Saturday, February 26, 2011

Operational Risk Management

Overview:
The Operational Risk Management article describes the process of identifying, assessing, measuring, monitoring and reporting operational risks. Basel II capital calculation methods and corporate governance guidelines are discussed.
Operational Risk
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk (BCBS). Operational risk is different from other risks (e.g. credit, market, liquidity) because it is usually not taken in exchange for an expected return; it exists in the natural course of business activity. Failure to appropriately manage operational risk can expose firms to significant losses.
Operational Risk Management Process
The process of risk management for operational risk is similar to the risk management process described in the previous article, “Risk Management Basics”. The process consists of identification, assessment, measurement, mitigation, monitoring, and reporting of risks.
Risk Identification & Assessment:
As a first step, firms should identify the relevant operational risks inherent in their activities, processes, products, and systems. One technique for identifying risks is to observe all processes and create a list of potential risk sources (known as Business Process Mapping). This step should be completed by the risk management department in conjunction with knowledgeable and well-seasoned employees of various departments within the firm. This method allows for open communication and discussion and can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. Other techniques for identifying risk include critical self-assessment, actuarial models, scenario analysis, external data collection, and comparative analysis.
After identifying the risks, firms should assess their exposure on a quantitative and qualitative basis. Quantitative assessments relate to the direct financial loss that could result if a risk materializes. Quantitative assessments are only required for risks which may potentially result in a direct financial loss to the firm. Consider the following factors in the evaluation of each risk:
  • Frequency of occurrence: How often might the risk event occur? To help determine the frequency of occurrence, consider events that actually happened and potential future events. It will be helpful to also refer to events which have occurred external to the firm (other firms in the banking industry).
  • Typical damage: What is the average estimated financial loss? If this event has occurred in the past, consider the average damage it resulted in.
  • Exceptional damage: What is the severe estimated financial loss? For the exceptional damage, consider what the largest loss would be if this event occurs.
Note: For the above factors, take into account the relevant controls in place which mitigate the risk.
The qualitative assessment is concerned with all other losses which could occur if the risk materializes. It is related to the level of severity of the risk (high, medium, low). The assessment should consider the factors discussed in the quantitative assessment as well as mitigating controls, potential damages to reputation, and other factors.
Risk Measurement & Mitigation:
Risk reduction can arise in terms of a decrease in the financial damages or frequency of occurrence of loss events. An important step in the risk mitigation process is to assess and improve on the existing mitigating controls and to create new controls as necessary. An effective risk management plan should contain a timetable for reviewing controls along with relevant risk owners responsible for implementation. Internal controls should be in place to provide assurance that the firm will have efficient and effective operations and will comply with relevant laws and regulations.
Risk Monitoring & Reporting:
An effective monitoring and reporting process is essential for adequately managing operational risk. There should be timely reporting of key information to senior management and the board of directors to support proactive management of risks. The reports should be precise, inclusive, and reliable across business lines. Keep in mind that excessive amounts of data may impede effective decision making. Reports should highlight significant operational risk events and losses and any breaches of set limits (i.e. risk appetite/tolerance of the firm).
Basel II Capital Calculation Methods
The Basel Committee on Banking Supervision (BCBS) is an international group created in response to international concerns of banking instability. For a brief history on the Basel Accords refer back to the Basel III Key Updates article. To ensure bank safety and adequate protection from risk, BCBS requires banks to hold capital against various risks, including operational risk. The amount of capital a firm needs to hold is directly proportional to the amount of risk the firm may be exposed to. In order to conform to the Basel Accords, firms must implement one of the following measures to calculate the capital charge for operational risk:

