
Managing Operational Risk

Jaidev Iyer, Operational Risk Expert


AGENDA

1 WHAT IS OPERATIONAL RISK
2 WHAT IS OPERATIONAL RISK MANAGEMENT
3 WHAT IS THE VALUE PROPOSITION

Operational Risk

What are the standard firm’s key Operational Risks?
1. Business Practices: Inappropriate business practices or market conduct
2. Business Selection: Inadequate due diligence; non-adherence to credit, market, oprisk policies and limits
3. Infrastructure Adequacy/Capacity: Inability to support business growth due to deficiencies in the infrastructure
4. Financial Integrity: Incorrect books, records, reporting
5. Compliance with Laws and Regulations: Failure to comply with the spirit and letter of applicable laws/regulations
6. Information Security: Inappropriate safeguarding of customer or proprietary information assets; cyber-security
7. Continuity of Business: Inability to continue business during a contingency event
8. Employment Practices: Inappropriate employment practices and workplace environment
9. Vendor Management: Risks not defeased, poor practices

What is Operational Risk?
Risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

Process Risks
• Execution, Delivery, Process Mgmt
• Business Disruption, Systems Failure

Conduct Risks
• Clients, Products, Business Practices
• Employment Practices, Workplace
• Internal Theft, Fraud

External Risks
• External Theft and Fraud
• Damage to Physical Assets

Operational Risk as a Discipline

Credit Risk
• Modern History: Age > 50 years; Portfolio view > 35 yrs; Quantitative > 20 yrs; Active mitigation > 15 yrs
• Risk Measurement: Value at Risk based on Prob. of Default – ORR; LGD – FRR
• Risk Mitigation Tools: Target market/portfolio; Risk-based capital; Credit approval process; Assignments / participations; Credit derivatives

Market Risk
• Modern History: Age > 30 years; Portfolio view > 20 yrs; Quantitative > 15 yrs; Active mitigation > 10 yrs
• Risk Measurement: Value at Risk based on Factor Sensitivity; Potential Losses
• Risk Mitigation Tools: Risk-based capital; Boundaries; Diversification; Hedging positions

Operational Risk
• Modern History: Age < 10 years; Portfolio view… TBD; Quantitative < 5 yrs; Active mitigation: culture?
• Risk Measurement: Value at Risk based on Loss frequency; Loss severity; Metrics / KRIs
• Risk Mitigation Tools: Risk-based capital; Pace of business growth; Infra investment, planning; People management, training

Operational Risk Management Basics

• Management of the frequency AND severity of events and losses
o Dimension operational risk exposure (quantitative, qualitative) to confirm an acceptable level of risk
o By ensuring adequate controls, maintain exposure (and financial/reputation risk) within acceptable levels
o Determine the appropriate level of capital to absorb extreme losses associated with risks that do not lend themselves to control, and for control failures

• The tools of Op Risk Management:
o Loss capture for causal analysis (to get preventive measures), capital modelling
o Assessments (Self, Audit, Regulator) for view on control effectiveness, residual risk
o Metrics (KRIs) warn of imbalances and serve to attract management attention
o Scenario analysis dimensions potential frequency and severity, unexpected losses
o Capital aids the firm’s solvency; capital allocation informs management decisions

VALUE IS ELUSIVE

WHO IS LOOKING FOR IT ?


HOW AND WHEN?
What Sank the Titanic?

For over 5 decades, operators had taken larger and larger risks to save money, to compete

Greater attention to amenities than to safety - engineers did not have critical input vs. $

Lifeboats expensive, heavy, ate up deck space - Board of Trade dominated by shipbuilders

Poor procedures: 2200 passengers, only 1200 could have been saved, only 700 were

Safety drills a mere custom, boring, bureaucratic, inconvenient

The good news: disasters bring change…Change for the good, despite the costs

The Problem with Operational Risk
• Potential losses are practically unbounded
– Exposure is undefined and undimensioned
– Losses are not capped, e.g. by Credit Risk Limits or Market Risk Stop Losses
– Observed loss amounts are not simply related to firm size, although there is some evidence of a deep-pockets premium, e.g. lawsuits and regulatory settlements
– Loss severity distributions are fat-tailed
– The payoff profile is asymmetric

