Get documents about "Finance 590
Document Sample
Finance 590
Enterprise Risk Management
Operational Risk
MarkVonnahme
Department of Finance
University of Illinois at
Urbana-Champaign
ERM
• Why operational risk management
– Some perspectives on significance
• Major financial disasters have included operational
risk issues as a main contributing factor
• Operational risks often interrelated with market and
credit risk
• When operational risk is not managed centrally it
leads to lack of consistency across an org
ERM
• Benefits of effective operational risk
management
– Minimizes day to day losses and reduces
potential for costly occurrences
– Improves company’s ability to meet business
objectives
– Strengthens overall enterprise risk management
system
ERM
• Operational Risk
– a common definition
“ Operational risk is the risk of direct or indirect
loss resulting from inadequate or failed internal
processes,people,and systems or from external
events”
BBA,et al
ERM
• Operational risk
– The real definition varies by company based
upon industry and other factors; essentials
include
• Process risk
• People risk
• System risk
• Event risk
• Business risk
ERM
• Process risk
– Risk occurs through ineffective or inefficient
processes
• Ineffective –fail to achieve objectives
• Inefficient-meet objectives but excessive costs
What does this mean
Examples
ERM
• People risk
– Result from
• Staff constraints
• Incompetence
• Dishonesty
• Cultures that do promote not risk awareness
What does all this mean
Examples
ERM
• System risk
– More and more common across business
• Technology keeping up with business
– My experiences
– Includes systems availability,data integrity,systems
capacity,unauthorized access and use,and business
recovery contingencies
• Programming errors
• Security
• Mergers and acquisitions
– My experiences
ERM
• Event risk
– Unlikely single events that have serious
consequences
• Many examples
• Expect the unexpected
• Event risk may have ripple effect impacting other
areas
– Market, credit, financial
– Other operational areas
ERM
• Business risk
– Risk of loss due to unexpected changes
• All kinds of risks including
– Strategy
– Client management
– Pricing
– Reputation and brand
– Many,many others
ERM
• Some key questions relate to
– Vulnerabilities in business strategy and plans
– Product diversification or sufficient business
– Appropriate operating leverage
– Wrong or changing business assumptions
– Fix or exit a business
– Exit strategy
ERM
• Operational Risk Management Process
– Risk policy and organization
– Risk identification and assessment
– Capital allocation and performance
measurement
– Risk mitigation and control
– Risk transfer and finance
ERM
• Risk policy and organization
– Management principles for operational risk
– Definition and taxonomy for operational risk
– Objectives and goals
– Operational risk processes and tools
– Organizational structure
– Roles and responsibilities
ERM
• Risk identification and assessment
– A range of qualitative and quantitative tools to
assess, measure and manage;these include
• Loss incident database
• Control self-assessment
• Risk mapping
• Risk indicators and performance triggers
ERM
• Capital allocation and performance
measurement
– Link risk to performance measurement through
the capital allocation process
• No widely accepted model
– No one methodology or single solution ; a
combination of approaches
ERM
• Capital allocation and performance
measurement continued
– Top down models v bottom up models
ERM
• Top down models
– Implied capital model
– Income volatility model
– Economic pricing model
– Analog model
ERM
• Bottom –up or loss distribution model
– Statistical analysis
– Scenario analysis
ERM
• Risk mitigation and control
– The ying is useless without the yang
– Assessing and measuring does no good without
improving and controlling risk factors
– Once measurement is in place must implement
processes that identify and reduce operational
risk
• Involves people, training,changing or structure, etc.
ERM
• Risk transfer and finance
– Choices to address key operational risks
• Implement internal control v risk transfer
• Not mutually exclusive; generally complementary
• Company should go through the ERM process
– Identify risk exposures and quantify probabilities,severities and
economic capital requirements
– Integrate operational risk with other key risks
– Establish operational risk limits
– Implement internal controls and risk transfer finance strategies
– Evaluate alternative methods, providers, and structures including
cost benefit analysis
ERM
• Best practices in operational risk
management
– Operational risk may be most dangerous
– Wide range of industry practices
• Basic
• Standard
• Best
ERM
• Operational risk
– Basic practice-a company
• Recognized operational risk as key risk
• Definition of operational risk and sub categories is in place
• Operational risk manger is appointed to develop a program
• Operational risk committee with key reps is in place
• Tracking program for risk is in place
• Self assessment performed regularly
• Policy developed and approved
• Operational risk management group acts a consultant to sr.
mgmt.
