
Operational Risk Management Systems 2008

Navigating through a fragmented market


March 2008

RR08011

About Chartis Research


Chartis Research is the leading provider of research and analysis on the global market for risk technology. Our goal is to support enterprises as they drive business performance through better risk management, corporate governance and compliance. We help clients make informed technology and business decisions by providing in-depth analysis and actionable advice on virtually all aspects of risk technology. This includes technology for:

- Operational Risk Management
- Credit Risk Management
- Market Risk Management
- Asset & Liability Management
- Fraud and Anti-Money Laundering Prevention and Detection
- Basel II, Sarbanes-Oxley, Solvency 2

Chartis Research has a total focus on Risk Technology giving it significant advantage over generic market analysts. Chartis Research has brought together a leading team of analysts and advisors from the risk management and financial services industries. This team has hands-on experience of implementing and developing risk management systems and programmes for Fortune 500 firms and leading consulting houses.

www.chartis-research.com

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Chartis Research Ltd. The facts of this report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions and recommendations that Chartis Research delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. Chartis Research accepts no liability whatever for actions taken based on any information that may subsequently prove to be incorrect or errors in our analysis.

Chartis Research Ltd 2008


Contents
- Executive summary
- Market requirements
- Framework for evaluating ORM systems
- Operational risk and compliance under a common governance umbrella, by RiskTech
- The cyclicality of operational risk: The tracking phenomenon, by Algorithmics
- Related Chartis Research


List of figures and tables


- Figure 1: Competitive Landscape 2008
- Figure 2: Framework for navigating through a fragmented ORM software market
- Figure 3: Risk and Compliance Scorecard/Portal
- Figure 4: Integrated GRC from Ad-hoc to Systematic
- Figure 5: Risk and control self-assessment (RCSA) process example
- Figure 6: (From the Chicago Board of Exchange and Algo FIRST*): VIX index and large operational risk loss events
- Figure 7: Changes in total frequency of operational risk loss events vs. changes in the average VIX
- Figure 8: Changes in people risk class vs. changes in the VIX
- Figure 9: Changes in relationship risk class vs. change in the VIX

- Table 1: ORM System Vendor Evaluation Framework


Executive summary
The second wave of expenditure in operational risk management (ORM) systems is now fully visible. Chartis retains its 2007 forecast for the worldwide ORM market to grow to $1.55bn by 2011. This growth has been fuelled by:

1. Many US and European financial institutions continue to replace their first generation ORM systems. This is largely due to inflexible and rigid product design and the ongoing evolution of ORM methodologies.
2. Some market segments, such as emerging regions (e.g. Middle-East, Asia-Pacific, South America), and vertical sectors (e.g. insurance, asset management) are investing in formal ORM systems for the first time.
3. Average investment in ORM projects is increasing, as more and more financial institutions are seeing ORM's strategic business benefits and not just a tactical tick-in-the-box initiative.

Financial institutions working on the demand side of the market are re-examining their approach, culture and systems for managing operational risk. This is as a result of recent high profile losses, rogue trader events, failures in internal controls and processes surrounding the credit crunch. Furthermore, firms have realised that the traditional compliance box-ticking approaches to managing risk do not achieve the desired outcome. Operational risk needs to be treated as an integral part of the overall governance, risk and compliance (GRC) strategy.

Meanwhile, on the supply side of the market, Sarbanes-Oxley and Basel II have chewed up and spat out many first generation software vendors and products. Amongst the survivors, a handful of vendors have managed to emerge from the darkness, and have proved to the market and themselves that the operational risk software business is both a worthwhile and a profitable business to be in. Operational risk management (ORM) software brands such as Horizon, OpRisk Analytics, Raft, Agena, and ORTOS have more or less disappeared from the radar. In most cases, this has been through a trade-sale or a dignified exit.

In the meantime, a handful of software vendors have established themselves as clear leaders and form the premier league. These include SAS, OpenPages, RCS, Algorithmics and Reveleus. There is also healthy competition from a chasing pack of second tier vendors who have good niche capabilities or dominate one or two local/national markets, but have not been able to break into the global enterprise solution category. These include LIST, Interexa, Chase Cooper, BWise, Optial, SunGard/Ci3, eFront and Methodware. This has resulted in a highly fragmented market where selecting the right vendor is highly dependent on geography, methodology, experience and the complexity or sophistication of the buying organisation.


Figure 1: Competitive Landscape 2008

[Chart: vendors plotted on two axes, "Market share potential" and "Completeness of offering", each running from Low to High, with regions labelled "Tier 2 Vendors" and "Premier Division". Vendors shown: SAS, Methodware, Paisley, BWise, LIST, SunGard, Algorithmics, Reveleus, OpenPages, RCS, Interexa, Optial, eFront, Chase Cooper.]


Figure 2 represents Chartis' view on the top three vendors to be considered for different selection criteria and buyer characteristics.

Figure 2: Framework for navigating through a fragmented ORM software market

Dimensions of Selection

Size of Financial Institution
- Tier 1 or 2: SAS, OpenPages, Reveleus
- Tier 3 or 4: RCS, BWise, LIST
- Tier 5 or 6: Methodware, ChaseCooper, eFront

Sophistication of functional requirements (directly proportional to price)
- Advanced: SAS, Algorithmics, RCS
- Intermediate: OpenPages, BWise, Reveleus

Geographical focus
- Global: SAS, OpenPages, Reveleus
- Europe: SAS, RCS, SunGard/Ci3
- Americas: OpenPages, Paisley, Algorithmics
- Asia-Pacific: SAS, Reveleus, Methodware
- Middle-East & Africa: SAS, Reveleus, ChaseCooper

Primary focus on qualitative techniques: OpenPages, BWise, Paisley

Primary focus on quantitative techniques: SAS, Algorithmics, Reveleus

This report contains key extracts from Chartis Operational Risk Management Systems 2008 Market Analysis report RR08012, published March 2008. Detailed vendor rankings, expenditure data and research can be obtained by accessing this report from www.chartis-research.com


Market requirements
Between January and March 2008, Chartis conducted a global survey of banks and insurance companies across the financial services industry. We received 318 responses, which provided the following insights:

- 42% of respondents expect a decrease in operational risk losses, as a result of enhancements to their ORM systems and procedures in 2007.
- 68% of respondents expect their ORM budgets, both internal and external expenditure, to increase over the next 12 months. Key areas of expenditure include development of internal reporting processes and systems, and internal training.
- 52% of respondents are aiming for the Advanced Measurement Approach (AMA) for Basel II compliance by 2011.
- In Europe, 62% of respondents are applying the Loss Distribution Approach (LDA), 42% are using a COSO-based approach, and 63% are using a combination of both.
- In North America, 48% of respondents are applying LDA, 67% are using a COSO-based approach, and 63% are using a combination of both.
- In the Asia-Pacific region, 44% of respondents are using LDA, 60% are using a COSO-based approach, and 56% are using a combination of both.
- In terms of data inputs into the ORM system, the following data types are being utilised: 83% of respondents use internal loss data, 72% of respondents use risk/control self-assessment data, 52% of respondents use scenario analysis data, 46% use external loss data, 32% use KRI data and 9% use near-miss data.
- 68% of respondents expect to increase their ORM technology budget over the next 12 months.
- In the emerging markets of Middle-East, Africa and Eastern Europe, 71% of respondents are aiming for the Standardized approach within the next two years, and the Advanced Measurement Approach (AMA) in 2010-2011.


The figure below represents a framework for an integrated ORM system.

Figure 3: Risk and Compliance Scorecard/Portal

[Diagram. Labelled components: Risk and Compliance Scorecard/Portal; Reporting and Query Engine; Risk Analytics; Aggregation Engine; Workflow Management; Document Management; Risk and Compliance Data Warehouse; Learning Management; Process Management; Data Quality Management Engine; Extract, Transform and Load. Labelled data sources: OpRisk Data; KRIs; OpRisk Applications/Data; Enterprise Applications; Risk and Control Self Assessment; Internal Loss Event System; Transaction Systems; Financial Systems; External Loss Data/Consortium Data; Fraud & Anti-Money Laundering System; Manual KRI Collection; HR Systems; Credit and Market Risk Systems; Scenario Analysis; IT Management Systems; CRM/Marketing Systems.]


Framework for evaluating ORM systems


The market for ORM software is highly competitive. Financial institutions have sometimes had some doubts about the benefits of investing in this area; however, they remain prepared to spend significant time and money on it. That is partly as a result of the spread and the success of ORM regulations and methodologies. The demand for software to automate the ORM process has grown rapidly, particularly over the last two years. Many vendors have offered new ORM applications and there are very few barriers to entry at the lower end of the market. The requisite skills, such as database development, questionnaire or form design, and report creation, have been available for some time. This has resulted in a diverse range of products that offer a variety of technical approaches and different degrees of functionality, as well as quality.

A financial firm has to compare its individual requirements with the solutions on offer. The decision to opt for one particular product or vendor will depend on a number of factors. These include: functionality, vendor size, customer service, user-friendliness, where and how the data is stored, and last but not least size of budget. Organisations have to consider all of these factors, as well as any demand for specific features, and examine every available solution. Organisations face a difficult choice; there are numerous vendors with different approaches and packages. Often, the short-term solution is not the right long-term investment.

Chartis has developed an Evaluation Framework, described in the table below, to guide firms through the choices they must make when selecting ORM software. Practitioners and end-users have helped to develop the framework so that it reflects the needs of the purchaser. The evaluation criteria carry weightings; organisations may need to adapt these to reflect their specific priorities.

The framework represents the decision-making process used by a financial institution seeking to implement an ORM software application. It includes the key considerations and questions for a potential buyer. It examines:

- Core functionality
- Data management capability
- Vendor characteristics
- Implementation process
- User friendliness
- Complexity
- Customisability/flexibility
- Costs


Table 1: ORM System Vendor Evaluation Framework


CRITERIA                                              WEIGHTING

Functionality:
  Loss Event data capture and reporting               7%
  Risk & Control Self Assessment                      7%
  KRIs/Scorecards                                     7%
  Scenario Analysis                                   %
  External Loss Data                                  %
  Basic Reporting                                     %
  Process Modelling                                   %
  Advanced Analytics and Modelling                    5%
  Total                                               40%

Data Management:
  Reference Data Management                           2%
  Data Access                                         2%
  Data Quality Management/Cleansing                   2%
  Data Storage                                        2%
  Data Security                                       2%
  Total                                               10%

Vendor characteristics:
  Operational Risk Expertise                          2%
  Number and quality of ORM customers                 2%
  Consulting and Training Support                     1%
  Strategic Direction and level R&D Investment        2%
  Help-line Support                                   1%
  Geographical Support                                1%
  Number ORM system support staff                     1%
  Financial/Future Stability                          %
  Terms & Conditions of Licence                       1%
  Total                                               15%

Customisability/Flexibility:
  Data collection forms/questionnaires                5%
  Scorecard/KRIs                                      %
  Reports: drill-down, OLAP, ad-hoc                   %
  Interfacing with other applications                 %
  Total                                               15%

Usability:
  Intuitive Navigation                                %
  Presentation/Visualisation capability               %
  On-line help/documentation                          2%
  Use of language                                     2%
  Total                                               10%

Implementation:
  Implementation Time                                 2%
  Time-effort to train users                          0.5%
  Training Requirements                               0.5%
  Vendor's commitment and competing projects          2%
  Total                                               5%

Total Cost of Ownership:
  Licence cost (cost per user)                        1%
  Annual support & Maintenance                        1%
  Implementation and training costs (external)        1%
  Implementation costs (internal)                     1%
  On-going internal support & administration costs    1%
  Total                                               5%

TOTAL                                                 100%


Operational risk and compliance under a common governance umbrella


Pat Medapa, Director, Operational Risk and GRC Practice
RiskTech

1. Introduction
The Basel II Accord identifies operational risk as a stand alone exposure which not only needs to be adequately capitalized for, but also well managed by banks. Separately, banks have always been subject to meeting a raft of compliance mandates related to the various jurisdictions in which they operate. Even prior to the finalization of the Accord in 2004, several pioneering banks had invested time and resources in addressing the unique challenges and demands of effective operational risk management. Driven by conclusions from data analysis and lessons learnt in implementation of underlying processes, GRC (Governance, Risk and Compliance) software solutions have evolved into mature second generation platforms. Such solutions provide a single platform that:

- delivers an integrated view of a financial institution's governance framework,
- enables the end-to-end management of operational risk, and
- enables compliance to various central bank regulations, other applicable standards as well as compliance to key internal policies.

This article explores GRC drivers and trends, best practices around assessment planning and the broad functional capability required from a technology solution to address the overlaps between the requirements of multiple risk and compliance initiatives, placing them under a common governance umbrella. Such a platform would enable financial institutions to re-use the output of a Risk and Control Self-assessment (RCSA) across multiple control and oversight programs such as Audit, IT, Security, Sarbanes-Oxley (SOX) and Operational Risk Management (ORM).

2. GRC drivers
External and internal drivers have contributed to the need for change in a financial institution's approach and processes for meeting GRC requirements. To add to the challenge, these drivers have been constantly changing in scope and impact, very often driven by the ever growing capability of underlying supporting technologies.

External drivers include:

- Pressures on business from the political environment: political action in response to events such as 9/11, or issues such as global warming, bring pressure on businesses to comply with government sponsored sanctions and requirements.
- Corporate scandals, varying from questionable management practices, to outright fraud, have focused both investor and public attention. This in turn has motivated regulatory bodies across the globe to formulate new and improved public initiatives and regulations, such as Anti Money Laundering (AML) and the Sarbanes Oxley Act (SOX).
- The demand for more ethical business processes and actions: during the 1980s and 90s, interest in business ethics accelerated dramatically. Today, most major corporate websites place emphasis on their commitment to promoting non-economic social values under a variety of headings (e.g. ethics codes, social responsibility charters). In some cases, corporations have redefined their core values in the light of business ethical considerations.
- Swings in the economic environment increase business risk: economic downturns are typically the periods when financial institutions experience losses due to credit defaults, litigation around operational practices, and decrease in the value of their investment portfolio.
- The expansion of the legal and regulatory risk environment: the scope and scale of regulatory and legal requirements are continuously growing to meet the load imposed by a world enabled by technology, leading to a move away from a checklist based approach, to one based on risk-based principles and frameworks such as COSO and Basel II.
- Increasing legal and regulatory liability: aggressive action by regulatory bodies leads to increasing litigation, fines, and settlements, and increased scrutiny from rating agencies and listing exchanges.

Internal drivers include:

- The changing scale and scope of business activity: globalization has resulted in a trend towards large global financial institutions, as evidenced by recent large scale mergers and acquisitions. The expansion of a financial institution's reach through organic and/or inorganic growth increases the magnitude of this driver: in large, complex global banks, the number of dependencies and the severity of losses resulting from breaks in such dependencies are magnified.
- Geographical distribution and the intricate web of business partner relationships: as a financial institution expands, it operates in different geographical and political environments. Going global increases the level of risk, as well as the number of compliance requirements that a financial institution is subject to.
- Changing and diverse technology environments: organizational ability to generate business through technology, coupled with the need to cut costs, has resulted in a patchwork of applications and hardware, sometimes requiring manual intervention in order to achieve what ideally should be a straight through automated process.
- Limited and scattered siloed approach to risk and compliance: traditional siloed approaches to GRC have resulted in redundancy, inconsistency and sub optimal utilization of information across related programs.

3. GRC trends
In response to the drivers described above, financial institutions need to first establish a framework that addresses the varying requirements of, not only various internal control and oversight functions, but also those of business, management and external supervisory bodies. This common framework will allow GRC to be adequately measured and monitored on a sustainable, consistent, efficient and transparent basis. The following trends are emerging in response to the drivers described in the previous section:

- An integrated view of a financial institution's governance framework across risk and compliance: the current trend in financial institutions today is towards an enterprise risk management framework and the creation of roles such as the chief risk officer and chief compliance officer. The role of Finance has also assumed importance in the wake of regulations such as SOX.
- Integration of GRC with Corporate Social Responsibility (CSR): CSR is a concept whereby financial institutions consider the interests of society by taking responsibility for the impact of their activities on customers, employees, shareholders, communities and the environment, in all aspects of their operations. This obligation is seen to extend beyond the statutory obligation to comply with legislation and sees financial institutions voluntarily taking further steps to improve the quality of life for employees and their families, as well as for the local community and society at large. Internal policies very often are more stringent in scope and requirement than the external requirements that they have been formulated to address. As discussed earlier, the move away from a checklist based approach, to one based on guiding principles, has resulted in those financial institutions with a strong control culture incorporating elements of CSR into the actual GRC program itself. Initiatives such as training, and the active discouragement by management of poor risk management practices and unethical behavior, are some examples of how the trend has developed over the past few years.
- Move to the formalization of a new products and/or business process methodology: financial institutions are moving towards a formalized framework to evaluate the impact of the addition or change to a firm's existing product mix or process structure. Under such a framework, relevant departments evaluate the risk impact of the delta required to accommodate either the new product/process or change to the same, identifying risks associated with the proposed change. Only after all relevant departments have provided their analysis will a consensus go/no-go decision be arrived at. These formalized new products and/or business process review mechanisms will replace the traditional practice at some large financial institutions where individual locations or business units independently define or alter corporate policies, procedures, controls, and business practices without any central authority or oversight. This formalized approach will lead to standardized business processes, policies and controls, and the establishment of a single corporate policy portal.
- Technology changes to accommodate the emerging requirements of GRC: technology solutions that address risk and compliance requirements are evolving from stand alone point solutions to a single platform upon which solutions are crafted, utilizing the toolkits that accompany such platforms. The holy grail of GRC technology solutions is to provide a forms-based data capture capability, with flexible workflow and forms definition, overlaying a single enterprise-wide data warehouse to support cross use of information and reporting across multiple solution packs.

4. The federation of islands


The traditional approach to managing risk and compliance was siloed, fragmented and on a case by case basis. For example, theft of a firm's assets by an employee typically entailed the involvement of the concerned line of business, security and human resources. Lack of a centralized role, such as an operational risk management department, meant that this data would not be utilized to derive and disseminate useful information across other areas of the firm, and potentially avert a repeat instance. As such, a bank should first conceptualize an optimal structure in establishing a governance framework that not only addresses the needs of stand alone control departments, but also serves the oversight requirements of the board, senior management and Audit. Achieving this could even entail a re-structuring of the firm's overall control and oversight structure, to allow the cross sharing of data analysis/assessments between various departments without compromising the rationale for the existence of such departments. Effective scheduling entails the deliberate consideration of the frequency and intensity around control assessments required to satisfy the needs of the relevant stakeholders. The figure below depicts the key areas involved in a GRC framework.

Figure 4: Integrated GRC from Ad-hoc to Systematic

[Diagram: two panels, "Ad-hoc GRC" and "Systematic GRC". Labelled functions: BDRP, IT Security, Customer Service, Compliance, Legal, Facilities, IT Risk Mgt, HR, Corporate Communications, Controllers, Security, GRC, Audit, Facilities Mgt, LOBs, Finance Mgt, Individual LoB Mgt, Insurance.]

5. Areas of commonality
For the purpose of identifying areas of data overlap and redundancy, we have set out below the key categories for data collection for ORM and Compliance programs.

From a data capture and follow-up perspective, ORM requires the following data across the enterprise:

- Operational risk events: events arising from failed or inadequate people, processes, systems or the external environment. Such data is historical and backward looking.
- Risk and Control Assessments: the evaluation of the quality of the control environment in mitigating the operational risk exposure of the firm. This process involves risk identification, control identification, control test set-up, control testing, control assessment and risk assessment. Such data provides a current snapshot of the quality of the firm's control environment.
- Key Risk Indicators: the capture of metrics related to indicators that could predict operational failure. Such data provides a forward looking view of the firm's exposure to operational risk.
- Issues and Action Planning: captures, consolidates and tracks the firm's risk mitigation efforts around control weaknesses identified in each of the three data groups above. Such data provides insight into the proactive nature and effectiveness of a firm's ORM program.

Note: Operational Risk Management Entities. In order to associate the data to relevant dimensions, initially, the focal points of operational risk management need to be defined. This critical definition may be achieved through a process mapping exercise, whereby the product and services mix of the firm is matched up against the geographical locations where the firm operates. Once the combination of the organizational unit, product and location is defined, all the necessary processes and support functions required to sustain the chain of origination, execution and settlement may be comprehensively identified.

From a Compliance perspective, the following data is required:

- Policy on-boarding: In the event of a new regulation or a change to an existing regulation, the Compliance department is responsible for reviewing the impact; identifying the applicability and setting up of internal deadlines to comply with the change. The result of such analysis will be incorporated into an existing policy repository.
- Compliance obligations: From the policy repository, a list of compliance obligations is extracted. To be kept in mind is the fact that obligations could arise from both external and internal policies. This list details all the compliance obligations that a firm needs to meet in order to be compliant with all the regulations from the multiple jurisdictions that it is subject to.
- Controls: Against each obligation that has been defined, one or more controls with their associated control tests needs to be identified. It is to be noted that the same control may have also been associated with a risk that had been identified in the ORM Risk and Control Assessment process.
- Issues and actions planning: The risk mitigation efforts around any control weaknesses that were identified in meeting the compliance obligations of the firm need to be captured, consolidated and tracked.

Note: Compliance Entities. As with the definition of Operational Risk Management Entities, Compliance Entities also need to be defined, compliance obligations typically being associated to the product or service being offered by an organization unit in a particular geography.

Having completed a comprehensive review of the data requirements of both the ORM and Compliance programs, RiskTech has identified the following two areas with the greatest overlap and duplication, and hence the greatest opportunity for integration:

1. Risk and Control Assessments
2. Issues and Action Planning

Control Assessment is a key area for data re-use and eliminating duplication. This is illustrated in the example Risk and Control Self-Assessment (RCSA) process described in Figure 5.


Figure 5: Risk and control self-assessment (RCSA) process example

[Diagram: an Org Unit (mapped to Legal entity, Product and Standard BII business lines) owns processes Proc 1 to Proc N; each process has risks Risk 1 to Risk N; each risk has controls Ctrl 1 to Ctrl N with actions Action 1 to Action N; controls have control tests (Ctrl Test 1 to N) with control test issues (Ctrl Test Issue 1 to N) and control audits (Ctrl Audit 1 to N) with control audit issues (Ctrl Audit Issue 1 to N). The diagram is split into "Management RCSA" and "Independent Control Testing and Control Audit", with the text panels below.]

RCSA
- Identification and evaluation of risks to process/resources and product
- Identification and evaluation of controls around the risks
- Calculation (configurable) of: inherent Risk rating, Effectiveness of controls rating, Residual risk rating
- Mitigating actions; control gaps acceptance with justification
- Classifications or attributes may be attached to Process, Risk, Control, Action, Control Test, Control Test Issue, Control Audit, Control Audit Issue
- Flexible workflow definition

Control Testing
- Independently test the controls defined and evaluated in the RCSA
- Access (read only) to the entire RCSA and related action planning
- Management response enabled to Test Issues identified

Control Audit
- Independently test the controls defined and evaluated in the RCSA and also evaluate the Control Testing
- Access (read only) to the entire RCSA and related action planning
- Access (read only) to the Control Testing and Test Issues


Similarly, the integration of Issues and Action Planning activities across Compliance and ORM programs would provide a significant opportunity to eliminate duplication, reducing the cost and time required to complete associated action plans and increase consistency across the enterprise.

6. Assessment planning
While ORM is still an evolving discipline, financial institutions have always been subject to a multitude of regulations and compliance obligations that are unambiguous, well defined and well understood. The consequences of non compliance are relatively severe while ORM best practice is defined by the firms adherence to a set of prescriptive guidelines, non compliance to a regulation could result in steep regulatory fines or even the closure of the firms operations. The outcome of control testing is utilized ultimately to arrive at an overall Control Assessment of the applicable entity against which the control is associated. Control Testing has two key variables: 1. Control Test Frequency the periodicity of the control test, be it daily, weekly, monthly, quarterly, semi annually or annually. 2. Control Test Intensity the rigor with which the control test is performed. This typically relates to the sample size of control test data which could range from the entire set of transactions that have occurred within the period of the control test to a rule based proportion of such set of transactions within the timeframe of the control test frequency. Control Assessments based on frequent and intense control testing are obviously more reliable than Control Assessments based on less frequent and/or less intense control testing. It is reasonable to assume that, given the consequences of non compliance, the testing and assessment of controls related to key compliance obligations will, while not necessarily more frequent, at least be more intense than the control assessment requirements of an ORM program. A common pain point being experienced by large financial institutions today is the time and effort being consumed in the Risk and Control Assessment process. Control Testing is the area that requires the largest set of resources and time to complete. 
Very often, a line of business is required to provide evidence to the Compliance program of the quality of controls that have been mapped to a compliance obligation, shortly followed by a similar requirement from the ORM program. This redundancy, and wasted time and effort, may be limited by effective assessment planning that requires the involvement of the stakeholders, supported by the appropriate technology platform. The key elements of effective and efficient assessment planning are:
- Identification and participation of the stakeholders, such as business lines, ORM, Compliance, and other specialist and support departments such as Legal, HR, Finance, Audit, IT, Security, Facilities and Vendor Management, etc.
- A mapping of the risks that have been identified in the ORM program to the obligations as defined by the compliance program. This mapping could be explicit or implicit via the common control(s)
- A mapping of the different entities involved, e.g. ORM, Compliance and Audit entities
- The establishment of trigger conditions for assessments, related messages and notifications, including subscriptions, content, and type (task or alert)
- The identification of those controls whose assessments could be re-used and the areas that potentially would re-use this information


7. Broad functional capability of an integrated operational risk management and compliance platform
The following broad functionality must be available on a technology platform to meet the needs of ORM, Compliance and Audit:
- Definition of entities: the capability of combining stand-alone hierarchies such as organization unit, product, process and location into individual entities
- Policy and procedure management: serves as a repository for all policies and procedures to be followed across the enterprise. Document management capability is required to track changes to existing policies and procedures. Alternatively, a link to an institution's formal central corporate policy management portal would meet this requirement.
- Policy repository: a repository of the current policies that are being followed across the enterprise
- Compliance obligations: captures the entire set of compliance obligations that an enterprise must meet to satisfy its regulatory requirements
- Risk: the library of risks that have been identified, to be made available across the enterprise. Such risks may be tagged by the appropriate centralized department, as applicable to an entity, or could be used as reference and customized to local conditions.
- Controls: the library of controls (and associated control tests) made available across the enterprise
- Key risk indicators: collects and collates configurable risk indicator information
- Event Management: collects Loss and Near-miss Event data from around the organization
- Workflow: configurable workflow across data capture modules and related entities
- Assessments: planning and capturing assessments of controls and risks, including certifications required by certain compliance regulations, e.g. SOX
- Economic capital: the estimation of Operational Risk Capital utilizing the Advanced Measurement Approach
- Issues and action planning: the consolidated capture of Issues arising across programs, and their associated Action Plans.
- Audit: this requirement is focused on Risk-based Audit. Risk-based Audit is a system of random and more frequent audits based on the risk profile of individual business units/support functions/products. The annual audit plan should include the schedule and the rationale for audit work planned. It should also include the areas and their prioritization based on the level and direction of risk. At minimum, an independent area within Assessments and Issues and Action Planning must be provided to support Audit's oversight role.
- New product and process assessment: prior to the addition of a new product or process to the firm's current mix, or a change to an existing process being followed, an assessment of the impact must be performed to support the final decision.

8. The business benefits and value proposition


The identified clear-cut benefits of integrated GRC to an enterprise can be summarized as:
- Reduced complexity and redundancy: re-use of control assessments reduces the complexity and decreases cross-program redundancy
- Decreased cost: reduced effort in control testing results in cost and time savings
- Improved reliability: the re-use of control assessments based on high control test frequency and intensity to satisfy less demanding requirements results in improved reliability

GRC allows financial institutions to realize sustained benefits from an integrated solution for risk management, internal audit, corporate governance and compliance management. Some of the key value additions are as follows:
- An integrated and standardised approach to manage risk and compliance from a single platform
- Ability to leverage common controls and tests for managing complex regulatory requirements as well as risks
- Enhanced management analytics, reporting and performance metrics
- Improved overall quality of information and decision-making ability

About the author


Pat Medapa
Director, Operational Risk and GRC Practice, RiskTech

Pat Medapa is the Head of the Operational Risk and GRC practice at RiskTech. He has been involved in the field of operational risk management for over twelve years. Previously, he was Operational Risk Practice Head at i-flex Consulting and has been a key member of the ORM consulting team at PricewaterhouseCoopers. Over the last ten years, Pat has led successful ORM and GRC programs for financial institutions in the US, Europe and Asia-Pacific. He started his career in operational risk in the 1990s as a key member of the team that conceived, developed and implemented the operational risk management and modeling framework at Bankers Trust. He holds a Master's degree in Business Administration (Finance) from the University of Nevada, Las Vegas and is a graduate in Science from the University of Bangalore, India.

Contact: patm@risk-technology.com

About RiskTech
RiskTech's (Risk Technology International) mission is to be the worldwide, first-choice resource for all financial institutions involved in implementing and managing risk and compliance technology solutions. Our pool of experts is drawn from leading financial institutions, top four consulting firms and top risk software vendors with real-life, practical experience. With offices in New York, London and Mumbai, RiskTech's global consulting services include:
- Credit risk management
- Market risk management
- Asset & liability management
- Operational risk management
- ERM technology selection and implementation
- Value-based compliance covering: Basel II, Sarbanes-Oxley, Solvency II, AML and MiFID

For more information: www.risk-technology.com


The cyclicality of operational risk: The tracking phenomenon


Penny Cagan, Managing Director, Operational Risk Research and Content, Algorithmics and Yakov Lantsman, Senior Vice President, Algorithmics

Introduction
The genesis of this paper came from a simple observation. We noticed that when we plotted out operational risk data, there were spikes in the number and severity of loss events in 1994, 1998, and 2002. This led to more in-depth research, comparing changes in operational risk loss events with a standard measure of volatility. The first thing we noted was that these years were all periods of significant market swings, so we set out to find a measure that we could test against our emerging theory that operational risk events track market volatility.

We are familiar with the work others have done on tracking stock prices and shareholder value with operational risk; we supplied loss event data to many of these studies. (See "Operational Risk in the Insurance Industry" by Ran Wei, http://irm.wharton.upenn.edu/F03-Wei.pdf and "Managing Operational Risk in Banking" from McKinsey & Co, authored by Robert S. Dunnet, Cindy B. Levy and Antonio Simoes, http://fs.mckinsey.com/Display.aspx?id=66e9b645-704c-4d1f-911d-6c4b38d2015a) This time, we wanted to test our hypothesis against a standard measure of market volatility.

This approach was influenced by the events of the summer of 2007, when the stock markets experienced a liquidity crisis on the heels of the discovery of inherent problems in the subprime mortgage sector. At the time, we had no idea that the markets would experience the largest unauthorized trading event in modern banking history, although we had a sense that the environment was conducive to such an occurrence. We set out to pull together analytics to explain what we intuitively felt was a probable occurrence in the near future.

We settled upon the Volatility Index, or VIX, from the Chicago Board of Exchange (CBOE) as our standard measure of market volatility. The CBOE defines the VIX as "a key measure of market expectations of near-term volatility conveyed by S&P 500 stock index option prices." The CBOE also states that the VIX has come to be known since 1993 as "the world's premier barometer of investor sentiment and market volatility." The VIX index tracks investor sentiment and is reflective of what is happening in the markets. Our supposition, given some unique features of operational risk events, and the lag between begin and end dates, was that there are at least certain categories of risk types that might track alongside market volatility.


Figure 6: (From the Chicago Board of Exchange and Algo FIRST*): VIX index and large operational risk loss events
[Chart: CBOE Volatility Index (VIX) since 1990, daily closing prices, annotated with large loss events: Kidder Peabody/J. Jett (UAT), Barings (UAT), Codelco (UAT), WGZ (UAT), BankBoston (fraud), Enron (fraud), AIB Allfirst (UAT), Hamilton Bank (fraud), Calyon (UAT) and SocGen (UAT).]
Sources: CBOE and Bloomberg (Jan 2, 1990 to Jan 14, 2008)

Tracking changes: Mapping operational risk loss events against the VIX
The CBOE states that the VIX has come to be known, since 1993, as "the world's premier barometer of investor sentiment and market volatility." The start date for the VIX was ideal for our purposes, as it approximately coincided with the date when we first started collecting loss event data in the early 1990s. An empirical observation of spikes in the VIX corroborated that we were using the right index for our study and that we were onto something (see Figure 6). Both the VIX graph and the graph of loss events in our internal operational risk loss database showed, in the broader sense, the pattern of a sine wave, like the waves formed at the moment of impact when a stone is dropped into a still lake. We started thinking of operational risk loss events in this same way: we noticed an increase in the disclosure of operational risk loss events around the same time as the formation of volatility waves in the market, which we came to name the "tracking phenomenon."

Our next step was to map loss events against the VIX index. We experimented with frequencies and slices of the data until we were able to present the two data sets in a way that made sense from both a quantitative and a business perspective. Although we believe that daily data is the best barometer of volatility, for purposes of comparing both data sets we aggregated the VIX data to an average annual frequency. We continue to investigate the use of daily volatility data in our research work, in a mission to uncover a point-in-time measure that makes sense from the perspective of both the volatility and loss event data sets. It is difficult when dates of occurrence are considered in an examination of operational risk events, because, with a few exceptions, operational risk events do not represent a point in


time, but a continuum that encompasses a breakdown of internal controls, and a trigger that leads to the actual loss event. For this reason, we also decided that it made the most sense to use end date or discovery date as an approximation for a point in time when comparing loss data with volatility.

Because what we were after was volatility and a measure of change, which is essentially what the VIX measures, we mapped loss events against the volatility measure according to the change in the total frequency of events. This also allowed us to adjust for a collection bias and the probability that, as the disclosure of events becomes more transparent in the industry and media, it is more likely that we have identified a larger collection of losses during later years. When we plot the change in frequency of the total number of loss events against the changes in the average VIX, it becomes evident that changes in the two indexes track each other during key periods of volatility (see Figure 7).

Figure 7: Changes in total frequency of operational risk loss events vs. changes in the average VIX.
[Chart: two series, Changes in Total Frequency and Changes in Average VIX, plotted by year from 1991 to 2006.]
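The aggregation described above can be sketched as follows. This is an added example, not Algorithmics' code or data: the VIX closes and loss events are constructed, the function names are hypothetical, and reading "change" as the ratio of each year's value to the previous year's is an assumption, since the paper does not define it.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Constructed daily VIX closes (date, close); a real run would load the full series.
VIX_DAILY = [
    (date(1992, 2, 3), 15.0), (date(1992, 6, 1), 17.0), (date(1992, 11, 2), 16.0),
    (date(1993, 2, 1), 11.0), (date(1993, 6, 1), 13.0), (date(1993, 11, 1), 12.0),
    (date(1994, 2, 1), 13.0), (date(1994, 6, 1), 17.0), (date(1994, 11, 1), 15.0),
    (date(1995, 2, 1), 12.0), (date(1995, 6, 1), 11.0), (date(1995, 11, 1), 13.0),
    (date(1996, 2, 1), 16.0), (date(1996, 6, 3), 20.0), (date(1996, 11, 1), 18.0),
]

# Constructed loss events: (onset date, discovery/end date, risk class).
LOSS_EVENTS = [
    (date(1990, 5, 1), date(1992, 3, 10), "people"),
    (date(1992, 1, 15), date(1992, 9, 2), "process"),
    (date(1991, 7, 1), date(1993, 4, 20), "people"),
    (date(1993, 2, 1), date(1993, 11, 5), "relationship"),
    (date(1991, 3, 1), date(1994, 4, 18), "people"),
    (date(1993, 1, 4), date(1994, 2, 9), "people"),
    (date(1992, 6, 1), date(1994, 10, 3), "people"),
    (date(1994, 1, 10), date(1994, 12, 1), "relationship"),
    (date(1994, 5, 2), date(1995, 6, 14), "people"),
    (date(1995, 3, 3), date(1995, 8, 22), "external"),
    (date(1993, 9, 1), date(1996, 2, 12), "people"),
    (date(1995, 1, 9), date(1996, 7, 30), "people"),
    (date(1996, 4, 1), date(1996, 10, 15), "technology"),
]


def annual_average(daily):
    """Aggregate daily closes to one average value per calendar year."""
    by_year = defaultdict(list)
    for day, close in daily:
        by_year[day.year].append(close)
    return {year: mean(closes) for year, closes in sorted(by_year.items())}


def annual_frequency(events, risk_class=None):
    """Count events per year of discovery/end date, not onset date."""
    counts = Counter(found.year for _, found, cls in events
                     if risk_class in (None, cls))
    return dict(sorted(counts.items()))


def year_over_year(series):
    """Ratio of each year's value to the prior year's (assumed meaning of 'change').
    Years with no prior-year value, or a prior value of zero, are skipped."""
    return {y: series[y] / series[y - 1]
            for y in sorted(series) if series.get(y - 1)}


def pearson(xs, ys):
    """Pearson correlation; None when it is undefined."""
    if len(xs) < 2:
        return None
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return None
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (sxx * syy) ** 0.5


def tracking(daily, events, risk_class=None):
    """Align both change series on common years and correlate them."""
    vix = year_over_year(annual_average(daily))
    freq = year_over_year(annual_frequency(events, risk_class))
    years = sorted(set(vix) & set(freq))
    f, v = [freq[y] for y in years], [vix[y] for y in years]
    return years, f, v, pearson(f, v)


if __name__ == "__main__":
    for label, cls in (("all classes", None), ("people", "people")):
        years, f, v, r = tracking(VIX_DAILY, LOSS_EVENTS, cls)
        print(label, years, f, v, round(r, 3))
```

Working with year-over-year ratios rather than raw counts is what lets a steadily growing collection of disclosed events be compared with the VIX without the growth itself dominating the result.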

Figure 7, which demonstrates a link between market changes and the change in number of loss events, was a good starting point in our analysis. The graph displays a pattern between the two data sets. They appear to increase and decrease in tandem during our target periods of market volatility: 1994, 1998, and 2001-2002.

Our next task was to split the operational risk loss data into its five risk class components and examine if there was a type of risk that might be more pronounced, either in terms of a point-in-time action, or discovery during times of volatility. Figure 7 examines all the risk classes aggregated together. We proceeded to compare the VIX data against our five risk classes: people, process, relationship, external, and technology. (See definition of the risk classes in the following discussion.) Our supposition was that when we tested the data against individual risk classes that are more homogeneous groups of data, we would discover stronger dependencies between operational risk loss events and volatility.

An examination of the VIX shows that times of great volatility tend to last for relatively short, intense periods. This is very different from the profile of large risk events that can continue for years, or in the most extreme examples decades, before they are uncovered or discovered. We track duration of operational risk loss events from the onset of the initial fraud until its settlement or discovery date. What we have observed is that the point in time when a large


fraud or unauthorized trading event is revealed is often concurrent with market volatility. This is evident in the examples of real loss events that we provide in this paper. The loss data itself and the sample loss events demonstrate that an event may be ongoing for a relatively long period of time, but market volatility increases the probability that it will be discovered. In the case of unauthorized trading events, for instance, as market conditions become more volatile, the rogue trader continues to increase his losses while he tries to trade himself out of an ever-increasing hole. (See Codelco and Kidder Peabody cases discussed in this paper.) It becomes increasingly difficult to hide the accumulating losses until, almost by serendipity, they are uncovered. In addition, times of volatility lead to a "tightening of the belt" mentality in financial institutions, which also raises the likelihood that a risk event will be discovered.

What this means is that, contrary to general sentiment, losses do not lag behind market swings and volatility does not necessarily create a more fertile ground for operational risk losses. The rogue individuals and fraudsters are often long at work in perpetrating their misdeeds before the markets turn volatile. Instead, it enhances the severity of such losses and leads to their eventual unravelling. In other words, there is a greater chance that loss events will be ferreted out from the holes in which they have been hiding during market swings.

What is interesting is that while the largest operational risk events are uncovered during volatile market conditions (Societe Generale, Enron, Barings, BCCI, Kidder Peabody, Codelco), they were ongoing during times of relative calm and prosperity. We believe this is consistent with the general belief in credit risk that times of exuberance and positive market conditions can lead to a lax risk culture. This also holds true for operational risk cultures, which might operate under a more fluid control environment during growth periods. When markets start turning downward, both credit and operational risk officers have a tendency to tighten their belts.


The impact of volatility on risk classes


We track loss events according to five risk classes:
1. People Risk: The risk of a loss intentionally or unintentionally caused by an employee, i.e. employee error, employee misdeeds, or involving employees, such as in the area of employment disputes. This risk class covers internal organizational problems and losses.
2. Process Risk: Risks related to the execution and maintenance of transactions, and the various aspects of running a business, including products and services.
3. Relationship Risk: Losses arising from the relationship or contact that a firm has with its clients, shareholders, third parties, or regulators.
4. Technology Risk: The risk of loss caused by a piracy, theft, failure, breakdown or other disruption in technology, data or information; also includes technology that fails to meet business needs.
5. External Risk: The risk of loss due to damage to physical property, or assets from natural or non-natural causes. This category also includes the risk presented by actions of external parties, such as the perpetration of fraud, or in the case of regulators, the execution of change that would alter the firm's ability to continue operating in certain markets.

When we examined the change in number of events in each of the five risk classes separately against changes in the VIX, it became evident that the closest match was the people risk class, which includes embezzlement, fraud, trading misdeeds, and other acts of intentional employee-related malfeasance (see Figure 8). We noticed a less pronounced but still notable tracking effect when we isolated changes in relationship risk events vs. changes in the VIX (see Figure 9).

Figure 8: Changes in people risk class vs. changes in the VIX
[Chart: two series, Changes in People Frequency and Changes in Average VIX, plotted by year.]


Figure 9: Changes in relationship risk class vs. change in the VIX
[Chart: two series, Changes in Relationship Frequency and Changes in Average VIX, plotted by year from 1991 to 2006.]

People risk losses: The key to monitoring potential operational risk losses during times of volatility
The tracking phenomenon demonstrated in our people risk category of events, as viewed in Figure 8, suggests the importance of enhancing monitoring of this category of potential events during times of volatility, such as we witnessed in the summer of 2007. We continue to be in the throes of extreme market volatility, but it is apparent that the number and severity of people risk events have increased. We have experienced two notable unauthorized trading events which impacted two French banks: the first, a $347 million event, surfaced during the turbulent 2007 summer. The second, significantly larger loss event, valued at an estimated $7.2 billion, was discovered in early 2008.

There are a variety of archetypical people risk events that can occur during times of volatility. These include unauthorized trading, front-running, embezzlement, misappropriation of funds, and aiding and abetting. Below, we have provided excerpts from the full case studies in our operational risk database, in order to demonstrate the scope and severity of events that have occurred in the past during times of market volatility. The following is a list of market events that led to volatility and associated people risk events.

Market Event of 1994: The Federal Reserve raises interest rates multiple times
The US Federal Reserve raised interest rates several times in 1994, which resulted in substantial losses across the industry for derivative products with underlying securities tied to interest rates. Interest rates had been low for a long time before this period and interest-rate derivatives felt like a safe and profitable investment; the markets appeared to forget that rates would start heading upwards at some point. Some managers of conservative mutual funds during this period added derivatives kickers to their portfolios. When rates started being raised month after month by the Federal Reserve, a large number of institutions that had purchased derivatives lost money, including Gibson Greetings, Procter & Gamble, and mutual fund managers.

Examples of large people risk events from 1994:
- The Joseph Jett bond-trading scandal was one of a series of problems that plagued Kidder Peabody and eventually prompted the sale of the once highly profitable and elite firm by parent entity General Electric to PaineWebber in 1994. The SEC alleged that between 1991 and 1994, Joseph Jett faked nearly $350 million in profits in order to hide $80 million in losses through a complex trading scheme. The SEC ultimately targeted lax controls within the company as a contributing factor to the event and criticized Kidder's management for poor supervision and judgment, and for creating an environment where "employees were unwilling to ask tough questions when money was being made." In March 2000, GE agreed to pay $19 million to settle a class action shareholder suit. In a final resolution of the case, the Southern District Court of New York entered a judgment on September 7, 2007 that ordered Jett to repay $8.21 million and pay a $200,000 fine.
- In 1994, in an unauthorized trading case, Corporacion Nacional Del Cobre De Chile (Codelco), the world's largest copper mining company, incurred a $170 million loss from the activities of rogue trader Juan Pablo Davila. During the course of the 1994 copper futures scandal, Codelco discovered that Davila, its chief futures trader, had engaged in unauthorized trading activities. Between 1993 and 1994, Mr. Davila was alleged to have made unauthorized trades that cost the company $170 million.

Market Event of 1998: Russia defaults
Russia was into its sixth year of economic reform in 1998, and the first one of positive economic growth since the fall of communism, when it failed to meet its debt obligations. Russia was in the process of renegotiating the sovereign debt it had inherited from the former Soviet Union when it defaulted in August 1998. On August 17, 1998, the Russian government floated the exchange rate, devalued the ruble, defaulted on its domestic debt, and restructured its ruble-denominated debt. It also suspended all payments to foreign creditors for 90 days. This led to a collapse in other unrelated sectors of the emerging markets and multi-billion dollar losses at US hedge fund Long Term Capital Management (LTCM). The effect on the market of LTCM's unwinding its position was so enormous that the Federal Reserve Bank, in a historic move, initiated a bailout of the hedge fund.

Examples of large people risk events from 1998:
- On October 23, 1998, Westdeutsche Genossenschafts-Zentralbank eG (WGZ Bank) uncovered a people risk incident that cost the German co-operative bank $230 million. Two currency/FX option traders had manipulated data since the second quarter of 1997, in order to cover up losses they had incurred due to unauthorized trading. The perpetrators worked at WGZ Bank for many years and knew the vulnerabilities in the bank's computer system that allowed them to circumvent internal controls. In order to hide their losses from detection by daily market risk control systems, the traders entered incorrect values into a system that calculated dollar exchange rates.
- In a case of people risk, the former executive at BankBoston's international private bank in New York, Ricardo Carrasco, was charged with defrauding the bank of $73 million. In February 1998, Carrasco disappeared and a month later it was alleged that he had embezzled money by making fraudulent loans. BankBoston filed a $67 million lawsuit in May 1998, alleging that Carrasco had "fraudulently induced" the bank to grant $73 million loans to Argentine businessman Barreiro Laborda and companies controlled by Laborda. The Federal Reserve said that Carrasco opened at least 26 accounts for Laborda over a three-year period, beginning in 1994.

Market Event of 2001-2002: Spitzer focuses on market practice issues; Enron collapses
2001 and 2002 were years of great change in the financial services industry, as a result of the activist stance of former New York State Attorney General Eliot Spitzer. The former Attorney General changed the rules of the game for what was acceptable on Wall Street when he focused attention on consumer issues and how small investors are impacted by market practices.


Regulators of the financial services industry, such as the Securities and Exchange Commission and the Federal Reserve Bank, previously focused on issues of solvency and an institution's ability to preserve capital during times of volatility. This period also saw the dissolution of Enron and WorldCom, two of the largest companies in the United States, and accounting frauds that surfaced in many other institutions. Eliot Spitzer was later named Man of the Year by the Financial Times, in recognition of the global impact he had on the financial markets.

Examples of large people risk events from 2002:
- In what the Financial Times (2/7/2002) called "another chapter in the cult of the rogue trader," and the largest such case since Nick Leeson managed to topple Barings Bank, Allied Irish, Ireland's largest bank, revealed on February 6, 2002 that a currency trader had disappeared after defrauding a US-based subsidiary of $691.2 million. John Rusnak was identified as the rogue trader who worked at Allied Irish's Maryland-based subsidiary, Allfirst. He initially went into hiding after the event was made public. Mr. Rusnak later surfaced and pled guilty to one count of bank fraud on October 24, 2002. He was sentenced to a prison term of seven and a half years in January 2003. It was later determined that the small Maryland-branch operation did not have the proper controls in place in order to oversee a proprietary trading operation.
- The US Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) shut down Hamilton Bank N.A. of Miami on January 11, 2002. Hamilton Bank had about $130 million of potentially uninsured deposits held in approximately 3,600 accounts at the time of its closing. In 2006, Hamilton's chairman, Eduardo Masferrer, was sentenced to 30 years and 2 senior officers of the bank drew shorter prison terms. A law firm that represented Hamilton's audit committee also agreed to pay fines in settlements with the OCC and FDIC.

Market Events of 2007 & 2008: Crunch in credit markets and subprime blow-up lead to volatile trading conditions
Market conditions for all financial institutions and lenders became so precarious during August 2007 that the Federal Reserve stepped in to add liquidity to the markets. The Federal Reserve last provided cash to the banking system in 1998, during the collapse of hedge fund Long-Term Capital Management. When the Federal Reserve moved to cut the discount borrowing rate, it released a statement saying that risk in the markets had increased appreciably. With short-term borrowing all but shut down by an associated freeze in the bank wholesale lending sector, and capital market transactions halted, trading markets drifted wildly between highs and lows.

Examples of large people risk events from 2007 and 2008:
- Credit Agricole released a statement on September 18, 2007 indicating that a large market position on the books of subsidiary Calyon's New York-based proprietary trading desk had been uncovered. The position was in unidentified credit market indices that were acquired during the last days of August and in excess of unauthorized internal limits. The bank said that when the cost of unwinding the trade is accounted for it will result in a €250 million ($347 million) loss. The position in question was taken by Calyon's proprietary trading desk. Six unidentified traders were allegedly involved in building up the unauthorized position. The accumulation of unauthorized positions occurred in late August 2007, at the height of the market volatility that was caused by the credit crunch and problems in the subprime mortgage sector.
- Societe Generale announced a €4.9 billion (USD $7.2 billion) loss on January 24, 2008 as a result of the misdeeds of one rogue trader. The bank characterized the largest rogue trading event to date as the result of elaborate fictitious transactions that allowed the 31-year-old trader to circumvent a series of internal controls. The trades in question


involved plain vanilla stock-index futures. The trader previously worked in a back office function for the bank and is believed to have gained knowledge of how to circumvent the bank's systems through this prior position. He was characterized by the governor of the Bank of France as a "computer genius." SocGen estimated that the value of Kerviel's positions was 50 billion euros ($73.26 billion). A recent report published by the French Finance Ministry estimated that Kerviel's rogue trades started in 2005.

Conclusions: Market volatility and operational risk


It is generally believed in the risk world that market booms lead to irrational exuberance and a certain laxity in lending standards that can create losses later on when market conditions turn downward. We especially believe that this is true with operational risk and business practices. The operating environment and control structure of a financial institution may become more fluid and adaptive during exuberant times, when the implementation of controls might be viewed as counter to growth and entrepreneurship. With the present identification of people risk losses that are in particular tracking market volatility, we believe it will become possible for risk managers to more accurately and astutely track potential weaknesses within their organizations. There are a number of controls that were apparently missing, weak, or nonperforming in the loss events that are excerpted in this paper. Supervision is a key issue and, in many of these cases, a lack of supervision was cited as a prominent omission by regulators. These events may have been perpetrated by a single individual, or group of wayward employees, but management was seemingly looking the other way. In many of the unauthorized trading events, the rogue trader was booking returns significantly above the average. In these cases, management often abdicates its role to manage, in favor of looking the other way. Managers and supervisors need to be willing to ask the tough questions at all times, but especially during times of high market volatility. Testing for data accuracy is another contributing factor that was present in many of the events discussed above. Many of the internal frauds and rogue trading events involved some sort of manipulation of data. Many of the traders had knowledge of how their companys systems operated and had the wherewithal to figure out how to manipulate inputs into company accounts, trading books, risk management systems, or ledgers. 
For the most part their inputs went unchecked and were not validated by another set of eyes. Times of high market volatility demand not just double verification, but perhaps triple verification of such inputs. It is also wise to run tests on internal risk systems, in order to determine where there could be vulnerabilities.

This emphasis on people risk and internal fraud does not mean that other types of risks, such as relationship risk, involving regulatory authorities, clients, and market practices, do not increase during times of volatility. In fact, some of the largest risk events fall into this category. This includes the large Enron, WorldCom, and conflict-of-interest settlements that global banking organizations reached with shareholders and regulators. The people risk category most closely tracks market events, but in general, all risk categories increased in terms of their rate of change along with an increase in volatility.

Times of volatility raise the stakes in the risk management game. Risk climates are established during times of relative calm and quiet. Risk managers always face the challenge of maintaining their independence and receiving senior management approval for their risk management initiatives. These times demand enhanced scrutiny of operational risk, with the associated prospect that additional capital may need to be set aside to cover associated losses that surface during this period. This suggests an associated move during such extraordinary times from loss prevention in a stable operating environment to loss control in a more tumultuous one. It may be that we will come to a time when we can more accurately track risk capital to market volatility and adjust the levels as necessary, and according to market demands.

It is our belief that market volatility is a powerful indicator of increased frequency of operational risk events, especially in the category of internal fraud. Extreme swings in volatility in a market or sector should serve as a warning that it is no longer a status quo situation. We hope this research will help create a proactive response to operational risk during times of volatility and an opportunity for our clients to approach such times with an "all hands on deck" attitude.

We will continue to track and monitor loss events against volatility measures and deepen our analytical research into the topic. Our continuing effort includes the tracking of operational risk events and the further development of an analytical framework in order to model dependencies between the VIX and possible additional indices and operational risk loss data. Our goal is to eventually develop best practices and business approaches toward the understanding of how volatility impacts the management of operational risk and what specific actions need to be taken, or practices modified, during times of high volatility.

*Note: all loss data used in this study is from Algo FIRST, Algorithmics' database of external risk loss events.


About the authors


Penny Cagan
Managing Director, Operational Risk Research and Content, Algorithmics

Penny Cagan is a Managing Director with the operational risk division of Algorithmics. Leveraging over twenty-five years' experience in financial services research, Penny manages the operational risk loss event databases Algo FIRST and Algo OpData, and leads research for the group. A highly regarded and frequently requested speaker, Penny has delivered many keynote presentations and has published numerous articles in Risk magazine, Operational Risk newsletter, FOW, and the John Liner Review. Penny developed the case study approach to operational risk based on external events, and was the first person to go to market with an operational risk case study database. As manager of Algo FIRST for the past seven years, she has established the best practice standard for examining and analyzing industry case studies. Earlier in her career, she served as Head of Research for Deutsche Bank's North American Business Information Services division and as Head of Reference Services with PaineWebber's investment banking division. Penny holds an MLS in Library Science and a BA and MFA in English Literature and Creative Writing.

penny.cagan@algorithmics.com

Yakov Lantsman
Senior Vice President, Algorithmics

Yakov Lantsman is a Senior Vice President at Algorithmics, where he guides the company's quantitative modeling efforts. A twenty-year veteran with vast industry experience in applied mathematics and risk modeling, Yakov is a frequent presenter and author on modeling very complex processes, including fitting distributions, identifying theoretically valid computational short-cuts, and econometric modeling. Prior to joining Algorithmics, Yakov was Senior Vice President at Willis Re, leading the company's Research and Development efforts. This role built on Yakov's experience with Fitch Risk Management Services, where he was Senior Vice President and Head of Quantitative Services, as well as his experience as Assistant Vice President at Guy Carpenter & Company, where he was responsible for research and statistical modeling. Yakov received a PhD in Mathematics from Tashkent Institute of Technology and an MS in Mathematics from Tashkent State University.


About Algorithmics
Algorithmics is the world's leading provider of enterprise risk solutions. Financial organizations from around the world use Algorithmics' software, analytics and advisory services to help them make risk-aware business decisions, maximize shareholder value, and meet regulatory requirements. Supported by a global team of risk experts based in all major financial centers, Algorithmics offers proven, award-winning solutions for market, credit and operational risk, as well as collateral and capital management. Algorithmics is a member of the Fitch Group.

© 2007 Algorithmics Software LLC. All rights reserved. You may not reproduce or transmit any part of this document in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the express written permission of Algorithmics Software LLC or any other member of the Algorithmics group of companies.

ALGO, ALGORITHMICS, Ai & design, ALGORITHMICS & Ai & design, KNOW YOUR RISK, MARK-TO-FUTURE, RISKWATCH, ALGO RISK SERVICE, ALGO CAPITAL, ALGO COLLATERAL, ALGO CREDIT, ALGO MARKET, ALGO OPVANTAGE, ALGO OPVANTAGE FIRST, ALGO RISK, and ALGO SUITE are trademarks of Algorithmics Trademarks LLC.


Related Chartis Research


Operational Risk Management Systems 2008 Market Analysis; March 2008; Doc #RR0801; Research Report
RiskTech 100 2007; November, 2007; Doc # RR0703; Research Report
RiskTech 100 2006; November, 2006; Doc # RR0603; Research Report
Operational Risk Management Systems 2006; May, 2006; Doc # RR061; Research Report
Operational Risk Management Systems Case Study; May, 2005; Doc # RN056; Research Notes
Operational Risk Management Key Risk Indicators and Scorecards; May, 2005; Doc # RN055; Research Notes
Operational Risk Management The Quantification Challenge; May, 2005; Doc # RN054; Research Notes
Regulatory Capital Assessments for Banks Key Challenges; March, 2005; Doc # RP0604; Research Notes
Economic Capital Best Practice Life Insurance; February, 2006; Doc # RP0603; Research Notes
Economic Capital Best Practice Banking; February, 2006; Doc # RP0602; Research Notes
Risk Aggregation Best Practice; March, 2006; Doc # RP0601; Research Notes

All related research can be found at www.chartis-research.com


Chartis Research Europe The City Arc Curtain Court 7 Curtain Road London EC2A LT + (0)207809661 www.chartis-research.com

Chartis Research US  Wall Street 12th Floor New York NY 1005 +1 212 61 7127
