1

Internal Loss DataA Regulator’s Perspective

AON Operational Risk Symposium

Harvey Crapp

Australian Prudential Regulation Authority

17 April 2008

2

Agenda

1. Why Collect ILD 1. Tailored Insurance2. Risk Management3. Capital Management

2. Collection Techniques1. Policies and Procedures2. How ILD is Collected

3. Challenges 1. Scope 2. Thresholds3. Validation4. Allocation to Business lines

4. Key Issues

3

Why Collect ILD?

As a result of Basel II, complex banks wishing to implement the Advanced Measurement Approach (AMA) for operational risk capital have embedded the collection of Internal Loss Data (ILD) into their risk management practices. ILD is a valuable resource because it is the closest data representation of an institutions internal loss profile and provides insight into the risk appetite of the bank and the effectiveness of any controls in place.

Institutions who calculate operational risk regulatory capital (ORRC) using APRA’s Standardised Approach (SA) are not required to collect ILD for the purposes of capital calculation, however many other benefits can be obtained from the collection of internal data, such as:

• Tailored insurance policies• Improved risk management practices• Help in the development of capital management

4

Tailored Insurance

Operational risk insurance policies tend to cover a wide range of loss categories that may not be relevant to all institutions (e.g. Bankers Blanket Bond). Using ILD, institutions are in a better position to tailor insurance contracts to meet their individual risk profiles.

Collecting ILD enables both complex and simple institutions to demonstrate their key risk areas to insurance providers. By using observed losses to back up their claims, institutions may be able to obtain a more relevant and comprehensive insurance policy tailored to the major risks of the institution.

BA

NK

INSURANCE POLICY

5

Emerging Risk Mitigation Products

As a direct result of the AMA process, new products have entered the market to cater for the increased demand for operational risk mitigation. There are essentially three classes of products available:

• Modified Insurance Policies –Existing insurance policies have been modified to include fewer exclusions, dispute resolution procedures and arbitration timescales to reduce the uncertainty of claim payment.

• Third Party ‘Wrappers’ – Provides access to another parties’ capital to provide liquidity in case of a loss, which is repayable on insurance payout.

• Capital Market Products- Risk mitigation is achieved by replacing traditional insurance policies with bond products (e.g. catastrophe bonds).

For a bank to obtain reductions in their regulatory capital requirements, the risk transfer arising from the use of risk mitigation products must be approved by APRA.

6

Risk Management

Many institutions still rely heavily on qualitative measures and judgements to monitor and control their operational risk exposure. Over the recent past, the number of large scale unexpected operational risk losses has created some unease about the soundness of traditional operational risk management practices. As such, ILD can help improve the risk management practices of an institution as it allows for the identification, measurement and analysis of historical data, to assist in the identification of emerging trends in an institutions’ loss profile.

Trends, benchmarks and budgets feed into Key Risk Indicators (KRIs) and other Business Environment and Internal Control Factors (BEICFs) to allow for the identification of emerging risks and the proactive management of an institution’s risk profile.

An embedded risk management culture ensures staff are on the lookout for loss events which helps contribute to the prevention and reduction of potential future losses.

7

Example - Event Type Analysis

•CP&BP•Int

•BD&SF

•EP&WS•DPA

•ED&PM

•Ext

$1,000

$10,000

$100,000

$1,000,000

$10,000,000

100 1,000 10,000 100,000

No. of Losses

Impa

ct

Int – Internal Fraud

Ext – External Fraud

DPA – Damage to Physical Assets

EP&WS – Employment Practices and Workplace Safety

BD&SF – Business Disruption and System Failure

ED&PM – Execution Delivery and Process Management

CP&BP – Clients Products and Business Practices

This is an example of a type of loss data analysis that can assist institutions to identify major risks.

•The size of the bubble represents the total impact of losses from that Business Line.

•The position of the bubble on the impact axis represents the average impact of each loss.

•The position of the bubble on the frequency axis represents how many data points have been collected for that business line.

8

Capital Management

Just as AMA accredited banks use ILD in the determination of their operational risk regulatory capital, ILD may be a useful reference in the development of the Internal Capital Adequacy Assessment Process (ICAAP).

APS110–Capital Management stipulates that an institution must have “adequate systems and procedures to identify, measure, monitor and manage the risks arising from the ADI’s activities on a continuous basis to ensure that capital is held at a level consistent with the ADI’s risk profile.”1 The collection of operational risk losses may help in the identification of major risks areas and aid in the transparency of the capital management plan.1 APS110 – Section 6a

$

$$

$ $

9

Example - Risky Business

AS – Agency Services

AM – Asset Management

CB – Commercial Banking

CF – Corporate Finance

RB – Retail Banking

P&S – Payments and Settlement

T&S – Trading and Sales

O - Other

This is an example of a type of loss data analysis that can assist institutions identify which areas of their business are prone to losses, and consequently require more capital and focussed risk management.

