Managing Operational Risk - Citibank - Banking
Managing Operational Risk, Jaidev...
AGENDA
1. WHAT IS OPERATIONAL RISK
2. WHAT IS OPERATIONAL RISK MANAGEMENT
3. WHAT IS THE VALUE PROPOSITION
What is Operational Risk?
Risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
What are the standard firm’s key Operational Risks?
1. Business Practices: Inappropriate business practices or market conduct
2. Business Selection: Inadequate due diligence; non-adherence to credit, market, oprisk policies and limits
3. Infrastructure Adequacy/Capacity: Inability to support business growth due to deficiencies in the infrastructure
4. Financial Integrity: Incorrect books, records, reporting
5. Compliance with Laws and Regulations: Failure to comply with the spirit and letter of applicable laws/regulations
6. Information Security: Inappropriate safeguarding of customer or proprietary information assets; cyber-security
7. Continuity of Business: Inability to continue business during a contingency event
8. Employment Practices: Inappropriate employment practices and workplace environment
9. Vendor Management: Risks not defeased, poor practices
Operational Risk
Process Risks
  • Execution, Delivery, Process Mgmt
  • Business Disruption, Systems Failure
Conduct Risks
  • Clients, Products, Business Practices
  • Employment Practices, Workplace
  • Internal Theft, Fraud
External Risks
  • External Theft and Fraud
  • Damage to Physical Assets
Operational Risk as a Discipline
(Columns: Discipline | Modern History | Risk Mitigation Tools | Risk Measurement)

Credit Risk
  Modern History: Age > 50 years; Portfolio view > 35 yrs; Quantitative > 20 yrs; Active mitigation > 15 yrs
  Risk Mitigation Tools: Target market/portfolio; Risk-based capital; Credit approval process; Assignments / participations; Credit derivatives
  Risk Measurement: Value at Risk based on
    • Prob. of Default – ORR
    • LGD – FRR

Operational Risk
  Modern History: Age < 10 years; Portfolio view… TBD; Quantitative < 5 yrs; Active mitigation: culture?
  Risk Mitigation Tools: Risk-based capital; Pace of business growth; Infra investment, planning; People management, training
  Risk Measurement: Value at Risk based on
    • Loss frequency
    • Loss severity
    Metrics / KRIs

Market Risk
  Modern History: Age > 30 years; Portfolio view > 20 yrs; Quantitative > 15 yrs; Active mitigation > 10 yrs
  Risk Mitigation Tools: Risk-based capital; Boundaries; Diversification; Hedging positions
  Risk Measurement: Value at Risk based on
    • Factor Sensitivity
    • Potential Losses
Operational Risk Management Basics
• Management of the frequency AND severity of events and losses
  o Dimension operational risk exposure (quantitative, qualitative) to confirm an acceptable level of risk
  o By ensuring adequate controls, maintain exposure (and financial/reputation risk) within acceptable levels
  o Determine the appropriate level of capital to absorb extreme losses associated with risks that do not lend themselves to control, and for control failures
• The tools of Op Risk Management:
  o Loss capture for causal analysis (to get preventive measures), capital modelling
  o Assessments (Self, Audit, Regulator) for view on control effectiveness, residual risk
  o Metrics (KRIs) warn of imbalances and serve to attract management attention
  o Scenario analysis dimensions potential frequency and severity, unexpected losses
  o Capital aids the firm’s solvency; capital allocation informs management decisions
What Sank the Titanic?
The good news: disasters bring change… change for the good, despite the costs
• Lifeboats expensive, heavy, ate up deck space - Board of Trade dominated by shipbuilders
• Poor procedures: 2200 passengers, only 1200 could have been saved, only 700 were
• Greater attention to amenities than to safety - engineers did not have critical input vs. $
• For over 5 decades, operators had taken larger and larger risks to save money, to compete
• Safety drills a mere custom, boring, bureaucratic, inconvenient
The Problem with Operational Risk
• Potential losses are practically unbounded
– Exposure is undefined and undimensioned
– Losses are not capped, e.g. by Credit Risk Limits or Market Risk Stop Losses
– Observed loss amounts are not simply related to firm size, although there is some evidence of a deep-pockets premium, e.g. lawsuits and regulatory settlements
– Loss severity distributions are fat-tailed
– The payoff profile is asymmetric
• Risks are not easily controlled in the short term
– Limited ability to ‘trade down’ or ‘close positions’
– Risks often only recognized ‘after the fact’
– Often significant lags between cause and effect
– Management and Measurement of Risk follow diverse paths
• Capital need is driven by the risk of infrequent but extremely large events
The Problem with OpRisk Management
• Ex-Ante vs Ex-Post: Historical, rear-view mirror … years on, we still know too little
• “What” are we Managing
• Who owns the “So-What”
• Tool-kit Elements disparate, outmoded: the dots are still un-join-able
• Same brush applied to High-Severity and High-Frequency risks
• Perceived focus on Measurement over Management; achievement of Neither
• Stakeholders tired of Assessments, Form-filling, Bean-Counting …that go Nowhere
• Regulators seen to focus on form, not substance.
• So Management says stay away from us, just keep the Regulators happy
• All in all, Default approach is therefore Compliance and Audit, not Risk
BEST PRACTICES IN OPERATIONAL RISK
1. PROCESS VIEW !!!
2. ANALYSIS, ANALYSIS
3. JOIN DOTS
4. SCENARIOS, CAPITAL
5. COMMUNICATE
What is Op Risk Management
Inherent Risk - Mitigation (or ‘Hedge’) = Residual Risk <= Risk Appetite
Inherent Risk: Identified & Classified; Informed by Losses, Metrics, Scenarios; primary role of Business Mgt
Mitigation or ‘Hedge’: Controls Designed & Implemented; Assess & Test Design AND Effectiveness; Assessed and Independently Tested; primary role of Op Risk Mgt
Residual Risk: Top-Down, Quantitative & Qualitative; Re-tested against Scenarios, Capital
Risk Appetite: Basel with bespoke Adjustments; Jointly determined – Bus. & Risk; Board, Senior Mgt, Risk
OpRisk Management Essentials
1. An integrated, comprehensive and forward-looking approach to risk
   • Risk and control directly linked to process & outcomes: front, middle, back
   • Clarity on the effort to manage objectives-based vulnerabilities
2. Embedded and entwined into organization, business, and culture
   • Start with overall process framework (process maps, anybody ?!!)
   • Identify Risk/s based on threat/s to meeting business objectives
   • Define required Controls; Configure and Customize controls
   • Compute and optimize resources (time, cost) to implement the controls
   • Complete integration with process, people and technology for resilience
   • Implement essential Assessments, Metrics, Scenarios, Capital charge
3. Speak one language across stakeholders (including Regulators)
   • Vulnerability mapped to Basel risk classification for “same page”
   • Isolate the ‘cost of control’ to set up the too-much-versus-too-little dialogue
   • Systematize the Control debate: existing, duplicate, expensive, useless
Process / Control Analysis
Dimensions: End-to-End Process; Inefficiencies; Weak Points; Fixes; Relevant Data; Who Cares?
• Who does what?
• What assumptions are made but not tested?
• Are controls missing or sloppy?
• Would better MIS help?
• What steps in the process can be simplified, eliminated?
• Can automation help?
• Loss data, KRIs, exception reports, assessment data…
• Where else are these problems seen?
• Where are similar problems prevented?
• Who would like to see this problem fixed?
• Agreement end-to-end on solutions
• Where else could such solutions make a difference?
Integrated Op Risk Analysis
Risk Drivers
• Why did the event / loss occur?
• What could have prevented it?
• What factors influenced the nature? … the size?
Environment
• What controls failed / did not exist at all?
• Covered in assessments of the entity causing the loss?
• Where else could such a control failure occur?
Metrics
• Did available metrics warn of trouble?
• What metrics could best track these risk drivers?
• What set of metrics could best capture the end-to-end risks?
Scenarios and responses
• Could the loss have been much larger or messier?
• Could such losses occur more frequently? …how? … where?
• Does industry experience tell us anything meaningful?
Capital Implications
• Does capital adequately cover stresses?
• How should capital allocations reflect relative risk?
Scenario Analysis
Dimensions: Could it Happen?; Would it Happen?; How big?; Fixes; Capital Impact; Who Cares?
• What controls can prevent an event?
• Do they exist and work well?
• Would existing metrics warn of trouble?
• Would it happen HERE?
• If so, how big could it be HERE?
• Is capital sufficient?
• Control improvements?
• Better metrics?
• What data is available about past frequency and scale?
• What factors drive the size of the impact?
• Do we face a previously unrecognized risk?
• In which businesses, regions?
• Who would be most hurt?
The derivation, treatment, and configuration of controls
Pre Event: Design
  • Process Vulnerability
  • Compensating Control
  • Control Environment
  • People & Technology
Monitoring
  • RSCA plan and checklists
  • Span of control
  • Residual risk indicators
  • Control effectiveness
Post Event: Incident Management
  • Detection
  • Mitigation
  • Escalation
  • Prevention
Process Outcome
Basel Classification
Business Rules
Control Objectives
Compensating Control
Key Risk Metrics
Cost of Control
Control Procedures
Escalation Paths
Supervisory Review
Assessment Checklists
Control Configuration
Sample analytics and reports
[Chart: Risk & Controls Analysis. Categories: Systems Security; Suitability & Fiduciary; Non-Client Counterparties; Systems; Business Practices; Product Flaws; Unauthorized Activity; Theft and Fraud (External); Customer Documentation; Theft and Fraud (Internal); Transaction Execution. Series: Open, Compensating, Considered, Control.]
[Chart: Analysis of Compensating Controls. Open Risk by Activity against Process Cycle time.]
[Chart: Cost-Control Efficiency Frontier. Control Coverage (55% to 65%) against Cost Effectiveness (FTE).]
[Chart: Metrics and Escalation Paths. Categories: Unauthorized activity; Theft & Fraud (Internal); Theft & Fraud (External); Systems security (Hacking etc); Vendors & suppliers outsourcing &…; Transaction capture execution &…; Non-client trade counterparties…; Customer intake & documentation; Customer Client account management; Employee relations; Suitability, disclosure & fiduciary; Product flaws, defects, errors; Improper business or market practices. Series: Finance; FO; IT & infra; Ops & HR; Risk & compliance.]
Capital: Three Fundamental Questions
[Chart: Operational Event Frequency (Annual Events over Threshold) against Loss Size, both axes log-scaled.]
Question 1: What is the expected frequency of events over a loss threshold?
Question 2: How rapidly does loss probability decline with size of loss (inverse slope = tail parameter)?
Question 3: What is the required confidence level for capital: 99.9%
Capital is the extrapolated loss at chosen confidence.

Capital sensitivity by RLOB to Frequency (Using Some Historical Estimates)
[Chart: Hypo OpRisk Capital ($Millions, 99.97%) against Frequency of Large Losses (Number of annual events over $1MM), one line per business line: Corp Fin, Underwriting, … (Severity = 0.90); Sales and Trading (Severity = 0.75); Corp, Comml Banking (Severity = 0.65); Cash & Trade (Severity = 0.55); Overall Banking Business Mix (Severity = 0.78). Point labels on the chart: 3,300; 6,525; 2,900; 150; 175.]
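The three questions above can be carried through in a short script. What follows is an added example, not the deck's own model or Citi's methodology: it assumes a Poisson count of losses over a threshold u, a Pareto-type tail above u with P(X > x) = (x/u)^(-1/xi), and the single-loss approximation P(annual aggregate > x) ≈ lambda · P(X > x) for the far tail, which gives capital = u · (lambda / (1 − confidence))^xi. It goes slightly beyond the slide by estimating the tail parameter with a least-squares fit of the log-log exceedance curve rather than reading the slope by eye. The function names, the constructed loss sample and the years of observation are the example's own; the per-business severity parameters are the values shown on the slide, used only as illustrative inputs.

```python
"""Added example: extrapolating operational-risk capital from the three
questions on the slide (frequency over a threshold, tail parameter from the
log-log slope, confidence level).  Not the deck's own model.  Assumptions:
a Poisson count of losses over threshold u, a Pareto-type tail above u,
P(X > x) = (x/u) ** (-1/xi), and the single-loss approximation
P(annual aggregate > x) ~ lam * P(X > x) for the far tail."""
import math


def fit_frequency_and_tail(losses, years, threshold):
    """Questions 1 and 2 from a loss history.

    Returns (lam, xi): lam is the annual frequency of losses at or over
    `threshold`; xi is the tail parameter, i.e. minus the inverse of the
    least-squares slope of log(annual exceedance frequency) against
    log(loss size / threshold), as the slide describes it."""
    exceed = sorted(x for x in losses if x >= threshold)
    n = len(exceed)
    if n < 2:
        raise ValueError("need at least two losses over the threshold")
    xs, ys = [], []
    for k, x in enumerate(exceed):
        # Number of observed losses at or above this one, per year.
        freq_at_or_above = (n - k) / years
        xs.append(math.log(x / threshold))
        ys.append(math.log(freq_at_or_above))
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx            # negative for a declining tail
    return n / years, -1.0 / slope


def single_loss_capital(threshold, lam, xi, confidence):
    """Question 3: capital is the loss size x whose annual exceedance
    probability equals 1 - confidence.  Solving lam * (x/u)^(-1/xi) = 1 - c
    gives x = u * (lam / (1 - c)) ** xi."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    return threshold * (lam / (1.0 - confidence)) ** xi


# Severity (tail) parameters shown on the slide per business line, used here
# only as illustrative inputs.
SLIDE_SEVERITY = {
    "Corp Fin, Underwriting": 0.90,
    "Sales and Trading": 0.75,
    "Corp, Comml Banking": 0.65,
    "Cash & Trade": 0.55,
    "Overall Banking Business Mix": 0.78,
}


def capital_sensitivity(threshold, frequencies, confidence, severities=SLIDE_SEVERITY):
    """Capital per business line across a range of annual frequencies
    (the 'sensitivity to frequency' view on the slide)."""
    return {name: [single_loss_capital(threshold, lam, xi, confidence) for lam in frequencies]
            for name, xi in severities.items()}


def constructed_loss_sample(threshold, xi, n, years):
    """Constructed sample, not real loss data: n losses over the threshold
    that sit exactly on a Pareto tail with parameter xi, plus two losses
    under the threshold that the fit must ignore.  Returns (losses, years)."""
    over = [threshold * (n / k) ** xi for k in range(1, n + 1)]
    return over + [0.3 * threshold, 0.8 * threshold], years


if __name__ == "__main__":
    u = 1.0                                   # threshold: $1MM, as on the slide's axis
    losses, years = constructed_loss_sample(u, 0.65, 25, 5)
    lam, xi = fit_frequency_and_tail(losses, years, u)
    print(f"lambda = {lam:.2f}/yr over ${u:.0f}MM, xi = {xi:.3f}")
    print(f"capital @99.9% = ${single_loss_capital(u, lam, xi, 0.999):,.0f}MM")
    for name, caps in capital_sensitivity(u, [5, 10, 20], 0.999).items():
        print(f"{name:30s}", " ".join(f"{c:9,.0f}" for c in caps))
```

Two properties of the approximation are worth noticing when reading the sensitivity table: doubling the frequency multiplies capital by 2^xi, not by 2, and the business lines with the heaviest tails (largest severity parameter) are the ones whose capital is most sensitive to both frequency and the chosen confidence level.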
What did we learn from the Crisis
o Organizations try too hard to avoid learning from their own mistakes
o The sustainability tradeoff for financial cos. is not growth vs prudence, but with
o The Monday-Tuesday-Wednesday syndrome is unsustainable
o “Culture” means how we do business, to optimize that tradeoff
o Models don’t kill markets, people do
o The risk-taker is your first line of defense, but all Three Lines matter
o We must evolve a common idea of what a Risk Manager is or does
o ‘Our people are our greatest assets’ needs to be real, insofar as Asset Risks
o Silos are fatal: the way risk manifests is irrelevant, labels are redundant
o Join-the-dots intelligence is the only worthwhile investment in Risk Mgt
o There needs to be sufficient premium on quantity and quality of communication
Risk in the post-crisis era
• Market & Credit Risk are transactional, substitutable, arbitrageable, inseparable
• Op Risk is corporate, top-down, about Infrastructure and Reputation
• But it is also inseparable from other Risk-types, and substitutable
• Operational Risk and Compliance also no longer separable
• Severity and Frequency management are 2 different schools within OpRisk
• A singular measure of Risk (e.g. VaR) is very good, and very bad
• Portfolio strategies must incorporate crisis correlations
• Time is nigh for a solution to the holistic stress-testing conundrum
“History only teaches us that we will be surprised, again and again”
The Value Proposition in OpRisk
Process-focus and optimization, integrated with Business Objectives
Entire Approach oriented towards Risk vis-à-vis Appetite
Join the Dots for Forward-looking view of Severity, Frequency, Onset
Inform about Cost-Benefit-Risk tradeoffs and Pricing
Provide key inputs for Investment decisions & governance
Derive Capital program as a dynamic tool to measure & manage
Provide the basis for clear actions vis-à-vis Business Strategy
Business Process
Remediation priorities across franchise, revenue, capital defense