Docstoc

Operational Risk in Financial Services

Document Sample
Operational Risk in Financial Services Powered By Docstoc
					  Operational  Risk 
in Financial Services

      Michael Pinedo  
    Stern School of Business
      New York University



                               1
                            Overview
I     INTRODUCTION  AND  PRELIMINARIES 
  I‐a    Examples of Operational Failures
  I‐b   The Place of Ops Risk Management in a Company
  I‐c    Process Mapping,  Reliability Theory,  and Optimal Redundancies
  I‐d    Ops Risk and Total Quality Management (TQM)

II    MEASUREMENT  OF OPERATIONAL RISK  
  II‐a     Basel II
  II‐b     VaR and Ops‐VaR 
  II‐c     Measurement of Operational Risk and Self Assesment
  II‐d     Data Collection (internal)  and Analysis
  II‐e     Distributions of Losses  and  Extreme Value Theory  (EVT) 
  II‐f      Key Risk Indicators (KRIs)  and   Multi‐Factor Analysis
  II‐g     External Loss Data (ORX) 
  II‐h     Correlations and Dependencies 

III    CONCLUSIONS AND  DISCUSSION  
  III‐a   Overview of framework 
  III‐b   Hedging Ops risk  (insurance,  securitization, etc.) 
  III‐c    State of the art ‐ Systems, software                            2
I-a Examples of Different Types of
    Operational Failures in Finance
 • Mizuho (human error,  Japan) 
 • Allied Irish Bank (unauthorized trades (currency 
     trading),  small organization,  United States)
 • Société Générale  (unauthorized trades (equity 
     derivatives, stock index futures),  large organization,  France)
 • HIH Insurance (bad diversification, lack of transparency 
     and oversight,  Australia) 
 •   TD Ameritrade  (Website Crash)
 •   Cantor Fitzgerald  (bondtrading house;  lost 2/3 of its 
     operations on  9/11) 
                                                                        3
          Mizuho    (Tokyo,  2005)
Human Error:
     Trader tries to sell 300,000 share at 1 yen
     instead of 1 share at 300,000 yen. 

Parties Involved: 
        Mizuho
        Tokyo Stock Exchange 
        Fujitsu (designer of the computerized trading system)
        UBS (counterparty who made the most money) 

Results:
       Several high level people had to resign. 
                                                                4
                 Human Errors
Complexities in information system design:

• requirements of having real time feed of market 
  data.  (Not easy,  especially not  when stock is very 
  lightly traded   or   when trading is very volatile) 

• Information may have to be fed into a neural net in 
  order to detect anomalies.   Neural net has to 
  provide feedback in real time.   
                                                           5
Allied Irish Banks (contnd.)




                               6
                Rogue Trading
• Frequency and Severity  ‐ Quite frequent and very 
  severe
• Usually starts small and very innocuous (cover up of 
  an error),  but then may continue for many years  
  (while expanding) before being discovered.
• Where does it occur?   ‐ U.S.,  Europe, Singapore, 
  South America,  …
• How to avoid?   ‐ Internal  audits and controls 
  (with separate lines of reporting),   regular internal 
  transfers,  mandatory vacations,  …
                                                       7
  Nick Leeson     Yasuo Hamanaka    Jerome Kerviel
1995‐1999 Singapore prison              1997‐2005   Prison in Japan 

                                Juan Pablo Davila
                                    1999‐2007   Prison in  Chile 




                                                                       8
     Natural Disasters – Terrorist 
               Attacks
• Cantor Fitzgerald lost 2/3 of its operations  on  9/11 
  (including all its top management with the exception of CEO 
  Howard Lutnick)



• Where should a company keep all its computer backups and 
  how are they kept current?   (e.g.,  servers at Schwab)
• How should the organigram of a company be redrawn when 
  top management is victim of an accident ? 

• After 9/11 there are legal requirements with regard to 
  locations of backups.  
                                                             9
  I-b The Place of
Ops Risk Management
    in a Company
    Types of Risks in a 
Financial Services Company




      Market Risk     Credit Risk



    Operations              Strategic
      Risk                    Risk
                 Business
                  Risk


                                        11
                                                                                                    FINANCIAL RISKS
                                                                                                        IN BANKS


                                         Credit Risk                          Market Risk                    Operational Risk                                   Other


                                                       Counterparty failure                                                    Internal
                                                                                              Interest rate risk                                                            Liquidity risk
                                                       to meet obligations                                                 operational risks


                                                                                            Foreign exchange                                                                 Business/
                                                       Counterparty default                                                                      People
           Sources of Risk




                                                                                                 rate risk                                                                  Strategic risk


                                                       Counterparty credit                                                                                                  Reputational
                                                                                              Equity price risk                                 Process
                                                         rating change                                                                                                          risk


                                                        Other credit risks                  Other market risks                                  Systems                      Political risk


                                                                                                                              External                                      General legal
                                                                                                                           operational risks                                    risk



Overview of risks in                                                                                                                             People                      Other risks



financial services                                                                                                                          Natural disasters



                                                Loans
Primary Scope
                             of Application




                                                Futures
                                                                                                                          Operational efficiency in
                                                Swaps                                                                     all business lines:
                                                                                      Debt Securities                                                               Commodities & Equities
                                                Bonds
                                                Equities                                                                  Corporate finance
                                                                                      Equities                                                                      Short- and long-term
                                                Options                                                                   Trading & sales
                                                                                                                                                                    business strategies
                                                Interbank                                                                 Retail banking
                                                Transactions                          Commodities                         Commercial banking
                                                                                                                          Payment & settlement                      Transactions
                                                Trade financing
                                                Foreign exchange                      Other                               Agency services & custody
                                                                                                                          Asset management                          Other
                                                Transactions
                                                                                                                          Retail brokerage
                                                Settlement of transactions                                                                                                             12
                                                Other
Goldman Sachs Annual Report (2001)
    Ops Risk is finally getting some attention!




