Finance 590 Enterprise Risk Management Operational Risk Mark Vonnahme Department of Finance University of Illinois at Urbana-Champaign

Finance 590

Enterprise Risk Management

Operational Risk

Mark Vonnahme

Department of Finance

University of Illinois at Urbana-Champaign

ERM

• Why operational risk management
  – Some perspectives on significance
    • Major financial disasters have included operational risk issues as a main contributing factor
    • Operational risks are often interrelated with market and credit risk
    • When operational risk is not managed centrally, it leads to a lack of consistency across an organization

ERM

• Benefits of effective operational risk management
  – Minimizes day-to-day losses and reduces potential for costly occurrences
  – Improves company’s ability to meet business objectives
  – Strengthens overall enterprise risk management system

ERM

• Operational risk
  – A common definition

“Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events”

BBA, et al.

ERM

• Operational risk
  – The real definition varies by company based upon industry and other factors; essentials include
    • Process risk
    • People risk
    • System risk
    • Event risk
    • Business risk

ERM

• Process risk
  – Risk occurs through ineffective or inefficient processes
    • Ineffective – fail to achieve objectives
    • Inefficient – meet objectives but with excessive costs

What does this mean?

Examples

ERM

• People risk
  – Results from
    • Staff constraints
    • Incompetence
    • Dishonesty
    • Cultures that do not promote risk awareness

What does all this mean?

Examples

ERM

• System risk
  – More and more common across business
    • Technology keeping up with business
      – My experiences
  – Includes systems availability, data integrity, systems capacity, unauthorized access and use, and business recovery contingencies
    • Programming errors
    • Security
    • Mergers and acquisitions
      – My experiences

ERM

• Event risk
  – Unlikely single events that have serious consequences
    • Many examples
    • Expect the unexpected
    • Event risk may have ripple effect impacting other areas
      – Market, credit, financial
      – Other operational areas

ERM

• Business risk
  – Risk of loss due to unexpected changes
    • All kinds of risks including
      – Strategy
      – Client management
      – Pricing
      – Reputation and brand
      – Many, many others

ERM

• Some key questions relate to
  – Vulnerabilities in business strategy and plans
  – Product diversification or sufficient business
  – Appropriate operating leverage
  – Wrong or changing business assumptions
  – Fix or exit a business
  – Exit strategy

ERM

• Operational Risk Management Process
  – Risk policy and organization
  – Risk identification and assessment
  – Capital allocation and performance measurement
  – Risk mitigation and control
  – Risk transfer and finance

ERM

• Risk policy and organization
  – Management principles for operational risk
  – Definition and taxonomy for operational risk
  – Objectives and goals
  – Operational risk processes and tools
  – Organizational structure
  – Roles and responsibilities

ERM

• Risk identification and assessment
  – A range of qualitative and quantitative tools to assess, measure and manage; these include
    • Loss incident database
    • Control self-assessment
    • Risk mapping
    • Risk indicators and performance triggers

ERM

• Capital allocation and performance measurement
  – Link risk to performance measurement through the capital allocation process
    • No widely accepted model
      – No one methodology or single solution; a combination of approaches

ERM

• Capital allocation and performance measurement continued
  – Top down models vs. bottom up models

ERM

• Top down models
  – Implied capital model
  – Income volatility model
  – Economic pricing model
  – Analog model

ERM

• Bottom-up or loss distribution model
  – Statistical analysis
  – Scenario analysis

ERM

• Risk mitigation and control
  – The yin is useless without the yang
  – Assessing and measuring does no good without improving and controlling risk factors
  – Once measurement is in place, must implement processes that identify and reduce operational risk
    • Involves people, training, changing or structure, etc.

ERM

• Risk transfer and finance
  – Choices to address key operational risks
    • Implement internal control vs. risk transfer
    • Not mutually exclusive; generally complementary
    • Company should go through the ERM process
      – Identify risk exposures and quantify probabilities, severities and economic capital requirements
      – Integrate operational risk with other key risks
      – Establish operational risk limits
      – Implement internal controls and risk transfer finance strategies
      – Evaluate alternative methods, providers, and structures including cost benefit analysis

ERM

• Best practices in operational risk management
  – Operational risk may be most dangerous
  – Wide range of industry practices
    • Basic
    • Standard
    • Best

ERM

• Operational risk
  – Basic practice – a company
    • Recognized operational risk as key risk
    • Definition of operational risk and subcategories is in place
    • Operational risk manager is appointed to develop a program
    • Operational risk committee with key reps is in place
    • Tracking program for risk is in place
    • Self-assessment performed regularly
    • Policy developed and approved
    • Operational risk management group acts as a consultant to senior management
    • Audit and compliance group acts as checker

ERM

• Operational risk
  – Standard practice – a company builds on basic
    • Developed full set of operational risk indicators
    • Established goals and MAPs for the indicators
    • Developed early warning signals
    • Risk based maps developed to identify key exposures in operations
    • Developed several years of risk losses and incidents
    • Response plans and contingency plans developed
    • Audit and operational risk management independent of each other
    • Org learning programs are in place

ERM

• Operational risk
  – Best practice – a company continues to build
    • Business risk and reputational risk included
    • Advanced in their processes to assess and measure risk with qualitative and quantitative tools
    • Allocate economic capital to underlying risks along with credit risk and market risk
    • Initiate development of scenario based operational risk modeling to quantify potential loss
    • Insurance function is fully integrated with operational risk function
    • Risk transfer strategies based upon cost benefit analysis
    • Evolved from just control function to one that supports better decisions on price, growth and profit

ERM

• Operational risk
  – Where do you think most companies are in the cycle or phases of “best practices”?

ERM

• Questions

• Discussion

Enterprise Risk Management
Business Applications

Finance 590

Mark Vonnahme

Department of Finance

University of Illinois at Urbana-Champaign

ERM

• Business applications have followed the requirements and changes of business

• RM practices have evolved

• RM will continue to evolve and adjust to business conditions and change

ERM

• Business Applications
  – Three major applications
    • Stage I: Minimizing the Downside (loss reduction)
    • Stage II: Managing Uncertainty
    • Stage III: Performance Optimization
    • Combination of all three is Enterprise Risk Management

ERM

• Stage I: Minimizing the Downside
  – RM in the 1970s focused on protection against downside risks
  – Establishing credit controls, investment and liquidity policies, audit procedures and insurance coverage
  – Defensive RM practices looked at minimizing losses in credit risk, market risk and operational risk
  – Found out it was not enough
  – Demonstrating how RM can be positive in supporting profit and business growth led to the next stage

ERM

• Stage II: Managing Uncertainty
  – RM focuses on managing volatility around business and financial results
  – A number of sources of volatility were catalysts
    • 1970s: fixed to floating exchange rates and wildly fluctuating oil prices
    • 1980s: double digit inflation, double digit interest rates (volatility) and lending crises
    • 1990s: derivative losses, volatile equity markets and beginnings of major economic shifts
    • 2000-today: economic changes, corporate scandals, new regulations - “uncertainty continues”

ERM

• Stage II continued
  – With increased volatility RM practices evolved
    • Credit scoring and migration models to develop more precise estimates of default probabilities
    • Advances in management of financial market risks
    • Recognition of importance of operational risk management

ERM

• Stage II continued
  – Risk transfer products increased in popularity
    • Derivatives and sophisticated insurance products
  – Recognition that additional products needed
    • Derivatives and insurance not enough
      – Alternative risk transfers
  – Integration of risk management silos
    • Transfer packages of risks
    • Development of integrated internal models for risk
    • A more holistic view of risk
    • Spurred use of RM for performance optimization

ERM

• Stage III: Performance Optimization
  – RM characterized by integrated approach to all types of risk
  – Move from partial integration in other stages to complete integration
  – Risk and return are an important component
    • Not defensive
    • Move to an offensive approach in dealing with credit, market risk and operational risk

ERM

• Further evolution of RM
  – Changes in business environment will continue to impact the development of the practice
    • Globalization
    • Technology
    • Changing market structures
    • Restructuring
    • Other changes we do not know about today

ERM

• Discussion

• Questions

• Next class

Finance 590
Enterprise Risk Management

Steve D’Arcy
Department of Finance

Lecture 5

Strategic and Operational Risk Measurements

April 19, 2005

Reference Material

• Chapter 14 – Operational Risk Management in Enterprise Risk Management by James Lam
• Why COSO is Flawed by Ali Samad-Khan
• Burchett and Dowd presentation
  http://www.casact.org/affiliates/cagny/1101/basel1.ppt
• Reputation Risk – Operational Risk
  CAS ERM Task Force presentation

Overview

• Strategic Risk
• Operational Risk
• Measures of Operational Risk
  – Capital requirements for operational risk
  – Market performance
• COSO Approach
• Critique of COSO Approach

Strategic Risk

• Difficulty in quantifying strategic risks
• Contrast with hazard and financial risks
  – Lack of data
  – Imprecision of measurements
• How do you measure the likelihood and impact of:
  – a competitor’s or regulator’s actions
  – a technological innovation
  – a political impediment

Operational Risk

• Loss from inadequate or failed
  – Processes
  – People
  – Systems
• External events (generally covered under Hazard Risks)

Measures of Operational Risk

• Basel Accord
  – Capital requirements
• Market performance
  – Examine similar events for other companies

New Basel Capital Accord

• Focus is on banks
• Convergence of regulation will expand application to insurers and other industries
• Minimum capital requirement

Capital Ratio = Total Capital / (Credit Risk + Market Risk + Operational Risk)

Minimum Capital Ratio = 8%

Top Down vs. Bottom Up Capital Allocation

Top Down
• Start with aggregate capital for the industry
• Allocate this to each risk source
• Allocate result to individual financial institutions

Bottom Up
• Identify each source of risk
• Develop a method for measuring the magnitude
• Derive capital from this measure

Proposed Capital Approaches

• Basic Indicator

• Standardized

• Internal Measurement

• Loss Distribution

Basic Indicator Approach

KBIA = EI*

KBIA = the capital charge under the Basic Indicator Approach

EI = the level of an exposure indicator for the whole institution, provisionally gross income

= a fixed percentage relating the industry-wide level of required capital to the industry-wide level of the indicator

Standardized Approach

KTSA = (EI1-8*1-8)

KTSA = the capital charge under the Standardized Approach

EI1-8 = the level of an exposure indicator for each of the 8 business lines

1-8 = a fixed percentage relating the level of required capital to the level of the gross income for each of the 8 business lines

(Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlements, Agency Services and Custody, Retail Brokerage, Asset Management)

Internal Measurement Approach

KIMA = (EIij*PEij*LGEij*ij)

KIMA = the capital charge under the Internal Measurement Approach

EIij = the level of an exposure indicator for each business line and event type combination

PEij = the probability of an event given one unit of exposure, for each business line and event type combination

LGEij = the average size of a loss given an event for each business line and event type combination

ij = the ratio of capital to expected loss for each business line and event type combination

Loss Distribution Approach

• Similar to Hazard Risk analysis

Market Performance Approach

• Gather information regarding publicly traded peer companies that have experienced significant distress events negatively affecting stock price relative to market indexes.
• For each company, evaluate historical stock price relative to the S&P 500 or industry related stock price index during the “pre-event” period.
• Using the relationship to one or more indexes, project future stock price movements for the individual company stock on a pro-forma basis for the “post-event” period.
• Compare the pro-forma stock price to the actual stock price in the post-event period, to estimate the hypothetical percentage loss in market valuation for each day.

Market Performance Approach (2)

• Project cumulative average market valuation movements beyond the latest available post-event data point for individual companies based on the cumulative average percentage movement in market valuation for the remaining companies in the sample data, up to one year beyond the event.
• Derive a rough model for the number of trading days before stock price “recovers” to the pro-forma projected level.
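
The pre-event fit, pro-forma projection, daily lost-value comparison and recovery count described in the Market Performance Approach, as an added Python example that is not part of the original slides. It assumes a single index and a linear relationship fitted by least squares on daily returns; all prices are constructed and every function name is hypothetical.

```python
# Added example (not from the lecture): one index, OLS on daily returns,
# constructed prices only. No real market data is used.

def returns(prices):
    """Simple daily returns of a price series."""
    return [b / a - 1.0 for a, b in zip(prices, prices[1:])]

def compound(start, rets):
    """Price path that starts at `start` and applies each return in turn."""
    path = [start]
    for r in rets:
        path.append(path[-1] * (1.0 + r))
    return path

def fit_index_relationship(stock_pre, index_pre):
    """Pre-event step: regress stock returns on index returns -> (alpha, beta)."""
    y, x = returns(stock_pre), returns(index_pre)
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need equal-length series with at least 3 prices")
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxx = sum((xi - mx) ** 2 for xi in x)
    if sxx == 0:
        raise ValueError("index did not move in the pre-event period")
    beta = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y)) / sxx
    return my - beta * mx, beta

def pro_forma_path(stock_pre, index_pre, index_post, alpha, beta):
    """Project the stock through the post-event period as if no event occurred."""
    price, path = stock_pre[-1], []
    for r in returns([index_pre[-1]] + list(index_post)):
        price *= 1.0 + alpha + beta * r
        path.append(price)
    return path

def lost_market_value(pro_forma, actual):
    """Hypothetical fractional loss in valuation for each post-event day."""
    return [1.0 - a / p for a, p in zip(actual, pro_forma)]

def days_to_recovery(pro_forma, actual):
    """First post-event day on which the actual price reaches pro-forma, else None."""
    for day, (a, p) in enumerate(zip(actual, pro_forma), start=1):
        if a >= p:
            return day
    return None

def analyse(stock_pre, index_pre, stock_post, index_post):
    alpha, beta = fit_index_relationship(stock_pre, index_pre)
    pro = pro_forma_path(stock_pre, index_pre, index_post, alpha, beta)
    return {"alpha": alpha, "beta": beta,
            "lost": lost_market_value(pro, stock_post),
            "recovery_day": days_to_recovery(pro, stock_post)}

def constructed_sample():
    """Constructed data: stock moves 1.5x the index, then drops 20% on event day."""
    pre = [0.01, -0.02, 0.015, 0.005, -0.01]
    post = [0.002, 0.01, -0.005, 0.004]
    index_pre = compound(100.0, pre)
    stock_pre = compound(50.0, [1.5 * r for r in pre])
    index_post = compound(index_pre[-1], post)[1:]
    shocked = [(1 + 1.5 * post[0]) * 0.8 - 1] + [1.5 * r for r in post[1:]]
    stock_post = compound(stock_pre[-1], shocked)[1:]
    return stock_pre, index_pre, stock_post, index_post

if __name__ == "__main__":
    result = analyse(*constructed_sample())
    print(result["beta"], result["lost"], result["recovery_day"])
```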

Relative Price Performance for Schering-Plough and the S&P 500: November 1, 2000 through June 1, 2001

[Figure: line chart of Schering-Plough and the S&P 500; y-axis 50% to 125%; x-axis 11/1/00 through 6/1/01]

EVENT: Schering-Plough has problems with FDA manufacturing regulations, leading to a delay in approval for its allergy blockbuster successor, Clarinex.

Schering-Plough Corp.

• 2/01: Class action lawsuit filed against directors and officers
• Recovery Period to Date: None
• Market Cap Loss: $15.3 Billion or 22% (2/15/01 – 3/8/01)

2/01: FDA halts review on SGP’s Clarinex, due to separate manufacturing concerns

Theoretical Lost Market Cap - Schering

[Figure: Lost Market Cap (0% to 25%) against Elapsed Days (0 to 400); second chart with y-axis 50% to 125% and x-axis 11/1/00 through 6/1/01, series: Schering-Plough, S&P 500, S&P 500 Pharm, Forecast Schering-Plough]

Pro-forma stock price movements modeled relative to the S&P 500 Pharmaceutical index.

Relative Price Performance for McKesson Corp. and the S&P 500: January 2, 1999 through August 1, 1999

[Figure: line chart of McKesson and the S&P 500; y-axis 25% to 125%; x-axis 1/1/99 through 7/30/99]

EVENT: McKesson improperly reports its software revenue from newly acquired HBOC, resulting in loss of investor confidence.

McKesson Corporation

• 4/99 – Class action lawsuit filed against directors and officers
• 6/99 – McKesson downgraded by S&P and Moody’s
• Recovery Period to Date: None
• Market Cap Loss: $9.1 Billion or 50% (4/27/99 – 4/29/99)

4/99: MCK reduces earnings by 4.4% after restating financials

1/99: Acquired HBOC

Theoretical Lost Market Cap - McKesson

[Figure: Lost Market Cap (0% to 35%) against Elapsed Days (0 to 400); second chart with y-axis 25% to 125% and x-axis 1/1/99 through 7/1/99, series: McKesson, S&P 500, S&P 500 HC, Forecast McKesson]

Pro-forma stock price movements modeled relative to the S&P 500 Healthcare Services index.

Why COSO is Flawed

• Resource intensive approach
• Identification, definition and assessment of risk
  – Performed by business managers
• Results in huge catalogue of risks
• Likelihood-impact method

Risk = Likelihood x Impact

Actuarial Approach

• Individual loss events
• Risk matrix for loss data
• Loss distributions
  – Frequency
  – Severity
• VaR Calculation
• Total loss distribution

Conclusion

• Quantifying strategic and operational risk is the latest challenge for ERM
• Variety of approaches proposed
• Eventual standard likely to follow the approaches used for hazard and financial risk
• Lots of work remains to be done in this area