Indonesia Certificate in Banking Risk and Regulation Training Instructor Course - Level 3

Indonesia Certificate in
Banking Risk and Regulation

Training Instructor Course
Level 3
Part B: Credit risk and operational
risk management and regulation
Global Association of Risk Professionals, Inc.

6. The Advanced Measurement Approach to measuring
operational risk
Market risk and treasury risk Part A

management and regulation
1. An introduction to the use of 2. The Internal Models

3. Capital management and
statistics in the measurement Approach to measuring and
treasury risk
of financial risk managing market risk
Credit risk and operational risk Part B

management and regulation
4. Internal Ratings-Based 6. Advanced Measurement

5. Collateral and 7. Managing
approaches to measuring Approach to measuring
securitization operational risk
credit risk operational risk
Supervision and regulation

Part C
8. The supervisory 9. Supervision of operational 10. Basel II disclosure 11. The BI

review process risk and other risks requirements supervisory regime

6.1 The Advanced Management Approach
6.1 The Advanced Measurement Approach
The Basel II Accord specifies three different approaches that can

be used to calculate a banks operational risk capital.
Of the three, the Advanced Measurement Approach is the most

sophisticated method of measuring operational risk and calculating
the required capital.
The Advanced Measurement Approach differs from the Basic

Indicator Approach and the Standardised Approach in that the
Accord does not specify any model or methodology.

Instead it permits a bank to use its own internal operational risk

measurement models. Any method of measuring internal risk is
permissible provided it meets the quantitative and qualitative
criteria, and is approved by the supervisor.
Thus the Basel II Accord has opted for a balance between flexibility
and consistency, rather than a one-size-fits-all approach.

Model capabilities
Any measurement system used under the Advanced
Measurement Approach must be capable of estimating
expected losses, and unexpected losses. It must also be
capable of identifying potential losses from catastrophic or
extreme events, known as tail events.
The regulatory operational risk capital is obtained by
combining the expected and unexpected losses, unless a
bank can demonstrate that expected losses have been
accounted for elsewhere.

Model capabilities
For example they could have been included within
product pricing. If a bank can demonstrate it has already
accounted for expected losses then they can be partially
or totally omitted.
Internationally active banks and banks with significant operational

risk exposures, (e.g. specialist processing banks) are expected to
implement the Advanced Measurement Approach and develop their
own methodologies for calculating operational risk capital.

Model capabilities
The Advanced Measurement Approach uses historical internal loss

data, external data and other data, which is derived from business
factors and internal controls (see Section 6.4). Validation of the
models is also necessary through the use of techniques such as
scenario analysis.
Within the Advanced Measurement Approach the Basel II Accord

also sets out criteria that define the structure for creating an
operational risk function, including the reporting lines and reporting
process.

Advanced Measurement Approach techniques
Although no model or methodology is specified under the

Advanced Measurement Approach, banks are tending to adopt one
of the following three basic techniques:
Internal Measurement Approach (IMA)

Loss Distribution Approach (LDA)
Risk Drivers and Controls Approach (RDCA) scorecards.
A brief description of each technique is provided in the following

sections.

6.1.1 Internal Measurement Approach
The Internal Measurement Approach (IMA) is similar to the Internal

Ratings-Based approaches for calculating credit risk regulatory
capital.
Under the Internal Measurement Approach a bank maps its

activities into business lines, as per the Standardised Approach.
Once this has been completed the bank defines a set of operational
risk events and maps the internal data across each business
line/risk type combination.

6.1.1 Internal Measurement Approach - example
Bank AA adopts the IMA for calculating its operational risk capital. It
uses the Basel II definitions for its business lines and risk-event
types. It maps its business activities into the business lines.
Business activities
Business lines
Corporate Finance Trading and Sales Retail Banking
Commercial Banking Payment and Settlement Agency Services
Asset Management Retail Brokerage

6.1.1 Internal Measurement Approach - example
It then maps its internal data for each business line to the risk-
event types:
Business lines
Corporate Finance Trading and Sales Retail Banking
Commercial Banking Payment and Settlement Agency Services
Asset Management Retail Brokerage
Risk-event types
Internal Fraud External Fraud Employment practices
and workplace safety
Clients, products and Damage due to physical Business disruption and
business practices assets system failures
Execution, delivery and process management

For each business line/risk type an exposure indicator, such as

gross income, is allocated.
This exposure indicator represents the amount of operational risk in

each business line/risk type and is set by the supervisor.
Expected losses (EL) for each business line/risk type combination

are then calculated by multiplying the exposure indicator (EI) by the
probability of a loss event occurring (PE) and then by the estimated
loss if the event occurs (LGE).

