Operational risk management Meeting regulatory and business expectations

Transcription

1 Operational risk management Meeting regulatory and business expectations Jonathan Humphries 3 rd September 2013

2 Agenda Introduction Why is operational risk important? Key elements of an operational risk framework Strategies for operational risk Scenario analysis Modelling Unlocking the value of insurance Conclusions 1 1

3 Introduction How can operational risk be used to deliver value to the business Building robust processes for identification, measurement, control and management Scenario analysis challenges and emerging practices Modelling the value and challenges to overcome Capital optimisation and financing 2 2

4 Introduction What is operational risk? The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events It includes legal risk, but excludes strategic and reputational risk In the context of a firm s risk taxonomy Financial Risks Other risks Pension Market ALM Credit Settlement / counterparty Business Operational Sub categories to be defined Sub categories to be defined Sub categories to be defined Sub categories to be defined Sub categories to be defined Sub categories to be defined E.g. Internal Fraud, etc 3 3

5 Why is operational risk important? Background Financial crises The financial crisis of 2008 highlighted the need for firms to improve their management of risk with a particular focus on Governance, Frameworks and Operational Risk Operational risk No matter how large or sophisticated a firm is, operational risk has been at the centre of many high profile losses Legislation and regulators (incl. Dodd-Frank (CCAR), Basel 2, 2.5 & 3, Solvency 2) Putting considerable emphasis on the need for firms to: i. Quantify their ability to absorb losses and define their risk appetite ii. iii. Understand their exposure to potential loss expected and unexpected Ensure the business is effectively capitalised to meet the requirements of (i) and (ii) 4 4

6 Why is operational risk important? Four perspectives of operational risk management CRO COO Worry: Am I managing risk effectively? Tell me how well we re doing to manage risk! Risk/ Regulation Cost/ Efficiency Worry: Am I wasting money in how I manage operational risk? Budget is tight, I need to get the cost/loss balance right Control Architecture Worry: How do I manage earnings volatility? I need to know sources of volatility! CFO Shareholder Value Balance Transparency Appetite CEO Customer Worry: Am I using risk and regulatory compliance to competitive advantage? I want to improve customer service through smarter control 5 5

7 Why is operational risk important? Using risk management to deliver value to the business Capital Management Cost Minimisation Risk Governance Drivers Regulatory objectives Capital/liquidity adequacy Customer protection Risk Appetite Risk Measurement Business objectives Revenue growth Cost minimisation Regulatory compliance Capital Sufficiency Manage risk volatility Outputs Capital management (Incl. insurance) Product development & pricing Business Value Cost reduction & management Talent management 6 6

8 Enabling Systems Loss estimates (EUR) 1,000,000, ,000,000 10,000,000 1,000, ,000 10,000 Swedish FSA OpBase Claims OpBase PKMs Bank A data 1,000 0% 10% 20% 30% 40% 50% 60% 69% 79% 89% 99% Cumualtive distribution Risk Information, decisionmaking & capital management Key elements of an operational risk framework Strategy & Objectives Governance & Organisation Policies & Procedures Communication & Stakeholder management Processes, quantification & modelling Data collection & Aggregation Risk Reporting & MI Management Actions KRI & KPI Data Internal Data BE&CF Data External Data VaR Model (gross/net of insurance) Exposure Parameters Risk Taxonomy Loss Scenarios Developed to assess exposure by ET/RC Severity by ET/RC Frequency by ET/RC Risk Capacity & Tolerance (Appetite) 7 7

9 Risk Factors or Causes Risk Categories or Events Consequences or Outcomes Direct and Indirect Losses Key elements of an operational risk framework Risk taxonomy: The dynamics of operational risk MANAGE & CONTROL MEASURE MANAGE AND CONTROL Timeline t(-1) t(0) t(1) t(2) t(n) One or more risk factors are improperly managed The operational risk event occurs One or more direct or indirect loss(es) reported as a result of the risk event 8 8

