OPERATIONAL RISKMANAGEMENT

experience in building

a Basle II compliant ORM software ORBIT

Hightening Operations RiskHighly Automated Technology - if not properly controlled has

the potential to transform risks from manual processing errors to system failure risks.

Networked computers ATMs EDCs providing seamless movement of funds

RTGS and cross country fund transfers Web based account operations

Idbi bank

Branch C

Branch ABranch B

Branch X

ATM R

ATM R

ATM R

ATM R

ATM R

ATM R

Shared ATM

EDC at POS

Emergence of e-commerce - risks not fully understood.

E Seller A

Logistics Company E Buyer

Clearing Agency

Bank X

Bank M

Hacker

Mergers, de-mergers and consolidation -test the viability of newly integrated systems.

Bank ABCFinacle

K+ITMS

Bank XYZBank Master

IRISCITI Sol

The Merged BankHow to integrate systems

Migrate DataCreate new controls

Emergence of banks acting as very large-volume service providers - needs maintenance of high-grade internal controls and back-up systems.

Electronic collection of Telecom Bills for a client base of 1 million bill collection every month. 12 million transactions annually

Dividend Payment mandate for Reliance 3.5 million share holders Instant credit of amount promised

Outsourcing arrangements - may present significant other risks.

Call centres: to respond to customer clients Have a chat with your credit card care agency

Clearing Upload and checking by contract agency

Collection of cash/cheques from client’s premises through security agencies

Courier services for delivery of cards/PINs and statements

Developing an Appropriate Risk Management Structure

Board of Directors

Internal Auditors

Senior Mgt

Risk Management Committee

Risk Mgt

Operations Personnel and Risk Takers

The Committee has proposed that the Minimum Regulatory Capital (MRC) be lowered from 20% of minimum regulatory capital of 8% (i.e. 1.8% of the total risk weighted assets) to 12% (ie 1.08% of the total risk weighted assets).

With AMA implementation this can be brought down to 9% (0.72%).

THE KEY DRIVER

Internal CausesPeople

ProcessesSystems

idbi bank has adopted Basel’s definition of

Operational Risk …..

The risk of loss resulting from inadequate or

failed internal processes, people and systems

or from external events.

Definition

External Events

BASLE II has prescribed Three approaches :

• Basic Approach • Standardised Approach• Advanced Management Approach -

AMA

Idbi bank has chosen to go by the AMA

BASIC INDICATOR APPROACH

Banks using Basic Indicator Approach(BIA) have to hold capital for operational Risk equal to a fixed percentage (alpha) of a single indicator (Gross Income)

K = EI * • Where K = Capital charge under BIA• EI = Gross Income = a fixed percentage set by the Basle

committee (LDCEs are conducted for this purpose.)

STANDARDISED APPROACH

• Bank’s activities are divided into 8 Business Lines. • Each Business Line is measured by an Exposure

Indicator which is Gross Income for that Business Line. • Within each Business Line the capital charge is

calculated by multiplying the said Business line Gross Income by a “beta” factor

• The sum of all Business Line Capital charge would be the Capital charge for the Bank.

K = E (EI * )

• K is capital charge• EI is Exposure Indicator – Gross Income is the a fixed percentage for each Business line set by

the Basle Committee.

ADVANCED MEASUREMENT APPROACH (AMA)

• The AMA gives banks incentive to collect internal loss data step by step. Under the AMA banks would be allowed to use the capital charge as per their internal measurement systems subject to Qualitative & Quantitative standards set by the Committee.

• Among the most important of these quantitative standards is that the risk measurement system must be based on internal loss data that can be mapped into the Basle Committee’s specified Business Lines and Loss Event Types.

Organisation Structure

Board of Directors

Risk Management Committee

Operational Risk Group ALCO

HeadRisk Management

Operational Risk Credit Risk Market Risk

Bank has developed a framework called ORBIT (Operational Risk Business Intelligence Tool) for measuring, monitoring and controlling Operational Risk, based on the guidelines set by Basel.

The main features of the framework of Operational Risk developed by IDBI Bank are as under:

KRI data gathering framework

Control Framework

Incident Reporting Structure (IRS) data gathering framework

VaR Engine

Query and reporting

Scenario analysis

Framework

• Key Risk Indicators (KRI’s) are identified product wise.

•Each KRI is linked to a product and each product to a Business line.

•Business lines are defined as per Basel guidelines.

•For any new product introduced by the Bank , KRIs are identified and gathered.

KRI - Data Gathering Framework

KRI - Data Gathering Framework

• (KRI’s) framework pinpoints information from Core banking software for use in ORBIT

• Most of the KRIs are gathered using an automated data upload process by which specific KRI are sourced from various applications of the Bank viz. Finacle, Net Bkg, Phone bkg, ATM etc.. Additionally, there are some KRIs which are sourced by means of manual feeds from branches / various functions.

• KRI’s are gathered every month and stored in the KRI data base from which Analysis of Ops data is done

kri

comprises of :

•Branch operations performance rating

•Trigger reports module

Control Framework

•KRIs are rated on a five grade scale:

Excellent / Good / Satisfactory / Fair / Poor

•Ratings are done by attributing weights to certain critical KRIs.

•Rating parameters are classified into five categories & Weight assigned to each category .

People management

Business management

Security management

Customer management

Compliance with internal policy

•Operational quality of a branch is rated on a 5 grade scale:

Well managed / Low risk / Medium risk / High Risk / very High Risk.

•Model

Control Framework - Branch Performance Rating

This module consists of reports, which as the name suggests, are triggered whenever certain events occur viz.

•Brisk Triggers. A trigger report is generated for branches which have scored poor in any of the parameters used in Ops rating model for branch heads to take corrective action.

•Report also goes to controlling authority concerned for monitoring corrective action effectively.

Control Framework - Trigger Reports

• An operational loss event is defined as one where the Bank suffers either an actual loss or a potential loss.

• Under the Advanced Measurement Approach, historical loss data forms the basis of VaR. The loss data is captured using an incident report framework. IRS is a loss incident gathering framework.

• An incident report is filed on the occurrence of an operational loss event.

• Loss event is categorised by Loss event category and Business line.

Event

IRS Structure

• VaR Model facilitates computation of Economic Capital for Operational Risk.

• Idbi bank has classified its business lines. Loss event category and loss effect category as per the guidelines of BASEL.

• Under this approach idbi bank estimates the likely distribution of operational loss over one year horizon, for each business line and loss event type, at a confidence level of 99.9%.

VaR Engine

VaR Engine MethodologyMethodology for VaR Computation-

• Data collection – capturing of Loss Data.

• Curve Fitting – applying Statistical formulas on Loss Data.

• Simulation – applying Monte Carlo Simulation

• VaR Estimation – reading the final value using a 99.9% Confidence Level.

Perform the same iterations for each Business Line, Event type combination

VaR Estimate for the Bank is the sum of all VaR estimates for all the Business Lines of the Bank.

Reports

Query & Reporting

This module generates queries/reports branch-wise, region wise and product wise.

Scenario Analysis

• What if analysis – adds flexibility to the system to stimulate the impact of external loss/fraud event or any extreme values.

Challenges for Indian banks

Data availability & integrity Data warehousing / mining Building up processes Strengthening skills Model validation – requires greater collaboration

with regulator Cost - investment in risk analytics and risk

technology – getting management buy-in Stress testing, scenario analysis – building

capabilities

Thank you!