Thus for each business line/risk type combination the expected

losses are:
EL = EI x PE x LGE
The probability of an event occurring and its estimated losses are

derived from the banks internal data.
PE is the equivalent of credit risks probability of default (PD) and

LGE is the equivalent of loss given default (LGD) for credit risk.

6.1.1 Internal Measurement Approach example
Bank AA is a retail bank and has a gross income of USD 65 million

for its retail banking business line and adopts gross income as the
exposure indicator.
Bank AA uses the IMA to calculate its operational risk regulatory

capital. It uses gross income as its exposure indicator. The
expected losses for Bank AAs retail banking business are.
Exposure indicator (EI) = USD 65 million

Risk-event type PE LGE EL (EIxPExLGE)

% USD USD million
Internal fraud 0.0002 1000 0.13
External fraud 0.0008 1000 0.52
Employment practices and workplace 0.0020 500 0.65
safety
Clients, products and business 0.0100 100 0.65
practices
Damage due to physical assets 0.0004 500 0.13
Business disruption and system failures 0.0250 50 0.81
Execution, delivery and process 0.0400 50 1.30
management
For its retail banking business line, Bank AA would have a total of
USD 4.19 million in expected losses.

The Internal Measurement Approach assumes a straightforward

relationship between expected and unexpected losses.
Unexpected losses are assumed to be a simple multiple of
expected losses.
For a given business line/risk type the expected losses are

converted to unexpected losses by applying a scaling factor (the
gamma). A bank can either derive the gamma values using
statistical analysis of its internal data, or obtain gamma values
based on global data from the supervisor.
The gamma in the operational risk IMA equates to the risk-weight

coefficients in the credit risk IRB approach.

To convert unexpected losses to operational risk capital an

adjustment factor, Risk Profile Index (RPI), is applied to reflect the
risk profile of the individual bank for each risk-event type. The RPI
factor can either be derived by the bank (using statistics) or
obtained from the supervisor.
Thus for each business line/risk type combination the operational

risk capital is:
Required capital = EL x gamma x RPI

The overall capital charge is obtained by simply adding up all of the

individual business line/risk type capital requirements.
A detailed discussion of the Internal Measurement Approach, the

exposure indicator (EI), and the gamma is beyond the scope of the
Certificate.
The following example shows the IMA calculation with the exposure
indicator based on gross income.

Taking the earlier example of retail Bank AA, it has a gross income
of USD 65 million for its retail banking business line.
Bank AA uses the IMA to calculate its operational risk regulatory

capital. Bank AA uses the expected losses for its retail banking
business line gross income (see example above) to calculate its
regulatory capital.

Risk-event type EL Gamma RPI Capital

(ELxGammaxRPI)
USD million
Internal fraud 0.13 2.0 0.8 0.21
External fraud 0.52 2.0 0.9 0.94
Employment practices and workplace 0.65 1.2 0.9 0.70
safety
Clients, products and business practices 0.65 1.5 1.2 1.17
Damage due to physical assets 0.13 2.5 0.4 0.13
Business disruption and system failures 0.81 2.0 1.3 2.11
Execution, delivery and process 1.30 1.2 1.3 2.03
management
For its retail banking business line, Bank AA, would need
USD 7.29 million of operational risk capital.

6.1.2 Loss Distribution Approach
Of the techniques currently being implemented under the Advanced

Measurement Approach the most popular is the Loss Distribution
Approach where value at risk (VaR) is used to calculate the
regulatory capital.
This approach is considered to be the most risk-sensitive technique

to calculating operational risk capital. It is based on actuarial
models used in the insurance industry to estimate losses from
insured events.

The Loss Distribution Approach bases its calculations on statistical

analysis of loss experiences (internal and external data).
The first step is for a bank to map the historical internal and
external data to each of its business lines and risk types. For each
business line/risk type the data is converted into loss-severity
(LSD) and frequency (FD) distributions.
Once these have been calculated the method generates a loss

distribution for each business unit/risk type. This loss distribution
can be simulated using various techniques including Monte Carlo
simulations.

The operational risk capital for a business line/risk type is

calculated by taking the 99.9% VaR (commonly called the
OpVaR) from the loss distribution.
The total operational risk capital for a bank is calculated
by adding the results for each business unit/risk type.

