Operational Risk; Quantification Models

7/31/2019 Operational Risk; Quantification Models

1/20

Operational Risk:Quantication Models


2/20


3/20

We observe a new wave of appeal for the

quantication of operational risk. For banks,

the enhanced capital requirements in

the upcoming Basel III regime incentivize

the exploration of capital optimization

potential through more granular and risk-

sensitive measurement approaches. One

of these opportunities is the move to (or

the renement of the existing) advanced

measurement approach (AMA) for

operational risk. The wave of developmentof a second generation of Advanced

Measurement Approach (AMA) models

happens despite the higher regulatory

scrutiny to approve such models given

their assessment of model shortcomings

in the last nancial crisis.

For insurance companies, current Solvency II

requirements likewise trigger the

development of internal operational risk

models. At rst sight, the less explicit

requirements of Solvency II regarding

methodology choice seems to be an

advantage, but the lack of insurance

Dr. Marc Ryser

Partner

Alessandro Lana

Manager

industry benchmarks and regulatory rules

can cause lengthy and difcult-to-manage

approval processes.

The aim of this brochure is to give an

overview of the critical steps towards the

design, development and validation of an

internal operational risk quantication

methodology. Given our international

experience with numerous clients, we

have learned that most of them strivefor a light approach which combines

and integrates existing operational risk

framework elements in a robust modeling

framework and which doesnt create

excessive operational burden in servicing

and maintenance.

We are condent that this brochure

highlights the relevant issues and that it

will constitute a value proposition for the

development of an internal quantication

approach or at least a jump-start for a

thorough assessment of the respective

risk and rewards.


4/20


5/20

Conte

nt

1 Executive Summary 6

2 Elements of a Sound Operational Risk Quantication Model 8

2.1 Data 9

2.2 Business Environment and Internal Control Factors (BEICFs) 9

2.3 Experts Judgment & Scenarios 10

2.4 Model Design & Diversication Effects 10

2.5 Results & Risk Allocation 11

3 Where is Your Value in Op Risk Modeling? 13

3.1 Banks 14

3.2 Insurance & Re-Insurance Companies 16

4 Lessons Learned & Trends 17


6/20


7/20

7Ernst & Young Operational Risk: Quantication Models

Lessons Learned and Trends

A very prominent observation and tendency we notice in the

market is the integration of the quantication model in the daily

risk management process. Contrary to a stand-alone element for

regulatory capital calculation, the model has a clear link to the

Risk and Control Assessments (RCAs) framework and to rm-

wide risk appetite & quantication models. A solid and integrated

RCA approach for identifying, collecting and processing bottom-up

Operational Risk Model Integrated in

the Overall Operational Risk Framework

risk and control information and allocation of results with similar

granularity is a cornerstone of operational risk quantication.

A continuous and circular risk management process links RCAs,

top-down scenario analysis and the quantication model (based

on expert inputs and loss data) as process elements. Such an

integrated RCA framework has been implemented by Ernst & Young

at many clients (see box Risk Convergence).

Risk Convergence: systematic integration

of corporate governance, risk management

and control functions.

The main focus is on harmonizing the

various elements in order to avoid

redundancies and to identify and close

gaps in coverage and management of key

risks. Risk convergence is implemented

on a cyclical basis and has the followingcomponents:

Integrated scoping

Integrated assessments

Integrated reportingQuantication

Key Requirement:

sound RCAs process,

inclusive risk catalogue

(e.g. resulting from

Risk Convergence)

Management

Top-Down

Risk Identi-

cation/

Scenario

Analysis

Bottom-Up

Risk and

Control

Assess-

ment


8/20

8 Ernst & Young Operational Risk: Quantication Models

Motivation

The initial step for the development of any kind of model is

the denition of the model scope and motivation. Beside the

implicit purpose of quantifying operational risks, it is important

to determine if the need arises from regulatory requirements(e.g. Basel II/III, Solvency II), or if the model development is

driven by internal requirements (e.g. Earnings at Risk E@R,

scenario analysis for risk appetite determination). This basic

scope denition is the rst step to develop key information for a

suitable design of the model, such as the appropriate quantiles of

measurement, the calculation frequency and eventual constraints

in the choice between different approaches.

