The future of operational risk in financial services A new approach to operational risk capital management

Similar documents
InFocus. Insurance regulation and technology: Adding business value to compliance

Stand out for the right reasons Financial Services Risk and Regulation. Hot topic. Operational risk a single standardised approach for all

The role of an actuary in a Policy Administration System implementation

Get Smarter. Data Analytics in the Canadian Life Insurance Industry. Introduction. Highlights. Financial Services & Insurance White Paper

White Paper. Not Just Knowledge, Know How! Artificial Intelligence for Finance!

Tax analytics The three-minute guide

National Family Office Forum: Adapt, innovate, and transform 2018 survey report

Implementing behavioral analytics to drive customer value: Insurers cannot afford to wait.

7 STEPS TO BUILD A GRC FRAMEWORK FOR BUSINESS RISK MANAGEMENT BUSINESS-DRIVEN SECURITY SOLUTIONS

Blockchain: A true disruptor for the energy industry Use cases and strategic questions

Session 2. Leveraging Predictive Analytics for ERM

Risky Business: Are You Ready for the Next Market Move? Incur less pain, more gain with a managedrisk approach to energy sector hedging

Modernizing reinsurance administration

Credit risk management. Why it matters and how insurers can enhance their capabilities

Tax, data and analytics moving from control to transformation

Tax Management Consulting Leading tax departments through change

Guidelines for Anti-Money Laundering and Combating the Financing of Terrorism

Transforming claims through predictive modelling

Advanced Operational Risk Modelling

Unlocking the potential of Finance for insurers

Advanced analytics and the future: Insurers boldly explore new frontiers. 2017/2018 P&C Insurance Advanced Analytics Survey Results Summary (Canada)

Basel 4: the way ahead

Guideline. Capital Adequacy Requirements (CAR) Chapter 8 Operational Risk. Effective Date: November 2016 / January

To G20 Finance Ministers and Central Bank Governors

Next-Gen Contract Management

Risk Management Strategy

Actuaries and the Art of Communication. Deloitte Consulting LLP

Classify: Leveraging an Intuitive Database for Investor Targeting Shivi Kumar

Measuring and reporting operational process risk

3areas Artificial Intelligence can impact

The Financial Platform Built for now DESKTOP WEB MOBILE

Analytics for insurers The three-minute guide

Emerging trends in global financial crime prevention and anti money laundering

Prepare for success. 5Insights for executives. Operational transfer pricing: Failure to implement can hinder performance

InsurTech HUB România

Basel III: Finalising post-crisis reforms

Regulation and Public Policies Basel III End Game

Life Sciences Spotlight Effectively Treating the Impacts of the Converged Revenue Recognition Model

Tax operations evolution Drivers, barriers, and building blocks

WHITE PAPER FOUR PRACTICAL WAYS TO CAPTURE AND MONITOR RISK APPETITE

Operational Risk in the Basel framework

Implementing the Expected Credit Loss model for receivables A case study for IFRS 9

Tax Digitalization: Latin America leads the change

ANNUAL GOVERNANCE STATEMENT FOR THE POLICE AND CRIME COMMISSIONER FOR NORFOLK AND THE CHIEF CONSTABLE FOR NORFOLK

Data Analytics and Unstructured Data Actuaries 2.0

Banking Title Application Fraud: The Enemy at the Gates

The Proactive Quality Guide to. Embracing Risk

Fintechs and regulatory compliance The risk management imperative. May 2018

CloserLook Investment Management Outlook

Media & Entertainment Spotlight Navigating the New Revenue Standard

Session 73 PD, Predictive Modeling for the Marketing Actuary. Moderator: Maria Patricia Marcelo Arellano, FSA, CERA, MAAA

Why your board should take a fresh look at risk oversight: a practical guide for getting started

Reimagining customer relationships. Asia-Pacific

Increase Effectiveness in Combating VAT Carousels

Bond Pricing AI. Liquidity Risk Management Analytics.

Preparing for the New ERM and Solvency Regulatory Requirements

Using data mining to detect insurance fraud

Actionable Intelligence December 2017

Fraud Investigation & Dispute Services Corporate misconduct individual consequences

The next step forward Can one actuarial system do it all?