6.1.3 Risk Drivers and Controls Approach
The Risk Drivers and Controls Approach differs from the other
Advanced Measurement approaches in that it is not a single
technique, but rather a collection of different scorecard methods.
In operational risk a scorecard is a mechanism for

showing the risk and controls within a process or
business through the use of weighted scores.
Typically a bank distributes questionnaires to each of its
business departments asking them to assess their risks
and controls.
From this a scorecard can be produced by applying a
value (or score) to each of the answers given.

6.1.3 Risk Drivers and Controls Approach example
A scorecard
Bank CC, a mortgage business, has completed a risk assessment

questionnaire and the responses have produced the following
scorecard:
Risk-event type Controls Risk

Internal fraud 2.5 3.2
External fraud 4.2 1.3
Employment practices and workplace safety 3.2 2.2
Clients, products and business practices 4.2 3.3
Damage due to physical assets 3.0 4.0
Business disruption and system failures 1.4 4.0
Execution, delivery and process management 4.0 2.0

6.1.3 Risk Drivers and Controls Approach example
The scorecard uses the following scales:
Controls Risk
1 very poor 1 very low
2 poor 2 low
3 average 3 average
4 good 4 high
5 very good 5 very high
This scorecard clearly shows that the mortgage business has a

high risk from business disruption, but low controls. Following this
review Bank CC should take steps to improve the mortgage
controls on business disruption.

The initial operational risk capital requirement is determined by

using one of several methods, including:
the Loss Distribution Approach, (i.e. OpVaR)

the Standardised Approach
low frequency/high severity loss scenarios
comparison of the banks risk profile with other peer group banks
and their capital requirements
comparison with the capital requirements for a banks other risk
types.

In the RDCA, once the initial capital requirement is determined the

method does not require complex statistics to recalculate the on-
going capital.
Instead it uses the banks experience and changing risk factors and
controls to adjust the operational risk capital. The RDCA takes into
account the banks risk profile and its operational risk controls.
The initial capital is adjusted using the scorecard created

for the risk drivers and controls. The bank builds a
scorecard assigning a factor indicating the risk profile and
controls for each business unit/risk type.

For each of these business lines/risk types the

operational risk capital requirement is adjusted as the
factors change. The new total operational risk capital for
the bank is determined by adding up the capital required
for each business unit/risk type.
Because the capital is adjusted, as the banks risk
controls and business environment change, the RDCA is
less reliant on historical data and is thus considered a
forward-looking technique.
It is important to note that the operational risk capital
charge will need to be revalidated on a regular basis.

6.2 Internal loss data
To use the Advanced Measurement Approach a bank

must collect, store, maintain and report internal historical
loss information. Internal loss databases record gross
losses from operational risk events that have occurred
within a bank.
Advanced Measurement Approach models use a banks
past experiences to predict its future potential losses.

Clearly the accuracy of the Advanced Measurement Approach risk

capital calculation is heavily dependent on the quality of the data
held.
The Basel Committee requires a bank to establish a formal process

for the capture management and reporting of internal operational
risk loss data. A bank must be able to tie its risk estimates to its
actual loss experience.
Thus the process a bank uses for collecting the internal data is
subject to relevancy, quality and content standards. These
standards are beyond the scope of the Certificate.

Level 1 discussed the importance of near miss events to

operational risk management and measurement. Students should
recall that a near miss is a risk event that occurs, but which does
not result in loss.
For completeness, data relating to near-miss events should also be

recorded alongside the internal loss data.

6.2.1 Internal loss data criteria and associated factors
The Basel II Accord specifies criteria for the collection and

management of internal risk loss data. To use internal data in its
own Advanced Measurement Approach a bank is required to:
have the capability to map the data to the Basel II risk loss
categories (see Section 6.2.2)
have the capability to map the data to the banks current business
activities, risk management procedures and technology, and hence
to the Basel II business lines as defined under the Standardised
Approach

provide mechanisms for linking related events, identifying events

that have occurred across multiple business units, and allocating
central department (such as IT) events across businesses
ensure that the Approach remains consistent with business

activities through regular reviews
base any operational risk measure on a minimum of five-years

worth of internal loss data, (although there is only a three-year
requirement on initial implementation of the Approach).

The Basel II Accord allows banks to set a minimum threshold under

which losses are not recorded. This is to minimize the overheads of
using the Advanced Measurement Approach and prevent banks
collecting huge amounts of data from high frequency/low impact
events.
While threshold limits will clearly vary from bank to bank, they must
be consistent with those used by a banks peer group.
A bank must also be able to justify that excluded activities and

exposures will not have a large effect on its overall risk estimates.

Internal data content
In addition to gross losses the Basel II Framework specifies a

minimum set of data to be collected in association with a loss
event. This minimum set of data includes:
date of the risk event

cause of the risk event
description of the risk event
any recovery of gross loss made
date of any recoveries
business unit in which the event occurred.

