Operational Risk - An Enterprise Risk Management Presentation - Actuaries


Operational Risk – An Enterprise Risk Management Presentation
Margaret Tiller Sherwood
FCAS, ASA, MAAA, FCA, CPCU, ARM, ERMP, CERA
President
Tiller Consulting Group, Inc.
Session Number: TBR4
Joint IACA, IAAHS and PBSS Colloquium in Hong Kong
www.actuaries.org/HongKong2012/

Operational Risk – An ERM Presentation
Definition
Types of Operational Risk
Operational Risk Management Framework
Quantification
Mitigation
Monitoring
Risk Identification and Mitigation Examples
Words of Wisdom

Definition
Basel II – Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This definition includes legal risk, but excludes strategic and reputation risk.

Definition
Who are these people?
What does this have to do with us?

Definition
Basel Committee on Banking Supervision – Committee of banking supervisory authorities that provides a forum for cooperation on bank supervisory matters and encourages convergence towards common approaches and standards. It also frames guidelines and standards for banks and bank supervisors.
Basel Accords – Recommendations on banking laws and regulation

Definition
Basel II was intended to create an international standard for banking regulators to control how much capital banks need to put aside to guard against the types of financial and operational risks banks face.
Basel II lists three types of risk:
Credit risk
Market risk
Operational risk
What about liquidity risk?

Definition
Market liquidity risk is the risk that a security cannot be sold at all, or not quickly enough to prevent a loss. Market liquidity risk is a type of market risk. It is addressed in Basel III.
Funding liquidity risk is the risk that liabilities cannot be met when due. Funding liquidity risk is an operational risk.

Definition
Solvency II codifies and harmonizes EU insurance regulation.
Solvency II definition – Operational risk means the risk of loss arising from inadequate or failed internal processes, personnel or systems, or from external events. [It] shall include legal risks, and exclude risks arising from strategic decisions, as well as reputation.

Definition
Legal risk – risk of loss due to legal actions or uncertainty in the applicability or interpretation of contracts, laws, or regulations. Included.
Strategic risk – risk arising from decisions concerning a company’s direction. Excluded.
Reputational risk – risk related to the trustworthiness of the company. Excluded.

Definition
Better definition – Operational risk is the risk arising from execution of a company’s business function. This focuses on the risks arising from people, processes, and systems.
Note that it includes external events that affect a company’s operations.

Definition
Operational risk does not include strategic risk – the risk that arises from decisions concerning a company’s objectives.
Reputational risk may arise from operational risk but is not, in and of itself, an operational risk. It also can arise from credit risk, market risk, and strategic risk.
Operational risk is not used to generate profit, whereas market risk, credit risk, and strategic risk can do so.

Types of Operational Risk
Basel II List
Internal fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
External fraud – theft of information, hacking damage, third party theft and forgery
Employment practices and workplace safety – discrimination, workers’ compensation, employee health and safety
Clients, products, and business practice – market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
Damage to physical assets – natural disasters, terrorism, vandalism
Business disruption and system failures – utility disruptions, software failures, hardware failures
Execution, delivery, and process management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets
Legal risk is in several of these categories.

Types of Operational Risk
Operational risk losses usually are idiosyncratic to a particular institution.
Operational risk losses most commonly are from a failure of internal controls.
Internal operational risk losses arise from errors and ineffective operations.

Operational Risk Management Framework
Basel II
Risk organizational and governance structure
Policies, procedures and processes
Systems used by a bank in identifying, measuring, monitoring, controlling and mitigating operational risk
Operational risk measurement system (ORMS) – systems and data used to measure operational risk to estimate the operational risk charge

Operational Risk Management Framework
Enterprise Risk Management Steps
1. Identify risks
2. Describe and/or quantify risks
3. Decide how to mitigate risks
4. Implement decisions
5. Monitor results of decisions and make changes as needed
Communication is key.

Operational Risk Management Framework
Basel II differentiates between verification and validation.
Verification tests the effectiveness of the overall ORMF and tests ORMS validation processes to ensure they are independent and implemented consistent with bank policies.
Validation ensures that the ORMS is sufficiently robust and provides assurance of the integrity of inputs, assumptions, processes, and outputs.

Operational Risk Management Framework
Essential elements for verification and validation:
Independence
Capacity – adequately staffed with adequate resources
Professional competence and due diligence

Quantification
Basel Committee on Banking Supervision, “Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches”, June 2011
Operational risk data categories for Advanced Measurement Approaches:
Internal loss data (ILD)
External data (ED)
Scenario analysis (SA)
Business environment and internal controls factors (BEICF)

Quantification
It all starts with scenarios. Ask “What if?”
You don’t know what internal and external data to collect unless you have some idea of what scenarios you need to look at.
Data includes qualitative as well as quantitative. Qualitative data sometimes is more important than quantitative, particularly when there are recent changes.

Quantification
Internal Loss Data (ILD)
Internal to the organization
Used to estimate loss frequencies
Used to inform the severity distribution(s)
Serves as input into the scenario analysis

Quantification
External Data (ED)
External to the organization
Used to estimate loss severity, particularly for the tail
May be from a consortium of like members (Association of British Insurers’ Operational Risk Consortium – www.abioric.com)

Quantification
Scenario Analysis (SA)
Scenario outputs form part of the input into the Advanced Measurement Approach model
Qualitative
Produce range of results
Quantify uncertainty arising from scenario biases – This is a significant challenge.

Quantification
Business Environment and Internal Controls Factors (BEICF)
Highly subjective
Often used as indirect input into the quantification framework
Often used as an ex post adjustment to model output
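The four AMA data categories on the preceding slides can be put together in a small loss distribution model: ILD gives the annual loss frequency, ED gives the severity distribution (including the tail), the two are combined by simulation, and a BEICF factor is applied ex post to the model output. This is an added illustration, not code from the presentation; the Poisson frequency, lognormal severity, 99.9% quantile and all loss amounts are constructed assumptions, since the slides name no distributions.

```python
import math
import random
import statistics

# Constructed internal loss data (ILD): (year, loss) for one business line over
# four years. Used for the frequency estimate, as the ILD slide describes.
ILD = [(2009, 12_000), (2009, 4_500), (2010, 30_000), (2011, 8_000),
       (2011, 2_200), (2011, 15_000), (2012, 6_700)]
ILD_YEARS = 4
# Constructed external data (ED): consortium loss amounts, used for severity
# because the internal history alone contains no tail losses.
ED = [5_000, 9_000, 20_000, 45_000, 80_000, 150_000, 400_000, 1_200_000]

def annual_frequency(ild, years):
    """Poisson rate estimate: internal losses observed per year."""
    return len(ild) / years

def fit_lognormal(severities):
    """Method of moments on log(loss): (mu, sigma) of a lognormal severity."""
    logs = [math.log(x) for x in severities]
    return statistics.mean(logs), statistics.pstdev(logs)

def poisson_draw(rng, lam):
    """Knuth's multiplication method; adequate for the small rates seen in ILD."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_totals(lam, mu, sigma, n_years, seed=2012):
    """Monte Carlo aggregate loss: a Poisson count of lognormal losses per year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson_draw(rng, lam)))
            for _ in range(n_years)]

def empirical_quantile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def operational_risk_charge(ild, years, ed, beicf_factor, n_years=20_000):
    """99.9% annual VaR of the simulated totals, then the BEICF factor as an ex post adjustment."""
    lam = annual_frequency(ild, years)
    mu, sigma = fit_lognormal(ed)
    totals = simulate_annual_totals(lam, mu, sigma, n_years)
    var_999 = empirical_quantile(totals, 0.999)
    return {"frequency": lam, "mu": mu, "sigma": sigma,
            "expected_loss": statistics.mean(totals),
            "var_999": var_999, "charge": var_999 * beicf_factor}
```

Calling operational_risk_charge(ILD, ILD_YEARS, ED, beicf_factor=1.10) returns the frequency (1.75 losses per year), the fitted severity parameters, the simulated expected loss and 99.9% VaR, and the VaR scaled by the BEICF factor.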

Mitigation
Goals
Have business continuity
Mitigate financial loss
Reduce reputational risk

Mitigation
The size of loss a company is willing to accept compared to the cost of correcting errors or improving operations determines its operational risk appetite.
Most effective means of reducing operational risk are sound policies, practices, and procedures for internal events and insurance for external and some internal events.

Mitigation
Low frequency, low severity – may do nothing.
Low frequency, high severity – analyze by scenario testing. Handled by planning for these in advance and/or by financing risk such as by purchasing insurance.
High frequency, low severity – may do nothing. However these can accumulate to the point where the severity becomes larger, such as if it triggers a loss of reputation.
High frequency, high severity – take risk control measures. May finance risk such as by purchasing insurance.

Mitigation
Insurance companies sell products that mitigate others’ operational risks.

Mitigation
Basel Committee on Banking Supervision, “Principles for the Sound Management of Operational Risk”, June 2011
Internal controls embedded in day-to-day operations are designed to ensure to the extent possible that:
Activities are efficient and effective
Information is reliable, timely and complete
The entity is compliant with applicable laws and regulation.

Mitigation
Three lines of defense:
Business line management
An independent corporate operational risk management function
An independent review

Monitoring
Key Performance Indicators (KPI) – Are we achieving our desired level of performance?
Key Risk Indicators (KRI) – How is our risk profile changing and is it within our desired tolerance levels?
Key Control Indicators (KCI) – Are our organization’s internal controls effective?

Risk Identification and Mitigation Examples
Fine Dining Restaurant
Family owned
Open only for dinner Monday through Saturday
Seats 80 at a time for two seatings a night
Private party room upstairs
Owner is one of the managers on duty but is also a chef
Has a general manager and one other manager on duty
Has two part-time office staff and one cleaner
Has an Executive Chef, two Line Chefs, one Dessert Chef
Has two expediters and two dishwashers
Has three captains, six waiters, six bussers, and one bartender
Has one hostess and one coat checker
Subcontracts car parking

Risk Identification and Mitigation Examples
Fine Dining Restaurant
Internal policies, practices, and procedures
What can go wrong in the front of the house?
What can go wrong in the kitchen?
What can go wrong in the office?
What can go wrong elsewhere?
What communication problems can there be?
External events
What could negatively affect the restaurant?

Risk Identification and Mitigation Examples
Large Taxi Company
In major city
Owned by one private investor
No Board of Directors
One garage location
Owns 500 cabs
Has 1,000 drivers
Has 20 mechanics in own repair shop
Has own gas station and car wash
Has 5 dispatchers
Has 10 office staff including CEO, COO, and CFO positions

Risk Identification and Mitigation Examples
Large Taxi Company
Internal policies, practices, and procedures
What can go wrong on the streets?
What can go wrong in the repair shop?
What can go wrong with the gas station and car wash?
What can go wrong with dispatching?
What can go wrong in the office?
What can go wrong elsewhere?
What communication problems can there be?
External events
What could negatively affect the company?

Risk Identification and Mitigation Examples
Insurance Company
Privately held
Much of board is family members
Writes automobile liability and physical damage for taxis in large city
Recently had large business expansion
Is moving from low-tech to high-tech back office
Uses independent agents to write business

Risk Identification and Mitigation Examples
Insurance Company
Internal policies, practices, and procedures
What can go wrong with the agents?
What can go wrong with customer service?
What can go wrong with underwriting?
What can go wrong with claim handling?
What can go wrong with data processing?
  Increased inefficiency due to data overload
  Compliance risk if data not protected
  Privacy risk
  Security risk

Risk Identification and Mitigation Examples
Insurance Company
Internal policies, practices, and procedures (continued)
What can go wrong with accounting?
What can go wrong with investing?
What can go wrong with reinsurance?
What can go wrong with the Board of Directors?
What can go wrong with the owners?
What can go wrong elsewhere?
What communication problems can there be?
External events
What could negatively affect the company?

Risk Identification and Mitigation Examples
Insurance Company
Operational risk losses usually are idiosyncratic to a particular institution.
Very highly automated back-office systems – exposure to IT operational risks
Low tech back office – exposure to people and process operational risks

Words of Wisdom
Strategic decisions affect operations.
Have an “open door” policy.
Manage by walking around.
“Good reason” versus “real reasons.”
When someone presents a problem, they must also present a possible solution or be willing to participate in finding a solution.

Words of Wisdom
Some processes need to be “hard-wired” in: no exceptions.
Manage by exception. Use those to improve processes and systems.
Allow people to make exceptions that are in the company’s long-term best interest.
Cross train.

Words of Wisdom
Be aware of what is going on outside the company:
Clients/customers
Service providers
Competitors
Related industries
General population – demographics, work environments, socially
Technology innovation
Accounting standards
Politically
Judicially
Legislatively
With the country in general
With the world in general

Words of Wisdom
Be more proactive than reactive.
Keep an open mind.
See what is really there.
Be prepared.
Be flexible.
Communicate, communicate, communicate.

Operational Risk – An ERM Presentation
Definition – Operational risk is the risk arising from execution of a company’s business function.
Types of Operational Risk
Operational Risk Management Framework
Quantification
Mitigation
Monitoring
Risk Identification and Mitigation Examples
Words of Wisdom

Operational Risk – An ERM Presentation
Margaret Tiller Sherwood
FCAS, ASA, MAAA, FCA, CPCU, ARM, ERMP, CERA
President
Tiller Consulting Group, Inc.
10401 Litzsinger Road
St. Louis, Missouri 63131
USA
www.tillerconsultinggroup.com
Phone: 1 314 567 7480
Fax: 1 314 567 4199
msherwood@tillerconsultinggroup.com