REPUTATION RISK ON THE RISE

The sensitivity of financial products and services to integrity risks

Predictive Analytics in Life Insurance. Advances in Predictive Analytics Conference, University of Waterloo December 1, 2017

Tax operations evolution Drivers, barriers, and building blocks

ERM/ORSA Training Thai General Insurance Association (TGIA)

people and culture are key to our success

ENTERPRISE RISK MANAGEMENT (ERM) POLICY Republic Glass Holdings Corporation. Purpose. Goals

The next era of aerospace and defense: How to outperform in an environment of innovative disruption 2017 Company performance update

The Art of Conversation. kpmg.com/uk/insurance

Office of the Comptroller of the Currency (OCC) Regulatory Development: Recovery Planning Guidelines

Solving the MiFID II Research Unbundling Challenge

Boston Chapter AGA 2018 Regional Professional Development Conference. Brandeis University Professor Erich Schumann May 2018

FIGHTING AGAINST CRIME IN A DIGITAL WORLD DAVID HARTLEY DIRECTOR, SAS FRAUD & FINANCIAL CRIME BUSINESS UNIT

Actionable Intelligence

Outline. Consumers generate Big Data. Big Data and Economic Modeling. Economic Modeling with Big Data: Understanding Consumer Overdrafting at Banks

2014 EY US life insuranceannuity

FINANCIAL INSTITUTION GOVERNANCE AND REGULATION SERVICES EXPERTS WITH IMPACT

Credit Unions: Turning Strong Member Relationships into Market Share

Achieving integrated risk management

SOLUTIONS FOR MEETING DOL FIDUCIARY RULE REQUIREMENTS

Short, engaging headline

TD BANK INTERNATIONAL S.A.

New rules call for new actions: Tax authority mandates drive disruptive change. Spotlight on Europe. Tax

The Components of a Sound Emerging Risk Management Framework

Mortgage Lender Sentiment Survey

Targeted improvements to the accounting for long-duration contracts

Automotive Services. Tools for dealers, lenders and industry service providers that drive profitable results in today s economy

A FRAMEWORK FOR MANAGING CYBER RISK APRIL 2015

Predictive Claims Processing

AI Strategies in Insurance

Basel Committee on Banking Supervision. High-level summary of Basel III reforms

How Can YOU Use it? Artificial Intelligence for Actuaries. SOA Annual Meeting, Gaurav Gupta. Session 058PD

Certified in Risk and Information Systems Control

Digital insurance: How to compete in the new digital economy

Day 2: Session 2 Tax governance, risk and control

Areas AI will transform insurance in years. Cecilia Chow, Head of Sales, Key Accounts, JOS

The importance of regulating in the FinTech s world for the protection of consumers

Moderator: Missy A Gordon FSA,MAAA. Presenters: Missy A Gordon FSA,MAAA Roger Loomis FSA,MAAA

Overlapping examination priorities for 2018

IBM Financial Crimes Insight for Insurance

Transcription:

The future of operational risk in financial services A new approach to operational risk capital management

02

The future of operational risk in financial services A new approach to operational risk capital management Understanding the implications of the new Standard Measurement Approach and using it as a catalyst to enhance operational risk management programs As part of its completion of post-crisis reforms, the Basel Committee on Banking Supervision (Basel Committee) recently finalized its Basel III standard, which complements its previously published initial phase of Basel III reforms 1. The new standard fundamentally changes how operational risk capital (ORC) is calculated. This shift has major implications for banks internal loss data and how it could be used to derive business value and risk management insight. In the past, many internationally active banks, based on requirements of their primary regulator, used a model-based approach that included a number of variables that determined the ORC they were required to hold. Under the new standard, that model-based advanced measurement approach (AMA) is being replaced by the Standardized Measurement Approach (SMA), which essentially limits a bank s influence over ORC to a single variable: the Internal Loss Multiplier (ILM), which is in turn based on the bank s actual loss history. The focus on internal losses when determining a bank s ORC requirement has two important implications. First, banks need to ensure that their internal loss data and the systems, processes, and controls associated with building internal loss databases are as accurate and robust as possible in order to support and substantiate their calculated ILM. Second, banks have a tremendous opportunity to reduce the existing and future ORC by focusing effort on managing and reducing actual operational losses, thereby mitigating the impact of the ILM factor in the calculation of ORC. The latter will likely require new behaviors and a new mind-set, since many banks have traditionally viewed internal operational risk incidents and the corresponding losses as unavoidable costs of doing business and something over which banks have had little control. However, with the addition of strong capital incentives to improve, banks may likely discover that internal losses can, in fact, be actively reduced. This is particularly the case with respect to new analytic and predictive technologies that make it possible to identify root causes and mitigate potential problems and risks before they result in major losses. This point of view highlights essential components of a mature operational risk management framework that goes beyond compliance with the new standard. We describe how firms can leverage anticipated investments to derive risk intelligence from existing data to generate insight and reduce internal losses. By building an operational risk management framework that goes beyond compliance, banks can better navigate operational risk incidents by actively reducing their impact, allowing them to lead in their industry. 1. Basel III: Finalising post-crisis reforms, Bank for International Settlements, December 2017, https://www.bis.org/bcbs/publ/ d424.htm. 03