It is recommended that the internal losses database include at least

two additional data types. Banks are required to map their own risk
definitions into Basel event-loss categories.
To simplify this mapping process any loss database should include

the risk loss category and sub-category that each event is assigned
to.
The new Accord requires banks to manage operational risk as well

as measure it. To help improve their operational risk management
some banks find it useful to record any actions taken to mitigate the
risk and prevent the event recurring.

6.2.2 Operational risk loss event type
The Basel II Capital Accord does not assume that banks

will collect and structure their operational loss data in
identical ways.
Nor does it assume that internal structures of banks are
identical. It is likely that a banks internal loss data
structure will reflect the definition of operational risk, the
event types, and the business structure adopted by the
bank.

To provide a common approach the Basel II Framework stipulates

that a bank must be able to map its internal operational risk
definitions to:
a standard set of loss event types

the Standardised Approach business lines.
By using a standard set of loss event type classifications Basel has

provided a process for mapping a banks actual losses to the
Advanced Measurement Approach.

The Basel II Framework sets out a three-tier approach to defining

each of the risk loss event types:
Level 1 the Event type category
Level 2 the Categories
Level 3 the Activity examples.

The mapping of operational risk classes and business lines to the

Basel risk loss event type classifications and business lines has
three purposes:
it provides a standard set of definitions so that the capital costs

across different banks are calculated on a like-for-like basis
it ensures the Advanced Measurement Approach is

comprehensive and captures all material activities and exposures
it assists the supervisor in validating the banks internal model

under the Advanced Measurement Approach.

The Basel event type classifications
The Basel II Accord provides a definition for each of the event type
categories. Table 6.1 gives the Level 1 (Event type category) and
the Level 2 (Categories) defined in the Advanced Measurement
Approach:
Event type category (Level 1) Categories (Level 2)

Internal fraud Unauthorized activity
Theft & fraud (internal)
External fraud Theft & fraud (external)
Systems security
Employment practices & workplace Employee relations
safety Safe environment
Diversity & discrimination


Event type category (Level 1) Categories (Level 2)
Clients, products and business Suitability, disclosure and fiduciary
practices Improper business or market practices
Product flaws
Selection, sponsorship and exposure
Advisory activities
Damage due to physical assets Disasters and other events
Business disruption and system Systems
failures
Execution, delivery and process Transaction capture, execution and
management maintenance
Monitoring and reporting
Customer intake and documentation
Customer/client account management
Trade counterparties
Vendors and suppliers

6.2.2 Operational risk loss event type example
Each Level 2 category is broken down further to a Level 3 activity.

Let us look at Internal Fraud from the above list as an example:
Event type category (Level 1) Definition

Internal fraud Within Basel II internal fraud is defined as
losses due to acts of a type intended to
defraud, misappropriate property or circumvent
regulations, the law or company policy,
excluding diversity/discrimination events, which
involves at least one internal party.

Categories (Level 2) Definition

Unauthorized activity This loss event type includes intentional actions
Theft & fraud (internal) by internal employees, usually for some
personal gain.
If an employee incorrectly records a transaction
due to error the it is not internal fraud.
If an employee deliberately fails to record a
transaction, for personal gain, then this is fraud.

Activities (Level 3) Examples

Unauthorized activity Transactions not reported (intentional)
Transaction type unauthorized (with monetary loss)
Mismarking of position (intentional)
Theft & fraud (internal) Fraud / credit fraud / worthless deposits
Theft / extortion / embezzlement / robbery
Misappropriation of assets
Malicious destruction of assets
Forgery
Check kiting
Smuggling
Account take-over / impersonation / etc.
Tax non-compliance / evasion (willful)
Bribes / kickbacks
Insider trading (not on the firms account)

6.2.3 Internal data issues
There are inherent problems in using internal data as an input into

the Advanced Measurement Approach.
For example the quality and appropriateness of the data will

directly impact on the accuracy of the Approachs calculations.
These issues mean that a bank should use internal data with
caution and support it with the banks operational risk experience.

The main challenges in using internal data in the Advanced

Measurement Approach are:
identifying operational risk losses

accuracy
updating loss events
near misses
lack of data
inflation
quality of data
extreme events.

Identifying operational risk losses
For some operational risk events it is difficult to quantify the losses,

particularly if there are indirect losses.
In addition banks must be careful regarding how events that cross

risk types and operational risk categories are allocated. (These are
known as boundary events.)