• Audit and compliance group acts as checker
ERM
• Operational risk
– Standard practice-a company builds on basic
• Developed full set of operational risk indicators
• Established goals and MAPs for the indicators
• Developed early warning signals
• Risk based maps developed to identify key exposures in
operations
• Developed several years of risk losses and incidents
• Response plans and contingency plans developed
• Audit and operational risk management independent of each
other
• Org learning programs are in place
ERM
• Operational risk
– Best practice – a company continues to build
• Business risk and reputational risk included
• Advanced in their processes to assess and measure risk with
qualitative and quantitative tools
• Allocate economic capital to underlying risks along with credit
risk and market risk
• Initiate development of scenario based operational risk
modeling to quantify potential loss
• Insurance function is fully integrated with operational risk
function
• Risk transfer strategies based upon cost benefit analysis
• Evolved from just control function to one that supports better
decisions on price, growth and profit
ERM
• Operational risk
– Where do you think most companies are in the
cycle or phases of “ best practices ”
ERM
• Questions
• Discussion
Finance 590
Enterprise Risk Management
Business Applications
MarkVonnahme
Department of Finance
University of Illinois at
Urbana-Champaign
ERM
• Business applications have followed the
requirements and changes of business
• RM practices have evolved
• RM will continue to evolve and adjust to business
conditions and change
ERM
• Business Applications
– Three major applications
• Stage I: Minimizing the Downside (loss reduction)
• Stage II: Managing Uncertainty
• Stage III: Performance Optimization
• Combination of all three is Enterprise Risk
Management
ERM
• Stage I: Minimizing the Downside
– RM in the 1970s focused on protection against
downside risks
– Establishing credit controls, investment and liquidity
policies,audit procedures and insurance coverage
– Defensive RM practices looked at minimizing losses in
credit risk, market risk and operational risk
– Found out it was not enough
– Demonstrating how RM can be positive in supporting
profit and business growth lead to next stage
ERM
• Stage II: Managing Uncertainty
– RM focuses on managing volatility around business and
financial results
– A number of sources of volatility were catalysts
• 1970s: fixed to floating exchange rates and wildly fluctuating
oil prices
• 1980s: double digit inflation, double digit interest
rates(volatility) and lending crises
• 1990s: derivative losses, volatile equity markets and
beginnings of major economic shifts
• 2000-today: economic changes, corporate scandals, new
regulations - “ uncertainty continues ”
ERM
• Stage II continued
– With increased volatility RM practices evolved
• Credit scoring and migration models to develop
more precise estimates default probabilities
• Advances in management of financial market risks
• Recognition of importance of operational risk
management
ERM
• Stage II continued
– Risk transfer products increased in popularity
• Derivatives and sophisticated insurance products
– Recognition that additional products needed
• Derivatives and insurance not enough
– Alternative risk transfers
– Integration of risk management silos
• Transfer packages of risks
• Development of integrated internal models for risk
• A more holistic view of risk
• Spurred use of RM for performance optimization
ERM
• Stage III Performance Optimization
– RM characterized by integrated approach to all
types of risk
– Move from partial integration in other stages to
complete integration
– Risk and return are important component
• Not defensive
• Move to an offensive approach in dealing with
credit , market risk and operational risk
ERM
• Further evolution of RM
– Changes in business environment will continue
to impact the development of the practice
• Globalization
• Technology
• Changing market structures
• Restructuring
• Other changes we do not know about today
ERM
• Discussion
• Questions
• Next class
Finance 590
Enterprise Risk Management
Steve D’Arcy
Department of Finance
Lecture 5
Strategic and Operational Risk
Measurements
April 19, 2005
Reference Material
• Chapter 14 – Operational Risk Management in
Enterprise Risk Management by James Lam
• Why COSO is Flawed by Ali Samad-Khan
• Burchett and Dowd presentation
http://www.casact.org/affiliates/cagny/1101/basel1.ppt
• Reputation Risk – Operational Risk
CAS ERM Task Force presentation
Overview
• Strategic Risk
• Operational Risk
• Measures of Operational Risk
– Capital requirements for operational risk
– Market performance
• COSO Approach
• Critique of COSO Approach
Strategic Risk
• Difficulty in quantifying strategic risks
• Contrast with hazard and financial risks
– Lack of data
– Imprecision of measurements
• How do you measure the likelihood and
impact of:
– a competitor’s or regulator’s actions
– a technological innovation
– a political impediment
Operational Risk
• Loss from inadequate or failed
– Processes
– People
– Systems
• External events (generally covered under
Hazard Risks)
Measures of Operational Risk
• Basel Accord
– Capital requirements
• Market performance
– Examine similar events for other companies
New Basel Capital Accord
• Focus is on banks
• Convergence of regulation will expand
application to insurers and other industries
• Minimum capital requirement
Capital Ratio = Total Capital/(Credit Risk + Market Risk
+ Operational Risk)
Minimum Capital Ratio = 8%
Top Down vs. Bottom Up Capital
Allocation
Top Down
Start with aggregate capital for the industry
Allocate this to each risk source
Allocate result to individual financial institutions
Bottom Up
Identify each source of risk
Develop a method for measuring the magnitude
Derive capital from this measure
Proposed Capital Approaches
• Basic Indicator
• Standardized
• Internal Measurement
• Loss Distribution
Basic Indicator Approach
KBIA = EI*
KBIA = the capital charge under the Basic Indicator Approach
EI = the level of an exposure indicator for the whole
institution, provisionally gross income
= a fixed percentage relating the industry-wide level of
required capital to the industry-wide level of the
indicator
Standardized Approach
KTSA = (EI * ) 1-8 1-8
KTSA = the capital charge under the Standardized Approach
EI1-8 = the level of an exposure indicator for each of the 8
business lines
1-8 = a fixed percentage relating the level of required capital
to the level of the gross income for each of the 8
business lines
(Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking
Payment and Settlements, Agency Services and Custody, Retail Brokerage,
Asset Management)
Internal Measurement Approach
KIMA = (EI *PE *LGEij*ij)
ij ij
KIMA = the capital charge under the Internal Measurement Approach
EIij = the level of an exposure indicator for each business line and event
type combination
PEij = the probability of an event given one unit of exposure, for each
business line and event type combination
LGEij = the average size of a loss given an event for each business line and
event type combination
ij = the ratio of capital to expected loss for each business line and event
type combination
Loss Distribution Approach
• Similar to Hazard Risk analysis
Market Performance Approach
• Gather information regarding publicly traded peer
companies that have experienced significant distress events
negatively affecting stock price relative to market indexes.