• Risks are not easily controlled in the short term
– Limited ability to ‘trade down’ or ‘close positions’
– Risks often only recognized ‘after the fact’
– Often significant lags between cause and effect
– Management and Measurement of Risk follow diverse paths

• Capital need is driven by the risk of infrequent but extremely large events

The Problem with OpRisk Management

• Ex-Ante vs Ex-Post: Historical, rear-view mirror … years on, we still know too little

• “What” are we Managing

• Who owns the “So-What”

• Tool-kit Elements disparate, outmoded: the dots are still un-join-able

• Same brush applied to High-Severity and High-Frequency risks

• Perceived focus on Measurement over Management; achievement of Neither

• Stakeholders tired of Assessments, Form-filling, Bean-Counting …that go Nowhere

• Regulators seen to focus on form, not substance.

• So Management says stay away from us, just keep the Regulators happy

• All in all, Default approach is therefore Compliance and Audit, not Risk

BEST PRACTICES IN OPERATIONAL RISK

1 PROCESS VIEW !!!
2 ANALYSIS, ANALYSIS
3 JOIN DOTS
4 SCENARIOS, CAPITAL
5 COMMUNICATE

What is Op Risk Management

Inherent Risk - Mitigation or ‘Hedge’ = Residual Risk </= Risk Appetite

Inherent Risk
• Identified & Classified
• Basel with bespoke Adjustments
• Jointly determined – Bus. & Risk

Mitigation or ‘Hedge’
• Controls Designed & Implemented
• Assess & Test Design AND Effectiveness
• Primary role of Business Mgt

Residual Risk
• Informed by Losses, Metrics, Scenarios
• Assessed and Independently Tested
• Primary role of Op Risk Mgt

Risk Appetite
• Top-Down Quantitative & Qualitative
• Re-tested against Scenarios, Capital
• Board, Senior Mgt, Risk

OpRisk Management Essentials

1 An integrated, comprehensive and forward looking approach to risk


• Risk and control directly linked to process & outcomes: front, middle, back
• Clarity on the effort to manage objectives-based vulnerabilities

2 Embedded and entwined into organization, business, and culture


• Start with overall process framework (process maps, anybody ?!!)
• Identify Risk/s based on threat/s to meeting business objectives
• Define required Controls; Configure and Customize controls
• Compute and optimize resources (time, cost) to implement the controls
• Complete integration with process, people and technology for resilience
• Implement essential Assessments, Metrics, Scenarios, Capital charge

3 Speak one language across stakeholders (including Regulators)


• Vulnerability mapped to Basel risk classification for “same page”
• Isolate the ‘cost of control’ to set up the too-much-versus-too-little dialogue
• Systematize the Control debate: existing, duplicate, expensive, useless

Process / Control Analysis

Who Cares?
• Who would like to see this problem fixed?

Relevant Data
• Loss data, KRIs, exception reports, assessment data…
• Where else are these problems seen?
• Where are similar problems prevented?

End-to-End Process
• Who does what?
• What assumptions are made but not tested?

Inefficiencies
• What steps in the process can be simplified, eliminated?
• Can automation help?

Weak Points
• Are controls missing or sloppy?
• Would better MIS help?

Fixes
• Agreement end-to-end on solutions
• Where else could such solutions make a difference?

Integrated Op Risk Analysis

Risk Drivers
• Why did the event / loss occur?
• What could have prevented it?
• What factors influenced the nature? … the size?

Environment
• What controls failed / did not exist at all?
• Covered in assessments of the entity causing the loss?
• Where else could such a control failure occur?

Metrics
• Did available metrics warn of trouble?
• What metrics could best track these risk drivers?
• What set of metrics could best capture the end-to-end risks?

Scenarios and responses
• Could the loss have been much larger or messier?
• Could such losses occur more frequently? …how? … where?
• Does industry experience tell us anything meaningful?

Capital Implications
• Does capital adequately cover stresses?
• How should capital allocations reflect relative risk?

Scenario Analysis

Could it Happen?
• Do we face a previously unrecognized risk?
• In which businesses, regions?

Who Cares?
• Who would be most hurt?

Would it Happen?
• What controls can prevent an event?
• Do they exist and work well?
• Would existing metrics warn of trouble?