10 Key elements of an operational risk framework The role of different data elements Historical internal losses do not provide a good understanding of exposure to unexpected loss External data used in isolation does not take into consideration an organisation s specific dynamics and controls Scenarios provide an excellent mechanism to enable organisations to: identify possible future events that could give rise to unexpected or catastrophic loss assess their exposure to potential loss identify control & transfer mechanisms to manage and finance losses Frequency Expected Loss Review internal loss data Review internal risk assessments Analysis of consortia data Unexpected Loss Review near miss scenarios Analysis of peer data in OpBase (Aon claims) Analysis of consortia data Consideration of scenarios Catastrophic Loss Analysis of peer data in OpBase (publicly sourced) Consideration of scenarios OpBase*, our proprietary source of external data, is a powerful tool for developing scenarios & estimated exposure Severity * OpBase contains quantitative and qualitative information on over 19,000 losses and incidents suffered by more than 3,000 financial institutions globally 9 9

11 Strategies for operational risk The role of data in identification & measurement OPRISK OBJECTIVES? 1) Measure & capitalise 2) Manage & Control ROLES OF DATA & RECONCILIATION Measure (model) & capital management 1) Measure 2) Control ScA ILD RCSA ELD Control, manage & educate 10 10

12 Scenario analysis Risk identification and assessment sample heat map for scenario selection Using multiple data sources to identify events where large losses might materialise Retail Banking: Heat Map Identifying Risks for Evaluation by Scenario Analysis Client ET1 and ET2, OpBase Taxonomy for ET3 Data Provided by Client Ref BET 1 BET 2 (Risk Name) OpBase BET3 Non-Zero Maximum Loss Non-Zero Maximum Loss Non-Zero Maximum Loss Non-Zero Maximum Loss Non-Zero Maximum Loss 1 Technology & Infrastructure Failure 1 Technology and Infrastructure Failures Computer Virus/Glitch (Sy) ,000 1,215 12,296, ,121,208 2 Technology & Infrastructure Failure Process map & business Technology and Infrastructure Failures Hardware (Sy) ,000 1,215 12,296, , Technology impact & Infrastructure analysis Failure Technology and Infrastructure Failures Software (Sy) ,000 1,215 12,296, , ,632,506 5 Technology & Infrastructure Failure Technology and Infrastructure Failures Utility Outage/Disruptions (Sy) ,000 1,215 12,296, Technology & Infrastructure Failure Failure in payments infrastructure 2 25, Clients, Products & Business Practices Advisory Activities Disputes over Performance of Advisory Activities (AA) ,111 2, ,000, , ,651, Clients, Products & Business Practices Improper Business or Market Practices Antitrust (IB or MP) 14 11,806 2, ,708, ,062, ,770,120,000 9 Clients, Products & Business Practices Improper Business or Market Practices Corporate Governance of Client of the Financial Institution (IB or MP) 14 11,806 2, ,708, , ,912,272, Clients, Products & Business Practices Improper Business or Market Practices Corporate Governance of FI (IB or MP) 14 11,806 2, ,708, ,249, ,207, Clients, Products & Business Practices Improper Business or Market Practices Improper Advertising (IB or MP) 14 11,806 2, ,708, ,534, Clients, Products & Business Practices Improper Business or Market Practices Improper Trade/Market Practices (IB or MP) 14 11,806 2, ,708, ,866, ,230,119, Clients, Products & Business Practices Improper Business or Market Practices Insider Trading (on firm's account) (IB or MP) 14 11,806 2, ,708, , Clients, Products & Business Practices Improper Business or Market Practices Intellectual Property Violations (IB or MP) 14 11,806 2, ,708, Clients, Products & Business Practices Improper Business or Market Practices Libel/Slander/Defamation (IB or MP) 14 11,806 2, ,708, , , Clients, Products & Business Practices Improper Business or Market Practices Market Manipulation (IB or MP) 14 11,806 2, ,708, ,703, ,113,536, Clients, Products & Business Practices Improper Business or Market Practices Problems Resulting from a Merger/Acquisition (IB or MP) 14 11,806 2, ,708, ,484, ,196, Clients, Products & Business Practices Improper Business or Market Practices Sales Discrimination (IB or MP) 14 11,806 2, ,708, ,227,302, Clients, Products & Business Practices Improper Business or Market Practices Unlicensed Activity (IB or MP) 14 11,806 2, ,708, ,121, Clients, Products & Business Practices Non-compliance with Anti-Money Laundering regulations Money Laundering (IB or MP) ,242, Clients, Products & Business Practices Product Flaws Model Errors (PF) 4 6, ,015, ,050, Clients, Products & Business Practices Product Flaws Product Defects (unauthorised, etc.) (PF) 4 6, ,015, Clients, Products & Business Practices Selection, Sponsorship & Exposure Exceeding Client Exposure Limits (S, S & E) 4 54, ,000, , Clients, Products & Business Practices Selection, Sponsorship & Exposure Failure to Investigate Client per Guidelines (S, S & E) 4 54, ,000, , Clients, Products & Business Practices 3 Suitability, Disclosure & Fiduciary Account Churning (S, D & F) 3 4,000 2,608 3,071,520, , ,458, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Aggressive Sales (S, D & F) 3 4,000 2,608 3,071,520, ,953, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Breach of Contract (S, D & F) 3 4,000 2,608 3,071,520, ,623, ,846, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Breach of Privacy (S, D & F) 3 4,000 2,608 3,071,520, , ,242, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Conflict of Interest (S, D & F) 3 4,000 2,608 3,071,520, ,765, ,321, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Director/Officer Negligence (S, D & F) 3 4,000 2,608 3,071,520, ,227, ,885, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Errors & Omissions (S, D & F) 3 4,000 2,608 3,071,520, ,238, ,557, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Fiduciary Breaches (S, D & F) 3 4,000 2,608 3,071,520, ,818, ,608,580, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Guideline Violations (S, D & F) 3 4,000 2,608 3,071,520, ,962, ,303, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Lender Liability (S, D & F) 3 4,000 2,608 3,071,520, , ,250, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Misuse of Information/Trade Secrets (S, D & F) 3 4,000 2,608 3,071,520, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Non-Disclosure of Sensitive Issue (S, D & F) 3 4,000 2,608 3,071,520, ,197, ,340, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Retail Consumer Disclosure Violations (S, D & F) 3 4,000 2,608 3,071,520, , ,903, Clients, Products & Business Practices Suitability, Disclosure & Fiduciary Suitability/Disclosure Issues (KYC, etc.) (S, D & F) 3 4,000 2,608 3,071,520, ,235, ,150,016, Clients, Products & Business Practices Sensitive or confidential information compromised Misuse of Confidential Information (S, D & F) ,894, ,839,000 Aon Data Internal Losses ORX Losses RCSA Aon Claims PKM Losses 11 11