6.2.3 Internal data issues examples
Due to a failure of an internal process Bank K over lends to a

customer and suffers large losses when the customer defaults on
the loan.
Are these losses due to credit risk (the failure of the customer to
pay back the loan) or are they operational risk losses (the failure of
the internal processes)?
A bank clerk working for Bank L allows a customer to withdraw

funds immediately after depositing a check, before the funds have
been cleared. The checks are later found to be forged.
Are these losses due to an external fraud event or an internal

process failure because the clerk did not follow the bank policy of
waiting for a check to clear before paying out funds?

Accuracy of using internal data in predictive models
Historical data cannot be used to predict future events with any

degree of certainty. There is no guarantee that the operational
losses suffered by a bank over the last five years will provide an
indication of its future losses. Not only could the structure and
business of the bank have changed, but if controls and operational
risk management are improved, the chance of events recurring
would be reduced.
Thus, models used under the Advanced Measurement Approach

must make allowances for changes within a bank and add an
element of chance (randomness) to account for external events
beyond the banks control.

Updating loss events
It is possible that losses resulting from operational risk events could

be reduced (or actually increase) over time. Some of the losses
may be recovered, for example insurance payments, recovery of
fraud, or payments from legal actions.
Thus, internal loss data must be reviewed regularly and kept up to

date. Consequently banks need to implement processes to track
these recoveries and update their loss databases as appropriate.

Near misses
It has already been stated that for completeness it is necessary to

include operational risk near miss data in a banks internal loss
records.
However, near misses will either result in a profit or have no impact.

Thus recording the actual result of near misses in the Advanced
Measurement Approach calculations will skew the results.
It is therefore necessary for banks to estimate the potential losses

from near miss events for inclusion in their models.

Lack of data
Not all banks will have comprehensive five-year (or even three-
year) records of all operational risk losses. The lack of appropriate
data can have severe effects on the statistically based Advanced
Measurement Approach methodologies.
These methods require sufficient data to make their results valid;

insufficient data significantly reduces the usefulness of the results.
Therefore banks that want to move to the Advanced Measurement

Approach will need to plan well in advance in order to collect the
required data.

Inflation
Historical loss data will need to be adjusted to account for inflation

and other changes.
For example the nature of operational risk is changing and that

some events are increasing in their severity. Thus five-year old data
may need to be adjusted to account for these changes in order to
avoid becoming invalid.

Quality of data
Any system based on data inputs is highly dependent on the quality

of the data. An adage from the information technology industry
sums up the potential problems well: garbage in equals garbage
out.
Therefore banks need comprehensive processes and incentives to

ensure the quality of their data, not only on initial input but also
throughout the datas five-year life time.

Extreme events
The Basel II Accord states that for a banks internal model to be

used under the Advanced Measurement Approach it must be
capable of identifying extreme or catastrophic events.
It is unlikely that a bank will hold sufficient (if any) internal loss data
to calculate these extreme events with any accuracy. Thus banks
will need to rely on external data and scenario analysis.

6.2.4 Sundry loss accounts as a source of historical

data
One source of data for historical operational risk losses is a banks

sundry profit and loss accounts.
A sundry profit/loss is made from miscellaneous

unspecified activities.
Typically a banks financial statements will include
accounts to record the profits and losses from its
business activities. If it makes profits/losses from other
activities it records these in its sundry profit/loss accounts.
Sundry losses can include losses from a failure of an

internal process or activity. This is, of course, a loss due
to an operational risk event.


data
Banks have been collecting and reporting operational risk losses in

sundry loss accounts for years.
It is not uncommon to see entries in sundry loss accounts that are

related to fraud, theft, systems malfunction, or customer errors.
Both profit and loss accounts should be used to include near miss
events.
In the UK the mapping process may be simplified by utilizing the

operational risk categories defined by the Financial Services
Agency (FSA).


data
The FSA breaks down operational risk into the following categories:
Business Risk
Crime Risk
Disaster Risk
IT Risk
Legal Risk
Reputational Risk
Systems and Operational Risk.


data
A number of these categories are commonly used in defining

entries in sundry profit and loss accounts in banks.
Thus it is possible for a bank to establish a standard process for

mapping sundry losses to Basel risk event types via the FSA
categories. Banks using the data may, however, need to create
rigorous processes for ensuring it is recorded correctly.
In banking it is common to find that while losses have no owners

profits are likely to have many.


data example
Bank Js Treasury over books a hedging transaction when a

dealing ticket to purchase USD 10 million with GBP, is accidentally
entered into the trading system as USD100 million. The mistake is
quickly noticed and USD 90 million is rapidly sold. However during
this time the US dollar has strengthened against sterling and the
transaction has made a profit.
Does Bank J record this as a sundry profit or a trading profit?
As this is a near miss operational risk event it should record this as

a sundry profit.