                                                  13
      Types of Operational Risk Losses

1. Transaction Errors:
   Includes restitution payments (principal and/or interest) or other
   compensation to clients as well as disbursements made to incorrect
   parties and not recovered.


2. Loss of or Damage to Assets:
   Reduction in value of the firm’s non-financial asset and property due to
   some kind of accident (e.g. neglect, accident, fire, earthquake)


3. Theft, Fraud and Unauthorized Activities

4. Regulatory, Compliance and Taxation Penalties:
   Fines, or the cost of any other penalties, such as license revocations and
   associated costs- excludes lost/forgone revenue.


5. Legal Liability:
   Judgments, settlements, external legal and other related costs which arise
    as a result of an Operational Risk Event.
                                                                                14
 Basic Operational Risk Factors

People risk                    Incompetency
                               Fraud, ….


Process risk
 A. Model risk                 Model/methodology error
                               Mark-to-model error, ….

 B. Transaction risk           Execution error
                               Product complexity
                               Booking error
                               Settlement error
                               Documentation/contract risk, …..

 C. Operational control risk   Exceeding limits
                               Security risks
                               Volume risks, ….

Technology risk                System Failure
                               Programming error
                               Information risk
                               Telecommunication failure, ….

                                                                  15
   Objectives of an Operational Risk
        Management Function
• To generate a broader understanding of operational risk
  issues at all levels of the firm that touch on key areas of risk
• To enable the organization to anticipate risks more
  effectively.
• To change behavior in order to reduce operational risk and
  to enhance the “culture of control” within the organization.
• To provide objective information so that services offered by
  the organization take account of operational risks.
• To provide support in ensuring that adequate due diligence
  is shown when carrying out mergers and acquisitions.
• To provide objective measurements of performance.
• To avoid potential catastrophic losses.

                    (compare this with a quality control
                    function in a manufacturing company)
                                                                16
  I-c Process Design,
Mapping, Reliability Theory
and Optimal Redundancies
  Process Mapping and  Potential
        Risk / Failure Points
• Processes are complex structures of activities in 
  series and activities in parallel.  
• The reliability or the error rate in each one of the 
  steps of such processes can be estimated.  The 
  potential failure points have to be determined.  
• Adding  additional  quality control checks  is  
  determined by a tradeoff between the cost of a 
  check,  the reduction in the probability of a failure 
  and the expected damage of a failure.  
  and the expected damage of a failure

                                                           18
19
   I‐d      Ops Risk   and  
Total Quality Management 
            (TQM)




                               20
       Why  TQM  or  6‐Sigma ? 
• Bank of America has to process daily approximately  
  30,000,000  checks.   The number of checks not 
  processed correctly is less than 100. 

• A major investment bank in NY processes daily 
  approximately  10,000  Forex  trades.  The number 
  of trades with minor errors less than 100.   The 
  number of trades with a medium size error less 
  than 1.      (Note: each trade may be subject to a 
  number of  amendments or exceptions) 
                                                        21
 What can Financial Services Learn from other
Industries with regard to mitigation of Ops Risk
     through Total Quality Management?
From the Manufacturing industry:
  -- Shingo systems (Poka-yoke systems)
  -- Statistical Process Control (SPC)
  -- Deming’ s 14 points

From the Aviation industry:
  -- Near-Miss reporting systems
  -- Check lists

From the Health Care Industry:
  -- Second opinions
  -- knowledge system software
                                               22
Comparison of the Different Service Industries

            Industry         Loss Potential           Risk               Risk Mitigation
                                                   Measurement            Procedures
         Transportation      Major loss of life;      Near-Miss          Checklists;
           (Aviation,         Environmental           Reporting          Redundancies
           Shipping)            Damage                Systems
            Health              Loss of life        Success rate of      Second Opinions;
        care(hospitals,                               surgeries             Knowledge
        nursing homes)                                                   system Software
           Financial         Major Financial         Losses can be        Redundancies;
         Services(Retail        Losses                 measured              hedging;
             Banks;                                     precisely           insurance;
          Investment                                (Relatively high       securitization
            Banks)                                    Probability of
                                                      Catastrophic
                                                          Loss)
           Hospitality       Limited Financial      Surveys; Losses      security systems;
        Industries(hotels;    Losses(thefts;           cannot be            training of
          cruise ships)         accidents)          measured easily         personnel
                                                   (low probability of
                                                      catastrophic
                                                         loss).
II-a   Basel II
                                        STRUCTURE OF
                                           BASEL II
                                       CAPITAL ACCORD

                     Pillar 1                Pillar II             Pillar III

                    Minimum               Supervisory               Market
                     capital               review of              discipline
                  requirements              capital                & public
                                           adequacy               disclosure
                                  1. CREDIT RISK (since 1988)
                                 2. MARKET RISK (since 1996)

                            3.    OPERATIONAL RISK (since 2001)


                                 Pillar 1 for Operational Risk:
                                 Capital Charge Measurement
                                           Approaches