13 Stress loss 1 in 5 yr loss Scenario analysis Sample Scenario template Definition Basel II Risk Type Level 1 Definitions Basel II Risk Type Level 2 Clients, Products & Business Practices Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary / suitability requirements), or from the nature / design of a product Suitability, Disclosure & Fiduciary Losses arising from the firm engaging in account churning practices [i.e. performing or encouraging multiple transactions in order to generate higher commissions], aggressive sales, breach of customer account agreement, breach of privacy, misuse of customer confidential information, guidelines violation (own guidelines or imposed by an administrative or regulator body), non-disclosure of sensitive issues, retail consumer disclosure violations, suitability / disclosure issues (e.g. Know Your Customer), lender liability and errors or omissions. Causal Factors Scenario description(s) Consequential Factors Misrepresentation Disclosure Breach of Fiduciary Duty / Bad Faith The firm is accused of referring a number of clients to a Registered Investment Advisor (RIA) with know disciplinary and performance issues. After incurring significant losses in their accounts, the customers of the RIA allege that the firm had knowledge of previous customer complaints related to the RIA and continued to refer clients to them. Settlement / compensation Individual action Class Action Negligence The regulator receives several thousand complaints against a bundled investment offering alleging that its marketing material contains untrue statements of material facts and omit other facts (inaccurate disclosure of underlying risks). The regulator s Enforcement Division decides to investigate the firm and identifies systematic failures around Retail Consumer Disclosures. Regulatory inquiry / Administrative proceedings Arbitration Criminal complaint A lawsuit is brought by the regulator against the firm which leads to the firm paying a significant fine and having to compensate a large number of affected customers. Reference Data Incident count Internal losses (>$5k) Risk Register (RC&SA) Aon Claims Publicly sourced # losses OpBase reference data Severe losses for similar events in peer institutions PKM04507 Dexia Bank Nederland NV ($516m) PKM01338 Household Int Ltd ($484m) Aon19737 Fiduciary breaches ($92m) Exposure assessment 1) Frequency Assessment 2) Severity Assessment (Single Loss) Frequency Assessment Estimated annual count Severity Assessment Median 1:10y 1:40y Selected TBA Selected TBA TBA TBA 12 12