  • Basic Indicator Approach (BIA) – This method calculates operational risk capital based on the firm’s annual gross income. The capital held for operational risk must be equal to 15% of the firm’s average annual gross income (for the previous three years). Exclude the years in which the firm’s annual gross income was zero or negative.
  • Standardized Approach (TSA) – This method states that firms must divide their activities into eight business lines: corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services, asset management, and retail brokerage. Gross income within each business line serves as a proxy for the scale of business operations.  It determines the likely scale of operational risk exposure within each of these business lines.  The capital charge for each business line is calculated by multiplying gross income by a factor (12%-18%) assigned to that business line.
  • Advanced Measurement Approaches (AMA) – Under the AMA, the regulatory capital requirement is generated by the firm’s internal operational risk measurement system.  To use this approach, firms must first meet certain regulatory requirements. For instance, firms must have a sound operational risk management system and sufficient resources to conduct such internal assessments. The following lists the official Basel II defined event types with some examples for each category:
  1. Internal Fraud – embezzlement of assets, bribery, and tax evasion
  2. External Fraud – identity or information theft, computer hacking, forgery and robbery
  3. Employment Practices and Workplace Safety – safety of employees, discrimination and workers compensation
  4. Clients, Products, & Business Practice – breach of fiduciary duties, improper trades and market manipulation
  5. Damage to Physical Assets – natural disasters and terrorism
  6. Business Disruption & Systems Failures – software failures and system disruptions/downtime
  7. Execution, Delivery, & Process Management – accounting errors and data entry errors
Corporate Governance (Operational Risk)
Corporate governance is the structural design of how risk management functions within a firm.  Risk should be managed within known and agreed risk tolerances (risk appetite). According to the BCBS, common industry practice for sound operational risk governance relies on three lines of defense:
  1. Business Line Management - In charge of identifying and managing the risks inherent in the products, services, and activities for which they are responsible.
  2. Independent Corporate Operational Risk Management Function - Responsible for the design, maintenance, and ongoing development of the operational risk framework within the firm. This includes measuring and reporting of risks and challenging the output provided by the business lines.
  3. An Independent Review and Challenge – Must be competent and independent from the development, implementation and operation of the risk governance framework.
Note: Other schools of thought consider a fourth line of defense, the board of directors. The three lines of defense ultimately report into the board.
A culture of risk awareness and open communication amongst the three lines of defense is imperative to effective operational risk governance. The board of directors is responsible for promoting a culture of risk awareness and for overseeing senior management to ensure that relevant policies and procedures are implemented across all decision levels. In addition the board of directors should approve and review the risk appetite and tolerance statement for operational risk. In turn, senior management should develop an effective governance structure with clear lines of responsibility and ensure that policies and procedures are followed. The chief risk officer (CRO) should report to the CEO or CFO and be independent of business lines. The role of the chief risk officer should include the following duties:
  • Develop and evaluate risk management policies and procedures
  • Provide risk leadership
  • Establish and review risk metrics used for risk assessment
  • Provide appropriate risk reports
  • Challenge decisions regarding risk
Conclusion
Operational risk is not taken in exchange for a return; however, the failure to manage this risk may result in significant losses. The BCBS provides three different methods of calculating capital (BIA, TSA, & AMA). Proper management of operational risks may lead to a reduction of losses and can result in a more accurate assessment of the firm’s exposure. An effective corporate governance framework leads to proactive and informed decision making.
_____________________________________________________________________________________________________
Basel Committee on Banking Supervision: Consultative Document on Operational Risk. January 2001. www.bis.org
Basel Committee on Banking Supervision: Sound Practices for the Management and Supervision of Operational Risk. December 2010.  www.bis.org
Institute of Operational Risk: Operational Risk Governance. September 2010.  www.ior-institute.org/



Tuesday, February 8, 2011

Basel III Key Updates

Overview:

The “Basel III Key Updates” article describes a concise history of Basel I & II and provides an overview of the key Basel III rules and regulations. In addition, a comparison of Basel II & Basel III is illustrated. 

