Operational Risk in Financial Services
Michael Pinedo, Stern School of Business
New York University
Washington University, St. Louis, February 2017
Overview
I Case Studies: Operational Failures and their Causes
II Management of Costs and Ops Risk in Financial Services
III Basel II, Basel III and Measurement of Operational Risk
IV Key Risk Indicators (KRIs) and Multi-Factor Analysis
V Discussion and Conclusions
I Examples of Operational Failures in Financial Services
(a) Mizuho (human error, equity trading, Japan)
(b) AIB Case (unauthorized trading, small organization, lack of oversight)
(c) Cantor Fitzgerald (bond trading house; lost 2/3 of its operations on 9/11; role of backup)
(a) Mizuho (Tokyo, 2005)
Human Error: Trader tries to sell 300,000 shares at 1 yen instead of 1 share at 300,000 yen.
Parties Involved: Mizuho; Tokyo Stock Exchange; Fujitsu (designer of the computerized trading system); UBS (counterparty who made the most money).
Results: Several high level people at Mizuho and the Tokyo Stock Exchange had to resign.
Human Errors
• Frequency and Severity – quite often and severe
• Important factors: experience level of employee; information system not well designed or unstable; workload; stress; disruptive events (market, force of nature, etc.)
• How to avoid: well designed information systems with error-correcting feedback, additional checking by independent people
• There are many examples of very common human errors (e.g., in Forex: USD-Euro vs Euro-USD trade)
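As an added example (not part of the original deck), the kind of pre-trade "error-correcting feedback" the slide calls for: before an order is released, it is checked against a reference price, the size of the issue and a desk notional limit, and an order that looks like the Mizuho case (price and quantity swapped) is held for confirmation by a second person. The ticker, reference price, shares outstanding, collar width and limits below are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Order:
    symbol: str
    side: str        # "buy" or "sell"
    quantity: int    # number of shares
    price: float     # limit price in yen


@dataclass
class CheckResult:
    accepted: bool
    reasons: list    # empty when accepted


# Constructed reference data (assumption: a production system reads these from
# the market-data feed and the security-master / position-keeping system).
REFERENCE_PRICE = {"XYZ": 300_000.0}     # last traded price, yen
SHARES_OUTSTANDING = {"XYZ": 20_000}
DESK_NOTIONAL_LIMIT = 500_000_000.0      # yen per order (assumed desk limit)

PRICE_COLLAR = 0.20            # assumed: reject if price is >20% away from reference
MAX_FRACTION_OF_ISSUE = 0.10   # assumed: reject if quantity > 10% of shares outstanding


def validate_order(order, reference_price=REFERENCE_PRICE,
                   shares_outstanding=SHARES_OUTSTANDING,
                   notional_limit=DESK_NOTIONAL_LIMIT):
    """Independent sanity checks applied before an order reaches the exchange."""
    reasons = []
    ref = reference_price[order.symbol]

    # 1. Price collar: a limit price far from the last trade is almost always a typo.
    deviation = abs(order.price / ref - 1.0)
    if deviation > PRICE_COLLAR:
        reasons.append(f"price {order.price:,.0f} is {deviation:.0%} away from reference {ref:,.0f}")

    # 2. Size versus the issue: you cannot sensibly sell more than exists.
    fraction = order.quantity / shares_outstanding[order.symbol]
    if fraction > MAX_FRACTION_OF_ISSUE:
        reasons.append(f"quantity {order.quantity:,} is {fraction:.0%} of shares outstanding")

    # 3. Capital at risk: cap the notional a single order can commit.
    notional = order.quantity * order.price
    if notional > notional_limit:
        reasons.append(f"notional {notional:,.0f} exceeds desk limit {notional_limit:,.0f}")

    # 4. Fat-finger pattern: if the same order reads normally with price and
    #    quantity swapped, hold it for confirmation by a second person.
    if reasons and abs(order.quantity / ref - 1.0) <= PRICE_COLLAR:
        reasons.append("price and quantity appear swapped; requires four-eyes confirmation")

    return CheckResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for o in (Order("XYZ", "sell", 300_000, 1.0),       # the slide's erroneous order
              Order("XYZ", "sell", 1, 300_000.0),       # the intended order
              Order("XYZ", "buy", 1_900, 300_000.0)):   # oversize notional
        result = validate_order(o)
        print(o, "ACCEPTED" if result.accepted else "REJECTED", result.reasons)
```

The checks are deliberately independent of the trader's own screen: the order is rejected by the system (not merely warned about) and the swapped-field case is routed to a second pair of eyes, which is the "additional checking by independent people" the slide recommends.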
(b) Allied Irish Banks (Baltimore, 2002)
Allied Irish Banks (contd.)
• Where were the (internal or external) auditors? How can the absence of 600 mm dollars go unnoticed for so long? Is anyone keeping track of the cash?
• What kind of strategy was AIB following when it hired Rusnak? (Have a trader work in complete isolation; questionable strategy!)
• Note what at the end brought people’s attention to Rusnak’s trades: the amount of capital at risk.
Comparison of Ops Risk Factors and Losses at Three Institutions

Barings Bank
• Year of loss detection: 1995
• Location: Singapore (branch, remote)
• Estimated period of unauthorized or fraudulent activities: 1992-1995
• Estimated loss size: US$ 1.4 billion
• Consequences: Collapse of Barings Bank
• Trader involved: Nicholas Leeson
• Major trigger of loss: Unauthorized trading activities
• Assumed motivation: Profit-related bonus payments
• Risk and control framework: 1. No adequate supervision; 2. No segregation of duties; 3. Insufficient level of training; 4. Management incompetence
• Organizational culture: 1. “Superstar” culture; 2. Arrogance in dealing with warning signs; 3. Culture clash between England and Singapore branches

Allied Irish Banks (AIB)
• Year of loss detection: 2002
• Location: Baltimore (remote)
• Estimated period of unauthorized or fraudulent activities: 1997-2002
• Estimated loss size: US$ 691.2 million
• Consequences: Allfirst to be sold to M & T Bank
• Trader involved: John Rusnak
• Major trigger of loss: Fraudulent trading activities
• Assumed motivation: Profit-related bonus payments
• Risk and control framework: 1. No adequate supervision; 2. No segregation of duties; 3. Gaps in back office procedures; 4. Flaws in computer and risk control systems; 5. Management incompetence; 6. Failure to reconcile daily cash flows
• Organizational culture: 1. “Superstar” culture; 2. Arrogance in dealing with warning signs (or too much trust?)

Societe Generale
• Year of loss detection: 2008
• Location: Paris (at headquarters; everything but remote)
• Estimated period of unauthorized or fraudulent activities: 2007-2008
• Estimated loss size: US$ 7 billion
• Consequences: ???
• Trader involved: Jerome Kerviel
• Major trigger of loss: Unauthorized trading activities
• Assumed motivation: Profit-related bonus payments
• Risk and control framework: 1. No adequate supervision; 2. No adequate risk management function; 3. Gaps in back office procedures; 4. Flaws in computer and risk control systems; 5. Management incompetence; 6. Failure to reconcile daily cash flows
• Organizational culture: 1. “Superstar” culture; 2. Arrogance in dealing with warning signs (or too much trust?)
(c) Cantor Fitzgerald (New York, 2001)
Terrorist Attacks – Natural Disasters
• Cantor Fitzgerald lost 2/3 of its operations on 9/11 (including all its top management with the exception of CEO Howard Lutnick)
• Where should a company keep all its computer backups and how are they kept current? (e.g., servers at Schwab)
• How should the organigram of a company be redrawn when top management is the victim of an accident?
• After 9/11 there are legal requirements with regard to locations of backups.
Backup Data Compliance
• SEC Compliance Rules (with regard to backup of trading data, e-mails, as well as phone conversations).
• The company must have a Business Recovery Plan (BRP) in place for the case that a Significant Business Disruption (SBD), either internal or external, occurs.
• Frequencies of backups. If daily, what is the worst case of data loss and how can it be recovered?
• Location of storage of backup data. How would the retrieval process work?
Operational Risk in Retail Banking and Brokerage
• Botched System Upgrades or Mergers of Systems (e.g., TD-Commerce, November 2009). This can happen when one financial institution acquires another. Operational-IT risk may result in reputation risk. Damage may be severe, but not necessarily catastrophic.
• Security Breaches: customers' identities may be compromised, either because of hackers or because of human negligence (loss or theft of a notebook computer).
• ATM, Debit Card, or Credit Card Fraud (10% of Americans have been victims of card fraud)
• New product design and client approval processes: products may not be priced properly, or their risk may not have been assessed properly, especially in new or foreign markets (e.g., mortgages)
Systems (Technology) Glitches and Crashes
- Trading Software Glitches. Installation of new trading software (not sufficiently well tested) may cause severe problems in program trading (Knight Capital – August 2012).
- Phone systems can crash. Mobile phones cannot take over, since these systems will immediately get overloaded.
- Internet access sites can crash. Should a company have multiple sites (even on servers in different countries)?
- When systems tend to be unstable, there is also a greater likelihood of human error in order execution. Risk is compounding.
II Cost Management and Ops Risk Management in Financial Services
[Figure: Types of Primary Risks in a Financial Services Company: Market Risk, Credit Risk, Ops Risk, Other Risks.]
[Figure: Propagation of risk events. Primary Risk Events (Company Level): Credit Risk, Operational Risk, Market Risk. Propagation Effects / Ensuing Risks (Company Level): Reputation Risk, Liquidity Risk. Catastrophic Risk (Industry Level): Systemic Risk, Contagion Risk.]
Ops Risk Definition (Basel II)
Risk of a Loss Resulting from Inadequate or Failed Internal Processes, People, or from External Events
Types of Operational Costs
1. Human Resources: traders, auditors, IT personnel, etc.
2. IT Investments: Cost of computing and telecommunications equipment; backups, etc.
3. Insurance costs: Rogue trader insurance, etc.
Types of Operational Risk Losses
1. Transaction Errors: Includes restitution payments (principal and/or interest) or other compensation to clients as well as disbursements made to incorrect parties and not recovered.
2. Loss of or Damage to Assets: Reduction in value of the firm’s non-financial assets and property due to some kind of accident (e.g. neglect, accident, fire, earthquake)
3. Theft, Fraud and Unauthorized Activities
4. Regulatory, Compliance and Taxation Penalties: Fines, or the cost of any other penalties, such as license revocations and associated costs; excludes lost/forgone revenue.
5. Legal Liability: Judgments, settlements, external legal and other related costs which arise as a result of an Operational Risk Event.
Operational Risk Factors in a Trading Department
People risk: Incompetency, unauthorized behavior, internal fraud, external fraud (e.g., client), and so on.
Process risk:
A. Model risk: model/methodology error; mark-to-model error; model not sufficiently tested (not super-stress tested); ….
B. Transaction risk: execution error; product complexity; booking error; settlement error; documentation/contract risk; …..
C. Operational control risk: exceeding limits; security risks; volume risks; ….
Technology risk: System failure; programming error (e.g., high frequency trading); information risk; telecommunication failure; ….
Elements of a Workable and Practical Ops Risk Management
1. An agreed conceptual framework that provides:
-- a definition of operational risk;
-- identification of the key components of operational risk;
-- the role and responsibilities of the function;
-- its organizational fit within risk management and the firm as a whole;
-- its operating principle;
-- its approach to measurement; and
-- its approach to reporting results.
2. A systems and data architecture that provides timely, comprehensive and consistent information for decision taking and risk evaluation. Dashboards, etc.
3. The resources, i.e. management and people.
4. The necessary tools, e.g. techniques for measurement.
Human Resource Management
• Proper transfers of employees from one division (location) to another (the goal is to avoid having “remote” locations and also not to have the very same team in place for extended period of time (bring in new blood)).
• Transfer of employees is a delicate balance between costs and benefits.
• Enforcement of mandatory vacations and leaves of absences (during vacation no contact with the office is allowed).
Proper Design of Incentive Systems
• Incentives for employees – immediate bonuses for the employee versus long term risk for the company
• Incentives for the company – if a company knows that risky assets will be sold there is less of an incentive to assess that risk carefully
How does this compare to the incentive systems in the insurance industry?
Backups - Redundancies - Auditors
• Extra personnel just to check all the activities of the basic personnel
• Trade-off between the annual cost of the extra people and the reduction in the probability of an Ops Risk event occurring
Role of Internal and of External Auditors
• Internal auditors focus on departmental and divisional data. Analysis of the manner in which data is being collected. Stronger focus on remote locations.
• External auditors focus more on aggregate data at the corporate level; data provided by the company.
III Basel II, Basel III, and Measurement of Operational Risk
[Figure: Structure of the Basel II Capital Accord and Pillar I for operational risk. The Accord covers 1. Credit Risk (since 1988), 2. Market Risk (since 1996) and 3. Operational Risk (since 2001), through three pillars: Pillar I, minimum capital requirements; Pillar II, supervisory review of capital adequacy; Pillar III, market discipline and public disclosure. Pillar I capital charge measurement approaches for operational risk: Basic Indicator Approach (BIA) and Standardized Approach (SA) (top-down approaches), and Advanced Measurement Approaches (AMA) (bottom-up approaches).]
Regulation Under Basel II: Specific Criteria
Supervisory guidelines have been established for the Advanced Measurement Approach governing 33 principles in 4 separate categories. Supervisors will assess banks against each of these guidelines.
Governance: 1. Roles and responsibilities; 2. Board of Director oversight; 3. Appropriate resources; 4. Independent function; 5. Risk and exposure reporting; 6. LOB responsibility; 7. LOB alignment with firm-wide policy; 8. Firm-wide policies and procedures
Data & Reporting: 9. Firm-wide exposure reporting; 10. Senior management reporting; 11. Internal controls minimum standards; 12. Data sufficiency; 13. Definition; 14. Collection and modification standards; 15. Loss history time series; 16. Data mapping; 17. Loss data capture policy; 18. External loss data policy; 19. Management review of external data; 20. Thresholds; 21. Boundaries
Environment: 22. Business environment and control factors; 23. Comparison of loss experience; 24. Scenario analysis policy
Capital Measurement: 25. Analysis framework; 26. Documented assumptions; 27. Calculated elements; 28. Treatment of EL; 29. Diversification / correlation assumptions; 30. Insurance offset; 31. Data management; 32. Verification; 33. Independent testing
Business Lines
1. Corporate Finance
2. Trading and Sales
3. Retail Banking
4. Commercial Banking
5. Payment and Settlement
6. Agency Services
7. Asset Management
8. Retail Brokerage
Which business lines are most susceptible to Operational Risk??

Event Types
1. Internal Fraud
2. External Fraud (clients, criminals, hackers, etc.)
3. Employment Practices and Workplace Safety
4. Clients, Products and Business Practices
5. Damage to Physical Assets
6. Business Disruption and System Failures
7. Execution, Delivery, and Process Management
Which event types are most susceptible to Operational Risk??
Overview of Operational Risk Models
Top-Down models:
• Multifactor models for pricing equity
• Capital Asset Pricing Model approach
• Income-based models
• Expense-based models
• Operating leverage models
• Scenario analysis and stress testing
• Risk indicator models
Bottom-up models:
• Process-based models: causal models and Bayesian belief networks; reliability models; multifactor causal models
• Actuarial models: empirical loss distribution based models; parametric loss distribution based models; models based on Extreme Value Theory
• Proprietary models
How is Operational Risk Measured?
The industry measures Operational Risk in two ways:
1. Quantitative Approach
- Statistical
- Historical
- Internal/External Failures
- Monte Carlo simulation
Weaknesses: too rigid; relevancy?
2. Qualitative Approach
- Based on self-assessments
Weaknesses: too judgmental; no reference points
Either approach on its own does not tell the whole story.

Basel II makes a distinction between several approaches:
(1) Basic Indicator Approach (BIA)
(2) Standardized Approach (SA)
(3) Advanced Measurement Approaches (AMA): Internal Measurement Approach; Scorecard Approach; Loss Distribution Approach
Loss Distribution Approach
• The Loss Distribution Approach:
– Standard statistical techniques are available
• Which techniques are most appropriate?
• What are appropriate for modeling the “tail” of the distribution?
• Data Quality is Important
– Incorporating high-severity events
• External data?
• Scenario analysis?

Loss Distribution Approach – continued …
Generally, estimation of an operational loss distribution involves 3 steps:
1. Estimating a frequency distribution
2. Estimating a severity distribution
3. Running a statistical simulation to produce a loss distribution (the compound distribution usually does not have a nice analytical form)
What types of Distributions are we talking about?
• Frequency distributions: Poisson (possibly non-homogeneous; rate being a function of internal and external environment); Negative Binomial
• Severity distributions: Normal (skinny tail – say for monthly credit card losses); Lognormal (heavy tail – say for monthly trading losses due to Ops Risk); Exponential; Gamma; Frechet; Weibull
• Theoretical distributions are fitted to the empirical data using a statistical fitting technique called Maximum Likelihood Estimation
• “Best-Fit” distribution is selected based on statistical tests which calculate the maximum difference between the theoretical distribution and the empirical data
• Annual frequency of event determined using historical event occurrence, taking into account business changes, adjustment for trends
• Absent additional information, frequency is assumed to follow a Poisson distribution, standard in the industry used to model randomly distributed events
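The three LDA steps and the maximum-likelihood fitting described above, carried out end to end as an added example (this is not code from the deck): a Poisson rate is fitted to constructed quarterly event counts, a lognormal severity is fitted by maximum likelihood to a constructed sample of loss amounts, and Monte Carlo simulation produces the compound annual loss distribution from which the expected loss, VaR and the unexpected loss are read off. The event counts, loss amounts, simulation size and random seed are all constructed assumptions; only the Python standard library is used.

```python
import math
import random

# Constructed internal loss data for one year: quarterly counts of operational
# loss events (frequency) and the individual loss amounts in USD (severity).
QUARTERLY_EVENT_COUNTS = [3, 2, 4, 3]
LOSS_AMOUNTS = [12_500, 48_000, 6_200, 150_000, 31_000, 9_800,
                72_000, 18_500, 410_000, 26_000, 5_400, 64_000]


def fit_poisson_rate(event_counts, periods_per_year):
    """Step 1: MLE of the Poisson rate, expressed as events per year."""
    years = len(event_counts) / periods_per_year
    return sum(event_counts) / years


def fit_lognormal_mle(losses):
    """Step 2: the MLE for a lognormal severity is the mean and (population)
    standard deviation of the log-losses."""
    logs = [math.log(x) for x in losses]
    mu = sum(logs) / len(logs)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in logs) / len(logs))
    return mu, sigma


def sample_poisson(lam, rng):
    """Poisson draw by Knuth's multiplication method (fine for modest rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, n_sims=20_000, seed=7):
    """Step 3: Monte Carlo of the compound distribution. Each trial draws the
    number of events for the year, then a lognormal amount for each event."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_sims):
        n_events = sample_poisson(lam, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    totals.sort()
    return totals


def quantile(sorted_values, q):
    """Empirical q-quantile of an ascending list."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def theoretical_expected_loss(lam, mu, sigma):
    """E[aggregate loss] = E[N] * E[X] for a compound Poisson with lognormal X."""
    return lam * math.exp(mu + sigma ** 2 / 2)


def lda_summary(event_counts, losses, periods_per_year=4, n_sims=20_000, seed=7):
    """Run the three LDA steps and read off the risk measures."""
    lam = fit_poisson_rate(event_counts, periods_per_year)
    mu, sigma = fit_lognormal_mle(losses)
    totals = simulate_annual_losses(lam, mu, sigma, n_sims, seed)
    expected = sum(totals) / len(totals)
    var_999 = quantile(totals, 0.999)
    return {
        "lambda": lam, "mu": mu, "sigma": sigma,
        "expected_loss": expected,
        "var_95": quantile(totals, 0.95),
        "var_99_9": var_999,
        # Basel II AMA capital is driven by the unexpected loss at 99.9% over one year.
        "unexpected_loss": var_999 - expected,
    }


if __name__ == "__main__":
    for key, value in lda_summary(QUARTERLY_EVENT_COUNTS, LOSS_AMOUNTS).items():
        print(f"{key:>16}: {value:,.2f}")
```

Two things the simulation makes visible that the slide does not: the sample mean of the simulated totals converges to λ·E[X] (a useful sanity check on the implementation), while the 99.9% quantile is driven by a handful of trials and therefore moves noticeably with the severity σ, which is why the choice of tail distribution matters so much.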
[Figure: Annual frequency and severity of loss. Left: Event Frequency (probability vs. annual frequency), mean frequency = 296221 events / 0.75 years. Right: Probability of loss vs. log of loss amount in $mm, showing the empirical data, a LogNormal fit and a Fat-Tail LogNormal fit; distribution selected based upon statistical best-fit tests.]
What is VaR and what is OPS-VaR?
• Based on analytic techniques widely used in the insurance industry to measure the financial impact of an event
• Used for determining:
- the expected loss from operational failures
- the economic capital for operational risk
- concentration of operational risk
• OPS-VaR makes no assumptions about the causes of the failure, just like Market VaR makes no assumptions about the cause of interest rate moves
• Can be applied to all types of operational risk exposures across all the businesses of the bank
• Can be used to design insurance and other risk transfer coverage
[Figure: Risk Concepts. Distribution of losses over a given time period, built from aggregate loss frequency and aggregate loss severity; the distribution is divided into Expected Losses (covered by provisions or pricing), Unexpected Losses (Value at Risk, VaR) and Catastrophic Losses. Source: ORX data.]
Value at Risk (VaR)
• The amount of loss which will not be exceeded over a certain time horizon (e.g. one year) with a certain confidence (e.g. 95%)
• Applicable to market, credit, and operational risk
• One of the most common risk measures
• Certain pitfalls: it does not always decrease as the portfolio is diversified, and it is only a lower bound for the larger losses beyond it (it says nothing about their size)
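An added example (not from the deck) of the first pitfall above, worked exactly with rational arithmetic rather than simulated: two independent exposures that each lose 100 with probability 4% have a 95% VaR of zero on their own, yet the 95% VaR of the two held together is 100, so VaR goes up under diversification. The same code computes expected shortfall, which looks past the quantile and remains subadditive here. The loss size, probability and confidence level are constructed.

```python
from fractions import Fraction
from itertools import product


def independent_sum(dist_a, dist_b):
    """Distribution of A + B for independent discrete losses.
    A distribution is a dict mapping loss amount -> probability."""
    out = {}
    for (a, pa), (b, pb) in product(dist_a.items(), dist_b.items()):
        out[a + b] = out.get(a + b, 0) + pa * pb
    return out


def value_at_risk(dist, q):
    """Smallest loss v with P(L <= v) >= q: the q-quantile of the loss distribution."""
    cumulative = Fraction(0)
    for value in sorted(dist):
        cumulative += dist[value]
        if cumulative >= q:
            return value
    raise ValueError("probabilities must sum to 1")


def expected_shortfall(dist, q):
    """Average loss in the worst (1 - q) share of outcomes; unlike VaR it
    accounts for how large the losses beyond the quantile are."""
    tail = 1 - q
    remaining, total = tail, Fraction(0)
    for value in sorted(dist, reverse=True):
        take = min(dist[value], remaining)
        total += take * value
        remaining -= take
        if remaining <= 0:
            break
    return total / tail


# Constructed example: one exposure loses 100 with probability 4% and nothing
# otherwise; the "portfolio" holds two independent copies of it.
SINGLE = {0: Fraction(96, 100), 100: Fraction(4, 100)}
CONFIDENCE = Fraction(95, 100)


def subadditivity_check(dist_a, dist_b, q):
    """Compare VaR and ES of two exposures on their own against the combined exposure."""
    combined = independent_sum(dist_a, dist_b)
    var_a, var_b, var_ab = (value_at_risk(d, q) for d in (dist_a, dist_b, combined))
    es_a, es_b, es_ab = (expected_shortfall(d, q) for d in (dist_a, dist_b, combined))
    return {
        "var_a": var_a, "var_b": var_b, "var_combined": var_ab,
        "var_subadditive": var_ab <= var_a + var_b,
        "es_a": es_a, "es_b": es_b, "es_combined": es_ab,
        "es_subadditive": es_ab <= es_a + es_b,
    }


if __name__ == "__main__":
    for key, value in subadditivity_check(SINGLE, SINGLE, CONFIDENCE).items():
        print(f"{key:>16}: {value}")
```

The mechanism is simply that the combined exposure has a 7.84% chance of some loss, which pushes the loss past the 5% tail that a 95% VaR ignores; each exposure alone sits inside that tail at 4%.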
IV Key Risk Indicators and Multi-Factor Analysis
Key Risk Indicators: Developmental Considerations
• How many should be key – e.g. the RMA has over 1,800 KRIs in its framework!
• KRI development is partly an art and partly scientific
• Some will be leading and some lagging
• Defining and aggregating KRIs does sound straightforward, but it becomes more complicated as we go beyond the surface level. KRIs should not be too high level; they should also measure at the divisional or group level
• Risk indicators can be used for any type of risk and at any level in the organisation – they do not have to be 100% accurate.
Ten Key Characteristics of Effective KRIs
1. Based on consistent methodologies and standards.
2. Incorporate risk drivers: exposure, probability, severity, and correlation.*
3. Be quantifiable: $, %, or #.
4. Track in time series against standards or limits.
5. Tie to objectives, risk owners, and standard risk categories.
6. Balance of leading and lagging indicators.
7. Be useful in supporting management decisions and actions.
8. Can be benchmarked internally and externally.
9. Timely and cost effective.
10. Simplify risk, without being simplistic.
A list developed by 50 large banks has more than 1,800 risk indicators and organizes them into 12 general categories of KRIs. Individual institutions use index values along with trigger points to signal needed corrective/mitigating action.
1) Audit Issue Management Index tracks the number and severity of audit issues that have not been resolved in a timely fashion.
2) Business Continuity Index tracks the vulnerability and criticality of processes, the quality of continuity plans and the frequency and adequacy of practices and tests.
3) Failed Customer Interactions Index tracks the number, duration and severity of failures to provide customers with prompt, reliable and effective service (via, say, call centers).
4) Information Security Index tracks the number and severity of virus attacks that had any success, of critical vulnerabilities left unresolved for a significant period and of security events with client impact.
5) Information Technology Index tracks the availability of technology at critical periods for critical purposes.
6) New Product Index tracks the rate of introduction of significant, new products with major implications for people, processes or systems.
7) Operational Losses is the dollar amount of losses.
8) Process Breaks Index tracks the rate, severity and size of trading, clearing and settlement failures and their customer impact.
9) Profitability Index tracks the number, suddenness and severity of unexpectedly high profits or losses.
10) Policy Exceptions Index tracks the number and significance of policy exceptions.
11) Regulatory Index tracks the number and severity of comments made and fines levied by bank and securities regulators.
12) Staff Turnover Index tracks turnover rates in critical functions.
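An added example (not the deck's or the banks' own code) of how an index such as the Information Security Index (item 4 above) can be computed from event records and tracked against trigger points, in the way characteristics 3, 4 and 6 of the previous slide require. The event records, the component weights, the 30-day remediation SLA and the yellow/red trigger points are all constructed assumptions; an institution would set them from its own risk appetite.

```python
# Constructed security event records for three months (assumption: a real feed
# would come from the SIEM, the vulnerability scanner and the incident tickets).
# severity: 1 (low) .. 4 (critical); days_open: age of an unresolved finding.
EVENTS = [
    {"month": "2017-01", "kind": "malware",        "severity": 2, "client_impact": False, "days_open": 0},
    {"month": "2017-01", "kind": "vulnerability",  "severity": 4, "client_impact": False, "days_open": 12},
    {"month": "2017-02", "kind": "malware",        "severity": 3, "client_impact": False, "days_open": 0},
    {"month": "2017-02", "kind": "vulnerability",  "severity": 4, "client_impact": False, "days_open": 45},
    {"month": "2017-02", "kind": "security_event", "severity": 2, "client_impact": True,  "days_open": 0},
    {"month": "2017-03", "kind": "malware",        "severity": 3, "client_impact": False, "days_open": 0},
    {"month": "2017-03", "kind": "vulnerability",  "severity": 4, "client_impact": False, "days_open": 60},
    {"month": "2017-03", "kind": "vulnerability",  "severity": 3, "client_impact": False, "days_open": 90},
    {"month": "2017-03", "kind": "security_event", "severity": 4, "client_impact": True,  "days_open": 0},
    {"month": "2017-03", "kind": "security_event", "severity": 3, "client_impact": True,  "days_open": 0},
]

CRITICAL_SEVERITY = 4
REMEDIATION_SLA_DAYS = 30   # assumed: critical findings must be closed within 30 days
# Assumed weights for the three components named in the index description.
WEIGHTS = {"successful_malware": 1.0, "unresolved_critical": 2.0, "client_impact": 3.0}
# Assumed trigger points: at yellow management reviews, at red it acts.
TRIGGERS = {"yellow": 5.0, "red": 10.0}


def index_components(events, month):
    """The three drivers of the Information Security Index for one month."""
    this_month = [e for e in events if e["month"] == month]
    return {
        # severity-weighted count of virus/malware attacks that had any success
        "successful_malware": sum(e["severity"] for e in this_month if e["kind"] == "malware"),
        # critical vulnerabilities left unresolved beyond the SLA
        "unresolved_critical": sum(1 for e in this_month if e["kind"] == "vulnerability"
                                   and e["severity"] >= CRITICAL_SEVERITY
                                   and e["days_open"] > REMEDIATION_SLA_DAYS),
        # security events with client impact
        "client_impact": sum(1 for e in this_month if e["client_impact"]),
    }


def information_security_index(events, month, weights=WEIGHTS):
    components = index_components(events, month)
    return sum(weights[name] * count for name, count in components.items())


def rag_status(value, triggers=TRIGGERS):
    """Map an index value to the red/yellow/green signal shown on a dashboard."""
    if value >= triggers["red"]:
        return "red"
    if value >= triggers["yellow"]:
        return "yellow"
    return "green"


def monthly_report(events):
    """Time series of the index with its month-on-month change (characteristic 4)."""
    report, previous = [], None
    for month in sorted({e["month"] for e in events}):
        value = information_security_index(events, month)
        report.append({"month": month, "index": value, "status": rag_status(value),
                       "change": None if previous is None else value - previous})
        previous = value
    return report


if __name__ == "__main__":
    for row in monthly_report(EVENTS):
        print(row)
```

Keeping the components separate from the weighted index matters in practice: the index triggers the review, but the components tell management whether the driver is unresolved vulnerabilities (a lagging, process signal) or client-impacting events (a loss signal), which calls for different corrective action.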
Indicators for Ops Risk in Retail Banking
• Daily transaction volume per employee
• Average system downtime
• Employee turnover (aggregate as well as on branch level or group level)
• Experience level of employees at each branch
• Number of amendments (exceptions) recorded per transaction (mortgages, loans, and so on)
• Number of new products (e.g., mortgages) introduced in most recent time period
• Number of ATMs robbed per 1000 ATMs
• Number of ATM claims/complaints for each client
• Call Centers performance measures (waiting times, percentage of callers satisfied after first call-in)
Ops Risk in Internet Banking
• Average take for an individual phisher is around 20,000 USD a month (can go as high as 100,000 USD a month).
• Phishing schemes are estimated to cost banks between 0.5 and 1.5 billion a year.
• An incident may erode customer confidence in a bank (publicity magnifying the effect across the customer base).
• Banks spend years and millions on building brand value; this can be destroyed in one day with a single publicized operational loss incident.
• Online fraud and security management are key components of Ops Risk Management
Multi-Factor Analysis: How to integrate Key Risk Indicators into a single framework and relate Costs to Risks
Exact Descriptions of Key Risk Indicators. Examples of a few possible KRIs:
Business Environment – Systems
• System Downtime: number of minutes that a system is offline
• System Slowtime: number of minutes that a system is slow
• Software Stability (…): number of lines changed in a program
Business Environment – People/Organization
• Employees: number of employees
• Employee Experience (…): average number of months of experience
Data Flow and Integrity
• Data Quality (…): ratio of transactions with errors to total transactions, number of breaks between systems, number of failed transactions
Volume Sensitivity
• Transactions (…): number of transactions
Control Gaps
• Ratio of Processes Under Control (…): processes under control – audit / total processes
External Environment
• Counterparty Errors: number of errors caused by counterparties
• Number of Changes in Regulations
Multifactor Analysis using Linear Regression
Transactions Processing Data Set
Ordinary least squares method: find the best linear fit to the data.
[Figure: scatter of observations at $X_1, X_2, X_3, X_4$ with the fitted line $\hat{Y}_i = \hat{\alpha}_0 + \hat{\alpha}_1 X_i$ and the residuals $\hat{\varepsilon}_1, \hat{\varepsilon}_2, \hat{\varepsilon}_3, \hat{\varepsilon}_4$ between each observation and the line.]
Example Multifactor Analysis (ANOVA Table from EXCEL)
Monthly Loss = - 21,356 - 864 × Headcount + 12,655 × System Downtime + 155 × Transaction Volume
Use of Multifactor Analysis
• We can forecast losses if we can find a trend for KRIs
• Knowing the coefficients in the Loss equation, we can “price” individual units of the variables.
• For example, the cost of one more minute of system downtime in a month is $12,655
• We can perform stress tests. Management can now estimate how much the total expected operational loss will increase if the trading volume increases by x %. If transaction volume increases by 50% from its average, then stressed monthly loss = $1,159,831

Use of Multifactor Analysis (contd.)
1) Cost / Benefit Analysis: Ex: If we hire 1 employee costing $ x /year the reduction in losses is estimated to be $864 x 12 = $ 10,368
2) Stress Test Analysis: If we double the transaction volume, what is the effect? Does the linearity assumption make any sense when doing stress test analysis? Most likely, the operational costs will increase convexly.
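An added example (not the deck's spreadsheet) that reproduces the multifactor analysis in code: ordinary least squares via the normal equations on constructed monthly KRI observations, followed by the three uses of the fitted equation discussed above (pricing one unit of a KRI, the annual saving per extra employee, and a volume stress test). The observations are constructed; the loss series is generated from the coefficients of the deck's own loss equation so that the fit can be checked against them.

```python
# Constructed monthly observations of three KRIs for a transaction-processing
# unit: headcount, system downtime (minutes) and transaction volume.
HEADCOUNT = [25, 40, 55, 30, 60, 45, 35, 50, 20, 42]
DOWNTIME = [5, 30, 10, 60, 15, 0, 45, 20, 35, 25]
VOLUME = [2000, 6500, 4000, 9000, 3000, 7500, 5000, 8500, 2500, 6000]

# Coefficients of the loss equation quoted in the deck (intercept, headcount,
# downtime, volume); used here only to generate the constructed loss series.
DECK_COEFS = [-21_356.0, -864.0, 12_655.0, 155.0]


def loss_equation(coefs, headcount, downtime, volume):
    """Monthly Loss = a0 + a1*Headcount + a2*System Downtime + a3*Transaction Volume."""
    return coefs[0] + coefs[1] * headcount + coefs[2] * downtime + coefs[3] * volume


MONTHLY_LOSS = [loss_equation(DECK_COEFS, h, d, v)
                for h, d, v in zip(HEADCOUNT, DOWNTIME, VOLUME)]


def solve_linear(a, b):
    """Gaussian elimination with partial pivoting for a small dense system a x = b."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def ols_fit(y, *factors):
    """Ordinary least squares with an intercept: solve the normal equations (X'X) b = X'y."""
    rows = [[1.0, *obs] for obs in zip(*factors)]
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    return solve_linear(xtx, xty)


def mean(values):
    return sum(values) / len(values)


def unit_price(coefs, factor_index):
    """Marginal monthly loss from one more unit of a KRI (e.g. one minute of downtime)."""
    return coefs[factor_index]


def annual_saving_per_hire(coefs):
    """Headcount enters with a negative sign: one extra employee cuts losses by -a1 per month."""
    return -coefs[1] * 12


def stress_test(coefs, headcount, downtime, volume, volume_shock):
    """Linear stress test: loss at the base point versus loss with volume scaled up."""
    base = loss_equation(coefs, headcount, downtime, volume)
    stressed = loss_equation(coefs, headcount, downtime, volume * (1 + volume_shock))
    return base, stressed


if __name__ == "__main__":
    coefs = ols_fit(MONTHLY_LOSS, HEADCOUNT, DOWNTIME, VOLUME)
    print("fitted coefficients:", [round(c, 2) for c in coefs])
    print("cost of one more minute of downtime:", round(unit_price(coefs, 2)))
    print("annual saving per extra employee:", round(annual_saving_per_hire(coefs)))
    base, stressed = stress_test(coefs, mean(HEADCOUNT), mean(DOWNTIME), mean(VOLUME), 0.5)
    print(f"monthly loss at average KRIs {base:,.0f}; with +50% volume {stressed:,.0f}")
```

The stress test is linear by construction, which is exactly the assumption the slide questions: the fitted equation extrapolates at the same 155 per transaction no matter how far volume moves, whereas a unit running beyond its capacity would be expected to show convex loss growth.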
V Current State of the Art, Discussion, and Conclusions
[Figure: Enterprise Risk Management Dashboard]
Dashboard with Operational Risk Metrics
[Figure: Dashboard with Operational Risk Metrics (see appendix for legend and data sources). Example shown: Investment Bank, Equity Derivatives Group – US (JPMorganChase), Equities Organization View, New York, December 31, 2005. Process View / Process Map: activities grouped into Transaction Lifecycle (IB-02 Manage Pre-Transaction; IB-03 Set Up & Manage Clients; IB-04 Execute & Record Deal; IB-05 Manage Confirms / Affirms; IB-06 Settle Cash & Securities; IB-07 Account & Report Deal), Ongoing Deal Management (IB-09 Manage Collateral & Client/Firm Margin; IB-10 Manage P&L and Risk; IB-11 Manage Transaction Positions & Cash; IB-12 Manage Fees; IB-13 Provide Client Services) and Internal Environment (IE-01 Oversight & Governance; IE-02 Regulatory Compliance; IE-03 Corporate Policy Compliance; IE-04 Human Resources Management; IE-05 IT Management; IE-06 Business Continuity & Physical Security). For each activity the dashboard lists its sub-risks, SOX-404 key controls with CSA scores and weights, action plans, CSA capital impact, RED data (events in $ thousands, split into timing and economic, 2001-2003; RED data as of 12/31/2003), audit impact, KRIs and remediation status (risk accepts / completed / in progress / late; remediation data as of 7/8/2004).
Capital Summary: Overall score 87.3, 79 controls, 1 red / 12 yellow / 66 green, capital $11,219 thousand; Transaction Lifecycle 89.5 (37% weight, 21 controls, 31% of capital); Ongoing Deal Management 95.0 (22% weight, 16 controls, 9% of capital); Internal Environment 81.3 (41% weight, 42 controls, 61% of capital). Remediation Summary: 0 risk accepts, 3 completed, 12 in progress, 1 late. Audit Summary (3/31/04 rolling 12 months): 7 audits, 6 rated B and 1 rated C, capital impact $5.6.]
Comparisons of Operational Risk Factors to other Service Industries

Transportation (aviation, shipping)
• Loss potential: major loss of life; environmental damage
• Risk measurement: near-miss reporting systems
• Risk mitigation procedures: checklists; redundancies

Health care (hospitals, nursing homes)
• Loss potential: loss of life
• Risk measurement: success rate of surgeries
• Risk mitigation procedures: second opinions; knowledge system software; barcode use when delivering medicine to patients

Financial Services (retail banks; investment banks)
• Loss potential: major financial losses (relatively high probability of catastrophic loss)
• Risk measurement: losses can be measured precisely
• Risk mitigation procedures: redundancies; hedging; insurance; securitization

Hospitality industries (hotels; cruise ships)
• Loss potential: limited financial losses (thefts; accidents) (low probability of catastrophic loss)
• Risk measurement: surveys; losses cannot be measured easily
• Risk mitigation procedures: security systems; training of personnel
Comparisons to Issues Dealt with in Manufacturing Industries
• In the manufacturing industry, productivity as well as quality control are very important concepts that are interrelated.
• Productivity in manufacturing relates to cost control in financial services and quality control in manufacturing relates to Operational Risk in financial services.
• The Japanese companies (Toyota, Canon, etc.) have done an enormous amount of work on both sides of the coin (lean manufacturing, 6-sigma, etc.).
• How can the lessons learned in the manufacturing industries be applied to financial services and vice versa??