Using Meaningful KRI s for Basel II Operational Risk Management

Transcription

1 Using Meaningful KRI s for Basel II Operational Risk Management Presentation to: The Association of International Bank Auditors November 4, 2008 The Association of the Bar of New York City

2 3

3 What do these firms have in common? They were each in their own way able to weather one of the worst storms in financial history It has been determined that: Financial institutions have a greater chance of sustained growth if they can quickly anticipate and adapt to the changing risks they face. Anticipating the Shift 4

4 Senior Supervisors Group Observations on Risk Management Practices during the Recent Market Turbulence March 6,

5 Four differences in risk management approaches were as follows: IDENTIFYING RISK APPETITE TO RISK MITIGATION STRATEGY The balance that each firm s senior management in general achieved between its desire to do business and its appetite for risk as reflected in the tone set for developing or enforcing controls on the resulting risks ; IDENTIFYING RISK TO TAKING ACTION The role that senior management in particular played in identifying and understanding material risks and acting on that understanding to mitigate excessive risks; BREAK-THROUGH UPWARD CORPORATE COMMUNICATIONS BARRIERS The efforts that senior management undertook to surmount organizational structures that tended to delay, divert, or distort the flow of information up the management chain of the firm; and BREAK-THROUGH X-DISCIPLINARY COMMUNICATIONS BARRIERS The breadth and depth of crossdisciplinary discussions and communication of insight into relevant risks across the firm. Senior Supervisors Group Observations on Risk Management Practices during the Recent Market Turbulence March 6,

6 Enterprise Risk Management (ERM) Current View Risk Management Responsibilities Communication Tied to Meeting Strategic Object tives Communication Tie ed to Tolerance Entity Level Culture Setting Strategic Objectives & Direction Risk Appetite Code of Ethics Corporate Policies Management Level Line of Business Limits / Risk Tolerance & Thresholds Divisional Policies Risk Assessment & Response Decisioning Approval Level Setting Organizational Design Supervisory Level Scenario Level Risk & Control Activities Review Key Risk Indicators Data Validation Surveillance Level Quantitative Analysis (VaR, LGD, OpVar) Imbedded Testing Rules-Based or Artificial Intelligence Monitoring Risk Identification Governance & Compliance Risk Response 7

7 Relating ERM to Basel II Operational Risk

8 How much risk is an organization willing to accept in pursuit of creating value, [ not how much it is able to take.] Identify Factors Affecting Threshold Risk Appetite Business & Tactical Strategy Monitor the Threshold Risk Tolerance Strategic Objectives Specify the Threshold Examples: Financial, Social and Environment al Intent e.g., To Not make $ in spite of How we meet regulatory obligations How much risk is the organization able to financially pay for losses as a result of risk related events? Examples: +/- 5% variation in revenue 0% Regulatory fines/penalties 9

9 Primary Findings OCC Survey of Credit Underwriting Practices (October 2007) Commercial and retail credit underwriting standards eased for a fourth consecutive year. The 2007 survey reflected a divergence of commercial underwriting standards by institution size. Large banks continued to ease standards, especially for leveraged and large corporate products. Mid-size banks eased standards modestly, while community banks tightened standards. More banks eased retail underwriting standards than tightened, primarily due to competition. Easing was concentrated in the large bank group. October 2007 Did Big Bank CEO s Risk Appetite Change between ? How Did This Change in Confidence Reflect in Strategic Objectives? What Would you Expect the Bank s Risk Tolerances to Look Like Now? What Key Risk Indicators Would you Develop to Prevent this from Happening Again? How Do You Think this Tightening is Reflected in Business Strategy and Tactics Say in Underwriting? 10

10 KRI s in Relation to Economic Capital Investment in KRIs will reap benefits including ability to: Help Define Basel II Business and Environmental Internal Control Factors (BEICF) Closer to Real - Time Help justify right-sizing adjustments in allocated economic capital to actual risk levels.

11 Simple Definition A KRI tracks an important exposure and does it well. A Common indicator is relevant to everyone in the organization (e.g., Customer Complaints, Employee Morale) A Specific indicator is relevant to Business Unit (e.g., number of unmatched trades) From Wikipedia, the free encyclopedia A Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how risky an activity is. It differs from a Key Performance Indicator (KPI) in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future adverse impact. KRI give us an early warning to identify potential event that may harm continuity of the activity/project. KRIs are a mainstay of Operational Risk analysis. 12