The future of operational risk in financial services The new formula-based approach for calculating operational risk capital In December 2017, the Basel Committee issued revised standards that finalized its post-crisis reforms and new Basel III framework. The revised standards include a new way to measure the amount of ORC that banks are required to hold. This new SMA seeks to restore credibility in the calculation of risk-weighted assets (RWAs) and improve the comparability of banks capital ratios. Specific objectives of the reform include: Simplifying the Basel framework by replacing the four current approaches with a single standardized approach Making the framework more risk-sensitive by combining a refined measure of gross income with a bank s own internal 10year loss history Making it easier to compare RWAs from bank to bank by removing the option to use multiple approaches and internal models The SMA is based on the following components: The Business Indicator (BI), which is a financial-statement-based proxy for operational risk The Business Indicator Component (BIC), which is calculated by multiplying the BI by a set of regulatory-determined marginal coefficients (αi) The ILM, which is a scaling factor that is based on a bank s average historical losses and the BIC In practical terms, the ILM is the only variable a bank has significant control over, but its impact can be significant. The revised operational risk framework doesn t take effect until January 1, 2022. This gives banks time to improve their processes for collecting, managing, and analyzing internal loss data to reduce their ILM and, thus, the ORC they re required to hold. 04

Changing behaviors and culture In the financial services industry, the past decade has seen numerous well-publicized and damaging misconduct scandals, both institutional and retail. As a result, improving conduct is at the top of most firms agendas. Advanced operational risk management programs with predictive risk capabilities can provide intelligence on changes in employee sentiments and behaviors that might be early indicators of potential conduct lapses. However, deep-rooted changes at the culture level are also needed. Many organizations have no pre-defined incentives or consequences related to high-frequency, low-impact operational losses. Typically, only massive loss events have any consequences for management. This is likely due to the fact that operational losses have traditionally been viewed as an unavoidable cost of doing business, and there s a common perception that management has no control over such losses (unlike credit and market risk, which have standard levers for managing and mitigating risk). In the wake of the financial crisis, some local regulators introduced clawback frameworks and longer term incentive compensation linked to risk adjusted performance. However, these limited efforts haven t had a significant impact on reducing the industry s overall operational losses. More recently, the introduction of conduct risk frameworks, along with a renewed focus on culture risk, has helped some organizations begin to better understand the links in product design, compensation and sales incentives, management objectives, and employee behavior. What s still missing in many cases is direct accountability for operational risk losses specifically, consequences that have a meaningful impact on first-line management, whether by affecting the size of their operating budgets and available investment funds or, more personally, by affecting their performance evaluations and compensation. These types of consequence and incentives can help establish a culture where operational losses aren t just glossed over as a write-off in financial statements. The SMA makes the long-term capital and business consequences of operational losses more significant for banks. Thus, it s only common sense for banks to try to change behavior by aligning operational losses with business unit and executive performance. This will require institutions to empower their managers with enough authority and flexibility to change their business environment including the underlying process and tools and to manage risks more proactively. Improving the quality of historical loss data Given the new standardized formula for calculating ORC, banks will likely scale back on their advanced modeling efforts. Instead, they may pivot those resources to improve the quality of their internal loss history through such activities as formalizing definitions of operational risk events and improving incident identification and reporting. The Basel Committee has provided specific guidelines and criteria for data quality. In particular: Banks are expected to base their ORC calculations on ten years of data. During the transition period, five years of data is acceptable. However, for large institutions that previously used the AMA, ten years of data shouldn t pose a significant challenge as the required incident reporting processes and data quality procedures should already be in place. Data is most relevant when it can be directly linked to a bank s current businesses and internal operating environment. Extra consideration should be given to historical losses in businesses and activities that have been carved out and sold or in businesses being wound down. Banks must have documented procedures and processes for the identification, collection, and treatment of internal loss data, including documented de minimis thresholds. Documented policies and procedures for identifying and reporting operational risk events must serve as the starting point for managing data capture and quality. Associated procedures and processes must be validated before a bank s loss data can be used to calculate its ILM and ORC. Regular independent reviews by corporate audit functions and external organization are also required. Specific information and attributes should be collected as part of the data for individual operational risk events. These data elements include gross loss amounts and key reference dates, such as the date of occurrence, date of discovery, and date of accounting. In addition, banks must collect information on recoveries of gross loss amounts as well as descriptive information about the causes and drivers of the loss event The Basel Committee has specified that banks failing to meet the minimum loss data standards might be subjected to severe penalties, including the requirement to hold capital that s at a minimum equal to 100 percent of their BIC. 05