        Basic Indicator          Standardized             Advanced Measurement
        Approach (BIA)           Approach (SA)              Approaches (AMA)

               (Top-down Approaches)                       (Bottom-up approaches)

Structure of the Basel II Capital Accord and Pillar I for operational risk
                                                                       25
             Business Lines
1. Corporate Finance 
2. Trading and Sales 
3. Retail Banking 
4. Commercial Banking 
5. Payment and Settlement 
6. Agency Services 
7. Asset Management 
8. Retail Brokerage 

                              26
              Event Types
1.  Internal Fraud
2.  External Fraud
3.  Employment Practices and Workplace Safety 
4.  Clients, Products and Business Practices 
5.  Damage to Physical Assets 
6.  Business Disruption and System Failures 
7.  Execution, Delivery, and Process Management 




                                                   27
    II-b What is VaR and
      what is OPS-VaR ?

•   Based on analytic techniques widely used in the insurance industry to measure
    the financial impact of an events

•   Used for determining

     - the expected loss from operational failures
     - the economic capital for operational risk
     - concentration of operational risk

•   OP VaR makes no assumptions about the causes of the failure, just like Market
    VaR makes no assumptions about the cause of interest rate moves

•   Can be applied to all types of operational risk exposures across all the
    businesses of the bank

•   Can be used to design insurance and other risk transfer coverage
                                                                                    28
                                Risk Concepts

                                 Loss Distribution
Aggregate
Loss
Frequency
                                                   Value at Risk (VaR)

                                                                 Catastrophic
                                                                 Losses



                                                                     Aggregate
            Expected Losses                      Unexpected Losses   Loss
            (Covered by provisions or pricing)                       Severity
              Value at Risk (VaR)

• The amount of loss which will not be exceeded over a 
  certain time horizon (e.g. one year) with a certain 
  confidence (e.g. 95%) 
• Applicable to market, credit, and operational risk
• One of the most common risk measures
• Certain pitfalls: does not always decrease as portfolio is 
  diversified, lower bound for higher losses,
                           Operational Risk VaR
• Loss Distribution Approach (LDA): Frequency and severity of losses is estimated 
  based on historical internal loss data. Aggregate loss over the next time horizon T
                                         NT
                                    S = ∑ Li
                                         i =1
•   NT is the random variable representing the frequency of losses over the next time 
  period T and       are i.i.d. random variables representing the severity of losses. 
                Li
• For fixed frequency, distribution of sum is convolution of single severity loss 
  distribution
• Basel Requirement: 99.9% confidence level and 1 year time horizon. 

                           P ( S < VaR   99 . 9 , 1 year   ) = . 999

• Determine severity and frequency distribution and compute VaR using Monte Carlo 
  simulation assuming losses are independent and identically distributed and severity 
  and frequency are independent. Sample frequency, N, and then take N samples from 
  severity and sum up. 
• Firmwide VaR is sum of VaR for each BPM0, region, and Loss Type cell. Need to 
  justify use of correlations in reducing VaR.


                                                                                         31
                                                                                          31
   From Tools for Risk Analysis to Ops-Var

             Calculation   Calculation
Exposure
              of Actual     of Actual            Calculation
Base (Eis)                                                     Reporting
             PEs & LGEs      PEs &               of OP VaR
                              LGEs

Internal
Loss
History


                  Actual
                              Projected
Industry          Loss                                OpVars
                                Loss
Loss              Rates                                        RAROC
                               Rates
History




Scenario
Analysis

                                           Stress
                                          Scenario             OpVar
                                                               Report
Key Risk
Drivers
(KRDs)


                                                                        32
II-c Measurement of
    Operational Risk:
     Self-Assesment
Who is Measuring Operational Risk?

                         Internal Audit


                            Senior
                          Management


                                                   Risk
     Business
                                                Management
    Management
                 Legal              Insurance
                 Operations        Finance
                         Information
                         Technology




                                                             34
How is Operational Risk
       Measured ?
    The industry measures Operational Risk in two ways


1. Quantitative Approach

- Statistical
- Historical
- Internal/External Failures
- Monte Carlo simulation



2. Qualitative Approach

- Based on self-assessments


      Either approach on its own does not tell the whole story




•     Too rigid                           •   Too judgmental
•     Relevancy?                          •   No reference
                                              points
                                                                 35
  Basel II makes a distinction
  between several approaches


(1)   Basic Indicator Approach (BIA) 
(2)   Standardized Approach (SA) 
(3)   Advanced Measurement Approaches (AMA) 
         Internal Measurement Approach 
         Scorecard Approach 
         Loss Distribution Approach 
   Basic Indicator Approach  (BIA)
• The operational risk capital charge under BIA is 
  calculated as a fixed percentage of the average over 
  the previous three years of positive annual Gross 
  Income (GI).                 (Gross income is net interest 
  income plus net noninterest income)  
• Percentage is currently set at 15%  
• Very crude !




                                                           37
   Loss Distribution Approach
• The Loss Distribution Approach:
                        Approach
  – Standard statistical techniques are available
     • which techniques are most appropriate?
     • what are appropriate for modeling the “tail” of the
       distribution?

• Data Quality is Important
  – Incorporating high-severity events
     • External data?
     • Scenario analysis?

