Internal Loss Data A Regulator's Perspective by fym21946


									Internal Loss Data
A Regulator’s Perspective

AON Operational Risk Symposium

Harvey Crapp
Australian Prudential Regulation Authority
17 April 2008


1. Why Collect ILD
    1.   Tailored Insurance
    2.   Risk Management
    3.   Capital Management

2. Collection Techniques
    1.   Policies and Procedures
    2.   How ILD is Collected

3. Challenges
    1.   Scope
    2.   Thresholds
    3.   Validation
    4.   Allocation to Business lines

4. Key Issues
Why Collect ILD?

As a result of Basel II, complex banks wishing to implement the Advanced
Measurement Approach (AMA) for operational risk capital have embedded the
collection of Internal Loss Data (ILD) into their risk management practices. ILD is a
valuable resource because it is the closest data representation of an institutions
internal loss profile and provides insight into the risk appetite of the bank and the
effectiveness of any controls in place.

Institutions who calculate operational risk regulatory capital (ORRC) using APRA’s
Standardised Approach (SA) are not required to collect ILD for the purposes of
capital calculation, however many other benefits can be obtained from the
collection of internal data, such as:

    • Tailored insurance policies
    • Improved risk management practices
    • Help in the development of capital management

Tailored Insurance

                            Operational risk insurance policies tend to
                            cover a wide range of loss categories that
                            may not be relevant to all institutions
                            (e.g. Bankers Blanket Bond). Using ILD,
                            institutions are in a better position to
                            tailor insurance contracts to meet their

                            individual risk profiles.

                            Collecting ILD enables both complex and
   INSURANCE                simple institutions to demonstrate their
     POLICY                 key risk areas to insurance providers. By
                            using observed losses to back up their
                            claims, institutions may be able to obtain
                            a more relevant and comprehensive
                            insurance policy tailored to the major
                            risks of the institution.

Emerging Risk Mitigation Products

  As a direct result of the AMA process, new products have entered the market to cater
  for the increased demand for operational risk mitigation. There are essentially three
  classes of products available:

       • Modified Insurance Policies –Existing insurance policies have been modified to
         include fewer exclusions, dispute resolution procedures and arbitration
         timescales to reduce the uncertainty of claim payment.

       • Third Party ‘Wrappers’ – Provides access to another parties’ capital to provide
         liquidity in case of a loss, which is repayable on insurance payout.

       • Capital Market Products- Risk mitigation is achieved by replacing traditional
         insurance policies with bond products (e.g. catastrophe bonds).

  For a bank to obtain reductions in their regulatory capital requirements, the risk
  transfer arising from the use of risk mitigation products must be approved by APRA.

Risk Management

Many institutions still rely heavily on qualitative measures and judgements to monitor
and control their operational risk exposure. Over the recent past, the number of
large scale unexpected operational risk losses has created some unease about the
soundness of traditional operational risk management practices. As such, ILD can help
improve the risk management practices of an institution as it allows for the
identification, measurement and analysis of historical data, to assist in the
identification of emerging trends in an institutions’ loss profile.

Trends, benchmarks and budgets feed into Key Risk Indicators (KRIs) and other
Business Environment and Internal Control Factors (BEICFs) to allow for the
identification of emerging risks and the proactive management of an institution’s risk

An embedded risk management culture ensures staff are on the lookout for loss
events which helps contribute to the prevention and reduction of potential future

         Example - Event Type Analysis
                                                                                        Int – Internal Fraud
                                                                                        Ext – External Fraud

                                                                                        DPA – Damage to Physical Assets

                                                                                        EP&WS – Employment Practices and
                                                                                        Workplace Safety

         $100,000                                                   •ED&PM

                                                                                        BD&SF – Business Disruption and System
                          •DPA                                         •Ext
                                                                                        ED&PM – Execution Delivery and Process
                    100          1,000                     10,000             100,000   CP&BP – Clients Products and Business
                                           No. of Losses                                Practices

This is an example of a type of loss data analysis that can assist institutions to identify major
•The size of the bubble represents the total impact of losses from that Business Line.
•The position of the bubble on the impact axis represents the average impact of each loss.
•The position of the bubble on the frequency axis represents how many data points have
been collected for that business line.                                                                                    7
Capital Management

                        Just as AMA accredited banks use ILD in
                        the determination of their operational risk
            $       $   regulatory capital, ILD may be a useful
                        reference in the development of the
                        Internal Capital Adequacy Assessment
            $           Process (ICAAP).
        $       $
                        APS110–Capital Management stipulates
                        that an institution must have “adequate
                        systems and procedures to identify,
                        measure, monitor and manage the risks
                        arising from the ADI’s activities on a
                        continuous basis to ensure that capital is
                        held at a level consistent with the ADI’s
                        risk profile.”1 The collection of operational
                        risk losses may help in the identification of
                        major risks areas and aid in the
                        transparency of the capital management
                        1   APS110 – Section 6a
  Example - Risky Business

                                                                           AS – Agency Services
                                                                           AM – Asset Management
                           •CF                                             CB – Commercial Banking
                                                                           CF – Corporate Finance

                                                                           RB – Retail Banking
                                          •P&S                 •RB
                                                                           P&S – Payments and
                                             •O                            Settlement

              $10,000                                                      T&S – Trading and Sales
                     100          1,000               10,000     100,000
                                                                           O - Other
                                          No. of Losses

This is an example of a type of loss data analysis that can assist institutions identify which
areas of their business are prone to losses, and consequently require more capital and
focussed risk management.
• The size of the bubble represents the total impact of losses from that Business Line.
• The position of the bubble on the impact axis represents the average impact of each loss.
• The position of the bubble on the frequency axis represents how many data points have
been collected for that business line.                                                  9
Collection Techniques

When establishing loss collection policies and
procedures, the complexity of the data
collection system should be commensurate with
the demands of the data. Additionally, data
collection systems should be flexible enough
that they are able to adapt to the changing
needs of the institution.

