Implementing Operational Risk in an Enterprise Risk Management Framework
William Gonyer
Managing [email protected]
Broad Street Banking I Operational Risk Management

Session Outline
Operational Risk as a component of ERM;
BIS II defined and as a template for an ORM program;
The Pillars of Hercules and Basel II’s European Flavor;
One Man’s Struggle for European Convergence;
Campaign Promises, a Big Stick and the art of moral suasion;
ORM for Less than a Million Euros;
COSO, SOX and the World Today.

How Does ORM Fit Within ERM as Defined?
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Operational Risk
Operational Risk (OR) is a pragmatic approach to many of the risks covered within an ERM framework. OR is defined by the Bank for International Settlements (BIS) as “the risk of losses arising from inadequate or failed internal processes, people, systems, or external events.”
Targeted for banking institutions by the BIS.
Three “Pillars”: minimum capital requirements, supervisory review of capital adequacy and public disclosure.

Pillar 1 – Minimum Capital Requirements
Capital is calculated using the amount of the institution’s available capital as the numerator and risk-weighted assets as the denominator. The minimum capital ratio is 8%:
Risk-weighted assets come from credit and market activities and Basel II introduced the added component of Operational Risk.

Weighing the Assets of Operational Risk
Basel II provided three methods for calculating the Operational Risk component of the capital equation:
Basic Indicator Approach;
Standardized Approach; and
Advanced Measurement Approaches (AMA).

The Basic Indicator Approach
Under the basic indicator approach the “weight of the asset” is calculated using the three-year average of gross income multiplied by a fixed charge of 15%.
This approach is intended for a financial institution with less complex operations.

The Standardized Approach
Under the standardized approach the gross income of a defined business unit is multiplied by a percentage associated with the type of business:
Corporate finance 18%
Trading and sales 18%
Retail banking 12%
Commercial banking 15%
Payment and settlement 18%
Agency services 15%
Asset management 12%
Retail brokerage 12%
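
The Basic Indicator and Standardized calculations described above, and their effect on the Pillar 1 ratio, as an added example that is not part of the original presentation. The gross-income figures are constructed; excluding non-positive years, flooring a negative year at zero and converting the charge to risk-weighted assets with a factor of 12.5 follow the Basel II framework text rather than the slides.

```python
# Added example (not from the presentation): Basel II operational risk charges.
ALPHA = 0.15  # Basic Indicator Approach fixed charge, from the page
BETA = {  # Standardized Approach percentages, as listed on the page
    "Corporate finance": 0.18,
    "Trading and sales": 0.18,
    "Retail banking": 0.12,
    "Commercial banking": 0.15,
    "Payment and settlement": 0.18,
    "Agency services": 0.15,
    "Asset management": 0.12,
    "Retail brokerage": 0.12,
}

def basic_indicator_charge(yearly_gross_income):
    """15% of average gross income over the years in which it was positive."""
    positive = [gi for gi in yearly_gross_income if gi > 0]
    return ALPHA * sum(positive) / len(positive) if positive else 0.0

def standardized_charge(yearly_income_by_line):
    """Average over the years of sum(beta * income), floored at zero per year."""
    yearly = []
    for year in yearly_income_by_line:
        unknown = set(year) - set(BETA)
        if unknown:
            raise ValueError(f"unmapped business line(s): {sorted(unknown)}")
        yearly.append(max(sum(BETA[line] * gi for line, gi in year.items()), 0.0))
    return sum(yearly) / len(yearly)

def capital_ratio(capital, credit_market_rwa, op_risk_charge):
    """Available capital over risk-weighted assets. The charge is converted to
    an RWA equivalent with 12.5, the reciprocal of the 8% minimum ratio."""
    return capital / (credit_market_rwa + 12.5 * op_risk_charge)

# Constructed sample: three years of gross income by business line, $ millions
YEARS = [
    {"Trading and sales": 200.0, "Asset management": 50.0, "Agency services": 30.0},
    {"Trading and sales": -40.0, "Asset management": 60.0, "Agency services": 30.0},
    {"Trading and sales": 300.0, "Asset management": 70.0, "Agency services": 40.0},
]

if __name__ == "__main__":
    totals = [sum(y.values()) for y in YEARS]
    bia = basic_indicator_charge(totals)
    tsa = standardized_charge(YEARS)
    print(f"BIA charge: {bia:.2f}  Standardized charge: {tsa:.2f}")
    print(f"Capital ratio with standardized charge: {capital_ratio(400.0, 3000.0, tsa):.2%}")
```

With this sample the trading loss in year two offsets other lines within that year, so the standardized charge (39.8) ends up above the basic indicator charge (37.0) even though trading carries the highest percentage.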

Advanced Measurement Approaches
A financial institution utilizes its own risk measure generated by its Operational Risk measurement system.
The specific methodology must be approved by its regulatory supervisor.

Pillar II
Supervisory review of capital adequacy
Capital adequacy is something we are all familiar with but in the broker/dealer industry there is no specific requirement to calculate a capital component for OR.
Experience shows that in the distant past regulators looked to a multiple of regular required capital to cover undisclosed risk as an informal buffer. The buffer served as a discussion point with the regulator.

Pillar III
Market Discipline
Public disclosure is limited for the broker/dealer industry, as there is no specific requirement for adoption of an Operational Risk program, its capital or its disclosure requirements.
There are, however, requirements under Generally Accepted Accounting Principles that material, expected losses be disclosed.

The implementation process

Implementation Case Study
Implementation began in August 2001 at the US subsidiary of a fully licensed “universal bank” in France where implementation was a (regulatory) requirement.
Ixis was an investment bank with two US registered B/D subsidiaries. The bank’s headcount was about 350, with a balance sheet of approximately $45 billion in assets and revenue of $340 million. By the end of implementation, organic growth had increased headcount to 500, assets totaled $60 billion and revenue exceeded $500 million.

Management Buy In – The Key to Any Successful Implementation
Ixis’ management was very decentralized in that departmental management had significant authority within functional domains and budgetary constraints.
There was a management committee of up to 7 members.
There were 17 departmental cost centers.
These two groups were the focus of attention to sell the program and establish strategic and operational mandates.

Background and Preparation
The OR compliance manager provided a briefing on the requirements and sample self-assessment questionnaires.
An intensive study of the BIS information on the subject from their website provided additional context for the self-assessment and OR measurement requirements.
Contacts were made with departments who were working together to perform the self assessment at the bank’s capital markets sister company in Paris.
In consultation with the CEO, the OR team put together a plan for local implementation along with a budget for the next year.

Implementation of OR Program
Armed with Head Office’s compliance requirement and the CEO’s buy-in, a 7 to 8 member working group was established to build the Self Assessment of OR questionnaire.
The department heads of this group were selected based on a number of factors:
Department headcount (HC) and budget;
Functional risks within departmental domains; and
Departmental manager’s relative influence or expected importance for the OR program’s success.

Factors Considered for Committee Members
These factors, such as the department headcount and budget and the risks associated with the department’s responsibilities, relate to the OR definition: “the risk of losses arising from inadequate or failed internal processes, people, systems, or external events.”
Another consideration was the departmental manager’s relative influence or expected importance for the OR program’s success.

Selling OR to Management
The following rationale helped convince working group or committee members of the value of the OR program and their active participation:
A better idea that we direct the program rather than have HO define local implementation;
Better to establish a local process for management of capital requirements than accept a HO push-down;
An opportunity to perform a company-wide self-assessment;
Individual departments get a 2 for 1 – as risks are defined and acted upon, audit findings diminish, with the OR budget footing the bill;
Departments don’t get penalized for weaknesses related to the risks identified.

Self Assessment of Operational Risk
The working group began the development of a baseline self-assessment questionnaire. The questions were categorized according to the BIS table “Detailed Loss Event Type Classification.” A key objective for the self-assessment was that it follow the BIS classification and that the end product questionnaire would quantify loss risk and produce a “heat map” by business lines. Business lines were based on departments, which aligned with the BIS business types listed under The Standardized Approach (page 8 of the presentation).

Loss Event Types
BIS classifies loss events in the following Level 1 Categories:
Internal Fraud
External Fraud
Employment Practices and Workplace Safety
Clients, Products & Business Practices
Damage to Physical Assets
Business Disruption and System Failures
Execution, Delivery & Process Management
These events are defined and broken down further into Levels 2 & 3, with greater detail at each succeeding level.

The Questionnaire and the Heat Map
The working group defined risks along the guidelines established from the BIS guidance including the Loss Event Type Categories. Additionally we established the definitions of the control processes.
The result was put into MS Excel as questions with boxes that indicated control over the specific event derived from the question and quantification of losses under normal operations and those of very severe events.
In the background, a worksheet quantified both the control and loss severity as two points on a scatter chart, which was the heat map.
The heat map was divided into 4 quadrants: low loss and good control, high loss and good control, low loss and low control and high loss and low control.

Answer Scoring
By employing a scoring methodology, the answers on the questionnaire can be used to plot the risks of a business area by type.
• External Service Provider Failure
• External Fraud
• Regulatory
• Compliance with Policies, Procedures, and Practices
• Key Control Effectiveness
• Customer Risk Management
• External Catastrophe
[Figure: heat map of the risk types above; axes: Ability to Control Risk, Impact of Risk]

Results of the Questionnaire
Action plans were put in place in cases where the expected loss was high and control was low – thus fulfilling the 2 for 1 commitment on areas of weakness (no audit finding).
Key indicator reports were created to address the most frequent smaller losses and the high losses. The indicators were specific to each department and agreed as to report frequency. Indicators included things like fails, aged open items and audit recommendations that had not been addressed.
Each department assigned indicator and event monitoring and reporting staff. Typically this was the department head’s deputy.
Loss events were entered into a HO system by the departmental staff responsible for monitoring and reporting of Key Indicators.

ORM Management and Organization

ORM Roles & Responsibilities
The Board of Directors – Head of OR reported to the Audit Committee of the BOD twice annually.
Management – Head of OR at Managing Director level.
Risk Managers – each department assigned OR monitoring and reporting to a senior staff member, typically a VP or a Director. This liaison staff was supported by a second staff member to provide back-up for absences etc.

ORM Roles & Responsibilities - Continued
Dedicated Staff – From 2001 to 2006 there was no authorized headcount, rather the department was staffed using temporary staff for major projects and cost allocations from each department for Risk Managers and support staff – typically 5 to 15% of a fully charged staff, while no charges were allocated to small departments. 25% of OR Head’s departmental cost (including admin staff) was allocated to the project, and system administration support was provided by a junior officer in the audit team. Key indicator chase and follow-up was performed by either the OR Head or admin support. Significant loss events were often followed up by audit staff as audit issues and thus not charged to OR.

The Obligatory COSO Slide
The eight components of the ERM framework apply equally to OR…

ORM Recap
Operational Risk is a component of Enterprise Risk Management.
Basel II with its rich European taste provides excellent guidance for a comprehensive Operational Risk program.
A good program can be put in place for an organization of 250 – 1,000 headcount using a combination of in place and temporary resources.
Gentle and persistent persuasion is required to bring a program like ORM from seed to fruit.
Selection of committee, work group or internal partners for a program such as ORM is critical, as is carrying through on campaign promises. The corollary: don’t do a George Bush I “read my lips, no new taxes.”