14 Scenario analysis Develop a robust picture of risk profile (prior to modelling) a scenario estimation platform Background The scenario (ScA) development process is an important contribution to understand resilience to threats that can have a severe impact on the business The output the ScA process is often used as a primary input into a firm s OpRisk capital model Challenges ScA process is very judgmental, relying on the knowledge of business experts ScAs are generally used to try to understand the types of losses that occur rarely - tail risks ScA participants tend to under-estimate exposure of their business to potentially severe losses Main challenge for firms is how do we make sure ScAs are not completely subjective? Purpose of Aon s Scenario Estimation Platform Help facilitators challenge participants assessments (without giving participants use of the tool) Provide a range of realistic or acceptable values for ScA based on an analysis of available internal and external data Please note: it remains a support rather than an absolute assessment. The participants should retain the ownership of the ScA process output 13

15 Modelling Why build a model? To meet regulatory requirements for capital planning purposes To examine the risk sensitivity of capital calculations To meet internal requirements - risk appetite, economic capital, earnings at risk To improve risk management by leveraging scenario or model outputs for strategic decisions like choice of products, M&A, insurance protection, monitoring business units performance 14 14

16 Modelling Required elements for an internal or AMA model An internal model requires the use of four data elements: Internal loss data External loss data Scenario analysis Business environment and internal control factors (BEICFs) The philosophy is that these elements can be combined in different ways to quantify exposure, as long as it is clearly justified and successfully defended Explicit constraints: The capital charge is derived from the annual loss distribution using a confidence level of 99.9% (1 in 1,000 year loss) For a economic capital model the confidence interval is defined by a firm s target credit rating, e.g. AA corresponds to a confidence interval of 99.95%, etc 15 15

17 Loss Amount $1,000,000,000 $100,000,000 $10,000,000 $1,000,000 $100,000 $10,000 Loss Amount $1,000,000,000 $100,000,000 $10,000,000 $1,000,000 $100,000 $10,000 $1,000 80% 82% 84% 86% 88% 90% 92% 94% 96% 98% 100% Mean = $34,000 Mean = $34,000 PKM Charles Schwab 95th Percentile 99th Percentile Fitted distribution 95th Percentile = $160,000 99th Percentile = $526,000 PKM Charles Schwab 95th Percentile 99th Percentile Fitted distribution 95th Percentile = $160,000 99th Percentile = $526,000 $1,000 80% 82% 84% 86% 88% 90% 92% 94% 96% 98% 100% Modelling Generic model development or implementation steps Choice of Granularity Frequency Calibration Severity Calibration Convolution Risks Aggregation (correlations) AMA steps BL or Group ET1 Frequency 1 Severity 1 Annual Loss 1 Severity Distribution above $5,000 Scenario 6 Initial Indication of Percentile Point for each Data Point (associated with nth highest loss when put in size order)... Annual Loss Aggregate diversified CaR ETj Severity Distribution above $5,000 Scenario 6 Frequency j Severity j Annual Loss j 99.9% Initial Indication of Percentile Point for each Data Point (associated with nth highest loss when put in size order) Informed by the Four Data Elements (ILD, ELD, Scenarios, BEICF) 16 16