• The size of the bubble represents the total impact of losses from that Business Line.

• The position of the bubble on the impact axis represents the average impact of each loss.

• The position of the bubble on the frequency axis represents how many data points have been collected for that business line.

•O•AS

•P&S

•AM

•T&S•CF

•CB •RB

$10,000

$100,000

$1,000,000

$10,000,000

100 1,000 10,000 100,000

No. of Losses

Impa

ct

10

Collection Techniques

When establishing loss collection policies and procedures, the complexity of the data collection system should be commensurate with the demands of the data. Additionally, data collection systems should be flexible enough that they are able to adapt to the changing needs of the institution.

For data collection to be effective, comprehensive policies and procedures need to be embedded into the culture of the organisation. These policies become a reference point for staff when recording a loss to ensure consistency, accuracy and completeness.

ILD Policies generally provide guidance on all matters concerning the recording of loss events; including the definition of an operational risk loss event, loss amount, and event type allocation guidance etc.

11

How ILD is Collected

AMA Institutions have generally collected ILD for both internal purposes and the calculation of regulatory capital. In APS115, APRA has defined what information is required to be recorded for the calculation of regulatory capital. Institutions recording data for internal purposes are able to tailor their data collection to suit their own needs. Institutions generally record the following characteristics for each Operational Risk Loss:

•Gross Loss amount- The loss amount before any recoveries from insurance.

•Date of event- Institutions have recorded one or a combination of the date the loss occurred, the discovery date or the accounting date.

•Descriptive information- Manual enrichment by business units adds valuable qualitative information, such as the cause of the loss and the failed controls.

•The Classification of the loss- Once the data is collected institutions have had to classify the loss into one (or more) of the Basel BU/Risk type combinations.

•The Nature of the Loss- Credit Risk and Market Risk related losses should be flagged to ensure correct treatment in capital calculation.

12

Challenges in Collecting ILD

The nature and quality of operational risk data collected by institutions directly affects the outcome of any quantification or risk management decisions.

During the accreditation process it was evident that AMA applicants were experiencing similar problems in regard to the treatment of losses in their operational risk loss databases. Issues were generally related to the characteristics of the data, i.e how it is collected and used. Institutions developing data capture systems face decisions regarding the scope of data, thresholds used, allocation mechanisms and validation techniques.

13

Scope of Internal Data

Institutions developing and implementing their operational risk loss policies and procedures must set clear rules around the scope of the ILD the institution wishes to collect.

Given the general scarcity of operational risk data, institutions may choose to collect near miss and rapid recovery data as a useful input into risk management and measurement procedures, particularly input into KRIs and scenario analysis.

A precise definition of what constitutes as a near miss and rapid recovery is required to ensure consistency, especially if no actual loss is incurred.

14

Loss Collection Thresholds

A loss collection threshold is the level above which all operational risk data must be collected and recorded in the internal loss database.

When setting the threshold level, institutions should first consider the purpose of the data and how different thresholds will affect its overall usability. Institutions should be aware of the trade-off between the added benefits of collecting smaller losses and the cost of collecting such information.

Generally thresholds should be set using robust empirical methods rather than subjective means. However, given the initial lack of data available to conduct empirical analysis, a well reasoned threshold is acceptable in the short term.

15

Allocation to Business Lines

A single operational risk event may result in losses occurring in multiple business lines and event types. Inconsistencies may arise when losses are entered into the system and there is no single business unit/risk type combination to assign to the loss.

Institutions must develop specific criteria for allocating losses arising from an operational risk loss event that spans more than one business line1. To maintain consistency, most AMA institutions have generally allocated the full loss amount to the business line/risk type with the largest exposure.

It is important for institutions who do allocate single event losses to multiple business lines to identify such losses in the database for risk measurement and management purposes. 1 APS115 – Attachment B Paragraph 25

16

Validation of ILD

Validation of ILD encompasses both the review and assessment of data integrity and comprehensiveness. An annual review of the data is essential to ensure reliability of the data and effectiveness of internal controls1.

To maintain consistency, some institutions have made use of a centralised function to input the general data information, then relying on business units to assist with the details (such as control failures etc).

Institutions have generally relied upon manual validation techniques such as general ledger reconciliation and audit reviews. Institutions should incorporate automatic data verification into the data input facility, limiting the amount of manual validation required.1 APS 115 Attachment B Paragraph 14

17

Key Issues

• Collecting internal operational risk data creates many benefits for institutions including;

• Tailored insurance policies• Improved risk management

practices• Capital management

• The sophistication of the data capture system should be commensurate with the use of the data.

• Sound policies and procedures need to be embedded into the risk management culture of the organisation to ensure consistent and accurate reporting of losses.

• Key challenges in collecting ILD include;• Scope of data thresholds chosen• Allocation of losses

• Validation