
Operational Risk in Financial Services

Michael Pinedo
Stern School of Business, New York University

Overview
I INTRODUCTION AND PRELIMINARIES
I-a Examples of Operational Failures
I-b The Place of Ops Risk Management in a Company
I-c Process Mapping, Reliability Theory, and Optimal Redundancies
I-d Ops Risk and Total Quality Management (TQM)

II MEASUREMENT OF OPERATIONAL RISK
II-a Basel II
II-b VaR and Ops VaR
II-c Measurement of Operational Risk and Self-Assessment
II-d Data Collection (internal) and Analysis
II-e Distributions of Losses and Extreme Value Theory (EVT)
II-f Key Risk Indicators (KRIs) and Multi-Factor Analysis
II-g External Loss Data (ORX)
II-h Correlations and Dependencies

III CONCLUSIONS AND DISCUSSION
III-a Overview of framework
III-b Hedging Ops risk (insurance, securitization, etc.)
III-c State of the art: systems, software

I-a Examples of Different Types of Operational Failures in Finance


- Mizuho (human error, Japan)
- Allied Irish Bank (unauthorized trades (currency trading), small organization, United States)
- Société Générale (unauthorized trades (equity derivatives, stock index futures), large organization, France)
- HIH Insurance (bad diversification, lack of transparency and oversight, Australia)
- TD Ameritrade (website crash)
- Cantor Fitzgerald (bond trading house; lost 2/3 of its operations on 9/11)

Mizuho (Tokyo, 2005)
Human Error: Trader tries to sell 300,000 shares at 1 yen instead of 1 share at 300,000 yen.
Parties Involved:
- Mizuho
- Tokyo Stock Exchange
- Fujitsu (designer of the computerized trading system)
- UBS (counterparty who made the most money)
Results: Several high-level people had to resign.

Human Errors
Complexities in information system design:
- Requirements of having a real-time feed of market data. (Not easy, especially not when stock is very lightly traded or when trading is very volatile.)
- Information may have to be fed into a neural net in order to detect anomalies. The neural net has to provide feedback in real time.

Allied Irish Banks (cont'd.)

Rogue Trading
- Frequency and Severity: Quite frequent and very severe.
- Usually starts small and very innocuous (cover-up of an error), but then may continue for many years (while expanding) before being discovered.
- Where does it occur? U.S., Europe, Singapore, South America, ...
- How to avoid? Internal audits and controls (with separate lines of reporting), regular internal transfers, mandatory vacations, ...

- Nick Leeson: 1995-1999, Singapore prison
- Yasuo Hamanaka: 1997-2005, prison in Japan
- Jerome Kerviel
- Juan Pablo Davila: 1999-2007, prison in Chile

Natural Disasters, Terrorist Attacks

- Cantor Fitzgerald lost 2/3 of its operations on 9/11 (including all its top management with the exception of CEO Howard Lutnick).
- Where should a company keep all its computer backups and how are they kept current? (e.g., servers at Schwab)
- How should the organigram of a company be redrawn when top management is victim of an accident?
- After 9/11 there are legal requirements with regard to locations of backups.

I-b The Place of Ops Risk Management in a Company

Types of Risks in a Financial Services Company

- Market Risk
- Credit Risk
- Operations Risk
- Business Risk
- Strategic Risk

FINANCIAL RISKS IN BANKS

[Figure: Overview of risks in financial services, by risk type, sources of risk and primary scope of application]
- Credit Risk (counterparty failure to meet obligations). Sources of risk: counterparty default; counterparty credit rating change; other credit risks. Primary scope of application: loans, futures, swaps, bonds, equities, options, interbank transactions, trade financing, foreign exchange transactions, settlement of transactions, other.
- Market Risk. Sources of risk: interest rate risk; liquidity risk; foreign exchange rate risk; equity price risk; other market risks. Primary scope of application: debt securities, equities, commodities, other.
- Operational Risk. Sources of risk: internal operational risks (people, process, systems); external operational risks (people, natural disasters). Primary scope of application: operational efficiency in all business lines (corporate finance, trading & sales, retail banking, commercial banking, payment & settlement, agency services & custody, asset management, retail brokerage).
- Other. Sources of risk: business/strategic risk; reputational risk; political risk; general legal risk; other risks. Primary scope of application: short- and long-term business strategies, transactions, other.

Goldman Sachs Annual Report (2001)


Ops Risk is finally getting some attention!


Types of Operational Risk Losses


1. Transaction Errors: Includes restitution payments (principal and/or interest) or other compensation to clients as well as disbursements made to incorrect parties and not recovered.

2. Loss of or Damage to Assets: Reduction in value of the firm's non-financial assets and property due to some kind of accident (e.g. neglect, accident, fire, earthquake).

3. Theft, Fraud and Unauthorized Activities

4. Regulatory, Compliance and Taxation Penalties: Fines, or the cost of any other penalties, such as license revocations and associated costs; excludes lost/forgone revenue.

5. Legal Liability: Judgments, settlements, external legal and other related costs which arise as a result of an Operational Risk Event.

Basic Operational Risk Factors


People risk
- Incompetency
- Fraud, ...

Process risk
A. Model risk
- Model/methodology error
- Mark-to-model error, ...
B. Transaction risk
- Execution error
- Product complexity
- Booking error
- Settlement error
- Documentation/contract risk, ...
C. Operational control risk
- Exceeding limits
- Security risks
- Volume risks, ...

Technology risk
- System failure
- Programming error
- Information risk
- Telecommunication failure, ...

Objectives of an Operational Risk Management Function


- To generate a broader understanding of operational risk issues at all levels of the firm that touch on key areas of risk.
- To enable the organization to anticipate risks more effectively.
- To change behavior in order to reduce operational risk and to enhance the culture of control within the organization.
- To provide objective information so that services offered by the organization take account of operational risks.
- To provide support in ensuring that adequate due diligence is shown when carrying out mergers and acquisitions.
- To provide objective measurements of performance.
- To avoid potential catastrophic losses.
(Compare this with a quality control function in a manufacturing company.)

I-c Process Design, Mapping, Reliability Theory and Optimal Redundancies

Process Mapping and Potential Risk/Failure Points
- Processes are complex structures of activities in series and activities in parallel.
- The reliability or the error rate in each one of the steps of such processes can be estimated. The potential failure points have to be determined.
- Adding additional quality control checks is determined by a trade-off between the cost of a check, the reduction in the probability of a failure and the expected damage of a failure.

I-d Ops Risk and Total Quality Management (TQM)

Why TQM or 6 Sigma?
- Bank of America has to process daily approximately 30,000,000 checks. The number of checks not processed correctly is less than 100.
- A major investment bank in NY processes daily approximately 10,000 Forex trades. The number of trades with minor errors is less than 100. The number of trades with a medium-size error is less than 1. (Note: each trade may be subject to a number of amendments or exceptions.)

What can Financial Services Learn from other Industries with regard to mitigation of Ops Risk through Total Quality Management?
From the Manufacturing industry:
-- Shingo systems (Poka-yoke systems)
-- Statistical Process Control (SPC)
-- Deming's 14 points
From the Aviation industry:
-- Near-Miss reporting systems
-- Check lists
From the Health Care Industry:
-- Second opinions
-- Knowledge system software

Comparison of the Different Service Industries


Industry: Transportation (Aviation, Shipping)
- Loss Potential: Major loss of life; environmental damage
- Risk Measurement: Near-Miss Reporting Systems
- Risk Mitigation Procedures: Checklists; redundancies

Industry: Health care (hospitals, nursing homes)
- Loss Potential: Loss of life
- Risk Measurement: Success rate of surgeries
- Risk Mitigation Procedures: Second opinions; knowledge system software

Industry: Financial Services (Retail Banks; Investment Banks)
- Loss Potential: Major financial losses
- Risk Measurement: Losses can be measured precisely (relatively high probability of catastrophic loss)
- Risk Mitigation Procedures: Redundancies; hedging; insurance; securitization

Industry: Hospitality Industries (hotels; cruise ships)
- Loss Potential: Limited financial losses (thefts; accidents)
- Risk Measurement: Surveys; losses cannot be measured easily (low probability of catastrophic loss)
- Risk Mitigation Procedures: Security systems; training of personnel

II-a Basel II

STRUCTURE OF BASEL II CAPITAL ACCORD
- Pillar 1: Minimum capital requirements
  1. CREDIT RISK (since 1988)
  2. MARKET RISK (since 1996)
  3. OPERATIONAL RISK (since 2001)
- Pillar II: Supervisory review of capital adequacy
- Pillar III: Market discipline & public disclosure

Pillar 1 for Operational Risk: Capital Charge Measurement Approaches
- Basic Indicator Approach (BIA) (top-down approach)
- Standardized Approach (SA) (top-down approach)
- Advanced Measurement Approaches (AMA) (bottom-up approaches)

Figure: Structure of the Basel II Capital Accord and Pillar I for operational risk

Business Lines
1. Corporate Finance
2. Trading and Sales
3. Retail Banking
4. Commercial Banking
5. Payment and Settlement
6. Agency Services
7. Asset Management
8. Retail Brokerage

Event Types
1. Internal Fraud
2. External Fraud
3. Employment Practices and Workplace Safety
4. Clients, Products and Business Practices
5. Damage to Physical Assets
6. Business Disruption and System Failures
7. Execution, Delivery, and Process Management

II-b What is VaR and what is OPS-VaR ?


- Based on analytic techniques widely used in the insurance industry to measure the financial impact of an event
- Used for determining
  - the expected loss from operational failures
  - the economic capital for operational risk
  - concentration of operational risk
- OP VaR makes no assumptions about the causes of the failure, just like Market VaR makes no assumptions about the cause of interest rate moves
- Can be applied to all types of operational risk exposures across all the businesses of the bank
- Can be used to design insurance and other risk transfer coverage

Risk Concepts
[Figure: Loss distribution built from aggregate loss frequency and aggregate loss severity, marking expected losses (covered by provisions or pricing), unexpected losses, Value at Risk (VaR) and catastrophic losses.]

Value at Risk (VaR)
- The amount of loss which will not be exceeded over a certain time horizon (e.g. one year) with a certain confidence (e.g. 95%)
- Applicable to market, credit, and operational risk
- One of the most common risk measures
- Certain pitfalls: does not always decrease as portfolio is diversified, lower bound for higher losses, ...

Operational Risk VaR
Loss Distribution Approach (LDA): Frequency and severity of losses are estimated based on historical internal loss data. Aggregate loss over the next time horizon T:

$$S = \sum_{i=1}^{N_T} L_i$$

$N_T$ is the random variable representing the frequency of losses over the next time period T and the $L_i$ are i.i.d. random variables representing the severity of losses.
For fixed frequency, the distribution of the sum is the convolution of the single severity loss distribution.
Basel Requirement: 99.9% confidence level and 1 year time horizon.

$$P\left(S < \mathrm{VaR}_{99.9,\ 1\,\text{year}}\right) = 0.999$$

Determine severity and frequency distribution and compute VaR using Monte Carlo simulation, assuming losses are independent and identically distributed and severity and frequency are independent. Sample frequency, N, and then take N samples from severity and sum up.
Firm-wide VaR is sum of VaR for each BPM0, region, and Loss Type cell. Need to justify use of correlations in reducing VaR.

From Tools for Risk Analysis to Ops-Var


[Figure: Flow from the exposure base (EIs), internal loss history and industry loss history, through calculation of actual PEs & LGEs (actual loss rates, projected loss rates), scenario analysis, stress scenarios and key risk drivers (KRDs), to calculation of OP VaR (OpVars, RAROC) and reporting (OpVar report).]

II-c Measurement of Operational Risk: Self-Assessment

Who is Measuring Operational Risk?

- Internal Audit
- Senior Management
- Risk Management
- Legal
- Operations
- Business Management
- Insurance
- Finance
- Information Technology

How is Operational Risk Measured ?


The industry measures Operational Risk in two ways:
1. Quantitative Approach
   - Statistical
   - Historical
   - Internal/External Failures
   - Monte Carlo simulation
   (Too rigid. Relevancy?)
2. Qualitative Approach
   - Based on self-assessments
   (Too judgmental. No reference points.)

Either approach on its own does not tell the whole story.

Basel II makes a distinction between several approaches


(1) Basic Indicator Approach (BIA)
(2) Standardized Approach (SA)
(3) Advanced Measurement Approaches (AMA)
    - Internal Measurement Approach
    - Scorecard Approach
    - Loss Distribution Approach

Basic Indicator Approach (BIA)
- The operational risk capital charge under BIA is calculated as a fixed percentage of the average over the previous three years of positive annual Gross Income (GI). (Gross income is net interest income plus net non-interest income.)
- Percentage is currently set at 15%
- Very crude!

Loss Distribution Approach


The Loss Distribution Approach:
- Standard statistical techniques are available
  - which techniques are most appropriate?
  - which are appropriate for modeling the tail of the distribution?
- Data quality is important
- Incorporating high-severity events
  - External data?
  - Scenario analysis?

Loss Distribution Approach continued

Generally, estimation of an operational loss distribution involves 3 steps:
1. Estimating a frequency distribution
2. Estimating a severity distribution
3. Running a statistical simulation to produce a loss distribution (the compound distribution usually does not have a nice analytical form)

Overview of LDA continued...


[Figure: A frequency distribution (density against number of loss events per year) and a severity distribution (density against $ value of a loss event) are combined into the density of total operational loss over a 1 year time horizon, with expected loss marked at 25 million and unexpected loss, 99.9%, marked at 250 million.]

[Figure: Two panels. Severity of Loss: empirical data with fitted LogNormal and Fat-Tail LogNormal curves, probability of loss against log of loss amount in $mm; distribution selected based upon statistical best-fit tests. Event Frequency: probability against annual frequency; mean frequency = 296; 221 events / 0.75 years.]

Severity of Loss
- Theoretical distributions are fitted to the empirical data using a statistical fitting technique called Maximum Likelihood Estimation.
- Best-fit distribution is selected based on statistical tests which calculate the maximum difference between the theoretical distribution and the empirical data.

Event Frequency
- Annual frequency of event determined using historical event occurrence, taking into account business changes, adjustment for trends.
- Absent additional information, frequency is assumed to follow a Poisson distribution, standard in the industry, used to model randomly distributed events.

II-d Data Collection and Analysis

Internal Data
- Frequency data
- Severity data

How should we deal with outliers?

Are internal data sufficient to be able to analyze and estimate low-frequency events?

How to Record Occurrences of Events to Obtain Frequency of Loss Data
Each loss event has several dates associated with it, namely,
- Date at which event was triggered (cause)
- Date at which event was discovered
- Date at which loss was taken into account
Which ones of these dates are important?
With regard to losses, which losses should be recorded?
- Recently perceived market values
- Invested funds (adjusted with reasonable ROI)

Fitting Frequency Distributions: Regression
- Key risk indicators (KRIs): business control factors are used as a proxy or indicator for the quality of the control environment, e.g. transaction volume, employee headcount, transaction fails count.
- KRIs are used along with the historical loss frequency to estimate the frequency in the VaR model by a Poisson regression procedure. Some functional relation is assumed between the Poisson frequency and the KRIs, and the parameters in the functional relation are estimated using maximum likelihood.

For example, the frequency n is assumed to be Poisson distributed:

$$f(n) = \frac{\lambda^{n} e^{-\lambda}}{n!}$$

Poisson frequency is linearly related to the KRIs:

$$\lambda = \alpha \cdot \mathrm{Fails\_Count} + \beta \cdot \mathrm{Transactions\_Count}$$

Maximum likelihood is used to estimate $\alpha$, $\beta$:

$$L(\alpha, \beta) = \sum_i \log f\left(n_i, \mathrm{Fails\_Count}_i, \mathrm{Transaction\_Count}_i;\ \alpha, \beta\right)$$

Sensitivity analysis: impact on VaR from bumping up transaction volume or fails count by 10%, 50%, etc.

Fitting severity distributions
- Severity distributions: Lognormal, normal, exponential, gamma, Weibull, Champernowne (studied for wage distributions; lognormal in body and Pareto near tail). Exploring alpha-stable and g-and-h distributions.
- Maximum likelihood method estimation (parameters which maximize the log-likelihood of observations)
- Goodness-of-fit tests: Kolmogorov-Smirnov

$$D = \max_i \left| F_{\text{empirical}}(X_i) - F_{\text{model}}(X_i) \right|$$

  Kuiper (supremum), Anderson-Darling (minimize square of difference between empirical and model)
- Conditional maximum likelihood is used to estimate severity parameters in the presence of a lower threshold, K

$$\hat{\theta} = \arg\max_{\theta} \sum_k \log \frac{f(X_k; \theta)}{1 - F(K; \theta)}$$

- Model severity loss distribution above and below loss threshold with separate tail and body distributions representing unexpected and expected losses.

Adjustments to Remove Historical Bias and Take Learning into Account

Isn't any adjustment purely subjective, and therefore why go through a mathematically rigorous analysis when in the end it still relies on judgment?
- First, nothing wrong with judgment; it is used in business all the time, even by actuaries.
- The benefit of the rigorous math is that the judgment is used in a systematic, coherent and consistent way.

Depends on what type of judgments and how they are used:
- A list of opinions about the quality of the control environment, i.e. separation of duties
- Or risk drivers, i.e. data on the characteristics of the operational environment: no. of deposit accounts

II-e Distributions of Losses and Extreme Value Theory

Distribution of operational losses

Expected events (high probability, low losses)
- Limited financial impact: covered by the business plan

Unexpected events (low probability, high losses)
- Severe financial impact: covered by operational risk capital
- Catastrophic financial impact: insurable (risk transfer or risk financing)

Distribution of operational losses


(over a given (fixed) time horizon)

[Figure: Likelihood of loss against severity of loss, with regions marked expected, unexpected (severe) and catastrophic.]

Example of High Probabilities and Low Losses
Credit Card Business:
- Operational Risk is mainly due to fraud
- High probabilities and low losses
- For any credit card issuer the total monthly losses due to Operational Risk has a very low variance.

USA and Europe deal with this issue in a completely different way:
- Europe has made major investments in the smart card
- USA has made major investments in data mining (neural nets, etc.)

The main risk in the credit card business is still credit risk.

Extreme Value Theory


How to model and predict catastrophic events that occur at low frequency
- The Central Limit Theorem (CLT) gives us a tool to analyze averages of events and gives us a feel for the standard deviation - The Extreme Value Theorem (EVT) by Gnedenko gives us a tool to analyze the distribution of the maxima of random variables (tail events) within given periods.

Limiting Distributions
- The CLT yields us in the limit the Normal (Gaussian) distribution
- The EVT yields us in the limit either the Generalized Extreme Value (GEV) distribution (special cases of this distribution are the Frechet, Weibull, and Gumbel distributions) or the Generalized Pareto Distribution

How Does Extreme Value Theory Fit in the Overall Framework of Distributions?
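Profit and loss distributions with chosen threshold for extreme operational losses
[Figure: Profit and loss distribution running from profit to loss, with expected profit, 0, expected loss and the threshold u marked on the axis; the loss distribution, the excess loss distribution above u, the expected excess loss and the catastrophic loss region are indicated.]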

Extreme Value Theory
Two Basic Models:
- Block Maxima Model
  Limiting Distribution: Generalized Extreme Value Distribution
- Peak Over Threshold Model (POT)
  Limiting Distribution: Generalized Pareto Distribution

Generalized Extreme Value Distributions

II-f Key Risk Indicators and Multi-Factor Analysis

Key Risk Indicators: Developmental Considerations
- How many should be key? E.g. the RMA has over 1,400 KRIs in its framework!
- Some will be leading and some lagging.
- Defining and aggregating KRIs does sound straightforward, but it will be more complicated as we go beyond the surface level.
- KRI development is partly an art and partly scientific.
- Risk indicators can be used for any type of risk and at any level in the organisation; they do not have to be 100% accurate.

KRIs: General Categories
1. Audit issues: number and severity of issues that have not been resolved in a timely way
2. Business continuity: the vulnerability and criticality of processes, the quality of the continuity plan, and the frequency and adequacy of practices and tests
3. Failed customer interactions: the number, duration, and severity of failures to provide customers with prompt, reliable, and effective source
4. Information security: the number and severity of virus attacks which had any success, critical vulnerabilities left unresolved for a period, and security events with an impact
5. Information technology: the availability of technology at critical periods for critical purposes
6. Operational losses: the dollar value of losses
7. Process breaks: the frequency, severity, and size of trading, clearing, and settlement failures and their customer impact
8. Profit: the number, suddenness, and severity of unexpectedly high profits or losses
9. Policy exceptions: the number and significance of policy exceptions
10. Regulatory: the number and severity of comments and fines from regulators
11. Staff turnover: turnover rates in critical functions

Key Risk Indicators (KRIs) for Operational Risk in Banking
- Transaction volume per employee
- Average system downtime
- Employee turnover
- Experience level of employees
- Number of amendments (exceptions) recorded
- Number of new products introduced in most recent time period
- Number of ATMs robbed per 1000 ATMs
- Call Centers performance measures

Key Risk Indicators (KRIs) of Operational Risk in Asset Management


- Internal controls - audit results, audit frequency
- Staffing - employee turnover, training budget, premium per employee, policies per employee
- Outside Data Sources - rating agencies, regulators, industry trade organizations, data warehousing firms
- Security - number of times systems have been hacked
- Systems Reliability - servers, call centers

Ops Risk in Internet Banking
- Average take for an individual phisher is around 20,000 USD a month (can go as high as 100,000 USD a month).
- Phishing schemes are estimated to cost banks between 0.5 and 1.5 billion a year.
- An incident may erode customer confidence in a bank (publicity magnifying the effect across the customer base).
- Banks spend years and millions on building brand value; this can be destroyed in one day with a single publicised operational loss incident.
- Online fraud and security management are key components of Ops Risk Management.

Key Risk Indicators (KRIs) of Operational Risk in Internet Banking


- Internal controls - audit results, audit frequency
- Server Reliability - hours downtime
- Staffing - employee turnover, training budget, premium per employee, policies per employee
- Outside Data Sources - rating agencies, regulators, industry trade organizations, data warehousing firms
- Security - number of times systems have been hacked

Multi-Factor Analysis
Incorporating Key Risk Indicators into a Single Framework

Multifactor Analysis using Linear Regression


Transactions Processing Data Set

Ordinary least squares method: find best linear fit to data

$$Y_i = \beta_0 + \beta_1 X_i$$

Example Multifactor Analysis


(ANOVA Table from EXCEL)
Monthly Loss = 21,356 - 864 × Headcount + 12,655 × System Downtime + 155 × Transaction Volume

Use of Multifactor Analysis
- We can forecast losses if we can find a trend for KRIs.
- Knowing the coefficients in the Loss equation, we can price individual units of the variables. For example, the cost of one more minute of system downtime in a month is $12,655.
- We can perform stress tests. Management can now estimate how much the total expected operational loss will increase if the trading volume increases by x%. If transaction volume increases by 50% from its average, then stressed monthly loss = $1,159,831.

Use of Multifactor Analysis: Cost/Benefit Analysis
1) Cost/Benefit Analysis. Ex: If we hire 1 employee costing $x/year, the reduction in losses is estimated to be $864 × 12 = $10,368.

Incorporating Key Risk Indicators in Capital Charge
Two approaches:
- KRI Volatility Adjustment to Capital Charge
- Frequency Regression

Incorporating Key Risk Indicators in Capital Charge: KRI Volatility Adjustment
Key Risk Indicators and the Volatility of Losses

[Figure: Volatility in the control environment (control quality) drives losses volatility; a volatility add-in is applied to operational VaR to give OR capital.]

OpRisk Capital = (1 + KRI volatility) × OpRisk VaR

Incorporating Key Risk Indicators in Capital Charge: Frequency Regression
- The loss frequency is assumed to be a linear function of the KRIs. For example:
  Loss Frequency = α × Transaction Fails Count + β × Transaction Volume
- Regression analysis and maximum likelihood analysis is performed to determine the parameters α, β.
- Loss frequency determines the frequency distribution. Frequency and severity distributions are used to calculate operational risk VaR and capital charge.

Incorporating Key Risk Indicators in Capital Charge: Frequency Regression
Example:
- Loss Frequency = 0.0199 × Transaction Fails Count + 0.0122 × Transaction Volume
- Using most recent value of KRI, e.g. Transaction Fails Count = 5, Transaction Volume = 163
- Then Loss Frequency = 0.0199 × 5 + 0.0122 × 163 = 2.09/day
- Use this loss frequency and previously estimated severity distribution to calculate VaR.
- Frequency regression can also be used to perform stress tests. For example, VaR increases 20% when transaction fails count increases 5%.
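The frequency regression described above, as an added example that is not part of the original slides: it fits a Poisson frequency that is linear in two KRIs by maximum likelihood and then applies the fitted relation in a stress test. The daily records are constructed, noise-free values generated from 0.02 and 0.0125, and the use of Newton's method with step halving is an assumption of this example, since the slides do not name an optimizer.

```python
"""Poisson frequency regression on KRIs with a linear (identity) link."""
import math

# Constructed sample: (transaction fails count, transaction volume, loss events).
# Each count equals 0.02 * fails + 0.0125 * volume exactly, so the maximum
# likelihood estimate is known in advance and the fit can be checked.
DAILY_RECORDS = [
    (50, 80, 2), (0, 160, 2), (100, 80, 3), (50, 160, 3),
    (0, 80, 1), (100, 160, 4), (50, 240, 4), (0, 240, 3),
]


def loss_frequency(alpha, beta, fails, volume):
    """Poisson mean: lambda = alpha * fails count + beta * transaction volume."""
    return alpha * fails + beta * volume


def log_likelihood(alpha, beta, records):
    """Sum over days of log f(n_i; lambda_i) for the Poisson density f."""
    total = 0.0
    for fails, volume, n in records:
        lam = loss_frequency(alpha, beta, fails, volume)
        if lam <= 0.0:
            return -math.inf  # outside the parameter space
        total += n * math.log(lam) - lam - math.lgamma(n + 1)
    return total


def fit_frequency_regression(records, max_iter=100, tol=1e-12):
    """Maximise the log-likelihood over (alpha, beta) with damped Newton steps."""
    events = sum(n for _, _, n in records)
    kri_total = sum(f + v for f, v, _ in records)
    alpha = beta = events / kri_total  # start where every lambda_i is positive
    ll = log_likelihood(alpha, beta, records)
    for _ in range(max_iter):
        g_a = g_b = h_aa = h_ab = h_bb = 0.0
        for f, v, n in records:
            lam = loss_frequency(alpha, beta, f, v)
            resid = n / lam - 1.0      # score contribution per unit of KRI
            weight = n / (lam * lam)   # negative second derivative
            g_a += f * resid
            g_b += v * resid
            h_aa += weight * f * f
            h_ab += weight * f * v
            h_bb += weight * v * v
        det = h_aa * h_bb - h_ab * h_ab
        if det <= 0.0:
            raise ValueError("KRIs are collinear; parameters not identifiable")
        d_a = (h_bb * g_a - h_ab * g_b) / det
        d_b = (h_aa * g_b - h_ab * g_a) / det
        step = 1.0
        while step > 1e-12:
            cand = (alpha + step * d_a, beta + step * d_b)
            cand_ll = log_likelihood(cand[0], cand[1], records)
            if cand_ll >= ll:
                break
            step /= 2.0  # halve until the likelihood does not decrease
        else:
            return alpha, beta  # no improving step left: at the optimum
        moved = max(abs(cand[0] - alpha), abs(cand[1] - beta))
        alpha, beta, ll = cand[0], cand[1], cand_ll
        if moved < tol:
            break
    return alpha, beta


def stress_frequency(alpha, beta, fails, volume, fails_bump=0.0, volume_bump=0.0):
    """Loss frequency after bumping the KRIs by the given fractions."""
    return loss_frequency(alpha, beta,
                          fails * (1.0 + fails_bump),
                          volume * (1.0 + volume_bump))


if __name__ == "__main__":
    a, b = fit_frequency_regression(DAILY_RECORDS)
    print(f"fitted alpha={a:.6f} beta={b:.6f}")
    # Coefficients and KRI values quoted on the slide.
    print(f"slide example: {loss_frequency(0.0199, 0.0122, 5, 163):.2f} losses/day")
    for bump in (0.10, 0.50):
        lam = stress_frequency(0.0199, 0.0122, 5, 163, fails_bump=bump)
        print(f"fails count +{bump:.0%}: {lam:.4f} losses/day")
```

The stressed frequency is then fed into the severity simulation in place of the unstressed one to obtain the stressed VaR.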

II-g External Loss Data

External Loss Data
Input data for Advanced Measurement Approach:
- Internal Loss Data
- Scenario Analysis
- Key Risk Indicators
- External Loss Data

External Loss Data
Reasons for using external loss data:
- Required by AMA
- Complement existing internal loss data. Internal loss data may not include large-magnitude losses. External loss data can help to estimate the tail of the loss distribution.
- Internal loss data may not be available

External Loss Databases
Public External Loss Databases: e.g. Fitch
- Includes identity of firm
- Tends to cover just large losses which attract the attention of the media
- Covers limited loss types, e.g. not Execution, Delivery and Process Management

Consortia: e.g. ORX
- Identity of firm is anonymous
- Wider array of losses and loss types

Insurance Data: insurance claim data provided by insurance brokers, e.g. OpBase
- Tends to be smaller losses below $5M
- Bias due to deductibles and policy limits
- Available loss types will depend on type of insurance policy

ORX Background and History


- ORX is a not-for-profit organization, owned and run by the Members
- ORX was incorporated as a Swiss Association in April 2002
- ORX was founded with the objective of sharing quality operational risk data on a secure and anonymized basis to enable banks to improve risk measurement and management
- ORX also works with its members to:
  - develop operational risk management practice
  - set common standards for the industry
  - develop professional networks
  - conduct leading-edge research

ORX Loss Data
ORX strives for consistency in the data it collects from members. Each individual loss event is categorized according to the common standards set out in the ORX Operational Risk Reporting Standards (available from www.orx.org). ORX members are required to report all losses over 20,000. Above this threshold it is the objective of ORX that the data from every member is complete. Each loss is then characterized according to the following primary attributes:

Classification Data
- Reference ID number (Member generated)
- Business Line (Level 2) Code (see Appendix 3.2 for ORX Business Line table)
- Event Category (Level 2) Code (see Appendix 3.3 for ORX Event Category table)
- Country (ISO Code)
- Credit-related (C/N)
- Related event Ref ID (Member generated)

Reference Dates
- Date of Occurrence
- Date of Discovery
- Date of Recognition

Amounts
- Gross Loss Amount
- Direct Recovery
- Indirect Recovery

Exposure Indicators by Business Line (Level 2)
- Gross Income

Algo OpData (Fitch)
- Algorithmics: subsidiary of Fitch (700 people)
- Database contains 12,000 publicly reported operational risk losses, each with a value over 1,000,000 USD
- Time span 16 years
- Each year 750-1000 new entries are added

Important Feature: Customer, who buys the database, does not have to show his own data!

Incorporating External Loss Data in Measurement Framework
Approaches:
- Mixture model: Use external loss data in tail and internal loss data in body. Useful when internal loss data has few high-severity events.
- Credibility Methodology: Create loss distribution which is a weighted average of internal loss distribution and external loss distribution.
- Qualitative use: as a reference to inform scenario analysis workshops

II-h Correlations and Dependencies

Risk Drivers

Dependencies and Correlations in Operational Risk
- Basel II requires capital charge for operational risk of separate business lines to be added unless dependencies between business lines are taken into account.
- Independence of operational events across business lines and diversification may reduce VaR. Hence, there is a strong incentive to include the effect of diversification.
- However, regulators expect firms to demonstrate that the methodology of incorporating correlations is sound.

Copulas
Using the separate marginal distribution of Fixed Income losses and marginal distribution of Equities losses together with their correlation, we wish to construct a bivariate loss distribution function F(X, Y) for the losses for the two business lines. A bivariate loss distribution gives the simultaneous probability of an Equities loss and a Fixed Income loss.

Solution: Use Copulas

Copulas
- Copulas are a new way of modelling the correlation structure between variables.
- They disassociate the correlation structure from the marginal distributions of the individual variables.
- Copulas offer a method for combining marginal distributions into multivariate distributions:
  - Good method to capture dependency in tail
  - Flexibility in patterns of correlation
  - Can use statistical measures to compare fits

III Conclusions and Discussions

III-a Review of Operational Risk Measurement Framework

Review of OpRisk Measurement Framework: Loss Data
Qualitative Analysis of the Data
- Measure the mean, dispersion and heavy-tailedness of data using kurtosis
- Look for statistical outliers

Quantitative Analysis of Data
- Estimate severity and frequency loss distributions for data
- Select appropriate distribution using goodness-of-fit tests and graphical plots.
- Determine data truncation threshold
- Goodness-of-fit tests measure how close the estimated distribution is to the empirical distribution
- Graphical plots: histograms and QQ and PP plots
- Extreme value analysis: use Hill and Mean Excess plot to check fit for extreme value distributions and choice of threshold

Review of OpRisk Measurement Framework: Include Key Risk Indicators, External Loss Data and Scenario Analysis

Include KRIs in Framework: Perform Regression Analysis
- To identify drivers of losses
- To conduct stress tests
- To forecast losses
- Incorporate into VaR via frequency regression or KRI volatility adjustment

Include External Loss Data in Framework
- Use mixture distribution (internal losses for body and external losses for tail) or use credibility methodology to build a combined loss distribution using internal losses and external losses

Include scenario analysis from self-assessment program in framework

Review of Scenario Analysis
- Scenario analysis can be part of a risk and control self-assessment program.
- Experts from across the firm assess specific risks for their business. Experts have a spectrum of roles: front office, finance, operations, IT, and legal. They assess potential risks and quality of controls in place. They develop possible scenarios and the likelihood and impact of these scenarios.
- Examples: Pandemic flu, terrorist attack, unauthorized trading, trade misbookings, incorrect data entry, system crashes

Review of Ops Risk Measurement Framework
- Find correlations and dependence structure
- Generate loss distributions from all input data elements and from correlation

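Review of OpRisk Measurement Framework: Calculate VaR
[Figure: A severity distribution (probability against loss sizes) and a frequency distribution (probability against number of losses) are combined into the aggregated loss distribution (probability against aggregate loss amount), which needs to be computed by Monte Carlo simulation.]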

Review of OpRisk Measurement Framework: Calculate VaR
Calculate VaR by aggregating frequency and severity using the Loss Distribution Approach and Monte Carlo simulation.
Example: to calculate yearly 99.9% VaR
- Sample loss count from frequency distribution: e.g. 15 was obtained
- Sum 15 samples from severity distribution: $56,786 + ... + $982,343 = $6,734,341
- $6,734,341 is 1 sample of the aggregate loss over the next year.
- Repeat 100,000 times to obtain 100,000 samples of the yearly aggregate loss
- Rank 100,000 aggregate loss samples from highest to lowest
- 99.9% yearly VaR is 100th highest on the list
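The Monte Carlo procedure above, and the aggregate loss S defined in the Operational Risk VaR slide, as an added example that is not part of the original slides. It assumes a Poisson frequency and a lognormal severity (the two families the slides mention); the parameter values are constructed for illustration, not estimated from any loss data.

```python
"""Loss Distribution Approach: yearly operational-risk VaR by Monte Carlo."""
import math
import random


def sample_poisson(lam, rng):
    """Draw a Poisson(lam) loss count with Knuth's multiplication method."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_yearly_losses(lam, mu, sigma, n_years, seed=0):
    """Return n_years samples of S = L_1 + ... + L_N.

    N ~ Poisson(lam) is the yearly loss count; the L_i are i.i.d.
    lognormal(mu, sigma) severities, independent of N.
    """
    rng = random.Random(seed)
    samples = []
    for _ in range(n_years):
        n_losses = sample_poisson(lam, rng)
        samples.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_losses)))
    return samples


def var_from_samples(samples, confidence=0.999):
    """Rank samples from highest to lowest and read off the VaR.

    With 100,000 samples and 99.9% confidence this is the 100th highest value.
    """
    ranked = sorted(samples, reverse=True)
    rank = max(1, round(len(ranked) * (1.0 - confidence)))
    return ranked[rank - 1]


def expected_yearly_loss(lam, mu, sigma):
    """Analytic expected loss E[S] = E[N] * E[L] for the compound model."""
    return lam * math.exp(mu + 0.5 * sigma * sigma)


if __name__ == "__main__":
    # Constructed parameters: 15 losses a year on average, median loss
    # of about $60,000 with a heavy right tail.
    LAM, MU, SIGMA = 15.0, 11.0, 1.5
    yearly = simulate_yearly_losses(LAM, MU, SIGMA, 100_000, seed=2024)
    var_999 = var_from_samples(yearly, 0.999)
    expected = expected_yearly_loss(LAM, MU, SIGMA)
    print(f"expected loss   : ${expected:,.0f}")
    print(f"99.9% yearly VaR: ${var_999:,.0f}")
    print(f"unexpected loss : ${var_999 - expected:,.0f}")
```

Running it with several seeds shows how much the 99.9% figure moves between runs, which is the sampling error of a quantile resting on only 100 tail observations.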

Model Backtesting and Validation
- Backtesting is fundamental to receiving approval by regulators for internal measurement models
  => Many violations implies a bank is riskier than it seems (model is inappropriate or poorly calibrated?)
  => Too conservative values imply excess capitalisation
- In operational risk, backtesting is complicated by limited availability of data, but it is still possible and fundamental to verify the accuracy of the model.

III-b Hedging Operational Risk

Hedging Operational Risk


Approaches to hedging operational risk
- Insurance
  - Insurance coverage can be incorporated into methodology using information about deductibles/limits on event policies
  - Still have to take into account credit risk and legal risk
- Securitization (financing) of risk

Hedging Operational Risk
[Figure: Probability against severity of loss, with $10M marked on the severity axis and regions labelled insurance mitigation and securitization.]

Effect of Insurance on Loss Distribution
[Figure: Probability of loss against cost paid by bank, with and without insurance. With insurance: lower standard deviation, higher mean.]

Source: Marshall, C, Measuring and Managing Operational Risks in Financial Institutions, supra note 20, p. 435

Securitizing Operational Risk
Securitizing OR provides an alternative to traditional insurance as a way to hedge operational risk.

[Figure: The bank pays a premium to a Special Purpose Vehicle (SPV) and receives insurance; the SPV issues a bond to the capital market; commission.]

Examples of Products:
- Ops Risk Linked Bonds: Bank pays premium and bond holder receives insurance. Bank is compensated if yearly operational losses exceed a certain threshold and bond holder forfeits part of principal.
- Equity Ops Risk Put: Bank has option to sell its shares at fixed strike in the event that a legal loss event occurs.

Some Challenges:
- Pricing requires estimating probability that aggregate losses exceed a threshold. No-arbitrage type pricing is not available since market is incomplete.
- Robust estimation of severity and frequency of operational losses is critical.
- Distinguishing relative risk between firms when a pool of data from a consortium is used
- Moral hazard

Operational Risk Reserve Requirement
- Simulate operational losses using estimated severity and frequency loss distributions
- Track reserve based on the difference in allocated gross income and operational losses each day
- Determine fraction f of gross income to reserve for operational risk reserves to avoid ruin

III-c Software and Decision Support Systems

Overview of Commercially Available Software Platforms (Gartner Group 2008)

Enterprise Risk Management Dashboard

Dashboard with Operational Risk Metrics
[Figure: Dashboard screenshot for Investment Bank - JPMorganChase, Equities, Equity Derivatives Group US, New York, December 31, 2005. Organization view and process view (process map, activity description, subrisks, controls, SOX-404 key controls, CSA scores and weights, action plans, CSA capital impact, RED data, audit impact, KRIs). Audit summary (3/31/04, rolling 12 months): audits by rating A 0, B 6, C 1, D 0, F 0, total 7; capital impact $5.6 for rating C, total $5.6. RED events ($ thousands, absolute value): 2001 timing $400, economic $15,451; 2002 timing $370, economic $1,522; 2003 timing $0, economic $30. Notes: activity included in End to End view; RED data is as of 12/31/2003; see appendix for legend and data sources.]

III-d Discussion and Conclusion

Loss Data Profile : Time Trends in Data Capture

Overall ORX Data and Statistics


Year     Total Number of Loss Events    Total Gross Loss Amount (Millions)
2002      7,838                          5,272
2003     10,718                          7,068
2004     14,905                          4,640
2005     18,150                          4,760
2006     21,135                          4,218
2007     19,411                          4,764
Total    92,157                         30,722

[Figures: Loss Frequency 2002-2007; Loss Severity 2002-2007]

Capital Attribution: Present and Future


Current capital/attribution
- Credit risk 70%
- Market risk 10%
- Operational risk 20%

Future capital/attribution
- Credit risk 40%
- Market risk 30%
- Operational risk 30%

Interplay between Operational Risk, Credit Risk, and Market Risk in Banking
- Credit Risk and Market Risk may be magnified by Operational Risk (e.g., incentive system (bonuses) of the sales force may not be aligned with the credit/market risk (upfront commission for the sale of a long-term credit risk))
- Heavy trading volume may cause delays in obtaining market data
- Accuracy of input data (or system downtime) may affect asset managers' decision-making process
- How should we compute this multiplier effect?
- How should we measure and deal with correlation effects?