Thesis


Mastère Spécialisé en Management des Systèmes d'Information & Technologies

Specialised Master in Management Information and Technology

MSIT 2003
Professional Thesis

BNP Paribas Corporate and Investment Banking
Information Technologies and Operations

HEC - Hautes Etudes Commerciales
Ecole des Mines de Paris

Chi-Pheng Chung

Information System Environment for the Operational Risk Management


Information System Environment for the Operational Risk Management

EXECUTIVE SUMMARY
    SUBJECT
    STRUCTURE
    SUMMARY

1. BASEL CAPITAL ACCORD PRESENTATION
    HISTORY OF THE BASEL CAPITAL STANDARDS
    WHY UPGRADING?
    OBJECTIVES OF THE NEW ACCORD
    STRUCTURE

2. BASEL 2 PRACTICAL ISSUES

3. OPERATIONAL RISK MEASUREMENT METHODOLOGIES
    DEFINITION OF OPERATIONAL RISK
    THE MEASUREMENT METHODOLOGIES
        1. THE BASIC INDICATOR APPROACH
        2. THE STANDARDISED APPROACH
            THE ALTERNATIVE STANDARDISED APPROACH
        3. ADVANCED MEASUREMENT APPROACH (AMA)
            (I) QUALITATIVE STANDARDS
            (II) QUANTITATIVE STANDARDS
                AMA soundness standard
                Detailed criteria
                Internal data
                External data
                Scenario analysis
                Business environment and internal control factors
            (III) RISK MITIGATION
            (IV) SUMMARY
                Key Characteristics
                Implementation
                Challenges
                Benefits
                Conclusion

4. CASE STUDY: OPERATIONAL RISK AT BNP PARIBAS-CIB CORE BUSINESS
    BNP PARIBAS IN BRIEF
    THE SITUATION


        PART 1
            GUIDELINES
        PART 2
        PART 3 (EXTRA)
    ANSWERS
        PART 1
            OPERATIONAL RISK CONSTRAINTS
            OPERATIONAL RISK PROCESS
            AMA METHOD
            STAKES
        PART 2
            BENCHMARK SUMMARY
            WHAT SORT OF REPORTING DATA BASE TO DEPLOY?
                Database
                Key information
                Future Optimisation / Enhancement
                Technical Difficulties
            OPERATIONAL RISK GLOBAL POLICY
            HOW TO BRING EVERYONE TO FOLLOW THE POLICY?
            HOW TO CONVINCE?
        PART 3 (EXTRA)

CONCLUSION

REFERENCES

ANNEX


EXECUTIVE SUMMARY

SUBJECT

This case study is about the Operational Risk historical incident loss data at the BNP Paribas Corporate and Investment Banking-CIB core business.

STRUCTURE

This paper first presents an overall summary of the Basel 2 accord, from a regulatory point of view and then from the industry's. Secondly, Operational Risk is treated the same way: the regulatory aspect, then the industry one. Thirdly, the focus is on the capital calculation methods, particularly the Advanced Measurement Approach, which includes the historical incident loss data base. Finally, the case study starts and revolves around this very data base and the way BNP Paribas Corporate and Investment Banking-CIB core business manages it.

SUMMARY

The entire debate here is about capital. Banks want to keep this reserve of inactive money as low as possible. Meanwhile, regulators want to make sure that unexpected losses won’t bring banks to their knees and, in turn, the whole economy.

The Basel 1988 Accord is not a strategic or competitive risk management advantage; it is a regulatory measure impacting all the major banks world-wide. It is intended to set sufficient capital aside to cover unexpected losses that may arise from credit or market activities.

Eventually, it will be replaced by the Basel 2 Accord, also known as the McDonough ratio. Its purpose is the same as its predecessor's. However, the performance of credit risk models was so high that it enabled banks to lower their capital. In order to sustain a significant level of capital, regulators introduced a new type of risk, the Operational Risk.


Introduction

A bank is no different from any other company, in the sense that in the event of a bankruptcy, it should be able to pay back government taxes, suppliers, customers, employees and any other third parties involved. Investments in physical assets such as properties are often used to ensure that in such cases, these can be sold in order to honour debts. However, before reaching such a dramatic stage, a reserve of cash, also called capital, is used as a buffer. So, in the case of a severe computer attack disrupting all banking operations, this capital is immediately at hand to rebuild whatever was damaged and therefore restart the activities and allow the bank to continue living, which in turn implies work for employees, stability in the economy to a certain extent and so on.

Indeed, what are the odds of a successful severe computer attack? How much is at stake? In a word, what are the risks? Notice also that this particular case is in no way related to core business activities. Therefore, bad investments, for instance, would not come under this category of risk, the Operational Risk. In more general terms, it is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

However, the capital allocated to risks was first normalised across the banking industry with the 1988 Basel Accord. The way to calculate the risk over capital ratio, the Cooke ratio, mainly takes into account the credit and the market risk capitalisation.

Nowadays, in the light of an energy trading company's financial scandal and the terrorist attacks on a major market place, coupled with the reduction in risk capitalisation through elaborate risk models, the process of updating this accord to Basel 2 is speeding up. The new McDonough ratio, which is eventually to replace the Cooke ratio, adds operational risk and allows different calculation methods for different risks. As has been the case for market risk since 1996, credit and operational risk can be evaluated with a basic indicator, a standardised or an advanced approach on the different business lines of the bank. Also, this new accord is based on 3 pillars: the Minimum Capital Requirement, the Supervisory Review Process and the Market Discipline.


In this report we will first explain what sort of banking groups are affected by the New Basel Accord and what the views of the industry are. Secondly, we will focus on the operational risk aspect, once again first regulatory-wise and then industry-wise. The third part will describe the calculation methods and will focus on the Advanced Measurement Approach. Finally, we will see an example of the historical incident data base in a major European bank and the information that can be extracted from this base.


1. BASEL CAPITAL ACCORD PRESENTATION

HISTORY OF THE BASEL CAPITAL STANDARDS

The driving force for the 1988 Basel Capital Accord was the concern of the Governors of the G10 Central Banks that the capital of the world’s major banks had become dangerously low after persistent erosion through competition and the Latin American debt crisis. The 1988 Accord established minimum levels of capital that helped to strengthen the soundness and stability of the international banking system and enhanced competitive equality among internationally active banks.

The merits of the Accord were widely recognised and during the 1990s it became an accepted world standard, with well over 100 countries applying the Basel framework to their banking system. As a result, the two objectives of adequate capital levels and the creation of a “more level playing field” were achieved.

WHY UPGRADING?

Since the implementation of the 1988 Accord and later amendments, capital ratios of nearly all internationally active banks have increased substantially, thus reinforcing the solidity of the international banking system. The widespread adoption in many countries fostered competitive equality.

However, the financial world has evolved significantly during the past ten years, to the point where a bank’s capital ratio, calculated using the current Accord, may not always be a good indicator of its financial condition. The current risk weighting of assets results, at best, in a crude measure of economic risk, primarily because degrees of credit risk exposure are not sufficiently calibrated to differentiate adequately between borrowers’ differing default risks. For example, a loan to a corporate borrower rated AAA would attract the same regulatory capital of 8% as a loan to a borrower rated BB, regardless of the obviously very different default risk indicated by the rating. Top quality loans require relatively high capital underpinning. Therefore, from a return-on-capital point of view, it has become less lucrative to hold such low risk assets. It is because of this and other business technical reasons that there was a need for an upgrade to the New Basel Capital Accord.


The new accord will be applied to internationally active banks. “Banks” means the whole banking group: it includes entities at various levels, such as the parent or holding company, and also subsidiaries with significant participation.

OBJECTIVES OF THE NEW ACCORD

Continue to promote safety and soundness in the financial system. The new framework should at least maintain the current overall level of capital in the system.

Continue to enhance competitive equality.

To constitute a more comprehensive approach to addressing risks.

To contain capital approaches that are appropriately sensitive to the degree of risk involved in a bank’s positions and activities.

To focus on internationally active banks, although its underlying principles should be suitable for application to banks of varying levels of complexity and sophistication.


STRUCTURE


THREE BASIC PILLARS

1) Minimum Capital Requirements

    How capital adequacy is measured:
        Total capital / (Credit risk + Market risk + Operational risk) = Capital ratio

    Approaches to measure Credit risk
        - Standardised Approach (a modified version of the existing approach, considering external ratings)
        - Internal Rating Based Approach
            - Foundation Approach
            - Advanced Approach

    Approaches to measure Market risk (unchanged 1996 amendment)
        - Standardised Approach
        - Internal Models Approach

    Approaches to measure Operational risk
        - Basic Indicator Approach
        - Standardised Approach
        - Advanced Measurement Approach

2) Supervisory Review Process

    Supervisors are responsible for evaluating banks’ internal processes which are:
        - Board and Senior Management oversight
        - Sound capital assessment (current/future strategic capital planning)
        - Comprehensive assessment of risks
        - Monitoring and reporting
        - Internal control review

3) Market Discipline (Disclosure Rules)

    Disclosure requirements and recommendations
        - Structure of capital
        - Risk exposures and assessment
            - Credit risk, market risk, operational risk
            - Explanation of grading systems
            - Details on industry sectors, counterpart types, maturity distribution, amount of impaired loans, allowance for credit losses, provisions
            - Organisation of credit risk management function and definitions
            - Break down of portfolio by ratings (internal or external) for each segment
            - Probability of default estimates for each rating category
            - Ex-post performance as an indication of quality and reliability of system
            - Credit risk mitigation techniques, treatment of collateral


2. BASEL 2 PRACTICAL ISSUES

A change in international rules on bank capital is inevitable. Most banks, at least in Europe, seem resigned to this, even though for some it will mean big increases in capital requirements. However, Basel 2 will not take effect before January 2007.

In France, 82% of the banks see Basel 2 as a regulatory constraint, versus 73% for the rest of Europe. Meanwhile, they do not exclude the fact that it is an opportunity to implement better risk management.

This point of view is also shared by 87% of banks from ten countries in Europe. Also, 57% of them are expecting a change in their competitive position, and half of those anticipate modifying their product portfolio.

The average impact seems acceptable: a decrease in charges for many classes of credit risk, offset by a totally new charge for operational risk. That leaves the overall minimum regulatory capital in the banking system about the same as now. In addition, national regulators will be expected to add more charges to keep their banks well above the minimum.

But the devil is in the detail. Hardly any bank represents the average. Many banks specialising in areas such as Securities Custody and Asset Management will be heavily impacted. On the other hand, banks that focus on retail and small business lending may see their capital charges fall by 20%.

However, it is agreed by the industry that Basel 2, compared to the previous accord, is taking banks’ regulatory capital closer to “economic capital”, the theoretically ideal cushion against unexpected losses.

Criticism is rising, though. Some fear that the process is too difficult to put in place and too expensive to make economic sense for any but the biggest banks, while others claim that it does not go far enough and does not allow evolving techniques to get closer to the economic capital.

There is another ambiguous point: the discretion left to national regulators. The Basel Committee is spending as much time co-ordinating its own supervisors as it is with banks.


A first example is between America and Europe. There would be only ten American banks concerned by Basel 2, with an extra ten adopting the regime on a voluntary basis, while the rest would still follow the simpler previous accord, with a few local enhancements. Across the Atlantic, the European Union is committed to writing Basel 2 into EU law and therefore to applying it to all banks or investment firms regardless of size and scope.

Another example of inconsistencies is within Europe. The discretion of the national regulator may give plenty of scope to favour their national champions. Within the Euro area, they might even try to use their powers as an instrument of macro-economic policy. Deprived of the means to modify interest or exchange rates, these supervisors may be tempted to exercise selective flexibility.

The third consultative document issued by the Basel Committee has not yet produced a definite accord. Lobbying from banks is still trying to bias the final version in their favour. The Committee includes thirteen different countries, among them France, Germany, Japan, Switzerland, the United Kingdom and the United States, and standing on common ground will not be an easy task.


3. OPERATIONAL RISK MEASUREMENT METHODOLOGIES

DEFINITION OF OPERATIONAL RISK

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

THE MEASUREMENT METHODOLOGIES

There are three methods for calculating operational risk capital charges. Their level of sophistication is related to their risk sensitivity:

1. Basic Indicator Approach;
2. Standardised Approach;
       Alternative Standardised Approach
3. Advanced Measurement Approach (AMA).

Banks are encouraged to use the appropriate approach as they develop more sophisticated operational risk measurement systems and practices.

A bank will be permitted to use the Basic Indicator or Standardised Approach for some parts of its operations and the Advanced Measurement Approach for others provided certain minimum criteria are met.

However, a bank will not be allowed to choose to revert to a simpler approach once it has been approved for a more advanced approach without supervisory approval. In addition, if a supervisor determines that a bank, using a more advanced approach, no longer meets the qualifying criteria for this approach, it may require the bank to revert to a simpler approach for some or all of its operations, until it meets the conditions specified by the supervisor for returning to a more advanced approach.


1. THE BASIC INDICATOR APPROACH

Banks using the Basic Indicator Approach must hold capital for operational risk equal to a fixed percentage (denoted alpha) of average annual gross income over the previous three years. The charge may be expressed as follows:

KBIA = GI x α

Where:

KBIA = the capital charge under the Basic Indicator Approach

GI = average annual gross income over the previous three years

α = 15%, which is set by the Committee, relating the industry wide level of required capital to the industry wide level of the indicator.

Gross income is defined as net interest income plus net non-interest income. It is intended that this measure:

(i) Should be gross of any provisions (e.g. for unpaid interest);

(ii) Exclude realised profits/losses from the sale of securities in the banking book;

(iii) Exclude extraordinary or irregular items as well as income derived from insurance.

As a point of entry for capital calculation, there are no specific criteria for the use of the Basic Indicator Approach. Nevertheless, banks using this approach are encouraged to comply with the Committee’s guidance on Sound Practices for the Management and Supervision of Operational Risk, February 2003.


2. THE STANDARDISED APPROACH

In the Standardised Approach, banks' activities are divided into eight business lines, each of which is assigned a business line beta (β) factor:

1- Corporate Finance: 18%

2- Trading and Sales: 18%

3- Retail Banking: 12%

4- Commercial Banking: 15%

5- Payment and Settlement: 18%

6- Agency Services: 15%

7- Asset Management: 12%

8- Retail Brokerage: 12%

Within each business line, gross income is a broad indicator that serves as a proxy for the scale of business operations and thus the likely scale of operational risk exposure within each of these business lines. The capital charge for each business line is calculated by multiplying gross income by a beta factor assigned to that business line.

Beta serves as a proxy for the industry-wide relationship between the operational risk loss experience for a given business line and the aggregate level of gross income for that business line. It should be noted that in the Standardised Approach gross income is measured for each business line, not the whole institution, i.e. in Corporate Finance, the indicator is the gross income generated in the Corporate Finance business line.

The total capital charge is calculated as the simple sum of the regulatory capital charges across each one of the business lines. The total capital charge may be expressed as:

KTSA = Σ (GI1-8 x β1-8)

Where:

KTSA = the capital charge under the Standardised Approach

GI1-8 = the average annual level of gross income over the past three years, as defined above in the Basic Indicator Approach, for each of the eight business lines

β1-8 = a fixed percentage, set by the Committee, relating the level of required capital to the level of the gross income for each of the eight business lines.


The Alternative Standardised Approach

The creation of an alternative standardised approach (ASA) is intended for banks that cannot make a complete distinction between their business lines, as requested in the standard approach.

It is at the discretion of the national authority to allow a bank to use the ASA, provided the bank is able to satisfy its supervisor that this alternative approach provides an improved basis by, for example, avoiding double counting of risks.

Under the ASA, the operational risk capital charge/methodology is the same as for the Standardised Approach except for two business lines - Retail Banking and Commercial Banking. For these business lines, loans and advances - multiplied by a fixed factor “m” - replace gross income as the exposure indicator. The betas for Retail and Commercial Banking are unchanged from the Standardised Approach. The ASA operational risk capital charge for Retail Banking (with the same basic formula for Commercial Banking) can be expressed as:

KRB = βRB x m x LARB

Where:

KRB is the capital charge for the Retail Banking business line

βRB is the beta for the Retail Banking business line

LARB is total outstanding retail loans and advances (non-risk weighted and gross of provisions), averaged over the past three years

m is 0.035

For the purposes of the ASA, total loans and advances in the Retail Banking business line consist of the total drawn amounts in the following credit portfolios: Retail, SMEs treated as Retail, and Purchased Retail Receivables. For Commercial Banking, total loans and advances consist of the drawn amounts in the following credit portfolios: Corporate, Sovereign, Bank, Specialised Lending, SMEs treated as Corporate and Purchased Corporate Receivables. The book value of securities held in the banking book should also be included.


Under the ASA, banks may aggregate Retail and Commercial Banking (if they wish to) using a beta of 15%. Similarly, those banks that are unable to disaggregate their gross income into the other six business lines can aggregate the total gross income for these six business lines using a beta of 18%. As under the Standardised Approach, the total capital charge for the ASA is calculated as the simple sum of the regulatory capital charges across each of the eight business lines.
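
The Basic Indicator, Standardised and Alternative Standardised calculations described above can be run side by side on one set of figures. The following Python code is an added example, not part of the original thesis; the function names are illustrative and the gross income and loan figures are constructed (EUR millions, three years per series).

```python
ALPHA = 0.15   # Basic Indicator Approach percentage (alpha)
M = 0.035      # ASA factor "m" applied to loans and advances

# Beta factors per business line, as listed under the Standardised Approach.
BETAS = {
    "Corporate Finance": 0.18, "Trading and Sales": 0.18,
    "Retail Banking": 0.12, "Commercial Banking": 0.15,
    "Payment and Settlement": 0.18, "Agency Services": 0.15,
    "Asset Management": 0.12, "Retail Brokerage": 0.12,
}
LOAN_LINES = ("Retail Banking", "Commercial Banking")
OTHER_LINES = tuple(line for line in BETAS if line not in LOAN_LINES)


def three_year_average(values):
    """Every indicator in the text is an average over three annual figures."""
    if len(values) != 3:
        raise ValueError("expected three annual figures, got %d" % len(values))
    return sum(values) / 3


def _require(data, lines, label):
    missing = [line for line in lines if line not in data]
    if missing:
        raise ValueError("%s missing for: %s" % (label, ", ".join(missing)))


def bank_wide(gi_by_line):
    """Bank-wide gross income per year (assumption: the lines cover the whole bank)."""
    return [sum(year) for year in zip(*gi_by_line.values())]


def k_bia(bank_gross_income):
    """KBIA = GI x alpha."""
    return three_year_average(bank_gross_income) * ALPHA


def k_tsa(gi_by_line):
    """KTSA = simple sum over the eight lines of GI_line x beta_line."""
    _require(gi_by_line, BETAS, "gross income")
    return sum(three_year_average(gi_by_line[l]) * BETAS[l] for l in BETAS)


def k_asa(gi_by_line, loans_by_line, merge_loan_lines=False, merge_other_lines=False):
    """ASA: Retail and Commercial Banking use beta x m x loans and advances.

    merge_loan_lines:  Retail + Commercial aggregated with a beta of 15%.
    merge_other_lines: the other six lines aggregated with a beta of 18%.
    """
    _require(gi_by_line, OTHER_LINES, "gross income")
    _require(loans_by_line, LOAN_LINES, "loans and advances")
    la = {l: three_year_average(loans_by_line[l]) for l in LOAN_LINES}
    gi = {l: three_year_average(gi_by_line[l]) for l in OTHER_LINES}
    if merge_loan_lines:
        loan_charge = 0.15 * M * sum(la.values())
    else:
        loan_charge = sum(BETAS[l] * M * la[l] for l in LOAN_LINES)
    if merge_other_lines:
        other_charge = 0.18 * sum(gi.values())
    else:
        other_charge = sum(BETAS[l] * gi[l] for l in OTHER_LINES)
    return loan_charge + other_charge


# Constructed sample figures, EUR millions, one value per year.
SAMPLE_GI = {
    "Corporate Finance": [400, 500, 600],
    "Trading and Sales": [900, 1000, 1100],
    "Retail Banking": [1900, 2000, 2100],
    "Commercial Banking": [700, 800, 900],
    "Payment and Settlement": [250, 300, 350],
    "Agency Services": [150, 200, 250],
    "Asset Management": [350, 400, 450],
    "Retail Brokerage": [80, 100, 120],
}
SAMPLE_LOANS = {
    "Retail Banking": [38000, 40000, 42000],
    "Commercial Banking": [28000, 30000, 32000],
}


def compare(gi_by_line=SAMPLE_GI, loans_by_line=SAMPLE_LOANS):
    """Capital charge under each approach for the same bank."""
    return {
        "BIA": k_bia(bank_wide(gi_by_line)),
        "TSA": k_tsa(gi_by_line),
        "ASA": k_asa(gi_by_line, loans_by_line),
        "ASA, loan lines merged": k_asa(gi_by_line, loans_by_line, merge_loan_lines=True),
        "ASA, other lines merged": k_asa(gi_by_line, loans_by_line, merge_other_lines=True),
    }


if __name__ == "__main__":
    for approach, charge in compare().items():
        print("%-24s %8.1f" % (approach, charge))
```

On these constructed figures the charge falls from the Basic Indicator to the Standardised to the Alternative Standardised Approach, and either aggregation option raises the ASA charge because the merged beta is at least as high as every beta it replaces.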


3. ADVANCED MEASUREMENT APPROACH (AMA)

(i) Qualitative standards

A bank must meet the following qualitative standards before it is permitted to use an AMA for operational risk capital:

a) Independent Operational Risk Management Function responsible for the design and implementation of the bank’s Operational Risk Management framework.

b) The bank’s internal operational risk measurement system must be closely integrated into the day-to-day risk management processes. For instance, this information must play a prominent role in risk reporting, management reporting, internal capital allocation, and risk analysis. The bank must have techniques for allocating operational risk capital to major business lines and for creating incentives to improve the management of Operational Risk throughout the firm.

c) There must be regular reporting of operational risk exposures and loss experience to business unit management, Senior Management, and to the Board Of Directors.

d) The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system.

e) Auditors must perform regular reviews of the operational risk management processes and measurement systems and of the independent operational risk management function.

f) The validation of the operational risk measurement system by external auditors and/or supervisory authorities must include the following:

    Verifying that the internal validation processes are operating in a satisfactory manner.

    Making sure that auditors and supervisory authorities are in a position to have easy access


(ii) Quantitative standards

AMA soundness standard

The Committee is not specifying the approach used to generate the operational risk measure, but a bank must be able to demonstrate that its approach captures potentially severe tail loss events.

Banks must have and maintain rigorous procedures for operational risk model development and independent model validation. The Committee will review progress in regard to operational risk approaches by the end of 2006.

Detailed criteria

This section describes quantitative standards that will apply to internally-generated operational risk measures:

1) Supervisors will require the sum of expected loss (EL) and unexpected loss (UL). That is, to base the minimum regulatory capital requirement on UL alone, the bank must be able to demonstrate to the satisfaction of its national supervisor that it has measured and accounted for its EL exposure.

2) Measurement system must be sufficiently granular to capture the major drivers of operational risk affecting the shape of the tail of the loss estimates.

3) Risk measures for different operational risk estimates must be added for purposes of calculating the regulatory minimum capital requirement. However, the bank may be permitted to use internally determined correlations in operational risk losses. The bank must validate its correlation assumptions.

4) Measurement system key features: These elements must include the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems. A bank needs to have a credible, transparent, well-documented and verifiable process.


Internal data

Internal loss event data is tracked to serve as the foundation of empirical risk estimates, as a means of validating the inputs and outputs of the bank's risk measurement system, or as the link between loss experience and risk management and control decisions.

Banks must have documented procedures for assessing the on-going relevance of historical loss data.

Risk measures must be based on a minimum five-year observation period. However, when a bank first implements the AMA, a three-year historical data window is acceptable.

To qualify for regulatory capital purposes, a bank's internal loss collection processes must meet the following standards:

To assist in supervisory validation

Capture all material activities and exposures from all appropriate sub-systems and geographic locations.

A bank should collect information about gross loss amounts, the date of the event, any recoveries of gross loss amounts, as well as some descriptive information about the drivers or causes of the loss event.

A bank must develop specific criteria for assigning loss data arising from an event in a centralised function. Operational risk losses that are related to credit risk and have historically been included in banks' credit risk databases (e.g. collateral management failures) will continue to be treated as credit risk for the purposes of calculating minimum regulatory capital under the New Accord. Therefore, such losses will not be subject to the operational risk capital charge. Nevertheless, for the purposes of their internal operational risk databases, banks must record all operational risk losses consistent with the scope of the definition of operational risk. Any losses related to credit risk must then also be separately identified (e.g. flagged) as such within their internal operational risk databases.


External data

Measurement system must use relevant external data.

Scenario analysis

A bank must use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high severity events. Over time, such assessments need to be validated and re-assessed through comparison to actual loss experience to ensure their reasonableness.

Direct losses from events or accidents are measured by statistical means. However, indirect losses, such as revenues lost because of the reputational damage that follows the exposure of an employee's fraud, cannot be measured in the same way. There are no objective data on these indirect losses. In this case, it is necessary to use Scenario Analysis based on assumptions about how often these indirect losses occur and how severe they are.

In addition, some events or accidents do not always follow the bank's own loss history. When the loss experience of peer banks shows that they could occur, these potential losses can be measured by Scenario Analysis.

Business environment and internal control factors

In addition to using loss data, a bank's risk assessment methodology must capture key business environment and internal control factors. The use of these factors must meet the following standards:

The factors should be translatable into quantitative measures that lend themselves to verification.

The various factors need to be well reasoned.

The framework and each instance of its application must be documented and subject to independent review within the bank and by supervisors.

Over time, the process needs to be validated through comparison to actual internal loss experience and relevant external data, and appropriate adjustments made.


(iii) Risk mitigation

The recognition of insurance mitigation will be limited to 20% of the total operational risk capital charge.

A bank’s ability to take advantage of such risk mitigation will depend on compliance with the following criteria:

The insurance provider has a minimum claims paying ability rating of A.

The insurance policy must have an initial term of no less than one year.

The insurance policy has a minimum notice period for cancellation and non-renewal of the contract.

The insurance policy has no exclusions or limitations based upon regulatory action or for the receiver or liquidator of a failed bank.

The insurance coverage has been explicitly mapped to the actual operational risk loss exposure of the institution.

The insurance is provided by a third party entity.

The framework for recognising insurance is well reasoned and documented.

The bank discloses the reduction of the operational risk capital charge due to insurance.

A bank’s methodology for recognising insurance under the AMA also needs to capture the following elements through discounts in the amount of insurance recognition:

The residual term of a policy, when less than one year, as noted above.

A policy’s cancellation and non-renewal terms.

The uncertainty of payment as well as mismatches in coverage of insurance policies.


(iv) Summary

Key Characteristics

This approach is the method of capital calculation that has the most potential to come closest to economic capital.

Risk Sensitive

Low risk activities require less capital for operational risk.

Capital reflects operational risks for size and scope of bank’s activities:

Banks with low risk business or less activity need less capital for operational risk.

Banks with better controlled environments require less capital for operational risk.

Banks with well developed risk mitigation hold less capital for operational risk.

Flexible:

Own methodologies reflective of their business.

Use a combination of internal/external data, and scenario analysis to determine capital.

Capital allocation can be integrated into scorecards, risk indicators, warning systems and audit scores used to measure and monitor operational risk.

Rewards investment in better control environments:

Actions that reduce losses also reduce capital.

Actions that reduce the likelihood or severity of extreme events can reduce capital.

Actions that mitigate risk can reduce capital.

Results in Appropriate Capital:

AMA is not a capital tax.

Capital allocation changes with risk profile of organization.

Capital allocation changes as industry improves the measuring, monitoring, and mitigation of operational risk.


Implementation

An internal statistical model is the basis for calculating Operational Risk exposure and the capital charge.

Four Components of an AMA

Operational Loss Data (Internal/ External).

Scenarios.

Risk Self Assessments.

Key Risk Indicators.

Challenges

Greater complexity / resource commitment than exposure indicator approaches

Numerous modeling issues / decisions need to be made by bank:

Incorporation of external data.

Appropriate distributional assumptions.

Incorporation of risk mitigation.

Scenario Analysis.

Qualitative assessments require improved rigor.

Identification of risk indicators that highly correlate with operational losses.

Combine quantitative techniques and qualitative factors into a comprehensive methodology.

Benefits

Banks investing in AMA methodology are already seeing benefits:

Reduce both expected losses and volatility of earnings.

Measuring losses allows identification of causal factors for operating losses.

Provides framework for addressing extreme outcomes.

Allows comparison of investment in controls, investment in technology, investment in insurance, or self insuring with capital.


Reduces distortions in decision making and performance evaluation from omitting capital for operational risk.

Conclusion

Exposure indicator approaches are relatively easy to implement but lack risk focus and a proper incentive structure.

AMA requires additional effort but reinforces banks’ existing risk management objectives and practices, and results in a more accurate allocation of capital:

Risk-sensitive.

Flexible.

Rewards investment in controls / reducing op risk.

Well integrated with banks’ existing risk management processes.

Not a capital tax.


4. CASE STUDY: OPERATIONAL RISK AT BNP PARIBAS-CIB CORE BUSINESS

BNP Paribas in brief

The situation

Answers

BNP PARIBAS IN BRIEF (AS OF THE 31ST DECEMBER 2002)

The most profitable bank in the Euro zone, in terms of net income

A net banking income of Euro 16,8 billion, down 3,8%, and an operating result down 10,4% in comparison to 2001.

A return on equity of 13,5% and income ratio of 65,2%

BNP Paribas posted net income of Euro 2,83 billion in 2002

With a presence in 87 countries, BNP Paribas has a staff of 87 700 employees, including 66 000 in Europe

BNP Paribas top core businesses, with their respective share of the total net banking income, are as follows:

Corporate Investment and Banking: 30%

BNP Paribas is one of the largest corporate and investment banks of European origin and has a strong presence in Paris and London. The Group is ranked number one in several market segments in Europe and Asia and also has a very strong franchise in the United States. The depth and breadth of its international network allows the Group to satisfy the needs of multinationals, financial institutions, governments and investors throughout the world.

Net Banking Income : Euro 5.146 Billion

Employees : 12.300


Private Banking and Asset Management: 13%

Present world-wide, it is a core business under rapid expansion. It groups together five core businesses that collect, manage and grow clients' assets and wealth, combining them with services. The Private Banking, Asset Management, Insurance, Securities Services, and Real Estate métiers are business lines whose markets have high potential, and in which the division has placed strong ambitions for development.

With more than 8,000 employees, the division is positioned amongst the top French, European, and world-wide players.

Net Banking Income : Euro 2.209 Billion

Employees : 10.300

French Retail Banking: 57%

With a network of 2300 branches across France and new distribution channels offering both electronic and telephone services, BNP PARIBAS distributes banking products and services to 6 million clients and one-third of all French small businesses. It is also a leader in Visa bank cards, a leader in online banking and a leader in private banking (as part of a joint venture with Private Banking and Asset Management).

It also includes Investment Retail Banking and Special Finance Services among its most profitable divisions.

Net Banking Income : Euro 9.549 Billion

Employees : 59.800


THE SITUATION

You just found a new job. You were in the ‘Group Risk Management’ for the Credit Risk. Your job was to do a final check on files in order to validate corporate loans. You were also aware that the New Basel Accord started its rounds of talks last week. However, you just received a phone call from the ‘Group Human Resources’ asking you to set up an Operational Risk cell in Paris for the Corporate Banking and Investment core business. It is the first time you have ever heard about such a risk, but you decide that it is a new challenge and take up the position. Here you are, packing and on your way to your new office.

Your direct superior will be the head of Information Technology and Operations of the Corporate Banking and Investments core business. You will also be co-ordinating the workflow among all the business lines and the Group Risk Management - Operational Risk department.


PART 1

After only a week in this new building, you have kept yourself informed of the new regulations. You are asked to give a presentation about Operational Risk to your direct boss and to all the heads of the business lines. The content is sent to you by GRM-OR by email, in text format.

Give a 10-minute presentation that makes a credible case for why Operational Risk should be taken seriously by the bank and why the AMA calculation method is more suitable than the others.

Guidelines

“Hi,

Here are the main topics you should address in your presentation.

1) Operational Risk’s Management Constraints: regulatory, technical and budgetary constraints, strategic orientations, software application and business needs

2) Operational Risk Process: Communication, Organisation, Measure Analysis and business processes

3) AMA method

4) Stakes:

Respect of regulatory requirements

Standardisation of incident management

Reporting to the highest management

Decrease in annual losses

Minimising regulatory capital, Optimising the economic capital

Regards.”


PART 2

The presentation is done, and some attendees are more convinced than others. Typically, the businesses related to trade were already aware of this type of risk and were considering it, whereas the other businesses are still sceptical about it. You receive an email from GRM-OR. It explains that one of the components, the historical database, will have to gather incidents for 3 years. So there is no time to waste and you decide to present an implementation plan for this database. You ask yourself these questions:

a) Make a summary of the benchmark for Operational Risk (Annex). Focus on the work done so far, the strategy regarding methodology, organisation, authority and the historical database.

b) What sort of reporting database to deploy?

1) Quick first or long elaborated?

2) What is the key reporting information

From the base?

For the reports?

3) What are the future optimisations?

4) What about the technical difficulties?

Different servers around the world, internet connection not available everywhere.

c) A global policy: it is a good idea to communicate the different Operational Risk procedures to everyone, but what to mention? And how to suit specific needs?

d) How to convince everyone to report incidents? What about the reluctant ones?


PART 3 (EXTRA)

You have now designed a basic framework of the topics to be included in an Operational Risk Report. You gathered opinions from different staff working on the same subject. They made few comments but they all broadly agreed on the format. This framework was also validated by your direct superior, who is the Head of some 3000 IT people around the world. He agreed with the central operational risk management to ‘lend’ them a few IT teams, so that they could develop their own solutions. However, these teams would still be under their original department’s control.

When you took up the position, 6 months ago, you informed the central operational risk management that you would draft a typical reporting tool. It would be a preliminary analysis of the incidents recorded in the database. It would eventually be programmed, so that at a simple click, tables and graphs would be made available in no time to any authorised staff, whether or not trained in database queries.

You receive a reply from the central operational risk management telling you that all their IT teams are booked for other purposes. You thought that you could do it yourself, but they have not even decided which development tool to use, while they are providing reports for one of your sub-departments in a remote territory. Anyhow, it means that the reporting still needs to be done manually, which takes a few days and is not foolproof. There is also a question of staff: who would agree to perform such a detailed, sensitive and repetitive duty? Meanwhile, you need to set up committees based on this reporting to inform the Heads of territories and departments about their incidents.

What would you do about the development of this report?


ANSWERS

PART 1

Operational Risk Constraints

[Figure: Operational Risk Management Constraints. Elements shown: Business Needs, Software Solutions, Technical, Regulatory, Budgetary, Strategic Orientations.]

Operational Risk Process

[Figure: Operational Risk Process. Labels shown: Management, Operations.]

Business Processes: Integrate risk assessment in business processes

Measure & Risk Analysis: Define methods/tools to identify risks from the top and business levels

Organisation: Define a central management and an organisation to take decisions in line with the global policy and business risks

Communication: Efficient communication about priorities and risk assessments


AMA Method

Stakes

Respect of regulatory requirements

Standardisation of incident management

Reporting to the highest management

Decrease in annual losses

Minimising regulatory capital, Optimising the economic capital


[Figure for the AMA Method: Advanced Measurement Approach. Data inputs shown: Historical Internal Loss Data, External Loss Data, Business Environment and Internal Control Factors, Scenario Analysis, Insurance. Labels shown: Historical Data, Forward Looking Data.]


PART 2

Benchmark summary

Barclays Bank PLC

Barclays has virtually completed the formulation of sound operational risk policies, procedures and practices throughout the bank.

Barclays has decided to outsource some activities: those considered uneconomic and which do not add value to its client relationships, such as cheque and mortgage processing.

Selecting which risks to retain and which to outsource or insure

Deutsche Bank AG

Operational risk framework has been developed.

Deutsche Bank has developed a matrix structure for operational risk management,

involving both divisional and regional operational risk officers.

The bank is using internal data for the higher frequency events; however, for the lower-frequency high-impact events it is using external, publicly available industry data.

Risk-reward relationship

HSBC Holdings plc

Given its size and diversity, HSBC Group has adopted strong controls.

Each business unit is responsible for determining its own approach to risk management.

Reporting to senior management. This is underpinned by internal audit investigations and recommendations, to which line management is required to produce and implement appropriate action plans.

Companies and business lines within the Group are given the flexibility

ING Bank N.V.

ING Bank has set up operational risk committees (ORCs) in all regions and major countries, and is extending this concept to the remaining business units. These ORCs, chaired by General Management, are responsible for monitoring operational risks and ensuring that appropriate actions are taken.


Lloyds TSB Bank Plc

The loss database has now been designed and will be implemented during the first quarter of 2004.

Uniform methodology

Responsibility of the individual business units.

Swedbank (ForeningsSparbanken)

In early 2000, the group set up a dedicated Group Operational Risk department composed of four people.

Enable the bank to move from quarterly to real-time reporting above SEK50,000 for approximately two years. Track record of eight years of loss data collection. Going forward, the group plans to expand its data collection to "near misses" which are currently only collected on an ad hoc basis.

The group’s data categorisation is in line with the approach suggested by the British Bankers Association (BBA): a risk profile is created for each business unit based on four fundamental risk elements (personnel, processes, systems, and external events).

What sort of reporting data base to deploy?

Database

At BNP Paribas, the quick solution was chosen. The argument put forward was that incident reporting was given priority. There was no time to waste in gathering incidents in order to comply with the regulatory 3-year incident history.

The tool currently in place can reach every user of the internal electronic mail system. It is the most common application after the Intranet. A migration to a web based reporting tool is being rolled out.

Currently, the database is polluted by information that is not always consistent, and efforts are being made to change these behaviours. Improvements to the reporting tool are currently being developed. The strategy for new version releases is questionable and rarely reaches a consensus, but it is still pushed by the centralised unit.


Key information

Database information:

Incidence / Discovery/ Creation date

Status (In Process/ Submitted for Approval/ Approved)

Type (Gain/ Loss/ Near Miss/ Opportunity Cost/ Undetermined)

Estimated/ Final /Impacted Amount

Event, Cause

Business/ Country

Reporting information :

0°/ Summary - P&L impact: give a quick idea of the incident situation

1°/ Dates

Monthly trend per type of date: make sure the required delays are respected

Late reports and late approvals: highlight troublesome incidents

2°/ Incidents Types: identify potential loss situations

3°/ Amounts

Estimated amounts versus Final amounts: potential financial losses

"Loss amounts" by size: low frequency-high impact incident analysis

4°/ Events and Causes: why did it happen? Is it recurrent? How to prevent it? Are the action plans effective?

5°/ P&L Approach

Losses and Gains by Activities/Territory: Amount lost to date

6°/ Operational Risk Approach: incidents < 15k€

Small incidents by Activity & Territory: identify concentration of incidents

Near-Misses split by activities: identify potential losses


7°/ No incident reported

List of Business Lines and Territories with no incident declared: give hints about the ones not following the global policy

8°/ Incidents mapping

"Activities / Territories" concentration

Causes & Events mapping by Activities/Territories

9°/ Loss allocation Matrix: which back/front office pays the bill
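An added example (not code from the thesis or from BNP Paribas) of an incident record carrying the database fields listed above, with four of the listed reports computed over constructed rows. The field names, the 30-day reporting delay, the date-ordering rule and the sample data are assumptions; only the 15k€ threshold and the type and status values come from the text.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

SMALL_INCIDENT_EUR = 15_000   # threshold of report 6 in the list above
MAX_REPORT_DAYS = 30          # assumed required delay; the text gives no figure
TYPES = {"Gain", "Loss", "Near Miss", "Opportunity Cost", "Undetermined"}
STATUSES = {"In Process", "Submitted for Approval", "Approved"}


@dataclass(frozen=True)
class Incident:
    ref: str
    incidence: date               # when the event happened
    discovery: date               # when it was noticed
    creation: date                # when the record was entered
    status: str
    type: str
    estimated_eur: float
    final_eur: Optional[float]    # None until the amount is settled
    event: str
    cause: str
    business: str
    country: str

    def __post_init__(self):
        # Reject inconsistent rows at entry instead of cleaning them later.
        if self.type not in TYPES or self.status not in STATUSES:
            raise ValueError(f"{self.ref}: unknown type or status")
        if not self.incidence <= self.discovery <= self.creation:
            raise ValueError(f"{self.ref}: dates out of order")
        if self.estimated_eur < 0 or (self.final_eur or 0) < 0:
            raise ValueError(f"{self.ref}: amounts are entered unsigned")

    @property
    def amount(self) -> float:
        # Final amount when known, otherwise the estimate.
        return self.estimated_eur if self.final_eur is None else self.final_eur


def late_reports(incidents, max_days=MAX_REPORT_DAYS):
    """Report 1: incidents entered more than max_days after discovery."""
    return [i.ref for i in incidents
            if (i.creation - i.discovery).days > max_days]


def estimate_drift(incidents):
    """Report 3: final minus estimated amount of settled losses, per business."""
    drift = defaultdict(float)
    for i in incidents:
        if i.type == "Loss" and i.final_eur is not None:
            drift[i.business] += i.final_eur - i.estimated_eur
    return dict(drift)


def small_loss_concentration(incidents, limit=SMALL_INCIDENT_EUR):
    """Report 6: number of losses under the limit per (business, country)."""
    return Counter((i.business, i.country) for i in incidents
                   if i.type == "Loss" and i.amount < limit)


def silent_units(incidents, expected_units):
    """Report 7: expected (business, country) pairs with no incident declared."""
    seen = {(i.business, i.country) for i in incidents}
    return sorted(set(expected_units) - seen)


# Constructed sample rows (not real incidents).
SAMPLE = [
    Incident("OR-001", date(2003, 1, 6), date(2003, 1, 7), date(2003, 1, 9),
             "Approved", "Loss", 12_000, 9_500,
             "Settlement error", "Manual input", "Fixed Income", "FR"),
    Incident("OR-002", date(2003, 2, 3), date(2003, 2, 10), date(2003, 4, 1),
             "In Process", "Loss", 4_000, None,
             "Late confirmation", "Staff shortage", "Fixed Income", "FR"),
    Incident("OR-003", date(2003, 3, 1), date(2003, 3, 3), date(2003, 3, 10),
             "Approved", "Loss", 80_000, 140_000,
             "Pricing error", "Model parameter", "Equities", "GB"),
    Incident("OR-004", date(2003, 3, 12), date(2003, 3, 12), date(2003, 3, 13),
             "Submitted for Approval", "Near Miss", 0, None,
             "Duplicate order", "System outage", "Equities", "GB"),
    Incident("OR-005", date(2003, 4, 2), date(2003, 4, 2), date(2003, 4, 2),
             "Approved", "Gain", 3_000, 3_000,
             "Booking error", "Manual input", "Fixed Income", "GB"),
]

# Constructed list of units that are expected to report.
EXPECTED_UNITS = [
    ("Fixed Income", "FR"), ("Fixed Income", "GB"),
    ("Equities", "GB"), ("Equities", "US"), ("Corporate Finance", "FR"),
]

if __name__ == "__main__":
    print("Late reports:", late_reports(SAMPLE))
    print("Estimate drift:", estimate_drift(SAMPLE))
    print("Small losses:", dict(small_loss_concentration(SAMPLE)))
    print("No incident declared:", silent_units(SAMPLE, EXPECTED_UNITS))
```

Validating type, status, date order and sign when the row is created addresses the consistency problem described for the database, because a report built on rows that skip these checks inherits their errors.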

Future Optimisation/ Enhancement

Cross-functionality : Need to gather information of the same user and the related transactions Jurisdiction

Human : Estimation input as correct value to calculate the right capital

Processes : Map the internal processes controls with the database incidents

Overall : Better incident management, therefore risk capital closer to economic capital.

Technical Difficulties

The countries affected by slow or non-existent internet are extremely few. Generally, the activities that take place there are backed up on a bigger platform elsewhere. Incident reporting takes the form of a simple Excel sheet with required fields set by Group Risk Management - Operational Risk (GRM-OR). The sheets are sent on a daily or weekly basis.

Operational Risk Global Policy

The global policy is decided in the centralised Operational Risk department (GRM-OR), with strong interactions with all the businesses. It then sets a common set of rules in line with the regulations. It includes:

Process to enter incidents

Process for validation


Incident reporting threshold

Required delays

Explanation of tools vocabulary

What makes an incident suitable for input

Role of different actors in the reporting process (e.g. the correspondent makes sure of the consistency of the data)

Also, in order to suit every business line's needs, the global policy sets minimum criteria. It is then up to the businesses to customise them to match their own needs. E.g. the reporting threshold is set at €20.000 in the global policy, but the corporate banking set it at €15.000.

How to bring everyone to follow the policy?

Financial incentives to input incidents? No.

The Operational Risk correspondents are the most senior staff (e.g. Secretary General) in the territories. They are in charge of communicating and putting in place the global policy. They use a top-down approach.

How to convince?

It is a regulatory requirement to set aside capital. If it can be proven that the incident management is good enough and the inherent risk well identified, then the business line's financial contributions to the capital will be lowered.

PART 3 (EXTRA)

This dispute involved the Heads of these 2 departments. It is still going on as this paper is being written. A solution that might be adopted is to develop the report internally within the CIB department. However, this would bypass the co-ordination role of the central operational risk management.


CONCLUSION

This paper mainly deals with the functional aspects of a report dedicated to Operational Risk Management. It presents a summary of the regulatory requirements, opinions from an external point of view and its application in a leading French bank.

Within the AMA, the historical database is the first of the 4 components to be in place. It is the most tangible and therefore the most practical one to assign explicit requirements to. For the others, there is still a strong need to identify their specifications, validate them group-wide, find common ground and develop reporting tools, to eventually integrate all of them together into a sound operational risk management system.

Finally and above all, the accord has not even been finalised yet. All the planning still depends on last-minute changes. Many discussions around the AMA are still taking place. However, the main framework has been set up. The delay added by these extra talks is indeed precious time for banks to enhance their existing systems and plans.

From an information system point of view, the most interesting aspects are how, or what sort of, applications will be developed for the 4 AMA components individually and, in turn, how they will all be integrated together to form a single application handling extremely varied types of data and interconnecting them following different processes.


ANNEX

Barclays Bank PLC

Barclays Bank is making significant efforts to improve its risk culture and reduce the level of losses resulting from operational risks. We believe the actions being taken could lead to an enhancement in the quality and stability of earnings.

Barclays' publicly stated aim is to achieve top quartile total shareholder return (TSR) on a sustained basis.

In practice, this has in recent years required a return on economic capital of about 14%.

Risk appetite is defined through a Board of Directors’ statement, with standards for managing risk and Key Risk Indicators reviewed by a board committee. The bank identifies four principal types of risk: credit; market; A&L, liquidity and pricing risk; and other risks, which include operational, legal, tax and compliance.

During 2002, Barclays re-organised and upgraded its risk function, and appointed a new Group Risk Director.

With regard to development of operational risk management, Barclays has virtually completed the formulation of sound operational risk policies, procedures and practices throughout the bank.

Improvements are being made to the systems and reporting infrastructure. With regard to extreme risks that could potentially have a high impact upon the bank, but which by their very nature have a low probability of occurring, Barclays has implemented an early warning management information system (involving key performance and key risk indicators, traffic light and dash board systems, and escalation mechanisms).

Areas for further consideration include data integrity, together with improvements in interpretation and perception, particularly with regard to holistic risk processes.

The bank has begun the process of enhancing the efficiency and effectiveness of operational risk management. In response to Pillar 1 of Basel 2, Barclays has decided to adopt the advanced measurement approach (AMA). This should lead to a lower regulatory capital requirement; however, the bank has yet to fully evaluate expected gains.

Barclays has decided to outsource activities, such as cheque and mortgage processing, which are uneconomic and do not add value to its client relationships.

Operational risk profiling (i.e. selecting which risks to retain and which to outsource or insure) remains at an early stage. The market for effective ‘alternative risk transfer’ solutions remains limited. Insurance, although used in the past, has yet to be actively developed as an operational risk profiling tool.

We view positively the fact that Barclays has been moving into a more focused and effective risk-based structure, concerned with adding value. We recognise the continuous efforts being made by Barclays to embed operational risk management throughout the bank. Our assessment of the progress made is that it is sound. Looking to the future, we would expect to see further efforts relating to cost-benefit analysis as the bank moves more into stage two of development. Failure to maintain the current dynamism could potentially result in ossifying bureaucracy, although we see no reason why this should happen.

Deutsche Bank AG

Deutsche Bank (rated Aa3/P-1/B) appears to be well positioned with regard to operational risk management. It has been pro-active in the Basel 2 process through participation in industry working groups and direct discussions with regulators.

Deutsche Bank believes firmly that operational risk management is concerned with the effective running of a bank. Its aim is to embed a risk aware culture throughout. The bank has put in place policies together with divisional standards, and it is currently in the process of developing a risk profile document. An operational risk framework has been developed. This is actively being rolled out across the group.

Deutsche Bank has developed a matrix structure for operational risk management, involving both divisional and regional operational risk officers. The development of supporting tools and techniques is seen as an ongoing process.

Deutsche Bank will be adopting the Advanced Measurement Approach (AMA) as specified under Pillar 1 of the new Basel Capital Accord (Basel 2). However, due to insufficient clarity from the regulators, it remains uncertain what advantage this will produce with regard to a reduction in the regulatory capital requirement.

The bank is currently collecting and analysing data. It expects to be able to show, in about three years’ time, how the effective management of operational risk has reduced the severity and frequency of losses.

A loss distribution approach (LDA) to the quantification of operational risk is being adopted. However, data quality and sparseness represent limiting factors with regard to the development and validation of operational risk models. The bank is using internal data for the higher frequency events; however, for the lower-frequency high-impact events it is using external, publicly available industry data. Currently, one single loss distribution curve is being used for the group as a whole. It is intended to replace this top down approach with a bottom up approach in 2004, giving an analysis by business line and event type. Other issues to be addressed are correlation and qualitative fine-tuning.

Moody’s believes that operational risk management within Deutsche Bank is soundly based and that solid progress is being made in a reassuringly cautious and questioning manner.

We are of the opinion that quantification is a difficult area particularly given current limitations concerning the quality and sparseness of data. The use of external data for extreme events is questionable, since it ignores the culture and control environment of the bank. With regard to the future, the next major stage of development for Deutsche Bank may be to optimise the risk-reward relationship (possibly through cost-benefit analysis) and to actively seek improvement in the quality and stability of earnings.

HSBC Holdings plc

Given its size and diversity, HSBC Group has adopted a strong controls based approach to operational risk management. HSBC considers responsibility lies in all levels within the Group i.e. in Group headquarters, in the local head office and in the line management of each business activity.

HSBC’s control culture and philosophy emphasises individual accountability, within a framework prescribed in the Group standards manual (GSM) and functional instruction manuals (FIMs). Within this overarching framework, each business unit is responsible for determining its own approach to risk management.

The Group uses the following definition for operational risk: "Operational risk is the risk of loss arising through fraud, unauthorised activities, error, omission, inefficiency, systems failure or from external events. It is inherent to every business organisation and covers a wide spectrum of issues."

Monitoring is undertaken by regular reporting to senior management. This is underpinned by internal audit investigations and recommendations, to which line management is required to produce and implement appropriate action plans.

Reporting is a combination of financial and loss incident reporting. The trigger for the reporting of a loss incident is a charge to the P&L account. Operational risk losses are consolidated and reconciled to the financial reporting systems. Near misses are also collected where it is considered significant lessons can be learnt. All Group companies are required to report aggregate operational risk losses and incidents over a pre-determined limit, on a quarterly basis. In addition, all major trading companies within the Group are required to review the effectiveness of internal controls, on an annual basis.

HSBC focuses on management of operational risk and regards measurement as a secondary issue. Group Headquarters maintains oversight and control through three initiatives:

1. Operational risk loss data collection initiative

Data collection began in January 2001 and has been implemented throughout the Group on a decentralised basis. Data is classified by various attributes, including event type, primary and secondary cause, business line and the country of loss.

2. Reporting of results of loss data collection

A regular Group-wide operational risk report, which provides a summary of the Group’s operational risk loss experience and gives details of incidents over USD1 million, is provided to the Group Finance Director and is tabled at a Board Committee.

3. Feedback

Feedback reports containing brief details of all incidents identified throughout the Group are distributed to the chief financial officers of the principal Group companies. Further details of incidents are provided where appropriate to relevant Group functions including Audit, Compliance, Legal, IT Security, Insurance, etc. Completeness checks are carried out by making comparisons with other reports received by Group functions.

Given the size and complexity of the HSBC Group it is considered that a one size fits all approach is inappropriate. Therefore, different companies and business lines within the Group are given the flexibility to implement different approaches within the prescribed framework. With regard to the new Basel Capital Accord (Basel 2), permissibility of a mixed basis under Pillar 1 may be important. HSBC is watching the results of other banks concerning the development of the more sophisticated advanced measurement approaches (AMAs) but as yet its view is that "the jury is still out."

HSBC is a solidly managed group; however, we believe that its thinking with regard to operational risk management is somewhat less advanced than is the case in other major banking groups. This reflects the fact that the Group took a decision not to participate actively in the development of AMAs, but rather to maintain a watching brief. Although the HSBC Group’s concentration on traditional accounting and reporting based systems could mean that it may lack the speed of response of leading banks in this field, this is not, in our opinion, likely to be material to the success of the Group and in the longer term it could catch up if it wishes to. Given its size and diversity HSBC Group benefits from a portfolio effect, which together with the substantial absolute level of its earnings, suggests that it has the capability to withstand substantial operational losses, should these arise.

ING Bank N.V.

ING Bank has adopted a proactive stance towards operational risk management and has been actively involved in a number of industry working groups. Its view is that a professional operational risk management function and process is essential for ensuring the continuity and reputation of a bank. ING Bank has set up operational risk committees (ORCs) in all regions and major countries, and is extending this concept to the remaining business units. These ORCs, chaired by general management, are responsible for monitoring operational risks and ensuring that appropriate actions are taken. By taking a proactive stance the bank is aiming to avoid surprises. This requires early detection of key risks. Incident information is considered essential to better understand operational risks, based on the idea of ‘how can you learn for the future if you do not understand the past.’ The approach taken is to understand the cost of risk, develop ‘lessons learnt’, and take appropriate mitigating action. ING Bank uses an array of tools and techniques including periodic risk & control self-assessments (RCSA), continuous risk awareness programmes, monthly key risk indicator (KRI) reports, a new-product approval process, and action tracking of audit findings. Risk tolerances are set, based upon impact. ING considers performance measurement to be essential in a large conglomerate since ‘if you cannot measure risk you cannot control it’.

Fundamentally, ING believes that operational risk is about people. Risks, therefore, need to be allocated back to individual line managers in order to facilitate management control through accountability, responsibility and learning.

ING is also extending its operational risk management process to ING Insurance. Economic capital is used to incentivise business unit managers. Capital investment, which increases the rate of return and reduces risk, attracts a lower capital charge. ING believes that RAROC (Risk Adjusted Return On Capital) is an ideal management tool being both a carrot and a stick. Economic incentivisation has been used quarterly since 1998 and is continuing to be enhanced.

With regard to regulatory requirements, ING will be adopting the Advanced Measurement Approach (AMA) under Pillar 1 of the new Basel Capital Accord (Basel 2). The bank is currently using a combination of a Loss Distribution approach and Scorecard based approach since it believes that a combination of quantitative and qualitative tools and techniques may be required within the various business units, depending upon circumstances and future developments.

The bank collects quarterly internal loss data. It also collects information on near misses, which it sees as an essential part of management and learning. External data is sourced from two commercial providers together with that from the ORX industry consortium, of which ING is a founder member. ING considers that external data, if used carefully, is appropriate for scenario analysis and benchmarking purposes.

Moody’s believes that although ING Bank has chosen not to be in the vanguard in the field of operational risk management, its approach is well thought through and its management processes appear sound. Over the next twelve months, the key priorities for the bank are to further strengthen its organisation of operational risk management, rolling out operational risk committees (ORCs) to all business units, and enhancing operational risk tools and techniques.

Lloyds TSB Bank Plc

Approach and Positioning

The Lloyds TSB group has grown into its current form through mergers and acquisitions, which has resulted in a relatively decentralised structure, with numerous business units, each with their own risk profile.

The group has, historically, taken a sound, realistic approach to operational risk management, and it recognises that there are increasing risks inherent in the current business environment. Working groups have been established to address the following key issues relating to operational risk:

1. Operational risk loss database

The loss database has now been designed and will be implemented during the first quarter of 2004. As well as recording and categorising losses, the database will seek to include near misses and consider the causes of operational risk events.

2. An overall operational risk tool for the group

The group is considering implementing a new uniform methodology for managing operational risk, to replace the existing variety of approaches present in different business units.

3. Regulatory Capital Approach

The bank is presently working towards recognition to at least the standardised approach, with detailed consideration also being given to the AMA.

With regard to positioning, Lloyds TSB has deliberately chosen not to be a prime mover so far. Instead, it has chosen to implement quickly those appropriate developments proven by other market participants to be effective, an approach which we see as valid, particularly for an organisation with a relatively low risk profile and conservative appetite for risk.

Definition

Lloyds TSB initially adopted Basel’s high level definition of operational risk (i.e. the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events). It is currently developing a more useful granular definition in line with its approach to operational risk management.

Management and Reporting

An enterprise wide risk management (EWRM) approach has been adopted. All risks are identified according to a number of drivers, of which operational risk is one, and which impact others.

Risk management is seen as the responsibility of the individual business units. Regular business unit risk reviews are carried out, with support from the group risk function, and self assessments are completed by business units periodically.

The Future

Lloyds TSB is seeking to gradually bring about a cultural change within the group with regard to operational risk. It is proposing to introduce a more proactive, rather than reactive, stance and to move away from a zero tolerance style to one of informed flexibility. This will require a clear business case to be made for operational risk management.

Issues regarding governance and board involvement are also likely to need to be addressed, in order to bring about the cultural change associated with the further development of strong operational risk management procedures.

Swedbank (ForeningsSparbanken)

Summary and Conclusions

Moody’s views Swedbank’s group operational risk management as adequate. The group aims to be in line with best practices in that area - an objective which we expect it to achieve. Work is currently ongoing at a rapid pace with key milestones planned for 2004. The group’s focus is mainly on qualitative elements though data collection should in time favor quantitative content.

Approach and Positioning

Swedbank has adopted a bottom-up approach to operational risk management. The group’s ambition is to be on a par with recognized best banking practices in the Nordic region. Today, management focus is primarily on promoting awareness of operational risk issues throughout the group, notably through self-assessment workshops organized in collaboration with each of the group’s five business units (see Issuer Profile on Swedbank for details of the group’s business units). The group has been running a formal self-assessment program in its Swedish operations since 2001.

Definition and Scope

Swedbank does not aim to optimize its regulatory capital level through operational risk management. Management views the development of its operational risk framework in three stages:

- To ensure that the group has sound operational risk management systems,
- To optimize the cost/benefit of these procedures
- To address competitive strategic positioning.

Management and Reporting

Overall responsibility for operational risk management rests with the Board of Directors of Swedbank. In particular, the Board has approved group-wide instructions addressing basic management techniques and consolidated reporting, notably with the view of monitoring operational risk management initiatives in FIH and Hansapank. The Board has created a dedicated Committee, the Audit and Operational Risk Committee, to address this issue. Swedbank has had a dedicated operational risk policy since 1998, which was recently updated. In early 2000, the group set up a dedicated Group Operational Risk department composed of four people. The department is responsible for establishing policies and procedures and ensuring efficient, independent risk monitoring. The Head of the department, also responsible for Group Security, reports directly to the Chief Executive Officer.

Each business unit has a dedicated Operational Risk manager with line reporting to the business unit head and functional reporting to the Head of the Group Operational Risk team.

Reporting Structure

Currently, the Board of Directors receives operational risk reports from the group risk department on a semi-annual basis, supplemented by an annual presentation. The Chief Executive Officer and the Executive Management Committee receive reports on a quarterly basis. Reporting at the business unit level is currently being developed. Swedbank has adopted a two-phase approach to reporting, first targeting more qualitative reports and later aiming to include also quantitative content. Consultancy advice and guidance has been taken with regard to the use of key risk indicators (KRIs). A specific KRI project was run in Swedbank Markets last year which the group is currently replicating to the other four business units.

Infrastructure

Systems are a combination of manual and IT elements. Further system development is being undertaken to provide a more robust infrastructure together with an enhanced IT environment. It is proposed to increase the level of IT, in order to enable the bank to move from quarterly to real-time reporting and to enable more information to be captured and made readily accessible.

Data Quantification and Modeling

Swedbank has been recording loss data for events exceeding SEK50,000 for approximately two years. The group however reports that its subsidiary Hansapank is rather more advanced with a track record of eight years of loss data collection. Going forward, the group plans to expand its data collection to "near misses" which are currently only collected on an ad hoc basis.

The group’s data categorization is in line with the approach suggested by the British Bankers Association (BBA): a risk profile is created for each business unit based on four fundamental risk elements (personnel, processes, systems, and external events). These elements are then sub-divided, thus facilitating drill-down. Changes in each business unit’s risk profile are considered each year. Analysis of causality is progressing in line with data-capture and understanding.

Tools and Techniques

Swedbank is looking to implement a range of operational risk management tools and techniques throughout the group, including periodic self-assessment exercises, risk and vulnerability analysis, and key risk indicators. Progress is at a different stage throughout the group’s five business units. This is also true in respect of related aspects such as awareness, organizational readiness and reporting procedures.

Regulatory Compliance

Swedbank has decided to opt for the standardized approach under Pillar 1 of the new Basel capital accord (Basel 2). However, the group intends to further develop its operational risk management capability and may in time adopt more sophisticated measurement and quantification methods, of the AMA type, on a business unit basis, as warranted.

Economic Capital

A top priority for management, the group’s economic capital project pursues the following goals:

- to improve management’s understanding of how and where risks are created in the group;
- to quantify the size of the group’s risks;
- to better price credit risk in lending transactions;
- to understand the amount of capital required by type of risk and per business unit;
- to compare business units’ performance using return on allocated economic capital;
- to increase capital efficiency throughout the group; and
- to lower risk-related losses owing to a more transparent view of the different risks.

A preliminary study has been carried out by consultants and implementation is expected to be completed by 2004. The group’s operational risk-related work is part and parcel of the overall economic capital project. Business units are incentivized to contribute to lowering the group’s operational risk costs with a view to lowering the amount of economic capital they consume.

Fraud, Corruption and Financial Crime

Swedbank has systems and procedures in place for dealing with fraud, corruption and financial crime which are regularly reviewed and updated. IT detection systems are intended to become increasingly sophisticated through the use of artificial intelligence, including pattern theory. Management considers fraud a relatively more minor issue at Swedbank. We understand that there are only about 20 internal cases of fraud per year and that these are of low value. Similarly, external frauds are of low value. With regard to money laundering, the bank reports about 80 to 100 events a year to the regulator. In that respect, the group is working on identifying transaction patterns as early warning signals of fraud.

Contingency Planning

At Swedbank, contingency planning is not the responsibility of the Group Operational Risk department but, instead, is coordinated centrally by Group Security (though both departments report to the same Executive Officer). A crisis management team exists. Each business unit has its own contingency plans; in addition, some business segments may also have a different contingency plan. With regard to IT, the group has a separate site with a capability of being up and running within 24 hours.