6.3 External loss data
It is extremely unlikely that a bank will have internal historical loss

data for every potential future operational risk event. This is
particularly true when considering low frequency/high severity
events.
Just because a bank has not suffered a loss due to a fire or flood
does not mean it will continue to avoid these losses in the future.

The Advanced Measurement Approach requires banks to predict

expected and unexpected losses when calculating operational risk
capital.
When estimating unexpected losses it is highly probable that a

bank will have little or no data on extreme events on which to base
its predictions.
To calculate unexpected losses that include potential events, and

not just those the bank has already experienced, a bank is required
to supplement the internal data with relevant external data.

6.3.1 External risk loss data criteria and content
The Basel II Framework stipulates that a bank must have a clear

process for using external data. This process must show the
supervisor where the data has been used and how it has been
incorporated into the Advanced Measurement Approach model.
External loss data must include:
actual loss amounts

information on the scale of the business operation where the
event occurred
event causes
circumstances of the event
information to assist a bank with assessing the relevance of a
particular loss event.

6.3.2 Sources of external data
Historically banks have been cautious about releasing loss data

due to the potential reputational damage of incidents. This has
meant that comprehensive operational risk data on the banking
industry has been limited.
However, as the Basel II Accord has developed, and the need for
external data highlighted, the availability has improved. Two main
sources of external data for banks have been developed. They are
external public data and external pooled data.

External public data is data collected from publicly

available reports and other sources.
Usually this kind of data will be collated by a company
and sold on to banks. It may be included within a
commercial operational risk software package.
External public data will contain a greater number of
extreme events than a banks own internal data.
However, due to a number of issues such as quality, the
data may require substantial cleaning before it can be
used in an Advanced Measurement Approach model.

External pooled data is data collated by a consortium of

banks or financial organizations. An example of pooled
data is GOLD the loss collection database complied by
the British Bankers Association.
External pooled data differs from external public data in that:
it contains both public and non-public data shared by the

consortium
the data is likely to be more relevant to the peer group that
shares the data
the consortium banks agree to share their relevant internal losses
there is a degree of confidentiality between sharing banks.

In addition, the pooled data is likely to be recorded at a different

minimum loss level to public data. Public data tends to record only
those events with losses over USD 1 million while the pooled data
threshold is lower.
The threshold level for pooled data tends to be set at a level agreed
by the particular consortium.

6.3.3 External data issues
The use of external data is subject to a range of issues similar to

those encountered in internal data. However, as a bank has no
control over issues such as quality and completeness, the impact
and severity of the issues encountered can be greater than is the
case with internal data.
The main areas of concern with using external data in the

Advanced Measurement Approach are:
accuracy
inflation
quality
relevance
incomplete data sets.

Relevance
External data is collated from a wide range of banks with many

different risk profiles. Consequently there is no guarantee that the
external data used by a particular bank will be relevant. The scale
of losses and probability of an event will be highly dependent on a
banks risk controls, risk profile, business and size.
When using external data as an input into Advanced Measurement

Approach models banks will need to adjust the data to give it
relevance.
For example, the amount of loss may be scaled (up or down) to

reflect the size of the bank using the external data. The Basel II
Accord stipulates that external data must contain information to
assist banks in assessing the relevance of an event.

Incomplete data sets
External data sets are likely to be incomplete as the data might

have been gathered from several different inconsistent sources.
The data may also be limited by how much information a bank is
willing to disclose.
Operational risk events have an impact on a banks reputation.

Consequently banks are hesitant to put information on these types
of losses into the public domain.
Incompleteness of data is a problem more often associated with

external public data than external pooled data.

Assuming that an external loss database is complete can also

adversely affect the accuracy of a banks operational risk model.
The Advanced Measurement Approach models predict expected
and unexpected losses using a combination of the impact and
frequency of historical events.
There is no guarantee that the pooled data supplied by a member

bank has been reported according to the common format agreed by
the consortium.

For example the threshold for loss events for the pooled data may
have been agreed at USD 25,000, but due to overhead constraints,
a member bank could set its internal threshold at USD 30,000.
Thus the collated number of events with losses under USD 30,000
will be less than the number that have actually occurred.
Therefore, any bank using this pooled data as an input into its
Advanced Measurement Approach model would be unaware of the
inaccuracy, skewing its risk measurement results.

