Operational Risk: Quantification Models

Editorial

We observe a new wave of appeal for the quantification of operational risk. For banks, the enhanced capital requirements in the upcoming Basel III regime incentivize the exploration of capital optimization potential through more granular and risksensitive measurement approaches. One of these opportunities is the move to (or the refinement of the existing) advanced measurement approach (AMA) for operational risk. The wave of development of a second generation of Advanced Measurement Approach (AMA) models happens – despite the higher regulatory scrutiny – to approve such models given their assessment of model shortcomings in the last financial crisis. For insurance companies, current Solvency II requirements likewise trigger the development of internal operational risk models. At first sight, the less explicit requirements of Solvency II regarding methodology choice seems to be an advantage, but the lack of insurance

industry benchmarks and regulatory rules can cause lengthy and difficult-to-manage approval processes. The aim of this brochure is to give an overview of the critical steps towards the design, development and validation of an internal operational risk quantification methodology. Given our international experience with numerous clients, we have learned that most of them strive for a light approach which combines and integrates existing operational risk framework elements in a robust modeling framework and which doesn’t create excessive operational burden in servicing and maintenance. We are confident that this brochure highlights the relevant issues and that it will constitute a value proposition for the development of an internal quantification approach or at least a jump-start for a thorough assessment of the respective risk and rewards.

Dr. Marc Ryser Partner

Alessandro Lana Manager

Content

1 Executive Summary 2 Elements of a Sound Operational Risk Quantification Model
2.1 Data 2.2 Business Environment and Internal Control Factors (BEICFs) 2.3 Experts’ Judgment & Scenarios 2.4 Model Design & Diversification Effects 2.5 Results & Risk Allocation

6 8
9 9 10 10 11

3 Where is Your Value in Op Risk Modeling?
3.1 Banks 3.2 Insurance & Re-Insurance Companies

13
14 16

4 Lessons Learned & Trends

17

1 Executive Summary

Operational Risk Model Design Whilst big operational risk losses continue to get a lot of media coverage and regulatory wariness of operational risk models for banks and insurance is on the rise, we observe a new wave of appeal for the quantification of operational risk. Triggers for this development are internal requirements on better risk management as well as higher capital requirements from new regulatory regimes (Basel III, Solvency II), which leads companies to explore the risk sensitivity of their calculations and to optimize capital consumption. A sound operational risk model is definitely more than just a formula, because the underlying operational risk profile of a firm needs to be explored by various means to feed the model. All model components, its inputs (data or expert judgment), the calculation engine and the treatment of results, must be surrounded by an appropriate governance framework. The model design, from purely expert driven to very sophisticated Bayesian approaches, must be supported by suitability analysis, indicating in particular why key modeling assumptions are applicable to the firm’s risk profile. The principal challenge is to combine the merits of empirical loss data (objective but backward looking) and expert judgement (subjective but forward looking), both are essential sources of information. To cope with such requirements, Ernst & Young has been developing a Statistical Tool for Operational Risk Modeling (STORM) that is based on our experience with numerous companies in designing, assessing and validating internal operational risk models. The STORM methodology is designed to give defendable answers to regulatory concerns and to optimize costs-benefit considerations of an in-house model development, while still allowing for a flexible structure, which can be easily tailored to each firm’s profile.

Application Fields, Tailoring to the Firm’s Specific Risk Profile In our brochure we predominantly focus on banks and insurance companies, however operational risk is one of the dominant risk categories for Asset Managers and non-financial firms as well. For banks in particular, the more stringent capital requirements of Basel III raise the potential benefits of the Advanced Measurement Approach (AMA) for operational risk in respect to the Basic and Standardized approaches. Many banks are currently reviewing their approaches. The development of a second generation of Advanced Measurement Approach (AMA) models is an observed trend, despite the higher reluctance of regulators to approve such models given that the last financial crisis highlighted human shortcomings in the first generation models. For insurance companies, Solvency II requirements likewise triggered the development of internal operational risk models. At first sight, the less explicit requirements of Solvency II regarding methodology choice seem to be an advantage, but the lack of benchmarks and rules can cause lengthy and difficult-to-manage approval processes. An obvious approach would be to learn from banking experience with AMA models and make appropriate changes to the insurance business.