• For each company, evaluate historical stock price relative
to the S&P 500 or industry related stock price index during
the “pre-event” period.
• Using the relationship to one or more indexes, project
future stock price movements for the individual company
stock on a pro-forma basis for the “post-event” period.
• Compare the pro-forma stock price to the actual stock price
in the post-event period, to estimate the hypothetical
percentage loss in market valuation for each day.
Market Performance Approach (2)
• Project cumulative average market valuation movements
beyond the latest available post-event data point for
individual companies based on the cumulative average
percentage movement in market valuation for the
remaining companies in the sample data, up to one year
beyond the event.
• Derive a rough model for the number of trading days
before stock price “recovers” to the pro-forma projected
level.
Schering-Plough Corp.
EVENT: Schering-Plough has problems with FDA manufacturing regulations, leading
to a delay in approval for its allergy blockbuster successor, Clarinex.
• Market Cap Loss:
$15.3 Billion or 22% Relative Price Performance for Schering-Plough and
(2/15/01 – 3/8/01) the S&P 500: Novermber 1, 2000 through June 1, 2001
125%
2/01: FDA halts review on SGP’s
• Recovery Period to Date: Clarinex, due to separate
manufacturing concerns
100%
None
75%
• 2/01: Class action lawsuit
filed against directors and 50%
11/1/00
12/1/00
1/1/01
2/1/01
3/1/01
4/1/01
5/1/01
6/1/01
officers
Schering-Plough S&P 500
125% Schering-Plough
Schering-Plough
100%
S&P 500
S&P 500 Pharm
75%
Forecast
50%
1/1/01
2/1/01
3/1/01
4/1/01
5/1/01
6/1/01
11/1/00
12/1/00
The ore tica l Lost Ma rke t Ca p - Sche ring
25%
Lost Market Cap
20%
15%
10%
5%
0%
0 50 100 150 200 250 300 350 400
Ela pse d Da ys
Pro-forma stock price movements modeled relative to the S&P 500 Pharmaceutical index.
McKesson Corporation
EVENT: McKesson improperly reports its software revenue
from newly acquired HBOC, resulting in loss of investor
confidence.
• Market Cap Loss: Relative Price Performance for McKesson Corp. and the
$ 9.1 Billion or 50% S&P 500: January 2, 1999 through August 1, 1999
(4/27/99 – 4/29/99) 125%
• Recovery Period to Date: 100% 4/99: MCK reduces
None earnings by 4.4% after
75% restating financials
•4/99 – Class action lawsuit 1/99: Acquired HBOC
filed against directors and 50%
officers 25%
1/1/99
1/15/99
1/29/99
2/12/99
2/26/99
3/12/99
3/26/99
4/9/99
4/23/99
5/7/99
5/21/99
6/4/99
6/18/99
7/2/99
7/16/99
7/30/99
•6/99 – McKesson
downgraded by S&P and
Moody’s McKesson S&P 500
125%
McKesson
100% McKesson
S&P 500
75%
S&P 500 HC
50% Forecast
25%
1/1/99
2/1/99
3/1/99
4/1/99
5/1/99
6/1/99
7/1/99
The ore tica l Lost Ma rke t Ca p - McKe sson
35%
Lost Market Cap
30%
25%
20%
15%
10%
5%
0%
0 50 100 150 200 250 300 350 400
Ela pse d Da ys
Pro-forma stock price movements modeled relative to the S&P 500 Healthcare Services index.
Why COSO is Flawed
• Resource intensive approach
• Identification, definition and assessment of risk
– Performed by business managers
• Results in huge catalogue of risks
• Likelihood-impact method
Risk = Likelihood x Impact
Actuarial Approach
• Individual loss events
• Risk matrix for loss data
• Loss distributions
– Frequency
– Severity
• VaR Calculation
• Total loss distribution
Conclusion
• Quantifying strategic and operational risk is
the latest challenge for ERM
• Variety of approaches proposed
• Eventual standard likely to follow the
approaches used for hazard and financial risk
• Lots of work remains to be done in this area
Related docs