                                                       38
    Loss Distribution Approach
          – continued …

Generally, estimation of an operational 
loss distribution involves 3 steps:    

 1. Estimating a frequency distribution
 2. Estimating a severity distribution
 3. Running a statistical simulation to
    produce a loss distribution                        
    (compound distribution usually does not
    have a nice analytical form)                          39
                              Overview of LDA continued...
                                                                                               Severity Distribution
               Frequency Distribution




                                                                     Density
Density




          Number of Loss Events per Year                                                    $ Value of a Loss Events
                    Density




                                            25 million                                             250 million

                                           Expected Loss                                      Unexpected Loss,
                                                                                                   99.9 %


                                               Total Operational Loss over a 1 year time horizon
                                                                                                                       40
                                 Severity of Loss                                                                   Event Frequency

                               LogNormal


                                     Fat-Tail LogNormal

                                                                                                                                Mean frequency = 296
                                                                                                                                221 events / 0.75 years




                                                                                                      Probability
Probability of Loss




                                                           Distribution selected based
                                                           upon statistical best-fit tests



                                                                              Empirical Data



                                                                                                                              AnnualFrequency


                              Log of Loss Amount in $mm


            •         Theoretical distributions are fitted to the empirical data
                                                                                               •   Annual frequency of event determined using historical
                      using a statistical fitting technique called Maximum
                                                                                                   event occurrence, taking into account business changes,
                      Likelihood Estimation
                                                                                                   adjustment for trends
            •         “Best-Fit” distribution is selected based on statistical tests
                                                                                               •   Absent additional information, frequency is assumed to
                      which calculate the maximum difference between the
                                                                                                   follow a Poisson distribution, standard in the industry
                      theoretical distribution and the empirical data
                                                                                                   used to model randomly distributed events
                                                                                                                                                             41
II-d Data Collection
     and Analysis
             Internal Data

  ‐ Frequency  Data 

 ‐ Severity  Data 

How should we deal with outliers? 


Are Internal Data sufficient to be able to 
analyze and estimate low frequency events? 
                                              43
  How to Record Occurrences of Events 
   to  Obtain Frequency of Loss Data

  Each loss event has several dates associated with it, namely,   
• Date at which event was triggered (cause)
• Date at which event was discovered
• Date at which loss was taken into account
  Which ones of these dates are important ? 

  With regard to losses, which losses should be recorded? 

.   Recently perceived market values 
.   Invested funds (adjusted with reasonable ROI)
                                                                 44
     Fitting Frequency Distributions: Regression
•   Key risk indicators (KRI’s): business control factors are used as a proxy or indicator for the 
    quality of the control environment: e.g. Transaction volume, employee headcount, 
    transaction fails count
•   KRI’s are used along with the historical loss frequency to estimate the frequency in the VaR 
    model by a Poisson regression procedure. Some functional relation is assumed between the 
    Poisson frequency and the KRI’s and the parameters in the functional relation are 
    estimated using maximum likelihood.
•   For example, the frequency n is assumed to be Poisson distributed:
                                                    λne −λ
                                         f (n) =
                                                       n!
•   Poisson frequency is linearly related to the KRI’s:

                       λ = α × Fails _ Count + β × Transactio ns _ Count

•                                             α
    Maximum likelihood is used to estimate      , β
                L(α , β ) = ∑ log( f (ni , Fails _ Counti , Transaction _ Counti ; α , β ))
                            i


•   Sensitivity analysis: impact on VaR from bumping up transaction volume or fails count 
    by  10%, 50%, etc.

                                                                                                45
                                                                                                 45
              Fitting severity distributions
• Severity distributions: Lognormal, normal, exponential, gamma, 
  Weibull, Champernowne (studied for wage distributions; lognormal
  in body and Pareto near tail). Exploring alpha‐stable and g‐and‐h 
  distribution.
• Maximum likelihood method estimation (parameters which 
  maximize the log likelihood of observations)
• Goodness of fit tests: Kolmogorov‐Smirnov
                    D = max i | Fempirical ( X i ) − Fmod el ( X i ) |
  Kuiper (supremum), Anderson‐Darling (minimize square of 
  difference between empirical and model)
• Conditional maximum likelihood is used to estimate severity 
  parameters in the presence of a lower threshold, K
                                              f (X k ;γ )
                         γˆ = max log ∏
                                        k   1 − F (K ; γ )

• Model severity loss distribution above and below loss threshold 
  with separate tail and body distributions representing unexpected 
  and expected losses.
                                                                         46
                                                                          46
    Adjustments to Remove Historical Bias
       and Take Learning into Account


•    Isn’t any adjustment purely subjective and therefore why go through a
     mathematical rigorous analysis when in the end it still relies on judgment ?

•    First, nothing wrong with judgment; it is used in business all the time, even
     by actuaries

      -   the benefit of the rigorous math is that the judgment is used in a
          systematic, coherent and consistent way

•    Depends on what type and how judgments are used

      -   A list of opinions about the quality of the control environment i.e.
          separation of duties
      -   Or risk drivers, i.e. data on the characteristic of the operational
          environment no of deposit accounts

                                                                                     47
II‐e    Distributions of Losses 
 and Extreme Value Theory 




                              48
     Distribution of operational losses



    Expected events                         Unexpected events

(high probability, low losses)          (low probability, high losses)

    Limited Financial Impact     Severe financial impact    Catastrophic Financial
                                                                   impact




Covered by            Business   Operational risk capital   Insurable (risk transfer or
                        plan                                    “risk financing”)




                                                                                      49
                     Distribution of operational losses
                                (over a given (fixed) time horizon)




                     Expected                       Unexpected


                                         Severe              Catastrophic
Likelihood of loss




                                 Severity of loss




                                                                            50
      Example of High Probabilities 
           and  Low Losses 
Credit Card Business: 
    Operational Risk is mainly due to fraud 
    High probabilities   and  low losses 
    For any credit card  issuer the  total monthly losses due to Operational 
       Risk  has a very low  variance. 