6

Ernst & Young Operational Risk: Quantification Models

Lessons Learned and Trends A very prominent observation and tendency we notice in the market is the integration of the quantification model in the daily risk management process. Contrary to a stand-alone element for regulatory capital calculation, the model has a clear link to the Risk and Control Assessments (RCAs) framework and to firmwide risk appetite & quantification models. A solid and integrated RCA approach for identifying, collecting and processing bottom-up

risk and control information and allocation of results with similar granularity is a cornerstone of operational risk quantification. A continuous and circular risk management process links RCAs, top-down scenario analysis and the quantification model (based on expert inputs and loss data) as process elements. Such an integrated RCA framework has been implemented by Ernst & Young at many clients (see box “Risk Convergence”).

Operational Risk Model Integrated in the Overall Operational Risk Framework

Key Requirement: sound RCAs process, inclusive risk catalogue (e.g. resulting from Risk Convergence)

Risk Convergence: systematic integration of corporate governance, risk management and control functions. Bottom-Up Risk and Control Assessment Management Top-Down Risk Identification/ Scenario Analysis The main focus is on harmonizing the various elements in order to avoid redundancies and to identify and close gaps in coverage and management of key risks. Risk convergence is implemented on a cyclical basis and has the following components:

Quantification

• Integrated scoping • Integrated assessments • Integrated reporting

Ernst & Young Operational Risk: Quantification Models

7

2 Elements of a Sound Operational Risk Quantification Model

Motivation The initial step for the development of any kind of model is the definition of the model scope and motivation. Beside the implicit purpose of quantifying operational risks, it is important to determine if the need arises from regulatory requirements (e.g. Basel II/III, Solvency II), or if the model development is driven by internal requirements (e.g. Earnings at Risk – E@R, scenario analysis for risk appetite determination). This basic scope definition is the first step to develop key information for a suitable design of the model, such as the appropriate quantiles of measurement, the calculation frequency and eventual constraints in the choice between different approaches. Model Components Thorough Operational Risk model building requires both an overarching governance framework and a robust basis of components, such as Risk and Control Assessments (RCAs) and Business Environment and Internal Control Factors (BEICFs). We will briefly describe these elements, together with indications on common issues and solutions.

The model components are sorted according to inputs, calculations (methodology and engine) and outputs. Model Governance Framework Model inputs, calculations and outputs are embedded in a governance framework that defines all key elements for the sound development, use and maintenance of the model together with a description of how the model aids higher level calculations or further models (e.g. aggregated capital charge across risk types, E@R). This includes in particular:

• Appropriate validation procedures at inception and ongoing • Monitoring changes in the company operational risk profile or
in regulations

• Roles and responsibilities, guidelines for model use and reporting

Data

RCAs/BEICFs Model Inputs Expert Judgment/Scenarios

Model Design/Diversification Effects

Calculations

Data

BEICFs Model Inputs Expert Judgment/Scenarios

Results & Risk Allocation Governance Framework

Model Outputs

Data

BEICFs Model Inputs Expert Judgment/Scenarios

Model Design/Diversification Effects

Calculations

Model Design/Diversification Effects

Calculations

Results & Risk Allocation Governance Framework

Model Outputs

Results & Risk Allocation Governance Framework

Model Outputs

Q1 2011

Q2 2011

Q3 2011

Governance Framework (Model Validation, Operational Risks Monitoring, Aggregation with other Risk Types)

8

Ernst & Young Operational Risk: Quantification Models

2 Elements of a Sound Operational Risk Quantification Model |

2.1 Data

2.2 Business Environment and Internal Control Factors (BEICFs)
Risk and Control Assessments (RCAs) and Business Environment and Internal Control Factors (BEICFs) represent another source of important inputs for the quantification model. RCAs/BEICFs deliver information gained through monitoring of the company’s business and control experience (similar to loss events information). These elements extend the range of information to forward-looking elements (e.g. trends in the industry, upcoming new risks). Typical key information that can be obtained from a well-structured RCAs/BEICFs framework includes:

