Operational Risk Lessons Learned - Deloitte

Transcription

The future of operational risk management
Comprehensive Capital Analysis and Review (CCAR)
Operational risk lessons learned

Contents

Introduction
Overall framework considerations
Framework component considerations
Summary
Contact us

Introduction

Banks continue to evolve and enhance their CCAR operational risk loss estimation process with renewed focus on the qualitative aspects of estimation including the leverage of, and integration with, their existing operational risk management program. Increased regulatory scrutiny of the estimation processes has prompted banks to pay greater attention to the design and execution of their end-to-end frameworks.

Losses attributable to operational risk are a significant factor in CCAR loss projections for many banks. As the CCAR process has matured, with regulators and financial institutions learning from each other in an ongoing and reinforcing cycle, significant regulatory focus has now shifted to operational risk after greater initial focus on credit and market risk.

An emerging regulatory focus—very much in line with sound day-to-day risk management—is to ensure that the CCAR loss estimation framework be firmly grounded in the institution’s regular operational risk management process. In other words, the CCAR estimation cannot be a discrete process divorced from the institutions’ ongoing operational control, monitoring, and mitigation process. This is a key consideration as institutions design and evolve their CCAR operational loss framework to be more efficient, streamlined, and cost efficient.

Additionally, learning from the experience of building and challenging quantitative models over the last five to six years, both the industry and regulatory agencies are reaching an appreciation that, due to the fundamental differences between operational risk in comparison to market or credit risks, there are limits to the power of quantitative approaches; and correspondingly, a greater stress on incorporating qualitative or judgemental approaches in a well-structured and controlled manner.

Overall framework considerations

Many institutions have designed their operational risk estimation frameworks to consider both historical and forward-looking approaches. Regulators are gradually becoming more open to looking at qualitative approaches to estimate forward-looking losses, however, they still require institutions to look at their internal loss history and identify correlation with macro-economic scenarios and events.

The first step toward managing operational risk begins as part of the first line of defence where business managers identify, own, and manage operational risks and the controls that mitigate the identified risks. Risk identification should include triggers that institutions use to identify potential control failures that may result in operational losses.

At regular intervals,[1] the identified risks and controls are required to be evaluated for effectiveness. Many institutions have set up risk and control self assessments (RCSA) to evaluate inherent risks present within the institution, the controls designed to mitigate them, and resultant residual risks. These assessments help institutions identify material operational risks that potentially could go on to be significant influencers of operational losses. Material risks so identified are used in scenario analysis to estimate forward-looking events with low likelihood, but that are plausible, with high severity and impact.

An efficient and effective CCAR process should be grounded in and leverage the existing operational risk management framework ensuring alignment between CCAR material risks and storylines, and the actual risk profile and loss experience of the institution. The success of CCAR depends upon the effectiveness of how upstream operational risk framework controls have been designed, monitored, and challenged to identify material risks that the institution faces.

[1] Operational risk governance should set clear standards for how often this review is done. It is typically annual for most material risks and controls.

[Figure: Operational risk management components (risk identification, risk monitoring, and loss-related components) shown alongside the CCAR framework components: governance and oversight, legal loss forecasting, quantitative modeling, material risk identification, storylines and workshops, nine-quarter loss estimation, economic stress scenarios, aggregation and loss refinement, and overall CCAR reporting.]

To confirm compliance with regulatory requirements, institutions have broken down the operational risk loss estimation processes to logical components. The following are the four broad components defined:

- A quantitative model that uses historical data and attempts to model operational risk and macroeconomic relationships (typically validated by the institutions’ Model Risk Management [MRM] function)
- Scenario analysis for estimating losses related to forward-looking idiosyncratic events
- A legal loss component to estimate potential litigation losses
- Subject Matter Specialist (SMS) workshops to refine loss estimates from the previous components

The approach to estimating and stressing operational risk losses and ensuring all the individual components function efficiently requires a clearly designed governance structure supported by appropriate personnel. This structure is required to accommodate the escalation of issues to leadership, establish a conflict resolution process, and install continuous process improvement. Further, the governance function should include review and challenge across the different aspects of the CCAR operational risk loss estimation process.

In the following sections, we look at the individual components that make up an overall framework and summarize specific lessons learned and considerations from the individual components.