    USA and Europe deal with this issue in a completely different way: 
    Europe  has made major investments in the  smartcard 
    USA has made major investments in data‐mining  (neural nets, etc.) 

The main risk in the credit card business  is  still  credit  risk. 

                                                                                51
              Extreme Value Theory

  How to model and predict catastrophic
    events that occur at low frequency

- The Central Limit Theorem (CLT) gives us a tool to
   analyze averages of events and gives us a feel for the
   standard deviation

- The Extreme Value Theorem (EVT) by Gnedenko gives
  us a tool to analyze the distribution of the maxima of
  random variables (tail events) within given periods.

                                                            52
         Limiting Distributions

- The CLT yields us in the limit the Normal
  (Gaussian) distribution

- The EVT yields us in the limit either the
  Generalized Extreme Value (GEV)
  distribution (special cases of this
  distribution are the Frechet, Weibull, and
  Gumbel distributions)
  or the Generalized Pareto Distribution

                                               53
     How Does Extreme Value Theory Fit
in the Overall Framework of Distributions?
Profit and loss distributions with chosen threshold for extreme
operational losses
                                                         Loss distribution




               Excess loss distribution

Catastrophic
    loss                                                         Profit and loss distribution




      Loss                                 u         0                                      Profit

                          Expected        Expected       Expected
                         excess loss        loss          profit
    Extreme Value Theory

Two Basic Models: 
     Block  Maxima Model 
        Limiting Distribution: 
        Generalized Extreme Value Distribution
     Peak Over Threshold Model (POT) 
        Limiting Distribution: 
        Generalized Pareto Distribution 


                                                 55
Generalized Extreme Value Distributions 




                                     57
58
II‐f     Key Risk Indicators
             and 
  Multi‐Factor Analysis  



                               59
        Key Risk Indicators:  
   Developmental  Considerations
• How many should be key – e.g. the RMA has over 1,400 KRIs  
   in its framework!
• Some will be leading and some lagging
• Defining and aggregating KRIs does sound straightforward, 
   but it will be more complicated as we go beyond the 
   surface level.
• KRIs Development is partly an art and partly scientific
• Risk indicators can be used for any type of risk and at any 
   level in the organisation – they do not have to be 100% 
   accurate.
                                                             60
               KRIs :   General Categories
 1.  Audit issues ‐ number and severity of issues that have not been resolved in a  timely 
    way
 2.  Business continuity – the vulnerability and criticality and processes, the quality  of
    the continuity plan, and the frequency and adequacy of practices and tests
 3.  Failed customers interactions ‐ the number, duration, and severity of failures  to 
    provide customers with prompt, reliable, and effective source
 4. Information security – the number and severity of virus attacks which had any  
    success, critical vulnerabilities left unresolved for a period, and security events with a 
    mpact
 5. Information technology ‐ the availability of technology at critical periods for critical 
    purposes
 6. Operational losses – the  dollar  value of losses
 7. Process breaks – the  frequency, severity, and size of trading, clearing, and settlement  
    failures and their customer impact
 8.  Profit – the number, suddenness, and severity of unexpectedly high profits or losses
 9.  Policy exceptions – the number and significance of policy exceptions
10.  Regulatory – the number and severity of comments and fines from regulators
11.  Staff turnover – turnover rates in critical functions
                                                                                          61
    Key Risk Indicators (KRIs)  for  
    Operational  Risk in Banking

• Transaction volume per employee 
• Average system downtime 
• Employee turnover
• Experience level of employees
• Number of amendments (exceptions) recorded
• Number of new products introduced in most recent 
  time period
• Number of ATMs robbed per 1000 ATMs
• Call  Centers performance measures
                                                      62
    Key Risk Indicators (KRIs) of
Operational Risk in Asset Management


 • Internal controls - audit results, audit frequency

 • Staffing - employee turnover, training budget, premium
   per employee, policies per employee

 • Outside Data Sources – Rating agencies, regulators,
   industry trade organizations, data warehousing firms

 • Security – Number of times systems have been hacked

 • Systems Reliability – Servers, call centers


                                                            63
      Ops Risk in Internet Banking
• Average take for an individual phisher is around 20,000 USD 
  a month (can go as high as 100,000 USD a month). 
• Phishing schemes are estimated to cost banks between 0.5 
  and 1.5 billion a year. 
• An incident may erode customer confidence in a bank 
  (publicity magnifying the effect across the customer base) .  
• Banks spend years and millions on building brand value;  
  this can be destroyed in one day with a single publicised 
  operational loss incident.
• Online fraud and security management are key components 
  of Ops Risk Management 

                                                               64
   Key Risk Indicators (KRIs) of
Operational Risk in Internet Banking

 • Internal controls - audit results, audit frequency

 • Server Reliability - Hours downtime

 • Staffing - employee turnover, training budget, premium
   per employee, policies per employee

 • Outside Data Sources – Rating agencies, regulators,
   industry trade organizations, data warehousing firms

 • Security – Number of times systems have been hacked


                                                            65
Multi‐Factor Analysis
 Incorporating Key Risk
 Indicators into a Single 
      Framework


                             66
Multifactor Analysis using
   Linear Regression

    Transactions Processing Data Set
               Multifactor Analysis using
                  Linear Regression
Ordinary least squares method: find best linear fit to data



                                                               ε4
                                                               ˆ




                ε1
                ˆ                                              Yi = α0 +α1Xi
                                                                    ˆ ˆ
                                     ε2
                                     ˆ
                                                  ε3
                                                  ˆ




                     X       X            X            X
                         1       2            3            4
             Example Multifactor Analysis
                        (ANOVA Table from EXCEL)

Monthly Loss=‐21,356 ‐ 864 × Headcount +
         12,655 × System Downtime + 155 × Transaction Volume 




                                                                69
           Use of Multifactor Analysis
• We can forecast losses if we can find a trend for KRI’s

• Knowing the coefficients in the Loss equation, we can “price”
  individual units of the variables.