Data can be information on loss events experienced directly by the company (internal data) as well as information on loss events experienced by peer companies (external data). The information required for appropriate integration in the operational risk model is quite extensive and includes, for example, the definition of a date convention (e.g. settlement date), a clear description of the event, the amounts involved and eventual link to previous transactions and controls (e.g. several transactions resulting from the same event). In particular for external events, guidelines for the selection/ filtering and scaling of data lead to the transparent treatment of model inputs. Data may be collected locally (e.g. at business division or subsidiary level), but should converge in a central database where quality checks are made. Finally, information provided by means of loss data is not only important for the quantification of operational risk, but delivers fundamental inputs for qualitative risk management as well. The definition of investigations and mitigation measures can only be efficient if the quality of loss data information is reliable and detailed, in particular for external loss events.

• A complete risk catalogue that can help to structure the loss • A subset of the risks catalogue (e.g. 10%) can inform about
potential high severity losses (scenarios), which have to be analyzed for tail distribution calibration

data analysis (LDA), in order to model the body of the overall distribution of operational losses

• Common controls and triggers are strong indications of potential
risk/scenario dependencies, which have to be considered for appropriate model design

Leveraged use of such information within a quantification approach is possible only if the RCAs/BEICFs framework is sound, centralized (firm-wide approach) and regularly updated.

Data

RCAs/BEICFs Model Inputs Expert Judgment/Scenarios

Data

RCAs/BEICFs Model Inputs Expert Judgment/Scenarios

Common Issues

Common Issues

• Limited internal data history • Limited information on low-frequency, high-impact • Limited descriptive information of loss events • Unsystematic data collection/loss of information
Solutions

• Not available or inconsistent (e.g. different templates for each business division/ • Not conceived to be input into a quantitative model (e.g. no EL estimation • Outdated information, no ongoing updates foreseen
Solutions for each risk) no aggregated view)

• The usage of external databases or local data consortiums allows for an increase of •
available data, in particular in the high-impact, low-frequency region Structured and inclusive collection process of internal loss events, centrally stored in a relational database

• RCAs/BEICFs framework based on a structured and centralized approach • Regular involvement of risk type-specific subject matter experts for the assessment
of the impact of mitigation measures and forward-looking elements 9 (e.g. Risk Convergence)

Ernst & Young Operational Risk: Quantification Models

| 2 Elements of a Sound Operational Risk Quantification Model

2.3 Experts’ Judgment & Scenarios

2.4 Model Design & Diversification Effects
The two most common modeling approaches are Loss Distribution Approach (LDA) and Scenario Approach (SA). Usually, both approaches are combined to build the overall operational risk quantification model, however with different levels of relative contribution across industries and specific companies (based on the quality and quantity of loss data information). Given the nature of operational risk, where the tail behavior is dominated by lowfrequency, large-impact events, pure SA approaches may be an appropriate choice when justified (e.g. LDA information is marginal) and if no specific regulatory requirement conflicts with such a choice. One of the most challenging steps in the model design is the definition of a sound linkage of LDA and SA components. This ranges from a simple sum to aggregation by simulation. Again, the analysis leading to a specific method must be justifiable and well-documented (no key model assumption based on arbitrary decisions). Accounting for diversification effects (e.g. across risk types) is one of the principal added values in comparison to simple quantification approaches (e.g. the basic indicator for banks under Basel II). Diversification has to be modeled according to the company’s structure and granularity level of inputs/outputs. Finally, the choice of the calculation engine (capability, vendor models) must be consistent with the model requirements, in particular in terms of required flexibility for the ease of ongoing adaptations and improvements, frequency of use, number of users and their quantitative operational risk expertise.

The scenario component of an operational risk model is predominantly determined by two steps: the definition of scenarios and their calibration. For both of these tasks, an integration of expert judgment for tailoring the scenarios to the company’s operational risk profile is a common approach. However, expert judgment should only complement industry information instead of totally replacing it. In particular, industry information on tail distribution characteristics of common scenarios contains significantly more robust information than an often arbitrary expert calibration at high severity quantiles. For example investment suitability and external fraud event severity distributions are typically fat tailed, technical systems and business disruption severity is usually thin tailed (see EY STORM Tool). The definition of scenarios should cover all potential high severity risks and result in a longer-term invariant of the model. The tail calibration of scenarios is pre-dominantly a mid-term invariant (“worst cases assessments should not change frequently”); however it requires at least a yearly review based on the current business environment and new information.