18 Modelling Generic model development or implementation steps The main steps for all AMA/internal models At each step, various options are permitted : one can decide to focus on historicallooking views (in case of availability of loss data) or on forward-looking views (Scenario based on expert opinions) This implies 3 main strategies : Internal data driven models (LDA) : loss data are the main driver and are then refined by the external data and the scenarios Scenario driven models (SA) : the parameters are derived from expert opinions, which are given looking at historical data and risk indicators A combination of the above In every case, the model has to take into account explicitly or implicitly the four different data sources, the difference between the strategies being the weight of loss data (internal and external) vs. the weight of expert judgement. The chosen strategy will depend on the bank s own characteristics (data quality and quantity, level of granularity, quality of adjustments...)

19 Modelling Illustration of modelled Value at Risk (VaR) results Mean Loss ($) Millions Aggregate Loss ($) Millions Illustrative risk profile Results shown by event type are undiversified 99.9th Percentile 99.5th Percentile 99th Percentile 95th Percentile 90th Percentile 80th Percentile Mean Internal Fraud External Fraud Employment Practices & Workplace Safety Clients, Products & Business Practices 0.01 Damage to Physical Assets 0.13 Business Disruption & System Failures Note: This case study uses an overall diversified 99.9%ile VaR (capital) number of $175 million for illustrative purposes only Execution, Delivery & Process Management

20 Modelling Key challenges Data quality, comprehensiveness and use Internal loss data Scenario analysis External data Model design, build and validation The use of complex models Units of measure Model validation 19 19

21 Modelling Current practices in the UK: governance, use and validation In July, we undertook a survey of 60 senior operational risk executives from leading banks, insurers and asset managers to understand current practices in the UK in relation to model governance, use and validation Survey participant profile W ha t is yo ur ma in b usine ss? Ho w ma ny p e o p le a re e mp lo ye d in yo ur o rg a nisa tio n g lo b a lly? Answe r Op tio ns Resp o nse Pe rce nt Banking 46% Insurance 42% Investment 13% Other (please 8% Answe r Op tio ns Less than 2,500 2,500-25,000 25, ,000 Greater than 100,000 Re sp o nse Pe rce nt 24.0% 28.0% 28.0% 20.0% Model type and use Answe r Op tio ns Basel II Solvency II BIA AMA Sta nd a rd fo rmula Pa rtia l inte rna l with sp e cific Op Risk mo d e l Full inte rna l mo d e l 6% 28% 0% 22% 0% 0% 0% 8% 58% 33% 20 20

22 Data quality Model maturity Modelling Current practices in the UK: Data quality and perceived model maturity An external party could easily replicate our methodology using only our internal documentation and loss & scenario data Model is in line with industry best practice Model meets regulatory requirements RCSA & other BEICF data reconciliation (e.g. with data, scenarios, calculation engine etc.) Points of interest Back-testing the scenario analysis Monitoring the quality of scenario outputs Data integrity (e.g. description quality, negative values, nonsensical years, blank fields, etc) Data point checks (e.g. checking trends, analyse peaks, check for duplicates, etc.) 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 21 21

23 Validation tests Validation team Modelling Current practices in the UK: Model validation tests & capabilities We don t have a validation team Integrated into the build & design team Separate from build & design team, but under same senior management Statistical back-testing of OpRisk models is not possible Convergence testing Benchmarking of model outputs Points of interest Model replication Sensitivity testing on choice of distributions Sensitivity to changes in data Sensitivity testing on parameters 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 22 22

24 Governance Reporting Use Modelling Current practices in the UK: Model governance, reporting & use Measuring exposure to unexpected losses (below RegCap), e.g. 90% (1 in 10 yrs, etc) Points of interest Calculating Ecap Calculating Reg Capital Measuring expected losses (EL) OpRisk information & data produced is used to drive changes in the control environment OpRisk is considered when launching new products, services or processes Reports produced assist management in making decisions Risk framework is fully integrated into the business Process for collection & reporting of OpRisk losses is embedded 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 23 23