• For example,  the cost of one more minute of system downtime 
  in a month is $12,655 

• We can perform stress tests. Management can now estimate 
  how much the total expected operational loss will increase if 
  the trading volume increases by x %.     If transaction volume 
  increases by 50% from its average, then 
             stressed monthly loss = $1,159,831                   70
        Use of Multifactor Analysis
               Cost/Benefit Analysis




1) Cost / Benefit Analysis

Ex: If we hire 1 employee costing $ x /year   
the reduction in losses is estimated to be
              $864 x 12 = $ 10,368 
     Incorporating Key Risk Indicators in 
               Capital Charge
Two approaches:

• KRI Volatility Adjustment to Capital Charge
• Frequency Regression
 Incorporating Key Risk Indicators Capital 
    Charge: KRI Volatility Adjustment
       Key Risk Indicators and the Volatility of Losses




                         Control Environment
                                                          Volatility in
                           Volatility Add-In
                                                          The Control Quality
    OR Capital
                                                          Losses Volatility
                          Operational VaR



OpRisk Capital = (1 + KRI volatility ) × OpRiskVaR
     Incorporating Key Risk Indicators in Capital 
           Charge: Frequency Regression


•     The loss frequency is assumed to be a linear function of the KRIs. For example:
      Loss Frequency = α × Transaction Fails Count  + β × Transaction Volume

•     Regression analysis and maximum likelihood analysis is performed to determine 
      parameters    α,   β

•     Loss frequency determines frequency distribution. Frequency and severity 
      distributions are used to calculate operational risk VaR and capital charge.




74
     Incorporating Key Risk Indicators in Capital 
           Charge: Frequency Regression
 •   Example:
     Loss Frequency = 0.0199 × Transaction Fails Count + 0.0122 × Transaction 
     Volume

     Using most recent value of KRI, e.g. Transaction Fails Count = 5,  Transaction 
     Volume = 163

     Then Loss Frequency = 0.0199 x 5 + 0.0122 x 163 = 2.09 / day
     Use this loss frequency and previously estimated severity distribution to 
     calculate VaR

 •   Frequency regression can also be used to perform stress tests. For example,  
     VaR increases 20% when transaction fails count increases 5%.



75
II-g External Loss Data
                 External Loss Data
Input data for Advanced Measurement Approach:

 •   Internal Loss Data
 •   Scenario Analysis
 •   Key Risk Indicators
 •   External Loss Data




                                                77
                External Loss Data
Reasons for using external loss data
 • Required by AMA
 • Complement existing internal loss data. Internal loss data may 
   not include large magnitude losses. External loss data can 
   help to estimate tail of the loss distribution
 • Internal loss data may not be available




                                                               78
                   External Loss Databases
• Public External Loss Databases: e.g. Fitch
    • Includes identity of firm
    • Tends to cover just large losses which attracts attention of media
    • Covers limited loss types, e.g. not Execution, Delivery and Process Management
• Consortia: e.g. ORX
    • Identity of Firm is anonymous
    • Wider array of losses and loss types
• Insurance Data: insurance claim data provided by insurance brokers e.g. OpBase
    • Tends to be smaller losses below $5M
    • Bias due to deductibles and policy limits
    • Available loss types will depend on type of insurance policy
     ORX Background and History
ORX is a not‐for‐profit organization, owned and run by the Members

ORX was incorporated as a Swiss Association in April 2002

ORX was founded with the objective of sharing quality operational risk data 
on a secure and anonymized basis to enable banks to improve risk
measurement and management

ORX also works with its members to:

 •   develop operational risk management practice

 •   set common standards for the industry

 •   develop professional networks

 •   conduct leading edge research
                                                                          80
                                  ORX  Loss Data 
ORX strives for consistency in the data it collects from members. Each individual loss  event is categorized according 
    to
the common standards set out in the ORX Operational  Risk Reporting Standards (available from   www.orx.org). ORX
members are required to  report all losses over €20,000. Above this threshold it is the  objective of ORX that the  data
from every member is complete. Each loss is then characterized according to the  following primary attributes:
Classification Data
    • Reference ID number (Member generated)
    • Business Line (Level 2) Code (See Appendix 3.2 for ORX Business Line table)
    • Event Category (Level 2) Code (See Appendix 3.3 for ORX Event Category table)
    • Country (ISO Code)
    • Credit‐related (C/N)
    • Related event Ref ID (Member generated)
Reference Dates
    • Date of Occurrence
    • Date of Discovery
    • Date of Recognition
Amounts
    • Gross Loss Amount
    • Direct Recovery
    • Indirect Recovery
Exposure Indicators by Business Line (Level 2)                                                                  81
    • Gross Income
             Algo OpData   (Fitch) 
• Algorithmics – Subsidiary of  Fitch (700 people) 
• Database contains 12,000 publicly reported operational risk 
  losses, each with a value over 1,000,000 USD
• Time span 16 years
• Each year 750 – 1000 new entries are added




Important Feature:  Customer, who buys the 
  database,  does not have to show his own data !