For    data    collection   to   be   effective,
comprehensive policies and procedures need to
be embedded into the culture of the
organisation. These policies become a reference
point for staff when recording a loss to ensure
consistency, accuracy and completeness.

ILD Policies generally provide guidance on all
matters concerning the recording of loss events;
including the definition of an operational risk
loss event, loss amount, and event type
allocation guidance etc.
How ILD is Collected

AMA Institutions have generally collected ILD for both internal purposes and the
calculation of regulatory capital. In APS115, APRA has defined what information is
required to be recorded for the calculation of regulatory capital. Institutions recording
data for internal purposes are able to tailor their data collection to suit their own needs.
Institutions generally record the following characteristics for each Operational Risk Loss:
    •Gross Loss amount- The loss amount before any recoveries from insurance.

    •Date of event- Institutions have recorded one or a combination of the date the
    loss occurred, the discovery date or the accounting date.

    •Descriptive information- Manual enrichment by business units adds valuable
    qualitative information, such as the cause of the loss and the failed controls.

    •The Classification of the loss- Once the data is collected institutions have had to
    classify the loss into one (or more) of the Basel BU/Risk type combinations.

    •The Nature of the Loss- Credit Risk and Market Risk related losses should be
    flagged to ensure correct treatment in capital calculation.

Challenges in Collecting ILD

The nature and quality of operational risk
data collected by institutions directly
affects the outcome of any quantification
or risk management decisions.

During the accreditation process it was
evident that AMA applicants were
experiencing similar problems in regard to
the treatment of losses in their operational
risk loss databases. Issues were generally
related to the characteristics of the data,
i.e how it is collected and used. Institutions
developing data capture systems face
decisions regarding the scope of data,
thresholds used, allocation mechanisms and
validation techniques.

Scope of Internal Data

                         Institutions developing and implementing
                         their operational risk loss policies and
                         procedures must set clear rules around the
                         scope of the ILD the institution wishes to

                         Given the general scarcity of operational
                         risk data, institutions may choose to collect
                         near miss and rapid recovery data as a
                         useful input into risk management and
                         measurement        procedures,   particularly
                         input into KRIs and scenario analysis.

                         A precise definition of what constitutes as a
                         near miss and rapid recovery is required to
                         ensure consistency, especially if no actual
                         loss is incurred.

Loss Collection Thresholds

A loss collection threshold is the level above
which all operational risk data must be
collected and recorded in the internal loss

When setting the threshold level, institutions
should first consider the purpose of the data
and how different thresholds will affect its
overall usability. Institutions should be aware
of the trade-off between the added benefits
of collecting smaller losses and the cost of
collecting such information.

Generally thresholds should be set using
robust empirical methods rather than
subjective means. However, given the initial
lack of data available to conduct empirical
analysis, a well reasoned threshold is
acceptable in the short term.

Allocation to Business Lines

                           A single operational risk event may result in losses
                           occurring in multiple business lines and event types.
                           Inconsistencies may arise when losses are entered into
                           the system and there is no single business unit/risk
                           type combination to assign to the loss.

                           Institutions must develop specific criteria for allocating
                           losses arising from an operational risk loss event that
                           spans more than one business line1. To maintain
                           consistency, most AMA institutions have generally
                           allocated the full loss amount to the business line/risk
                           type with the largest exposure.

                           It is important for institutions who do allocate single
                           event losses to multiple business lines to identify such
                           losses in the database for risk measurement and
                           management purposes.
                           1 APS115 – Attachment B Paragraph 25

Validation of ILD

Validation of ILD encompasses both the
review and assessment of data integrity and
comprehensiveness. An annual review of the
data is essential to ensure reliability of the
data and effectiveness of internal controls1.

To maintain consistency, some institutions
have made use of a centralised function to
input the general data information, then
relying on business units to assist with the
details (such as control failures etc).

Institutions have generally relied upon manual
validation techniques such as general ledger
reconciliation and audit reviews. Institutions
should      incorporate     automatic     data
verification into the data input facility,
limiting the amount of manual validation
1   APS 115 Attachment B Paragraph 14
Key Issues

             •   Collecting internal operational risk data creates
                 many benefits for institutions including;
                            • Tailored insurance policies
                            • Improved risk management
                            • Capital management
             •   The sophistication of the data capture system
                 should be commensurate with the use of the
             •   Sound policies and procedures need to be
                 embedded into the risk management culture of
                 the organisation to ensure consistent and
                 accurate reporting of losses.
             •   Key challenges in collecting ILD include;
                            • Scope of data thresholds chosen
                            • Allocation of losses
                           • Validation


To top