6.4 Business factors and internal controls
In addition to using internal and external data the Basel II Accord

states that Advanced Measurement Approach calculations must
reflect business factors and internal controls.
Business factors include details about the market, staff, customers,

and economy, as well as the overall environment in which a bank
operates.
Examples of business factors are key risk indicators, economic

reports, industry reports and risk assessments. They are used to
indicate the risk profile of a bank and to help determine the
likelihood of an event occurring.

The Advanced Measurement Approach calculates operational risk

capital by combining the probability of an event with its potential
losses.
The business factors and internal controls are input into the
Advanced Measurement Approach as indicators of the risk profile
of a bank and help determine the probability of an event occurring.
For example, if the internal controls of a banks business unit

improve, then it is logical to assume that the possibility of incurring
losses due to process failure should be reduced.

The inclusion of business factors and internal controls ensures that

the Advanced Measurement Approach is forward looking.
Section 6.2 highlighted that one problem of using historical data in

the Advanced Measurement Approach calculations is in using the
past to predict the future. There is no guarantee that a banks
historical losses will be repeated.
Updating the model as the business environment and controls

change helps to address this problem. Using these factors enables
a bank to compare its predicted results/assessment of risk
indicators with actual losses.

6.4.1 Key risk indicators
Key risk indicators (KRI) are an important business

environment factor used in operational risk measurement
and management. In operational risk, key risk indicators
are a measure of the amount of risk in a vital process or
procedure. Examples of key risk indicators are:
system downtime
staff turnover
payments made as compensation for errors
transaction volumes
process failure and error reporting
customer complaints
service level agreement (SLA) performance metrics
audit reports.

The use of key risk indicators is of greatest importance when

looking at major processes and the vulnerability of the banks
operations to process failures, (e.g. single points of failure or
measures of stress).
These business factors are based on management experience and

observations of actual business activities and trends.

The use of KRIs is becoming more accepted, although there are

still issues relating to the number of key risk indicators used in a
risk measurement model.
One question is whether they are intended as explanatory

variables within the models. In statistics, explanatory variables are
normally used to test some aspect of a model or hypothesis.
Statisticians (and hence Advanced Measurement Approach model

developers) usually minimize the number of explanatory variables
in any model. However, the KRI approach often results in a
profusion of KRIs.

The Basel II Accord criteria for the Advanced Measurement

Approach require a bank to implement an operational risk
management framework as well as determining risk capital.
One requirement of this framework is that a banks senior

management must respond to operational risk events, both
potential and actual.
KRIs provide early warnings of risk events, highlighting potential

trouble spots for management action. Thus banks commonly use
threshold trigger levels on KRIs. When a KRI reaches its threshold
level management intervention is triggered.

6.4.1 Key risk indicators example
Bank W uses the availability time of its central processing system

as a key risk indicator. As part of its operational risk management
policy the bank has set a threshold level of 99.0% availability for
any given month. If the processing systems availability in a given
month drops below 99% management intervention is required.
Bank Ws management considers that for its current level of

business, the operational losses associated with less than 2%
system down time are minimal and acceptable. However, down
time above 2% is unacceptable. The threshold is set at 1% to
permit management to resolve the problems before severe losses
are incurred.

6.5 Scenario analysis
Within the Advanced Measurement Approach, the Basel

Framework requires banks to support the use of internal and
external data with scenario analysis.
Using historical internal and external data introduces a number of

issues into the internal models, most notably accuracy, relevance
and completeness.
Under the Advanced Measurement Approach banks are required to

validate their measurement models and to complement the data by
running scenarios of potential operational risk events.

These scenario tests are what if exercises combining external and

internal data, control factors and expert opinion to understand the
potential impact on the bank of extreme low frequency/high severity
events.
Under Basel II banks are required to understand the impact of

multiple extreme events occurring simultaneously. Scenario
analysis allows a bank to understand its own risk profiles and can
indicate the accuracy of the measurement models.
Once a bank runs a scenario it utilizes the results as input for its
risk capital models.

6.5 Scenario analysis example
Bank H has implemented a business continuity plan that covers its

trading operation. In the event of a serious problem that prevents it
from trading at its current location, the continuity plan states key
staff will be moved to another temporary location and continue
trading.
As part of Bank Hs use of the Advanced Measurement Approach it

runs an operational risk scenario. This scenario looks at the
situation where trading is stopped due to a flood caused by a burst
water pipe.
At the same time there is a building fire near the banks business
resumption site thus preventing staff from entering the temporary
trading building.