Model Components

Thorough Operational Risk model building requires both an

overarching governance framework and a robust basis of

components, such as Risk and Control Assessments (RCAs)

and Business Environment and Internal Control Factors (BEICFs).

We will briey describe these elements, together with indications

on common issues and solutions.

2 Elements of a Sound Operational RiskQuantication Model

The model components are sorted according to inputs, calculations

(methodology and engine) and outputs.

Model Governance Framework

Model inputs, calculations and outputs are embedded in agovernance framework that denes all key elements for the sound

development, use and maintenance of the model together with

a description of how the model aids higher level calculations or

further models (e.g. aggregated capital charge across risk types,

E@R). This includes in particular:

Appropriate validation procedures at inception and ongoing

Monitoring changes in the company operational risk prole orin regulations

Roles and responsibilities, guidelines for model use and reporting

Governance Framework (Model Validation, Operational Risks Monitoring, Aggregation with other Risk Types)

Q1 2011 Q2 2011 Q3 2011

Data RCAs/BEICFs

Expert Judgment/Scenarios

Model Design/Diversification Effects

Results & Risk Allocation

Governance Framework

Model Inputs

Calculations

Model OutputsData BEICFs

ExpertJudgment/Scenarios

ModelDesign/DiversificationEffects

Results&RiskAllocation


ModelInputs

Calculations

ModelOutputs

Data BEICFs

ExpertJudgment/Scenarios

ModelDesign/DiversificationEffects

Results&RiskAllocation


ModelInputs

Calculations

ModelOutputs


9/20


2 Elements of a Sound Operational Risk Quantication Model |

Data can be information on loss events experienced directly by

the company (internal data) as well as information on loss events

experienced by peer companies (external data). The information

required for appropriate integration in the operational risk model is

quite extensive and includes, for example, the denition of a dateconvention (e.g. settlement date), a clear description of the event,

the amounts involved and eventual link to previous transactions and

controls (e.g. several transactions resulting from the same event).

In particular for external events, guidelines for the selection/

ltering and scaling of data lead to the transparent treatment of

model inputs.

Data may be collected locally (e.g. at business division or subsidiary

level), but should converge in a central database where quality

checks are made.

Finally, information provided by means of loss data is not only

important for the quantication of operational risk, but delivers

fundamental inputs for qualitative risk management as well. The

denition of investigations and mitigation measures can only

be efcient if the quality of loss data information is reliable and

detailed, in particular for external loss events.

Limited internal data history Limited information on low-frequency, high-impact Limited descriptive information of loss events Unsystematic data collection/loss of information

Not available or inconsistent (e.g. different templates for each business division/no aggregated view)

Not conceived to be input into a quantitative model (e.g. no EL estimationfor each risk)

Outdated information, no ongoing updates foreseen

The usage of external databases or local data consortiums allows for an increase ofavailable data, in particular in the high-impact, low-frequency region

Structured and inclusive collection process of internal loss events, centrally storedin a relational database

RCAs/BEICFs framework based on a structured and centralized approach(e.g. Risk Convergence)

Regular involvement of risk type-specic subject matter experts for the assessmentof the impact of mitigation measures and forward-looking elements

Risk and Control Assessments (RCAs) and Business Environment

and Internal Control Factors (BEICFs) represent another source of

important inputs for the quantication model. RCAs/BEICFs deliver

information gained through monitoring of the companys business

and control experience (similar to loss events information). Theseelements extend the range of information to forward-looking

elements (e.g. trends in the industry, upcoming new risks).

Typical key information that can be obtained from a well-structured

RCAs/BEICFs framework includes:

A complete risk catalogue that can help to structure the lossdata analysis (LDA), in order to model the body of the overall

distribution of operational losses

A subset of the risks catalogue (e.g. 10%) can inform aboutpotential high severity losses (scenarios), which have to be

analyzed for tail distribution calibration

Common controls and triggers are strong indications of potentialrisk/scenario dependencies, which have to be considered for

appropriate model design

Leveraged use of such information within a quantication approach

is possible only if the RCAs/BEICFs framework is sound, centralized

(rm-wide approach) and regularly updated.

