business line/risk
type with the largest exposure.
It is important for institutions who do allocate single
event losses to multiple business lines to identify such
losses in the database for risk measurement and
1 APS115 – Attachment B Paragraph 25
Validation of ILD
Validation of ILD encompasses both the
review and assessment of data integrity and
comprehensiveness. An annual review of the
data is essential to ensure reliability of the
data and effectiveness of internal controls1.
To maintain consistency, some institutions
have made use of a centralised function to
input the general data information, then
relying on business units to assist with the
details (such as control failures etc).
Institutions have generally relied upon manual
validation techniques such as general ledger
reconciliation and audit reviews. Institutions
should incorporate automatic data
verification into the data input facility,
limiting the amount of manual validation
1 APS 115 Attachment B Paragraph 14
• Collecting internal operational risk data creates
many benefits for institutions including;
• Tailored insurance policies
• Improved risk management
• Capital management
• The sophistication of the data capture system
should be commensurate with the use of the
• Sound policies and procedures need to be
embedded into the risk management culture of
the organisation to ensure consistent and
accurate reporting of losses.
• Key challenges in collecting ILD include;
• Scope of data thresholds chosen
• Allocation of losses