Framework component considerations

QUANTITATIVE MODELS

Quantitative models attempt to forecast operational risk related losses across the CCAR forecast horizon based on historical loss experience and macro-economic variables. Industry experience over the last several years has led to a consensus that purely statistical approaches to CCAR projection models for operational risk are somewhat more elusive than models for other risk-related losses such as credit or market risk for several reasons, including:

Specific considerations

- Institutions have made significant improvements to their operational risk event and loss data capture processes, particularly in the aftermath of the financial crisis. However, this process has historically lagged data-driven quantitative modeling efforts in market and credit risk.
- Models often incorporate higher percentiles of the event size (loss) distribution as a proxy for additional stresses under adverse and severely adverse scenarios as compared to the base scenario. Regulatory expectations assume that projected operational losses will be higher for adverse and severely adverse as compared to base scenarios.
- The magnitude of institutions’ operational losses is typically driven by large idiosyncratic events that are difficult to model based on the available history.
- Except for certain types of operational risk that can be attributed to stress on control systems based on macroeconomic condition, most operational losses do not demonstrate meaningful correlation. This is a fundamental assumption that drives most statistical models for CCAR.
- Industry consensus, and regulatory acceptance, that the size of individual operational loss events evidence little correlation with macro-economic factors. Where stronger relationships do exist, they are typically observed in the frequency of events occurring driven by macro-economic factors. Consequently, common modeling practices include separately modeling the frequency of events, and the expected severity of events. Notwithstanding the industry consensus, regulatory expectations still require a thorough investigation of the data to identify whether meaningful correlations can be found (with appropriate segmentation) before falling back to an average-based approach.

Accordingly, many institutions adopt a combination of econometric models (where feasible) and extrapolations from historic data to project operational risk related losses for CCAR. This, in turn, places a much heavier burden on the qualitative or judgemental scenario analysis processes (below) to ensure adequate level of losses are captured in the forecast.

SCENARIO ANALYSIS

Scenario analysis[2] is a process of obtaining the expert opinion of business line and risk managers to identify potential operational risk events and assess their outcome. Institutions use scenario analysis to estimate idiosyncratic losses with the help of SMS in the form of workshops. Typically, institutions conduct workshops on an annual basis to capture plausible forward-looking risks, which are high-severity, low-probability and not adequately captured by the quantitative model.

Material operational risks specific to the institution are used as primary business inputs to the process and must be tailored to the lines of business, products, and services offered to customers, and the events and loss history of the institution. They are used to create the individual scenarios that would be used in the Scenario Analysis workshop discussion. Business unit heads, functional heads, SMS, representation from the legal department, operational risk management representation, and scenario challengers who are independent of the business should attend the workshops. Where the participants are not able to attend, a delegate should be nominated to participate in lieu of the original participant.

The process starts with the pre-workshop phase where discussions are held to develop storylines and narratives based on identified risks that are expanded and quantified during the workshop. In addition to the material operational risks, RCSA results, internal loss history, external loss history, and industry trends identified by the businesses are used as information that could help in building out the scenario storyline. The scenarios should align with the operational risk profile specific to the institution. In the workshop, participants discuss the various outcomes of the scenarios and estimate operational loss amounts primarily driven by expert judgment. Workshops are held for multiple scenarios, and only a few are chosen by the experts to be used in CCAR submissions.

[2] Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, Bank for International Settlements, June 2011, https://www.bis.org/publ/bcbs195.pdf.

Specific considerations

- Discussion of timing of losses materializing across the nine-quarter CCAR forecast period should be considered as part of the workshop sessions. Ideally, the discussion in the workshop should include both the magnitude and timing of the losses.
- The distribution of losses over the forecasted nine-quarter period should be stressed or otherwise analytically evaluated for the potential timing of concentrated losses.
- Bias mitigation is a necessary aspect of the workshop process. Bias education for the participants prior to the workshop sessions is helpful. An independent function that plays the challenge role during the workshops could encourage active identification and challenge of bias.
- Selection of a subset of scenarios from the scenario analysis program to be used in the CCAR submission usually involves expert judgment. If institutions have established empirical formulae that can be used to select relevant scenarios, they should ensure robust justification of the methodology.

REGULATORY GUIDANCE

2011 was the first time institutions were formally required to submit their CCAR reports.[3] During the initial three years, the Federal Reserve (“Fed”) had specific operational risk feedback to individual institutions. In 2014, as part of the qualitative assessment, the Fed focused on the robustness of the bank holding company's capital planning process that included supporting risk identification, risk measurement, and risk-management practices. The following year, material risk identification became a key theme. Regulators wanted to understand if institutions had a comprehensive process for identifying the full range of relevant risks arising from their specific business mix and exposures. This included risks that became apparent only under stress.

2015 saw the release of regulatory guidance in the form of SR letters from the division of banking supervision and regulation (SR 15-18 and SR 15-19). These letters laid out the supervisory expectations for capital planning, including requirements tied to the size and scope of operations, activities, and systemic importance of the institution. The relevant operational risk sections identified key themes such as the risk identification process, approaches to operational loss estimation, and the quality and use of data. Additionally, large and complex institutions were required to use scenario analysis in their operational loss projections. During this time, the Fed made several enhancements to its models used to estimate operational risk stress capital.

