for management purposes Stefan Look, Deutsche Börse
1 OpRisk Value-at-Risk at Deutsche Börse Group
Breaking down OpRisk Value-at-Risk, Deutsche Börse Group

Operational Risk Analysis

Operational Risk at DBG is defined in line with the Basel II definition as loss resulting from inadequate or defective systems and internal processes, from human or technical failure, from inadequate or defective external processes, from damage to physical assets, and from legal risk.

Root Cause -> Event -> Effect

A risk event can be the result of various root causes, such as:
- software flaws
- process / product flaws
- capacity squeeze
- internal human error
- terrorist attack
- internal fraud
- external fraud like cyber risk
- elementary event like fire, water, storm, earthquake

DBG classifies its risk events in four risk types:
- Availability: Unavailability of technical infrastructure, facilities or staff
- Service Deficiency: Impaired (no or wrong) process or execution due to product, process or execution deficiencies
- Damage to Physical Assets: Risk of losses arising from damage to physical assets
- Legal: Non-respect of existing laws & regulation and all contractual commitments

A risk event can have several effects, such as:
- Customer compensation
- External lawyers fees
- Replacement cost for destroyed equipment
- Regulatory fines

All effects could lead to a loss for Deutsche Börse Group.

Examples of Operational Risk Analysis

There are usually no one-to-one relationships between root cause, event, effect and loss but a complex network:

Root Cause:
- Terrorist Attack
- Internal Human Error
- Cyber Attack

Event:
- Damage to data centre
- Unavailability of IT system
- Missed deadline
- Wrong cash instruction

Effect:
- Replacement costs
- Customer compensation
- External lawyers fees

OpRisk Quantification

In a simplified OpRisk quantification approach, loss data (internal and external) and scenario data are used as input into the model. The OpRisk model generates distributions for severity and frequency, which are the basis for the simulation of the annual loss distribution. The annual loss distribution is used to derive different risk measures. Deutsche Börse Group uses Value-at-Risk as its main risk measure.

Diagram labels: Input Data (Internal / external loss data); OpRisk Model (Severity Distributions, Frequency Distributions); Monte Carlo Simulation; Annual Distribution; OpRisk Quantification (% Value-at-Risk, Expected Shortfall, Expected)

OpRisk Scenario Data

As Deutsche Börse Group (DBG) lacks internal loss data and sufficient external loss data from comparable institutions is not available, DBG mainly uses scenarios as input data.

An OpRisk scenario is based on expert opinion and describes an OpRisk event, its underlying root causes and subsequent effects and losses.

Key parameters of an OpRisk scenario are the probability that the scenario occurs and the severity in case it occurs.

Example (Scenario 1, Scenario 2):
- Description: Description of potential event, root causes, effects and losses
- Probability: 1x every 10 years
- Range: 100k (min value) to 1m (max value)

Examples of OpRisk Scenario Data

OpRisk scenarios could focus either on
- a root cause (e.g. terrorist attack) and describe all subsequent events, effects and losses, or
- an event (e.g. unavailability of IT system) including all root causes and subsequent effects and losses.

OpRisk Scenario Terrorist Attack:
- Root Cause: Terrorist Attack
- Event: Damage to data centre, Unavailability of IT system, Missed deadline
- Effect: Replacement costs, Customer compensation, External lawyers fees

OpRisk Scenario Unavailability of IT System:
- Root Cause: Terrorist Attack, Internal Human Error, Cyber Attack
- Event: Unavailability of IT system
- Effect: Customer compensation, External lawyers fees

OpRisk scenarios need to be defined as independent and non-overlapping to prevent double counting.

2 OpRisk Value-at-Risk for management purposes
Management View on OpRisk

For OpRisk Management purposes it is important to know the impact of input data on the Value-at-Risk, because only with this knowledge is it possible to take risk-based decisions.

Diagram: Input Data (scenario data covering Root Cause, Event, Effect) -> OpRisk Quantification (math. modelling could be black box) -> Value-at-Risk

The problem is that, because of the complex modelling, the impact of single input data (e.g. a specific scenario or root cause) on VaR cannot be easily derived directly from the input data.

Example 1 for OpRisk Management Question

Assume that a new service (e.g. product or IT system) is planned that would lead to new risks. The new risks could be described by experts by one or more new OpRisk scenarios.

Question: What is the impact of the new service on the VaR?

Diagram: Input Data (scenario data covering Root Cause, Event, Effect) -> OpRisk Quantification -> Value-at-Risk

The answer to this question is important to assess the risk / return of the new service.

Example 2 for OpRisk Management Question

Assume that new risk mitigating measures are planned that would reduce the likelihood that a root cause will lead to a risk event.

Question: What is the impact of a single root cause (e.g. cyber attack) on the VaR?

Diagram: Input Data (scenario data covering Root Cause, Event, Effect) -> OpRisk Quantification -> Value-at-Risk

The answer to this question is important to prioritise risk mitigation measures.

Questions to be answered

What would be the impact on Value-at-Risk of
- a new service? One or more new OpRisk scenarios are added to the input data.
- a single root cause (e.g. cyber attack)? The root cause could be the driver for several events and be described in several OpRisk scenarios.
- additional investments in risk mitigating measures (e.g. compliance or information security)? Frequency or severity of OpRisk scenarios could change.

Problem to be solved to answer the questions

Value-at-Risk is calculated on Deutsche Börse Group level for capital adequacy assessment. To answer management questions it is necessary to break down this total figure to:
- Business segments (i.e. Xetra, Eurex, Clearstream, MD+S)
- Legal entities (e.g. Eurex Clearing, Clearstream Banking)
- Root causes (e.g. cyber attack, violations against laws / regulations, staff unavailability, natural disaster)
- Events (e.g. system unavailability, physical damage)

3 Potential Solutions and their shortfalls
Incremental Risk - Approach

VaR is calculated with and without the new OpRisk scenarios. The difference is called incremental risk and shows how much VaR would change with the new service.

VaR_basic = Value-at-Risk without new service
VaR_new = Value-at-Risk with new service
VaR_new - VaR_basic = Incremental Risk

Incremental Risk - Evaluation

Advantages:
- Easy to calculate, no implementation effort
- Additional calculation is not time consuming
- Easy to explain for one new service as it shows the incremental VaR to the known VaR figure without the new service

Disadvantages:
- Approach difficult for two or more new services (because calculation order and combination has impact on result)
- Could be negative, although new service is risky (because of changed fitted severity distribution)
- Depends on VaR without new service

Risk Allocation - Approach

VaR is calculated with the new OpRisk scenarios and afterwards allocated to all services / root causes. The allocation key α could be based e.g. on:
- Expected maximum loss = probability of loss * max loss amount
- Expected loss
- VaR or Expected Shortfall of individual service

VaR_new = Value-at-Risk with new service
VaR_new * α_1 = VaR_1 = VaR allocated to service 1
VaR_new * α_2 = VaR_2 = VaR allocated to service 2
...
VaR_new * α_N = VaR_N = VaR allocated to service N

Risk Allocation - Evaluation

Advantages:
- Easy to calculate, low implementation effort
- Additional calculation is not time consuming
- Easy to explain
- Always positive

Disadvantages:
- Result very sensitive to selected allocation key
- Stopping service i (and its related risks) would not reduce VaR by VaR_i

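The incremental risk and risk allocation approaches above, worked through on scenario data as an added example (not Deutsche Börse's model or code). Assumptions: all scenarios and figures are constructed, each scenario occurs at most once a year with its stated probability, severity is log-uniform between min and max, VaR is read at the 99% level, and no distribution is fitted, so the negative-increment case does not arise here.

```python
import math
import random

# Constructed scenarios (illustrative, not Deutsche Börse data):
# name -> (probability per year, min loss, max loss)
BASE = {
    "it_outage": (1 / 10, 100_000, 1_000_000),  # slide example: 1x every 10 years
    "cyber_attack": (1 / 20, 500_000, 5_000_000),
    "data_centre_damage": (1 / 50, 2_000_000, 20_000_000),
}
NEW_SERVICE = {"new_service": (1 / 5, 50_000, 2_000_000)}

def scenario_losses(name, p, lo, hi, years, seed):
    """Per-year loss of one scenario. Assumed model: at most one occurrence per
    year with probability p, severity log-uniform between lo and hi."""
    rng = random.Random(f"{seed}:{name}")  # own stream, so runs stay comparable
    return [math.exp(rng.uniform(math.log(lo), math.log(hi))) if rng.random() < p
            else 0.0 for _ in range(years)]

def annual_losses(scenarios, years=100_000, seed=7):
    """Sum the independent scenarios into one simulated annual loss per year."""
    totals = [0.0] * years
    for name, (p, lo, hi) in scenarios.items():
        for i, loss in enumerate(scenario_losses(name, p, lo, hi, years, seed)):
            totals[i] += loss
    return totals

def value_at_risk(losses, level=0.99):
    """Empirical quantile of the simulated annual loss distribution."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, math.ceil(level * len(ordered)) - 1)]

def allocation_key(scenarios):
    """alpha_i from expected maximum loss = probability of loss * max loss amount."""
    eml = {name: p * hi for name, (p, lo, hi) in scenarios.items()}
    return {name: v / sum(eml.values()) for name, v in eml.items()}

def analyse(level=0.99):
    """Return VaR_basic, VaR_new, incremental risk and VaR_new * alpha_i per scenario."""
    combined = {**BASE, **NEW_SERVICE}
    var_basic = value_at_risk(annual_losses(BASE), level)
    var_new = value_at_risk(annual_losses(combined), level)
    allocated = {n: var_new * a for n, a in allocation_key(combined).items()}
    return var_basic, var_new, var_new - var_basic, allocated

if __name__ == "__main__":
    var_basic, var_new, incremental, allocated = analyse()
    print(f"VaR basic {var_basic:,.0f}  VaR new {var_new:,.0f}  incremental {incremental:,.0f}")
    for name, share in allocated.items():
        print(f"  {name:20s} allocated {share:,.0f}")
```

With this key the amount allocated to the new service is larger than its incremental risk, which is the gap behind the point that stopping service i would not reduce VaR by VaR_i.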
Contact Dr. Stefan Look Deutsche Börse AG Group Risk Management Mergenthalerallee 61 65760 Eschborn Germany Phone: + 49-(0) 69-2 11-17723 Fax: +49-(0) 69-2 11-617723 stefan.look@deutsche-boerse.com www.deutsche-boerse.com