Information risk and data quality management
Operational Risk
Alberto Ferreras Salagre
July 2015
Alberto Ferreras, FRM 2015
Anthony Tarantino and Deborah Cernauskas, Risk Management in Finance: Six Sigma and Other Next Generation Techniques (Hoboken, NJ: John Wiley & Sons, 2009). Chapter 3. Information Risk and Data Quality Management
Assess the potential negative impact poor data quality may have on a business.
Identify the most common issues which result in data errors.
Identify some key dimensions of data quality.
Describe the operational data governance process and differentiate between data quality inspection and data validation.
Summarize the process of creating a data quality scorecard and compare three different viewpoints for reporting data via a data quality scorecard.
FRM I
“Principles for Effective Data Aggregation and Risk Reporting,” (Basel Committee on Banking Supervision Publication, January 2013).*
Explain the potential benefits of having effective risk data aggregation and reporting.
Describe key governance principles related to risk data aggregation and risk reporting practices.
Identify the data architecture and IT infrastructure features that can contribute to effective risk data aggregation and risk reporting practices.
Describe characteristics of a strong risk data aggregation capability and demonstrate how these characteristics interact with one another.
Describe characteristics of effective risk reporting practices.
John Hull, Risk Management and Financial Institutions, 3rd Edition (Boston: Pearson Prentice Hall, 2012). Chapter 20.
Compare three approaches for calculating regulatory capital.
Describe the Basel Committee’s seven categories of operational risk.
Derive a loss distribution from the loss frequency distribution and loss severity distribution using Monte Carlo simulations.
Describe the common data issues that can introduce inaccuracies and biases in the estimation of loss frequency and severity distributions.
Describe how to use scenario analysis in instances when data is scarce.
Describe how to identify causal relationships and how to use risk and control self assessment (RCSA) and key risk indicators (KRIs) to measure and manage operational risks.
Describe the allocation of operational risk capital and the use of scorecards.
Explain how to use the power law to measure operational risk.
Explain the risks of moral hazard and adverse selection when using insurance to mitigate operational risks.
Information Risk and Data Quality Management
Principles for Effective Data Aggregation and Risk Reporting
Information risk and data quality management
If successful business operations rely on high-quality data, then the opposite is likely to be true as well: flawed data will delay or obstruct the successful completion of business processes.
No enterprise risk management program is complete without instituting processes for assessing, measuring, reporting, reacting to, and controlling the risks associated with poor data quality.
Assess the potential negative impact poor data quality may have on a business.
1. Financial impacts: lower revenues or higher expenses. Increased operating costs, decreased revenues, missed opportunities, reduction or delays in cash flow, increased penalties, fines, or other charges.
2. Confidence-based impacts: managers may make incorrect business decisions based on faulty data. Decreased organizational trust, low confidence in forecasting, inconsistent operational and management reporting, delayed or improper decisions.
3. Satisfaction impacts: customers may become dissatisfied when the business processes faulty data (e.g., billing errors). Employees may become dissatisfied when they are unable to properly perform their job due to flawed data.
4. Productivity impacts: increased workloads, decreased throughput, increased processing time, decreased end-product quality.
5. Risk impacts: underestimating credit risks due to inaccurate documentation, thereby exposing a lender to potential losses. Underestimating investment risk, thereby exposing an investor to potential losses.
6. Compliance impacts: compliance is jeopardized, whether that compliance is with government regulations, industry expectations, or self-imposed policies (such as privacy policies). A business may no longer be in compliance with regulations (e.g., Sarbanes-Oxley) if financial reports are inaccurate.
Despite the natural tendency to focus on financial impacts, in many environments the risk and compliance impacts are largely compromised by data quality issues.
Identify the most common issues which result in data errors.
• Data entry errors
• Missing data
• Duplicate records
• Inconsistent data
• Nonstandard formats
• Complex data transformations
• Failed identity management processes
• Undocumented, incorrect, or misleading metadata
All of these types of errors can lead to inconsistent reporting, inaccurate aggregation, invalid data mappings, incorrect product pricing, and failures in trade settlement, among other process failures.
• Employee Fraud and Abuse
• Underbilling and Revenue Assurance
• Credit Risk
• Development Risk
• Compliance Risk
Identify some key dimensions of data quality.
DATA QUALITY EXPECTATIONS
The first step toward managing the risks associated with the introduction of flawed data into the environment is articulating the business user expectations for data quality and asserting specifications that can be used to monitor organizational conformance to those expectations.
Accuracy. The degree to which data correctly reflects the real world object. Measurement of accuracy can occur by manually comparing the data to an authoritative source of correct information.
Completeness. The completeness dimension specifies the expectations regarding the population of data attributes. The extent to which the expected attributes of data are provided. E.g., phone number.
Completeness does not necessarily imply accuracy.
Consistency. Consistency refers to measuring reasonable comparison of values in one data set to those in another data set.
Note that consistency does not necessarily imply accuracy.
There are three types of consistency:
1. Record level: consistency between one set of data values and another set within the same record.
2. Cross-record level: consistency between one set of data values and another set in different records.
3. Temporal level: consistency between one set of data values and another set within the same record at different points in time.
Reasonableness. This dimension is used to measure conformance to consistency expectations relevant within specific operational contexts.
Currency. This dimension measures the degree to which information is current with the world that it models.
Uniqueness. This dimension measures the number of inadvertent duplicate records that exist within a data set or across data sets.
Describe the operational data governance process and differentiate between data quality inspection and data validation.
Operational data governance is the manifestation of the processes and protocols necessary to ensure that an acceptable level of confidence in the data effectively satisfies the organization’s business needs.
Operational data governance refers to the collective set of rules and processes regarding data that allow an organization to have sufficient confidence in the quality of its data.
A data governance program defines the roles, responsibilities, and accountabilities associated with managing data quality. A data quality scorecard could be used to monitor the success of such a program.
Operational data governance combines the ability to identify data errors as early as possible with the process of initiating the activities necessary to address those errors to avoid or minimize any downstream impacts.
o Data Quality Inspection vs. Data Validation
While the data validation process (a one-time step) reviews and measures conformance of data with a set of defined business rules, inspection is an ongoing process to:
• Reduce the number of errors to a reasonable and manageable level.
• Enable the identification of data flaws along with a protocol for interactively making adjustments to enable the completion of the processing stream.
• Institute a mitigation or remediation of the root cause within an agreed-to time frame. Solve the cause of the errors and flaws in a timely manner.
The goal of data quality inspection is to catch issues early on before they have a substantial negative impact on business operations.
Summarize the process of creating a data quality scorecard and compare three different viewpoints for reporting data via a data quality scorecard
o Essentially, the need to present higher-level data quality scores introduces a distinction between two types of metrics.
• “Base-level” metrics. The simple metrics based on measuring against defined dimensions of data quality. They quantify specific observance of acceptable levels of defined data quality rules.
• “Complex” metrics. Representing a rolled-up score computed as a function (such as a sum) of applying specific weights to a collection of existing metrics, both base-level and complex.
Complex data quality metrics can be accumulated for reporting in a scorecard in one of three different views: by issue, by business process, or by business impact.
Data Quality Issues View
Evaluating the impacts of a specific data quality issue across multiple business processes demonstrates the diffusion of pain across the enterprise caused by specific data flaws.
This scorecard scheme, which is suited to data analysts attempting to prioritize tasks for diagnosis and remediation, provides a rolled-up view of the impacts attributed to each data issue. Drilling down through this view sheds light on the root causes of impacts of poor data quality, as well as identifying “rogue processes” that require greater focus for instituting monitoring and control processes.
Business Process View
A scorecard view by business process. For each business process, this scorecard scheme consists of complex metrics representing the impacts associated with each issue. The drill-down in this view can be used for isolating the source of the introduction of data issues at specific stages of the business process as well as informing the data stewards in diagnosis and remediation.
Business Impact View
Business impacts may have been incurred as a result of a number of different data quality issues originating in a number of different business processes.
This reporting scheme displays the aggregation of business impacts rolled up from the different issues across different process flows.
For example, one scorecard could report rolled-up metrics documenting the accumulated impacts associated with credit risk, compliance with privacy protection, and decreased sales. Drilling down through the metrics will point to the business processes from which the issues originate; deeper review will point to the specific issues within each of the business processes. This view is suited to a more senior manager seeking a high-level overview of the risks associated with data quality issues, and how that risk is introduced across the enterprise.
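The scorecard mechanics described above, as an added Python example that is not part of the original slides: base-level metrics are measured against three data quality dimensions (completeness, uniqueness, record-level consistency), then rolled up as weighted sums into complex metrics for each of the three views, with a drill-down from a business impact. The records, rule names, weights and the issue-to-process-to-impact mapping are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample customer records (illustrative only, not real data).
RECORDS = [
    {"id": "C1", "phone": "555-0101", "opened": "2014-01-10", "closed": "2015-03-01"},
    {"id": "C2", "phone": "",         "opened": "2014-05-02", "closed": None},
    # Record-level inconsistency: closed before it was opened.
    {"id": "C3", "phone": "555-0103", "opened": "2015-02-01", "closed": "2014-12-31"},
    # Inadvertent duplicate of C1.
    {"id": "C1", "phone": "555-0101", "opened": "2014-01-10", "closed": "2015-03-01"},
    {"id": "C4", "phone": None,       "opened": "2013-11-20", "closed": None},
]

# Assumed mapping of each data issue to the business process it affects, the
# business impact it causes there, and a severity weight (all hypothetical).
LINKS = [
    # (issue,               process,       impact,            weight)
    ("missing_phone",       "collections", "credit risk",     3),
    ("missing_phone",       "marketing",   "decreased sales", 1),
    ("duplicate_record",    "billing",     "decreased sales", 2),
    ("duplicate_record",    "collections", "credit risk",     1),
    ("date_inconsistency",  "reporting",   "compliance",      4),
]

VIEW_COLUMN = {"issue": 0, "process": 1, "impact": 2}


def base_metrics(records):
    """Base-level metrics: share of records violating each data quality rule."""
    n = len(records)
    if n == 0:
        raise ValueError("cannot score an empty data set")
    # Completeness: the expected attribute (phone) must be populated.
    missing = sum(1 for r in records if not r.get("phone"))
    # Uniqueness: records beyond the first sharing the same identifier.
    duplicates = n - len({r["id"] for r in records})
    # Record-level consistency: ISO dates compare correctly as strings.
    inconsistent = sum(
        1 for r in records
        if r["closed"] is not None and r["closed"] < r["opened"]
    )
    return {
        "missing_phone": missing / n,
        "duplicate_record": duplicates / n,
        "date_inconsistency": inconsistent / n,
    }


def scorecard(records, view):
    """Complex metrics: weighted sum of base-level metrics, grouped by view."""
    column = VIEW_COLUMN[view]  # KeyError on an unknown view name
    base = base_metrics(records)
    totals = defaultdict(float)
    for link in LINKS:
        issue, weight = link[0], link[3]
        totals[link[column]] += weight * base[issue]
    return {key: round(value, 4) for key, value in totals.items()}


def drill_down(records, impact):
    """From one business impact down to the processes and issues behind it."""
    base = base_metrics(records)
    rows = [
        (process, issue, round(weight * base[issue], 4))
        for issue, process, imp, weight in LINKS
        if imp == impact
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for view in ("issue", "process", "impact"):
        print(view, scorecard(RECORDS, view))
    print("credit risk drill-down:", drill_down(RECORDS, "credit risk"))
```

The same weighted contributions feed all three views; only the grouping key changes, which is why drilling down from an impact reaches the originating process and then the specific issue.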
1 - Which of the following viewpoints regarding data quality scorecards is best described as providing a high-level understanding of the risks embedded in data quality problems?
A. Business impact view.
B. Business process view.
C. Data quality issues view.
D. Data process issues view.
SUMMARY OF IDEAS
Flawed data will delay or obstruct the successful completion of business processes.
Negative impacts of poor data quality: Financial, Confidence-based, Satisfaction, Productivity, Risk, Compliance.
Data errors can lead to inconsistent reporting, inaccurate aggregation...
Key dimensions of data quality: Accuracy, Completeness, Consistency, Reasonableness, Currency, Uniqueness.
Operational data governance. Data Quality Inspection vs. Data Validation. Data Quality / Business Process / Business Impact.
Principles for Effective Data Aggregation and Risk Reporting
o Identify Principles for effective risk data aggregation and risk reporting
One of the most significant lessons learned from the global financial crisis that began in 2007 was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks.
Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities.
Some banks were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices.
This had severe consequences to the banks themselves and to the stability of the financial system as a whole.
In response, the Basel Committee issued supplemental Pillar 2 (supervisory review process) guidance to enhance banks’ ability to identify and manage bank-wide risks.
o “Risk data aggregation” (RDA) means: defining, gathering and processing risk data according to the bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite. This includes sorting, merging or breaking down sets of data.
o The paper presents a set of principles to strengthen banks’ risk data aggregation capabilities and internal risk reporting practices (the Principles). In turn, effective implementation of the Principles is expected to enhance risk management and decision-making processes at banks.
o The adoption of these Principles will enable fundamental improvements to the management of banks. The Principles are expected to support a bank’s efforts to:
o The principles are initially addressed to SIBs and apply at both the banking group and on a solo basis. Banks identified as G-SIBs by the FSB in November 2011 or November 2012 must meet these Principles by January 2016; G-SIBs designated in subsequent annual updates will need to meet the Principles within three years of their designation.
o It is strongly suggested that national supervisors also apply these Principles to banks identified as D-SIBs by their national supervisors three years after their designation as D-SIBs.
o The Principles and supervisory expectations contained in this paper apply to a bank’s risk management data. This includes data that is critical to enabling the bank to manage the risks it faces. Risk data and reports should provide management with the ability to monitor and track risks relative to the bank’s risk tolerance/appetite.
o These Principles also apply to all key internal risk management models, including but not limited to, Pillar 1 regulatory capital models (eg internal ratings-based approaches for credit risk and advanced measurement approaches for operational risk), Pillar 2 capital models and other key risk management models (eg value-at-risk).
o All the Principles included in this paper are also applicable to processes that have been outsourced to third parties.
The Principles cover four closely related topics:
• Overarching governance and infrastructure
• Risk data aggregation capabilities
• Risk reporting practices
• Supervisory review, tools and cooperation
o Banks should develop forward looking reporting capabilities to provide early warnings of any potential breaches of risk limits that may exceed the bank’s risk tolerance/appetite.
o These risk reporting capabilities should also allow banks to conduct flexible and effective stress testing which is capable of providing forward-looking risk assessments. Supervisors expect risk management reports to enable banks to anticipate problems and provide a forward-looking assessment of risk.
Explain the potential benefits of having effective risk data aggregation and reporting.
Enhance the infrastructure for reporting key information, particularly that used by the board and senior management to identify, monitor and manage risks;
Improve the decision-making process throughout the banking organisation;
Enhance the management of information across legal entities, while facilitating a comprehensive assessment of risk exposures at the global consolidated level;
Reduce the probability and severity of losses resulting from risk management weaknesses;
Improve the speed at which information is available and hence decisions can be made; and
Improve the organisation’s quality of strategic planning and the ability to manage the risk of new products and services.
• An increased ability to anticipate problems.
• In times of financial stress, effective risk data aggregation enhances a bank’s ability to identify routes to return to financial health. For example, a bank may be better able to identify a suitable merger partner in order to restore the bank’s financial viability.
• Improved resolvability.
• By strengthening a bank’s risk function, the bank is better able to make strategic decisions, increase efficiency, reduce the chance of loss, and ultimately increase profitability.
Describe key governance principles related to risk data aggregation and risk reporting practices.
Principle 1 Governance
A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.
o The governance principle suggests that risk data aggregation should be part of the bank's overall risk management framework.
o To ensure that adequate resources are devoted, senior management should approve the framework before implementation.
A bank’s risk data aggregation capabilities and risk reporting practices should be:
Fully documented and subject to high standards of validation. This validation should be independent, using staff with specific IT, data and reporting expertise.
Considered as part of any new initiatives, including acquisitions and/or divestitures, new product development, as well as broader process and IT change initiatives. When considering a material acquisition, a bank’s due diligence process should assess the risk data aggregation capabilities and risk reporting practices of the acquired entity, as well as the impact on its own risk data aggregation capabilities and risk reporting practices. The impact on risk data aggregation should be considered explicitly by the board and inform the decision to proceed.
The bank should establish a timeframe to integrate and align the acquired risk data aggregation capabilities and risk reporting practices within its own framework.
Unaffected by the bank’s group structure. The group structure should not hinder risk data aggregation capabilities at a consolidated level or at any relevant level within the organisation (eg sub-consolidated level, jurisdiction of operation level). In particular, risk data aggregation capabilities should be independent from the choices a bank makes regarding its legal organisation and geographical presence.
A bank’s senior management should be fully aware of and understand the limitations that prevent full risk data aggregation, in terms of coverage (eg risks not captured or subsidiaries not included), in technical terms (eg model performance indicators or degree of reliance on manual processes) or in legal terms (legal impediments to data sharing across jurisdictions).
The board should also be aware of the bank’s implementation of, and ongoing compliance with the Principles set out in this document.
Identify the data architecture and IT infrastructure features that can contribute to effective risk data aggregation and risk reporting practices.
Principle 2 Data architecture and IT infrastructure.
A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.
Principle 2 requires that:
Risk data aggregation capabilities and risk reporting practices should be given direct consideration as part of a bank’s business continuity planning processes and be subject to a business impact analysis.
A bank should establish integrated data taxonomies and architecture across the banking group, which includes information on the characteristics of the data (metadata), as well as use of single identifiers and/or unified naming conventions for data including legal entities, counterparties, customers and accounts.
Multiple data models may be used as long as there are robust automated reconciliation measures in place.
Roles and responsibilities should be established as they relate to the ownership and quality of risk data and information for both the business and IT functions. The owners (business and IT functions), in partnership with risk managers, should ensure there are adequate controls throughout the lifecycle of the data and for all aspects of the technology infrastructure. The role of the business owner includes ensuring data is correctly entered by the relevant front office unit, kept current and aligned with the data definitions, and also ensuring that risk data aggregation capabilities and risk reporting practices are consistent with firms’ policies.
Describe characteristics of a strong risk data aggregation capability and demonstrate how these characteristics interact with one another.
Principle 3 Accuracy and Integrity
A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors.
Controls surrounding risk data should be as robust as those applicable to accounting data.
Where a bank relies on manual processes and desktop applications (eg spreadsheets, databases) and has specific risk units that use these applications for software development, it should have effective mitigants in place (eg end-user computing policies and procedures) and other effective controls that are consistently applied across the bank’s processes.
Risk data should be reconciled with bank’s sources, including accounting data where appropriate, to ensure that the risk data is accurate.
A bank should strive towards a single authoritative source for risk data per each type of risk.
A bank’s risk personnel should have sufficient access to risk data to ensure they can appropriately aggregate, validate and reconcile the data to risk reports.
As a precondition, a bank should have a “dictionary” of the concepts used, such that data is defined consistently across an organisation.
There should be an appropriate balance between automated and manual systems. Where professional judgements are required, human intervention may be appropriate. For many other processes, a higher degree of automation is desirable to reduce the risk of errors.
Banks must document and explain all of their risk data aggregation processes whether automated or manual (judgement based or otherwise). Documentation should include an explanation of the appropriateness of any manual workarounds, a description of their criticality to the accuracy of risk data aggregation and proposed actions to reduce the impact.
Supervisors expect banks to measure and monitor the accuracy of data and to develop appropriate escalation channels and action plans to be in place to rectify poor data quality.
Principle 4 Completeness
A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.
Principle 4 requires that:
A bank’s risk data aggregation capabilities should include all material risk exposures, including those that are off-balance sheet. Both on- and off-balance sheet risks should be aggregated.
A banking organisation is not required to express all forms of risk in a common metric or basis, but risk data aggregation capabilities should be the same regardless of the choice of risk aggregation systems implemented. However, each system should make clear the specific approach used to aggregate exposures for any given risk measure, in order to allow the board and senior management to assess the results properly.
Supervisors expect banks to produce aggregated risk data that is complete and to measure and monitor the completeness of their risk data. Where risk data is not entirely complete, the impact should not be critical to the bank’s ability to manage its risks effectively. Supervisors expect banks’ data to be materially complete, with any exceptions identified and explained.
Principle 5 Timeliness
A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.
Principle 5 requires that:
A bank’s risk data aggregation capabilities should ensure that it is able to produce aggregate risk information on a timely basis to meet all risk management reporting requirements.
Critical risks include, but are not limited to:
• The aggregated credit exposure to a large corporate borrower. By comparison, groups of retail exposures may not change as critically in a short period of time but may still include significant concentrations;
• Counterparty credit risk exposures, including, for example, derivatives;
• Trading exposures, positions, operating limits, and market concentrations by sector and region data;
• Liquidity risk indicators such as cash flows/settlements and funding; and
• Time-critical operational risk indicators (eg systems availability, unauthorised access).
Principle 6 Adaptability
A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.
Adaptability will enable banks to conduct better risk management, including forecasting information, as well as to support stress testing and scenario analyses.
• Data aggregation processes that are flexible and enable risk data to be aggregated for assessment and quick decision-making;
• Capabilities for data customisation to users’ needs (eg dashboards, key takeaways, anomalies), to drill down as needed, and to produce quick summary reports;
• Capabilities to incorporate new developments on the organisation of the business and/or external factors that influence the bank’s risk profile; and
• Capabilities to incorporate changes in the regulatory framework.
Supervisors expect banks to be able to generate subsets of data based on requested scenarios or resulting from economic events.
Describe characteristics of effective risk reporting practices
o Accurate, complete and timely data is a foundation for effective risk management.
o However, data alone does not guarantee that the board and senior management will receive appropriate information to make effective decisions about risk.
o To manage risk effectively, the right information needs to be presented to the right people at the right time. Risk reports based on risk data should be accurate, clear and complete.
Principle 7 Accuracy.
Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.
o Risk management reports should be accurate and precise to ensure a bank’s board and senior management can rely with confidence on the aggregated information to make critical decisions about risk.
• Defined requirements and processes to reconcile reports to risk data;
• Automated and manual edit and reasonableness checks, including an inventory of the validation rules that are applied to quantitative information. The inventory should include explanations of the conventions used to describe any mathematical or logical relationships that should be verified through these validations or checks; and
• Integrated procedures for identifying, reporting and explaining data errors or weaknesses in data integrity via exceptions reports.
Supervisors expect banks to consider accuracy requirements analogous to accounting materiality.
Principle 8 Comprehensiveness
Risk management reports should cover all material risk areas within the organisation. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.
Risk management reports should include exposure and position information for all significant risk areas (eg credit risk, market risk, liquidity risk, operational risk) and all significant components of those risk areas (eg single name, country and industry sector for credit risk). Risk management reports should also cover risk-related measures (eg regulatory and economic capital).
Reports should identify emerging risk concentrations, provide information in the context of limits and risk appetite/tolerance and propose recommendations for action where appropriate. Risk reports should include the current status of measures agreed by the board or senior management to reduce risk or deal with specific risk situations. This includes providing the ability to monitor emerging trends through forward-looking forecasts and stress tests.
For example, an aggregated risk report should include, but not be limited to, the following information:
capital adequacy, regulatory capital, capital and liquidity ratio projections, credit risk, market risk, operational risk, liquidity risk, stress testing results, inter- and intra-risk concentrations, and funding positions and plans.
Principle 9 Clarity and usefulness.
Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients.
A bank’s risk reports should contribute to sound risk management and decision-making by their relevant recipients, including, in particular, the board and senior management. Risk reports should ensure that information is meaningful and tailored to the needs of the recipients. Reporting policies and procedures should recognise the differing information needs of the board, senior management, and the other levels of the organisation (for example risk committees). Reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.
The board should alert senior management when risk reports do not meet its requirements and do not provide the right level and type of information to set and monitor adherence to the bank’s risk tolerance/appetite. The board should indicate whether it is receiving the right balance of detail and quantitative versus qualitative information.
Senior management is also a key recipient of risk reports and it is responsible for determining its own risk reporting requirements. Senior management should ensure that it is receiving relevant information that will allow it to fulfil its management mandate relative to the bank and the risks to which it is exposed.
A bank should develop an inventory and classification of risk data items which includes a reference to the concepts used to elaborate the reports.
Supervisors expect a bank to confirm periodically with recipients that the information aggregated
Principle 10 Frequency
The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed, at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.
The frequency of risk reports will vary according to the type of risk, purpose and recipients. A bank should assess periodically the purpose of each report and set requirements for how quickly the reports need to be produced in both normal and stress/crisis situations. A bank should routinely test its ability to produce accurate reports within established timeframes, particularly in stress/crisis situations.
Supervisors expect that in times of stress/crisis all relevant and critical credit, market and liquidity position/exposure reports are available within a very short period of time to react effectively to evolving risks. Some position/exposure information may be needed immediately (intraday) to allow for timely and effective reactions.
Principle 11 Distribution.
Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained. Procedures should be in place to allow for rapid collection and analysis of risk data and timely dissemination of reports to all appropriate recipients. This should be balanced with the need to ensure confidentiality as appropriate.
Supervisors expect a bank to confirm periodically that the relevant recipients receive timely reports.
Supervisory review, tools and cooperation.
Principle 12 Review.
Supervisors should periodically review and evaluate a bank’s compliance with the eleven Principles above.
Principle 13 Remedial actions and supervisory measures.
Supervisors should have and use the appropriate tools and resources to require effective and timely remedial action by a bank to address deficiencies in its risk data aggregation capabilities and risk reporting practices. Supervisors should have the ability to use a range of tools, including Pillar 2.
Principle 14 Home/host cooperation
Supervisors should cooperate with relevant supervisors in other jurisdictions regarding the supervision and review of the Principles, and the implementation of any remedial action if necessary.
2 - A bank should include information on data characteristics (metadata) and naming conventions for legal entities, counterparties, customers, and account data in aggregated risk data. This is suggested by the Basel Committee on Banking Supervision in the principle related to:
A. accuracy.
B. completeness.
C. clarity and usefulness.
D. data architecture and infrastructure.
SUMMARY OF IDEAS
Risk data aggregation: the Principles are expected to enhance risk management and decision-making processes at banks.
Potential benefits of having effective risk data aggregation and reporting: reporting key information; improving the decision-making process; facilitating a comprehensive assessment of risk exposures; improved resolvability; reducing the probability and severity of losses; anticipating problems; improving the speed at which information is available; improving the organisation’s quality of strategic planning…
Overarching governance and infrastructure. Principle 1: strong governance arrangements. Principle 2: design, build and maintain data architecture and IT infrastructure.
Risk data aggregation capabilities. Principles 3-6 specify standards and requirements for effective risk data aggregation.
Risk reporting practices. Principles 7-11 specify standards and requirements for effective risk reporting practices. To manage risk effectively, the right information needs to be presented to the right people at the right time. Risk reports based on risk data should be accurate, clear and complete.
Supervisory review, tools and cooperation. Principles 12-14.
Introductory concepts
Operational risk management cycle
Basel II
Advanced operational risk models
Operational risk
Definition of the word "risk"
• The Dictionary of the Real Academia Española de la Lengua defines risk as:
1. Contingency or proximity of harm.
2. Each of the contingencies that may be covered by an insurance contract.
And in a COMPANY?
A company's risk consists of the uncertainty of achieving the expected results, as a consequence of certain events that prevent it. Some of these events are “foreseeable”, others “unexpected”.
What is operational risk?
Is it a new risk that did not exist before?
• No. Operational risk is the oldest of all. It is present in every kind of business and is part of our daily life.
• It is inherent to any activity involving people and technology.
• In banking, operational risk predates credit risk and market risk.
Where can operational risk arise?
– It is present in every kind of business and is part of our daily life.
Examples of operational risk
• We skip a control.
• An employee forges a signature.
• We fail to apply a tax withholding.
• The IT system is unavailable.
• Incorrect legal documentation.
• A bank branch burns down.
• We give a client bad advice.
• The institution's name is associated with a money-laundering scandal.
• We enter the data of a transaction incorrectly.
If it is so old, why this recent interest?
• Because, as we will see later, operational risk is closely tied to processes (more specifically, though not only, to some kind of error in them), and the complexity of those processes is currently increasing exponentially.
• The consequence: an increase in the probability of error and in its cost.
• Direct costs. Losses suffered by institutions.
• Indirect costs. Cost of implementing regulatory changes.
But how much can operational risk cost?
The ORX Global Operational Risk Database is the world’s largest operational risk loss data resource.
- At 30 June 2013 the Database contained 327,465 loss events worth a total value of €166,092,571,314.
- At 30 September 2014 the Banking Database contained 406,939 loss events worth a total value of €230,802,382,321 (up 39%).
But how much can a single event cost?
How much can an operational risk event end up costing?
[Bar chart, horizontal axis from 0 € to 5,000 €. Bars: Madoff, Societe Generale, Sumitomo Bank, UBS, Daiwa Bank, Barings Bank, Allied Irish Bank, Bank of Scotland, NBA, Bankers Trust, NatWest. Data labels shown: 1,500 million €, 4,700 million €, 1,370 M, 50,000 million €.]
■ February 2002—Allied Irish Bank ($691 million loss). A rogue trader, John Rusnak, hides three years of losing trades on the yen/dollar exchange rate at the U.S. subsidiary. The bank’s reputation is damaged.
■ March 1997—NatWest ($127 million loss). A swaption trader, Kyriacos Papouis, deliberately covers up losses by mispricing and overvaluing option contracts. The bank’s reputation is damaged. NatWest is eventually taken over by the Royal Bank of Scotland.
■ September 1996—Morgan Grenfell Asset Management ($720 million loss). A fund manager, Peter Young, exceeds his guidelines, leading to a large loss. Deutsche Bank, the German owner of MGAM, agrees to compensate the investors in the fund.
■ June 1996—Sumitomo ($2.6 billion loss). A copper trader amasses unreported losses over three years. Yasuo Hamanaka, known as “Mr. Five Percent,” after the proportion of the copper market he controlled, is sentenced to prison for forgery and fraud. The bank’s reputation is severely damaged.
■ September 1995—Daiwa ($1.1 billion loss). A bond trader, Toshihide Iguchi, amasses unreported losses over 11 years at the U.S. subsidiary. The bank is declared insolvent.
■ February 1995—Barings ($1.3 billion loss). Nick Leeson, a derivatives trader, amasses unreported losses over two years. Barings goes bankrupt.
■ October 1994—Bankers Trust ($150 million loss). The bank becomes embroiled in a high-profile lawsuit with a customer that accuses it of improper selling practices. Bankers settles, but its reputation is badly damaged. It is later bought out by Deutsche Bank.
■ January 2008. Societe Generale (€4,700 m). During 2007 and early 2008, a trader, Jérôme Kerviel, built up large positions (€49,900 m) in equity indices; the closing of those positions coincided with a market fall, which caused the loss.
■ September 2011. UBS (€1,500 m). In September 2011, the Swiss bank UBS announced that it had suffered losses of 1,500 million euros from unauthorized activity by its 31-year-old trader Kweku Adoboli.
■ Bank of Scotland (€615): An American televangelist began speaking ill of the Scots on his programme after this bank did not go ahead with the creation of a bank in the United States in which the televangelist was going to hold a significant stake.
Regulatory changes.
– Financial institutions
• Basel II.
– For the first time, a capital charge for operational risk will be included
• MiFID (Markets in Financial Instruments Directive)
– Based on the "know your customer" concept
• MiFID II - 2017
– Insurance companies
• Solvency II - 2016
What is operational risk?
A broad definition (negative definition of other risk):
“Any financial risk other than Market and Credit risk” Jorion p 533
“Anything that is not Credit- or Market- Risk Related” Hoffman p 35
A narrow definition:
“Risk arising from Operations” Jorion p 537
“The risk that deficiencies in information systems or internal controls will result in unexpected losses” Schwartz and Smith p 40
The Basel definition:
“The risk of loss resulting from inadequate or failed internal processes, people and systems, or external events. This definition includes legal risk, but excludes strategic and reputational risk.” Basel II
What does the Basel definition exclude?
• Strategic risk: the risk arising from the choice of a wrong strategy for securing the maximum return on the capital employed.
• Business risk: the risk arising from unfavourable changes in the tax, economic, regulatory or competitive environment. Some institutions do not distinguish between business risk and financial risk.
• Reputational risk: the exposure to uncertainty in results as a consequence of events that may negatively affect the perception that stakeholders have of the Group.
What does the Basel definition include?
• Legal risk:
The risk that arises when a transaction is not covered by the law, or the law is breached.
Occurs if contracts are not properly prepared and executed, or the counterparty claims lack of understanding and, therefore, the contract is unsuitable.
• Model risk:
The risk that arises when the wrong model or parameters are used in the valuation or hedging of a product.
It is not always possible to manage and measure operational risk
[Diagram with axes "Management" and "Measurement", positioning: Strategic and/or business; Operational (Basel - Solvency); Reputational; Regulatory]
In operational risk, is size the only thing that matters?
Weakness A: severity 1 m; frequency 100 times a year; annualised cost 100
Weakness B: severity 100 m; frequency once every 100 years; annualised cost 1
Practical problem:
An institution has 2 weaknesses and the budget to fix only one of them.
Based on the information provided, which of the two weaknesses should the institution address?
Dimensions of operational risk
[Chart with both axes scaled from 0 to 5]
• Loss frequency is defined as the number of losses over a specific time period (typically one year),
• and loss severity is defined as the value of financial loss suffered (i.e., the size of the loss).
[Diagram relating market risk, credit risk and operational risk to causes and impact]
De Fontnouvelle, DeJesus-Rueff, Jordan and Rosengren (2003) find that the capital requirement for operational risk at large US financial institutions often exceeds the capital requirement for their market risk. Mo Chaudhury 2010
Operational risk is different from the others...
[Chart of profit against risk for market, credit and operational risk]
There is no need to take on operational risk in order to earn profits.
“Operational risk is highly firm and operations specific, and unlike the market, credit, interest rate and foreign exchange risks, a higher level of operational risk exposure is not generally rewarded with a higher expected return”
Mo Chaudhury 2010
RISK: risk factor, potential loss
LOSS: operational event, accounting loss
SUMMARY OF IDEAS
Why operational risk is important. – Direct costs & indirect costs
The concepts of frequency and severity.
Three definitions of operational risk. BIS
Difference between
– Risk vs loss
– Risk factor vs event
– Potential loss vs accounting loss
How can operational risk be managed?
• Option 1 - The ostrich strategy
• Option 2: Two approaches
MEASUREMENT OF OPERATIONAL RISK. Drawing conclusions and making decisions. Loss, event.
MANAGEMENT OF OPERATIONAL RISK.
• Passive management (measurement): loss, event.
• Active management: risk of loss, risk factor.
[Side labels on the slide: EX POST, EX ANTE]
Active operational risk management cycle
Identify
Estimate or quantify
Mitigate
Monitor
Information
Op risk management does not ensure that nothing will go wrong, but instead focuses on identifying and assessing what can go wrong, on monitoring and reporting changes in risk, and mitigating and controlling the impact of any events that are threatening to occur, or that have occurred and need speedy
IDENTIFY
• Process errors
• Legal
• Regulatory non-compliance
• Fraud
• Exceeding limits
• Loss of talent
• System outages
• Programming failures
• Damage to buildings
[Flow on the slide: EVENTS THAT HAVE OCCURRED, GROUP, CLASSIFICATION CRITERION, CLASSIFY, MANAGE THE INFORMATION]
Categories: Processes; Fraud and unauthorised activity; HR; Technology; Disasters
What are arrears?
WHY?
1. Internal fraud: Acts of a type intended to defraud, misappropriate property, or circumvent regulations, the
law, or company policy (excluding diversity or discrimination events which involve at least one internal
party).
Examples include intentional misreporting of positions, employee theft, and insider trading on an
employee’s own account.
Insider trading and unauthorized trading are captured under this category.
2. External fraud: Acts by a third party of a type intended to defraud, misappropriate property, or circumvent the law.
Examples include robbery, forgery, check kiting, and damage from computer hacking.
External fraud (EF) captures all events where there has been fraud with no collusion or participation from an internal employee. High-profile operational risk (cyber security).
3. Employment practices and workplace safety: Acts inconsistent with employment, health, or safety laws
or agreements, or which result in payment of personal injury claims, or claims relating to diversity or
discrimination issues.
Examples include workers compensation claims, violation of employee health and safety rules, organized
labor activities, discrimination claims, and general liability (for example, a customer slipping and falling at
a branch office).
Captures losses that result from harm suffered by employees either due to workplace accident or due
to mistreatment by the firm.
Describe the Basel Committee’s seven categories of operational risk. J. Hull
Basel II Event Type classification
4. Clients, products, and business practices: Unintentional or negligent failure to meet a professional
obligation to clients and the use of inappropriate products or business practices. Examples are fiduciary
breaches, misuse of confidential customer information, improper trading activities on the bank’s account,
money laundering, and the sale of unauthorized products.
Some of the largest events, such as large legal losses, are often captured here.
5. Damage to physical assets: Loss or damage to physical assets from natural disasters or other events.
Examples include terrorism, vandalism, earthquakes, fires, and floods.
Most events in this category will be covered, at least in part, by insurance.
6. Business disruption and system failures: Disruption of business or system failures.
Examples include hardware and software failures, telecommunication problems, and utility outages.
It is often best measured in lost opportunities, rather than direct losses.
7. Execution, delivery, and process management: Failed transaction processing or process management, and
disputes with trade counterparties and vendors.
Examples include data entry errors, collateral management failures, incomplete legal documentation,
unapproved access given to clients accounts, nonclient counterparty misperformance, and vendor disputes.
High frequency category
• “Consistency is more important than accuracy. As long as similar events are always classified in the same way, the operational risk management can be effective”
Examples by Basel II Event Type classification.
• Internal fraud: Allied Irish Bank, Barings, and Daiwa lost $700 million, $1 billion, and $1.4 billion, respectively, from fraudulent trading.
• External fraud: Republic New York Corp. lost $611 million because of fraud committed by a custodial client.
• Employment practices and workplace safety: Merrill Lynch lost $250 million in a legal settlement regarding gender discrimination.
• Clients, products, and business practices: Household International lost $484 million from improper lending practices; Providian Financial Corporation lost $405 million from improper sales and billing practices.
• Damage to physical assets: Bank of New York lost $140 million because of damage to its facilities related to the September 11, 2001, terrorist attack.
• Business disruption and system failures: Salomon Brothers lost $303 million from a change in computing technology.
• Execution, delivery, and process management: Bank of America and Wells Fargo Bank lost $225 million and $150 million, respectively, from systems integration failures and transaction processing failures.
Basel II operational risk classification (business lines)
• The following example is taken from Robert Ceske (of NetRisk) in P. Jorion's handbook (2001-2 edition).
• The business lines do not correspond exactly to those defined in Basel II, but they serve to give an idea:
• But are all banks the same? Do all the departments of a bank do the same thing, and can they face the same problems? Can all banks and departments have the same operational risk profile?
• Commercial banking is exposed mainly to credit risk, less so to operational risk, and least to market risk.
• Investment banking, trading, and treasury management have greater exposure to market risk.
• By contrast, business lines such as retail brokerage and asset management are exposed primarily to operational risk. (Jorion 4 ed)
Basel classification matrix
[Matrix figure; surviving labels: ORC 1, ORC 2, ORC 3]
QUANTIFY
Capital calculation tools (capital calculation engine)
Self-assessment tools (RCSA)
Scenario analysis
Operational risk indicators (KRI, KPI, KCI…)
Operational loss databases
MONITOR
Describe how to identify causal relationships and how to use risk and control self-assessment (RCSA) and key risk indicators (KRIs) to measure and manage operational risks. J Hull
Operational risk indicators
BCBS (2002b) defines key risk indicators as: risk indicators are statistics and/or metrics, often financial, which can provide insight into a bank’s risk position. These indicators tend to be reviewed on a periodic basis (such as monthly or quarterly) to alert banks to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions.
PROACTIVE APPROACHES - Causal relationships
Operational risk managers should try to establish causal relations between decisions taken and operational risk losses. One approach to establishing causal relationships is statistical.
Risk and control self-assessment (RCSA) is an important way in which banks try to achieve a better understanding of their operational risk exposures.
KRI - The most important indicators are prospective. They provide an early warning system to track the level of operational risk in the organization. The hope is that key risk indicators can identify potential problems and allow remedial action to be taken before losses are incurred. It is important for a bank to quantify operational risks, but it is even more important to take actions that control and manage those risks.
Examples of key risk indicators that could be appropriate in particular situations are:
1. Staff turnover
2. Number of failed transactions
3. Number of positions filled by temps
4. Ratio of supervisors to staff
5. Number of open positions
6. Percentage of staff that did not take 10 days consecutive leave in the last 12 months
MITIGATE
Objectives of operational risk management in a company.
1. Eliminate operational risk (impossible)
2. Try to prevent events from happening (frequency)
3. If they do happen, try to make them cost as little as possible (severity)
4. If I cannot avoid them or reduce their cost, at least have the resources to pay for them (severity - capital)
Once we have decided to take some kind of action, what can we do?
OBJECTIVES
FREQUENCY: Reduce the probability of the event occurring.
SEVERITY: Reduce the economic impact of the event.
STRATEGY
FREQUENCY: Improve internal controls. Examples: Barings, National Bank of Australia, Allied Irish Banks.
SEVERITY: Improve internal controls; contingency plans; continuity plans; risk transfer (insurance). Examples: 11 September.
Although insurance is available for some types of operational risk (e.g., damage to physical assets, business disruption and system failure, et cetera), the insurance policies can be quite expensive, may entail risks of cancellation or lack of compliance by the insurer, and there is a cap on regulatory capital relief for insurance of operational risk.
Internal control methods consist of:
• Separation of functions: Individuals responsible for committing should not perform clearance and accounting
functions.
• Dual entries: Entries (inputs) should be matched from two different sources, that is, the trade ticket and the
confirmation by the back office.
• Reconciliations: Results (outputs) should be matched from different sources, for instance the trader’s profit
estimate and the computation by the middle office.
• Tickler systems: Important dates for a transaction (e.g., settlement, exercise dates) should be entered into a
calendar system that automatically generates a message before the due date.
• Controls over amendments: Any amendment to original deal tickets should be subject to the same strict controls
as original trade tickets.
External control methods consist of:
• Confirmations: Trade tickets need to be confirmed with the counterparty, which provides an independent check on
the transaction.
• Verification of prices: To value positions, prices should be obtained from external sources. This also implies that
an institution should have the capability of valuing a transaction in-house before entering it.
• Authorization: The counterparty should be provided with a list of personnel authorized to trade, as well as a list of
allowed transactions.
• Settlement: The payment process itself can indicate if some of the terms of the transaction have been incorrectly
recorded, for instance, as the first cash payments on a swap are not matched across counterparties.
• Internal/external audits: These examinations provide useful information on potential weakness areas in the
organizational structure or business process.
BoE Report on Barings Interior Allied Irish Bank
Duty to understand: Failures in the review by Mr Rusnak's superiors of the activity he carried out. However, Rusnak managed to convince management that using this type of account was more convenient because it eliminated the Back Office's workload.
Clear responsibility: The reporting structure of the head of Markets was a matrix one, that is, he reported to local senior management and to the head of Markets at the parent company.
Relevant internal controls: The person responsible for ensuring that the trading activity showed satisfactory results was in charge of controlling that activity. He also took advantage of a more important control weakness, which was the back office's failure to obtain confirmations.
Quick resolution of weaknesses: Lack of an adequate response when issues were identified in Mr Rusnak's activity. Failures in the full implementation of the recommendations of the auditors and supervisors, which meant that Mr Rusnak's superiors, as well as those responsible for accounting and the auditors, detected income that was inadequate for the use being made of the balance sheet.
• Like market VAR, the distribution of op. losses can be used to estimate expected losses as well as the amount
of capital required to support this financial risk.
• Internal Capital Retention: This option reflects the pure retention of risk. In this case a bank simply
allocates a certain amount of capital that it considers sufficient to cover potential losses.
• The expected loss represents the size of operational losses that should be expected to occur. Typically, this represents high frequency, low severity events. This type of loss is generally absorbed as an ongoing cost and managed through internal control systems. Such losses are rarely disclosed.
• The unexpected loss represents the deviation between the quantile loss at some confidence level and the expected loss. Typically, this represents lower frequency, higher severity events. This type of loss is generally offset against capital reserves or transferred to an outside insurance company, when available. Such losses are sometimes disclosed publicly but often with little detail.
• The stress loss or catastrophic loss represents a loss in excess of the unexpected loss. By definition, such losses are very infrequent but extremely damaging to the institution. The Barings bankruptcy can be attributed, for instance, in large part to operational risk. This type of loss cannot be easily offset through capital allocation, as this would require too much capital. Ideally, it should be transferred to an insurance company. Due to their severity, such losses are disclosed publicly.
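Added example (not part of the original slides): the two weaknesses from the frequency/severity practical problem (A: 1 m, 100 times a year; B: 100 m, once every 100 years), run through the expected-loss and unexpected-loss definitions above. The Poisson event count, the fixed per-event severity and the 99.9% confidence level are assumptions made for the illustration.

```python
import math


def poisson_quantile(lam, q):
    """Smallest n such that P(N <= n) >= q for N ~ Poisson(lam)."""
    n = 0
    pmf = math.exp(-lam)   # P(N = 0)
    cdf = pmf
    while cdf < q:
        n += 1
        pmf *= lam / n     # P(N = n) from P(N = n - 1)
        cdf += pmf
    return n


def loss_profile(severity, frequency, confidence=0.999):
    """Expected, quantile and unexpected annual loss for one weakness.

    Assumptions (not from the slides): the yearly number of events is
    Poisson with mean `frequency`, and each event costs exactly `severity`.
    """
    expected = severity * frequency
    quantile = severity * poisson_quantile(frequency, confidence)
    return {
        "expected": expected,                 # absorbed as an ongoing cost
        "quantile": quantile,                 # loss at the confidence level
        "unexpected": quantile - expected,    # to be covered by capital or insurance
    }


# Severity in millions, frequency in events per year, as on the slide:
# A = 1 m, 100 times a year; B = 100 m, once every 100 years.
WEAKNESSES = {"A": (1.0, 100.0), "B": (100.0, 0.01)}


def compare(confidence=0.999):
    """Loss profile of every weakness at the given confidence level."""
    return {
        name: loss_profile(severity, frequency, confidence)
        for name, (severity, frequency) in WEAKNESSES.items()
    }


def rank_by(metric, confidence=0.999):
    """Weakness names ordered from largest to smallest value of `metric`."""
    profiles = compare(confidence)
    return sorted(profiles, key=lambda name: profiles[name][metric], reverse=True)


if __name__ == "__main__":
    for name, profile in compare().items():
        print(
            f"{name}: expected {profile['expected']:.1f} m, "
            f"99.9% loss {profile['quantile']:.1f} m, "
            f"unexpected {profile['unexpected']:.1f} m"
        )
    print("largest expected loss first:  ", rank_by("expected"))
    print("largest unexpected loss first:", rank_by("unexpected"))
```

Under these assumptions A dominates on expected loss while B dominates on unexpected loss, so the answer to the budget question depends on whether the aim is to cut running cost or the capital needed.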
Explain the risks of moral hazard and adverse selection when using insurance to mitigate operational risks. J Hull
• An important decision for operational risk managers is the extent to which operational risks should be insured against.
• Provided that the insurance company’s balance sheet satisfies certain criteria, a bank using AMA can reduce the capital (up to 20%)
• Moral Hazard: The risk that the existence of the insurance contract will cause the bank to behave differently than it otherwise would. This changed behavior increases the risks to the insurance company. Ways of dealing with it:
o A deductible in any insurance policy. This means that the bank is responsible for bearing the first part of any loss.
o A coinsurance provision in a policy. In this case, the insurance company pays a predetermined percentage (less than 100%) of losses in excess of the deductible.
o A policy limit. This is a limit on the total liability of the insurer.
• Adverse Selection: This is where an insurance company cannot distinguish between good and bad risks. It offers the same price to everyone and inadvertently attracts more of the bad risks. Ways of dealing with it:
o As time goes by, it gains more information about the bank’s operational risk control systems and losses data and may increase or reduce the premium charged.
SUMMARY OF IDEAS
Measurement approach vs. management approach to operational risk.
Operational risk management cycle.
o Identification.
o Measurement or quantification.
o Monitoring.
o Mitigation.
Risk classes and business lines.
Tools.
o Self-assessment tools.
o Indicators.
o Databases.
o Mitigation procedures.
o Moral Hazard
o Adverse Selection
SUMMARY OF IDEAS: Mitigate
[Diagram labels: Assessment of the risk situation; Strategies: Avoid, Reduce, Transfer, Bear; Frequency, Severity; Insurance, Derivatives; Capital; Non-transferable risk.]
3 - After conducting a detailed internal controls assessment, a trading firm sees that it is highly vulnerable to rogue trading. The company seeks to insure against this operational risk and requests insurance policy pricing from two insurers. Insurer A offers tiered pricing based on the trading firm's internal controls and Insurer B offers a single standard fee. Compared to Insurer A, Insurer B is exposing itself to more of which kind of risk?
A. Insurance fraud.
B. Moral hazard.
C. Adverse selection.
D. Reputational decline.
Introductory Concepts
Operational Risk Management Cycle
Basel II
Advanced Operational Risk Models
Evolution of Banking Regulation
Basel II
• Inclusion of advanced credit risk models.
• Inclusion of a specific capital charge for operational risk.
• Operational risk is put on the same footing as credit and market risk.
• The higher the level of the management model used, the lower the minimum required capital.
[Diagram: Basel II and its three pillars: 1 Capital, 2 Supervision, 3 Transparency. Risks shown: credit risk, market risk, operational risk, interest rate risk, and other risks (liquidity risk, strategic risk, reputational risk, others).]
Pillar I for Operational Risk
Basic
• Capital is calculated as 15% of the three-year average of the bank's gross income
Standardised
• Capital is calculated by business line
• Each line has a beta or coefficient.
Advanced
• Capital is calculated by capital calculation units (ORC), from internal data
Strong incentives to be at the advanced level
1) A notable reduction in the capital charge
2) Implementing tools to manage operational risk will lead to fewer adverse events (reduced losses)
3) Pillar 3 of the accord (transparency) turns risk management into a competitive advantage
Pillar 2: Supervisory Review
• The Pillar 1 capital levels are the minimum
• The regulator may set higher levels if it sees fit, in light of the capacity to manage operational risks that the institution demonstrates
Pillar 3: Market Transparency
• Obligation to publish regularly how operational risks are managed
• The two most significant of these disclosures are the size of the capital charge and the technique used to calculate it.
• The size of the capital charge. The capital is the only comparable measure of exposure available.
• The technique used to calculate it. The technique used gives an indication of the sophistication of the institution's risk management and, to some extent, the emphasis accorded to the issue by the bank.
Compare three approaches for calculating regulatory capital. J. Hull
The Basic Indicator Approach.
• Banks using the Basic Indicator Approach must hold capital for operational risk equal to the average over the previous three years of a fixed percentage (denoted alpha) of positive annual gross income. Figures for any year in which annual gross income is negative or zero should be excluded from both the numerator and denominator when calculating the average. The charge may be expressed as follows:

$$K_{BIA} = \frac{\sum_{i=1}^{n} \left(GI_i \times \alpha\right)}{n}$$

where:
• $K_{BIA}$ = the capital charge under the Basic Indicator Approach
• $GI$ = annual gross income, where positive, over the previous three years
• $n$ = number of the previous three years for which gross income is positive
• $\alpha$ = 15%, which is set by the Committee, relating the industry-wide level of required capital to the industry-wide level of the indicator.
• Firms that use this approach are still encouraged to adopt all of the risk management elements that are outlined in the “Sound Practices” document.
The Standardised Approach
• The standardized approach is similar to the basic approach, except that different business lines have different multipliers or betas.
• The total capital charge is calculated as the three-year average of the simple summation of the regulatory capital charges across each of the business lines in each year. In any given year, negative capital charges (resulting from negative gross income) in any business line may offset positive capital charges in other business lines without limit. However, where the aggregate capital charge across all business lines within a given year is negative, then the input to the numerator for that year will be zero. The total capital charge may be expressed as:

$$K_{TSA} = \frac{\sum_{\text{years } 1-3} \max\left[\sum \left(GI_{1-8} \times \beta_{1-8}\right),\ 0\right]}{3}$$

• There are also 3 alternative standardized methods designed for companies that have difficulty dividing their information by business line.

Betas by Basel business line
Business line Beta
Corporate finance 18%
Trading and sales 18%
Retail banking 12%
Commercial banking 15%
Payment and settlement 18%
Agency services 15%
Asset management 12%
Retail brokerage 12%
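The two capital formulas above, worked on three years of gross income, as an added example that is not part of the original deck. The function names and the sample figures are hypothetical; alpha, the betas and the averaging rules are the ones stated on the slides, and returning zero when no year is positive is an assumption the slides do not cover.

```python
"""Basel II operational risk capital: Basic Indicator vs. Standardised Approach."""

ALPHA = 0.15  # fixed BIA percentage set by the Committee

# Betas by Basel business line, as listed on the slide.
BETAS = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}

# Constructed sample: gross income per business line for the previous three
# years. Year 2 has one negative line; year 3 is negative in aggregate.
SAMPLE_YEARS = [
    {"retail_banking": 400.0, "trading_and_sales": 100.0, "commercial_banking": 200.0},
    {"retail_banking": 300.0, "trading_and_sales": -200.0, "commercial_banking": 100.0},
    {"retail_banking": 100.0, "trading_and_sales": -600.0, "commercial_banking": 100.0},
]


def firm_gross_income(years):
    """Firm-level gross income per year, the only input the BIA needs."""
    return [sum(year.values()) for year in years]


def bia_capital(gross_income_by_year):
    """K_BIA: average of alpha * GI over the years with positive GI only."""
    if len(gross_income_by_year) != 3:
        raise ValueError("the BIA uses the previous three years")
    positive = [gi for gi in gross_income_by_year if gi > 0]
    if not positive:
        return 0.0  # assumption: the slides do not cover this case
    # Negative or zero years drop out of numerator AND denominator.
    return sum(gi * ALPHA for gi in positive) / len(positive)


def tsa_yearly_charges(years):
    """Per-year TSA input: sum over lines of GI * beta, floored at zero."""
    charges = []
    for year in years:
        unknown = set(year) - set(BETAS)
        if unknown:
            raise ValueError(f"not a Basel business line: {sorted(unknown)}")
        # Negative lines offset positive lines within the same year...
        charge = sum(gi * BETAS[line] for line, gi in year.items())
        # ...but a negative yearly aggregate enters the numerator as zero.
        charges.append(max(charge, 0.0))
    return charges


def tsa_capital(years):
    """K_TSA: the floored yearly charges averaged over a fixed three years."""
    if len(years) != 3:
        raise ValueError("the TSA uses the previous three years")
    return sum(tsa_yearly_charges(years)) / 3


if __name__ == "__main__":
    print("firm gross income:", firm_gross_income(SAMPLE_YEARS))
    print("K_BIA:", bia_capital(firm_gross_income(SAMPLE_YEARS)))
    print("TSA yearly charges:", tsa_yearly_charges(SAMPLE_YEARS))
    print("K_TSA:", tsa_capital(SAMPLE_YEARS))
```

The negative year is dropped from the BIA average but still counts as a zero in the TSA average, which always divides by three.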
• The Basel Committee has listed conditions that a bank must satisfy in order to use the standardized approach or the AMA approach. It expects large internationally active banks to move toward adopting the AMA approach through time. To use the standardized approach a bank must satisfy the following conditions:
1. The bank must have an operational risk management function that is responsible for identifying, assessing, monitoring, and controlling operational risk.
2. The bank must keep track of relevant losses by business line and must create incentives for the improvement of operational risk.
3. There must be regular reporting of operational risk losses throughout the bank.
4. The bank’s operational risk management system must be well documented.
5. The bank’s operational risk management processes and assessment system must be subject to regular independent reviews by internal auditors. It must also be subject to regular review by external auditors or supervisors or both.
Source: BdE, Guía para la aplicación del Método Estándar en la determinación de los recursos propios por riesgo operacional, 2008.
Advanced Measurement Approaches (AMA)
• Under the AMA, the regulatory capital requirement will equal the risk measure generated by the bank’s internal operational risk measurement system using the quantitative and qualitative criteria for the AMA discussed below. Use of the AMA is subject to supervisory approval.
• The risk-reducing effect of insurance is recognised in operational risk measures, with a maximum capital reduction of 20% allowed on this account. Certain requirements must be met.
General requirements. Best practices + use test
Active involvement of senior management and the board of directors in operational risk management.
The model must be sound and fully integrated into the institution's risk measurement and management systems (use test).
The institution must have sufficient resources both in the business lines and in the control and audit areas.
USE TEST. Verification that the model serves the active management of risk and is used daily by the organisation.
This requirement means that a model whose sole purpose is the calculation of capital requirements would in no case be admissible. (Mª Ángeles Nieto, p. 172)
The bank’s system must be capable of allocating economic capital for operational risk across business lines in a way that creates incentives for the business lines to improve operational risk management.
Qualitative requirements. Objective: facilitate active risk management
Have an independent operational risk management unit responsible for developing and implementing the calculation methodology.
The operational risk measurement model must be fully integrated into the institution's risk management processes.
A system of regular reporting to business line management, senior management and the board of directors must exist.
The system must be sufficiently documented.
It must be validated internally and externally. (Mª Ángeles Nieto, pp. 172-173)
Quantitative requirements.
The model must be able to identify events located in the “tails” of the probability distribution that generate severe losses.
Its operational risk measure must meet soundness criteria comparable to those of the IRB (time horizon of 1 year and confidence level of 99.9%).
The regulatory capital requirement must be the sum of the expected loss and the unexpected loss, unless the bank can demonstrate that it has measured the expected loss and is covering it in some way. (Mª Ángeles Nieto, p. 173)
Unexpected loss. By default, capital is calculated as the sum of the calculation units, unless a different correlation is justified.
The four basic elements.
All AMA models must use the four basic elements of an operational risk measurement system:
Internal data - External data - Scenarios - Business environment and control factors.
SUMMARY OF IDEAS
• Operational risk capital.
• Three pillars of BASEL II.
• Three methodologies for measuring operational risk: BIA, STA, AMA.
o From BIA to AMA, the degree of complexity and risk sensitivity runs from - to +.
o From BIA to AMA, the level of capital requirements runs from + to -.
• Requirements to qualify for AMA.
– General
– Qualitative – “Sound Practices”
– Quantitative
– 4 basic elements of the model: 1. Internal data 2. External data 3. Scenario analysis 4. Business environment and internal control factors
SUMMARY OF IDEAS
Operational Risk in Basel II
BASEL II
Pillar I: Capital Requirements
Pillar II: Supervisory Review
Pillar III: Market Discipline
Market risk, credit risk, operational risk
Basic Indicator, Standardised Approach, Advanced Methodologies
From the Basic Indicator to the Advanced Methodologies, the degree of complexity and risk sensitivity runs from - to +, and the level of capital requirements runs from + to -.
Basic Indicator
Business line Alpha
Institution 15%
Standardised Approach
Business line Beta
Corporate finance 18%
Trading and sales 18%
Retail banking 12%
Commercial banking 15%
Payment and settlement 18%
Agency services 15%
Asset management 12%
Retail brokerage 12%
Advanced Methodologies
Insurance: max. 20% reduction
1. Internal data 2. External data 3. Scenario analysis 4. Business environment and internal control factors
– General
– Qualitative
– Quantitative
– 4 basic elements of the model
SUMMARY OF IDEAS
[Diagram: the four elements: internal data, external data, scenario analysis, business environment/control factors.]
4 - The board of directors plays a key role in the process of creating a strong culture of risk management at an organization. As part of this role, one function that should be fulfilled by the board of directors is to:
A. Monitor the effectiveness of the company’s governance practices and make changes, if necessary, to ensure proper compliance.
B. Ensure that the interests of the company’s stakeholders are prioritized above its executives’ interests in order to maximize the potential return on investment.
C. Address issues that could potentially represent a conflict of interest by assigning committees composed exclusively of executive board members.
D. Establish a policy to address individual risk factors by either reducing, hedging, or avoiding exposure to each risk.
Introductory Concepts
Operational Risk Management Cycle
Basel II
Advanced Operational Risk Models
Empirical Approach – Theoretical basis
Problem to solve:
• Starting from a database of 1,000 years of losses, provide the best estimate of capital for next year at a confidence level of 90%.
Losses in chronological order:
Year Amount
1910 15
1911 65
1912 8
….
2008 45
2009 25
2010 19
The same losses sorted by amount:
Position Year Amount
1 1915 1
2 1955 6
500 1975 50
900 1999 90
998 2000 200
999 1980 500
1,000 1929 1000
Empirical Approach – In practice
[Diagram: internal database with 5 – 10 years of data; outcomes: capital underestimated, adequate capital, capital overestimated; parties: institution, regulator / supervisor.]
Derive a loss distribution from the loss frequency distribution and loss severity distribution using Monte Carlo simulations. J.Hull
Loss Distribution Approach (LDA): Theoretical basis I
Internal database
Frequency: Poisson (5)
Severity: Log (2,1)
Monte Carlo
Simulation 1: frequency 2; severities 5 and 10; loss for year 1 = 15
Simulation 2: frequency 3; severities 3, 2 and 12; loss for year 2 = 17
……….
Simulation n: frequency 1; severity 25; loss for year n = 25
Simulated annual losses:
Year Amount
1 15
2 17
3 8
….
n-2 45
n-1 25
n 25
Loss Distribution Approach (LDA): Theoretical basis II
Frequency distribution: Poisson, Binomial distribution, Negative binomial
Severity distribution: LogNormal
Simulation: Monte Carlo (convolution)
Capital: Basel II operational risk capital
• The usual assumption is that loss severity is independent of loss frequency
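The simulation sketched on the two LDA slides above, as an added example that is not part of the original deck. It uses the slide's Poisson (5) frequency and reads "Log (2,1)" as a lognormal severity with mu = 2 and sigma = 1 (an assumption); the function names, the seed and the number of simulated years are hypothetical.

```python
"""Monte Carlo loss distribution: Poisson frequency, lognormal severity."""
import math
import random


def poisson_draw(rng, lam):
    """Knuth's multiplication method; adequate for a small mean such as 5."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(n_years, lam, mu, sigma, seed=2015):
    """One simulated year = draw a loss count, then sum that many severities.

    Frequency and severity are drawn independently, the usual assumption.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        n_events = poisson_draw(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def empirical_quantile(losses, level):
    """Loss at position ceil(level * n) of the sorted years.

    With 1,000 years and a 90% level this is position 900, the rule used
    in the empirical approach.
    """
    ordered = sorted(losses)
    position = max(1, math.ceil(round(level * len(ordered), 9)))
    return ordered[position - 1]


def loss_distribution_summary(losses, level=0.999):
    """Expected loss, quantile loss and their gap (the unexpected loss)."""
    expected = sum(losses) / len(losses)
    quantile_loss = empirical_quantile(losses, level)
    return {
        "expected_loss": expected,
        "quantile_loss": quantile_loss,
        "unexpected_loss": quantile_loss - expected,
    }


if __name__ == "__main__":
    simulated = simulate_annual_losses(20000, lam=5.0, mu=2.0, sigma=1.0)
    for name, value in loss_distribution_summary(simulated).items():
        print(f"{name}: {value:.1f}")
```

The expected loss converges to lambda * exp(mu + sigma^2 / 2), about 60.9 here, while the 99.9% quantile depends on only a handful of simulated years and moves noticeably with the seed.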
Loss Distribution Approach (LDA): Theoretical basis III

$$CAR_{LDA} = \sum_{i=1}^{8} \sum_{j=1}^{7} CAR_{ij}$$

If all the cells are summed, we are placing ourselves in the worst of the scenarios: we are assuming a correlation of 1.
[Matrix: business lines by risk classes]
Business lines: corporate finance, trading and sales, retail banking, commercial banking, payment and settlement, agency services, asset management, retail brokerage.
Risk classes: processes, external fraud, internal fraud, technology, human resources, commercial practices, disasters.
LDA approach – Severity fitting in practice
Sub-exponential / fat / heavy tail: LogNormal, LogNormal-Gamma, Log-Gamma, Generalised Pareto (GPD), Burr, Pareto, Log-logistic
Light tail: Exponential, Weibull, Gamma
Other: Mixture of distributions, Empirical (body), g-and-h
Explain how to use the power law to measure operational risk. J Hull
$$\text{Prob}(v > x) = K x^{-\alpha}$$

where:
• $v$ = loss variable
• $x$ = large value of $v$
• $K$ and $\alpha$ = constants

• De Fontnouvelle et al. (2003), using data on losses from vendors, found that the power law holds well for the large losses experienced by banks. This makes the calculation of VaR with high degrees of confidence such as 99.9% easier.
• The 99.9 percentile of the loss distribution can then be estimated using a closed equation or formula.
• When loss distributions are aggregated, the distribution with the heaviest tails tends to dominate.
• This means that the loss with the lowest alpha defines the extreme tails of the total loss distribution.
• Therefore, if all we are interested in is calculating the extreme tail of the total operational risk loss distribution, it may only be necessary to consider one or two business line/risk type combinations.
LDA approach – Frequency fitting in practice
Poisson: the mean frequency of losses equals the variance of the frequency of losses.
Binomial distribution: if the mean frequency is greater than the variance of the frequency.
Negative binomial: if the mean frequency is less than the variance.
LDA approach – Operational risk capital calculation in practice
Loss Distribution Approach (LDA): In practice
[Chart: loss against time, combining internal data, external data, scenarios, and business environment and/or control factors.]
The main purpose of supplementing the internal database with data from external databases or scenarios is to have an adequate representation of the significant events that can drive the capital, to make sure that the resulting figure is not underestimated.
Describe the common data issues that can introduce inaccuracies and biases in the
estimation of loss frequency and severity distributions. J. Hull
Internal data:
• The tracking of internal loss event data is an essential prerequisite to the development and functioning of a credible operational risk measurement system. Internal loss data is crucial for tying a bank's risk estimates to its actual loss experience.
• There are two types of operational risk losses: high-frequency low-severity losses (HFLSLs) and low-frequency high-severity losses (LFHSLs). An example of the first is credit card fraud losses. An example of the second is rogue trader losses. A bank should focus its attention on LFHSLs. These are what create the tail of the loss distribution. A particular percentile of the total loss distribution can be estimated as the corresponding percentile of the total LFHSL distribution plus the average of the total HFLSL. Another reason for focusing on LFHSLs is that HFLSLs are often taken into account in the pricing of products. By definition, LFHSLs occur infrequently. Even if good records have been kept, internal data are liable to be inadequate, and must be supplemented with external data and scenario analysis.
• Traditionally, banks have done a much better job at documenting their credit risk losses than their operational risk losses. Also, in the case of credit risks, a bank can rely on a wealth of information published by credit rating agencies to assess probabilities of default and expected losses given default. Similar data on operational risk have not been collected in a systematic way.
• It is recommended that banks use internal data when estimating the frequency of losses and both internal and external data when estimating the severity of losses.
External data:
• A bank’s operational risk measurement system must use relevant external data, especially when there is reason to believe that the bank is exposed to infrequent, yet potentially severe, losses.
• There are two sources of external data.
o The first is data consortia, which are companies that facilitate the sharing of data between banks.
o The second is data vendors / public databases, who are in the business of collecting publicly available data in a systematic way.
• Both internal and external historical data must be adjusted for inflation.
• In addition, a scale adjustment should be made to external data.
• The effect of size on the size of a loss experienced is non-linear.
• Data from vendors cannot be used in the same way as internal data or data obtained through sharing arrangements because they are subject to biases. For example, only large losses are publicly reported, and the larger the loss, the more likely it is to be reported.
• Public data are most useful for determining relative loss severity.
Scenario analysis:
• A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.
• The aim of scenario analysis is to generate scenarios covering the full range of possible LFHSLs. Some of these scenarios might come from the bank’s own experience, some might be based on the experience of other banks, some might come from the work of consultants, and some might be generated by the risk management group in conjunction with senior management or business unit managers.
Describe how to use scenario analysis in instances when data is scarce. (J. Hull)
One difference between this scenario analysis and the normal one is that there is no model for determining losses and, if data is not available, the parameters of the loss severity distribution have to be estimated by the committee. One approach is to ask the committee to estimate an average loss and a “high loss” that the committee is 99% certain will not be exceeded. A lognormal distribution can then be fitted to the estimates.
• The advantage of generating scenarios using managerial judgment is that they include losses that the financial institution has never experienced, but could incur. The scenario analysis approach leads to management thinking actively and creatively about potential adverse events.
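One way to fit the lognormal to the committee's two estimates described above, as an added example that is not part of the original deck. The function names and the sample figures are hypothetical, and taking the smaller of the two possible sigma values is a modelling choice made here, not something the slides state.

```python
"""Fit a lognormal severity to a committee's average loss and 99% 'high loss'."""
import math
from statistics import NormalDist


def fit_lognormal(average_loss, high_loss, certainty=0.99):
    """Return (mu, sigma) such that the mean equals average_loss and
    P(loss <= high_loss) equals certainty.

    From mean = exp(mu + sigma^2 / 2) and high = exp(mu + z * sigma):
        ln(high / mean) = z * sigma - sigma^2 / 2
    which is a quadratic in sigma with roots z +/- sqrt(z^2 - 2 ln(high / mean)).
    """
    if not 0 < average_loss < high_loss:
        raise ValueError("need 0 < average_loss < high_loss")
    z = NormalDist().inv_cdf(certainty)
    log_ratio = math.log(high_loss / average_loss)
    discriminant = z * z - 2.0 * log_ratio
    if discriminant < 0:
        # The two estimates are too far apart for any lognormal to match both.
        raise ValueError("no lognormal matches both estimates; revisit them")
    sigma = z - math.sqrt(discriminant)  # smaller root: the less extreme fit
    mu = math.log(average_loss) - sigma * sigma / 2.0
    return mu, sigma


def lognormal_mean(mu, sigma):
    return math.exp(mu + sigma * sigma / 2.0)


def lognormal_quantile(mu, sigma, level):
    return math.exp(mu + NormalDist().inv_cdf(level) * sigma)


if __name__ == "__main__":
    # Constructed committee estimates: average loss 10, 99% high loss 100.
    mu, sigma = fit_lognormal(10.0, 100.0)
    print(f"mu = {mu:.4f}, sigma = {sigma:.4f}")
    print(f"check mean: {lognormal_mean(mu, sigma):.4f}")
    print(f"check 99% loss: {lognormal_quantile(mu, sigma, 0.99):.4f}")
    print(f"implied 99.9% loss: {lognormal_quantile(mu, sigma, 0.999):.1f}")
```

At 99% certainty the fit exists only while the high loss is at most about 15 times the average loss, so a failed fit is a prompt to challenge the committee's two numbers.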
Business environment and internal control factors:
• In addition to using loss data, whether actual or scenario-based, a bank’s firm-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile. These factors will make a bank’s risk assessments more forward-looking, more directly reflect the quality of the bank’s control and operating environments, help align capital assessments with risk management objectives, and recognize both improvements and deterioration in operational risk profiles in a more immediate fashion.
• John Hull - Business environment and internal control factors (BEICFs) should be taken into account when loss severity and loss frequency are estimated.
Describe the allocation of operational risk capital and the use of scorecards.
• Operational risk capital should be allocated to business units in a way that encourages them to improve their operational risk management.
• Methodologies
o Euler's Theorem
o Calculate incremental economic capital for each business unit and then allocate economic capital to business units in proportion to their incremental capital. (Incremental capital is the difference between the total economic capital with and without the business unit.)
o Work with the component economic capital
o Scorecard
• If a business unit can show that it has taken steps to reduce the frequency or severity of a particular risk, it should be allocated less capital.
• Note that it is not always optimal for a manager to reduce a particular operational risk. Sometimes the costs of reducing the risk outweigh the benefits of reduced capital so that return on allocated capital decreases.
• The overall result of operational risk assessment and operational risk capital allocation should be that business units become more sensitive to the need for managing operational risk.
SUMMARY OF IDEAS
LDA approach
Severity vs. frequency
Use the power law to measure operational risk.
Data issues: internal, external, scenarios, BEIC
Operational risk capital allocation.
5 - According to Basel II, the basic indicator and standardized approaches to operational risk require banks to hold capital for operational risk equal to a fixed percentage of gross income. The difference between the two approaches is that under the standardized approach:
A. banks must calculate a capital requirement for each business line, rather than at the firm level as in the basic indicator approach.
B. banks must calculate separate capital requirement for rated and unrated exposures rather than at the firm level as in the basic indicator approach.
C. the capital requirement is a higher percentage of income than in the basic indicator approach.
D. the capital requirement is a lower percentage of income than in the basic indicator approach.
6 - A risk analyst is attempting to analyze a bank's operational loss severity distribution. However, historical data on operational risk losses is limited. Which of the following is the best way to address the issue?
A. Generate additional data using Monte Carlo simulation and merge it with the bank's operational losses.
B. Estimate the parameters of a Poisson distribution to model operational loss severity.
C. Estimate relevant probabilities using expected loss information that is published by credit rating agencies.
D. Merge external data from other banks with the bank's internal data after making appropriate scale adjustment.
7 - An operational risk manager is trying to compute the aggregate loss distribution for a firm's investment banking division. When using Monte Carlo simulation, which of the following loss frequency and loss severity distribution pairs is the most appropriate to use?
A. Poisson, normal
B. Poisson, lognormal
C. Binomial, lognormal
D. Binomial, normal
THANK YOU FOR YOUR ATTENTION
Question Answer
1 A
2 D
3 C
4 A
5 A
6 D
7 B