DEVELOPMENTS IN OPERATIONAL RISK MANAGEMENT
Neil Brown
Managing Director
Global Head of Risk Management & Product Control
16 April 2003
RISK AND CONSEQUENCES
“...only the foolhardy make choices based on the probability of an outcome without regard to its consequences....”
“...only the pathologically risk-averse make choices based on the consequences without considering the probability involved...”
Peter Bernstein
CONSULTATIVE PAPERS
• CP140 (Insurers) – February 2003 (advance of Prudential Sourcebook in 2004)
• CP142 (Asset Managers) – 2004 (parts into Prudential Sourcebook, parts into Senior Management, Systems & Controls)
• Should reflect “common practices at prudently managed firms and that many firms already meet it”
• Risk Identification / Risk Management / Risk Control
CONSULTATIVE PAPERS – Risk Identification
• Nature of firm’s customers / products / activities / distribution
• Design / implementation / operation of processes / systems
• Risk Culture
• HR management practices
• Operating environment: political / legal / technological / market structure
CONSULTATIVE PAPERS – Risk Management
• People resourcing / training / succession planning
• Systems IT platform – minor manual error to major systemic error
• External BCP
• Outsourcing external / internal – still need to manage
• Fraud / Money Laundering
• Legal interpretation / enforcement of contracts
• Group Risks assessment of other parts of Group
CONSULTATIVE PAPERS – Risk Controls
• Improving Risk Culture
• Corporate Governance - structure
• Audit Trail / Evidence
• Insurance?
OPERATIONAL RISK FRAMEWORK
• Establish specific accountability, policies & controls
• Clearly document procedures and map process flows
• Ensure segregation of duties
• Ensure access controls to assets / data privacy
• Ensure audit trails / evidence
• Ensure continuity and disaster recovery
• Review & approve control processes
OPERATIONAL RISK FRAMEWORK
• Event / Loss database / Self assessment
• “Quantification” of risk exposure?
• Control identification / mapping
• “Quantification” of mitigation / net exposure?
• Identification of control improvements
• Action tracking process
KEY INPUTS TO OPRISK MANAGEMENT PROCESS
Building Blocks…
• Risk Reviews
• Business Process Mapping
• Control Self Assessment
• Internal and External audit reports
• Errors and Breaches Report
• Compliance Monitoring programme
• MIS data
KEY DELIVERABLES
• Risk reviews / Process Maps / CSA action items.
• Investigation of major errors and breaches.
• Oversight of audit / BCP / ISO
• Resolution and/or escalation of issues.
MANAGEMENT REPORTING
• Key Risk Indicator / Key Control Indicator Reporting
• Control Improvement Plans
• Loss Data Reporting
• Audit Tracking
• Other Management Reporting
SOME “MYTHS” SURROUNDING OPERATIONAL RISK
• Quantification of OpRisk is sufficient to mitigate it
  – Quantification is still nascent, and is only part of the issue
• Any data is better than no data
  – Loss data is context dependent
• Well run firms will be more certain about the probability and severity of an OpRisk Loss
  – Well run firms will suffer from small sample problem in modelling OpRisk losses
• Massive losses require EVT to model them
  – Massive losses build over time
  – Improve controls
  – Evaluate relevance of EVT
• Insurance is an alternative to measuring and managing OpRisk exposures
  – Insurance is potentially an additional mitigation
COMPARING OPRISK WITH MARKET RISK AND CREDIT RISK
1 Unlikely other than for certain high frequency low loss events, e.g. operations losses.
OPERATIONAL RISK MODELS
• Gross Income
  – Simple, cheap, transparent, no loss data required, verifiable
  – Backward looking, not indicative of risk, penalise well-run firms
• Full Scorecard Approach
  – Understands processes, uses firm knowledge, uses historical data, incentivises
  – Very costly, bureaucratic, subjective
• EVT
  – Relevant part of loss distribution
  – Ignores most of distribution, large losses not one-off events, small sample problem, choice of threshold (how rare is rare)?
OPERATIONAL RISK MODELS
• Bayesian Networks
  – Cause/effect and control become apparent, prior probabilities based on firm knowledge and experience, estimates easy to update, scenario analysis easy, simplifies complex processes, networks are firm specific
  – Complexity (require strong documentation), interpretation of results requires expertise, costly and time consuming (versus benefit?)
• Monte Carlo simulation
  – Handles complex systems, produces appropriate loss distribution, can be dynamic, precision increased by increasing number of simulations
  – Larger the system the slower the process, complexity leads to few really understanding a complex system, choice of events to populate distribution key (GIGO), costly and time consuming (versus benefit?)
EXTERNAL DATA
• Useful
  – For external risks
  – For information on HOW an event can occur
  – A reminder of relevance of OpRisk
• Not Useful
  – To augment a small data set
  – For “any data are better than no data” argument
VALIDATION
Validation of OpRisk models is a major issue:
• Current published approaches do not address the “completeness of portfolio” issue
• Causes of large losses are generally complex, the result of several factors, so ability to predict future large losses based on previous ones is reduced
• Much easier to predict for operations processing losses where, generally, few factors often cause loss
• Context dependency issue: Lack of cause and effect
• As yet no proven predictive link between past and future events
• Lack of sufficient relevant data: System (firm, organization unit within firm) changes in character before adequate data is accumulated to validate a model
• Sufficient data only available for the high-frequency, low-impact loss events
  – But these events would not drive the capital charge
PRACTICAL ISSUES FROM USING OPRISK MODELS
Basel 2 proposed Basic and Standard approaches:
• Current approaches could be misleading: Current basic indicator and standardized approaches base the OpRisk capital charge on a single indicator such as gross income
• In general, more profitable institutions have less OpRisk – can invest in good people, systems, training
• E.g. compare with airlines – more profitable airlines generally safer
• Single indicators could lead to dysfunctional accounting practices and perverse incentives
• Some evidence that OpRisk losses of the same magnitude happen to big and small firms
Proposed OpRisk quantification approaches:
• False reliance: attempting to summarize all OpRisk into single measure & managing by analogy to market risk and credit risk could be misleading and dangerous
• May give impression of being in control to senior management/owners when in reality model generating misleading results
• Misleading output: May cause senior management/owners to take actions that reduce OpRisk per the model, but not in reality
  – Actions may actually increase real risk
• Lack of cause and effect: If the model does not predict all causes and effects accurately, incorrect management decisions could be the result
• Distraction effect: Focus on quantification will divert important resources from other work
• Potentially reduces the focus on sound risk management practices (Pillars 2 and 3)
SUMMARY
• Encourage innovation of best practices
• Current state of thinking for both OpRisk measurement and OpRisk management still evolving
• Rules need to remain flexible to offer banks incentives to continue development in this area
• OpRisks are highly context dependent & causes of large losses are generally complex
• The higher the context dependency the less the past will be a good indicator for the future
• No evidence yet to suggest that OpRisk is amenable to measurement to same extent as market risk or credit risk. No validated models that link back to underlying risk drivers
• Many of the current approaches could create a false sense of security & distract resources from other work
• If models had been in place in the past, how many material adverse OpRisk events would have been prevented?
• CS approach – Focus resources on shrinking those “holes”
• (1) Devote OpRisk resources into improving OpRisk management practices and tools, rather than quantification
• (2) CS’s current Economic Risk Capital approach is to ensure management awareness of OpRisk and to integrate into overall risk capital process
• (3) Most areas will use blend of tools - no silver bullet - lots of old fashioned management of people, MIS, systems, controls, etc.