6.5 Scenario analysis example
Bank H finds that this scenario has catastrophic results because it

has no alternative to the resumption site and its traders wouldnt be
able to trade.
Bank Hs management takes two actions. First it updates its capital

calculation model to account for this tail event. Second, senior
management enters into an agreement with Bank K (a peer group
member) for it to provide back up resumption facilities in the
unlikely event that Bank H cannot access its resumption site.
Once this agreement is in place Bank H reruns the scenario and

finds that its impact is now negligible and readjusts it capital
calculation model.

When a bank uses scenario analysis to support its Advanced

Measurement Approach models it draws on expert opinion.
This can be drawn internally from a banks own experiences or

from external sources, such as industry experts and other banks.

6.6 The use of insurance to reduce operational risk
The Advanced Measurement Approach has been modified as a

result of the Quantitative Impact Studies (QIS) process. The main
change to the Advanced Measurement Approach, resulting from
QIS3, is allowing financial institutions to use insurance as an
operational risk mitigation factor.
Banks can reduce their operational risk capital charge by up to 20%

by having the appropriate insurance.

The use of insurance as a risk mitigation factor is subject to a

number of Basel II criteria. These include:
the insurance policy must have a duration of at least one year

the policy must be with a provider of A quality credit standing or
better
the policy must have a notice period of 90 days or more
the policy must be provided by a third party
the use of insurance as a mitigating factor must be clear, well
documented, well reported and based on sound reasoning
the reduction in risk capital must reflect the level of insurance and
be consistent with the actual likelihood and level of loss.

Indonesia Certificate in Banking Risk and Regulation Training Instructor Course - Level 3

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Indonesia Certificate in Banking Risk and Regulation Training Instructor Course - Level 3

Hochgeladen von

Copyright:

Verfügbare Formate

Indonesia Certificate in

Banking Risk and Regulation

Global Association of Risk Professionals, Inc.

Market risk and treasury risk Part A

1. An introduction to the use of 2. The Internal Models

Credit risk and operational risk Part B

4. Internal Ratings-Based 6. Advanced Measurement

Supervision and regulation

8. The supervisory 9. Supervision of operational 10. Basel II disclosure 11. The BI

Global Association of Risk Professionals, Inc.

6.1 The Advanced Measurement Approach

The Basel II Accord specifies three different approaches that can

Of the three, the Advanced Measurement Approach is the most

The Advanced Measurement Approach differs from the Basic

Global Association of Risk Professionals, Inc.

6.1 The Advanced Measurement Approach

Instead it permits a bank to use its own internal operational risk

Global Association of Risk Professionals, Inc.

6.1 The Advanced Measurement Approach

Global Association of Risk Professionals, Inc.

6.1 The Advanced Measurement Approach

Internationally active banks and banks with significant operational

Global Association of Risk Professionals, Inc.

6.1 The Advanced Measurement Approach

The Advanced Measurement Approach uses historical internal loss

Within the Advanced Measurement Approach the Basel II Accord

Global Association of Risk Professionals, Inc.

6.1 The Advanced Measurement Approach

Advanced Measurement Approach techniques

Although no model or methodology is specified under the

Internal Measurement Approach (IMA)

A brief description of each technique is provided in the following

Global Association of Risk Professionals, Inc.

6.1.1 Internal Measurement Approach

The Internal Measurement Approach (IMA) is similar to the Internal

Under the Internal Measurement Approach a bank maps its

Global Association of Risk Professionals, Inc.

6.1.1 Internal Measurement Approach - example

Global Association of Risk Professionals, Inc.

6.1.1 Internal Measurement Approach - example

Global Association of Risk Professionals, Inc.

6.1.1 Internal Measurement Approach

For each business line/risk type an exposure indicator, such as

This exposure indicator represents the amount of operational risk in

Expected losses (EL) for each business line/risk type combination

Global Association of Risk Professionals, Inc.

6.1.1 Internal Measurement Approach

Thus for each business line/risk type combination the expected

The probability of an event occurring and its estimated losses are

PE is the equivalent of credit risks probability of default (PD) and

Global Association of Risk Professionals, Inc.

6.1.1 Internal Measurement Approach example

Bank AA is a retail bank and has a gross income of USD 65 million

Bank AA uses the IMA to calculate its operational risk regulatory

Exposure indicator (EI) = USD 65 million

Global Association of Risk Professionals, Inc.

6.1.1 Internal Measurement Approach example

Risk-event type PE LGE EL (EIxPExLGE)

Global Association of Risk Professionals, Inc.

6.1.1 Internal Measurement Approach

The Internal Measurement Approach assumes a straightforward

For a given business line/risk type the expected losses are

The gamma in the operational risk IMA equates to the risk-weight