Gaining efficiency by automating data collection and aggregation from multiple sources Cost efficiency is becoming a higher priority in risk management and compliance, with risk managers increasingly being expected to do more with less. This pressure is creating an incentive for risk leaders to explore and embrace new technologies and techniques that can help improve the efficiency and effectiveness of their programs. A bank s infrastructure for operational risk management should leverage automated workflows to continuously monitor for emerging problems and ensure the right people receive the right information in a timely manner, enabling them to respond quickly and effectively. Banks can consider taking advantage of the latest advances in robotic process automation (RPA) and cognitive technology to streamline and automate routine activities, such as data collection, cleansing, and storage for both structured and unstructured data. RPA bots can be created to continuously scan the internal environment and collect data from predetermined sources. In conjunction with increased information standardization and more intelligent optical character recognition (OCR) and cognitive technologies, these innovations can transform data into a powerful tool for real-time production and monitoring of key risk indicators, management information, and internal risk and control reporting. A valuable byproduct of introducing these methods and technologies into operational risk management is the alignment of expectations and outcomes across the three lines of defense: The first-line businesses and functions where the risk originates The second-line risk and compliance groups The third-line internal audit function Once all three lines of defense agree on a solution and its inputs and outputs for example, agreeing on what an RPA bot will do, what data it will use, and what reports it will generate everyone should be able to use the same results, leading to synchronous and seamless alignment. Creating an effective infrastructure for aggregated risk data and risk reporting When designing an infrastructure for operational risk data and reporting, institutions should consider the principles issued by the Basel Committee for effective risk data aggregation and risk reporting. Also known as BCBS 239, these principles apply to all key internal risk management models for regulatory capital, including the AMA for operational risk. Although the AMA is being replaced by the SMA, BCBS 239 will continue to be relevant to the design of an operational risk data infrastructure, given the importance of internal loss data to an institution s calculation of its operational risk capital using the SMA. The principles outlined in BCBS 239 aim to strengthen banks risk data aggregation capabilities and internal risk reporting practices. Broad areas covered by the principles include: Overarching governance and infrastructure Risk data aggregation capabilities Risk reporting practices Supervisory review, tools, and cooperation According to BCBS 239, the term risk data aggregation refers to defining, gathering, and processing risk data. For operational risk, key activities include: Establishing policies that define operational risk incidents Specifying attributes to be collected for each event that s considered an operational risk incident Building an internal loss history as part of an institution s operational risk database Moving forward, banks should consider expanding the attributes collected for operational risk events and include a broader range of data elements in operational risk databases to enable more advanced data modeling and analytics. 06