Data Data

Common Issues Common Issues

Solutions Solutions

RCAs/BEICFs RCAs/BEICFs

Expert Judgment/Scenarios Expert Judgment/Scenarios

Model Inputs Model Inputs

2.1 Data 2.2 Business Environment and

Internal Control Factors

(BEICFs)


10/20


The scenario component of an operational risk model is

predominantly determined by two steps: the denition of scenarios

and their calibration. For both of these tasks, an integration of

expert judgment for tailoring the scenarios to the companys

operational risk prole is a common approach. However, expertjudgment should only complement industry information instead of

totally replacing it. In particular, industry information on tail

distribution characteristics of common scenarios contains signicantly

more robust information than an often arbitrary expert calibration

at high severity quantiles. For example investment suitability and

external fraud event severity distributions are typically fat tailed,

technical systems and business disruption severity is usually thin

tailed (see EY STORM Tool).

The denition of scenarios should cover all potential high severity

risks and result in a longer-term invariant of the model. The tail

calibration of scenarios is pre-dominantly a mid-term invariant

(worst cases assessments should not change frequently);

however it requires at least a yearly review based on the current

business environment and new information.

Not fully transparent inclusion of expert judgment leads to untraceable process The calibration of scenarios is neither challenged nor validated appropriately.

Experts are not fully conscious of the impact of their judgment to the overall result

Model components are not clearly distinguished(no separation of inputs for body and tail distribution)

Independency assumptions are not supported by appropriate analysis High sensitivity to few model parameters

Guidelines describing in detail the scenarios calibration process(inputs, initial calibration and validation) The inclusion of expert judgment (deviation from pure data analysis) is well

documented and justiable. The impact on results in discussed in dedicated

workshops

Separation in Low Impact High Frequency (LIHF) and High Impact Low Frequency(HILF) data clusters, for respectively body and tail loss distribution calibration In depth analysis of dependencies (e.g. across risks) Trade-off between model granularity and sensitivity

The two most common modeling approaches are Loss Distribution

Approach (LDA) and Scenario Approach (SA). Usually, both

approaches are combined to build the overall operational risk

quantication model, however with different levels of relative

contribution across industries and specic companies (based onthe quality and quantity of loss data information). Given the nature

of operational risk, where the tail behavior is dominated by low-

frequency, large-impact events, pure SA approaches may be an

appropriate choice when justied (e.g. LDA information is marginal)

and if no specic regulatory requirement conicts with such a choice.

One of the most challenging steps in the model design is the denition

of a sound linkage of LDA and SA components. This ranges from

a simple sum to aggregation by simulation. Again, the analysis

leading to a specic method must be justiable and well-documented

(no key model assumption based on arbitrary decisions).

Accounting for diversication effects (e.g. across risk types) is one

of the principal added values in comparison to simple quantication

approaches (e.g. the basic indicator for banks under Basel II).

Diversication has to be modeled according to the companys

structure and granularity level of inputs/outputs.

Finally, the choice of the calculation engine (capability, vendor

models) must be consistent with the model requirements, in

particular in terms of required exibility for the ease of ongoing

adaptations and improvements, frequency of use, number of users

and their quantitative operational risk expertise.

Data

Common Issues Common Issues

Solutions Solutions

RCAs/BEICFs


Model Inputs

Model Design/Diversification Effects Calculations

2.3 Experts Judgment & Scenarios 2.4 Model Design & Diversifcation

Effects

| 2 Elements of a Sound Operational Risk Quantication Model


11/20


What happens to the calculation results? This apparently trivial

question is probably the most important. Models only conceived for

regulatory compliance are often inefcient, because model outputs

are not leveraged by the risk management and the companys top

management and may also fail use test requirements.

It is very important to have a closed feedback loop, where model

outputs are brought back to the companys management attention

at different levels. There is a need for consistency between

granularity of the inputs-gathering process and the model outputs

ability to describe marginal contributions to the total result

(e.g. at business division, unit or local entity level). This is a key

requirement for targeted and cost-efcient risk mitigation planning

of available resources.

