Dr Chris Stalvies, Director, Cognitix Limited
The Regulatory Time Bomb redefining how people work with risk
Contents
Introduction
The problem – examples
Why it has become a regulatory hotspot
Who is affected
How they are affected
When they will be affected
What customers need to do
Problems – data modelling
Opportunities
About Cognitix
What we do
– Cognitix is a risk management and corporate governance company that helps organisations rapidly identify factors that can help predict success or failure.
– We supply Cognitix Quadrant, the most powerful and flexible solution available to help financial services companies satisfy FSA and Basel II operational risk regulatory requirements.
Where we come from
– The background of the founders is operational risk management in the financial services sectors combined with very strong in-house development capabilities. We work with companies of all sizes.
Where we are going
– We will become the standard for operational risk management
About Cognitix Quadrant
– Web technology based
– Multi tiered databases, fits any hierarchy
– End to end risk management process
– XML output
– Rules based fuzzy logic engine incorporated
– Validates collaborative input to assess and predict high impact low frequency events
– Very low integration costs
Cognitix philosophy
Cognitix Quadrant takes a Bayesian approach to the assessment of High Impact Events.
This is reinforced by standard statistical analysis so that reliable data is available for further manipulation or for input to risk management processes.
Application of rules based analysis and fuzzy logic profoundly augments the capabilities of the system in an uncertain environment.
What is Operational Risk
Risk Management Process
– The proactive identification, analysis and control of those risks which threaten the assets or earning capacity of an enterprise (Institute of Risk Management)
Operational Risk – a relatively new classification
– The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events
– Traditional banking risks such as Credit and Trading risks do not form part of this Framework. Strategic risk and reputational risk are specifically excluded.
Measurement or Assessment?
What is happening?
Regulators all around the world are imposing new regulations on banks and insurance firms to make sure they:
– Can demonstrate they know how to manage operational risks
– Put aside enough capital to cope with operational risks
Deadlines have been set
Many firms have not woken up to this need
Many thousands of companies are affected
Thousands of small intermediaries are not going to make it
Why is it happening
Major losses and failure in the corporate world over the past years have forced regulators globally to take action to protect the financial system
A few examples
Polly Peck Schneider Tyco Atlantic Computers World Com Maxwell BCCI Standard Chartered Bombay Bankers Trust/PG ABN-AMRO Chiasso NatWest Markets
Kidder Peabody Daiwa Bank Metallgesellschaft Barings Barlow Clowes Pensions mis-selling Lloyds re-insurance spiral Morgan Grenfell Jardine Fleming Levitt
The Vicious Circle
[Diagram labels: Failure of controls; Unsustainable product; Individual idiosyncrasies; Fraud / False accounting; Overstated security values]
The Vicious Circle - 2
[Same diagram labels, with example cases placed around them: Maxwell, Morgan Grenfell, Barings, Polly Peck, Facia, Atlantic Computers, Wallace Smith, Standard Chartered, Kidder, Daiwa, Barlow Clowes, Pensions mis-selling, Bankers Trust/PG, Jardine Fleming, Metallgesellschaft, Levitt, Schneider, ABN-AMRO, Lloyds, NatWest Markets]
What is being done about it
Across the world regulators have intervened, e.g.
– Basel Committee on Banking Supervision
– FSA
– CAD 3
– Higgs
– Turnbull
– Sarbanes-Oxley
– MAS
– King Report
The pressure is from…
Operational Risk
  Basel II
    – requires all financial institutions to be able to demonstrate that they are maintaining adequate capital to support their operational risks
    – CP3
  CAD3
  FSA
    – CP142 – applies to both banks and insurance firms equally
    – CP178 – Lloyds
Corporate Governance
  Higgs
  Turnbull
  Sarbanes-Oxley
Institutional Investors
Why is it a hot topic now?
Regulators globally have been forced to take action to protect the financial system
The most common cause of loss has been “Operational” (reminder - people, processes and systems and external events)
Territorial regulators give this the force of law e.g. CAD3, FSA
Companies must:
– Have adequate systems in place to be able to manage the risks
– Have sufficient capital put aside to cover them in the event of these types of loss happening
When is it going to happen
Global
– 2007 but with 3 or 4 years data
European
– Expected Oct 03 for enforcement
UK – FSA regulated Banks and Insurance Firms
– 2003 FSA publishes final policy for operational risk management systems and controls
– 2003/4 One year for firms to prepare for implementation of operational risk management systems and controls policy
– 2004 Operational risk management systems and controls policy takes effect
– Insurance registration must be completed by 15/1/2005 or drop dead
What needs to be done
Guidance from Basel
Guidance from the FSA
Guidance from Basel
Likely to become best practice in all sectors
Sound Practices paper - Basel Committee Feb. 2003
1. The Board exercises oversight responsibility
2. The Board ensures a complete internal audit of ORM, but the internal audit function should not be directly responsible for operational risk management
3. Senior management implements the programme
4. Management identifies and assesses OR inherent in all activities
5. Management monitors OR profiles
Basel Sound practices
6. Management creates control policies, processes and procedures
7. Management creates contingency and business continuity plans
8. Bank supervisors require all banks to have an effective framework
9. Supervisors independently evaluate bank practices
10. Banks should make sufficient public disclosure of OR approaches
Guidance from FSA
The firm will need to document its policy for managing operational risk – its strategy and objectives and the processes that it adopts to achieve them:
– Analysis of the firm’s risk profile
– Which risks are to be accepted
– How it intends to identify, assess, monitor and control the risks, with an overview of the people, processes and systems to be used
– Where information is used internally for capital allocation purposes, how that exercise is undertaken.
