The 2nd seminar of Friends4Growth in Ho Chi Minh City with Prof. Enoch Ch'ng from SMU (Singapore Management University).

Friends4Growth: Together We Grow

Friends4Growth is a group of young professionals who share a common passion to learn and grow more in their careers through formal and informal educational opportunities. The group was founded by Vietnamese national Le Tran, a Wharton MBA Class of 2009. The Friends4Growth mission is as follows:
• Be a place for young professionals to exchange and enhance knowledge
• Bring educational opportunities to members by providing access to well-known professors, business leaders and industry experts
• Provide information on universities around the world to members who intend to study abroad
• Share experience in studying, job search, working and living outside Vietnam

To achieve its mission, the group organizes various activities for its members on a monthly basis, such as:
• Seminars on various industry topics, with sponsorship from the Singapore Management University
• Coffee chats with experienced professionals from more developed economies
• Q&A sessions covering overseas life and work with seasoned experts

Website: www.friends4growth.com
Join us at: http://facebook.com/friends4growth and http://vn.linkedin.com/in/friends4growth
Enoch CHNG
Associate Professor of Information Systems (Education) & Director, SIS Programs in Financial Services (TOPS)
School of Information Systems
Singapore Management University
What do financial institutions know about operational risk?
8/3/2012 1
Outline
• Learning from Mishaps
– Examples of Operational Failures in Financial Industry
– Lessons Learnt
• Defining Operational Risk
• Managing Operational Risk
– Assessment of Operational Risk – General Considerations
– Process Design and Mapping, Reliability Theory, etc
– Ops Risk and Total Quality Management (TQM)
• Basel III and Measurement of Operational Risk
• Concluding Remarks
Examples of Operational Failures in Finance
• Barings (Singapore, 1995)
• Sumitomo (New York, 1996)
• NatWest (London, 1997)
• LTCM (Greenwich, 1998)
• HIH Insurance (Sydney, 2000)
• Cantor Fitzgerald (New York, 2001)
• Allied Irish Bank (Baltimore, 2002)
• Mizuho (Tokyo, 2005)
• Société Générale (Paris, 2007)
• TD Ameritrade (January 2008)
• UBS rogue trader scandal (London, Sep 2011)
• JPM Hedge Loss (London, 2012)
Features of Mishaps

| | LTCM (1998) | NatWest (1997) | Sumitomo (1996) | Barings (1995) | ? |
| --- | --- | --- | --- | --- | --- |
| Loss (USD bn) | 4.4 | 0.2 | 2.6 | 1.3 | ? |
| Loss in % cap | 44% | negligible | 45% | 100% | ? |
| Time to mishap | Fast | 3 yrs | 10 yrs | 3 yrs | ? |
| Trigger | Market conditions | External audit | Mistaken sending | Margin call | ? |

Loss events with a long time-lag usually require an additional external trigger event to make the losses apparent.
Rogue Trading
• Frequency and Severity
– Quite frequent and very severe.
• Where does it occur?
– US, Europe, Singapore, South America, …
– Far-flung branch office.
• Profile
– Relatively young or star traders.
– Gambling persona.
– Seemingly profitable business unit.
– Internal pressure to bring in high returns.
• Sequence of Events
– Usually starts small and very innocuous (cover up of an error), but then may continue for many years (while expanding) before being discovered.
– Warning signs are not heeded.
– Management inaction.
• How to avoid?
– Internal audits and controls (with separate lines of reporting), regular internal transfers, mandatory vacations, …
Human Error
• There are many examples of very common human errors (example in FX: USD-Euro vs Euro-USD trade).
• Frequency and Severity – quite often and severe.
• Important factors: Experience, Workload.
• How to avoid: Well designed information systems with error-correcting feedback, additional checking by independent people.
• Complexities in information system design:
– Requirements of having real time feed of market data. (Not easy, especially not when stock is very lightly traded or when trading is very volatile).
– Information may have to be fed into a neural net in order to detect anomalies. Neural net has to provide feedback in real time.
Why does a human error much more often result in a loss rather than in a gain?
One Way of Looking at Risks in Banking
[Diagram: tree of banking risks; node labels in reading order]
Banking Risks: Market Risk, Credit Risk, Liquidity Risk, Operational Risk, Legal Risk, Reputational Risk
Further nodes: Equity Risk, Interest Rate Risk, Currency Risk, Commodity Risk, Transaction Risk, Portfolio Concentration Risk, Trading Risk, Gap Risk, Issuer Risk, Counterparty Risk, Specific Risk, General Market Risk, Money Transfer Risk, Value Error Risk, Systems Risk, Clearance Risk, Model Risk
Definition of Operational Risk
• Early work resorted to a negative definition of 'other risks' – all risks except credit, market and interest rate risk in the banking book.
• Latest definition:
– The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including those adversely affecting reputation, legal enforcement of contracts and claims.
– Excludes strategic, business and systemic risk. However they are often captured simply as operational risk.
Operational Risk ≠ Total Risk – Market Risk – Credit Risk
Operational Risk Varies by Business Types
Causal Analysis and Risk Management
Symptoms
Causally related events
Root cause events
Risk Mitigation
Risk Prevention
Operational Risk Taxonomy
[Diagram labels, in reading order]
People
Internal Acts
Employment Practices & Workplace Safety
Employee Relations
Safe environment - workers & 3rd party
Diversity & discrimination
Clients, Products and Business Practices
Processes: Execution, Delivery & Process Management
Systems: IT and Utilities
External Events
Damage to or Loss of Assets
External Acts
Basic Operational Risk Factors
• People risk
– Incompetency
– Fraud, …
• Process risk
– Model risk
o Model/methodology error
o Mark-to-model error, …
– Transaction risk
o Execution error
o Product complexity
o Booking error
o Settlement error
o Documentation/contract risk, …
– Operational control risk
o Exceeding limits
o Security risks
o Volume risks, …
• Technology risk
– System failure
– Programming error
– Information risk
– Telecommunication failure, …
Operational Risk Management
Objectives
• To generate a broader understanding of operational risk issues at all levels of the firm that touch on key areas of risk.
• To enable the organization to anticipate risks more effectively.
• To change behavior in order to reduce operational risk and to enhance the “culture of control” within the organization.
• To provide objective information so that services offered by the organization take account of operational risks.
• To provide support in ensuring that adequate due diligence is shown when carrying out mergers and acquisitions.
• To provide objective measurements of performance.
• To avoid potential catastrophic losses.
“Must Have” Elements
• An agreed conceptual framework that provides:
– a definition of operational risk;
– identification of the key components of operational risk;
– the role and responsibilities of the function;
– its organizational fit within risk management and the firm as a whole;
– its operating principle;
– its approach to measurement; and
– its approach to reporting results.
• A systems and data architecture that provides timely, comprehensive and consistent information for decision taking and risk evaluation.
• The resources, i.e. management and people.
• The necessary tools, e.g. techniques for measurement.
Framework (giving a view both backwards and forwards)
Three Lines of Defense Model
(Slide table with the columns Area, Purpose and Role; cell text listed per line of defense)
• 3rd Line of Defense: Independent Assurance
– Audit function will challenge the key processes employed by the business
– Internal/External Audit
– Provide independent challenge & assurance
– Provide independent assurance on key controls and reporting & overall or policy framework
• 2nd Line of Defense: Governance & Oversight
– Established committee structures and reporting
– OR Policies Endorsed
– OR Framework & Reporting Built
– Provide the infrastructure and the analysis to aid oversight and challenge in respect of OR policies, framework and reporting
– Ops risk function acts as overall owners of OR policy and control assurance processes
– OR Managers
– Oversight & Challenge
– Provide oversight & challenge
– Provide expert advice
• 1st Line of Defense: Manage OR
– The business is responsible for day to day risk management, and testing of controls (Sox)
– The Business Front Line
– Establish a suitable risk & control environment.
– Test key controls
– Identify risks improvement actions, Implement controls, Reporting on progress/incidents
Potential Risk/Failure Points in Insurance
[Diagram: components feeding the financial statements]
• Total Losses: Covered Losses, Fraudulent Losses, Processing Errors
• Total Premium: Policy Premium, Processing Errors
• Total Expenses: Standard Expenses, Fraudulent Expenses, Processing Errors
• Underwriting Errors
• Financial Statements
• Pricing
• Regulatory / Rating Agency Capital Models
The significant sources of operational risk are implicitly included in regulatory and rating agency capital models.
Sequential Activities and its Relationship to Reliability Theory
• When a number of activities in a product have to be done in series, the “survival” probabilities have to be multiplied.
– Assume 3 activities in series, each having a probability of 0.9 of being done correctly. The probability of the entire product being done correctly is 0.9 x 0.9 x 0.9 = 0.73.
• Example
– Independent Verification
o Independent verification of all activities reduces probabilities of errors and potential fraud.
What is optimal redundancy?
– Parallel Checking (Independent)
o If an activity has a 0.1 probability of error, an independent verification with the same probability of error, reduces the overall error rate to 0.01.
o If the parallel activity is negatively correlated with the first activity, then overall error rate is even lower; if it is positively correlated with the first activity, then it is higher than 0.01.
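The series and parallel-checking figures above, extended to a correlated checker, as an added example that is not part of the original slides. The function names are introduced here, and the checker is modelled as a Bernoulli failure event with correlation `rho` to the maker's error, which is an assumption of this sketch.

```python
# Added example: series/parallel error model for a processing chain.
from math import prod, sqrt


def series_success(step_success):
    """Probability that every activity in a serial chain is done correctly."""
    return prod(step_success)


def undetected_error(p_maker, p_checker, rho=0.0):
    """P(activity is wrong AND the verification also fails).

    Both failures are Bernoulli events; rho is their correlation.
    rho = 0 reproduces the independent case (0.1 * 0.1 = 0.01).
    """
    spread = sqrt(p_maker * (1 - p_maker) * p_checker * (1 - p_checker))
    joint = p_maker * p_checker + rho * spread
    # Frechet bounds: limits any joint probability of two events must respect.
    low = max(0.0, p_maker + p_checker - 1.0)
    high = min(p_maker, p_checker)
    if joint < low - 1e-12 or joint > high + 1e-12:
        raise ValueError(f"rho={rho} is not attainable for these error rates")
    return min(max(joint, low), high)


def chain_success(p_error, steps, verified=False, rho=0.0):
    """Success probability of `steps` identical activities in series,
    optionally with one verification per activity."""
    per_step = undetected_error(p_error, p_error, rho) if verified else p_error
    return series_success([1.0 - per_step] * steps)


if __name__ == "__main__":
    print(f"3 steps, no checks          : {chain_success(0.1, 3):.3f}")
    for rho in (-0.1, 0.0, 0.5, 1.0):
        result = chain_success(0.1, 3, verified=True, rho=rho)
        print(f"3 steps, checked, rho={rho:+.1f}: {result:.3f}")
```

At `rho = 1.0` the verification adds nothing (the checker fails exactly when the maker does), which is the case of a reviewer working from the same data or under the same reporting line as the person being checked.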
Why TQM or 6-Sigma?
Size of Operation
• Bank of America has to process approximately 30,000,000 checks daily. The number of checks not processed correctly is less than 100.
• A major investment bank in NY processes approximately 10,000 Forex trades daily. The number of trades with minor errors is less than 100. The number of trades with a medium-size error is less than 1.
– Note: each trade may be subject to a number of amendments or exceptions
Learning from Other Industries
• From the Manufacturing industry:
– Shingo systems (Poka-yoke systems)
– Statistical Process Control (SPC)
– Deming’s 14 points
• From the Aviation industry:
– Near-Miss reporting systems
– Checklists
• From the Health Care Industry:
– Second opinions
– Knowledge system software
Variations/Variability
• Process variability is inevitable
– Human variability
– Machine or System variability
• How much variability is too much?
– Assignable variations
o Can be traced to a specific reason
o Should be eliminated
– Natural or random variations
o Form a pattern that can be described as a distribution
o We say that the process is “in control” when there are only natural variations

| | In control | Not in control |
| --- | --- | --- |
| Assume process is OK | OK | Type II error |
| Take corrective action | Type I error | OK |

Specification Limits vs. Performance Limits
[Figure: four panels comparing the performance limits with the specification limits, captioned “An Undesirable Situation”, “A Very Undesirable Situation”, “A Vulnerable Situation” and “A Very Desirable Situation”]
How is Operational Risk Measured?
• Quantitative Approach
– Statistical
– Historical
– Internal/External Failures
– Monte Carlo Simulation
• Qualitative Approach
– Based on self-assessments
• Either approach on its own does not tell the whole story
[Slide callouts: Too rigid; Relevancy?; Too judgmental; No reference points]
Basel III – Operational Risk
• Basic Indicator Approach (BIA)
– The operational risk capital charge under BIA is calculated as a fixed percentage of the average over the previous three years of positive annual Gross Income (GI).
– Percentage is currently set at 15%
• Standardized Approach (SA)
– Banks' activities are divided into 8 business lines (Corporate Finance, Trading, Retail Banking, etc.)
– Each business line has its own GI; again we look at the GIs over the last three years.
– The capital charge for each business line is its GI multiplied by a factor that is specified for that business line.
– The factor for each business line is somewhere between 12 and 18%.
• Advanced Measurement Approaches (AMA)
– the Internal Measurement Approach (IMA)
– the Score Card Approach (SCA)
– the Loss Distribution Approach (LDA)
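The BIA and SA calculations described above, as an added example that is not part of the original slides. The gross income figures are constructed; the per-line beta values and the rule that a negative yearly SA total counts as zero are taken from the Basel framework text, since the slide gives only the 12 to 18% range.

```python
# Added example: BIA and SA capital charges. Income figures are constructed.
ALPHA = 0.15  # BIA percentage stated on the slide

# Beta factors per business line (Basel framework; slide gives only 12-18%).
BETA = {
    "corporate_finance": 0.18, "trading_and_sales": 0.18,
    "retail_banking": 0.12, "commercial_banking": 0.15,
    "payment_and_settlement": 0.18, "agency_services": 0.15,
    "asset_management": 0.12, "retail_brokerage": 0.12,
}

# Constructed gross income per business line for three years, USD millions.
# Year 2 contains a large trading loss to exercise the negative-income rules.
SAMPLE_GI = [
    {"retail_banking": 400.0, "trading_and_sales": 100.0, "corporate_finance": 50.0},
    {"retail_banking": 420.0, "trading_and_sales": -600.0, "corporate_finance": 40.0},
    {"retail_banking": 450.0, "trading_and_sales": 150.0, "corporate_finance": 60.0},
]


def bank_gi(gi_by_line_per_year):
    """Bank-wide gross income for each year."""
    return [sum(year.values()) for year in gi_by_line_per_year]


def bia_charge(annual_gi, alpha=ALPHA):
    """Average only the years with positive GI, then apply alpha."""
    positive = [gi for gi in annual_gi if gi > 0]
    return alpha * sum(positive) / len(positive) if positive else 0.0


def sa_charge(gi_by_line_per_year, beta=BETA):
    """Beta-weight each line's GI per year. Lines may offset each other
    within a year; a negative yearly total counts as zero but the year
    stays in the average."""
    yearly = []
    for year in gi_by_line_per_year:
        unknown = set(year) - set(beta)
        if unknown:
            raise ValueError(f"unmapped business lines: {sorted(unknown)}")
        total = sum(beta[line] * gi for line, gi in year.items())
        yearly.append(max(total, 0.0))
    return sum(yearly) / len(yearly)


if __name__ == "__main__":
    print("Bank GI per year:", bank_gi(SAMPLE_GI))
    print(f"BIA charge: {bia_charge(bank_gi(SAMPLE_GI)):.2f}")
    print(f"SA charge : {sa_charge(SAMPLE_GI):.2f}")
```

The loss year drops out of the BIA average entirely but remains as a zero in the SA average, so the two approaches treat the same bad year differently.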
Basel III Specific Criteria
• Supervisory guidelines have been established for the Advanced Measurement Approach governing 33 principles in 4 separate categories. Supervisors will assess banks against each of these guidelines.
Governance
1. Roles and responsibilities
2. Board of Director oversight
3. Appropriate resources
4. Independent function
5. Risk and Exposure reporting
6. LOB responsibility
7. LOB alignment with firm-wide policy
8. Firm-wide policies and procedures
Data & Reporting
9. Firm-wide exposure reporting
10. Senior management reporting
11. Internal controls minimum standards
12. Data sufficiency
13. Definition
14. Collection and modification standards
15. Loss history time series
16. Data mapping
17. Loss data capture policy
18. External loss data policy
19. Management review of external data
20. Thresholds
21. Boundaries
Environment
22. Business environment and control factors
23. Comparison of loss experience
24. Scenario analysis policy
Capital Measurement
25. Analysis framework
26. Documented assumptions
27. Calculated elements
28. Treatment of EL
29. Diversification / correlation assumptions
30. Insurance offset
31. Data management
32. Verification
33. Independent testing
Variables In Foreign Exchange Trade
Stage I (Before order Match or Broker Verification)
1. Elapsed Time
2. Historical Volatility
3. Deviation from Average Volatility
4. Mark-to-Market
5. Trader Error Ratio
6. Client Sensitivity
7. Sales Error Ratio
Stage II (Before Financial Confirmation)
1. Elapsed Time
2. Historical Volatility
3. Deviation from Average Volatility
4. Mark-to-Market
5. Trader Error Ratio
6. Client Sensitivity
7. Regulatory Risk
8. Execution Method
9. Client Operating Infrastructure
10. Incoming Confirm Method
11. Outgoing Confirm Method
12. Outgoing Conf Delay/Elapsed Time
13. Internal Credit Rating
14. Sales Error Ratio
Stage III (Before Settlement Confirmation)
1. Notional
2. Potential OD Rates
3. Master Agreement (Provisions for Netting)
4. Mark-to-Market
5. Fail Recovery Time
6. Client Sensitivity
7. Regulatory Risk
8. Liquidity Risk
9. Client Operating Infrastructure
10. Country Operating Infrastructure
11. Operator Stage II
12. Product Complexity
13. Time to Settlement Cutoff
14. Payment Instruction Precedence
Stage IV (Before Value Date) (open trade)
1. Notional
2. Payment Instruction Precedence
3. Potential OD rates
4. Mark-to-Market
5. Fail Recovery Time
6. Client Sensitivity
7. Regulatory Risk
8. Liquidity Risk
9. Client Operation Infrastructure
10. Country Operating Infrastructure
11. Operator Stage I
12. Operator Stage III Approver
13. Master Agreement
Stage V (Before Terms Confirmation)
1. Elapsed Time
2. Historical Volatility
3. Deviation from Average Volatility
4. Mark-to-Market
5. Trader Error Ratio
6. Client Sensitivity
7. Sales Error Ratio
8. Outgoing Confirm Method
9. Template Precedence
10. Incoming Confirm Method
11. Product Complexity
12. Master Agreement Operator State II
From Tools for Risk Analysis to OpVaR
[Diagram labels, in reading order: Exposure Base (EIs); Internal Loss History; Industry Loss History; Scenario Analysis; Projected Loss Rates; OpVaR; Actual Loss Rates; Calculation of Actual PEs & LGEs; Calculation of OP VaR; RAROC; Reporting; Key Risk Drivers (KRDs); OpVaR Report; Stress Scenario]
OpRisk Management and Related Disciplines
Audit Operations Management
Facilities Management
Total Quality Management
Financial Risk Management
Insurance Operational Risk Management
Contingency Planning
Risk Processes & Organization
Internal Control
Reliability Engineering
Actuarial Loss Model
Statistical Process Control
Proper Design of Incentive Systems
• Incentives for the company
– if company knows that risky assets will be sold there is less of an incentive to assess the risk carefully
• Incentives for employees
– immediate bonuses for the employee versus long term risk for the company
Black Swan Events − Mitigants
• Not exposing oneself to large losses.
– For instance, only buying options (so one can at most lose the premium), not selling them.
• Performing sensitivity analysis on assumptions
– This does not eliminate the risk, but identifies which assumptions are key to conclusions, and thus meriting close scrutiny.
• Scenario analysis and stress testing
– These are widely used in industry; they do not include unforeseen events, but emphasize various possibilities and what one stands to lose, so one is not blinded by absence of losses thus far.
• Using non-probabilistic decision techniques
– While most classical decision theory is based on probabilistic techniques of expected value or expected utility, alternatives exist which do not require assumptions about the probabilities of various outcomes, and are thus robust. These include minimax, minimax regret, and info-gap decision theory.
Operational Risk Management Framework
• Management Agenda
– Purpose & objectives
– Value proposition
– Risk “appetite,” culture
– Basel II
• Understanding Operational Risk
– Operational Risk Taxonomy
– Key Risks and Trends
• Best Practices/Standards
– Policies & guidelines
– Industry standards
– Regulatory standards
• Operational Risk Methodologies
– Business Continuity Management
– Technology Risk Assessment
– Preventive, Detective Controls, Risk Mitigation
– Control Self Assessment
– Risk Measurement/Quantification Methods
• Organisation Structure
– Oversight structure
– Roles & responsibilities
• Management Information System
– ORM system architecture
Unified Risk Management Process