25 Unlocking the value of insurance The relationship between events and policies Insurance has a long history of responding to operational risk But, individual events link to multiple policies and multiple events link to single policies Response is also affected by whether a loss occurs on a 1 st party or 3 rd party basis The relationship is complex Event Type Level 1 Internal Fraud External Fraud Employment Practices & Workplace Safety Clients, Products & Business Practices Damage to Physical Assets Business Disruption & Systems Failure Execution, Delivery & Process Management Event Type Level 2 Unauthorised activity Theft & fraud Theft & fraud Systems Security Employee Relations Safe Environment Employees Safe Premises Invitees Diversity & Discrimination Suitability, Disclosure & Fiduciary Improper Business / Market Practices Product Flaws Selection, Sponsorship & Exposure Advisory Activities Disasters & Other Events Systems Failure Transaction Capture, Execution & Maintenance Monitoring & Reporting Customer Intake, Documentation Customer Account Management Trade Counter-parties Vendors & Suppliers Mapping to Policies 1 st ~ BBB, UT 3 rd ~ PI 1 st ~ BBB, Cyber, Property 3 rd ~ PI 1 st ~ BBB, Cyber, Property 3 rd ~ PI 1 st ~ BBB, Cyber, Property 3 rd ~ PI 3 rd ~ EPL, GL 3 rd ~ EL, GL 3 rd ~ GL 3 rd ~ PI, GL 3 rd ~ PI, Cyber 3 rd ~ PI, Cyber, GL 3 rd ~ PI, GL 3 rd ~ PI 3 rd ~ PI, Cyber 1 st ~ Property 1 st ~ Property, Cyber, BBB 3 rd ~ Cyber 3 rd ~ PI 3 rd ~ PI 3 rd ~ PI 3 rd ~ PI, Cyber 3 rd ~ PI 3 rd ~ PI, GL 24 24

26 Aggregate Losses ($) Millions Mean Losses ($) Millions Unlocking the value of insurance Quantifying the impact of insurance (net for a $75m limit) 90 Illustrative risk profile - gross & net of insurance Results shown by event type are undiversified 99.9th Percentile 99.5th Percentile 99th Percentile 95th Percentile 90th Percentile 80th Percentile Mean Gross Net Gross Net Gross Net Gross Net Gross Net Gross Net Gross Net - Note: IF EF EP&WS CP&BP DtPA BD&SF This case study uses an overall diversified capital number of $175 million for illustrative purposes only. Insurance programme considered includes Crime & Professional Liability with a limit of $75m 25 ED&PM 25 25

27 Unlocking the value of insurance Structure optimisation (Total Cost of Risk vs Capital) Using an efficiency frontier approach we can identify the range of options offering greatest value Cost minimisation (expected/retained losses) plus premiums Capital optimisation (volatility minimisation) There is considerable value to be derived from insurance in terms of: Capital financing under Pillar 1 or 2 using emerging solutions P&L management using traditional policies, such as crime and Professional Indemnity 26 26

28 Conclusions Regulators are putting considerable emphasis on the need for firms to improve their management of risk with a particular focus on Governance, Frameworks & OpRisk The current focus within institutions on business efficiency, cost cutting and change will likely lead to significant tail risk in the future Understanding these dynamics will create a competitive advantage for firms The optimisation of a firm s risk finance programme can add significant value from both a capital management and capital utlilisation perspective There is an opportunity for firms to build frameworks that meet regulatory expectations, whilst delivering value for the business: Informing business decisions in areas such Process improvement, product development and control investment Using insurance to off-set capital and manage volatility 27 27

29 Copyright Aon UK Limited All rights reserved. No part of this publication may be produced, stored in a retrieval system, or transmitted in any way or by any means, including photocopying or recording, without the written permission of the copyright holder, application for which should be addressed to the copyright holder.