The 1, 2, 3’s of Basel


It all started in 1988 with Basel I, a document provided by the Basel Committee on Banking Supervision (BCBS) which gave life to the Basel Accords. The Basel Accords are recommendations on banking laws and regulations. A key proposal of Basel I was to reduce bank exposure to credit risk by holding enough capital; 8% of its risk-weighted assets.
In June 2004, BCBS issued a revised version of the Basel Accords, Basel II. The Accords were amended in order to facilitate a more comprehensive, sophisticated and risk-sensitive approach for banks to calculate regulatory capital necessary to protect against various types of risks.
The recent financial crisis underlined a number of weak areas in the Basel II rules. On September 12, 2010, the Group of Central Bank Governors and Heads of Supervision, the oversight body of the BCBS, issued a press release announcing its full endorsement of the agreement it had reached on July 26, 2010 in relation to the proposed reforms to the Basel II framework. These proposed reforms were endorsed by the G-20 on November 12, 2010 at the Seoul Summit and are now referred to as Basel III.


Basel III: Three Pillars Still Standing


Basel III was essentially designed to address the weaknesses of the recent crisis; however its intent is to prepare the banking industry for future economic downturns as well. The framework enhances firm-specific measures and includes macroprudential regulations to help create a more stable banking sector.
The basic structure of Basel III remains unchanged with three mutually reinforcing pillars.




Key Elements of Basel III
 
Better Capital Quality


Basel III has introduced a much stricter definition of capital. Higher quality capital means more loss-absorbing capacity, which in turn means that banks will be stronger, allowing them to better withstand periods of stress.

Capital Conservation Buffer


Banks will be required to hold a capital conservation buffer of 2.5%.  The purpose of the conservation buffer is to ensure that banks maintain a cushion of capital that can be used to absorb losses during periods of financial and economic stress.

Countercyclical Buffer

The objective of the countercyclical buffer is to increase capital requirements in good times and decrease in bad times.  The buffer will slow banking activity when it overheats and will encourage lending when times are tough.  The buffer will range from 0% to 2.5%, consisting of common equity or other fully loss-absorbing capital.

Minimum Common Equity and Tier 1 Capital Requirements


The minimum requirement for common equity, the highest form of loss-absorbing capital, is raised from the current 2% to 4.5% of total risk-weighted assets.  The overall Tier 1 capital requirement, consisting of not only common equity but also other qualifying financial instruments, will increase from the current minimum of 4% to 6%.  The minimum total capital requirement will remain at the current 8% level; however, the required total capital will increase to 10.5% when combined with the conservation buffer.

Leverage Ratio

The financial crisis showed that the value of many assets fell more quickly than assumed from historical experience. As a result, Basel III rules include a leverage ratio to serve as a safety net. A leverage ratio is the relative amount of capital to total assets (not risk-weighted). This aims to put a cap on the build-up of leverage in the banking sector on a global basis. A 3 percent leverage ratio of Tier 1 will be tested before a mandatory leverage ratio is introduced in January 2018.

Liquidity Ratios

A framework for liquidity risk management will be created. A new Liquidity Coverage Ratio (LCR) and Net Stable Funding Ratio (NSFR) will be introduced in 2015 and 2018, respectively. These two ratios will be discussed in detail in future articles regarding liquidity risk.

Systemically Important Financial Institutions (SIFI)

As part of the macroprudential framework, systemically important banks will be expected to have loss-absorbing capability beyond the Basel III requirements. Options for implementation include capital surcharges, contingent capital and bail-in-debt.

Basel II vs. Basel III







Transitional Arrangements

The BCBS and the G-20 Leaders agree that the reforms should be introduced in a way that does not impede the recovery of the real economy.  In addition, time is provided for translation of the new internationally agreed standards into national legislation.  A great summary of the phase-in arrangements of the new rules can be found here: http://www.bis.org/press/p100912b.pdf



Sunday, January 30, 2011

Risk Management Basics

Overview:

Risk Management Basics is the first article of the weekly series. It discusses the fundamentals of risk management in the financial industry, the risk management process, and the types of risks. The article is written for the purpose of introducing the subject to readers who are not in the risk management field; however, it is also a great review for readers who have experience in the field. The depth of the topics will gradually increase as time goes on.


Risk: Why Manage It?