The future of operational risk in financial services 07

Developing advanced capabilities in risk analytics and predictive risk intelligence Armed with aggregated historical data about internal losses (along with robust automated processes for data collection and management), banks will be better positioned to capitalize on advanced capabilities, such as big data analytics, correlation and root cause analysis, and predictive risk intelligence. These capabilities will enable banks to identify patterns and trends that may help reduce internal losses in the future. Banks have long been interested in finding ways to enhance their traditional operational risk practices via predictive risk intelligence 2. Although historical data on operational losses is still the baseline for complying with regulatory capital rules, such data has always been seen as a blunt instrument for controlling loss and risk profiles. In the past, the necessary tools and technologies to make more insightful correlations and predictions didn t yet exist. A specific challenge is that most Basel historical data models don t provide enough information for organizations to identify truly meaningful correlations between losses and other factors, leading to insights that are obscure or spurious. Occasionally, experienced operational risk practitioners with help from data scientists have used their intuition to identify some patterns among risk profiles, losses, and the events in legacy models. However, this generally didn t happen until long after the event occurred. In addition, it was often limited to situations where extreme data variations were clearly visible situations that were so infrequent that they had no real predictive value. (e.g., human resources information, compliance data, and internal management information systems), and external data (e.g., sensing data, social media, customer complaints, and regulatory actions). These aggregated models enable vastly improved analytical results and insights by providing billions of data combinations, which greatly increase the likelihood of uncovering patterns and correlations that were previously unnoticeable or detected too late. This can help banks prevent unpredictable tail outcomes, potentially reducing operational losses and capital impacts. Banks also need to develop robust reporting capabilities that can provide early warnings about emerging situations that may exceed their risk tolerance and risk appetite. Several leading institutions are already using advanced analytics and big data techniques to improve the effectiveness of their risk programs in a wide range of areas, from trade surveillance and third-party risk management to fraud prevention, anti-money laundering, and regulatory reporting. Given the advanced tools and vast amounts of data available today, banks should seize upon the valuable opportunities enabled by predictive risk intelligence, big data analytics, and other breakthrough innovations. Through such techniques as machine learning and artificial intelligence, banks now have the ability to efficiently build and mine large and complex data sets that combine traditional Basel data with transaction data, non-transaction data 2. Please see our whitepaper, Seeing the storm ahead: Predictive Risk Intelligence, Deloitte Development LLC, 2017, https:// www2.deloitte.com/us/en/pages/risk/articles/predictive-risk-intelligence.html. As used in this document, Deloitte means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting. 08

Predictive risk intelligence case study As the world becomes more digitized and customers and counterparties continue to leverage multiple bank-provided platforms for their transaction needs, banks rely heavily on the 24x7 availability of the underpinning technologies to facilitate these transactions. Regulators have also stepped up their efforts to curb technology failures in order to maintain the integrity of markets and protect customers. The loss from a technology failure can not only damage an organization s reputation and drive away potential revenue, but it could also result in significant fines from regulatory agencies. How does our solution work? Incident and issue logs Capacity monitoring and peak loads System upgrades Error logs Operational incident loss data Internal sources Cleanse and standardize Data anomaly detection Data deduplication Analyze and identify risk patterns Machine learning algorithms Predictive modeling Generate early warning signals Near-real-time dashboards with alerts System alerts Report predictive scores Risk scores for emerging risk trends External sources External cyber threats Customer complaints Risk sensing data Deloitte s predictive risk intelligence (PRi) solution can help organizations uncover information on increasing risk profiles and potentially provide advanced warning of a technology failure event. The PRi solution begins by collecting and evaluating internal and external variables that can best predict a future technology failure. Data is cleansed and standardized to remove anomalies and machine learning algorithms. Other advanced analytics are applied to the data to identify potential patterns of causation and correlation to technology failures, which typically have a very short cycle to impact. Leaders can then view a near-real-time dashboard that provides alerts and early warnings for the organization s critical systems. 09

Looking ahead As operational risk managers search for ways to increase the value of their programs, much of their focus should be on reducing internal losses. An essential step toward achieving that objective is improving the quality and completeness of internal loss data. The greatest value will revolve around identifying patterns and correlations in data and predictive intelligence aggregating internal loss data with data from a wide range of other internal and external sources and then using the latest cognitive, machine learning, and analytics tools to identify dangerous buildups of potential risk. These advanced capabilities can give a bank the forward-looking insights it needs to develop effective strategies for mitigating risk and reducing losses, including reducing the bank s ILM and required ORC. 10

Contacts Monica O Reilly Banking and Capital Markets Advisory Leader Principal Deloitte Risk and Financial Advisory Deloitte & Touche LLP monoreilly@deloitte.com +1 415 783 5780 Krissy Davis Operational Risk Leader Partner Deloitte Risk and Financial Advisory Deloitte & Touche LLP kbdavis@deloitte.com +1 617 437 2648 Nitish Idnani Operational Risk Banking Leader Principal Deloitte Risk and Financial Advisory Deloitte & Touche LLP nidnani@deloitte.com +1 212 436 2894 Steve Bhatti Specialist Leader Deloitte Risk and Financial Advisory Deloitte & Touche LLP stbhatti@deloitte.com +1 617 437 2451 11

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. Copyright 2018 Deloitte Development LLC. All rights reserved.

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback