AN OLD CHALLENGE IN A NEW ENVIRONMENT
HANS-ULRICH DOERIG, VICE CHAIRMAN
CREDIT SUISSE GROUP
JANUARY 2001 PARTLY ADJUSTED APRIL 2003
ADVICE TO THE READER
Aware that the reader of this presentation is always under time pressure, I propose the following advice:
The "really" hurried reader gains an overview from (17 pages):
- Table of Contents
- Chapter 1 - Introduction
- Chapter 2 - Summary and Outlook: 12 Conclusions

The "less" hurried reader gains an enlarged overview from (56 pages):
- Table of Contents
- Chapter 1 - Introduction
- Chapter 2 - Summary and Outlook: 12 Conclusions
- 12 Principles / or 12 Issues / 12 Checks / etc. (which are highlighted in yellow throughout the paper)

The reader wishing a complete overview should read (135 pages):
- the document in its entirety
Operational Risks in Financial Services
In view of the increasing industry discussion on Operational Risks and the BIS intention to charge banks with additional regulatory capital requirements, I held the original presentation at the Institut International d'Etudes Bancaires in October 2000. This Institute is a forum of 50 European top management members. Since then, I have adjusted some texts and added a few pages where appropriate.
This presentation would not have been ready in time without the constructive and critical contributions of my CSG Risk Management staff. My thanks to them.
While I structured and wrote the presentation myself, Dr. Harry Stordel deserves a special mention of thanks - he concentrated on research for some chapters and some of his ideas have been included. My thanks also to Mrs. Annette M. Rouiller, who handled the presentation appearance, a rather nerve-wracking task in a hectic environment.
Table of Contents
1. Introduction and Overview
1.1 The 100 Risks in Financial Services
1.2 Coping with Risk Complexity
1.3 Operational Risk in Risk Management
1.4 The 12 Golden Organisational Principles in Risk Management
2. Summary and Outlook: 12 Conclusions
3. Operational Risks: Framework for Definitions and Dimensions
3.1 Operational Risk Definitions
3.2 Five major OpRisk-Categories and their Sub-Categories
3.3 Overlaps between Risk Classes
3.4 Operational Risk ≠ Total Risk - Credit Risk - Market Risk
3.5 The Dimensions of OpRisk Management
3.6 The four Stages of OpRisk Management
4. Major OpRisk-Mishaps in Financial Services: 12 Lessons learned
4.1 Introduction
4.2 Overview of 8 selected Mishaps since 1991
4.3 The 1977 Credit Suisse Chiasso Case
4.4 OpRisk Scandals in Financial Services: 12 Lessons
5. Organisations with a 5000 Year OpRisk Experience: 12 Lessons
5.1 Introduction
5.2 Principles of the Military
5.3 Military OpRisk Experience: 12 Lessons
6. Managing Operational Risks: The 12 S's as a High Level Requirement
6.1 Risk Management Framework
6.2 Strategy and Structure
6.2.1 Corporate Governance
6.2.2 Segregation of Duties
6.2.3 Management Structure for OpRisk
6.2.4 Audit driven OpRisk Management
6.3 System and Systems
6.3.1 Framework of OpRisk Management
6.3.2 OpRisk Control Process: 12 General Rules to Watch
6.3.3 Top-down versus Bottom-up OpRisk Management
6.3.4 Risk Processes: Quantitative and Qualitative Approaches
6.3.5 Personal Attention by Senior Management
6.3.6 Compensation-System
6.3.7 Modern IT-systems lead to New Processes
6.4 Safety and Speed
6.5 Staff and Skills
6.6 Style and Shared Values
6.7 Stakeholders and Symbol
6.8 Synchronisation
7. Managing Operational Risks: Practical Instruments and Tools
7.1 Introduction
10.3 Loss-Scenario / Qualitative Assessment Models
10.2 Credit Suisse Group's Approach: Scenario Based
10.9 Communication
12.5 Capital Allocation
10.8 Applications and Limitations of Tools
8.4 Selected Areas of Future Concern
3.2 Using Data: 12 Issues
10.1 Factor-derived / Indicator based Models
10.8 Settlement
12.1 Insurance as Part of Risk Management
8.2 Statistical / Actuarial / Simulation-based Models
10.7 Fraud
Control and Risk Self-Assessment
7.4.4 Risk Indicators and Escalation Triggers
7.1 The Three Pillar Approach by the BIS
11.1 Risk Data Methodology: 12 Issues
9. The Data Challenge
9.6 OpRisk Dashboard
7.10 Transformation Management
List of Abbreviations
Bibliography
10.3 Impact & Frequency Scorecard
7.5 Outsourcing
12.3 Strategy and Structure for Insurance Coverage
8. Concerns of Supervisors
11.5 Alternative Risk Transfer
8.6 OpRisk Quantification: 12 Conclusions
11.2 Customer Complaints
12. Quantification of Operational Risks
Introduction
What is Quantified in OpRisk?
Purpose of OpRisk Quantification
How to Quantify/Model OpRisk
10.2 Availability of Insurance
8. Operational Risk Transfer: Insurance and Finance
10.7 Loss Event Database
7.3 IT Migration
12.2 The OpRisk Regulatory Solution: 12 Points from a Banker's Point of View
12.5 Risk and Process Mapping
7.6 Risk Transfer: 12 Guiding Principles
9.5.4 IT Security
12.1 Business Continuity Planning
10.6 Money Laundering
7.4 Funded Captives
8.1 Bankers' Trust Approach: Combining Methods
1. Introduction and Overview

Risk management has always been an explicit or implicit fundamental management process in financial services. It is the essence of financial institutions' activities. Good risk management is a decisive competitive advantage. It helps to maintain stability and continuity and supports revenue and earnings growth. Quality of leadership and governance is increasingly an issue of risk management. New governance requirements are quite explicit about this responsibility. Risk management is a daily struggle against uncertainty and a daily learning process: Risk management is not a program, but a process for which senior management and Board of Directors are increasingly called upon to ensure. However, there is more pressure to avoid things going wrong while continuing to improve corporate performance in the new environment.

1.1 The 100 Risks in Financial Services

Risk is uncertainty about a future outcome. The daily life of a human being is full of risks. Life without uncertainty is like a movie or a joke of which you already know the outcome. Risk is part of corporate life. Risk is to be managed, not feared. The greatest risk, however, is not taking one, as the chances for rewards move towards zero. While not avoidable, risk is manageable - as a matter of fact most banks live reasonably well by incurring risks, especially "intelligent risks". Diligent and intelligent risk taking is an "attitude" towards stakeholders. Risk management is an obligation to stakeholders. Good risk management is not only a defensive mechanism, but also an offensive weapon.

Financial services - dealing with so many daily actions and reactions by human beings - are exposed to a variety of risks. Chart 1.1 indicates such variety. Risk is highly multifacetted, complex and often interlinked, especially "operational risks". Today, all the 100 risks have at least an "operational touch". A recognised risk is less "risky" than the unidentified risk. There is a need for credible and relevant methodologies to identify, define, assess, reduce, transfer, avoid and manage risk. Comprehensive, institution-wide strategy and tactics towards risk can no longer be achieved by applying common sense only - albeit common sense remains crucial. Despite all the progress in the quantification of risks, risk management will remain a blend of art and science. Quantified risk is seductive, but can be misleading or provide a "false sense of security"; imperfections have to be acknowledged.
Chart 1.1: 100 Risks in Financial Services

Interest, Regulatory, Strategy, Systemic, Credit Spread, Business Volume, Team Departures, Insider, Innovation, Collateral, Settlement, Systems, Revenues, Custody, Risk Culture, Public Relations, War, Large Exposures, Catastrophe, Infrastructure Shutdown, Credit Netting, Cost, FX, Style, Volatility, Market, Litigation, Management Structure, Rogue Trading, Liquidity, Proportionality, Character, Risk Appetite, Priority Setting, Counterparty, Operations, Pricing, Reputation, Brand, Low Probability / High Impact Losses, AL Management, Intrusion, Globalisation, New Business, Cross Border, Balance Sheet Structure, Know-How, Competition, Transparence, Legislation, Refinancing, Complexity, Capital Allocation, Legal, Segmentation, Communication, Court Decisions, IT, Product, Capital Access, Timing, Commodity, Partnerships-Alliances, Bridge Finance, Social Unrest, Financial Models, Centralisation-Decentralisation, Concentration, Know Your Client, MIS, Critical Size, Hackers, Risk Control, Staff / Team, Change Management, Channels / Internet, Risk Capacity, Motivation, Compliance, Cadence of Change, Syndication, Emerging Markets, Supervisory, Risk Ratings, Event Risks, Project, Future Commitments, Flexibility, Political, Insurance, Outsourcing, Take-Over, Data Integrity, Theft / Crimes / Fraud, Deal Breakup, Value Proposition, Initiatives Overload, Control Environment, Control Procedures, Documentation.
© H.-U. Doerig, 1998

Naturally, such variety is confusing and not helpful for coping with risks - albeit different for any specific situation as to priority, timing, intensity and scope. An intelligent "packaging" of risks is needed. Such a packaging often involves setting a priority focus. This focus might differ from one bank to the other - there are over 30'000 banks and an estimated 20'000 insurance companies world-wide.

1.2 Coping with Risk Complexity

Credit Suisse Group - as one example of many - differentiates among 7 priority risk categories, presented in Chart 1.2. Market, credit, insurance underwriting and commission and fee income risks have become quantifiable in a more credible fashion. Strategy and reputation risks are tackled on a systematic and qualitative basis. Chart 1.2 also indicates the scope and challenge of any integrated firm-wide risk management. Thereby, any organisation has to build on what I call the 12 S's, focused on OpRisk management. The 12 S's serve as a systematic base for general management. The 12 S's will appear in the following chapters again and again.
Chart 1.2: Building an Organisation for the Management of 8 Major Risks

Major factors shaping the risk disposition of an individual and an organisation: Values, Policies, Competition, Perception, Regulation, Behaviour, Markets & Economy, Society & Politics, Innovation, Technology, Expectations, Facts, Experience, Clients.
Action and Reaction by Management and Staff; Knowledge; building on the organisation's 12 S: Strategy, Structure, System/s, Safety, Speed, Skills, Shared values, Stakeholders, Symbol, Synchronisation, Simplicity, Sustainability.
Ensuring a risk culture with: proactive risk management, modern methods / limits, constructive control attitude, discipline as to corrective actions, continuous training.
Scope and challenge of an integrated firmwide risk management: Effective risk management provides focus on and control over 8 major risks: Strategy Risk, Reputation / Brand Risk, Market Risk, Credit Risk, Ins. Underwriting Risk, Business Risk, Operational Risk, Liquidity Risk.
© H.-U. Doerig, 2000

An attempt is made here to find some of the more relevant common denominators. Chart 1.3 is a simplified attempt to visibly present my personal thinking as to the years to come for financial services. The convergence of all sorts will lead to the focused universal banking concept for some. Many will specialise - successfully so - in retail banking, private banking, wholesale banking or even concentrate on logistics as insourcer for outsourcers. Almost all will have similar challenges as to OpRisk. Some of these challenges may only apply e.g. to retail or wholesale banking.

Chart 1.3: Focused Universal Banking: Year 2000 onwards (national = global)

4 Core Activities: Retail, Private, Wholesale and Logistics.
9 Product or Activity Groups:
- Retail Banking: Individual and small/medium sized Companies, Mortgages, Allfinanz, Bancassurance
- Personal Financial Services
- Private Banking
- Asset Management for Institutions, Funds
- Trading: Securities, FX, Commodities, Derivatives
- Brokerage
- Investment Banking: Prim. Mkt., Syndication, Financial Engineering, Structured Financing, Corp. Finance, M&A
- Wholesale Banking: Loans, Securitisation
- Logistics: Back-/Mid office, Comprehensive Risk Mgt for Risks of all Sorts incl. Insurance Securitisation, for 3rd Parties: Insourcer for Outsourcers
5 Prime Value Generators for the Product or Activity Groups: 1 = Operational Excellency: Standardisation, Segmentation; 2 = Client Orientation: IT-Contacts plus physical Client Contact; 3 = Excellency re Product, "Market Touch", Risk Management; 4 = Capital Strengths, Rating & Standing; 5 = Critical Size and/or Market Share.
© H.-U. Doerig, 2000
1.3 Operational Risk in Risk Management

The management of market and credit risks has made great progress as to its methodologies and quantification approaches, given the vast and reasonably reliable data and statistics. This does not mean that misjudgements as to the future are rarer, but the approach is more empirically founded. Operational risks - while not new but in a new environment - have received tremendously increased attention as of very recent. While dealing with "operational risks" more closely, I realised the breadth and complexity of such a task. You can name anything out of the "banking-life", it almost certainly has an operational risk touch. Operational risk management is - simply put - good management and close to quality management. As management in financial services is dealing with people for people - in a continuous process and ever changing environment - there cannot be an easy answer or a simple model. Mistakes and failures, i.e. OpRisk losses, happen daily in every financial services organisation, some negligible, some more serious; very rarely they can be very grave. This should make every manager humble, also in the judgement on competitors.

The confusion as to OpRisk and its management is quite impressive in the industry: Definitions not settled, frameworks different, data hazy, models complex and/or not (yet) credible, consultants looking for new assignments lack a track record, quants hungry for fresh challenges, academics impractical. Supervisors - in spite of all - are eager to get additional capital charges. Activism is abound. What an imbroglio to start with?!

The general environment for financial services will continue to change dramatically. It will call for significant and continuous adjustments in the way enterprises do business and adapt their operations. As a result, OpRisk will primarily be driven by:
- New products
- Product sophistication
- New distribution channels
- New markets
- New technology
- Complexity (IT-interdependencies, data structures)
- E-Commerce
- Processing speed
- Business volume
- New legislation
- Role of non-government organisations
- Globalisation
- Shareholder and other stakeholder pressure
- Regulatory pressure
- Mergers and Acquisitions
- Reorganisations
- Staff turnover
- Cultural diversity of staff and clients
- Faster ageing of know-how
- Rating Agencies
- Insurance Companies
- Capital Markets
With dramatically increased competition - also from non-banks - a successful OpRisk management is crucial for survival. In the future, the market will be less forgiving of any colossal lapse. Reputation is increasingly also built on OpRisk management skills. A financial services organisation must be a learning organisation and increasingly also a "knowledge-organisation". New approaches can solve many old problems. These are some of the reasons why OpRisk gets such attention at present. OpRisk and OpRisk management are not only about risks and threats. Both are chances and opportunities as well.

It would be quite presumptuous to try for a complete paper on "good OpRisk management" or "good management": This paper contains suggestions based on personal opinion and observations, including the ones from Credit Suisse Group (CSG). I am fully aware that every organisation is always in different stages of quality performance and process sophistication, given the interdependencies of internal projects and external pressures. There is often not "only one solution" in management. I also know that there are many "paths to Rome". In chapters 4 and 5, I have therefore included the experience of 9 mishaps in the financial world and the very concrete experience of the oldest organisation with operational risks: the military.

Chapter 3 deals with the definition of OpRisk. Chapter 6 deals with the more high level management issues, while chapter 7 presents some OpRisk instruments and tools. OpRisk transfer is discussed in chapter 8. OpRisk data and quantification follow in chapters 9 and 10. Concerns and issues of regulators and supervisors are presented in chapter 11, while areas of future concerns for OpRisk management are in the final chapter 12.

The reader will also realise that I seem to have a "preoccupation" with the number 12. Over centuries, the number 12 has played the symbolic role of completeness - which is somewhat ambitious for an active banker. More important, my observations tell me that "12 messages" are just about digestible to keep one's attention span. They also force a priority setting.

1.4 The 12 Golden Organisational Principles in Risk Management

Ahead of the OpRisk discussion, my following 12 Golden Rules in Risk Management should be a guide throughout the presentation. They are the result of observations and adjustments over the years and apply to OpRisk aspects as well. Let me stress, however: Some of the following 12 conclusions or issues sound banal, but probably are the more vital elements when it comes to implementation.
Table 1.1: The 12 Key Principles in Risk Management

Our principles have not changed. Thereby no organization ever achieves an ideal or perfect positioning in every respect, but as a "learning organization" in a dynamic environment, we are continuously adjusting the contents with new priorities or refinements based on experience. The issue is not the intellectual level of the 12 principles but rather their diligent implementation, which is challenging in a diverse, global and changing world.

Executing the Fundamentals

1. Risk is uncertainty about future results. Do not fear but respect risks. Risk taking = risk management. "Informed and intelligent" risk-taking, including attention to proportionality, concentration and diversification → active portfolio management. Ensure the balance of gains versus losses. Credibly quantified and relevant risks represent an opportunity. Watch liquidity/flexibility aspects in turbulent times. Never forget "extreme event" risks. Deal with consequences of the unexpected cases. Watch harm by association.

2. Clear structure, allocation of responsibility and accountability and discipline are basic preconditions. Clear and communicated responsibility and accountability. "Ownership" of issues and risks. No conflicts of interest: i.e. front office versus support areas - but "constructive tension" where appropriate. Prioritise disciplined processes and structures. The 6 S's for the systematic mental discipline of an organization: the logical sequence Strategy → structure → system → systems → safety → speed.

3. Adequate compliance environment: Responsibility lies not only with immediate heads → leadership function of each management level. Risk and compliance awareness ideally with everyone. Transparency as to policies, directives, etc. Know the rules of the game: courage for unpleasant measures with a "culture of consequences". Rigorous measures in case of non-compliance/breaches. It takes a lot of discipline, training and time to get everyone worldwide on an adequate control/compliance level. Care about substance, not only legalistic form: "smell test" with "overall view". Thoughtful self-challenge - especially rigorous audit reports - can provide a formidable basis to avoid/limit operational risks.

4. Management of risks for own organization comes ahead of risk management for supervisors/regulators. Prevention ahead of correction. "Best practice" as goal. However "best practice" must be applied intelligently – no "fads". Emphasize furthering the risk culture, rather than controlling the numbers. Risk management is a tenacious process not a program. Focus on long-term initiatives versus short-term ones. Ongoing questioning of strategy.

Retaining the perspective

5. Completeness, integrity and relevance of data/systems/information as a basis. No diagnosis without information. Know what you do not know. Data characteristics are ideally: Complete, consistent, standardized, objective, transparent, interpretable, replicable, comparable across the institution, auditable, embedded in aggregated processes, and above all they are relevant and credible as to facts and perceptions. If not credible, cynicism abounds. What is measured, observed and recognized gets attention.

6. Capital allocation based on Economic Risk Capital.

7. Risk management is part art, part science. Common sense for reality checks. Combine overall judgement by experienced people with specialist knowledge. Risk management is often the art of drawing sufficient conclusions from insufficient premises, as there is no reliable base material. The more complex a risk type is, the more specialized, concentrated and controlled its management must be. Complex organizations, restructurings and projects can add risks. Complexity is the enemy of speed and responsiveness: try hard for simplicity. Counterbalancing is a management task. Watch internal and external exuberances and paralysis. Faster race – higher bar: antennae out to receive and implement internal and external input. To be right too soon is also wrong: timing is the issue. Markets might promise but never guarantee anything.

Limitation of models

8. A model is always a strong reduction/approximation of a more complex reality. Models are as good as the underlying assumptions: "garbage in" – "garbage out effect". Models are always only part of an overall risk management approach and must include common sense. Theoretical rigidity may not prevail over practical relevance and credibility. "Reductio ad absurdum" may lead to a "model figure" but is irrelevant in the overall context. Not all risks are relevant and/or quantifiable: also here, use 20/80 approach.

9. New external parameters and continuous restructurings can make models questionable. Comparisons of absolute model figures with those of third parties are questionable: The prime internal value added of a good model – including the stress test – is its trend over time. Data is ubiquitous and abounds: Timely sorting and packaging in the proper context creates relevant information and value added. Facts, perceptions, expectations – all are important.

Focus on human aspect

10. Human element is THE critical factor of success. Successful risk management is primarily the result of the capacity, aptitude and attitude of the people involved: people shape the culture. Good mix of professional, open-minded and honest people with formal training, professional and life experience, integrity and character. Professionalism includes: inquisitiveness, feel, intuition and inspiration for risk and market direction. Specialists can "walk out" easily in good times.

11. A financial institution is a "knowledge and learning organization". People with authority especially must be educators: source, share, synthesize and save knowledge. Continuous learning and training is part of the evaluation/incentive process. Self-management and leadership with regard to a culture of open communication based on "experience" and know-how are increasingly challenging: Ban knowledge-hoarders and turn knowledge-givers into heroes as part of evaluation/incentive process. Knowledge alone is not enough: it is the rigorous implementation which leads to results. Learn from mistakes and determine causality. Mistakes or misjudgements are unavoidable: The ways of correcting mistakes are part of culture.

12. Risk culture on the whole is the final responsibility of the top management. Responsible control/compliance/risk culture is as important as the most sophisticated quantification for reputation and brand equity. Those values count which are enforced. Lead by example – practice what you preach. Honesty includes intellectual honesty: Cover-ups are lethal.

© H.-U. Doerig, 2003
2. Summary and Outlook: 12 Conclusions

1. OpRisk management is nothing new per se. Risk management and OpRisk management in banking have been around since the inception of banking. Over the last 10 years, risk management especially for market and credit risks has reached the impact stage. From obscurity they moved to respectability. From respectability they have at least reached prominence. OpRisk management today is gaining prominence, but the stage of the full quantitative impact has not been reached. Its quantitative foundation - with credible, relevant and meaningful total figures - cannot be expected in the near future. Perhaps it never will be! What is new and will become a more prevalent development:
- Generally increased risk awareness, including OpRisk
- More rational, more analytical attempts to identify, define, categorise, measure, quantify and partly transfer losses and risks
- Closer attention by regulators
- Attention by and responsibility of senior management and Board of Directors
- OpRisk seen in a broader context
- A fast changing environment, in which OpRisk management takes place: boundaries increasingly blur, consolidation and convergence in the industry continue, more non-banks enter the turf, dis-intermediation and global capital markets grow faster

2. OpRisk is not "other risks": The term "other risks" stems from the obsolete notion of OpRisk as all non-market and non-credit risks. Many institutions have moved away from this negative definition to a positive definition. Market and credit risks are revenue driven. OpRisks are not. Contrary to market and credit risks, OpRisks are usually not willingly incurred. Also for reputation reasons, OpRisks are avoided. OpRisks cannot be laid off in liquid trading markets: OpRisks are only eliminated if a bank ceases to be. OpRisks are primarily institutional, "internal", "bank made", context dependent, interdependent, incredibly multifaceted, often judgemental, often not clearly discernible vis à vis e.g. market and credit risks and not diversifiable; often they are insignificant in an overall context. These are some of the reasons why the definition, measurement and modelling of OpRisk is so difficult to come by. OpRisk management is often close or parallel to quality management and, therefore, contributes to client satisfaction, reputation and shareholder value.
Having recognised the above, a suggested OpRisk definition could be: "Operational risk is the risk of adverse impact to business as a consequence of conducting it in an improper or inadequate manner and may result from external factors." This definition needs categorisation: Organisation, Policy / Process, Technology, Human, External.

3. The OpRisk management of the future has to be seen in the wider context of globalisation and Internet-related technologies. The 2 major future drivers - globalisation and Internet-related technologies - will challenge the banks to take on additional and partly new OpRisk: Avoidance of a "double click imbroglio". Ubiquitous computing and Internet-related technologies (IRT) make every business a data-based business in a new e-economy. IRT changes everything. IRT is no longer just a strategy supporter, but a strategy enabler: it enables transactions and services any time, instantaneously, with no barriers, at decreasing prices. Old World and New World are moving towards One World. While computing solves many OpRisk problems, it also creates new ones: IT, security, control, compliance, privacy protection etc. Such a "technical environment" represents a major new challenge for management and especially for OpRisk management. Globalisation - with its many advantages for the stakeholders of a modern firm - usually adds complexity and diversity of cultures. A common culture - and a common risk culture - will be one of THE challenges for a globally oriented organisation. The increasing globality of financial services increases the demands on governance, management and staff, including environmental and social responsibility. Managing a modern company means managing on behalf of all core stakeholders, especially in financial services. Creating value for clients, staff and business partners is a precondition for creating shareholder value. Sustained and sound profitability is also the best contribution for avoiding systemic risks and protecting savers.
4. Good OpRisk management - in combination with quality management - is a decisive base for enhancing the reputation of a bank: OpRisk deficiencies appear in every bank, almost daily. In a crisis situation, the crisis itself often manages the organisation. Thereby, the responsibilities for the disaster and the OpRisk management capability to deal with the aftermath become more visible. In a major crisis, the impact on market capitalisation and reputation can be significant during the first few months. Thereafter, disciplined, consistent and effective communication as well as honesty show a fundamental financial value. The control and compliance environment is increasingly checked by supervisors, who more and more ask for individual responsibility. However, shareholders and other stakeholders will be much less forgiving of a major OpRisk mishap in the future.

5. The only alternative to good OpRisk management is crisis management. Good OpRisk management prevents crises. With good OpRisk management an organisation manages its risks.

6. A more analytical OpRisk management approach is emerging: The attention it receives is a multiple of what it was only 5 years ago. OpRisk has been controlled at least in some fashion - for years. It is now becoming more formalised and increasingly measured or at least consciously observed. All the more important is good management, along the diligent, systematic, daily management of the 12 S's of an organisation: strategy, structure, system/s, safety, speed, staff, skills, style, shared values, stakeholders, symbol, synchronisation as discussed in chapter 6. Clear structures and processes with defined allocation of responsibilities are preconditions for a successful OpRisk management.

7. Banks face continued dilemmas which have OpRisk ramifications:
- The most venerable versus the most vulnerable
- E-commerce hype versus hybris
- Dot-com culture with rapid responses and change versus structured, sometimes slow structure / system and legacy systems
- Innovation "entrepreneurship" and "intrapreneurship" versus structure and processes
- Consistency and predictability versus change and innovation
- Long term orientation versus short term performance pressure
- Security versus speed
- Scale and standardisation versus scope and differentiation
- "Roots" versus "strong wings" of management and staff in global organisations
- Local conditions versus global pressures: "glocalism"
- Maximising activities where the outcome is controlled and minimising exposures for which there is little or no control over the outcome
- Operating and capital allocation efficiency versus compliance, e.g. control and capital requirements of supervision
- Shareholder pressure versus other stakeholders' expectation
The winners will be those who understand the forces of change best, implement accordingly and "synchronise" their efforts optimally in turbulent times.
8. OpRisk management is a continuous learning process. OpRisk management is not a program, it is a continuous, diligent process throughout an organisation. Loss events are opportunities to improve structure, system and systems, procedures, tools, models and staff. Based on this lesson: think first, organise second and act third, in the right and not the wrong direction.

9. The financial services industry as a whole, notwithstanding the major differences among banks, has made considerable progress over the last 2-3 years in OpRisk areas such as definition, concept, structure, reporting, aspects of strategy and planning, risk transfer solutions and potential risk quantification. There will be a convergence of a common definition, capital allocation and risk transfer, but it will take years. However, the momentum is building each year with improved data on hand. OpRisk measurement and internal loss information should, also in the interest of rational data collection, be guided by the following characteristics: relevant in the overall context (except for some sub-categories which might not be relevant in the overall context), complete, consistent, objective, transparent, interpretable, teachable, auditable, minimally standardised to be used across institutions and, above all, credible by facts and perception.

10. There is no credible and satisfying overall model applicable to "OpRisk at large" available for quantification at present. Existing OpRisk measurements and tools are usually not expressed in financial terms, excepting loss databases. Many statistics, as shown in chapters 7 and 9, can be misleading, inconsistent, irritating and confusing. I doubt whether there can be one "catch-all" OpRisk model with a credible outcome: "more sizzle than steak"? Remember the pains in building market and credit risk models over the years, with an incomparably better database; they became core and standard management tools. In addition, financial institutions and regulators / supervisors should be aware of the cost / benefit relationship of setting in place the quantification of OpRisk, involving data gathering, quants, tools and models. The experience of setting up such systems for the quantification of market risks indicates the cost and inertia involved in changing the system and systems for a relatively little disputed analytical approach. The credibility of OpRisk measurement is enhanced if there is quantitative evidence of the cost of collecting data versus the benefits of measurement. There is still a long way to go to reach an effective, credible and implementable OpRisk analytical framework. In the end, it is management which is responsible for the reasonableness and credibility of models, not academics, quants or supervisors.

11. We should not overlook that an analytically sophisticated, credible and accepted approach to risk management is only one important attribute of a strong risk management effort. Important, therefore, remains the relevance and credibility of such attempts. A simple number can be so intriguing, especially if more ex-ante and not exclusively ex-post oriented, but do not ever forget the "garbage in - garbage out" effects. A "false sense of security" could lead to wrong priority setting and counterproductive outcomes. There always has to be ample room for common sense. "As people are walking all the time in the same spot, a path appears." (Lu Xun)

Risk management is always and consciously an integrated part of good business management. Sound OpRisk management is, therefore, synonymous with good customer service, which supports reputation and share price. Internal and external audit play a crucial role. Developments to be expected:
- Greater involvement and "buy-in" by senior management and Board of Directors.
- Greater visibility of the risk management function and its place within the organisation.
- A greater general awareness and institutionalisation of risk management, becoming a core competency of risk management and of general management. Risk management becomes TQM.
- Strategic planning is linked with risk management and OpRisk.
- A better focused business approach: a move from a "defensive" posture of OpRisk management to an "offensive" positioning. On the one hand, there are more traditional concerns about "high frequency, low impact" losses, with concerted efforts like quality management, straight-through-processing and controls (see chapter 10). On the other hand, there is a pronounced concern for "low frequency, high impact" losses, with corresponding risk transfers and insurance.
- A more conscious analytical and multi-disciplined integration of credit, market and OpRisk control functions: internal and external audit, legal and compliance, finance, operations, product control. Tools become more integrated and are also used by line or front functions.
- The focus on quantification attempts is increasing: a sophisticated risk management framework with more analytical and predictive contents, comprehensive and consistent as part of a modern risk management framework.
- Credible and relevant internal database systems become more commonly defined, structured and standardised. Data sharing agreements in neutralised form get created, excepting very confidential data on legal disputes.
- Internal economic risk capital models include OpRisk in view of more internal rational capital allocation targets.
- Extreme internal and external risks (e.g. hackers, IT security) become increasingly insurable. Reliable and punctual insurance protection will have to be recognised by supervisors. Some insurance companies increasingly "detect" the huge potential in this market.
- More risk transfer to third parties which are able to analyse, diversify and bear OpRisk of banks: insurance for external risks and for integrated risk products as well as for standardised capital market transactions. Risk transfer becomes part of an integrated OpRisk management, as presented in chapter 11.
- More outsourcing of non-core activities and partnerships with banks and non-banks, especially Internet-related. All this entails new aspects of OpRisk which need close attention.
- Regulators and supervisors, especially with the planned BIS Pillar 1-3 approach, take on a greater interest and a rather pronounced responsibility in the OpRisk arena. Banking supervision is fir¬mly risk-based. Global rules? More intervention? More judgements on management? More influence on the strategy of a bank? New regulatory and supervisory standards and entities converge; cooperation and information sharing between supervisors gets closer. With Pillar 2, the supervisors take on an additional risk management layer for the respective bank. Regulators and supervisors should hopefully be positively impressed by the ongoing conscious OpRisk management efforts in the industry.
- Various regulators and supervisors seem to prefer a simple "box-ticking OpRisk capital charge", which is just not fair, difficult to evaluate credibly or ignores the relevant issues like "good management", as shown in chapter 8. Understanding and managing OpRisk is more important than putting a regulatory value on it. Close to 100% of the benefit of OpRisk management is derived from the fact of doing so. The level playing field remains an unresolved issue.
- The BIS should be encouraged to add a Pillar 4 to the suggested and discussed Pillars 1-3: sustained sound and diversified profitability as THE precondition and THE contribution to protect creditors and to avoid systemic risks. Risk creates value; profits come from taking risks. For such profitability and growth, good OpRisk management is core. There are many different ways other than "capital" to judge an organisation, which have nothing to do with regulatory capital. Regulators and supervisors who do not take this truism into account, well-meaning in the name of creditors' and investors' protection and avoidance of systemic risks, unfortunately end up making the financial system more unstable.
- Regulators and supervisors finally have to come to grips with the following issues:
  - Really threatening OpRisk issues for banks have been very rare in the past; they were not of a systemic nature. The 9 major mishaps of financial institutions as discussed in chapter 4 were all issues of management, not of regulatory capital.
  - According to supervisors, OpRisk should be supported by a Pillar 1 capital requirement for each bank and additional Pillar 2 capital for "special OpRisk situations". There are, however, continued arguments about the justification for Pillar 1 OpRisk capital requirements. There are better "checks and controls by supervisors": industry knowledge, management know-how and judgement capabilities. This is the challenge for supervisors.
  - Convergence is observed in almost all financial activities, including insurance. Why not convergence of the very same activities' regulatory environment? Non-banks are exposed to the same OpRisk as banks. Both represent similar "systemic risks". What are the measures of the regulators to avoid such potential systemic risks of non-banks? Why care about systemic risks by banks while ignoring those by non-banks? Why should banks be charged with a special OpRisk regulatory charge? Why should banks become less competitive?

12. OpRisk management is good management of the 12 S's of an organisation as described under chapter 6. Senior management is called upon to act. Discipline is the discipline for good OpRisk management. Good OpRisk management may never get a Nobel Prize, but is still core for successful survival. OpRisk management is only very partly rocket science and partly social science, as the targeted objects and issues change continuously and the past does not repeat itself in the same context. Civilian and military studies, presented in chapter 5, reveal that insufficient management and processes were responsible for 80% of the mishaps. Good OpRisk management relies on a proper corporate culture with a diligent risk culture and a positive acceptance of control. Good OpRisk management within a proper risk culture includes:
- Proper structure and governance
- Risk management visibility
- Control, compliance
- Forward-looking internal audit and corresponding follow-ups
- Proper tools and analytical measurement of OpRisk
- Attempts for credible and relevant quantification
- Proper skills and style
- Continuous adjustments of safety measures, especially related to Internet activities
- and above all: a shared values attitude as to the "acceptability of risks"
When an organisation reaches and maintains such a challenging level, it achieves the most important steps towards a successful OpRisk management. Not surprisingly, the critical OpRisk management success factor is management and staff: experienced people with integrity, credibility, visibility and acceptance within the organisation. Finally, it is human beings in an organisation serving human beings with their actions and reactions. Good OpRisk management improves quality and reduces cost by cutting risks. As a consequence, good OpRisk management amounts to a competitive advantage and is reflected in the shareholder value. This strong statement, I hope it is strong enough, is evidenced by the experience of the major mishaps in past financial history and by the experience of the military, with the longest OpRisk exposure in human history. OpRisk is not so much about capital and models, it is about management: diligent, arduous and daily OpRisk management supports the stability and continuity of a firm. The issue is not capital. Therefore, every employee should ideally be a risk or control manager in his/her daily activity: a general awareness of risks is already a major step towards successful OpRisk management.

"Tout ce qui mérite d'être fait, mérite d'être bien fait." ("Whatever is worth doing is worth doing well.") (Unknown)
3. Operational Risks: Framework for Definitions and Dimensions

3.1 Operational Risk Definitions

Before managing anything, it is important to know what it is to be managed. Therefore, a definition of OpRisk is needed. This definition has to be understood, accepted and identical across an organisation. A common practical definition of OpRisk does not exist in the literature nor in the industry, as shown in Chart 3.1. Theoretically, there are as many definitions as there are financial institutions.

Chart 3.1: OpRisk Definition Types in the Financial Industry
- Single, positive definition: 49%
- Multiple definitions: 31%
- Exclusive (TR-MR-CR) definition: 15%
- No formal definition: 5%
Source: BBA (1999), p. 29.

The survey of BBA (1999)¹ provides a good overview of the different views on OpRisk definitions. To summarise its results:
- A consensus about the nature of OpRisk is emerging as regards OpRisk being the risk of losses resulting from inadequate or failed processes, people, and systems or from external events.
- Definitions of OpRisk in each specific firm are different.
- The widespread confusion prevailing in the financial industry about OpRisk is somewhat fading, progressively opening the way for more convergence of its generic features. This, however, does not mean that a unique, industry-wide definition of OpRisk will emerge.

¹ See British Bankers' Association, ISDA, RMA, PricewaterhouseCoopers (1999), Operational Risk, the next frontier, Philadelphia, RMA, pp. 29-38. This reference will be quoted BBA (1999) in the following.

The following sample of the major OpRisk definitions by the industry and regulators shows that, while there is a broad agreement on the general concept of OpRisk, diversity in some detailed aspects will continue to prevail:
- "OpRisk is the risk of everything other than credit and market risk"²
- "OpRisk is the risk associated with the Operations department" (narrowest definition)
- "OpRisk is the risk that deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, systems failure and inadequate procedures or controls" (BIS)³
- "OpRisk is the risk of direct or indirect losses resulting from inadequate or failed processes, people, and system or from external events" (BBA/ISDA/RMA)⁴

With OpRisk, the devil lies in the details. Each institution has its own, individual and unique operational setting. Thus, to be able to manage OpRisk might require tailoring its definition and its sub-categories to the firm's specific setting.

² This is the definition of 15% of the 55 institutions surveyed in BBA (1999), p. 29.
³ Basel Committee on Banking Supervision, Risk Management Group (2000), Other Risks (OR) Discussion Paper, BS/00/27, BIS, April 2000. Quoted as BIS (2000).
⁴ BBA (1999), p. 29.

3.2 Five major OpRisk-Categories and their Sub-Categories

The following OpRisk definition is used by Credit Suisse Group:

"Operational risk is the risk of adverse impact to business as a consequence of conducting it in an improper or inadequate manner and may result from external factors. OpRisk may tangibly manifest itself in the likes of business disruption, control failures, errors, misdeeds or external events, and can be captured in five major OpRisk categories: 1. Organisation, 2. Policy/Process, 3. Technology, 4. Human, 5. External."

The 5 suggested categories are major and they present a valid base for solving problems for management. The crucial issue is the intellectual framework and discipline for present and future problem-solving approaches under new paradigms:
1. Organisation: risks arising from such issues as change management, project management, corporate culture and communication, allocation of responsibilities and business continuity planning.
2. Policy and Process: risks arising from weaknesses in processes such as settlement and payment, non-compliance with internal policies or external regulation, or failures in products or client dealings.
3. Technology: risks arising from defective hard- or software, failures in other technology such as networks or telecommunications, as well as breaches in IT security.
4. Human: risks arising from failure of employees, employer, conflict of interest or from other internal fraudulent behaviour.
5. External: risks arising from fraud or litigation by parties external to the firm, as well as lack of physical security for the institution and its representatives.

Not surprisingly, the 5 major OpRisk categories need further refining. After all, complexity requires breaking down and simplification. Important is the intellectual, organisational and continuous discipline in categorising the risks and in doing something reasonable about them. Sub-categories have to be created which allow the adding of new OpRisk aspects and the subtracting of obsolete ones. It is important that this sub-categorisation relies on a root analysis, i.e. the causation of OpRisk loss events. By linking causation to relevant business activities, it is intended to use this structure as a tool with which to act upon OpRisk, thereby providing management with an OpRisk framework. The sub-categories allow one to be more specific on firm-relevant risk drivers which require focus and responsibility assignment. The structure also lends itself to possible quantification by drawing upon data sources relevant for modelling as well as for qualitative reporting. As methodologies and techniques advance at CSG, so will these sub-categories be refined or deleted.

Table 3.1 OpRisk Sub-Categories

Organisation
  1. Governance / Structure
  2. Culture
  3. Communication
  4. Project Management
  5. Outsourcing
  6. Business continuity
  7. Security
Policy / Process
  8. Policy and process
  9. Compliance
  10. Product
  11. Client
Technology
  12. Communications
  13. Hard- and Software
  14. IT Security
Human
  15. Employee
  16. Employer
  17. Conflict of interest
External
  18. Physical
  19. Litigation
  20. Fraud

These 20 sub-categories cannot be considered as complete.
While it is impossible to describe all aspects of each of the 20 sub-categories in this paper, important here is to focus on the structure, the framework-basis, and their relevance to the daily management of any financial services firm: identify the format and follow it with discipline.

3.3 Overlaps between Risk Classes

Chart 3.2 is an attempt to map the risks faced by a firm providing banking and insurance services. These risks are partly overlapping or interdependent. The main challenge for risk management is to separate them in an intelligent way. This exercise is complex and time consuming. The separation exercise forms core risk classes for the daily management and for quantification where possible and credible. To do this, the pragmatic management angle should be taken. This requires a "positive definition" of each risk class. An essential component of the exercise is to identify the best way of managing a risk class in a uniform and coherent manner, whether quantitatively or qualitatively based. The ability to use a common, uniform management technique based on the peculiar features of a risk class provides the rule for drawing the line to other risks. The activity focus of the firm is the basis for determining the priority risk classes and developing or refining appropriate management tools and techniques. Intellectual honesty should prevail in identifying the most appropriate technique, particularly for risks that only allow an approximate quantification. The reliance on using available but misleading data should be carefully evaluated. Models should never prevent managers from using their common sense.

Chart 3.2: Overlaps between Risk Classes
- Reputation Risk = Risk of losses by not meeting stakeholders' expectations
- Strategy Risk = Risk of losses from not choosing "to do the right thing"
- Credit Risk = Risk of losses from borrowers not meeting their obligations
- Market Risk = Risk of losses from value changes of financial instruments
- Business Risk = Risk of losses from business volume changes
- Insurance Underwriting Risk = Risk of losses from unexpected insurance claims volume
- Operational Risk = Risk of losses from not "doing things right"
Source: Credit Suisse Group / GRM, 2000.

3.4 Operational Risk ≠ Total Risk - Credit Risk - Market Risk

Defining OpRisk in an exclusionary way, i.e. "total risk - credit risk - market risk", prevents one from identifying a structured way of managing it. Some supervisors define Total Risk = Market Risk + Credit Risk + Other Risk. "Other Risks" include primarily risks as to strategy, reputation, legal, liquidity, interest rate, commission and fee income, and operations. Ideally for some supervisors, models would produce a regulatory capital for all "Other Risks", which is certainly not yet feasible in a credible fashion. Regulatory capital is not the solution for every risk. Risks as to strategy, reputation, liquidity, interest rate, commission and fee income each have to be, and can be, handled in a different fashion. These risks are not covered here.

Strategy is doing the right thing at the right time. Strategy risk deals with the existing base of a bank and its options. It is not so much the strategy, but its implementation, which in turn is OpRisk. The legal environment and its changes are part of strategy risk. Legal risks, like litigation and documentation issues, are part of OpRisk.

Reputation risk is the aggregation of the outcome of all risks plus other internal and external factors, i.e. margin pressures, growth in the number of clients, revenue growth, rating, and attracting and keeping good staff. Reputation is a reflection of facts, perceptions and expectations and a key factor for the share price. Reputation is the outcome of the mix of doing the right thing and doing things right over an extended period. The relative assessment comes from the market, i.e. the relative stock performance. The best measure is relative share performance.

Interest rate and liquidity risks are for my taste part of market risks. Models are available for determining "outliers", i.e. those who are significantly above average for interest rate risks. For Economic Risk Capital, an earnings-at-risk model serves the purpose, based on a what-if analysis.

Commission and Fee Income risk (C&F) is above all determined by outside forces: market moves. C&F risks are primarily revenue related and can be stress-tested with a simple what-if analysis which can be easily compared across banks: What if business volume decreases by e.g. 20%? What are the effects on total revenues, NIAT, dividends? What is the organisation's flexibility to adjust to a downturn over years?

In contrast, OpRisk originates primarily from within the specific organisation, except for risks in the category "external". Credit and market risks originate from outside the bank.
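The what-if stress test of commission and fee income sketched in section 3.4 (a 20% volume drop and its effect on total revenues, NIAT and dividends, plus the organisation's flexibility to adjust over several years) can be made concrete. The following Python is an added example and is not part of the original presentation or of Credit Suisse Group's models. The two bank P&Ls, the split of costs into a fixed base and a volume-driven part, the tax rate and the payout ratio are all constructed assumptions. It shows why a revenue shock hits NIAT far harder than revenue, why two banks with identical income look very different under the same shock, and how a multi-year cost-cutting path changes the picture.

```python
"""What-if stress test of commission and fee (C&F) income.

Added example, not part of the original presentation or of CSG's models.
All P&L figures are constructed; the split of costs into a fixed base and a
volume-driven part, the tax rate and the payout ratio are modelling
assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BankPnL:
    """Simplified annual P&L of a bank (amounts in USD m, constructed)."""
    name: str
    cf_income: float             # commission & fee income: moves with business volume
    other_income: float          # net interest and trading income: held flat in this test
    fixed_costs: float           # staff, premises, IT: not adjustable within one year
    variable_cost_ratio: float   # share of C&F income paid out as volume-driven cost
    tax_rate: float
    payout_ratio: float          # share of NIAT distributed as dividend


def year_result(pnl, volume_shock=0.0, cost_cut=0.0):
    """P&L of one year under a volume shock and a fixed-cost reduction.

    volume_shock: relative change of business volume, e.g. -0.20 for a 20% drop.
    cost_cut:     fraction of the fixed cost base management has removed so far.
    Assumption: a loss year gets no tax credit, so NIAT equals PBT when PBT < 0.
    """
    cf = pnl.cf_income * (1.0 + volume_shock)
    revenue = cf + pnl.other_income
    costs = pnl.fixed_costs * (1.0 - cost_cut) + pnl.variable_cost_ratio * cf
    pbt = revenue - costs
    niat = pbt * (1.0 - pnl.tax_rate) if pbt > 0 else pbt
    dividend = max(niat, 0.0) * pnl.payout_ratio
    return {"revenue": revenue, "niat": niat, "dividend": dividend}


def stress(pnl, volume_shock):
    """Relative change of revenue, NIAT and dividend versus the unshocked year.

    A base value of zero has no meaningful relative change and yields None.
    """
    base = year_result(pnl)
    shocked = year_result(pnl, volume_shock)
    return {
        k: (shocked[k] - base[k]) / base[k] if base[k] else None
        for k in base
    }


def downturn_path(pnl, volume_shock, years, cut_per_year, max_cut):
    """NIAT per year of a multi-year downturn.

    The volume shock persists. Management removes `cut_per_year` of the fixed
    cost base in each year after the first, up to `max_cut` in total: this is
    the "flexibility to adjust to a downturn over years" the text asks about.
    """
    return [
        year_result(pnl, volume_shock, min(cut_per_year * y, max_cut))["niat"]
        for y in range(years)
    ]


def compare_banks(banks, volume_shock):
    """Cross-bank comparison of NIAT sensitivity to the same volume shock."""
    return {b.name: round(stress(b, volume_shock)["niat"], 3) for b in banks}


# Two constructed banks with identical income but a different fixed cost base.
LEAN_BANK = BankPnL("LeanBank", cf_income=1000, other_income=600,
                    fixed_costs=900, variable_cost_ratio=0.15,
                    tax_rate=0.25, payout_ratio=0.5)
HEAVY_BANK = BankPnL("HeavyBank", cf_income=1000, other_income=600,
                     fixed_costs=1100, variable_cost_ratio=0.15,
                     tax_rate=0.25, payout_ratio=0.5)

if __name__ == "__main__":
    for bank in (LEAN_BANK, HEAVY_BANK):
        print(bank.name, year_result(bank, -0.20), stress(bank, -0.20))
    print(compare_banks([LEAN_BANK, HEAVY_BANK], -0.20))
    print(downturn_path(HEAVY_BANK, -0.20, years=3, cut_per_year=0.05, max_cut=0.15))
```

With these constructed figures a 20% volume drop cuts HeavyBank's revenue by 12.5% but its NIAT and dividend by about 49%, against about 31% for LeanBank with the same income and a smaller fixed cost base; the three-year path shows NIAT recovering only as far as the cost base can actually be reduced. The same functions can be run on any bank's published P&L once the fixed/variable split has been estimated, which is what makes the test comparable across institutions.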
3.5 The Dimensions of OpRisk Management

Sustained, attractive returns increasingly depend on excellent risk management, including OpRisk management. To understand the risks has always been a fundamental, if only implicit, management process. OpRisk of a bank is not new; it is as old as banks are. What is new is:
- The increased explicit awareness and consciousness of managers and senior management for OpRisk issues
- The explicit and analytical approach
- The better awareness to gear an organisation's risk profile towards those risks for which it has a comparative advantage in managing
- The pressure to allocate capital more consciously

Risk management can add value and represent a valid business case in two dimensions:
1. Control: independent risk assessment, limits, compliance, escalation, corrections, supervisory requirements, business continuity planning, progress reporting, etc.
2. Shareholder value creation: efficiency, rational economic capital allocation, correct risk evaluation and pricing, reduction of regulatory capital, duplicate control avoidance, product enhancements, improved reputation, competitive strategic advantage, etc.

The dimension "1. Control" basically covers the following: avoiding accidents, catching non-compliance and illegal actions, complying with rules and regulations, complying with usual management needs. The dimension "2. Shareholder value creation" adds a further stage which treats OpRisk more like a real business. OpRisk management thereby also gets close to quality management, efficiency management and the concept of opportunity cost. Naturally, the line between control and shareholder value creation is difficult to draw. Important is the direction to be chosen. OpRisk management, therefore, can move from one extreme to the other: crisis management → business continuity planning → compliance → shareholder and other stakeholder value enhancement. The spectrum moves from the bottom to the Board Room. There are neither ready-made solutions nor quick fixes; confusion is ubiquitous, activism is widespread and consultants enjoy heydays.

Any major OpRisk management project has the following five preconditions for success:
- Strong management support
- Credibility overall
- Small realistic steps: all at once is impossible
- A better organisation afterwards
- Respect the constraints: compliance also with supervisors' requirements
Such a project may not be just "another project", however. "Alles soll so einfach wie möglich gemacht werden. Aber ja nicht einfacher." (Everything should be made as simple as possible. But not simpler.) (A. Einstein)

3.6 The four Stages of OpRisk Management

Implementing OpRisk management implies the progression through the following four stages⁵ in Chart 3.3:

Chart 3.3: Stages of Operational Risk Management Development

Stage 1: Identification
• Data collection
• Prioritisation of risks
• Significant business unit involvement
• Limited technology usage
• Significant use of manpower

Stage 2: Metrics & Tracking
• Finding quantifiable means to track risks
• Creation of reporting mechanism
• Significant business unit involvement
• Investment in automated data gathering & workflow technologies
• Significant use of manpower

Stage 3: Measurement
• Development and continuous refinement of modelling approach
• Creation of OpRisk data
• Majority of effort borne by OpRisk Group
• Significant technology development effort
• Limited use of manpower

Stage 4: Integrated Management
• Integration of OpRisk exposure data into the management process
• Significant senior management involvement
• Management of OpRisk exposures (e.g. insurance)
• Investment in processes; limited technology or manpower required

Source: Meridien Research (2000).

⁵ Meridien Research Inc. (2000), "Time for a New Look at Operational Risk", New York, Feb. 2000 (to be checked with Meridien).

Meridien Research approximates the lead time from Stage 1 to Stage 4 with a minimum of 2-3 years, depending on the complexity and the size of an organisation. The research indicates that most of the Top 500 financial institutions worldwide are still in stages 1 and 2. A handful has attained Stages 3 and 4. However, internal acceptance and credibility of the tools and figures produced are not without doubts.
1994. (1997) All that Glitters – The Fall of Barings. J.: "Sumitomo losses show up poor links". Penguin Books. e. F. N. 26 .com research team material. most individuals and institutions tend to avoid "twisting the knife in the wound". Gapper.CSG Operational Risks in Financial Services 4. Computing.. Articles and books discuss selected cases in more details.2 Overview of 8 selected Mishaps since 1991 The reviewed mishaps in Chart 4. 4. "Orange County Crisis Jolts Bond Market. Exploiting such opportunities requires a willingness and capacity to learn.. Analysis of past internal or external mistakes is key to at least partially avoiding them in the future. my approach in using the losses of a mishap is probably exaggerating the level of "pure OpRisk". Existing OpRisk literature devoted to the investigation of lessons learned from past losses focuses on a few highly publicised events. However. This allocation rule to OpRisk versus market or credit risk leads to an overestimation of the level of OpRisk. This selection encompasses cases. the incurring of both these risks was exclusively as a consequence of an uncontrolled OpRisk.1 Major OpRisk-Mishaps in Financial Services: 12 Lessons learned Introduction Mistakes create opportunities. 4. adverse impacts to business as a consequence of conducting it in an improper or inadequate manner. where market risk or credit risk were sometimes also at play.. This should help us to devise priorities and areas of focus for a successful OpRisk management. we must overcome this cultural barrier and refrain from turning the page of mishap before having read and re-read it attentively! The aim of this chapter is to do such a revisiting in order to derive lessons from past collapses commonly associated with an OpRisk event. Dec. 6 Based on Operational Risk.". In fact. 
The New York Times.6 This is primarily due to a widespread cultural barrier leading firms and individuals to disclosing only a minimum of information concerning financial mishaps. Jun 20. Operational mishaps are primarily triggered by significant breaks through existing floors and controls set by market or credit limits.1 were selected based on CSG’s definition of OpRisk: ". To tackle OpRisk.g. viewing mistakes as shameful and preferring to address new challenges rather than to resolve old ones. 1997. Therefore... Denton. Norris.. 1997. 8.
segregation of information flow. CFO and staff of subsidiary Unfavourable market turn Failures along the 5 major OpRisk-categories (CSG) Organisation Governance. bn) Loss in % of capital and loss to creditors Speed of irregularity maturating to mishap Irregularity description 10 4. money laundering Top management Perpetrator Overexposure to leverage. culture of trust only Lax internal controls & audit. fraudulent loans. liquidity and volatility risk with derivative instruments Top management strategists Persistent unfavourable market Unauthorised commodity trades (double of firms annual trading) over 10 years Dissimulation of excessive hedging exposure Branch office staff Crisis trigger Regulatory audit report on massive fraud Mistaken sending of document to finance office Information and communication flow weakness. 1996 Metallgesellschaft 1993 About 100% equity 70% Slow 44% 45% about 100% Fast Slow Fast Wide range of illegal activities including i.1: Features of 8 selected operational risk mishaps since 1991 Mishap BCCI 1991 Feature Approx. sovereign.6 LTCM 1998 Sumitomo Corp. insufficient model adjustment and stress testing. model.CSG Operational Risks in Financial Services Chart 4.6 1. Governance. Inadequate management reporting systems Missing electronic trade reporting links Fraud by staff member CEO. Culture of blind structure. secrecy model belief. fictitious deposits. total loss amount (in USD. culture. allocation of responsibilities. communication breakdown Policy incoherence Technology Human Practical skills as to assessment of changed parameters External BoE action timing --Source: Credit Suisse Group / GRM compilations (2000) Fraud by owner --- Inadequate skills / understanding of instruments --- 27 . duties allocation of responsibilities Policy / Process Regulatory and legal compliance.4 2. Inadequate documentation Change of market importance/size.e.
management. Governance. of duties Governance. agency risk Failures along the 5 major OpRisk-categories (CSG) Organisation Governance. losses concealed by management from regulators US branch office trader(s) Confession letter sent by trader to bank president Governance. bn) Loss in % of capital Speed of irregularity maturating to mishap Irregularity description 1.1 Orange County 1994 Barings 1995 NatWest Markets 1997 Daiwa 1995 Approx.6 1. management. 100% Medium 3 years 100% Medium 3 years negligible Medium3 years 24% Slow 11 years Trading in securities not legally approved. employee failure (fraud). management. agency risk Breach of policy. forgery of back office documentation. lack of control culture diversity. total loss amount (in USD. potential losses Unauthorised and concealed trading in options and futures.CSG Operational Risks in Financial Services Chart 4. employer misjudgement Software dependency (blind acceptance of systemgenerated valuations) Employee failure (fraud) External ----Source: Credit Suisse Group / GRM compilations (2000) --- Employee deficiency (poor trading skills).2 1. culture (superstar). regulatory compliance failure. employer misjudgement --- 28 . information coordination and distribution Breach of policy. information flow failure Breach of policy. loss concealment. possible management involvement External audit investigation Unauthorised trading. regulatory compliance. information flow failure Policy / Process Inadequate policy (poor market risk management).3 0. nonsegr. deliberate option mispricing Perpetrator Orange County treasurer Warning to county executives by treasurer’s staff Crisis trigger Trader. management. regulatory compliance Technology Human Employee failure (faulty trading strategy) Employee failure (lack of character). nondisclosure of massive. Unauthorised transfers between options books. Subsidiary in Singapore Margin call Trader.1: Features of 8 selected major operational risk mishaps Mishap Feature Approx.
4.3 The 1977 Credit Suisse Chiasso Case
The old Credit Suisse Chiasso branch scandal of 1977 is a good example of Murphy's law in terms of a fraud induced OpRisk.7 The reason for allocating the Chiasso scandal to an OpRisk event is that it occurred exclusively as a consequence of having conducted business in an improper and inadequate manner. Structural, procedural and control failures, errors and misdeeds were essential in building the Chiasso losses.

What happened? In the early 1960s, the Chiasso branch manager set up an offshore trustee company (Texon), officially managed and controlled by an outside third party legal office. Texon provided the Chiasso branch manager with a medium to "externalise" branch losses and a vehicle to circumvent CS controls on loans and investments. The fraud began with placing customers' saving deposits in high yield instruments against CS letters of guarantee for Texon. The latter remained restricted to ensure the compliance of guarantees with regulations. Over time, the fraud extended to transferring non-performing branch loans for their full value to Texon and converting the guarantees into participations. These practices were to continue until March 1977.

During this period and until the end of 1976, head office ignored several internal signals which hinted at irregularities. Management never wondered how the Chiasso branch could show a sustained impressive profitability track record, while other branches had to digest bad loans. Neither did it bother to inquire how Chiasso could provide loans which other branches - based on headquarter imposed restrictions - had to turn down. Nor did it provide for a channel through which branch staff could escalate their concerns on possible irregularities to head office. External signals raised to senior management were investigated on a minimalistic basis. Several competitors' complaints in 1968, 1969 and then again in 1976 about the practices of the Chiasso branch were dismissed or superficially investigated, despite documented evidence. Only the concerns of tax authorities on withholding tax evasion triggered an internal investigation in 1969. Fact finding mostly took place on a verbal basis and was satisfied by vague explanations. The implementation of corrective measures was never verified. Internal audit was not requested to act. Information about the identified irregularities remained limited to four individuals at the headquarters until late 1976. In summary, headquarters followed a policy of "why bother as long as profits flowed".

In December 1976, the breakdown of Weisscredit Bank - which failed due to similar practices as those practised by the Chiasso branch - finally triggered concerns about the situation in Chiasso. Several initiatives were launched to investigate the links and exposure of the branch to Texon. In March 1977, a hasty and insufficiently prepared press statement about the fraud was issued. It contained neither precise information about the risk amount nor any assurances of a contingency plan. The wildest speculations broke loose and triggered a major crisis.

7 For a detailed discussion of the Chiasso case, see Jung, J. (2000), From the "Schweizerische Kreditanstalt" to Credit Suisse Group, NZZ Verlag, Zurich, pp. 245-289.
Chart 4.2 summarises the major ingredients of what ended in an approximate CHF 2 bn loss.8 It is used to reflect the progressive build up of fraud exposure at risk and the cumulating of the various OpRisk components, which could have been expected to trigger corrective operational action when conducting business in an adequate manner. The fraud and the documented internal signals (accounting reports, quarterly management meetings with Chiasso branch managers) components were assumed to grow in a linear fashion over time and supplemented with "outbursts" at times when references to possible irregularities surfaced. The depicted OpRisk level is only illustrative. It is not intended to imply that there is a specific critical risk level which triggers the crisis outburst.

Chart 4.2: What went wrong in Chiasso?
(Risk level, indicative, plotted over time from Mar 1961 to Mar 1977 for the components: fraud, internal control failures, documented internal signals, management review failures, internal communication failures, external warnings, communication mismanagement)
- Fraud: Time bomb Texon, a vehicle allowing parallel accounting, high yield high risk investments circumventing headquarters' controls
- Control: No search for indication of possible accounting irregularities causes; impressive sustained profitability track record; ability of branch to provide loans rejected by headquarters
- Internal signals: Ignored; irregularities investigations focus on settling immediate complaints; trust ahead of follow up checks
- Management: Not caring about repeated warnings; happy with superficial explanations
- Internal communication: None; investigation of problems exclusively on a bilateral base; reporting generally only verbal
- External warnings: Ignored; tax investigation; competitors' complaints; market break downs
- Communication: Hasty, uninformed, vague, crisis magnifying
- Crisis outburst: 25.3.1977, media boom on the affair
Source: Credit Suisse Group / GRM, 2000

8 Peaks were allocated for a documented event.

4.4 OpRisk Scandals in Financial Services: 12 Lessons
The total of 9 relevant cases of the past presented lead to the following 12 lessons for everybody:
1. Lack of good governance at large and lack and/or breach of policies and processes are the common issues for all 9 cases. The 12 S's of each organisation failed at work: strategy, structure, system/s, safety, speed, skills, style, just to name the most important here.
2. A framework based on the OpRisk categorisation elements of chapter 3 constitutes a useful basis for identifying major OpRisk drivers. If used as a checklist, it provides the basis for a disciplined and systematic review of the aspects commonly at the root of OpRisk. The framework allows focusing management's attention on major weak spots requiring particular and regular attention.
3. It is not only "Banks" which incur OpRisk; non-banks can equally present a potential systemic risk.
4. Relative size of an operational mishap tends to be correlated with the level of the perpetrator. In fact - with the exception of the Barings and the not discussed Kidder Peabody cases - operational crises tend to be:
- Major when the perpetrator stems from management or owners
- Absorbable when the perpetrator stems from more junior positions
5. Human inadequacies are - not surprisingly - relevant in all cases, whether character or skill. The big "C" for character in banking is as alive as ever.
6. Operational irregularities tend to happen more often in branches or remote subsidiaries than at head-office. Unavailability of direct and reliable information is a problem. This often requires a personal follow-up, as well as a sharing of the personal assessment of the situation with colleagues.
7. Significantly higher returns than average over time deserve more attention. Are the people involved really that much smarter? Therefore, additional checks are needed such as:
- Track record of irregularities (e.g. tax irregularities)
- Track record of generating competitors' complaints
- Sustained profits and absence of bad loans compared with others
- Feedback to inquiries
- Site visits
- Intuition, "gut feeling": Management is seldom an "IQ" issue only
8. Senior management and Boards have to take their supervisory function seriously and invest time in it. Trust is recommended, but must be complemented by diligent supervision and accepted controls, MIS and generally higher "risk awareness", no hesitation in being more demanding on details, audits.
9. The speed of irregularity detection generally depends on the complexity of the financial instruments involved:
- Short for more complex trading instruments - see transparent market developments.
- Longer for standard financial instruments - see documentation for loans with long tenors.
10. External risks did not play a major role in any of the most severe cases of the past with the exception of the BCCI case. However, the past is not an indicator for the future: potential external hazards need appropriate attention.
11. Internal and external communication and expectation management is crucial. It requires a crisis task force devoted to finding out all the facts and devising a clear contingency plan of measures to be taken to sort out the problem. Based on this, a professional communication strategy has to be defined ensuring explanatory, fact based press releases. Co-ordination with authorities and experts from the public relations / communication department is essential. Both are part of OpRisk management once the mishap is recognised.
12. The 9 cases represent no good arguments for OpRisk regulatory capital solving the problem. The prime issues for most of the 9 mishaps were lack of good OpRisk management: improper structure, systems, shared values. The bank cases were all cases for Pillar 2 and 3 (i.e. as discussed in chapter 11). All 9 cases had a very different context, were unique in their constellation. Some interesting questions can be raised:
- Did the models of LTCM work - with the smartest quant brains available worldwide?
- Would any of the present and potentially upcoming quantification approaches for OpRisk (including Value at Risk, Extreme Value Theory, Chaos Theory etc., as presented in chapter 10) have been of relevant use at the time of occurrence?
- Would such theoretical quantification ex-ante have avoided the mishaps?
- Would any of today's quant-approaches have calculated a large enough capital requirement to avoid a total collapse of BCCI or Barings?
- And, if so, would these two organisations with such huge additional capital requirements have been competitive before the collapse?
In my opinion, all five questions are to be answered with a "no", which does not imply at all that I am against credible and relevant quantification of OpRisk or at least credible attempts to try and observe a few "provisional results" over some years. Models, quantification and other tools are neither able nor meant to predict the "when" of a crisis outburst. They are only one of various elements for our judgements and decisions in addition to the more relevant aspects of the management of the 12 S's as discussed in chapter 6. Common sense and "gut feeling" which come from experience also are important. An organisation must be a learning organisation. Otherwise, a financial services organisation cannot be a knowledge company - which is what it should be. If you do not learn from internal and/or external mistakes, you just make another mistake.

"Lessons are not given. They are taken." (C. Pavese)
5. Organisations with a 5000 Year OpRisk Experience: 12 Lessons
5.1 Introduction
Experience is often key to success. OpRisk is not constrained to banking activities but involved in all activities and organisations of human beings. Long before analytical OpRisk management came into fashion in the financial industry, it was already a core concern for several sectors of life. The oil and chemical industry, the pharmaceutical industry and the nuclear power generation industry, given their higher exposure to risk events, have focused on the operational risk management aspect for years. For decades, the manufacturing industry has been devising solutions for controlling their OpRisk.9 The OpRisk management methods developed by these sectors of activity are the result of many years of trial and error, of fine-tuning and of perfectioning. Not to learn from this experience in financial services - also with technological challenges - would be arrogant and represent another OpRisk opportunity loss. Since it exists, the military as a managed human and technical organisation has been devising ways to manage operational risks. The aim of this chapter is to review a selected set of the methods for managing OpRisk which have been developed by the US military with its recent experience. This should help to devise or confirm the key elements and rules that should feature in the financial sector's approach to OpRisk management. This leads again to 12 lessons, directly or indirectly relevant for financial services.

9 The manufacturing industry primarily views operational risk from the opportunity perspective. Most methods of operational risk management are therefore running under the heading "business process reengineering".

5.2 Principles of the Military
In the military, the purpose of OpRisk management is to enhance hazard identification in the operational environment in order to eliminate risks or reduce them to an acceptable level.10 Armies over the years have as an organisation developed certain principles which have been adjusted again and again. The US military has developed simple tools to help its leaders make sound decisions in a logical manner in order to manage identified risks. The general structure of these tools is common to all units. However, their detailing and implementation is very unit specific. Very briefly, the OpRisk management process used by the US military can generally be broken down into six steps, as shown in Chart 5.1.

10 See Capt. Bieberdorf W.J., "Operational Risk Management", Naval Safety Centre, Norfolk, Va., April 1997, MCO 3500.27.
Chart 5.1: USAF Operational Risk Management Six Step Process
1 Identify the Risk: Operational analysis; List hazards; List hazard causes; In-depth hazard identification
2 Assess the Risk: Assess hazard exposure; Assess hazard severity; Identify mishap probability; Assess complete risk
3 Analyse Risk Control Measures: Identify risk control options; Evaluate control effects; Prioritize risk controls
4 Make Control Decisions: Select risk controls; Risk decision
5 Risk Control Implementation: Clarify implementation; Establish accountability; Provide support
6 Supervise and Review: Supervise; Review
Source: Credit Suisse Group / GRM, adapted from Mjr. Crowell M., USAF, 2000

1. Identify the Risk
The first step is to identify the hazards or risks. It is crucial to obtain a complete list of the hazards to which an operation is exposed. The 5-M model - man, machine, media, management, mission - provides the basic framework for analysing operational systems and determining the relationship between composite elements that work together to perform the mission. There is a significant overlap between the elements of the 5-M model as they interrelate directly. However, the most crucial elements are leadership and management, because they define how this interaction takes place. Military and civilian safety studies cite management processes to amount to 80% of reported mishaps. The focus of the 5-M model is to identify in detail what could cause a mishap, or an operational risk. The main conclusion, however, is that the devil lies in the details. Therefore, the army places extreme importance on detailing the various elements of the 5-M model. Based on its experience, it has developed a detailing covering all risk origins for each of the elements of the 5-M model. Table 5.1 summarises what the army uses as a checklist for the identification of hazards. "Mission" is not discussed here as it is always specific to the task and cannot be presented in general terms. We have added two columns, which by analogies try to tailor this checklist to the needs in the financial industry. However, the latter are only illustrative. The specific risk drivers which would have to be integrated in a checklist are highly dependent upon the activities. Table 5.1 shows that interesting similarities can exist between the military and the financial sector in terms of OpRisk drivers.

Table 5.1: The 5-M Model Check List for a Comprehensive Risk Identification
(Columns: Element; USAF Category; Description of Check-list USAF Risk Drivers; Financial Industry Category Equivalent; Description of possible Financial Industry Risk Drivers)

Medium: Environment - external, largely environmental forces
- Climatic (visibility, precipitation, wind, humidity, ice, etc.) - Operational: clients' needs in terms of frequency and speed of transactions
- Operational (time, terrain: paved, hilly, vegetation, man-made obstructions, etc.) - Market: market features, competitors' behaviour (part of strategy risk)
- Hygienic (ventilation, air quality, dirt, corrosives, etc.) - Infrastructure: offices, security, confidentiality, etc.
- Vehicular (speed limits, restrictions, etc.) - Communication / Distribution channels: features of customer interfaces and IT, island solutions, dependencies, etc.

Man: Area of greatest variation and thus of risks
- Selection (right person, insight, etc.) - Selection: hiring profile, skills-job profile matching, etc.
- Performance (skills, training, habit pattern, stress, peer pressure, time, etc.) - Performance: training, education, adaptive skills, communication, discipline, etc.
- Personal factors (job satisfaction, values, personality, etc.) - Personal factors: job satisfaction, values, motivation survey, culture, incentives, etc.

Machine: Used as intended, limitations, interface with man
- Design (engineering and user-friendly) - Design / IT architecture: engineering and user-friendly, tool complexity, etc.
- Maintenance (available, time, tools, parts) - Maintenance & Migration
- Logistics (supply, upkeep, repair) - Service providers
- Tech data (clear, adequate, useable, available) - Work tool user manuals, standards: clear, adequate, useable, available

Management: Directing the process by defining
- Standards (DOC statements, various criteria, etc.) - Policies: Code of Conduct, governance principles & training, compliance manuals, policy, etc.
- Procedures (checklists, manuals, etc.) - Procedures: checklists, MIS, escalation, communication, reliance, etc.
- Controls (crew rest, training requirements, lawful orders, etc.) - Controls: risk limits and flags, audit, discipline, training, etc.

Source: USAF and Credit Suisse Group / GRM (2000)
How does one go about in identifying the OpRisk? The army provides a useful systematic and simple approach for going through each element of the 5-M checklist:
- First, analyse the operations
- Second, list the possible hazards
- Third, list hazard causes
- Fourth, proceed to an in-depth hazard identification
The operational analysis basically is breaking down the operation into "bite size" pieces.11 In the financial industry this procedure is often employed in the elaboration of business plans or for project management. The financial industry also uses workflow and organisational charts for this purpose. In the end, the operational analysis boils down to making the key factors of an operation or issue more transparent. Once the list of hazards is established, the USAF proceeds to listing the causes for each of the identified hazards. For each case, it is attempted to identify the first link (root cause) in the chain of events leading to an OpRisk occurrence, in order to be able to identify a possible management action. The focus is to link the hazard to one or several elements in the 5-M model. Tools used to perform this task include change analysis, brain storming and "what-if" analysis.

11 The USAF employs flow charts as tools to analyse its operations and break them down into separate components.

2. Assess the Risk
With the hazards identified, some method is required to assess and prioritise the list of hazards. The aim is to put the limited resources against the risk faced. For this purpose, risk is defined as "the probability and severity of loss linked to the hazard". Table 5.2 gives an overview of the approach used to determine the risk level for each identified hazard.
Table 5.2: USAF Risk Levels
Event severity categories: Catastrophic (death, system loss, etc.); Critical (partial disability, major system damage, etc.); Moderate (minor injury, minor system damage, etc.); Negligible (minor treatment, minor system impairment, etc.).
Hazard mishap probability categories: Frequent (occurs often in a career); Likely (occurs several times in a career); Occasional (occurs sometimes in a career); Seldom (possible to occur in a career); Unlikely (occurs very rarely in a career).

Risk levels (probability x severity):
- Frequent: Catastrophic = Extremely high risk; Critical = Extremely high risk; Moderate = High risk; Negligible = Medium risk
- Likely: Catastrophic = Extremely high risk; Critical = High risk; Moderate = Medium risk; Negligible = Low risk
- Occasional: Catastrophic = High risk; Critical = High risk; Moderate = Medium risk; Negligible = Low risk
- Seldom: Catastrophic = High risk; Critical = Medium risk; Moderate = Low risk; Negligible = Low risk
- Unlikely: Catastrophic = Medium risk; Critical = Low risk; Moderate = Low risk; Negligible = Low risk
Source: USAF compiled by Credit Suisse Group / GRM, 2000

How does one go about assessing the OpRisk level? The army provides a useful systematic and simple approach for going through each element of the 5-M checklist:
- First, assess the hazard exposure
- Second, assess the hazard severity
- Third, assess the mishap event probability
- Fourth, complete the risk assessment

3. Analyse Risk Control Measures
After having completed the risk assessment, the USAF analyses control measures. For each hazard exceeding an acceptable level of risk, the USAF:
- Identifies risk control measures
- Determines risk control effects
- Prioritises the list of available risk control measures
The identification of risk control measures involves searching for as many risk control options as possible by referring to the list of causes. Risk control options include avoidance, reduction, spreading and transference. Tools used to perform this task are brainstorming, mission accident analysis and "what-if" analysis. In the financial sector, the analysis of past OpRisk events could offer interesting avenues in identifying relevant risk control measures.
The determination of risk control effects evaluates the effectiveness of each control measure. It involves the use of tools such as computer modelling, scenarios and next accident assessments. In the financial sectors similar tools are used, but not often in the context of OpRisk. The prioritisation of risk controls prepares the choice of measures to be taken. Tools used in this context are mishap risk index matrices, opportunity assessment and a cost versus benefit analysis. In the financial sector these tools are also available, but could benefit from enhancing mechanisms and standards for systematic learning from mishaps.

4. Make Control Decisions
After having prioritised risk control measures, the person in the USAF who is accountable for accepting the risk has to make the risk control decisions. For each hazard, the accountable person selects those risk control measures that will reduce the risk to an acceptable level. Best controls are generally consistent with mission objectives and the optimum use of available resources. The benefits of the operation are set against the level of risk of the operation, considering the cumulative risk of all identified hazards, the long term consequences of the decision and the law of diminishing returns of resources allocated to risk control (see Chart 5.3). Tools assisting in making this choice are databases of implementation decisions recorded in a standardised format. In the financial industry an important requirement for such a procedure would be a clear responsibility allocation for each OpRisk category.

Chart 5.3: The Law of Diminishing Returns
(Risk level, high to low, against resources allocated to risk reduction: allocated resources keep rising while accident reductions flatten out. Look for the "happy medium" where the cost of the control measure balances the severity of risk.)
Source: Credit Suisse Group / GRM, adapted from US Air Combat Command, 2000
5. Risk Control Implementation
Once the operations are launched it is essential to ensure the implementation of the selected risk control measures. In the USAF, this involves:
- Making the implementation clear
- Establishing accountability
- Providing support
Clarifying implementation entails making sure that control measures are understood. For this purpose, a roadmap for implementation as well as a description of the attempted end state are provided. Tools used for this task are examples, pictures, charts, job aids, policies, directives, etc. In the financial industry, directives and manuals are often used as well as training material. These could be complemented by simple summaries of lessons learned from practical OpRisk cases. Accountability is an important element of OpRisk management. It requires sign off and proper documentation of all relevant risk taking decisions. This requires getting command approval prior to implementing a control measure. In the financial industry, this aspect is critical given the relatively rapid turnover of staff. Quick response times, however, should not serve as an excuse to neglect documentation. Possibly computer aided standardised decision making forms could provide an avenue for enhancing accountability. To be successful, command must support the control measures put in place. In the financial industry, this would possibly require making OpRisk an issue for the BoD and mandating the CRO or COO with the day to day management of OpRisk. In any case, management should be aware of the common obstacles to the implementation of controls as summarised in Chart 5.4.

Chart 5.4: The Pitfalls of selected Control Measures
- Inappropriate control for the hazard
- Operators do not use them
- Leaders do not use them
- Cost too much
- Impede the mission - limit opportunity
- Get lost in the priority system
- Misunderstood
Source: Credit Suisse Group / GRM, adapted from US Air Combat Command, 2000
6. Supervise and Review
Once the operation is running it requires to be supervised. This entails the monitoring of the operation to ensure that:
- Controls are effective and remain in place
- Changes in the operation which require further risk management are identified
- Actions are taken to correct ineffective risk controls and reinitiate the risk management steps in response to new hazards
Tools assisting in performing supervision include inspection, observation and feedback programs. The operations must also be periodically reviewed. The review process must be systematic. Once assets are expended to control risks, a cost benefit analysis must be accomplished to see whether risk and cost are in balance. In the financial industry management reviews, audits and controlling investigations are increasingly tailored to OpRisk management aspects.

5.3 Military OpRisk Experience: 12 Lessons
I have reduced the military experience to 12 lessons.
1. "OpRisk management is a process, not a program! It requires incorporating risk in decision making at all levels, before, during and after the operation."12 "OpRisk management is:13
- Logic-based common sense approach to decision making
- Integrates the 5-M factors
- Not a radical new way of doing things
- "Mission oriented"
2. Always use the proper methodology: The 5-M concept:
- Management (standards, procedures, values, goals)
- Man
- Machine
- Media (environment)
- Mission or mishap
Risk categories are categorised as to their severity and probability.
3. Apply the 6 steps process (Air Combat Command):
- Identify risk
- Assess risk
- Analyse risk
- Make control decisions
- Implement risk control
- Supervise and review
4. Intensity of risk management is different with time available:
- Hasty = time critical: on the run consideration of the 6 steps above
- Deliberate: complete 6 steps application, add time and techniques
- In-depth: complete 6 steps application, add time, techniques and energy
5. Civilian and military studies reveal: insufficient management processes are responsible for 80% of mishaps. Personnel is the dominant factor in mishaps. Therefore, it has to be led. Experience of the military on the quality of involvement strongly supports this approach. Ideally, management should ensure that everyone when performing his or her tasks takes into account some risk management considerations, as shown in Chart 5.5.
6. Successful risk management requires an enterprise culture which makes everyone a risk manager. Such a culture ensures pro-active risk management. "Safety is built on integrity, trust and leadership, created and sustained by effective communication" = enterprise culture14

Chart 5.5: Everyone's Involvement is highly desired! A Judgement on different Levels of Involvement
Involvement level (quality from best to worst):
- Personal ownership
- Team member
- Input provider
- Coordinator
- Comment and feedback provider
- Robot: object of inspection or enforcement
Source: Credit Suisse Group / GRM, adapted from US Navy 27th Fighter Wing, 2000

12 US Navy, 27th Fighter Wing (no date).
13 US Navy (1997).
14 US Navy (1997).
7. To establish a personal ownership as a risk culture, five levels of OpRisk management training can be conceived:14
- Indoctrination: Making everyone aware of OpRisk
- User: Introduce concerned individuals to the five step OpRisk management process
- Advanced: Train relevant individuals to apply OpRisk management and its tools
- Leader: Enable responsible individuals to make OpRisk management decisions
- Senior leader: Provide a basic understanding of OpRisk management
8. Anticipate and manage risk by planning: This first rule is one of simple efficiency and economy. Risks are more easily managed when addressed in the planning stage of an operation.
9. Accept risk when benefits outweigh the cost: This rule recognises two key truths:
- There is some degree of risk associated with all operations.
- The goal of OpRisk management is not to eliminate risk, but to manage the risk so that the mission can be accomplished with the minimum amount of loss.15
10. Accept no unnecessary risk: Leaders who accept unnecessary risk are gambling with others' lives (in banking with others' money). Take only risks that are necessary to accomplish the mission.
11. Make risk decisions at the right level: This is a level where the decision-maker has the necessary information, experience and maturity to make a good decision, e.g. at the level where the risk taking can be influenced and is born. Normally risk decisions are made by the leader directly responsible for the operation. However, the level of approval authority should be commensurate with the level of risk accepted. Final risk decision-making authority resides with the agency or individual assigning the tasking within the chain of command.
12. KISS: Keep It Short and Simple - This rule recognises three key truths:
- Complexity is often at the root of risk
- Communication is essential to mitigate risks
- Others do not per se understand one's thinking
"You don't manage people: you manage things. You lead people." (Admiral Grace Hopper)

14 US Navy (1997).
15 Airtevron One, VX-1 Safety/Naptobs Dept., "Introduction to Operational Risk Management".
6. Managing Operational Risks: The 12 S's as a High Level Requirement
This chapter deals with OpRisk management from the high level - top-down viewpoint. It is primarily concerned with setting the right management framework for dealing with OpRisk in the context of a fully integrated, institution-wide risk management. Here, the comments are more oriented toward high level issues.

6.1 Risk Management Framework
An analytical and conscious approach to solve management issues - in this context in regard to OpRisk management - can be structured along the 12 S's for every organisation, irrespective of its peculiarities. The 12 S's of such a management approach are: strategy, structure, system/s, safety, speed, staff, skills, style, shared values, stakeholders, symbol, synchronisation. Each financial services organisation has its own peculiar history, strategy, structure, set-up, values and challenges. Retail banking, brokerage, asset management, trading, insurance, investment banking: by nature, they all have very different prerequisites. I have tried to come up with some salient common and general OpRisk related denominators concerning any organisation. I repeat my chart from chapter 1:

Chart 1.2: Building an Organisation for the Management of 8 Major Risks
- Major factors shaping the risk disposition of an individual and an organisation: Society & Politics; Innovation & Technology; Markets & Economy; Clients; Competition; Perception; Regulation; Behaviours; Expectations; Experience; Facts; Knowledge; Values & Policies; Action and Reaction by Management and Staff
- Scope and challenge of an integrated firmwide risk management: building on the organisation's 12 S (Strategy, Structure, System/s, Safety, Speed, Skills, Shared values, Stakeholders, Symbol, Synchronisation, Sustainability, Simplicity) and ensuring a risk culture with proactive risk management, continuous training, modern methods / limits, constructive control attitude, discipline as to corrective actions
- Effective risk management provides focus on and control over 8 major risks: Strategy Risk; Reputation / Brand Risk; Market Risk; Credit Risk; Insurance Underwriting Risk; Business Risk; Operational Risk; Liquidity Risk
© H.-U. Doerig, 2000
6.2 Strategy and Structure

There are very few really original banking strategies. Implementation is the issue. However, any financial organisation without a dedicated, simple and continuously checked strategy is lost from the start: "Strategy is always simple, but it is not for that reason easy" (von Clausewitz). The strategy should secure no undue risk taking and set ambitious but realistic targets, especially for OpRisk management and its related issues like TQM, strategic risk management, efficiency and effectivity. We also should not completely overlook Peter Drucker's statement: "No institution can possibly survive if it needs geniuses or supermen to manage it. It must be organised in such a way as to be able to get along under a leadership composed of average human beings."

The structure very much depends on the strategy. Only a logical structure can lead to the successful implementation of the S's. A structure for the 21st century has to take into account the need for continued innovation and creativity: structure with flexibility, independence with built-in checks. Important is - also based on the respective legislation - the clear allocation of responsibilities and the establishing of functioning checks and controls.

Basically, one can differentiate between "six tiers of defence" for risks:
- Tier 1: Business front line with the prime responsibility for taking and managing risks
- Tier 2: Support functions like product control, legal and compliance, IT and country management with focus on specific risk areas and concentrations
- Tier 3: Senior management and supervisory board with focus on the overall risk profile
- Tier 4: Internal and external audit with focus on deficiencies as to policy, rules, regulations etc.
- Tier 5: Regulators / supervisors with the prime role of an external referee
- Tier 6: Shareholders and other stakeholders as ultimate daily overall judges

Simplified, but correct for any risk management is the following formula:
Inherent risk - Mitigants = Residual risk
Mitigants can be the 12 S's management as well as e.g. hedging, insurance, risk transfer.

6.2.1 Corporate Governance

Quality starts at the top. We all observe the worldwide convergence of what constitutes good corporate governance, also in the European banking industry: "Accountability" has become the key issue. This paper cannot deal with specific national or EU legislation - de lege lata or de lege ferenda - nor should it discuss the respective responsibilities of the Board of Directors versus the Executive Board. As a catch-all for present or future requirements, I raise salient elements of the BIS' 1999 report "Enhancing Corporate Governance for Banking Organisations". This September 1999 report of the Basle Committee on Banking Supervision identifies 7 essential practices. Table 6.1 shows how these are linked with my 12 S's.

Table 6.1: BIS Essential Practices and the 12 S's
(BIS practice: corresponding 12 S's)
- Strategic objectives and a set of corporate values: Strategy, shared values
- Clear line of responsibility and accountability: Structure, system
- Proper qualification of board of directors: Staff, skill
- Appropriate oversight by management: Structure, style
- Internal and external auditors as independent checks: Structure, safety
- Compensation consistent with bank's ethical values, strategy and control environment: System, shared values
- Transparency as to corporate governance: Stakeholders, symbol, synchronisation
Source: Credit Suisse Group / GRM, 2000.

The above, the Cadbury report, the recent Turnbull report and the EMI ECB recommendations all call on the various boards' responsibility to identify the relevant risks and to have an "embedded" risk management system. More recent supervisory and auditing requirements also make it very clear that senior management today has an ever increasing responsibility to deal with risks, including OpRisk, in a diligent and continuous fashion. These aspects have become more formalised lately, with clear allocation of responsibility, objectives, deadlines, controls and proper reporting. This is essential for proper OpRisk management, not just a "separate exercise" or "to take risk into consideration". In this context, it is not so crucial whether the whole BoD or Executive Board, the Audit or Chairman's Committee, an Executive Board Risk Committee, the CEO or the CRO have such a responsibility. Important is that it is done with skill, diligence, care and promptly.

Questions could be raised like: Does your organisation have an accepted OpRisk definition, a formal policy statement, a regular review of responsibilities? What committee deals with OpRisk? Who is the owner of an important issue? At a functional level, who is responsible for OpRisk management? Documented as to policy, structure and losses? Is there a clearly defined escalation process? Trend analysis? Impacts of OpRisk? Reports on OpRisk how often? Who reports to whom on legal cases, on insurance issues? Is the information consolidated and fit for high level supervision?
The role of an Audit or Risk Committee of the Board has become much more visible. Regulators take a more vivid interest in such or similar committees and Board functions related to risks, including OpRisk. The intensity and frequency of risk management discussions depend on the organisation's specific situation.

The major forces influencing the management of OpRisk are presented in Chart 6.2.

Chart 6.2: Managing OpRisks – Major Forces in a continuous Interplay
(Chart: Shareholders and other Stakeholders; Supervisors; Legislation; Competition; BoD; Senior Management; Internal and External Audit; Line / Business Management; Legal & Compliance; Product Control; Financial Control; IT; IT Development; Country Management; Operations; Risk Management; Risk Transfer; Insurance. Source: H.-U. Doerig, 2000)

6.2.2 Segregation of Duties

Internal and external cases indicate that many of the significant OpRisk losses in history were related to the lack of segregation of duties: front versus support functions. This fact holds true not only for lower level functions, but also for Executive Board levels. Each organisation has to strike the balance between what is to be managed tightly and what more loosely. A balance has to be found between:
- Extreme alignment (too much = bureaucracy and demotivation) and
- Extreme adaptability and flexibility (too much = chaos or difficult control)

The new decentralised structure initiated by Credit Suisse Group in 1996 served it well: Below a small Corporate Centre (= Holding Company), under the Group guidance, a total of 6 major Business Units - with their own Executive Board - are assembled: Retail banking, personal financial services, private banking, insurance, asset management and investment banking. One benefit of the restructuring was clearly defined responsibilities and enhanced transparency and discipline, including the information for the Supervisory Board. It also led to shorter decision making processes, more effective ownership of risk and a much more focused risk management. A reduction of complexity was achieved also for OpRisk by grouping similar skills and workflows in one unit. Additional opportunity costs were avoided.
CSFB e.g. separates trading versus support functions. Trading and Investment Banking report to different Executive Board members. The following functions report directly to the Vice Chairman who has no line functions: Risk management, legal & compliance, product control, financial control, operations, treasury, IT and country management.

Risk management must add value by:
- Fostering risk awareness in various situations and cycles of a firm or market
- Setting standards
- Ensuring smooth running of the firm's risk processes and methods
- Disclosing and escalating relevant risks to senior management
- No positions, as it is not a profit centre, but helping to prevent losses
- Offering constructive risk mitigation and pricing advice
- Assessing / quantifying risks
- Benchmarking with peers, where feasible

6.2.3 Management Structure for OpRisk

A survey has identified 3 generic organisational models for OpRisk management:16
- A Head Office OpRisk function
- A dedicated but decentralised support
- Internal Audit playing a lead role in OpRisk management
The Head Office OpRisk approach is receiving the widest acceptance. Such a corporate structure is presented in Chart 6.3. As important as the concrete structure is the visibility, acceptance and firmness of risk management.

Chart 6.3: Corporate Operational Risk Organisation Model
(Chart: Board of Directors; Senior Management; Operational Risk Committee; Internal Audit; Chief Risk Officer; Head of Operational Risks; Head Office Operational Risk Staff; Business Unit Management; Business Units Operational Risk Staff; Operational Risk Related Staff Functions: Compliance, Human Resources, Insurance, IT, Legal. Source: BBA (1999))

16 BBA (1999).
At CSG, the 6 major business units each have a CRO or CCO and an appointed OpRisk officer. The Group-CRO chairs 3 different risk related committees and has an overall top-down function as to creation and alignment of definitions, terminology, methods, processes, tools and mitigation strategies. He monitors, encourages and intervenes if needed and advisable. He exercises formal and informal influence, also on higher levels. At Group level, bottom-up approaches are encouraged, especially in the OpRisk arena. In my opinion, he promotes the creation of a "proper" risk culture by following the previous 12 Golden Rules on page 9.

6.2.4 Audit driven OpRisk Management

It is self-evident that auditing and controlling activities are not reporting to those who are audited: Internal audit reports go to the Chairman or Audit Committee of the Supervisory Board, thus ensuring independence. Internal and external audits play a very relevant role. The tasks of internal auditors vary, depending on business activity and the engaging in consulting on OpRisk management matters. A limited CSG analysis of 12 banks indicates: Retail banking has 3-5 and investment banking 7-10 auditors per 1000 staff on average.

It is true that many conventional audits are more control-oriented or concentrating on symptoms. However, forward looking and diligent audit reports are an excellent base for operational improvements and reduction or elimination of OpRisk: From ex-post assessments to ex-ante improvements. In my opinion, the audit driven approach is the most pragmatic and readily implementable approach in OpRisk management.

As important as the audit reports themselves are the corresponding follow-ups and corrective actions by those concerned. At CSG, audit reports are reviewed by the CEO, CFO and CRO as well. Unsatisfactory major reports are subject to additional follow-up requests by Group Management. Very unsatisfactory reports - especially revisited issues - are bonus relevant. At CSG, the Business Units have their own audit tracking system.

Statistics based on internal audit findings can be revealing. At CSG e.g., percentage data on items for correction are established for each BU and then consolidated. Example: documentation issues at large are mentioned in 31% of all reports, procedures issues come up in 29% etc. A comparison over years allows for some conclusions as to progress, especially in OpRisk issues.
6.3 System and Systems

System as one of the 12 S's stands for processes, while Systems are their corresponding IT and communication tools.

6.3.1 Framework of OpRisk Management

A common framework for OpRisk management for banks which has emerged recently includes integrated processes, tools and mitigation strategies.17 This framework has 6 components as presented in Chart 6.4.

Chart 6.4: Enterprise-wide OpRisk Management Framework
(Chart: Strategy; Risk Policies; Risk Mgt Process: Controls, Assessment, Measurement, Reporting; Risk Mitigation; Operations Management; Company Culture; Integrate with Market and Credit Risk; Align with Stakeholders; System and Systems. Source: Credit Suisse Group, based on BBA (1999))

Strategy and structure aspects were discussed previously. Risk assessment, measurement and reporting as tools are presented in chapter 7. Additional risk mitigation is dealt with in chapter 8. Here, we deal with the risk management process, primarily control aspects.

6.3.2 OpRisk Control Process: 12 General Rules to Watch

In its September 1998 framework on internal control the BIS mentions three main objectives and roles of the internal control framework:18
- Efficiency and effectiveness of activities (performance objectives)
- Reliability, completeness and timeliness of financial and management information (information objectives)
- Compliance with applicable laws and regulations (compliance objectives)

17 BBA (1999).
18 BIS (1998), pp. 12-13.
Internal control consists of 5 interrelated elements:
- Management oversight and the control culture
- Risk recognition and assessment
- Control activities and segregation of duties
- Information and communication
- Monitoring activities and correcting deficiencies

The control and compliance process of a firm represents one of the most decisive OpRisk management tasks, especially in today's environment. An appropriate control and compliance culture is part of the risk culture. For me, the risk culture aspect is the most decisive factor and base for good risk management. "Culture" is qualitative. It cannot be quantified or modelled. This "cultural aspect" needs close and continued attention by senior management. Supervisors increasingly discipline breaches of responsibilities. Individuals are increasingly held responsible by supervisors, especially in OECD countries. In Table 6.2, I have summarised some existing and / or increasingly upcoming requirements as a "checklist" with 12 general rules to watch in the context of OpRisk.

Table 6.2: OpRisk Control: 12 General Rules as a Check List19
1. Have a control environment and a compliance culture which accepts internal supervision. Control is a difficult balance between action making the fortune and "the cautious seldom err" (Confucius). Compare some of the "S" of an organisation: strategy, structure, system, systems, safety, speed, staff, skills, style, shared values.
2. Organise the activities so that they can be controlled: Establish clear structures and procedures, allocate responsibilities to suitable individuals ("owner" of specific activity; does the "owner" know what he/she owns?), integrate OpRisk functions/responsibilities in job descriptions.
3. Construct procedures relevant for the concrete activity, including: structure, activity, workflow, controls, key risks, records, regulatory requirements.
4. Map regulatory requirements directly to compliance control.
5. Document the procedures and maintain the relevant documents: You might have to prove something.
6. Regulators' standards are continuously being raised.
7. Procedures should ideally have the following characteristics:
- Single document as to rules and requirements
- Structured along the activity flow
- Comprehensive
- Clear: so someone else can pick it up (see staff turnover, role of temps and consultants)
- Monitorable
- Instructing: what is to be done in case of ...
- Teachable: so it can be used as a training aid
- Implementable: use simple check lists
- Auditable
8. Train management and staff. Train the supervisors of staff: supervisors also check.
9. Special attention for control procedures should be paid to the following:
- New business / activity / product
- Internet activity, e-business
- Outsourcing
- Security, safety: access to infrastructure, internal data
- Client privacy protection, including data on clients
- Insider trading
- Conflicts of interest
- Money laundering
- Suitability of clients
- Branch/subsidiary offices, especially far away from HO
- Overly profitable areas
- Internal communication/information flow
- Change management
10. Compliance plays an increasingly core role for OpRisk control:
- Proper positioning of compliance for a specialised activity: e.g. private banking has very different requirements compared to investment banking
- Compliance officers becoming risk managers: from a rule based approach to a function based approach?
- Enough and suitable compliance staff?
- Adequate procedures and reporting lines?
- Access to senior management?
- Staff understands compliance function?
- Compliance monitoring?
- Elevation procedures?
- Investigation on breaches?
- Follow-up on rectification?
11. E-commerce presents a new control/compliance challenge:
- Entrepreneurs and creative innovators also need structure and systematic approaches in management: e-nablement = e-compliance
- E-business within the firm's regulatory and compliance framework
- Monitoring by senior management
12. Supervisory board and senior management have an increasing responsibility for controls and compliance: from back to board room:
- Key functions and procedures?
- Control environment?
- Adequate compliance function?
- Controls: serious breaches and their remedial follow-ups?
- Database on breaches?
- Clear areas of management responsibility?
- Management support for controls?
- Compensation impact?

19 This section is partly based on: Morris, S., "Operational Risk Control, what FSA expects, and you must do", CMS, London, June 2000.

6.3.3 Top-down versus Bottom-up OpRisk Management

There is no commonly accepted benchmark or model as to the methodology of managing OpRisk. Not surprisingly therefore, there are arguments for both top-down and bottom-up approaches in OpRisk management. As to be expected in the art of management, both have advantages and disadvantages. Table 6.3 indicates some of the aspects of the two models. I believe in a mix. Most important seems to me the clear ownership of an activity, the ability to generate reliable, meaningful and relevant information and a well functioning early warning system. For me, the OpRisk management process includes identification, assessment, evaluation, measurement, reporting, priority setting, control and mitigation.

Table 6.3: The Choice of an OpRisk Management System
Top-down:
- Close to strategy, policy and corporate governance
- Management driven
- Loss events knowledge
- Defined, unified standards
- Comparable statistics
- High level mitigation
- Accountability?
- Compliance and/or acceptance?
Bottom-up:
- Close to the concrete activity, often origin of risk
- Close interaction between events and people, processes and technology
- Local quality controls
- Sense of duty as a main driver?
- Dependence on staff initiative?
- Own standards?
- Incentives?
Source: Credit Suisse Group / GRM, 2000.
6.3.4 Risk Processes: Quantitative and Qualitative Approaches

Whether top-down or bottom-up, OpRisk management can be based on quantitative and qualitative assessments, as presented in Chart 6.5. Both should be combined and must induce management actions.

Chart 6.5: Qualitative and Quantitative Operational Risk Management Process
(Chart: Risk Indicators: establish a set of indicators, regularly monitor risk indicators, use as basis for management reporting. Analysis (financial / qualitative): analyse trend of indicators for their financial impact, if feasible, and for possible qualitative improvements. Management Decisions: determine what kind of action is necessary, if any; create incentives to encourage best practice. Mitigation or Transfer / Risk Based Internal Charge: implement improvements or transfer the risk appropriately. Source: Credit Suisse Group / GRM, 1999)

6.3.5 Personal Attention by Senior Management

With all the requirements as to strategy, structure, system and systems presented up to now, one element often overlooked is the personal senior management attention to support functions and to details in regard to OpRisk aspects. Honestly:
- How often is senior management visiting and discussing with support / control functions?
- How often and how long is senior management in the "machine room"?
- How often is senior management showing a vivid interest in some detail that is overall unimportant, but important for a department or issue?
- What is the time allotted at management meetings for support functions?
- What "pats on the shoulders" do they get?
- How large is the compensation difference between front producers and excellent or even crucial support people who are so relevant for mitigating OpRisk and fostering reputation?
6.3.6 Compensation-System

Banks are regularly being criticised for the - Anglo-Saxon influenced - bonus systems according to "plain volume performance". Pure short-term orientation can be damaging for the shareholder, other stakeholders, the organisation and even the individual concerned. While all banks are under massive competitive market pressure, it is a serious issue which is relevant for OpRisk management as well. In my opinion - in the interest of a proper risk management in the medium term - a modern compensation scheme should take the following into account:
- Serious negative control and compliance performance is included in the overall performance judgement, including for "producers"
- Seriously negative audit issues - especially repeated weaknesses - are part of the yearly bonus fixing
- In case of doubt in regard to the clean-up of previous or real OpRisk performance issues, there is a suspension of the bonus-entitlement until full compliance has been achieved
- A meaningful portion of a bonus is in shares and/or options, effective after a few years and/or with a knock-in performance with a longevity premium
- The higher the seniority, the higher the longer-term component of compensation. The higher the management level, the higher the number of years for the potential blocking of shares. For my personal taste, senior management should only get their bonuses in shares: either you have a medium-term commitment or you do not.
- The assessment of a line manager has to include control and reputational performance. Some support functions, such as reducing OpRisk, increasing the operational quality and fostering the reputation, are as core as the contribution of "producers"
- The more diverse management and staff on a global scale, the more relevant the above suggestions become.

6.3.7 Modern IT-systems lead to New Processes

The pressure from everywhere to invest continuously and dramatically - including in the interest of risk reduction - in modern processes is immense, especially for a global institution. The new technologies lead to unique opportunities to modify and/or overhaul business processes as to workflow, efficiency and flexibility. Important is to rethink or even reinvent processes, e.g. 24h x 7 availability of e-commerce services with realtime execution of transactions. Integrated IT networks are central. They first and foremost enable business development, service delivery and risk reduction. However, they open the door for chaos and risks if they are not consistent, structured, harmonised and stable over time. That is the time when certain risks - including OpRisk - appear, and that is when good management shows.

The new IT in conjunction with process re-architecture has many advantages related to the reduction of OpRisk, such as higher automation, instant communication, globality, quick storage and retrieval, support of process work functions, monitoring against given standards, support for quick decision making, actual work steps in processes. Internet related technologies enable much higher and more sophisticated levels of co-ordination.

Without even trying to be technical, there are some basic rules in regard to OpRisk to consider:

Table 6.4: OpRisk-Systems: 12 IT related Basics
1. Many, even technically perfect IT-solutions fail because the users are ill prepared and resist. Communication and training is the issue.
2. Future-oriented and fully compatible architecture for the operational demands of the business; avoid island solutions.
3. Processes and systems are standardised across regions and product lines.
4. One source of data throughout - especially market data; data should have a single assigned owner.
5. As little manual intervention as possible: great sources of mistakes are manual interventions; minimal reconciliation, and more ideally straight-through-processing.
6. Business line processes are separated from IT: no overreaching access of line functions to data and IT-systems.
7. Not maximum performance, but the handling of bottlenecks mostly determines the quality and risk limitation potential.
8. No core systems without backup; cost / benefit of a backup for the backup?
9. Security protection, firewalls and business continuity plans are key; data can be audited.
10. Reassess the existing process on a regular basis; especially recurring mistakes need re-examination of manager/supervisor/system/systems.
11. New systems/processes should eliminate many risk sources, but they most probably add new ones: any solution breeds new problems. Systems - by their nature - are interdependent and complex, with potential conflicts between the interested parties: co-operation, consensus and compromise are management functions: follow the KISS-rule, high tech combined with high touch.
12. Quality will no longer be a differentiating factor but a precondition for a decent survival. Quality is parallel to reducing OpRisk.
6.4 Safety and Speed

One of the most distinguishing elements of competitiveness of a bank is its safety and security. Today, the fast beats the slow, more often than the big the small one. The challenges are great: managing heterogeneous systems, rapid IT changes, Internet, e-commerce, restructurings and new products of all sorts. Whatever we do, we must make sure that we fulfil regulatory requirements and observe all laws. However, this can imply slowness which in turn hampers competitiveness. The damage caused by serious security / safety failures of an Internet activity most probably has a negative effect on other activities of the same organisation.

A general legal risk is the data protection problem. The EU directive of 1998 has 4 basic principles:20
- Individuals should be able to obtain and make corrections to information that is held about them by companies or institutions
- Companies must gain their customers' consent before storing or using information about them
- Companies must only use data for the original purpose that was expressed at the time of collection, unless the customer agrees otherwise
- Companies must not obtain more data on individuals than they need to carry out their stated purpose
There is a privacy gap between the USA and Europe which poses problems for global marketers: What is sacred in Europe generally is for sale in the USA. Is the planned US "safe harbour" approach the answer?

Table 6.5: Safety and Speed: 12 Principles
1. Confidence and credibility of a bank - its most valuable asset - rely largely on its safety and security:
- Safety and security foster accident free quality
- Prevention is often cheaper in the long run than damage control - cost / benefit dependent
- Perception is as important as facts
2. A bank's reputation - so hard to get, so easy to lose - is, besides capital strength, size, cost and position, an issue of confidence and trust, for which aspects of safety and security play such a crucial role. Only confidence at large builds reputation.
3. Safety / security come ahead of speed:
- Safety is a precondition, not a differentiation factor for a bank
- A bank's appetite for safety risks has to be smaller than the one of a non-bank
- Banks need safety in their speed: trust builds confidence
- "E-commerce-ready" management structure and system/s

20 See Randall, J. (2000): "Digital Buccaneers Caught in a Legal Web", Financial Times, May 30, 2000.
Proactive business continuity planning - as a business imperative - is as much a prevention as a cure. Logical system threat is perceived as more important than physical threat:
- Regular checks on the relevant safety / security issue
- Combine traditional disaster recovery and fault-tolerant computing
- Speed of crisis response mostly more important than perfectionism
- Outsourcing increasingly possible, but the outsourcer's responsibilities vis-à-vis clients remain
Any transformation project - restructuring, M&A, new systems, new process, new products - entails additional special and complex safety and security issues. Key success factors for projects:
- Strong senior management support and involvement
- Thinking before acting
- Good planning
- Convincing business case
- Good discipline and controlling
High systems availability and user friendliness are a crucial - factual and perceived - indicator for safety and security:
- 99.99% availability for mission-critical systems is becoming a priority
- Minimise downtime with review of hardware, software, systems compatibility, processes and staff training
- Proven systems normally are more secure and reliable
- Watch the cumulative effect of systems downtime
More security breaches - especially IT related - stem from inside the organisation than from outside, through ignorance, carelessness, complexity or deliberately:
- Security starts with identifying and planning
- Identify own weak areas and the real assets to be protected
- Protection of intellectual property, client lists, computer code etc. is as important as protection of money
- Preventive controls (biometrics, passwords etc.)
- Documented detection and remedy controls
- Corporate style and culture
- Training
- Clear disclosure to employees that any and all communication they engage in on company time and equipment is subject to potential surveillance
- Watch also ex-employees
Safety management is - besides having the right infrastructure, technology, service level agreements, processes and recoverability - primarily a matter of OpRisk management applying discipline, e.g.:
- Rigorous password security and changes; cumulative barriers to overcome for access
- Rigorous Chinese walls
- Rigorous control mechanisms for new business activities, involving sign-offs by all concerned parties (including operations, L&C, tax, risk management)
- Continuously updated anti-virus software
- Immediate virus notification
- Regular checks and controls of logical security
- Backup
- Regular awareness management
- Rigorous discipline as to breaches
Piracy on privacy and denial of service scare away clients, anywhere: transactions and data must be safe, secure, private, verifiable, auditable and defensible. E-commerce especially allows transaction information to be tracked, collected, compiled and used, respectively misused. Protection of privacy and safety can be fostered by:
- Protection from "cookies" (software tracking what you do on the www)
- Regular checks on new processes, new technology
- Terrestrial links (with two or more access points, satellite as stand-by)
- Secure Sockets Layer (SSL)
- Home Banking Computer Interface Standard (HBCI) encryption plus chip card with digital signature
- Existing (challenge response logic) and upcoming encryption technology with unique codes
- Public Key Infrastructure (PKI) increasingly enables users of the Internet to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. PKIs allow the use of digital certificates, which can identify individuals or organisations to authorise secured and private transactions across the Internet21
The legal ramifications of the virtual online world are in flux and need careful examination. The EU has started various initiatives with directives on electronic signatures, e-commerce, distance marketing of financial services, distance selling, data protection. The legal aspects are potentially also relevant in the context of comprehensive general liability insurance. Watch for: domain name infringement, sale of keywords, copyright infringements and patent infringements, invasion of privacy, defamation, unfair competition, contractual risks, jurisdictional risk, employment practice liability, health and safety of staff, local legal specifics.
21 Norton, J. (no date): Security and Data Protection, FKM.
Every major financial institution has the task of supporting industry-wide efforts and organisations to standardise transactions and foster safety and security, such as Global Straight-Through Processing Association (GSTPA), SWIFT, Continuous Link Settlement (CLS), CHIPS, etc.
6.5 Staff and Skills
The value of a financial services institution increasingly lies in its intangibles: data, knowledge, skills, people, network, reputation and brand. These are bundled together in the organisation and can also be reflected in OpRisk. Worldwide, a battle for talent is going on. Human capital has become more important than financial capital. Human capital with its creativity will become THE core asset. The brainware is the issue, not the hardware! For financial institutions, employee selection, retention and development is at least on the same level as customer loyalty or shareholder support. As a matter of fact, the last two stakeholder aspects very much depend on proper management and staff. Despite all the quantitative and analytical methods used in disciplined and structured organisations, people still base their decisions on personal inclination, ad-hoc influences, group dynamics, belief systems, cultural norms and values.
Table 6.6: Staff and Skills: 12 Principles

1. Personality of a person is probably the most important core trait for a successful long-term survival in an organisation, followed by motivation and ability. If the above statement is correct, personality aspects should be the key selection and retention arguments. There is seldom a large difference between what a person is privately versus professionally. These aspects should never be forgotten, as the ultimate source of OpRisk is always human in nature. This is important for risk management in general, as risks are perceived subjectively: when a risk taker is in a relevant gain position, he/she becomes more conservative; in a position of loss, he/she normally becomes more risk seeking, having not much to lose (Prospect theory). A common bias is also the personal confirmation bias: more attention is given to information which confirms a personal hypothesis than to information which contradicts it. All this requires employees with character, integrity and the ability to be self-critical.
2. If the difference between very good and not so good employees is 2 to 1, then the selection, retention and development of people becomes even more crucial. Never hire or keep anybody where there are question marks as to integrity and intellectual honesty; it only leads to additional OpRisk. "Integrity without knowledge is weak and useless, and knowledge without integrity is dangerous and dreadful" (S. Johnson, 1709-1784). Hire people who understand what they do and what they decide, also in operational or support areas. For tasks of some importance, always hire somebody who is interested in developing him- or herself. This is easy to say, difficult to do.

3. Be aware that different attitudes exist, especially among younger people:
- Be part of a fashionable job with positive vibrations, even if very demanding and hyperactive, or
- Ensure balance between private and professional lives
Both attitudes can lead to personal growth, but watch the drag factor of an 80% commitment only: another OpRisk issue. More flexibility is needed for e.g. job-sharing, part-time or term-time working, telecommuting, childcare, paternity leave, special leave, no-strings-attached sabbaticals, tax advice, privileged early-stage investments, stock options, dress-downs, empowerment. Recruiting and nurturing skills of managers and HR will be challenged even more in regard to this OpRisk.

4. Managers and staff in Operations and Support often are not in the limelight like front people. This does not imply that aspirations and expectations of support people can be kept low! Not only the responsibility, position, outlook, compensation and colleagues attract excellent staff. Take into account the aspects shown under 3, but also include some limelight. Example: "Team of the month" as an official firmwide announcement. Make entrepreneurship and creativity an issue.

5. Excellent performers in front functions or specialists are not necessarily good people managers - which can mean OpRisk. Some aspects of management can be learned, but not all. Intuition, experience and EQ remain important. New skills needed in a competitive world include the management of change, of confrontation without hostility and of conflicts.

6. Global markets require a mix of management skills, including sensitivity, multicultural perspective, technological literacy, IQ, EQ and leadership. Management and staff of a global organisation need to demonstrate four key qualifications:
- Attitude
- Awareness
- Knowledge and
- Skills
Without these, a global organisation is bound to have problems.

7. People with the most attractive personality and best skills are the most mobile. Continuous training and retraining becomes crucial for each employer and employee, given the new economic environment, high turnover rates and the coming termination of loyalty and lifetime employment. The new technology of Inter- and Intranet makes a very efficient, continuous in-house education and training - Webucation - possible: B2E. Acquiring knowledge ≠ applying knowledge: from "know-how" to "feel-how" to "do-how". This is another OpRisk mitigant.

8. People's ability to change/learn is not primarily a function of capacity, but of choice. It is probably correct that a proper culture of an organisation improves people's attitudes and strengths.

9. Knowledge management is an increasingly important and conscious corporate activity. It leverages existing intellectual information assets, corporate experience and best practice. Organisations are being challenged to identify and separate the high-value, high-utility data from the low-value data. Therefore, knowledge management is also information management: the right contents in proper form, at the right time, to the right people becomes the key to success. This is even more crucial given the growing diversity of staff and high turnover rates. Staff is mostly over-newsed and often under-informed.

10. Coming to other regions from the USA, management and staff issues in regard to discrimination, diversity of staff, staff pressure, mobbing, bullying, harassment of all sorts and infrastructural environment aspects have to be a senior management's OpRisk concern today.

11. Tougher legislation will come up. Litigation and/or media pressure in those areas are becoming more prevalent in Europe.
12. The engagement of outside consultants has become an important skill feature for almost any financial institution. Such a temporary skill acquisition can be successful as long as the following conditions are met:
- Well formulated, specified mandate with time limit
- Right experience
- Your project must be a consultant's priority
- Qualification of team members with specific responsibilities
- Acceptable financial situation of the consulting firm
- No conflict of interest
- Credibility as ambassador for the institution
- Compliance with internal rules during the contract, including trading rules
The consulting heydays for the introduction of the Euro and for Year 2000 are over. New engagements must be found, among which OpRisk matters are most welcome. Some consultants are playing on fears about vulnerability rather than providing relevant and credible solutions; some of their representations vis-à-vis regulators do not make life easier for banks.

6.6 Style and Shared Values

Style and shared values are core issues for the risk management of a financial organisation, including for OpRisk management. Each organisation has its very specific corporate culture, including for OpRisk management matters. Corporate culture - an expression often used and misused - is this formal and informal, written and unwritten and often invisible totality of common norms, values, thinking and acting which determines the behaviours of management and staff, internally and externally. It is a qualitative expression of the organisation; such an expression can be difficult to describe. Risk culture - in my judgement - is, besides people, THE most crucial factor for a successful risk management generally and in OpRisk management in particular, even more important than the most sophisticated quantitative risk models, which also need intellectual honesty. The control culture acts above all at the very place where risks are taken: at the level of the individual acting on behalf of the firm. The following guidelines address OpRisk at the root as they touch the individual's attitudes, actions and reactions.

Table 6.7: Style and Shared Values: 12 Guidelines

1. Culture is core for the identity of people. Traditionally, culture has been linked to common language, values, customs and beliefs on a local, national and perhaps regional level. New mass media and the Internet seem to be forging tomorrow's global culture with an internationalisation of activities and staff. Is the culture of global identification and cyber citizenship going to be enough of roots, values and beliefs?
2. What is acceptable may differ from one individual or organisation to the next. Therefore, "acceptability" needs formal and informal processes. Such processes often are the sources of initiatives. The role of internal communication through informal processes and structures must not be underestimated.

3. Top responsibility for the risk culture lies with senior management. Not every decision can have or should have written rules: Managers and staff have to be able to make the majority of their decisions within a cultural framework, even if he or she acts far away. Financial services is largely a judgement business. Purely and formally ruled staff is an excellent recipe for getting mediocre quality only. "It is by acts, not by ideas that people live" (Anatole France).

4. Some components of a good risk culture:
- Honesty, integrity, intellectual honesty, fairness
- Flat structure, supportive management
- Active and constructive communication
- Open agendas
- Acceptance of controls
- Natural, risk-adjusted compensation
- Proper system and systems
- Properly formulated policies
- Clear guidelines and manuals
- Continuous risk oriented training
- Alert staff, risk conscious behaviour
- Elimination of undesirable managers and staff
- Prevention of risks ahead of correction
- Identification with the company, sense of belonging

5. Given the environment today and tomorrow, mistakes happen daily as the future turns out differently than expected. Discipline must be in place as to following structures, system and systems, but also as to admitting and learning from mistakes and correcting them properly. It follows that a key factor in risk management and risk culture is discipline and perseverance as THE message of senior management.

6. The style of a company should be inspiring - according to my perhaps still idealistic taste - with the following parameters: The employee brings competitive performance short-term and continuous competence building long-term; the employer cares for competitive employment terms and conditions short-term and commits sustained investment in employability long-term. At the same time, such a contract between employee and employer should be attractive for both partners. Important are the shared aspirations, innovation, creativity, energy and avoidance of risks, openness and the ability to work in a team.
7. "To take care" of management and staff is not synonymous with "caring for people". Subordinates or staff fully realise this, psychologically; there can be a very fine line between the two. Therefore, a performance appraisal process must be designed to pick up poor shows at an early stage. Senior management's action and reaction should take this into account when working towards mitigating OpRisk.

8. One recipe for OpRisk management is the removal of a "blame culture". Staff must feel less concerned about admitting mistakes. To sack or reprimand staff after an incident can lead to covering up future problems.22

9. Avoid "silo thinking and acting" in OpRisk management. Avoid the "knowledge is power" syndrome. All should know what others - relevant for their responsibilities - are doing and planning. A "full picture" environment, professionalism and motivation will be improved.

10. Whether an organisation has a good or bad risk culture is a highly qualitative judgement; it cannot be mathematically quantified. While it is the most crucial aspect of risk management, the direct non-quantifiable characteristics of risk culture make regulators uneasy. To singularly judge an organisation with maturity and experience must be highly challenging for an outside supervisor, certainly much more than "box-ticking". You will never know how good a company's risk culture is until it is put to the test. Controlling and disaster simulation are good measures for judging the overall state of the organisation and for using as a base for improvements. Compare the military experience in chapter 5.

11. Common denominators and shared values of an organisation are becoming much more relevant, given the rapid change, the diversity and fluctuation of staff and the globalisation of business, and given the "dilution" of other institutions' credibility. These are the reasons why CSG introduced an internal, global and self-imposed Code of Conduct for close to 80'000 staff as part of their employment contract. The 12 internal core values of the code as one example are shown in Table 6.8. While the daily application of such a Code of Conduct is the issue - it will be part of the regular internal auditing - it should provide the individuals around the globe a sense of focus and belonging.

12. Risk management - in the context of corporate culture and specifically for risk / control culture - is a continuing, never-ending process, not a program.

22 See also Rachlin, C. (1998): "Operational Risk in Retail Banking", in Jameson, R. (1998): Operational Risk and Financial Institutions, Risk Books, London, p. 125.
Table 6.8: 12 Core Values for Employees of Credit Suisse Group

6 Core Ethical Values

INTEGRITY: We realise that our global franchise is based on our core ethical values and our long-standing reputation for integrity, trust, fairness and professionalism. We do not mislead our stakeholders. We promise only what we can deliver.

RESPONSIBILITY: We honour our commitments and take personal responsibility for our actions. We respect the interests of our stakeholders (clients, shareholders, employees, government authorities, financial regulators, competitors, service providers, media) and of society as a whole.

FAIRNESS: We believe in courteous and respectful treatment of our stakeholders. We support equal opportunities and a work environment free of discrimination and harassment of any sort.

COMPLIANCE: We acknowledge the importance of all relevant laws, regulations, policies and standards, both internal and external, and comply with them. Legality, compliance and our core ethical values, however, come before profits.

TRANSPARENCY: We seek constructive, transparent and open dialogue with our stakeholders based on fairness, mutual respect and professionalism.

CONFIDENTIALITY: We treat confidential information as such and do not disclose non-public information concerning the Credit Suisse Group companies, their clients and employees, unless required by law.

6 Core Performance Values

SERVICE EXCELLENCE: We are committed to providing superior service to our clients. We believe that knowing our clients and offering them value by combining good judgement, in-depth knowledge and prompt and courteous service leads to success.

TEAMWORK: We believe in achieving more for our stakeholders by working together to draw upon our individual and collective strengths and abilities worldwide and across business lines. Every employee contributes her/his best to reach our common goals.

COMMITMENT: We are committed to excellence through continuous improvement of our management practices and know-how, governance and teamwork, by maintaining focus and intensity of effort. We recognise individual contribution to the current and future success of our firm and reward it objectively, taking into account the personal contribution to targets.

RISK CULTURE: We base our business operations on conscious, disciplined and intelligent risk taking. We believe in independent risk management, compliance and audit processes with proper management accountability for the interests and concerns of our stakeholders. We are committed to exemplary management discipline and a first class control and compliance environment. Problems or mistakes are viewed as a chance to improve.

PROFITABILITY: We are committed to sustained profitability which enables us to carry out our strategies, make long-term investments, fairly compensate our staff and achieve an attractive return for our shareholders.
6.7 Stakeholders and Symbol

This pair of the 12 S's is another "soft" area of an organisation and increasingly key for a successful survival. Influences and interdependencies between an organisation and its stakeholders are manifold, interdependent, often informal and hardly quantifiable. There is a trend away from the sole shareholder towards a more integrated stakeholder orientation. Stakeholders and the other factors described influence the "symbol". The expression "symbol" stands for identity, reputation, brand.

Table 6.9: Stakeholders and Symbol: 12 Issues

1. Managing for shareholders means managing for stakeholders. Shareholders cannot be satisfied if other stakeholders - primarily customers, employees, partners, but also supervisors, government and non-government organisations - are not cared for. All stakeholders drive the financial success and the share price, which leads to sustainability.

2. With globalisation and a gradual demise of traditional states and politics, the corporation's responsibility as a "partner in society" increases. Perhaps such social responsibility is a trade-off for more freedom to move. A proactive social responsibility will have a more pronounced advantage vis-à-vis stakeholders. But the preconditions for a successful partnership in society remain: profitability and growth. Corporate performance is increasingly judged by global standards.

3. The new environment is fast, IT-driven, mobile, anywhere-anytime connected, which leads to a world which is highly global, complex, interdependent, innovative, time-pressured and competitive. Every one of these characterisations entails challenges for OpRisk management. OpRisk management is especially challenged in restructuring and M&A situations.

4. Creating value for financial institution customers is the greatest challenge. Customer "ownership" is probably still the key strategic barrier for competitors. Operational skills of an institution are crucial for nurturing customer loyalty: reliance, speed, quality, access, transparency, customer orientation and "risk-free" activities; risk-free means "reliable" for many clients. OpRisk management is close to quality and operations management. Up to now, banks do not seem to have had any major problems with operational e-safety. Such a record will be a crucial differentiation argument vis-à-vis non-bank competitors. The client also expects privacy for his/her personal financial transactions.

5. The client or end-user is the final arbiter on a new service or process - not the enthusiastic internal project team. Most clients are primarily interested in the quality they receive during the transformation. The better and more "risk-free" the ongoing service, the better also the internal and external credibility of the transformation project itself. Early inclusion of potential clients, pilots and field tests can reduce the OpRisk involved.

6. Financial institutions also have to protect themselves from the customer. Good OpRisk management calls for proper disclosure and suitability checks on counterparties.

7. Satisfying its employees enables a company to satisfy its clients. Various staff aspects were discussed above. Key is a formal and informal, mutually acceptable understanding between employer and employee. Social cohesion has become a component of success.

8. Financial institutions are more and more challenged in regard to their environmental consciousness for their own infrastructure. Environmentally conscious lending and investing - with commensurate internal processes - have an OpRisk content as well. Certification of the latter is a proof of the seriousness in OpRisk management. A company's social, ethical, environmental and working practices can make or break the reputation, a brand, and affect the share price. All this creates expectations in regard to the "trusted bank" which also have to be managed.

9. In the context of "symbol management" and of social cohesion, the activities of the non-governmental organisations become increasingly relevant. Such organisations have very different shapes and shades. Some of their aspirations have to be taken very seriously. "Activists rarely win against honourable organisations. Activists win when genuine problems are ignored, issues remain unexplained, or behaviours simply don't pass the smell test. Activists' success requires energetic, negative responses from their targets. Without it, they have little choice but to move on. There may be momentary damage, embarrassment and humiliation."23

10. The 12 S's of an organisation - discussed in detail up to now - create "a symbol" and support a brand, which should provide the needed identification. The 12 S's are partly directly related to the symbol, mostly in unquantifiable and intangible ways, often indirectly. Every organisation stands for something - whether in fact or perceived internally and externally: every organisation is a symbol for something: it has a reputation, an identity, a brand, an experience, perception. Good reputation is - simply put - the result of what a company says about itself, what it does - including in OpRisk areas - and what others say about it. Good reputation is the greatest intangible asset of a financial institution, at least in the medium term. Effective corporate communication is the lifeblood of any financial institution, which is so heavily dependent on confidence and trust. Good communication can reinforce reputation, but good communication needs good facts.

23 Lukaszewski, J. (1998), White Plains, NYC.
11. Corporate communication - as an organisation in itself - is exposed to OpRisk. An ineffective communication organisation combined with a concrete risk or major OpRisk issue can lead to disaster: from cracks to crisis in extremis. Ideally, each employee takes some responsibility for risk management as well as for corporate reputation. We are dealing internally and externally with not only rational, but also emotional human beings who make efforts and mistakes every day.

12. The most relevant singular factor for establishing an excellent reputation long-term is earnings stability combined with growth. This is the "compensation" for the consistency driving value. Operational skills combined with a successful OpRisk management are an instrumental base for sustained earnings and the management of reputation and brand.

6.8 Synchronisation

The discussion of the 12 S's and the previous chapters show that OpRisk management is not an easily definable, measurable and quantifiable issue. This is the reason why management, including OpRisk management, is less of a science but more of an art. Good OpRisk management is largely good management. The art in financial services is not the perfect application of one of the 12 S's: The art of managing a bank or another business is the combination and synchronisation of the various S's: right strategy and priority, right structure, right people, right cost/price, right form, right time, right efforts and intensity. A strategy or concept might well be perfect, but a bad synchronisation of all the efforts leads to a poor implementation. OpRisk is rather different from one organisation to the next, given the specifics of tradition, strategy, structure, system and systems, style, shared values etc., global reach, distribution channels and stage of risk management, each organisation having its own orientation and aggregate skills and expertise. The priorities must be different. This makes up the "individualised corporation". This is the reason why financial institutions have different results or different long-term success, different share price valuations and different expectations in the market.

"The difference between stumbling blocks and stepping-stones is how you use them" (Source unknown)
7. Managing Operational Risks: Practical Instruments and Tools

7.1 Introduction

Chapter 6 focused on OpRisk management from a high level point of view. Chapter 7 concentrates on a more bottom-up point of view with corresponding tools, some of which are still being developed and may be CSG specific. Management of operations has always used some sort of tools to identify, assess, control and manage OpRisk in its day-to-day specific area of activity. With the increased awareness of senior management for risks in general and for OpRisk in particular, these tools have received closer attention. No one tool on its own is sufficient; each has its limitations. "Synchronisation" of the tools combined with the previously discussed, more high level approaches of general management - including audits and compliance measures - is the issue. Such an approach leads to integrated risk management. This is similar to the military approach as discussed in Chapter 5.

7.2 Control and Risk Self-Assessment

According to a recent study, self-assessment is the most widely used tool among banks.24 Control and Risk Self-Assessment (CRSA) is a workteam-based technique to help managers identify and measure OpRisk through estimates based on the consensus opinion of a group of knowledgeable managers and staff. CRSA uses a formally documented process in which management and/or workteams review the effectiveness of the business controls to contain risks and to meet defined objectives. These objectives can include diverse areas, as well as diverse practical applications for every department and every employee function. Management must clarify the relationship between the organisation's primary corporate objectives and the specific business line objectives for each participating unit. In many cases, a cross-functional workteam helps to develop the broadest possible coverage for the achievement of the business objective. A facilitator is designated to assist the workteam, whose members should be people who are key to the achievement of the specific business objective or are influencing the operation that has been selected for review. The ultimate objective of this process is to foster the identification, assessment and mitigation of OpRisk.

24 BBA (1999), pp 55 ff. 110 banks approached; response from 55 banks.
Workshops are conducted with employees from participating departments using a framework consisting of control categories, to review the controls in place to achieve each business objective under analysis. The framework's categories may include: purpose, commitment, capability, planning, measurement, direct controls, process oversight and culture. The objectives are analysed in terms of:
- Threats - events that could prevent the achievement of an objective
- Controls - activities that provide additional assurance that objectives are met
- Agreed residual risk - the real or possible events or situations where a business/quality objective is not being met or may not be met given the controls in use/place
The information on threats, controls and risks is captured for each business objective. The information is then documented, summarised and reported to senior management. This approach is used for different functions and locations. It is obvious that CRSAs benefit the organisation, the employee through his/her involvement (employee well-being and morale) and management through the bottom-up feedback provided. Due to the dynamic nature of a firm's risk profile, CRSA findings should periodically be updated. A simplified CRSA example of CSG's Asset Management Business Unit is presented in Chart 7.1.

Chart 7.1: Process Self-Assessment. Risk level (results, on average) shown on a 0% to 100% scale against five Self-Assessment Checks: 1. No procedure in place, possible audit remark; 2. Procedure in place, audit remark; 3. Level of external audit standard met; 4. Local best practice; 5. International best practice. Source: Credit Suisse Asset Management, 1999.
7.3 Impact & Frequency Scorecard

It can also be useful to assess the impact and frequency of identified and relevant OpRisk events. This may be done using an impact and frequency scoring system quite similar to that presented in chapter 5 for military purposes. In particular, OpRisk events that are identified as having potentially significant impact can be isolated for further analysis, which may include a frequency estimator and investigative study. Based on the fact findings from these analytical tools, appropriate management response can then be deployed.

Chart 7.2: IMPACT SCORING SYSTEM (example)

Impact alternatives & related words (Impact No.): 5 Very High, 4 High, 3 Medium, 2 Low, 1 Very Low. Each impact level is described along five dimensions (financial, reputational, regulatory, human, organisational). The row shown for Medium (3, Tolerable/moderate):
- Questions: Does the occurrence of this risk event have a tolerable effect? Does it prevent you from operating efficiently?
- Impact: financial - High financial loss up to USD 25m
- Impact: reputational - Some negative press
- Impact: regulatory - Regulatory scrutiny / noticeable resource impact on normal activities
- Impact: human - Tolerable loss in terms of: loss of key staff, loss of expertise, erosion of culture
- Impact: organisational - Noticeable resource impact on normal activities; tolerable loss in terms of: loss of control, quality of system/procedures, legal exposure, erosion of culture

Example: Irregular trading activities spotted by local controllers that may be classified as rogue trading. The impact of this event is assessed using the Impact Scoring tool.
IMPACT ASSESSMENT (Regulatory): Local regulator questioning the adequacy of the controls of traders' limits; early feedback indicates that the regulator is satisfied that all feasible controls are installed and followed.
IMPACT SCORE - Impact Score Range: 5 Very High [Devastating/Catastrophic], 4 High [Substantial/Major], 3 Medium [Tolerable/Moderate], 2 Low [Negligible/Minor], 1 Very Low [No Impact/Insignificant].

Chart 7.3: FREQUENCY ESTIMATOR (example)

Frequency alternatives & related words: Unlikely. Frequency score: 2 (Low). Description: 1 in 50 years. Question: Is this risk event unlikely to happen? Say 1 in 50 years?
ROGUE TRADING INCIDENT: Internal loss history indicates that this type of event, given the level of existing controls, has a FREQUENCY rating of LOW, i.e. a likelihood of 1 in 50 years.
Frequency Score Range: 5 Very High [Almost Certain - a number of times a year], 4 High [Likely - 1 in 2-5 years], 3 Medium [Moderate - 1 in 10 years], 2 Low [Unlikely - 1 in 50 years], 1 Very Low [Rare - 1 in 100 years].
7.4 Risk Indicators and Escalation Triggers
OpRisk literature is full of fancy terms like KPI, KCI and KRI. These are nothing but abbreviations of the superlative of one and the same thing: all departments in a bank watch certain figures or trends related to their work. Sales people would monitor performance and volume; settlement staff monitor mistakes resulting from inaccuracies in their operation, etc. They all choose certain indicators which can be sensibly tracked over time. A selection of the most valuable of these indicators is then elevated to "key indicator" status. The market has coined three different names for such indicators which are relevant for OpRisk management:
Key Performance Indicators (KPI) are normally used for monitoring operational efficiency. Examples include the number of failed trades, staff turnover, severity of errors and omissions, breaches in Service Level Agreements.
Key Control Indicators (KCI) demonstrate the effectiveness of controls. Examples: number of audit exceptions, number of outstanding confirmations, IT security breaches, unfilled vacancies, contract staff versus permanent staff.
Key Risk Indicators (KRI) are primarily a selection of KPIs and KCIs. This selection is made by risk managers from a pool of business data/indicators considered useful for the purpose of risk tracking. A KRI gives insight on the extent of stress of an activity. Examples: failed trades, cancel and corrects, systems downtime, change management events, absence levels and customer satisfaction surveys.
A few important KRIs are more relevant for management tracking and escalation triggering than the unimportant many. Typically, a business unit or department uses 10-15 different KRIs. KRIs must be used as a time series to monitor and foresee trends; red flags are triggered if the indicators move outside the established range. If skilfully used, such trend analyses can serve as an early warning system and provide directional input for senior management involvement. The example of Chart 7.4 is based on the structure applied by CSG.
Chart 7.4: Group-wide KRI - Rolling up from Base Data to Group OpRisk Indicators
• Group OpRisk Indicators: OpRisk Indicators used for OpRisk Reporting to Ex Board and BoD [Group-wide specific KRI + common BU KRIs]
• BU KRI - Composite (BU Composite KRIs): OpRisk Indicators used for OpRisk Reporting to Ex Board [Rolled-up/Aggregated BU level, simple KRIs]
• BU KRI - Simple (BU Simple KRIs): Simple KRIs used for local management at the Business Unit's level
• BU Base Data: Departmental/functional Units' control and performance data and statistics (a.k.a. KCI/KPI)
Source: Credit Suisse Group / GRM, 2000
7.5 Risk and Process Mapping
OpRisk mapping is based on self-assessment / perception survey and is a qualitative technique to identify, categorise, analyse and assign:
• Specific risks against a standard template
• Controls or other tactics to manage identified risks
• Residual risks and desired levels of residual risks
• Responsibility for management of identified risks
Chart 7.5: Example of an OpRisk Mapping
OpRisk Category: Technology; OpRisk Subcategory: Software; Specific OpRisk: Programming error; Control & Residual OpRisk: Control - Continual program of checking/updating of critical systems, Residual OpRisk Rating - Medium; Resp. / Action: IT department
Source: Credit Suisse Group / GRM
Process or activity mapping is a technique employed to describe business processes in a clear, visible way. In the context of OpRisk, it is designed to provide a reflection of the diverse activities that take place within the departments, identifying risk drivers and controls. It can also help highlight issues such as:
• The time delay between the risk and the control that identifies it. This gives an indication of how long a risk may exist before its controls discover it.
• More than one control to prevent the same risk may indicate over-inspection and inefficiencies or lack of confidence in the process.
• Lack of control to prevent a risk may be a consequence of a process inadequacy.
7.6 OpRisk Dashboard
Risk versus Process Mapping is a detailed bottom-up tool and reflects the staff's skills and understanding. This version, however, is too detailed for senior management use. A more relevant presentation is the one attached and presently being introduced at CSG. CSG's OpRisk Dashboard is intended to provide senior management with a simple overview of operational risk levels and directional trends at the highest reporting aggregation level per business unit, grading category-aggregated risk per BU by colour, as shown in Chart 7.6. The dashboard works on the traffic light principle. Risk indicators aggregated to categories as BU-specific composites or via group-wide sub-categories are evaluated and given a weighting which contributes to the overall OpRisk category risk grade. For reporting of data aggregated below the category level, a similar dashboard is used, which makes use of the additional grading colour black, denoting fields for which no data is being reported.
Chart 7.6: OpRisk: Risk Category by Business Unit (example)
[Grid of traffic-light symbols with trend arrows: rows CSPB, CSFB, CSAM, BU 4, BU 5, BU 6; columns Organisation, Process, Policy, Technology, Human, External]
Legend: Safe - Acceptable; Caution - Marginally Acceptable; Danger - Unacceptable. Trend: Improving; Constant; Deteriorating.
Source: Credit Suisse Group / GRM 2000
7.7 Loss Event Database
A loss event database captures and accumulates individual loss events across business units and risk types. A loss event database is the only tool which measures, quantifies and provides financial OpRisk data. An established and complete database can potentially be used for modelling purposes and be applied to external loss events - assuming apples and apples are compared!
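The roll-up described in 7.4 (simple KRIs tracked as a time series, red flag when a value leaves its established range) and 7.6 (weighted traffic-light grade per category, black where no data is reported), as an added illustration written for this edit and not CSG's own tooling; the ranges, weights, grading thresholds, trend rule and sample figures are constructed assumptions.

```python
"""Added example (not from the original presentation): a minimal KRI
roll-up in the spirit of Charts 7.4 and 7.6. Base data -> simple KRI
-> red flag when outside the established range -> trend over the time
series -> weighted traffic-light grade per OpRisk category, with black
for categories that report no data. Ranges, weights, thresholds and the
sample figures are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

SAFE, CAUTION, DANGER, NO_DATA = "Safe", "Caution", "Danger", "Black"


@dataclass
class KRI:
    name: str
    series: list[float]      # one observation per period, oldest first
    low: float               # established range (inclusive); higher = more stress
    high: float
    weight: float = 1.0      # contribution to the category grade (assumed)

    def latest(self) -> Optional[float]:
        return self.series[-1] if self.series else None

    def red_flag(self) -> bool:
        """Escalation trigger: latest value outside the established range."""
        v = self.latest()
        return v is not None and not (self.low <= v <= self.high)

    def stress(self) -> float:
        """Position of the latest value within the range: 0 at the lower
        bound, 1 at the upper bound, above 1 once the range is breached."""
        return (self.latest() - self.low) / (self.high - self.low)

    def trend(self, window: int = 3, tolerance: float = 0.05) -> str:
        """Compare the latest value with the mean of the preceding `window`
        periods; relative moves below `tolerance` count as constant."""
        if len(self.series) < window + 1:
            return "Constant"
        base = sum(self.series[-window - 1:-1]) / window
        if base == 0:
            return "Deteriorating" if self.latest() > 0 else "Constant"
        change = (self.latest() - base) / abs(base)
        if change > tolerance:
            return "Deteriorating"
        if change < -tolerance:
            return "Improving"
        return "Constant"


def category_grade(kris: list[KRI]) -> tuple[str, str]:
    """Weighted roll-up of one category's KRIs to (grade, trend).
    Thresholds 0.75 (caution) and 1.0 (danger) are assumptions."""
    reported = [k for k in kris if k.latest() is not None]
    if not reported:
        return NO_DATA, "Constant"      # black: no data reported for this field
    total_weight = sum(k.weight for k in reported)
    score = sum(k.weight * min(k.stress(), 1.5) for k in reported) / total_weight
    grade = DANGER if score >= 1.0 else CAUTION if score >= 0.75 else SAFE
    trends = [k.trend() for k in reported]
    worse, better = trends.count("Deteriorating"), trends.count("Improving")
    trend = "Deteriorating" if worse > better else "Improving" if better > worse else "Constant"
    return grade, trend


def build_dashboard(bu: dict[str, list[KRI]]) -> dict[str, tuple[str, str]]:
    """One business unit's dashboard row: category -> (grade, trend)."""
    return {category: category_grade(kris) for category, kris in bu.items()}


def escalations(bu: dict[str, list[KRI]]) -> list[tuple[str, str, float]]:
    """Red-flagged KRIs that should trigger management escalation."""
    return [(cat, k.name, k.latest()) for cat, kris in bu.items()
            for k in kris if k.red_flag()]


# Constructed sample base data for one business unit (five periods each).
SAMPLE_BU = {
    "Technology": [
        KRI("systems downtime (hours/month)", [2, 3, 2, 2, 7], low=0, high=5, weight=2.0),
        KRI("IT security breaches", [1, 1, 1, 1, 1], low=0, high=3),
        KRI("change management events", [], low=0, high=20),   # not yet reported
    ],
    "Human": [
        KRI("absence level (%)", [4.0, 3.8, 3.5, 3.2, 3.0], low=0, high=5),
        KRI("staff turnover (%)", [12, 12, 11, 12, 12], low=0, high=15),
    ],
    "External": [
        KRI("external fraud attempts", [], low=0, high=10),    # no data -> black
    ],
}

if __name__ == "__main__":
    for category, (grade, trend) in build_dashboard(SAMPLE_BU).items():
        print(f"{category:<11} {grade:<8} {trend}")
    for category, name, value in escalations(SAMPLE_BU):
        print(f"RED FLAG: {category} / {name} = {value}")
```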
7.8 Applications and Limitations of Tools
While each tool is valuable, they work best in concert. Combined they support a comprehensive OpRisk initiative. The applications and limitations of each tool are outlined in Chart 7.7.
Chart 7.7: Applications and limitations of each tool
Self- or risk assessment *
• Applications: Reinforce responsibility with business units; Gain agreement on the operational risks and required next steps; Bring together independent views
• Limitations: Depends on method employed - some are more robust than others and can provide greater insights and buy-in; Some alternatives can be time consuming; Primarily qualitative
Impact Scorecard
• Applications: Assess the impact of identified risks by examining its impact on finance, reputation, regulatory, human and organisation
• Limitations: Scoring consistency depends on correct interpretation of a well-defined scoring system
Frequency Scorecard
• Applications: Assess the frequency of identified risks by examining its likelihood of occurrence
• Limitations: Scoring consistency depends on correct interpretation of a well-defined scoring system; Determination of frequency score may be validated by internal loss history, which may be incomplete
Risk maps / process flows *
• Applications: Detail understanding of the operations and the specific operational risk
• Limitations: Tool for lower level staff use - too detailed for senior management; Limited value to senior management; Difficult to maintain current; Primarily qualitative
Risk indicators *
• Applications: Measure effectiveness of operational risk management; Objective, quantitative; As often as daily updates
• Limitations: Risk/indicator correlations are unproven; Some operational risks difficult to measure; Uncertainty if the right measures are being used or just where data are available
Escalation triggers *
• Applications: Predetermine decision or intervention point for management
• Limitations: Depends on the quality of the target setting and the risk indicators used
Loss event database *
• Applications: Provides financial loss-based measures; Tool for empirical analysis; Tool for risk modelling and support for cost/benefit analysis
• Limitations: Data difficult to collect on a consistent basis
Note: * = BBA (1999), p. 71. Source: Credit Suisse Group / GRM, 2000.
"Act in the valley so that you need not fear those who stand on the hill." (Danish Proverb)
8. Operational Risk Transfer: Insurance and Finance
8.1 Insurance as Part of Risk Management
Risk avoidance, risk reduction and control were discussed previously. This chapter deals primarily with risk transfer through commercial insurance and also with risk financing through special purpose vehicles and other financing options. Some argue that insurance is a waste of money: "Buying a bank stock is implicitly buying an industry which is exposed to OpRisk fluctuations; losses disappear between the cracks as part of doing business and often disappear in the P&L." Insurance - in my opinion - is a valuable instrument to transfer risk and also to complement OpRisk management: it forces a bank to analyse its OpRisk and to differentiate between impact and frequency; it avoids the high risk/low frequency situation; it helps to optimise economic risk capital and regulatory capital requirements - if the insurance coverage can be deducted; it smoothes earnings and provides liquidity, assuming a proper contract. Insurance is part of OpRisk management (see Chart 8.1).
Chart 8.1: Insurance - Part of the Risk Management Process
Evaluation of the Risk Situation Risk Strategy: • Avoid • Reduce • Transfer
Financing Options Bear
Source: Credit Suisse Group / GFF, 1999
A bank should - if possible - hedge non-core risk areas that cannot be diversified within the bank itself as they most often represent low probability high impact risks. An insurance company per se is in the business of pricing and holding a portfolio of such risks; it can diversify these risks across many banks, corporations and non-correlated risk classes. Naturally, what should be insured depends on a bank's strategy, activity, size, stakeholders and risk appetite. In my opinion, it is only good OpRisk management to insure diligently against unexpected catastrophic losses.
8.2 Availability of Insurance
At this stage, various forms of insurance related to Organisational risks (see structure, system, IT etc.), Human risks and especially External risks are usually available, presently at reasonable prices. What the coverage - see Chart 8.2 - in reality represents, depends on the fine print, the historical relationship and the standing of the insurance company as well as the competitive situation in the insurance industry.
Chart 8.2: OpRisk Insurance: general Availability
Organisational Risks (Structure, System, IT)
• Loss to Bank: Directors & Officers Liab.; Entity Liab. (organisational Liab.: loss scenario to 3rd parties, customers etc.)
• 3rd Party loss: Employment Practices Liab.; Bankers Profess. Liab.; Directors & Officers Liab.
Human Risks
• Loss to Bank: Unauthorised Acts (incl. trading); Crime Ins.
• 3rd Party loss: General comprehensive Liab.; Employers' Liability; Employment Practices Liab.; Bankers Profess. Liability; Directors and Officers Liab.; Unauthorised acts; Crime Ins.
External Risks
• Property Insurance; Accident and Health; Criminal Acts: Computer crime, Hacking, Cyber Attacks; Bankers Blanket Bond; Theft; Kidnapping and Extortion; Business Interruption
Increasing coverage is available for the protection of information assets and e-business activities
Source: Credit Suisse Group / GRM based on Kessler Consulting, Zurich, 2000
Innovative insurance companies are developing more integrated risk cover products for OpRisk. Swiss Re New Markets has recently created a product labelled FIORI (Financial Institutions Operational Risk Insurance) [25]. It adopts a rather broad-based OpRisk definition and - contrary to traditional contracts - provides a preferable and more timely reimbursement of loss. AON has come up with e-business risk insurance solutions.
25 Avery, R., Milton, R. (2000): "Insurers to the rescue?" in Operational Risk Management, p. 65.
8.3 Strategy and Structure for Insurance Coverage
The insurance strategy of any bank varies by nature: own cash-flow, self-insurance, captive insurance, finite insurance, reinsurance are solutions of varying degree. A possible model is presented in Chart 8.3.
Chart 8.3: Insurance Program Strategy: a possible Model
(amounts for illustrative purposes only)
Amount of Loss (USD MM) | Principles of Risk Management | Possible Insurance Strategy
> 250 | avoid/prevent/reduce | reinsure at reasonable premium
101 - 249 | avoid/prevent/reduce | Captive insurance / self insurance
51 - 100 | avoid/prevent/reduce | Captive insurance / self insurance / Cash Flow
11 - 50 | avoid/prevent/reduce | self insurance / Cash Flow
Source: Credit Suisse Group / GFF, 1998
At CSG, the insurance set-up is structured the following way:
Group responsibility
• Focus on strategy
• Provide protection for catastrophic and large sized losses
• Set uniform insurance framework for all BUs, including minimum retention levels
• Management of captive
• Claims handling and administration outsourced, but monitored by CSG
• Assist in loss prevention initiatives at BUs
• Receive potential claim notifications and losses exceeding a certain amount
• Place cumulative/aggregate risks
Business Unit responsibility
• Analysis of BU's needs
• Implementation of strategy
• Responsibility for first losses remains entirely with the BU, which strengthens loss prevention discipline at the BU
The allocation of the insurance activities by the Group is based on a %-weighting along the following components: loss history, allocated capital, number of employees, trading activities, US/UK activities (see greater litigation risks), common basis.
8.4 Funded Captives
Captives today enjoy an important integrated role in many companies' risk and financial strategy. It is estimated that there are around 5000 captives worldwide today. McKinsey [26] estimated in 1998 that more than a 20% share of insurance coverage is taken up by self-insurance and captives, increasing to more than 40% within a few years. Centralised buying of insurance and greater flexibility vis à vis reinsurance and for loss settlements are the most relevant justifications for captives. Important is that captives regularly have to prove their value relative to market alternatives. While the financial justification remains essential, captives enter the mainstream of corporate financial strategy with a focus on shareholder value. Some are transforming captives into profit centres by writing policies for 3rd parties, writing unrelated business insurance, funding employee benefits and purchasing reinsurance on a direct basis. Captives will be used to manage more OpRisk, not just hazard type risk. We estimate that some firms will even diversify by writing more of their own risks, including "nontraditional" risk and some risks normally difficult to place, for which the number of specialist providers decreases substantially.
8.5 Alternative Risk Transfer
Over the last few years, we have observed a complementary shift from Traditional Risk Transfer (TRT) to Alternative Risk Transfer (ART). Occasional limitation in the supply of certain contracts and insurance pricing in the market have fostered this growth. The move from risk transfer to risk finance equals the move from standard "off the shelf" products to "structured product solutions". Three types of ART solutions [27] can be differentiated:
1. Finite risk insurance is an extension of traditional insurance with 3 - 5 year contracts, involving a tailor-made packaging of different types of insurance. Finite insurance - the naming implies limits - can be layered between traditional insurance programs and self-insurance.
2. Securitization or "Insuritisation" based on bond products models the underlying loss experience of an insurance risk portfolio. Equity based securitization takes the form of a contingent claim on equity markets; capital is only raised when a large loss takes place. The underlying insurance losses are largely random, which is attractive for portfolio diversification, offering the investor an uncertain return but a low systematic risk.
3. Insurance derivatives have their limitations as there are no suitable indices to track, with the underlying economic variables being rather heterogeneous. Therefore, it is not surprising that the only really active insurance derivatives market is the property catastrophe options market at the CBOT.
26 Weczel, R., de Perregaux, O. (1998), McKinsey Quarterly, N° (1998), pp. 95-109.
27 See also Gerry Dickinson: Insurance finds a blend of innovation and tradition, FT 6/6/2000.
1999.thus implying that an OpRisk regulatory capital charge should not be based on volume/size Claims tend to grow in terms of number of claims as well as size of institution Any large losses of financial institutions can have a negative impact on competitors due to the cross-linking among the banks. Insurance has become a more integral part of risk and financial framework insurance and can replace capital or represent "contingent capital". AON and Milliman & Roberts assessment. globalisation.6 1. given the current tendency of the majority to self-insure CAT Exposures . Risk Transfer: 12 Guiding Principles The need for risk transfer solutions will increase arising from factors like complexity. Therefore. often dictated by insurers. insurance buying was an independent function among others. Insurance must not be a safety net for management failures. Actuarial analyses on financial institutions since 198528 suggest S S S S S Known claims/losses in the market can potentially rise beyond USD 2bn (very rare) The database suggests that larger companies are more exposed to large claims Risk does not increase proportionally to the assets . increased pricing. Today.can discourage the purchase of insurance by those potential policyholders that are of perceived lower risk profile in comparison to their peers. management is recognising that insurance is a risk transfer tool and has an impact on the firm's value. Insurance complements risk management and is part of an integrated approach. In a more litigious society. there will be a growing scope for liability insurance.CSG Operational Risks in Financial Services 8. 28 Based on internal. Up to recently. Insurance can help to mitigate economic and reputational consequences. There was a limited choice of coverage offered. reporting to the firm's secretary or chief accountant. 
direct access and/or reporting to senior management has become best practice.there may be a tendency for insured parties to exercise less care and control and potentially experience greater losses than the uninsured S "Adverse selection" . resulting in temporary stock market reactions. 2. 3. It is not a substitute for sound OpRisk management. regulators' requirements and pressure for rational capital allocation. etc. 80 . new technology types of risks. 4. Confidentiality of existence and/or terms of insurance coverage is key due to the following: S "Moral hazard" .the likelihood that insurers will get a riskier-than-average sample. 5.
Insurers . especially for integrated seamless cover. This is the reason why they are good in statistically proven areas. A risk categorisation by insurance companies along an "all banks carry the same risk" methodology may lead to unfair pricing of the risk. Risk transfer by third party insurance and risk financing through special purpose vehicles and other financing options have to be carefully structured. Comparable pooled OpRisk statistics are rare or under construction. and to some extent still is. have come up with rather extended coverage for new risks. OpRisk losses are mostly kept confidential or are part of doing business. This is especially the case when it also includes an insurance consulting service by a knowledgeable 3rd party as to: S S S S S S Risk assessment Risk monitoring On site inspection Risk statistics Requirements on risk management systems Senior management contacts 7. risk transfer pricing remains somewhat opaque.g. Insurance has been. Such a situation is also a function of the insurance cycle and/or availability of coverage through alternative risk transfers.CSG Operational Risks in Financial Services 6.cover the risk they can measure. An improved base of mutual trust between bank and insurance company and of confidentiality assurance is needed. Regulators should give credit against any potentially upcoming capital charge. deductibility in the USA US GAAP.with 300 years experience . including capital markets. some also have improved on more accommodating payout solutions. a largely ring-fenced. particularly in view of: S S S S Tax aspects. SEC reporting Regulatory requirements Perception in the market 81 . What is known to one is not known to the other insurance company. Third party insurance is a complementary OpRisk management instrument. diversify and comfortably assess. Some of the banks' OpRisk areas seem to be difficult to assess. 9. There is limited data-exchange between insurance companies. however. Some insurance companies. 8. 
The increasing "insurability of OpRisk" and a firm effectively being able to get coverage and integrated seamless cover of new types of risks should be a very positive indicator for supervisors as well: another 3rd partyspecialist has seriously screened an operation and considers the respective bank as an attractive professional partner. e. statistics / figures are not readily available as in credit and market risks. 10. highly conditional and often illiquid instrument.
OpRisk issues are somewhat in the same situation today.given the 35'000 banks worldwide with over USD 35 trillion assets The differing "individual" causes. capital availability and the anticipated consolidation of the industry become an issue. combined with lots of efforts and creativity might change the situation. However. mostly being management issues The confidentiality aspects The difficulty of standardising OpRisk accordingly Few new inventions for the financial industry have actually been completed. trading exposures). whereas external risks are largely insurable. A stronger insurance market.CSG Operational Risks in Financial Services 11. supervisors and consultants concentrate on the relevant issues.g. but only rare solutions. With data improvements. the transactions are complex and time-consuming. Insurance company quality. there remains the crucial major difference between market/credit risks and OpRisk: the individual bank itself is the major OpRisk. OpRisk transfers into "Alternative Risk Transfer" solutions have been limited up to now because of: S S S S S The absence of credible banking OpRisk statistics The low number of catastrophic events in banking . They all knew that available data were far from perfect. With increased insurance coverage. There is little transparency on the track record of executed transactions. the reinsurance aspect becomes more important. 12. "Call on God. thereby spreading the risks on a global scale. but would improve over time. but row away from the rocks" (Indian Proverb) 82 . lending. all the other counterparty exposures to insurance companies have to be judged on a consolidated basis (e. there are concepts. Increased insurance demand might lead to major insurers becoming market-makers for capital market transactions. In addition. Perhaps one can compare the situation with the one 10 years ago when the banks started developing modern credit risk management systems. if banks. 
insurance companies could provide improved capital and liquidity protection.low probability / high impact events . In addition. Banks traditionally have spread risk coverage among various insurers in order to spread their counterparty risks. The market is working on OpRisk bonds with embedded options: the option would allow to retain the principal if an OpRisk loss of a predetermined size takes place.
9. Risk Data Methodology: 12 Issues
9.1 The Data Challenge
1. Data availability is a precondition. Models and quantifications are only as good as the data they build on. In OpRisk particularly, the rule "garbage in, garbage out" is of extreme importance when quantifying OpRisk. Many risk areas just cannot be measured; they require judgement, interpretation and analysis. Basically, two types of data, qualitative data and quantitative data, must be distinguished. These data types are just like pictures taken by two totally different instruments - say a camera and a tape recorder. They therefore also require different treatment. Presently, useful data with information content is limited.
2. Activities only turn into data if they are recorded in a form which can be retrieved at a later stage; it is like taking a photograph. Clearly, financial institutions cannot record everything in permanence, while recording many of their actions. In fact, most banks have "photographed" only bits and pieces of the big OpRisk picture in the past. Probably, many banks can already find OpRisk data at the overall level (such as litigation costs) of their organisation or for very specific areas (such as transactions or IT). While more OpRisk data are now being collected on a regular basis and sometimes even down to the business line level, I believe that it will still take some years until OpRisk data availability is such that it provides credible, transparent and relevant databases. The question for OpRisk data is: what do we have already, what do we still need and by which means do we get it? In particular, we will have to establish clarity on two aspects:
• The frequency in which OpRisk data are available or should be available. Do we have and do we need daily, monthly, quarterly, annual, century based data? There is a tendency to argue, the more frequent the better, which would call for daily data. I would say this is neither realistic nor relevant.
• The level of detail at which OpRisk data are or should be available, in terms of content, business lines or clusters, unit, etc. Accordingly, we can also think of having OpRisk data systematically collected for all departments.
3. Structured data is a key rule to success: discipline is required in allocating tags to OpRisk data such as definition, feature, source-, time-, organisation-references, formats, etc. In this context it is extremely important that the information to be captured in the data is clearly defined. This is a precondition for standardisation and tracking possible failures of reporting. Only with this discipline is it possible for data points to be combined in a reliable and credible database system and turned into real information, so as to be able to make use of them.
The financial industry has experienced restructurings and M&A, and will continue to do so. In such situations, significant challenges arise when transforming an organisation or putting two different firms together. See "garbage in, garbage out effect".
4. Data quality and its consistency over time is the issue. Any decent analysis is useless without it. The lack of data credibility results in scepticism and cynicism and undermines any risk management framework. Consistency of statistics is core. It is a prerequisite of fully integrated risk management and risk aggregation. In the data structure, be inquisitive if line people want to change the format; run and compare the old and the new approach in parallel for some time. Disciplined tagging enables comparability across structure and consistency over time. Data structures which are flexible and dynamic in terms of the "sorting" angle from which they can be looked at help prevent us from comparing apples and oranges or losing information. Cumbersome data collection can significantly distract from important risk management tasks. Filtering data into useful decision-supporting information is like extracting a diamond out of tons of mud.
5. External loss and pooled data known in the market have to be carefully interpreted. OpRisk data of an entity is unique as to e.g. characteristics, size of companies, turnover, geography, availability, subjectivity, causality, definition of losses, evaluation on causes of losses, transactions and portfolio types. The third party data providers normally do not explicitly publish statistics on OpRisk along industry segments. Are the OpRisk figures pure OpRisk or are they combined with an element of market, credit or other risks? Are they insurance claims or estimated losses? Are the figures gross or net figures? Do they include the cost to fix the damage? Are the known OpRisk losses relating to banks or to insurance companies or to corporations in general? What are the specific losses compared with revenues, earnings and equity of the respective company? A USD 25 Mio. loss is not the same for a large and a small entity. Caveat vendor?
"Ten crates of data and one little envelope of information. Sign here." © Ted Goff, 1999
6. Banks have very different activities, sizes, structures and processes, management styles. OpRisk data of an entity is unique as to e.g. characteristics, availability, subjectivity, causes, transactions and portfolio types. Such fundamentally different risk drivers can make the credibility of data comparisons and transfers between the banks highly suspect. How can you measure and compare, if you are not sure what to measure and to compare? How can you have confidence in answers on questionnaires of all sorts and even use such for modelling? Assuming a bank collects all operational losses diligently, is there a credible benchmark as a guideline? The only really reliable benchmark is most probably the relative stock market valuation - which naturally also includes various performance indicators and other factors.
7. Data must consistently be reported, loaded and updated. This process has to include quality checks within a predefined structure. Set procedures and automation help to minimise the error potential of loading wrong data and the time resources necessary to perform the data maintenance. Awareness of IT issues for automated loading could avoid many "operational risks of operational risks". Without maintenance, a database engine cannot run.
8. Relevance has to be ensured. Times do change. New environments, new products are put in place. This is an ongoing process. New data content needs have to be assessed and old, less trustworthy and nonsense data must be weeded out. Constant surveys and checks of the type of data being used must be performed to avoid "white noise" or unrealistic indicators.
9. Pollution of databases happens. Once more, in any database development, adjustments are normal practice. These adjustments can provide data users with non-transparent or undocumented indicators. Moreover, polluted and fake data produce not only incorrect or incomplete but also misleading indicators. It is important that we remain aware of these issues if we do not want the "figure-evidence" to mislead us!
10. Data access issues have to be settled. Some of the data are and have to be highly confidential, especially legal / court disputes, which are mostly under a client - attorney privilege. Legal disputes may take long until settlement; respective built-up provisions could be interpreted as evidence of a liability admission by the adversary. Legal disputes and their OpRisk losses are not ideal candidates for data pooling. These aspects should be fully appreciated for the transfer of data and by the regulators. The diffusion and spreading of data are essential for a properly functioning management process and to ensure a control of OpRisks: get the right data to the right person at the right time in the proper form. User transparent data are essential to have control of OpRisk.
11. Sources on OpRisk data can be created through data sharing agreements or consortiums. There are various market initiatives for risk data sharing including Multinational OpRisk Exchange (MORE), PWC's Op VaR Consortium, and the BBA's Global Operational Loss Database (GOLD). These initiatives encountered various obstacles to build a credible and efficient consortium structure. Many shy away from such an approach - understandably so given specific circumstances such as confidentiality aspects, media, and plain embarrassment. Assuming that ways and means for guaranteeing anonymity and confidentiality are found, a data sharing pool for hopefully only relevant figures could become one way for better OpRisk management and benchmarking, assuming apples are compared with apples.
12. For senior management purposes, specific individual OpRisk exposures - which might potentially even be modelled with great pains - should be judged in the overall context vis à vis total revenues, earnings and capital. How relevant and value adding is such an approach if the relevance amounts to 0.03%? In addition, the data collection must be in a reasonable cost/benefit or cost/risk mitigation relationship.
9.2 Using Data: 12 Issues
Never forget the purpose for which you require data! "Not every thing that can be counted, counts. And not every thing that counts, can be counted" (A. Einstein, 1879 - 1955).
1. What is the rationale for a statistic? Who is the provider of data? How trustworthy is the source? Is there a mismatch between intention and interpretation? Statistics can be irritating, confusing and misleading, especially when apples are compared with oranges. H. Truman's word "If you cannot convince them, confuse them" is dangerous in a serious risk management framework! Serious data and statistics show the following characteristics: relevant, objective, consistent, complete, comparable across the institution, credible by facts and perceptions, transparent, interpretable, replicable, auditable, teachable and, above all, OpRisk statistics should enable a business view on future potential risks and the taking of corresponding action.
I personally have reservations about attempts to collect loss data below USD 50'000, or USD 25'000 in the case of transaction processing events, even if they are frequent. Is such a minimal data collection exercise setting the right priorities? How about the relevance vis-à-vis total revenues, turnover, capital, expenses? Can the collection cost involved be justified? Are the data complete (if not, the model might prove wrong)? Only the "hard hits" in the overall context are relevant.

In spite of my critical observations on data and statistics, I am a proponent of a credible and relevant internal database system, which is structured, systematic and consistent, along the suggested 5 major categories: organisation, policy and process, technology, human and external. This must happen along the line suggested in previous chapters. At CSG, a renewed attempt has started to collect loss data along the 5 major categories: organisation, policy and process, technology, human and external.

"Life leaps like a geyser for those who drill through the rock of inertia." (A. Carrel)

A credible internal OpRisk data set should be part of the risk management strategy and framework. The internal set-up should ideally be structured so it can be an adjunct to external databases.

1. You cannot manage risks if you do not have information about them. At the minimum we can say: "What gets measured and observed gets done." Identifying and measuring relevant data and even quantifying risks is good discipline and can be an opportunity. It fosters transparency and is good modern management. Data collection can help enhance transparency, raise OpRisk awareness and widen the scope of reference points for decision-making, just by the effort of collecting data.

2. Measurement encompasses a wide variety of concepts, primarily oriented towards control and measurement of performance and past developments. With the exception of the collection of loss data, the existing tools do not usually produce results in financial terms. Connections between cause and effect of losses have often not been proven statistically. Chapter 7 presented some of the tools.

3. Most organisations have worked on this internally and often in a vacuum. At least within the organisation, identical definitions, standards, accounting codes and relevant key data sets, including for senior management reporting, have to be agreed. Today, there is also a better IT-connectivity potential.

4. Data information extraction tools, transformations, tools and information bases, as well as data measurement systems, have to be efficient, cost efficient and avoid errors. Good management is a bargaining position vis-à-vis insurance companies and potentially capital markets, rating agencies, analysts' requirements and regulators' concerns.
5. How can we convince our shareholders that we know our risks, if we provide them with contradicting, irrelevant or no data at all? Communication of data to outsiders requires credibility. How can we expect to perform a risk transfer, if we do not have a credible framework for the relevant data and information extraction to help the insurer assess these risks? Insurance providers and capital markets are more reluctant to take on the OpRisk of a bank as long as there is neither:
- a serious internal data or information base of an individual bank, nor
- a pooled and credible industry-wide, relevant database for a major push of insurability.

6. Collecting data constitutes an important step for fostering a learning knowledge organisation. It allows the firm to internalise the know-how of individuals, thereby ensuring that it is not lost once these leave the company, and to make it accessible to other staff, such as best procedures to handle customer complaints.

7. Due diligent data collection, reporting and maintenance is an important part of a good OpRisk management. Compliance with documentation duties requires data. Automated data loading, the limitation of access to records and the creation of data backups are key to controlling OpRisk resulting from staff fraud. The possibility of destroying or not reporting material data has to be kept to a minimum.

8. Credible data based risk aggregation measures are more easily accepted, because they are reproducible and the result of clear criteria. Their background is more easily understood. Data based aggregation provides the structure and system for treating business lines equally. This is particularly important when OpRisk capital is allocated to specific business lines. A more judgementally driven capital allocation could be perceived as a "dicing-out", particularly when data exist and could be used to perform this exercise at reasonable cost.

9. A "common language" among banks is difficult, particularly for OpRisk. Even if regulators were to require a specific approach for "measurement", its application and interpretation could still vary widely, particularly if this exercise also includes more qualitative elements. Nevertheless I am convinced that the gaps which are presently experienced in such areas as OpRisk will be filled in small but realistic steps.

10. Data and information collection and maintenance is expensive. It requires devoted personnel resources and extended IT-support tools. A cost / benefit analysis is imperative and bound to set priorities and focus. They result from a mix of top-down co-ordination and focussing and bottom-up information collection. The latter must primarily reflect the firm's specific needs, before including other stakeholders' concerns.

11. As time goes by, more and more data and relevant information on financial institutions' actions will be readily available, particularly for OpRisk data.

12. Data assists us in gaining transparency and making founded decisions. However, data and information cannot and should not substitute for using judgement. Data should never prevent one from relying on good judgement. Relevant losses should always be the subject of senior management discussion and have a post mortem and conclusions for the future, otherwise your organisation is not a learning organisation.

"Risk without knowledge is dangerous. Knowledge without risk is rather useless." (P. Jennings, ABC)
10. Quantification of Operational Risks

10.1 Introduction

Since the 16th-17th century, with the Scientific Revolution in Western Europe, the quest for knowledge has focused on the quantifiable aspects of phenomena or events.29 This has allowed significant progress in both science and technology and in management techniques. Critiques, however, have also been raised about the limitations and less desirable consequences of blind quantification.30 Quantification is a powerful tool for enhancing transparency, as long as it is credible. It is thus not surprising that in the financial industry managers and regulators have an increasing interest in quantifying OpRisk. In addition, despite the numerous conferences convened on quantifying OpRisk and involving the top specialists, little substantive has emerged.31

Chart 10.1: Issues in quantifying OpRisk

1. Object (What)
- Dimension: qualitative vs. quantitative; cause/effect vs. causal link; direct observability; context dependency
- OpR: multidimensional and qualitative features make it exponentially more difficult to quantify than say MR or CR

2. Purpose (Why)
- Management control; prevention vs. mitigation; economic capital loss buffer; capital allocation; efficiency optimisation; regulatory pressure
- OpR: OpRisk features suggest potential for improving management control; the necessity for untested assumptions on OpRisk limits application to capital allocation

3. Method (How)
- Expert inputs (qualitative assessment); data analysis (statistical distributions, scenarios, etc.); modelling (EVT, etc.)
- OpR: depends on purpose: qualitative risk change monitoring and management control: bottom-up approach; risk level quantification: top-down approach

Source: Credit Suisse Group / GRM, 2000

29 See Young, R. (1979), "Why Are Figures so Significant? The Role and the Critique of Quantification", in Irvine, J., et al., eds., Demystifying Social Statistics, Pluto, London 1979, pp. 63-75.
30 See Young, R. (1979), pp. 182-184.
31 See Ong, M. K. (1998), "On the Quantification of Operational Risk. A Short Polemic", in Jameson, R., ed., Operational Risk and Financial Institutions, Risk Books, London 1998.
This chapter investigates the three major questions to be answered when proceeding to quantification, as shown in Chart 10.1: what object, why, and how is it to be quantified? This will help us to identify 1) OpRisk quantification possibilities and limitations, 2) the areas of OpRisk where a measurement could be performed and 3) the most appropriate methods for this measurement, in order to strive for:
- the relevance of OpRisk vis-à-vis the total risks
- acceptable costs of gathering OpRisk information
- the credibility of the OpRisk quantification outcome

10.2 What is Quantified in OpRisk?

Chapters 3 and 9 show that OpRisk includes a vast variety of different elements. To ensure a credible outcome of the quantification, it is thus necessary to look at each element of OpRisk one by one, before considering an aggregate OpRisk, as each might require a specific quantification method. In this exercise, we will look at whether it is possible to measure each element of OpRisk separately or whether only a qualitative assessment can be performed.

Quantification / measurement generally involves looking at four aspects of a phenomenon within an organisation:32
- its size, severity or intensity
- its frequency
- its context dependency: different in different situations
- its interaction - contagion/correlation - with other events

The size describes the observed extent of a move. The frequency describes the number of times a move of a given size occurs within say a given time period or a given organisational unit. Both require the ability to observe the phenomenon. The context dependency describes whether the move size is different in different situations or not. This tells whether every OpRisk event is unique in itself or shows regularities in occurrence as drivers do not alter. The higher the context dependency, the less the past will be a good indicator for the future. Context dependency - in contrast to market and credit risk - is generally high for OpRisk as its major drivers - people and organisation - are unique and change permanently. This is why the use of databases of industry OpRisk events has limited relevance for the specific firm. The interaction describes the interlinkages between moves - as for market risks - and this aspect is very important as several OpRisk elements are highly interrelated. These aspects are at the core of the quantification of market and credit risk. For OpRisk, as shown in Table 10.1, fewer elements are effectively observable.

32 See also for example Boose, A. (1996), "Characterisation of Tremor", University of Tübingen 1996.
policy and process". 92 . the more difficult it will be to measure the OpRisk sub-category. You should not make a rule of something unique. Barings. as presented in chapter 4 in the case of BCCI. only permit a quantification based on qualitative assessments. rather judgemental assessment of the observability of the size and frequency of moves as well as of the relevance of context dependency and interaction for each OpRisk sub-category. quantification would allow identifying and tracking changes of the risk level over many years.1 shows that. CS Chiasso. etc. "Organisation. while some elements should be measurable. however.CSG Operational Risks in Financial Services Table 10. For these elements of OpRisk. "Technology" and "external risks" should allow for a database based quantification. most are difficult to measure. but not determine the absolute level of this risk. The lower the observability of moves in terms of size and frequency and the higher their context dependency and interaction. In such cases a qualitative assessment offers the best alternative for quantification.1 provides a crude. Table 10. similar to the one performed for market or credit risk. Fields marked in green indicate a somewhat credible data based measurement.
Table 10.1: Features of the 20 CSG Operational Risk Sub-categories33

Columns (each rated High or Low): observability of size | observability of frequency | relevance of context dependency (different in different situations) | relevance of interaction (correlation with other sub-categories)

Rows (OpRisk sub-category, grouped by major category):
- Organisation: Governance/Structure; Culture; Communication; Project Management; Outsourcing; Business Continuity; Security
- Policy/Process: Policy and Process; Compliance; Product; Client
- Technology: Technology Infrastructure; Software and Hardware; IT Security
- Human: Employee; Employer; Conflict of interest
- External: Physical; Litigation; Fraud

Cell ratings as they appear in the source (the cell-to-row assignment is not recoverable from the extracted text): High High Low High High Low Low Low High Low Low High High High Low High High Low Low High Low Low High Low High High High High High High Low Low Low High Low Low Low High Low Low Low High Low Low High High High High High High High High Low Low Low Low Low Low Low Low Low Low Low Low Low Low High High High High High High High High High High Low High High High

Source: Credit Suisse Group / GRM (2000)

The subjectivity implied by the coarseness of the assessment forbids a generalisation and founding decisions on quantification on it.

33 The assessment of the various dimensions in the table is based on a crude - Low/High - intuitive scale to allow simple preliminary understanding. The scaling is not absolute but relative. Each individual line assessment is made relative to all the other lines (sub-categories) of the table: e.g. context dependency is high for Governance as compared to say for Software. Refinements of the scale should be made within the particular context of each institution, particularly in assessing the relevance of context dependency and interaction. Clearly the quality of the assessment highly depends on the number and degree of refinement of each individual OpRisk sub-category.
Given the challenge that only relatively few elements in OpRisk are credibly measurable and quantifiable, the quantification of the overall level of OpRisk will be subjective, as only HIGH PROBABILITY LOW IMPACT OPRISK EVENTS provide enough observable data to allow the measurement of the OpRisk LEVEL. THE LOW PROBABILITY HIGH IMPACT OPRISK EVENTS merely allow the tracking of the CHANGE of the risk level over time. Chart 10.2 summarises the major issues involved in this managerial challenge.

Chart 10.2: Major Challenge in OpRisk Quantification resides in Low Probability High Impact Events (probability of event against severity of impact)

- High probability, low impact (Medium Risk). OpRisk evidence shows that this option is common: high probability low impact events are a feature of some OpRisk sub-categories; measured data exist => potential for quantification => measurement of the risk level is possible, but is it relevant in the overall context?
- High probability, high impact (High Risk). OpRisk evidence shows that this option is highly unlikely: extreme events are very rare and not comparable across firms or over time.
- Low probability, high impact (Medium Risk). OpRisk evidence shows that this option is the most common: low probability high impact events are a feature of several OpRisk sub-categories; problem of few measured data => priority for quantification => scenario based risk level quantification => measurement of the change in risk level possible, based on qualitative OpRisk assessment.
- Low probability, low impact (Low Risk). Risk-return considerations question the building up of databases => no relevance in the overall context => no priority for data search and quantification.

Source: Credit Suisse Group / GRM, 2000

The limitations of databases of past losses from numerous sources to quantitatively fill a hypothetical "high probability, high impact" OpRisk box are twofold. First, using external data to populate the internal database on such events is of limited help: often, it would boil down to attempting to make a rule out of something unique (BCCI, Barings, etc.). Such databases consider different definitions and causal environments of OpRisk and are thus difficult to apply to a specific firm environment. Second, significant changes have occurred in the area of OpRisk, making the past a bad indicator of the future in OpRisk. These changes include:
- restructured / merged entities
- increased transaction volume and interdependencies
- changes in delivery channels and underlying business processes
- greater distribution of control responsibilities
- new technology
- organisation and cultural changes

Therefore, the focus on the more realistic "high probability low impact" and "low probability high impact" events would allow better possibilities in progressing in the quantification of OpRisk. However, it is essential on the management level not to make the measurable important, but the important measurable.34

34 McNamara.
10.3 Purpose of OpRisk Quantification

Before starting to quantify OpRisk, one has to be clear about the purpose it should serve. The decision of which purpose OpRisk quantification should primarily serve will determine its output and, by the same token, the input - in terms of data or qualitative assessments - it requires. Here we have to make sure that the quantification of OpRisk - whether via modelling or another method - is focused on and compatible with the business needs of the firm. In other words, we have to ensure that:
- the quantification output is geared for management needs
- the quantification makes the most efficient use of existing resources and is relevant and credible

As discussed in chapters 6 to 8 and summarised in Chart 10.1, several management needs can be distinguished. Each has a different requirement on the approach to and output of an OpRisk quantification. These are loosely summarised in Chart 10.3.

Chart 10.3 35 indicates that for OpRisk control, mitigation and prevention purposes, only a coarse assessment of the CHANGE OF OPRISK OVER TIME is required. Qualitative assessments - such as periodic checklist-based reviews requiring relatively simple input - are sufficient to perform such tasks. Such assessments can be implemented on a stand-alone basis by a management unit. Their output could be a scaling or rating of the OpRisk level to monitor its development over time. Using elaborate database-driven OpRisk systems for such purposes would at best be overdoing the job and most likely wasting precious time and human resources. Being clear about the purpose also helps to avoid trying to crack a walnut with an air drill!

Chart 10.3: Focusing OpRisk Quantification on Management Needs

Management need | Minimum output requirement | Coverage & approach
- Control | Qualitative OpR assessment; OpR change over time; accountability allocation | Selected mgt units; bottom-up / line mgt
- Mitigation | OpR driver identification; qualitative assessment of OpR drivers; OpR mapping & contingency plans | Selected mgt units; bottom-up / line mgt
- Prevention | OpR driver identification; qualitative assessment of OpR drivers; OpR mapping & early action triggers | Selected mgt units; bottom-up / line mgt
- Capital loss buffer | Quantitative OpR level assessment; identification of overall OpR risk appetite | Overall firm; top-down
- Regulatory demand | Quantitative OpR level indicator; credible or industry standard method; link of OpR indicator to economic capital | Overall firm; top-down
- Efficiency optimisation | Quantitative time-mapping of work flow; 80/20 focus on core processes; cost allocation on work flow elements | Selected mgt units; bottom-up / top-down
- Capital allocation | Quantitative OpR level for each mgt unit; units' OpR level correlation matrix; allocation rule based on unit's risk level | Overall firm, all mgt units; initially top-down, advancing to bottom-up

Note: OpR = OpRisk. Source: Credit Suisse Group / GRM, 2000

35 In the column on "output requirements", the simpler requirements - qualitative and overall OpRisk assessments - are shaded lighter than the more difficult requirements - quantitative and level OpRisk assessments. In the "coverage & approach" column, the less resource intensive coverages / approaches are shaded in green, while the more resource intensive ones are shaded in pink.
The improvement of operational efficiency and the generation of a capital allocation taking OpRisk into account require the assessment of the OpRisk level, ideally for each individual organisation unit, and an OpRisk correlation-based capital or cost allocation mechanism. This requires many data points and thus a more complex input, generally relying on large databases of KPIs and KRIs. The methods used to perform these tasks have to allow for integration in the market and credit risk quantification and cover a large part of the firm's activities. The output that would have to be produced for such purposes can range from a precise overall level of OpRisk to a risk adjusted return on capital (Raroc) or an OpRisk-VaR. They also allow a coarse quantification of the overall OpRisk capital.

As indicated in Chart 10.3, depending on the management need, the most suited approaches to and extent of coverage of OpRisk quantification differ. All-encompassing bottom-up approaches - covering the entire organisation of a firm - are resource intensive and costly.36 This is because bottom-up information gathering is time intensive and cumbersome as long as no automatically loaded OpRisk database exists. In contrast, focused bottom-up approaches limited to key parts of the firm, and top-down approaches, mobilise much less resources. They offer the advantage of providing a firm-wide, standard and systematic framework for OpRisk. Very often, therefore, top-down approaches offer a more pragmatic and adequate alternative to quantify OpRisk.

10.4 How to Quantify/Model OpRisk

Once the questions of what and for which purpose OpRisk is to be quantified are solved, the most suitable quantification or modelling method can be chosen. Chart 10.1 shows that there are a number of choices, including:
- a qualitative assessment
- a process mapping
- a quantitative modelling

36 Because of this, Bankers Trust abandoned quantifying OpRisk based on a bottom-up information gathering. See Hoffman, D. (1998a), "Getting the measure of the beast", Risk, Nov. 1998, p. 40.
Chart 10.4: Modelling Methods of OpRisk

Data Analysis
- Best suited when: low context dependency; high frequency events; many observable data
- Methods: statistical / actuarial / empirical distribution; fit parameter / regressions; extreme value theory (EVT)
- Possible OpR application: technology risk; employee risk; external risk => using quantitative OpR data

Modelling
- Best suited when: high context dependency; all types of events; observable and qualitative data
- Methods: stochastic simulation; stochastic processes; factor / indicator-based / causal theories; decision / event / fault trees; scenarios / influence diagrams
- Possible OpR application: organisation risk; policy / process risk; all other categories of OpR => using qualitative and quantitative data

Expert Input
- Best suited when: high context dependency; low frequency events; few observable data
- Methods: Delphi method; relative fractiles assessment; preference among bets; log of odds assessment; Bayesian approach
- Possible OpR application: organisation risk; policy / process risk; conflicts of interest risk => producing qualitative OpR data

Note: OpR = OpRisk. Source: Credit Suisse Group / GRM, 2000

The techniques depicted in Chart 10.4 under "Expert Input" - such as for example the "Delphi method" or the "Log of odds assessment" - as well as the most simple forms of "decision trees" and "influence diagrams" are essentially qualitative assessments and process mappings. These have been discussed under the US Army experience in chapter 5 and also in chapter 7. In this section we concentrate, therefore, on the techniques depicted in Chart 10.4 under "Modelling" and "Data Analysis", as they are more quantitative by nature. See also Hoffman, D. (1998), "New Trends in Operational Risk Measurement and Management", in Operational Risk and Financial Institutions, Risk Books, 1998, p. 34 ff.

Chart 10.4 provides an overview of the methods at disposal - at least theoretically - to quantify and model OpRisk, which range from quantitative sensitivity analysis to, in their simplest form, qualitative assessments. It is to be noted that the trend is not to use particular models and techniques on a stand-alone basis but increasingly in combination with each other, to do justice to the complexity of OpRisk. This trend of combining various quantification approaches allows firms to tailor-make quantification approaches to their own specific OpRisk environment.38 We will focus on three of the most discussed methods in the OpRisk debate:37
- the factor-derived or indicator-based quantification models
- the statistical/actuarial or simulation based quantification models
- the scenario models

10.4.1 Factor-derived / Indicator based Models

These models apply causal factors to build a prediction of the LEVEL of RISK, but not necessarily of the operational LOSS amount.39 They tend to produce a figure for the relative future value of the causal factors on OpRisk. For example, they would use a combination of error rates, failed reconciliations, staff turnover, employee training expenditure, indicators of the IT system complexity, indicators for the quality of governance, etc., to project a level of OpRisk. These methods could be particularly useful in top-down frameworks to gain insights in both low and high frequency events.

Along these lines, the BIS has suggested an indicator-based quantification as a possible method for the quantification of OpRisk and the corresponding regulatory capital allocation.40 The BIS method is a factor / causal theory model simplified to its extreme. The level of OpRisk is identified by a multiple of a simple observable indicator or a combination thereof, thereby offering the advantage of being easily implementable. Suggested indicators include: gross revenues, fee income, operating costs, managed assets or total assets adjusted for off-balance sheet exposures. It assumes a linear link between the level of OpRisk and business activity. Empirical tests show that this assumption is not verified.41 The indicators are also considered to be only partially representative of OpRisk root causes.42 The BIS method also bears the danger of creating perverse incentives. For example, lowering control related costs would save capital, but also raise the OpRisk. Lowering fee income would save capital, but also crowd out the regulated fee-income banking activities in favour of unregulated financial actors and thereby increase the systemic risk within the financial markets.

But the most important drawback of the BIS causal theory model is that an OpRisk quantification based on exclusively measurable indicators is bound to produce incorrect and misleading approximations of OpRisk. This is because the high context dependency of most OpRisk elements makes qualitative, non-measurable OpRisk aspects critical in determining its level. The drawback of relying exclusively on measurable indicators in factor / causal methods can be overcome by integrating qualitative aspects of OpRisk. However, up to present times the OpRisk literature has remained nebulous about OpRisk explanatory variables.43 There is still a long way to go.

37 Underlined in Chart 10.4.
38 In such cases, aggregating various components of OpRisk - if their calculation is based on different models - could be questionable. The consistency of the assumptions underlying the various models used should then be ensured, otherwise one might end up comparing apples with oranges; e.g. one should not aggregate the results of say an extreme value theory inspired model with the results of a normal distribution inspired model.
39 See Hoffman, D. (1998), in: Operational Risk and Financial Institutions, p. 35.
40 See Basle Committee on Banking Supervision (1999), A new capital adequacy framework, BIS, Basle, June 1999.
41 See Shih, J., Samad-Khan, A., Medapa, P. (2000), "Is the Size of an Operational Loss Related to Firm Size", Preliminary Draft, Mimeo, Jan. 2000.
42 See for example Swiss Bankers' Association (2000), Comments on the Paper "A New Capital Adequacy Framework" of the Basle Committee on Banking Supervision, Feb. 2000, p. 13.
43 See Ong (1999), p. 50f. and p. 181.
10.4.2 Statistical / Actuarial / Simulation-based Models

These models use actual loss data to construct representations of operational loss frequencies and severities in the form of statistical probability distributions. For each OpRisk category or sub-category these models generate a loss distribution. To do this, they require many data points and have to rely on the existence of complete OpRisk databases. Simulation-based quantification models are very popular in the literature on OpRisk, particularly the actuarially inspired Monte Carlo simulation technique.44 The prime reason for this is that they allow filling the data gap prevailing in OpRisk for low probability events. To do this - applying randomly generated inputs to the underlying risk distribution of an OpRisk sub-category - thousands of hypothetical years are simulated, until a stable "empirical" loss distribution is produced. Interdependencies among OpRisk elements can also be taken into account. The process can also be scaled down to individual business lines. In addition, loss distributions for each of their relevant OpRisk sub-subcategories can be generated. The outcome of this exercise (see Chart 10.5) is familiar to market and credit risk specialists. The flaw is that the present state of OpRisk data does not allow for any backtesting of the correctness of the generated distribution. Also, due to the high context dependency of OpRisk, slight changes in the environment will have a significant impact on the generated distribution. These would require reviewing the entire underlying simulation setting.

Chart 10.5: Possible Monte Carlo Simulated OpRisk Loss Distribution for a given OpRisk Sub-Category
(Axes: probability of loss against severity of loss. The expected loss is to be covered by pricing; the unexpected loss, up to the loss level at a given confidence level (which might be a function of the OpRisk appetite), is to be covered by OpRisk capital; beyond that level lie the severe and catastrophic losses.)
Source: Credit Suisse Group / GRM, 2000

44 See for example: Austega, "Banking and Risk Management", Jan. 2000, or Samad-Khan, A., Gittleson, D. (1998), "Measuring Operational Risk", in: Global Trading, Q4 1998, p. 34f.
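The simulation described above, as an added worked example that is not code from the paper or from Credit Suisse: a compound Poisson-lognormal Monte Carlo for one OpRisk sub-category, which simulates thousands of hypothetical years and splits the resulting distribution into the expected loss (to be covered by pricing) and the unexpected loss up to a chosen confidence level (to be covered by OpRisk capital), as in Chart 10.5. The choice of a Poisson frequency, a lognormal severity and every parameter value in DEMO_MODEL are assumptions made for the illustration; a real application would fit them to the firm's own loss data.

```python
"""Monte Carlo aggregate-loss simulation for one OpRisk sub-category.

Added illustration, not Credit Suisse code. The loss-generating process is
assumed: a Poisson count of loss events per year and a lognormal severity
per event. The parameter values in DEMO_MODEL are made up for the demo.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossModel:
    events_per_year: float   # Poisson lambda (assumed)
    severity_mu: float       # mean of log(loss per event) (assumed)
    severity_sigma: float    # std. dev. of log(loss per event) (assumed)


# Assumed parameters: 20 events a year, median severity of USD 10'000.
DEMO_MODEL = LossModel(events_per_year=20.0,
                       severity_mu=math.log(10_000.0),
                       severity_sigma=1.0)


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's method)."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(model: LossModel, years: int = 20_000,
                           seed: int = 42) -> list[float]:
    """Simulate `years` hypothetical years; each year's total loss is the
    sum of the lognormal severities of its Poisson-distributed events."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n_events = poisson_draw(rng, model.events_per_year)
        totals.append(sum(rng.lognormvariate(model.severity_mu, model.severity_sigma)
                          for _ in range(n_events)))
    return totals


def quantile(sorted_values: list[float], p: float) -> float:
    """Empirical quantile: the value such that a fraction p of simulated years lie below it."""
    idx = math.ceil(p * len(sorted_values)) - 1
    return sorted_values[min(max(idx, 0), len(sorted_values) - 1)]


def summarise(losses: list[float], confidence: float = 0.99) -> dict[str, float]:
    """Split the simulated distribution into the quantities of Chart 10.5:
    expected loss (to be covered by pricing) and the unexpected loss up to
    the chosen confidence level (to be covered by OpRisk capital)."""
    s = sorted(losses)
    expected = sum(s) / len(s)
    loss_at_conf = quantile(s, confidence)
    return {"expected_loss": expected,
            "loss_at_confidence": loss_at_conf,
            "unexpected_loss": loss_at_conf - expected}


def expected_annual_loss_analytic(model: LossModel) -> float:
    """Closed form for the compound Poisson-lognormal mean, lambda * E[severity],
    used to sanity-check the simulated expected loss."""
    return model.events_per_year * math.exp(model.severity_mu + model.severity_sigma ** 2 / 2)


def run_demo(confidence: float = 0.99) -> dict[str, float]:
    """Simulate DEMO_MODEL and return the Chart 10.5 summary plus the analytic mean."""
    result = summarise(simulate_annual_losses(DEMO_MODEL), confidence)
    result["analytic_expected_loss"] = expected_annual_loss_analytic(DEMO_MODEL)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:>24}: {value:>14,.0f}")
```

With the assumed parameters the analytic expected annual loss is 20 x 10'000 x e^0.5, roughly USD 330'000, and the simulated mean should land within a few percent of it; the 99% loss level sits well above the mean, and the gap between the two is the capital figure. The paper's backtesting caveat shows up directly in this set-up: changing severity_sigma from 1.0 to, say, 1.5 leaves the median event untouched but moves the 99% loss level by a large multiple, and nothing in the block can tell you which value is right without firm-specific loss history.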
The simulation method offers four advantages:
- Strong quantitative support, once validated with sufficient firm specific data
- Methodology parameters (distribution, confidence interval, holding period) consistent with those employed for market and credit risk
- A specification which would allow the model to generate OpRisk Raroc or VaR measures
- A high degree of integration in the overall risk framework allowing to derive bottom-up capital allocation mechanisms for OpRisk

However, the simulation method has also the drawback of a high degree of complexity and assumptional intransparency, and its implementation will require important resources.45 Also, the present state of data augurs for having to wait several years before backtesting or validation is possible.

10.4.3 Loss-Scenario / Qualitative Assessment Models

These models produce a subjective loss estimate for a given time horizon (say one year) and confidence level (say 99%), based on the experience and expertise of key managers. Qualitative assessment models have been put forward, as they are particularly well suited for tackling both the frequent inobservability of OpRisk and its high context dependency. However, as they rely on the subjective judgement of experts, they are only appropriate for a crude quantification of the OpRisk economic capital level and OpRisk capital allocation. Weaker assessment forms could just require ranking of the OpRisk level for each element of a risk map or checklist.

A purely qualitative assessment can also be turned into a quantification method. This could involve four core elements:46
- A check list for a periodic and systematic qualitative assessment of each element of OpRisk
- A grading scale-based assessment considering criteria such as severity, probability and time horizon of occurrence
- Grading dependent management escalation procedures, action triggers, or compensation rules and reports, as shown in Chapters 6 and 7
- A transformation of the grading into an OpRisk level expressed in say USD

Such methods have the advantage of enhancing transparency of the CHANGE of OpRisk. They also allow a proactive management of the level of OpRisk.

45 An interesting discussion of the features and weaknesses of a distribution function based risk measurement can be found in Kimball, R. (2000), "Failures in Risk Management", New England Economic Review, Jan./Feb. 2000, pp. 3-12. Kimball notes that two major advances in risk management have been to: 1) describe risk in terms of the distribution of potential outcomes and, 2) recognise that, while individual outcomes are not predictable, their distribution was. Kimball also points to the three major challenges this approach to risk faces: recognising that a risk exposure exists, e.g. not ignoring risks particularly in new business lines; measuring correctly, e.g. getting a correct estimation of the distribution of outcomes; orienting capital on the tail or the "hundred-year-storms" of a correctly estimated distribution.

46 For more details see also chapter 5, the section on the US army experience.
10.5 Capital Allocation

As yet, few financial institutions have used modelling techniques to derive or aimed at deriving an OpRisk economic capital or establishing an OpRisk capital allocation mechanism. However, more plan to do so in the years to come. Very few are really happy with their approach.

10.5.1 Bankers' Trust Approach: Combining Methods47

Bankers Trust is seen by many as the leading thinker in quantifying OpRisk. It applies Raroc since the 1970s. This, however, did not prevent it from incurring other problems! BT has been building and expanding an operational loss database since 1993. The database consists of two sections: internal losses and losses from other firms. Significant efforts have been devoted to developing ways of making the external loss information relevant to the firm's features in order to combine both sections and make them complementary. The loss events are classified in the database within one of the firm's OpRisk classes. These classes have been kept to a minimum, given that operational loss events are relatively sparse, and defined based on causation sources such as: resource, asset, etc. This has led to the creation of five classes: relationships, people, physical assets, technology resources and external issues. These classes are more geared to risk management purposes than control oriented.

BT's approach is most suited for financial firms in possession of a sophisticated OpRisk MIS. It involves two steps:
- The risk measurement
- The capital attribution

In the risk measurement process, an actuarial model and Monte Carlo simulation is applied to the loss database combined with a loss scenario modelling. To perform both these steps, the firm relies on its well-populated OpRisk database covering the whole range of the loss distribution, including the long-tail losses. A loss potential is generated for each OpRisk class and for the overall firm, the characteristics of which (a one-year time horizon and a 99% confidence level) are particularly well suited for an integration of OpRisk in the general risk framework.

The capital attribution process builds on a factor-based modelling using a broad array of risk factors, e.g. the training expenses of a given business line or the settlement error rate. These risk factors are detailed at the individual business line and profit centre level. The factor-based model produces OpRisk weights for each business line. Based on these weights, the overall firm OpRisk capital is then allocated/distributed to the individual business lines. A top-down approach is followed for the attribution of OpRisk capital to business lines.

47 This section is based on Hoffman, D. (1998) and (1998a).
10.5.2 Credit Suisse Group's Approach: Scenario Based

In the process of allocating Economic Risk Capital (ERC) for OpRisk, CSG went through an interesting bottom-up and top-down exercise. We asked OpRisk specialists of the business units to come up with a 99% confidence figure on each business unit's estimates on their OpRisk, including restoring to normal operational conditions, but excluding market and credit losses. Not surprisingly, these specialists could not agree even after heated deliberations. Both the CFO and the CRO of the Group were asked to come up with a figure based on past experience, market and literature observation. Both, CFO and CRO, with different backgrounds came up with a very similar overall figure X. This figure X was then allocated to the business units based on a mix of size of assets and staff, past experience and allocated activity. The figure X and its allocation to business units are subject to regular review, based on practicability and experience over time.

While market, credit and business volume risks are based on an ever improving and accepted model for all the various business units, the OpRisk ERC, with all the complexity and limitation of such an approach described above, has been and will continue to be an issue of discussion.

10.6 OpRisk Quantification: 12 Conclusions

Make the important measurable not the measurable important (McNamara).

1. OpRisk is very different in nature to market or credit risk. OpRisk is extremely multifaceted. Therefore, bending it into one simple figure requires making a significant amount of unstable assumptions.
2. An overall quantification of OpRisk is exponentially more complex than the quantification of market or credit risk. The OpRisk quantification faces two major challenges:
   - The high context dependency (different in different situations) of many OpRisk categories / sub-categories
   - The priority to deal with low probability high impact events, for which only very few internal data are available, thereby requiring a credible scenario analysis
3. Each element of OpRisk has a preferred method for its measurement, so when bringing it back to the whole OpRisk, securing consistency is almost impossible.
4. Monte Carlo simulation models can be useful in tackling low probability high impact events. For many such risks, insurance coverage is increasingly available.
5. Quantitative OpRisk models have a long way to go before they can be backtested or validated: until then they suffer from the garbage in garbage out syndrome.
6. Model outputs cannot only be wrong but also misleading.
7. They also require important resources (staff, time, IT).
8. The pragmatic good judgement approach generally provides a valid base for good OpRisk management, as long as there are no credible, relevant and validated models.
9. A combination of qualitative and quantitative approaches offers the most promising avenue to get a grip on OpRisk.
10. In the near future, it is more realistic / relevant / credible to rely on measures capturing the CHANGE of OpRisk than on measures capturing its doubtful absolute level. An OpRisk management based on relevant and credible OpRisk CHANGE measures is more effective than if it would rely on partial OpRisk LEVEL measures.
11. OpRisk management tends to benefit more from the use of risk control indicators (RCIs) than from complex models which would compute and/or allocate an OpRisk amount. RCIs dive into the business process and help to effectively control, cap or reduce OpRisk. Models, on the other hand, would only provide for a more or less precise estimation of the overall level of OpRisk and thereby for an ex-post measurement, but not for an active management of OpRisk.
12. A benchmark based capital charge, e.g. based on fee income, is counterproductive to the control of OpRisk.

"ΔΟΣ ΜΟΙ ΠΟΥ ΣΤΩ ΚΑΙ ΚΙΝΩ ΤΗΝ ΓΗΝ." Give me a place to stand on, and I will move the earth. (Archimedes)
11. Concerns of Supervisors

11.1 The Three Pillar Approach by the BIS

The Basle Committee on Banking Supervision48 has taken a bold step towards updating the international capital framework for banks. Consultations with market participants are still going on. I do not wish to forego any conclusions or predict the outcome of the final version. In the following pages, I want to describe the original intentions of the Basel proposal as to the treatment of Other Risks, and add some of my own concerns and ideas.

In general terms, the role of regulators is the protection of the saver / creditor and the assurance of well functioning banking and financial systems, which includes the avoidance of systemic risks.

The BIS Proposal targets four main goals:
- Promote safety and soundness in the financial system; the new framework should at least maintain the current overall level of capital in the system
- Enhance competitive equality
- Establish a more comprehensive approach addressing risks
- Refocus orientation towards internationally active banks; underlying principles take into account the varying levels of complexity and sophistication

The BIS is moving from the single pillar of minimum capital requirement to a 3 pillars approach.

Pillar 1: Minimum capital requirement
Two alternatives are being studied for credit and other risks:
- A "standardised" approach to be used by a large number of banks
- Internal risk ratings to be used by major international banks

Pillar 2: Supervisory discretion
- A strong national supervisory and regulatory process ensures the maintenance of adequate capital. Supervisors expect that banks will exceed the regulatory minimum requirements. They have the authority to require from banks to hold more than the minimum capital.
- Banks must have internal procedures and tools to determine their own risk profile with corresponding capital. At the same time, they must have a strategy for the maintenance of a proper capital level.
- Supervisors must examine the internal capital measurements and the strategy of the banks. They must examine the compliance with the regulatory capital requirements.
- Supervisors should intervene early if there is a threat of capital inadequacy and require prompt remedial action.

48 BIS (1999).

The Pillar 2 principles effectively extend the current capital ratio approach to a more active and comprehensive framework for managing capital standards. Supervisors may become, directly or indirectly, part of a bank's risk management, including OpRisk; regulators move from primarily macro-regulation to micro-management of a bank. This approach puts a heavy burden on the supervisors' judgemental capability.

Pillar 3: Market discipline
- Greater disclosure of timely and reliable information relating to capital structure and risk exposures by banks is proposed.
- Greater transparency (not to be confused with huge data quantity) and increased market pressures should encourage banks to manage risks and capital more effectively.

My suggestion Pillar 4: EARNINGS CAPACITY IS MORE IMPORTANT THAN CAPITAL

From a practitioner's perspective, it is interesting that a lot of efforts are devoted to Pillar 1. I would argue that a clearly stated Pillar 4 is needed (I would have preferred calling it Pillar 1). Sustained, sound and diversified profitability is THE precondition for protecting creditors and avoiding systemic risks. A bank can comply with all existing and future capital changes, have an outstanding qualitative risk approach with the most sophisticated quantitative models and still represent a supervisory problem: lack of profitability. While supervisors cannot and should not be directly responsible for profitability, such a Pillar 4 should always be in the minds of the supervisors for the overall judgement of a bank and its risks. Back to the traditional, simplified, but intensified CAMEL approach: Capital, Asset, Management, Earnings, Liquidity.

In addition, the level playing field issue needs serious attention, this not only among banks, but also vis à vis non-banks. Market participants have become emancipated: the savers save less, they increasingly invest in non-traditional savings products, money is actively managed through other vehicles than "savings". There is convergence of almost all aspects of financial activities. Why do regulators not apply the same requirements for converged and changed activities? Is there not a unique chance to level the field for banks and non-banks? A meaningful contribution would support the credibility of the new 3 Pillar requirements which are targeted at banks only.

Supervisors are concerned about systemic risks and the role of the banks in the e-commerce environment. They are concerned that services are offered by respectable, well trained people with appropriate standards of probity.
11.2 The OpRisk Regulatory Solution: 12 Points from a Banker's Point of View

1. A prime concern for supervisors should be my Pillar 4: sustained, sound and diversified earnings and profits, which are based among others on good OpRisk management. Survival is not only about capital, it is also about performance: revenue growth and its diversification, efficiency ratios, provisions, years of uninterrupted dividend record, clients distribution, geographic distribution, new activities, major clients gained or lost, etc. In addition, rating agency reports could also be a major source for a supervisor's judgement.

2. How important is confidence in market signals for supervisors? For argument's sake, there are 50 major quoted banks with an assumed 20'000 shareholders each: 1'000'000 professionals and other intelligent individuals, many of them clients, opine every trading day on these banks' total risks, including OpRisk. One million investors buy or hold a favourite stock. One million judgements cannot be that wrong, at least not all the time. Markets judge and discipline every working minute. While stock markets can temporarily overshoot both ways, the relative share price performance should be revealing also for supervisors. There has to be a reasonable amount of trust in the checks and balances of a market, also by supervisors. To complete the picture, there are at least 10 different analysts' reports on any major bank per year, sometimes twice or more often per year, with cross comparisons on strategies and industry development. There is a lot of information to digest for 50 major banks worldwide: 500 reports. They can be quite revealing for supervisors' concerns. Pillar 3 should improve the risk transparency even more, much more than 10 years ago.

3. Supervisors seem to have an increasing interest in exercising their power along Pillar 2, even as Pillar 2 may not become that relevant for regulatory capital purposes. With their requirements and interventions, supervisors can replace a firm's business judgement, for which banks have no option but to "agree". Such power should be exercised in a transparent, proportionate and consistent manner. How predictable will future supervisors' actions for banks become? In reality, supervisors pursue disciplinary and other actions with the benefit of hindsight, potentially even applying new standards to old frameworks, compliance and controls, fully knowing that a major portion of banking is taking and incurring daily risks. It takes quite an irrational attitude to take risks with the aim to fail. Such new judgemental capability, management know-how and industry knowledge will be a unique challenge. In addition, what mechanisms are there for banks to fall back upon if there is a misjudgement by supervisors? Will this result in banks not establishing official policies because supervisors might not agree with them? Unfairly treated staff can leave the bank for better shores; should banks have a choice to select their supervisors?
4. Audits and regulatory requirements by one established supervisor have to be acceptable to other regulators. Doubling up efforts is unacceptable. Cumbersome, uncoordinated requirements, numerous questionnaires, calls on branches around the world are increasingly becoming a burden for banks. Senior management should be able to concentrate on managing the organisation, to control and prevent undue risk taking, for which it needs the necessary time. No bank can avoid deficiencies: the issue is how they are handled. Materiality is the issue. Supervisors should be positively motivating, without constantly bringing up past or insignificant deficiencies. A material, timely resolution of a deficiency and how it was handled by management should be recognised. Assume the past handling of a deficiency as a lesson from which management has learnt and as a new base for handling future deficiencies. It is a truism that misjudgements by banks will happen in the future; they have to be taken into account. It is equally true that banks are still around. If management is not "fit and proper", the supervisors have the power to oust them, if the Board of Directors and/or the shareholders have not done so before. Good regulators intervene before the "capital" is called upon. Good regulators and supervisors know when to start and when to stop, e.g. supervision based on media gossip, irrelevant issues in the overall context, choosing publicly one bank to set a new industry-standard. To be fair, the FED initiative was appropriate, given the circumstances. It may also be worth mentioning that LTCM was not a bank, but was saved by banks under FED leadership; any bank with a major LTCM exposure would have survived based on the direct LTCM exposure in case of an LTCM collapse. Banks have managed up to now the more recent OpRisk challenges such as the introduction of the Euro, the Year 2000 transition and the e-commerce security design rather well.

5. Regulators are aware that OpRisk measurement and its quantification is questionable somehow, but they want it for regulatory charge purposes anyway. Regulators and supervisors should re-examine this simple "fixation" on capital. Capital serves as a cushion for unexpected market situations or an immediate buffer against a bank's quality deterioration. However, capital does not ensure that banks are immune from any failure or a global nuclear war. You can stress any bank to death with all its capital, anytime, anywhere. It only depends on your perspective of life, whether positive or negative, your assumptions and your model. Doomsayers find doom anyhow. But this is not how successful business is orchestrated. Banking and its supervision make no exception there. "Real crisis" cannot be managed by regulators, only by management. External shocks can increasingly be mitigated with risk transfer. Regulators and supervisors should be concentrating on the real issues: what-if analyses, with reasonable assumptions. What kind of hits can the firm sustain with regard to revenues, net income before tax, capital? What could such a hit imply for the rating? How is it insured against OpRisk? What kind of insurance does it get compared with others?
6. Why is it that, according to some supervisors, there should be at least as much capital in the banking system as at present? Let us assume: the BIS proposal was introduced already in 1988 instead of the BIS 1988 scheme; also assume there has been no Pillar 1 charge for OpRisk since 1988, assuming non-banks are equally supervised. Would the mishaps have been avoided or would they at least have been smaller? Yes or maybe, as Pillar 2 with its supervisory intervention should have worked. Would any of the mishaps in chapter 4 have been greater than actually was the case? No. To "punish" the banks today for major mishap cases in the past, including those incurred by non-banks, with "corresponding" regulatory capital requirements in the future would erase banks' competitiveness. To ask them for only a "promemoria" capital charge might revive the memory, but would certainly not solve the problem: the issue is good OpRisk management or good management in general.

7. Various supervisors prefer, simplified, "objective boxticking" for capital requirements based on the formula: Total Risk = Market Risk + Credit Risk + Other Risks. Ideally for some, models would produce one regulatory capital for all "Other Risks". "Other Risks" should include primarily risks as to strategy, reputation, business volume, legal, operations, etc. But life is more complicated: Risks as to strategy, reputation and business volume should be handled separately. They should be of prime concern for the shareholders, expressed in the share price, and this over many years; they all should be typical cases for the proposed Pillar 2.

8. Pillar 2 is, generally and simplified, an additional risk management layer by an official outside third party. With the potential introduction of Pillar 2 and its close monitoring, intervening and additional capital requirement power for sub-standard banks, one of the justifications for the planned Pillar 2 must be to react to insufficient OpRisk management. The 9 major mishap cases presented in chapter 4 and others were cases unfit for a modelling approach.

9. Market risk management models have, at least theoretically, access to a history of daily prices of tens of thousands of stocks, bonds and derivatives. In today's context, worldwide, there are close to USD 40 trillion bonds and notes outstanding. Credit risk models combine, theoretically speaking, the experience of more than 30'000 banks around the world with assets over USD 35 trillion. In addition, third party ratings allow cross-checks. With all this background, regulators require the following for internal credit risk models: a model must be well integrated with the bank's day-to-day credit risk management, conceptually sound, empirically validated and produce capital requirements that are comparable across institutions. Can a similar framework also be applied for OpRisk, an area which is so much more in-house oriented? There is no credible model for multidimensional, context dependent OpRisks as a whole identified (yet).
10. The characteristics of OpRisk are markedly different from other risks:
- Market and credit risks are, with relatively objective market prices or ratings, willingly taken for revenue's sake. OpRisks are usually not willingly incurred and not priced in the market.
- OpRisks are primarily internal risks or "bank made". External risks have to be handled differently and are largely insurable.
- OpRisks are unique in terms of context dependency.
- OpRisks are incredibly multifaceted, interdependent, often not clearly discernible from other risks like market or credit, and often not relevant in the overall context of risk exposure.
- Data on OpRisk are often vaguely defined, incomplete, unreliable, and of limited comparability over time for benchmarking purposes.
- OpRisk methodology is in infancy stage: a major portion is qualitative / judgemental, modelling is highly complex or not credible. More attention to a more analytical approach is increasing.
- OpRisk management is largely good general management with quantitative and qualitative targets and is, or increasingly will be, parallel with other factors expressed in the share price and its level above book value.

Arguments against an OpRisk Pillar 1 regulatory charge:
- The completely differing characteristics of OpRisk vis à vis other risks are described above.
- If a common definition of "other risk" or OpRisk already presents a problem, how about measuring, quantifying and modelling, even if only internally? How about industry commonality?
- The value of loss distribution based modelling with proper data for a sub-OpRisk or a sub-sub OpRisk might be limited if the modelling approach of another sub-group is completely different. The value is certainly limited if the risk figure is not relevant in the overall context.
- Checks and controls of the market and reputation aspects entice every bank to NOT incur operational losses, as they increase expenses and/or affect the share price. Risk awareness in general and for OpRisk specifically is much higher today than 5 years ago; rapid industry efforts might be hampered by a regulatory charge.
- Reasonable tolerance of defaults or mistakes should not be risks burdened with capital requirements; this is part and cost of doing business. The latter could actually create perverse incentives, if based on some of the suggested indicators and statistical methods.
- A minimum charge might provide a false sense of security and not foster adequate controls.
- Allocating regulatory capital is not the most effective way to improve OpRisk management, as proven in the past. The 9 mishaps in chapter 4 were not "cases for capital", they were about good management, structural and control issues.
- An OpRisk Pillar 1 charge could be interpreted to mean that the supervisors are not convinced about their successful implementation of Pillar 2. Pillar 2 is the vehicle that disciplines a bank which represents a serious threat to the system. Use Pillar 2 for "outliers": serious deficiencies (which includes OpRisk issues) that are serious in an overall context can be "penalised" with a regulatory charge.
- One-size-fits-all basically is an unsatisfactory approach. Any "unreasonable" charge makes banks uncompetitive, especially if the charge is in no relation to the underlying risk.
- If regulatory market risk capital has a "safety multiplier", why not reduce this multiplier with the introduction of an OpRisk Pillar 1 charge?
- In case of a "reasonable" OpRisk disaster of a firm, it is the shareholders who suffer first, assuming the supervisors have done their job before. Then comes earnings power, after which the "capital" is affected only. Assuming a reasonable position of such affected bank excluding the OpRisk mishap, what an acquisition opportunity for third parties! Such reasonable position should prevail. The real issue is liquidity and funding.

11. There should be no charge under Pillar 1 until:
- Sensible definitions for OpRisk are agreed (including clear boundaries to Market and Credit Risks)
- Relevant risks have been determined
- No double counting is ensured
- Existing multipliers for Market Risk are reduced
- Assurances have been given that less capital will be needed for lending
- Risk transfer is made deductible
- Only quantifiable risk, credible and relevant in the overall context, is selected
- Only for credible unexpected losses
- A credible attempt is made to create a level playing field with non-banks

12. My concerns about the feasibility of OpRisk models and Pillar 1 do not imply that OpRisk management is not a serious issue. It is very much so. OpRisk management is much more than a capital charge, it is about good management. If I were a supervisor, I would proceed the following way, considering the previous points raised:
- Forget the broad "other risk" definition and concentrate on what OpRisk really is. Agree with the industry on a definition of OpRisk and its categories, along the lines described in chapter 3.
- Go through the 12 S's of an organisation as presented: Supervisors should be concentrating on structures, policy and processes, not on specific judgements on counterparties and personalities. I would suggest that some of the S's could be used for simple weighting of deductions or add-ons for Pillar 1, "if there has to be one", or of a potential Pillar 2 charge for outliers. Example:
  Structure: 20%
  System, systems: 20%
  Safety: 20%
  Staff, skills, style: 20%
  Synchronisation: 20%
  This way, a majority of potential OpRisk issues can be judged and ticked off quickly and easily.
- What are the really relevant OpRisks in the overall context of an organisation? Concentrate on high impact - low frequency risks, not the modelling of a sub-group risk, or losses irrelevant in the overall context (even if convincing as to calculation). What is the organisation doing about high impact - low frequency risks? What is the high impact - low frequency risks exposure of the organisation after having transferred risk to third parties? Become knowledgeable on OpRisk insurance.
- Check regularly on the 5 major OpRisk-categories, Organisation, system, technology, human and external risks, and their subcategories.
- Check regularly on business continuity plans, systems and safety measures, including IT aspects: This is crucial risk awareness and disaster preparation management.
- Ask for major legal disputes on a confidential, unnamed basis. Are there significant problems, issues, solutions? Effect on ratings, clients, capital raising?
- Ask for over-budget projects, including IT, plans.
- What is more important: a regulatory charge or good management? What does the stock price of a financial institution, also in relative terms, indicate? What is the opinion of rating agencies / analysts? How often are interbank premiums of an institution checked?
- Above all and of prime concern: What is the loss absorption capacity of an institution? Apply simple models and stress testing such as: "hit absorption capacity" versus earnings and capital. This is the real issue.
- Check regularly on the status of data collection and modelling efforts. Check on the contribution of each firm regarding OpRisk industry efforts.
- Ask regularly for the 3-5 major, self-assessed concerns in the OpRisk area. Check on ongoing or planned efforts handling them. Re-check and supervise closely if the firm has missed a major one ex-ante.
- Major restructuring cases, new activities, major IT-projects, mergers etc. deserve special attention.
- Credible insurance contracts, credible models for OpRisk with credible statistical evidence have to result in lower capital requirements.
- Check on netting arrangements of all sorts. Support and recognise each bank's contribution to improved settlement mechanisms: These are the real issues for avoiding systemic risks, not capital charges of OpRisk or semi-credible OpRisk models.
- Establish a rapid deployment force in case of crisis. Have accessibility to all major counterparties, teach-ins, etc.
- Add-ons based on Pillar 2 assessments would be eliminated in a timely fashion after the clean-up of a deficiency. Pillar 2 concerns with a regulatory charge should primarily be oriented towards a reasonable probability of systemic risk or towards failure of the respective firm. Pillar 2 provides the supervisors with enough power to correct a situation.
- The capital charge under Pillar 1 seems to be a foregone conclusion for the supervisors. I personally argue against it, because the issue is not capital, but management. If "there has to be a minimum OpRisk capital charge, simply decide so", then it has to be low in amount, simple to manage and cost efficient. There are various ways to calculate a simple charge for Pillar 1: a simple low percentage of the "other regulatory capital" for lenders and traders, a low percentage on assets managed for asset gatherers, etc. Again, this is an unfair approach for larger entities, as there are no correlations between size and risk; a decreasing scale would reduce unfairness. If the percentage becomes too high, the level playing field becomes even more rocky, because regulators, for lack of better arguments, will calibrate according to their idea of the charge desired.
- Become more flexible and market oriented: If parameters of the industry and the industry have changed, they have changed.
- Be more credible with level playing field efforts. Co-ordinate with other supervisors. Do not double up.
- Make it attractive for banks to remain supervised as a BANK. Life is not only sticks, it is also carrots!

"Half the failures of this world arise from pulling in one's horse as he is leaping" (August Hare)
12. Selected Areas of Future Concern

As mentioned in the introduction, almost anything in daily banking life has an OpRisk touch. In this final chapter, I have selected - there are more - some areas of future concern. These are concerns for any financial institution, irrespective of size and scope.

12.1 Business Continuity Planning
12.2 Customer Complaints
12.3 IT Migration
12.4 IT Security
12.5 Outsourcing
12.6 Money Laundering
12.7 Fraud
12.8 Settlement
12.9 Communication

12.1 Business Continuity Planning

Business Continuity Planning (BCP) is defined as disaster prevention and disaster recovery planning: the goal of disaster prevention is to reduce the threat of a disaster before it takes place. In contrast, disaster recovery seeks to re-establish the critical functions after an interruption or disaster. BCP depends mainly on 4 resources: people, location, IT and external services. Good OpRisk management - also for low probability / high impact situations - is essential for perception and reputation. Effective and efficient management of such a situation is overall probably more important for the stakeholders than the economic contribution of an insurance.

Business Continuity Planning: 12 Basic Checks
1. Does the BCP fit the activity? What are the core activities to prioritise? What are the non-core activities?
2. How much and what information can a core activity afford to lose? How much time can be allowed to restore a core activity to normal activity? What activity needs to be fully mirrored with a back up facility?
3. Does the BCP cover all essential business processes and locations and not only IT and communication infrastructure? Clear responsibilities for shared facilities?
4. Does the BCP include not only electronic data, but also paper archives?
5. How often a year are backup procedures tested for IT-modules and IT-production? How about connectivity, application and user awareness testing?
6. Does the BCP include all IT platforms, including e-commerce? Is the market for emergency procurements large enough or is a two-vendor-policy more advisable?
7. In case of building outages: what percentage of normal business volume has to be functioning e.g. within 1 day and within 2 weeks?
8. How often and thoroughly is the BCP tested and rehearsed with disaster simulation? Is the BCP user awareness sufficient? Does staff understand that a rehearsal is not a performance evaluation, but an evaluation of a plan? Are outsourced activities included in rehearsals? Is the PR department included?
9. Is the BCP regularly updated, especially concurrent to transformation projects? Is it checked at least once a year?
10. Is a backup of a backup needed?
11. Is the BCP consistently a subject for internal audit for all relevant activities and locations?
12. Are the reporting lines in a crisis clear? Is an emergency call list at hand?

A proper OpRisk management requires these questions to be addressed periodically.

12.2 Customer Complaints

Every financial institution pledges customer service and customer satisfaction. But how many really have a proper set-up to live up to this promise? Good customer complaints' handling is good quality and retention management, which again helps to maintain a good reputation. It can be an OpRisk mitigation tool. Only a very small percentage of unhappy customers actually complain, but they tend to tell many others.

Customer Complaints: 12 Basic Checks
1. Do you have a clearly communicated customer complaints organisation with corresponding service lines? Is the service line available 24 hours and accessible in reasonable time? Toll free?
2. Do you have appropriate communication channels to third parties to speedily investigate and respond to a client's complaint that concerns a third party mistake?
3. Is your staff properly trained to counsel irate and even unreasonable customers? Is personnel trained to not trivialise the client's account?
4. Is your staff empowered to make on the spot decisions and gestures? How long does the customer have to wait?
5. How are the complaints referred to specialists or specifically responsible management and staff? How long does the customer have to wait for an answer?
6. Are written complaints answered in writing? In a positive tone?
7. When the bank makes a mistake, is it corrected to the customer's satisfaction?
8. Does your staff handle the situation correctly in case the client made the mistake?
9. Do you keep a complaints log? Does management look at the complaints log?
10. Do recurring complaints lead to action? Do they indicate a faulty organisation, systems or unqualified staff? Do they suggest an operational risk? Are customer complaints a KRI?
11. Do you have an institutionalised control mechanism for follow-ups?
12. Even if only a very small percentage actually complains, do you use customer satisfaction surveys? Do the surveys lead to action?

12.3 IT Migration

IT migration is the process of shifting or adapting an organisation's current IT platform in order to accommodate new products/services or regulatory conditions. Once it has been decided that an existing IT infrastructure is no longer suited to a product line or fails to meet regulatory requirements, it may be layering existing software with updates, or brand new software may be employed altogether.49 A poorly performed IT migration can have long lasting effects on the operation of a business unit, as well as regulatory repercussions. As IT migration involves the inception of new methods and systems, the OpRisk potential is vast.

IT migration: 12 features for success
1. Strong top management support for the project is required.
2. Good project management skills for non-IT related areas are key: leadership is required to complete a successful IT migration. While accountability cannot be delegated, tasks can.
3. A "project building culture" should be fostered in order to create an open and collaborative environment in which a successful IT migration can occur. It should secure that the common involvement of software specialists, team leaders, staff and end users remains open and viable. Users have to be involved early with their buy-ins.
4. The business strategy and product list should be kept constant throughout the development of the software. In doing so, the attributes of the new system need to be agreed upon, as changes after the design has begun may cause expensive delays. Managers need to prioritise their functions and sign up to a 1 year business plan to ensure that the business remains stable.
5. Planning and scheduling of the project and line activities across the Back Office need to be transparent. Projects must plan and budget to keep the core project team in place through the implementation and beyond to manage post-migration issues.

49 Meridien Research Inc., Time for a New Look at Operational Risk, February 2000, p. 3.
6. Implementation ownership should be given to those who will be responsible for the new processes. Accountability of all individuals is key.
7. Project teams and their management need to be located appropriately in order to ensure better resource-utilisation.
8. Laws can change regardless of a firm's preparedness: expedient completion of a project becomes even more important.
9. Standard controls on new processes need to be enforced, along with the associated MIS. If an interim scenario exists where the old and new IT platforms run simultaneously, controls need to facilitate the take-over of the new system as smoothly as possible.
10. Testing of the new system should occur across a set number of days and production data and in a "parallel run" against the old system.
11. After delivery and thorough testing of the new system, staff and user training and preparedness is key.
12. All significant projects should go through a formal review against project objectives.

12.4 IT Security

The central concept that unites all security related issues is that of a "security awareness culture". As IT continues to develop at a rapid pace, firms come under pressure to understand the security implications of these advances. As networks become ubiquitous, access to infrastructure and data becomes a primary concern, as networks virtually define the operations of the business. Be it the availability of safe networks, adequate staff training or data storage and backup, the absence of a focused security work ethic will undermine protection efforts. From the perspective of OpRisk, failure to provide sufficient security is perhaps the greatest worry. A weak security infrastructure is increasing the number of people gaining access to the skills required to attack a network or data. For competitors, the incentive to take advantage of this time lag is great. Furthermore, the loss of public goodwill and client confidence will vastly outweigh the costs of installing and maintaining satisfactory security.50 This figure will rise in the foreseeable future, and therefore firms which fail to recognize the urgency of a security culture will bear the brunt of those costs.

50 For example, the cost measured in lost productivity due to denial-of-service attacks to the US economy last year was estimated at USD 10 billion.
IT security: 12 issues
1. An organisation must have a security culture approach to protect its data and IT. IT security begins with the front line user on a day-to-day basis. Do we have a culture that minimizes reaction times and the frequency of lapses and errors?
2. The password is the first mode of data and network protection. Is staff, although asked to change network or software passwords frequently, effectively doing so? Are passwords shared just for convenience sake? Are the passwords complicated enough to be "safe"?
3. Networks of networks have to be protected by firewalls which monitor the flow of information from the outside world. Most typically, this will include traffic from the Internet, contact from travelling employees or communication via e-commerce platforms. A breach at any one of these points could cause damage or theft.
4. Protections significantly reduce the number of infiltrators who can break in. However, some infiltrators will always be able to break firewalls. Proper IT security will, therefore, support focal points detecting intrusions and tracking down perpetrators. Use specialists who are engaged to try to infiltrate your systems.
5. E-mail technology, while common, is one of the least secure methods of communicating. An e-mail may be intercepted, and since multiple copies are usually generated, deletion is more complex than usually imagined. E-mails that are sent to external addresses pose further risk, as the messages leave the closed network of the firm. Users need to be made aware of these and similar facts before a casual error results in damage.
6. E-mail security also involves the sender information. There are commonly used tools which allow the sender of e-mails to change his/her identity and claim to be someone else. ID cards, signature files and encryption codes have to verify additional sender information, which is harder to fake. E-mail encryption is one part of data transmission security.
7. Can data and files become lost or vulnerable because of unclear storage habits in shared drive networks? Are there clear and systematic rules for data access and storage?
8. The system in place is only as good as the training provided to users. Are training manuals, documented user rules available? Is regular awareness training assured?
9. Users can be changing, erratic, capricious and unreliable. Virus authors and hackers are creative, and remain motivated to further improve systems. It is the responsibility of management to create a security culture that is equipped to handle the pace of change.
10. Computer security is about minimising risk. None of the present precautionary measures and future variations of them will ever ensure a system that is 100% secure; a false sense of security should never be allowed to blossom.
11. Computer virus attacks are not going to disappear. Primarily, the first step in preventive measures is following common sense rules of conduct. User awareness promotion and training is the answer.
12. Once a virus has infiltrated the network, damage in some form is highly probable, irrespective of the duration and scope of the attack. With this in mind, a clear and efficient contingency planning is necessary. Backing up crucial information is the most obvious (and simplest) form of a contingency plan. Broader IT contingency planning should be done by each separate business unit by the respective IT Security Officer, however this too requires a clear structure.

12.5 Outsourcing

Outsourcing remains an avenue by which a firm can attain a competitive edge. Outsourcing an operation allows a firm to focus on core activities, gain efficiency and save costs. These advantages have to outweigh the loss of direct control over the service, particularly as the firm retains the inherent risk. Nevertheless, outsourcing is not free of operational risk issues. Too much is at risk. The final responsibility of the outsourced service remains with the firm. This principle is firmly enshrined in law.51

Outsourcing: 12 issues
1. While an operation or service may become outsourced, the ultimate responsibility for it is not. The firm retains the obligation towards its customers and supervisors to ensure that quality, security, transparency and management reporting of the service(s) are sufficient.
2. Managers should establish clear Service Level Agreements in order to mitigate the risks. This involves communicating precise minimum quality and reliability expectations.
3. Key processes and core competences should not be outsourced. Know-how, information and some infrastructures are lost when activities are outsourced. These cannot be recalled within short notice. Therefore, the institution loses some flexibility and potentially its ability to judge whether the provider remains at the cutting edge in the service it provides.
4. As outsourcing generally extends over long periods of time, the selection of the provider has to include an assessment of the sustainability of his/her financial health and the extent of the mutual dependence.

51 For example the UK Banking Act of 1987. The Act states, "The FSA continues to hold a bank's management accountable for the adequacy of systems and controls for the outsourced activity". The FSA also requires that banks inform them if outsourcing an operation may have a "material" effect on the risk profile. The FSA then must consider the proposal at hand and may object to it. See: FSA, Guide to Banking Supervisory Policy, January 2000.
5. The transparent segregation of duties to be performed has to be made clear to both sides. Confusion in this regard will hamper both the operation of the contracted service, as well as recovery efforts should they be required.
6. Without satisfactory management reporting structures in place by both parties, outsourcing can become inefficient and ineffective.
7. Open channels of communication must exist between the outsourcer and the contracted firm in order to make contingency plans realistic.
8. According to FSA rules, an outsourcer must be convinced that the insourcer has adequate safeguards in place.
9. Service Level Agreements must exist even if the outsourcing takes place between units of the same firm.
10. The dependence on external entities may pose hidden risks which could only become apparent at a much later time.
11. These can involve a wide ranging number of issues, such as the supply and/or software failure that the service provider relies upon, over which managers will lose direct control.
12. Data that is used by the outsourcing firm may include proprietary information. It is, therefore, vital that a Service Level Agreement includes provisions for securing confidentiality.

12.6 Money Laundering

Financial Service institutions are - factually and by perception - exposed to money launderers using and abusing the financial system, sometimes using elements of the legitimate economy, or even controlled by criminal elements specifically for that purpose (e.g. BCCI). This is yet another management concern which every financial organisation has to take very seriously.

Money Laundering: 12 Techniques and Schemes
1. Structured cash transactions through currency exchange bureaux and ATM's (automated teller machines).
2. Physical disposal of cash (art, precious stones etc.).
3. Placement of funds into real estate.
4. Alternative remittance scheme involves shifting value from location to location, including the services of regulated institutions (layering).
5. Trade Related Money Laundering: trade in international goods and services, as well as other commercial transactions, are used as a cover.
6. Exploitation of varying VAT rates in different countries facilitated by the legal import/export of goods.
7. Profiting from commission-driven brokerage or securities firms willing to invest huge sums on the behalf of money launderers.
8. Placing large scale regular bets through casinos.
9. Cash purchase and early encashment of life insurance policies.
10. Smuggling of cash, especially from one country to a less vigilant one.
11. Company Formation Agent: Such agents - individuals or entities - create juridical persons or legal entities, specifically "shell companies", or companies with no registered assets or operations where they are registered. These activities are used to layer and integrate illegitimate funds.
12. A major new issue is Internet / Online Banking: Opening and transacting through an online account can remove the face-to-face contact between customer and institution which often is the point at which suspicion initially arises. The identity and location of persons accessing the online account (via the ISP) are often unverifiable, allowing unrestricted access to and control of accounts from any location. Internet banking allows for a single individual to simultaneously control several accounts with different institutions without attracting attention from those institutions with whom the accounts are maintained.

Counter Measures for Financial Services: The UK FSA - as one example - will have an explicit and adequately empowered role in setting and enforcing standards in regard to money laundering.52 The role is no longer implicit as to ensuring firms' "fitness and properness". The proposed rule on compliance: "A firm must take reasonable care to establish and maintain adequate systems and controls for compliance with its regulatory obligations and for countering the risk that it might be used for further financial crime." The essence of counter measures and controls are:
- To exercise care when commencing business with a new customer
- At that stage, and subsequently, to give alert and informed consideration to the possibility of money laundering by a customer or prospective customer
- Where suspicion of money laundering arises, to communicate them to the authorities
- To ensure senior management oversight and control (without impeding the communication of individual suspicions to the criminal investigation authorities)
- To secure and maintain the informed participation in these systems of all relevant employees of the business
- To keep records which may prove significant for subsequent criminal investigations and prosecutions
- To establish systems which follow unusual transactions

Traditional money laundering methods pose serious problems for the financial industry already; the e-money technology widens the scope of criminal activities available for the laundering of money today. Governments, law enforcement agencies, financial services and supervisors worldwide are faced with an enormous challenge. It is, however, financial institutions which arguably bear the lion's share of responsibility in limiting the spread of illicit money via e-commerce. This must happen by adherence to a policy as suggested above and development of IT solutions that resist the trend towards unrestricted size, movement of value and anonymity of users of e-commerce technology.

52 FSA Consultation Paper 46: "Money Laundering: the FSA's new role", London, 4/2000.
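One way a "system which follows unusual transactions" can pick up the first technique on the list above (structured cash transactions through bureaux and ATMs) is a sliding-window check per customer. This is an added example, not code from the paper or from any bank's monitoring system; the reporting threshold, window length, minimum count and the transaction log are constructed assumptions for illustration.

```python
"""Flag possible structuring: several sub-threshold cash deposits by one
customer inside a short window whose total reaches the reporting threshold.
Added example with constructed data; parameters are assumptions, not values
taken from the paper or from any jurisdiction's rules."""
from collections import defaultdict
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000.0   # assumed cash reporting threshold
WINDOW = timedelta(days=7)       # assumed look-back window
MIN_COUNT = 3                    # assumed minimum number of deposits

# Constructed sample log: "timestamp,customer,channel,type,amount".
SAMPLE_LOG = """\
2001-03-01 09:10,C100,ATM,cash_in,9500
2001-03-02 18:40,C100,bureau,cash_in,9800
2001-03-04 12:05,C100,ATM,cash_in,9900
2001-03-01 10:00,C200,branch,cash_in,4000
2001-03-20 10:00,C200,branch,cash_in,4500
2001-03-03 11:00,C300,branch,cash_in,12000
2001-03-05 09:00,C300,branch,cash_in,9000
""".splitlines()


def parse_transactions(lines):
    """Parse the constructed log format into a list of dicts."""
    txns = []
    for line in lines:
        ts, customer, channel, kind, amount = line.strip().split(",")
        txns.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            "customer": customer,
            "channel": channel,
            "type": kind,
            "amount": float(amount),
        })
    return txns


def find_structuring(txns, threshold=REPORTING_THRESHOLD,
                     window=WINDOW, min_count=MIN_COUNT):
    """Return one alert per customer whose sub-threshold cash deposits,
    within any window of the given length, number at least min_count and
    add up to the threshold or more. Deposits at or above the threshold are
    left out here because they are reportable on their own."""
    by_customer = defaultdict(list)
    for t in txns:
        if t["type"] == "cash_in" and t["amount"] < threshold:
            by_customer[t["customer"]].append(t)

    alerts = []
    for customer, deposits in by_customer.items():
        deposits.sort(key=lambda t: t["ts"])
        start = 0
        for end in range(len(deposits)):
            # shrink the window from the left until it fits
            while deposits[end]["ts"] - deposits[start]["ts"] > window:
                start += 1
            group = deposits[start:end + 1]
            total = sum(t["amount"] for t in group)
            if len(group) >= min_count and total >= threshold:
                alerts.append({
                    "customer": customer,
                    "count": len(group),
                    "total": round(total, 2),
                    "channels": sorted({t["channel"] for t in group}),
                    "from": group[0]["ts"],
                    "to": group[-1]["ts"],
                })
                break   # one alert per customer is enough to open a review
    return alerts


if __name__ == "__main__":
    for a in find_structuring(parse_transactions(SAMPLE_LOG)):
        print(f"{a['customer']}: {a['count']} deposits, total {a['total']}, "
              f"channels {a['channels']}, {a['from']:%Y-%m-%d} to {a['to']:%Y-%m-%d}")
```

In the constructed log only C100 is flagged: three deposits just under the threshold across an ATM and a bureau within four days; C200's two deposits are too few and too far apart, and C300's single 12000 deposit is above the threshold and so is a reportable transaction in its own right rather than structuring.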
To put it simply: reinforcement of the KYC - Know Your Client - policy is a core OpRisk issue.

12.7 Fraud53
Fraud: 12 Issues
1. It is people, not businesses or systems that commit fraud. In today's "connected economy" fraud is increasing. Fraud permeates every area of business. Almost one third of all frauds are committed by management. Since management usually makes up a much smaller portion of the workforce, this finding suggests that managers are more likely to commit fraud than other staff. Frauds are "disasters waiting to happen". They often start with a small incident, followed by some sort of a "spiral".
2. What makes people commit fraud? In simple terms, fraud is being committed when a motive coincides with an opportunity. Among the main initiating factors are:
- Pressure to perform: a key factor
- Personal pressure: debt, excessive lifestyle, gambling, etc.
- Other triggers can be: beating the system, greed, revenge, boredom
3. Watch for the unusual as well as for some common fraud indicators:
- Autocratic management style; mismatch of personality and status; unquestioning obedience of staff
- Unusual behaviour; expensive lifestyle; untaken holidays
- Illegal acts of any sort
- Poor quality staff; low perceived status
- Low morale; high staff turnover; lack of intellectual challenge
- Results at any cost; compensation tied to nominal performance
- Poor commitment to control; poor reputation
- Remote locations poorly supervised; several firms of auditors
- Poorly defined business strategy; no "buy-in" by managers and staff
- Continuous profitability in excess of firm and industry norms
- Mismatch between growth and systems development
- Complex structures

The following points illustrate some means and tools to combat fraud:
4. Management and staff being alert to fraud and to warning signs help stop fraud in the early stage.
53 Partly based on Fraud Watch, 2 Edition, Davies, D., KPMG, ISBN 185355 958 X, abg professional information, London.
Management structures and systems: Structures are the foundation of internal control. Problems with structure and system may therefore completely undermine good controls. The following issues should therefore be given particular consideration:
- Degree of collective responsibility
- Role of the chief executive
- Dominant personalities on board and management level
- Interaction between top management
- Relationship between head of division and division staff
- Status of support functions, including risk management
- Remoteness of the reporting lines
- Business unit defensiveness: "them and us"
- Status of front office, i.e. "front office heroes"
- Reward structure undermining the management structure
- Risk alertness

Matrix management structures, while not inherently more risky, simply involve different kinds of risks which are not always easily recognised. Possible points of friction can be:
- Loyalty to a local business head rather than the functional head
- Incentives not aligned with structural responsibilities
- Special arrangements outside the normal management structure
- Lack of relevant expertise to operate a new structure
- Structure impedes implementation of risk management procedures
- Conflicting business objectives
- Culture and ethics
Style and shared values: There are many ways of expressing what is an accepted standard and what is not. What is essential is that all staff at all levels in a company are bound to work under a set of rules which everyone has to accept. Disciplined action by management according to what is not acceptable is essential. A good means to identify the hallmarks of a company's culture is to ask employees which adjectives best describe what it is like to work there. Where there is excessive pressure, risk increases. Problems can also occur where staff or a local entity is not assimilated into a group culture.
Communication: Effective communication contributes to a successful operating environment by securing staff buy-in to strategies and policies and giving management early warning signs of issues.
People and technology: In more recent times computer fraud has become a global issue. The Internet age has removed the traditional safety previously provided by physical boundaries and can potentially replace it with an information and communication "free for all" environment. The attitude of need-to-know is being replaced with need-to-share. The "job for life" ethos has disappeared and - along with it - the traditional loyalty to the firm. IT departments are increasingly staffed with high levels of contractors or are outsourced altogether, which poses risk culture issues. Technology cannot provide all the controls necessary. There remains a high reliance on staff and the application of manual controls. Organisations with loyalty are hard to develop and to retain. The "modern" culture can quickly move toward the "something for nothing" attitude. In such an environment, an increasing number of employees - given the opportunity - will commit fraud.
IT Security: The growing reliance on the Internet for communication makes the issue of IT security more critical. The days are gone when security could be viewed as an IT activity delegated to the IT department. Today, security practices need to be an integral part of the way in which every employee carries out his or her job. To test one's own IT security, the same tools are employed as those used by the hackers. An example is the program SATAN, which was developed in the USA and can be downloaded for free from the Internet. Penetration testing has become another major tool for organisations to look for assurance over their security arrangements. The testing is normally carried out by an "independent" who will attempt to intrude into the system in one or more scenarios such as "an unknowledgeable outsider" or "a knowledgeable outsider", etc. Good testers will use a variety of technical and social engineering techniques to break into the system, only to draw corrective measures. Digital signatures are likely to become the most common method of verifying a user's identity in the electronic environment.
For each category of business risk there is in principle always an equivalent fraud risk. A "fraud shadow profile" can visualise fraud risks more clearly.
12 Rules for limiting hackers' attacks:
- Use regularly up-dated virus software
- Do not allow online merchants to store your credit card information for purchases
- Use hard-to-guess passwords and change them frequently
- Use different passwords for different Web sites and applications
- Use the most up-to-date version of your Web browser
- Send credit card information only to secure sites
- Install firewall software to screen traffic if you use DSL or a cable modem to connect to the net
- Do not open e-mail attachments unless you know the source of the incoming message
- Have a regular awareness and training program
- Act fast on attacks and coordinate the virus control mechanism worldwide
12.8 Settlement

The concept of settlement risk is not anything new to the financial community. Most famously, the Bankhaus Herstatt was rendered insolvent in 1974 due to settlement problems.54 The term "Herstatt risk" has since been used to describe the risk that involves banks making and receiving payments at different times. The degree to which a bank is at risk will depend on trade and settlement window size. While it would be possible to mitigate Herstatt risks via speeding up reconciliation across settlement systems, a live-feed system that simultaneously settles transactions is the obvious preferred solution. That solution will come with the Continuous Linked Settlement (CLS) system in the form of the CLS Bank, which received regulatory approval in the United States. As discussed in the KPMG survey of the CLS Bank, the basic structure involves three types of users.55 The first, "Settlement Members", are shareholders of the Bank, and settle trades using their own accounts held at the Bank. A "User Member" also inputs trades directly into the CLS books, but is not a shareholder or involved in liquidity management. The final user type are the "Third Parties" which conduct settlement via the previous two member types. The CLS settlement process itself will follow three steps: a) the matching of trades, b) the debiting and crediting of accounts held at CLS and finally, c) the liquidity movement between users. The CLS Bank will not allow counterparty substitution, and strict adherence to paying-in times and limit checks are crucial. At present, intra-day trades will not be accommodated, but these may be feasible later. Without going into any further detail of the settlement risk complexity, I am listing key issues that can be used as a check list.

54 BIS (1996), Report, p. 32.
55 KPMG Continuous Linked Settlement Survey, January 2000, p. 6.
Settlements: 12 Checks
1. Know your failed trades: It is imperative that a financial institution knows quickly if trades have been successfully concluded or failed, for whatever reason.
2. Data on trade volumes have to be collected: Statistics should be available to provide daily evidence of trade volumes for both securities and monies transacted. Time series of trade volumes over time show changes in trade volume (expressed in percent or units). This is especially relevant when comparing these statistics to a third party benchmark, e.g. cash trading volume on a selected number of stock exchanges.
3. Benchmarking emulates excellence: Establish benchmarks for each division, sub-division or any group/entity within the organisation, reflecting their respective action/influence parameters. Monitor the discrepancies versus the benchmark and allocate a rating, e.g. acceptable, warning zone, unacceptable.
4. Ageing of failed trades is critical: The ageing of failed trades has to be monitored. Failed trades over a certain amount of days vary from institution to institution, but delays longer than 30 days raise serious questions.
5. Monitoring and analysis is necessary: Detailed daily analysis should be monitored at the lowest operations management level. The monitoring and analysis should - if required - lead to the identification of concrete remedial actions.
6. Management plans should be drawn up: Action plans - for cleaning up the ongoing business issues - should be produced.
7. Drill-down reviews should be performed: Statistical evidence should be reviewed regularly on the lowest level of operations management, at least on a monthly basis. As the seniority of operations management increases, the frequency of reviews should decrease.
8. Risk rating reports: Senior operations management should be made aware of the development of settlement risks, allowing management to allocate resources and recognise potential critical issues. Make the report more easily readable by applying a different colour to each level.
9. Accountability drives the implementation of control actions: Senior operations management must be accountable for actions after warning signs have been analysed, including their monitoring by management.
10. Speak to operations staff: All statistics should only be seen as a means of control; they cannot always tell "the whole story" - to be an informed manager it is necessary to speak to staff in regular intervals.
media clippings and discussion with constructive but critical in. Corporate Communication: 12 Priorities 1. Each of the following 12 priorities or mitigants has OpRisk inherent56. develop the objective. Build the communication team: Turn to the specialist for specific problems. system. Listen to the internal and external world: "Machine room visits". Listen to communication specialists. In a high external risk concern situation. Communication in a loss. Co-ordinate business plans with front offices: To avoid unforeseen settlement problems (e. Companies should identify the risk proactively in order to get the trust of the internal / external world that everything in its power is being done to manage the risk. Design the message: Assess the consequences of releasing an information early or later. In addition.g. a core group has practised before and knows each other well from experience. The Conference Board of Canada. risk or crisis situation needs careful judgement of external risk concerns versus external confidence and trust. processes and organisation in regard to communication is an OpRisk as such. 284 .9 Communication Communication is the lifeline of any financial institution. it is only a question of time.CSG Operational Risks in Financial Services 12. Important. 56 Some suggestions for the 12 Priorities are based on Thiessen. It is not easy to separate internal and external communication in crisis situations. but senior management determines the message and the audience. regardless whether external confidence in the institution is low or high.: "Don't gamble with Goodwill". Be honest. entering new markets) it is imperative that senior operations management is well connected with the front office business drivers (see synchronisation). Ideally. Credible specialists provide details or background information.and outside sources can reveal real concerns significantly. open and frank . 2. 3.00 Report. Too early an information might endanger the accuracy . 
communication is a must. unexpected significantly higher and unmanageable volumes. however: internal communication has to take place at least at the same time as external announcements. It basically is a demanding task in regard to all of the 12 S's of an organisation: easy in wording.waiting too long is an invitation for third party speculations. Understand the context: Get the right information on a problem. an ineffective communication set-up can escalate any other loss or risk situation. K. sometimes awesome in implementation.or your credibility will suffer. 127 . The structure. whether factual or by perception: from cracks to crisis. determine the risk communication type. internally and externally. 12. processing of new instruments. 4. Below is a short description of a risk mitigants framework for communication risks.
Circumstances are less important than loss quantification. Simplification of all the above is a means to differentiate in the ever increasing "Information-Gau". crime. communicate with supervisors ahead of public statements. Banks with their losses and risks are especially interesting: it is so easy to put up a headline . Review the communications program prior to implementation: Communication has to be integral and consistent: "use same language". touchable. Deviations from factual and normative expectation make the news. 128 . Conflicts always help to dramatise: Chairman. the more visible. the following four "R's" apply: regret. 7. sex. The headlines these days: money. CEO and ExB Members are prime targets. auditors. 5. drama. Depending on the situation. Personification reduces the factual issue complexity: "bad guy" in a complex loss situation. experts. Therefore. consultants. Moralisation along "good" and "bad": moralisation is always personification. so that outside message / media is also relevant for internal people management. conflicts. e.CSG Operational Risks in Financial Services The media has an immense influence on many employees of the company concerned. money. Bank activities are complex and difficult to understand: dealing with large sums are ideal media targets. but critical group. emotions. politicians. We have to live with it. Quantification implies preciseness of research. fear. personalities involved and "victims". etc. Localisation gives a sense of identification: the closer. administration. Co-ordinate and co-operate with other credible sources: Examples include: regulators. Always consider the "12 Priorities for media: Complexity-reduction criteria in a complex world" S S S S S S S S S S S S 9. repeat your real message over and over. special interest groups in the audience? Complete the "four R's" in crisis situations: Should a loss or risk situation develop into a crisis situation. 
"Telling a story" is more "attractive" than factual description. Quotes are often taken out of context. Align the message with the target audience: Where does the audience live? Profile? Concerns? Opinions? Perceptions? Specific issues for specific "high interest" group? Spokespersons of stakeholders? NGO's. restitution and responsibilities have to be covered.g.myth of money and size at work. New is what is new to media. 6. Test and practice the program internally and externally with a trusted. sports plus envy. might well be new for media. Quotes used imply seriousness of research: selection along newness value. a large fraud in a trusted bank. reform. despair. hate and hope. emotional. What might be old for a bank. 8.
10. Be credible: Professionalism and credibility are preconditions for effective risk and loss communication. Use statistics and research, but only in lay terms. Avoid negativisms: it takes four positive words to erase the meaning of one negative word. Be brief, clear and concise.
11. Delivery is at least as important as the content: Depending on the situation, empathy rates higher than competency.
12. Evaluate the communication program after implementation: An evaluation should be the base for the next - improved - program. Risk communication programs deserve at least the same attention as the usual corporate programs.

12.10 Transformation Management

Common denominators for major restructurings, mergers and acquisitions: 12 Imperatives

1. Self-critical SWOT analysis:
- Challenge core assumptions: intellectual and emotional honesty is the issue
- If environment / parameters change: transform even if still successful; ideally, be ahead of change or force change
- Focus on opportunity, not on problem
- Look hard at how organisation / target / project really function
2. WILLINGNESS to change and COMMITMENT to the transformation process:
- Hope = engine for achievements: perpetual triumph of hope over experience
- Have a clear mission and a clear purpose
- Have a common vision and a "clear and simple" strategy
- Capitalise on sense of urgency: "burning platform"
- Never forget human emotions
- Absolute priority: desire and ability to change and commitment to lead by example
- Earn the trust of the audience: credibility throughout the process is the issue
3. Goals and activities must generate ADDED VALUES and be perceived as such:
- Focus on what the mission really is in its environment
- Use power of argument, not order
- Top-projects are top-tasks for top-management
- Get advocacy through "committed champions"
4. Mobilise a FORWARD-LOOKING corporate culture:
- New mission sent to everybody
- Key to success: work WITH and not AGAINST the organisation
- "Stretching and pain for everybody" as policy
5. The CUSTOMER / END-USER is the final arbiter:
- Limit internally generated enthusiasm for projects: include customer / end-user early
6. Client only interested in QUALITY he / she receives during transformation:
- View the world through your customers' eyes
- The better the ongoing service, the better the internal and external credibility of the project
- Continuously adjust Business Continuity Plans
7. TIMING and TEMPO are key success factors:
- Trade off between speed of execution (short-term) and building a common culture (long-term)
- Fight of large global Goliath against flexible, local and e-Davids
- Allow for "productive impatience": allow for mistakes
- Cut through "permafrost" of people's attitude: people generally do not welcome the consequences of transformation
8. CREDIBLE ORGANISATION and CREDIBLE TOOLS:
- Source, synthesise and store knowledge of past projects
- Both rational and emotional reactions are to be taken seriously
- Avoid "not-invented-here" syndrome
- Get and keep key talents: money and opportunities
- Have a retention program for key players, incl. transformation team
- Be careful on early retirements: watch the need for organisational knowledge
- Implement with "high-performance" team: those who cannot follow are not part of the team
9. Recognise the "NEW VALUES":
- Transform the whole organisation, not just the "bottom"
- Promote a culture of success, with lifetime learning: create a winner-mentality
- Detect and support new talents
- Foster the brand as HR tool
10. Avoid RESIDUAL COST BURDENS:
- Examine old structures and processes
- Outsource non-core activities
11. Manage INTERNAL AND EXTERNAL EXPECTATIONS:
- Use open, simple and ongoing communication
- Use surveys, "town hall meetings" with global reach, Intranet responses by top management
- "Over-communication" is mostly better than "under-communication"
12. Major transformation projects only have ONE CHANCE:
- Execute the decisions in the spirit of the mission
- If environment / parameters change during the transformation project: change the shift
- Continuously monitor, control / supervise: guarantee for early corrections and an objective final assessment
"People may doubt what you say, but they believe what you do" (Lauris Cass)
List of Abbreviations

ART: Alternative Risk Transfer
ATM: Automated Teller Machine
BBA: British Bankers' Association
BCCI: Bank of Credit and Commerce International
BCP: Business Continuity Planning
BIS: Bank for International Settlements
BoD: Board of Directors
BT: Bankers' Trust
C&F: Commission and Fee
CAMEL: Capital, Asset, Management, Earnings, Liquidity
CBOT: Chicago Board of Trade
CEO: Chief Executive Officer
CFO: Chief Financial Officer
CLS: Continuous Linked Settlements
COO: Chief Operations Officer
CORE: Compendium of Operational Risk Events
CR: Credit Risk
CRO: Chief Risk Officer
CRSA: Control and Risk Self-Assessment
CS: Credit Suisse
CSFB: Credit Suisse First Boston
CSG: Credit Suisse Group
CSPB: Credit Suisse Private Banking
DSL: Digital Subscriber Line
ECB: European Central Bank
EMI: European Monetary Institute
EQ: Emotional Quotient
ERC: Economic Risk Capital
EU: European Union
EVT: Extreme Value Theory
FED: Federal Reserve
FIORI: Financial Institutions Operational Risk Insurance
FOBO: Front Office Back Office
FT: Financial Times
FSA: Financial Services Authority UK
GFF: Group Corporate Development / Finance
GIGO: Garbage In Garbage Out
GOLD: Global Operational Loss Database
GRM: Group Risk Management
GSTPA: Global Straight-Through Processing Association
HBCI: Home Banking Computer Interface Standard
HO: Head Office
IQ: Intelligence Quotient
IRT: Internet Related Technologies
ISDA: International Swaps and Derivatives Association
ISP: Internet Service Provider
IT: Information Technology
KCI: Key Control Indicators
KISS: Keep It Short and Simple
KPI: Key Performance Indicators
KRI: Key Risk Indicators
KYC: Know Your Client
L&C: Legal and Compliance
LTCM: Long Term Capital Management
M&A: Mergers and Acquisitions
MIS: Management Information System
MGT: Management
MORE: Multinational Operational Risk Exchange
MR: Market Risk
NGO: Non Governmental Organisation
NIAT: Net Income After Tax
OECD: Organisation of Economic Cooperation and Development
OpRisk: Operational Risk / Risks
PKI: Public Key Infrastructure
PR: Public Relations
PwC: PriceWaterhouseCoopers
RAROC: Risk Adjusted Return on Capital
RMA: Robert Morris Associates
RMG: Risk Management Group
SEC: Securities and Exchange Commission
SSL: Secure Sockets Layer
SWIFT: Society for Worldwide Interbank Financial Telecommunications
TQM: Total Quality Management
TRT: Traditional Risk Transfer
USAF: US Air Force
USGAAP: US Generally Accepted Accounting Principles
VAR: Value at Risk
VAT: Value Added Tax
WGR: Winterthur Group
Airtevron one. FSA (2000). 6. Basel Committee on Payment and Settlement Systems (1996). All that Glitters . (2000). Risk.. Fraud Watch 2 nd Edition. Jameson. Nov. N. Hanebeck. Special Issue on Operational Risk. 1999. D. "New Trends in Operational Risk Measurement and Management". Boose. 1998.27. 2000. 2000. TM Kessler & Co. D. Naval Safety Centre. "Operational Risk Management". Basel. Jun. BIS. R. RMA. W. Milton (2000) "Insurers to the Rescue?". A. Operational Risk. BS/00/27. KPMB.1 Safety/Naptobs Dept. A.The Fall of Barings.Can it be Quantified?". (1979). RMA. Quoted as BIS (2000). UK. "Insurance Finds a Blend of Innovation and Tradition". Irvine. BIS. MCO 3500. 1997. CMG. et al.. Risk Books. Basel Committee on Banking Supervision. pp. Jewell. 134 . Jan. (2000). Avery. University of Tübigen 1996.61-69. "Characterisation of Tremor". Gapper. J. 1979. Penguin Books. P. BIS.J. From the Schweizerische Kreditanstalt to Credit Suisse Group. Risk Management Group (2000). Sept. (1998a). 2000. Risk Books. CORE (1999). British Bankers’ Association. the Next Frontier. Guide to Banking Supervisory Policy.CSG Operational Risks in Financial Services Bibliography Aichele. 1997. CORE Database. C. "Getting the Measure of the Beast". Quoted as BBA (1999). Basel Committee on Banking Supervision (1998). Ltd. Basel Committee on Banking Supervision (1999a).. J. "Settlement Risk in Foreign Exchange Transactions". 1999. Va. pp. BIS. Norfolk. in Jameson. Bieberdorf. Philadelphia. Operational Risk Manager. (1996). 2000. Net Secure .. 2000. Damned Lies and Usable Statistics". H. Sept. Apr. 2000. "Lies. 1998. BIS. Hoffman. "Other Risks (OR) Discussion Paper". PricewaterhouseCoopers (1999). Dickinson. (2000). (1997). R. Jung. Basel. Apr. "Introduction to Operational Risk Management". "A short Course on Business Process Re-Engineering with ARIS". Denton (1997). Austega (2000) "Banking and Risk Management". "Money Laundering: the FSA's new role". Financial Times. 
"Framework for the Internal Controls Systems in Banking Organisations".. Basel Committee on Banking Supervision (1999). FSA Consultation Paper 46. London. Arthur Andersen. (1998). 2000. 1998 pp. "Enhancing Corporate Governance for Banking Organisations". Hoffman.7-8. Quoted as BIS (1996). Jun. J. Arthur Andersen. Basel. (1998). Jun. Kiang (no date). March 1996. Operational Risk and Financial Institutions. "A New Capital Adequacy Framework". Zurich. Basel. ed. 1998. IDS-Gintic Pte. FSA (2000). 2000. (2000). R.1999. Zurich. "Operational Risk . (2000). C. "Protecting Your Information Assets and e-Business Activities". 38-41. London. P. Demystifying Social Statistics. VX. NZZ Verlag.. Quoted as BIS (1999a). Davies. ISDA. G. Quoted as BIS (1999). Apr. (1998). 2000. Pluto. Spring 2000. Operational Risk and Financial Institutions. Jan. RiskProfessional. Basel. London.
Issue 1/3 May 1999. 1998 Meridien Research Inc. 36-40. Jan. "OPNAVINST 3500. R. Q4 1998. "A Modern Approach to Operational Risk". Jan. Medapa (2000). (no date). Jun. RiskProfessional. Apr. Operational Risk and Financial Institutions. Dec. R. (2000). Morris. A. (2000). B.. Young. (1998). th 135 . K. Jan. M. 1996. et al. 2000. "Digital Buccaneers Caught in a Legal Web". Time for a New Look at Operational Risk. Feb. London. (1994) "Orange County Crisis Jolts Bond Market". Rachlin. 8. Jun. London. 1979. Kimber. (1998). Randall. pp. 2000. Comments on the Paper "A New Capital Adequacy Framework" of the Basel Committee on Banking Supervision. Samad-Khan. (2000). (1988). 1998. London. "Operating the Learning Curve". Mimeo. 2000. 2000. de Perregaux (1998) "Must It Always Be Risky Business?". P. 30. and You Must Do. N°1. (1979).CSG Operational Risks in Financial Services Kimball. Demystifying Social Statistics. M. "Sumitomo Losses Show Up Poor Links". Pluto. "Finding Value in a Collection of Losses". 1998. J. 2000. 2000. New England Economic Review. pp. New York. Operational Risk Training. Senior. (1999). 2427./Feb. D. The Conference Board of Canada. Quantification of Operational Risk. Submarine on Board Training. (1998). Weczel. "Why Are Figures so Significant?". "On the Quantification of Operational Risk. 2000. May. 2000. Swiss Bankers’ Association (2000). CMS. Security and Data Protection. eds. 2000. pp. 34-35. D. The Conference Board of Canada. "Failures in Risk Management". (2000). Risk Books. White Plains. Feb. K. "Is the Size of an Operational Loss Related to Firm Size?" reprint of Operational Risk. Computing. pp. KPMG (2000). S. in Jameson. Operational Risk Manager. FKM. C. (2000). M. 1994. O. A Short Polemic" in Jameson. R.. US Air Force (no date). Ong. F. in Irvine. The New York Times. Lukaszewski. Shih. "Operational Risk in Retail Banking".. Norton. (2000). E. Don't Gamble with Goodwill. (2000). 2000. Preliminary Draft. Saunderson. pp. 284-00 Report. (2000). 
3 -12. (1998). US Navy (1997). (2000). 2000. Global Trading. A. Air Combat Command. Continuous Linked Settlement Survey. Operational Risk Control.. Norris. J. R. Jun. The Role and the Critique of Quantification. P. 20. Financial Times. What FSA Expects. (no title). 1998. Young. Centre for Operational Risk Research & Education. US Navy 27 Fighter Wing (no date). pp.. Feb. 95-103. J. J. Global Council on Risk Management.. Thiessen. McKinsey Quarterly. NYC. Gittleson (1998). Banking Technology.39". Risk Books. "Measuring Operational Risk". Samad-Khan..11-13. 2000. Operational Risk and Financial Institutions. 1997. J. Sommer. A.