At top management level, scenario analysis and model results

can provide material information about strategic questions. The

choice of product offerings and markets should also be evaluated

based on key risk information, in order to be consistent with the

rms overall risk appetite at all times. In particular for banks and

insurance companies, since the publication of new regulations on

capital requirements (Basel III, Solvency II), the inclusion of risk

assessments (qualitative and quantitative) in strategic decision-

making processes are already on the top of the agenda (e.g. capital

optimization).

Results cannot be allocated to a risk or scenario owner, because the modeldelivers only aggregated gures. This limits the efciency of incentives setting.

No internal reporting of results (risk awareness) Limited/inconsistent aggregation with other risk types

Besides aggregated results, detailed information on marginal contributions mustbe part of the model outputs (according to the companies risk taxonomy) Integration of results in internal risk reports and regular presentation of results

to the management

Clear treatment of boundary events (e.g. with credit risk)

EY Statistical Tool for Operational Risk Modeling

(STORM Tool)

A practical multi-purpose operational risk quantication

framework:

Effective method to combine external consortium data withinternal scenario assessment to produce a robust capital

calculation with limited internal data

Simple and user-friendly graphical tool for creating, validatingand managing scenarios by translating them into loss

distributions and facilitating a meaningful comparison withreference data

Aggregation of loss distributions across risk types, andbusiness unit based on a range of widely used copula models

Allocation of diversied capital (net and gross of insurance)back to organizational unit and risk type based on

contributions to VaR

Comprehensive reporting of diversied and undiversiedcapital allocation at various levels, as well as useful statistics

on the effectiveness of insurance

Common Issues

Solutions

2.5 Results & Risk Allocation

Results & Risk Allocation Model Outputs

2 Elements of a Sound Operational Risk Quantication Model |


12/20


13/20


Operational risk potentially exists in all activities and usually shows

its principal characteristic of very negative skewed and fat tailed

risk proles (i.e. the most dangerous type of risk for the companys

survival) in all market segments. Within the nancial services sector,

banks and insurance companies are usually affected by materialoperational risk exposure which may reach the same scale of other

risk types, such as market and credit risks, depending on the specic

business. For asset managers, in terms of direct risks, operational

risk is even the dominating risk type. For non-fnancial services

corporations, like energy trading or health care production,

operational risk is also a very important risk dimension, in particular

for risks that cant be fully insured.

Under the assumption that effective operational risk management

is built on both qualitative and quantitative management, the

quantication step always begins with the identication of the

principal risks types. Even if some common operational risk

categories are specic to the companys activity, many others are

shared across industries. For example, natural disasters and

business continuity or execution and delivery usually affect all

3 Where is Your Valuein Op Risk Modeling?

companies. This is an important element for leveraging on modeling

experience across application elds and compliance with existing or

up-coming regulations.

Despite the common nature of operational risks, the relativeimportance of each single category is often market-specic.

Regulations and market loss events dene trends that may

drive risk categories to the top of the list. For example, in the

banking and insurance industries we have seen the importance

of investment suitability (consumer protection) substantially

increasing during the past few years. Asset managers experience

new regulations (e.g. UCITS IV, AIFMD) impacting the perception

of legal & compliance risks and non-nancial services companies

are increasingly focusing on natural disasters scenarios.

In the following subsections of this chapter, we are going to

discuss in more detail the two markets currently mostly affected

by regulatory requirements for operational risk quantication:

banks and insurance companies.

Operational risks (illustrative examples)

Natural Disaster/Epidemic/Business Continuity

Execution/Delivery/Process Management

Investment Suitability/Consumer Protection

Internal/External Fraud

Sanctions/Embargos

Jurisdiction-Specific Issues

Legal/Compliance

Financial Services

Asset ManagementInsurance/Re-Insurance

Companies

Non-Financial Services

Industrial Production

(e.g. Health Care)

Commodities

(e.g. Energy)Banks


14/20


| 3 Where is Your Value in Op Risk Modeling?

Basel II Second Generation Models

During the past few years banks have gained experience of 1st

generation operational risk models that were developed in the

course of the publication of Basel II requirements. The advanced

measurement approach (AMA) was predominantly chosen by largebanks with experience in in-house model development.