                                                                 82
     Incorporating External Loss Data in 
         Measurement Framework
  Approaches:
• Mixture model: Use external loss data in tail and internal 
   loss data in body. Useful when internal loss data has few 
   high severity events
• Credibility Methodology: Create loss distribution which is 
   weighted average of internal loss distribution and external 
   loss distribution
• Qualitative use: as a reference to inform scenario analysis 
   workshops




                                                                  83
II- h Correlations and
      Dependencies
Risk Drivers




               85
     Dependencies and Correlations
          in Operational  Risk 

• Basel II requires capital charge for operational risk of 
  separate business lines to be added unless dependencies 
  between business lines is taken into account.
• Independence of operational events across business lines 
  and diversification may reduce VaR. Hence, there is a strong 
  incentive to include effect of diversification.
• However, regulators expect firms to demonstrate that 
  methodology of incorporating correlations is sound. 



                                                             86
                           Copulas
Using the separate marginal distribution of Fixed Income losses 
  and marginal distribution of Equities losses together with 
  their correlation, we wish to construct a bivariate loss 
  distribution function F(X,Y) for the losses for the two 
  business lines. A bivariate loss distribution gives the 
  simultaneous probability of an Equities loss and a Fixed 
  Income loss. 



  Solution:  Use Copulas


                                                                   87
                           Copulas

•      Copulas are a new way of modelling the correlation  
  structure between variables.
•       They disassociate the correlation structure from the 
  marginal distributions of the individual variables
•       Copulas offer a method for combining marginal  
  distributions  into multivariate distributions
    –Good method to capture dependency in tail
    –Flexibility in patterns of correlation
    –Can use statistical measures to compare fits



                                                                88
III  Conclusions and 
      Discussions 
III a   Review of Operational 
       Risk Measurement 
           Framework
          Review of Op Risk Measurement 
               Framework: Loss Data
• Qualitative Analysis of the Data
    • Measure the mean, dispersion and heavy tailedness of data using kurtosis
    • Look for statistical outliers


• Quantitative Analysis of Data
    • Estimate severity and frequency loss distributions for data
    • Select appropriate distribution using goodness‐of‐fit tests and graphical 
    plots. 

              Determine data truncation threshold 

           Goodness of fit tests measure how close the estimated distributed is to 
         the empirical distribution

              Graphical plots:  histograms and QQ and PP plots

          E xtreme value analysis: use Hill and Mean Excess plot to check fit for 
         extreme value distributions and choice of threshold 
 Review of Op Risk Measurement Framework: 
Include Key Risk Indicators, External Loss Data 
            and Scenario Analysis
• Include KRIs in Framework: Perform Regression Analysis
• To identify drivers of losses
• To conduct stress tests
• To forecast losses
• Incorporate into VaR via frequency regression or KRI volatility
adjustment

• Include External Loss Data in Framework
      Use mixture distibution (internal losses for body and external 
     losses for tail) or use credibility methodology to build a combined 
     loss distribution using internal losses and external losses

• Include scenario analysis from self‐assessment program in framework
          Review of Scenario Analysis
Scenario analysis can be part of a risk and control self‐
assessment program

Experts from across the firm assess specific risks for their 
business. Experts have a spectrum of roles: front office, 
finance, operations, IT,  and legal. They assess potential risks
and quality of controls in place. They develop possible 
scenarios and the likelihood and impact of these scenarios.

Examples:
    Pandemic flu, terrorist attack, unauthorized trading, 
trade misbookings, incorrect data entry, system crashes
          Review of Ops Risk 
        Measurement Framework

•   Find correlations and dependence structure

•Generate loss distributions from all input 
data elements and from correlation
        Review of Op Risk Measurement 
           Framework: Calculate VaR 
       Severity                                  Frequency
Prob                             Prob




                  Losses sizes                       Number of Losses




                                                     Aggregated Loss Distribution
        Prob

                                                         Needs to be computed
                                                         by Monte Carlo simulation

                         Aggregate loss amount
         Review of Op Risk Measurement 
            Framework: Calculate VaR 
• Calculate VaR by aggregating frequency and severity using Loss Distribution 
Approach and Monte Carlo Simulation
• Example: to calculate yearly 99.9% VaR
  Sample loss count from frequency distribution: e.g. 15 was obtained

 Sum 15 samples from severity distribution: 

$56,786 + ... +$982,343=$6,734,341

$6,734,341 is 1 sample of the aggregate loss over the next year.

