Operational Risk Management. By: A V Vedpuriswar

Transcription

1 Operational Risk Management By: A V Vedpuriswar September 17, 2017

2 Introduction Globalization and deregulation of financial markets, combined with increased sophistication in financial technology, have made banking activities very complex. Events such as the September 11 terrorist attacks, rogue trading losses at Barings, UBS and the Y2K scare serve to highlight the importance of operational risk management. Operational risks faced by banks today include fraud, system failures, terrorism and employee compensation claims. 1

3 Conceptual Issues Unlike market/ credit risk, operational risk is largely internal to financial institutions. As institutions are understandably reluctant to advertise their mistakes, it is more difficult to collect data on operational losses. Moreover, losses may not be directly applicable to another institution, as they were incurred under possibly different business profiles and internal controls. Market/ Credit risk can be conceptually separated into exposures and risk factors. Exposures can be easily measured and controlled. In contrast, the link between risk factors and the likelihood and size of operational losses is not so easy to establish. Very large operational losses, which can threaten the stability of an institution, are relatively rare. This leads to a very small number of observations in the tails. This thin tails problem makes it very difficult to come up with a robust value for operational risk (VOR) at a high confidence level. As a result, there is till some scepticism as to whether operational risk can be subject to the same quantification as market and credit risks. 2

4 Typical Bank Org Structure 3

5 Front Office The more client-facing side of the business is known as the front office. These personnel typically include: sales people who act as the main contact point between the bank and its clients. traders/market makers, who are responsible for executing trades with various counterparties. 4

6 Middle Office 5

7 Middle Office functions (1) Initial trade verification The input of trades into relevant trading systems Investigation of any discrepancies in trade details Daily P&L reporting Reconciliation and updating of trading positions Monitoring risk limits 6

8 Middle Office functions (2) The middle office function attempts to bridge the gap between the front office the back office The middle office typically gets involved in risk management control aspects of trading. The middle office personnel are capable of independently valuing portfolios analyzing risk positions. 7

9 Back Office functions Some key responsibilities of back office employees include: capturing trade details in the settlement system validating trade details issuing settlement instructions ensuring that the trades settle on the value date making payments by electronic transfer mechanisms ensuring timely delivery of securities 8

10 The Trade Lifecycle Trading Activities Trade Execution Trade Capture (Front office) Trade Capture (Back Office) Operational Activities Trade Enrichment Trade Validation Trade Agreement Transaction Reporting Settlement Instructions The Role of the Custodian Pre Value Date Settlement Instruction Status Settlement Failure Trade Settlement Reflecting Trade Settlement Internally

11 Trade skeleton The typical trade information fed by a trading system and captured by the settlement system is called the trade skeleton. These are the minimum details a trader or market maker must provide as these items are variable and cannot be guessed by the settlement department. 10

12 Recording details, Trade agreement, Validation Inaccurate recording of trading details can lead to unnecessary costs and risks for the bank. To prevent inaccurate information being sent to the outside world, trade information must be validated. It has become standard practice in many markets to strive for trade agreement as soon as possible after trade execution. In many securities marketplaces, individual trade details must be sent to the regulator by a specified deadline. 11

13 Settlement : Exchanging Securities and Cash The exchange of securities and cash is known as settlement with the securities industry. The most efficient and risk-free method of settlement is known as Delivery versus Payment (DvP). DvP involves simultaneous exchange of securities and cash between buyer and seller (through their custodians). The seller is not required to deliver securities until the buyer pays the cash. The buyer is not required to pay cash until the seller delivers the securities. 12

14 Free of Payment The alternative to settling a DvP basis is to settle on a Free of Payment (FoP) basis. Parties will need to arrange delivery of securities or payment of cash prior to taking possession of the other asset. Due to the risks involved, most banks avoid settling in this manner, whenever possible. 13

15 Static data Static data (sometimes referred to as standing data ) describes data that changes occasionally, or not at all. The two principal components are: Securities static data Counterparty static data. The data must be carefully maintained. If for instance, the coupon rate on a bond is not set up correctly, incorrect trade cash values will result. Similarly, an incorrect counterparty postal address could result in a client failing to receive a trade confirmation. Books and records must be accurate, up-to-date, complete and reflect reality. 14

16 Compliance The compliance officers within a bank are responsible for ensuring conformity to the various rules and regulations, as laid down by the local regulatory authority. This implies that: only qualified personnel execute trades on the bank s behalf; reporting of trade and positional information to the regulatory authorities is complete and effected within the stated deadlines; methods of investigating trade disputes between the STO and its counterparties are carried out in a thorough and correct manner; measures are taken to prevent unlawful activities within the STO, such as insider trading. 15

17 Settlement failures Insufficient securities Insufficient cash Unmatched settlement instructions 16

18 Definition The Basel Committee defines operational risk as: "The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." This definition includes legal risk, but excludes strategic and reputational risk. Banks can adopt their own definitions of operational risk, if the minimum elements in the Committee's definition are included. 17

19 Types of Operational Risk Internal fraud External fraud Employment practices and workplace safety Clients, products, business practices Damage to physical assets Business disruption and system failures Execution, delivery and process management 18

20 Internal Fraud Intentional misreporting of positions Unauthorized undertaking of transactions Deliberate mismarking of positions Insider trading (on an employee's own account) Malicious destruction of assets Theft/robbery/extortion/embezzlement Bribes/kickbacks Forgery Willful tax evasion 19