If you look up the synonyms for the word “risk” you will likely receive results such as: danger, hazard, threat, peril, and gamble. So, why do people, companies, governments, and countries expose themselves to risk? The answer is simple: without risk there is no reward. Being that risk is an inevitable part of life, it is of great importance to mitigate the exposure. Notice how I said mitigate vs. eliminate. The reason behind this is that if we eliminate all risk, we essentially eliminate all return. Proper risk management ensures that financial institutions create a roadmap to achieve strategic goals. It allows companies to seize opportunities and to mitigate adversity.

Types of Risks

In the financial industry, risk arises from many different activities such as investments, loans, sales, purchases, legal transactions, economic downturn, internal processes/systems failure, negative publicity, etc. The three key risks that will be discussed in this article are: Market, Credit, & Operational risk.

Market Risk

Market risk arises from exposure to fluctuations in market prices, including exchange rates, commodity prices, and interest rates. According to the Basel Committee on Banking Supervision (BCBS), market risk is “the risk that arises from fluctuations in the values of, or income from, assets”. In other words, it is the possibility of loss on investments or trading operations due to changes in the market.

Credit Risk

Credit risk occurs when dealing with customers, vendors, and other counterparties. It is generally viewed as the risk of default on an obligation. The BCBS defines credit risk as a risk which “occurs whenever a firm is exposed to loss if another party fails to perform obligations”.

Operational Risk

Operational risk is associated with human error, system failures, and insufficient procedures and controls. The BCBS defines it as “the risk of loss, resulting from inadequate or failed internal processes, people, or systems, or from external events”.

The Risk Management Process

The risk management process operates within a structured framework that is dynamic and ongoing. A sound framework will ensure that a proper trade-off is maintained between the risks taken and returns earned.  Furthermore, proper risk management will support the attainment of strategic goals, protect business assets and reputation, ensure compliance with regulatory requirements, improve efficiency, and reassure management that the firm is aware of, and has controls in place to mitigate current and future risks.
The process is generally broken down into the following six phases:



Risk Identification & Assessment:
The first two steps of the process involve identifying and assessing risks inherent in all material activities, processes, systems, and products of the firm. Some common methods of identifying risks are described below:

Goal-based identification: Firms set goals and objectives; events that may jeopardize or obstruct the likelihood of achieving the goals are identified as risks.

Taxonomy-based identification: A taxonomy is a breakdown of potential risk sources. A survey is created based on the risks listed in the taxonomy.  The survey is answered by knowledgeable and experienced employees, exposing risks relevant to the firm.

General-risk evaluation: In financial institutions, lists with well-known risks are available. Each risk in the list can be verified for relevance to the firm.

Once all the risks have been identified, it is time to review and evaluate each one of them. Risks should be assessed on a qualitative level as well as quantitative.  All identified risks must be ranked in terms of probability of occurrence and severity levels. It is important to prioritize risks, because attention should be given to the risks which have the greatest potential negative impact on the firm’s achievement of its objectives.

Identifying and prioritizing risks is an integral step in the process because it sets the focus for all further steps in the risk management process.

Risk Measurement & Mitigation: 

Risk measurement is the estimation of the likelihood and magnitude of a risk. As mentioned previously, risks can be ranked  based on how severely the risk is likely to impact the firm’s objectives.

Risk mitigation is the attempt to reduce (a) the degree of the exposure to risk and/or (b) the probability of its occurrence. This step should include evaluating various controls in place to mitigate the risk. In addition, weak or ineffective controls should be identified and enhanced to improve risk mitigation.

Risk Monitoring & Reporting: 

Firms can invest resources into identifying, assessing, measuring, and mitigating risks; however, if a strong monitoring procedure is not in place, the risk management process will be ineffective. Adequate monitoring of risks allows for timely detection and modification of deficiencies.

Risk reporting is an essential step in the process and should not be considered the “last step”. It is an ongoing activity which must take place during all stages of the process. This step facilitates communication between various departments, to management, and the board of directors.

Information must be reported to decision makers on a timely basis, in a way which will help in the monitoring and control of the firm. Reporting and feedback can be used to refine the risk management process by modifying or improving methodology.