1st generation models, however, experienced severe issues during

the 20082009 period, in particular in terms of stability and

transparency, which have often triggered regulatory sanctions. In

order to support the development of a more robust 2nd generation

of models, the Basel Committee on Banking Supervision published

several studies between 2009 and 20111. The requirements of the

2nd generation of models include, in particular, a more transparent

and traceable calibration process and a better approach for the

integration of RCAs/BEICFs into the model and even of the model

itself into the daily operational risk management process.

Basel III Consequences of the Overall Capital Requirements

Increase

Whilst large banks had already recognized the advantages and the

higher risk sensitivity of AMA versus the basic and standardized

approaches of Basel II, the publication of Basel III expectations

for total regulatory capital have also raised the interest in AMA

at mid-sized banks. In particular, mid-sized banks with a large

contribution of operational risk to the total regulatory capital (e.g.

with dominating private banking divisions) are now reevaluating

the costs-benets trade-off in light of gross income forecasts for

the coming years.

1 July 2009: Observed range of practice in key elements of Advanced Measurement

Approaches (AMA)

October 2010: Recognizing the risk-mitigating impact of insurance in operational

risk modeling

December 2010: Operational Risk Supervisory Guidelines for the Advanced

Measurement Approaches consultative document

3.1 Banks

Data RCAs/BEICFs





Model Inputs

Calculations

Model Outputs

BEICFs are not well-integrated, RCAs processes are often developed withoutany link to the quantication step

Often, regulatory expectations in terms of transparency and traceabilityof scenario calibration are not yet met

Capital allocation and incentives management are not yet effective andrequire more granularity in the model

Most banks have already started internal data collection and have access toexternal data sources

The model design of second generation models is supported by moredetailed guidance (e.g. BIS studies)

After 34 years of operative use, the necessary policies and guidelineshave been duly developed and tested

Established Market Practice

Challenges


15/20


How can EY help you?

Gap analysis and assessment of cost and potential benetsof moving to AMA

Review of 1st generation AMA models, including benchmark

analysis (based on EY AMA database)

Support in the development of 2nd generation models.If required, tailoring of our packaged tool solution

(EY STORM Tool)

Model validation, benchmarking of results and calibration

Support in the development of the required governanceframework (e.g. policies, scenario templates)

10000

9000

8000

7000

6000

5000

4000

900

800

700

500

600

400

300

200

100

001/01/

2006

01/01/

2007

01/01/

2008

01/01/

2009

01/01/

2010

01/01/

2011

01/01/

2012

01/01/

2013

01/01/

2014

Gross Income Op Risk Capital Charge Basic Indicator Stock Index

Basic indicator

Flat 15% rate applied to the average gross income over

the past 3 years (positive income results)

Standardised approach

Rates from 12% to 18% applied to the business divisions

average gross income over the past 3 years (positive

income results)

3 Where is Your Value in Op Risk Modeling? |


16/20


Solvency II Leverage on Banking Experience

The internal model approach under Solvency II also requires a

model-based quantication of operational risk for insurance and

re-insurance companies, which roughly aligns practices with large

and mid-sized banks. However, the existing guidelines are not asdetailed as those of AMA under Basel II. The increased degrees

of freedom in relation to the model development represent

only supercially an advantage. In addition to the difculties of

developing a robust model design without specic expectations,

the most prominent project risk is linked to the local approval of

the model by the regulator. Different regulators may have different

levels of expectation, for example by stressing more or less the

importance of specic model components.

The most pragmatic approach is to leverage on the banking

experience of AMA banking models, which already underwent the

market stress test in 20082009. Especially because regulators

are expected to provide consistent feedback while approving the

models for insurance companies and banks.

Nevertheless, insurance and re-insurance companies currently

recognize the potential of a model-based quantication of

operational risk, in particular derived from the potential benet

of diversication effects, which may be very signicant for the

typical company structure (e.g. several operating entities active

on different markets and with diversied product offerings).

3.2 Insurance & Re-Insurance

Companies

Data RCAs/BEICFs





The history of internal loss data is often limited or even not yet well-structured 1st generation models are not supported by detailed regulatory requirements

(many degrees of freedom)

The governance framework is typically inexistent at this stage

Insurance companies are often advanced in the development of a sound RCAsprocess that may be leveraged for the quantication process

Scenarios and HILF events analysis are well-known approaches The structure for reporting at division and operating entity level is already

in place for insurance risks

Established Market Practice

Challenges

Model Inputs

Calculations

Model Outputs

How can EY help you?