21 External Fraud Theft/robbery Forgery Computer hacking damage Theft of information Check kiting 20

22 Employment practices and workplace safety Employee compensation claims Wrongful termination Violation of health and safety rules Discrimination claims Harassment General liability 21

23 Clients, products and business practices Breaches of fiduciary duties Suitability/disclosure issues (KYC, and so on) Account churning Misuse of confidential client information Antitrust Money laundering Product defects Exceeding client exposure limits 22

24 Damage to physical assets Natural disasters (earthquakes, fires, floods, and so on) Terrorism Vandalism 23

25 Business disruption and system failures Hardware and software failures Telecommunication problems Utility outages/disruptions 24

26 Execution, delivery and process management Miscommunication Data entry errors Missed deadline or responsibility Model errors Accounting errors Mandatory reporting failures Missing or incomplete legal documentation Unapproved access given to client accounts Non-client counterparty disputes Vendor disputes Outsourcing 25

27 Qualitative assessment Environment Activities Supervision Disclosure 26

28 Risk Assessment Checklists Questionnaires Workshops Scorecards 27

29 Operational Risk Indicators Operational risk indicators attempt to identify potential losses before they happen. Some indicators are applicable to specific organizational units (for example, transaction volumes and processing errors). Others can be applied across the entire bank (for example, employee turnover, new hires and number of sick days). In practice, the most common risk indicators are lagging or ex -post measures. They provide information on events that have already taken place (eg, failed trades, settlement errors, and so on). 28

30 Statistical Approaches Statistical approaches involve the collection of actual loss data and the derivation of an empirical statistical distribution. An unexpected loss amount, against which banks must hold a capital buffer, can then be calculated from the distribution. In theory, the unexpected loss can be calculated to any desired target confidence level. In practice, many banks are working towards measuring operational risk to a 99.9% confidence level. 29

31 Legal risk The Basel Committee's definition of operational risk explicitly includes legal risk. Legal risk is the risk of disruption or adverse impact on the operations or condition of a bank due to: unenforceable contracts lawsuits adverse judgments other legal proceedings It can arise due to a variety of issues, from broad legal or jurisdictional issues to something as simple as a missing provision in an otherwise valid agreement. 30

32 Master Agreements There are now master agreement forms for many financial products. These agreements: create a common legal framework that can be understood by all market participants. cover most of the major legal points that should be agreed as part of documenting the transactions. Master agreements cover how the parties will conduct themselves in case of the early termination of the contractual agreements due to credit default or other unforeseen events. The agreements specify how the exposures for more than one transaction will be netted against each other. 31

33 Top down and bottom up approaches Top-down models attempt to measure operational risk at the broadest level, that is, using firm wide data. Results are then used to determine the amount of capital that must be set aside as a buffer against this risk. This capital is allocated to business units. Bottom-up models start at the individual business unit or process level. The results are then aggregated to determine the risk profile of the institution. Bottom-up models can lead to a better understanding of the causes of operational losses. 32

34 Tools to manage Operational Risk Item Audit oversight Critical Self assessment Actuarial Models Key Risk indicators Causal networks Description This consists of reviews of business processes by an external audit department. Each business unit identifies the nature and degree of operational risks Distribution of frequency of losses is combined with their severity distribution to produce an objective distribution of losses due to operational risk Simple measures such as audit scores, staff turnover, trade volumes provide an indication of whether risks are changing over time. The networks describe how losses can occur from a cascade of different causes. 33

35 Problem A particular operational risk event may happen once in 100 years. The loss if this event happens is expected to be in the range $10-85 million and follow a uniform distribution. What should be the price of insurance to protect against a loss of more than $ 65 mn? Probability of event = 1/00 =.01 Probability (Loss> 65) = (85-65)/(85-10) = 20/75 = 4/15 Expected severity = ( ) /2 = 75 Expected loss =.01 x (4/15) (75) = $.2 million = $ 200,

36 Problem Probability No of events Probability Loss.75 20, , ,000 Calculate the expected loss. Expected loss =.8(0) +.2[.75 x x100, x 600,000 = 0 +.2[15, , ,000] =

37 Sample Loss Frequency and Severity Distribution Frequency Distribution Severity Distribution Probability Frequency Probability Severity $1, $10, $100,000 Expectation 0.5 Expectation $23,500 36

38 No. of Losses First Loss Second Loss Total Loss Probability 0 $ 0 $ 0 $ , , , , , , ,000 1,000 2, ,000 10,000 11, , , , ,000 1,000 11, ,000 10,000 20, , , , ,000 1, , ,000 10, , , , , Expectation 11,750 p f p Severity $1, $10, $100,000 37

39 Mitigating Operational Risk : Internal control methods Item Separation of functions Dual entries Reconciliation Tickler systems Controls over amendments Description Traders should not perform clearance and accounting functions. Entries should be matched from two different sources that is, the trade ticket and the confirmation by the back office. Results should be matched from different sources for instance, the trader s profit estimate and the computation by the middle office. Important dates for a transaction should be entered into a calendar system that automatically generates a message before the due date. Any amendment to original deal tickets should be subject to the same strict controls as original trade tickets. 38

40 Mitigating Operational Risk : External control methods Item Confirmation Verification of prices Authorisation Settlement Audits Description Trade tickets need to be confirmed with the counterparty. To value positions, prices should be obtained from external sources. The counterparty should be provided with a list of personnel authorized to trade, and a list of allowed transactions. The payment process itself can indicate if some of the terms of the transactions have been incorrectly recorded. They provide useful information on potential weakness areas in the organizational structure of business process. 39