 Repeat 100,000 times to obtain 100,000 samples of the yearly aggregate loss

 Rank 100,000 aggregate loss samples from highest to lowest

  99.9% yearly VaR is 100th highest on the list
          Model Backtesting and Validation

• Backtesting is fundamental to receiving approval by regulators for internal 
measurement models

   => Many violations implies a bank is riskier than it seems (model is 
inappropriate for poorly calibrated?)
   => Too conservative values imply excess capitalisation

• In operational risk, backtesting is complicated by limited availability of data 
but it is still possible and fundamental to verify the accuracy of the model.
 III-b Hedging
Operational Risk
        Hedging Operational Risk

Approaches to hedging operational risk

  – Insurance
     • Insurance coverage can be incorporated into methodology using 
       information about deductibles/limits on  “event policies”
     • Still have to take into account credit risk and legal risk
  – Securitization  (financing) of  risk 




                                                                    99
              Hedging Operational Risk 


Probability




                                                        Severity of loss

                                        $10M
                      Insurance mitigation     Securitization
Effect of Insurance on Loss Distribution
         Probability of Loss




                                         With insurance: Lower standard
                                         deviation, higher mean




                                                                          Without insurance



   Source: Marshall, C, Measuring and                                            Cost paid by bank
   Managing Operational Risks in Financial
   Institutions, supra note20, p.435



                                                                                                     101
                     Securitizing Operational Risk
     Securitizing OR provides an alternative to traditional insurance as a way to hedge operational risk.



                                 Premium        Special          Bond
                                                Purpose                          Capital
                  Bank                                                           Market
                                                Vehicle
                                                 (SPV)
                                Insurance                       Commission


    Examples of Products:

•     Ops Risk Linked Bonds:
       – Bank pays premium and bond holder receives insurance. Bank is compensated if yearly
          operational losses exceed a certain threshold and bond holder forfeits part of principal.
•     Equity – Ops Risk Put
       – Bank has option to sell its shares at fixed strike in the event that a legal loss event occurs

Some Challenges:

      •   Pricing requires estimating probability that aggregate losses exceed a threshold. No-arbitrage
          type pricing is not available since market is incomplete. Robust estimation of severity and
          frequency of operational losses is critical.
      •   Distinguishing relative risk between firms when a pool of data from a consortium is used
      •   Moral Hazard
       Operational Risk Reserve 
           Requirement
• Simulate operational losses using estimated 
severity and frequency loss distributions

• Track reserve based on the difference in allocated 
gross income and operational losses each day

• Determine fraction f of gross income to reserve for 
operational risk reserves to avoid ruin
III-c Software and Decision
      Support Systems
   Overview of Commercially Available  
Software Platforms  (Gartner Group ‐ 2008)




                                             105
Enterprise Risk Management Dashboard




                                   106
           Dashboard with Operational Risk Metrics
Investment Bank - JPMorganChase                             Equity Derivatives Group – US (JPMorganChase)                              December 31, 2005
Equities                                                             Organization View                                                           New York




           See appendix for legend and data sources.                                                                                                                   Process View
                                                                                                                                                                       Process Map
                                                                                                                                                                       Activity Description
                                                                                                                                                                       Subrisks
                                                                                                                                                                       Controls
                                                                                                                                                                       SOX-404 Key Controls
                                                                                                                                                                       CSA Scores and Weights
                                                                                                                                                                       Action Plans
                                                                                                                                                                       CSA Capital Impact
                                                                                                                                                                       RED Data
                                                                                              Note: Activity included in End to End
                                                                                                                                                                       Audit Impact
                                                                                                               view                                                    KRIs

                                                                                                                                                             Audit Summary
                                                                                                                                                        (3/31/04 Rolling 12 Mo.)
                                                                                                                                                                          Capital
                                                                                                                                                        Rating Audits Impact
                                                                                                                                                          A         0
                                                                                                                                                          B         6
                                                                                                                                                          C         1      $5.6
                                                                                                                                                          D         0
                                                                                                                                                          F         0
                                                                                                                                                        Total       7      $5.6

                             Note: Activity included in End to End                             Note: Activity included in End to End
                                                                                                                                                                   RED Events
                                              view                                                              view                                              ($ Thousands)
                                                                                                                                                                    Absolute Value


                                                                                                                                                    $20,000

                                                                                                                                                    $15,000

                                                                                                                                                    $10,000

                                                                                                                                                     $5,000

                                                                                                                                                         $0
                                                                                                                                                                2001           2002     2003
                                                                                                                                                    Timing      $400          $370      $0
                                                                                                                                                    Economic   $15,451        $1,522    $30



                                                                                                                                                     Note: RED data is as
                                                                                                                                                       of 12/31/2003




                                                                                                                                                                                       107
III‐d  Discussion and 
      Conclusion 




                         108
      Loss Data Profile : Time Trends in Data Capture

Overall ORX Data and Statistics

                                       Total    2002      2003    2004     2005     2006     2007


Total Number of Loss Events           92,157    7,838   10,718   14,905   18,150   21,135   19,411

Total Gross Loss Amount (Millions)   €30,722   €5,272   €7,068   €4,640   €4,760   €4,218   €4,764



        Loss Frequency 2002-2007                        Loss Severity 2002-2007




                                                                                            109
Capital Attribution: Present and Future

      Current                    Future
 capital/attribution       capital/attribution



     Operational risk          Operational risk
          20%                       30%




       Market risk               Market risk
          10%                       30%




       Credit risk               Credit risk
          70%                       40%

                                                  110
 Interplay between Operational Risk, 
Credit Risk, and Market Risk in Banking
 • Credit Risk and Market Risk may be magnified by 
   Operational Risk (e.g., incentive system (bonuses) of the 
   sales force may not be aligned with the credit/market risk 
   (up front commission for the sale of a long term credit risk))
 • Heavy trading volume may cause delays in obtaining  market 
   data
 • Accuracy of input data (or system down time) may affect 
   asset managers’ decision‐making process 
 • How should we compute this multiplier effect ?  
 • How should we measure and deal with correlation effects ?
                                                            111

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:28
posted:10/11/2011
language:English
pages:111