How big?
• What data is available about past frequency and scale?
• What factors drive the size of the impact?

Fixes
• Control improvements?
• Better metrics?

Capital Impact
• Would it happen HERE?
• If so, how big could it be HERE?
• Is capital sufficient?

The derivation, treatment, and configuration of controls

Monitoring
• Monitoring
• RSCA plan and checklists
• Span of control
• Residual risk indicators
• Control effectiveness

Control Objectives
• Basel Classification
• Process Outcome
• Business Rules

Control Procedures
• Key Risk Metrics
• Compensating Control
• Cost of Control

Pre Event
• Design
• Process Vulnerability
• Compensating Control
• Control Environment
• People & Technology

Control Configuration
• Supervisory Review
• Escalation Paths
• Assessment Checklists

Post Event
• Incident Management
• Detection
• Mitigation
• Escalation
• Prevention

Sample analytics and reports

[Figure: four chart panels]
• Risk & Controls Analysis: Open Risk by Activity
• Analysis of Compensating Controls
• Metrics and Escalation Paths: risk categories broken down by Finance, FO, IT & infra, Ops & HR, Risk & compliance
• Cost-Control Efficiency Frontier: Control Coverage against Cost Effectiveness (FTE)

Capital: Three Fundamental Questions

Question 1: What is the expected frequency of events over a loss threshold?
Question 2: How rapidly does loss probability decline with size of loss (inverse slope = tail parameter)?
Question 3: What is the required confidence level for capital: 99.9%

Capital is the extrapolated loss at chosen confidence.

[Figure: Operational Event Frequency. Annual Events over Threshold (0.0001 to 1000) against Loss Size (0.1 to 100000).]

Capital sensitivity by RLOB to Frequency
Using Some Historical Estimates

[Figure: Hypo OpRisk Capital ($Millions, 99.97%; axis 0 to 7,000) against Frequency of Large Losses (number of annual events over $1MM; axis 0 to 25). Lines: Overall Banking Business Mix (Severity = 0.78); Corp Fin, Underwriting, … (Severity = 0.90); Sales and Trading (Severity = 0.75); Corp, Comml Banking (Severity = 0.65); Cash & Trade (Severity = 0.55). Data labels on the chart: 6,525; 3,300; 2,900; 175; 150.]

SUMMARY
What did we learn from the Crisis

o Organizations try too hard to avoid learning from their own mistakes

o The sustainability tradeoff for financials cos. is not growth vs prudence, but with

o The Monday-Tuesday-Wednesday syndrome is unsustainable

o “Culture” means how we do business, to optimize that tradeoff

o Models don’t kill markets, people do

o The risk-taker is your first-line of defense, but all Three Lines matter

o We must evolve a common idea of what a Risk Manager is or does

o ‘Our people are our greatest assets’ needs to be real, insofar as Asset Risks
o Silos are fatal: the way risk manifests is irrelevant, labels are redundant
o Join-the-dots intelligence is the only worthwhile investment in Risk Mgt
o There needs to be sufficient premium on quantity and quality of communication

Risk in the post-crisis era
• Market & Credit Risk are transactional, substitutable, arbitrageable, inseparable

• Op Risk is corporate, top-down, about Infrastructure and Reputation

• But it is also inseparable from other Risk-types, and substitutable

• Operational Risk and Compliance also no longer separable

• Severity and Frequency management are 2 different schools within OpRisk

• A singular measure of Risk (e.g. VaR) is very good, and very bad

• Portfolio strategies must incorporate crisis correlations

• Time is nigh for a solution to the holistic stress-testing conundrum

“History only teaches us that we will be surprised, again and again”


The Value Proposition in OpRisk

• Process-focus and optimization, integrated with Business Objectives

• Entire Approach oriented towards Risk vis-à-vis Appetite

• Join the Dots for Forward-looking view of Severity, Frequency, Onset

• Inform about Cost-Benefit-Risk tradeoffs and Pricing

• Provide key inputs for Investment decisions & governance

• Derive Capital program as a dynamic tool to measure & manage

• Provide the basis for clear actions vis-à-vis
o Business Strategy
o Business Process
o Remediation priorities across franchise, revenue, capital defense

Thank you!

Questions?
