Implementing Operational Risk in an Enterprise Risk Management Framework. William Gonyer Managing Director [email protected] Session Outline. Operational Risk as a component to ERM; BIS II defined and as template to an ORM program;
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
Is a pragmatic approach to many of the risks covered within an ERM framework. OR is defined by Bank for International Settlement as “the risk of losses arising from inadequate or failed internal processes, people, systems, or external events.”
Capital is calculated using the amount of the institution’s available capital as the numerator and risk-weighted assets as the denominator. The minimum capital ratio is 8%:
Risk-weighted assets come from credit and market activities and Basel II introduced the added component of Operational Risk.
Basel II provided three methods for calculating the Operational Risk component the capital equation:
Under the basic indicator approach the “weight of the asset” is calculated using the three year average of gross income multiplied by a fixed charge of 15%.
This approach is intended for a financial institution with less complex operations.
Under the standardized approach the gross income of a defined business unit is multiplied by a percentage associated with the type of business:
A financial institution utilizes its own risk measure generated by its Operational Risk measurement system.
The specific methodology must be approved by its regulatory supervisor.
Supervisory review of capital adequacy
Capital adequacy is something we are all familiar with but in the broker/dealer industry there is no specific requirement to calculate a capital component for OR.
Experience shows that in the distant past regulators looked to a multiple of regular required capital to cover undisclosed risk as an informal buffer. The buffer served as a discussion point with the regulator.
Public disclosure is limited for the broker/dealer industry as there is no specific requirement for adoption of an Operational Risk program, its capital nor its disclosure requirements.
There are however, requirements under Generally Accepted Accounting Principles that material, expected losses be disclosed.
Implementation began in August 2001 at the US subsidiary of a fully licensed “universal bank” in France where implementation was a (regulatory) requirement.
Ixis was an investment bank with two US registered B/D subsidiaries. The bank’s headcount was about 350, with a balance sheet of approximately $45 billion in assets and revenue of $340 million. By the end of implementation, organic growth had increased headcount to 500, assets totaled $60 billion and revenue exceeded $500 million .
Ixis’ management was very decentralized in that departmental management had significant authority within functional domains and budgetary constraints.
The OR compliance manager provided a briefing on the requirements and sample self-assessment questionnaires.
Armed with Head Offices’ compliance requirement and the CEO’s buy-in, a 7 to 8 member working group was established to build the Self Assessment of OR questionnaire.
The departments heads of this group were selected based on a number of factors:
These factors relate to the OR definition “the risk of losses arising from inadequate or failed internal processes, people, systems, or external events” such as the department headcount and budget and the risks associated with the department’s responsibilities.
Another consideration was the departmental manager’s relative influence or expected importance for the OR program’s success.
The following rationale helped convince working group or committee members of the value of the OR program and their active participation:
The working group began the development of a baseline self-assessment questionnaire. The questions were categorized according to the BIS table “Detailed Loss Event Type Classification.” A key objective for the self-assessment was that it follow the BIS classification and that the end product questionnaire would quantify loss risk and produce an “heat map” by business lines. Business lines were based on departments which aligned with the business types of BIS on page 8 of the presentation.
BIS classifies loss events in the following Level I Categories:
Theses events are defined and broken down further into Levels 2 & 3 having greater detail at each succeeding level.
Impact of Risk
Ability to Control Risk
Dedicated Staff – From 2001 to 2006 there was no authorized headcount, rather the department was staffed using temporary staff for major projects and cost allocations from each department for Risk Managers and support staff – typically 5 to 15% of a fully charged staff, while no charges were allocated to small departments. 25% of OR Head’s departmental cost (including admin staff) was allocated to the project, and system administration support was provided by a junior officer in the audit team. Key indicator chase and follow-up was performed by either the OR Head or admin support. Significant loss events were often followed up by audit staff as audit issues and thus not charged to OR.
The eight components
of the ERM framework
apply equally to OR…