Data

RCAs/BEICFs Model Inputs Expert Judgment/Scenarios Model Design/Diversification Effects Calculations

Common Issues

Common Issues

• Not fully transparent inclusion of expert judgment leads to untraceable process • The calibration of scenarios is neither challenged nor validated appropriately.
Solutions

• Model components are not clearly distinguished

Experts are not fully conscious of the impact of their judgment to the overall result

• Independency assumptions are not supported by appropriate analysis • High sensitivity to few model parameters
Solutions

(no separation of inputs for body and tail distribution)

• The inclusion of expert judgment (deviation from pure data analysis) is well
documented and justifiable. The impact on results in discussed in dedicated workshops

Guidelines describing in detail the scenarios calibration process (inputs, initial calibration and validation)

• In depth analysis of dependencies (e.g. across risks) • Trade-off between model granularity and sensitivity

Separation in Low Impact High Frequency (LIHF) and High Impact Low Frequency (HILF) data clusters, for respectively body and tail loss distribution calibration

10

Ernst & Young Operational Risk: Quantification Models

2 Elements of a Sound Operational Risk Quantification Model |

2.5 Results & Risk Allocation

EY Statistical Tool for Operational Risk Modeling (STORM Tool) A practical multi-purpose operational risk quantification framework:

• Effective method to combine external consortium data with
What happens to the calculation results? This apparently trivial question is probably the most important. Models only conceived for regulatory compliance are often inefficient, because model outputs are not leveraged by the risk management and the company’s top management and may also fail use test requirements. It is very important to have a closed feedback loop, where model outputs are brought back to the company’s management attention at different levels. There is a need for consistency between granularity of the inputs-gathering process and the model outputs’ ability to describe marginal contributions to the total result (e.g. at business division, unit or local entity level). This is a key requirement for targeted and cost-efficient risk mitigation planning of available resources. At top management level, scenario analysis and model results can provide material information about strategic questions. The choice of product offerings and markets should also be evaluated based on key risk information, in order to be consistent with the firm’s overall risk appetite at all times. In particular for banks and insurance companies, since the publication of new regulations on capital requirements (Basel III, Solvency II), the inclusion of risk assessments (qualitative and quantitative) in strategic decisionmaking processes are already on the top of the agenda (e.g. capital optimization). internal scenario assessment to produce a robust capital calculation with limited internal data

• Simple and user-friendly graphical tool for creating, validating
and managing scenarios by translating them into loss distributions and facilitating a meaningful comparison with reference data

• Aggregation of loss distributions across risk types, and
back to organizational unit and risk type based on contributions to VaR

business unit based on a range of widely used copula models

• Allocation of diversified capital (net and gross of insurance) • Comprehensive reporting of diversified and undiversified

capital allocation at various levels, as well as useful statistics on the effectiveness of insurance

Results & Risk Allocation

Model Outputs

Common Issues

• Results cannot be allocated to a “risk or scenario owner”, because the model • No internal reporting of results (risk awareness) • Limited/inconsistent aggregation with other risk types
Solutions

delivers only aggregated figures. This limits the efficiency of incentives setting.

• Integration of results in internal risk reports and regular presentation of results • Clear treatment of boundary events (e.g. with credit risk)
to the management

Besides aggregated results, detailed information on marginal contributions must be part of the model outputs (according to the companies’ risk taxonomy)