Set up a project plan for model development and application tothe regulator

Support the development of a model by leveraging on theexperience of AMA Basel II and recent implementation of

Solvency II models. If required, tailoring of our packaged tool

solution (EY STORM Tool)

For models already in an advanced development phase: review ofconcepts (model design) and gap analysis for approval based on

current regulatory feedback collected in the market

Model validation, benchmarking of results and calibrations

Support in the development of the required governanceframework (e.g. policies, scenario templates)

| 3 Where is Your Value in Op Risk Modeling?


17/20


A most natural leverage on lessons learned in relation to operational

risk quantication can be gained from experience with AMA Basel II

1st generation models. The analysis of trends in regulations, in the

market practice for model design, in structural requirements and

in the denition of overall operational risk governance frameworksin the banking industry during the past few years constitutes a

solid knowledge basis for the development of new operational

risk models. AMA candidate banks, insurance companies, asset

managers and even non-nancial corporations, should consider

such lessons learned in developing their own quantication models.

4 Lessons Learned & Trends

Regulations

We experience a consistent tendency for enhanced regulatoryrequirements, not only for overall operational risk quantication

(e.g. Solvency II), but also for specic operational risk topics,

like misselling (e.g. MIFID II), which might impact worst case lossestimations for the respective scenarios.

Additionally, regulators raised their expectations for transparencyin model design, data ow and calibration. Internally developed

black boxes or vendor models with limited insight on the model

assumptions are not considered appropriate solutions anymore.

Application Fields/

Limited Experience

(Today)

Asset managers & non-

nancial corporations

Beta Versions Models

Insurance companies

First Generation Models

Banks SecondGeneration Models

Yesterday Today

Basel II Basel Committee Observed Range of Practice AMA Supervisory Guidelines

Solvency II

Asset Management

Local Regulations

Leverage

onLessonsLe

arned&Tr

ends

Systemic Risk

Companies Local

Regulations?

Basel III

Existing/Expected

RegulationsTomorrow


18/20


19/20

Switzerland

Dr. Marc Ryser, Partner

Risk, Financial Services

Phone +41 58 286 4903

Email [email protected]

Alessandro Lana, Manager


Phone +41 58 286 4271


United Kingdom (incl. Ireland)

Gerald Chappell, Executive Director


Phone +44 20 7951 7681


Dr. Mark London, Senior Manager


Phone +44 79 0022 8204


Dr. Sonja Koerner, Executive Director


Phone +44 20 7951 6495


Germany

Dr. Karsten Fser, Partner

Risk, Financial ServicesPhone +49 711 9881 14497


Dr. Martin Drr, Partner


Phone +49 711 9881 21870


France

Anne Le Henaff, Executive Director


Phone +33 1 4693 7966


Italy

Emilio Maf, Executive Director


Phone +39 02 722 12203


Luxembourg

Laurent Denayer, Executive Director


Phone +352 42 124 8340


Netherlands

Dr. Diederik Fokkema, Executive Director


Phone +31 88 40 70836


Portugal

Luis Oliveira Rodrigues, Executive Director


Phone +351 21 791 2032


Spain

Victor Martn Gimnez, Executive Director


Phone +34 9157 27906


Contact


20/20

Assurance | Tax | Legal | Transactions | Advisory

Ernst & Young

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and

advisory services. Worldwide, our 141,000 people are united by our

shared values and an unwavering commitment to quality. We make a

difference by helping our people, our clients and our wider communities

achieve their potential.

Ernst & Young refers to the global organization of member firms of

Ernst & Young Global Limited (EYG), each of which is a separate legal

entity. EYG, a UK company limited by guarantee, does not provide

services to clients.

In Switzerland, Ernst & Young Ltd is a leading audit and advisory company

offering services with about 2,000 employees at 10 locations also in the

area of tax and legal, as well as in transactions and accounting.

For more information about our organization, please visit

www.ey.com/ch

2011 Ernst & Young Ltd

All Rights Reserved.

KKL 0511

Documents

Operational Risk; Quantification Models