12 Proper implementation of KRI s improve a firm s ability to: Clearly convey risk appetite Optimize risk and return and Improve likelihood of achieving primary business goals through more effective operational risk management. Begin with Risk / Control Self-Assessment. This step is key to bridging Expected/Unexpected Losses with KRI s. Understand the Top Down economic and business perspective, and prepare to use a bottom-up approach under a common loss category/causal factor framework for each Business Unit Before starting, make sure you ve: Defined Organizational Topography: Lines of Business, Business Units, Cross-Functional Units Established C-Level Buy-In Pre-Planned Communication Structures (i.e., not used for compensation, discussed through Risk Management) Determined Appropriate Level of Resources are Available to Implement a Reliable KRI Development Process Developed an Implementation Plan e.g., Targeting a Pilot Area with Biggest Expected Return for Time Spent Begin with the End in Mind At the end of the day, KRIs should be: Consistent Comparable with other business units/lines of business (Apples : Apples) Relevant Ties to risk tolerance / appetite Transparent Easily understood in common business language function Complete Data validation to ensure accurate / complete 13

13 Ask these 3 questions: What Are the Worst Losses/Near Misses Over the Past 10 Years Caused in this Business Unit? Your Competitors Units? (95 99% CL) [Identify Factors Affecting Threshold] Identify Factors Affecting Threshold What Would be the Level of Loss I Could Tolerate vis-à-vis my Business Unit Strategic Plan? [Specify the Threshold] Specify the Threshold Monitor the Threshold Evaluate Enterprise Level Risks, Historical Loss and Near Miss History, Relate it to Business Unit, Consortium Data (KRIex) Causal Factors Tied to Loss Event Types Leading (preventative) - # Credit Limit Overrides Lagging (detective) - # System Outages Current - # Legal Actions or Customer Complaints Ties to Risk Tolerances and LOB Business Plan Work backwards from capital requirements Corporate Underwriting no single credit > $6M w/out SVP Approval E.g., </= 2% Manual Overrides on Trading Account Entries Ensure Threshold is Relevant to Scaling Data for Comparability How Often Would I Need to Monitor the Risk Indicators & To Whom Would I Escalate to Take Action in Enough Time to Mitigate Loss? [Monitor the Threshold] Daily, Monthly, Quarterly Report to Business Line Management Take Corrective Action Early 14

14 Business Unit #1 Inherent Risk Analysis: Corporate Finance Underwriting Loss Categories Internal Fraud External Fraud Employment Practice & Workplace Safety Clients, Products and Business Practices Business Disruption & Failure Damage to Physical Assets Execution, Delivery & Process Mgmt. Strategy Loss of Key People w/o Succession Product Design Tied to Inadequate Credit Standards Dept. BCP Plan Does not Work w/firm-wide Aggregate Credit Limits Are Exceeded Management Abuse of Signing Authority Undocumented Termination Process Poor Oversight of Underwriter Decisions Not Providing Employees with BCP Instructions Underwriting Fees not Collected or Accounted for Conduct Employee Self-Dealing Sexual Harassment Lawsuits Underwriters taking Bribes Negligence in Employee Performance Process Conflicting Duties s/u in Organization Fraudulent Borrower Documents Customer Identification / KYC Not performed Instruction BCP not Clear. Credit Policies/Proce dures Unclear Technology Access Security Breach Firewall Security Lax Corporate Credit Application UnderFunctions Systems will not Recover within Required Time Data is Corrupted System to System transmission error External Factors Damaging Viruses being Introduced in Cyber Attacks Massive Defaults in Corporate Credits in US Outsource Vendors Fail in the event of a Disaster Fire, Flood Monitoring Functions Legal & Finance IT Security & Legal H/R Legal IT IT Governance Compliance & Finance Causal Factors Due to: 15

15 Business Unit #1 Inherent Risk Analysis: Corporate Finance Underwriting Loss Categories Internal Fraud External Fraud Employment Practice & Workplace Safety Clients, Products and Business Practices Business Disruption & Failure Damage to Physical Assets Execution, Delivery & Process Mgmt. Strategy Loss of Key People w/o Succession Product Design Tied to Inadequate Credit Standards Dept. BCP Plan Does not Work w/firm-wide Aggregate Credit Limits Are Exceeded Management Abuse of Signing Authority Undocumented Termination Process Poor Oversight of Underwriter Decisions Not Providing Employees with BCP Instructions Underwriting Fees not Collected or Accounted for Conduct Employee Self-Dealing Sexual Harassment Lawsuits Underwriters taking Bribes Negligence in Employee Performance Process Conflicting Duties s/u in Organization Fraudulent Borrower Documents Customer Identification / KYC Not performed Instruction BCP not Clear. Credit Policies/Proce dures Unclear Technology Access Security Breach Firewall Security Lax Corporate Credit Application UnderFunctions Systems will not Recover within Required Time Data is Corrupted System to System transmission error External Factors Damaging Viruses being Introduced in Cyber Attacks Massive Defaults in Corporate Credits in US Outsource Vendors Fail in the event of a Disaster Fire, Flood Monitoring Functions Legal & Finance IT Security & Legal Human Resources Legal IT IT Governance Compliance & Finance Causal Factors Due to: 16