The regulators continue to focus on risk identification as a major theme. Based on the 2018 review and assessment results, regulatory expectations included establishment and implementation of a comprehensive, institution-wide risk identification process that enables capture and measurement of risks.[4] Additionally, a big focus included the assumptions and analysis designed to address known data or model weaknesses, challenge to the strategic or other management actions during a given stress event, or to support elements of the forward-looking assessment that remain difficult to model and therefore require the application of well-governed business judgment.

[3] Board of Governors of the Federal Reserve System, Comprehensive Capital Analysis and Review: Objectives and Overview, March 18, ssreleases/files/bcreg20110318a1.pdf.

[4] Board of Governors of the Federal Reserve System, “Federal Reserve releases results of Comprehensive Capital Analysis and Review (CCAR)” press release, June 28, 2018, eases/bcreg20180628a.htm.

LITIGATION LOSS COMPONENT

The forecast includes losses from known litigation events or potential losses from unknown litigation events. Individual open cases with material loss exposure greater than a specified threshold are considered in the litigation loss estimation process. Losses from known litigation events are assessed and calculated with inputs from the institution’s legal group. The calculations consider assessment of potential stress on the litigation outcomes. For the unknown litigation events, institutions usually consider scenario analysis as a method to estimate potential losses. Either a legal expert provides input during the institution’s scenario analysis workshops or the legal team has its own scenario analysis workshops for litigation events.

Specific considerations

- Legal loss estimates that are derived using expert judgment should be sufficiently justified, including losses impacted during periods of stress. While estimating idiosyncratic legal losses for developing litigation events, the legal department has a better understanding of the developing event. The legal team should document rationale supporting the estimation while submitting loss estimates.
- Date assignments for loss events (especially legal loss) that impact the institution over time should not solely be based on judgment. Institutions should also clearly lay out guidelines regarding the recognition of timing of a loss event based on the occurrence of the event.

LOSS REFINEMENT AND AGGREGATION

Loss refinement and aggregation is an expert-driven process to review and refine initial loss forecast derived from the quantitative model, scenario analysis process, and litigation loss components. It is often facilitated by the operational risk management function through a series of workshops. Experts discuss and challenge modeling approaches and results from the scenario analysis and litigation loss components during the workshops. These workshops serve the purpose of capturing risk drivers of operational losses that are not completely or only partially captured in the previous components. The workshop process follows a clear and logical order of discussion of different risk taxonomies, review of the estimation approach, discussion of loss projections, and adjustment, if any.

Specific considerations

- While workshops may be conducted in multiple phases for logistical reasons, final aggregation and loss refinement should be performed once all the other components of the CCAR operational risk process are executed.
- The outcome of the loss refinement and aggregation should provide a narrative as to how the results included in the CCAR estimates capture the totality of the institution's operational risk exposure.
- While the contents of legal scenario narratives are typically privileged and may therefore not be visible to the operational risk management function for validation and challenge, operational risk management should nevertheless be responsible for establishing the standards of the loss estimation process and guidelines for quantification and challenge.

Summary

The components discussed above including the quantitative model make up the significant components of the CCAR operational risk framework. What ties all these individual pieces together is the stewardship of the ORM function. Operational risk management should ensure consistent implementation and sustained performance of an institution’s operational risk framework. It is the function’s responsibility to ensure that the framework provides comprehensive coverage across the different operational risk event types and to perform ongoing validation of not just the individual components, but the overall operational risk framework.

As part of a broader effort to improve sustainability of an institution’s CCAR operational risk loss estimation forecasting efforts, firms need to not only strengthen the individual components, but also ensure that the framework is grounded in and leverages the business-as-usual operational risk management framework.

Contact us

Monica O’Reilly
US Regulatory & Operations Risk Leader
Deloitte & Touche LLP
1 415 783 5780
monoreilly@deloitte.com

Vikram Bhat
US Banking & Capital Markets Leader
Deloitte & Touche LLP
1 973 602 4270
vbhat@deloitte.com

Alexandre Brady
US Risk and Capital Leader
Deloitte & Touche LLP
1 415 783 5413
alebrady@deloitte.com

Nitish Idnani
US Operational Risk Leader
Deloitte & Touche LLP
1 212 436 2894
nidnani@deloitte.com

Krishnaswamy Balasubramanian
Specialist Leader, Operational Risk
Deloitte & Touche LLP
1 609 806 7043
krbalasubramanian@deloitte.com

Srinivas Vasudevan
Manager, Operational Risk
Deloitte & Touche Assurance & Enterprise Risk Services India Private Limited
1 404 487 7357
svasudevan@deloitte.com

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright 2019 Deloitte Development LLC. All rights reserved.
