2. What is Risk?
Risk may be viewed as:
• A trade-off between “Higher Rewards” that potentially come with OPPORTUNITY and “Higher Risks” that have to be borne as a consequence of DANGER
• Deviation of actual returns from the expected returns
5/22/2011 Bushra Angbeen 2
3. Risk Management - Defined
Risk management can be defined as:
“The process by which organizations identify, assess, control, monitor and measure their significant risks from all sources for the purpose of increasing short and long term value to stakeholders.”
Risk Management is a continuous activity that aggregates and integrates risk management activities across all types of risk in order to achieve maximum risk-adjusted returns.
4. Structure of the Basel Accord
The New Basel Capital Accord consists of three mutually reinforcing pillars. All three pillars need to be applied by banks.
Pillar 1: Minimum Capital Requirements
Establishes minimum standards for management of capital on a more risk-sensitive basis and specifically addresses:
• Credit risk
• Operational risk
• Market risk
Pillar 2: Supervisory Review Process
Increases the responsibilities and levels of discretion for supervisory reviews and controls covering:
• Processes for capital and risk profile management
• Capital adequacy
• Level of capital charge
• Proactive monitoring of capital levels and ensuring remedial action
Pillar 3: Market Discipline
Expands the content and improves the transparency of financial disclosures to the market, with disclosure of:
• Description of risk management approaches
• Levels of capital
• Analysis of risk exposures and capital by businesses / segments
5. Risk Management – Needed due to pervasive scope of risk
The pervasive scope of risk points to the need for a bank-wide, comprehensive risk management strategy, supporting structure, monitoring and control, and measurement processes which encompass all key elements of risk.
Credit Risk
• Corporate
• Consumer
• Counterparty
• Sovereign
• Model
• Insurance
Market Risk
• Underwriting
• Liquidity
• Market Price
• Trading and ALM
• Model
Operational Risk
• Internal fraud
• External fraud
• Employment practices and workplace safety
• Clients, products & business practices
• Damage to physical assets
• Business disruption & system failure
• Execution, delivery & process management
Underlying all three: Risk and Control Culture
6. Focus of Basel II Market Risk
Pillar I of Basel Accord – Minimum Capital Requirements focuses on three major categories of risk:
Credit Risk: The risk that a borrower may not be able to repay a loan.
Operational Risk: The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
Market Risk: The risk of loss arising from the fluctuating prices of investments as they are traded in the global markets.
7. What is operational risk?
The Basel II Accord and RBI’s Draft Guidance Note on Management of Operational Risk define operational risk as:
“The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”
The definition includes legal risks but excludes strategic and reputation risks.
Examples of operational risks in a retail branch (illustrative):
• Internal processes: KYC guidelines not observed, resulting in fraud
• People related: Inadequate training to handle products and customer complaints, resulting in loss of business
• Systems related: Inadequate systems to handle voluminous transactions
• External events: Natural disasters resulting in disruptions of operations
8. Features of Operational Risk
Pervasive: Embedded and inherent in internal processes, activities, people and systems across the entire Bank
Measurement is a challenge:
• Cannot quantify / measure in the same manner as credit or market risk
• Quantifying individual events is a challenge, e.g. system downtime, loss of customers, business disruption
• Approach to be adopted for quantifying overall capital charge is a challenge
Dynamic: With continuous changes in operations, processes, technology and the external environment of the Bank, the nature of operational risk undergoes changes all the time
Ownership – a challenge: Being pervasive in nature, who should own its management poses a challenge
9. Why is Operational Risk receiving increased attention?
• Growing complexity in the banking industry (products, services, technology, globalization, acquisitions/mergers, etc.)
• Several large and widely publicized operational losses in recent years, e.g. Barings Bank, Sumitomo Corp, Daiwa Bank (NY), Societe Generale
• Rapid pace of innovation
• Increased focus on corporate governance
• Increased global competition
• A changing regulatory capital regime
10. Approaches to minimum capital Requirement
Basel II provides banks with a menu of approaches for quantifying the different types of risk under Pillar 1:
Basel II Menu
• Credit Risk
– Standardised Approach (a modified version of
the existing Basel 1 approach)
– Foundation Internal Ratings Based Approach
– Advanced Internal Rating Based Approach
• Market Risk (unchanged from Basel 1)
– Standardised Approach
– Internal Models Approach
• Operational Risk
– Basic Indicator Approach
– Standardised Approach
– Advanced Measurement Approach
11. Operational Risk Capital: Basic Indicator Approach
• Use of Basic Indicator or Standardised Approach for some risks and AMA for others is permitted.
• Cannot revert to a simpler approach if an advanced approach has been permitted, without supervisory approval.
Basic Indicator Approach (BIA)
K_BIA = GI × α
where
K_BIA = capital charge under the Basic Indicator Approach
GI = average annual gross income over the last 3 years
α = 15%
Gross income = net interest income + net non-interest income, as laid down by supervisors / national accounting standards:
(i) gross of any provisions (e.g. for unpaid interest, interest suspense a/c);
(ii) exclude realised profits/losses from sale of securities in banking book (HTM and AFS);
(iii) exclude extraordinary / irregular items / insurance income.
12. The Standardized Approach (TSA)
• Banks’ activities are mapped to a framework of 8 business lines
• Capital charge for each business line is calculated by multiplying an indicator by a factor assigned to that business line
  – Indicator: annual gross income (as described in BIA)
  – Factor: beta (β) established by the BCBS
• Total capital charge is based on the 3 year average of the simple summation of the regulatory capital charges across each of the business lines in each year
13. The Standardised Approach (TSA)
Qualifying criteria established by the Basel Committee plus additional criteria by national supervisors.
Key Basel Committee criteria for internationally active banks:
• Adequate governance framework and risk management system
• Policies and documented criteria for mapping business lines & activities into the standardised framework
• Independent operational risk management function
• Track operational risk data (including material losses) by business line
• Report operational risk exposures to business unit management, senior management and board
• Validation and regular independent review of operational risk assessment system
Margin labels on the slide (their alignment with the criteria above is not recoverable):
• Core for non-internationally active banks
• Recommended for non-internationally active banks
14. The Standardised Approach (TSA)
• More refined than the Basic Indicator Approach
• 8 business lines
• Gross income for each business line, not the whole institution
• Gross income for a business line: same definition as in the Basic Indicator Approach
• Capital charge: multiply gross income by a factor (beta) assigned to that business line
Total capital charge: K_TSA = Σ (GI_1-8 × β_1-8)
where
K_TSA = capital charge under the Standardised Approach
GI = gross income
β = multiplication factor
15. Operational Risk Capital: The Standardized Approach (TSA)
Business Line | Average Gross Income of 3 years | Beta factor | Capital charge
Corporate Finance | 200 | 18 % | 36
Trading & sales | 100 | 18 % | 18
Retail Banking | 200 | 12 % | 24
Commercial Banking | 200 | 15 % | 30
Payments & settlements | 200 | 18 % | 36
Agency services | 100 | 15 % | 15
Asset Management | 100 | 12 % | 12
Retail Brokerage | 100 | 12 % | 12
Total | 1200 | | 183
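An added worked example (not part of the original slides): the BIA formula from slide 11 and the TSA formula from slides 14 and 15, computed over per-year, per-business-line gross income. It goes beyond the slides in one respect: the exclusion of non-positive years under BIA and the zero floor on each year's TSA sum come from the Basel II framework text, not from this deck; the function names and the loss-year figures are constructed for illustration.

```python
from fractions import Fraction

ALPHA_PCT = 15  # BIA alpha, from slide 11
# TSA beta factors in percent, from the slide 15 table
BETA_PCT = {
    "Corporate Finance": 18, "Trading & Sales": 18, "Retail Banking": 12,
    "Commercial Banking": 15, "Payments & Settlements": 18,
    "Agency Services": 15, "Asset Management": 12, "Retail Brokerage": 12,
}


def bia_charge(yearly_gi):
    """K_BIA = alpha x average gross income (integer amounts).

    Years with zero or negative gross income are left out of the average
    (Basel II framework rule, not stated on the slides).
    """
    positive = [gi for gi in yearly_gi if gi > 0]
    if not positive:
        return Fraction(0)
    return Fraction(sum(positive) * ALPHA_PCT, 100 * len(positive))


def tsa_year_charge(gi_by_line):
    """Sum of GI x beta across business lines for one year; can be negative."""
    unmapped = set(gi_by_line) - set(BETA_PCT)
    if unmapped:
        raise ValueError(f"unmapped business lines: {sorted(unmapped)}")
    return Fraction(sum(gi * BETA_PCT[line] for line, gi in gi_by_line.items()), 100)


def tsa_charge(years):
    """K_TSA = average over the years of max(yearly sum, 0).

    The zero floor per year is the Basel II framework rule, not on the slides.
    """
    floored = [max(tsa_year_charge(y), Fraction(0)) for y in years]
    return sum(floored, Fraction(0)) / len(years)


def compare(years):
    """Return (K_BIA, K_TSA) for a list of per-year {business line: GI} dicts."""
    return bia_charge([sum(y.values()) for y in years]), tsa_charge(years)


# Constructed input: the slide 15 gross income figures, used for each of 3 years.
SLIDE_15_GI = {
    "Corporate Finance": 200, "Trading & Sales": 100, "Retail Banking": 200,
    "Commercial Banking": 200, "Payments & Settlements": 200,
    "Agency Services": 100, "Asset Management": 100, "Retail Brokerage": 100,
}
# Constructed loss year: a trading loss pushes whole-bank gross income below zero.
LOSS_YEAR = {**SLIDE_15_GI, "Trading & Sales": -1500}
```

With the slide 15 figures in all three years, `compare` gives 180 under BIA against the table's 183 under TSA; replacing the third year with `LOSS_YEAR` leaves BIA at 180 (the negative year drops out of the average) while TSA falls to 122 (that year contributes zero but still counts in the divisor).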
16. OR Capital : BIA vs TSA
• Basic Indicator Approach and Standardised require much larger capital for operational risk than AMA
• There is little difference between the capital needs under BIA and TSA: both are high.
• TSA provides little relief, because of the very nature of our business composition.
Capital required (Rs cr):
Year | BIA | TSA | Diff.
2008 | 3280 | 3710 | 430
2009 | 3528 | 4070 | 542
2010 | 3982 | 4594 | 612
2011 | 4883 | 5634 | 751
2012 | 6105 | 7043 | 938
17. Advanced Measurement Approach
• Capital required = risk measure generated by bank’s internal operational risk measurement system
• Bank must fulfil qualitative & quantitative criteria
• Supervisory approval required for using AMA
• Initial monitoring by supervisor for determining whether the approach is credible & appropriate
18. General Qualification Requirements for AMA
• Overall: Rigorous process consistent with internal risk management & MIS; appropriate infrastructure
• Risk Management: independent Operational Risk Management function
• Data & Assessment Systems: ability to assess risks & data consistent with activities & profile; transparent, systematic, credible and verifiable processes that incorporate the four data elements
19. General Qualification Requirements for AMA Cont’d
• Required Data Elements:
  – Internal Loss data
  – External Loss data
  – Scenario Analysis
  – Business Environment & Internal Control Factors (BEICF)
• Quantification Systems
• Data management & maintenance: systems to support data collection, storage, analysis, monitoring & validation
• Control, oversight & validation: governance & oversight, periodic review, model validation & independent verification & documentation of all material aspects
20. Internal Loss Data
Definition: Any data on exposures held in a bank’s existing or historical portfolios, including data provided by third parties
• Systematic process for capturing & using operational loss data
• Operational losses must be mapped to 7 event types and 8 business lines
• Threshold for data collection: banks to demonstrate that no important loss data is excluded
• Operational losses related to credit risk will continue to be classified as credit risk
• Operational losses related to market risk will be treated as operational risk
• Internal loss data is used for direct input to the operational risk capital model, and also as input in scenario analysis & BEICF
21. External Loss Data
• External loss event data means gross operational loss occurring at organizations other than the bank
• Obtained from vendors, newspapers, court records, insurance companies, data consortia, etc.
• Multiple uses:
  i) Management reports
  ii) Direct input into capital model
  iii) Supplement the lack of internal loss data
  iv) Better understanding of severe but infrequent loss “tail” events
22. Business Environment & Internal Control Factors (BEICF)
The indicators of an institution’s operational risk profile that reflect a current and forward looking assessment of its underlying risk factors
Tools used to support the BEICF requirement:
- Risk Control Self-Assessments (RCSA)
- Key Risk Indicators
- Process mapping
23. Scenario Analysis
• Nothing new, historically used for Business Continuity Planning; being expanded for use in capital
• Scenarios usually focus on developing the “severity” of losses on larger events for use in the tail
• Where scenarios are used:
  – Qualitative adjustment
  – Supplement data
• Use of scenarios varies widely among institutions
24. Operational Risk Events Categories
Operational risk categories (Level I risk categories) defined by Basel II and RBI:
• Internal fraud
• External fraud
• Employment practices and workplace safety
• Clients, products & business practices
• Damage to physical assets
• Business disruption & system failure
• Execution, delivery & process management
25. Operational Risk Events Categories
Level 1 | Level 2 | Examples (Level 3)
Internal fraud | Unauthorized activity | Transactions not reported intentionally; sanctioning unauthorized activities
Internal fraud | Theft and fraud | Embezzlement / bribes; misappropriation of assets
External fraud | Theft and fraud | Forgery / check kiting; theft / robbery
External fraud | Systems security | Hacking damage; theft of information
26. Operational Risk Events Categories
Level 1 | Level 2 | Examples (Level 3)
Employment practices & workplace safety | Employee relations | Organized labour activity; compensation, benefit, termination issues
Employment practices & workplace safety | Safe environment | Workers’ compensation; employee health & safety rules
Employment practices & workplace safety | Diversity and discrimination | All discrimination types
Clients, products & business practices | Suitability, disclosure, and fiduciary | Misuse of confidential information; suitability / disclosure issues (KYC etc.)
Clients, products & business practices | Product flaws | Model errors / product defects
27. Operational Risk Events Categories
Level 1 | Level 2 | Examples (Level 3)
Clients, products & business practices (contd.) | Improper business practices | Insider trading; money laundering
Clients, products & business practices (contd.) | Selection, sponsorship and exposure | Exceeding client exposure limits / failure to investigate clients as per guidelines
Clients, products & business practices (contd.) | Advisory activity | Disputes over performance of advisory activities
Damage to physical assets | Disasters and other events | Natural disaster losses; human losses from external sources (terrorism etc.)
Business disruption and systems failure | Systems | Hardware / software; telecommunications / utility disruptions
29. What is Operational Risk “Management”?
Management of operational risk is taken to mean:
Identification • Assessment • Monitoring • Mitigation • Reporting • Measurement
Traditionally, banks have always emphasized:
• prevention of frauds
• maintenance of integrity of internal controls
• reducing errors in transaction processing
• safeguarding the data and systems of the Bank, and so on
Then what is new?
• To view operational risk management as a comprehensive practice comparable to the management of credit risk and market risk
• To set aside an adequate capital charge to meet operational risks
30. Objectives of Operational Risk Management
Reduce Impact and Probability of Events: Enable the Bank to reduce the probability and potential impact of losses through the introduction of “good practices”
Improve Controls and Mitigate Risks: Enable the businesses and functional areas to improve controls and mitigation of significant operational risks throughout the organization.
Awareness: Develop a common understanding of operational risk across the Bank, involving every employee at all levels, for pro-active management of operational risks.
Risk Ownership: Ensure that there is clear ownership for each element of operational risk and assign clear responsibility for related day to day risk management and mitigation.
* These objectives of operational risk management have been formalized by SBI in its OR policy
31. Objectives of Operational Risk Management
Regulation: Meet or exceed the regulatory requirements
Better Capital Management: Help in meeting the capital adequacy requirements set out by regulators and develop awareness of capital efficiency so as to help the Bank meet its capital performance objectives
Reward for better risk management: Create awareness of the level of risk incurred and ensure that product pricing compensates for the levels of risks undertaken.
Explore the range of alternatives for risk mitigation and choose the most cost effective solution to address the operational risk incurred.
Quality of Service: Improve the overall quality of the bank’s products, processes, and services to customers
32. Pillars of operational risk management
Policy: Lays down the scope, objectives and overall guidelines for bank-wide ORM implementation
Governance structure: Lays down the position, roles / responsibilities and reporting lines of the personnel involved in ORM
Process: Involves risk identification, validation / assessment, mitigation, measurement and reporting envisaged by Basel II and RBI for effective risk management
Technology: Required for collection of loss data and assessment results, aggregation of risk information and reporting
Training: For structured dissemination of ORM process across the bank and creating robust risk management environment
These requirements are based on guidance of Sound Practices for the Management and Supervision of Operational Risk (SPOR) issued by Basel II, recommended by RBI in its Guidance Note on ORM for development of an appropriate risk management environment in the bank.
33. Suggested Reading
Title | Author | Publisher
An Introduction to Operational Risk | Kaiser & Kohne | Risk Books
Operational Risk | Jack L. King | Wiley Finance
Managing Operational Risk | Douglas G. Hoffman | Wiley Finance
Sound Practices for the Mgmt & Supervision of Operational Risk | Basel | BIS Publication
Operational Risk Modelling & Analysis | M. Cruz | Risk Books
Control & Self-Assessment for Risk Mgt & other Practical Applications | Ed: Wade & Wyne |
Integrating Market, Credit & Operational Risk | Lampros Kalyvas, I. Akkizidis | Risk Books
Operational Risk with Excel & VBA | Nigel Da Costa | Wiley