16 And How do you Decide to Treat Your Exposure to Risk? Enterprise Risk Management Prioritizing Risk Response Almost Certain Avoid Risks Reduce Likelihood F R Likely E Q U E N C Moderate Y / L I K E L I H O O D Reduce Unlikely Acceptable or Tolerable Level of Risk Rare 0 Insignificant Reduce Consequences Minor Major Critical Extreme SEVERITY / IMPACT / CONSEQUENCES 17

17 Business Unit #1 Inherent Risk Analysis: Corporate Finance Underwriting Loss Categories Internal Fraud External Fraud Employment Practice & Workplace Safety Clients, Products and Business Practices Business Disruption & Failure Damage to Physical Assets Execution, Delivery & Process Mgmt. Loss of Key People w/o Succession Product Design Tied to Inadequate Credit Standards Dept. BCP Plan Does not Work w/firmwide Aggregate Credit Limits Are Exceeded Undocumented Termination Process Poor Oversight of Underwriter Decisions Not Providing Employees with BCP Instructions Fees not Collected or Accounted for Negligence in Employee Performance Causal Factors Due to: Strategy Suggested KRI: (Leading/Preventative) NPD / Credit Committee Uses New Product Checklist Tool to Vet all risk tolerances Management Abuse ofincluding Collateral, Authority Covenants and Cash flow. Report to SVP showing criteria met Conduct +/- Established Employee Limits. Self-Dealing Tolerance = $ All Collateral < 90% Process LTV, # Covenant ConflictingReview Fraudulent outstanding >s/u 1 month Duties in Borrower Organization Suggested KRI: (Lagging/Detective) Sexual Underwriters Harassment taking Bribes Lawsuits Systems Operations Red Flag Documents Escalate: Credit Committee Technology Suggested Access Firewall Security Security Lax Breach KRI: (Leading/Preventative) Financial Times, Regulatory Surveys, etc. Trend Industry Defaults, Fitch, External Factors Damaging Moody s Viruses being Introduced in Exceeds 2% Cyber Attacks Tolerance: Peer banks $ reported loan loss write-downs Monitoring Escalate: Functions I/A, Legal & IT Security & Credit Committee Finance Legal 100% Transmission Errors, Report # Errors Instruction and thosecustomer not resolved > 8 hours. Identification BCP not Clear. / KYC Not Toleranceperformed = Zero Escalate = CIO Corporate Credit Application UnderFunctions Recent News Event show increased levels of SH Complaints Massive Defaults in Corporate Credits in US H/R Suggested Systems will KRI: not Recover Fees Uncollected within Receivable (per G/L) Aged Required Over 5 Business Days, Time Excess of $1,000 Reported to SVP Underwriting or Outsource Fees Waived Fire, Flood Vendors Fail in the event Tolerance of a Disaster= Credit Policies/Proce dures Unclearly Written System to System transmission errors (incomplete/in accurate) >/= 1% Fees or $1000 Escalate = CFOITor LOB Legal IT & Risk Governance Controller Mgmt ATS Solutions LLC Compliance & Finance 18

18 Private Banking (LOB) Corporate Finance (LOB) Loan Operations(Back Office) Corporate Underwriting Corporate Finance (Front Office) Causal Factors are analyzed on a LOB and Enterprise Level 19

19 20

20 If you re looking for the Top10 Best Firm-Wide KRIs, Save Your Energy! Risk / exposures change continually What may be best are risk scores (Customer Satisfaction/Technology Service/Employee Satisfaction) Strive for Consistency Across Organization (e.g., Scalability, etc.) over Quantity It takes time to think about the comparability of the KRIs Calculating Correlation of KRIs with Actual Losses to Validate is a good exercise but don t expect results will justify doing KRIs - Time better spent may be correlation to other KRI s. Once implemented, KRIs work immediately so loss history collected may not be robust enough to Think about joining KRI Exchange or other Consortium. Ensuring KRIs tie directly to Risk Event / Loss Categories Focus on the pivot table concept that all roads lead back to measuring / monitoring against defined loss categories Don t make it too difficult/costly to obtain the information or to validate the information gathered It will soon be dropped. 21

21 Thank You! Contact: Kristen L. Gantt CPA CFSA Managing Director Direct (732)