Ernst & Young Operational Risk: Quantification Models

11

3 Where is Your Value in Op Risk Modeling?

Operational risk potentially exists in all activities and usually shows its principal characteristic of very negative skewed and fat tailed risk profiles (i.e. the most dangerous type of risk for the company’s survival) in all market segments. Within the financial services sector, banks and insurance companies are usually affected by material operational risk exposure which may reach the same scale of other risk types, such as market and credit risks, depending on the specific business. For asset managers, in terms of direct risks, operational risk is even the dominating risk type. For non-financial services corporations, like energy trading or health care production, operational risk is also a very important risk dimension, in particular for risks that can’t be fully insured. Under the assumption that effective operational risk management is built on both qualitative and quantitative management, the quantification step always begins with the identification of the principal risks types. Even if some common operational risk categories are specific to the company’s activity, many others are shared across industries. For example, “natural disasters” and “business continuity or execution and delivery” usually affect all

companies. This is an important element for leveraging on modeling experience across application fields and compliance with existing or up-coming regulations. Despite the common nature of operational risks, the relative importance of each single category is often market-specific. Regulations and market loss events define trends that may drive risk categories to the top of the list. For example, in the banking and insurance industries we have seen the importance of investment suitability (consumer protection) substantially increasing during the past few years. Asset managers experience new regulations (e.g. UCITS IV, AIFMD) impacting the perception of legal & compliance risks and non-financial services companies are increasingly focusing on natural disasters scenarios. In the following subsections of this chapter, we are going to discuss in more detail the two markets currently mostly affected by regulatory requirements for operational risk quantification: banks and insurance companies.

Operational risks (illustrative examples) Natural Disaster/Epidemic/Business Continuity Execution/Delivery/Process Management Investment Suitability/Consumer Protection Internal/External Fraud Sanctions/Embargos Jurisdiction-Specific Issues Legal/Compliance

Asset Management

Insurance/Re-Insurance Companies

Banks

Industrial Production (e.g. Health Care)

Commodities (e.g. Energy)

Financial Services

Non-Financial Services

Ernst & Young Operational Risk: Quantification Models

13

| 3 Where is Your Value in Op Risk Modeling?

3.1 Banks

Basel II – Second Generation Models During the past few years banks have gained experience of 1st generation operational risk models that were developed in the course of the publication of Basel II requirements. The advanced measurement approach (AMA) was predominantly chosen by large banks with experience in in-house model development. 1st generation models, however, experienced severe issues during the 2008–2009 period, in particular in terms of stability and transparency, which have often triggered regulatory sanctions. In order to support the development of a more robust 2nd generation of models, the Basel Committee on Banking Supervision published several studies between 2009 and 20111. The requirements of the 2nd generation of models include, in particular, a more transparent and traceable calibration process and a better approach for the integration of RCAs/BEICFs into the model and even of the model itself into the daily operational risk management process. Basel III – Consequences of the Overall Capital Requirements Increase Whilst large banks had already recognized the advantages and the higher risk sensitivity of AMA versus the basic and standardized approaches of Basel II, the publication of Basel III expectations for total regulatory capital have also raised the interest in AMA at mid-sized banks. In particular, mid-sized banks with a large contribution of operational risk to the total regulatory capital (e.g. with dominating private banking divisions) are now reevaluating the costs-benefits trade-off in light of gross income forecasts for the coming years.

Data

RCAs/BEICFs Model Inputs Expert Judgment/Scenarios

Model Design/Diversification Effects

Calculations

Results & Risk Allocation Governance Framework

Model Outputs

Established Market Practice

• Most banks have already started internal data collection and have access to • The model design of second generation models is supported by more • After 3–4 years of operative use, the necessary policies and guidelines
have been duly developed and tested Challenges detailed guidance (e.g. BIS studies) external data sources

• BEICFs are not well-integrated, RCAs processes are often developed without • Often, regulatory expectations in terms of transparency and traceability • Capital allocation and incentives management are not yet effective and
require more granularity in the model of scenario calibration are not yet met any link to the quantification step

1 July 2009: “Observed range of practice in key elements of Advanced Measurement Approaches (AMA)” October 2010: “Recognizing the risk-mitigating impact of insurance in operational risk modeling” December 2010: “Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches – consultative document” 14 Ernst & Young Operational Risk: Quantification Models

3 Where is Your Value in Op Risk Modeling? |

How can EY help you? • Gap analysis and assessment of cost and potential benefits of moving to AMA

• Review of 1st generation AMA models, including benchmark
analysis (based on EY AMA database)

• Support in the development of 2nd generation models.
If required, tailoring of our packaged tool solution (EY STORM Tool)

• Model validation, benchmarking of results and calibration • Support in the development of the required governance
framework (e.g. policies, scenario templates)