What the FSA expects to see
Monthly Operational Risk Pack
– A Risk Map that assesses high frequency losses and low frequency/high impact exposures
– Analysis of the effectiveness of existing controls with action plans for risk reduction
– Improvements made to risk positions through activation of risk controls or improved effectiveness of existing controls
– Aggregate risk accumulations – by actual costs of risk or expected low frequency/high impact exposures
Solutions: typical definition of requirements
The ability to:
– create risk profiles, not just loss data modelling
– document the controls
– capture loss data
– create action plans with responsibilities and accountability clearly shown
– manipulate data into reports
– flag alerts to the Board by self certification procedures and scenario planning capability
– develop key risk indicators
– Sarbanes Oxley capability (corporate governance)
– Integrate validated external loss databases.
Problems
Data
– Quality
– Availability
Data Models
– Based on traditional requirements
People
– Don’t always tell what they know
Culture/Corporate Governance
– Senior management responsibility
Organisational Change
– Need to start with a framework
Opportunities
Huge new market, wider than just financial services
Regulatory pressure to buy
Risk management solutions can be added to any other service
Genuinely new market with regulatory drivers
Cognitix Quadrant is different
– Risk analytic models adapted from credit or trading environments are not adequate to deal with the totally different requirements of operational risk assessments.
– The real value is that it is able to help to predict what might happen, where data is too limited to be statistically modelled by traditional stochastic methods.
– We provide full support ranging from framework design to technical implementation
“Cognitix is the most radical, high impact and cost effective approach available for risk and governance”
© Cognitix Limited 2003
To share opportunities with us please contact
chris.stalvies@cognitixglobal.com
+44 (0)7980 734875
DEMONSTRATION
Overview of Quadrant
Notes
This slideshow features Quadrant, showing how the entire risk management process is addressed including:
1. Identification
2. Assessment/Measurement
3. Control
Only selected parts of the full functionality of Quadrant are shown in the interests of brevity
Contents
This is a Bank example, for illustration only.
1. Access - Sign on screen for multilevel access
2. Responding - Respondent screens with and without costing
3. Viewing
– Client view – hierarchical – select data to view
– Viewing risk factors – apply weightings – hide non relevant
– Viewing data outputs – Boston chart example
– Viewing data outputs – Bar chart example
– Viewing details – sorting – raising Issues
4. Managing Issues
5. Event logging
6. Applying Risk Appetites
Access to all functions is through this sign on screen
The top bar can be changed to reflect Partners' own branding
From this single screen you have seven levels of access
1. Super Administrator
2. Administrator
3. Consultant
4. Client
5. Respondent
6. Manager
7. Resource
This is the first and only screen most users see – they just choose a category and select the appropriate radio button on the range
There is no limit on the number or location of respondents
Include qualitative data for richness
Instructions can be provided at any level of detail
Scales are non numeric here, and can be tailored
Users with more in depth knowledge are asked to provide more information about the maximum cost of the risk if it happens, the cost of countermeasures and frequency
The first run produces a risk map, the second one is for controls assessment using “Implementation” and “Effectiveness” as measures
Risk assessment questions are structured by Client, and can be viewed hierarchically
For each Client the risk questions are organised into Categories
The data can be analysed at any level by clicking this button
View risks weighted and un-weighted
Questions can be analysed at several levels including scorecards
Each question and/or category can be weighted on each scale and can be hidden from selected users if desired
Respondents only answer questions relevant to themselves
The Boston chart is a simple but effective display of risks ranked by priority.
Hover the mouse over a star and details appear – click to drill down for more detail
Increasing levels of granularity can be displayed x2 to x64
Data can be viewed in other formats
Resize for a better view
Another display is the Bar Chart
Risk scores for individual criteria
Risk scores combined
Colour coding for instant impact
In this view data can be displayed in a number of ways, including the standard deviation of responses; you can also raise Issues and Actions and sort the columns
Drill down
Sort by risk colour code
Risks can be easily escalated to Issues with action plans, and managers and resources set tasks to mitigate the risks.
Tasks are monitored for completion status
Events can be logged and actions assigned
This one button produces a consolidated report for FSA Operational Risk compliance
Any number of risks can be related to an event
Formulae can be applied to each scale to reflect the risk appetite
Risks can be viewed as “appetised” or “un-appetised”