Operational risk management and measurement
Uploaded by rahmat-mulyana
OPERATIONAL RISK MANAGEMENT
06/09/2013 1
What is Operational Risk?
• The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events (The Basel II Capital Accord)
• FORMERLY any risk but market and credit risks
• It is NOT brand new, and it is the risk that affects all businesses
• Operational risk is inherent in carrying out a process/operational activity.
Classification of Operational Risks
• Operational risk events are classified by two factors:
  • frequency – how often the event occurs
  • impact – the amount of the losses resulting from the event
[Figure: 2×2 matrix with Frequency on the vertical axis and Impact on the horizontal axis; quadrants: High Frequency / Low Impact, High Frequency / High Impact, Low Frequency / Low Impact, Low Frequency / High Impact]
Classification of Operational Risks
• Generally, operational risk management focuses on only two of these event types:
  • Low frequency / high impact (LFHI)
  • High frequency / low impact (HFLI)
• Why?
Classification of Operational Risks
• High frequency/low impact events are managed to improve business efficiency. These events tend to be readily understood and are viewed as ‘the cost of doing business’.
• Examples?
Expected loss versus unexpected loss
• Expected loss is the loss incurred as a bank conducts its normal business.
• Can be simply defined as the cost of doing business
• The only way to totally prevent them is to cease doing business.
Expected loss versus unexpected loss
• A bank uses statistical methods to predict its expected losses.
• In short, the firm uses past data and experience to predict the future.
• A simple method of calculating expected loss is to compute the mean (average) of the actual losses over a given time and accept this as the likely future level.
Expected loss versus unexpected loss
• A firm may also attempt to ‘predict’ its unexpected losses using statistics, much like the way that is used to predict expected losses.
• The problem is that past data may not be available; therefore, to calculate unexpected loss a firm uses:
  • available internal data
  • external data from other firms
  • data from operational risk scenarios
Operational risk event categories
• The simplest way of understanding operational risk in banks is to categorize it as anything but credit risk or market risk.
• However, this is a very broad definition and does not help manage operational risk.
• Generally, operational risk events can be subdivided into:
  • internal process risk
  • people risk
  • systems risk
  • external risk
  • legal risk
Internal Process Risk
• Internal process risk is defined as the risk associated with the failure of a bank’s processes or procedures.
• During a bank’s day-to-day operations, staff follow preset working practices.
• These procedures and policies will include all the checks and controls required to ensure that customers are correctly served and the bank remains within the laws and regulations by which it is governed.
Internal Process Risks
• Internal process risk events include:
  • documentation – inadequate, insufficient or wrong
  • lack of controls
  • marketing errors
  • misselling
  • money laundering
  • incorrect or insufficient reporting (e.g. regulatory)
  • transaction error
• Reviewing and improving a bank’s internal processes as part of operational risk management can improve its efficiency. Errors often occur when a process is complicated, disorganized or easily circumvented, all of which are also inefficient business practices.
Risk Management Process Feedback Loop
1. Identify, assess and prioritize risks
2. Develop strategies to measure risk
3. Design policies and procedures to mitigate risks
4. Implement and assign responsibility
5. Test effectiveness and evaluate results
6. Revise policies and procedures
There are four fundamental steps to managing operational risk, with each step leading to improvements in management & control quality and greater economic profit
FRAMEWORK
• Risk strategy, tolerance
• Roles and responsibilities
• Policies and procedures
• Risk definition and categorization
PROCESSES
• Loss data collection
• Risk indicator data collection
• Control self-assessment
• Risk assessment and analysis
• Workflow
• Automatic notification
• Follow up action
MEASUREMENT
• Estimation of annual losses – cost of operational failure
• Estimation of VaR – risk capital
• Estimation of scores representing quality of internal controls
REPORTING
• Integrated MIS reporting
• Awareness of exposures
• Knowledge of controls quality
• Cost benefit analysis
• Improved risk mitigation and transfer strategy
[Figure: the four steps plotted with Management & Control Quality on the horizontal axis and Economic Profit on the vertical axis]
The universe of operational risks spans causes, events and consequences
CAUSES
• Insufficient training
• Lack of management supervision
• Inadequate segregation of duties
• Inadequate auditing procedures
• Inadequate security measures
• Poor HR policies
• Poor systems design
EVENTS
• Internal Fraud
• External Fraud
• Employment Practices & Workplace Safety
• Clients, Products & Business Practices
• Damage to Physical Assets
• Business Disruption & System Failures
• Execution, Delivery & Process Management
CONSEQUENCES
EFFECTS: Monetary Losses
• Legal Liability
• Regulatory, Compliance & Taxation Penalties
• Loss or Damage to Assets
• Restitution
• Loss of Recourse
• Write-down
OTHER IMPACTS: Forgone Income
• Reputation
• Business Interruption
Internal and external loss data can be used to calculate Value at Risk
[Figure panels: INDIVIDUAL LOSS EVENTS (a sorted list of loss amounts); RISK MATRIX FOR LOSS DATA; LOSS DISTRIBUTIONS (axes: Frequency of events, Severity of loss); VAR CALCULATION; TOTAL LOSS DISTRIBUTION]
RISK MATRIX FOR LOSS DATA
| Business line | Statistic | Internal Fraud | External Fraud | Employment Practices & Workplace Safety | Clients, Products & Business Practices | Damage to Physical Assets | Execution, Delivery & Process Management | Business Disruption and System Failures | Total |
|---|---|---|---|---|---|---|---|---|---|
| Corporate Finance | Number | 36 | 3 | 25 | 36 | 33 | 150 | 2 | 315 |
| | Mean | 35,459 | 52,056 | 3,456 | 56,890 | 56,734 | 1,246 | 89,678 | 44,215 |
| | Standard Deviation | 5,694 | 8,975 | 3,845 | 7,890 | 3,456 | 245 | 23,543 | 6,976 |
| Trading & Sales | Number | 50 | 4 | 35 | 50 | 46 | 210 | 3 | 441 |
| | Mean | 53,189 | 78,084 | 5,184 | 85,335 | 85,101 | 1,869 | 134,517 | 66,322 |
| | Standard Deviation | 8,541 | 13,463 | 5,768 | 11,835 | 5,184 | 368 | 35,315 | 10,464 |
| Retail Banking | Number | 45 | 4 | 32 | 45 | 42 | 189 | 3 | 397 |
| | Mean | 47,870 | 70,276 | 4,666 | 76,802 | 76,591 | 1,682 | 121,065 | 59,690 |
| | Standard Deviation | 7,687 | 12,116 | 5,191 | 10,652 | 4,666 | 331 | 31,783 | 9,417 |
| Commercial Banking | Number | 41 | 3 | 28 | 41 | 37 | 170 | 2 | 357 |
| | Mean | 43,083 | 63,248 | 4,199 | 69,121 | 68,932 | 1,514 | 108,959 | 53,721 |
| | Standard Deviation | 6,918 | 10,905 | 4,672 | 9,586 | 4,199 | 298 | 28,605 | 8,476 |
| Payment & Settlements | Number | 37 | 3 | 26 | 37 | 34 | 153 | 2 | 321 |
| | Mean | 38,774 | 56,923 | 3,779 | 62,209 | 62,039 | 1,363 | 98,063 | 48,349 |
| | Standard Deviation | 6,226 | 9,814 | 4,205 | 8,628 | 3,779 | 268 | 25,744 | 7,628 |
| Agency Services | Number | 44 | 4 | 31 | 44 | 40 | 184 | 2 | 386 |
| | Mean | 46,529 | 68,308 | 4,535 | 74,651 | 74,446 | 1,635 | 117,675 | 58,018 |
| | Standard Deviation | 7,472 | 11,777 | 5,045 | 10,353 | 4,535 | 321 | 30,893 | 9,154 |
| Asset Management | Number | 40 | 3 | 28 | 40 | 36 | 165 | 2 | 347 |
| | Mean | 41,876 | 61,477 | 4,081 | 67,186 | 67,002 | 1,472 | 105,908 | 52,217 |
| | Standard Deviation | 6,725 | 10,599 | 4,541 | 9,318 | 4,081 | 289 | 27,804 | 8,238 |
| Retail Brokerage | Number | 48 | 4 | 33 | 48 | 44 | 198 | 3 | 417 |
| | Mean | 50,252 | 73,773 | 4,898 | 80,623 | 80,402 | 1,766 | 127,090 | 62,660 |
| | Standard Deviation | 8,069 | 12,719 | 5,449 | 11,182 | 4,898 | 347 | 33,365 | 9,886 |
| Insurance | Number | 43 | 4 | 30 | 43 | 39 | 179 | 2 | 375 |
| | Mean | 45,226 | 66,395 | 4,408 | 72,561 | 72,362 | 1,589 | 114,381 | 56,394 |
| | Standard Deviation | 7,262 | 11,447 | 4,904 | 10,063 | 4,408 | 312 | 30,028 | 8,897 |
| Total | Number | 435 | 36 | 302 | 435 | 399 | 1,812 | 24 | 3,806 |
| | Mean | 45,653 | 67,021 | 4,450 | 73,245 | 73,044 | 1,604 | 115,459 | 56,926 |
| | Standard Deviation | 7,331 | 11,555 | 4,950 | 10,158 | 4,450 | 315 | 30,311 | 8,981 |
[Figure: VaR Calculator (e.g., Monte Carlo Simulation Engine) and the resulting total loss distribution; x-axis: Annual Aggregate Loss ($), with the Mean and the 99th Percentile marked]
Composite control assessment/indicator scores can be used to modify capital figures
[Figure: VAR capital against the CONTROL ASSESSMENT/INDICATOR SCORE, showing the adjustment for quality of the current control environment between the previous score and the current score]
Linking capital to changes in the quality of internal controls provides an incentive for desired behavioral change
What does it tell us?
Basel II Approaches on Operational Risk
OPERATIONAL
• Basic Indicator
• Standardized
• Advanced Measurement
CREDIT
• Standardized
• Foundation IRB
• Advanced IRB
The Basic Indicator Approach
• Banks using the Basic Indicator Approach must hold capital for operational risk equal to the average over the previous three years of a fixed percentage (denoted alpha) of positive annual gross income.
• Figures for any year in which annual gross income is negative or zero should be excluded from both the numerator and denominator when calculating the average.
The charge may be expressed as follows:
The Standardized Approach
• In the Standardized Approach, banks’ activities are divided into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage.
• Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations and thus the likely scale of operational risk exposure within each of these business lines.
• The capital charge for each business line is calculated by multiplying gross income by a factor (denoted beta) assigned to that business line.
• Beta serves as a proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line.
• It should be noted that in the Standardized Approach gross income is measured for each business line, not the whole institution, i.e. in corporate finance, the indicator is the gross income generated in the corporate finance business line.
Standardized Approach
Mapping Business Lines
Advanced Measurement Approaches (AMA)
• Under the AMA, the regulatory capital requirement will equal the risk measure generated by the bank’s internal operational risk measurement system using the quantitative and qualitative criteria.
• Use of the AMA is subject to supervisory approval.
• A bank adopting the AMA may, with the approval of its host supervisors and the support of its home supervisor, use an allocation mechanism for the purpose of determining the regulatory capital requirement.
Aggregating Operational VaR with Monte Carlo Simulation
Perform the aggregation with @Risk using the following procedure:
1. Fit distributions to the severity and frequency data to obtain the parameters for the Monte Carlo simulation.
2. The first thing to simulate is the frequency distribution parameters; run 1,000 iterations.
3. Identify the numbers of #event with the Excel function COUNTIF(range,criteria). Ex. COUNTIF(a1:a1000;1)=220. This means that in 1,000 simulations there are 220 occurrences in which fraud happens once.
4. Accumulate the #event counts (except, of course, for 0 events) to determine how many iterations are needed for the second simulation, which is the simulation of the severity distribution. For example, we must obtain 2,370 severity data points to build the (aggregate) operational loss distribution.
5. Perform the aggregation (see the next slide) and sort the results to obtain the worst 1% (the 11th value in the sorted results); that is the VaR.
6. VaR = unexpected loss, while Capital at Risk is VaR – expected loss. How is expected loss calculated?
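The six-step aggregation above, as an added Python example (not part of the original slides, which use @Risk and Excel). The Poisson frequency model, the lognormal severity model, their parameter values, the function names and the choice of the mean simulated total as expected loss are all assumptions made for illustration.

```python
import math
import random

def poisson_draw(rng, lam):
    """One Poisson(lam) event count (Knuth's multiplication method)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_op_var(lam, mu, sigma, iterations=10_000, tail=0.01, seed=2013):
    """Frequency/severity aggregation; returns VaR, expected loss, capital at risk."""
    rng = random.Random(seed)
    # Steps 2-3: one simulated event count per iteration (frequency run).
    counts = [poisson_draw(rng, lam) for _ in range(iterations)]
    # Step 4: severity draws needed = total events; 0-event iterations add none.
    severity_draws = sum(counts)
    # Step 5: sum one severity draw per event to get each iteration's total loss.
    totals = [sum(rng.lognormvariate(mu, sigma) for _ in range(n)) for n in counts]
    ranked = sorted(totals, reverse=True)
    # Worst 1%: the 11th value of 1,000 iterations, the 101st of 10,000.
    var = ranked[round(iterations * tail)]
    # Step 6: expected loss taken as the mean simulated total (assumption).
    expected = sum(totals) / iterations
    return {
        "severity_draws": severity_draws,
        "var": var,
        "expected_loss": expected,
        "capital_at_risk": var - expected,
        "ranked": ranked,
    }

if __name__ == "__main__":
    # Constructed parameters, not fitted to the slides' data; losses in Rp thousand.
    result = simulate_op_var(lam=2.38, mu=2.0, sigma=1.2)
    for key in ("severity_draws", "var", "expected_loss", "capital_at_risk"):
        print(f"{key:>16}: {result[key]:,.0f}")
```
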
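How to prepare frequency distribution for aggregation…
Aggregation: Estimate the Operational VaR
Result of Monte Carlo Simulation for Frequency Distribution
| #event | Iterations (COUNTIF) | Accumulated |
|---|---|---|
| 0 | 926 | 0 |
| 1 | 2204 | 9074 |
| 2 | 2621 | 6870 |
| 3 | 2079 | 4249 |
| 4 | 1237 | 2170 |
| 5 | 589 | 933 |
| 6 | 233 | 344 |
| 7 | 79 | 111 |
| 8 | 24 | 32 |
| 9 | 6 | 8 |
| 10 | 1 | 2 |
| 11 | 1 | 1 |
| 12 | 0 | 0 |
| 13 | 0 | 0 |
| 14 | 0 | 0 |
| 15 | 0 | 0 |
| Total | 10000 | 23794 |
23794 = #iteration for Monte Carlo Simulation of Severity Distribution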
How to operate the aggregation in @Risk and Excel from 10,000 iterations
Aggregation: Estimate the Operational VaR
| #iteration | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | TOTAL | SORTED TOTAL |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 139.403 | 25.355 | 3.028 | 37.287 | 2.413 | 62.683 | 3.077 | 106.145 | 17.996 | 29.145 | 28.931 | 455.462 | 2.794.407 |
| 2 | 5.906 | 15.094 | 60.111 | 6.412 | 5.717 | 2.888 | 6.190 | 4.368 | 13.120 | 12.693 | | 132.498 | 2.302.650 |
| 3 | 41.016 | 34.273 | 17.829 | 10.913 | 121.993 | 31.014 | 3.013 | 4.311 | 2.867 | | | 267.227 | 1.838.147 |
| 4 | 3.010 | 16.466 | 71.539 | 3.668 | 24.766 | 64.436 | 4.789 | 2.848 | 1.036.967 | | | 1.228.489 | 1.589.285 |
| 5 | 5.372 | 16.507 | 12.280 | 229.791 | 396.221 | 3.133 | 3.356 | 2.820 | 14.135 | | | 683.615 | 1.442.909 |
| 6 | 19.552 | 5.364 | 2.544 | 5.840 | 15.704 | 11.879 | 10.091 | 3.044 | 9.696 | | | 83.713 | 1.372.917 |
| 7 | 2.817 | 22.719 | 9.117 | 12.405 | 26.192 | 3.262 | 6.648 | 2.848 | 17.606 | | | 103.614 | 1.371.524 |
| 8 | 4.491 | 29.917 | 4.240 | 4.270 | 11.240 | 41.110 | 2.943 | 8.490 | 5.850 | | | 112.552 | 1.262.464 |
| 9 | 17.105 | 10.360 | 6.097 | 7.844 | 21.148 | 69.398 | 42.012 | 6.649 | 4.104 | | | 184.717 | 1.228.489 |
| 10 | 2.311 | 11.268 | 33.293 | 58.336 | 7.880 | 4.487 | 71.697 | 9.249 | | | | 198.521 | 1.208.609 |
| 11 | 10.619 | 28.960 | 39.238 | 7.351 | 2.273 | 397.857 | 17.500 | 22.171 | | | | 525.969 | 1.194.787 |
| … | | | | | | | | | | | | | |
| 98 | 4.044 | 20.590 | 12.202 | 8.690 | 5.730 | 236.285 | 36.835 | | | | | 324.377 | 455.850 |
| 99 | 40.555 | 32.769 | 52.625 | 107.587 | 2.755 | 4.314 | 3.747 | | | | | 244.353 | 455.462 |
| 100 | 15.605 | 25.863 | 89.315 | 3.224 | 62.638 | 19.859 | 12.503 | | | | | 229.006 | 448.611 |
| 101 | 5.584 | 4.667 | 19.408 | 6.858 | 4.147 | 2.814 | 3.533 | | | | | 47.010 | 447.740 |
| 102 | 21.416 | 8.238 | 5.680 | 8.168 | 13.596 | 3.667 | 15.001 | | | | | 75.766 | 442.711 |
| 103 | 7.437 | 13.141 | 66.185 | 13.844 | 5.912 | 10.419 | 32.618 | | | | | 149.557 | 442.142 |
| 104 | 7.152 | 5.699 | 11.974 | 5.746 | 2.813 | 2.551 | 15.965 | | | | | 51.900 | 441.322 |
| 105 | 6.927 | 5.045 | 10.536 | 4.530 | 26.766 | 2.612 | 5.228 | | | | | 61.644 | 439.977 |
Unexpected Loss Rp 447.740.000
Expected Loss Rp 25.265.000
Capital at Risk Rp 422.475.000
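Capital at Risk (Rp 422.475.000) = Unexpected losses – Expected Losses
Sustaining losses in Operational Risk
[Figure: loss distribution with Size of losses on the horizontal axis and Frequency of losses on the vertical axis; regions labelled Income, Capital and Insurance; the 1% tail is marked, with 25.265 and 447.740 marked on the size axis]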