10000 9000 8000 7000 6000 5000 4000

900 800 700 600 500 400 300 200 100 01/01/ 2006 01/01/ 2007 01/01/ 2008 01/01/ 2009 01/01/ 2010 01/01/ 2011 01/01/ 2012 01/01/ 2013 01/01/ 2014 0

Gross Income

Op Risk Capital Charge – Basic Indicator

Stock Index

Basic indicator Flat 15% rate applied to the average gross income over the past 3 years (positive income results)

Standardised approach Rates from 12% to 18% applied to the business divisions’ average gross income over the past 3 years (positive income results)

Ernst & Young Operational Risk: Quantification Models

15

| 3 Where is Your Value in Op Risk Modeling?

3.2 Insurance & Re-Insurance Companies
Solvency II – Leverage on Banking Experience The internal model approach under Solvency II also requires a model-based quantification of operational risk for insurance and re-insurance companies, which roughly aligns practices with large and mid-sized banks. However, the existing guidelines are not as detailed as those of AMA under Basel II. The increased degrees of freedom in relation to the model development represent only superficially an advantage. In addition to the difficulties of developing a robust model design without specific expectations, the most prominent project risk is linked to the local approval of the model by the regulator. Different regulators may have different levels of expectation, for example by stressing more or less the importance of specific model components. The most pragmatic approach is to leverage on the banking experience of AMA banking models, which already underwent the market “stress test” in 2008–2009. Especially because regulators are expected to provide consistent feedback while approving the models for insurance companies and banks. Nevertheless, insurance and re-insurance companies currently recognize the potential of a model-based quantification of operational risk, in particular derived from the potential benefit of diversification effects, which may be very significant for the typical company structure (e.g. several operating entities active on different markets and with diversified product offerings).

Data

RCAs/BEICFs Model Inputs Expert Judgment/Scenarios

Model Design/Diversification Effects

Calculations

Results & Risk Allocation

Model Outputs

Governance Framework Established Market Practice

• Insurance companies are often advanced in the development of a sound RCAs • Scenarios and HILF events analysis are well-known approaches • The structure for reporting at division and operating entity level is already
in place for insurance risks Challenges process that may be leveraged for the quantification process

• The history of internal loss data is often limited or even not yet well-structured • 1st generation models are not supported by detailed regulatory requirements • The governance framework is typically inexistent at this stage
How can EY help you? • Set up a project plan for model development and application to the regulator
(many degrees of freedom)

• Support the development of a model by leveraging on the

experience of AMA Basel II and recent implementation of Solvency II models. If required, tailoring of our packaged tool solution (EY STORM Tool) concepts (model design) and gap analysis for approval based on current regulatory feedback collected in the market

• For models already in an advanced development phase: review of • Model validation, benchmarking of results and calibrations • Support in the development of the required governance
framework (e.g. policies, scenario templates)

16

Ernst & Young Operational Risk: Quantification Models

4 Lessons Learned & Trends

A most natural leverage on lessons learned in relation to operational risk quantification can be gained from experience with AMA Basel II 1st generation models. The analysis of trends in regulations, in the market practice for model design, in structural requirements and in the definition of overall operational risk governance frameworks in the banking industry during the past few years constitutes a solid knowledge basis for the development of new operational risk models. AMA candidate banks, insurance companies, asset managers and even non-financial corporations, should consider such lessons learned in developing their own quantification models.

Regulations • We experience a consistent tendency for enhanced regulatory requirements, not only for overall operational risk quantification (e.g. Solvency II), but also for specific operational risk topics, like misselling (e.g. MIFID II), which might impact worst case loss estimations for the respective scenarios.

• Additionally, regulators raised their expectations for transparency
in model design, data flow and calibration. Internally developed “black boxes” or vendor models with limited insight on the model assumptions are not considered appropriate solutions anymore.

Application Fields/ Limited Experience (Today)

Asset managers & nonfinancial corporations – Beta Versions Models

ge ra ve Le
Insurance companies – First Generation Models

on

ns so es L

d ne ar Le

&

ds en Tr

Systemic Risk Companies – Local Regulations?

Asset Management – Local Regulations

Solvency II

Banks – Second Generation Models

Basel II

Basel Committee Observed Range of Practice AMA Supervisory Guidelines

• •

Basel III

Yesterday

Today

Tomorrow

Existing/Expected Regulations

Ernst & Young Operational Risk: Quantification Models

17

| 4 Lessons Learned & Trends

Model Design • Market practice is moving toward model approaches which combine the contribution of the relative merits of internal & external data and expert judgment.

• Expert judgment inclusion has to be transparent and structured
in a traceable process.

• The relative contribution of data and judgment may substantially
differ across companies, however this must be justifiable and may even evolve over time (e.g. with increasing loss data experience).

Governance Framework • Another consolidated market trend is the integration of the quantification model in the daily risk management process. As opposed to a stand-alone element, the model is inter-linked to the RCAs’ framework and to firm-wide risk appetite quantification models. The appropriate granularity of risk allocation to business units and risk mitigation initiatives arising from legal entities’ incentives.

• The governance framework needs to be amended with

Structural Requirements • Besides the cumulated qualitative skills, operational risk management teams also need to develop appropriate technical and quantitative skills.

appropriate documentation and guidelines. Policies defining in sufficient detail roles and responsibilities as well as the timeline of key process steps are unavoidable elements. Regulators and audit firms, which predominantly rely on the quality of such documents, regard them as material evidence of transparency and traceability of the overall quantification framework.

• These requirements might be facilitated by the purchase of

appropriate tools, but a “delegation of knowledge” is not possible – the internal validation and use tests requirements would only lead to the transfer of the required knowledge from development teams to independent validation units.

18

Ernst & Young Operational Risk: Quantification Models

Contact
Switzerland Dr. Marc Ryser, Partner Risk, Financial Services Phone +41 58 286 4903 Email marc.ryser@ch.ey.com Alessandro Lana, Manager Risk, Financial Services Phone +41 58 286 4271 Email alessandro.lana@ch.ey.com United Kingdom (incl. Ireland) Gerald Chappell, Executive Director Risk, Financial Services Phone +44 20 7951 7681 Email gchappell@uk.ey.com Dr. Mark London, Senior Manager Risk, Financial Services Phone +44 79 0022 8204 Email mlondon@uk.ey.com Dr. Sonja Koerner, Executive Director Risk, Financial Services Phone +44 20 7951 6495 Email skoerner@uk.ey.com Germany Dr. Karsten Füser, Partner Risk, Financial Services Phone +49 711 9881 14497 Email karsten.fueser@de.ey.com Dr. Martin Dörr, Partner Risk, Financial Services Phone +49 711 9881 21870 Email martin.doerr@de.ey.com France Anne Le Henaff, Executive Director Risk, Financial Services Phone +33 1 4693 7966 Email anne.le.henaff@fr.ey.com Italy Emilio Maffi, Executive Director Risk, Financial Services Phone +39 02 722 12203 Email emilio.maffi@it.ey.com Luxembourg Laurent Denayer, Executive Director Risk, Financial Services Phone +352 42 124 8340 Email laurent.denayer@lu.ey.com Netherlands Dr. Diederik Fokkema, Executive Director Risk, Financial Services Phone +31 88 40 70836 Email diederik.fokkema@nl.ey.com Portugal Luis Oliveira Rodrigues, Executive Director Risk, Financial Services Phone +351 21 791 2032 Email luis.oliveirarodrigues@pt.ey.com Spain Victor Martín Giménez, Executive Director Risk, Financial Services Phone +34 9157 27906 Email victormanuel.martingimenez@es.ey.com

Ernst & Young Assurance | Tax | Legal | Transactions | Advisory
About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited (EYG), each of which is a separate legal entity. EYG, a UK company limited by guarantee, does not provide services to clients. In Switzerland, Ernst & Young Ltd is a leading audit and advisory company offering services with about 2,000 employees at 10 locations also in the area of tax and legal, as well as in transactions and accounting. For more information about our organization, please visit www.ey.com/ch © 2011 Ernst & Young Ltd All Rights Reserved. KKL 0511

Sign up to vote on this title
UsefulNot useful