
FRM Financial Risk Manager

GARP

2020

EXAM PART II
Operational Risk and Resiliency

Pearson
Book: GARP_ORR 000200010272205729
Project Manager: EEB
Rights Ed: KW
Copyright © 2019, 2018, 2017, 2016, 2015, 2014, 2013, 2012, 2011 by Pearson Education, Inc.
All rights reserved.
Pearson Custom Edition.

This copyright covers material written expressly for this volume by the editor/s as well as the compilation itself. It does not cover the individual selections herein that first appeared elsewhere. Permission to reprint these has been obtained by Pearson Education, Inc. for this edition only. Further reproduction by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, must be arranged with the individual copyright holders noted.

Grateful acknowledgment is made to the following sources for permission to reprint material copyrighted or controlled by them:

"Principles for the Sound Management of Operational Risk," by Basel Committee on Banking Supervision, June 2011, by permission of the Bank for International Settlements. Information retrieved from the Bank for International Settlements is freely available at their website: www.bis.org.

"Enterprise Risk Management: Theory and Practice," by Brian W. Nocco and Rene M. Stulz, reprinted from Journal of Applied Corporate Finance, vol. 18, no. 4, Fall 2006, by permission of John Wiley & Sons, Inc.

"What is ERM?," by James Lam, reprinted from Enterprise Risk Management: From Incentives to Controls, Second Edition (2014), by permission of John Wiley & Sons, Inc.

"Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions," June 2011, by permission of the Institute of International Finance.

"Banking Conduct and Culture: A Permanent Mindset Change," by the G30 Working Group, 2018, by permission of the Group of 30 Consultative Group on International Economic and Monetary Affairs, Inc.

"Risk Culture," by Alessandro Carretta and Paola Schwizer, reprinted from Risk Culture in Banking by Alessandro Carretta, Franco Fiordelisi and Paola Schwizer (2017), by permission of Palgrave Macmillan.

"OpRisk Data and Governance," by Marcelo G Cruz, Gareth W Peters and Pavel V Shevchenko, reprinted from Fundamental Aspects of Operational Risk and Insurance Analytics: A Handbook of Operational Risk (2015), by permission of John Wiley & Sons, Inc.

"Adoption of Supervisory Guidance on Model Risk Management," reprinted from Financial Institution Letter FIL-22-2017, June 2017, published by the Federal Deposit Insurance Corporation.

"Information Risk and Data Quality Management," by David Loshin, reprinted from Risk Management in Finance: Six Sigma and Other Next-Generation Techniques, edited by Anthony Tarantino and Deborah Cernauskas (2009), by permission of John Wiley & Sons, Inc.

"Validating Rating Models," by Giacomo De Laurentis, Renato Maino, and Luca Molteni, reprinted from Developing, Validating and Using Internal Ratings (2010), by permission of John Wiley & Sons, Inc.

"Assessing the Quality of Risk Measures," by Allan M Malz, reprinted from Financial Risk Management: Models, History, and Institutions (2011), by permission of John Wiley & Sons, Inc.

"Risk Capital Attribution and Risk-Adjusted Performance Measurement," by Michel Crouhy, Dan Galai and Robert Mark, reprinted from The Essentials of Risk Management, 2nd Edition (2014), by permission of the McGraw-Hill Companies, Inc.

"Range of Practices and Issues in Economic Capital Frameworks," by Basel Committee on Banking Supervision, March 2009, by permission of the Basel Committee on Banking Supervision.

"Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice," August 2013, by permission of the Board of Governors of the Federal Reserve System.

"Stress Testing Banks," by Til Schuermann, reprinted from the International Journal of Forecasting 30, no. 3, (2014) pp. 717-728, by permission of Elsevier BV.

"Guidance on Managing Outsourcing Risk," Supervisory Letter SR 13-19/CA 13-21, December 2013, by permission of the Board of Governors of the Federal Reserve System.

"Management of Risks Associated with Money Laundering and Financing of Terrorism," by Mark Carey, February 2019, the GARP Risk Institute.

"Regulation of the OTC Derivatives Market," by John C Hull, reprinted from Risk Management and Financial Institutions, 5th edition (2018), by permission of John Wiley & Sons, Inc.

"Capital Regulation Before the Global Financial Crisis," by Mark Carey, April 2019, the GARP Risk Institute.

"Solvency, Liquidity and Other Regulation After the Global Financial Crisis," by Mark Carey, April 2019, the GARP Risk Institute.

"High-Level Summary of Basel III Reforms," by Basel Committee on Banking Supervision, December 2017, by permission of the Bank for International Settlements. Information retrieved from the Bank for International Settlements is freely available at their website: www.bis.org.

"Basel III: Finalising Post-Crisis Reforms," by Basel Committee on Banking Supervision, December 2017, by permission of the Bank for International Settlements. Information retrieved from the Bank for International Settlements is freely available at their website: www.bis.org.

"The Cyber-Resilient Organization," by Andrew Coburn, Eireann Leverett, and Gordon Woo, reprinted from Solving Cyber Risk: Protecting Your Company and Society (2019), by permission of John Wiley & Sons, Inc.

"Cyber-Resilience: Range of Practices," by Basel Committee on Banking Supervision, December 2018, by permission of the Bank for International Settlements. Information retrieved from the Bank for International Settlements is freely available at their website: www.bis.org.

"Building the UK Financial Sector's Operational Resilience," by the Bank of England and the Financial Conduct Authority, July 2018, reprinted by permission.

"Striving for Operational Resilience: The Questions Boards and Senior Management Should Ask," by Rico Brandenburg, Tom Ivell, Evan Sekeris, Matthew Gruber and Paul Lewis, 2019, by permission of Oliver Wyman.

Learning Objectives provided by the Global Association of Risk Professionals.

All trademarks, service marks, registered trademarks, and registered service marks are the property of their respective owners and are used herein for identification purposes only.

Pearson Education, Inc., 330 Hudson Street, New York, New York 10013
A Pearson Education Company
www.pearsoned.com
Printed in the United States of America

ScoutAutomatedPrintCode
000200010272205729
EEB/KW

Pearson ISBN 10: 0135966000
ISBN 13: 9780135966006
Contents

Chapter 1  Principles for the Sound Management of Operational Risk  1
  1.1 Preface  2
  1.2 Role of Supervisors  2
  1.3 Principles for the Management of Operational Risk  3
    Fundamental Principles of Operational Risk Management  4
    Governance  5
    Risk Management Environment  5
    Role of Disclosure  5
  1.4 Fundamental Principles of Operational Risk Management  5
  1.5 Governance  6
    The Board of Directors  6
    Senior Management  7
  1.6 Risk Management Environment  8
    Identification and Assessment  8
    Monitoring and Reporting  9
    Control and Mitigation  10
  1.7 Business Resiliency and Continuity  12
  1.8 Role of Disclosure  12

Chapter 2  Enterprise Risk Management: Theory and Practice  13
  2.1 How Does ERM Create Shareholder Value?  14
    The Macro Benefits of Risk Management  14
    The Micro Benefits of ERM  15
  2.2 Determining the Right Amount of Risk  16
  2.3 Implementing ERM  20
    Inventory of Risks  20
    Economic Value versus Accounting Performance  21
    Aggregating Risks  22
    Measuring Risks  24
    Regulatory versus Economic Capital  24
    Using Economic Capital to Make Decisions  25
    The Governance of ERM  26
  Conclusion  26

Chapter 3  What Is ERM?  27
  3.1 ERM Definitions  28
  3.2 The Benefits of ERM  29
    Organizational Effectiveness  29
    Risk Reporting  29
    Business Performance  30
  3.3 The Chief Risk Officer  31
  3.4 Components of ERM  33
    Corporate Governance  33
    Line Management  33
    Portfolio Management  34
    Risk Transfer  34
    Risk Analytics  34
    Data and Technology Resources  35
    Stakeholder Management  35

Chapter 4  Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions  37
  Introduction  38
  Section 1 - Principal Findings from the Investigation  39
  Section 2 - Key Outstanding Challenges in Implementing Risk Appetite Frameworks  41
  Section 3 - Emerging Sound Practices in Overcoming the Challenges  43
    3.1 Risk Appetite and Risk Culture  44
    3.2 "Driving Down" the Risk Appetite into the Businesses  45
    3.3 Capturing Different Risk Types  47
    3.4 The Benefits of Risk Appetite as a Dynamic Tool  48
    3.5 The Link with the Strategy and Business Planning Process  49
    3.6 The Role of Stress Testing within an RAF  52
  Section 4 - Recommendations for Firms  55
    Recommendations for Board Directors  55
    Recommendations for Senior Management  57
    Recommendations for Risk Management  58
  Annex I: Case Studies  59
    Developing a Risk Appetite Framework at RBC May 2011  59
    Risk Appetite within National Australia Bank: An Ongoing Journey  62
    Scotiabank - A Canadian Experience in Setting Risk Appetite May 2011  68
    Risk Appetite Framework Development at the Commonwealth Bank of Australia  71

Chapter 5  Banking Conduct and Culture  77
  Introduction  78
  Section 1. Assessment of Industry Progress  86
    Mindset of Culture  88
    Senior Accountability and Governance  89
    Performance Management and Incentives  91
    Staff Development and Promotions  92
    An Effective Three Lines of Defense  94
    Regulators, Supervisors, Enforcement Authorities, and Industry Standards  95
  Section 2. Lessons Learned  98

Chapter 6  Risk Culture  105
  6.1 Introduction  106
  6.2 What Corporate Culture Is and Why It Matters?  106
  6.3 Risk Culture: Scope and Definition  108
  6.4 Risk Culture: Drivers and Effects  109
  6.5 Change and Challenge: Deploying an Effective Risk Culture  110
  Conclusions  113
  Bibliography  113

Chapter 7  OpRisk Data and Governance  115
  7.1 Introduction  116
  7.2 OpRisk Taxonomy  116
    Execution, Delivery, and Process Management  117
    Clients, Products, and Business Practices  118
    Business Disruption and System Failures  119
    External Frauds  120
    Internal Fraud  120
    Employment Practices and Workplace Safety  120
    Damage to Physical Assets  121
  7.3 The Elements of the OpRisk Framework  121
    Internal Loss Data  121
    Setting a Collection Threshold and Possible Impacts  121
    Completeness of Database (Under-Reporting Events)  122
    Recoveries and Near Misses  122
    Time Period for Resolution of Operational Losses  123
    Adding Costs to Losses  123
    Provisioning Treatment of Expected Operational Losses  123
  7.4 Business Environment and Internal Control Environment Factors (BEICFs)  123
    Risk Control Self-Assessment (RCSA)  124
    Key Risk Indicators  125
  7.5 External Databases  126
  7.6 Scenario Analysis  127
  7.7 OpRisk Profile in Different Financial Sectors  129
    Trading and Sales  129
    Corporate Finance  129
    Retail Banking  129
    Insurance  130
    Asset Management  131
    Retail Brokerage  132
  7.8 Risk Organization and Governance  133
    Organization of Risk Departments  133
    Structuring a Firm Wide Policy: Example of an OpRisk Policy  134
    Governance  134

Chapter 8  Supervisory Guidance on Model Risk Management  137
  8.1 Introduction  138
  8.2 Purpose and Scope  138
  8.3 Overview of Model Risk Management  138
  8.4 Model Development, Implementation, and Use  140
    Model Development and Implementation  140
    Model Use  141
  8.5 Model Validation  142
    Key Elements of Comprehensive Validation  143
    Validation of Vendor and Other Third-Party Products  146
  8.6 Governance, Policies, and Controls  146
    Board of Directors and Senior Management  147
    Policies and Procedures  147
    Roles and Responsibilities  147
    Internal Audit  148
    External Resources  148
    Model Inventory  149
    Documentation  149
  Conclusion  149

Chapter 9  Information Risk and Data Quality Management  151
  9.1 Organizational Risk, Business Impacts, and Data Quality  152
    Business Impacts of Poor Data Quality  152
    Information Flaws  153
  9.2 Examples  153
    Employee Fraud and Abuse  153
    Underbilling and Revenue Assurance  153
    Credit Risk  153
    Insurance Exposure  154
    Development Risk  154
    Compliance Risk  154
  9.3 Data Quality Expectations  154
    Accuracy  154
    Completeness  154
    Consistency  154
    Reasonableness  155
    Currency  155
    Uniqueness  155
    Other Dimensions of Data Quality  155
  9.4 Mapping Business Policies to Data Rules  155
  9.5 Data Quality Inspection, Control, and Oversight: Operational Data Governance  155
  9.6 Managing Information Risk Via a Data Quality Scorecard  156
    Data Quality Issues View  156
    Business Process View  157
    Business Impact View  157
    Managing Scorecard Views  157
  Summary  157

Chapter 10  Validating Rating Models  159
  10.1 Validation Profiles  160
  10.2 Roles of Internal Validation Units  161
  10.3 Qualitative and Quantitative Validation  162
    Qualitative Validation  162
    Quantitative Validation  166

Chapter 11  Assessing the Quality of Risk Measures  173
  11.1 Model Risk  174
    Valuation Risk  174
    Variability of VaR Estimates  175
    Mapping Issues  176
    Case Study: The 2005 Credit Correlation Episode  176
    Case Study: Subprime Default Models  180

Chapter 12  Risk Capital Attribution and Risk-Adjusted Performance Measurement  181
  12.1 What Purpose Does Risk Capital Serve?  182
  12.2 Emerging Uses of Risk Capital Numbers  182
  12.3 RAROC: Risk-Adjusted Return on Capital  184
  12.4 RAROC for Capital Budgeting  185
  12.5 RAROC for Performance Measurement  186
    RAROC Horizon  186
    Default Probabilities: Point-in-Time (PIT) vs. Through-the-Cycle (TTC)  188
    Confidence Level  188
    Hurdle Rate and Capital Budgeting Decision Rule  188
    Diversification and Risk Capital  189
  12.6 RAROC in Practice  190
  Conclusion  192

Chapter 13  Range of Practices and Issues in Economic Capital Frameworks  193
  13.1 Executive Summary  194
    Use of Economic Capital and Governance  194
    Risk Measures  194
    Risk Aggregation  195
    Validation  195
    Dependency Modelling in Credit Risk  195
    Counterparty Credit Risk  196
    Interest Rate Risk in the Banking Book  196
    Summary  196
  13.2 Recommendations  196
  13.3 Introduction  198
  13.4 Use of Economic Capital Measures and Governance  199
    Business-Level Use  199
    Enterprise-Wide or Group-Level Use  200
    Governance  202
    Supervisory Concerns Relating to Use of Economic Capital and Governance  203
  13.5 Risk Measures  205
    Desirable Characteristics of Risk Measures  205
    Types of Risk Measures  206
    Calculation of Risk Measures  207
    Supervisory Concerns Relating to Risk Measures  208
  13.6 Risk Aggregation  208
    Aggregation Framework  208
    Aggregation Methodologies  209
    Range of Practices in the Choice of Aggregation Methodology  212
    Supervisory Concerns Relating to Risk Aggregation  213
  13.7 Validation of Internal Economic Capital Models  214
    What Validation Processes Are in Use?  215
    What Aspects of Models Does Validation Cover?  218
    Supervisory Concerns Relating to Validation  218
  13.8 Annex 1: Dependency Modelling in Credit Risk Models  218
    Types of Models  219
    Supervisory Concerns Relating to Currently Used Credit Portfolio Models  221
  13.9 Annex 2: Counterparty Credit Risk  223
    Counterparty Credit Risk Challenges  223
    Range of Practices  225
  13.10 Annex 3: Interest Rate Risk in the Banking Book  227
    Sources of Interest Rate Risk  227
    Interest Rate Measurement Techniques and Indicators  228
    Modelling Issues  229
    Main Challenges for the Measurement of Interest Rate Risk in the Banking Book  229
  References  233

Chapter 14  Capital Planning at Large Bank Holding Companies  235
  14.1 Introduction  236
  14.2 Foundational Risk Management  238
    Risk Identification  238
  14.3 Internal Controls  239
    Scope of Internal Controls  239
    Internal Audit  239
    Independent Model Review and Validation  240
    Policies and Procedures  240
    Ensuring Integrity of Results  241
    Documentation  241
  14.4 Governance  241
    Board of Directors  241
    Board Reporting  242
    Senior Management  242
    Documenting Decisions  243
  14.5 Capital Policy  243
    Capital Goals and Targets  244
    Capital Contingency Plan  244
  14.6 BHC Scenario Design  245
    Scenario Design and Severity  245
    Variable Coverage  246
    Clear Narratives  246
  14.7 Estimation Methodologies for Losses, Revenues, and Expenses  246
    General Expectations  246
    Loss-Estimation Methodologies  249
    PPNR Projection Methodologies  257
  14.8 Assessing Capital Adequacy Impact  261
    Balance Sheet and RWAs  261
    Allowance for Loan and Lease Losses (ALLL)  262
    Aggregation of Projections  262
  14.9 Concluding Observations  263

Chapter 15  Stress Testing Banks  265
  Abstract  266
  15.1 Introduction  266
  15.2 Stress Testing in the Literature  270
  15.3 Stress Testing Design  271
  15.4 Executing the Stress Scenario: Losses and Revenues  272
    Modeling Losses  273
    Modeling Revenues  274
    Modeling the Balance Sheet  275
  15.5 Stress Testing Disclosure  275
  Conclusion  278
  Acknowledgments  278
  References  278

Chapter 16  Guidance on Managing Outsourcing Risk  281
  16.1 Purpose  282
  16.2 Risks from the Use of Service Providers  282
  16.3 Board of Directors and Senior Management Responsibilities  282
  16.4 Service Provider Risk Management Programs  282
    A. Risk Assessments  283
    B. Due Diligence and Selection of Service Providers  283
    C. Contract Provisions and Considerations  284
    D. Incentive Compensation Review  286
    E. Oversight and Monitoring of Service Providers  286
    F. Business Continuity and Contingency Considerations  287
    G. Additional Risk Considerations  287

Chapter 17  Management of Risks Associated with Money Laundering and Financing of Terrorism  289
  17.1 Background  290
  17.2 Application of Standard Practices  290
  17.3 Risk Assessment  291
  17.4 Customer Due Diligence and Acceptance  291
  17.5 Transaction and Other Monitoring and Reporting  291
  17.6 Correspondent Banking  291
  17.7 Wire Transfers  292
  17.8 International Scope  292
  References  292

Chapter 18  Regulation of the OTC Derivatives Market  293
  18.1 Clearing in OTC Markets  294
    Margin  294
    Central Clearing  295
    Bilateral Clearing  296
    Netting  296
    Events of Default  296
  18.2 Post-Crisis Regulatory Changes  297
    Uncleared Trades  297
    Determination of Initial Margin: SIMM  298
  18.3 Impact of the Changes  299
    Liquidity  299
    Rehypothecation  300
    The Convergence of OTC and Exchange-Traded Markets  300
  18.4 CCPs and Bankruptcy  300
  Summary  301
  Further Reading  301

Chapter 19  Capital Regulation Before the Global Financial Crisis  303
  19.1 The Basel Accord: Basel I Variant  304
    The Risk-Based Capital Ratio  305
  19.2 The Basel Accord: Basel II Variant  309
    Capital for Credit Risk  310
    Retail Exposures Under IRB  312
    Credit Mitigants Other Than Collateral  313
    Capital for Operational Risk  313
    Solvency II  314
  Summary  315
  References  315

Chapter 20  Solvency, Liquidity and Other Regulation After the Global Financial Crisis  317
  20.1 The Financial Stability Board  318
  20.2 Basel 2.5  318
    Stressed VaR  318
    Incremental Risk Charge  318
    Correlations and the Comprehensive Risk Measure  319
  20.3 Basel 3  319
    The Definition of Capital  320
    Leverage Ratio Capital Requirements  321
    Systemically Important Financial Institutions  321
    Buffers  321
    Liquidity Requirements  323
    Derivatives Counterparty Credit Risk  324
  20.4 Resolution Planning and Preparation  324
    CoCos  324
    Living Wills  325
  20.5 Stress Testing and Other Local Applications of Basel  325
  20.6 Other Reforms  326
  References  326

Chapter 21  High-Level Summary of Basel III Reforms  327
  Standardised Approach for Credit Risk  328
  Internal Ratings-Based Approaches for Credit Risk  331
    Removing the Use of the Advanced IRB Approach for Certain Asset Classes  331
    Specification of Input Floors  332
    Additional Enhancements  332
  CVA Risk Framework  332
  Operational Risk Framework  333
  Leverage Ratio Framework  333
    Buffer for Global Systemically Important Banks  333
    Refinements to the Leverage Ratio Exposure Measure  334
  Output Floor  334
  Transitional Arrangements  335

Chapter 22  Basel III: Finalising Post-Crisis Reforms  337
  22.1 Introduction  338
  22.2 The Standardised Approach  338
    The Business Indicator  338
    The Business Indicator Component  338
    The Internal Loss Multiplier  338
    The Standardised Approach Operational Risk Capital Requirement  339
  22.3 Application of the Standardised Approach within a Group  339
  22.4 Minimum Standards for the Use of Loss Data Under the Standardised Approach  339
  22.5 General Criteria on Loss Data Identification, Collection and Treatment  340
  22.6 Specific Criteria on Loss Data Identification, Collection and Treatment  340
    Building of the Standardised Approach Loss Data Set  340
    Gross Loss, Net Loss, and Recovery Definitions  340
  22.7 Exclusion of Losses from the Loss Component  341
  22.8 Exclusions of Divested Activities from the Business Indicator  342
  22.9 Inclusion of Losses and BI Items Related to Mergers and Acquisitions  342
  22.10 Disclosure  342
  22.11 Annex: Definition of Business Indicator Components  342

Chapter 23  The Cyber-Resilient Organization  345
  23.1 Changing Approaches to Risk Management  346
    Identify, Protect, Detect, Respond, Recover  346
    Threat Analysis  346
  23.2 Incident Response and Crisis Management  346
    Real-Time Crisis Management: How Fighter Pilots Do It  346
    Rapid Adaptation to Changing Conditions  347
    Cyber Risk Awareness in Staff  347
    Business Continuity Planning and Staff Engagement  347
    Gaming and Exercises  348
    Nudging Behavior  348
  23.3 Resilience Engineering  348
    Safety Management  348
    Hotel Keycard Failure Example  349
  23.4 Attributes of a Cyber-Resilient Organization  349
    Anticipate, Withstand, Recover, and Evolve  349
    Negative Attributes  350
    Six Positive Attributes for Resilience  350
    Cyber Resilience Objectives  350
  23.5 Incident Response Planning  351
    Forensic Investigation  351
    Initial Breach Diagnosis  352
  23.6 Resilient Security Solutions  352
    Resilient Software  352
    Detection, Containment, and Control  352
    Minimize Intrusion Dwell Time  353
    Anomaly Detection Algorithms  353
    Penetration Testing  354
    The Risk-Return Trade-Off  354
  23.7 Financial Resilience  355
    Financial Consequences of a Cyber Attack  355
    Financial Risk Assessment  355
    Reverse Stress Testing  355
    Defense in Depth  356
    Enterprise Risk Management  356
    Cyber Value at Risk  356
    Re-Simulations of Historical Events  357
    Counterfactual Analysis  357
    Building Back Better  357
    Events Drive Change  358
    Education for Cyber Resilience  358
    Improving the Cyber Profession  359

Chapter 24  Cyber-Resilience: Range of Practices  361
  24.1 Introduction  362
  24.2 Cyber-Resilience Standards and Guidelines  363
  24.3 Cyber-Governance  363
    Cyber-Security Strategy Is Expected But Not Required  364
    Management Roles and Responsibilities  365
    Cyber-Risk Awareness Culture  365
    Architecture and Standards  366
    Cyber-Security Workforce  366
  24.4 Approaches to Risk Management, Testing and Incident Response and Recovery  367
    Methods for Supervising Cyber-Resilience  368
    Information Security Controls Testing and Independent Assurance  368
    Response and Recovery Testing and Exercising  369
    Cyber-Security and Resilience Metrics  370
  24.5 Communication and Sharing of Information  371
    Overview of Information-Sharing Frameworks Across Jurisdictions  371
    Sharing Among Banks  373
    Sharing from Banks to Regulators  373
    Sharing Among Regulators  374
    Sharing from Regulators to Banks  375
    Sharing with Security Agencies  375
  24.6 Interconnections with Third Parties  377
    Governance of Third-Party Connections  377
    Business Continuity and Availability  379
    Information Confidentiality and Integrity  380
    Specific Expectations and Practices with Regard to the Visibility of Third-Party Connections  381
    Auditing and Testing  381
    Resources and Skills  382

Chapter 25  Building the UK Financial Sector's Operational Resilience  383
  25.1 Introduction  384
    The Importance of Operational Resilience  384
    Important Concepts in the Supervisory Authorities' Approach to Operational Resilience  384
    Discussion Paper Structure  386
  25.2 Operational Resilience of Business Services  387
    Focusing on Business Services  387
    Prioritising by Business Services  387
    Building Resilient Business Services, Assuming Disruption Will Occur  388
  25.3 Operational Resilience of Firms and FMIs  389
    Factors Relating to the Supervisory Authorities' Objectives  390
    Existing Regulatory Requirements and Expectations for Firms and FMIs  392
    What This Might Mean for Firms and FMIs in Practice  395
  25.4 Clear Outcomes for Operational Resilience  397
    Current Approaches  398
    Potential Benefits of Setting Impact Tolerances  398
  25.5 Supervisory Assessment of Operational Resilience  399
    Sector-Wide Work  399
    Reviewing How Impact Tolerances Are Set and Used  400
    Analysis of Systems, People and Processes that Support Business Services  400
    Gaining Assurance that Firms and FMIs Have the Capabilities to Deliver Operational Resilience  400
    Supervisory Tools  401
  Conclusion  401
  Responses and Next Steps  402
  Feedback and Questions  402
  Annex 1: Glossary of Terms  402
    Business Services  402
    Capabilities  402
    Clearing House Automated Payment System (CHAPS)  403
    Cloud Services  403
    Continuity  403
    Economic Functions  403
    Financial Market Infrastructure (FMI)  403
    General Data Protection Regulation (GDPR)  403
    Impact Tolerances  403
    Impact Tolerance Statement  403
    Integrity  403
    Operational Resilience  403
    Operational Risk  403
    Risk Appetite  403
    Real Economy  403
    Real-Time Gross Settlement (RTGS) Service  403
    Senior Manager's and Certification Regime (SM&CR) and Senior Insurance Managers Regime (SIMR)  403
    Supervisory Authorities  404
    Systems and Processes  404
    Vital Services  404

Chapter 26  Striving for Operational Resilience  405
  Executive Summary  406
  26.1 Why Now?: Need for Operational Resilience  406
  26.2 Bend, But Don't Break: Operational Resilience Approach  406
  26.3 Has the Organization Got It?: Important Questions to Ask About Operational Resilience  409
  26.4 Improving Resilience: Getting Started  409
  Bibliography  413

Index  417
FRM® Committee

Chairman
Dr. Rene Stulz
Everett D. Reese Chair of Banking and Monetary Economics, The Ohio State University

Members

Richard Apostolik
President and CEO, Global Association of Risk Professionals

Michelle McCarthy Beck, SMD
Chief Risk Officer, TIAA Financial Solutions

Richard Brandt, MD
Operational Risk Management, Citigroup

Julian Chen, FRM, SVP
FRM Program Manager, Global Association of Risk Professionals

Dr. Christopher Donohue, MD
GARP Benchmarking Initiative, Global Association of Risk Professionals

Donald Edgar, FRM, MD
Risk & Quantitative Analysis, BlackRock

Herve Geny
Group Head of Internal Audit, London Stock Exchange Group

Keith Isaac, FRM, VP
Capital Markets Risk Management, TD Bank Group

William May, SVP
Global Head of Certifications and Educational Programs, Global Association of Risk Professionals

Dr. Attilio Meucci, CFA
Founder, ARPM

Dr. Victor Ng, CFA, MD
Chief Risk Architect, Market Risk Management and Analysis, Goldman Sachs

Dr. Matthew Pritsker
Senior Financial Economist and Policy Advisor / Supervision, Regulation, and Credit, Federal Reserve Bank of Boston

Dr. Samantha Roberts, FRM, SVP
Balance Sheet Analytics & Modeling, PNC Bank

Dr. Til Schuermann
Partner, Oliver Wyman

Nick Strange, FCA
Director, Supervisory Risk Specialists, Prudential Regulation Authority, Bank of England

Dr. Sverrir Porvaldsson, FRM
Senior Quant, SEB
Learning Objectives
After completing this reading you should be able to:

- Describe the three "lines of defense" in the Basel model for operational risk governance.
- Summarize the fundamental principles of operational risk management as suggested by the Basel Committee.
- Explain guidelines for strong governance of operational risk, and evaluate the role of the board of directors and senior management in implementing an effective operational risk framework.
- Describe tools and processes that can be used to identify and assess operational risk.
- Describe features of an effective control environment and identify specific controls that should be in place to address operational risk.
- Explain the Basel Committee's suggestions for managing technology risk and outsourcing risk.

Excerpt is reprinted by permission from the Basel Committee on Banking Supervision.
1
1.1 PREFA CE that banks should consider when designing operational risk poli­
cies, processes and risk m anagem ent system s.
1. In the Soun d Practices for the M anagem ent and Supervision 4. Supervisors will continue to encourage banks "to move along
o f O perational Risk (Sound Practices), published in February the spectrum of available approaches as they develop more
2003, the Basel Com m ittee on Banking Supervision (Com m ittee) sophisticated operational risk m easurem ent system s and prac­
articulated a fram ework of principles for the industry and super­ tic e s ."23Consequently, while this chapter articulates principles
visors. Subsequently, in the 2006 International C on verg en ce o f from emerging sound industry practice, supervisors expect
Capital M easurem ent and Capital Standards: A R evised banks to continuously improve their approaches to operational
Fram ew ork— C om prehensive Version (commonly referred to as risk m anagem ent. In addition, this chapter addresses key ele­
"Basel II"), the Com m ittee anticipated that industry sound prac­ ments of a bank's Fram ework. These elem ents should not be
tice would continue to evo lve.1 Since then, banks and supervi­ viewed in isolation but should be integrated com ponents of the
sors have expanded their knowledge and experience in overall fram ework for managing operational risk across the
implementing operational risk m anagem ent fram eworks (Fram e­ enterprise.
work). Loss data collection exercises, quantitative im pact stud­
5. The Com m ittee believes that the principles outlined in this
ies, and range of practice reviews covering governance, data
chapter establish sound practices relevant to all banks. The
and modelling issues have also contributed to industry and
Com m ittee intends that when implementing these principles, a
supervisory knowledge and the em ergence of sound industry
bank will take account of the nature, size, com plexity and risk
practice.
profile of its activities.
2. In response to these changes, the Committee has determined that the 2003 Sound Practices paper should be updated to reflect the enhanced sound operational risk management practices now in use by the industry. This document—Principles for the Sound Management of Operational Risk and the Role of Supervision—incorporates the evolution of sound practice and details eleven principles of sound operational risk management covering (1) governance, (2) risk management environment and (3) the role of disclosure. By publishing an updated paper, the Committee enhances the 2003 sound practices framework with specific principles for the management of operational risk that are consistent with sound industry practice. These principles have been developed through the ongoing exchange of ideas between supervisors and industry since 2003. Principles for the Sound Management of Operational Risk and the Role of Supervision replaces the 2003 Sound Practices and becomes the document that is referenced in paragraph 651 of Basel II.

3. A Framework for Internal Control Systems in Banking Organisations (Basel Committee, September 1998) underpins the Committee's current work in the field of operational risk. The Core Principles for Effective Banking Supervision (Basel Committee, October 2006) and the Core Principles Methodology (Committee, October 2006), both for supervisors, and the principles identified by the Committee in the second pillar (supervisory review process) of Basel II are also important reference tools

1.2 ROLE OF SUPERVISORS

6. Supervisors conduct, directly or indirectly, regular independent evaluations of a bank's policies, processes and systems related to operational risk as part of the assessment of the Framework. Supervisors ensure that there are appropriate mechanisms in place which allow them to remain apprised of developments at a bank.

7. Supervisory evaluations of operational risk include all the areas described in the principles for the management of operational risk. Supervisors also seek to ensure that, where banks are part of a financial group, there are processes and procedures in place to ensure that operational risk is managed in an appropriate and integrated manner across the group. In performing this assessment, cooperation and exchange of information with other supervisors, in accordance with established procedures,3 may be necessary. Some supervisors may choose to use external auditors in these assessment processes.4

1 Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: A Revised Framework—Comprehensive Version, Section V (Operational Risk), paragraph 646, Basel, June 2006.

2 BCBS (2006), paragraph 646.

3 Refer to the Committee's papers High-level principles for the cross-border implementation of the New Accord, August 2003, and Principles for home-host supervisory cooperation and allocation mechanisms in the context of Advanced Measurement Approaches (AMA), November 2007.

4 For further discussion, see the Committee's paper The relationship between banking supervisors and bank's external auditors, January 2002.

2 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
8. Deficiencies identified during the supervisory review may be addressed through a range of actions. Supervisors use the tools most suited to the particular circumstances of the bank and its operating environment. In order that supervisors receive current information on operational risk, they may wish to establish reporting mechanisms directly with banks and external auditors (e.g., internal bank management reports on operational risk could be made routinely available to supervisors).

9. Supervisors continue to take an active role in encouraging ongoing internal development efforts by monitoring and evaluating a bank's recent improvements and plans for prospective developments. These efforts can then be compared with those of other banks to provide the bank with useful feedback on the status of its own work. Further, to the extent that there are identified reasons why certain development efforts have proven ineffective, such information could be provided in general terms to assist in the planning process.

1.3 PRINCIPLES FOR THE MANAGEMENT OF OPERATIONAL RISK

10. Operational risk5 is inherent in all banking products, activities, processes and systems, and the effective management of operational risk has always been a fundamental element of a bank's risk management programme. As a result, sound operational risk management is a reflection of the effectiveness of the board and senior management in administering its portfolio of products, activities, processes, and systems. The Committee, through the publication of this chapter, desires to promote and enhance the effectiveness of operational risk management throughout the banking system.

11. Risk management generally encompasses the process of identifying risks to the bank, measuring exposures to those risks (where possible), ensuring that an effective capital planning and monitoring programme is in place, monitoring risk exposures and corresponding capital needs on an ongoing basis, taking steps to control or mitigate risk exposures and reporting to senior management and the board on the bank's risk exposures and capital positions. Internal controls are typically embedded in a bank's day-to-day business and are designed to ensure, to the extent possible, that bank activities are efficient and effective, information is reliable, timely and complete and the bank is compliant with applicable laws and regulation. In practice, the two notions are in fact closely related and the distinction between both is less important than achieving the objectives of each.

12. Sound internal governance forms the foundation of an effective operational risk management Framework. Although internal governance issues related to the management of operational risk are not unlike those encountered in the management of credit or market risk, operational risk management challenges may differ from those in other risk areas.

13. The Committee is seeing sound operational risk governance practices adopted in an increasing number of banks. Common industry practice for sound operational risk governance often relies on three lines of defence—(i) business line management, (ii) an independent corporate operational risk management function and (iii) an independent review.6 Depending on the bank's nature, size and complexity, and the risk profile of a bank's activities, the degree of formality of how these three lines of defence are implemented will vary. In all cases, however, a bank's operational risk governance function should be fully integrated into the bank's overall risk management governance structure.

14. In the industry practice, the first line of defence is business line management. This means that sound operational risk governance will recognise that business line management is responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which it is accountable.

15. A functionally independent corporate operational risk function (CORF)7 is typically the second line of defence, generally

5 Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

6 As discussed in the Committee's paper Operational Risk—Supervisory Guidelines for the Advanced Measurement Approaches, June 2011, independent review includes the following components:
Verification of the Framework is done on a periodic basis and is typically conducted by the bank's internal and/or external audit, but may involve other suitably qualified independent parties from external sources. Verification activities test the effectiveness of the overall Framework, consistent with policies approved by the board of directors, and also test validation processes to ensure they are independent and implemented in a manner consistent with established bank policies.
Validation ensures that the quantification systems used by the bank are sufficiently robust and provides assurance of the integrity of inputs, assumptions, processes and outputs. Specifically, the independent validation process should provide enhanced assurance that the risk measurement methodology results in an operational risk capital charge that credibly reflects the operational risk profile of the bank. In addition to the quantitative aspects of internal validation, the validation of data inputs, methodology and outputs of operational risk models is important to the overall process.

7 In many jurisdictions, the independent corporate operational risk function is known as the corporate operational risk management function.

Chapter 1 Principles for the Sound Management of Operational Risk ■ 3

complementing the business line's operational risk management activities. The degree of independence of the CORF will differ among banks. For small banks, independence may be achieved through separation of duties and independent review of processes and functions. In larger banks, the CORF will have a reporting structure independent of the risk generating business lines and will be responsible for the design, maintenance and ongoing development of the operational risk framework within the bank. This function may include the operational risk measurement and reporting processes, risk committees and responsibility for board reporting. A key function of the CORF is to challenge the business lines' inputs to, and outputs from, the bank's risk management, risk measurement and reporting systems. The CORF should have a sufficient number of personnel skilled in the management of operational risk to effectively address its many responsibilities.

16. The third line of defence is an independent review and challenge of the bank's operational risk management controls, processes and systems. Those performing these reviews must be competent and appropriately trained and not involved in the development, implementation and operation of the Framework. This review may be done by audit or by staff independent of the process or system under review, but may also involve suitably qualified external parties.

17. If operational risk governance utilises the three lines of defence model, the structure and activities of the three lines often varies, depending on the bank's portfolio of products, activities, processes and systems; the bank's size; and its risk management approach. A strong risk culture and good communication among the three lines of defence are important characteristics of good operational risk governance.

18. Internal audit coverage should be adequate to independently verify that the Framework has been implemented as intended and is functioning effectively.8 Where audit activities are outsourced, senior management should consider the effectiveness of the underlying arrangements and the suitability of relying on an outsourced audit function as the third line of defence.

19. Internal audit coverage should include opining on the overall appropriateness and adequacy of the Framework and the associated governance processes across the bank. Internal audit should not simply be testing for compliance with board approved policies and procedures, but should also be evaluating whether the Framework meets organisational needs and supervisory expectations. For example, while internal audit should not be setting specific risk appetite or tolerance, it should review the robustness of the process of how these limits are set and why and how they are adjusted in response to changing circumstances.

20. Because operational risk management is evolving and the business environment is constantly changing, management should ensure that the Framework's policies, processes and systems remain sufficiently robust. Improvements in operational risk management will depend on the degree to which operational risk managers' concerns are considered and the willingness of senior management to act promptly and appropriately on their warnings.

Fundamental Principles of Operational Risk Management

Principle 1: The board of directors should take the lead in establishing a strong risk management culture. The board of directors and senior management9 should establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture10 exists throughout the whole organisation.

Principle 2: Banks should develop, implement and maintain a Framework that is fully integrated into the bank's overall risk management processes. The Framework for operational risk management chosen by an individual bank will depend on a range of factors, including its nature, size, complexity and risk profile.

8 The Committee's paper, Internal Audit in Banks and the Supervisor's Relationship with Auditors, August 2001, describes the role of internal and external audit.

9 This chapter refers to a management structure composed of a board of directors and senior management. The Committee is aware that there are significant differences in legislative and regulatory frameworks across countries as regards the functions of the board of directors and senior management. In some countries, the board has the main, if not exclusive, function of supervising the executive body (senior management, general management) so as to ensure that the latter fulfils its tasks. For this reason, in some cases, it is known as a supervisory board. This means that the board has no executive functions. In other countries, the board has a broader competence in that it lays down the general framework for the management of the bank. Owing to these differences, the terms "board of directors" and "senior management" are used in this chapter not to identify legal constructs but rather to label two decision-making functions within a bank.

10 Internal operational risk culture is taken to mean the combined set of individual and corporate values, attitudes, competencies and behaviour that determine a firm's commitment to and style of operational risk management.

Governance11

The Board of Directors

Principle 3: The board of directors should establish, approve and periodically review the Framework. The board of directors should oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.

Principle 4: The board of directors should approve and review a risk appetite and tolerance statement12 for operational risk that articulates the nature, types, and levels of operational risk that the bank is willing to assume.

Senior Management

Principle 5: Senior management should develop for approval by the board of directors a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing operational risk in all of the bank's material products, activities, processes and systems consistent with the risk appetite and tolerance.

Risk Management Environment

Identification and Assessment

Principle 6: Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.

Principle 7: Senior management should ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.

Monitoring and Reporting

Principle 8: Senior management should implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms should be in place at the board, senior management, and business line levels that support proactive management of operational risk.

Control and Mitigation

Principle 9: Banks should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.

Business Resiliency and Continuity

Principle 10: Banks should have business resiliency and continuity plans in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption.

Role of Disclosure

Principle 11: A bank's public disclosures should allow stakeholders to assess its approach to operational risk management.

1.4 FUNDAMENTAL PRINCIPLES OF OPERATIONAL RISK MANAGEMENT

Principle 1: The board of directors should take the lead in establishing a strong risk management culture. The board of directors and senior management should establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.

21. Banks with a strong culture of risk management and ethical business practices are less likely to experience potentially damaging operational risk events and are better placed to deal effectively with those events that do occur. The actions of the board and senior management, and policies, processes and systems provide the foundation for a sound risk management culture.

22. The board should establish a code of conduct or an ethics policy that sets clear expectations for integrity and ethical values of the highest standard and identify acceptable business practices and prohibited conflicts. Clear expectations and accountabilities ensure that bank staff understand their roles and responsibilities for risk, as well as their authority to act. Strong and consistent senior management support for risk management and ethical behaviour convincingly reinforces codes of conduct and ethics, compensation strategies, and training

11 See also the Committee's Principles for enhancing corporate governance, October 2010.

12 "Risk appetite" is a high level determination of how much risk a firm is willing to accept taking into account the risk/return attributes; it is often taken as a forward looking view of risk acceptance. "Risk tolerance" is a more specific determination of the level of variation a bank is willing to accept around business objectives that is often considered to be the amount of risk a bank is prepared to accept. In this document the terms are used synonymously.


programmes. Compensation policies should be aligned to the bank's statement of risk appetite and tolerance, long-term strategic direction, financial goals and overall safety and soundness.13 They should also appropriately balance risk and reward.

23. Senior management should ensure that an appropriate level of operational risk training is available at all levels throughout the organisation. Training that is provided should reflect the seniority, role and responsibilities of the individuals for whom it is intended.

Principle 2: Banks should develop, implement and maintain a Framework that is fully integrated into the bank's overall risk management processes. The Framework for operational risk management chosen by an individual bank will depend on a range of factors, including its nature, size, complexity and risk profile.

24. The fundamental premise of sound risk management is that the board of directors and bank management understand the nature and complexity of the risks inherent in the portfolio of bank products, services and activities. This is particularly important for operational risk, given that operational risk is inherent in all business products, activities, processes and systems.

25. A vital means of understanding the nature and complexity of operational risk is to have the components of the Framework fully integrated into the overall risk management processes of the bank. The Framework should be appropriately integrated into the risk management processes across all levels of the organisation including those at the group and business line levels, as well as into new business initiatives' products, activities, processes and systems. In addition, results of the bank's operational risk assessment should be incorporated into the overall bank business strategy development processes.

26. The Framework should be comprehensively and appropriately documented in board of directors approved policies and should include definitions of operational risk and operational loss. Banks that do not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of their Framework.

27. Framework documentation should clearly:

a. identify the governance structures used to manage operational risk, including reporting lines and accountabilities;

b. describe the risk assessment tools and how they are used;

c. describe the bank's accepted operational risk appetite and tolerance, as well as thresholds or limits for inherent and residual risk, and approved risk mitigation strategies and instruments;

d. describe the bank's approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;

e. establish risk reporting and Management Information Systems (MIS);

f. provide for a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives14;

g. provide for appropriate independent review and assessment of operational risk; and

h. require the policies to be reviewed whenever a material change in the operational risk profile of the bank occurs, and revised as appropriate.

1.5 GOVERNANCE

The Board of Directors

Principle 3: The board of directors should establish, approve and periodically review the Framework. The board of directors should oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.

28. The board of directors should:

a. establish a management culture, and supporting processes, to understand the nature and scope of the operational risk inherent in the bank's strategies and activities, and develop comprehensive, dynamic oversight and control environments that are fully integrated into or coordinated with the overall framework for managing all risks across the enterprise;

b. provide senior management with clear guidance and direction regarding the principles underlying the Framework and approve the corresponding policies developed by senior management;

c. regularly review the Framework to ensure that the bank has identified and is managing the operational risk arising from external market changes and other environmental factors,

13 See also: the Committee's Report on the range of methodologies for the risk and performance alignment of remuneration, May 2011; the Financial Stability Forum's Principles for sound compensation practices, April 2009; and the Financial Stability Board's FSB principles for sound compensation practices—implementation standards, September 2009.

14 An inconsistent taxonomy of operational risk terms may increase the likelihood of failing to identify and categorise risks, or allocate responsibility for the assessment, monitoring, control and mitigation of risks.

as well as those operational risks associated with new products, activities, processes or systems, including changes in risk profiles and priorities (e.g., changing business volumes);

d. ensure that the bank's Framework is subject to effective independent review by audit or other appropriately trained parties; and

e. ensure that as best practice evolves management is availing themselves of these advances.15

29. Strong internal controls are a critical aspect of operational risk management, and the board of directors should establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence/separation of duties between operational risk management functions, business lines and support functions.

Principle 4: The board of directors should approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk that the bank is willing to assume.

30. When approving and reviewing the risk appetite and tolerance statement, the board of directors should consider all relevant risks, the bank's level of risk aversion, its current financial condition and the bank's strategic direction. The risk appetite and tolerance statement should encapsulate the various operational risk appetites within a bank and ensure that they are consistent. The board of directors should approve appropriate thresholds or limits for specific operational risks, and an overall operational risk appetite and tolerance.

31. The board of directors should regularly review the appropriateness of limits and the overall operational risk appetite and tolerance statement. This review should consider changes in the external environment, material increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume or nature of limit breaches. The board should monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.

Senior Management

Principle 5: Senior management should develop for approval by the board of directors a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing operational risk in all of the bank's material products, activities, processes and systems consistent with the risk appetite and tolerance.

32. Senior management is responsible for establishing and maintaining robust challenge mechanisms and effective issue-resolution processes. These should include systems to report, track and, when necessary, escalate issues to ensure resolution. Banks should be able to demonstrate that the three lines of defence approach is operating satisfactorily and to explain how the board and senior management ensure that this approach is implemented and operating in an appropriate and acceptable manner.

33. Senior management should translate the operational risk management Framework established by the board of directors into specific policies and procedures that can be implemented and verified within the different business units. Senior management should clearly assign authority, responsibility and reporting relationships to encourage and maintain accountability, and to ensure that the necessary resources are available to manage operational risk in line with the bank's risk appetite and tolerance statement. Moreover, senior management should ensure that the management oversight process is appropriate for the risks inherent in a business unit's activity.

34. Senior management should ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in the bank who are responsible for the procurement of external services such as insurance risk transfer and outsourcing arrangements. Failure to do so could result in significant gaps or overlaps in a bank's overall risk management programme.

35. The managers of the CORF should be of sufficient stature within the bank to perform their duties effectively, ideally evidenced by title commensurate with other risk management functions such as credit, market and liquidity risk.

36. Senior management should ensure that bank activities are conducted by staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the institution's risk policy should have authority independent from the units they oversee.

37. A bank's governance structure should be commensurate with the nature, size, complexity and risk profile of its activities.

15 See the Committee's 2006 International Convergence of Capital Measurement and Capital Standards: A Revised Framework—Comprehensive Version; paragraph 718(xci).


When designing the operational risk governance structure, a bank should take the following into consideration:

a. Committee structure—Sound industry practice for larger and more complex organisations with a central group function and separate business units is to utilise a board-created enterprise level risk committee for overseeing all risks, to which a management level operational risk committee reports. Depending on the nature, size and complexity of the bank, the enterprise level risk committee may receive input from operational risk committees by country, business or functional area. Smaller and less complex organisations may utilise a flatter organisational structure that oversees operational risk directly within the board's risk management committee;

b. Committee composition—Sound industry practice is for operational risk committees (or the risk committee in smaller banks) to include a combination of members with expertise in business activities and financial, as well as independent risk management. Committee membership can also include independent non-executive board members, which is a requirement in some jurisdictions; and

c. Committee operation—Committee meetings should be held at appropriate frequencies with adequate time and resources to permit productive discussion and decision-making. Records of committee operations should be adequate to permit review and evaluation of committee effectiveness.

1.6 RISK MANAGEMENT ENVIRONMENT

Identification and Assessment

Principle 6: Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.

38. Risk identification and assessment are fundamental characteristics of an effective operational risk management system. Effective risk identification considers both internal factors16 and external factors.17 Sound risk assessment allows the bank to better understand its risk profile and allocate risk management resources and strategies most effectively.

39. Examples of tools that may be used for identifying and assessing operational risk include:

a. Audit Findings: While audit findings primarily focus on control weaknesses and vulnerabilities, they can also provide insight into inherent risk due to internal or external factors.

b. Internal Loss Data Collection and Analysis: Internal operational loss data provides meaningful information for assessing a bank's exposure to operational risk and the effectiveness of internal controls. Analysis of loss events can provide insight into the causes of large losses and information on whether control failures are isolated or systematic.18 Banks may also find it useful to capture and monitor operational risk contributions to credit and market risk related losses in order to obtain a more complete view of their operational risk exposure;

c. External Data Collection and Analysis: External data elements consist of gross operational loss amounts, dates, recoveries, and relevant causal information for operational loss events occurring at organisations other than the bank. External loss data can be compared with internal loss data, or used to explore possible weaknesses in the control environment or consider previously unidentified risk exposures;

d. Risk Assessments: In a risk assessment, often referred to as a Risk Self Assessment (RSA), a bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. A similar approach, Risk Control Self Assessments (RCSA), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered). Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment;

e. Business Process Mapping: Business process mappings identify the key steps in business processes, activities and organisational functions. They also identify the key risk points in the overall business process. Process maps can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. They also can help prioritise subsequent management action;

16 For example, the bank's structure, the nature of the bank's activities, the quality of the bank's human resources, organisational changes and employee turnover.

17 For example, changes in the broader environment and the industry and advances in technology.

18 Mapping internal loss data, particularly in larger banks, to the Level 1 business lines and loss event types defined in Annexes 8 and 9 of the 2006 Basel II document can facilitate comparison with external loss data.

8 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
f. Risk and Performance Indicators: Risk and performance indicators are risk metrics and/or statistics that provide insight into a bank's risk exposure. Risk indicators, often referred to as Key Risk Indicators (KRIs), are used to monitor the main drivers of exposure associated with key risks. Performance indicators, often referred to as Key Performance Indicators (KPIs), provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss. Risk and performance indicators are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and prompt mitigation plans;
g. Scenario Analysis: Scenario analysis is a process of obtaining expert opinion of business line and risk managers to identify potential operational risk events and assess their potential outcome. Scenario analysis is an effective tool to consider potential sources of significant operational risk and the need for additional risk management controls or mitigation solutions. Given the subjectivity of the scenario process, a robust governance framework is essential to ensure the integrity and consistency of the process;
h. Measurement: Larger banks may find it useful to quantify their exposure to operational risk by using the output of the risk assessment tools as inputs into a model that estimates operational risk exposure. The results of the model can be used in an economic capital process and can be allocated to business lines to link risk and return; and
i. Comparative Analysis: Comparative analysis consists of comparing the results of the various assessment tools to provide a more comprehensive view of the bank's operational risk profile. For example, comparison of the frequency and severity of internal data with RCSAs can help the bank determine whether self assessment processes are functioning effectively. Scenario data can be compared to internal and external data to gain a better understanding of the severity of the bank's exposure to potential risk events.

40. The bank should ensure that the internal pricing and performance measurement mechanisms appropriately take into account operational risk. Where operational risk is not considered, risk-taking incentives might not be appropriately aligned with the risk appetite and tolerance.

Principle 7: Senior management should ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.

41. In general, a bank's operational risk exposure is increased when a bank engages in new activities or develops new products; enters unfamiliar markets; implements new business processes or technology systems; and/or engages in businesses that are geographically distant from the head office. Moreover, the level of risk may escalate when new products, activities, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations. A bank should ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products, activities, processes and systems.

42. A bank should have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process should consider:
a. inherent risks in the new product, service, or activity;
b. changes to the bank's operational risk profile and appetite and tolerance, including the risk of existing products or activities;
c. the necessary controls, risk management processes, and risk mitigation strategies;
d. the residual risk;
e. changes to relevant risk thresholds or limits; and
f. the procedures and metrics to measure, monitor, and manage the risk of the new product or activity.

The approval process should also include ensuring that appropriate investment has been made for human resources and technology infrastructure before new products are introduced. The implementation of new products, activities, processes and systems should be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

Monitoring and Reporting

Principle 8: Senior management should implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms should be in place at the board, senior management, and business line levels that support proactive management of operational risk.

43. Banks are encouraged to continuously improve the quality of operational risk reporting. A bank should ensure that its reports are comprehensive, accurate, consistent and actionable across business lines and products. Reports should be manageable in scope and volume; effective decision making is impeded by both excessive amounts and paucity of data.

44. Reporting should be timely and a bank should be able to produce reports in both normal and stressed market conditions.


The frequency of reporting should reflect the risks involved and the pace and nature of changes in the operating environment. The results of monitoring activities should be included in regular management and board reports, as should assessments of the Framework performed by the internal audit and/or risk management functions. Reports generated by (and/or for) supervisory authorities should also be reported internally to senior management and the board, where appropriate.

45. Operational risk reports may contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision making. Operational risk reports should include:
a. breaches of the bank's risk appetite and tolerance statement, as well as thresholds or limits;
b. details of recent significant internal operational risk events and losses; and
c. relevant external events and any potential impact on the bank and operational risk capital.

46. Data capture and risk reporting processes should be analysed periodically with a view to continuously enhancing risk management performance as well as advancing risk management policies, procedures and practices.

Control and Mitigation

Principle 9: Banks should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.

47. Internal controls should be designed to provide reasonable assurance that a bank will have efficient and effective operations; safeguard its assets; produce reliable financial reports; and comply with applicable laws and regulations. A sound internal control programme consists of five components that are integral to the risk management process: control environment, risk assessment, control activities, information and communication, and monitoring activities.19

48. Control processes and procedures should include a system for ensuring compliance with policies. Examples of principal elements of a policy compliance assessment include:
a. top-level reviews of progress towards stated objectives;
b. verifying compliance with management controls;
c. review of the treatment and resolution of instances of non-compliance;
d. evaluation of the required approvals and authorisations to ensure accountability to an appropriate level of management; and
e. tracking reports for approved exceptions to thresholds or limits, management overrides and other deviations from policy.

49. An effective control environment also requires appropriate segregation of duties. Assignments that establish conflicting duties for individuals or a team without dual controls or other countermeasures may enable concealment of losses, errors or other inappropriate actions. Therefore, areas of potential conflicts of interest should be identified, minimised, and be subject to careful independent monitoring and review.

50. In addition to segregation of duties and dual control, banks should ensure that other traditional internal controls are in place as appropriate to address operational risk. Examples of these controls include:
a. clearly established authorities and/or processes for approval;
b. close monitoring of adherence to assigned risk thresholds or limits;
c. safeguards for access to, and use of, bank assets and records;
d. appropriate staffing level and training to maintain expertise;
e. ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations;20
f. regular verification and reconciliation of transactions and accounts; and
g. a vacation policy that provides for officers and employees being absent from their duties for a period of not less than two consecutive weeks.

51. Effective use and sound implementation of technology can contribute to the control environment. For example, automated processes are less prone to error than manual processes. However, automated processes introduce risks that must be addressed through sound technology governance and infrastructure risk management programmes.

19 The Committee's paper Framework for Internal Control Systems in Banking Organisations, September 1998, discusses internal controls in greater detail.

20 For example, where a supposedly low risk, low margin trading activity generates high returns that could call into question whether such returns have been achieved as a result of an internal control breach.

52. The use of technology related products, activities, processes and delivery channels exposes a bank to strategic, operational,
and reputational risks and the possibility of material financial loss.21 Consequently, a bank should have an integrated approach to identifying, measuring, monitoring and managing technology risks. Sound technology risk management uses the same precepts as operational risk management and includes:
a. governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with and supportive of the bank's business objectives;
b. policies and procedures that facilitate identification and assessment of risk;
c. establishment of a risk appetite and tolerance statement as well as performance expectations to assist in controlling and managing risk;
d. implementation of an effective control environment and the use of risk transfer strategies that mitigate risk; and
e. monitoring processes that test for compliance with policy thresholds or limits.

53. Management should ensure the bank has a sound technology infrastructure22 that meets current and long-term business requirements by providing sufficient capacity for normal activity levels as well as peaks during periods of market stress; ensuring data and system integrity, security, and availability; and supporting integrated and comprehensive risk management. Mergers and acquisitions resulting in fragmented and disconnected infrastructure, cost-cutting measures or inadequate investment can undermine a bank's ability to aggregate and analyse information across risk dimensions or the consolidated enterprise, manage and report risk on a business line or legal entity basis, or oversee and manage risk in periods of high growth. Management should make appropriate capital investment or otherwise provide for a robust infrastructure at all times, particularly before mergers are consummated, high growth strategies are initiated, or new products are introduced.

54. Outsourcing23 is the use of a third party—either an affiliate within a corporate group or an unaffiliated external entity—to perform activities on behalf of the bank. Outsourcing can involve transaction processing or business processes. While outsourcing can help manage costs, provide expertise, expand product offerings, and improve services, it also introduces risks that management should address. The board and senior management are responsible for understanding the operational risks associated with outsourcing arrangements and ensuring that effective risk management policies and practices are in place to manage the risk in outsourcing activities. Outsourcing policies and risk management activities should encompass:
a. procedures for determining whether and how activities can be outsourced;
b. processes for conducting due diligence in the selection of potential service providers;
c. sound structuring of the outsourcing arrangement, including ownership and confidentiality of data, as well as termination rights;
d. programmes for managing and monitoring the risks associated with the outsourcing arrangement, including the financial condition of the service provider;
e. establishment of an effective control environment at the bank and the service provider;
f. development of viable contingency plans; and
g. execution of comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.

55. In those circumstances where internal controls do not adequately address risk and exiting the risk is not a reasonable option, management can complement controls by seeking to transfer the risk to another party such as through insurance. The board of directors should determine the maximum loss exposure the bank is willing and has the financial capacity to assume, and should perform an annual review of the bank's risk and insurance management programme. While the specific insurance or risk transfer needs of a bank should be determined on an individual basis, many jurisdictions have regulatory requirements that must be considered.24

56. Because risk transfer is an imperfect substitute for sound controls and risk management programmes, banks should view risk transfer tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly identify, recognise and rectify distinct operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, transfer the risk to another business sector or area, or create a new risk (e.g., counterparty risk).

21 Refer also to the Committee's July 1989 paper Risks in Computer and Telecommunication Systems, and its May 2001 paper Risk Management Principles for Electronic Banking.

22 Technology infrastructure refers to the underlying physical and logical design of information technology and communication systems, the individual hardware and software components, data, and the operating environments.

23 Refer also to the Joint Forum's February 2005 paper Outsourcing in Financial Services.

24 See also the Committee's paper, Recognising the risk-mitigating impact of insurance in operational risk modelling, October 2010.
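The segregation-of-duties requirement in paragraphs 49 and 50 above is, in practice, verified against an entitlement export rather than by inspection, and the conflicts that matter most are the ones hidden behind nested roles. The following Python check is an added example written for this page, not part of the Basel Committee text; the duty names, role hierarchy, user assignments and the compensating-control register are all constructed for illustration. It expands role inclusion to the duties a user effectively holds, flags any user holding both sides of a toxic combination, and separates findings covered by a registered dual-control or independent-review countermeasure from unmitigated ones.

```python
"""Segregation-of-duties (SoD) check over a role-based entitlement model.

Added example for this page; not part of the Basel text. Every duty, role,
user and control identifier below is constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Toxic combinations: one person holding both duties can act and conceal
# (constructed conflict matrix; real ones are maintained by control owners).
CONFLICT_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"payment.initiate", "payment.approve"}),
    frozenset({"trade.book", "trade.confirm"}),
    frozenset({"gl.post", "gl.reconcile"}),
    frozenset({"user.create", "user.approve_access"}),
}

# Countermeasures registered against a conflict (para 49: dual controls or
# "other countermeasures"). A covered conflict is still reported but is not
# an unmitigated violation. The control reference is hypothetical.
COMPENSATING_CONTROLS: Dict[FrozenSet[str], str] = {
    frozenset({"gl.post", "gl.reconcile"}): "independent monthly reconciliation review (CTRL-017)",
}

# Role model: a role grants duties directly and may include other roles.
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "ap_clerk":      {"duties": {"payment.initiate"},        "includes": set()},
    "ap_supervisor": {"duties": {"payment.approve"},         "includes": {"ap_clerk"}},
    "gl_accountant": {"duties": {"gl.post", "gl.reconcile"}, "includes": set()},
    "trader":        {"duties": {"trade.book"},              "includes": set()},
    "ops_confirm":   {"duties": {"trade.confirm"},           "includes": set()},
    "iam_admin":     {"duties": {"user.create"},             "includes": set()},
}

# Constructed user-to-role assignments (an entitlement export in miniature).
USERS: Dict[str, Set[str]] = {
    "alice": {"ap_supervisor"},          # inherits payment.initiate via ap_clerk
    "bob":   {"trader", "ops_confirm"},  # holds both sides directly
    "carol": {"gl_accountant"},          # conflict, but a countermeasure is registered
    "dave":  {"ap_clerk", "iam_admin"},  # no toxic pair
}


def effective_duties(assigned: Iterable[str],
                     roles: Dict[str, Dict[str, Set[str]]] = ROLES) -> Set[str]:
    """Transitive closure over role inclusion; tolerates cycles in the role graph."""
    duties: Set[str] = set()
    seen: Set[str] = set()
    queue = deque(assigned)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        duties |= roles[role]["duties"]
        queue.extend(roles[role]["includes"])
    return duties


@dataclass(frozen=True)
class Finding:
    user: str
    duties: Tuple[str, ...]        # the conflicting pair, sorted
    mitigated_by: Optional[str]    # registered countermeasure, if any


def find_conflicts(users: Dict[str, Set[str]] = USERS,
                   roles: Dict[str, Dict[str, Set[str]]] = ROLES) -> List[Finding]:
    """Report every user whose effective duties contain a toxic combination."""
    findings: List[Finding] = []
    ordered_pairs = sorted(CONFLICT_PAIRS, key=lambda p: tuple(sorted(p)))
    for user, assigned in sorted(users.items()):
        held = effective_duties(assigned, roles)
        for pair in ordered_pairs:
            if pair <= held:
                findings.append(Finding(user, tuple(sorted(pair)),
                                        COMPENSATING_CONTROLS.get(pair)))
    return findings


def unmitigated(findings: Iterable[Finding]) -> List[Finding]:
    """Conflicts with no registered countermeasure: these need a fix, not a report."""
    return [f for f in findings if f.mitigated_by is None]


if __name__ == "__main__":
    for f in find_conflicts():
        status = f"mitigated by {f.mitigated_by}" if f.mitigated_by else "UNMITIGATED"
        print(f"{f.user}: {' + '.join(f.duties)} -> {status}")
```

Run against the constructed data, alice and bob are reported as unmitigated (alice only because role expansion surfaces the inherited duty) and carol's conflict is reported as covered by the registered review. The team-level case in paragraph 49 can be checked the same way by pooling a team's effective duties in place of a user's, but a check of this kind detects toxic entitlement combinations, not collusion between separately entitled individuals.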


1.7 BUSINESS RESILIENCY AND CONTINUITY

Principle 10: Banks should have business resiliency and continuity plans in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption.25

57. Banks are exposed to disruptive events, some of which may be severe and result in an inability to fulfil some or all of their business obligations. Incidents that damage or render inaccessible the bank's facilities, telecommunication or information technology infrastructures, or a pandemic event that affects human resources, can result in significant financial losses to the bank, as well as broader disruptions to the financial system. To provide resiliency against this risk, a bank should establish business continuity plans commensurate with the nature, size and complexity of their operations. Such plans should take into account different types of likely or plausible scenarios to which the bank may be vulnerable.

58. Continuity management should incorporate business impact analysis, recovery strategies, testing, training and awareness programmes, and communication and crisis management programmes. A bank should identify critical business operations,26 key internal and external dependencies,27 and appropriate resilience levels. Plausible disruptive scenarios should be assessed for their financial, operational and reputational impact, and the resulting risk assessment should be the foundation for recovery priorities and objectives. Continuity plans should establish contingency strategies, recovery and resumption procedures, and communication plans for informing management, employees, regulatory authorities, customers, suppliers, and—where appropriate—civil authorities.

59. A bank should periodically review its continuity plans to ensure contingency strategies remain consistent with current operations, risks and threats, resiliency requirements, and recovery priorities. Training and awareness programmes should be implemented to ensure that staff can effectively execute contingency plans. Plans should be tested periodically to ensure that recovery and resumption objectives and timeframes can be met. Where possible, a bank should participate in disaster recovery and business continuity testing with key service providers. Results of formal testing activity should be reported to management and the board.

1.8 ROLE OF DISCLOSURE

Principle 11: A bank's public disclosures should allow stakeholders to assess its approach to operational risk management.

60. A bank's public disclosure of relevant operational risk management information can lead to transparency and the development of better industry practice through market discipline. The amount and type of disclosure should be commensurate with the size, risk profile and complexity of a bank's operations, and evolving industry practice.

61. A bank should disclose its operational risk management framework in a manner that will allow stakeholders to determine whether the bank identifies, assesses, monitors and controls/mitigates operational risk effectively.28

62. A bank's disclosures should be consistent with how senior management and the board of directors assess and manage the operational risk of the bank.

63. A bank should have a formal disclosure policy approved by the board of directors that addresses the bank's approach for determining what operational risk disclosures it will make and the internal controls over the disclosure process. In addition, banks should implement a process for assessing the appropriateness of their disclosures, including the verification and frequency of them.29

25 The Committee's paper, High-level principles for business continuity, August 2006, discusses sound continuity principles in greater detail.

26 A bank's business operations include the facilities, people and processes for delivering products and services or performing core activities, as well as technology systems and data.

27 External dependencies include utilities, vendors and third-party service providers.

28 Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: A Revised Framework—Comprehensive Version, Section V (Operational Risk), Basel, June 2006, paragraph 810.

29 Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: A Revised Framework—Comprehensive Version, Section V (Operational Risk), Basel, June 2006, paragraph 821.
Learning Objectives

After completing this reading you should be able to:

Define enterprise risk management (ERM) and explain how implementing ERM practices and policies can create shareholder value, both at the macro and the micro level.

Explain how a company can determine its optimal amount of risk through the use of credit rating targets.

Describe the development and implementation of an ERM system, as well as challenges to the implementation of an ERM system.

Describe the role of and issues with correlation in risk aggregation, and describe typical properties of a firm's market risk, credit risk, and operational risk distributions.

Distinguish between regulatory and economic capital, and explain the use of economic capital in the corporate decision making process.

Excerpt is from Journal of Applied Corporate Finance 18, No. 4 (2006), by Brian W. Nocco and Rene M. Stulz*

* We are grateful for comments from Don Chew, Michael Hofmann, Joanne Lamm-Tennant, Tom O'Brien, Jerome Taillard, and William Wilt.
The past two decades have seen a dramatic change in the role of risk management in corporations. Twenty years ago, the job of the corporate risk manager—typically, a low-level position in the corporate treasury—involved mainly the purchase of insurance. At the same time, treasurers were responsible for the hedging of interest rate and foreign exchange exposures. Over the last ten years, however, corporate risk management has expanded well beyond insurance and the hedging of financial exposures to include a variety of other kinds of risk—notably operational risk, reputational risk, and, most recently, strategic risk. What's more, at a large and growing number of companies, the risk management function is directed by a senior executive with the title of chief risk officer (CRO) and overseen by a board of directors charged with monitoring risk measures and setting limits for these measures.

A corporation can manage risks in one of two fundamentally different ways: (1) one risk at a time, on a largely compartmentalized and decentralized basis; or (2) all risks viewed together within a coordinated and strategic framework. The latter approach is often called "enterprise risk management," or "ERM" for short. In this article, we suggest that companies that succeed in creating an effective ERM have a long-run competitive advantage over those that manage and monitor risks individually. Our argument in brief is that, by measuring and managing its risks consistently and systematically, and by giving its business managers the information and incentives to optimize the trade-off between risk and return, a company strengthens its ability to carry out its strategic plan.

In the pages that follow, we start by explaining how ERM can give companies a competitive advantage and add value for shareholders. Next we describe the process and challenges involved in implementing ERM. We begin by discussing how a company should assess its risk "appetite," an assessment that should guide management's decision about how much and which risks to retain and which to lay off. Then we show how companies should measure their risks. Third, we discuss various means of laying off "non-core" risks, which, as we argue below, increases the firm's capacity for bearing those "core" risks the firm chooses to retain. Though ERM is conceptually straightforward, its implementation is not. And in the last—and longest—section of the chapter, we provide an extensive guide to the major difficulties that arise in practice when implementing ERM.

2.1 HOW DOES ERM CREATE SHAREHOLDER VALUE?

ERM creates value through its effects on companies at both a "macro" or company-wide level and a "micro" or business-unit level. At the macro level, ERM creates value by enabling senior management to quantify and manage the risk-return trade-off that faces the entire firm. By adopting this perspective, ERM helps the firm maintain access to the capital markets and other resources necessary to implement its strategy and business plan.

At the micro level, ERM becomes a way of life for managers and employees at all levels of the company. Though the academic literature has concentrated mainly on the macro-level benefits of ERM, the micro-level benefits are extremely important in practice. As we argue below, a well-designed ERM system ensures that all material risks are "owned," and risk-return trade-offs carefully evaluated, by operating managers and employees throughout the firm.

The Macro Benefits of Risk Management

Students in the first finance course of an MBA program often come away with the "perfect markets" view that since shareholders can diversify their own portfolios, the value of a firm does not depend on its "total" risk. In this view, a company's cost of capital, which is a critical determinant of its P/E ratio, depends mainly on the "systematic" or "nondiversifiable" component of that risk (as typically measured by a company's "beta"). And this in turn implies that efforts to manage total risk are a waste of corporate resources.

But in the real world, where investors' information is far from complete and financial troubles can disrupt a company's operations, a bad outcome resulting from a "diversifiable" risk—say, an unexpected spike in a currency or commodity price—can have costs that go well beyond the immediate hit to cash flow and earnings. In the language of economists, such risks can have large "deadweight" costs.1

1 There is a large academic literature that investigates how firm value depends on total risk. For a review of that literature, see Rene Stulz, Risk Management and Derivatives, Southwestern Publishing, 2002.

To illustrate, if a company expects operating cash flow of $200 million for the year and instead reports a loss of $50 million, a cash shortfall of this size can be far more costly to the firm than just the missing $250 million. First of all, to the extent it affects the market's expectation of future cash flows and earnings, such a shortfall will generally be associated with a reduction in firm value of much more than $250 million—a reduction that reflects the market's expectation of lower growth. And even if operating cash flow rebounds quickly, there could be other, longer-lasting effects. For example, assume the company has a number of strategic investment opportunities that require immediate funding. Unless the firm has considerable excess cash or unused
debt capacity, it may be faced with the tough choice of cutting back on planned investments or raising equity in difficult circumstances and on expensive terms. If the cost of issuing equity is high enough, management may have little choice but to cut investment. And unlike the adjustment of market expectations in response to what proves to be a temporary cash shortfall, the loss in value from the firm having to pass up positive-NPV projects represents a permanent reduction in value.

For most companies, guarding against this corporate "underinvestment problem" is likely to be the most important reason to manage risk. By hedging or otherwise managing risk, a firm can limit (to an agreed-upon level) the probability that a large cash shortfall will lead to value-destroying cutbacks in investment. And it is in this sense that the main function of corporate risk management can be seen as protecting a company's ability to carry out its business plan.

But which risks should a company lay off and which should it retain? Corporate exposures to changes in currencies, interest rates, and commodity prices can often be hedged fairly inexpensively using derivatives such as forwards, futures, swaps, and options. For instance, a foreign exchange hedging program using forward contracts typically has very low transaction costs; and when the transfer of risk is inexpensive, there is a strong case for laying off economic risks that could otherwise undermine a company's ability to execute its strategic plan.

On the other hand, companies in the course of their normal activities take many strategic or business risks that they cannot profitably lay off in capital markets or other developed risk transfer markets. For instance, a company with a promising plan to expand its business typically cannot find an economic hedge—if indeed there is any hedge at all—for the business risks associated with pursuing such growth. The company's management presumably understands the risks of such expansion better than any insurance or derivatives provider—if they don't, the company probably shouldn't be undertaking the project. If the company were to seek a counterparty to bear such business risks, the costs of transferring such risks would likely be prohibitively high, since they would have to be high enough to compensate the counterparty for transacting with a better informed party and for constructing models to evaluate the risks they're being asked to hedge. For this reason, we should not be surprised that insurance companies do not offer insurance contracts that provide complete coverage for earnings shortfalls or that there is no market for derivatives for which the underlying is a company's earnings. The insured companies would be in a position not only to know more than the insurers about the distribution of their future earnings, but to manipulate that distribution to increase the payoffs from such insurance policies. A firm that entered into a derivatives contract with its earnings as the underlying would have a similar advantage over a derivatives dealer.

More generally, in making decisions whether to retain or transfer risks, companies should be guided by the principle of comparative advantage in risk-bearing.2 A company that has no special ability to forecast market variables has no comparative advantage in bearing the risk associated with those variables. In contrast, the same company should have a comparative advantage in bearing information-intensive, firm-specific business risks because it knows more about these risks than anybody else. For example, at Nationwide Insurance, exposures to changes in interest rates and equity markets are managed in strict ranges, with excess exposures reduced through asset repositioning or hedging. At the same time, Nationwide retains the vast majority of its insurance risks, a decision that reflects the firm's advantage relative to any potential risk transfer counterparty in terms of experience with and knowledge of such risks.

One important benefit of thinking in terms of comparative advantage is to reinforce the message that companies are in business to take strategic and business risks. The recognition that there are no economical ways of transferring risks that are unique to a company's business operations can serve to underscore the potential value of reducing the firm's exposure to other, "non-core" risks.3 Once management has decided that the firm has a comparative advantage in taking certain business risks, it should use risk management to help the firm make the most of this advantage. Which brings us to a paradox of risk management: By reducing non-core exposures, ERM effectively enables companies to take more strategic business risk—and greater advantage of the opportunities in their core business.

2 For an extended treatment of this concept, see Rene Stulz, "Rethinking Risk Management," Journal of Applied Corporate Finance, Vol. 9 No. 3, Fall 1996.

3 For a discussion of core and non-core risks, see Robert Merton, "You Have More Capital Than You Think," Harvard Business Review (November, 2005).

The Micro Benefits of ERM

As discussed above, an increase in total risk can end up reducing value by causing companies to pass up valuable projects or otherwise disrupting the normal operations of the firm. These costs associated with total risk should be accounted for when assessing the risk-return trade-off in all major new investments. If the company takes on a project that increases the firm's total risk, the project should be sufficiently profitable to provide an adequate return on capital after compensating for the costs associated with the increase in risk. This risk-return trade-off

Chapter 2 Enterprise Risk Management: Theory and Practice ■ 15


must be evaluated for all corporate decisions that are expected to have a material impact on total risk.

Thus, a major challenge for a company implementing ERM is to ensure that decision-making not just by senior management, but by business managers throughout the firm, takes proper account of the risk-return trade-off. To make this happen, the risk evaluations of new projects must be performed, at least initially, on a decentralized basis by the project planners in the business units. A completely centralized evaluation of the risk-return trade-off of individual projects would lead to corporate gridlock. Take the extreme case of a trader. Centralized evaluation would require the CRO's approval of each of the trader's decisions with a potentially material impact on the firm's risk. But in a decentralized evaluation of the risk-return trade-off, each unit in the corporation evaluates this trade-off in its decision making. An important part of senior management's and the CRO's job is to provide the information and incentives for each unit to make these trade-offs in ways that serve the interests of the shareholders.

There are two main components of decentralizing the risk-return trade-off in a company:

a. First, managers proposing new projects should be required to evaluate all major risks in the context of the marginal impact of the projects on the firm's total risk. The company's decision-making framework should require the business managers to evaluate project returns in relation to the marginal increases in firm-wide risk to achieve the optimal amount of risk at the corporate level.

b. Second, to help ensure that managers do a good job of assessing the risk-return trade-off, the periodic performance evaluations of the business units must take account of the contributions of each of the units to the total risk of the firm. As we will see later, this can be done by assigning a level of additional "imputed" capital to the project to reflect such incremental risk—capital on which the project manager will be expected to earn an adequate return. By so doing, the corporation not only measures its true economic performance, but also creates incentives for managers to manage the risk-return trade-off effectively by refusing to accept risks that are not economically attractive.

With the help of these two mechanisms that are essential to the management of firm-wide risk, a company that implements ERM can transform its culture. Without these means, risk will be accounted for in an ad hoc, subjective way, or ignored. In the former case, promising projects could be rejected when risks are overstated. In the latter case, systems that ignore risk will end up encouraging high-risk projects, in many cases without the returns to justify them. Perhaps even more troubling, one division could take a project that another would reject based on a different assessment of the project's risk and associated costs. With the above capital allocation and performance evaluation mechanisms put in place when ERM is implemented, business managers are forced to consider the impact of all material risks in their investment and operating decisions. In short, every risk is "owned" since it affects someone's performance evaluation.

Spreading risk ownership throughout the company has become more important as the scope of risk management has expanded to include operating and reputational risks. Ten or 20 years ago, when risk management focused mainly on financial risks, companies could centrally measure and manage their exposures to market rates. But operational risks typically cannot be hedged. Some of these risks can be insured, but companies often choose to reduce their exposure to such risks by changing procedures and technologies. The individuals who are closest to these risks are generally in the best position to assess what steps should be taken to reduce the firm's exposure to them. So, for example, decisions to manage operating risks are often entrusted to line managers whose decisions are based on their knowledge of the business, and supplemented by technical experts where appropriate.

Nationwide has developed a "factor-based" capital allocation approach for its management accounting and performance evaluation system. Capital factors are assigned to products based on the perceived risk of such products. For example, the risk associated with, and capital allocated to, insuring a home in a hurricane- or earthquake-prone area is greater than that for a home in a region not exposed to catastrophes.

One of the most important purposes of such a risk-based capital allocation system is to provide business managers with more information about how their own investment and operating decisions are likely to affect both corporate-wide performance and the measures by which their performance will be evaluated. When combined with a performance evaluation system in this way, a risk-based capital allocation approach effectively forces the business managers to consider risk in their decision-making. Nationwide's risk factors are updated annually as part of the strategic and operational planning process, reflecting changes in risk and diversification. Decision-making authority is delegated by means of a risk limit structure that is consistent with Nationwide's risk appetite framework.

2.2 DETERMINING THE RIGHT AMOUNT OF RISK

How should a company determine the optimal amount of total risk to bear? To answer this question, it's important to start by

16 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
recognizing that the costs associated with the cash shortfalls we discussed earlier would not exist if the firm had a larger buffer stock of equity capital invested in liquid assets. But carrying excess equity also, of course, has costs. For example, a recent study concludes that, for some companies (typically larger, mature companies), the last dollar of "excess" cash is valued by the market at as little as 60 cents.4

By reducing risk, a company can reduce the amount of expensive equity capital needed to support its operating risks. In this sense, risk management can be viewed as a substitute for equity capital, and an important part of the job of the CRO and top management is to evaluate the trade-off between more active risk management and holding a larger buffer stock of cash and equity.

As we saw earlier, for companies without a large buffer of excess equity, a sharp drop in cash flow and value can lead to financial distress and a further (permanent) loss of value from underinvestment. Let's define "financial distress" to be any situation where a company is likely to feel compelled to pass up positive net present value (NPV) activities.

Many companies identify a level of earnings or cash flow that they want to maintain under almost all circumstances (i.e., with an agreed-upon level of statistical confidence, say 95%, over a one-year period) and then design their risk management programs to ensure the firm achieves that minimum. For example, in the case described earlier of the firm with a $250 million shortfall, management may want to explore steps that would ensure that the firm almost never loses more than, say, $100 million in a year, since that may be the point where management begins to feel pressure to cut projects. But, as the mention of statistical confidence intervals suggests, a company cannot—nor should it attempt to—guarantee that its cash and earnings will never fall below the level it's aiming to protect. As long as a company operates in a business that promises more than the risk-free rate, there will be some risk of falling into financial distress.

What management can accomplish through an ERM program, then, is not to minimize or eliminate, but rather to limit, the probability of distress to a level that management and the board agree is likely to maximize firm value. Minimizing the probability of distress, which could be achieved by investing most of the firm's capital in Treasury bills, is clearly not in the interests of shareholders. Management's job is rather to optimize the firm's risk portfolio by trading off the probability of large shortfalls and the associated costs with the expected gains from taking or retaining risks.

Let's refer to this targeted minimal level of resources (which can be formulated in terms of cash flow, capital, or market value) as the company's financial distress "threshold." Many companies use bond ratings to define this threshold. For example, management may conclude that the firm would have to start giving up valuable projects if its rating falls to Baa. In that case, it would adopt a financial and risk management policy that aims to limit to an acceptably low level the probability that the firm's rating will fall to Baa or lower. Given a firm's current rating—and let's assume it is Aa—it is straightforward to use data supplied by the rating agencies to estimate the average probability that the firm's rating will fall to Baa or lower. A study by Moody's using data from 1920 to 2005 shows that the probability of a company with an Aa rating having its rating drop to Baa or lower within a year's time is 1.05%, on average.5

Whether such a probability is acceptable is for top management and the board to decide. For a company with many valuable growth opportunities, even just a 1% chance of having to forgo such investments may be too risky. By contrast, a basic manufacturing firm with few growth opportunities is likely to be better off making aggressive use of leverage, maximizing the tax benefits of debt, and returning excess funds to shareholders. For such a firm, the costs associated with financial trouble would be relatively low, at least as a percentage of total value.

For financial companies like Nationwide, however, there is another important consideration when evaluating the costs of financial distress that is specific to financial institutions: financial trouble has an adverse impact on liabilities like bank deposits and insurance contracts that constitute an important source of the value of banks and insurance companies.6 Because such liabilities are very credit-sensitive, these financial institutions generally aim to maximize their value by targeting a much lower probability of distress than the typical industrial firm.

Let's suppose for the moment that a rating is a completely reliable and sufficient measure of the probability that a company will default—an assumption we will reexamine later. And let's consider a company that would have to start giving up valuable

4 By contrast, for riskier companies with lots of growth opportunities, the same dollar can be worth as much as $1.50. See Lee Pinkowitz and Rohan Williamson, "What Is the Market Value of a Dollar of Cash Holdings?," Georgetown University working paper.

5 Moody's Default and Recovery Rates of Corporate Bond Issuers, 1920-2005, March 2006. We compute probabilities that assume that the rating is not withdrawn.

6 See Merton, Robert C., 1993, "Operation and Regulation in Financial Intermediation: A Functional Perspective," in Operation and Regulation of Financial Markets, edited by P. Englund. Stockholm: The Economic Council.



Table 2.1 Transition Matrix from Moody's

Rating To:

Rating From: Aaa Aa A Baa Ba B Caa-C Default

Aaa 91.75% 7.26% 0.79% 0.17% 0.02% 0.00% 0.00% 0.00%

Aa 1.32% 90.71% 6.92% 0.75% 0.19% 0.04% 0.01% 0.06%

A 0.08% 3.02% 90.24% 5.67% 0.76% 0.12% 0.03% 0.08%

Baa 0.05% 0.33% 5.05% 87.50% 5.72% 0.86% 0.18% 0.31%

Ba 0.01% 0.09% 0.59% 6.70% 82.58% 7.83% 0.72% 1.48%

B 0.00% 0.07% 0.20% 0.80% 7.29% 80.62% 6.23% 4.78%

Caa-C 0.00% 0.03% 0.06% 0.23% 1.07% 7.69% 75.24% 15.69%

A verage one-year rating transition m atrix, 1920-2005, conditional upon no rating w ithdraw al.

S o u rce: Moody's Default and Recovery Rates of Corporate Bond Issuers, 1920-2005, March 2006.

projects if its rating fell to Baa or below (that is, Baa would serve as its financial distress threshold). Assume also that management and the board have determined that, for this kind of business, the optimal level of risk is one where the probability of encountering financial distress is 7% over a one-year period. Such an optimal level of risk would be determined by comparing the costs associated with financial distress and the benefits of having a more levered capital structure and taking on riskier projects.

To the extent that ratings are reliable proxies for financial health, companies can use a rating agency "transition matrix" to estimate the amount of capital necessary to support a given level of risk. The transition matrix shown in Table 2.1 can be used to identify the frequency with which companies moved from one rating to another over a certain period (in this case, 1920 to 2005).7 For any rating at the beginning of the year (listed in the left-hand column of the table), the column of numbers running down from the heading "Baa" tells us the probability that a company will end up with a Baa rating at the end of the year.

Again, let's assume management wants the probability of its rating falling to Baa or lower over the next year to average around 7%. To determine the probability of a downgrade to Baa or lower for a given initial rating, we add up the probabilities of ending with a rating equal to or lower than Baa (including default) along the row that corresponds to the initial rating. The row where the probability of ending at Baa or lower is closest to 7% is the one corresponding to an A rating (5.67% + 0.76% + 0.12% + 0.03% + 0.08% = 6.66%, against 1.05% for Aa). Consequently, by targeting an A rating, management would achieve the probability of financial distress that is optimal for the firm.

In practice, however, the process of determining a target rating can involve more considerations, which makes it more complicated. For example, Nationwide analyzes and manages both its probability of default and its probability of downgrade, and it does so in separate but related frameworks. The company's optimal probability of default is anchored to its target Aa ratings and reflects the default history of Aa-rated bonds. By contrast, the probability of downgrade to Baa or below is assumed to be affected by, and is accordingly managed by limiting, risk concentrations such as those arising from natural catastrophes and equity markets.

In the example above, the company is assumed to maximize value by targeting a rating of A. As we noted earlier, equity capital provides a buffer or shock absorber that helps the firm to avoid default. For a given firm, a different probability of default corresponds to each level of equity, so that by choosing a given level of equity, management is also effectively choosing a probability of default that it believes to be optimal.

As can be seen in Table 2.1, an A rating is associated with a probability of default of 0.08% over a one-year period. Thus, to achieve an A rating, the company in our example must have the level of (equity) capital that makes its probability of default equal to 0.08%. If we make the assumption that the value of a company's equity falls to a level not materially different from zero in the event of default, we can use the probability of default to "back out" the amount of equity the firm needs to support its current level of risk.

Although the probability of default is in fact a complicated function of a number of firm characteristics, not just the amount of equity, the analytical process that leads from the probability of default to the required amount of capital is straightforward.

7 See footnote 2.
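The row-sum and rating-selection steps just described, worked in code. This is an added example, not code from the chapter or from Nationwide; the matrix entries are copied from Table 2.1, the function names are this example's own, and the multi-year extension at the end is an addition (it raises the one-year matrix to a power, which assumes transitions are Markov, an assumption the chapter does not make).

```python
"""Using a rating transition matrix to pick a target rating and read off its
default probability. Added example, not the chapter's own code; the matrix
entries are those of Table 2.1."""

RATINGS = ["Aaa", "Aa", "A", "Baa", "Ba", "B", "Caa-C", "Default"]

# One-year transition probabilities in percent, rows = rating at start of the
# year, columns in RATINGS order (Table 2.1). Rows sum to 100 up to rounding.
TRANSITION_PCT = {
    "Aaa":   [91.75, 7.26, 0.79, 0.17, 0.02, 0.00, 0.00, 0.00],
    "Aa":    [1.32, 90.71, 6.92, 0.75, 0.19, 0.04, 0.01, 0.06],
    "A":     [0.08, 3.02, 90.24, 5.67, 0.76, 0.12, 0.03, 0.08],
    "Baa":   [0.05, 0.33, 5.05, 87.50, 5.72, 0.86, 0.18, 0.31],
    "Ba":    [0.01, 0.09, 0.59, 6.70, 82.58, 7.83, 0.72, 1.48],
    "B":     [0.00, 0.07, 0.20, 0.80, 7.29, 80.62, 6.23, 4.78],
    "Caa-C": [0.00, 0.03, 0.06, 0.23, 1.07, 7.69, 75.24, 15.69],
}


def prob_at_or_below(start, threshold="Baa", matrix=TRANSITION_PCT):
    """Probability (fraction) that a firm rated `start` ends the year at
    `threshold` or lower, default included: the row sum from the threshold
    column rightwards. For Aa this reproduces the 1.05% quoted in the text."""
    first = RATINGS.index(threshold)
    return sum(matrix[start][first:]) / 100.0


def default_prob(start, matrix=TRANSITION_PCT):
    """One-year default probability of a firm rated `start` (last column)."""
    return matrix[start][-1] / 100.0


def target_rating(accepted_distress_prob, threshold="Baa", matrix=TRANSITION_PCT):
    """Rating above `threshold` whose probability of falling to the threshold
    or below is closest to the probability the board has accepted. With 7%
    and a Baa threshold this returns 'A', as in the text; the default
    probability of that rating is then the one the capital buffer must meet."""
    candidates = RATINGS[:RATINGS.index(threshold)]
    return min(candidates,
               key=lambda r: abs(prob_at_or_below(r, threshold, matrix) - accepted_distress_prob))


def _as_fractions(matrix):
    """Square matrix of fractions with Default as an absorbing state."""
    rows = [[p / 100.0 for p in matrix[r]] for r in RATINGS[:-1]]
    rows.append([0.0] * (len(RATINGS) - 1) + [1.0])
    return rows


def multi_year_prob_at_or_below(start, years, threshold="Baa", matrix=TRANSITION_PCT):
    """Same question over `years` years, by raising the one-year matrix to that
    power. This extends the text, which uses one-year figures only, and
    assumes transitions are Markov: next year's move depends only on the
    current rating, not on the path, which real rating histories need not
    satisfy."""
    one = _as_fractions(matrix)
    n = len(RATINGS)
    power = one
    for _ in range(years - 1):
        power = [[sum(power[i][k] * one[k][j] for k in range(n)) for j in range(n)]
                 for i in range(n)]
    first = RATINGS.index(threshold)
    return sum(power[RATINGS.index(start)][first:])


if __name__ == "__main__":
    for r in RATINGS[:3]:
        print(f"{r:4s} P(Baa or lower in 1y) = {prob_at_or_below(r):.2%}, "
              f"P(default in 1y) = {default_prob(r):.2%}, "
              f"P(Baa or lower in 3y) = {multi_year_prob_at_or_below(r, 3):.2%}")
    print("target rating for a 7% accepted distress probability:", target_rating(0.07))
```

The selection step is deliberately a nearest-match rather than a "first rating under the limit": the text's 7% is a chosen optimum, not a ceiling, so the rating whose downgrade probability is closest to it is the one being looked for. Anyone applying this to a live matrix should confirm that the rows are conditional on no withdrawal, as Table 2.1 is, or the tail probabilities will be understated.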

To see this, suppose that the company becomes bankrupt if firm value at the end of the fiscal year falls below a default threshold level, which is a function of the composition and amount of the firm's debt.8 Given this assumption, the firm needs the amount of equity capital that will make the probability of its value falling below the default threshold level equal to 0.08% (or, equivalently, the amount that will ensure that its value will not fall below the default threshold level with a probability of 99.92%).

A company can also assess its costs of financial distress by using criteria other than ratings and ratings thresholds. For instance, in addition to a rating downgrade, Nationwide Insurance identifies a number of other scenarios that it views as imposing large costs on the company. Chief among them are high levels of volatility in earnings and capital that, while not alone sufficient to cause a rating downgrade, could contribute to an increase in overall risk and hence the required level of capital. For each of these critical variables and scenarios, Nationwide sets target probability levels and acceptable tolerances that enable the firm to limit its volatility risk within those targeted levels.

When thinking about acceptable levels of volatility, and the equity capital needed to support them, many financial companies use a risk measure called value-at-risk, or VaR for short. VaR is the amount of the loss that is expected, with some pre-specified probability level, to be reached or exceeded during a defined time period. For instance, if a portfolio of securities has a one-year VaR at the 5% probability level of $20 million, there is a 5% chance the portfolio will have a loss that exceeds $20 million in the next year. VaR can also be computed for an entire company by assessing the distribution of firm value. When the determination of the buffer stock of equity proceeds along the lines described so far, the company in our example must have an amount of equity equal to its firm-wide one-year VaR determined at a probability level of 0.08%.

For some companies, VaR conveys the same information as the volatility of its stock price or market value, which would allow the firm using VaR to focus on these more direct measures of volatility of its value.9 But for those companies for which the distribution of firm value changes is not "normal" or symmetric, the analysis of risk provided by VaR can be quite different from the information provided by volatility—and in such cases, VaR must be estimated directly.

Figure 2.1 Required equity capital to achieve a target probability of default as a function of firm volatility or VaR.

But whether management uses VaR or volatility, given a targeted probability of default or financial distress, the company faces a trade-off, as illustrated in Figure 2.1, between its level of VaR or volatility and the size of its buffer stock of equity capital. As VaR or volatility increase, the firm requires more capital to achieve the same probability of default. And as can also be seen in the upward shift from line x to line y in Figure 2.1, this trade-off becomes steeper if management chooses to reduce the targeted probability of default.

8 If all debt were due at the end of the year, the default threshold level would be the principal amount of debt outstanding plus interest due. However, if debt matures later, firm value could fall below the principal amount of debt outstanding without triggering a default. So, the default threshold level is lower than the principal amount of debt outstanding when the firm has long-term debt.

9 In particular, VaR is a multiple of volatility when the variable for which VaR is estimated has a normal distribution.
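The step from a 0.08% target default probability to a dollar equity buffer, and the allocation of that buffer back to business units as the "imputed" capital introduced with the two decentralization mechanisms earlier in the chapter, worked as one piece of code. This is an added example, not the chapter's or Nationwide's method: the normal-case formula is footnote 9's multiple of volatility, the "direct" estimate is a plain empirical quantile over a constructed scenario set (the catastrophe scenarios are made up to show why a non-normal distribution needs VaR estimated directly), the allocation rule (marginal, or Euler, contributions) and the 10% cost of equity are this example's choices, and the three units and their numbers are invented.

```python
"""Equity buffer from a target default probability, and its allocation to
business units. Added example, not the chapter's own code; all figures below
are constructed assumptions."""
import math
from statistics import NormalDist, pstdev

TARGET_PD = 0.0008   # 0.08%: one-year default rate of an A-rated firm in Table 2.1


def z_for_pd(pd):
    """Standard-normal quantile z with P(Z > z) = pd."""
    return NormalDist().inv_cdf(1.0 - pd)


def required_equity_normal(sigma, pd=TARGET_PD):
    """Buffer = one-year firm-wide VaR at level pd when value changes are normal
    with zero mean and dollar standard deviation `sigma` (footnote 9: VaR is
    then a multiple of volatility). Value must stay above the default
    threshold with probability 1 - pd, so equity above that threshold must
    cover a z*sigma loss. The slope z is the line in Figure 2.1; lowering pd
    raises z, which is the shift from line x to line y."""
    return z_for_pd(pd) * sigma


def required_equity_direct(value_changes, pd=TARGET_PD):
    """Buffer read directly from one-year value-change scenarios, for
    distributions that are not normal: the loss that only a fraction pd of
    scenarios exceed."""
    losses = sorted(-dv for dv in value_changes)          # ascending
    allowed_in_tail = int(pd * len(losses))               # scenarios that may breach
    return losses[len(losses) - 1 - allowed_in_tail]


def constructed_value_changes(sigma=1.0e9, n=5000, n_cat=10, cat_loss_sd=5.0):
    """Constructed scenario set (not data): n normal scenarios laid out as
    mid-point quantiles plus n_cat catastrophe scenarios, each losing
    cat_loss_sd standard deviations. The catastrophes give the left tail that
    a normal fit to the same sample's volatility does not see."""
    base = NormalDist(0.0, sigma)
    return [base.inv_cdf((i + 0.5) / n) for i in range(n)] + [-cat_loss_sd * sigma] * n_cat


def normal_vs_direct(value_changes, pd=TARGET_PD):
    """(normal-approximation buffer, directly estimated buffer) for one sample."""
    return (required_equity_normal(pstdev(value_changes), pd),
            required_equity_direct(value_changes, pd))


def allocate_capital(units, corr, pd=TARGET_PD):
    """Firm-wide required equity and each unit's imputed share of it.
    units: list of (name, sigma_dollars, expected_profit_dollars)
    corr:  correlation matrix of the units' value changes.
    Shares are marginal (Euler) contributions, z * Cov(unit, firm) / sigma_firm,
    which add up to the firm total. The allocation rule is this example's
    choice; the chapter only asks that imputed capital reflect incremental risk."""
    sig = [u[1] for u in units]
    n = len(units)
    cov_with_firm = [sum(corr[i][j] * sig[i] * sig[j] for j in range(n)) for i in range(n)]
    sigma_firm = math.sqrt(sum(cov_with_firm))
    z = z_for_pd(pd)
    shares = {u[0]: z * c / sigma_firm for u, c in zip(units, cov_with_firm)}
    return z * sigma_firm, shares


def value_added(units, corr, cost_of_equity=0.10, pd=TARGET_PD):
    """Expected profit minus the charge on imputed capital, per unit. Positive
    means the unit earns more than the cost of the risk it adds to the firm.
    cost_of_equity is an assumed hurdle rate."""
    _, shares = allocate_capital(units, corr, pd)
    return {name: profit - cost_of_equity * shares[name] for name, _, profit in units}


def incremental_capital(units, corr, pd=TARGET_PD):
    """Extra firm-wide equity caused by the LAST entry of `units` (a proposed
    project): capital with it minus capital without it. Diversification makes
    this smaller than the project's stand-alone z*sigma."""
    k = len(units) - 1
    with_it, _ = allocate_capital(units, corr, pd)
    without, _ = allocate_capital(units[:k], [row[:k] for row in corr[:k]], pd)
    return with_it - without


# Constructed units: one-year dollar volatility of value and expected profit.
UNITS = [("P&C insurance", 1.2e9, 0.40e9),
         ("Life & annuities", 0.9e9, 0.25e9),
         ("Equity-linked fees", 0.5e9, 0.05e9)]
CORR = [[1.0, 0.3, 0.6],
        [0.3, 1.0, 0.7],
        [0.6, 0.7, 1.0]]

if __name__ == "__main__":
    print("z at 0.08% / at 0.06%:", round(z_for_pd(0.0008), 3), round(z_for_pd(0.0006), 3))
    print("normal vs direct buffer ($bn):",
          [round(x / 1e9, 2) for x in normal_vs_direct(constructed_value_changes())])
    total, shares = allocate_capital(UNITS, CORR)
    print("firm capital ($bn):", round(total / 1e9, 2),
          {k: round(v / 1e9, 2) for k, v in shares.items()})
    print("value added ($m):", {k: round(v / 1e6) for k, v in value_added(UNITS, CORR).items()})
    print("incremental capital of last unit ($bn):", round(incremental_capital(UNITS, CORR) / 1e9, 2))
```

Two things worth checking when running it: the directly estimated buffer on the constructed sample is well above the normal-approximation buffer computed from that same sample's volatility, which is the case the text flags, and the Euler shares add up exactly to the firm-wide capital, so a unit's charge is its share of the buffer rather than its stand-alone VaR. The incremental capital of the last unit is less than its stand-alone z*sigma; a project's NPV has to cover the cost of that incremental amount, not of the stand-alone figure.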



Now suppose that, based on its estimate of volatility, management concludes that the firm needs $5 billion of equity capital to achieve its target probability of default. As noted earlier, the company can reduce its required level of equity by using risk management to reduce the probability of default, which would make sense if that option were deemed less costly than holding the $5 billion of equity. In making this trade-off between managing risk and holding more equity, the company should aim to position itself "at the margin," where it is indifferent between decreasing risk and increasing capital. Management can satisfy itself that it has achieved this position if, after having decided on a certain combination of risk management and capital, it can show that, for example, spending another $10 million to decrease risk by 1% will save the firm roughly $10 million in equity capital costs. In this event, it has achieved the optimal amount of risk.

Using this approach, the company can evaluate the marginal impact of a project on both its risk of default and its risk of financial distress. As total risk increases, the firm requires more capital to support that risk. Moreover, the cost of the additional capital provides a useful measure of the cost of the project's contribution to the firm's total risk. The project is worth undertaking only if its NPV is large enough to cover that additional cost. Similarly, when evaluating the performance of a unit within the firm, the unit contributes to shareholder wealth only insofar as its economic value added exceeds the cost of its contribution to the risk of the firm. In this way, then, the capital required to support the contribution of an activity to the total risk of the firm becomes itself a measure of risk—a measure that, because of its simplicity, can easily be added up across different activities or risks.

The conceptual framework of ERM can thus be summarized as follows:

1. Management begins by determining the firm's risk appetite, a key part of which is choosing the probability of financial distress that is expected to maximize firm value. When credit ratings are used as the primary indicator of financial risk, the firm determines an optimal or target rating based on its risk appetite and the cost of reducing its probability of financial distress.

2. Given the firm's target rating, management estimates the amount of capital it requires to support the risk of its operations. In so doing, management should consider the probability of default.

3. Management determines the optimal combination of capital and risk that is expected to yield its target rating. For a given amount of capital, management can alter its risk through hedging and project selection. Alternatively, for a given amount of total risk, the company can increase its capital to achieve its target rating. At the margin, the firm should be indifferent between changing its capital and changing its risk.

4. Top management decentralizes the risk-capital trade-off with the help of a capital allocation and performance evaluation system that motivates managers throughout the organization to make investment and operating decisions that optimize this trade-off.

2.3 IMPLEMENTING ERM

But if ERM is conceptually straightforward, its implementation is challenging. For a company to succeed in implementing ERM, it is critical that people throughout the organization understand how it can create value. Managers must understand that it is not an academic exercise but a critical tool for executing the firm's strategy. Thus ERM must be "sold" to and "bought into" by all levels of the organization. For the whole organization to get behind it, considerable thought must be devoted to the design of managerial performance evaluation and incentives. We now consider the main challenges involved in making ERM work.

Inventory of Risks

The first step in operationalizing ERM is to identify the risks to which the company is exposed. A common approach is to identify the types of risks that will be measured. In the early days of corporate risk management, financial institutions focused mainly on market and credit risks. Eventually operational risk was added. As a result, a common practice for banks is to classify all risks into one of three categories: market, credit, and operational. But for such an approach to capture all the risks the firm is exposed to, operational risk has to be a catch-all category that includes all risks that are not market and credit risks.10 Many companies have gone beyond measuring market, credit, and operational risks. In recent years, some firms have also attempted to measure liquidity, reputational, and strategic risks. Further, the three-part typology used in banking often does not correspond well to the risks faced in other industries. For example, because insurance companies have risks on their asset side—that is, the risks associated with their investment

10 For banks, the definition of operational risk that prevails in the Basel II accord is much narrower; for instance, it ignores the reputational risks that are today a major concern of many financial institutions. As a result, for banks, there will be a tension between the measurement of operational risk for regulatory purposes and from the perspective of ERM.

portfolio—as well as their liability side, such companies generally use a different typology. Nationwide Insurance regularly measures and monitors its asset, liability, operating, liquidity, and strategic risks—and it considers reputational risks in the context of each of these risks and of its overall business. (Market and credit risks are both treated as parts of asset risks.)

Having identified all of the company's major risks, management must then find a consistent way to measure the firm's exposure to these risks—a common approach that can be used to identify and quantify all the firm's significant exposures. Without such a method, exposure to the same risk could have different effects on the performance evaluation and decision-making of different business units and activities. The resulting possibility that identically risky activities would be allocated different amounts of capital would almost certainly create tension within the firm. Furthermore, risk would gradually migrate within the organization to those parts of the firm where it received the lowest risk rating and smallest capital allocation.

For an inventory of risks to be useful, the information possessed by people within the organization must be collected, made comparable, and continuously updated. Organizations that have grown through acquisitions or without centralized IT departments typically face the problem of incompatible computer systems. Companies must be able to aggregate common risks across all of their businesses to analyze and manage those risks effectively.

Nationwide employs both a top-down and a bottom-up process of risk identification. From a top-down perspective, the company's ERM leadership and corporate-level risk committee have identified all risks that are large enough in aggregate to threaten the firm with financial distress in an adverse environment. The bottom-up process involves individual business units and functional areas conducting risk-control self-assessments designed to identify all material local-level risks. The goal is to identify all important risks, quantify them using a consistent approach, and then aggregate individual risk exposures across the entire organization to produce a firm-wide risk profile that takes account of correlations among risks. For example, Nationwide analyzes and establishes aggregate limits for the equity risk stemming from three main sources: (1) the stock holdings in its property and casualty insurance investment portfolio; (2) the fee levels that are tied to equity values in the variable annuity and insurance contracts of its life insurance business; and (3) the asset management fees that are tied to equity values in its investment management business.

Corporate failures to conduct thorough "inventories" of their risks on a regular basis have been responsible for a striking number of major corporate disasters over the last 20 years. Business units often resist such monitoring efforts because they are time-consuming and distract from other activities. A well-known example of such resistance that ultimately created massive problems for the old UBS took place when the firm attempted to include its equity derivatives desk in its risk measurement system. Because the equity derivatives desk used a different computer system, such an undertaking would have required major changes in the way the desk did its business. But since the desk was highly profitable, it was allowed to stay outside the system. Eventually, the operation incurred massive losses that fundamentally weakened the bank and led it to seek a merger.11

Economic Value versus Accounting Performance

Although credit ratings are a useful device for helping a company think about its risk appetite, management should also recognize the limitations of ratings as a guide to a value-maximizing risk management and capital structure policy. Because of the extent of their reliance on "accounting" ratios as well as analysts' subjective judgment, credit ratings are often not the most reliable estimates of a firm's probability of default. For example, a company might feel confident that the underlying economics of its risk management and capital structure give it a probability of default that warrants an A rating, but find itself assigned a Baa rating—perhaps because of a mechanical application of misleading accounting-based criteria—by the agencies. In such cases, management should rely on its own economics-based analysis, while making every effort to share its thinking with the agencies.

But having said this, if maintaining a certain rating is deemed to be critical to the success of the organization, then setting capital at a level that achieves the probability of default of the targeted rating may not be enough. Management may also have to target some accounting-based ratios that are important determinants of ratings as well.

This question of economic or value-based management vs. accounting-based decision-making raises a fundamental question of risk management: What is the shortfall that management should be concerned about? Is it a shortfall in cash flow or in earnings? Is it a drop in a company's GAAP net worth or a market-based measure of firm value?

If the company is managing its probability of default, it should obviously focus on the measure that is most directly linked to that outcome. For example, an unexpected drop in this year's cash flow may not be a problem for a company if its future cash

11 See Dirk Schutz, La Chute de l'UBS, Bilan, 1998.

Chapter 2 Enterprise Risk Management: Theory and Practice ■ 21


flows are clearly unaffected. If the firm finds it easy to borrow W hile com panies should pursue econom ic outcom es whenever
against its future cash flows or tangible assets, a shortfall in this possible, there will clearly be situations where they need to
year's cash flow is unlikely to lead the firm to default. But those limit the volatility of reported accounting earnings. Com panies
com panies that cannot borrow against future cash flows, per­ with debt covenants that specify minimal levels of earnings and
haps because they are too speculative and have few tangible net worth are one exam ple. Another is provided by com panies
assets, may be affected much more adversely. In such cases, the that face regulatory requirements to maintain minimal levels
shortfall in cash flow, by triggering financing constraints, could of "statutory" capital, which is typically defined in standard
push the firm into financial distress. It is these kinds of com pa­ accounting term s. Yet another are com panies whose ability to
nies that are likely to focus their risk m anagem ent efforts on attract custom ers depends in part on credit ratings, which in
measures of cash flow volatility. turn can be affected by earnings volatility. Nationwide Insur­
ance, for exam ple, operates in many businesses that are highly
But if a com pany is more likely to experience financial distress
sensitive to credit ratings. And to the extent its ratings could be
because the p re se n t value of future cash flows is low than
affected by high (or unexplained) levels of accounting volatility,
because of a drop in cash flow, m anagem ent must model the
management's decision-making must clearly take such volatility
risk of changes in firm value, which reflects the present value
into account. In such cases, the challenge of an ERM system is
of expected future cash flows, rather than the risk of changes
to m eet the lenders' and regulators' accounting requirements
in cash flows. There are a number of topdown approaches that
while still attem pting to manage risk from the perspective of
provide estim ates of total risk based on industry benchm arks
econom ic value. Nationwide's approach is to make econom ically
that are cheap and easy to im plem ent. Unfortunately, such
based decisions to maximize value while treating its targeted
approaches are not useful for managing risk within a com ­
"A a " ratings vulnerability as a "constraint." A significant amount
pany because they do not make it possible to relate corporate
of effort is devoted to minimizing the effect of this constraint
actions to firm -wide risk. For instance, m anagem ent could
through disclosure and communication with the rating agencies.
obtain an estim ate of the volatility of firm value or cash flows by
looking at the distribution of the value or cash flows of com pa­
rable com panies. But such an approach would provide m anage­ Aggregating Risks
ment with little understanding of how specific risk m anagem ent
policies, including changes in capital structure, would affect A firm that uses the three-part typology of m arket, credit, and
this estim ate. operational risk mentioned earlier generally begins by measur­
ing each of these risks individually. If the firm uses VaR, it will
Thus, a m anagem ent intent on implementing ERM must esti­
have three separate VaR m easures, one each for m arket risk, for
mate the expected distribution of changes in firm value from
credit risk, and for operational risk. These three VaRs are then
the bottom up. W hen, as is typical, a company's value is best
used to produce a firm-wide VaR.
estim ated as the present value of its expected future cash flows,
m anagem ent should "build" its estim ates of firm value by m od­ As shown in Figure 2.2, these three types of risks have dram ati­
eling the distribution of future cash flows. As a fundamental cally different distributions.12 M arket risk behaves very much like
part of its ERM program, Nationwide has developed stochastic the returns on a portfolio of securities, which have a "norm al" or
models that generate multi-year cash flow distributions for its sym m etric distribution. In contrast, both credit and operational
main businesses. risk have asym m etric distributions. With credit risk, either a
creditor pays in full what is owed or it does not. In general, most
The Accounting Problem creditors pay in full, but some do not— and when a creditor
defaults, the loss can be large. With operational risk, there tends
By focusing on cash flows, then, a company focuses on its eco­
to be large numbers of small losses, so that small operational
nomic value. But while helping the firm achieve its target prob­
losses are almost predictable. There is also, however, some
ability of default, such an approach could also result in more
chance of large losses, so that the distribution of operational
volatile accounting earnings. For exam ple, under the current
losses has a "long tail." Statisticians describe distributions as
accounting treatm ent of derivatives, if a company uses deriva­
having "fat tails" when the probability of extrem e losses is
tives to hedge an econom ic exposure but fails to qualify for
higher than can be described by the normal distribution. W hile
hedge accounting, the derivatives hedge can reduce the volatil­
many use the normal distribution to estim ate the VaR of market
ity of firm value while at the same tim e increasing the volatility
of accounting earnings. And thus a com pany that implements
ERM could end up with higher earnings volatility than a com pa­ 12 This is also the case when risks are divided into asset risks, operational
rable firm that does not. risks, and liability risks.

22 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Market Risk

Loss

2 4 6 8 10
Loss

Operational Risk

Fiqure 2.2 Typical market, credit, and operational risk distributions.

risk, such an approach is not appropriate for credit and opera­ regardless of w hether they use their own or other firms' correla­
tional risks because these risks have fat tails. tion m easures, com panies should keep in mind the tendency for
correlations to increase in highly stressed environments.
W hen aggregating the risks, one must also estim ate their cor­
relations. The probability of experiencing sim ultaneously highly One im portant issue in estimating correlations across types of
adverse market, credit, and operational outcom es is typically risks is the im portance of recognizing that such correlations
very low. This means that there is diversification across risk cat­ depend to some extent on the actions of the com pany. For
egories, and that the firm-wide VaR is thus less than the sum exam ple, the total risk of an insurance com pany depends on the
of the market risk, credit risk, and operational risk VaRs. How correlation between its asset risk and its liability risk. By chang­
much less depends on the correlation between these risks. The ing its asset allocations, the company can modify the correlation
estimation of the correlations between certain types of risks is at between its asset risk and its liability risk. As a consequence, an
present more art than science. For this reason, many com panies insurance company's asset portfolio allocations can be an essen­
choose to use averages of correlations used by other firms in tial part of its risk m anagem ent effort. For exam ple, Nationwide
their industry rather than relying on their own estim ates.13 But Insurance uses a sophisticated asset/liability model to create an
efficient frontier of investm ent portfolios. The actual target port­
13 For data on correlations used in practice for financial institutions, see
folio selected takes into consideration the firm's tolerance for
Andrew Kuritzkes, Til Schuermann, and Scott M. Weiner, "Risk Measure­
ment, Risk Management and Capital Adequacy in Financial Conglomer­ interest rate, equity market, and other risks as well as the oppor­
ates," Brookings-Wharton Papers on Financial Services, 2003, pp. 141-193. tunity for expected econom ic value creation.

Chapter 2 Enterprise Risk Management: Theory and Practice ■ 23
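The aggregation just described, as an added example that is not part of the chapter and is not Nationwide's model: it combines three stand-alone VaRs through a correlation matrix, shows the diversification benefit shrinking when correlations are stressed upward, and checks how far a normal fit understates the VaR of a fat-tailed loss distribution. The variance-covariance formula sqrt(v^T C v) is an assumption (the chapter does not say how the three VaRs are combined), and the VaR figures, correlations and the lognormal loss sample are constructed for illustration.

```python
"""Added example (not from the chapter): aggregating three stand-alone VaRs
with a correlation matrix, stressing the correlations, and comparing a
normal-fit VaR with the empirical VaR of a fat-tailed loss sample.

Assumptions: sqrt(v^T C v) is one common aggregation convention, not the
chapter's own method; every number below is constructed for illustration.
"""
import math
import random
from statistics import NormalDist


def aggregate_var(standalone, corr):
    """Firm-wide VaR = sqrt(v^T C v) for stand-alone VaRs v and correlation
    matrix C. C = identity gives full diversification; all ones gives the
    plain sum of the stand-alone VaRs (no diversification at all)."""
    names = list(standalone)
    total = 0.0
    for a in names:
        for b in names:
            total += standalone[a] * standalone[b] * corr[a][b]
    return math.sqrt(total)


def diversification_benefit(standalone, corr):
    """How far the aggregated VaR sits below the sum of stand-alone VaRs."""
    return sum(standalone.values()) - aggregate_var(standalone, corr)


def stress_correlations(corr, floor):
    """Stressed copy of a correlation matrix: every off-diagonal entry is
    raised to at least `floor`, mimicking the rise in correlations the
    chapter warns about in highly stressed environments."""
    return {a: {b: (1.0 if a == b else max(r, floor)) for b, r in row.items()}
            for a, row in corr.items()}


def normal_vs_empirical_var(confidence, n=200_000, seed=7):
    """Compare VaR from a normal fit (sample mean and standard deviation)
    with the empirical quantile of a fat-tailed lognormal loss sample.
    Returns (normal_var, empirical_var); with a fat tail the second is larger."""
    rng = random.Random(seed)
    losses = sorted(rng.lognormvariate(0.0, 1.0) for _ in range(n))
    mean = sum(losses) / n
    sd = math.sqrt(sum((x - mean) ** 2 for x in losses) / (n - 1))
    normal_var = NormalDist(mean, sd).inv_cdf(confidence)
    empirical_var = losses[int(confidence * n)]
    return normal_var, empirical_var


# Constructed stand-alone VaRs (USD millions) at one common confidence level.
STANDALONE = {"market": 300.0, "credit": 400.0, "operational": 200.0}

# Constructed correlations for normal conditions (symmetric, unit diagonal).
NORMAL_CORR = {
    "market":      {"market": 1.0, "credit": 0.3, "operational": 0.1},
    "credit":      {"market": 0.3, "credit": 1.0, "operational": 0.2},
    "operational": {"market": 0.1, "credit": 0.2, "operational": 1.0},
}

if __name__ == "__main__":
    base = aggregate_var(STANDALONE, NORMAL_CORR)
    stressed = aggregate_var(STANDALONE, stress_correlations(NORMAL_CORR, 0.8))
    print(f"sum of stand-alone VaRs: {sum(STANDALONE.values()):.1f}")
    print(f"aggregated VaR: {base:.1f} "
          f"(diversification benefit {diversification_benefit(STANDALONE, NORMAL_CORR):.1f})")
    print(f"aggregated VaR with all correlations floored at 0.8: {stressed:.1f}")
    nv, ev = normal_vs_empirical_var(0.999)
    print(f"99.9% VaR of a lognormal loss: normal fit {nv:.2f}, empirical {ev:.2f}")
```

With the constructed inputs the aggregated VaR is about 637 against a stand-alone sum of 900; flooring every correlation at 0.8 pushes it to about 840, and at 1.0 it equals the sum exactly, which is the "no diversification" case. The last function is the Figure 2.2 point in numbers: for a lognormal loss the normal fit gives a 99.9% VaR near 8 while the empirical quantile is near 22.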


Measuring Risks

Some companies focus mostly on tail risk—the low-probability, large-loss outcomes. As a result, when they measure the risk of changes in the present value of cash flows, they use a measure like VaR at a probability level that corresponds to a default threshold. Some of these companies also complement their VaR estimates with stress tests in which they investigate the impact on firm value of rare events (such as the crisis period of August and September 1998 that followed Russia's default on some of its debt).

Though VaR is widely used, it is important to understand its limitations and to complement its use with other risk measures. Perhaps the main problem is that while VaR measures the loss that is expected to be exceeded with a specified probability, it says nothing about the expected size of the loss in the event that VaR is exceeded. Some have argued that companies should instead focus on the expected loss if VaR is exceeded. But focusing on this risk measure, which is often called conditional VaR (or expected shortfall), instead of focusing on VaR has little economic justification in the context of firm-wide risk management. Setting the company's capital at a level equal to the conditional VaR would provide the firm with a lower probability of default than the targeted level, leading to an excessively conservative capital structure.

But a more important reason for companies to look beyond a VaR measure estimated at the probability level corresponding to a default threshold is that ERM adds value by optimizing the probability and expected costs of financial distress. It is therefore critical for companies to make sure that the equity capital set based on a VaR estimate leads to the targeted optimal probability of financial distress. Such an effort requires a broader understanding of the distribution of firm value than is provided by a VaR estimate for a given probability of default. Further, since different levels of financial distress have different costs, a company can take these different costs into account and focus on the probability distribution of different levels of financial distress.

To compound the problem, when a company has a high rating target, the estimation of VaR becomes more of an art as the estimated VaR corresponds to an extremely low probability level. To see this, consider a company that has determined that an A rating is optimal. Since the probability of default for an A-rated company is only 0.08% over a one-year period, to estimate its optimal amount of capital the firm must therefore estimate the loss in value that is exceeded with a probability of 0.08%. The problem, however, is that few A-rated companies have any experience of losses that come anywhere near that level. And without any historical experience of such losses, it is difficult for management to estimate the VaR at that probability level and then evaluate the result.

For most investment grade companies, then, it is much easier to evaluate the distribution of changes in firm value over the range of changes that encompasses not default, but just a ratings downgrade. For example, using the Moody's transition matrix data (Table 2.1), one can say with some confidence that an A-rated firm has a 5.67% chance on average of being downgraded to a Baa rating over a one-year period; in other words, such an event is expected to happen in more than one year out of 20. (In contrast, default is expected to happen in approximately one year out of 1,000.) Because of the abundance of data on downgrades as opposed to defaults for A-rated companies, the distribution of changes in firm value that corresponds to a downgrade to Baa can be estimated more precisely. Over that much narrower range of possible outcomes, the problems created by "asymmetries" in the distribution of firm value changes and the so-called "fat tail" problems (where extreme negative outcomes are more likely than predicted by common statistical distributions) are not likely to be as severe. In such cases, management may have greater confidence in its estimates of the distribution of value changes corresponding to a downgrade rather than a default and will be justified in focusing on managing the probability of a downgrade.

As discussed previously, it is also important to understand and take account of risk correlations when analyzing and managing default and distress probabilities. Nationwide Insurance incorporates in its economic capital model a correlation matrix that reflects sensitivity-tested stress correlations. It is also now in the process of exploring event-driven correlation analysis for scenarios that include terrorist attacks, mega hurricanes, and pandemics.

Regulatory versus Economic Capital

The amount of equity capital required for the company to achieve its optimal rating may bear little relation to the amount of capital regulators would require it to hold. A firm that practices ERM may therefore have an amount of capital that substantially exceeds its regulatory requirements because it maximizes shareholder wealth by doing so. In this case, the regulatory requirements are not binding and would not affect the firm's decisions.

The company would be in a more difficult situation if its required regulatory capital exceeded the amount of capital it should hold to maximize shareholder wealth. Nationwide Insurance refers to this excess as "stranded capital." To the extent that economic and regulatory capital are subject to different drivers, the difference between the two can be arbitraged to some degree to minimize the level of stranded capital. Nationwide allocates any residual stranded capital to its businesses and products. If all the
potential competitors of the firm face the same onerous regulatory capital requirements, the capital the firm has to hold that is not justified on economic grounds is simply a regulatory tax. If some potential competitors could provide the firm's products without being subjected to the same regulatory capital, these less regulated competitors could offer the products at a lower price and the firm would risk losing business to them. In this case, the firm would have to factor in the cost of regulatory capital of its various activities and would want to grow its portfolio of activities in a way that requires less regulatory capital.

Regulatory capital is generally defined in terms of regulatory accounting. For purposes of an ERM system, companies focus on GAAP and economic capital. An exclusive focus on accounting capital is mistaken when accounting capital does not accurately reflect the buffer stock of equity available to the firm. The firm may have valuable assets that, although not marked to market on its books, could be sold or borrowed against. In such cases, the firm's book equity capital understates the buffer stock available to it that could be used to avoid default.

Thus, in assessing the level of a company's buffer of capital, the amount of its GAAP equity capital is only part of the story. The composition and liquidity of the assets matter as well. If the firm incurs a large loss and has no liquid assets it can use to "finance" it, the fact that it has a large buffer stock of book equity will not be very helpful. For this reason, many companies now do separate evaluations of their liquidity and the amount of equity capital they require. As the practice of ERM evolves, we would expect such companies to pay more attention to the relation between the optimal amount of equity and the liquidity of their assets.

Using Economic Capital to Make Decisions

As we saw earlier, if companies could simply stockpile equity capital at no cost, there would be no deadweight costs associated with adverse outcomes. Management could use its liquid assets to finance the losses, and the bad outcome would have no effect on the firm's investment policy. But in the real world, there are significant costs associated with carrying too much equity. If the market perceives that a company has more equity than it needs to support the risk of the business, it will reduce the firm's value to reflect management's failure to earn the cost of capital on that excess capital.

When a company undertakes a new risky activity, the probability that it will experience financial distress increases, thus raising the expected costs of financial distress. One way to avoid these additional costs is by raising enough additional capital so that taking on the new risky activity has no effect on the probability of financial distress. Consequently, the most straightforward way to estimate the cost of the impact of a new risky activity on the firm's total risk is to evaluate how much incremental capital would be necessary to ensure that the new risky activity has no impact on the firm's probability of financial distress.

To illustrate, suppose that before the company takes on the new activity, the VaR estimate used to set the firm's capital is $5 billion. Now, with the new activity, this VaR estimate increases to $5.1 billion. Thus, for the firm to have the same probability of financial distress as it had before it undertook the new risky activity, it would need to raise capital of $100 million. Moreover, this capital would have to be invested in such a way that the investment does not increase the risk of the firm, since otherwise the VaR of the firm would further increase. If the risky new activity is expected to last one year, and the cost to the firm of having this additional $100 million available for one year is estimated to be $8 million, then the economic value added of the new activity should be reduced by $8 million. If the firm ignores this cost, it effectively subsidizes the new risky activity. To the extent that riskier activities have higher expected payoffs before taking into account their contribution to the firm's probability of financial distress, a firm that ignores the impact of project risks on firm-wide risk ends up favoring riskier projects over less risky ones.

Though the example just discussed is straightforward, the implementation of this idea in practice faces several difficulties. A company is a collection of risky projects. At any time, a project's contribution to the firm's total risk depends on the risk of the other projects and their correlations. When business units are asked to make decisions that take into account the contribution of a project to firm-wide risk, they must have enough information when making the decision to know how to evaluate that contribution. They cannot be told that the contribution will depend on everything else that is going to happen within the firm over the next year, and then have a risk charge assigned to their unit after the fact.

Many companies sidestep this issue and ignore correlations altogether when they set capital. In that case, the capital required to support a project would be set so that the project receives no benefit from diversification, and the contribution of the project to firm-wide risk would then be the VaR of the project itself. To account for diversification benefits under this system, the firm would reduce the cost of equity. But when evaluating the performance of a business unit, the VaR of the business unit would be used to assess the contribution of the unit to the firm's risk and the units would effectively get no credit for diversification benefits.

When decentralizing the risk-return trade-off, the company has to enable the managers of its business units to determine the capital that has to be allocated to a project to keep the risk of the firm constant with the relatively simple information that is readily available to them. Nationwide's factor-based capital allocation and performance evaluation system is an example of such an approach. The company allocates diversification benefits within major business units, but not across them. This means that a project whose returns have a low correlation with the other activities within its unit will receive "credit" for such diversification benefits in the form of a lower capital allocation for the unit. But investments of a business unit that have low correlations with activities of other major business units are not credited with firm-wide diversification benefits. The rationale for this policy is that it enables Nationwide's top management to take account of the effects of new investments on risk at the corporate level while at the same time holding the business managers who make those decisions accountable for earning returns consistent with their competitive operating environment.

The Governance of ERM

How does a company know that its ERM is succeeding? While one outcome of effective ERM should be a better estimate of expected value and better understanding of unexpected losses, ERM does not eliminate risk. Thus, extreme negative outcomes are still a possibility, and the effectiveness of ERM cannot be judged on whether such outcomes materialize. The role of ERM is to limit the probability of such outcomes to an agreed-upon, value-maximizing level. But what if the probability of default is set at one in 1,000 years? Quite apart from whether this is indeed the value-maximizing choice, such a low probability means that there will be no obvious way to judge whether the CRO succeeded in managing risk so as to give the firm its target probability of default.

To evaluate the job of a CRO, the board and the CEO must attempt to determine how well the company's risk is understood and managed. A company where risk is well understood and well managed is one that can command the resources required to invest in the valuable projects available to it because it is trusted by investors. In such cases, investors will be able to distinguish bad outcomes that are the result of bad luck rather than bad management, and that should give them confidence to keep investing in the firm.

CONCLUSION

In this chapter, we have discussed how enterprise risk management creates value for shareholders and examined the practical issues that arise in the implementation of enterprise risk management. Although the key principles that underlie the theory of ERM are well-established, it should be clear from this article that additional research is needed to help with the implementation of ERM. In particular, while much attention has been paid to measures of tail risk like VaR, it has become clear from attempts to implement ERM that a more complete understanding of the distribution of firm value is required. Though correlations between different types of risks are essential in measuring firm-wide risk, existing research provides little help in how to estimate these correlations. Companies also find that some of their most troubling risks—notably, reputational and strategic risks—are the most difficult to quantify. At this point, there is little research that helps practitioners in assessing these risks, but much to gain from having a better understanding of these risks even if they cannot be quantified reliably.

In sum, there has been considerable progress in the implementation of ERM, with the promise of major benefits for corporate shareholders. And, as this implementation improves with the help of academic research, these benefits can only be expected to grow.

Brian Nocco is the Chief Risk Officer of Nationwide Insurance.

Rene Stulz is the Reese Chair of Banking and Monetary Economics at Ohio State University's Fisher School of Business and a research fellow at the NBER and at the European Corporate Governance Institute. He is also a member of the executive committee of the Global Association of Risk Professionals (GARP).
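The incremental-capital charge from "Using Economic Capital to Make Decisions" (the $5 billion to $5.1 billion case) together with the three ways of crediting diversification discussed after it (no credit at all, credit only inside a business unit as at Nationwide, and full firm-wide credit), as an added example that is not the chapter's or Nationwide's own code. It assumes variance-covariance aggregation of stand-alone VaRs and a constructed two-level correlation rule (one correlation between projects in the same unit, a lower one across units); the project VaRs, unit membership and cost-of-capital rate are made up for illustration.

```python
"""Added example (not from the chapter): the capital a new risky activity
must be charged so that the firm's probability of financial distress is
unchanged, computed under three diversification conventions.

Assumptions: sqrt(v^T C v) aggregation of stand-alone VaRs and a constructed
two-level correlation rule; every number below is made up for illustration.
"""
import math


def aggregate_var(standalone, corr):
    """sqrt(v^T C v): variance-covariance aggregation of stand-alone VaRs,
    where corr(a, b) returns the correlation between two projects."""
    names = list(standalone)
    return math.sqrt(sum(standalone[a] * standalone[b] * corr(a, b)
                         for a in names for b in names))


def make_corr(unit_of, rho_within, rho_across):
    """Constructed correlation rule: projects in the same business unit are
    correlated at rho_within, projects in different units at rho_across."""
    def corr(a, b):
        if a == b:
            return 1.0
        return rho_within if unit_of[a] == unit_of[b] else rho_across
    return corr


def capital_charges(projects, unit_of, new_name, new_var, new_unit,
                    rho_within=0.5, rho_across=0.1):
    """Capital charge for a new project under three conventions:
      standalone   - the project's own VaR: correlations ignored, no
                     diversification credit (the 'sidestep' the chapter
                     describes)
      within_unit  - increase in the VaR of the project's business unit:
                     credit inside the unit, none across units (the
                     Nationwide convention described in the chapter)
      firm_wide    - increase in the firm-wide VaR: full diversification
                     credit, which needs everything else in the firm
    Returns a dict of the three charges in the same units as the VaRs."""
    units = dict(unit_of, **{new_name: new_unit})
    after = dict(projects, **{new_name: new_var})
    corr = make_corr(units, rho_within, rho_across)

    def unit_var(book, unit):
        sub = {p: v for p, v in book.items() if units[p] == unit}
        return aggregate_var(sub, corr)

    return {
        "standalone": new_var,
        "within_unit": unit_var(after, new_unit) - unit_var(projects, new_unit),
        "firm_wide": aggregate_var(after, corr) - aggregate_var(projects, corr),
    }


def capital_cost(charge, annual_cost_rate):
    """Cost of holding the extra capital for one year; the chapter's point is
    that the activity's economic value added must be reduced by this amount."""
    return charge * annual_cost_rate


# Constructed book: stand-alone VaRs in USD millions across two business units.
PROJECTS = {"life_a": 2000.0, "life_b": 1500.0, "pc_a": 2500.0, "pc_b": 1000.0}
UNIT_OF = {"life_a": "life", "life_b": "life", "pc_a": "pc", "pc_b": "pc"}

if __name__ == "__main__":
    # The chapter's own figures: firm VaR $5,000m -> $5,100m, capital costing 8%/yr.
    print(f"chapter example: charge {5100.0 - 5000.0:.0f}m, "
          f"cost {capital_cost(5100.0 - 5000.0, 0.08):.0f}m")
    charges = capital_charges(PROJECTS, UNIT_OF, "pc_new", 400.0, "pc")
    for convention, charge in charges.items():
        print(f"{convention:12s} charge {charge:7.1f}m  "
              f"annual cost at 8%: {capital_cost(charge, 0.08):5.1f}m")
```

With the constructed book a 400m stand-alone project in the P&C unit is charged 400m with no diversification credit, roughly 240m under the within-unit convention and roughly 195m against the firm-wide VaR. The gap between the last two is the firm-wide benefit that the Nationwide convention deliberately withholds from the unit, and the charge collapses to the stand-alone VaR only when every correlation is 1.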
What Is ERM?

Learning Objectives

After completing this reading you should be able to:

• Describe Enterprise Risk Management (ERM) and compare and contrast differing definitions of ERM.
• Compare the benefits and costs of ERM and describe the motivations for a firm to adopt an ERM initiative.
• Describe the role and responsibilities of a chief risk officer (CRO) and assess how the CRO should interact with other senior management.
• Describe the key components of an ERM program.

Excerpt is Chapter 4 of Enterprise Risk Management: From Incentives to Controls, Second Edition, by James Lam.
Earlier, we reviewed the concepts and processes applicable to almost all of the risks that a company will face. We also argued that all risks can be thought of as a bell curve. Certainly, it is a prerequisite that a company develop an effective process for each of its significant risks. But it is not enough to build a separate process for each risk in isolation.

Risks are by their very nature dynamic, fluid, and highly interdependent. As such, they cannot be broken into separate components and managed independently. Enterprises operating in today's volatile environment require a much more integrated approach to managing their portfolio of risks.

This has not always been recognized. Traditionally, companies managed risk in organizational silos. Market, credit, and operational risks were treated separately and often dealt with by different individuals or functions within an institution. For example, credit experts evaluated the risk of default, mortgage specialists analyzed prepayment risk, traders were responsible for market risks, and actuaries handled liability, mortality, and other insurance-related risks. Corporate functions such as finance and audit handled other operational risks, and senior line managers addressed business risks.

However, it has become increasingly apparent that such a fragmented approach simply doesn't work, because risks are highly interdependent and cannot be segmented and managed by entirely independent units. The risks associated with most businesses are not one-to-one matches for the primary risks (market, credit, operational, and insurance) implied by most traditional organizational structures. Attempting to manage them as if they are is likely to prove inefficient and potentially dangerous. Risks can fall through the cracks, risk interdependencies and portfolio effects may not be captured, and organizational gaps and redundancies can result in suboptimal performance. For example, imagine that a company is about to launch a new product or business in a foreign country. Such an initiative would require:

• The business unit to establish the right pricing and market-entry strategies;
• The treasury function to provide funding and protection against interest rate and foreign-exchange (FX) risks;
• The Information Technology (IT) and operations function to support the business; and
• The legal and insurance functions to address regulatory and liability issues.

It is not difficult to see how an integrated approach could more effectively manage these risks. An enterprise risk management (ERM) function would be responsible for establishing firm-wide policies and standards, coordinating risk management activities across business units and functions, and providing overall risk monitoring for senior management and the board.

Nor is risk monitoring any more efficient under the silo approach. The problem is that individual risk functions measure and report their specific risks using different methodologies and formats. For example, the treasury function might report on interest rate and FX risk exposures, and use value-at-risk as its core risk measurement methodology. On the other hand, the credit function would report delinquencies and outstanding credit exposures, and measure such exposures in terms of outstanding balances, while the audit function would report outstanding audit items and assign some sort of audit score, and so on.

Senior management and the board get pieces of the puzzle, but not the whole picture. In many companies, the risk functions produce literally hundreds of pages of risk reports, month after month. Yet, oftentimes, they still don't manage to provide management and the board with useful risk information. A good acid test is to ask if the senior management knows the answers to the following basic questions:

• What are the company's top 10 risks?
• Are any of our business objectives at risk?
• Do we have key risk indicators that track our critical risk exposures against risk tolerance levels?
• What were the company's actual losses and incidents, and did we identify these risks in previous risk assessment reports?
• Are we in compliance with laws, regulations, and corporate risk policies?

If a company is uncertain about the answers to any of these questions, then it is likely to benefit from a more integrated approach to handling all aspects of risk—enterprise risk management (ERM).1

3.1 ERM DEFINITIONS

Since the practice of ERM is still relatively new, there have yet to be any widely accepted industry standards with regard to the definition of ERM. As such, a multitude of different definitions is available, all of which highlight and prioritize different aspects of ERM. Consider, for example, a definition provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004:

1 Other popular terms used to describe enterprise risk management include firm-wide risk management, integrated risk management, and holistic risk management.
28 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
"ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Another definition was established by the International Organization for Standardization (ISO 31000):

Risk is the "effect of uncertainty on objectives" and risk management refers to "coordinated activities to direct and control an organization with regard to risk."

While the COSO and ISO definitions provide useful concepts (e.g., linkage to objectives), I think it is important that ERM is defined as a value-added function. Therefore, I would suggest the following definition:

Risk is a variable that can cause deviation from an expected outcome. ERM is a comprehensive and integrated framework for managing key risks in order to achieve business objectives, minimize unexpected earnings volatility, and maximize firm value.

The lack of a standard ERM definition can cause confusion for a company looking to set up an ERM framework. No ERM definition is perfect or applicable to every organization. My general advice is for each organization to adopt an ERM definition and framework that best fit their business scope and complexity.

3.2 THE BENEFITS OF ERM

ERM is all about integration, in three ways.

First, enterprise risk management requires an integrated risk organization. This most often means a centralized risk management unit reporting to the CEO and the Board in support of their corporate- and board-level risk oversight responsibilities. A growing number of companies now have a Chief Risk Officer (CRO) who is responsible for overseeing all aspects of risk within the organization—we'll consider this development later.

Second, enterprise risk management requires the integration of risk transfer strategies. Under the silo approach, risk transfer strategies were executed at a transactional or individual risk level. For example, financial derivatives were used to hedge market risk and insurance to transfer out operational risk. However, this approach doesn't incorporate diversification within or across the risk types in a portfolio, and thus tends to result in over-hedging and excessive insurance cover. An ERM approach, by contrast, takes a portfolio view of all types of risk within a company and rationalizes the use of derivatives, insurance, and alternative risk transfer products to hedge only the residual risk deemed undesirable by management.

Third, enterprise risk management requires the integration of risk management into the business processes of a company. Rather than the defensive or control-oriented approaches used to manage downside risk and earnings volatility, enterprise risk management optimizes business performance by supporting and influencing pricing, resource allocation, and other business decisions. It is during this stage that risk management becomes an offensive weapon for management.

All this integration is not easy. For most companies, the implementation of ERM implies a multi-year initiative that requires ongoing senior management sponsorship and sustained investments in human and technological resources. Ironically, the amount of time and resources dedicated to risk management is not necessarily very different for leading and lagging organizations.

The most crucial difference is this: leading organizations make rational investments in risk management and are proactive, optimizing their risk profiles. Lagging organizations, on the other hand, make disconnected investments and are reactive, fighting one crisis after another. The investments of the leading companies in risk management are more than offset by improved efficiency and reduced losses.

Let's discuss the three major benefits to ERM: increased organizational effectiveness, better risk reporting, and improved business performance.

Organizational Effectiveness

Most companies already have risk management and corporate-oversight functions, such as finance/insurance, audit and compliance. In addition, there may be specialist risk units: for example, investment banks usually have market risk management units, while energy companies have commodity risk managers.

The appointment of a chief risk officer and the establishment of an enterprise risk function provide the top-down coordination necessary to make these various functions work cohesively and efficiently. An integrated team can better address not only the individual risks facing the company, but also the interdependencies between these risks.

Risk Reporting

As previously noted, one of the key requirements of risk management is that it should produce timely and relevant risk reporting for the senior management and board of directors. As we also noted, however, this is frequently not the case. In a

Chapter 3 What Is ERM? ■ 29


silo framework, either no one takes responsibility for overall risk reporting, and/or every risk-related unit supplies inconsistent and sometimes contradictory reports.

An enterprise risk function can prioritize the level and content of risk reporting that should go to senior management and the board: an enterprise-wide perspective on aggregate losses, policy exceptions, risk incidents, key exposures, and early-warning indicators. This might take the form of a risk dashboard that includes timely and concise information on the company's key risks. Of course, this goes beyond the senior management level; the objective of ERM reporting is by its nature to increase risk transparency throughout an organization.

Business Performance

Companies that adopt an ERM approach have experienced significant improvements in business performance. Figure 3.1 provides examples of reported benefits of ERM from a cross-section of companies. ERM supports key management decisions such as capital allocation, product development and pricing, and mergers and acquisitions. This leads to improvements such as reduced losses, lower earnings volatility, increased earnings, and improved shareholder value.

These improvements result from taking a portfolio view of all risks; managing the linkages between risk, capital, and profitability; and rationalizing the company's risk transfer strategies. The result is not just outright risk reduction: companies that understand the true risk/return economics of a business can take more of the profitable risks that make sense for the company and less of the ones that don't.

| Benefit | Company | Actual Results |
| --- | --- | --- |
| Market value improvement | Top money center bank | Outperformed S&P 500 banks by 58% in stock price performance |
| Early warning of risks | Large commercial bank | Assessment of top risks identified over 80% of future losses; global risk limits cut by one-third prior to Russian crisis |
| Loss reduction | Top asset-management company | 30% reduction in the loss ratio enterprise-wide; up to 80% reduction in losses at specific business units |
| Regulatory capital relief | Large international commercial and investment bank | $1 billion reduction of regulatory capital requirements, or about 8-10% |
| Risk transfer rationalization | Large property and casualty insurance company | $40 million in cost savings, or 13% of annual reinsurance premium |
| Insurance premium reduction | Large manufacturing company | 20-25% reduction in annual insurance premium |

Figure 3.1 ERM benefits.

Despite all these benefits, many companies would balk at the prospect of a full-blown ERM initiative were it not for the existence of heavy internal and external pressures. In the business world, managers are often galvanized into action after a near miss—either a disaster averted within their own organization or an actual crisis at a similar organization.

In response, the board and senior management are likely to question the effectiveness of the control environment and the adequacy of risk reporting within their company. To put it another way, they will begin to question how well they really know the organization's major risk exposures.

Such incidents are also often followed by critical assessments from auditors and regulators—both groups which are constitutionally concerned with the effectiveness of risk management. Consequently, regulators focus on all aspects of risk during examinations, setting risk-based capital and compliance requirements, and reinforcing key roles for the board and senior management in the risk management process.

This introspection often leads to the emergence of a risk champion among the senior executives who will sponsor a major program to establish an enterprise risk management approach. As noted above, this risk champion is increasingly becoming a formalized senior management position—the chief risk officer, or CRO.

Aside from this, direct pressure also comes from influential stakeholders such as shareholders, employees, ratings agencies, and analysts. Not only do such stakeholders expect more earnings predictability, management have fewer excuses today for not providing it. Over the past few years, volatility-based models such as value-at-risk (VaR) and risk-adjusted return on capital (RAROC) have been applied to measure all types of market risk within an organization; their use is now spreading to credit risk, and even to operational risk. The increasing availability and liquidity of alternative risk transfer products—such as credit

derivatives and catastrophe bonds—also means that companies are no longer stuck with many of the unpalatable risks they previously had no choice but to hold. Overall, the availability of such tools makes it more difficult and less acceptable for companies to carry on with more primitive and inefficient alternatives. Managing risk is management's job.

3.3 THE CHIEF RISK OFFICER

The role of a chief risk officer has received a lot of attention within the risk management community, as well as from the finance and general management audiences. Articles on chief risk officers and ERM appear frequently in trade publications such as Risk Magazine and Risk and Insurance, but have also been covered in general publications such as CFO magazine, the Wall Street Journal, and even USA Today.

• • •

Today, the role of the CRO has been widely adopted in risk-intensive businesses such as financial institutions, energy firms, and non-financial corporations with significant investment activities and/or foreign operations. I would estimate that as many as 80% of the biggest U.S. financial institutions have CROs.

The recent financial and economic meltdowns have increased the demand for comprehensive ERM frameworks. As an indication of this increased demand, executive management training programs in ERM are increasingly offered by leading business schools. For example, in November 2010, Harvard Business School implemented a five-day program designed to train CEOs, COOs, and CROs in managing risk as corporate leaders: there have been two other sessions to date, one in February 2012, and one just recently, in February 2013.2

Typical reports to the CRO are the heads of credit risk, market risk, operational risk, insurance, and portfolio management. Other functions that the CRO is commonly responsible for include risk policy, capital management, risk analytics and reporting, and risk management within individual business units. In general, the office of the CRO is directly responsible for:

• Providing the overall leadership, vision, and direction for enterprise risk management;
• Establishing an integrated risk management framework for all aspects of risks across the organization;
• Developing risk management policies, including the quantification of the firm's risk appetite through specific risk limits;
• Implementing a set of risk indicators and reports, including losses and incidents, key risk exposures, and early warning indicators;
• Allocating economic capital to business activities based on risk, and optimizing the company's risk portfolio through business activities and risk transfer strategies;
• Communicating the company's risk profile to key stakeholders such as the board of directors, regulators, stock analysts, rating agencies, and business partners; and
• Developing the analytical, systems, and data management capabilities to support the risk management program.

Still, given that enterprise risk management is still a relatively new field, many of the kinks have yet to be smoothed out of the Chief Risk Officer role. For example, there are still substantial amounts of ambiguity with regard to where the CRO stands in the hierarchy between the board of directors and other C-level positions, such as CEOs, CFOs, and COOs.

In many instances, the CRO reports to the CFO or CEO—but this can make firms vulnerable to internal friction when serious clashes of interest occur between corporate leaders. For example, when Paul Moore, former head of regulatory risk at HBOS, claimed that he had been "fired . . . for warning about reckless lending," the resulting investigations led to the resignation of HBOS' chief executive, Sir James Crosby, as the deputy chairman of the Financial Services Authority.3

One organizational solution is to establish a dotted-line reporting relationship between the chief risk officer and the board or board risk committee. Under extreme circumstances (e.g., CEO/CFO fraud, major reputational or regulatory issues, excessive risk taking beyond risk appetite tolerances), that dotted line may convert to a solid line so that the chief risk officer can go directly to the board without fear for his or her job security or compensation. Ultimately, to be effective, risk management must have an independent voice. A direct communication channel to the board is one way to ensure that this voice is heard.4

For these dotted-line reporting structures between the CRO and the board (and between the business line risk officers and the CRO), it is critical that an organization clearly establish and document the ground rules. Basic ground rules include risk escalation and communication protocols, and the role of the board or CRO in hiring/firing, annual goal setting, and compensation decisions of risk and compliance professionals who report to them.

2 Winokur, L.A. "The Rise of the Risk Leader: A Reappraisal," Risk Professional, April 2012, 20.

3 Davy, Peter. "Cinderella Moment," Wall Street Journal, October 5, 2010.

4 Lam, James. "Structuring for Accountability," Risk Professional, June 2009, 44.



Another board risk oversight option is to alter existing audit committees to incorporate risk management. In a survey of the S&P 500, "58% of respondents said that their audit committees were responsible for risk management."5 However, this presents problems of its own; oftentimes, audit committees are already working at maximum capacity just handling audit matters, and are unable to properly oversee ERM as well. Henry Ristuccia, of Deloitte, affirms that unless the "audit committee [can improve] its grasp of risk management . . . a separate risk committee needs to be formed."6

The lack of an ERM standard is also a significant barrier to the positive development of the CRO role. Mona Leung, CFO of Alliant Credit Union, says that "we have too many varying definitions" of enterprise risk management, with the result that ERM means something different to every company, and is implemented in different ways. Of course, firms from different industries should (and must) tailor their approaches to risk management in order to meet the requirements of their specific business models and regulatory frameworks, but nonetheless, it is important to have a general ERM standard.

Despite the remaining ambivalences in the structure of the CRO role, I believe that it has elevated the risk management profession in some important ways. First and foremost, the appointment of executive managers whose primary focus is risk management has improved the visibility and organizational effectiveness of that function at many companies. The successes of these appointments have only increased the recognition and acceptance for the CRO position.

Second, the CRO position provides an attractive career path for risk professionals who want to take a broader view of risk and business management. In the past, risk professionals could only aspire to become the head of a narrowly focused risk function such as credit or audit. Nearly 70 percent of the 175 participants in one online seminar that I gave on September 13, 2000, said they aspired to become CROs.

Today, CROs have begun to move even further up the corporate ladder by becoming serious contenders for the positions of CEO and CFO. For example, Matthew Feldman, formerly CRO of the Federal Home Loan Bank of Chicago, was appointed its CEO and President in May of 2008. Likewise, Deutsche Bank CRO Hugo Banziger was a candidate for UBS CEO. Kevin Buehler, of McKinsey & Co., affirms that the gradual movement of CROs from control functions to more strategic roles is the primary contributing factor to their success, and that in the coming years, this progress is only likely to accelerate.7

• • •

Some argue that a company shouldn't have a CRO because that job is already fulfilled by the CEO or the CFO. Supporting this argument is the fact that the CEO is always going to be ultimately responsible for the risk (and return) performance of the company, and that many risk departments are part of the CFO's organization. So why create another C-level position of CRO and detract from the CEO's or CFO's responsibilities?

The answer is the same reason that companies create roles for other C-level positions, such as chief information officers or chief marketing officers. These roles are defined because they represent a core competency that is critical to the success of the company—the CEO needs the experience and technical skills that these seasoned professionals bring. Perhaps not every company should have a full-time CRO, but the role should be an explicit one and not simply one implied for the CEO or CFO.

For companies operating in the financial or energy markets, or other industries where risk management represents a core competency, the CRO position should be considered a serious possibility. A CRO would also benefit companies in which the full breadth of risk management experience does not exist within the senior management team, or if the build-up of required risk management infrastructure requires the full-time attention of an experienced risk professional.

What should a company look for in a CRO? An ideal CRO would have superb skills in five areas. The first would be the leadership skills to hire and retain talented risk professionals and establish the overall vision for ERM. The second would be the evangelical skills to convert skeptics into believers, particularly when it comes to overcoming natural resistance from the business units. Third would be the stewardship to safeguard the company's financial and reputational assets. Fourth would be to have the technical skills in strategic, business, credit, market, and operational risks. And, last but not least, fifth would be to have consulting skills in educating the board and senior management, as well as helping business units implement risk management at the enterprise level. While it is unlikely that any single individual would possess all of these skills, it is important that these competencies exist either in the CRO or elsewhere within his or her organization.

5 Banham, Russ. "Disaster Averted," CFO Magazine, April 1, 2011, 2.

6 Ibid.

7 Winokur, L. A. "The Rise of the Risk Leader: A Reappraisal," Risk Professional, April 2012, 17.

3.4 COMPONENTS OF ERM

A successful ERM program can be broken down into seven key components (see Figure 3.2). Each of these components must be developed and linked to work as an integrated whole. The seven components include:

1. Corporate governance to ensure that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company.
2. Line management to integrate risk management into the revenue-generating activities of the company (including business development, product and relationship management, pricing, and so on).
3. Portfolio management to aggregate risk exposures, incorporate diversification effects, and monitor risk concentrations against established risk limits.
4. Risk transfer to mitigate risk exposures that are deemed too high, or are more cost-effective to transfer out to a third party than to hold in the company's risk portfolio.
5. Risk analytics to provide the risk measurement, analysis, and reporting tools to quantify the company's risk exposures as well as track external drivers.
6. Data and technology resources to support the analytics and reporting processes.
7. Stakeholder management to communicate and report the company's risk information to its key stakeholders.

Let's consider these in turn.

Figure 3.2 Seven components of ERM.
1. Corporate Governance: Establish top-down risk management
2. Line Management: Business strategy alignment
3. Portfolio Management: Think and act like a "fund manager"
4. Risk Transfer: Transfer out concentrated or inefficient risks
5. Risk Analytics: Develop advanced analytical tools
6. Data and Technology Resources: Integrated data and system capabilities
7. Stakeholders Management: Improve risk transparency for key stakeholders

Corporate Governance

Corporate governance ensures that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company. The mandate for effective corporate governance has been brought to the forefront by regulatory and industry initiatives around the world. These initiatives include the Treadway Report from the United States, the Turnbull Report from the UK, and the Dey Report from Canada. All of these made recommendations for establishing corporate controls and emphasized the responsibilities of the board of directors and senior management. Additionally, the Sarbanes-Oxley Act provides both specific requirements and severe penalties for non-compliance.

From an ERM perspective, the responsibilities of the board of directors and senior management include:

• Defining the organization's risk appetite in terms of risk policies, loss tolerance, risk-to-capital leverage, and target debt rating.
• Ensuring that the organization has the risk management skills and risk absorption capability to support its business strategy.
• Establishing the organizational structure of the ERM framework and defining the roles and responsibilities for risk management, including the role of chief risk officer.
• Implementing an integrated risk measurement and management framework for strategic, business, operational, financial, and compliance risks.
• Establishing risk assessment and audit processes, as well as benchmarking company practices against industry best practices.
• Shaping the organization's risk culture by setting the tone from the top not only through words but also through actions, and reinforcing that commitment through incentives.
• Providing appropriate opportunities for organizational learning, including lessons learned from previous problems, as well as ongoing training and development.

Line Management

Perhaps the most important phase in the assessment and pricing of risk is at its inception. Line management must align business strategy with corporate risk policy when pursuing new business and growth opportunities. The risks of business transactions should be fully assessed and incorporated into pricing and profitability targets in the execution of business strategy.



Specifically, expected losses and the cost of risk capital should be included in the pricing of a product or the required return of an investment project. In business development, risk acceptance criteria should be established to ensure that risk management issues are considered in new product and market opportunities. Transaction and business review processes should be developed to ensure the appropriate due diligence. Efficient and transparent review processes will allow line managers to develop a better understanding of those risks that they can accept independently and those that require corporate approval or management.

Portfolio Management

The overall risk portfolio of an organization should not just happen—that is, it should not just be the cumulative effect of business transactions conducted entirely independently. Rather, management should act like a fund manager and set portfolio targets and risk limits to ensure appropriate diversification and optimal portfolio returns.

The concept of active portfolio management can be applied to all the risks within an organization. Diversification effects from natural hedges can only be fully captured if an organization's risks are viewed as a whole, in a portfolio. More importantly, the portfolio management function provides a direct link between risk management and shareholder value maximization.

For example, a key barrier for many insurance companies in implementing ERM is that each of the financial risks within the overall business portfolio is managed independently. The actuarial function is responsible for estimating liability risks arising from the company's insurance policies; the investment group invests the company's cash flows in fixed-income and equity investments. The interest rate risk function hedges mismatches between assets and liabilities. However, an insurance company which has implemented ERM would manage all of its liability, investment, interest rate, and other risks as an integrated whole in order to optimize overall risk/return. The integration of financial risks is one step in the ERM process, while strategic, business, and operational risks must also be considered in the overall ERM framework.

Risk Transfer

Portfolio management objectives are supported by risk transfer strategies that lower the cost of transferring out undesirable risks, and also increase the organization's capacity to originate desirable but concentrated risks. To reduce undesirable risks, management should evaluate derivatives, insurance, and hybrid products on a consistent basis and select the most cost-effective alternative. For example, corporations such as Honeywell and Mead have used alternative risk transfer (ART) products that combine traditional insurance protection with financial risk protection. By bundling various risks, risk managers have achieved estimated savings of 20 to 30% in the cost of risk transfer.

A company can dramatically reduce its hedging and insurance costs—even without third-party protection—by incorporating the natural hedges that exist in any risk portfolio. In the course of doing business, companies naturally develop risk concentrations in their areas of specialization. The good news is that they should be very capable of analyzing, structuring, and pricing those risks. The bad news is that any risk concentration can be dangerous. By transferring undesirable risks to the secondary market—through credit derivatives or securitization, for example—an organization can increase its risk origination capacity and revenue without accumulating highly concentrated risk positions.

Finally, management can purchase desirable risks that they cannot directly originate on a timely basis, or swap undesirable risk exposures for desirable risk exposures through a derivative contract.

Risk Analytics

The development of advanced risk analytics has supported efforts to quantify and manage credit, market, and operational risks on a more consistent basis. The same techniques that allow for the quantification of risk exposures and risk-adjusted profitability can be used to evaluate risk transfer products such as derivatives, insurance, and hybrid products. For example, management can increase shareholder value through risk transfer provided that the cost of risk transfer is lower than the cost of risk retention for a given risk exposure (e.g., 12% all-in cost of risk transfer versus 15% cost of risk capital).

Alternatively, if management wants to reduce its risk exposure, risk analytics can be used to determine the most cost-effective way to accomplish that objective. In addition to risk mitigation, advanced risk analytics can also be used to significantly improve net present value (NPV)- or economic value added (EVA)-based decision tools. The use of scenario analyses and dynamic simulations, for example, can support strategic planning by analyzing the probabilities and outcomes of different business strategies as well as the potential impact on shareholder value.

Data and Technology Resources

One of the greatest challenges for enterprise risk management is the aggregation of underlying business and market data. Business data includes transactional and risk positions captured in different front- and back-office systems; market data includes prices, volatilities, and correlations. In addition to data aggregation, standards and processes must be established to improve the quality of data that is fed into the risk systems.

As far as risk technology goes, there is no single vendor software package that provides a total solution for enterprise risk management. Organizations still have to either build, buy, and customize or outsource the required functionality. Despite the data and system challenges, companies should not wait for a perfect system solution to become available before establishing an enterprise risk management program. Rather, they should make the best use of what is available and at the same time apply rapid prototyping techniques to drive the systems-development process. Additionally, companies should consider tapping into the power of the Internet/Intranet in the design of an enterprise risk technology platform.

Stakeholder Management

Risk management is not just an internal management process. It should also be used to improve risk transparency in a firm's relationship with key stakeholders. The board of directors, for example, needs periodic reports and updates on the major risks faced by the organization in order to review and approve risk management policies for controlling those risks. Regulators need to be assured that sound business practices are in place, and that business operations are in compliance with regulatory requirements. Equity analysts and rating agencies need risk information to develop their investment and credit opinions.

An important objective for management in communicating and reporting to these key stakeholders is an assurance that appropriate risk management strategies are in effect. Otherwise, the company (and its stock price) will not get full credit, since interested parties will see the risks but may not see the controls. The increasing emphasis of analyst presentations and annual reports on a company's risk management capabilities is evidence of the importance now placed on stakeholder communication . . . .



Learning Objectives

After completing this reading you should be able to:

• Describe best practices for the implementation and communication of a risk appetite framework (RAF) at a firm.
• Explain the relationship between a firm's RAF and its risk culture, and between the RAF and a firm's strategy and business planning process.
• Explain key challenges to the implementation of an RAF and describe ways that a firm can overcome each challenge.
• Assess the role of stress testing within an RAF, and describe challenges in aggregating firm-wide risk exposures.
• Explain lessons learned in the implementation of a RAF through the presented case studies.

Excerpt is reprinted from Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions, by the Institute of International Finance, June 2011.

INTRODUCTION

1. One of the key lessons of the financial crisis was that some firms took more risk in aggregate than they were able to bear given their capital, liquidity, and risk management capabilities, and some took risks that their management and Boards did not properly understand or control. Indeed, in its October 2009 report, Risk Management Lessons from the Global Banking Crisis of 2008, the Senior Supervisors Group (SSG) highlighted major governance challenges at the 20 largest banks in the most-affected jurisdictions, in particular "the unwillingness or inability of Boards of Directors and senior managers to articulate, measure and adhere to a level of risk acceptable to the firm." The SSG concluded that "a key weakness in governance stemmed from . . . a disparity between the risks that their firms took and those that their Boards of Directors perceived the firms to be taking." Put simply, Boards did not understand well enough, or properly control in advance, the risks that their firms were taking. These conclusions are not disputed by the Industry.

2. Three years after the crisis, largely as a consequence of these conclusions, there is now consensus between supervisors and the Industry that a clearly articulated statement of risk appetite and the use of a well-designed risk appetite framework to underpin decision-making are essential to the successful management of risk. Taken together, such a statement and framework provide clear direction for the enterprise and ensure alignment of expectations among the Board, senior management, the risk management function, supervisory bodies, and shareholders. In combination with a strong risk culture, they provide the cornerstone for building the effective enterprise-wide risk management framework that is essential to the long-term stability of a firm.

3. In 2008 the Institute of International Finance formed a high-level Committee on Market Best Practices (CMBP) to draw key lessons for the financial services industry from the global financial crisis that was unfolding at that time. The CMBP issued a report containing a number of key principles and recommendations for the Industry, focusing on areas such as governance, risk management, and transparency. The core purpose of these recommendations was to promote much more robust risk management and governance frameworks in financial institutions.

4. Early in the discussion and analytical process that led to the final CMBP report, IIF members identified risk appetite as being of fundamental importance. The CMBP report defined risk appetite as "a firm's view on how strategic risk taking can help achieve business objectives while respecting constraints to which the organization is subject." A key finding of the CMBP was that putting in place a robust risk appetite framework constitutes an essential component of adequate risk management. The CMBP elaborated on a number of aspects regarding risk appetite, including the high-level governance aspects of defining and implementing a risk appetite framework.

5. In 2009 the IIF, recognizing the need to actively promote the implementation of the CMBP recommendations, established a Steering Committee on Implementation (SCI). This committee was charged with steering the IIF's efforts on further analysis of key risk management implications of the crisis as well as tracking IIF members' efforts in revising their practices and implementing Industry practices recommendations. In December 2009 the SCI issued its report, Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, which assessed the progress made by the Industry in implementing and embedding revised risk management and governance practices.

6. Among other issues, the 2009 SCI report focused once again on risk appetite, further developing and discussing the concept and a number of related issues. The report also provided an augmented definition of risk appetite as being "the amount and type of risk that a company is able and willing to accept in pursuit of its business objectives. The statement of risk appetite balances the needs of all stakeholders by acting both as a governor of risk and a driver of current and future business activity. It is expressed in both quantifiable and qualitative terms and covers all risks." In particular, the 2009 report set out an analytical framework for risk appetite and outlined a number of key issues in regard to the practical implementation of the concept by financial firms.

7. Risk appetite has also received a great deal of attention from the regulatory community. In particular, the SSG—which has been the public sector group most deeply involved in the analysis of the risk management implications of the crisis—has focused extensively on risk appetite issues and related supervisory implications. Specifically, the SSG's 2009 report, Risk Management Lessons from the Global Banking Crisis of 2008, identified risk appetite as a crucial element of robust risk management. The SSG identified a number of deficiencies in the way the Industry was approaching risk appetite issues, observing, for example, that much more evidence was needed of Board involvement in setting and monitoring adherence to firms' risk appetite, and that the Industry needed to continue working to make risk appetite statements much more robust to encompass a suitably wide range of measures and actionable elements.

38 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency

8. In December 2010, the SSG issued another report, Observations on Developments in Risk Appetite Frameworks and IT Infrastructure, which elaborated on this subject. In particular, the SSG highlighted the importance of Board and senior management involvement in the articulation and implementation of the risk appetite framework and emphasized the need to embed revised practices within firms so that such practices can be sufficiently resilient in an increasingly competitive environment.

9. While there is clearly a substantial amount of ongoing work by both the Industry and the regulatory community in the area of risk appetite frameworks, it is widely recognized that additional guidance would be helpful as firms continue refining their practices and methodologies. The reports by the IIF and the SSG, together with the substantial experience gained by firms in the last several years, constitute a fertile ground in which to continue developing guidance as to how management and Boards should confront and resolve difficult, basic issues linked to the design and implementation of a risk appetite framework.

10. As firms, in response to the crisis, continue to make progress in improving their risk appetite processes, primarily in pursuit of stronger risk management but also to meet evolving supervisory expectations, additional guidance should draw on lessons from firms' experience and from the successful practices that are being developed globally by many in the Industry. This can, in turn, form the basis for a constructive dialogue with the global supervisory community.

11. In order to organize the in-depth analysis and discussion of risk appetite issues, assess the Industry's state of practice on the subject, and learn by leveraging the experience and expertise of a broad range of market participants, the IIF SCI established the Working Group on Risk Appetite (WGRA). The WGRA and the present report have the following key objectives:

• To assess and evaluate current Industry practices in the area of risk appetite.
• To identify the key stages and the technical and cultural challenges in the journey toward setting—and monitoring adherence to—appropriate boundaries for risk, within a sound risk appetite framework.
• To bring Industry expertise and sound practices to bear on examining how these challenges have been addressed, including the analysis of real-life case studies.
• To develop specific practical recommendations for firms to address the challenges of implementing a robust and meaningful risk appetite framework.

12. The WGRA has carried out an Industry survey, group discussions, interviews, and case studies involving a diverse sample of participants globally. As detailed in Annex II, respondents to the survey represented a cross-section of geography and institutional size, all at various stages of the implementation journey. The survey was sent to 79 firms; 73 responses were received from 40 firms. Although the survey responses received were rich and comprehensive, in order to get behind them to understand at a practical level how challenges were overcome to enable the sharing of good practices, multiple thematic conference calls, as well as bilateral in-depth discussions, were held with Industry participants in several continents, covering the key topics and challenges considered in Section 2. The survey responses, conference calls, extensive bilateral discussions, and the four case studies supplied have provided the background for our in-depth analysis of the current challenges facing the Industry and a practical set of recommendations to move forward.

13. Annex I presents four highly detailed case studies which were generously provided, upon request, by Commonwealth Bank of Australia, National Australia Bank, Royal Bank of Canada, and Scotiabank. These case studies are intended to complement the evidence gathered through the survey and the WGRA discussions and to provide valuable insights and "real-life" examples of the approaches that large firms have taken to overcoming the challenges involved in establishing a risk appetite framework (RAF). The case studies represent an integral part of this report and are recommended reading as they contain a wealth of detailed information regarding the diversity of approaches taken, the role of leadership and collaboration, the iterative nature of RAF development and the influence of culture in the risk appetite process.

SECTION 1 - PRINCIPAL FINDINGS FROM THE INVESTIGATION

14. This section outlines a number of key findings of our work on risk appetite, the extent to which the Industry is embracing it, and the principal impediments to implementation. It outlines a number of practical steps that firms have taken to overcome the principal challenges and which form the basis of emerging Industry sound practices in this evolving area. In some instances the findings of this report are not new. The survey highlights, reinforces, or otherwise clarifies issues that the Industry continues to struggle with and that at times have been commented on elsewhere. The report does, however, aim to offer valuable insights on how many of these challenges are being overcome.

Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions ■ 39

15. It is clear from the responses to the survey and from the discussions that followed that developing a risk appetite framework is a journey on which the Industry finds itself in the early stages. Although the cultural, organizational, and technical challenges are formidable and the majority of firms are not yet where they either need or want to be, our investigation has shown that a number of leading firms in the Industry are making good progress. Evidence suggests that there has been more progress in designing, implementing, and embedding risk appetite frameworks—at least in participating firms—than has been generally realized until now.

16. The aggregate risk profiles of large financial institutions are complex, multidimensional, and, even where risk IT is well developed, relatively opaque.1 Consequently, developing a risk appetite framework requires time and significant intellectual and financial resources. Not surprisingly, the degree of progress varies across participating banks, and a substantial gap is likely to remain for some time between leading-edge practices and what is "typical." One very striking feature of the results of this investigation, however, is the widespread recognition of the intrinsic importance of risk appetite to good risk management and the motivation to get this right.

17. Where progress has been made to date, it has been driven principally by a recognition by the firms' leadership of the need to strengthen risk management and governance arrangements. It has not typically been solely, or even primarily, a response to specific regulatory or supervisory requirements.

18. Not only are firms at different stages of development of their RAFs, they are also adopting a wide range of approaches, as can be clearly seen from the important and detailed case studies supplied in Annex I. This reflects differing business models, structures, and degrees of complexity. Thus, an important finding of our work is that one size does not fit all. While some convergence of practices can be expected to emerge over time, diversity of approach is inevitable and should not be discouraged. Supervisors need to be alert to this and avoid insisting on formulaic solutions that may not be aligned with business needs.

19. Despite the different stages of development of firms' RAFs and the multiplicity of approaches being taken, our investigation has shown that there is some convergence of thought and experience around the implementation, design, and impact of an effective risk appetite framework. These areas of convergence include:

a. Successful implementation is highly dependent on effective interactions among all key stakeholders, including Board members, senior management, the risk management function, and the operating businesses. In a large majority of firms, defining or setting the risk appetite is initiated by senior management and, after an effective challenge process, is approved by the Board. In all cases the "tone from the top" was essential to driving the process. It is clear that where there is visible and continuous support of the risk appetite concept from the Board and senior management, the development and implementation of the risk appetite framework was much more effective in all respects.

b. The in-depth discussion around the survey results indicates quite clearly that putting in place an effective risk appetite framework is inextricably linked to the risk culture of a firm. To be fully effective, the risk appetite framework, together with an appreciation of its benefits, needs to be disseminated throughout the institution. Done properly, implementation of a risk appetite framework can act as a powerful reinforcement to a strong risk culture in providing a coherent rationale and consistent framework for understanding risk at all levels. It can never substitute for proper systems, controls, and limits, but instead supplements and motivates these and may even increase compliance. Firms with strong risk cultures that provide staff with guidance for their own behavior and what to look for and challenge in others are much more effective in the implementation process. This is especially important when developing appetite statements around those risks that are less quantifiable (e.g., operational risk, risks of legal or regulatory non-compliance, and reputational risk). It is also clear that risks cannot be completely avoided, and aspirational statements relating to "zero tolerance" of certain types of risk are less useful than detailed guidance to the businesses about how such risks should be viewed and managed.

1 The identification of sound industry practices for risk IT is the subject of a parallel IIF report: Risk IT and Operations: Strengthening Capabilities, June 2011.

c. While implementing an RAF is challenging, those firms that have made progress are clear that they see tangible benefits resulting from their risk appetite process. While these benefits are not always apparent at the start, there is a high degree of consensus among such firms that the RAF is allowing the Board and the senior management to have a more informed discussion of the risks in the business plan and strategy. Firms reporting the most progress have also established strong linkages between risk issues and strategy, planning, and finance—the last two of these being areas in which risk was often not formally considered in the past. These linkages have been put in place at both the enterprise-wide and business unit (BU) levels. Such processes may, at least initially, make the resource planning cycle longer and more complicated, but this is a price well worth paying in return for fostering a more robust risk culture and a stronger awareness throughout the organization. Firms at a more advanced stage also highlight the benefits deriving from a stronger integration of risk considerations into the strategic and business plans and more effective risk/reward decision-making across the organization. These benefits can be clearly seen in the case studies attached in Annex I.

d. There is a high degree of commonality around the most relevant inputs driving the shaping of a firm's risk appetite. Most often used is capital capacity, followed by budget targets, liquidity, and other market constraints and stress test results. Although not captured in the survey data, several firms emphasized that a firm's overall strategy and financial objectives should be considered as a key input.

e. Limits and controls have a central role in any well-run organization, but an excessively narrow emphasis on granular limits (or too many of them) can provide false comfort to management and supervisors; lead to a mechanical, "tick-box" (or compliance-type) approach; and detract from or undermine this crucial dialogue. A strong RAF is much more powerful than limits alone: staff at all levels with any significant responsibility should know what they need to do and why, rather than merely follow instructions. The overwhelmingly important conclusion from firms' experiences in this area is that developing an RAF is not about putting in place "tablets of stone" and creating and implementing a structure of many hundreds of highly granular limits. It is important that stakeholders, including supervisors, should recognize this when assessing progress in this area.

f. The survey shows that a large majority of firms (70%) are taking a comprehensive view of all risks across the firm, not merely focusing on those risks that can be easily measured, and are using a combination of quantitative and qualitative metrics in expressing risk appetite. This reinforces the point that risk appetite does not mean the creation of a complex, highly granular set of limits. That said, at this stage in the journey the most common transmission mechanism for communicating Board-level risk appetite statements throughout the enterprise is the translation into limits. This in part reflects the quantifiable nature of some risks and provides for clear, recognizable boundaries.

g. Stress testing and stress metrics play a role in the risk appetite framework of almost all respondents (only one firm stated that they are not used). The use of stress tests varies, with some banks putting them at the center of the risk appetite setting process, whereas others use stress tests primarily to "sense-check" their appetite.

h. A large majority of those responding indicated that risk appetite is monitored on an ongoing basis at the group level and that a contingency plan or escalation procedure is triggered when a risk appetite metric is exceeded.

20. As noted above, the case studies in Annex I are an essential part of this report and clearly illustrate many of the points listed above.

SECTION 2 - KEY OUTSTANDING CHALLENGES IN IMPLEMENTING RISK APPETITE FRAMEWORKS

21. Despite the visible progress being made by many in the Industry in the implementation of effective risk appetite frameworks, more needs to be done. The survey and discussion reveal there is a degree of commonality in the hurdles firms are facing and the need for proven practical solutions to these issues. Section 3 provides a number of examples of emerging Industry sound practices in addressing these. This section outlines the largest challenges that are proving most difficult to overcome. The chart below shows the most relevant survey results in this context.

[Chart: survey responses on the principal challenges in implementing a risk appetite framework, shown as horizontal bars of the number of firms citing each challenge on a scale from 0 to 25. The challenges listed are:
• Effectively cascading the risk appetite statement through the operational levels of the organization and embedding it into operational decision making processes
• How to best express risk appetite for different risk types, some of which can be quantified in generally accepted ways, and some of which cannot be easily quantified
• Using the risk appetite framework as a dynamic tool for managing risk rather than another way of setting limits or strengthening compliance
• Using the risk appetite framework as a driver of strategy and business decisions
• Achieving sufficient clarity around the concept of risk appetite and some of the terminology used (e.g. difference between risk appetite and risk limits)
• How to effectively relate risk appetite to risk culture
• How to make best use of stress-testing in the risk appetite process
• How to most effectively aggregate risks from different business units and/or different risk types, for risk appetite purposes]

22. The link with the wider risk culture is of central importance but is also problematic in some firms. Broad discussion among firms reinforces the point that without a strong risk culture, success on the risk appetite journey is extremely difficult, if not impossible, while it is easiest to implement an effective RAF where there is already a strong culture around risk. However, a number of respondents cited culture and its link to risk appetite as being an important and difficult issue. A strong culture implies that staff understand what is required of them with respect to risk and why, and where such a strong risk culture exists it may be possible for firms to place less reliance on narrow compliance with limits and processes. Nevertheless, even the strongest culture needs to be supported with good systems, controls, and limits. It is also necessary to establish a strong link between risk appetite and compensation. At the simplest level this can be an assessment of whether business results and key performance indicators (KPIs) have been achieved by operating within limits and in accordance with the behaviors and culture described and embedded within the risk appetite. Where this is not the case, remuneration incentive awards should be moderated or adjusted accordingly.

23. Effectively cascading the risk appetite framework throughout the firm and embedding and integrating it into the operational decision-making process is clearly the largest challenge for almost all firms. While most firms have risk policies and risk measures in the form of limits that can easily be cascaded through the organization, other guidance on risk tends to be more general and at a higher level. The linkage between high-level risk appetite principles and the risk policies and metrics guiding day-to-day decision-making needs further development. As noted, firms that have been most successful in creating an RAF to date have recognized that it needs to pervade the organization in the sense that risk concepts are fully understood by staff at a range of levels and influence behavior as a result of being internalized. The benefits of a risk appetite framework are often much more apparent to Board members and senior management than they are to mid-level staff. This raises questions of how best to train and educate staff to enable them to perceive the benefits of the new approach and also touches upon the desired responsibilities of management in such training and the way in which the new approaches can or should be supplemented with formal controls and limits.

24. The best way of expressing risk appetite in a way that covers all relevant risks is also proving a challenge for firms. This is particularly true in respect to risks that are less quantifiable and require a more qualitative approach. Once the process moves beyond traditional credit and market risks—where historical data is abundantly available—to focus on reputational, strategic, and operational risks, significant challenges remain. However, it is widely recognized that an RAF cannot be confined to risks that can be easily measured. To be meaningful, risk appetite needs to take a comprehensive view across a firm, and risk appetite statements need to capture and include those risks that cannot be easily quantified. The identification and effective mitigation of such risks is a difficult challenge that is not, of course, confined to risk appetite. While some firms are comfortable tracking these risks with qualitative indicators, most are making significant efforts to quantify such risks, through, for example, proxy measures, and use a combination of qualitative and detailed quantitative elements in their risk appetite statements.

25. Some respondents are finding it difficult to shift the perception that risk appetite is primarily about setting limits. While limits and risk policies are important components of an effective risk appetite framework, the more dynamic nature of risk appetite and its role in managing risk, driving strategy, and optimizing return on a much broader basis needs to be ingrained throughout the organization. Ensuring that the RAF is positioned and perceived internally as a dynamic tool for shaping the risk profile of the institution, rather than as merely a dressed-up, "grander" process for setting limits and additional business constraints, is also an important challenge. In reality, it is necessary to strike the right balance between a framework on the one hand which is so rigid, constraining and inflexible over time as to be unable to sensibly and prudently accommodate the evolution of the businesses and group strategy in a timely fashion, having due regard to the risk implications, and one on the other hand which is excessively flexible and too easily substantially changed from one period to the next (perhaps in response to any number of proposed growth initiatives), and consequently imposes insufficient discipline on the businesses, lacks continuity, and is difficult for all employees to understand and embrace. Striking this balance correctly requires careful judgment by Boards and senior management.

26. Many firms have difficulty forging the necessary links between risk appetite and the strategic and business planning processes, though leading firms have done this successfully. It is relatively straightforward to establish an RAF in the sense of the Board setting out a statement of risk preferences that the business then seeks to translate into a range of limits. There is a growing recognition, however, that this is a very narrow concept of risk appetite and that the establishment of actionable guidance at the business unit level is crucial. The traditional approach of making high-level statements and then seeking to turn these into a plethora of granular and not well-understood limits has been shown to have serious limitations, as it tends to result in risk appetite being seen within the businesses as a remote and sometimes irrelevant part of the risk management apparatus. As explained further below, risk appetite needs to be an integral part of a business. Its effects need to be pervasive throughout the organization, and there needs to be a clear link between the RAF and business decisions.

27. Stress testing, and how it should be effectively incorporated into the risk appetite framework, remains an area of uncertainty and evolving practice in the Industry. While it is widely accepted as being a component of an effective risk appetite framework, there is less consensus about exactly how stress testing should be incorporated into a framework. The use of stress tests varies widely, with some banks putting them at the center of the risk appetite-setting process, even as others use stress tests primarily to sense-check their appetite. As a general observation, the firms that were most affected by the financial crisis appear to be more advanced in this area, but further guidance is required for the majority. While an important focus of an RAF will be the level of risk with which the Board and senior management are comfortable during "business as usual" conditions, it is equally important to understand and consider the implications of extreme but plausible scenarios on the risk profile. The technical and methodological challenges of stress and scenario testing are well known. In the RAF context, Boards, senior management, and business units need to ask how the results of stress tests should be interpreted and what they mean for risk profiles and preferences. One particularly important question in this context is the extent to which Board members and risk professionals are equipped a) to make sense of scenarios that have potentially very substantial impacts but low probability and b) to push back against the pressures from the business that are curtailing apparently profitable lines of business.

28. A related issue is how to achieve an appropriate aggregation at the group level of the levels of risks for the different individual businesses and how to establish relationships between these. Individual business units need to have a consistent framework for setting their own tolerances for risk, and these need to be consistent with the overall enterprise-wide risk appetite, both individually and in aggregate. Although progress has been made in this area by a number of firms, no single approach is dominant today. There is currently no uniform process for translating high-level risk appetite indicators into more specific measures, such as risk limits and tolerances, and further work is needed in the area of risk aggregation.

SECTION 3 - EMERGING SOUND PRACTICES IN OVERCOMING THE CHALLENGES

29. The objective of this section is to draw on the survey and the case studies, as well as discussions with firms, to identify ways in which the principal challenges identified in the previous section might be overcome. The point needs to be made at the outset that the Industry is still some distance from an identifiable body of sound practices in most of these areas. What follows, however, is intended to form the basis of emerging good practices.

3.1 Risk Appetite and Risk Culture

30. A crucial challenge is building a strong link and an effective interaction between culture and the RAF. Risk culture can be defined as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes.2 It is widely recognized that a strong (or weak) risk culture manifestly and directly impacts the risk appetite process.

31. Firms that had made the most progress in establishing a risk appetite framework report that there is a close and indissoluble link between risk appetite and culture. Risk appetite is about the organization being clear, and making clear to others, its desired level of risk. This in turn informs the planning and risk taking decisions of the business units. Decision-makers, while continuing to be bound by policies and limits, have a clearer understanding of why the policies and limits are as they are. And to the extent that they have the discretion and scope to exercise judgment, the risk appetite will provide them with a lodestone that helps to inform them in doing so. This self-reinforcing link is explained by one firm in the following way: "The adoption of a Risk Appetite Framework did not encounter major resistance from the organization. This is likely due to (a) the Bank's existing strong risk management culture and (b) the fact that the specific metrics in the 'measures' component of the Risk Appetite Framework were key existing metrics that already had buy-in across the organization. In many respects, the adoption of a formal Risk Appetite Framework codified existing risk culture, principles, objectives, and measures."

Another firm highlighted that "the risk appetite framework plays a crucial role in establishing the desired risk culture across the organization. The discussions of risk appetite across the Group as well as the specific content of the Board-owned Risk Appetite Statement have promoted a strong risk culture, which is key to success. Business Units understand what is outside appetite and therefore do not pursue these opportunities. The Risk Appetite Statement contains a key section outlining the principles of the risk culture that the Group seeks to achieve."

. . . firms from financial centers where there is traditionally a less direct link between profit/return and remuneration report that risk appetite may be an easier "sell" to staff and business heads.

34. Given these close links, the practical steps for getting the culture of risk appetite right are similar to those for getting overall risk culture right. Overall, firms report that they know when they are making progress when references to risk and risk appetite become a normal part of day-to-day discourse about the business.
32. Some firms have found that internal "values" statem ents
can be of some use in reinforcing culture. If these are seen
Overall Lessons:
as self-serving and isolated exam ples of "m anagem ent-
sp eak," such statem ents are likely to be counterpro­ • There needs to be a demonstrable commitment to
ductive; however, if they are part of a consistent set of explaining— through training and day-to-day experience—
m essages and behaviors that provide staff m em bers with the importance the institution attaches to risk appetite.
a guide to their own behavior, they can be the basis on This needs to have the consistent support of the highest
which staff can feel able to constructively challenge behav­ level of management.
iors or decisions of others, and they can be of real benefit. • Many staff for whom the benefits of an effective RAF are
33. The link with culture is therefore potentially self-reinforcing: not immediately apparent are unlikely to undergo an instant
firms with a strong risk culture find it relatively more straight­ conversion. Even after training and assimilation are in place,
forward than others to implement a risk appetite framework. it is necessary to operate rigorous controls and limits.
A t the same time, an effective risk appetite framework can • It is im portant to develop m easurable indicators of
consolidate and reinforce an effective risk culture with indi­ com pliance with risk m anagem ent norms that can form
viduals and business heads feeling reinforced about doing a robust basis for promotion and remuneration. This
the right thing. National traditions play a part in this. Some should include not only com pliance with hard limits but
also with clearly stated behavioral expectations. C om pli­
ance with these more qualitative criteria can be more
2 A p p en d ix III of the D ecem ber 2009 IIF report, "R efo rm in the Financial
difficult to assess objectively but is critical in establish­
Services Industry: Stren gth en in g Practices fo r a M o re Stab le S y stem ,"
provides a background discussion around the concept, im portance, and ing the desired risk culture and is integral to making
key im pacts of risk culture. risk appetite effective. Rigorous application of such

44 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
guidelines is consistent with cultivating a strong risk cul­ 36. Two points, however, em erged very clearly in this regard:
ture, provided it is consistent and relatively transparent. • An effective risk appetite fram ework should be perva­
• Clear communication of risk appetite param eters and sive throughout the organization in that all staff with
preferences is a prerequisite for developing the appro­ any significant decision-making authority should under­
priate culture. Individuals need to feel incentivized to stand the institution's stance toward risk and what it
com ply with these and confident in doing so. There can means for them .
be no hidden agendas or revealed preferences on the
• Yet the benefits of an effective risk appetite fram ework,
part of m anagem ent. while very real, are often not apparent to more junior
• Consistency of m essages and consistency of senior staff and, indeed, there may be some initial resistance
behaviors with these m essages, rewards and sanctions or skepticism among these groups.
that are dem onstrably consistent with the m essages, and 37. For this reason, communication and training are essential
the absence of barriers to bad news travelling upward starting points. The C E O needs to be personally involved
are essential com ponents of a strong culture. in promulgating the message about the risk appetite
• There is value in measures such as the creation of a fram ework and what it means. There needs to be com ­
meaningful and non-public statem ent of values codify­ plete agreem ent within the Board and management on a
ing this. But culture is determ ined ultimately by what the meaningful and com prehensive definition of risk appetite,
leadership does rather than by what it says. and the concepts need to be communicated in a straight­
forward way without jargon. There also needs to be clarity

3.2 "Driving Down" the Risk Appetite into in communications about where risk appetite fits alongside
risk capacity or tolerance, that is, how much risk it is techni­
the Businesses
cally possible to take, and the current level of risk being
35. Effective internal communication that makes risk appetite taken. Finally, there needs to be clarity regarding the own­
directly relevant to employees in the business units is seen ership of risk. The risk function should own the overall risk
as a major challenge by all participating banks. A variety of fram ework and the interface with the Board on risk appe­
approaches have been taken, but no clear consensus has yet tite. However, responsibility for risk within the business
emerged about how to do this most effectively. This remains units and for achieving consistency with the enterprise­
very much work in progress, even for the leading banks. wide risk stance rests squarely with business unit heads.

A cornerstone in the architecture o f an R A F and a key step in • A n o th er firm has a rather d eta iled statem en t covering
its internal communication is the articulation of a risk appetite the follow ing qualitative and quantitative elem en ts: 1. To
statement. Som e firm-specific exam ples are provided below :• g en era te sustainable econom ic p ro fit com m ensurate
with the risks taken; capital liquidity & im pairm ents &
• O ne firm explains that its risk a p p etite statem en t is cur­
e x p e c te d loss; 2. To b e well capitalised on a regulatory
rently a mix o f quantitative lim its/m etrics and qualitative
basis and maintain a long-term d e b t rating o f X ; 3. To
guidelin es:
maintain a strong Tier 1 ratio co m p rised o f a large core
i) Limits and m etrics consistently m onitored include: R O E: Tier 1 p ro p o rtio n ; 4. To maintain a w ell-diversified funding
Stress tests: RW A limits; Capital m arket m easures (e.g. structure; 5. To keep o ff the balance sh e e t vehicles non­
VaR, trading limits): Liquidity ratios: Single-N am e C on­ material in size relative to the size o f the balance sh e e t;
centration: Industry concentration; and Country en ve ­ 6. Risk m anagem ent to ensure im pairm ents and losses
lopes. These lim its/m etrics co rresp o n d to the Target are m anaged within the group's toleran ce; 7. To m anage
Rating se t fo r the Bank. all risk ca teg o ries within its a p p e tite ; 8. To harness b e n ­
ii) Qualitative guidelines mainly stem from a co m p re­ efits from business diversification to g en era te nonvolatile
hensive se t o f Risk forum s at the Execu tive M anage­ and sustainable earnings; 9. To co m p ete in businesses
m ent level (e .g ., Portfolio d ecision s: Risk C om m ittee, with international custom ers w here m arket connectivity
Stra teg ic Risk Forum s on C ountries, Industry/Product/ is critical, b u sin esses with local custom ers w here w e have
S ecto rs, as well as on Capital M arket activities. Key local scale and p ro d u cts w here global scale is critical to
Individual d ecision s: Risk com m ittees on one sp ecific effe ctiven ess; 10. To use robust and appropriate scenario
transaction/counterparty; Excep tio n a l Transaction and stress testin g to assess the potential im pact o f the chosen
N ew A ctivity Validation C om m ittees. Them atic trans­ scenario on the G roup's capital adequacy and stra teg ic
versal p o licies: C red it policies). plans.



38. Limits are a necessary part of driving risk appetite into the businesses. Effective limits are an essential part of any risk framework, whether or not the firm embraces a full RAF. Financial institutions have operated with limits (e.g., for lending or market transactions) for many years, without necessarily effectively controlling aggregate risks within acceptable levels. The establishment of an effective framework goes far beyond the simple setting of limits, however. There is a strong consensus that it is very important for staff who are subject to limits to understand both the context and rationale for these and their implications for revenue, customer service/satisfaction, and aggregate risks. The objective is to foster an effective, ongoing dialogue about the boundaries of acceptable risks and the implications of these boundaries, including for the optimal allocation of scarce resources within the firm.

39. In this context, a strong culture of responsibility for, and open dialogue about, risks in the businesses is seen as fundamentally important in effectively embedding risk appetite in the business lines. Business unit leaders have a strong leadership role to play in this. Firms that have made the most progress in implementing risk appetite have put in place processes designed to ensure the broad congruence of business and risk decisions and the overall enterprise-wide risk appetite. In these firms, business heads are required to have visible ownership of risk in their areas and to incorporate risk explicitly in their business planning. Processes then need to be put into place to check the consistency of these—both individually and in aggregate—with the overall risk appetite. Business unit heads are responsible for formulating these local plans. They also have a responsibility to explain the importance of risk appetite concepts and boundaries within their business units. Illustrating the links between specific business initiatives and day-to-day transactions and the broader risk appetite helps to make these processes come alive for staff within the businesses. Some firms have also found value in a "thematic" approach to risk, placing a specific focus on aspects of risk—such as reputation risk—for a specific period.

40. Similarly, staff on risk committees or those who are involved in the approval of transactions can link risk appetite concepts to individual policies and transaction approvals, thereby raising awareness and understanding of the boundaries and importance of risk appetite and facilitating dialogue within the businesses about these boundaries and limits.

41. When this dialogue within and across business units and with risk and senior management works well, it facilitates both intelligent challenges to the risk appetite boundaries and their evolution over time. In this way, the risk appetite framework is made dynamic and is able to sensibly accommodate new business opportunities and changes to the risk/reward relationships between different parts of the business.

42. The link between risk appetite as expressed by the Board and the behavior of mid-level staff empowered to make local decisions is also facilitated by the integration of the RAF into the business planning, as further explained in section 3.5.

In some banks the business unit leaders are required to have primary accountability for preparing and interpreting their own risk appetite statements to ensure that they are both properly aligned with the group risk appetite statements and also well-designed and effective in communicating to the staff in their own businesses. For instance, in one firm the "Line of Business (LOB) management is responsible for executing the strategic and financial operating plans of the business, optimizing the risk and reward of the business within limits established by executive management, and ensuring internal controls are appropriate. Additionally, each LOB develops a Line of Business Risk Appetite which further drives the enterprise Risk Appetite into the individual Lines of Business. Every employee understands that it is his or her responsibility to implement and adhere to the Risk Appetite while making daily business decisions."

In addition, other banks seem to rely on an appropriate interaction among risk culture, awareness, and policies and procedures. As explained by one bank participating in our survey: "The link is based on an awareness of the qualitative aspects, of expected norms and behaviors and how decisions impact the operational groups/enterprise risk appetite. This awareness is created through learning programs targeted at mid-level management. Mid-level management in front-line operations is guided in part by the simplified statements created by the enterprise. Both qualitative and quantitative aspects are reflected through policies and procedures that govern the activities of mid-level staff. These policies and procedures provide more detail to the high-level statements of the risk appetite, including business practices (for example, reputational risk, regulatory and legal requirements), risk transparency requirements (for example, new products and initiatives) as well as detailed limit frameworks (market risk, liquidity and funding, credit risk) that are set at various levels of the organization."

A few banks highlight a link with business planning: "The integration of the risk appetite statement production into the framework of the business planning process gives a linkage of the Board's risk appetite to the decisions and strategies made by business at that time. This is also expressed via the Board's capital plan, where return requirements, capitalization targets, and capital allocation resolutions combine with business volume targets."

Overall Lessons:

• Communication and education on the benefits of a risk appetite framework are essential. Members of senior management need to be visibly and consistently associated with these.

• Limit setting is a key part of risk management, whether or not it is part of a wider risk appetite framework. Business unit and risk management heads should use the risk appetite framework as the context for explaining and promulgating limits and risk policies.

• Business unit heads must own local business plans, which in turn must pay proper regard to risk. This, including the link to the wider risk appetite, should be clearly and consistently communicated to staff.

• Continuous and open dialogue about risks is seen as fundamentally important in effectively embedding risk appetite in the business lines. Business unit leaders have a strong leadership role to play in this. When this dialogue about risks—within and across business units and with risk and senior management—works well, it facilitates both intelligent challenges to the risk appetite boundaries and their evolution over time. In this way, the risk appetite framework is made dynamic and is able to sensibly accommodate new business opportunities over time.

3.3 Capturing Different Risk Types

43. Incorporating different risk types into the risk appetite framework and, more specifically, capturing risks that cannot easily be quantified is a challenging task. There is wide agreement that the RAF should capture and include all material risks, including those that are not easily quantified, such as operational and reputational risks. However, although 70 percent of the participating firms stated that their RAF covers all risks, no real consensus was seen among the participants about how the risks that cannot be easily quantified (if at all) should be captured in the RAF.

44. Some firms report that an effective first stage in the identification of risk appetite has been a free-ranging and sometimes quite qualitative discussion of risk with the Board. It is reported that this can be helpful in avoiding becoming bogged down either in issues of definition or quantification. The Board's preferences are then subsequently turned into a quantified framework.

45. In some banks there is a clear link between elements of the RAF and operational risk management. To the extent that operational risk management seeks to identify, quantify, and control less intrinsically quantifiable aspects of risk, the methodologies developed can be a useful input to a broader RAF. Some firms indicated that a range of indicators is reported to the Board as part of regular reporting on compliance with the risk appetite framework. Many banks involved in the study were seeking proxies to help them to understand the manner in which risks (both internal and external) are evolving, at least directionally. In this context, defining risk appetite was described as "an art around the science." There was agreement that around any set of similar metrics one needs to overlay a good measure of interpretation.

46. However, some clear examples were given that resulted in a significant change to the risk appetite for certain businesses. One high-profile example of this is material changes to the regulatory landscape (e.g., Lehman minibonds in Hong Kong). These kinds of changes in the regulatory (and political) environment fundamentally change the level of risk associated with certain businesses and, subsequently, the risk/reward of the business proposition significantly.

47. Committee structures, if thoughtfully designed, can provide an opportunity to draw on experienced judgment and oversight in areas in which quantification is inherently weak.

One institution noted that, wherever possible, estimates are made of the potential impact of crystallized risks on future earnings capacity. Examples of this would be the effect of regulatory changes or sanctions on the revenue from individual business lines. An effort is then made to compare these impacts with those of other risks. However, "this is recognized as being very subjective" and of very limited value with respect to non-linear tail risks such as litigation or serious reputational damage.

Another bank does not go as far in seeking to quantify risks but does try to estimate the potential impact of risks on future earnings capacity for each risk with the object of arriving at an overall indication of how large or small that risk is in comparison with other risks. This is more a question of magnitude rather than precision, as the objective is to ensure that it carries enough weight versus other risks.

One firm undertakes a regular assessment of the perceptions of various stakeholders (clients, shareholders, employees, and regulators) noting a) that these legitimately differ and b) that the objective should be "no surprises." This approach is reinforced through the creation of a senior Reputation Risk Committee comprised of senior management (CFO, CRO, and heads of Legal and Compliance). This committee reviews highly complex or structured transactions that may create particularly high levels of reputation risk. The basic purpose is to determine whether this is the type of business the firm should be doing. Another firm uses committee structures to assess the broader risk implications of new product approvals. Another firm captures a number of metrics of varying importance. For example:

• Communications to the central bank/regulator regarding money laundering breaches;
• Penalties from supervisors, inclusive of the results of investigations and remedial actions imposed, even where there is no fine;
• New product activity and de-listing of products (gives a real flavor of the use test and how this is affecting "real life");
• Trading with suspected insider traders; and
• Complaints from customers.

48. The point was also made by many firms that, notwithstanding a professed "zero tolerance" for some categories of risk (such as reputation risk and the risks of legal or regulatory non-compliance), there are, in reality, always tradeoffs, and zero levels of these risks are not achievable in practice. The key thing is to recognize these risks and manage them intelligently.

Overall Lessons:

• To be effective, the risk appetite framework needs to incorporate all material forms of risk, including those that are not readily quantifiable. Zero tolerance is not a very meaningful or practical concept—all risks need to be actively managed.

• Firms should make a maximum effort to quantify such risks, making use of such innovative approaches as estimates of earnings foregone.

• Maximum use should also be made of proxies and other metrics, even where these do not permit the direct quantification of losses. Quantification and the development of proxies need to draw on operational risk frameworks.

• Committee structures to address reputational or legal risks directly, and the risk implications of new products, can, if well operated, bring experienced oversight to bear effectively.

3.4 The Benefits of Risk Appetite as a Dynamic Tool

49. The following two challenges are somewhat linked and need to be addressed as important steps in building an RAF: positioning and communicating the RAF internally as a dynamic tool for shaping the risk profile of the institution, rather than as merely a dressed-up, more elaborate process for setting limits or a source of additional business constraints, and communicating its benefits.

50. Our investigation has shown that successfully positioning the RAF internally as a dynamic tool for shaping the risk profile of an institution depends critically on how it is embedded in the businesses and on the quality of the ongoing, day-to-day dialogue about risk within and across business units and with risk management staff and senior management. As discussed in section 3.2, when this dialogue works well, it facilitates both intelligent challenges to risk appetite boundaries and their evolution over time. In such circumstances, the risk appetite framework is seen and understood to be dynamic by all participants.

51. Risk appetite frameworks and processes of the kind discussed in this report are relatively new in many organizations, and take time to institutionalize. Participating banks agree that the benefits are not immediately apparent at the outset; in some banks, there is (or was) active resistance from some business units that needed to be overcome.

52. It is obvious that leadership from the top is important, in terms of stating the reason for creating the risk appetite framework and associated processes and explaining the benefits to be gained from doing this. Nevertheless, from the experience of some banks it may be necessary to start with an element of compulsion. Participants reported that they needed to push quite hard initially to get the businesses to think about risk appetite, although after "learning by doing" for a while, many reported that they have seen the benefits.

53. In general, senior executives appreciate the benefits of risk appetite more readily than those lower down in the business. The active dialogue linked to specific transactions within the business line was described earlier, and it is key to educating front-line staff about risk appetite and the benefits that awareness and understanding of it bring to the business and the group.

described. The key is to be "real" with the business— it is
O ne participating bank ran a series o f w orkshops for line im portant to make the risk appetite measures and metrics
sta ff in se le c te d business units, titled "H o w risk appetite clear and real in the individual business units to facilitate
affects y o u ." These p ro v e d useful in raising awareness o f
effective challenge and discussion. If this is achieved,
the key risk a p p etite co n cep ts and received positive fe e d ­
it is the experience of the leading participants that the
back from participating staff, who generally saw why this
was im portant from an organizational p ersp e ctive . benefits will becom e progressively clearer to all stakehold­
ers as time passes; this is also strongly reflected in the
Similarly, another bank holds risk a p p etite w orkshops with
each o f its m ajor busin esses to identify concerns such as case studies.
im plem entation and/or resource issues. These w orkshops
aim not only at "driving d o w n " the R A F into the busi­ Overall Lessons:
n esses but also at enabling the busin esses to understand
the full b en efits available from a co m p lete risk a p p etite • Leadership from the top is crucial, in term s of stating the
fram ework, such as an assessm en t o f limits and financial reason for creating the RAF and explaining its benefits.
volatility, that is, the volatility o f a business's plan, where N evertheless, it may be necessary to start with an ele­
to focus resources and capital, alignm ent to oth er p ro ­ ment of compulsion.
ce sse s through stress testing, and gauging the potential o f
the business goin g forward. • The active dialogue within and across business units and
with risk m anagem ent staff and senior m anagem ent is
essential to communicate the benefits that the im plem en­
tation of an RAF brings to the firm. Such dialogue should
54. In general, participants agreed that there is a balance to also be linked to specific transactions within the business
be found between coercion ("this is the policy/limit, keep line in order to effectively involve front-line staff.
to it") and understanding ("here is the broader risk con­
• Education is a key elem ent in raising awareness about
text and rationale to help guide what you do").
the full benefits originating from a com plete risk appe­
55. As noted previously, business unit leaders must have the tite fram ework.
principal responsibility for bringing risk appetite into their
• Business unit leaders must have the principal responsibil­
business units and incorporating it into the regular fab­
ity not only for bringing and incorporating risk appetite
ric of their businesses. Similarly, they have the principal
into their business but also for articulating the benefits of
responsibility for articulating the benefits of risk appetite
risk appetite in their businesses.
in their businesses— and so they need to be convinced of
the benefits them selves. Some participants reported that
initial resistance in particular business units can be effec­ 3.5 The Link with the Strategy and
tively overcom e in many instances by the C E O , C R O , and Business Planning Process
other senior leaders actively explaining and reinforcing the
need for business unit staff to em brace risk appetite and
58. The establishm ent of an effective link between the risk
appetite fram ework and the strategy and business plan­
have it becom e part of the fabric of the organization.
ning processes is fundam ental.
56. It is im portant to note that if specific business units can't
59. A key finding of this study is that such a link has been
get the needed quantitative information to see how they
effectively established at a number of leading institu­
are tracking against key risk appetite metrics, then risk
tions in recent years. This has been achieved in several
appetite concepts have less traction and less "b ite" in
different ways, as the National Australia Bank (NAB) and
those business units; in these circum stances the benefits
of the fram ework and processes are less clear to front-line Com m onwealth Bank of Australia (CBA) case studies
illustrate. There is strong agreem ent, however, that the
staff. For this reason, firms should be acutely aware of the
relationship needs to be iterative and based on extensive
m easurem ent limitations at each stage of their risk ap p e­
internal dialogue.
tite fram ework evolution.

57. In making the benefits more visible in the businesses, it 60. The fi rms that have made the most progress in this typi­
cally followed a process that involved some variation of
is im portant to em phasize the return dimension of risk
the following:
appetite and the opportunity for risk/reward optimization
and to position risk appetite as a foundation for active • The Board set key, top-level principles and risk param ­
dialogue within and about the business, as previously eters for the overall risk appetite at the group level.

Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions ■ 49


• This may take the form of a fully articulated risk appetite statement or, sometimes, an initial, high-level signaling of key risk parameters to business divisions.
• Use of these guidelines by the business units in drafting their own, divisional business and budget plans. In some cases this involves the creation of local risk appetite statements. In others it involves the articulation of a risk "posture" that indicates whether risk is expected to increase, decrease, or remain constant in the business unit.
• Ensuring that, whatever the form of the local plan, it embeds and is fully consistent with the high-level risk appetite statement or principles.
• Individual and aggregated assessment at the group level of proposed business and budget plans and comparison with the group risk appetite.
• Revision and amendment as appropriate of divisional level plans and budgets— or, in some cases, group risk appetite.

61. In some cases the formal planning process, rather than being wholly "top down," incorporates a significant amount of "bottom up" planning at an early stage, starting at the divisional level. But in either case, iteration— starting with a concept of risk appetite → business planning → aggregation → checking back with the risk appetite framework and adjusting as necessary— was observed to be the key and an important method of creating essential alignment between the divisional and business unit plans and the group risk appetite statement. This process also builds common awareness of the interaction and tradeoffs between key risk appetite constraints and revenue opportunities. Some firms have found the use of standardized formats for setting out strategic plans, incorporating mandatory sections on risk profile and risk appetite, to be useful mechanisms for ensuring that these issues have the appropriate prominence in the planning process.

62. In general, the process begins with high-level signaling of risk or key risk parameters. For instance, NAB, as further explained in the case study in Annex I, starts its process by discussing and agreeing the high-level risk posture of each major business and the group. Another institution noted that prior to the strategy planning, risk management and/or finance provide indications of current sensitivities (e.g., leverage, liquidity, capital objectives or constraints, etc.), so that the initial business planning process is done on a more informed basis. There is no uniform approach for translating high-level risk appetite decisions into workable parameters for business units. In some cases an initial effort is made at translating the high-level statement into metrics such as RoE, RWA, and/or net funding needs, which are then fed into the businesses. In general, however, it is recognized that the process needs to involve a combination of breaking down the high-level aspirations into measurable dimensions and business units formulating their bottom-up plans in a consistent form, allowing the appropriate consistency checks to take place.

63. The final stage in the iterative process may involve changing either aspects of the business plans or of the overall risk appetite— but if the latter, this is done on a properly informed basis in order to create the needed alignment between the two that has often been missing in many institutions in the past. The fact that such decisions are made on a properly measured and informed basis, and within a formal and robust governance framework, is the key to ensuring that the risk appetite framework strikes the right balance between being unduly rigid— and therefore unable to effectively and prudently accommodate business and strategy evolution— and excessively flexible, in which case it would fail to create the necessary discipline on the business.

One bank provided an example of when the explicit consideration of risk appetite in the planning process led to an increase in a business line/asset class rather than the imposition of a reduction. The group had agreed to a firm-wide risk appetite for a certain asset class, and one business unit wanted to increase exposure. This led to a risk vs. return discussion, which led to a shift within the asset class of increased allocation to the requesting business unit, but without an increase in firm-wide risk appetite for that asset class. It was reported that "not everyone liked the answer, but they appreciated the openness of the discussion."

64. The value of a stronger link between risk appetite and business-level planning was summed up by CBA, "Building of the consideration of risk appetite into the group's strategic planning process has been a significant step forward and has given both management and Board transparency either to amend the strategy to align with the existing appetite or the appetite to allow for the proposed strategy over decisions."

65. The following have been key factors in building and reinforcing the necessary links with the business units:
• The creation of a strong partnership between the group risk management, strategy, and finance functions, notwithstanding some initial resistance to this in a few institutions, because of some concerns about

50 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
potentially complicating the planning/budget process. There was general recognition and acceptance that formally including the risk management function in the planning process may make the process longer and more complicated, but this was seen by those banks that have taken this step as well worth it for the resulting alignment of risk appetite and plans. As the planning process is repeated, participants learn by doing and a new process with new expectations becomes established that becomes more efficient over time. However, as observed by NAB in its case study, the language of risk used by risk management staff can often be opaque and not closely associated with the language used by those staff who develop strategy and business plans. Therefore, it is important for risk management staff to find ways to communicate and engage effectively in the planning process.
• Use of the concept of "risk posture"— a qualitative expression of whether the business unit intends to take more, less, or approximately the same amount of risk over the next planning period— at both the divisional and group levels is an effective approach in moving the discussion forward and supplements the use of quantitative metrics. Risk posture is an intuitive, accessible, and widely understood concept that avoids technical language and enables extensive participation by a wide group of participants in the dialogue and discussion about risk appetite. The iterative process described above needs to include an explicit discussion of the risk/reward tradeoffs. The relevant questions are: What are we trying to do? and What are the tradeoffs? One firm reported: "This [risk appetite] approach allows an intelligent discussion of 'who we are' and the optimal business mix and balance based on risk and return." Another said: "getting the Head of Strategy to recognize and incorporate Risk Management personnel into planning decisions was a big win for us."
• Periodic reviews between risk management, finance, and each business division to discuss what is new or growing rapidly, what is changing, what's driving those changes, and what are the emerging risk/capital/liquidity capacity issues, are a good tool for keeping the required linkage strong. These reviews also support the process for the next planning cycle.
• Some firms require that each business head be able to explain how risk appetite has been taken into account in local strategy documents and how key elements of the business unit strategy are consistent with risk appetite.

What follows is a noteworthy example of how a respondent firm is achieving the link between its RAF and strategy and planning:

Links between Risk Appetite and Strategic Planning:
• Line of Business Risk management is involved from the beginning of the strategic planning cycle to evaluate and assess how growth or revenue targets fit with the Company's Risk Appetite;
• The Plan is developed to assure Governance and Control functions are appropriately aligned and staffed around new growth;
• All plans for growth are aligned around the Risk Appetite;
• The Chief Risk Officer ensures alignment of the Strategic Plan to the Risk Appetite. Risk management has opportunities throughout the process to challenge any elements of the plan.

Links between Risk Appetite and Capital Planning:
• The capital framework assesses capital adequacy in relation to risk and provides a common currency for measuring business unit performance;
• The capital management process considers credit, market, operational, interest rate, liquidity, country, compliance and strategic risks in the Internal Capital Adequacy Assessment Process;
• Customer and product profitability are measured via Customer Level Profitability Reporting (CLPR), which incorporates economic capital;
• Capital is represented in the Risk Appetite statement and measured and monitored as such.

Links between Risk Appetite and Liquidity Planning:
• Together with the Chief Financial Officer Group, Risk Management is involved in setting and monitoring liquidity risk limits, guidelines and early warning indicators;
• Risk Management controls include the analysis of contractual obligations and utilization of stress modeling to ensure that excess liquidity is sized appropriately and aligned with the liquidity risk tolerance of the enterprise;
• Risk Management incorporates liquidity risk analysis into new product, business and investment decisions where applicable, and works with Lines of Business that have material contingent funding exposures and/or require material levels of unsecured funding;
• Liquidity Risk is represented in the Risk Appetite statement and measured and monitored as such.

Links between Risk Appetite and Performance Management:
• Performance management is tied to adherence to the Risk Appetite in all areas of the enterprise, including Risk, Lines of Business and Enterprise Control Functions.


Overall Lessons:
• There needs to be an iterative relationship between setting risk appetite and planning at both the group and the business unit levels.
• This involves a partnership between a group's risk management, strategy, and finance and the business units, with explicit consideration of risk in business planning.
• Risk posture— a qualitative expression of whether a business unit intends to take more, less, or approximately the same amount of risk over the next planning period— can be a useful starting point for this discussion.
• The annual planning process should be supplemented with quarterly reviews by risk management, finance, and the businesses to assess how the risk profile and the risk/return tradeoffs are changing. These reviews should place a special focus on business activities or risk concentrations that are new or growing rapidly and what is changing and what's driving those changes, as well as any emerging risk/capital/liquidity capacity issues.

3.6 The Role of Stress Testing within an RAF

66. An important issue on which the investigation has been focused is the potential role of stress and scenario testing within a risk appetite framework. Linked to this is the question of how appropriate levels of risk can be determined for individual businesses and in aggregate for the group in total and the relationship between these.

67. Consciously constraining aggregate risks in advance so as to ensure a firm's survival under severe stress scenarios is part of the raison d'être and at the heart of setting risk appetite appropriately. It is essential for senior management and the Board to carefully analyze and understand the likely distribution of potential outcomes that would be experienced over time under a variety of severe, but plausible economic and market scenarios and to determine what level of loss would be tolerated under each of these scenarios.

68. These assessments are crucial but very complex and difficult, involving both significant technical challenges and the exercise of a substantial amount of judgment. They cannot be reduced to a series of simple, formulaic steps. This is because, as the financial crisis has shown, for large financial groups the aggregate, integrated risk profile of a firm and the way this evolves is opaque, to insiders as well as to outsiders, and difficult for senior management, directors, and supervisors to properly understand.

69. In this context, leading banks in a number of jurisdictions are increasingly using a variety of stress testing processes, which typically feature a combination of macroeconomic scenarios and changes in market variables, to understand financial outcomes for the group, including potential credit and market losses and the likely reduction or loss of business revenues under severe economic and market scenarios. Conducting such stress tests for all entities across a group requires overcoming a number of very substantial technical challenges and the significant exercise of management judgment.

70. In general, banks in national jurisdictions that were hit hardest by the financial crisis appear to have made more progress on developing comprehensive, firm-wide stress testing capabilities, perhaps in response to industry-wide stress testing requirements of national regulators. They are therefore more likely to use these capabilities in a more central way in their process for setting risk appetite.

71. An important challenge facing management in the determination of risk appetite is how much relative weight should be given to:
• The predicted level or range of aggregate losses that could be sustained over a defined time period under relatively likely, less severe adverse economic and market conditions (e.g., a "one-in-ten year" economic downturn scenario), as against
• The much higher predicted level or range of aggregate losses that could be sustained over a defined time period under a variety of relatively unlikely, more severe— but nonetheless plausible— stress scenarios (including severe liquidity stress scenarios).

72. The key areas in which management needs to exercise judgment are therefore:
• The severity of the stresses/scenarios to be applied. As noted, it is necessary to strike a balance in establishing scenarios that are appropriately severe while being not so implausible as to make it impossible to act upon them.
• The implications of the stress and scenario outcomes for losses and how these compare to what are judged to be acceptable loss levels within the existing risk appetite. It is also necessary to ensure that the implications for capital levels are rigorously assessed.
• The implications of the foregoing for risk appetite and strategy. Boards and management need to be equipped to assimilate and act upon the outcomes of stress tests, even where they embody relatively low probability events.
73. It would appear that in many banks these judgments have been made somewhat implicitly to date, given the considerable technical challenges involved. These are very subjective but important questions, and a divergence of views regarding their treatment was seen among the participating banks. Indeed, participants reported that it is common to see a divergence of views on these questions even within the management teams of individual banks.

74. It is nevertheless important to distinguish between the relatively technical challenges of ensuring that scenarios are chosen carefully and their implications properly worked through and the strategic challenge of ensuring that the outcomes of stress and scenario tests are acted upon. Boards and management often report difficulty in assimilating the implications of relatively low probability events and pushing through the necessary adjustments to business models and strategies. Some report that this will become even more of a challenge as competitive pressures reassert themselves as memories of the crisis fade.

75. It is possible to make a tentative observation that some of the banks that were hit hardest in the financial crisis are currently taking a more conservative approach than others that were impacted less severely. The former are placing more weight in setting their overall risk appetite upon the likely losses that would be experienced under more severe stress scenarios and treating the results of these stress scenarios as more binding in the risk appetite process.

76. Some banks participating in our investigation, including some banks in jurisdictions that were less affected by the financial crisis, have not yet built a comprehensive, group-wide stress testing capability or have not yet fully incorporated stress testing into their process for setting risk appetite. For these banks, selected stress tests have been used to date primarily as a basis for checking and challenging the reasonableness of quantitative risk appetite parameters and boundaries that have been set via other, more subjective means. Some banks in this category have placed higher emphasis to date on ensuring a strong risk culture and effective dialogue about risks at all levels, and they caution that placing heavy emphasis on stress testing in the risk appetite-setting process may risk placing too much focus on "known unknowns." Consequently, it is clear from our investigation that the further development of stress testing capabilities and the evolution of the way in which stress testing outcomes are incorporated into the process and context for setting risk appetite is an area that many firms are continuing to develop, as can be clearly seen in some of the case studies.

One leading firm has developed a comprehensive, firm-wide stress-testing capability and uses this in a way that is central to the process of setting its risk appetite. The bank had originally built its firm-wide risk appetite framework around a set of statistical loss measures, which it compared with earnings and capital metrics. Underpinning the framework were statistical models for individual businesses and portfolios, complemented by stress models targeted toward the idiosyncratic vulnerabilities of those portfolios (not generally combinable due to inconsistent scenario assumptions). Limits on a combination of these stress and statistical model results were used as operating controls on the businesses. While several units within the bank had gained substantial experience in the generation of macro and market scenarios and the evaluation of their impacts on their respective businesses, these had not been integrated to develop firm-wide scenarios.

During the financial crisis, the firm recognized the need to adapt its risk appetite framework to incorporate stress scenarios alongside its statistical models and to particularly emphasize protection of its Tier 1 capital as a risk appetite objective. The period following the Lehman collapse served as a catalyst and model example for the development of firm-wide scenarios, since it impacted many of the bank's business lines and established an unambiguous level of severity. Subsequently, scenarios covering other potential firm-wide vulnerabilities have been implemented.

Development of scenarios typically begins with the identification and prioritization of an area of concern, i.e., a potential economic or market crisis, through dialogue among risk managers, economists, and line management. Scenarios are calibrated on a "how bad could it plausibly get" basis. Based on a broad outline of the primary scenario drivers, the firm develops a detailed scenario specification describing the evolution over 1-2 years of a few dozen broad macro and market variables such as GDP growth in major markets, interest and FX rates, equity markets, credit spreads, inflation, and housing prices. Both short-term and long-term behavior must be modeled to evaluate impact on portfolios at opposite ends of the liquidity spectrum, i.e., market vs. credit risks. History and stakeholder input inform the setting of these parameters, which are updated periodically (at least once a year) to ensure that scenario assumptions remain economically meaningful.

In tandem with this, analysis— often making use of historical data at a granular level— is performed to identify the key sensitivities of business/portfolio income with the scenario inputs; where necessary (i.e., for trading portfolios), the


scenario specification is extended to substantially greater detail. In some cases, where data analysis does not lead to sufficient explanatory power, judgment as to scenario impacts or proxy metrics is applied. The possibility that causal relationships are mistakenly identified through analysis of limited data is also considered. Typically, effects on market and credit risk portfolios and income of asset gathering businesses are possible to model more robustly, while volume-based businesses and operational risks require more judgment.

Scenario impacts on P&L, capital, and RWAs are evaluated both in absolute terms and with respect to typical metrics (i.e., Tier 1 ratio). The worst-case scenario of the available set is chosen (along with the complementary firm-wide statistical model results) for comparison against risk appetite objectives. Of these, perhaps the greatest focus is on maintaining a minimum Tier 1 ratio at all times, evaluated for each quarter of the scenario. Additionally, the sufficiency of earnings to cover potential losses (and the timing of those losses) is considered. Conformance to risk appetite is tested and reported to senior management monthly in the form of a dashboard and commentary, including detailed review of portfolio and business losses/performance under the binding scenario. During the annual planning process, the entire risk appetite framework is reviewed up to Board level and business plans are evaluated through the lens of the framework and its metrics. Firm-wide stress scenarios are considered a particularly valuable component of the framework, because of the relative ease of describing (and debating) the causal chain by which losses arise and can be identified with businesses, portfolios, and risk drivers. Consequently, it is considered that scenario-based metrics offer advantages of transparency and avoidance of (some) blind spots relative to statistical measures.
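The following is an added worked example, written for this edition and not code from the report or from the firm in the case study. It shows, in Python, the two mechanical checks the text describes: choosing the binding (worst-case) scenario by the lowest quarterly Tier 1 ratio and testing every quarter against a risk-appetite floor, as in the case study above; and, for the risk aggregation practices discussed later in this section, summing business-unit limits against the enterprise limit with no diversification credit on both a normal-course and a stressed basis, plus rolling up qualitative risk postures to the platform level. All scenario paths, limits and postures are constructed sample data, and the assumption that each quarter's P&L flows fully into Tier 1 capital (no tax, dividends or issuance) is a simplification made here for illustration.

```python
"""Added example (not from the report or any bank): binding-scenario Tier 1
check plus limit and posture aggregation. All numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    name: str
    quarterly_pnl: List[float]   # quarter-by-quarter P&L; negative = loss (constructed)
    quarterly_rwa: List[float]   # quarter-end risk-weighted assets (constructed)


def tier1_path(start_tier1: float, scenario: Scenario) -> List[float]:
    """Quarter-end Tier 1 ratio path. Simplifying assumption: each quarter's
    P&L flows fully into Tier 1 capital (no tax, dividends or new issuance)."""
    tier1 = start_tier1
    path = []
    for pnl, rwa in zip(scenario.quarterly_pnl, scenario.quarterly_rwa):
        tier1 += pnl
        path.append(tier1 / rwa)
    return path


def binding_scenario(start_tier1: float, scenarios: List[Scenario]) -> Scenario:
    """The worst case of the available set: lowest minimum quarterly Tier 1 ratio."""
    return min(scenarios, key=lambda s: min(tier1_path(start_tier1, s)))


def floor_breaches(start_tier1: float, scenario: Scenario, floor: float) -> List[int]:
    """1-based quarters in which the ratio falls below the risk-appetite floor.
    The floor is checked every quarter, not only at the scenario's end point."""
    return [q + 1 for q, r in enumerate(tier1_path(start_tier1, scenario)) if r < floor]


def limits_within_appetite(bu_limits: Dict[str, float], enterprise_limit: float,
                           stress_factor: float = 1.0) -> bool:
    """Sum business-unit limits with NO diversification credit and compare with
    the enterprise limit. stress_factor > 1 repeats the check on a stressed basis."""
    return sum(bu_limits.values()) * stress_factor <= enterprise_limit


def aggregate_posture(bu_postures: Dict[str, int]) -> str:
    """Roll up qualitative postures (+1 more risk, 0 same, -1 less) to platform level."""
    net = sum(bu_postures.values())
    return "more" if net > 0 else "less" if net < 0 else "same"


# Constructed sample data (illustrative only; not the report's figures).
START_TIER1 = 100.0
TIER1_FLOOR = 0.06
SCENARIOS = [
    Scenario("baseline", [5] * 8, [1000] * 8),
    Scenario("severe_recession", [-8, -15, -12, -6, 2, 4, 5, 6],
             [1000, 1060, 1120, 1150, 1140, 1120, 1100, 1080]),
    Scenario("market_shock", [-20, -5, 3, 4, 5, 5, 5, 5], [1000] * 8),
]
BU_LIMITS = {"retail": 30.0, "corporate": 35.0, "markets": 30.0}
ENTERPRISE_LIMIT = 100.0
BU_POSTURES = {"retail": +1, "corporate": +1, "markets": 0}
GROUP_POSTURE = "same"   # the posture senior management signalled (constructed)


def dashboard() -> dict:
    """Collect the checks a monthly conformance report would show."""
    worst = binding_scenario(START_TIER1, SCENARIOS)
    return {
        "binding_scenario": worst.name,
        "min_tier1_ratio": min(tier1_path(START_TIER1, worst)),
        "breach_quarters": floor_breaches(START_TIER1, worst, TIER1_FLOOR),
        "limits_ok_normal": limits_within_appetite(BU_LIMITS, ENTERPRISE_LIMIT),
        "limits_ok_stressed": limits_within_appetite(BU_LIMITS, ENTERPRISE_LIMIT, 1.25),
        # True when the units collectively plan to take more risk than the group signalled
        "posture_mismatch": aggregate_posture(BU_POSTURES) != GROUP_POSTURE,
    }


if __name__ == "__main__":
    for key, value in dashboard().items():
        print(f"{key}: {value}")
```

With the constructed data the severe recession is the binding scenario: its ratio dips below the 6 percent floor in quarters 3 to 6 even though it has recovered by the end of the horizon, which is exactly what an end-point-only check would miss. The limit sum passes on a normal-course basis but fails once exposures are stressed by 25 percent, and two of three units planning to take more risk while the group signalled "same" is the posture cross-check the text describes.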

Challenges Associated with Firm-wide Risk Aggregation:

77. One of the significant challenges that firms will eventually face as they proceed along the risk appetite journey is the issue of risk appetite aggregation— that being, once individual businesses have set their own risk appetite boundaries, how does an organization decide whether, in aggregate, these boundaries fit within the firm's overall risk appetite? Or, conversely, if key quantitative aspects of the group's overall risk appetite have been determined, how can the risk appetite of individual businesses be set in such a way as to ensure alignment with the overall risk appetite in aggregate? Given that this discussion includes all risks, some of which are not easily quantified, a great deal of management judgment is required to effectively manage this issue, which is obviously very closely related to the issue of risk aggregation.

78. The technical challenges involved in risk aggregation are numerous and complex. In practice, most banks use a variety of regulatory and economic capital measures for risk aggregation purposes. However, these measures suffer from a number of important weaknesses when used for this purpose. These include:
• The inability of capital measures to capture and reflect non-quantifiable risks.
• The challenges of determining the appropriate treatment of risk concentrations and diversification within and between risk types.
• The difficulty of directly linking capital measures to specific macroeconomic stress scenarios.
• The inability of capital measures to capture the liquidity dimensions of risk, which are so crucial for understanding potential losses in severe scenarios.
• More fundamentally, the non-intuitive nature of capital measures. Experience has shown that it is difficult to get senior managers and directors to engage in a meaningful way with statistical variables and capital measures (e.g., Value at Risk at 99% or 99.95% confidence levels) and use them with confidence in the risk appetite process. The experience of a number of firms has been that it can be easier to get active engagement from senior management and directors around specific macroeconomic scenario assumptions.

For these reasons, although certain capital measures (e.g., Tier 1 capital adequacy) are the subject of prominent focus in the overall risk appetite process, it is difficult to robustly determine an acceptable level of aggregate risks using capital measures alone. This is one reason why, in addition to capital and liquidity measures, leading banks in certain jurisdictions are increasingly using a variety of stress testing processes, as discussed in detail above.

79. While industry practice is clearly still developing in this area of risk appetite aggregation, our investigation has shown that there are certain practices that have proven effective to date. These include:
• All risks should be included in the aggregation process, not just those that are quantifiable, such as market, credit, and liquidity.
• For risks that are quantifiable, comparison of the enterprise-level limit framework to the aggregation
of business unit limits— including single name, industry concentration limits or economic and regulatory capital allocation— is an effective and practical measure of alignment.
• Attention to the diversity, quality, and stability of earnings across the enterprise is essential;
• Aggregation should identify areas of excessive risk concentration. In this regard it is also important that when aggregating risk, over-reliance not be placed on a potential diversification benefit. Recent history has proved that in times of crisis, diversification of risk often fails in practice.
• For all risks, the aggregate view of risk posture (as outlined in this paper) is helpful in determining how an organization is approaching risk overall. If, for example, the individual business units are each willing to take on more risk in the coming year, comparison of risk posture at the platform level is a simple cross-check to determine if senior management has that same awareness.
• Aggregation of risk appetite should be done on both a "normal course" and stressed basis.

80. Aggregation of all risks for the purpose of determining fit within the overall risk appetite of the organization is an ongoing challenge. As an industry, some progress is being made but as with many other aspects of this paper, this will take time and a great deal of management judgment to develop.

Overall Lessons:
• A comprehensive, enterprise-wide stress testing mechanism is a key part of a fully effective risk appetite framework.
• Management needs to develop clear and consistent criteria for deciding on the severity/plausibility of the stress and scenario tests chosen. Firms should generally err on the side of choosing more, rather than less-severe scenarios, though this needs to be balanced against the need for the results to be operationally useful.
• Once the primary scenarios have been chosen, economic and markets expertise, together with informed judgment, are needed to assess the array of secondary implications for the firm as a whole.
• Results of stress tests need to be linked to key objective variables such as P&L, RWAs, and Tier 1 capital and illustrate explicitly how outcomes for these would comply with risk appetite boundaries through time.
• Management and Boards need to feel confident in assessing the results of the chosen stress and scenario tests. It is often more meaningful to present outcomes in concrete terms ("This is what the following scenario would imply for Tier 1 capital . . .") than in more abstract terms ("There is a 1 percent probability of a loss of $X million.")
• Boards need to ensure that there is a robust mechanism for holding the line on risk appetite in light of stress results when faced with inevitable resistance from the business. If the decision is to take no action in response to a stressed scenario, the Board and management should be able to explain fully why this decision is defensible.
• The compliance of stressed outcomes with the boundaries contained within the RAF should be monitored frequently, and the risk appetite and stress testing frameworks themselves should be reviewed at least annually with the Board.

SECTION 4 - RECOMMENDATIONS FOR FIRMS

81. This section draws together a number of the main findings of this report for Board directors, senior management, and risk managers in firms.

Recommendations for Board Directors

82. One of the main messages from this report is that a well-functioning risk appetite framework is one that is pervasive throughout the organization. Attempts to introduce risk appetite as a remote and disembodied aspect of risk management have tended to fail. The process has been much more successful where it has been recognized that risk appetite needs to be intimately bound up with corporate culture, corporate governance, and strategy and planning as well as risk. Boards have an integral part to play in the definition and monitoring of risk appetite and the interchange with management, risk management, and the business is crucial in this. The following are the main implications of our investigation for Board members. They are particularly relevant for members of Board Risk Management Committees.

83. Board members need to be properly equipped to engage fully with risk and risk appetite. They need


to understand generic risk concepts and the relevance of these to the business. They also need to have access to the information and expertise necessary to enable them to develop a good understanding of the risk profile of the firm. They should insist that the material provided to them strikes the right balance between providing a comprehensive macro perspective and illustrating the required level of detail.

84. Board members should be proactive in insisting on proper support from management and risk management professionals, in terms of education on risk concepts and approaches, technical briefings, and updates on the risk implications of products and activities.

85. The Board needs to establish the framework for risk, typically through the articulation of a clear and meaningful risk appetite statement. This is likely to include a number of key metrics as well as clear qualitative guidance in respect to less quantifiable risks. One test of whether the statement is meaningful might be whether and how it would change in response to a decision by the Board that 10 percent more (or less) risk would be acceptable. Another test would be whether the statement would provide the basis for an effective challenge to plans on the part of one or more business units to move to a markedly more expansionary mode, with attendant implications for risk.

86. Board members need to ensure that risk appetite is used in a dynamic and iterative way. A key conclusion of this report is that an effective RAF extends far beyond a mechanism that simply creates limits. Instead, it involves a dynamic or iterative process in which:
• The Board provides a clear statement or set of signals regarding its preferred risk/return trade-off.
• This informs an enterprise-wide process in which, on the basis of extensive dialogue, business units determine their business models and strategies and the risk implications of these.

87. Operating a risk appetite framework in the dynamic and iterative way advocated in this report makes it particularly important that all participants, including Board members, risk management staff, senior management, and business heads, are clear about their respective functions and responsibilities. Setting out the initial risk appetite statement or signaling a set of risk preferences is just the start of a process of ongoing discussion and testing. Board members need to challenge senior management to ensure that the necessary processes and structures to facilitate this are put into place and remain effective.

88. Such an iterative approach results in Board members having other significant challenge functions. This challenge is essential to ensuring that the risk appetite framework is neither stultifyingly rigid nor excessively flexible. These challenge functions include, but are not confined to:
• Making certain that mechanisms are in place to ensure that new business initiatives, transactions, or products are consistent with the enterprise-wide risk appetite, and that the risk implications of these are fully understood before the activity proceeds.
• Ensuring that mechanisms are in place to monitor and manage risks that are not readily quantifiable— such as reputation and legal risks— and that their level is consistent with overall risk appetite.
• Ensuring that stress testing is undertaken in a rigorous and comprehensive way and that the Board is able to assess the results in the context of the risk appetite framework (more on this below).

89. In general, as this report emphasizes, an effective RAF is indissolubly linked to the culture of an institution. There are no simple measures of risk culture, and it is a key responsibility of Boards to understand and shape this culture. Experience has shown that it can be exceptionally difficult for Boards and supervisors to detect weaknesses in risk culture in an otherwise performing firm; in particular, the absence of obvious contra-indicators cannot be taken as positive evidence of a strong culture. Understanding and
• The Board then considers whether the individual and
shaping the firm's risk culture involves setting broad direc­
aggregate risk stances and positions of the business
tion and continual challenging of senior management to
units are consistent with the firm's risk appetite.
demonstrate how their actions and communications are con­
• If these are not consistent, a conscious and informed sistent with this and how rewards and penalties are visibly
decision is made to change one or more of the busi­ and predictably aligned with the firm's avowed risk culture.
ness unit profiles or the overall risk appetite. Senior management should be expected to account for
In some cases, the process is more "bottom up" with the their behaviors, and Board members may find it helpful to
initiative for setting risk taken more at business unit level. find opportunities to interact directly with staff at all levels in
In such cases, the role of the Board in establishing the an attempt to gauge the extent to which they are aware of
param eters for risk and actively assessing it at both busi­ and responsive to a positive risk culture, and to assess, for
ness unit and aggregate levels is especially important. example, the extent to which "bad news travels upwards".

56 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
90. Even the strongest risk culture needs to be supported by effective systems and controls. Board members need to satisfy themselves that the firm has a clear and consistent set of controls and limits that support the objectives of the risk appetite statement and the observance of the boundaries of acceptable risk embodied within the risk appetite framework. Board members should challenge management on the way in which these systems are used to encourage compliance and penalize noncompliance. This may, for example, involve the setting of objective and quantifiable behavioral norms or objectives that can be used in determining remuneration or promotion or, conversely, as the basis for disciplinary action when necessary. The Board may seek input from the CRO in regard to any risk cultural or behavioral issues that the Board should consider in making incentive payment decisions for executives.

91. Boards have a key role to play in the evaluation of stress and scenario test results. Members need to satisfy themselves that the stress tests are conducted rigorously, that the stresses and scenarios strike the right balance between severity and realism, and that the implications have been properly evaluated across all businesses in the group. Boards have a fundamental role in deciding whether risk appetite needs to be revisited or adjusted in light of the results. Board members also need to ask themselves searching questions about their ability to assimilate and respond to low-probability but high-impact scenarios. Many Board members find this very challenging. Boards need to be aware of their limitations in this regard and consider carefully whether these are acting as a brake on effective decision-making.

92. Finally, Boards should subject their own operations and processes to constant review. Every effort should be made to identify, on a continuous basis, areas in which Board procedures have worked well and not so well and to learn from mistakes. There should be an annual review of how the Board interacts with the management and business heads. Overall, the Board should have a formal process at least annually for considering whether and how it has made a real difference to risk management in the organization.

Recommendations for Senior Management

93. Implementation of an effective risk appetite framework is highly dependent on visible support from senior management, including a bank's Executive Committee and business leaders. This includes recognition and acknowledgment that a clear statement of risk appetite helps drive risk and governance discussions, is integral to the strategic and business planning discussions, and provides assurance to regulators and rating agencies that the institution has clear parameters for how much risk it will take on. The following are the main implications of our investigation for senior management:

94. To be effective, it is essential that senior management set the tone and lead the discussion regarding risk appetite. Senior management must be seen as taking a leadership role in articulating the importance and benefit of risk appetite throughout an organization. This is an ongoing responsibility and must be continually emphasized.

95. Recognition that risk appetite and risk culture are inextricably linked is important, given that culture derives from leadership and determines, inter alia, how middle-level managers assimilate and embed risk appetite.

96. Creation of an enterprise-wide RAF is an iterative process involving the Board, senior management, and risk management staff. At the heart of the process is an ongoing dialogue, and senior management should expect to be challenged by the Board as to what is being recommended, including risk/return trade-offs and regular close scrutiny and discussion of all aspects of the firm's risk profile under stressed conditions.

97. It is an absolute requirement that the business (and not risk management) take ownership and drive the development of line-of-business risk appetite and profile. It must be recognized that risk appetite does not belong to the risk management staff and is not simply another way to set limits and constrain business. Business unit risk appetite frameworks are the main vehicle for providing guidance and clarity regarding which activities and risks businesses can consider and what would be outside of agreed-upon appetite.

98. It is important to recognize that while it is helpful to have an articulation of risk appetite that can be used by the Board and all levels of management, there is no clear need to have the enterprise-level RAF as a document that middle management across the enterprise must use. The critical component is to have a risk appetite framework that helps drive a clear and comprehensive limit structure for the various businesses as well as activities and limits that determine the ability of middle management to pursue and grow specific lines of activity that link back to the enterprise risk appetite framework. Line-of-business risk appetite frameworks should not be developed as simple subsets (or even simple "clones") of the enterprise framework. While there are linkages to the enterprise framework, the most useful aspects of the business-level frameworks are often quite specific to the line of business, reflecting the diversity of a firm's activities, geographic scope, or regulatory regimes in which it operates.

Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions ■ 57

99. Senior management needs to ensure that the risk appetite framework includes full consideration of and appropriately reflects business strategy. It is important that the Board and the market understand that senior management takes risks in areas that are central to its key strategies and businesses and that losses in those areas, while not positive, are expected and understood as a likely outcome both in normal business conditions and under difficult market/stress scenarios. Smaller and more peripheral businesses, by contrast, should not be a source of significant losses.

100. It is important that senior management understands and accepts how the RAF will apply to its activities and impact any initiatives, growth plans, or acquisitions that may be under consideration. The strategic planning process must include discussions relating to risk appetite and profile. While risk appetite needs to become a fundamental driver of strategy and of front-line business decisions, it should be accepted that it will take time and effort to get this to a point at which business unit leaders and risk managers are comfortable with the process.

101. Business leaders must ensure that risk metrics adequately capture and reflect all material risks of their business. These metrics should be meaningful and pertain to their key business and risk drivers. Similarly, the businesses are responsible for putting appropriate controls in place to effectively manage their risks, so as to ensure that they do not exceed their defined risk appetite.

Recommendations for Risk Management

102. Development and maintenance of an effective risk appetite framework is a shared responsibility, with risk management staff playing an essential role in the process. It is not uncommon for risk management to take the lead in building management support and engaging the Board as the framework is developed. Similarly, the ongoing maintenance of a robust framework is heavily dependent on risk management to provide good-quality reporting of risk metrics to support the framework and its application. The following are the main implications of our investigation for risk management staff:

103. Risk management needs to be actively involved at multiple levels in the development of the risk appetite framework. It is incumbent upon risk management to provide clarity of concept and definition and support in understanding the implications of the risk appetite statements and metrics as they develop. A lack of clarity in definition often leads to confusing and ineffective discussion that can frustrate the participants and extend the process unnecessarily. In this regard, it is important that risk management provide the necessary coaching and training to facilitate the understanding of risk appetite on an enterprise-wide basis.

104. An effective RAF covers all risks, and it is important that risk management work with all stakeholders in developing the right balance of appropriate quantitative and qualitative metrics. Recognizing that the appetite for some risks is more easily quantified than others, it is important that risk management lead the discussion and development of desired behavior and tolerances for less quantifiable risks such as reputation risk.

105. Risk appetite is an iterative process that requires perseverance. To that end, the challenges faced early in the process are different from those experienced later. At all stages, it is important for risk management to ensure full engagement by all key stakeholders, including the Board, senior management, and risk practitioners.

106. At the same time, risk management must allow the businesses to take charge of the process of developing line-of-business-level risk appetite statements. This means the business unit leaders themselves, not the embedded risk management staff within the business units.

107. Risk management needs to provide the appropriate infrastructure and controls to support the ongoing maintenance of the RAF. This includes comprehensive and timely reporting to senior management and the Board to provide clear reference to the current risk profile and to make the framework itself both real and relevant. Ongoing reporting of the firm's risk profile relative to the agreed-upon risk appetite, and how this is changing, together with repeated/iterative discussions of the evolving framework itself, will help to build both "pattern recognition" and acceptance of the framework as a useful tool.

108. Risk appetite needs to be viewed in the context of both normal and stress conditions. Risk management needs to be capable of providing both of these perspectives and facilitating the appropriate discussion at the Board level with regard to the potential impact on business strategy and planning.

109. It is critical that risk management engage with the businesses in the strategy and planning process to ensure proper alignment between the enterprise-level statement of risk appetite and those statements created at the business-specific level.

110. Risk management should be the catalyst and conduit for effective discussion of risk appetite between the Board and the businesses by translating what may be at times high-level statements of risk preference into effective risk measures and limits appropriately tailored to each business.

111. Risk management must ensure that the RAF is supported by a suite of risk policies that reinforce and reflect the risk appetite as articulated. This includes a clear understanding of the process for dealing with and reporting transactions that may be approved outside of policy boundaries as well as excesses to approved risk appetite.

112. Education and communication are areas in which it is vital for risk management to participate on an ongoing basis. It is necessary to effectively communicate the key elements of the design, implementation, and maintenance of the risk appetite framework to all stakeholders internally and externally. It also is important that the Board be able to address questions raised by shareholders and regulators alike as to the appropriateness of the nature and quantum of the risks being assumed, both individually and in aggregate, and how senior management is challenged in this regard.

ANNEX I: CASE STUDIES

Developing a Risk Appetite Framework at RBC, May 2011

About RBC

Royal Bank of Canada (RY on TSX and NYSE) and its subsidiaries operate under the master brand name RBC. We are Canada's largest bank as measured by assets and market capitalization, and among the largest banks in the world, based on market capitalization. We are one of North America's leading diversified financial services companies, and provide personal and commercial banking, wealth management services, insurance, corporate and investment banking and transaction processing services on a global basis. We employ approximately 79,000 full- and part-time employees who serve close to 18 million personal, business, public sector and institutional clients through offices in Canada, the U.S. and 50 other countries. For more information, please visit rbc.com.

Initial Planning and Development of RBC's Risk Appetite Framework

Work to formalize RBC's enterprise risk appetite began in 2006, as part of the annual process to benchmark and refresh credit risk and market risk limits. An initial presentation on risk appetite was made to the Risk Committee of our Board of Directors to gain feedback on the approach to articulating RBC's risk appetite, and confirm areas of priority.

Initial statements of RBC's risk appetite were derived from a review of decisions made by senior management and the Board that yielded explicit statements about what risks were acceptable, and what risks we wanted to avoid. We identified to the Board areas we intended to enhance, as well as a plan to develop a comprehensive Risk Appetite Framework. The global financial crisis of 2008 then triggered further prioritization of risk appetite for financial services institutions.

The Chief Risk Officer and Group Risk Management (risk management corporate function) acted as a catalyst to define and communicate the value of risk appetite. Our Board of Directors was engaged primarily through the Board Risk Committee, and this committee provides feedback and challenges the risk/return tradeoffs implicit within risk appetite. It was understood that our Risk Appetite Framework would be expanded and refined over time, and that we were learning as we progressed through the development process.

RBC's Risk Appetite Framework was created through an iterative process. We faced an early challenge to reach consensus on a single management view of self-imposed constraints or other specific parameters to put forward to the Board for feedback and approval. We gradually gained senior management buy-in, yet had to remain focused on building senior management understanding and acceptance of how the Risk Appetite Framework would apply to the key activities and decisions they faced within their business segments.

Buy-in to the Risk Appetite Framework also had to be built within our Group Risk Management function. We needed to create a forum for the various specialist groups within Risk to shape the framework, and we now rely on these teams to communicate and reinforce the framework.

Central to our framework is the consideration of business strategy, and the concept that not all losses are created equally. This pertains to our ongoing intention to take risks in areas that are central to our key strategies and businesses, and that losses in those areas, while not a positive, are expected and understood as a likely outcome in difficult market and stress scenarios. Smaller and more peripheral businesses by contrast should not be a source of significant losses.



Risk Appetite Framework

Risk appetite is now a fundamental part of RBC's Enterprise Risk Management Framework, which is our enterprise-wide program for identifying, measuring, controlling and reporting of the significant risks faced by the organization. Integral to our Enterprise Risk Management Framework is our strong risk culture, which is both a prerequisite to and reinforced by risk appetite. Used effectively, risk appetite aligns business strategy, people, processes and infrastructure.

We define risk appetite as the amount and type of risk we are willing to accept in the pursuit of our business objectives. RBC's Risk Appetite Framework provides a structured approach to:
• Define our risk capacity by identifying regulatory constraints that restrict our ability to accept risk
• Establish and regularly confirm our risk appetite, defined by drivers and self-imposed constraints through which we have chosen to limit or otherwise influence the amount of risk undertaken
• Translate our risk appetite into risk limits and tolerances that guide businesses in their risk taking activities
• Regularly measure and evaluate our risk profile against risk limits and tolerances, ensuring appropriate action is taken in advance of risk profile surpassing risk appetite

RBC's Risk Appetite Framework is composed of four major components:

[Figure: RBC's Risk Appetite Framework, drawn as nested circles with a striped oval, each ring labelled Financial, Regulatory and Reputational]

The largest circle represents the regulatory constraints RBC faces. RBC's regulatory constraints are classified as:
1) Financial - Tend to be quantitative in nature and therefore easier to interpret. Capital ratios and liquidity metrics are examples of financial regulatory constraints.
2) Other - Tend to be predominately qualitative in nature and therefore require judgment in interpreting requirements and assessing compliance. Examples include maintaining compliance with legislative and regulatory requirements, and adhering to privacy and information security regulations.

The darker center circle represents RBC's risk appetite as defined by:
1) Drivers - These are business objectives that imply risks RBC must accept to generate the desired financial return. Examples include revenue growth and earnings per share.
2) Self-imposed constraints - Quantitative and qualitative statements that restrict the amount of risk RBC is willing to accept. Examples follow on the next page.

The center circle refers to our risk limits and tolerances that we translate from risk appetite:
1) Risk limits are quantifiable levels of maximum exposure RBC will accept. They are established only for risks that are financial and measurable, such as credit risk and market risk.
2) Risk tolerances are qualitative statements about RBC's willingness to accept risks that are not necessarily quantifiable and for those risks where RBC does not have direct control over the risk we accept (such as legal risk and reputational risk).
We communicate risk limits and tolerances through policies, operating procedures and limit structures.

The striped oval represents the organization's risk profile at a given point in time.

A key element of RBC's Risk Appetite Framework is self-imposed constraints and drivers in which we have chosen to limit or otherwise influence the amount of risk undertaken. We have seven key categories of self-imposed constraints:
• Maintain a "AA" rating or better
• Ensure capital adequacy by maintaining capital ratios in excess of rating agency and regulatory thresholds
• Maintain low exposure to "stress events"
• Maintain stability of earnings
• Ensure sound management of liquidity and funding risk
• Maintain a generally acceptable regulatory risk and compliance control environment
• Maintain a risk profile that is no riskier than that of our average peer
For each category of self-imposed constraints we then have a set of quantitative and qualitative key measures. Our self-imposed constraints and key measures are regularly reviewed and updated, and approved by the Risk Committee of our Board of Directors.

Application of RBC's Risk Appetite Framework

Beginning in 2008, two pilots were conducted to determine if the Risk Appetite Framework used to determine enterprise level self-imposed constraints could be applied at the business segment level. The heads of risk with direct responsibility for business segment risk management facilitated the interpretation of the enterprise framework to each business segment context. This led to the development of business level constraints that aligned to the seven key categories of enterprise self-imposed constraints. Businesses also chose to incorporate several key specific constraints to businesses which they manage.

We have made significant progress building out comprehensive statements of risk appetite for each business segment. Risk appetite and risk profile were applied in this year's business segment strategy development process more explicitly than in previous years. Activities continue to enhance business segment/unit risk appetite, and communicate risk appetite concepts to broad employee audiences.

We observe an increasing number of discussions and proposals framed within the context of risk appetite. We see our organizational capability improving to ensure that risk appetite considerations are well incorporated into growth initiatives and business planning overall. Group Risk Management will continue to facilitate and oversee enhancements to business segment risk appetite and related reporting.

Reporting

Risk profile relative to risk appetite is reported quarterly to senior management and the Board of Directors. An Annual Enterprise Risk Presentation is also made to the full Board of Directors. We have found that a comprehensive and balanced set of our most meaningful metrics, connected with external developments, has yielded effective discussion and decision making. Reporting has been a key component in building understanding of the framework and its application.

Success Factors

An important success factor has been strong support of our Board of Directors, Chief Executive Officer, and senior management. Our emphasis on risk appetite as an enterprise priority has been framed and accepted as a critical element to advance our strong risk culture.

Repeated iterations with stakeholders were helpful in gradually building pattern recognition, senior management buy-in, Board of Directors' support, and confirmation of the central components of our Risk Appetite Framework.

Risk appetite development has been led by our CRO, with ongoing facilitation by senior executives in Group Risk Management and engagement with business segments. We began to build business segment ownership of business segment-level risk appetite by integrating risk appetite with business strategy. A flexible approach was required because one method would not fit for all businesses and stakeholders.

Our risk frameworks contain straightforward terminology and can be generally understood by all stakeholders. We avoid overly technical and complex discussions about risk with our Board and senior management, and focus discussion within the context of real and current issues for our institution. In this vein, our business segment statements of risk appetite are quite focused and business driver specific, for example, concentration risk for certain sectors, acceptable earnings volatility and levels of capital at risk.

Challenges

It was initially challenging to achieve clarity on what risk appetite means and how it is used to drive management decisions. Board and senior management decisions implied a high level risk appetite; however, it was initially challenging to gain consensus and concisely articulate risk appetite for the enterprise. Iterative discussions on the framework and ongoing reporting of risk profile helped improve our definition of risk appetite, and build understanding and acceptance with senior management and the Board.



It also took time to gain traction building business segment articulations of risk appetite because it was not possible for business segment frameworks to be developed as simple subsets of the enterprise framework. While there are distinct linkages to the enterprise framework, some of the most useful aspects of the business level frameworks are often quite specific to the business segment or business line.

We also needed to demonstrate the value of a risk appetite framework in some instances, before the businesses (and not Group Risk Management) would take ownership and drive the development of business segment risk appetite. There were some early concerns that risk appetite and risk profile reporting was one more mechanism to impose limits or constrain growth plans.

Lesson Learned and Key Benefits Achieved

By articulating risk appetite at both an enterprise and business segment level, we have an effective combination of top-down constraints and business specific risk drivers. The linkage between the enterprise level constraints and the actions of businesses to grow or change risk profile is now fairly clear. Ownership of issues is also now clearer.

Risk appetite and risk profile are effective communication tools. Increased transparency and reporting on these matters has facilitated internal alignment among business and functional leaders, and supports effective decision making. Our enterprise risk profile provides a consolidated view of risk concentrations and deficits to ensure alignment between actual risk exposure and target risk exposure. Our Risk Appetite Framework and risk profile have also been very helpful in conversations with our Board, regulators and rating agencies.

Risk appetite is increasingly integrated into our business strategies and planning processes, so that strategies are developed and approved in the context of risk appetite. We are embedding into our annual strategic planning process analysis of how growth objectives, degree of planned change and "risk posture" may impact business segment risk profile and risk appetite. In addition, our annual process where the Board approves delegation of authorities to management and the associated limit structures is now put forward with direct linkage to risk appetite.

Moving Forward

Our enterprise Risk Appetite Framework is updated at least annually, focused on continued development of self-imposed constraints. For example, we are enhancing constraints pertaining to low exposure to stress events, operational risk and qualitative measures for non-financial risks. Other areas of focus are to create more forward looking metrics, and achieve the right blend of qualitative and quantitative key measures.

As mentioned, we will continue to enhance articulations of risk appetite for our business segments and key lines of business. Compensation risk management is another practice that we are integrating into our risk frameworks.

It is also our objective to cascade risk appetite concepts to broader employee audiences, to create a general understanding of risk appetite and instill ownership of risk. Consistent with our industry peers, we have made significant progress in the area of risk appetite, and there remains work to be done to achieve full business engagement and integration into all relevant management processes.

Risk Appetite within National Australia Bank: an Ongoing Journey

Overview - Where We Are on the Journey

The setting of risk appetite within National Australia Bank currently manifests itself in two key ways. Firstly, the framework by which we determine our risk posture is strongly aligned to, and informs, the planning process. Secondly, the statement of risk appetite (the Risk Appetite Statement (RAS)) and its three elements ("posture," "budget" and "settings," described below) sets out our capacity for taking on risk and the settings associated therewith.

Our current capability, in terms of risk appetite, reflects an ongoing journey over a number of years and will continue to evolve as our thinking develops. As with most large organisations, the pace of change is a function of the ability of the organisation to absorb that change. As such, our strategy for improving the risk appetite has been measured, rather than dramatic, so as to ensure understanding, acceptance and use as we progress. This has allowed us to approach the task with a longer term vision, introduce change progressively, reflect on the responses and then refine our thinking.

The risk appetite framework (RAF) is grounded in:
• strong engagement between key stakeholders, including Board and Executive, in setting the planning envelope for the business; and
• an interactive process over the planning period that sees agreement on the risk reward tradeoffs that are required for the plan.

The framework results in a statement on risk appetite, the RAS, which encompasses:
• a "risk posture" that seeks to qualitatively describe our capacity and willingness to take risk at any point considering the internal and external circumstances and a forward view;

62 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
• a "risk budget" expressed as an econom ic capital limit of risk is som ewhat opaque and not broadly identified with by
within which the Group must operate; and those tasked to develop and execute strategy and plan— that
• "risk settings" that express key operational limits. is, the businesses. Finding ways for Risk to communicate and
engage in planning was thus critical to the developm ent of
Through a combination of a fram ework strongly integrated into
risk appetite.
the plan, and the production of a RAS as the em bodim ent of
risk appetite, we seek to effectively com m unicate this appetite On top of all this, responsibility for preparing the RAS frequently
throughout the organisation. changed hands between team s in either Risk or Finance, which
made it difficult to establish a long-term vision or change
agenda for risk appetite.
Modest Beginnings
The developm ent of our RAS and associated fram ework has Our First Steps-Dedicated Resources and
been, and continues to be, iterative. As described below we are Defining "Risk Posture" Qualitatively
currently up to the 3rd generation RAS. Our current capability
By 2009, we found ourselves at a crossroads. Thinking around
owes much to the learnings, insights and persistence of those
risk appetite was relatively basic and the RAS was seen by many
tasked with earlier efforts.
as having limited relevance or influence.
We have been preparing RASs for a number of years and well
Despite our best efforts it focused primarily on econom ic capital
before it was becoming an explicit regulatory expectation. The
(a measure not widely understood in the business), was pre­
RAS was created under the leadership of the Board Risk C o m ­
pared after the annual planning and strategy process was com­
mittee and the sponsorship of the C FO and C R O . W hilst rigor­
plete (hence merely reflecting what was to be done) and was
ous and well-grounded in principles of corporate finance, the
widely seen as uninformative in term s of strategic and business
em phasis was on quantitative risk and capital metrics and not
decisioning (and hence of little strategic use).
enough on qualitative discussion or actual risk settings, limits
and policies. For this reason the RAS remained a centrally man­ The Group C R O and the Board Risk Com m ittee continued
aged docum ent with little visibility or traction beyond the Board to push for further im provem ents in the thinking behind, and
and Group Executive. delivery of, the RAS, highlighting areas that could be improved
to assist the Group in its understanding and application around
O ur "second-generation" RASs set out to respond to these
risk appetite. A t this stage, responsibility for the RAS changed
identified gaps by incorporating clear, explicit and detailed
hands yet again, and was given to a designated owner within
risk settings, limits and triggers. The drawback of these RASs
Risk. We created a new position— Head of Risk A ppetite, who
was that whilst there was a lot of detail around risk settings,
reported through the General M anager C redit Strategy to the
it becam e inaccessible to readers given its com plexity. More
Group C hief Credit Officer. A dedicated risk appetite function
im portant, the Board and the executive felt that the detail
was an im portant step in the journey, taken to lift the relevance
made it hard to "see the wood for the trees" and were of the
and influence of risk appetite concepts and m ethodology in the
view that links between the RAS and overall business strategy
Group. For the first tim e, it had an owner whose principal role
were unclear.
was to not only prepare the RAS but to develop our thinking
This issue of the lack of strategic relevance for the RAS was around how best to em bed risk appetite into the business.
com pounded by the absence of a fully integrated role for the
Given this structural change, the risk appetite team em barked
Risk function itself within the planning process. W hilst Risk had
on developing the "third-generation" RAS by starting with a
a clear role in matters such as the validation of forecasts on loan
clean slate and spending tim e thinking more explicitly about
loss provisioning or expectations about the m ovem ent in asset
what we were looking to achieve.
quality, it had a minimal part in framing the initial risk envelope
in which the business strategies and financial plans were to fit. The challenge was to give life and meaning to risk appetite so
that there was one agreed [upon] view that was used and under­
W hy was this the case? A part from the well-accepted view that
stood throughout the Group.
Finance "ran the planning process," Risk lacked both a platform
to effectively com m unicate its views and a fram ework to mean­ The major breakthrough was the decision to describe the "risk
ingfully participate in the planning process. In particular, Risk posture" for the Group, and separately each business unit, in
was not successful in identifying a language that readily con­ term s of three broad settings linked to directional benchm arks.
veyed its position and views. Unlike Finance, whose language is These settings were qualitative, and conveyed how the Group
encapsulated in metrics that are well understood, the language would position itself over the plan period, having regard to the

Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions ■ 63


internal and external environm ent. It effectively sought to pro­ planning (to signal direction) and when planning is finalised (to
vide direction on whether we were prepared to take more or assess whether plans reflect the agreed upon posture). This
less risk. By describing this posture, both in language and visual debate occurs between all stakeholders, including the Board,
form, we provided an anchor point from which to develop the and can best be described as interactive and iterative. There
Risk engagem ent with the business units about the respective are a number of stage gates during the planning process where
risk appetite. we revisit the posture assumptions and positioning. More for­
mally, we submit three RASs a year to the Board, each showing
A fter defining this "risk posture," it becam e easier to debate
changes in the posture relative to prior periods (for both the
where we should be, or wanted to be, in term s of a risk stance.
businesses and the Group).
This debate could be had at both the Group level and at each
business unit recognising differing market positions, strategic As we evolve our thinking on posture, we see opportunity to
capability and priority and external conditions which vary mark­ further enhance and enrich the discussion. To this end we are
edly across our Group. It provided a fram ework for the Execu­ trialling whether the description of a risk posture statem ent
tive to do this in a manner that was more readily understood for key risks (e.g ., credit, operational, m arket, reputation, etc.)
without reversion to the traditional language of risk (limits, and for major business activities would enhance m essaging. A
metrics, etc.). As such, it elevated the richness of the discussion direct benefit in developing this thinking is that it forces broader
and gave new impetus to the role and purpose of risk appetite. engagem ent with all stakeholders and raises awareness around
By forcing this discussion around the appropriate posture, given risk appetite.
both the subsisting circum stances and our capabilities and con­
straints, the linkage to the plan was more easily understood. It Along the Path-Completing the Picture
also ensured that once a particular posture was agreed upon, W hilst describing a risk posture was a catalyst for increased
risk appetite and settings could be more explicitly linked to debate at Executive and Board level, and one that has seen the
the strategy. quality of discussion around risk appetite increase throughout
For 2009 the initiative around risk posture was "after the event" the Group, other developm ents have also been important.
as the plans were by then already substantially com pleted. Since A key developm ent has been increased engagem ent by Risk
then, we have sought to set the risk posture (and associated with the Strategy and Finance team s in the developm ent of the
guidelines) ahead of the planning process so as to provide the strategic, financial and risk param eters established for the plan­
businesses with appropriate direction. ning process. This has allowed us to more effectively integrate
Importantly, we seek to describe the risk posture for each line of risk appetite into the planning process, as businesses see the
business and bring these together to reflect the overall Group three key Group functional stakeholders (in risk, finance and
position. Debate around posture occurs both when we start strategy) more closely aligned and linked in their messaging
around the drivers of financial outcom es. From a Board per­
spective, increased engagem ent between the Group func­
Conservative Neutral Expansionary
tions has provided com fort that the strategies and business
plans more effectively reflect a risk lens.

Business Unit 1 This has also allowed for more effective review and challenge
throughout the planning process (over some 6-8 months) in
order that plan outcomes reflect not only the financial exp ec­
tations but also the risk appetite. W here they are outside this,
adjustm ents to either the plan or the risk appetite are made.
H i U n it 2
This integration and the role of the RA F in the planning cycle
j are shown below in Exhibit 4.1.

As discussed above, the concept of a risk posture has


allowed Risk to more effectively com m unicate with strategy
and finance. We have also developed the concept of "key risk
Ke
them es" within the RAS, which are the most im portant risks
(or "categories" of risk) facing the Group at any tim e. They
Group: Past postures com plem ent thinking around Group strategies, form a basis
Current posture
for identifying the most relevant points of vulnerability in the

64 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
This approach to the RAF is shown below.

W hilst the fram ework for the RAS and risk appetite was evolv­
ing, we were conscious that communication through to bankers
Rik Appetite, Fisnaneial Plan remained a challenge. The language of the RAS is targeted at
and Strategy are integrally
connected
the Board, Executive and Senior M anagem ent. Beyond this,
the language is less appropriate for day-to-day activity. N ot­
All three communicate risk /
reward 'trade-off^ to be withstanding, it is clear that effective communication to bank­
made, though with different
language ers needs to occur in some form if the RAS is to fulfil its role of
"Board to Banker" understanding of risk appetite.

To this end we have sought to engage businesses in preparing


their own "risk-setting statem ents" (RSSs) that can be more
granular and effective in communicating m essages to all levels

Exhibit 4.1 Risk appetite in the planning cycle. of the business. W hilst these clearly need to align to the RAS,
they provide more latitude to effectively com m unicate to a
broader audience. Although some progress has been m ade, this
plan and provide a fram ework for thinking about risk mitigation.
remains a work in progress.
In addition, because they are described in common language
rather than technical term s, they provide a more broadly under­
stood link for those outside the Risk community. Lessons Learned-Successes and Challenges Along
Having established the role of "risk posture" (a qualitative risk the Way
setting description) in risk appetite we have also sought to The developm ents described above have been interactive
enhance our thinking around the more quantitative aspects of with enhancem ents to both the RAS and the fram ew ork
the RAS, in particular: occurring as w e progressed. In the course of our journey,
• setting a "risk budget" in term s of econom ic capital; and the absence of an "o ff the shelf" solution has m eant we
have spent significant tim e discussing w hat w orks and w hat
• describing operational "risk settings" to further enhance
do esn't. O ur approach has alw ays been to dem onstrate
the communication with bankers.
ongoing steady im provem ent rather than com ing up with the
The "risk budget" is described in econom ic capital term s and
"co m p lete so lu tio n ." G iven the uniqueness of the issue, the
sets our maximum risk taking capacity. Reflecting the posture,
m ultifaceted nature of the challenge and the relative interest
it establishes a limit in advance on the use of our available risk
and needs of stakeho ld ers, w e have concluded that this is not
capital to support business activity. Allocated to the businesses
achievab le. Rather, ongoing develop m ent and refinem ent will
by risk class (e.g ., credit, m arket, operational risk, etc.), it pro­
lead to b etter outcom es.
vides a quantitative boundary for planned activity. Actual use
of econom ic capital is then measured against these limits. This Against this backdrop, there are lessons we have learnt along
approach has served as a trigger to review increased business the way that have shaped, and continue to shape, our thinking.
activity in certain areas where econom ic capital limits were likely The things that have led to significant im provem ent for us
to be insufficient to support the proposed activity. include:

In the past, econom ic capital would not have acted as such a • fostering leadership of the debate on risk appetite from
constraint as it had always been an outcom e of the plans (i.e., the C E O , the C RO and the Board Risk Com m ittee;
the agreed upon plan used "this" amount of econom ic capital)
• fostering a receptive internal environment. The organisa­
and as such was not seen as a limit on activity or as a trigger
tion has worked hard on its culture over time and has a
point for a decision.
strong em phasis on team work, collaboration and enter­
Having set a "risk posture" (qualitative) and a "risk budget" prise thinking. This, alongside the wake-up call issued to
(quantitative), we then establish "risk settings" to further pro­ all parties associated with the financial services sector
vide guidance as to the risk tolerances within which the Group (arising from the global financial crisis and its aftermath),
should operate. These risk settings are represented by limits, has enabled more sophisticated and planned discus­
policies and procedures and other setting statem ents and are sions and analysis on the forward outlook for risk and the
more operational in nature. They are at different levels of granu­ environm ent and our response through posture, appetite
larity depending on the messaging required. and strategy;



[Exhibit 4.2 figure. Inputs to risk settings: Outlook; Existing franchise needs; Potential rewards; Confidence in capabilities; Expectations for return; Risk-taking capacity; Regulatory constraints; Legacy assets / liabilities; Messaging. Risk settings: Customer (Models; Trading limits; Op. loss tolerance); Controls (Hurdles, e.g. x-sell, return, LVR, etc.; Policies; Audits); Limits (Industry; Country; Market; IRRBB; Equity; Product; Liquidity; etc.); Processes / procedures (Making decisions; Product exposure; Customer onboarding; Training; monitoring). Note: Not all risk settings are in the RAS, but all are consistent with it.]
Exhibit 4.2 From risk posture to risk budget and actual risk settings.

• identifying a single, dedicated team with accountability for the RAS and the broader framework has allowed us to attain consistency in approach and provide the impetus for innovation;
• separating discussion of risk appetite into three parts, each of which are linked but serve a different purpose: risk posture, risk budget and risk settings;
• integrating the risk appetite and RAS with the strategic and financial planning process;
• increasing the dialogue with the business units around their view of risk posture;
• delivering three RASs to the Board with the cycle and content linked to the planning process. This has allowed for more regular Board discussion on risk appetite and has reinforced the link between risk appetite and the business strategies and plans. The Board now sees more careful consideration of the implications of proposed actions and activities on the Group risk profile and its relation to the Group Risk Appetite and evidence of risk appetite thinking in its discussions with management;
• supplementing the RAS and associated discussion with risk workshops and targeted risk papers for the Board, has assisted the Board in linking risk appetite to the business activities and the portfolios;
• engaging with our Regulator;
• identifying key stakeholders in the business to champion risk appetite discussion; and
• maintaining the ongoing commitment of key stakeholders such as the Board and senior executive.

Most important, we can already say that in the past few years the outcome of a number of material strategic decisions taken by the Group were significantly influenced by the framework described above.

As there are diverse views around the approach to risk appetite (and the RAS) our journey has not been without challenges. Some of the more significant challenges have been:

• balancing the desire for quantitative or prescriptive criteria to define risk posture with the flexibility and generality that qualitative, "principles-based" definitions provide. We have responded by developing a number of quantitative metrics which are "indicative" of risk posture whilst avoiding the trap of attempting to define it formulaically.
• choosing the appropriate metric for each application. For example, economic capital is the metric for risk "budgeting" across the Group, but other metrics are more useful for other applications, such as exposure limits, trading desk limits, industry or country credit exposure limits, etc. Our response has been not to promote a single all-encompassing risk metric but rather to identify the most appropriate risk metrics for each purpose.

• whilst used as the measure of risk budget, the use of economic capital still remains a challenge. We continue to use it given its historic link to past RASs, ICAAP and the fact that most measured risks can be quantified in economic capital terms (albeit there is always debate as to the veracity of the number). Notwithstanding this, most stakeholders still have little engagement with economic capital as a meaningful metric to measure risk performance against. The proper place and purpose of economic capital as a useful tool in the RAF continues to be a focus.
• never allowing the sole use of "risk adjusted" metrics (like economic capital, RWAs and VaR) to lead us to lose sight of the underlying nominal exposure behind each risk. Banks lose dollars, not economic capital—and the same can be said of shareholder dividend payments—so we always seek to ensure visibility of unadjusted exposures when discussing any risk.
• integrating meaningful stress testing into the risk appetite and planning framework, including setting limits more systematically and drawing insights from the results, which is a task that is still a work in progress; and
• balancing coverage of credit risk (our largest single risk type), with other material risks (such as operational or reputation risk), which are less easily quantified or described. As with stress testing, this is still a work in progress.

Where We Go from Here-Further Increasing the Value of the Risk Appetite Framework

The journey never ends. Whilst we have made progress, we are of the view that further enhancements can be, and will be, made to our RAF to increase its effectiveness within the Group. In recent discussions with stakeholders, including Board members, a range of issues have been identified that would further enhance the impact of the RAS and associated framework including:

• further progressing the discussion around stress testing, scenarios and responses and incorporating this more robustly into the planning process;
• continuing to complement the use of economic capital with consideration of other key measures such as regulatory capital and simple, unadjusted exposure;
• enhancing how the risk appetite shapes portfolios from a top-down perspective, with analysis on why such decisions would be taken—e.g., matching external risks with portfolio shape and defining "where we want to be" from a risk portfolio perspective, not just our limits, budget and tolerances;
• further linking the "return-on-risk" (as opposed to return-on-capital) with the risk appetite;
• using the RAS to further enhance transparency around trade-offs in respect to choices between strategic priorities, investments and risk levels we are prepared to accept;
• continuing to develop the framework for defining "risk-setting statements" (RSSs) within the businesses; and
• explicitly linking changes in external environment to changes in risk appetite.

Conclusion-Reflecting on the Journey

The key for National Australia Bank in advancing the RAF has been:

• identifying dedicated resources for accountability;
• developing a standardised risk language around posture, appetite, settings;
• aligning Risk with Strategy and Finance;
• fully engaging Risk as key participant in the planning process;
• continuing to develop thinking around the RAF by engaging with the key stakeholders; and
• seeking ways to broaden the view and understanding of risk appetite so others feel more engaged in its development.

The benefits from the advancement of our RAF and the alignment on issues of strategy, finance and risk have elevated the quality of debate around risk profile and the linkages with the current and targeted risk profile. Our approach has been to develop our risk appetite framework in a manner which meets our organisational needs, reflecting our experiences and our level of maturity. We have taken an evolutionary approach to ensure we bring the organisation along at a pace that will more deeply embed the RAF into our organisational culture and processes. We know that if we pushed the pace of change too rapidly, and without the appropriate engagement and consultation with the business units, our efforts would not be as successful. We know this because we hear and observe many more discussions and debates around risk appetite today than in the past. Our internal culture has aided the development of the Risk Appetite framework and at the same time, the Risk Appetite framework assists in continuing to define, describe and shape our risk culture. The challenge is to remain vigilant to ensure that we continue to learn and adapt our thinking reflecting where we are at and where we want to be. We cannot be complacent.



Scotiabank-A Canadian Experience in Setting Risk Appetite

May 2011

The year 2008 marked a strategic inflection point for the world's view on "risk." The financial crisis compelled the Risk Management discipline in global financial institutions to re-assess every method and assumption embedded in their processes. Three years later, we can all reflect on how financial institutions have evolved their risk frameworks, including, to various degrees, a deliberate, robust and clear expression of "risk appetite."

This case study captures the challenges and lessons in the design and implementation of a Risk Appetite Framework at Scotiabank (the Bank). Today Scotiabank considers implementation of their Risk Appetite Framework to have been successful. For perspective, however, Scotiabank was not starting at the beginning. It already had a risk appetite position embedded in its strong risk culture that had served it well through the financial crisis. Nonetheless, Scotiabank recognized the potential value of a more clearly defined, comprehensive Risk Appetite Framework based on governing financial objectives, risk principles and risk appetite measures. Scotiabank integrated these key dimensions into an enterprise-wide framework, strengthening its overall approach to governing risk-taking activities. The Risk Appetite Framework was approved by the Bank's Board of Directors in early 2010. The journey of evolving that Framework continues.

Enterprise Risk

In 2006 the Bank created an Enterprise Risk function with a mandate of linking capital capacity, revenue and risk-taking across the various risk types (e.g., credit, market, liquidity, operational risk, etc.). The first priority of the new team was the development of appropriate and actionable risk metrics. From there, a comprehensive information package was developed for regular reporting to senior management and the Board on all risks spanning the entire Bank against key Board-approved risk limits, globally, creating a clear picture of the Bank's risk exposures. Additional priorities included further development of the Bank's credit risk strategy. With these developments, the Board was more informed and could become more engaged. Together, these risk limits, and various risk reporting aspects, helped senior management articulate to the Board the amount of risk being taken at the institution.

By 2008 it was evident that a broader strategy was required. Risk Management at the Bank was still, to a large extent, siloed by risk type. The inter-connectedness of risks was only beginning to be aggregated. And various dimensions of financial performance and strength were not consistently being viewed through a risk lens. Risk managers across the industry began giving more consideration to defining risk appetite as a guide for decision-making—to frame how much risk their firms were willing to take on in the context of executing their business strategies and in the drive for value.

At the time, Scotiabank participated in a Canadian benchmarking survey, conducted by Deloitte, as one input to defining appropriate practices. The study confirmed that risk appetite was an active area of focus for the banks and that formalization would take the form of a Board-approved framework with ties to capital management and other management activities.

There is general industry consensus on the meaning of "risk appetite" and the importance of distinguishing it from risk capacity. The broadly held view is that risk appetite is an expression of the desire to take risk and, implicitly, a statement of how returns will be earned against that risk. It is, in effect, a key part of the contract between senior management and the Board . . . and the shareholders they represent. Risk appetite is clearly distinct from risk capacity, which is the ability of the firm to withstand risk events. However, that seems to be where the industry consensus ends. To date there is no common approach beyond definitions and key elements of a framework at the corporate level.

Setting Context

The Bank's most senior executives were actively engaged in industry discussions relating to risk, implications of the global crisis and the subsequent way forward for the industry. Senior executives became involved in IIF benchmarking efforts, supported by a broad cross-section of management.

The Enterprise Risk mandate was expanding in several ways. In addition to becoming central support for the IIF benchmarking analysis, the team began integrating risk measures from across the firm. They started to serve as a clearinghouse for all types of risk information, and as a risk communications channel for senior management and the Board. Without a more defined Risk Appetite Framework, however, the risk reporting lacked context. So the team conducted an internal assessment of what was in place and confirmed the following:

• The Bank already had an implicit risk appetite embedded in its strong risk management culture. At Scotiabank, the risk culture is anchored in a long history of who we are as a lender, from our early days of financing North American Eastern Seaboard trade to the launch of our first personal loans in 1958, and continuing today with market leading financing programs around the world. Our deep experience in lending has embedded a focus on capital preservation that spans the full spectrum of risk . . . making risk management a strategic priority shared by all employees. Today, a key aspect of this culture is to be well-diversified across business lines, countries, products and industries. Another key element of the culture is the relatively long tenure of employees. For example, of Canadian-based managers—people in decision-making roles—over one-third have been with the Bank more than 20 years. And the Executive Management Committee's tenure is even longer. Based on that deep experience, senior management has a strong sense for what would be "offside" relative to the cultural norms established over almost one hundred and eighty years;
• Existing limit structures were, in effect, a network of contracts already in place between Risk Management, the Business Lines and the Board on what risks could be taken, or not; and
• Business lines clearly owned risk, complemented by highly centralized decision-making on risk policy setting and significant transactions through executive committees.

However,

• The existing limit structure was complex and not codified in any way that made it straightforward to combine and report the total risk taking activities to the Board; and
• There was no explicit statement of the objectives and principles that governed the Bank's decisions for risk-taking.

Most experts on "risk appetite" acknowledge that the development of a framework should engage senior management in the Risk Management function and in the Business Lines, as well as the Board. However, the biggest obstacle to developing the framework and implementing it can be the lack of consensus on what risks are appropriate for the firm and the extent of controls needed to mitigate the risks. So, when there is broad appreciation of an established risk culture along with specific risk-based contracts already in place between the stakeholders, the task of designing and implementing a risk appetite framework is already well advanced.

Diving In

The first iteration of the Risk Appetite Framework involved selection of existing quantitative metrics (covering Board-approved risk limits, performance targets and capital targets) as key indicators of the Bank's risk appetite and actual risk profile. The indicators were consolidated and incorporated into the

Development of the next iteration of the Framework focused on a few key areas:

• The context of the Bank's governing financial objectives and strategic principles;
• Articulation of Risk Management principles (qualitative attributes) that would guide the Bank's overall approach in risk-based activities;
• Bringing into focus a limited number of risk measures that were considered essential objective expressions of the Bank's risk profile, along with corresponding target ranges; and
• Establishment of monitoring and reporting structures.

Development of the Risk Appetite Framework was driven by Risk Management in collaboration with a broad range of stakeholders. Finance was a pivotal partner in the work as they had overall management of the Bank's Balanced Scorecard (more recently moved to the Strategic Planning Office). As well, Global Human Resources ensured that employee incentives are linked to performance, and that risk performance is taken into consideration. Engagement of senior management in the Business Lines was a key part of the review and approval process. The Bank's Asset & Liability Committee served as the forum for review prior to presentation to the Executive Management Committee, and ultimately the Board.

The approach could be relatively expedient based on a few factors:

• The well-established risk culture;
• The independence of the Risk Management oversight function; and
• The specific limits to be brought into the Framework could largely be drawn from the network of existing controls.

The Framework that emerged from the discussions had two sides: a qualitative, principles-based component, and specific risk measures in key risk disciplines. More specifically, the structure was underpinned by sound risk governance, followed by the Risk Appetite Framework itself. The use of risk management techniques was considered to be another key component, including the strategies, policies, limits, processes, measurement and monitoring tools which Risk Management implements. These risk management techniques are deployed across the spectrum of risk disciplines covering credit, market, liquidity, operational and reputational risk. Finally, the entire structure is underpinned by the Bank's strong risk culture.
Operationalizing the Framework
Capital M anagem ent Policy. By the end of 2008, however, it was With the Fram ework generally agreed upon, the risk measures
evident that a more com plete policy was needed. were operationalized through quarterly monitoring, including

Chapter 4 Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions ■ 69


comprehensive Board reporting. This practice helped to consolidate risk reporting and to bring into focus the Bank's performance on the risk contract between management and the Board.

Functionally, the Bank implemented the principles component of the Framework by referencing the Framework in policies such as the Capital Management Policy and by communicating the risk appetite principles to the Board, Executive, Senior Management and shareholders via the "Management's Discussion & Analysis" section of the Annual Report.

Through established policy groups, the Framework was cascaded to major international subsidiaries.

The Framework was initially socialized externally with local regulators and at a "College of Supervisors" and was included in presentations with rating agencies.

By 2010, formalized processes were being put into place for ongoing internal discussion. Annually, the Framework is now shared with the senior team responsible for Bank-wide strategic planning development— the Strategy Working Group— which is made up of Senior Vice Presidents and CFOs for the Business Lines and Corporate Functions. As well, the Framework has become a lens for reviewing the strategic plans of each Business Line in the Executive Management Committee's annual strategic planning process.

Evidence of Change

The value of formalizing the Risk Appetite Framework is best illustrated by the change in Scotiabank's Annual Report to shareholders. Prior to 2008, there had been no discussion of risk appetite. By 2010, the Annual Report contained several pages directly connected to the new Risk Appetite Framework, captured here:

In discussing Scotiabank's overarching Risk Management Framework, the Bank is now more able to enunciate the relationship of risk governance, risk appetite and risk management techniques and the foundation of these in the Bank's strong risk management culture.

[Figure: Scotiabank risk management framework pyramid. Risk Governance; Risk Appetite (Governing Financial Objectives, Strategic Principles, Risk Management Principles, Risk Appetite Measures); Risk Management Techniques (Strategies, Policies & Limits; Guidelines, Processes & Standards; Measuring, Monitoring & Reporting); Risks (Credit, Market, Liquidity, Operational, Reputational, Environmental); Strong Risk Culture.]

[Figure (2010 Annual Report): Risk Appetite Framework, comprising Risk Management Principles, Strategic Principles, Governing Financial Objectives and Risk Appetite Measures.]

The Report notes that the Risk Appetite Framework consists of four components and elaborates on each:

1. Risk Management Principles provide the qualitative foundation of the Risk Appetite Framework. These include:
• promotion of a robust risk culture,
• accountability for risk by the Business Lines,
• independent central risk oversight,
• avoidance of excessive concentrations, and
• ensuring that risks are clearly understood, measurable and manageable.

2. Strategic Principles provide qualitative benchmarks to guide the Bank in its pursuit of the Governing Financial Objectives, and to gauge broad alignment between new initiatives and the Bank's risk appetite. Strategic principles include:
• placing emphasis on the diversity, quality and stability of earnings;
• focusing on core businesses by leveraging competitive advantages; and
• making disciplined and selective strategic investments.

3. Governing Financial Objectives focus on long-term shareholder value. These objectives include sustainable earnings growth, maintenance of adequate capital in relation to the Bank's risk profile and availability of financial resources to meet financial obligations on a timely basis at reasonable prices.

4. Risk Appetite Measures provide objective metrics that gauge risk and articulate the Bank's risk appetite. They

70 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
provide a link between actual risk-taking activities and the risk management principles, strategic principles and governing financial objectives. These measures include capital and earnings ratios, market and liquidity risk limits and credit and operational risk targets.

[Figure (2010 Annual Report, continued): Risk Management Techniques, comprising Strategies, Policies & Limits; Guidelines, Processes & Standards; and Measurement, Monitoring & Reporting. Note in figure: risk management techniques are regularly reviewed and updated to ensure consistency with risk-taking activities, and relevance to the business and financial strategies of the Bank.]

Key Benefits, Challenges and Future Considerations

The Framework is envisioned as a living document that will undergo periodic review and update. The Bank considers it to be an evolving guideline that will continue to be disseminated internally and which will find expression in additional policies, strategies and risk management practices in the future.

The biggest benefits of defining the Risk Appetite Framework for Scotiabank have been that it provides greater transparency of the key objectives, principles and measures defining the Bank's appetite for risk in the pursuit of value, and it has enabled greater awareness and more effective communication with internal risk decision-makers and external stakeholders.

This "case" captures how the development of a strong and functioning Risk Appetite Framework can be accomplished in the setting of a strong, existing risk culture where there is a deep network of established controls, limits and risk oversight structure. The development of the Framework was the straightforward part. Work continues on key challenges around implementation and further alignment.

The key challenge continues to be a combination of 1) awareness and application of the Framework within the Business Lines, and 2) finding the right balance between broad principles and granular guidance for day-to-day decision-making with line management throughout the Bank.

In terms of awareness, the program was launched with "road shows," but more communication work needs to be done to evolve from reliance on the culture and norms, to embedding the Framework as the more clearly defined and rigorous context for decision-making.

As for "the right balance," there still needs to be linkage between the high-level principles and metrics as expressions of risk appetite at the top of the Bank and the risk indicators and limits deployed at a business unit level. While some measures of credit and market risk have been allocated to businesses, others, including most measures for operational risk, are not easily aggregated, nor divided. As such, the Bank (and the industry) continues to work at an effective way to link certain "top of the house" measures with business specific risk performance measures.

Additional work also remains to further integrate the Risk Appetite Framework with other risk policies and the enterprise-wide stress testing program.

Ultimately, Scotiabank's test of an effective Risk Appetite Framework is that it fits the organization; the Board understands it; management is having good discussions reflecting both qualitative and quantitative measures; decisions are made and action is taken; and sustainable long-term earnings growth is achieved.

Risk Appetite Framework Development at the Commonwealth Bank of Australia

Background

Within the Commonwealth Bank of Australia (CBA) Group, risk appetite had always been part of the risk vocabulary. However, historically there has been little documentation of a formal framework. During the mid-2000s some attempts had been made to define the framework but it was not until the appointment of the new Group Chief Risk Officer in 2008 and the actions of an energetic Board Risk Committee chairman that the need for a formal, Board-owned risk appetite foundation gathered real traction. Consequently, a project to develop a risk appetite framework was launched at the start of 2009 and this case study covers the various stages of its development to date.

What Do We Mean by Risk Appetite?

The first challenge was to understand what was meant by risk appetite. Internal discussions revealed many different interpretations of what was meant by risk appetite. Furthermore, publicly available disclosures from banks and financial institutions around the world also appeared to use the term in different ways. Annual Reports often referred to "acting in accordance with risk appetite," but nowhere was the risk appetite defined.



We felt that part of the reason for the lack of traction in previous attempts to establish a risk appetite framework was the lack of a common definition of "in what terms" risk appetite was defined. A clear conceptual definition was therefore required.

This led us to define risk appetite as: "The types and degree of risk the Group is willing to accept for its shareholders in its strategic, tactical and transactional business actions." That is, appetite was expressed as a boundary on risk taking activities that defines where we do not want to be, rather than where we want to be. We liken it to the outer boundary markings on a sports field; we don't mind where you play as long as you don't go outside of this boundary.

This contrasts with the amount of risk you are able to take (a capacity for risk taking), the amount of risk you wish to take (a target for risk taking) and, of course, the actual risk profile (the amount of risk you are actually taking). All these alternative expressions add characterisation to our risk taking capabilities and exposures.

If the role of risk management is thought of in terms of both protecting the organisation from unwanted outcomes and advising the organisation on how to optimise its risk/return outcomes, then risk appetite is supporting the protection role of risk management; the optimisation of risk and return is part of the advisory role of risk management and is addressed by assisting business set their target risk profile.

Monitoring risk levels then becomes one of monitoring the actual risk profile against target levels that have been set to optimise risk-adjusted returns within the risk appetite boundary. This is illustrated in Figure 4.1.

[Figure 4.1: spider diagram with five risk dimensions (Dimension 1 to Dimension 5) showing the Boundary (Appetite), the Actual Risk Profile, the Target Risk Profile (Strategy), Spare Capacity and Risks actively sought. Source: CBA Group.]
Figure 4.1 The risk appetite concept in CBA.

The Group actively uses these types of "spider" diagrams in its business unit and Board dashboards to good effect.

With a clear concept established, we could turn attention to the terms in which we should express the risk appetite boundary and, just as important, how we could establish the Board's views on this.

Board and Management Engagement

The Group's risk appetite needs to be owned by the Board. We were aware that getting effective engagement and ownership of the Board depended on us taking the Board along the development road with us rather than either presenting a document for them to rubber stamp or other actions that lowered Board member personal investment in the outcome.

Our approach was to have a series of structured conversations over a period of months with the Board. The first of these was conducted as an interactive voting session to gather anonymous views from all Board members on a number of key questions regarding outcomes for the Group that they would be least willing to accept. This involved selecting various absolute measures as well as ranking various potential outcomes. Where answers were not well aligned between Board members a staff-facilitated discussion was used to arrive at an acceptable consensus view. We found that questions requiring ranking of choices added clarity of insight on Board appetite. A fear by staff that the Board would collectively adopt a highly conservative risk outcome did not happen, but we prepared the Board by talking about appropriate risk-taking as key to profitable growth.

Armed with this base input we were able to translate the Board's views into what we believed was the risk appetite that they had expressed. This was written up and presented back to the Board as a draft Risk Appetite Statement for their further discussion and refinement over a series of further Board meetings. In the latter stages nuancing of the words became more and more prevalent, but by starting the Board engagement without a draft document the initial conversations had concentrated on the concepts rather than the words.

The same interactive voting session was first trialled with a subset of the Group's management Executive Committee. Interestingly, the views of management were less well aligned than they were amongst the Board members.

Content of the Group Risk Appetite Statement

At CBA the risk appetite is defined by a combination of the Group Risk Appetite Statement (RAS) and the supporting Group-level risk policies, such as the credit concentration policies, which define specific limits aligned with the RAS principles and metrics.

The RAS covers three important areas:

• The conceptual definition of risk appetite for the Group;
• Risk Culture; and

• The risk-taking boundary— specific boundaries (expressed in both quantitative and qualitative terms) for major risk drivers, together with expressions on how particular risk types are controlled.

Having an appropriate "Risk Culture" is viewed as absolutely key to effective risk management. The RAS sets down a high-level statement of intent with regard to risk, i.e., what we stand for in risk terms (e.g., the business, not Risk, manages and owns the risks), and the expected behaviours of employees with regard to risk. The aim is to ensure that the right people own the risk and support the desired risk outcomes.

The approach to defining the culture was no different to the other content in the RAS— we asked the Board questions about the culture and behaviours they expected and then drafted content that we thought reflected their responses. The result was a single page containing around 10 cultural and 6 behavioural principles relating to risk, which was edited based on Board responses to it. Examples of the types of topics that we cover are the need to understand and appropriately price for risk and a culture where it is safe to call out mis-management of risk by others.

In order to embed the desired culture there was a need to link it to the remuneration system and this has been addressed in two main ways:

The Board asked, as one element of aligning with the regulator's requirements, that risk management opine on compliance with these principles for their consideration in setting executive incentive awards; and

The Group's internal staff performance review system opens with the requirement to consider whether an individual's key performance has been achieved by operating within the culture and boundaries of the Group's and the relevant business units' RAS.

The risk-taking boundary includes qualitative expressions of "risks to which the Group is intolerant" together with more quantitative limits for key financial outcomes for the Group.

The "intolerant" concept arose from conversations with the Board and management about incentives and consequences of operating outside of appetite. If we were to say that we had zero appetite for particular risks (e.g., fraud) and we aligned performance assessment and incentives to operating within appetite, then a fraud incident should have remuneration implications. This could create the wrong behaviours (either spending disproportionately on preventing fraud or non-reporting of fraud incidents) and so, rather than talk about zero appetite, the concept of intolerance was developed. These are exposures/outcomes that we do not wish to experience but recognise are not 100% preventable. Where they arise the RAS commits us to take rapid and comprehensive action to minimise the chance of reoccurrence.

Having developed the content of the Group RAS with the Board, an important second step was to validate the alignment of the existing Group-level risk policies, and in particular the limits contained within those policies, to the RAS. These policies complete the definition of the overall risk appetite. The RAS metrics are now one of the key drivers of the limits that are included in risk policies, for example, the counterparty, industry and country limits within the credit concentration policy framework.

Cascading of the Risk Appetite

By necessity, the Group-level risk appetite is high level and requires translation into more specific and meaningful terms for a particular business unit.

The approach to this was to make the head of each business unit— not the Chief Risk Officers of the business units— accountable for developing an equivalent RAS for their business unit. The RAS would need to be both aligned with the Group risk appetite but also specific to the characteristics of their businesses. This responsibility was an important part of the cultural change, with the business themselves rather than Risk Management being responsible for the risks being taken on and for their outcomes.

Board members read these documents to test their specificity to the activities of the business unit, and also as a lens through which to view the strategies presented by businesses.

[Figure 4.2: "Bedding in RAS requires cascading"; at each level, Principles and Supporting limits.]
Figure 4.2 Risk appetite components and cascading



Link to Strategy

A major element of the overall risk appetite framework is the interaction between risk appetite and strategy. The formal alignment and interaction of these two elements had not previously been built into the operations of the Group.

The first point of connection is that both appetite and strategy should be aligned with the Group's vision and values. Beyond that the appetite is setting boundaries on risk taking activities while strategy is seeking optimal use of the Group's resources in response to the evolving environments in which we operate. Each should be challenging the other. Equally, reading one should give knowledge of the other. These concepts are illustrated in Figure 4.3.

[Figure 4.3: "Bedding RAS in... links it to other critical elements in a risk framework". CBA Group Vision and Values; Group Risk Appetite Statement/Policies; Business Unit Risk Appetite Statement/Policies; linked by "Assess & Revise" arrows.]
Figure 4.3 The critical link between appetite and strategy.

The building of the consideration of risk appetite into the Group's formal strategic planning process has been a significant step forward. However, it is not just in a formal way that risk appetite has impacted decision making across the organisation. The referencing of decisions as being aligned with or outside risk appetite is now becoming part of the everyday conversations around the bank. Even more gratifying is to hear people often talk of the need to reassess the risk appetite in light of opportunities that are presented, which creates an evolving and productive challenge to current RASs— leading to keeping RASs fresh and appropriate.

Successes to Date

There have been several aspects of the development of risk appetite that have worked well and translated into meaningful benefits for the Group:

• Firstly, the approach to engaging with the Board led to a strong sense of ownership and a depth of understanding of risk appetite by the Board that would not otherwise have been achieved.

• By setting clear Risk Culture expectations in the Group RAS and putting ownership for developing business unit RASs on the heads of the business units (rather than the business unit risk teams), there has been a cultural shift in the ownership of risk from Risk Management to the businesses. Business units now act with clearer responsibility (ownership) for the risk they take on.

• The incorporation of the review of risk appetite as part of the strategic planning process, and the presentation of strategic plans, formally accompanied by recently agreed upon risk appetite statements, to both management and Board has brought risk appetite considerations formally into key decision making and strategy setting discussions.

• The understanding of the interaction of strategy and risk appetite has changed previously held views that risk appetite was a barrier to progress, and in particular that it could not be challenged or changed. A lot of work has gone into explaining the connection between strategy and appetite and the important way that they are brought together in strategic planning, to give both management and the Board transparency over decisions either to amend the strategy to align with the existing appetite, or the appetite to allow the proposed strategy. The joint consideration and refinement of strategy and risk appetite is now part of business as usual. (See the "Assess & Revise" arrows in Figure 4.3.)

• By establishing clear boundaries, Business units understand what is outside appetite and therefore do not pursue these opportunities, leading to a reduction in both wasted effort and frustration.

• By bringing the requirement to operate into alignment with the Group and local risk appetite statements into the performance management and remuneration framework, risk appetite has achieved a high level of awareness and influence on behaviours. Key behaviours are found in the Group RAS, e.g., responsibility to raise issues, protection for doing so and "no harm" to people who raise false-positive issues.

Continuation in the Evolution of Risk Appetite

Although considerable success has been achieved in the risk appetite journey so far, we are cognisant that there is more to be done in developing the maturity of risk appetite across the Group.

• By necessity, the Group RAS is high level and principle based in nature. The challenge is in cascading this to lower levels in a way that makes it meaningful in

day-to-day decision making on the front line. Business units are developing risk parameters for lower level portfolios/products that will translate the limits/principles established in the Group and business unit RASs into meaningful limits for staff working in these areas. This will allow a more granular inclusion of RAS consideration into performance assessments and incentive payment outcomes.

• There has been some initial reluctance by some business units to set the hard quantitative boundaries required to help define risk appetite. This may be partly due to the presence of a formal policy limit setting framework, plus a previously held view that once set, RAS quantitative boundaries would be difficult to change. (The Board actively assists in this matter by engaging on proposed changes out of cycle to the annual RAS review process.) Further work is needed to include more specific quantitative boundaries for these businesses.

• Further development is ongoing in adding clarity to business unit RASs and strategies so that they become more overtly complementary and aligned.

• The incorporation of stress testing outcomes into the contextual setting of risk appetite is an area that we continue to develop.

Summary of Key Lessons Learned

As the risk appetite has been developed a number of lessons have been learned, the foremost of which include:

• Without sponsorship from the top it is difficult to get traction in developing a risk appetite framework.

• Without a clear conceptual definition of risk appetite there are many confusing and ineffective discussions about risk management and we fail to get business buy-in to the framework.

• The conversations around risk appetite are equally as important and beneficial as the actual Risk Appetite Statement document produced from them.

• Culture is a fundamental part of risk appetite and to the success of embedding risk appetite in the organisation. Taking the time to craft descriptions of what risk appetite the Group and business units have for variance in risk culture breathes life into risk culture.



Banking Conduct and Culture
A Permanent Mindset Change

Learning Objectives

After completing this reading you should be able to:

• Describe challenges faced by banks with respect to conduct and culture, and explain motivations for banks to improve their conduct and culture.

• Explain methods by which a bank can improve its corporate culture, and assess progress made by banks in this area.

• Explain how a bank can structure performance incentives and make staff development decisions to encourage a strong corporate culture.

• Summarize expectations by different national regulators for banks' conduct and culture.

• Describe best practices and lessons learned in managing a bank's corporate culture.

Excerpt is reprinted from Banking Conduct and Culture: A Permanent Mindset Change, by the G30 Working Group, 2018.

INTRODUCTION

This year marks the tenth anniversary of the 2008-09 global financial crisis, an event that put banking culture and conduct under the global spotlight. In the previous installment of our series of reports on this topic, Banking Conduct and Culture—A Call for Sustained and Comprehensive Reform (2015), we put forth a set of recommendations for banks, their boards and management, and supervisors, and promised to provide an update on the progress major banks have made in implementing our recommendations. This report provides that update.

We focus on two fundamental questions: (1) How much progress has the banking industry made in culture and conduct (Box 5.1) since the financial crisis, particularly since our last report?, and (2) Where do we go from here? That is, in what areas should banks continue to press on, and what evolving questions should

BOX 5.1 DEFINITION OF CULTURE AND CONDUCT

In our 2015 report,* we defined culture as the mechanism that delivers the values and behaviors that shape conduct and contributes to creating trust in banks and a positive reputation for banks among key stakeholders, both internal and external.

We used a framework that identifies key factors that determine two broad outcomes for a bank: (a) client and stakeholder perceptions about the bank's reputation and services, and whether the bank builds trust (among stakeholders including employees, society, government, and supervisors); and (b) financial performance, which rewards shareholders. To achieve these outcomes, the bank starts with its history (client franchise, brand, technology, and financial resources), defines a purpose or strategy for the institution, and develops a unique culture that is the summation of values and ethics, desired conduct standards, and implied behaviors. Figure 5.1 provides a schematic summary of this framework.

Culture comprises not only conduct and behaviors, but also the bank's values and ethics. While cultural norms and beliefs cannot easily be measured, the conduct and behaviors that the cultural norms encourage or discourage can be. In fact, conduct can and should be observed, monitored, managed, and incentivized. It is important to remember that while conduct and behaviors— that is, what people actually say and do— are the only visible elements of culture, they are directly influenced by the less tangible elements, such as the bank's unspoken rules, ideas, norms, and subconscious beliefs that lie beneath the surface.

Managing culture thus requires understanding visible conduct and behaviors as well as the complex web of influences that lie beneath them.

While conduct can be evaluated as good or bad, culture itself cannot be. The culture of each firm is unique to that organization and it is not empirically right or wrong; rather, it has to be right for that organization. In that same vein, firms that have had conduct issues or scandals do not necessarily have an overall bad culture but have elements of their culture that are misaligned with the outcomes the firm is seeking and that are driving undesirable or inappropriate behaviors. That is why it is so important to focus on both the overall culture and all of the elements that comprise culture.

Culture is complex and is made up of multiple structural elements (such as processes, policies, organization, and technology) and multiple human elements (such as norms, expectations, beliefs, and values), all of which must be aligned with one another and with the desired outcomes in order for the culture to work for the firm.

* Source: Banking Conduct and Culture - A Call for Sustained and Comprehensive Reform, Group of Thirty, Washington, D.C., 2015.

[Figure 5.1: Inputs: Bank History; Bank Purpose & Strategy; Culture (Conduct & behaviors, Values & ethics). Outcomes: Client & Stakeholder Perceptions (Reputation, Trust); Financial Performance.]
Figure 5.1 Elements of a unique bank culture.

Chapter 5 Banking Conduct and Culture ■ 79

they be mindful of going forward? To address these questions, we interviewed a significant number of CEOs, board members, and senior executives at major banks across the globe, as well as a number of supervisory institutions and industry standards bodies. We also drew on other sources including insights from Oliver Wyman's global practice.

Over the last decade, bank culture and conduct have received increased attention from bank management and their supervisors, clients/customers, and investors. Supervisors, regulators, and governments globally have increased scrutiny of culture and conduct issues; since the financial crisis, the banking industry has paid an estimated US$350 billion to US$470 billion¹ in penalties (including fines and litigation/settlement charges) for conduct-related matters, evidence that these so-called soft people issues can significantly impact the bottom line. Both institutional clients and retail customers are becoming more focused on bank conduct and culture, driven by highly publicized cases of conduct failures. Senior executives and board members are increasingly expected to demonstrate that conduct risk is understood and managed, and that appropriate discipline and culture are being reinforced.

As a result, banks have invested significant effort in improving their culture and conduct. With increasing appreciation of the scope and scale of culture and conduct issues, banks have instituted many changes focused on improving their culture and conduct. These efforts span both formal and informal measures and include:

• Refinement and/or re-articulation of bank purpose and values, with subsequent establishment of extensive communication and training programs
• Heightened engagement at the board level on conduct and culture issues
• Modification of compensation and performance management schemes to incorporate not just financial results but also behavioral considerations
• Systematization of the roles of second and third lines of defense in culture and conduct, and a push toward greater ownership of these concerns by the first line
• Changes to business processes, including new product approval and product governance, revised pricing approaches, improved whistleblowing mechanisms, and review of questionable market practices in trading and hedging, all of which are signs that the conduct agenda is beginning to cascade down to the way business is done.

Despite these efforts to improve conduct and culture, the banking industry still suffers from a negative reputation, and trust still needs repairing. According to the Edelman Trust Barometer, the banking industry historically ranked among the most highly trusted industries since the end of World War II; however, trust declined precipitously during the financial crisis, and today remains low compared to other industries and far from recovering to precrisis levels, as shown in Figure 5.2.

Figure 5.2 Edelman Trust Barometer results by industry sector, 2006-2018.
[Line chart: trust level (vertical axis, 45 to 85) by year, 2006 to 2018, for Banks, Consumer goods, Media, Automotive, Energy, Health care, and Technology.]
Source: Edelman Trust Barometer Archive.
Note: Trust level results are distinguished between two populations: "Informed public" (ages 25-64, college-educated, in top 25 percent of household income per age group/country), and "general population" (all population ages 18+). Due to differences in publicly disclosed results by Edelman, years 2006-2011 of this figure show informed public results; years 2012-2015 show a blend of informed public and general population results; and years 2016-2018 show general population results.

The ongoing stream of conduct scandals, ranging from lapses in customer protection to anti-money-laundering deficiencies to manipulation of market benchmark rates to rogue traders, has called attention to the intimate link between conduct and reputation and continues to take a toll on the banking industry's reputation. The broad spectrum of topics and

¹ Sources: Conduct Costs Project, Good Jobs Project, Oliver Wyman analysis.


geographies of recent scandals (see Figure 5.3) reveals that conduct is not just an investment banking issue but an "all banks, all geographies, all businesses potential issue," as one banking official put it. It is relevant to all banks globally and to all lines of business within banks. (See Box 5.2 for the case of Australia.)

Figure 5.3 [Timeline of selected conduct scandals by institution, 2015-2018; the chart's entries are listed here.]
• ING Bank, money laundering: An investigation opened in 2016 has resulted in a US$900 million fine for failing to prevent years of money laundering abuse.
• ABN AMRO, mortgage fraud: Mortgage advisors forged client signatures in revised documentation on mortgages.
• Punjab National Bank, fraudulent transactions: Issued fraudulent guarantees for diamond merchant firms to withdraw unsecured loans from overseas branches.
• ABLV: Violated international sanctions against North Korea and bribed a Latvian official to prevent tougher AML rules.
• Wells Fargo, fraudulent accounts: Opened millions of fraudulent savings and checking accounts without customer consent.
• Commonwealth Bank, money laundering: Negligence led to more than 50,000 breaches of AML and counterterrorism laws.
• ICBC and Postal Savings Bank of China, loan fraud: 19 banks granted loans worth US$ millions to criminals who illegally pledged gold of low purity as collateral.
• Deutsche Bank, money laundering: Failed to prevent a US$10 billion Russian money-laundering scheme, resulting in US$630 million in fines.
• BSI and Falcon Private Bank, money laundering: Bankers participated in and coordinated money laundering activities linked to the corrupt Malaysian 1MDB fund.
• Commonwealth Bank, unsuitable financial advice: Encouraged more than 3,500 clients to undertake risky, inappropriate investments.
• TD, aggressive sales targets: Increased overdraft protection amounts and credit card borrowing limits without customer authorization.
• Danske Bank, money laundering: CEO resigns amid probe into US$200 billion money-laundering scheme perpetrated at its Estonia branch.
• Wells Fargo, "forced" auto insurance sales: Sold auto collateral protection insurance to more than 550,000 customers who did not need coverage.
• Commonwealth Bank and AMP, fees for "no service": Charged thousands of customers for financial advice that was not delivered.
Note: AML = anti-money laundering; BBSW = Bank Bill Swap Rate; ETF = exchange-traded fund; EU = European Union; FX = foreign exchange; IPO = initial public offering; LIBOR = London Inter-bank Offered Rate; 1MDB

While some scandals are institution-specific, the reputational fallout is often not limited to the offending institution but has a contagion effect, impacting other players in the industry. This shows that trust is an industry common good rather than an institution-specific competitive advantage. Further, as scandals are often revealed retrospectively rather than in real time, the reputational overhang can live on long after the misconduct occurs, sometimes even after the specific issue has been addressed. All this shows that while trust and reputation are easy to lose, rebuilding them is much more difficult. Even as banks continue their efforts to become more trustworthy, becoming trusted again will be a slower process.

Banks cannot afford to be complacent about their trust and reputational problems, especially in light of emerging competition from alternative providers. As Bill Gates presciently put it nearly twenty-five years ago, "banking is necessary; banks are not." Banks have a small window to figure out how to manage culture and conduct and regain the public's trust. Without earning trust every day, the continued survival of banks is at risk from displacement by new industry entrants, a growing list that includes fintech start-ups, technology firms, retailers, and telecom companies.

In addition to the risk of client attrition, trust and reputational issues may over time also lead to problems in acquiring and retaining talent. For instance, young millennials continue to be turned off by banks' reputational problems and are opting instead



BOX 5.2 THE AUSTRALIAN CRISIS

As the current situation unfolding in Australia demonstrates, the banking industry remains subject to further serious scandals and fallouts.

In December 2017, Australian prime minister Malcolm Turnbull's government called for the establishment of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry following revelations of years of serious misconduct by Australia's financial institutions. Since the 2015 G30 report, egregious examples of misconduct have surfaced, affecting one or more of Australia's "Big Four" banks.* These include rate manipulation allegations (2015), unsuitable financial advice impacting thousands of clients (2015), weak controls to prevent thousands of breaches of anti-money-laundering/counterterrorism laws (2018), and fees for no service (for example, charging accounts of dead clients) (2018).

These incidents have led to over US$700 million in penalties and compensation since the 2008 global financial crisis, removal of senior leadership (at CBA and AMP), and numerous legal and criminal investigations. An interim report, released in September 2018, noted remuneration practices and inadequate consequences as having been closely linked to issues of conduct and culture, with more to come pending the final recommendations of the Royal Commission. The executive summary of the Interim Report of the Royal Commission points to greed as a central issue, resulting in "the pursuit of short-term profit at the expense of basic standards of honesty" (p. xix).

Separately, the Australian Prudential Regulation Authority (APRA) concluded in April 2018 its prudential inquiry into CBA and released a report that outlines key shortcomings in governance, accountability, and culture. While the findings are specific to APRA's review of CBA, the report contains lessons for the industry as a whole, and in fact, other banks are being required to conduct a self-assessment against the specific CBA findings. The key issues outlined in the review include:

• Lack of alignment between banking remuneration practices and frameworks and indicators of good conduct
• Lack of senior leadership and board oversight on issues of conduct and culture
• Inadequate oversight and challenge by the Board and its gatekeeper committees of emerging nonfinancial risks
• Unclear accountabilities, starting with a lack of ownership of key risks at the Executive Committee level
• Paucity or nonexistence of sufficient internal controls.

As next steps, APRA has recommended that the banks design and implement stronger remuneration practices that will align with strong conduct and culture outcomes, and that banks leverage the Banking Executive Accountability Regime (BEAR) to detail international best practices on strengthening conduct and culture.

With the ongoing Royal Commission investigation and pending recommendations, as well as continued revelations of retrospective misconduct among Australia's financial institutions, we anticipate that the Australian banking industry is only beginning its long journey to repair its conduct and culture.

* National Australia Bank (NAB), Commonwealth Bank of Australia (CBA), Australia and New Zealand Banking Group (ANZ), and Westpac (WBC).

Source: "Why is Australia investigating its banks?," BBC News, February 12, 2018.

for other sectors, as seen in the changing career destinations chosen by MBA students post-graduation (Figure 5.4). Despite a number of high-profile discrimination lawsuits, banks' efforts focused on improving diversity have been minimally successful,² as diverse talent remains deterred by cultures they view as not supportive and attentive to their development and well-being. Further, the shift toward digitization will continue to reveal gaps in banks' technology capabilities, pressuring banks to compete for talent that is already in high demand by other industries. This and similar trends may spark concerns about potential talent shortages in an industry that is highly dependent on its human resources as a competitive differentiator.

Figure 5.4 Career destinations chosen by MBA students.
[Bar chart: percentage of MBA graduates entering each industry (Finance, Consulting, Technology, Investment Banking*) in 2007, 2013, and 2017.]
* "Investment Banking" is a subset of the "Finance" category. MBA = Master of Business Administration.
Sources: 2007 and 2013 data: "Business education: Banks? No, thanks!," The Economist, October 11, 2014. 2017 data: average employment data from Chicago Booth, Wharton, Harvard, London, and INSEAD.

Bank culture and conduct are more important than ever, to repair trust and reputational issues and fulfill the role of banks in society. Sound culture and conduct are critical for banks to be able to play their role in society, and to the stability of the broader financial system. Banks are held to a higher standard than many other service providers given that the services banks provide are viewed by many as a public good that benefits society—that is, intermediating between sources and needs of funds and facilitating transactions throughout the economy—and the effects of failure extend beyond just shareholders, with repercussions for the broader economy. Further, because banking products and services can be complex and difficult to understand, the public expects banks to provide good advice based on expertise and in the clients' best interest.

And yet, many banks that devote considerable attention to their business strategies and actions spend insufficient time thinking about their purpose and the role they play in society. Despite the trending notion of balancing stakeholder needs and the argument that, over the long run, putting the customer first is the best way to drive sustainable shareholder value,³ short-term trade-offs often confront banking executives, in which doing

² "Why Diversity Programs Fail," Frank Dobbin and Alexandra Kalev, Harvard Business Review 94 (7) (July/August), 2016.

what is best for customers may lead to less immediate profit or more immediate cost. In such situations, clarity of purpose is critical to enable executives to resist the temptation of near-term gains, and to make decisions for the long run. Banks must understand, reinforce, and internalize their key economic and social purpose and improve their culture and conduct to fulfill that purpose.

Responsibility for ensuring the organization's ability to balance purpose and profit ultimately resides with the board and the CEO. Under the rubric of culture, as with other aspects of business performance, the board should see it as its key responsibility to set the right tone and reinforce the desired culture, and to oversee the bank's efforts to sustain a healthy culture. In addition to the board, the chief executive should have a comprehensive awareness of the overall tone and know what is happening under his or her watch. An expectation that senior management should invariably be aware of every departure from desired behaviors would, of course, be unrealistic, inappropriately implying a reversal of the burden of proof. But it is a specific responsibility of the board and senior management to put in place robust processes to identify and ensure appropriate escalation of behavioral breaches. Such processes should be designed to be auditable and the subject of regular monitoring by internal audit as a key ingredient of the third line of defense.

Despite significant efforts, many still voice concern about the industry's ability to make profound and lasting change. In our interviews, industry leaders voiced several questions and concerns about culture and conduct:

• Have things really changed? Skeptics wonder whether true change is possible in an industry that maintains large potential upsides to pushing the boundaries, and point to the example of Wall Street in 2017 recording its highest bonuses since 2006.⁴ In addition, despite banks implementing many process and policy changes to mitigate misconduct, culture and conduct have yet to be fully embedded in many banks in how they do business, and conduct issues are still observed in banks worldwide. Others are concerned about the passage of time dimming the effect of the lessons learned during the global financial crisis, and of the possible return to old practices, especially if interest rates rise, regulation is lessened, and other business conditions improve. As post-global financial crisis regulations are potentially rolled back (in some jurisdictions), firm-level focus on conduct and culture (by the board and senior leaders) must take on even greater importance.
• Potential for culture and conduct fatigue. Especially in some geographies where there has been a long-standing focus on conduct and culture problems, we detected some desire to move on and get on with business. Banks cannot think of culture and conduct as separate from business, or as merely soft or HR-specific issues. They are business, that is, how business needs to be done and the means by which banks can achieve continued success and sustainability. For culture and conduct initiatives to be successful, they need to become internalized as a way of doing business rather than a program that is created and then ignored. Conduct and culture must be understood by all employees.

³ Balancing stakeholder needs with putting the customer first ultimately improves company success, so no trade-off between customers and shareholders should exist.

⁴ "NYS Comptroller DiNapoli: Wall Street Profits and Bonuses Up Sharply in 2017," Office of the New York State Comptroller, March 26, 2018; http://www.osc.state.ny.us/press/releases/mar18/032618.htm.



• Shift in relevant management and leadership capabilities. Many leaders reported that historically, the banking industry managed the business and the people primarily via quantitative metrics (for example, volumes, sales, and profits), which were relatively straightforward to assess. In the context of the increased emphasis on culture and conduct, however, there is greater need for management acumen and skill as banks start to manage not just the "what" but also the "how," which requires much more judgment as well as proximity to and involvement in the daily business operations. Also, driving sustainable cultural change at large organizations requires leadership capabilities that may not have been a focus of development in the past, such as more focus on soft people management skills rather than financial acumen. Finally, creating an environment of psychological safety where all employees feel empowered to be authentic, where diversity can thrive, and where challenging groupthink is encouraged will require greater management skills.
• Shifting toward a more nuanced and effective style of management. This is especially difficult in many institutions given the leadership deficit they are facing. In fact, many banks historically promoted their best producers/performers into management roles with minimal regard to ability or interest in managing others (and often without regard to the individuals' values and ethics, sending a powerful message in terms of the organization's priorities). And little time was dedicated to developing management skills. A management role was often considered a reward for a job well done rather than a privilege, obligation, and responsibility to develop others and ensure the long-term sustainability of the firm. Banks are now realizing a leadership gap in middle management layers, with a lack of skill and capacity to manage the "how" of performance, and limited ability to influence and drive team member behaviors. A number of banks that have historically underinvested in the management and leadership capabilities that they require are now investing in leadership development to make up for lost time.
• Evolving forces on conduct. While the definition of good conduct will stay the same, the pressure points will change as the market and business models continue to evolve. Banks will be tasked with anticipating and addressing additional scenarios for misconduct that may emerge, such as uncertainty in pricing contracts in the context of the London Inter-bank Offered Rate (LIBOR) transition; new General Data Protection Regulation (GDPR) requirements around data usage, consent, retention, and portability; and risk of embedded bias in automated black box systems and artificial intelligence (AI).
• Rolling bad apples. Individuals with poor conduct records move from one bank to another. Can issues truly be resolved and addressed at the industry level if "bad players" can simply move from one institution to another with impunity? What can the industry do to address this? Are there lessons from other professional industries (for example, legal, medical, engineering) that are applicable? Do laws defending employee rights clash with the industry's ability to protect itself from toxic employees? The industry continues to grapple with these issues within the constraints of privacy and employment laws.
• Increasing scope for supervisory gaps and conduct arbitrage. As the thinking of financial authorities around the world continues to evolve on conduct and culture, the divergence in supervisory approaches across jurisdictions is arousing concerns around conduct arbitrage, that is to say large firms seeking to benefit from supervisory oversight in jurisdictions that may be less focused and demanding. Further, Open Banking developments have started to create some blurring of competitive lines across banks, technology companies, retailers, and telecom companies, adding to concerns around fair competition and customer protection.

This report is structured as follows. Section 1 presents industry progress on conduct and culture since the financial crisis, and particularly since our 2015 report; section 2 outlines the lessons learned; section 3 offers additional, specific recommendations reinforcing our 2015 recommendations; and section 4 explores outstanding questions and opportunities for continued progress in the future.

While this report focuses on banks as our primary audience, we note that non-bank financial institutions (for example, private equity firms, hedge funds, and insurance companies) are also prone to conduct and culture issues that are similar to those of banks. Certain issues may come into particularly sharp focus at these institutions, such as the possibility of outsized financial rewards promoting excessive risk-taking behavior. We hope that, as has been the case with our previous reports on governance and supervision, the leadership and directors of non-bank financial institutions will also internalize the lessons learned and our recommendations. As Box 5.3 makes clear, conduct and cultural failures are not unique to banks—far from it.

BOX 5.3 NOT JUST BANKS

Examples of corporate misconduct are not limited to the banking industry. Other industries worldwide, including manufacturing, automotive, and high tech, have exhibited various forms and levels of misconduct, especially over the last few years. As in banking, the root causes of misconduct stem from poor corporate cultures, inexperienced or self-absorbed managers, weak internal controls, and lack of safe escalation procedures. These have resulted in billions of dollars in fines, criminal investigations and charges, leadership removal, and loss of customers.

Two industries in particular, automotive and high tech, highlight the similarities in environmental factors also observed in the banking industry, which led to cultural breakdowns and eventually to misconduct issues.

• Automotive: In Germany, in particular, several major incidents of misconduct have emerged from the intentional manipulation of vehicular software to deceive emissions tests. In September 2015, the United States and Germany opened investigations into Volkswagen's/Audi's deliberate rigging of software on 11 million diesel-powered vehicles worldwide between 2009 and 2015, including 600,000 vehicles in the United States, to falsify emissions levels to pass U.S. emissions tests. Investigators further found active approval, engagement, and concealment of this program by the Volkswagen/Audi senior leadership, including then-CEO Martin Winterkorn. Consequently, Volkswagen has faced numerous federal investigations in both the United States and Germany; criminal charges or arrests of senior leaders and managers, including Volkswagen's and Audi's CEOs;¹ and over US$30 billion in recalls, legal penalties, and settlements as of midyear 2018. In addition, German authorities are investigating similar misconduct at Daimler, which faces a potential US$4.4 billion fine for illegal software in some Mercedes-Benz models.² It is worth noting that the German car executives concerned received among the highest bonuses in the country.
• High tech: The high-tech industry has also struggled with many reputational issues, allegations of misconduct, and loss of business due to actions that negatively impact key stakeholders (that is, customers and employees). In addition, the high-tech industry overall has been plagued by extensive accusations of discrimination and mistreatment of female employees. The examples of cultural failings are rampant. During the tenure of its former CEO, Uber's culture had serious faults and resulted in numerous incidents of misconduct, including deliberately undermining its competitors (for example, booking thousands of fake Lyft rides, spamming Lyft drivers), underpaying its drivers, using technology to deceive law enforcement, applying surge prices inappropriately, and stealing trade secrets from Waymo (the Uber example is also an interesting case of social media turning on a company for its decisions/behaviors, and the #DeleteUber movement showed customers voting with their feet). In December 2017, Apple admitted to slowing the processors on its older generation iPhones, presumably to sell more batteries or new iPhones. Finally, Facebook has demonstrated significant negligence in managing the privacy of millions of its users' data, as revealed in the Cambridge Analytica scandal in early 2018. Personal conduct of senior executives is also under scrutiny; in a one-month period in the summer of 2018, three CEOs in the chip industry resigned or were fired for conduct reasons (the companies involved are Texas Instruments, Intel, and Rambus).³

Cross-industry lessons

Upon examination of other industries that have suffered significant and systemic cultural breakdowns similar to those observed in banking, we identify five characteristics that these industries have in common and that might provide insights into characteristics that lead to greater culture risk.

1. Lack of diversity: Industry homogeneity in backgrounds, education, gender, and racial/ethnic composition remains prevalent and can foster groupthink cultures. Such environments limit the number of challenges or alternative opinions required to effectively mitigate poor business decisions.
2. Presence of dominant companies: A few large, successful players dominate these industries and may lead to deprioritizing culture, given that these companies have been able to attract customers and talent due to their dominant brands.
3. High dependence on specialized skills: High-quality, well-educated candidates with specialized knowledge are critical in these industries. As a result, such individuals can often take on an outsized organizational role in their influence and decision making and make it more challenging to fire such highly valued individuals even in the face of egregious behaviors or inappropriate decisions. Distorted views of individuals' contributions can also lead to the cult of personality in many of these firms.
4. Misaligned incentives: Performance and remuneration schemes are often aligned with quantitative or financial targets, which can inadvertently prioritize decisions that lead to misconduct. In addition, average annual wages for positions in these industries tend to be significantly higher than mean annual national wages; for example, in the United States, the mean annual wage for financial analysts and advisors is 107 percent higher than the U.S. mean annual wage across all industries, and the mean annual wage for computer- and tech-related jobs is 77 percent higher than the U.S. mean.⁴
5. Ineffective leadership and management skills: Board members, senior leaders, and middle management of fast-growing and highly successful firms may overestimate their own and their company's capabilities and be ill-equipped and too inexperienced to recognize potential risks and complexities of their operating and revenue models. Hubris caused by a high degree of success can also cause individual leaders to believe their capabilities and decisions are unassailable and they start to believe in their own rhetoric.

¹ "Audi CEO Rupert Stadler arrested in Germany," CNN Money, June 18, 2018.
² "Germany threatens Daimler with 3.75 billion euro fine over emissions-Spiegel," Reuters, June 1, 2018.
³ "Texas Instruments CEO Resigns After Code of Conduct Violations," Maria Armental and Eliot Brown, Wall Street Journal, July 17, 2018.
⁴ "National Occupational Employment and Wage Estimates," U.S. Bureau of Labor Statistics, Washington, D.C., May 2017.

SECTION 1. ASSESSMENT OF INDUSTRY PROGRESS

Our 2015 report outlined key recommendations for improving conduct and culture, across both the what and the how for banks to challenge their cultural foundation:

• THE WHAT. Banks should specify their cultural aspirations through a robust set of principles, and fashion mechanisms that deliver high standards of values and associated conduct consistent with the firm's purpose and broader role in society.

• THE HOW. Banks should work to fully embed the desired culture through ongoing monitoring and perseverance, drawn from four key areas: senior accountability and governance, performance management and incentives, staff development and promotion, and an effective three lines of defense.

Our specific recommendations are summarized in Table 5.1.

This chapter reviews the progress the banking industry has made on conduct and culture since the financial crisis, particularly since our last report in 2015, with a specific focus on the recommendations above. Before we begin, two caveats:

• It is not possible to holistically grade progress at a global level, given the (sometimes very) significant differences by geography and by each individual institution; for larger banks, progress may even differ across businesses, offices, and teams. For example, banks in markets directly impacted by the financial crisis (for example, the United States, the UK, and Europe) experienced an immediate spotlight on culture and conduct and have been on this journey for a decade, while banks in markets that escaped the financial crisis relatively unscathed (for example, Australia) have only more recently begun to focus on the issue. In many of the areas assessed, we observed significant gaps between the leaders and laggards, with some institutions having made significant improvements while others still operate under the perception of "it would never happen to us."

• While progress in terms of inputs/efforts can be easily observed, whether and how these inputs/efforts actually impact outcomes is difficult to prove. Even a reduction in conduct breaches over time cannot be considered a conclusive indication of improvement, as seen by the number of conduct scandals that persisted for many years and only recently have come to light.

Given these considerations, we focus on the efforts and inputs of banks to improve culture and conduct, and we attempt to provide a range of views on progress across the industry.

That the industry mindset on culture has evolved was a point of unanimous agreement across all our interviews. There is now collective appreciation of the importance of culture and conduct, and the need to improve. But tangible industry progress has been slow, especially as the bar for good conduct continues to rise and the public continues to expect more from banks, and as levels of transparency (especially due to social media) increase. While a number of individual firms have made headway in implementing changes to formal and informal elements of culture, the industry as a whole continues to struggle to embed culture in a more fundamental manner, and to conclusively demonstrate the effects of these changes. Moreover, there is a growing gap between firms that are applying a holistic, multipronged approach with active board-level engagement and firms that continue to focus more narrowly on misconduct management and compliance as the solution to cultural issues.

Two relatively recent incidents in particular have attested to the seriousness of the continuing cultural and behavioral leadership

86 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 5.1 Summary of 2015 Recommendations

Area 1. Fundamental shift in the overall mindset on culture
a. Banks should look at culture and look to achieve consistent behavior and conduct aligned with firm values, as key to strategic success.
b. Banks should reinforce the messages in their actions and in their internal communications.
c. Banks' behaviors and conduct should be open to constructive internal challenge.

Area 2. Senior accountability and governance
d. Oversight of embedded values, conduct, and behaviors should receive regular attention in boards' agenda setting, given sensitivity to reputational risk.
e. Board charters should include responsibility for oversight of values and conduct.
f. Boards should build a reputation, values, and conduct risk tolerance dashboard to aid in their evaluation of cultural issues.
g. If the Chair and CEO positions are not split, boards should ensure that the lead independent director spends adequate time in the effective challenge role to the CEO on values and conduct issues.
h. The CEO and Executive team should be highly visible in championing the desired values and conduct, and face material consequences if there are persistent or high-profile breaches.
i. The CEO should ensure that there is a thorough process that reviews the bank's brand and reputational standing.
j. Asset owners and third-party fund managers should tell boards directly that they consider effective governance and accountability to be a priority cultural matter for the firm and investors.

Area 3. Performance management and incentives
k. Compensation and promotion processes should ensure reflection of desired behaviors, including consequences for weak management oversight or willful blindness.
l. A comprehensive set of indicators is needed to monitor and assess the adherence of individuals and teams to firm values and desired conduct.
m. Individual review and assessment of senior executives by the senior leadership and CEO is required.

Area 4. Staff development and promotion
n. Banks should buttress first-line skills and ensure that frontline management and leadership are properly trained in how to conduct judgment-based staff evaluation and deal with identified breaches.
o. Banks should develop programs for staff across all areas of the bank that regularly reinforce what the desired values and conduct mean in practice.
p. Institutions should formulate and implement a system-wide values and conduct evaluation process for internal promotions and external hires.

Area 5. An effective three lines of defense
q. Staff and management in the business (first line of defense) should shoulder the largest responsibility for judging whether behavior is in line with the bank's values and desired conduct.
r. Banks should allocate clear second-line ownership to Compliance or Risk Management functions and ensure that the designated function is on the Executive team.
s. Banks should provide assurance to all employees that reports of wrongdoing in the workplace will be taken seriously and confidentially without reprisal. Banks should challenge the conventional wisdom on legal impediments and ensure that robust penalties and appraisal processes are in place.
t. Staff rotation between control and business functions may be beneficial and help develop the desired firm-wide cultural mindset.
u. Banks should ensure that the third line of defense is robust, has operational independence, is suitably staffed, and has a clear mandate to examine adherence to standards.

Area 6. Regulators, supervisors, and enforcement authorities
v. Regulators should carefully consider the limited effectiveness of promulgating rules related to values and conduct.
w. Conduct-of-business and prudential supervisors can, however, gauge the effectiveness of board and management processes that generate tangible oversight and change in values and conduct.
x. Conduct-related assessment should be embedded into the core supervisory work, rather than developed as an "add-on" task or objective.
y. Industry-led standard-setting initiatives should be encouraged.

Chapter 5 Banking Conduct and Culture ■ 87

and managerial deficit, one regarding Wells Fargo in the United States and one regarding Commonwealth Bank of Australia (CBA). Wells Fargo, considered an industry leader in cross-sell metrics and praised for having successfully navigated the financial crisis, saw a series of high-profile scandals erupt in succession from late 2016 that revealed serious cultural failings such as flawed incentives and excessive sales pressures, a pattern of corner-cutting and unethical behavior, and inaction by senior leadership. CBA, the largest financial institution in Australia and a bank respected for its history of financial success and technology innovations, also underwent a succession of scandals and was found in a 2018 prudential inquiry to harbor critical cultural shortcomings, including a sense of complacency; utilizing only a reactionary approach to exposed risks; insularity; and pursuit of consensus at the expense of constructive challenge and accountability.

In some ways, these cases shook up the industry in each market more than other cases because they were so unexpected; these were institutions with stellar reputations that had weathered the financial crisis relatively unscathed. They were also considered solid traditional banking institutions with a community focus. These scandals proved that conduct issues are not limited to investment banking and can in fact permeate conventional retail and wealth management banking activities. As one senior industry member stated, it is when the institution is successful, growing, and well-regarded that senior leadership must be most vigilant against the "tyranny of success," extreme overperformance vis-a-vis competitors, and the temptation of willful blindness.

Unfortunately, major conduct failures continue elsewhere, further underscoring that this is not predominantly an Anglo-Saxon matter. For example, the Danske Bank US$200 billion Estonia-Russia money-laundering scandal has shown that whistleblowing cannot be overlooked and should always be carefully and swiftly investigated by senior management with the oversight of and reporting to the board. Likewise, a money laundering scandal at ING led to a US$900 million fine earlier this year. The Punjab National Bank US$2 billion fraud has also highlighted conduct and oversight weaknesses in India's state-owned banks. Finally, the reported conduct failure at Goldman Sachs related to 1MDB drives home that a focus on conduct and behavior is essential to all firms.

Mindset of Culture

Since the financial crisis, culture and conduct concerns have risen in prominence at many banks, representing a clear shift in the mindset of culture. Most banks by now have re-articulated their core values (which are unique to each bank, but commonly include concepts such as customer/client centricity, integrity, and internal collaboration) in a Code of Conduct or similar document and have made efforts to repeatedly communicate these throughout their organizations (including implications of personal and company behaviors and expectations related to the firm's values).

Banks have taken various approaches to communicate values throughout their organizations. One CEO personally reviews important bank-wide communications to increase visibility of the bank's values and ensure alignment with the organization's culture. Other banks have set up regular town halls and focus groups to promote dialogue on values and create venues for constructive challenge. A number of institutions have developed interactive training and role-playing to further clarify and entrench the values and expectations.

Despite significant progress in formal intention, frameworks, and communications, the degree to which these values have been embedded in the day-to-day behaviors of employees has yet to be determined. While "tone from the top" is appropriately focused on conduct and culture matters, it is unclear if this has flowed throughout the organization and whether employees at all levels, and especially in the front lines, have fully internalized how this will change how they do business. Much opportunity also remains in working with middle management layers to ensure that tone from above properly reflects the message and intent from the top, and that employees are not in a position where they feel a conflict between what they hear from senior leadership and what they are required to do on a day-to-day basis.

Accurately understanding and measuring changes in culture on the ground remains challenging (especially in large, multi-geography and multi-business-unit banks), and will require banks to continuously monitor whether the formal shifts in their mindset of culture have translated to changes in the day-to-day conduct and behaviors of their employees.

Banks need to ensure that the inclusion of behavior and conduct within their mindset and approach toward business is permanent, and to view the process underway as a fundamental shift in how they do business rather than a program or set of initiatives. Many leaders interviewed shared the concern that as the crisis and scandals are put behind us, the lessons might be forgotten and a return to old practices might occur.

Senior Accountability and Governance

Board Responsibilities and Involvement

With the increased public scrutiny on conduct and culture, and greater expectation for Boards to be fully informed of and involved in such issues, ignorance is no longer an acceptable excuse. In fact, on conduct issues and risk taking, many directors are asking themselves "how do we really know?" and are putting in place measures for greater involvement and insights into the company culture.

The banking industry overall has stepped up board-level involvement on these topics. Prior to the crisis, only one-third of global systemically important financial institutions (SIFIs) had a dedicated board-level financial risk committee,5 and boards rarely (for example, once a year or sometimes even less frequently) dedicated attention to culture and conduct topics, leading to a deficit in expectations and guidance for senior executives on such issues. Today, conduct and culture discussions account for a meaningful share of board agendas, and as observed by industry participants, the increased board involvement represents not just lip service but tangible improvement.

The specific form of implementation varies across banks. Some boards have co-opted existing, more broadly mandated committees (for example, Risk Committees); some banks have newly established dedicated subcommittees on culture and conduct topics; and still others have opted for multiple overlapping committees to exercise joint oversight over these issues.

Our prior recommendation to split Board Chair and CEO roles has been executed to varying degrees. Many U.S. banks persist in a combined role. Wells Fargo notably shifted to a split model driven by shareholder pressure in the aftermath of the conduct failure and scandal, and Citigroup has announced they will continue to split the Chair and CEO roles. While the splitting of roles does not on its own guarantee elimination of misconduct (scandals have occurred in banks with split roles), it nonetheless is good governance practice and facilitates checks and balances between board and executive leadership.

Board-Level Conduct Management Reporting

Developing management and board-level conduct management reporting has been a major area of focus for many banks over the last few years, in response to regulatory and senior management pressure. Many banks are in the process of creating and refining their culture (and often also ethics) dashboards, often leveraging data and information that is already collected across the organization, and now collating and analyzing these indicators through a culture lens for the first time. There is general agreement on the value and importance of such dashboards, though the approaches vary in the type, amount, and granularity of indicators. Results are often examined by a variety of factors including geography, business unit/function, tenure, and employment level, to identify subcultures, discrepancies, and pockets of issues existing today and appearing over time.6

The trend analysis across both leading and lagging indicators has been used effectively in a number of institutions, but many organizations still struggle with shortcomings in their reporting abilities. The challenges reported by banks include:

• DATA QUALITY AND AVAILABILITY: The required data are not available and take time to build (requiring capability

5 "BSB Blog: Sir David Walker on Banking Conduct and Culture," David Walker, Banking Standards Board, May 24, 2018; https://www.bankingstandardsboard.org.uk/bsb-blog-sir-david-walker-on-banking-conduct-and-culture/.

6 See Section 2 Lessons Learned for additional information on how banks are approaching culture and conduct measurement and reporting.



enhancement or new roles and responsibilities), and/or available data are of poor or variable quality. Data must also enable reporting and metrics at the right level of detail and granularity to be able to identify localized declines or weak areas. Management must be able to slice and dice the information in order to spot, highlight, and investigate specific or localized issues. Greater advances in technology and AI are starting to enable greater monitoring and analysis capabilities.

• APPLICABILITY: Defining standardized metrics across businesses and geographies that are meaningful and can be aggregated remains a challenge.

• RELEVANCE AND EFFECTIVENESS: Existing metrics provide useful but limited insights in isolation, and relationships between variables and trends need to be considered. Also, banks continue to struggle to develop forward-looking measures and test outcomes, and given the fact that available metrics are often asymmetrical, they remain focused on reporting misconduct rather than conduct more broadly (including positive measures of conduct).

• USEFULNESS: Conduct and culture reporting in many institutions is a relatively new exercise and will require practice to get right. Many banks are still struggling with how to best use the data and metrics to trigger action or achieve goals of better managing conduct risk. Interpreting the data and translating it into actionable insights is a work in progress at many banks we interviewed.

Monitoring and measurement will always be difficult, but this should not dissuade firms from the exercise, as they can continue to develop and adjust their tools over time.

Modeling Behavior

Banks increasingly recognize the importance of leading from the top ("tone from the top") and the need for senior management to consistently set concrete examples of desired behavior for the organization to follow. While tone from the top can materialize in various ways, a few best practices have emerged in recent years.

First, leaders can ensure that their communications throughout the bank are consistent, clear, and relatable (for example, clearly explaining key decisions, how they fit with the firm's overall strategy and culture, and how the decision is relevant to employees). Second, leaders can demonstrate the desired behavior by living it on a daily basis and exhibiting it in how they act within the firm, with employees, and with customers and clients. Examples matter, and those set by a firm's leadership are key to embedding culture. One CEO set a strong tone early in their tenure by rejecting a business opportunity that was not aligned with the company's culture, even though it resulted in a significant loss of business and profits for the company. Third, leaders can and should model desired behaviors by expressing (and, more importantly, demonstrating) a genuine desire to receive and respond to feedback. At one bank, the CEO, upon finding that a culture issue raised by an employee had not received attention in a timely manner, proffered a personal apology for the delay.

Finally, bank leadership can tangibly demonstrate they are in the same boat with employees by taking responsibility for the consequences of difficult actions or outcomes. For example, the CEO at one bank took a voluntary 40 percent pay reduction upon unveiling a plan to cut staff numbers and instituted long-term incentive plans with compensation deferred for multiple years.

Senior leaders sharing their own dilemmas and scenarios of when they faced difficult and ambiguous decision making also helps in both defining the expectations and making leaders more approachable.

Role of Asset Owners and Third-Party Fund Managers in Influencing the Board and Management Focus on Culture and Conduct

• Asset owners and shareholders are beginning to increase pressure on banks with regard to culture and conduct, and in a number of interviews, CEOs spoke about actively engaging key shareholders in a dialogue about their firm's culture. Investors, on the other hand, still feel it is difficult to have a true voice in the process given the diffuse nature of the investor community; that is, they rarely speak with one voice (see Box 5.4).

• The Wells Fargo scandals revealed the extent of increasing investor attention on these topics: not only did they incite vocal reactions from activist investors, demanding improved governance and changes in board membership, but the resulting record US$60 million senior executive claw-backs were made possible by prior activism in 2013 by New York City's pension funds to enable claw-backs in the event of misconduct.7,8

7 "Citi, Wells broaden exec pay clawback policies," MarketWatch, March 13, 2013; https://www.marketwatch.com/story/citi-wells-broaden-exec-pay-clawback-policies-2013-03-13.

8 Clawbacks (especially ones due to public/investor demands) should be seen by the industry as a last resort measure. The industry should strive to achieve effective upfront compensation assessments rather than after-the-fact remediation.

BOX 5.4 THE INVESTOR VIEW

As companies in the banking industry (and in other industries) face increasing conduct issues, and have incurred significant financial costs (fines, lawsuits, lost business), we have seen investors increasingly paying attention to the softer issues beyond financial results. A number of bank CEOs reported to us that they have started engaging directly with large investors to discuss their culture—and the potential impact of strategy on culture and conduct. For the first time, we included interviews with large institutional investors in our report, the key findings of which are described below.

Investors we interviewed care about the culture of their portfolio companies from two perspectives: (a) they look for a board that is independent and strong, while also being appropriately involved in understanding how the business is run; and (b) they look for sustainability, which requires both strong financial results and positive outcomes for all stakeholders, not just shareholders.

Board culture: The investors we spoke with look at the corporate culture but also, importantly, at the board culture. While the two are related, they are not the same. Assessing the board culture enables investors to understand the effectiveness of the board in representing and defending the interests of shareholders. Elements that they look at include:

• Diversity of board members (such as experience, background, and gender)
• Culture of accountability within the board
• Ability to dissent and have differing views from the majority
• "Chumminess" of the board with the CEO.

Investors also assess how well the board understands the culture of the firm and how the culture drives ability to achieve desired results. One investor we spoke with said that while boards have become more involved in discussions with management about culture, many directors are still unable to fully articulate or describe the company culture. From the investors' viewpoint, there appears to be room for improvement in terms of boards' understanding, involvement in, and influence on corporate culture.

Culture as a driver of sustainability: While investors focus on returns, there is an increasing recognition that "soft" factors such as culture can make or break a company. Financial returns are necessary but not sufficient; returns can be wiped out by one event. Culture failures not only lead to hard costs (fines, lawsuits) and financial losses, but scandals and reputational issues put management in a crisis mode, which detracts from their focus on business growth and revenue generation. A sustainable business model must include a focus both on financial results and on addressing the interests and well-being of all stakeholders. As one institutional investor stated: "It is not a choice between profit or purpose—we are long-term investors for our clients and that requires our portfolio companies to pay attention to both profit and purpose."

The challenge, of course, is that even today, the markets put significant focus on quarterly earnings, which can lead to business decisions and actions that maximize short-term financial results over other priorities. One institutional investor told us that the market needs to start thinking long term rather than in quarterly results, "but the market is not good at pricing the value of having sustainable results: there is value in good culture and good corporate citizenship but we call these the nonfinancial elements because we don't know how to price sustainability." This investor looks carefully at environmental, social, and corporate governance (ESG)* elements as they believe these provide forward-looking insights. Financial results report on historical performance, but the ESG elements provide predictive insights into an organization's health, and therefore continued ability to perform.

While asset owners have the potential to significantly influence boards and management to focus on culture as a driver of long-term sustainability, the greatest impediment remains the diffuse nature of the investor community and of their interests. Even the largest institutional investors rarely have significant ownership in any one company, and it can be difficult for them (on their own) to influence board/management agendas. Aside from specific scandals that can cause investors to align their interests, shareholders in any one company often have very diverse goals and may seek divergent outcomes. The asset owners we interviewed spoke about the need for the investment community as a whole to better align on the importance of culture and governance as drivers of sustainable financial results.

*Note: The ESG elements are the three main areas of focus in measuring the sustainability and ethical impact of an investment in a company.

Performance Management and Incentives

Many banks, particularly in the UK and Europe,9 driven by recent Financial Conduct Authority (FCA) and European Banking Authority (EBA) guidance, have reviewed their remuneration schemes, and incorporated cultural and behavioral considerations into performance scorecards, most notably at senior management levels. Banks are at varying stages of formalizing these measures, cascading them to middle management levels

9 In Australia, APRA released an updated remuneration framework and set of standards; see "Information Paper: Remuneration practices at large financial institutions," Australian Prudential Regulation Authority, Sydney, April 2018. Specifics on implementation and outcomes are not yet available.



and below, and ensuring consistent application. While some banks are beginning to report cases of significant compensation adjustments resulting from the adoption of balanced scorecards for performance management, many banks still weigh the "how" element lower than the "what." In practice, it is much easier to evaluate direct results than behaviors, and difficult to penalize high performers who do not fall in line with cultural expectations. Nonetheless, boards and management must take this step, and be willing to terminate employees for conduct breaches when necessary.

Recent years have seen cases of conflicted remuneration models that incentivize overly aggressive sales behaviors that resulted in harmful outcomes for customers. A number of individual firms have removed sales-focused incentives for frontline staff, opting instead for alternative measures such as those based on team goals and customer satisfaction outcomes. One bank shifted compensation away from paying based on profitability metrics to paying commission based on a service provided to the customer. For the commission to be paid, the client must be aware of and happy with the service (a third party is employed to collect client satisfaction key performance indicators [KPIs]). Another bank shifted to a three-pronged performance evaluation for all staff: (a) performance in job, (b) effectiveness of behavior, and (c) results on personal stretch goals.

This transition in compensation structures has not been without friction, with some banks experiencing initial sales declines, and others needing to experiment with alternative performance measures to achieve the right balance between incenting good conduct and achievement of strategic goals. The changes in incentives will also require efforts in other areas, such as reeducating staff to better assess customer needs and make suitable recommendations, and introducing new service tools and routines for frontline staff.

Another challenge of transitioning from purely results-based compensation to a balanced-scorecard compensation structure is that it requires insight into how employees perform their role. This means that managers must have enough time and management acumen to understand what actions and decisions are required in different circumstances and whether the employee did in fact exhibit these behaviors. Also, because compensation is such a blunt (and limited) instrument for influencing behavior, organizations that value the "how" as much as the "what" need to minimize reliance on compensation as a management tool. Compensation has a role to play, but more important is the role of leadership. One institution we interviewed trains managers to look for real-time coachable moments to drive employee behaviors rather than only ex-post compensation measures.

A number of leaders we interviewed, while agreeing about the need to change compensation structures, also pointed to the limited impact on culture this change will have if done in isolation. In fact, compensation is often a by-product of its environment rather than a driver. Whenever there is misconduct, there are almost always issues with incentive design. However, one must ask whether the incentives drove the undesirable behavior or the incentives are an indication of the wrong mindset, which is ultimately responsible for the behavior.

To be credible, the shift toward a balanced performance management culture also requires willingness and courage on the part of leadership to deal with high performers (from a purely results perspective) who display toxic behaviors. When management unevenly upholds standards of behavior, it sends a powerful message to all team members of what is important in reality regardless of the stated values.

Banks have also become more willing to act on and publicize breaches of conduct, and some have signaled when conduct failures have led to terminations, which, when done, sends a very strong firm-wide message. Whereas in the past poor behavior from a strong producer may have been overlooked, banks today have much lower tolerance for bad behavior and have stated that they are even willing to forego revenue opportunities (for example, withdraw from certain deals or businesses) where necessary in favor of maintaining a strong culture.

Banks are also beginning to weigh the potential benefits of using breach of conduct incidents and terminations as teaching moments, against the potential risks of running afoul of privacy, confidentiality, and employment law. Some banks are choosing to explicitly communicate such narratives, while others rely on informal grapevines and collective consequences (for example, heavier scrutiny of activities) imposed on teams of the offending individual or individuals to spread the message internally. A number of senior industry executives pointed to the disconnect between regulation and societal expectations on the one hand, and employment and privacy laws on the other. Dealing rapidly and forcefully with egregious breaches of conduct can be difficult, especially in certain jurisdictions with strong employee protection. In the current climate of social justice campaigns and activist investors, ethical and legal considerations need to be aligned.

Staff Development and Promotions

Training programs on conduct and culture have expanded in size and scope at most banks, often focusing on defining specific expectations around behavior and helping employees

92 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
understand how abstract values and principles specifically translate into day-to-day responsibilities and expectations. This is a very important element of driving behavior; historically, while banks had value and mission statements, there was very little guidance for employees to translate high-level statements into "what does this mean specifically for me in my everyday job to be able to live up to the expectations of the institution?" Banks are applying a variety of scenario-based/role-playing/industrial theater approaches and using a combination of live and web-based mechanisms to deliver content. As one industry leader put it, "we need to map the culture to the practical," providing actual examples of how the culture must be lived. Another area of training is around the grey zones where judgment is required. Banking is a complex business where rules and policies are not possible (or even desirable) for every situation. A principles-based culture requires that employees also have the knowledge, skills, and tools to face the multitude of decisions in ambiguous and complex situations where the right answer is not obvious.

At the same time, some banks have seen that the increased level of training on all aspects of conduct can have a numbing effect on staff, where employees start to tune out and training has the opposite effect than intended. It is important to have the right training for the right people at the right time and to target the training and not push everyone through everything.

Conduct screens are also increasingly being applied to promotion and external hiring decisions. Some banks have stepped up their hiring practices to better assess new recruits' alignment with the organization's purpose, values, and expectations on behavior; examples include conduct interview questions, ethical screening, and various forms of personality assessments.

Recent years have also seen active investment in surveillance technology at banks (see Box 5.5), typically beginning

BOX 5.5 USE OF MACHINE LEARNING FOR CULTURE AND CONDUCT SURVEILLANCE BY SUPERVISORS

Both banks and supervisors have recently started to look at the use of advanced technology (that is, AI and machine learning) to support conduct risk management through automated surveillance techniques.

Culture and conduct surveillance establishes what normal or expected behavior is for a company/function/role, and then analyzes relevant data to identify behaviors that are not in line with the norm. This objective of identifying patterns and anomalies in behavior is an ideal application for machine learning models. For example, clustering algorithms are effective in identifying patterns, trends, and correlations in large bodies of data such as account openings and sales performance. In addition, natural language processing techniques can be used to extract sentiment and meaning from chat logs and call transcripts to identify employee misbehavior or trends in customer complaints.

While not without some controversy (related to privacy and intrusiveness), the technology is advancing rapidly and there are numerous benefits to automating the monitoring, comparison, and analysis of behavior patterns. Indeed, individual companies have experimented with and are starting to implement such capabilities. Supervisory bodies are also exploring how these capabilities could be used to address their goals of ensuring safety and soundness.

Assuming supervisors can collect the necessary data at the appropriate granularity and frequency from institutions, they could apply machine learning techniques to monitor culture and conduct at the industry level and across institutions on an ongoing or near real-time basis. However, even though such applications are feasible in theory, the practical reality is much more challenging.

The initial practical challenge is the collection of the necessary data in a consistent manner across institutions. However, bigger concerns and challenges arise after the data are collected. These include establishing baseline behavior, setting thresholds and triggers, drawing meaningful comparisons given the complexity of institutions and differences across institutions, engaging institutions to investigate potential issues, and the treatment of false positives. The other overarching issue, particularly from the perspective of supervised institutions, is the potential negative consequence of big brother influence on employees created by the ongoing monitoring of employee behaviors and actions.

The potential to use machine learning by supervisors for industry-wide culture and conduct surveillance is real, given that the technology already exists, and the data already reside within individual institutions. The benefits are numerous and include rapid identification and remediation of bad behavior and systemic issues; reduction of manual, siloed, and costly monitoring processes at institutions; and understanding of the cultural health of the industry (similar to how other industry-wide exercises such as Comprehensive Capital Analysis and Review [CCAR] help supervisors understand the financial health of the industry). However, the practical challenges are significant and likely prohibitive at this point. Overcoming these challenges would require a concerted effort and collaboration between supervisors and the industry to ensure that the potential benefits of this new generation of surveillance methods outweigh the downsides.

Chapter 5 Banking Conduct and Culture ■ 93


with capital markets businesses but increasingly broadening in scope to other areas. The focus at the cutting edge is on making better use of available data with advanced analytics, bringing together disparate analytical outputs (for example, communications/trade/voice surveillance, social media scanning), and exploring additional analytics to detect or predict potential conduct events (for example, reputational/sentiment analysis, network analysis, cluster analytics). While the technology is rapidly evolving to support such capabilities, the ethical questions around the acceptable degree and level of employee monitoring remain. With increased monitoring capabilities, banks need to carefully balance the need to manage conduct with the need to provide employees with some level of privacy and trust.

An Effective Three Lines of Defense

An effective three lines of defense is the area of greatest challenge and least progress to date. The shift of ownership of conduct and culture initiatives to the first line (where it belongs) has been slow. Banks are beginning to improve clarity of second-line oversight of conduct and culture risk, though a standard model has yet to emerge; the specific setup varies by bank size, complexity, and risk management approach. At many banks, second line teams are often still responsible for driving conduct initiatives, focusing on the development of frameworks and standards, piloting, and initial stages of implementation. In terms of the third line of defense, while some banks have started to establish culture audit practices, many banks still struggle with the best way to audit what can feel very intangible. Given this is a relatively new area of focus, banks are in the process of working through a maturity curve to understand the risk and develop a common taxonomy and frameworks.

The biggest gap we observed in the effective implementation of the three lines of defense for conduct risk management is that in many banks it still appears to primarily be a second line focus area. As with all other risks, to be properly managed, it needs to be owned by the first line and embedded in all business processes. It is especially important for the first line to be deeply aware of and accountable for conduct risk management given that conduct by its nature is how you do business. A conduct risk lens needs to be explicitly applied to all business activities including new product approvals, pricing guidelines, customer complaint handling, and evaluation of new transaction/business opportunities. Where it has been a focus by regulators and banks, some progress has been made. For instance, as the UK FCA notes in its "5 Conduct Questions" April 2018 Industry Feedback report,10 for the polled companies,11 nearly all frontline business areas have taken full ownership for conduct risk and related change and development programs. There are, however, firms that were slower to make this shift and continue to lag behind their peers.

10 "5 Conduct Questions" Industry Feedback for 2017 Wholesale Banking Supervision, Financial Conduct Authority, London, April 2018.
11 Per the report, a sample of approximately 30 firms.

In addition to ensuring that the first line firmly owns conduct and culture risk management, banks have also struggled with the organizational placement of the second line conduct oversight and control responsibility. Many banks have shifted the responsibility for second line oversight across a number of functions in order to find the right fit. Common organizational placements are Compliance, HR, Risk (directly under the Chief Risk Officer), Operational Risk, and Enterprise Risk Management. Each of these has its own set of benefits and challenges:

• Compliance is probably the most natural fit given that it has the expertise, experience, and discipline for surveillance and monitoring of employee activity. However, some banks are starting to worry that it may restrict the view too much with a focus on laws and regulations. Conduct is about what should or should not be done, rather than on what can or cannot be done.

• HR has the benefit of being able to integrate conduct management into the broader talent management life cycle from hiring to termination. Banks with close HR involvement in conduct initiatives have benefited from the ability to closely embed culture and values into various HR processes, including performance evaluations, incentives structures, and external recruiting. The downside is that as HR in some banks plays a first line role in many of those activities, its second line abilities may be restricted (in fact, in a number of banks, HR is considered a first line function). Another potential limitation is that in many institutions, HR does not have the same organizational power as the Risk function, nor does it have the proximity to the daily business that Compliance and Risk have.

• Placing conduct management in the Risk function directly under the Chief Risk Officer can be effective, especially in institutions that have experienced significant conduct issues, as it elevates the importance of the function and senior management line of sight. However, as an ongoing business-as-usual structure, this can lead to a siloed approach to conduct risk management.

• Operational risk management is a natural fit for many institutions that have defined conduct risk within the operational risk taxonomy and structure. Given that operational risk

covers people, process, and technology risks, conduct risk can be viewed as an extension of those risk types. The downside is that operational risk is such a broad and still evolving area of risk management that conduct risk may get lost in the fray and not receive the attention it needs.

• More recently, some banks have moved conduct risk management under enterprise risk. This can make sense for several reasons: it is closely linked to reputational risk, it requires a holistic understanding of risks across the enterprise, and it entails significant reporting effort for the board and senior management. The downside is that the Enterprise Risk Teams in many banks may be too small and not have the capacity to undertake oversight of such a pervasive risk type.

Furthering the dilemma on the organizational placement of second line conduct risk oversight is that many institutions do not yet have full clarity on whether conduct, culture, and ethics should be managed as one integrated function, or separately. While the industry has not defined one agreed model for second line oversight of conduct and culture, there are two guiding principles that should be observed:

• Whichever function is selected as the responsible second line, it needs to be clear. While all the groups listed above likely have a role to play in the oversight and governance of conduct and culture, there needs to be clarity on roles and responsibilities; that is, which function is taking the lead and which functions are tasked with contributing input (and the type of input) need to be explicitly stated. The risk responsibilities, policies, and appetite statements also need to be aligned.

• Whichever team is given second line oversight and governance responsibility also needs to be given proper power for conduct initiatives to have teeth.

Banks are also starting to further their thinking in terms of the third line's role in the management of culture and conduct. A number of banks have explicitly structured culture audit processes, and in some cases, institutions have established audit teams specifically focused on culture auditing.

While second line placement is important for an effective conduct risk management program, most important for the long-term and permanent success of culture and conduct efforts is ownership by the frontline business. Progress has been slow in embedding ownership of conduct risk in the first line, often due to a lack of understanding or experience by the first line management and/or the view of culture and conduct as a soft HR issue rather than a business imperative. Due to lack of first line ownership, some banks have seen first line responsibilities slip to the second line, which in turn rendered ineffective the second line's role of independent challenge. This is often due to the lack of clarity of how this risk should be defined and managed. It cannot be overstated that ultimately, ownership and oversight for conduct and culture risk management needs to be owned by the Board, the CEO, and the heads of the business units. Defining conduct risk, incorporating it into the risk appetite statement, and developing risk identification and auditing processes are all still very much a work in progress. For instance, many institutions are still struggling with the classification of conduct risk: is it its own risk type or a subset of another risk such as operational risk? As with all other risk types (credit, market, and operational and reputational risks), the methodologies and practices will mature over time. Formal risk management routines will need to be agreed and adopted for the effective functioning of the three lines of defense.

Regulators, Supervisors, Enforcement Authorities, and Industry Standards

Regulators and supervisors across the globe have increased attention to and expectations regarding conduct and culture. Examples include:

• UNITED KINGDOM: The FCA has been a driving force, issuing the Fair and Effective Markets Review in conjunction with the Bank of England and Her Majesty's Treasury, and implementing regulations for benchmark rates, foreign exchange (FX) remediation programs, and the Senior Managers and Certification Regime to increase individual accountability and governance via banks' senior leadership.

• EUROZONE: European regulators have dialed up scrutiny of conduct issues, for instance, with the ECB/EBA releasing conduct-related guidelines on governance arrangements and remuneration policies, and the De Nederlandsche Bank (DNB, the Dutch central bank) conducting examinations focusing on topics such as decision making, leadership, and communication. Further, the ECB updated its Manual for Asset Quality Review in June 2018, incorporating the implications of International Financial Reporting Standard 9 (IFRS 9) and increasing the importance of bank business models focused on investment services. Also, as part of its Internal Capital Adequacy Assessment Process, DNB has stated they will devote particular attention to strategic risks to banks, including the gradual deterioration of a business model.12

12 IFRS 9 was promulgated by the International Accounting Standards Board and addresses accounting for financial instruments. It covers the classification and measurement of financial instruments, impairment of financial assets, and hedge accounting.



• UNITED STATES: There has been increased focus on culture and conduct from the Federal Reserve Banks, the Office of the Comptroller of the Currency (OCC), the Financial Industry Regulatory Authority (FINRA), the Securities and Exchange Commission (SEC), and the Consumer Financial Protection Bureau (CFPB). In particular, the Wells Fargo sales practices scandal led the OCC to launch a multiphase industry-wide review. In his June 2018 speech, "Now is the Time for Banking Culture Reform,"13 Federal Reserve Bank of New York president and CEO John Williams expressed a sense of urgency in addressing banking culture, and the "need to ensure that bank management and boards are exerting strong and effective leadership with robust governance. That means holding management and boards of directors to high standards in terms of culture and conduct."

• CANADA: The Financial Consumer Agency of Canada (FCAC) launched a business practices probe, focusing on bank employees' obligation to obtain customer consent and provide proper disclosure about fees and costs when selling new products, and the Office of the Superintendent of Financial Institutions (OSFI) launched a review of domestic retail sales practices. The FCAC's related report,14 released in March 2018, noted insufficient controls at Canada's largest banks to mitigate the risk of mis-selling and breaching market conduct obligations.

• AUSTRALIA: The Banking Executive Accountability Regime (BEAR) is seeking to improve standards of behavior and accountability, and the Banking Royal Commission is currently investigating incidents of misconduct. The Interim Report of the Royal Commission is critical of regulators, and in its final report, due in February 2019, is likely to recommend that they be accorded additional powers. In May 2018, the Australian Prudential Regulation Authority (APRA) released its review of Commonwealth Bank of Australia's frameworks for governance and accountability,15 noting "CBA's continued financial success dulled the senses of the institution, particularly in relation to the management of nonfinancial risks." As a result, the APRA applied a $1 billion Australian dollar add-on to CBA's minimum capital requirement.

• HONG KONG: The Securities and Futures Commission's (SFC's) Manager in Charge regime aims to increase accountability of senior management and managers of key/control functions, while the Hong Kong Monetary Authority (HKMA) recently released a framework for fostering sound culture at banks.

• SINGAPORE: The Monetary Authority of Singapore (MAS) has drafted proposed guidelines on individual accountability and conduct via banks' senior leadership.

• CHINA: The China Banking Regulatory Commission (CBRC) has published Conduct Management Guidelines for banks, designed to facilitate reporting of improper conduct in banks. The process is designed to establish norms for long-term monitoring and inspection of bank practices. The People's Bank of China has also underlined the importance of conduct and culture for the leadership of major banks via its support for the G30 recommendations.

Financial authorities recognize that culture and conduct supervision represents a departure from historical, often quantitatively based prudential supervision, and are grappling with what that means in terms of the skills and capabilities of their staff and their traditional approaches, and their own internal culture and practices. A consensus view has yet to emerge on whether outside organizations that have traditionally focused on quantitative measures of bank health can, without hands-on experience, truly assess the culture of the banks they supervise and add value to a culture review.

In our interviews we heard significant differences of opinion in terms of the role regulatory agencies can play. On the one hand, culture is so intimate and unique to the strategy and values of a specific institution, it is hard to imagine any external party being able to engage productively in an assessment of the culture. On the other hand, numerous scandals and conduct issues have shown that insiders can miss signals of cultural deterioration, and management could benefit from external, unbiased inquiry. Some regulators have taken an optimistic view on this and are experimenting with alternative approaches. For example, DNB has hired psychologists to observe and analyze culture at banks, and the Monetary Authority of Singapore is building up AI and data analytics capabilities.

An important differentiation in determining the role supervisors should adopt in this space is the difference between conduct and culture. Given that conduct risk management is based on observable behaviors, it may lend itself to a clearer supervisory

13 Now Is the Time for Banking Culture Reform: Remarks given at Governance and Culture Reform Conference, Federal Reserve Bank of New York, by John C. Williams, President and CEO of the Federal Reserve Bank of New York, June 2018.
14 "Domestic Bank Retail Sales Practices Review," Financial Consumer Agency of Canada, Ottawa, March 20, 2018.
15 "Prudential Inquiry into the Commonwealth Bank of Australia (CBA) Final Report," Australian Prudential Regulation Authority, Sydney, April 2018.

BOX 5.6 HOLDING MANAGERS ACCOUNTABLE

First introduced in 2016 by the UK Financial Conduct Authority, Accountability Regimes already cover or will cover many major financial centers and financial business models. These regimes are a direct response to a call to amend professional standards and the culture of the banking sector following a perceived lack of personal responsibility for management failings in the financial crisis.

The UK Senior Managers and Certification Regime (SMCR) introduced a statutory duty of responsibility for a defined set of senior individuals in a firm to demonstrate that they have taken reasonable steps to prevent prudential and conduct failures. The regime has been recognized by many as a key driver of cultural and behavioral changes in senior managers in banking. The SMCR was originally established for deposit takers and later extended to include investment firms and insurers, and focused on clearer articulation of senior roles, responsibilities, and accountability, as well as individual consequences extending to legal prosecution and sanction in the event of breaches by the firm.

Accountability Regimes have since emerged in several other jurisdictions including Hong Kong Manager-in-Charge (MIC), effective October 2017; the Australian Prudential Regulation Authority's BEAR (Banking Executive Accountability Regime), effective July 2018; and most recently the Monetary Authority of Singapore's proposed Individual Accountability and Conduct Regime and guidance from the US Federal Reserve Bank.

In designing and implementing these regimes, supervisors need to have a clear view of the intended outcomes of an Accountability Regime, and design a regime that adheres to those outcomes, taking lessons learned from established regimes such as the FCA SMCR. Special attention should be paid upfront to consider potential unintended consequences and design standards and principles that allow for flexible application where appropriate.

Firms themselves should avoid a pure compliance-based "tick-box" approach when responding to Accountability Regimes and ideally use such regimes as an opportunity to drive and build on strengthening leadership behaviors and overall culture in the organization, ensuring that employees have the resources and support to discharge their duties. Firms that need to respond to regimes in multiple jurisdictions will need to align on approaches, and navigating the minefield of unintended behavioral consequences will be key for both firms and supervisors.

assessment. As Box 5.6 shows, in recent years, supervisory authorities in a number of countries have recognized this and reinforced managerial responsibility for conduct and conduct failures with accountability regimes.

Culture, on the other hand, is intangible and ubiquitous; as such, it requires deep understanding of the strategy, operating model, and values of the organization. In other words, conduct can be assessed as right or wrong, whereas culture is not objectively right or wrong; it can only be assessed in terms of its alignment to the strategy and values of the institution.

In some markets, discussions on conduct and culture have moved beyond individual bank efforts to collaboration across multiple players in the industry, including tools and practices that are shared more broadly. Examples include:

• The Banking Standards Board in the UK conducts an annual assessment across banks on culture and conduct topics, providing participating banks with useful benchmarking on how they are doing relative to peers.

• The Fixed Income, Currencies and Commodities Markets Standards Board has developed actionable standards on behavior and statements of good practice that have been well received by industry participants.

• The Financial Stability Board has since 2015 been coordinating international efforts around a work plan to reduce misconduct risk, most recently publishing a toolkit for firms and supervisors to strengthen governance frameworks. The tools focus on mitigating cultural drivers of misconduct, strengthening individual responsibility and accountability, and addressing the "rolling bad apples" phenomenon.

• The Bankers' Oath in the Netherlands is a legally required ethics statement and code of conduct holding bankers to standards of good behavior. To date, it has been taken by 87,000 Dutch bank employees.16

• The Global Banking Education Standards Board recently announced standards for ethics education and training for professional bankers, with plans to develop further standards in both general banker competency and on the capabilities required in credit products.

16 "The Banker's Oath," Tuchtrecht Banken, Amsterdam; https://www.tuchtrechtbanken.nl/en/the-bankers-oath.



SECTION 2. LESSONS LEARNED

As the banking industry reflects on the last decade, and culture and conduct efforts gain additional maturity, our research has revealed eight key lessons.

1 Managing culture is not a one-off event, but a continuous and ongoing effort that needs to be constantly reinforced and that must become a permanent way of doing business.
2 Leadership always matters; conduct and culture must be embedded from the top down throughout the firm, starting with the board and senior management but also importantly including middle management.
3 The scope of conduct management is shifting from misconduct to conduct risk management more broadly.
4 Managing culture requires a multipronged approach and the simultaneous alignment of multiple cultural levers.
5 Ten years out from the financial crisis, there is strong recognition that a more diverse set of views and voices in senior management will lead to better (and more sustainable) outcomes for all stakeholders.
6 While cultural norms and beliefs cannot be explicitly measured, the behaviors and outcomes that culture drives can and should be measured.
7 Regulation has a limited role in rule setting and mandating culture.
8 Restoring trust will benefit the industry as a whole; as such, industry-wide dialogue and best practices sharing are important elements in the journey toward a stronger and healthier banking sector.

A discussion of each of these lessons follows.

LESSON 1. Managing culture is not a one-off event, but a continuous and ongoing effort that needs to be constantly reinforced, and it needs to be permanent (see Box 5.7). Banks need to not only find ways to keep culture discussions from becoming stale or repetitive, but also to ensure that culture efforts are responsive to potential changes in the desired outcomes themselves as the industry evolves (for example, digitization). This is particularly important as changes to conduct and culture are further embedded throughout the organization. It is also important to remember that culture is not (and should not be) static; it will evolve as the business evolves, customer needs change, and competitive forces modify. As such, the firm must constantly and deliberately adapt culture to align to a changing strategy and business conditions. Constant nudges and reinforcement of expectations are needed in everyday life as training alone is not enough to shift behavior.

LESSON 2. Leadership always matters. Conduct and culture must be embedded from the top down throughout the firm, from the board to senior management and through middle management down to the teller, and through all business units and geographic locations.

First and foremost, the board needs to be aware of and involved in defining and guiding the culture. The board's role is to define the purpose of the organization and ensure that all business levers are aligned with that purpose. Strategy, communications, policies, processes, and practices must all align with the desired culture, and the board must oversee that alignment.

Senior leaders need to involve middle management to further articulate and reinforce firm values and intended behaviors in their respective areas of oversight. The day-to-day realities of frontline staff are most profoundly impacted by their immediate manager rather than by the CEO or other senior executives. As such, leadership modeling must flow all the way through the organization and cannot only be seen at the senior levels. This is especially difficult for large, multi-geography and multi-business-unit banks. A direct manager that does not model the values of the firm can easily undermine any example or message communicated by the CEO; as such, many banks are shifting away from focusing mainly on tone from the top, to tone from above. While the tone and direction of the culture message needs to be consistent across all leaders, it also needs to be flexible enough to be aligned with the different styles of each leader.

LESSON 3. The scope of conduct management is shifting from misconduct to conduct risk management more broadly. Conduct is not just about purposeful misbehavior driven by an employee's desire for personal gain or to meet performance targets (for example, rogue traders); rather, it should be considered more broadly. For example, a bank's decisions—in the form of such things as business targets, product design, and automated processes—can sometimes have unintended consequences and harm clients, customers, and/or colleagues even in the absence of bad intentions.

In many institutions, conduct has been defined to include intent, negligence, and failure of judgment. The definition is also broadening to cover all stakeholders, having shifted from only market and customer impact to also include harm to colleagues. In this context, rather than just focusing on how to reduce bad conduct, it may be useful to consider the mirror image question of how to promote good conduct that aligns and furthers the organization's purpose and values. It is also important to consider the full potential consequences and implications of all business decisions.

LESSON 4. Managing culture requires a multipronged approach and the simultaneous alignment of multiple cultural levers. Culture is not empirically good or bad, but it must be right for the

98 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
BOX 5.7 LESSONS FROM OTHER INDUSTRIES

Banks can learn from other high-risk, asset-intensive industries that have worked for years to embed responsibility for managing behaviors throughout the organization. Examples include the following.

Oil and gas: Companies have established specific guidance on behavior (for example, Shell's "Life-Saving Rules") that sets clear expectations on acceptable vs. unacceptable behavior. Also, firms use a buddy system to encourage employees, upon observing non-compliant behavior by peers, to intervene with each other without the need to escalate the issue up the management chain. This helps create an environment of trust and psychological safety where employees look after the well-being of the firm and of each other. Banks could consider applying similar approaches to clarify behavioral expectations and foster a speaking-up culture. A speaking-up culture could also mean speaking out to a colleague through mentoring and coaching rather than only via escalation measures.

Medical devices: "Hazard analysis" (also known as risk analysis) is a mandatory step in the design of medical devices, to consider the possible consequences of inadvertent misuse by the customer, and to mitigate those hazards so that the customer is not harmed. Such analyses, applied to banking and other financial products, could help banks think more rigorously about product features, even those commonly taken for granted, and build in appropriate safeguards against potential customer misuse.

Pharmaceuticals: Healthcare professionals abide by a philosophy of "right patient, right medication, right time"* to ensure patient safety and reduce errors in drug administration.** A banking analog of this philosophy (for example, articulated as "right customer, right product, right need") could help guide retail sales staff in recommending appropriate products for customers, reduce mis-selling incidents, and ultimately improve customer satisfaction and outcomes.

* Some versions also specify, for example, right dose, right route, right reason, right documentation, and right response.

** While considered a useful rule of thumb, this is not a foolproof guideline; see "The Five Rights: A Destination without a Map," by Matthew Grissinger, P&T 35(10): 542, October 2010; https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2957754.

organization based on its values, strategy, and business model. And the various levers of culture must be aligned with the desired outcomes. Cultural levers include structural elements such as policies, organization, processes, and technology, as well as intangibles such as tone from the top, beliefs, and perceptions.

Embedding culture is not about changing specific cultural levers in isolation, but about achieving alignment throughout, that is, a clearly stated (and believed) purpose that flows into strategy, policies, behaviors, governance models, processes, performance measurement, and incentive schemes. Tone from the top and leading by example are necessary for initiatives to have credibility, but they are not sufficient. Processes and structural elements are also critical for enabling messaging to cascade uniformly and effectively throughout the organization, especially for larger banks. Small changes in everyday decisions ultimately add up to big changes over time. Implications of this lesson include:

• Along the lines of "every organization is perfectly designed to get the results it gets," a bank's various culture elements are a reflection of its true (which may differ from its stated) values and priorities. Banks should think carefully about how each culture element came to be designed, implemented, and perceived in its current form, and make necessary adjustments to ensure that it is aligned with the organization's desired values and priorities.

• Beyond articulating purpose and values, banks need to provide practical, actionable guidance to help staff make decisions. This means clear communication of expectations, and concrete, relatable examples around behavior in real-life situations that employees may face. While values and principles provide direction, on their own they are often too abstract to be directly useful in gray-zone situations. This can be best achieved through tailored trainings across levels and more open communication from senior leadership.

LESSON 5. Ten years out from the financial crisis, there is strong recognition that a more diverse set of views and voices in senior management will lead to better (and more sustainable) outcomes for all stakeholders. Many of the industry leaders interviewed pointed to group-think as a contributing cause of the behaviors leading to the financial crisis and of many of the scandals that have occurred since.

Diversity in thinking, problem solving, and leadership styles will help organizations achieve better results through greater questioning, challenging, creativity, and innovation. Diverse leadership teams can also help employees (especially diverse employees) feel safer in raising concerns and escalating issues.

Many leaders stated that their institutions have recently placed greater focus and importance on hiring, retaining, and empowering diverse employees. These leaders recognize that successful, innovative, and learning organizations are ones that are diverse at all levels of the organization. As one senior industry leader stated, "everything changes for the better when you have critical mass of women in the C-Suite and the Boardroom."

But results on this front are slow, and achieving truly diverse teams (especially at the senior levels) will require intentional

Chapter 5 Banking Conduct and Culture ■ 99


and ongoing effort. A 2016 study by Oliver Wyman showed that while slight improvement is being made in terms of female representation in the C-Suite and the board, the numbers are very low and only marginally improving (see Figure 5.5).

Recent analysis of the financial sector by Mercer shows that women are significantly better represented at the support staff level than at the senior manager or executive level. In addition, the proportion of women decreases at each level as we move up the hierarchy; they are hired at a lower rate than men at all levels except for senior manager; they are less likely than men to be promoted to the next level across all levels of the organization; and they exit at higher rates than they are being hired at all levels, and even more so at manager level and above. This is a troubling picture. Global firms in other industries do not display such large skews.

In addition, gender disparity in pay is gaining attention as an issue in the banking industry, as recently highlighted in the UK but holding true globally. While some of this disparity can be attributed to issues with equal pay for equal work, the fact that women hold fewer senior, highly paid positions than men is typically a larger source of disparity. Such imbalances can create culture issues such as bullying, harassment, and other behaviors that can negatively impact clients.

One Bank Board Chair interviewed rightly stated: "As human beings, we are not wired to seek out diversity; the natural order is to be drawn to those who are like us. And for too many years, cultural fit has been used in hiring and promotion decisions as a proxy for 'is just like me.'"

LESSON 6. While cultural norms and beliefs cannot be explicitly measured, the behaviors and outcomes that culture drives can and should be measured. Banks are at various stages of trial and error to determine what the right metrics are and how to use them. While measuring culture is a challenging task, it is also a necessity. Leadership's ability to confidently and objectively state that the conduct of individuals across the organization is in line with their strategy, core principles, and desired goals requires a set of indicators that can support their statements. To maintain a healthy culture and detect conduct issues before they become a significant problem, management needs to be able to observe and track behavior through meaningful and objective metrics. This is especially true for larger organizations that span numerous geographies and business lines, and can host a myriad of subcultures that differ significantly. In addition, banks need to measure and report on culture and conduct because only by measuring them will banks be able to shift their focus away from purely quantitative financial metrics (for example, revenues, volumes, profits) to an understanding of how their actions and decisions align to their values.

Culture also needs to be measured and monitored because it is not constant; culture can and should evolve over time and be influenced by a number of factors including company strategy, hiring, growth, acquisitions, and external drivers such as evolving customer needs or technology advancements. Without effective measurement, leadership cannot determine whether this evolution is progressing in a desirable direction.

Deriving metrics from company values is a multistep process that requires organizations to look inward and answer some challenging questions, starting with values, identifying stakeholders and outcomes for each, and then articulating desired behaviors and translating them into observable metrics. Following this, banks will need to embark on a data exploration and analysis effort to make sure that the data needed for the desired metrics are available or can be readily collected. Several tools, including internal surveys, audits, and customer assessments, are particularly useful in gathering data for given metrics.

[Figure 5.5 chart: two lines, Board and ExCo, plotted at 2003, 2008, 2013, and 2016 on a 0 to 30 percent axis, with the interquartile range (25th to 75th percentile) shaded; the recoverable data labels are 13%, 14%, 16%, 18%, and 20%.]

Figure 5.5 Percentage of board and Executive Committee (ExCo) members in major financial services organizations who are women.

Source: Oliver Wyman analysis of organization disclosures across 381 financial services organizations in 32 countries ("Women in Financial Services," Oliver Wyman, New York, 2016).

There is no silver bullet for measuring and reporting conduct and culture, but several key design principles are critical to building a culture dashboard that provides useful and actionable insights, as shown in Figure 5.6.

The more mature banks in terms of culture and conduct reporting provide the following lessons learned:

• The report should focus on metrics that are meaningful to the purpose and values of the firm. Also important in metric selection is having both leading and lagging metrics: the forward-looking metrics are key to identifying what might happen rather than only reporting on what did happen.

• To be truly valuable, the metrics should be seen over time and analyzed as a trend rather than as a single number or point in time. In addition, the analysis should not just look at individual metrics in isolation but rather assess how the data interact. Metrics from across strategy, governance, HR, service, operations, product, sales, and clients should come together to form the full narrative on culture and conduct.

• The details are critical, and the board and senior management should focus on the anomalies, exceptions, and the tail, given that in the summary view the issues can be buried and lead to a false sense of complacency.

• The report should include commentary and explanation of the data, and the reporting operating model should also include the ability to do further analysis and investigation where needed. With culture and conduct reporting, the metrics do not identify issues per se; rather, they identify where to look for potential issues. The metrics don't tell you what went wrong, they just tell you where to look. In that same vein, as banks refine their approach to selecting and calibrating metrics, they often struggle with many false positives. Getting the right metrics and inferring the right insights will take time and should be piloted and tested over a period of time.

• The reporting should focus on conduct rather than narrowly on misconduct. When banks start down the culture and conduct measurement path, many focus their efforts on misconduct, that is, intentional actions that are clear breaches of policies. However, culture and conduct reporting should also include outcomes driven by unintentional behaviors and unintended consequences, such as flawed product design that does not meet customer needs. Furthermore, to provide a truly comprehensive and balanced view of company culture and conduct, the scope of measurement should cover positive conduct and associated indicators such as employee volunteer hours, employee satisfaction survey results, sustainability efforts, and social impact investments.

• The reporting tool should be flexible and provide the multiple views, levels of granularity, geographic focus, and types of metrics needed to meet the needs of multiple audiences (for example, the board, senior management, business heads, and various second-line functions). A number of institutions are starting to develop dynamic web-based reporting views (Figure 5.7).
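The screening step these lessons describe (trend against history, granularity by line of business, attention to the exceptions rather than the summary, and metrics that point to where to look rather than what went wrong) can be made concrete in a few lines. The following is an added example written for this edition; it is not code from the page, from Oliver Wyman, or from any bank, and every number in it is constructed: two indicators for three hypothetical lines of business (LOB1 to LOB3) over eight quarters, plus hypothetical headcounts used only to build the enterprise roll-up. The 25% threshold and the two-quarter lookback are likewise assumed calibration choices, not figures from the text.

```python
"""Exception screen over constructed conduct metrics (added example).

Every value here is constructed for illustration. The screen compares
the last `lookback` quarters of each metric with that metric's own
earlier history, per line of business, and reports the cells that sit
more than a threshold above their baseline, largest deviation first.
"""
from statistics import mean

PERIODS = ["2016Q2", "2016Q3", "2016Q4", "2017Q1",
           "2017Q2", "2017Q3", "2017Q4", "2018Q1"]

# metric -> {"kind": leading|lagging, "series": {LOB: one value per period}}
METRICS = {
    "employee_turnover_rate": {          # percent of staff leaving per quarter
        "kind": "leading",
        "series": {
            "LOB1": [4.0, 4.2, 3.9, 4.1, 4.0, 4.3, 7.8, 8.4],
            "LOB2": [3.5, 3.6, 3.4, 3.7, 3.5, 3.6, 4.9, 4.1],
            "LOB3": [5.0, 4.8, 5.1, 4.9, 5.2, 5.0, 4.9, 5.1],
        },
    },
    "customer_complaints": {             # complaints received per quarter
        "kind": "lagging",
        "series": {
            "LOB1": [120, 118, 125, 121, 119, 123, 122, 124],
            "LOB2": [80, 82, 79, 85, 81, 83, 80, 84],
            "LOB3": [60, 61, 59, 63, 60, 62, 61, 60],
        },
    },
}
HEADCOUNT = {"LOB1": 300, "LOB2": 1200, "LOB3": 2500}   # hypothetical weights


def deviation_pct(values, lookback=2):
    """Percent by which the mean of the last `lookback` periods exceeds the
    mean of all earlier periods (the historical average a dashboard pegs a
    metric against). Negative means the recent window is below history."""
    if len(values) <= lookback:
        raise ValueError("need more history than the lookback window")
    baseline, recent = values[:-lookback], values[-lookback:]
    base = mean(baseline)
    if base == 0:
        raise ValueError("baseline average is zero; this metric cannot be screened")
    return (mean(recent) - base) / base * 100.0


def screen_exceptions(metrics, lookback=2, threshold_pct=25.0):
    """Return the (metric, LOB) cells whose recent trend is more than
    `threshold_pct` above their own history, largest deviation first.
    These are places to look, not findings: the threshold is a calibration
    choice, and a looser one produces the false positives the text warns of."""
    hits = []
    for name, spec in metrics.items():
        for lob, values in spec["series"].items():
            pct = deviation_pct(values, lookback)
            if pct > threshold_pct:
                hits.append({"metric": name, "kind": spec["kind"],
                             "lob": lob, "pct_vs_baseline": round(pct, 1)})
    return sorted(hits, key=lambda h: h["pct_vs_baseline"], reverse=True)


def rollup(series_by_lob, weights):
    """Headcount-weighted enterprise series: the 'summary view' of a metric."""
    total = sum(weights[lob] for lob in series_by_lob)
    n = len(next(iter(series_by_lob.values())))
    return [sum(series_by_lob[lob][i] * weights[lob] for lob in series_by_lob) / total
            for i in range(n)]


def main():
    print("Where to look (last two quarters vs. history):")
    for hit in screen_exceptions(METRICS):
        print(f"  {hit['metric']} [{hit['kind']}] {hit['lob']}: "
              f"{hit['pct_vs_baseline']:+.1f}% vs. baseline")
    enterprise = rollup(METRICS["employee_turnover_rate"]["series"], HEADCOUNT)
    print(f"Enterprise turnover over the same window: "
          f"{deviation_pct(enterprise):+.1f}% vs. baseline (under threshold)")


if __name__ == "__main__":
    main()
```

Run as a script, it lists LOB1 turnover (roughly doubled against its history) and LOB2 turnover (a smaller rise that only just clears the threshold) as the cells to investigate; complaints, the lagging indicator, stay flat everywhere. The roll-up is the point of the third bullet above: the headcount-weighted enterprise turnover moves only about 13% against its history and never trips the screen, so a board-level summary would hide exactly the spike that the LOB-level view surfaces, which is also how the mock-up in Figure 5.7 reports it.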

Design principles shown in the figure:

1. Has direct link to firm values and risk appetite framework
2. Displays trends over time for each indicator
3. Provides granular results across lines of business
4. Includes granular data and targets
5. Uses both leading and lagging indicators
6. Provides value-adding commentary

Conduct metrics dashboard (illustrative metrics from the figure):

Value               Metric                                                                Leading vs. lagging
Company landscape   Revenue and cost against target                                       Leading
Company landscape   Efficiency ratio                                                      Leading
Our People          Involuntary turnover, by type (e.g., Sales Practices, Fraud, etc.)    Leading
Our People          Sales training completion rates, by type                              Leading
Customers           Customer complaints by type                                           Lagging
Customers           # or % of products only appropriate for a small subset of customers   Lagging
Risk Control        # of products with periodic review overdue                            Leading
Risk Control        % open issues raised by audit                                         Lagging
Risk Control        Overdue customer appropriateness reviews                              Lagging
Risk Control        Number of compliance breaches                                         Lagging

Figure 5.6 Design principles for conduct and culture measurement.



[Figure 5.7 dashboard mock-ups, recovered from the graphic.

Board view: filters for Region (All), Office (All), and Period (2018 Q1). A metrics summary lists an overall status and comments for each stakeholder category (Customers and clients; Employees; Communities; Shareholders; Supervisors, regulators, and governments). An Insights panel carries dated entries: "Employee turnover. Status: Open. Spike in LOB 1 employee turnover over the past two quarters." (Feb 12, 2018); "Employee Hotline Volume. Status: Resolved. 10% increase in Employee Hotline volume across the enterprise during 2017 Q4; the increase was determined to be the result of an employee hotline awareness campaign." (Feb 2, 2018); "Customer Complaints. Status: Resolved." (Feb 2, 2018).

Detailed view: the same filters. A metric overview for employees shows overall status and per-LOB status (LOB1, LOB2, LOB3) for employee hotline volume and whistleblower cases, number of misconduct incidents (overall), number of employees with a misconduct incident in the past 12 months, and rate of employee turnover. Trend charts show employee hotline volume (pegged to historical average) and whistleblower cases (substantiated and unsubstantiated). An insights thread on the open turnover item reads: "Spike in US employee turnover over the past two quarters. The change is currently under investigation." with analyst updates "The trend is isolated to LOB1 at London office 1. LOB 2 in the same office also has a spike, but not as large." (Jane Smith, Feb 12, 2018) and "Reached out to the LOB 1 HR team in that office; waiting for their perspective before escalating." (Jane Smith, Feb 14, 2018), followed by an "Add an update" control. The resolved hotline-volume item repeats the 2017 Q4 note.]

Figure 5.7 Sample conduct and culture dashboards: Board view and detailed view.

Source: Oliver Wyman.

LESSON 7. Regulation has a limited role to play given that culture cannot be mandated or defined by rules; that is, good culture cannot be regulated into existence. A number of industry leaders raised concerns related to the potential downsides of overly prescriptive regulation, such as encouraging a box-ticking response, undermining the clarity of the message that culture is a matter for banks' boards and executives, creating a mindset of outsourcing good judgment, and forcing disengagement from activities that may expose banks to future financial penalty. Having said that, regulatory agencies are responsible for

BOX 5.8 SKILLS AND CAPABILITIES REQUIRED OF REGULATORS

To effectively assess banks and assist them in effecting lasting conduct and culture changes, supervisors themselves will need to evolve in order to be properly equipped with the right skills and capabilities. As one senior industry leader stated, "a supervisor would not undertake the review of a financial model without financial modeling expertise; how can they engage in dialogue and review of culture without the skills in behavioral drivers?"

Supervisory teams should be composed of experienced individuals who understand banks' business models and strategy, and can engage in judgment-based, forward-looking discussions with boards and senior executives about conduct matters. These teams must be adept at leveraging new types of assessment methodologies and be able to identify potential issues and behavioral outliers in a constructive and well-intentioned manner. Further, supervision of conduct and culture will involve greater resources and time commitment relative to traditional supervisory activities, requiring ongoing dedication, careful planning, and a deeper understanding of each bank's business model and strategy.

Over time, some supervisors may find themselves needing to reassess their internal governance structure, operating model, and rules of engagement. It goes without saying that there should be no conduct issues among those tasked with evaluating conduct. Finally, supervisors should consider leveraging additional expertise from external experts (for example, behavioral scientists, governance experts) to bolster the quality of assessments and strengthen supervisors' knowledge and capabilities going forward.

safeguarding the safety and soundness of the financial services industry. As such, these agencies cannot be excluded from the dialogue and monitoring.

The industry continues to explore effective approaches to regulation and supervision; while there is not yet a consensus view, agreement is beginning to emerge in some areas, including:

• REGULATION: Regulation can be an effective tool to focus banks' attention on specific and tangible areas of persistent conduct failures (for example, conflicts of interest, risk incentives, and customer protection), in such cases clearly outlining basic principles while leaving room for banks to own and drive the specifics of implementation. The approach of principles-based regulation has recently proven effective in two areas: increasing accountability of senior leadership (the FCA's Senior Managers and Certification Regime [SM&CR]) and aligning remuneration policies to drive better conduct (FCA/EBA guidance on remuneration). Regulatory bodies can also outline requirements in terms of claw-back practices, including defining the appropriate time period for deferrals and clawbacks, which may be too short in some cases today.

The various senior accountability regimes seen in some jurisdictions are one way regulation has impacted bank culture. While the specifics differ, increasingly supervisors are incorporating individual accountability for breaches of conduct in the mandate of their senior management regimes. These are leading to changes in the roles and responsibilities of senior leaders and directors, and are also affecting how banks recruit, appoint, train, and compensate their most senior leaders. They are of course also having a direct impact on the mindset and actions of these individuals and on how they carry out their responsibilities on a daily basis (that is, they are more involved in and aware of the activities and decisions being carried out in their organizations). See Box 5.8 for a discussion of the skills and capabilities required of regulators.

• SUPERVISION: Supervision has an important role in engaging in a dialogue with the industry and holding up a mirror to the institution. Supervisors can ask questions of the board and management to ensure an appropriate focus on culture and conduct topics, and can also share industry best practices and learnings. It is important that supervisors share culture insights that they have gleaned from their work across multiple institutions and in their dialogue with regulatory bodies from around the world.

Supervisors can also help in anticipating future sources of potential misconduct given their broader industry-wide view. Trust, transparency, and open dialogue between banks and supervisors will be critical to allow for this, and to enable early intervention to prevent serious issues before they materialize.

• SYSTEMIC ISSUES: Systemic issues such as the "rolling bad apples" problem cannot be addressed by individual bank efforts and require a collective response across the industry and regulatory/supervisory bodies.17

LESSON 8. Restoring trust will benefit the industry as a whole; as such, industry-wide dialogue and best practices sharing are important elements in the journey toward a stronger and healthier banking sector. The banking industry in major markets should

17 Although this must be done within the constraints of local legislation and employee protection laws.



BOX 5.9 TRAINING FOR LASTING BEHAVIORAL CHANGE

Many banks struggle to change their culture because they fail to address the issue of behavioral change. Training for behavioral change is not a linear process, but an iterative process, with potential loopbacks to allow adjustments and learning. People change their behavior gradually and on an individual basis, as behavior is embodied in the person. That is, in the moment of action, an employee doesn't always think about his or her behavior, but rather simply behaves according to subconscious patterns. Changing these behaviors is not possible in a one-off training or coaching session, but rather requires repeated rewiring of new patterns and suppressing old ones over a series of reinforcing experiences, often an awkward and difficult process, until the new patterns move out of the conscious mind into the subconscious and become behaviors.

Neuroscience research suggests that driving behavioral change relies on cycles that ensure new behaviors stick, starting with a diagnostic to develop a plan of action, then engineering a shock to raise awareness of target behaviors and actions, followed by nudges (ideally every eight or so days), seeking to affect the subconsciousness associated with the change, and finally closing out to reinforce behavioral change.

While there is no one-size-fits-all process of behavioral change, there are typically five stages: awareness (becoming aware of the new behaviors and need to change), nudging (starting to experience the impact of the new behaviors), reinforcing (frequent repetition of new behavior delivers consistent feedback), sustaining (reinforcing structures help embed the change), and, finally, impact (positive results appear on both a business and personal level).

A well-designed training program comprises not just the initial training sessions, but also interventions in subsequent months that help reinforce the behavioral intent. Banks should look for ways to incorporate such interventions in order to fully reap the benefits of the investment they make in their training programs.

seriously consider mechanisms of collaboration (for example, through industry standards organizations) to develop cross-industry comparisons regarding their progress on culture and conduct. Even though culture is unique to each institution, collaboration and comparisons can benefit the industry by providing banks with a view, considered by some to be more honest than that collected in-house, into their own culture relative to those of peers. Further, such benchmarking results can provide banks with an objective basis for introspection and constructive challenge, guarding against overconfidence in their own approaches.

The Banking Standards Board (BSB) in the UK provides a good example of this industry-wide collaboration. Established in 2015, the BSB is a private, nonregulatory, membership-based organization open to any bank in the UK. The BSB has provided UK banks with an open forum to share and aggregate best practices on conduct and culture. One of the cornerstone pieces of work achieved and published annually is the BSB Annual Review, which assesses current and year-over-year changes in behavior, competence, and culture in UK banking, and identifies key best practices from member banks. Though only its second report, the 2017 Annual Review received over 36,000 responses of input across 25 UK banks, which highlights the keen interest and active participation on the part of UK banks in critically evaluating their own firm's practices and collaborating with and supporting other banks in identifying changes in conduct and culture.

The Fixed Income, Currencies and Commodities Market Standards Board also provides good examples of behavioral patterns evident in misconduct in its July 2018 Behavioural Cluster Analysis study.18 The publication provides a practical toolkit to identify the root causes and relevant behaviors that underlie market misconduct. The study has identified 25 patterns, which can be grouped into seven categories of behavior: Price Manipulation, Circular Trading, Collusion & Information Sharing, Inside Information, Reference Price Influence, Improper Order Handling, and Misleading Customers. The study finds that there are a limited number of patterns that repeat themselves, are jurisdictionally and geographically neutral, occur across different asset classes, and adapt to new technologies and market structures. This study also demonstrates that conduct issues are a long-standing and constant struggle that management must vigilantly monitor and mitigate. (See Box 5.9.)

18 "Behavioural Cluster Analysis, Misconduct Patterns in Financial Markets," Fixed Income, Currencies and Commodities Markets Standards Board, London, July 2018.

Risk Culture

After completing this reading you should be able to:

• Compare risk culture and corporate culture and explain how they interact.

• Explain factors that influence a firm's corporate culture and its risk culture.

• Describe methods by which corporate culture and risk culture can be measured.

• Describe characteristics of a strong risk culture and challenges to the implementation of an effective risk culture.

• Assess the relationship between risk culture and business performance.

Excerpt is Chapter 2 from Risk Culture in Banking, by Alessandro Carretta, Franco Fiordelisi and Paola Schwizer.
6.1 INTRODUCTION

Studies on corporate culture have been carried out for a long time. Corporate culture has been a popular management tool since the early 1980s and, more recently, an intense activity of research on this subject (arising from the failure of traditional cultural models) turned cultural explanations into a more valuable asset than a simple matter of "claiming the residuals" (Zingales 2015).

In the last decades, the market saw a clear evolution of the role of banks, which passed from public institutions to profit-driven private entities. A new competitive environment, in terms of actors, rules, geography, and products, produced an evolution of corporate culture in banking. In this framework, risk culture can be seen as a subculture with a central role in financial institutions. This chapter provides an introduction to the concept of risk culture, focusing on its definition, importance, and effects on bank competition and financial stability. It includes an in-depth analysis of the relevant literature and of good/bad practices. This chapter is structured as follows:

• Definition and measurement of corporate culture and its impact on corporate behaviors;

• Presentation of the scope and alternative definitions of risk culture;

• Analysis of drivers and effects of risk culture on sound and prudent management of financial institutions;

• Discussion of the main challenges in deploying an effective risk culture.

6.2 WHAT CORPORATE CULTURE IS AND WHY IT MATTERS

Literally speaking, there are many thousands of definitions of corporate culture, all sounding subtly different. The literature often refers to corporate culture as the missing link to fully understand how organizations act (Kennedy and Deal 1982). Culture is the result of shared values, basic underlying assumptions and business experiences, behavior and beliefs, as well as strategic decisions. Culture is much more than a management style: it is a set of experiences, beliefs and behavioral patterns. It is created, discovered or developed when a group of individuals

the organization's specific way to perceive, think, and feel in relation to problems (Schein 2010). Organizational culture deals with different approaches. One takes into account external outputs: environmental, architectural, technological, office layout, dress code, behavioral standards (visible and audible aspects), official documents (statutes, regulations, and internal communication), and symbols. Such an analysis is the necessary basis for investigating the principles, knowledge, and experiences that guide attitudes and behavior. These aspects reflect the internalized core values of the organization and justify the behavior of individuals. In fact, the basic assumptions which underlie actions are often hidden or even unconscious: beliefs determine the way in which group members perceive, think, feel, and therefore act, but are difficult to observe from an outside perspective (Carretta 2001).

Culture is more complex than other organizational variables: it can be extremely effective and at the same time resistant to the need for change dictated by the environment (Fahlenbrach et al. 2012). Culture is, in fact, "what you do and how you do it when you are not thinking about it". If well governed over time, it can be the glue that holds a company together.

Culture has always been considered a key tool affecting corporate behavior, but authors do not agree on how this occurs. Some consider culture a fixed effect on firm performance, while others argue that it is a variable that can be managed over time. Viewing culture as a variable is a quite recent development, and several institutions have developed proper management tools and frameworks to measure and manage it.

The discussion is still going on, but, in principle, a culture suitable for being applied to a business formula makes a significant contribution to business performance. A suitable culture implies that people "make use" of the same assumptions and adopt behavior inspired by the company's values; this increases the market value of the company identity. In business, the importance of maintaining behavior consistent with corporate culture needs to be constantly stressed, especially by "leaders", at all levels of the organization. Management should always remind the staff of the underlying cultural contents and their positive impact on individual and organizational performance, by setting a good example and through communication. According to the economic literature, culture is a mechanism that makes the corporation more efficient through simplified communication and decision-making processes. From this perspective, a strong culture has high fixed costs but reduces marginal costs (Stulz 2014).
learn to deal with problem s of adaptation to the outside world
and internal integration. Individuals develop a system of basic The fact that culture can be structured as artifacts, values, and
assum ptions proven to be valid by past experience. M em bers assum ptions im plies different levels of analysis and assess­
of the same group assim ilate these assum ptions, which becom e ment. The purpose of analysis requires a specific level of

106 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
assessm ent and the most appropriate m ethodology. However, ethnographic analysis and the case study, which allow an in-
researchers should keep in mind that the study of only the vis­ depth investigation, but at the same tim e limit the com parability
ible m anifestations of culture is likely to describe "how " but of results. According to Schneider (2000), direct observation is
not "w hy" (Carretta 2001). And as noted by Karolyi, there is a the only way to understand culture, since many of its aspects are
fragility in the measures of the cultural values available to us silent. In addition, people within an organization are not aware
(Karolyi 2015). of how many assumptions affect their behavior and take for
granted that it applies to everyone in the sector. Furtherm ore,
A number of survey methods and metrics are used, among
cognitive beliefs of researchers may influence their evaluation
others, by firms to investigate the mind-sets underlying culture
capacity. As a consequence, a problem of objectivity prevents
(See Box 6.1).
the possibility for other researchers to replicate the analysis and
In academ ic literature, there are some relatively well-established confirm its results.
approaches to measuring culture. Q ualitative methods are the
On the other hand, quantitative methods use standardized
approaches of analysis through statistical tools. These methods
do not provide in-depth observations but are more objective
BO X 6.1 M EASURIN G CULTURE AND and allow the comparison of different situations.
CULTURAL PR O G R ESS: RA N G E OF The goal should be to create a homogenous method within
A P P R O A C H ES USED BY FIRMS organizations or groups of interm ediaries, capable of reflecting
Employee engagement and culture survey the needs of com panies and of the environm ent. This would
result in a com parable approach com pliant with the regulatory
Most firms use annual em ployee engagem ent surveys,
supplem ented by culture and climate surveys or modules environment. Q uantitative methods have been primarily used
added to the regular engagem ent survey to evaluate culture indirectly, by observing developm ents in risk
governance and the link between risk governance and the com ­
Customer perceptions and outcomes pany's risk- return com binations (Ellul and Yerramilli 2013; Lingel
According to some firms, the real test of culture consists and Sheedy 2012; A ebi et al. 2012).
in the outcom es it generates. The focus is particularly on
custom er satisfaction scores, while other firms even try to A new and dynamic environm ent, in term s of actors, rules, geog­
test outcom es (e.g ., mystery shopping or regular online raphy, and products has produced an evolution of corporate
panels of customers) culture in the banking sector. In the last century the market saw
Indicator dashboard a clear evolution of the role of banks, passed from public institu­
tions to profit-driven private entities. For some countries, this
Several firms use a range of indicators, som etim es consoli­
shift was very difficult and driven by an incisive, market-oriented
dated into "culture dashboards", including:
intervention by regulators, especially in Europe, where the final
• Custom ers: satisfaction scores, complaints
goal was the creation of a common market. Prudent regulation
• Em ployees: engagem ent scores, speaking up scores,
has increased the range of banking services offered and, indi­
turnover, absence rates, grievances, use of w histleblow­
rectly, com petition. In order to prevent excessive risk-taking, the
ing lines
Basel Com m ittee has promoted the " self-regulation" of inter­
• Conduct and risk: conduct breaches, clawbacks, m ate­
rial events, and escalations m ediaries, setting up a system of internal controls and a new
com pliance function. The new culture of supervisors is based
Validation on the collaboration with banks and this relationship may have
Firms use a range of methods to validate progress or per­ positive effects in term s of bank perform ances (Carretta et al.
form ance and confirm understanding: 2015). The financial behavior of fam ilies and firms, traditionally
• Consultancy firms' benchmarking exercises the main banking clients, has also undergone rapid changes.
• O ther external benchm arks Family propensity to save has decreased. Families today tend to
• Internal Audit assessm ents invest more in financial instruments inside or outside their home

• Triangulation across various data sources, e.g . staff and countries, while firms are adopting new forms of financing, by
custom er surveys acting directly on the capital markets.

Sou rce: A dapted from Banking Standards Board (2016). These underlying shifts dem onstrate the im portance of study­
ing the effect of corporate culture on banks' perform ance and

Chapter 6 Risk Culture ■ 107


com petitiveness. The literature on banking culture focuses on 6.3 R ISK C U LT U R E : S C O P E
the existence of a specific culture and on how it reacts to the
A N D D E F IN IT IO N
new paradigm s, showing that culture creates value in firms, and
especially in banks. In an ever-changing market, credit supply
The O xford Dictionary defines risk as a situation that involves
and screening remain the most im portant activities undertaken
exposure to danger. Particularly dangerous exposure is called
by banks and represent a basic know-how. This comes from
bad risk. But banks, as well as any other firm, have the same
experience and the «mutual com mitment based on trust and
opportunities to take risks of an ex ante reward on a stand­
respect» (Boot 2000), which are the expression of a specific
alone basis. This risk is being called "a good risk". One might
bank's culture.
be tem pted to conclude that good risk m anagem ent reduces
In some cases, culture in the financial institutions has dem on­ the exposure to danger. However, this view of risk m anage­
strated the ability to integrate com panies' know-how and new ment ignores the fact that banks cannot succeed without taking
market opportunities. For exam ple, the entry of banks into the risks that are ex ante profitable. Consequently, taking actions
insurance business was difficult, due to limited experience with that reduce risk can be costly for shareholders when lower risk
sophisticated products. On the other hand, insurers had limited means avoiding higher risk valuable investments and activities.
experience with bank retail client requirements. The problem Therefore, from the perspective of shareholders, valuable risk
was solved through successful strategic alliances in which banks m anagem ent does not reduce risk in general, since reducing risk
used their distribution capacity and insurers developed simpler would mean not taking on valuable projects. If good risk man­
products. Culture has also driven the creation of new approaches agem ent does not mean low risk, then what does it mean? How
to answer increasing com petition. A "culture of distribution" has is it im plem ented? W hat are its limitations? W hat can be done
replaced the pre-existing "culture of production". Due to this to make it more effective? (Stulz 2014). These questions can be
change, m anagem ent has shifted the focus from an efficient ser­ answered by looking at the concept of risk culture.
vice developm ent towards an effective selling system. This new
Some authors define risk culture (RC) as an element of corporate
perspective is centered on creating unique and personalized
culture; it is what in the culture relates to risk (Power et al. 2013).
conditions to attract the highest possible number of clients.
It is a product of organizational learning concerning what has or
In the new context, culture is a resource rather than a limitation. has not worked in past investments and procedures of a financial
If adequately taken into consideration, it can ensure the suc­ institution (Roeschman 2014). RC could be seen as a subculture
cess of com plicated events such as m ergers and acquisitions. with a central role in financial institutions. In fact, the culture of an
The "one size fits all" solution is not valid anymore, and despite organization is neither unique, nor uniform throughout the com­
cultural integration is never easy, effective m anagem ent is the pany (Schein 2010). The growing complexity of operations, roles,
only chance to make it successful (Carretta et al. 2007). Part of and activities performed by firms produces different subcultures at
the literature considers culture as a static elem ent to be devel­ all levels of the organization; for example, the point of view on the
oped only in the long-term, but many authors and practitioners environment taken by the risk management department can sub­
highlight that culture may be used in order to improve firm stantially differ from that taken by the business line. In this case,
perform ance and stability. Nowadays, it is particularly difficult to RC interacts with dominant corporate culture and subcultures to
develop and im plem ent a strategy due to the intrinsic variability ensure a continuous balance between the need for integration
of the m arket, with controls becoming increasingly com plicated and the opportunity for differentiation of these two perspectives.
due to a w ider range of bank activities and functions. In this con­ This balance is the basis for the adaptation to the environment
text, culture can create shared values to drive individual behav­ and for business changes. Box 6.2 presents a selection of the
ior in pursuing the organizational strategy and assisting the role existing definitions for RC in financial institutions; the main ones
of internal controls. are by FSB, Institute of International Finance (IIF) and Institute of
To conclude, a specific corporate culture exists in the bank­ Risk Management (IRM). These institutions use concepts that are
ing sector and literature shows that, in specific contexts, it widely used in literature to define corporate culture, such as val­
can change and help bank stability. Em pirical studies confirm ues, norms, ethics, and traditions. The FSB and IIF definitions are
it (Carretta 2001): positive relations with the environm ent are very similar; in fact, both define RC as norms and behavior related
linked with an open culture. Banks have overcom e their previous to how individuals identify, understand, discuss (risk awareness ),
specialization, developing various new internal com petences: and act (risk-taking and management) concerning the risks. The
integration, team work, and interpersonal relations are the base IRM definition, on the other hand, refers to values and beliefs, and
for a new model of leadership. However, the results also show is in line with previous literature, which asserts that basic assum p­
that this new culture is not yet widespread. tions (beliefs) are at the heart of culture (Schein 1990).

108 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
BOX 6.2 RISK CULTURE DEFINITIONS

Risk culture can be defined as the norms and traditions of the behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes (Institute of International Finance 2009).

«A bank's norms, attitudes, and behavior related to risk awareness, risk-taking and risk management and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during the day-to-day activities and has an impact on the risks they assume» (Financial Stability Board 2014; Basel Committee 2015).

«Risk Culture is a term describing the values, beliefs, knowledge, and understanding about risk shared by a group of people with a common purpose, in particular, the employees of an organization or of teams or groups within an organization» (Institute of Risk Management 2012).

«Barclays risk culture is the set of objectives and practices, shared across the organization, that drive and govern risk management» (Barclays PLC).

«A number of levers are used to reinforce the risk culture, including tone from the top, governance and role definition, capability development, performance management and reward» (Lloyds Banking Group).

«Risk culture is characterized by a holistic and integrated view of risk, performance, and reward, and through full compliance with our standards and principles» (UBS).

«It can be defined as the system of values and behavior present throughout an organization that shapes risk decisions. Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits» (Farrel and Hoon 2009).

«The behavioral norms of a company's personnel with regard to the risks presented by strategy execution and business operations. In other words, it is a key element of a company's enterprise risk management framework, albeit one that exists more in practice than in codification» (Smith-Bingham 2015).

«Risk culture encompasses the general awareness, attitudes, and behavior of an organization's employees toward risk and how risk is managed within the organization. Risk culture is a key indicator of how widely an organization's risk management policies and practices have been adopted» (Deloitte Australia 2012).

In conclusion, RC is composed of underlying assumptions and the way they turn into norms, values, and artifacts. Not all assumptions are relevant, but only those about risk or, more precisely, those that affect «the way in which they identify, understand, discuss, and act on the risks» (IRM 2012). So, RC is related to «risk awareness, risk-taking and risk management, and controls that shape decisions on risks», which act at all levels of the institution «during the day-to-day activities and have an impact on the risks they assume» (FSB 2014).

6.4 RISK CULTURE: DRIVERS AND EFFECTS

First of all, RC depends on national culture and environment. As far as culture is concerned, some countries are more homogeneous than others, even though sometimes areas having a similar culture are part of different nations. Despite these limitations, comparing national cultures is still a meaningful and revealing venture and has become part of the main social sciences. Research by Hofstede has shown that national cultures differ particularly at the level of habitual, unconscious values held by the majority of a population. According to Hofstede, the dimensions of national cultures are rooted in our unconscious values. Since these values are acquired in childhood, national cultures are remarkably stable over time; changing national values is a matter of generations. Instead, practices change in response to changing circumstances: symbols, heroes, and rituals change, but underlying values are largely untouched. For this reason, differences between countries have such a remarkable historical continuity.

Similarly, culture is very much a product of the environment (Lo 2015). The International Monetary Fund has published empirical evidence covering about 50,000 firms in 400 sectors in 51 countries, according to which firms operating in countries characterized by lower aversion to uncertainty and greater individualism, and in sectors with a strong opacity of information such as the financial world, have a more aggressive risk culture, and "even in a highly-globalized world with sophisticated managers, culture matters" (Li et al. 2013). Furthermore, these aspects will be discussed in the following subsections: the impact of regulation and its underlying culture (Carretta et al. 2015), as well as the pervasiveness of supervision of a company's risk culture (Power et al. 2013). In the financial system, supervisors and supervised parties can collaborate in order to improve the culture of risk, fully aware that it is a sensitive area requiring time and resources (Senior Supervisors Group 2009; Group of Thirty 2008).

Culture impacts directly on corporate risk-taking, not merely through indirect channels such as the legal and regulatory frameworks (Mihet 2012).

Risk culture also impacts on the characteristics and behavior of a firm and at the same time is an expression of them. Over time (Fahlenbrach et al. 2012), it can regulate the possibility for businesses to adapt to the changing environment, but it may also change if it is no longer able to solve an organization's problems (Richter 2014). Therefore, it will only affect the role of risk management in the organization; even in the case of highly sophisticated and formalized risk governance, risk culture is still in charge of deciding which rules and behavior are important (Roeschmann 2014; Stulz 2014). As a mechanism of control over behavior, risk culture can impact on results, and if it is strong and in a stable environment, it can become more persistent over time (Sorensen 2014).

The organization is perhaps the "elementary unit" for the analysis of culture (Carretta 2001) and risk culture, but the individual is the unit in terms of personal integrity and propensity towards risk. High levels of perceived integrity are positively correlated with good outcomes, in terms of higher productivity, profitability, better industrial relations, and a higher level of attractiveness to prospective job applicants (Guiso et al. 2015), but individual behavior appears to be influenced by both context and professional identity which, once more, confirms the key importance of the organization (Villeval 2014).

Obviously, risk culture can appear in different forms as subcultures, or even conflicting countercultures, in the following areas: type of risk (i.e., credit or market), business functions and families in which it develops, prevailing business models, and roles in the bank's overall corporate governance (i.e. shareholders, board of directors, management, and auditors).

Subcultures may exist depending on the different contexts within which parts of an institution operate (See Box 6.3). However, subcultures should adhere to the high-level values and elements that support an institution's overall risk culture. A dynamic balance is required between the value generated by the differences in risk perception and that generated by a unitary risk approach.

BOX 6.3 THE MACQUARIE UNIVERSITY RISK CULTURE SCALE

The Macquarie University Risk Culture Scale was used to assess the culture in 113 business units across three large banks, two headquartered in Australia and one in North America.

The main findings were as follows:

• Strong risk culture was generally associated with more desirable risk-related behavior (e.g., speaking up) and less undesirable behavior (e.g., manipulating controls).

• Personal characteristics were also important. Long-tenured and less risk tolerant employees, and employees with a positive attitude towards risk management, were more likely to display desirable risk-related behavior. Those with high personal risk tolerance were more likely to display undesirable risk-related behavior.

• Good risk structures (policies, controls, IT systems, training, and remuneration systems) appeared to support a strong culture and ultimately less undesirable risk behavior. Good risk structures did not by themselves guarantee good behavior. Early results suggested that structures such as remuneration were interpreted through the lens of culture.

• Senior staff tended to have a significantly more favorable perception of culture than junior staff. This highlighted the importance of anonymous and independent risk culture assessments where staff felt safe to reveal their true beliefs.

• There were statistically significant differences between the risk cultures of the three large banks analyzed.

• The majority of business units assessed (more than 95% of 113) had an internally consistent perception of culture, namely, there was a strong or obvious culture in the unit (i.e., not just the perception of an individual but a quality of the group). However, it should be noted that there might have been agreement on the fact that culture was good or poor.

• The most significant variation in risk culture scores occurred at the business unit level and seemed to be driven by the local team environment. This was consistent with the hypothesis that culture was a local construct highly dependent on interactions with close colleagues and immediate managers.

Source: Adapted from Elizabeth Sheedy and Barbara Griffin, Empirical Analysis of Risk Culture in Financial Institutions: Interim Report, Macquarie University, November (2014).

6.5 CHANGE AND CHALLENGE: DEPLOYING AN EFFECTIVE RISK CULTURE

Risk culture is not a static thing but a formal and informal process continuously repeating and renewing itself. Risk culture, as well as corporate culture, evolves over time in relation to the events that affect an institution's history (such as mergers and acquisitions) and to the external context within which it operates.

Building a sound risk culture is a collective process, not simply a matter of improving technical skills. Risk culture shall be a part of the business and not simply of supervision, which is not necessarily a good proxy. Therefore, it concerns decisions and actions on a daily basis, such as the way information is shared, the people being asked when something went wrong, the capacity to represent risk inside the organization, and the understanding and correct use of documents. It also includes what "worked" in the past. With the changing of both external and internal conditions, culture too changes along with a strategic change (See Box 6.4). An obsolete business culture is an obstacle to improving performance.

BOX 6.4 "USING" CULTURE

Although its influence on firm behavior has long been clear, culture has only recently been discovered as a dependent variable of planning by management literature. In theory, a culture suited to the type of enterprise can make a significant contribution to firm success. This means that people "make use of" culture, that their behavior is inspired by company values, and that they have communicated company values to the market, emphasizing the positive aspects of its culture (Hofstede 1983). It is necessary for the "bosses" at all levels to continuously emphasize the importance that behavior adheres to company culture, repeat and strengthen its basic contents and remind people that it has a positive impact on people and company performance.

The Group of Thirty (2015) states that culture and behavior in today's financial systems and institutions are inadequate. An important finding is that a suitable culture, with particular regard to risk, is not a critical success factor but is displayed only to meet the expectations of the public, customers or norms at particular times. It is not central to governance organs or senior management. It is not sufficiently rewarded in performance management and does not feature in bank personnel training. It does not dialogue with the three lines of risk defense (business, supervision and risk management, auditing). In the United Kingdom, the Banking Standards Board has been set up by seven big banks in response to the findings of a Parliamentary Commission. The Board aims to raise and spread behavioral standards inside the British financial system, thus contributing to the continuous improvement in bank behavior and culture.

A process of cultural change is ambitious as it involves many players. It is the case that bank shareholders, management, bank staff, parliament, government, legal system, supervision authorities, media, education system, and customers are responsible for the current unsatisfactory situation to various degrees.

So how can a renewed culture be fully developed and spread in a bank today?

Theory and cross-industry experiences clearly demonstrate that three mechanisms are critical for achieving the cultural transformation of the banking sector. (1) Changing the culture of a complex organization like a bank is possible, but difficult, and requires the awareness of the need for change, many resources, and a long time. In fact, relationships between management actions and culture are not necessarily linear, as there are multiple, complex issues relating to proportionality and accountability of individuals versus institutions that require consideration by enforcement agencies (Group of Thirty 2015).

A major improvement in culture can be secured by focusing on values and conduct, which are the building blocks of culture. (2) Change necessitates a systemic approach to all subjects involved, by taking into account their mutual roles. A sustained focus on conduct and culture shall be carried out by banks (board and management) and the banking industry. All this is needed to make major improvements in culture within the banking industry and individual institutions (Group of Thirty 2015). Addressing cultural issues must of necessity be the responsibility of the board and management of firms. Supervisors and regulators cannot determine culture, but the former have an important monitoring function. (3) In order to be successful, the new culture has to be profitable and create real value for all subjects, institutions, and individuals, which present their own forms of motivation explaining their possibly diverging behavior (Lo 2015). The effect of all this should be the creation of a competitive advantage for firms with better cultures and conduct, with respect to client reputation and the ability to attract staff and investors. Banks will only succeed if they accept that culture is core to their business models and if they decide that fixing culture is key to their economic sustainability (Dickson 2015).

The assessment of a bank's risk culture and the perception of its possible distance from a culture that can be considered adequate to context, business model, and government requirements are matters for the individual bank according to its characteristics. In fact, there is no doubt that risk culture is widely inadequate today and that there is a need to move from "form to substance". The attitude "I have complied with the regulations" needs to be replaced by "I have done everything possible to prevent and resolve problems". Just because it is legal, it does not mean that it is right (See Box 6.5).

The main changes since 2008 in the risk culture scenario are enforcement in legislation, growth of the risk function, introduction of balanced scorecards replacing sales staff performance indicators, a shift in focus from compliance to conduct, and culture becoming a board issue (Cass Business School 2015).

What matters today is that all these forces are involved in a common effort to promote a new banking culture shared by both banking authorities and clientele. And, importantly, banks themselves shall play an active role in this new cultural change.

Risk culture is a sensitive area and cannot be dealt with on the single dimension of lowering risk propensity by strengthening


BOX 6.5 MEASURES TO REDUCE MISCONDUCT RISK

Codes and standards of conduct have been in place across the industry for some time. The issue was not the development of codes or standards, but their effective implementation and enforcement across diverse business lines and jurisdictions. Official sector and private sector representatives noted that the effective implementation of conduct risk management involves fundamental changes in culture and behavior across the industry, involving firms and market stakeholders. Such changes take time.

Critical implementation challenges include:

• Integration in business decision-making. The integration of behavior and ethical considerations in business decisions (which could involve limiting or withdrawing from certain transactions or businesses) challenges the "prevailing consensus" on success; other stakeholders, including a firm's customers and shareholders, may need to be involved in supporting these changes.

• Consistency of messages and action. The "tone at the top" is not always supported by consistent actions that demonstrate that conduct and ethical considerations visibly determine hiring, promotions, professional standing, and success. This requires coordinated engagement of all parts of the organization; ethical and behavior considerations cannot, therefore, be segregated into compliance or human resources functions. Ensuring that senior level employees take responsibility for driving forward changes is important to success.

• Cross-border and cross-cultural issues. Supervisors, clients, and stakeholders have different expectations and perspectives of the role of financial services providers. As such, approaches to conduct risk management, as well as rules relating to permissible incentives regarding conduct, differ across jurisdictions. These differences pose challenges for global firms seeking to establish consistent expectations across the institution.

• Common taxonomy for conduct risk. The integration of conduct risk in all aspects of a firm's business, in a manner that is consistent across the industry, requires the development of a consistent set of definitions, methods of assessment, and measurement of conduct risk. These risks vary across product lines and may vary with the organizational structure of businesses within firms.

• Grey areas. Actions that are not "illegal" but which, under particular circumstances, could be inconsistent with a firm's values are sometimes difficult to address because they are often dependent on facts and circumstances. Frontline employees are often called upon to exercise their discretion in fulfilling customer requests; these decisions are sometimes complex and can vary across business lines. Under these circumstances, it is difficult to make prior determinations on the best course of action or to define clear boundaries. Firms need to develop frameworks to address these questions in a consistent manner. A visible institutional leadership in resolving and sanctioning a weak management of conduct risk will be important. Engaging business lines in cooperative approaches to identifying conduct risk such as "reporting in the public interest" may help overcome limitations of "whistleblowing" approaches, which risk putting employees and the institution on opposite sides. It was however noted that there was a significant amount of regulation and case law in existence which should help give firms clarity on what constituted a breach of regulation or law.

• Role of directors. While board oversight of conduct risk is critical to the strengthening of conduct risk management, an appropriate balance should be established between the accountability of individual executives and the board, in particular, NEDs. It was acknowledged that boards are facing increased pressure and that there may be a risk that this could potentially create disincentives for experienced and qualified experts to serve on them.

Source: Adapted from Financial Stability Board (2015).

supervision. The most fundamental issue in the risk culture debate is the trade-off between risk-taking and control (Power et al. 2013).

As reported in the Financial Times, the CEO of UBS recently commented that: "Mistakes are ok . . . try to eliminate all risk-taking and threaten to punish all mistakes and the ensuing culture of fear will limit the pursuit of legitimate business." The controversy caused by these comments showed that seeking to completely eliminate risk, which after all underpins all financial intermediation, is unrealistic. Instilling into the personnel the fear of making mistakes can only lead to immobility. In the context of a robust and sound culture of risk, mistakes are a management tool and need to be explained in detail for a correct balance between risk-taking and the maintaining of an appropriate level of control. "Bad apples" in a bank shall not be allowed to take the blame for specific behavior which reflects a weak risk culture. Rather than a lack of personal integrity or a "natural" tendency towards dishonesty, non-compliant behavior is, in fact, the outcome of exogenous environmental and company factors which deform the sound conversion of individual values into behavior and actions, which, in other words, reflect a firm's unsatisfactory risk culture. An experiment recently performed on a sample of bank managers compared with other sectors aiming to test their propensity to lie yielded interesting

112 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
findings. The propensity to lie is similar in different sectors and in normal conditions, but rises significantly for managers, whose work environment (in this case the bank) is mentioned (Cohn et al. 2014).

Risk culture is definitively 100% compatible with risk-taking and profit-making. A sound risk culture helps ensure that activities beyond the institution's risk appetite are recognized, assessed, escalated, and addressed in a timely manner (Dickson 2015).

CONCLUSIONS

Culture matters. Risk culture is essential for a prudent and sound bank management, and needs to be central in any evaluation. Risks are an inherent aspect of bank function and are taken, transformed, and managed with competence and professionalism. In this sense, risk culture is central to banks and has an impact on risk-taking propensity and policies, types of risk assessment/performance ratio and final decisions. The behavior of banks and their personnel is a direct expression of risk culture.

Banks must develop their risk culture beyond regulatory guidelines, in order to support their corporate strategy and strengthen their core skills, and turn risks into opportunities. They are required to commit to improving their culture more effectively. The banks which are successful at doing this with consistency, awareness, and determination in strategic decisions will raise and consolidate their market reputation.

BIBLIOGRAPHY

Aebi, A. B., Sabato, G., Schmid, C. "Risk Management, Corporate Governance and Bank Performance in the Financial Crisis". Journal of Finance and Banking 36 (2012): 3213-3226.

Basel Committee on Banking Supervision, BCBS Publications. Corporate Governance Principles for Banks. Guidelines, 2015.

Banking Standards Board. Annual Review 2015/2016, London, March 8, 2016.

Boot, A. W. A. "Relationship Banking: What Do We Know?" Journal of Financial Intermediation 9 (2000): 7-25.

Carretta, A., Farina, V., Fiordelisi, F., Schwizer, P., Stentella Lopes, F. S. "Don't Stand So Close to Me: The Role of Supervisory Style in Banking Stability". Journal of Finance & Banking 52 (2015): 180-188.

Carretta, A. (ed.). Il governo del cambiamento culturale in banca: modelli di analisi, strumenti operativi, valori individuali, Rome, ITA: Bancaria Editrice (2001).

Carretta, A., Farina, V., Schwizer, P. "Cultural Fit and Post-merger Integration in Banking M&As". Journal of Financial Transformation 33 (2007): 137-155.

Cass Business School. "A Report on the Culture of British Retail Banking". London, UK: New City Agenda and Cass Business School, November 24, 2014.

Cohn, A., Fehr, E., Marechal, M. A. "Business Culture and Dishonesty in the Banking Industry". Nature 516 (2014): 86-89.

Deloitte Australia. "Cultivating an Intelligent Risk Culture: A Fresh Perspective". Sydney, AU: Deloitte Touche Tohmatsu Ltd. (2012).

Dickson, J. "The Relevance of the Supervision of Behavior and Culture to the SSM". Amsterdam, NED: 'Looking forward: Effective Supervision of Behavior and Culture at Financial Institutions' Conference in the Tropenmuseum, De Nederlandsche Bank, Amsterdam, September 24, 2015.

Ellul, A., Yerramilli, V. "Stronger Risk Controls, Lower Risk: Evidence from U.S. Bank Holding Companies". Journal of Finance 68 (2013): 1757-1803.

Fahlenbrach, R., Prilmeier, R., Stulz, R. M. "This Time is the Same: Using Bank Performance in 1998 to Explain Bank Performance During the Recent Crisis". Journal of Finance 67 (2012): 2139-2185.

Farrel, J. M., Hoon, A. What's Your Company Risk Culture? US: KPMG US LLP, May, 2009.

Financial Stability Board, FSB. Guidance on Supervisory Interaction with Financial Institutions on Risk Culture. A Framework for Assessing Risk Culture, FSB Publications, Policy Documents, April 7, 2014.

Financial Stability Board, FSB. Measures to Reduce Misconduct Risk, FSB Publications, Progress Reports, November 6, 2015.

Group of Thirty. Banking Conduct and Culture. A Call for Sustained and Comprehensive Reform, Washington DC, US: Group of Thirty, July, 2015.

Guiso, L., Sapienza, P., Zingales, L. "The Value of Corporate Culture". EIEF Working Paper 27 (2013).

Hofstede, G. H. "The Cultural Relativity of Organizational Practices and Theories". Journal of International Business Studies 14 (1983): 75-89.

Institute of International Finance (IIF). Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, Report of the IIF Steering Committee on Implementation, 2009.

Institute of Risk Management. Risk Culture Under the Microscope: Guidance for Board, 2012.



Karolyi, G. A. "The Gravity of Culture for Finance". Journal of Corporate Finance 41 (2015): 610-625.

Kennedy, A. A., Deal, T. E. Corporate Cultures: The Rites and Rituals of Corporate Life, New York, US: Perseus Books (1982).

Li, K., Griffin, D., Zhao, L. "How Does Culture Influence Corporate Risk-taking?" Journal of Corporate Finance 23 (2013): 1-22.

Lingel, A., Sheedy, E. A. "The Influence of Risk Governance on Risk Outcomes: International Evidence". Macquarie Applied Finance Centre Research Paper 37 (2012).

Lo, A. W. "The Gordon Gekko Effect: The Role of Culture in the Financial Industry". NBER Working Papers 21267 (2015).

Mihet, R. "Effects of Culture on Firm Risk-Taking: A Cross-country and Cross-industry Analysis". IMF Working Paper 210 (2012).

Power, M., Ashby, S., and Palermo, T. Risk Culture in Financial Organizations: A Research Report, London, UK: London School of Economics (2013).

Richter, C. "Development of a Risk Culture Intensity Index to Evaluate the Financial Market in Germany". Proceedings of FIKUSZ Symposium for Young Researcher 14 (2014): 237-248.

Roeschman, A. Z. "Risk Culture: What it is and how it Affects an Insurer's Risk Management. Risk Management and Insurance". Risk Management and Insurance Review 17 (2014): 227-296.

Schein, E. H. "Organizational Culture". The American Psychologist Association 45 (1990): 109-119.

Schein, E. H. Organizational Culture and Leadership, 4th Edition, San Francisco, US: Jossey-Bass Inc. (2010).

Schneider, B. The Psychological Life of Organizations in Handbook of Organizational Culture and Climate, eds. Ashkanasy, Neal, M., Wilderom, Celeste, P. M., Wilderom and Peterson, Mark. F., London, Thousand Oaks, New Delhi, UK, US, IND: Sage (2000).

Senior Supervisors Group. Risk Management Lessons from Financial Crisis 2008, 2009.

Sheedy, E., and Griffin, B. Empirical Analysis of Risk Culture in Financial Institutions: Interim Report, Sydney, AU: Macquarie University (2014).

Smith-Bingham, R. Risk Culture: Think of the Consequences, New York, US: Risk Management Insights, Marsh & McLennan Companies, Oliver Wyman (2015).

Sorensen, J. B. "The Strength of Corporate Culture and the Reliability of Firm Performance". Administrative Science Quarterly 47 (2014): 70-91.

Stulz, R. M. "Governance, Risk Management, and Risk-Taking in Banks". Finance Working Paper 427 (2014).

Villeval, M. C. "Behavioural Economics: Professional Identity Can Increase Dishonesty". Nature 516 (2014): 48-49.

Zingales, L. "The 'Cultural Revolution' in Finance". Journal of Financial Economics 117 (2015): 1-4.

OpRisk Data and Governance

Learning Objectives

After completing this reading you should be able to:

• Describe the seven Basel II event risk categories and identify examples of operational risk events in each category.
• Summarize the process of collecting and reporting internal operational loss data, including the selection of thresholds, the timeframe for recoveries, and reporting expected operational losses.
• Explain the use of a Risk Control Self Assessment (RCSA) and key risk indicators (KRIs) in identifying, controlling, and assessing operational risk exposures.
• Describe and assess the use of scenario analysis in managing operational risk, and identify biases and challenges that can arise when using scenario analysis.
• Compare the typical operational risk profiles of firms in different financial sectors.
• Explain the role of operational risk governance and explain how a firm's organizational structure can impact risk governance.

Excerpt is Chapter 2 of Fundamental Aspects of Operational Risk and Insurance Analytics: A Handbook of Operational Risk, by Marcelo G. Cruz, Gareth W. Peters, and Pavel V. Schevchenko.
7.1 INTRODUCTION

One of the first and most important phases in any analytical process, and this is certainly no different when developing OpRisk models, is to cast the data into a form amenable to analysis. This is the very first challenge that an analyst or quant faces when determined to model, measure, and even manage OpRisk. At this stage, there is a need to establish how the information available can be modeled to act as an input in the analytical process that would allow proper risk assessment to be used in risk management and mitigation. In risk management, and particularly in OpRisk, this activity is today quite regulated and the entire data process, from collection to maintenance and use, has strict rules, which in a way reduces the variance in the use of the data across the industry.

The OpRisk framework starts by having solid risk taxonomy so risks are properly classified. Firms also need to perform a comprehensive risk mapping across their processes to make sure that no risk is left out of the measurement process. This is a key process to be accomplished and where a number of firms should be paying more attention.

In this chapter, we lay the ground for the basic building blocks of OpRisk management. First we describe how risk taxonomy works, classifying loss events into the major risk categories. Then we describe the four major data elements that should be used to measure and manage OpRisk: internal loss data, external loss data, scenario analysis, and business and control environment factors. When these risk mapping, taxonomy, and data building blocks are reasonably structured, it becomes important to configure the organization of the OpRisk department and a firm's risk governance. Even a very efficient and well-developed OpRisk framework would fail if the proper organization and policies are not in place.

7.2 OPRISK TAXONOMY

The term "taxonomy" has become quite popular in the risk management industry. In most conferences and industrial workshops, and most certainly among consultants, the term "risk taxonomy" has become a regular mantra. So, what is risk taxonomy? Taxonomy is actually a term borrowed from biology. One of the missions of the biologist is to discover new species on remote places of the planet and it would make their work easier if they could classify a new species into a new group based on some characteristics. So taxonomy means the conception, naming, and classifying organisms into groups. It is a common practice in biology to group individuals into species, arranging species into larger groups, and giving those groups names, thus producing a classification. For example, the fact that dolphins live in the sea and look like a fish does not make them a fish as many of their characteristics made biologists classify them as "mammals". Taxonomy basically encompasses description, identification, nomenclature, and classification. Therefore, taxonomy has become an interesting and a popular turn in the risk management industry as new risks are being encountered at regular intervals.

Before getting onboard the risk taxonomy bandwagon, a firm must perform a comprehensive risk mapping exercise. This means going through, in excruciating detail, every major process of the firm. For example, let us imagine the equity trading process. Analyzing this process would mean going through the risks from the moment the customer places an order until the transaction gets fully settled with exchanges of payment and securities delivered. Those will be the basic risks that are unlikely to change, unless there is a change in the process. From this process, a risk manager should also be able to point out where losses are coming from and develop mechanisms to collect them. The outcome of this exercise would be the building block of any risk classification study.

It is interesting to note that even today firms are struggling with basic risk classification, which is the base of the risk management pyramid, the very first building block of a robust risk management framework. Mistakes made in the past years in classifying a risk will have repercussions in the risk management and on the communication of risks, at a minimum, to outside parties like regulators, and might compromise any good work done elsewhere in the framework. There are roughly three ways that firms drive this risk taxonomy exercise: cause-driven, impact-driven, and event-driven. In many firms, risk taxonomy is a mixture of these three, making it even more difficult to get it right. Let us discuss these three methods. In the cause-driven method, the risk classification is based on the reasons that cause operational losses. This usually follows the old OpRisk definition (which most firms use in their annual reports) in which OpRisk is defined as a function of "people, systems, and external events". Some risk types in this classification would be, for example, "lack of skills in trade control" or "inappropriate access control to systems". Although there are some advantages in this type of classification, as a "root cause" is pretty much embedded into the risk classification, challenges arise when multiple causes exist or the cause is not immediately clear. If this cause-driven risk classification is applied to a process in which operational losses have high frequency, it would be very difficult for risk managers to correctly classify every single loss, and the attrition within the business and within the department is likely to be high. Another way to perform this classification exercise is through an impact-driven method. In this method, the classification is made

according to the financial impact of operational losses. Most firms that follow this type of classification do not invest heavily in OpRisk management; they just use this type to retrieve data from their systems. This is quite common in smaller firms. In this type of classification, it is quite difficult to manage OpRisk as, although the exposures are known, it is difficult to understand what is driving these losses.

The event-driven risk classification is probably the most common one used by large firms. It classifies risk according to OpRisk events. This is the classification used by the Basel Committee. It is interesting to know that during the Basel II discussions, when this type of risk taxonomy was presented, most of the industries were reluctant to accept it. A number of firms, even today, follow their own classification initially and map to the Basel event-type category later. What is interesting in this classification is that the definition is rather broad, which should make it easier to accept changes in the process. For example, under "Execution, Delivery, and Process Management" (EDPM), which is the level-1 event type, there is a category named "Transaction Capture, Execution, and Maintenance" that can be an umbrella for a number of event types. For example, if the equity trading process changes from an old-fashioned phone-based system to online high-frequency trading, using this classification it would be easy to define the taxonomy of these risks.

Given how new risks emerge in OpRisk, and also the breadth of its scope, the concept and the ideas behind risk taxonomy in OpRisk sound quite appealing. However, as this is a building block of the OpRisk framework, firms need to be very careful. In the following sections, all seven Basel II event types required for the advanced measurement approach (AMA) are defined and discussed in detail; a detailed breakdown into event types at level 1, level 2, and activity groups is provided in BCBS (2006, pp. 305-307).

Execution, Delivery, and Process Management

The EDPM loss event type is one of the most prominent in the OpRisk profile of firms or business units with heavy transaction processing and execution businesses. It encompasses losses from failed transaction processing, as well as problems with counterparties and vendors. Table 7.1 describes the Basel event-type breakdown for this risk.

Losses of this event type are quite frequent as these can be due to human errors, miscommunications, and so on, which are very common in an environment where banks have to process millions of transactions per day. A typical example of execution losses might help to illustrate how frequent these losses can be.

Consider the following deal: A foreign exchange (FX) trader bought USD 100,000,000 for €90,000,000 (i.e., USD 1 = €0.90) and then sold USD 100,000,000 for €90,050,000 (i.e., USD 1 = €0.9005) with an initial trading profit of €50,000. Both transactions were made almost at the same time, and the trader was obviously very satisfied with a profit of €50,000. In his/her excitement at the successful deal, however, there were some

Table 7.1 Execution, Delivery & Process Management (EDPM) Event Type Defined as Losses from Failed Transaction Processing or Process Management, from Relations with Trade Counterparties and Vendors. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1): Execution, Delivery & Process Management

Categories (Level 2) and Activity Examples:
• Transaction Capture, Execution and Maintenance: Miscommunication; data entry, maintenance or loading error; missed deadline or responsibility; model/system misoperation; accounting error/entity attribution error; other task misperformance; delivery failure; collateral management failure; reference data maintenance
• Monitoring and Reporting: Failed mandatory reporting obligation; inaccurate external report (loss incurred)
• Customer Intake and Documentation: Client permissions/disclaimers missing; legal documents missing/incomplete
• Customer/Client Account Management: Unapproved access given to accounts; incorrect client records (loss incurred); negligent loss or damage of client assets
• Trade Counterparties: Nonclient counterparty misperformance; misc. nonclient counterparty disputes
• Vendors and Suppliers: Outsourcing; vendor disputes



EXECUTION, DELIVERY AND PROCESS MANAGEMENT: MISUNDERSTANDING A TRADING ORDER: LARGE US PRIVATE BANK, AUGUST 2012

Despite the fact that there are currently many options to place orders, where technological devices such as e-mail, Internet, live chats are available, many purchase orders, particularly in private banking, are still being placed by old-fashioned telephone methods. A very common mistake is the misunderstanding of the order, especially frequent when the counterparty is a foreign-language speaker and the communication chain usually goes from client to banker to trader assistant to trader, and in any one of these links there is potential for communication breakdowns to happen.

In a busy afternoon at the end of summer 2012, a client asked his private banker to purchase "USD 100,000 of a particular share". The private banker passed this order to the trader, and at the end of the day the trader passed a bill to the private banker for several million US dollars. The private banker was absolutely stunned to see that they had bought a significant portion of this particular company. As a consequence of this transaction, the share price of this company rose significantly, which also generated questions from authorities that suspected some type of pump-and-dump scheme. Considering it all, the bank decided to keep the shares and sell them little by little. The operational loss in this case was reflected in the value lost in returning the stocks to the market after the shares returned to their average price.

snags in the back-office with some confusion on where to remit the payments of one leg of the deal, and the transaction was finally settled 3 days later than it should have been.

In FX transactions trading tickets are usually larger to compensate for the low margins. Similar situations as described earlier may lead to errors. The counterparties obviously would have demanded a compensation as the settlement has been delayed for 3 days, and the bank would also have paid a penalty, in the form of interest claims of €55,000. Therefore, any error has the potential to be bigger than a transaction's eventual economic profit.

The overall scenario is alarming. There was a loss of €5,000 on the aggregate due to operational errors (€50,000 transaction profit less €55,000 interest claims due for late payment). This is the reality a trading environment faces on the day-to-day. The actions of traders are recognized at the closing of the deal, and errors coming to light at a later time (e.g., mis-pricing, late settlement) are not linked back to the underlying cause. The error goes to an "error account" or the like and, in terms of OpRisk management, those who are responsible for the errors are never identified; even worse is that the real profitability of individual transactions is rarely understood. The cost side (and the OpRisks involved) is in general ignored.

Knowing where these errors occur is very important for OpRisk management.

Clients, Products, and Business Practices

Loss events under the Clients, Products and Business Practices (CPBP) risk type are usually the largest, particularly in the US. These events encompass losses, for example, from disputes with clients and counterparties, regulatory fines from improper business practices, or wrongful advisory activities. Table 7.2 presents

Table 7.2 CPBP Event Type Defined as Losses Arising from an Unintentional or Negligent Failure to Meet a Professional Obligation to Specific Clients (including fiduciary and suitability requirements) or from the Nature or Design of a Product. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1): Clients, Products, and Business Practices

Categories (Level 2) and Activity Examples:
• Suitability, Disclosure, and Fiduciary: Fiduciary breaches/guideline violation; suitability/disclosure issues (e.g., KYC); retail customer disclosure violations; breach of privacy; aggressive sales; account churning; misuse of confidential information; lender liability
• Improper Business or Market Practices: Antitrust; improper trade/market practices; market manipulation; insider trading (on firm's account); unlicensed activity; money laundering
• Product Flaws: Product defects (e.g., unauthorised); model errors
• Selection, Sponsorship, and Exposure: Failure to investigate client per guidelines; exceeding client exposure limits
• Advisory Activities: Disputes over performance of advisory activities

REAL OPRISK EVENTS: SBC WARBURG (INVESTMENT BANK), OCTOBER 1996

The Securities and Futures Authority in the UK (the former City of London regulator since superseded by the Financial Services Authority) released partial details in March 1997 of an investigation that had commenced in October 1996 into rogue trading in a program trade in SBC Warburg. (A program trade is a transaction where one agent, generally a fund, chooses another agent, generally a bank or a broker, to sell part of its shares in the market on a determined day and hour at prices determined by the market.) The program trading error that made SBC Warburg the subject of the investigation is thought to have cost it no more than £5 million. Nevertheless, this program trade was one of the largest ever to be awarded to SBC Warburg, and the SFA investigation has clearly embarrassed it. The investigation relates to a mistake made during the execution of a £300 million program trade for an investment trust which caused the price of a number of French stocks to fall sharply. The investigation is being extended to whether this bank made a similar error when selling Spanish shares as part of the same program deal.

The SFA investigation focused on a 30-min period on October 30, 1996. At some time around mid-day, SBC Warburg traders learnt that the bank had been awarded three contracts by Kleinwort Benson European Privatization Investment (Kepit) to execute a series of share sales (the so-called program trade) on its behalf. Contracts for programme trades are often awarded just before the deal takes place, and the Kepit deal was no different. It involved SBC Warburg taking the £300 million-worth of shares onto its books just minutes later, at 12:30 pm, and paying Kepit the mid-market prices for each share at that time. In the remaining minutes before the 12:30 pm deadline, SBC Warburg traders sought to sell some of the same shares they were about to get from Kepit in order to reduce the risk (this process is known as short selling, and it is accepted as a normal practice in a program trade, as long as the price does not fall too much).

Elsewhere at SBC Warburg, a trader was running an arbitrage position on Kepit, seeking to make money by exploiting differences between Kepit's own share price and the price of the shares the bank owned. SFA investigators were told that in the minutes before the 12:30 pm deadline, the SBC Warburg trader running the arbitrage position was seen on the trading floor making gestures with his hands for traders to get the price of the shares down. Nevertheless, a mistake by one of SBC Warburg's Paris-based traders attracted the attention of the SFA. Instead of selling as much as he could before 12:30 pm, SFA investigators have been told that the trader misunderstood his instructions and instead attempted to sell at the strike time. The trader also failed to put a so-called down limit on his proposed share sales, effectively turning it into an unlimited sell order.

In the tapes passed to the SFA (all conversations on the trading desk are recorded), the London-based trader is heard talking with a colleague about how the price of the French shares had fallen much further than they had planned. The trader complained that a colleague had just told him, in hindsight after the share prices had collapsed, that they should only have pushed the prices down by 1%. SBC admitted in March 1997 that its short selling had contributed to adverse price movements and dismissed several employees involved in the trade.

the Basel event-type breakdown and definition for this risk type. This is a specific and an important risk type for firms with operations in the US where litigation is very common. As seen in recent regulatory fines imposed on French banks and other foreign banks operating in US jurisdiction, this loss type can also be significant to off-shore entities.

Business Disruption and System Failures

The Business Disruption and System Failures (BDSF) event type is one of the most difficult to spot in a large organization. A system crash, for example, would almost certainly bear some financial loss for a firm, but these losses most likely would be classified as EDPM. An example might help to clarify this point. Suppose that the funding system of a large bank crashes at 9:00 am. Despite all efforts from IT, the system comes back online only by 4:00 pm when money markets are already closed. When the system returns, the bank learns that it needs to fund an extra USD 20 billion on that day. As the markets are already closed, they need to make requests to their counterparties to allow them special conditions; however, the rates at which they capture these funds are higher than the daily average. This extra cost, although due to a system failure and, therefore, should be classified as BDSF, would hardly be captured at all. Table 7.3 presents the formal Basel definition and breakdown of this risk type.

Table 7.3 BDSF Event Risk Type Defined as Losses Arising from Disruption of Business or System Failures. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1): Business Disruption and System Failures

Categories (Level 2) and Activity Examples:
• Systems: Hardware; software; telecommunications; utility outage/disruptions

Chapter 7 OpRisk Data and Governance ■ 119


The difficulty of capturing this event type is reflected in external databases where, apart from damage to physical assets, this risk type has the fewest events.

REAL OPRISK EVENTS: MODEL INPUTS FRAUD, NATWEST, MARCH 1997

One of the most famous cases in derivatives mispricing was the one that happened at NatWest in 1997. On February 28, 1997, a few days after the bank released its annual results, it announced a loss of approximately USD 150 million caused by a junior trader who had already left the bank. The trader was said to be dealing in long-dated OTC interest rate options, used by companies that borrow at a floating rate and purchase a cap on the interest payments. The major problem in valuing these options is that they are relatively illiquid. The trader calculated the price of the options by providing his own estimates of volatility, which he apparently overestimated, creating fictitious profits that built up in the books over time. The volatility estimates resulted in the options being underpriced. The trader attracted more clients, booking the requested premium, thereby increasing the apparent profitability of his desk (and, by extension, his remuneration). The loss was realized when the options were exercised.

External Frauds

External frauds are frauds committed or attempted by third parties or outsiders against the firm. Examples would be system hacking and check and credit card frauds. External fraud is very common in retail businesses where financial firms deal with millions of clients. Frauds attempted or committed by clients are a daily event in sectors such as retail banking, retail brokerage, and credit card services; see Table 7.4 for the Basel II definition and breakdown.

Table 7.4 External Fraud Event Risk Type Defined as Losses Due to Acts of a Type Intended to Defraud, Misappropriate Property, or Circumvent the Law by a Third Party. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1) | Category (Level 2) | Activity Examples
External fraud | Theft and fraud | Theft/robbery; forgery; check kiting
 | Systems security | Hacking damage; theft of information (w/monetary loss)

Internal Fraud

Internal frauds are frauds committed or attempted by a firm's own employees. It is one of the less frequent types of OpRisk loss. Given the sophisticated controls that most institutions have, this would be unlikely. However, events such as traders mismarking positions, particularly in assets for which it is hard to establish an accepted mark-to-market price, are not uncommon. Recently there were a number of large internal frauds in which billions of dollars were lost as traders of a particular bank failed to mention their position. These are usually low-frequency/high-severity events. Table 7.5 presents the formal Basel definition and breakdown of this risk type.

Table 7.5 Internal Fraud Event Risk Type Defined as Losses Due to Acts of a Type Intended to Defraud, Misappropriate Property or Circumvent Regulations, the Law or Company Policy, Excluding Diversity/Discrimination Events, Which Involves at Least One Internal Party. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1) | Category (Level 2) | Activity Examples
Internal fraud | Unauthorised activity | Transactions not reported (intentional); transaction type unauthorised (w/monetary loss); mismarking of position (intentional)
 | Theft and fraud | Fraud/credit fraud/worthless deposits; theft/extortion/embezzlement/robbery; misappropriation of assets; malicious destruction of assets; forgery; check kiting; smuggling; account take-over/impersonation/etc.; tax noncompliance/evasion (willful); bribes/kickbacks; insider trading (not on firm's account)

Employment Practices and Workplace Safety

The Employment Practices and Workplace Safety (EPWS) type of risk is more prominent in the Americas than in Europe or Asia, as either the labor laws are old-fashioned and/or there is more of a culture

120 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
of litigation against employers (Table 7.6). For example, some large banks in Brazil would count employment litigation in the tens of thousands, and it is one of the main OpRisks for banks. In some lines of business, like investment banking, employment issues are also quite important. As these lines of business mostly provide advisory to large corporations and the key personnel is highly compensated, litigation against some of these key employees and losing them can cost millions of dollars.

Table 7.6 EPWS Event Risk Type Defined as Losses Arising from Acts Inconsistent with Employment, Health or Safety Laws or Agreements, from Payment of Personal Injury Claims, or from Diversity/Discrimination Events. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1) | Category (Level 2) | Activity Examples
Employment Practices and Workplace Safety | Employee relations | Compensation, benefit, termination issues; organised labor activity
 | Safe environment | General liability (e.g., slip and fall); employee health and safety rules events; workers compensation
 | Diversity and discrimination | All discrimination types

Damage to Physical Assets

Damage to Physical Assets (DPA) is another OpRisk event type. The most common method to assess the exposure to this risk is through scenario analysis using insurance information. Very few firms actively collect losses on this risk type, as these are usually either too small or incredibly large. The formal Basel definition and breakdown of this risk type is presented in Table 7.7.

Table 7.7 DPA Event Risk Type Defined as Losses Arising from Loss or Damage to Physical Assets from Natural Disaster or Other Events. Basel II event type classification as provided in BCBS (2006, pp. 305-307)

Category (Level 1) | Category (Level 2) | Activity Examples
Damage to physical assets | Disasters and other events | Natural disaster losses; human losses from external sources (e.g., terrorism, vandalism)

7.3 THE ELEMENTS OF THE OPRISK FRAMEWORK

The four elements that should be used in any OpRisk framework are as follows:

• Internal loss data;
• Business environment and internal control factors;
• External loss data;
• Scenario analysis.

We provide a description of each of these elements in the following text.

Internal Loss Data

Operational loss means a gross monetary loss (excluding insurance or tax effects) resulting from an operational loss event. An operational loss includes all expenses associated with an operational loss event except for opportunity costs, forgone revenue, and costs related to risk management and control enhancements implemented to prevent future operational losses.

Having a robust historical internal loss database is the basis of any OpRisk framework. These losses need to be classified into the Basel categories (and into internal categories, if these differ from the Basel ones) and mapped to a firm's business units. Given their importance for the OpRisk framework, the collection and maintenance of these data are heavily regulated. Basel II regulation says that firms need to collect at least 5 years of data (BCBS, 2006), but most decided not to discard any loss even when these are older than this limit. Since losses are difficult to acquire and it takes years to build up a reliable and informative loss database, most firms even pay to supplement internal losses (see the discussion of external loss databases below). Hence, it is clear that it would not make sense to discard losses that took place in the firm unless the business in which the loss took place was sold. There are a number of issues that can come from internal data modeling that are worth comment and are listed below.

Considerable challenges exist in collating a large volume of data, in different formats and from different geographical locations, into a central repository, and in ensuring that these data feeds are secure and can be backed up and replicated in case of an accident.

Setting a Collection Threshold and Possible Impacts

Most firms set a threshold for loss collection, as allowed by Basel. However, this decision can have a significant impact in establishing the risk profile of a business unit. This is usually the case


Table 7.8 The Impact of Threshold Choice: Losses in a Certain Year for the Asset Management Division of a Bank

Loss Brackets (USD) | Number of Losses | Total (USD) | Accumulated Total (USD)
> 5,000,000 | 3 | 23,750,325 | 23,750,325
1,000,000-5,000,000 | 7 | 13,775,000 | 37,525,325
500,000-1,000,000 | 10 | 8,250,781 | 45,776,106
100,000-500,000 | 12 | 3,562,177 | 49,338,283
50,000-100,000 | 22 | 1,723,490 | 51,061,773
20,000-50,000 | 71 | 2,159,021 | 53,220,794
< 20,000 | 1520 | 17,500,235 | 70,721,029
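The threshold effect in Table 7.8 can be checked directly. The following is an added example, not code from the book: it takes the bracket totals of Table 7.8 (the only data it uses) and reports what a loss database with a given collection threshold would contain, both in money and in number of events. The function names and the assumption that no bracket straddles a threshold are mine.

```python
"""Added example: effect of the loss collection threshold on reported losses,
using the bracket totals of Table 7.8 (book data; function names are assumptions)."""

# (lower bound of bracket in USD, number of losses, total USD), from Table 7.8.
# "< 20,000" is encoded with lower bound 0; "> 5,000,000" is open at the top.
TABLE_7_8 = [
    (5_000_000, 3, 23_750_325),
    (1_000_000, 7, 13_775_000),
    (500_000, 10, 8_250_781),
    (100_000, 12, 3_562_177),
    (50_000, 22, 1_723_490),
    (20_000, 71, 2_159_021),
    (0, 1520, 17_500_235),
]


def losses_above_threshold(brackets, threshold):
    """Return (number of losses, total USD) for every bracket whose lower bound
    is at or above the threshold: what a database collected with that threshold
    would hold. Assumes no bracket straddles the threshold (true for Table 7.8
    at the thresholds the text discusses)."""
    count = sum(c for lo, c, _ in brackets if lo >= threshold)
    total = sum(t for lo, _, t in brackets if lo >= threshold)
    return count, total


def losses_below(brackets, bound):
    """Total USD of all brackets lying entirely below `bound`."""
    return sum(t for lo, _, t in brackets if lo < bound)


def threshold_report(brackets, thresholds):
    """For each candidate threshold: what is kept, and what share of the
    untruncated loss total and event count that represents."""
    full_count, full_total = losses_above_threshold(brackets, 0)
    report = {}
    for th in thresholds:
        count, total = losses_above_threshold(brackets, th)
        report[th] = {
            "count": count,
            "total": total,
            "share_of_total": total / full_total,
            "share_of_count": count / full_count,
        }
    return report


if __name__ == "__main__":
    for th, row in threshold_report(TABLE_7_8, [100_000, 20_000, 0]).items():
        print(f"threshold {th:>9,}: {row['count']:>5} events, USD {row['total']:>12,} "
              f"({row['share_of_total']:.0%} of loss, {row['share_of_count']:.1%} of events)")
    print("losses under USD 50,000:", f"{losses_below(TABLE_7_8, 50_000):,}")
```

Run as a script, the report reproduces the text's USD 49 million / 53 million / 71 million figures and shows the other side of the trade-off: a USD 100,000 threshold keeps about 70% of the loss amount but under 2% of the events, so the frequency side of the risk profile is almost entirely lost.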

in businesses that have heavy transaction execution, like asset management or equities. See the example in Table 7.8. If the OpRisk department had chosen USD 100,000 as the threshold, usually under the argument that only tail events drive OpRisk capital, that firm would think that its total loss in that year was USD 49 million. If the threshold choice was USD 20,000, the total losses would be USD 53 million. However, most losses are due to compensating retail clients whose orders usually range from USD 1,000 to USD 50,000. The sum of the losses under USD 50,000 is about USD 20 million, which is almost equivalent to the losses above USD 5 million. For this particular firm, setting the loss collection threshold at USD 100,000 would show total losses for the year as USD 49 million. However, if this firm had not set a loss collection threshold, they would observe that their actual losses were USD 71 million, a very different risk profile.

A number of OpRisk managers pick their threshold thinking only in terms of OpRisk capital. Disregarding these small losses in many cases can bias the risk profile of a business unit and, of course, this will also have an impact on OpRisk capital.

Completeness of Database (Under-Reporting Events)

In gathering data from disparate sources, we need to avoid an OpRisk in collecting the OpRisk data. Such risks and subsequent losses may arise, for example, when the employee responsible for reporting losses does not send the loss information to the central database, whether accidentally or not. The Basel II document BCBS (2006) refers to this scenario, with the possible consequence being that an institution that could not prove that loss data is flowing with a high degree of reliability to the central database(s) is likely to be disallowed from employing more advanced techniques for assessing the levels of risk.

The development of filters that capture operational issues and calculate an eventual operational loss is one of the most expensive parts of the entire data collection process, but the outcome can be decisive in making an OpRisk project successful and in increasing confidence in the completeness of the loss database.

This OpRisk filter will vary from bank to bank depending on their systems, but in all cases it works like a conduit between systems, collecting every cancellation or alteration made to a transaction, or any differences between the attributes of a transaction in one system compared to its attributes in another system. The transaction flow starts at the front-office system that registers the transaction, passing it to the accounting and clearing systems. Any discrepancy, alteration, or cancellation must be extracted by the OpRisk filter. Also, abnormal inputs (e.g., a lower volatility in a derivative) can be flagged and investigated. The filter will calculate the OpRisk loss event and several other impacts in the organization.

Recoveries and Near Misses

The Basel II rules (BCBS, 2006) in general do not allow recoveries to be considered for capital calculation purposes. The issue again is that if firms are trying to estimate losses that can happen once every thousand years, it would not make sense to start applying mitigating factors to reduce the losses and eventually also reduce capital. For this reason, gross losses should be considered for OpRisk calculation purposes.

The only exception is for rapidly recovered loss events, but even this exception is not accepted everywhere. Rapidly recovered loss events are OpRisk events that lead to losses recognized in financial statements that are recovered over a short period. For instance, a large internal loss is rapidly recovered when a bank transfers money to a wrong party but recovers all or part of the loss soon thereafter. A bank may consider this to be a gross loss and a recovery. However, when the recovery is made rapidly, the bank may consider that only the loss net of the rapid recovery constitutes an actual loss. When the rapid recovery is full, the event is considered to be a "near miss".
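As an added example, and not the book's code or any bank's actual filter: a minimal OpRisk filter of the kind described above, which reconciles each trade's front-office attributes against the accounting and clearing systems to extract breaks, unpropagated cancellations and abnormal inputs, followed by the gross/recovery treatment of the Recoveries and Near Misses section. The trade snapshots, field names, volatility floor and the five-day rapid-recovery window are all constructed assumptions.

```python
"""Added example: a minimal OpRisk filter (trade reconciliation across systems)
plus gross-loss / rapid-recovery / near-miss classification. Records, field
names and thresholds are constructed for illustration, not taken from any firm."""

# Constructed snapshots of four trades as held by three systems. The front
# office is the system of record; anything different downstream is a break.
FRONT_OFFICE = {
    "T1": {"qty": 1000, "price": 101.5, "vol": 0.22, "status": "live"},
    "T2": {"qty": 500,  "price": 99.0,  "vol": 0.25, "status": "live"},
    "T3": {"qty": 2000, "price": 50.0,  "vol": 0.04, "status": "live"},       # implausibly low vol
    "T4": {"qty": 100,  "price": 10.0,  "vol": 0.30, "status": "cancelled"},  # cancelled after booking
}
ACCOUNTING = {
    "T1": {"qty": 1000, "price": 101.5, "vol": 0.22, "status": "live"},
    "T2": {"qty": 5000, "price": 99.0,  "vol": 0.25, "status": "live"},       # quantity break
    "T3": {"qty": 2000, "price": 50.0,  "vol": 0.04, "status": "live"},
    "T4": {"qty": 100,  "price": 10.0,  "vol": 0.30, "status": "live"},       # cancellation not propagated
}
CLEARING = {
    "T1": {"qty": 1000, "price": 101.5, "vol": 0.22, "status": "live"},
    "T2": {"qty": 500,  "price": 99.0,  "vol": 0.25, "status": "live"},
    "T3": {"qty": 2000, "price": 50.0,  "vol": 0.04, "status": "live"},
    # T4 never reached clearing at all
}

VOL_FLOOR = 0.10           # constructed plausibility bound for the abnormal-input check
RAPID_RECOVERY_DAYS = 5    # constructed window: recoveries inside it count as "rapid"


def find_breaks(front, downstream, system_name):
    """Compare every front-office trade with one downstream system.
    A trade missing downstream is reported as a break on every attribute.
    Returns (trade_id, system, field, front_value, downstream_value) tuples."""
    breaks = []
    for trade_id, fo_rec in front.items():
        ds_rec = downstream.get(trade_id)
        for fld, fo_val in fo_rec.items():
            ds_val = None if ds_rec is None else ds_rec.get(fld)
            if ds_val != fo_val:
                breaks.append((trade_id, system_name, fld, fo_val, ds_val))
    return breaks


def find_cancellations(front):
    """Trades cancelled after booking; each one is a candidate loss event."""
    return sorted(t for t, r in front.items() if r["status"] == "cancelled")


def find_abnormal_inputs(front, vol_floor=VOL_FLOOR):
    """Derivative trades booked with a volatility below the plausibility floor."""
    return sorted(t for t, r in front.items() if r["vol"] < vol_floor)


def run_filter(front, systems):
    """systems: {name: snapshot}. Collects everything the text says the filter
    must extract: breaks, cancellations and abnormal inputs."""
    findings = {
        "breaks": [],
        "cancellations": find_cancellations(front),
        "abnormal_inputs": find_abnormal_inputs(front),
    }
    for name, snapshot in systems.items():
        findings["breaks"].extend(find_breaks(front, snapshot, name))
    return findings


def classify_loss_event(gross_loss, recovery, days_to_recovery,
                        rapid_days=RAPID_RECOVERY_DAYS):
    """The gross figure is what goes into the capital dataset (the default the
    text describes); the net figure and the near-miss label apply only when the
    recovery is rapid. days_to_recovery is None when nothing was recovered."""
    if gross_loss < 0 or recovery < 0 or recovery > gross_loss:
        raise ValueError("recovery must lie between 0 and the gross loss")
    rapid = recovery > 0 and days_to_recovery is not None and days_to_recovery <= rapid_days
    net = gross_loss - recovery
    if rapid and net == 0:
        label = "near miss"
    elif rapid:
        label = "rapidly recovered loss"
    else:
        label = "loss"
    return {"gross": gross_loss, "recovery": recovery, "net": net, "label": label}


if __name__ == "__main__":
    result = run_filter(FRONT_OFFICE, {"accounting": ACCOUNTING, "clearing": CLEARING})
    for b in result["breaks"]:
        print("break:", b)
    print("cancellations:", result["cancellations"], "abnormal inputs:", result["abnormal_inputs"])
    print(classify_loss_event(1_000_000, 1_000_000, 2))
```

On the constructed data the filter finds the quantity break on T2, the status break on T4 (cancelled in the front office but still live in accounting), T4's complete absence from clearing, and T3's implausible volatility. A wrong-party payment of USD 1 million fully recovered within two days is classified as a near miss, while the same event recovered only partly, or only after forty days, keeps its gross amount as the loss.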

Time Period for Resolution of Operational Losses

Some OpRisk events, usually some of the largest, will have a large time gap between the inception of the event and the final closure, due to the complexity of these cases. As an example, most litigation cases that came up from the financial crisis in 2007/2008 were only settled by 2012/2013. These legal cases have their own life cycle and start with a discovery phase in which lawyers and investigators argue whether the other party has a proper case to actually take the action to court or not. At this stage, it is difficult to even come up with an estimate for eventual losses. Even when a case is accepted by the judge, it might be several years until lawyers and risk managers are able to estimate the losses properly. Firms can set up reserves for these losses (and these reserves should be included in the loss database), but they usually do that only for a few weeks before the case is settled, to avoid disclosure issues (i.e., the counterparty eventually knows the amount reserved and uses this information in their favor). This creates an issue for setting up OpRisk capital, because firms would know that they are going to undergo a large loss and yet are unable to include it in the database; the inclusion of this settlement would cause some volatility in the capital. The same would happen if a firm set a reserve of, for example, USD 1 billion for a case and then, a few months later, a judge decides to remove the loss in favor of the firm. For this reason, firms need to have a clear procedure on how to handle those large, long-duration losses.

Adding Costs to Losses

As said earlier, an operational loss includes all expenses associated with an operational loss event except for opportunity costs, forgone revenue, and costs related to risk management and control enhancements implemented to prevent future operational losses. Most firms, for example, do not have enough lawyers on payroll (or expertise) to deal with all the cases, particularly some of the largest or those that demand some specific expertise and whose legal fees are quite expensive. There are cases in which the firm wins in the end, maybe due to some external law firms, but the cost can reach tens of millions of dollars. In such cases, though the firm wins a court victory, there will be an operational loss.

Provisioning Treatment of Expected Operational Losses

In credit risk, the calculated expected credit losses might be covered by general and/or specific provisions in the balance sheet. For OpRisk, due to its multidimensional nature, the treatment of expected losses is more complex and restrictive.

Recently, with the issuing of IAS37 by the International Accounting Standards Board (see Wittsiepe, 2008), the rules have become clearer as to what might be subject to provisions (or not). IAS37 establishes three specific applications of these general requirements, namely:

• a provision should not be recognized for future operating losses;
• a provision should be recognized for an onerous contract, that is, a contract in which the unavoidable costs of meeting its obligations exceed the expected economic benefits;
• a provision for restructuring costs should be recognized only when an enterprise has a detailed formal plan for restructuring and has raised a valid expectation in those affected.

These provisions should not include costs such as retraining or relocating continuing staff, marketing, or investing in new systems and distribution networks; the restructuring does not necessarily entail that.

IAS37 requires that provisions should be recognized in the balance sheet when, and only when, an enterprise has a present obligation (legal or constructive) as a result of a past event. The event must be likely to call upon the resources of the institution to settle the obligation, and, more importantly, it must be possible to form a reliable estimate of the amount of the obligation. Provisions should be measured in the balance sheet at the best estimate of the expenditure required to settle the present obligation at the balance sheet date. Any future changes, like changes in the law or technological changes, may be taken into account where there is sufficient objective evidence that they will occur. IAS37 also indicates that the amount of the provision should not be reduced by gains from the expected disposal of assets (even if the expected disposal is closely linked to the event giving rise to the provision) nor by expected reimbursements (arising from, for example, insurance contracts or indemnity clauses). When and if it is virtually certain that reimbursement will be received should the enterprise settle the obligation, this reimbursement should be recognized as a separate asset.

7.4 BUSINESS ENVIRONMENT AND INTERNAL CONTROL ENVIRONMENT FACTORS (BEICFs)

One can see OpRisk as a function of the control environment. If the control environment is fair and under control, large operational losses are not likely to take place and OpRisk is considered to be under control. Therefore, understanding the firm's business processes, mapping the risks on these processes, and assessing the control of these processes are the fundamental



roles of an OpRisk manager. A simple example is the equities trading process, shown in Figure 7.1.

Figure 7.1 Equity settlement process (stages: Trade capture; Trade matching and confirmation; Custody and control; Clear and settle trades).

Firms need to be able to assess risk on the many steps of the settlement process and report them regularly. There are a couple of tools that are commonly used by financial firms to perform this task: Risk Control Self-Assessment and Business and Control Environment programs.

Risk Control Self-Assessment (RCSA)

These are also known as Control Self-Assessment (CSA) in some firms. According to this procedure, firms regularly ask experts about their views on the status of each business process and subprocess. These reviews are usually done every 12 or 18 months and color rated Red/Amber/Green (RAG) according to the perceived status. Some firms go beyond this and try to quantify these risks using subjective approaches or through a scorecard. For many firms, RCSA is the anchor of the OpRisk framework and most OpRisk activities are linked to this procedure.

In a broad sense, the RCSA program requires the documentation and assessment of risks embedded in a firm's processes. Levels of risk are derived (usually on a frequency and severity basis), and controls associated with these risks are identified. As risks are usually reported by business units, these processes are aggregated to a certain business unit and rated/assessed.

In the RCSA program, managers first identify and assess inherent risks by making no inferences about controls embedded in the process: controls are assumed to be absent. Under this assumption, managers must carefully identify how risk manifests within the activities in the processes. The following are the usual questions asked by risk managers in this phase:

• Risk scenarios. Where are the potential failure points in each of these processes?
• Exposure. How big a loss could happen to my operation if a failure happens?
• Correlation to other risks. Could a failure altogether change my organization's performance, either financially, in its reputation, or in any other area?

The answers point toward the specific inherent risks embedded within a business unit's process, which must be assessed to determine the likelihood that the events could occur (frequency) and their severity. The results of this analysis provide a bird's eye view of the inherent risk of a firm's business processes. Management can then use this assessment to prioritize and focus on the most critical risks that must be proactively managed.

Once these inherent risks are understood, controls will be added in the RCSA framework. The effectiveness of these controls is then assessed to understand how efficient they are at mitigating risks. At this stage, the residual risk is also calculated, which is the risk that is left after inherent risks are controlled. Put another way, residual risk is the probability of loss that remains to systems that store, process, or transmit information after security measures or controls have been implemented.

For a firm that has the RCSA program as the core of the OpRisk framework, all other OpRisk initiatives under the firm's OpRisk program are usually structured to feed the RCSA. Risk metrics such as key risk indicators (KRIs), internal loss events, and external events would contribute to the risk identification process, ensuring the organization has considered all readily available data and benchmark risk assessments.

Once the universe of controls and mitigation measures has been identified, the business unit can partner with various control functions to conduct the control testing phase of the RCSA. Control testing is critical to a mutual understanding of expectations and actions across business units and between the front and back offices.

One significant challenge that arises from combining RCSA data is interpreting what the data actually means. For example, outputs from an RCSA program might lead a risk manager to conclude that no immediate action is required if the risk exposures are controlled within the tolerances acceptable to the firm. On the other hand, if the RCSA data indicates that the control environment is weakening and threatening the success of a particular business goal, a risk manager might decide to recommend a corrective action. However, weighting those risks across the entire risk universe and naming the most important or "key" ones might not be an easy and objective task.

There are a number of vendors that provide systems that help to collate these results. The issue with these programs in general is that they make it harder to integrate with the other data inputs that are numeric. Even if these RAG assessments can be converted to a number or rating, there is always a bias embedded

in that the person who does the assessment would have a motivation to improve their ratings so as to reduce their capital.

Key Risk Indicators

These indicators/factors are mostly quantitative and are used as a proxy for the quality of the control environment of a business. For example, in order to report the quality of the processing systems of an investment bank, we might design factors such as "system downtime" (measuring the number of minutes that a system stayed offline) and "system slow time" (counting the minutes that a system was overloaded and running slow). These KRIs can be extremely important in OpRisk measurement as they can allow OpRisk models to behave very similarly to those in market and credit risk.

Going back to the equity settlement example, instead of using RAG self-assessment, a better way to assess the quality of these processes is to establish a few KRIs that provide an accurate picture of the control environment, as seen in Figure 7.2. As an example, at the trade confirmation stage of the settlement process, if the number of unsigned confirmations older than 30 days increases to over a certain percent of the total population, and the number of repudiated trades increases, one might say that this process is facing challenges that need to be addressed.

The process of KRI collection deserves special attention. It is important that these data are absolutely reliable, in order to display relationships between KRIs and losses. Automating the collection straight from the firm's operational systems might help to create a more realistic reflection of the true profile of the infrastructure of a certain business. There are many stages in establishing these links and of course there is a cost associated with the implementation of the KRI program, but probably no other type of data will be more powerful than KRIs for managing and measuring operational risk. It is much easier to explain OpRisk as a function of the control environment in which a firm exists than to say that OpRisk capital is moving up or down because of past losses or changes in scenarios.

The first stage of the KRI collection process is trying to establish assumptions on the OpRisk profile of a certain business. For example, we might assume that execution errors in the equities division can be explained by the trade volume on the day, the number of securities that failed to be received or delivered, the head count available on the trading desk and the back office, and system downtime (measured by minutes offline).

The decision to be made is: at what organizational level should this relationship be measured? The equities division as a whole? Should we break down the equities division into cash equities, listed derivatives and OTC derivatives, or along any other lines? Should we consider breaking it down along regional lines? All these questions are fundamental for the success of the analysis.

If loss data and KRIs are collected at cost center level (the lowest possible level), it becomes possible to perform this disaggregation. In general, the lower the level at which you model the causal relationship, the better the chances that you will find higher-level fits to the model. Put another way, it is easier to find strong causal relationships if you model, for example, the US cash equities department than if you model at the global equities division level, as the lower level better captures local nuances, idiosyncrasies, and trends.

The modeler might also consider using external factors such as equity indexes and interest rates. It is common to find strong relationships between a stock market index and operational losses; for example, higher volatility on stock markets is usually associated with high trading volumes, which in turn is highly associated with execution losses in OpRisk. Table 7.9 presents a few examples of Business Environment and Internal Control Factors (BEICFs) used in a few environments.

Figure 7.2 Equity settlement process with example KRIs per stage: Trade capture and execution (daily trade volume; late booking trades); Trade matching and confirmation (unsigned confirmations > 30 days; repudiated trades; breaks); Custody and control (breaks; disputed collateral calls); Clear and settle trades (fails; breaks (agent cash, agent stock)).
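The causal relationship the text proposes (execution losses explained by trade volume, fails and system downtime) can be fitted with ordinary least squares. The following is an added example in plain Python, not code from the book: the KRI series and the losses are constructed, and the losses were generated from an assumed relation, loss = 500 + 2.0 x volume + 150 x fails + 40 x downtime plus a few dollars of noise, so that the reader can see the fit recover it. The function names and the choice of OLS are my assumptions; the text names no particular estimation method.

```python
"""Added example: least-squares fit of daily execution losses on KRIs, with a
small Gauss-Jordan solver so it runs without numpy. Data are constructed."""

# Constructed daily KRIs for one equities desk (10 trading days):
# trade volume in thousand shares, securities that failed to settle, and
# system downtime in minutes offline.
VOLUME   = [120, 95, 140, 80, 200, 110, 160, 90, 130, 175]
FAILS    = [3, 4, 1, 0, 2, 6, 1, 5, 2, 0]
DOWNTIME = [0, 15, 0, 5, 30, 0, 10, 0, 20, 0]
# Constructed daily execution losses (USD), generated from
# 500 + 2.0*volume + 150*fails + 40*downtime plus noise in [-5, +6].
LOSSES   = [1194, 1887, 932, 855, 2406, 1618, 1371, 1429, 1863, 845]


def solve_linear(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                factor = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= factor * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(regressors, y):
    """Least-squares fit with intercept. `regressors` is a list of columns.
    Returns ([intercept, b1, b2, ...], R-squared) via the normal equations."""
    rows = [[1.0] + [float(col[i]) for col in regressors] for i in range(len(y))]
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    beta = solve_linear(xtx, xty)
    fitted = [sum(b * v for b, v in zip(beta, r)) for r in rows]
    ybar = sum(y) / len(y)
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    ss_tot = sum((yi - ybar) ** 2 for yi in y)
    return beta, 1.0 - ss_res / ss_tot


def fit_loss_model():
    """Fit the desk's loss model on the constructed data; returns the
    coefficient per KRI and the R-squared of the fit."""
    beta, r2 = ols([VOLUME, FAILS, DOWNTIME], LOSSES)
    return {"intercept": beta[0], "volume": beta[1], "fails": beta[2],
            "downtime": beta[3], "r_squared": r2}


def predict_loss(model, volume, fails, downtime):
    """Expected execution loss for a day with the given KRI readings."""
    return (model["intercept"] + model["volume"] * volume
            + model["fails"] * fails + model["downtime"] * downtime)


if __name__ == "__main__":
    model = fit_loss_model()
    for name in ("intercept", "volume", "fails", "downtime"):
        print(f"{name:>9}: {model[name]:10.2f}")
    print(f"R-squared: {model['r_squared']:.4f}")
    print("predicted loss, 130k shares / 2 fails / no downtime:",
          round(predict_loss(model, 130, 2, 0)))
```

With real data the fit would of course be far noisier, and the text's point about the level of aggregation applies: the same code run on a global division's totals mixes desks with different coefficients, which is why the relationship is easier to find at cost-center level.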



Table 7.9 Examples of BEICFs Used in a Few Environments

Business Environment | Factor | Description
Systems | System downtime | Number of minutes a system is offline
 | System slow time | Number of minutes a system is slow
 | Software stability | Number of code lines changed in a program or software in a certain period of time
Information Security | Malware attacks | Number of malware attacks
 | Hacking attempts | Number of hacking attempts
People/Organization | Employees | Number of employees
 | Employees experience | Average experience of employees
Execution/Processing | Transactions | Number of transactions processed
 | Failed transactions | Number of transactions that failed to settle
 | Data quality | Ratio of transactions with errors
 | Breaks | Number of transaction breaks

7.5 EXTERNAL DATABASES

According to the Basel Accord, OpRisk modelers need to calculate regulatory capital at the 99.9% confidence level, which is equivalent to finding enough capital to protect against losses in the worst year in a 1,000-year period. One way to try to overcome these challenges is through using other firms' loss experiences. This is common in insurance. For example, suppose that a US insurer wants to expand to a new state, say New Jersey. This insurer does not have experience in New Jersey; New Jersey has different characteristics, for example it may have many more cars per square foot than other states and hence the accident ratio is known to be higher. How can this insurer price its premium correctly in New Jersey? The most used alternative is to start with a local database of car accidents. This database is available, with considerable detail, for insurance companies to acquire. Obviously, this database would never replace the insurer's own loss experience in their portfolio, but while this loss experience is not available, the best way to start the business is using this external database. As the insurer starts building up their own loss experience, it can start weighting the importance of the external database in their premium through credibility theory methods.

Similarly, banks and other financial firms might struggle to come up with reasonable measures for some types of risk because they were never exposed to large losses, but, despite that, they understand that they are still under the risk that such a loss would happen eventually. These loss-gathering databases can be very useful in these cases.

There are basically three ways to get hold of these databases, as seen in Table 7.10. The best choice for a firm would depend significantly on how their framework is structured and how the modeler expects to use these losses.
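The insurer's progression from "use the external database" to "weight it against own experience" is what credibility theory formalizes. The following is an added example, not code from the book, of one such method, Bühlmann credibility with one unit of exposure per year: the credibility constant k is estimated from an external panel of peers, and the weight Z = n/(n+k) given to the insurer's own mean rises with the number of years n of its own experience. The peer loss rates and the new-state experience are constructed, and the choice of the Bühlmann model is my assumption, since the text names no specific method.

```python
"""Added example: Bühlmann credibility blending of own experience with an
external (peer) database. All rates are constructed for illustration."""

# Constructed external database: annual loss rates (claims per 1,000
# policies) for three peer insurers over the same four years.
PEER_RATES = {
    "peer_A": [5, 11, 7, 9],
    "peer_B": [11, 17, 13, 15],
    "peer_C": [8, 14, 10, 12],
}
# Constructed own experience of the insurer in the new state, year by year.
NEW_STATE_RATES = [16, 14, 18, 16]


def mean(xs):
    return sum(xs) / len(xs)


def sample_var(xs):
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def buhlmann_parameters(peer_rates):
    """Estimate from a balanced peer panel: the collective mean mu, the expected
    process variance EPV (average within-peer variance), the variance of
    hypothetical means VHM (between-peer variance, corrected for the sampling
    noise in each peer's mean) and the credibility constant k = EPV / VHM."""
    series = list(peer_rates.values())
    years = len(series[0])
    peer_means = [mean(s) for s in series]
    mu = mean(peer_means)
    epv = mean([sample_var(s) for s in series])
    vhm = max(sample_var(peer_means) - epv / years, 0.0)
    k = float("inf") if vhm == 0 else epv / vhm
    return {"mu": mu, "epv": epv, "vhm": vhm, "k": k}


def credibility_weight(n_years, k):
    """Z = n / (n + k): zero with no own data, approaching 1 as it accumulates."""
    return 0.0 if k == float("inf") else n_years / (n_years + k)


def blended_rate(own_rates, params):
    """Credibility-weighted estimate: Z * own mean + (1 - Z) * collective mean."""
    if not own_rates:
        return params["mu"]
    z = credibility_weight(len(own_rates), params["k"])
    return z * mean(own_rates) + (1 - z) * params["mu"]


def credibility_path(own_rates, params):
    """Blended estimate after 0, 1, 2, ... years of own experience."""
    return [blended_rate(own_rates[:i], params) for i in range(len(own_rates) + 1)]


if __name__ == "__main__":
    params = buhlmann_parameters(PEER_RATES)
    print(f"mu={params['mu']:.2f} EPV={params['epv']:.2f} "
          f"VHM={params['vhm']:.2f} k={params['k']:.3f}")
    for n, est in enumerate(credibility_path(NEW_STATE_RATES, params)):
        z = credibility_weight(n, params["k"])
        print(f"after {n} year(s): Z={z:.3f} blended rate={est:.2f}")
```

On the constructed panel the peers differ more between themselves than from year to year, so k is below 1 and a single year of own experience already earns a weight above one half; a panel with noisy peers and similar means would give a large k and keep the external database dominant for longer. The same arithmetic is what an OpRisk modeler does, informally or not, when deciding how much an external loss database should influence a business unit's severity estimate.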

Table 7.10 Methods to Acquire External Data and Details

Type | Details | Pros | Cons
Internally developed | Firm gathers these losses from news feeds and magazines | Cheapest way | It might not be comprehensive enough and may miss losses in many industries and jurisdictions
Consortia | The most popular is ORX, which has some of the largest banks in the industry | Loss reporting threshold is €20,000 | No details on the losses. It can only be used for measurement
Vendors | There are a number of vendors like IBM OpVantage and SAS | More detailed analysis on the loss. It can be used for management or scenarios | Loss threshold is usually high (USD 1 million). Loss details might not be accurate as these were taken from newspapers

7.6 SCENARIO ANALYSIS

Another important tool in OpRisk management and measurement is scenario analysis. For a significant number of firms, the scenario analysis program is the pillar of their framework. These scenario estimates are usually gathered through expert opinions, where these experts (or a group of experts) communicate their estimates on how losses can happen in an extreme situation. These experts are commonly guided by information gathered from external data or KRIs and internal loss trends; see for instance the discussions on scenario analysis for OpRisk in Rippel and Teply (2008), Alderweireld et al. (2006) and Huffman (2002).

Though there are different approaches to run a scenario workshop, only three approaches are widely used: structured workshops, surveys, or individualized discussions. A recent survey in 2012 with the largest US financial firms (the results are not in the public domain and a reference cannot be provided) shows that information from experts is obtained mainly through structured workshops (Figure 7.3). A comprehensive guide to performing and establishing appropriate statistical structures for surveys in such workshops is provided in detail in O'Hagan et al. (2006).

[Figure 7.3 Survey on how US banks run scenarios. Bar chart with the categories Structured workshops, Survey, Individualized discussions, Other.]

Scenarios can be a useful tool in the case of emerging risks where a loss experience would not be available. Financial institutions understanding this challenge are creating many new scenarios for these emerging risks every year. Figure 7.4 presents some other results of this survey about the number of new scenarios developed annually by financial firms, showing that most firms develop between 51 and 100 scenarios every year.

[Figure 7.4 Number of new scenarios developed annually by financial firms. Bar chart with the categories <10, 10-20, 21-50, 51-100, >100.]

In order to make the outcomes of the scenario analysis workshops useful to the OpRisk measurement and quantification efforts, the opinions need to be converted into numbers. There are a few ways to do so, but the most frequent is through gathering estimates of the loss frequencies in predefined severity brackets. These numbers are then converted to empirical distributions, see the example in Table 7.11, that are aggregated with internal losses later.

After converting expert opinion into an empirical distribution, the question is how to incorporate this into the OpRisk framework. There are a number of articles on the subject; for example, see the recent publications of Dutta and Babbel (2013), Ergashev (2012), and Shevchenko (2011).

Common Issues and Bias in Scenarios. Because scenarios are usually based on expert opinion, they present a number of biases; see, for example, a demonstration of such features in the experiments designed by Lin and Bier (2008). This is one of the key limitations of this process as these biases are very difficult to mitigate or avoid. Some of the biases are as follows:

• Presentation bias. This arises when the order in which the information is provided can skew or alter the assessment from the experts; see discussion in Hogarth and Einhorn (1992);
• Availability bias. It is related to the over/underestimation of loss events due to respondents' exposure or familiarity to a particular experience or risk. For example, if the expert has

Table 7.11 Using Scenario Analysis Outcome for Measurement

| Loss Bracket (in USD thousand) | Loss Frequency | Relative Frequency |
| --- | --- | --- |
| USD 5,000 | 7 | 6.9% |
| 1,000-5,000 | 10 | 9.8% |
| 500-1,000 | 15 | 14.7% |
| 100-500 | 30 | 29.4% |
| 50-100 | 40 | 39.2% |
| Total | 102 | |
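Turning the bracket counts of Table 7.11 into the empirical distribution the text describes, as an added example that is not from the FRM text: it validates the bracket ladder, computes the relative frequencies and a cumulative distribution over severity, and shows one simple way to aggregate the result with internal-loss counts. Treating the top row as open-ended above USD 5,000 thousand, the INTERNAL_SAMPLE counts and the fixed credibility weight are assumptions made for this example, not the text's method.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Bracket:
    """One severity bracket from a scenario workshop; bounds in USD thousand."""
    lower: float
    upper: Optional[float]  # None marks an open-ended top bracket
    count: int              # number of losses the experts expect in the bracket


# Counts are those of Table 7.11; treating the top row as open-ended above
# USD 5,000 thousand is an assumption made for this example.
TABLE_7_11 = [
    Bracket(5000, None, 7),
    Bracket(1000, 5000, 10),
    Bracket(500, 1000, 15),
    Bracket(100, 500, 30),
    Bracket(50, 100, 40),
]

# Constructed internal-loss counts on the same ladder (not from the text).
INTERNAL_SAMPLE = [
    Bracket(50, 100, 120),
    Bracket(100, 500, 45),
    Bracket(500, 1000, 8),
    Bracket(1000, 5000, 2),
    Bracket(5000, None, 0),
]


def validate_brackets(brackets: List[Bracket]) -> List[Bracket]:
    """Return the brackets sorted by lower bound after checking that they form
    one contiguous ladder (no gaps, no overlaps) with the only open-ended
    bracket at the top and no negative counts."""
    ordered = sorted(brackets, key=lambda b: b.lower)
    for low, high in zip(ordered, ordered[1:]):
        if low.upper is None:
            raise ValueError("only the top bracket may be open-ended")
        if low.upper != high.lower:
            raise ValueError(f"gap or overlap between {low} and {high}")
    if any(b.count < 0 for b in ordered):
        raise ValueError("bracket counts must be non-negative")
    return ordered


def empirical_distribution(brackets: List[Bracket]) -> List[Dict]:
    """Relative frequency per bracket (Table 7.11's last column) plus the
    cumulative distribution of severity, ascending by bracket."""
    ordered = validate_brackets(brackets)
    total = sum(b.count for b in ordered)
    if total == 0:
        raise ValueError("no losses estimated in any bracket")
    rows, cumulative = [], 0.0
    for b in ordered:
        rel = b.count / total
        cumulative += rel
        rows.append({"lower": b.lower, "upper": b.upper,
                     "relative_frequency": rel, "cdf": cumulative})
    return rows


def as_percent(rows: List[Dict]) -> List[float]:
    """Relative frequencies in percent, rounded as the table prints them."""
    return [round(100 * r["relative_frequency"], 1) for r in rows]


def blend_with_internal(scenario: List[Bracket], internal: List[Bracket],
                        weight_scenario: float = 0.5) -> List[Dict]:
    """Combine the scenario distribution with an internal-loss distribution on
    the same ladder by a fixed credibility weight. This is one simple way to
    do the aggregation the text mentions, chosen here for illustration."""
    if not 0.0 <= weight_scenario <= 1.0:
        raise ValueError("weight must lie in [0, 1]")
    s_rows = empirical_distribution(scenario)
    i_rows = empirical_distribution(internal)

    def ladder(rows: List[Dict]):
        return [(r["lower"], r["upper"]) for r in rows]

    if ladder(s_rows) != ladder(i_rows):
        raise ValueError("scenario and internal brackets must use the same ladder")
    blended, cumulative = [], 0.0
    for s, i in zip(s_rows, i_rows):
        rel = (weight_scenario * s["relative_frequency"]
               + (1 - weight_scenario) * i["relative_frequency"])
        cumulative += rel
        blended.append({"lower": s["lower"], "upper": s["upper"],
                        "relative_frequency": rel, "cdf": cumulative})
    return blended


if __name__ == "__main__":
    for row in empirical_distribution(TABLE_7_11):
        print(row)
    print(as_percent(empirical_distribution(TABLE_7_11)))  # [39.2, 29.4, 14.7, 9.8, 6.9]
    print(as_percent(blend_with_internal(TABLE_7_11, INTERNAL_SAMPLE)))
```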

Chapter 7 OpRisk Data and Governance ■ 127


a 30 years career in FX trading and had never experienced or seen an individual loss of USD 1 billion or larger, he/she might be unable to accept the risk that such a loss would take place;
• Anchoring bias. Anchoring occurs when participants restrict their estimates to being within a range of a given value, which may come from their own experiences, a value they have seen elsewhere (e.g., internally, in the media) or a value provided in the workshop; see discussion in Wright and Anderson (1989);
• "Huddle" bias or anxiety bias. It involves the tendency of groups to avoid conflicts and differences of opinion, either because individuals do not want to disrupt the smooth functioning of the group through dissent, or because they are unwilling to disagree openly with the more senior, expert, or powerful people in the room; see discussions in O'Hagan (2005);
• Gaming. Conflicts of participants' interests with the goals or consequences of the workshops can cause motivational biases or gaming. Participants may be unwilling to disclose information or engage meaningfully in the workshop or may seek to influence the outcomes;
• Over/under confidence bias. This bias involves over/under-estimation of risk due to the available experience and/or literature on the risk being limited;
• Inexpert opinion. In many firms, scenario workshops do not attract the expert (or the expert is not identified) and a more junior employee or someone with much less experience ends up participating in the workshop and providing inaccurate estimates;
• Context bias. This bias arises when framing in a certain manner alters the response of experts, that is, colors their opinion; see discussion in Fischhoff et al. (1978).

A fundamental problem that scenario analysis programs face is the disparity of understanding and opinions on losses' sizes and frequencies. To circumvent some of these problems, application of the Delphi technique may be of help. The Delphi technique, as Linstone and Turoff (1975) defined, ". . . may be characterized as a method for structuring a group communication process so that the process is effective in allowing a group of individuals, as a whole, to deal with a complex problem."

The Delphi concept is a spin-off from defense research. "Project Delphi" is the name given to an American Air Force project, started in the early 1950s, that made use of expert opinion (see Dalkey and Helmer, 1963). The objective of the original study was to "obtain the most reliable consensus of opinions within a group of experts" by a series of intensive questionnaires interspersed with controlled opinion feedback.

Delphi has been tested and broadly used in several applications such as gathering current and historical data not accurately known or available and examining the significance of events. Usually, one or more of the following properties of the problem to be solved leads to the need for employing Delphi:
• The problem does not lend itself to precise analytical techniques but can benefit from subjective judgments on a collective basis;
• The individuals needed to contribute to the examination of a broad or complex problem have no history of adequate communication and may represent diverse backgrounds in respect of experience or expertise;
• Time and cost make frequent group meetings infeasible; and
• More individuals are needed than can effectively interact in a face-to-face exchange.

Therefore, for Delphi to work, it is necessary that a group of experts in each business get together in order to estimate OpRisk occurrences at a given confidence level. Consider an example: a bank, in order to assess transaction execution risk in the fixed income desk, decided to get three different perspectives: from the front desk (traders), from the finance group, and from the operations group. Each one of these areas has a different perspective on what the risks would be and how many losses would happen. As the estimates from each of the three areas were very different, a separate scenario workshop was performed in each department and the participants were elicited to estimate extreme losses. At the end, a final number was agreed by the three areas and all recognized that tremendous education took place as traders, for example, did not have the perspective of losses due to settlement failures. The Delphi technique (Dalkey and Helmer, 1963) has a number of stages:
1. In the first step, the subject under discussion should be explored with as many individuals as possible contributing additional information;
2. Given the information from step 1, feedback and a description of the issues are provided to the group;
3. (Optional) Bring out the possible differences found in step 2 and evaluate them; and
4. A final evaluation occurs when all the previously gathered information has been initially analyzed and the evaluations have been fed back to the respondents for consideration.

Finally, we would like to mention that ideas from works on expert elicitation processes were implemented in a freely available toolkit known as the Sheffield Elicitation Framework (SHELF)¹, which is covered under copyright when it comes to

¹ SHELF is available at http://www.tonyohagan.co.uk/shelf/

commercial usage; see details on the associated website. In agreement with the standard industrial practice of structured workshops, the SHELF framework is developed to be performed with a group elicitation in mind and comprises a framework for eliciting beliefs of one or more experts as a group.

7.7 OPRISK PROFILE IN DIFFERENT FINANCIAL SECTORS

After deciding the form of the operational loss data model and the types of losses that need to be reported, it is useful to split the financial institution into different business lines, given that the OpRisk profile is generally very diverse across different businesses within a financial institution. While an asset management unit is more inclined to have legal/liability problems (although still having a few transaction processing problems; in general, asset managers hold their positions longer than treasury), the investment bank arm is more inclined to operational errors in processing transactions. A large investment bank might process over a million transactions a day.

A typical list of business units includes Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services, Asset Management, and Retail Brokerage. These are business units at level 1 as suggested in Basel II. A detailed breakdown into level 2 business units and activity groups can be found in BCBS (2006, p. 302). Also it can be appropriate to add an extra business unit, Insurance. Most of these business units are discussed in the following sections.

Trading and Sales

It should not come as a surprise that the trading and sales OpRisk profile is dominated by "EDPM" or just "Execution". This can be clearly seen in Table 7.12, where execution losses dominate in both frequency and severity. The business model in trading is quite simple; traders perform trades on behalf of either their own firms or clients, and these trades get settled by exchanging the securities against some form of payment. However, as the products are diverse and complex and settlement deadlines and procedures vary significantly, it is not surprising that executing these transactions is the major OpRisk of this business and, for many trading shops, the major overall risk that they are exposed to.

Table 7.12 Trading and Sales OpRisk Profile

| Event Type | Frequency (%) | Severity (%) |
| --- | --- | --- |
| Internal Fraud | 1.0 | 11.0 |
| External Fraud | 1.0 | 0.3 |
| Employment Practices and Workplace Safety | 3.1 | 2.3 |
| Clients, Products, and Business Practices | 12.7 | 29.0 |
| Damage to Physical Assets | 0.4 | 0.2 |
| Business Disruption and System Failures | 5.0 | 1.8 |
| Execution, Delivery & Process Management | 76.7 | 55.3 |

Source: Results from the 2008 Loss Data Collection Exercise for Operational Risk, see BCBS (2009b).

Corporate Finance

This business is where financial firms many times behave similarly to consulting firms by providing advice to corporations in possible mergers and acquisitions, doing an IPO or even assessing strategic alternatives. The differences to consulting firms are due to the fact that corporate finance in banks constantly offers financing options, so deals are made. Therefore, it is expected that most of the losses fall under the umbrella of "litigation" or disputes with clients for arguably poor advice when, for example, IPOs go wrong; see Table 7.13.

Table 7.13 Corporate Finance OpRisk Profile

| Event Type | Frequency (%) | Severity (%) |
| --- | --- | --- |
| Internal Fraud | 1.6 | 0.24 |
| External Fraud | 5.4 | 0.12 |
| Employment Practices and Workplace Safety | 10.1 | 0.59 |
| Clients, Products, and Business Practices | 47.1 | 93.67 |
| Damage to Physical Assets | 1.1 | 0.004 |
| Business Disruption and System Failures | 2.2 | 0.02 |
| Execution, Delivery & Process Management | 32.5 | 5.36 |

Source: Results from the 2008 Loss Data Collection Exercise for Operational Risk, see BCBS (2009b).

Retail Banking

The OpRisk profile of retail banks is not too dissimilar to that of retail brokerage; see Table 7.14. On the frequency side, most



losses are due to external frauds that are daily events for these firms. Execution comes in a far second. However, when looking at severity, the largest risk exposure is due to litigation once again.

Table 7.14 Retail Banking OpRisk Profile

| Event Type | Frequency (%) | Severity (%) |
| --- | --- | --- |
| Internal Fraud | 5.4 | 6.3 |
| External Fraud | 40.3 | 19.4 |
| Employment Practices and Workplace Safety | 17.6 | 9.8 |
| Clients, Products, and Business Practices | 13.1 | 40.4 |
| Damage to Physical Assets | 1.4 | 1.1 |
| Business Disruption and System Failures | 1.6 | 1.5 |
| Execution, Delivery & Process Management | 20.6 | 21.4 |

Source: Results from the 2008 Loss Data Collection Exercise for Operational Risk, see BCBS (2009b).

Insurance

For those not familiar with this industry, this sector can actually be divided into three types given the significant differences: life insurance, health insurance, and property/casualty or "P&C" insurance (or general insurance as known in Europe). To put it very simply, life insurers basically charge a premium from individuals in exchange for providing a sum of money when they die. Life insurers also offer retirement and income-protection products. Health insurers provide medical and hospital coverage. P&C insurers offer coverage against damage to properties caused by fire, natural disasters, theft, etc. They also offer protection against liabilities (e.g., directors being sued and professional errors). The actuarial calculation used in P&C insurance is very similar to the one used in OpRisk capital calculation. Most operational risk capital techniques are derived from P&C actuarial techniques, and there are many articles in the Journal of OpRisk that were written by P&C actuaries.

Regarding the sector's overall current financial situation, similar to most of the financial sectors, the effects of the financial crisis still linger. Life insurers started to feel the consequential effects from the long low-interest rate environment, which affects their profitability and company valuations and also, as consumers struggle, declining sales and revenue. If interest rates continue to stay low, and it appears likely that they will for at least another two years, then life insurers' financial pain will be broader and deeper. On the P&C side, the continuing prospects for weak investment returns and low interest rates over an extended period compel carriers to improve underwriting margins, requiring difficult decisions concerning pricing and operating approaches. Organic growth continues to be a challenge, given the economic situation and the competitive landscape. Individual insurers confront greater competition, driven by an abundance of capital, uncertainty around the timing and the scope of regulatory changes, and the continuing volatility caused by weather-related losses, highlighted recently by Hurricane Sandy in 2012 (in the US, Hurricane Sandy affected 24 states with particularly severe damage in New Jersey and New York). Health insurers in the US, given the advent of the Patient Protection and Affordable Care Act (signed into law by US President Barack Obama on March 23, 2010, and commonly referred to as "Obamacare"), are in much better shape than their counterparts, with a better perspective ahead of them.

Regarding risk regulation in this sector, there are significant differences between Europe and the US. In Europe, a process similar to Basel II was developed by insurance regulators, called Solvency 2. Two key themes have dominated regulatory discussions in the past year: supervisory focus on risk and capital management, and concerted efforts to move toward a consistent approach to cross-territory supervision of insurance groups. These initiatives underscore the importance of embedding strong risk management principles throughout an enterprise and moving beyond just "tick the box" compliance, similar to what Basel II has been influencing in the banking industry.

In the US, the regulatory environment also has been changing, as State insurance departments and rating agencies, in addition to the National Association of Insurance Commissioners (NAIC), are also influencing the direction of solvency regulation. While these varied initiatives place differing degrees of emphasis on capital requirements, reporting standards and risk measures, a common theme is their intensified focus on clearly articulating an insurer's risk profile. To prepare for and address the regulatory pressures to enhance risk management, insurers must significantly enhance their data management, reporting and analytical resources, and their organizations' ability to integrate risk data across disciplines. The US insurance industry is also anticipating potential impacts of Dodd-Frank legislation, including the systemically important financial institution (SIFI) designation and the Federal Insurance Office's (FIO) pending report to Congress on the state of US insurance regulation, which in practice creates a national insurance regulator.

Regarding OpRisk more specifically, insurers are still in the early stages of the development of their OpRisk frameworks. This comes somewhat as a surprise, as insurers suffered several large

operational losses that were very public and reported in the media. Some of the examples over the last decade² are the USD 250 million loss that a large US insurer suffered a few years ago for discrimination (i.e., allegedly pricing their policies differently according to race); a large European reinsurer lost USD 3.5 billion for not having final contracts in place on the 9/11 terror attacks, inflicting damages to clients; a large US auto insurer lost USD 1 billion for using low-quality auto parts in vehicle repairs; a large US life insurer lost USD 2 billion for abusive sales practices and illegal sales of securities; and the list goes on and on.

Insurers face a number of OpRisks; some of these are mis-selling their products to clients. A number of insurers worldwide got severe penalties for these sales practices. As with any retail sector, insurers are exposed to bad faith claims (i.e., frauds by customers)—Hollywood has a number of movies on these interesting stories. More recently, the issue of unclaimed property has become a concern for insurers as public officials are now focusing much more on the issue than they did in the past.

Given these pressures, insurers have been more diligent to catch up with banks in developing more robust OpRisk frameworks. However, they have a long road ahead of them.

Asset Management

The financial crisis brought to the global asset management industry challenges it has not seen in decades, as the industry was accustomed to high margins and substantial profits (particularly in the years 2000-2007 due to the availability of excess liquidity). As the financial markets climbed regularly over the last 30 years, occasional dips notwithstanding, asset managers became used to the steady increases in their assets under management (AUM) and easy profits. However, in the wake of the biggest downturn since the Great Depression, a slow recovery has left many firms struggling. Even in 2012, most of the growth of asset management came from market appreciation and not from an increase in the flow of resources from clients.

This new environment changed the asset management industry. During the precrisis "golden years" of abundant liquidity, most asset managers were not overly worried about the costs incurred in running their operations and did not pay close attention to the risks involved, since the continuous growth in personal wealth steadily increased their AUM, covering for these expenses. Errors and high operating costs were buried under the increased revenues from a larger asset base and the profits that came from high returns in the world markets. Postcrisis, the situation has changed dramatically. Large asset managers have seen their AUM go down by 30 or 40%, not only because of the drop in asset prices but also because clients are withdrawing funds, either out of necessity to cover debts, because they fear that the stock markets will take a long time to recover, or sometimes even out of concern for the financial well-being of some asset managers. The crisis also showed historic regulatory failures, like the Bernie Madoff case, in which he created a Ponzi scheme that was discovered during the 2008 financial crisis and lost USD 6 billion from investors (this case is one of the largest OpRisk events in history). Many investors close to retirement lost their pensions not only because of the market conditions but also because of a lack of caution and risk management from pension fund managers.

This long-lasting dire economic environment forces asset managers to develop a much more careful discipline around costs, risk management, and productivity. Each of these factors has received widespread attention in the specialized media.

The industry has reacted quickly to this new reality. For example, a large independent US asset manager has already put in place several measures to reduce costs, by sharing services in its distribution and administration departments across geographical areas. This same firm has also launched an initiative to reduce its NCE by 20% in 2009, with the development of an inter-company committee to determine the expenses that have to be eliminated.

A European-based global firm decided to reduce the number of products it offered and to concentrate its development efforts on a few products where it can build competitive advantage on a global scale. This firm also decided to immediately implement a plan, which had been on the shelf for many years, to streamline its operational platforms on a global basis. Currently, each geographical location (and sometimes within the same country) has its own platform with different vendors and frameworks to process securities.

Asset managers are susceptible to all forms of risks, namely market, credit, and OpRisks. However, due to the characteristics of their business (and perhaps helped by a historic disregard for strong controls), OpRisk is typically the largest risk exposure an asset manager has. Market and credit risk associated losses would usually have an indirect impact on the asset manager's revenue, as any loss to the client funds entails lower commissions. However, these losses are usually borne by the fund's clients, not the asset manager as a financial institution. These market and credit risk losses would impact the quotas and NAVs, so the client would take a direct hit; the asset manager would just have less fee revenue in these cases, an indirect impact. OpRisk can be manifested in many different ways for an asset manager as, for example, in errors in processing transactions or a system failure that can cause severe damage and

² To preserve confidentiality, the company names are not mentioned.



impact the balance sheet of the asset manager. Asset managers are also regularly sued for poor performance by clients. Consistently failing to comply with local regulations, or with very basic business ethics, can generate very large operational losses and subsequent reputational damage. A number of examples are available in the media for large losses in each of these cases (Table 7.15).

Table 7.15 Asset Management OpRisk Profile

| Event Type | Frequency (%) | Severity (%) |
| --- | --- | --- |
| Internal Fraud | 1.5 | 11.1 |
| External Fraud | 2.7 | 0.9 |
| Employment Practices and Workplace Safety | 4.3 | 2.5 |
| Clients, Products, and Business Practices | 13.7 | 30.8 |
| Damage to Physical Assets | 0.3 | 0.2 |
| Business Disruption and System Failures | 3.3 | 1.5 |
| Execution, Delivery & Process Management | 74.2 | 52.8 |

Source: Results from the 2008 Loss Data Collection Exercise for Operational Risk, see BCBS (2009b).

Coming to realize the need to focus on OpRisk, asset managers have been setting up OpRisk departments at a fast pace in the last few years. The higher focus from regulators on hedge funds also led these more sophisticated asset managers to set up better OpRisk procedures around their operations. This new focus on control and risks would actually facilitate more stable growth, with fewer bumps, when the economic environment eventually improves.

Retail Brokerage

For OpRisk practitioners, this sector is possibly one of the most interesting. Although we obviously need to consider that risk profiles would vary significantly between institutions given their different business strategies, broker-dealers' risk profile is usually dominated by OpRisk, which accounts for at least 60-70% of the total risk capital in these firms. This OpRisk type becomes clear when we review the sector.

Broker-dealers these days can be roughly classified into online and brick-and-mortar brokers. Although the separation cannot be precisely defined, the customer focus of these brokers is different. While online brokers tend to compete on the retail side, offering the convenience of trading from home or work, charging a reasonable fee for trades and usually offering free online research tools and a few other services, brick-and-mortar brokers are mostly a division of larger financial institutions and tend to focus on a wealthier customer base that would pay for the high fees they charge, advice from financial advisors, etc.

Over the past decade, the industry had a dramatic transformation with the proliferation of sophisticated, high-speed trading technology that has changed the way broker-dealers trade for their own accounts and as agent for their customers. In addition, customers of these broker-dealers—particularly leading-edge institutions—have themselves begun using technological tools to place orders and to trade on markets with little or no substantive intermediation of their broker-dealers. This, in turn, has given rise to the increased use and reliance on "direct market access" or "sponsored access" arrangements. Under these arrangements, the broker-dealer allows its customers—whether an institution such as a hedge fund, mutual fund, bank or insurance company, an individual, or another broker-dealer—to use the broker-dealer's market participant identifier ("MPID") or other mechanism for the purposes of electronically accessing the exchange. With "direct market access", as commonly understood, the customer's orders first flow through the broker-dealer's systems and then enter the markets, while with "sponsored access", the customer's orders flow directly into the markets without passing through the broker-dealer's systems. In all cases, irrespective of whether the broker-dealer is trading for its own account, is trading for customers through more traditionally intermediated brokerage arrangements, or is allowing customers direct market access or sponsored access, the broker-dealer with market access is legally responsible for all trading activities that occur under its MPID. In some cases, the broker-dealer providing sponsored access may not utilize any pretrade risk management controls (i.e., "unfiltered" or "naked" access), and thus could be unaware of the trading activity occurring under its market identifier and have no mechanism to control it.

Nowadays, order placement rates can exceed 1000 orders per second with the use of high-speed, automated algorithms. If, for example, an algorithm such as this malfunctions and places repetitive orders with an average size of 300 shares and an average price of USD 20, a two-minute delay in the detection of the problem could result in the entry of, for example, 120,000 orders valued at USD 720 million. In sponsored access arrangements, as well as other access arrangements, appropriate pretrade risk controls could prevent this outcome from occurring by blocking unintended orders from being routed to an exchange. Incidents involving algorithmic or other trading errors in connection with market access occur with some

regularity. For example, it was reported that, on September 30, 2008, trading in Google became extremely volatile toward the end of the day, dropping 93% in value at one point, due to an influx of erroneous orders onto an exchange from a single market participant. As a result, Nasdaq had to cancel numerous trades, and adjust the closing price for Google and the closing value for the Nasdaq 100 Index. In addition, it was reported that, in September 2009, Southwest Securities announced a USD 6.3 million quarterly loss resulting from deficient market access controls with respect to one of its correspondent brokers that vastly exceeded its credit limits. Despite receiving intra-day alerts from the exchange, Southwest Securities' controls proved insufficient to allow it to respond in a timely manner, and trading by the correspondent continued for the rest of the day, resulting in a significant loss. Another example that highlights the need for appropriate controls in connection with market access occurred in December 2005, when Mizuho Securities, one of Japan's largest brokerage firms, sustained a significant loss due to an erroneous manual order entry that resulted in a trade that, under the applicable exchange rules, could not be canceled. Specifically, it was reported that a trader at Mizuho Securities intended to enter a customer sale order for one share of a security at a price of 610,000 Yen, but the numbers were mistakenly transposed and an order to sell 610,000 shares of the security at a price of 1 Yen was entered instead. A system-driven, pretrade control reasonably designed to reject orders that are not reasonably related to the quoted price of the security would have prevented this order from reaching the market.

In this section, we provide an overview of how risk is organized in financial firms, how policies are structured, and the importance of a solid committee and governance structure. Sound internal governance forms the foundation of an effective OpRisk management framework. Although internal governance issues related to the management of operational risk are not unlike those encountered in the management of credit or market risk, OpRisk management challenges may differ from those in other risk areas.

Table 7.16 Asset Management OpRisk Profile

| Event Type | Frequency (%) | Severity (%) |
| --- | --- | --- |
| Internal Fraud | 5.8 | 18.1 |
| External Fraud | 2.3 | 1.4 |
| Employment Practices and Workplace Safety | 4.4 | 6.3 |
| Clients, Products, and Business Practices | 66.9 | 59.5 |
| Damage to Physical Assets | 0.1 | 0.1 |
| Business Disruption and System Failures | 0.5 | 0.2 |
| Execution, Delivery & Process Management | 20.0 | 14.4 |

Source: Results from the 2008 Loss Data Collection Exercise for Operational Risk, see BCBS (2009b).
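The pretrade controls the runaway-algorithm scenario and the Mizuho order entry above call for, as an added example that is not from the FRM text or from any exchange or broker-dealer system: a price-reasonability check against the last quote, a single-order quantity cap, and per-MPID order-rate and cumulative-notional throttles over a sliding window. All thresholds, the quotes, the symbols and the MPID are constructed for illustration; the 1000 orders/s, 300 shares, USD 20 and two-minute figures are the text's.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Tuple


@dataclass(frozen=True)
class Order:
    mpid: str       # market participant identifier the order would go out under
    symbol: str
    side: str       # "BUY" or "SELL"
    quantity: int
    price: float
    ts_ms: int      # submission time in milliseconds (integers keep window maths exact)


@dataclass(frozen=True)
class Limits:
    """Thresholds are assumptions for this example, not any firm's or regulator's."""
    max_price_deviation: float = 0.10   # reject if more than 10% away from the quote
    max_order_quantity: int = 100_000   # share cap for a single order
    max_orders_per_second: int = 100    # per MPID, sliding one-second window
    max_window_notional: float = 50e6   # cumulative notional per MPID in the window
    window_ms: int = 60_000


class PretradeGate:
    """Runs every order through the checks before it may leave under the MPID,
    since the broker-dealer is responsible for all flow under that identifier."""

    def __init__(self, limits: Limits, quotes: Dict[str, float]) -> None:
        self.limits = limits
        self.quotes = quotes                                    # symbol -> last quote
        self._sent: Dict[str, Deque[Tuple[int, float]]] = {}    # mpid -> (ts_ms, notional)

    def check(self, order: Order) -> Tuple[bool, str]:
        lim = self.limits
        quote = self.quotes.get(order.symbol)
        if quote is None or quote <= 0:
            return False, "no reference quote for symbol"
        # 1. Price reasonability: a sell of 610,000 shares at 1 Yen against a
        #    610,000 Yen quote is rejected here, before the quantity is looked at.
        if abs(order.price - quote) / quote > lim.max_price_deviation:
            return False, f"price {order.price} not reasonably related to quote {quote}"
        if order.quantity <= 0 or order.quantity > lim.max_order_quantity:
            return False, f"quantity {order.quantity} outside 1..{lim.max_order_quantity}"
        # 2. Throttles per MPID: drop entries older than the window, then count.
        sent = self._sent.setdefault(order.mpid, deque())
        while sent and order.ts_ms - sent[0][0] >= lim.window_ms:
            sent.popleft()
        in_last_second = sum(1 for ts, _ in sent if order.ts_ms - ts < 1000)
        if in_last_second >= lim.max_orders_per_second:
            return False, "order rate limit reached for MPID"
        notional = order.quantity * order.price
        if sum(n for _, n in sent) + notional > lim.max_window_notional:
            return False, "cumulative notional limit reached for MPID"
        sent.append((order.ts_ms, notional))
        return True, "accepted"


def runaway_exposure(orders_per_second: int, avg_shares: int,
                     avg_price: float, delay_seconds: int) -> Tuple[int, float]:
    """Orders and notional a malfunctioning algorithm could enter before anyone
    notices; the text's figures are 1000/s, 300 shares, USD 20 and two minutes."""
    orders = orders_per_second * delay_seconds
    return orders, orders * avg_shares * avg_price


def run_burst(gate: PretradeGate, mpid: str, symbol: str, n_orders: int,
              shares: int, price: float, start_ms: int = 0) -> Tuple[int, int]:
    """Feed a burst of one order per millisecond (1000/s) through the gate and
    return (accepted, rejected)."""
    accepted = 0
    for i in range(n_orders):
        ok, _ = gate.check(Order(mpid, symbol, "BUY", shares, price, start_ms + i))
        accepted += int(ok)
    return accepted, n_orders - accepted


if __name__ == "__main__":
    # Constructed quotes: ACME at USD 20; TICKER-X stands in for the 610,000 Yen stock.
    gate = PretradeGate(Limits(), {"ACME": 20.0, "TICKER-X": 610_000.0})
    print(runaway_exposure(1000, 300, 20.0, 120))             # (120000, 720000000.0)
    print(run_burst(gate, "BD-1", "ACME", 2000, 300, 20.0))   # (200, 1800)
    print(gate.check(Order("BD-1", "TICKER-X", "SELL", 610_000, 1.0, 5000)))
    print(gate.check(Order("BD-1", "TICKER-X", "SELL", 1, 610_000.0, 5001)))
```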
As these exam ples show, broker-dealers are intensively exposed
to O pRisk that usually occupies the headlines of most of the
Organization of Risk Departments
newspapers and media. Brokers usually do not hold large pro­
prietary positions and lending, particularly after the 2008 crash, One cannot downplay the role of an organization in any large
has been limited; therefore, most exposure comes from poten­ business. Although many times the focus is on the measurement
tially explosive system issues, execution errors, litigation with models with its complex formulas, most of the times the success of
retail custom ers, fraud com m itted by clients, etc. (Table 7.16) implementing an OpRisk framework lies in having the right organi­
zation. The organizational design would usually hint at the strength
and degree of development of an OpRisk framework at a firm. In

7.8 R IS K O R G A N IZ A T IO N A N D the following text, we show a few organizational designs and the
beliefs that firms need to have to make them work. Usually firms
G O VERN A N CE
start with Design 1 and go to Design 4 presented in Figure 7.5.

Developing a solid risk organization is a key part of the fram e­ • Design 1— Central Risk Function as Coordinator. In this
work. Understanding the reporting lines and establishing the organizational design, risk m anagem ent role is more of a
position of this organization on the firm would have probably facilitator. Usually in this structure, risk m anagem ent gathers
as much importance as having a good measurement system. information and reports to the C E O or the Board. Sometim es
Also having proper organizational involvement in O pRisk issues risk m anagem ent would add some layer of analysis, but in
where key stakeholders are regularly informed and oversee risk most cases, the Central Risk group would be a small group.
is fundamental for success. Developing a fram ework in a silo O ne of the issues with this structure is that the regulators dis­
that no one sees or cares is nor a desirable situation. The OpRisk like the idea that risk managers report to revenue generating
manager needs to be integrated to the rest of the organization. businesses;

Chapter 7 OpRisk Data and Governance ■ 133


In order for this structure to be successful, one should believe that the Business Units will be responsive to the Central Risk function's demands even without being part of its reporting line and without the control and incentives that such reporting includes (e.g., control over compensation, etc.);

• Design 2— Matrix reporting—the "dotted lines". In this organizational design, a sort of evolution of the previous design, risk managers have a dotted line to the Central Risk function; however, they are appointed by the Business Units and compensation decisions are still taken by these. In order for this to be successful, the Business Units should have a strong risk culture and collaborate very closely with the Central Risk function. This dotted line structure works well when there is a culture of Business Unit independence and distrust of the Central Risk function for some reason or event that happened in the past;

• Design 3— Solid reporting lines to Central Risk Management. This organizational structure is reasonably popular within large firms. Risk Managers still physically work in the Business Units but report to the Central Risk function, usually based in the headquarters. The Central Risk function is better positioned to prioritize risk management efforts across different initiatives. This solid line reporting also assists in the creation of a more homogeneous risk culture and a consistent approach across the enterprise;

• Design 4— Strong Central Risk Management. Large firms have adopted this structure lately, either by internal agreement or through regulatory pressure. In this structure, the Corporate Chief Risk Officer is the key decision maker in risk management and fully responsible for risk across the firm. Central Risk Management is responsible for monitoring and managing all the firm's risks and for reporting to senior management and the Board. Such a structure makes it much easier for the regulator to streamline supervision, as it can focus on one particular group instead of being scattered across many business units and geographical areas.

Figure 7.5 Designs 1-4 (four panels: Design 1, Design 2, Design 3, Design 4)

Structuring a Firm Wide Policy: Example of an OpRisk Policy

An example of a policy is presented in Table 7.17. A policy defines a firm's operational risk management framework, which includes governance structure, roles and responsibilities, and standards for OpRisk management and measurement. It also describes the OpRisk management programs, which are the functional activities requiring guidelines for consistent firm-wide execution (e.g., loss capture program, risk control self-assessment, and scenario analysis).

Governance

Common industry practice for sound OpRisk governance often relies on three lines of defense:

• Business line management;
• An independent corporate OpRisk management function; and
• An independent review (usually internal audit).

134 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 7.17 Example of an OpRisk Policy

Content                        Description

Executive summary              Defines the rationale and scope of the policy

Policy statements              Provide a quick definition of the standards that will be used across the policy

Risk taxonomy                  Categorizes OpRisk into different risk types. It can follow the Basel categories, but if it does not, it usually provides a mapping of internal categories to the Basel-defined categories

Loss collection                Defines what losses or incidents should be reported. Discusses the concept of "near misses" and describes recoveries

Risk assessment                Usually describes other programs used to supplement internal loss data collection, like scenario analysis or risk factor analysis

Risk measurement               Describes the basic framework for measuring OpRisk, which types of data are used, and how capital is calculated (an overall view of the building blocks, not a detailed manual)

Validation                     Describes how the risk assessment and measurement are validated, how frequently validation takes place, and which departments are responsible for the validation

Policy assurance and testing   Determines which department(s) in the firm will be responsible for assurance that the policy is being followed and the reports that assure this firm-wide compliance

Governance                     Describes where this policy is situated, which committee approves it, and how the OpRisk governance works

References                     Determine on which regulations, external standards, and/or other firm policies this was based

Depending on the bank's nature, size and complexity, and the risk profile of a bank's activities, the degree of formality of how these three lines of defense are implemented will vary. In all cases, however, a bank's OpRisk governance function should be fully integrated into the bank's overall risk management governance structure, and the regulators closely monitor this.

If OpRisk governance utilizes the three lines of defense model (i.e., the business is the first line of defense, risk management is the second line, and internal audit the third), the structure and activities of the three lines often vary, depending on the bank's portfolio of products, activities, processes, and systems; the bank's size; and its risk management approach. Strong risk culture and good communications among the three lines of defense are important characteristics of good OpRisk governance.

The regulators also reinforce the role of the board of directors. In the US and UK it is common for regulators to meet separately with financial firms' boards of directors regularly to discuss their expectations regarding risk management. The board of directors should take the lead in establishing a strong risk management culture. The board of directors and senior management should establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behavior. In this regard, it is the responsibility of the board of directors to ensure that a strong OpRisk management culture exists throughout the whole organization, and this will be closely monitored by regulators.



Learning Objectives

After completing this reading you should be able to:

• Describe model risk and explain how model risk can arise in the implementation of a model.
• Describe elements of an effective process to manage model risk.
• Explain best practices for the development and implementation of a model.
• Describe elements of a strong model validation process and challenges to an effective validation process.

Excerpt is reprinted from Financial Institution Letter FIL-22-2017 published by the Federal Deposit Insurance Corporation.
8.1 IN T R O D U C T IO N m anagem ent; however, sound developm ent, im plem entation,
and use of models are also vital elem ents. Furtherm ore, model
Banks rely heavily on quantitative analysis and models in most risk m anagem ent encom passes governance and control m echa­
aspects of financial decision m aking.1 They routinely use models nisms such as board and senior m anagem ent oversight, policies
for a broad range of activities, including underwriting credits; and procedures, controls and com pliance, and an appropriate
valuing exposures, instruments, and positions; measuring risk; incentive and organizational structure.
managing and safeguarding client assets; determining capital Previous guidance and other publications issued by the FD IC on
and reserve adequacy; and many other activities. In recent years, the use of models address aspects of model risk m anagem ent
banks have applied models to more com plex products and with for specific types of models or pay particular attention to model
more ambitious scope, such as enterprise-wide risk m easure­ validation.2 Based on supervisory and industry experience over
ment, while the markets in which they are used have also the past several years, this docum ent expands on existing
broadened and changed. Changes in regulation have spurred guidance— most importantly by broadening the scope to
some of the recent developm ents, particularly the U.S. regula­ include all aspects of model risk m anagem ent. Many banks may
tory capital rules for market, credit, and operational risk based already have in place a large portion of these practices, but
on the fram ework developed by the Basel Com m ittee on Bank­ banks should ensure that internal policies and procedures are
ing Supervision. Even apart from these regulatory considerations, consistent with the risk m anagem ent principles and supervisory
however, banks have been increasing the use of data-driven, expectations contained in this guidance. Details may vary from
quantitative decision-making tools for a number of years. bank to bank, as practical application of this guidance should be
The expanding use of models in all aspects of banking reflects customized to be com m ensurate with a bank's risk exposures, its
the extent to which models can improve business decisions, but business activities, and the com plexity and extent of its model
models also come with costs. There is the direct cost of devot­ use. For exam ple, steps taken to apply this guidance at banks
ing resources to develop and im plem ent models properly. There using relatively few models of only m oderate com plexity might
are also the potential indirect costs of relying on m odels, such as be significantly less involved than those at a bank where use of
the possible adverse consequences (including financial loss) of models is more extensive or com plex.
decisions based on models that are incorrect or misused. Those
consequences should be addressed by active m anagem ent of
model risk. 8.3 O V E R V IE W O F M O D E L R ISK
This guidance describes the key aspects of effective model
M A N A G EM EN T
risk m anagem ent. Section II explains the purpose and scope of
For the purposes of this docum ent, the term m odel refers to a
the guidance, and Section III gives an overview of model risk
quantitative m ethod, system , or approach that applies statistical,
m anagem ent. Section IV discusses robust model developm ent,
econom ic, financial, or mathematical theories, techniques, and
implementation, and use. Section V describes the components of
assumptions to process input data into quantitative estim ates.
an effective validation framework. Section VI explains the salient
A m odel consists of three com ponents: an information input
features of sound governance, policies, and controls over model
com ponent, which delivers assumptions and data to the model;
developm ent, implementation, use, and validation. Section VII
a processing com ponent, which transform s inputs into estim ates;
concludes.
and a reporting com ponent, which translates the estim ates into
useful business information. Models meeting this definition
might be used for analyzing business strategies, informing
8.2 P U R P O S E A N D S C O P E
9

The purpose of this docum ent is to provide com prehensive For instance, the FD IC has addressed aspects of model risk m anage­
ment in guidance related to different activities; see Jo in t A gency Policy
guidance for banks on effective model risk m anagem ent.
Statem ent on Interest Rate Risk (FIL-52-96), F F IE C A dvisory on Interest
Rigorous model validation plays a critical role in model risk Rate Risk M anagem ent (FIL-2-2010), Interagency Advisory on Interest
Rate Risk M anagem ent Frequently Asked Q uestions (FIL-2-2012),
FD IC's C redit Card A ctivities Manual (https://w w w .fdic.gov/regulations/
1 Unless otherw ise indicated, banks refers to state non-member banks, exam inations/credit_card/), and Supervisory Guidance on Implementing
state savings associations, and all other institutions for which the Fe d ­ Dodd-Frank A ct Com pany-Run Stress Tests for Banking Organizations
eral D eposit Insurance Corporation is the primary supervisor. It is not W ith Total Consolidated Assets of More Than $10 Billion but Less Than
expected that this guidance will pertain to FDIC-supervised institutions $50 Billion (79 FR 14153). In addition, the advanced-approaches risk-
with under $1 billion in total assets unless the institution's model use is based capital rules (12 C FR 325, A p p en d ix D) contain explicit validation
significant, com plex, or poses elevated risk to the institution. requirem ents for subject banking organizations.

138 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
business decisions, identifying and measuring risks, valuing • The model may be used incorrectly or inappropriately. Even
exposures, instruments or positions, conducting stress testing, a fundam entally sound model producing accurate outputs
assessing adequacy of capital, managing client assets, measuring consistent with the design objective of the model may
com pliance with internal limits, maintaining the formal control exhibit high model risk if it is misapplied or misused. Models
apparatus of the bank, or meeting financial or regulatory report­ by their nature are sim plifications of reality, and real-world
ing requirements and issuing public disclosures. The definition of events may prove those sim plifications inappropriate. This
m odel also covers quantitative approaches whose inputs are is even more of a concern if a model is used outside the
partially or wholly qualitative or based on expert judgm ent, environm ent for which it was designed. Banks may do this
provided that the output is quantitative in nature.3 intentionally as they apply existing models to new products
or m arkets, or inadvertently as market conditions or customer
M odels are sim plified representations of real-world relationships
behavior changes. Decision makers need to understand the
among observed characteristics, values, and events. Sim plifi­
limitations of a model to avoid using it in ways that are not
cation is inevitable, due to the inherent com plexity of those
consistent with the original intent. Limitations come in part
relationships, but also intentional, to focus attention on particu­
from weaknesses in the model due to its various shortcom ­
lar aspects considered to be most im portant for a given model
ings, approxim ations, and uncertainties. Limitations are also
application. Model quality can be measured in many ways:
a consequence of assumptions underlying a model that may
precision, accuracy, discrim inatory power, robustness, stability,
restrict the scope to a limited set of specific circum stances
and reliability, to name a few. Models are never perfect, and the
and situations.
appropriate metrics of quality, and the effort that should be put
into improving quality, depend on the situation. For exam ple, Model risk should be managed like other types of risk. Banks
precision and accuracy are relevant for models that forecast should identify the sources of risk and assess the magnitude.
future values, while discrim inatory power applies to models that Model risk increases with greater model com plexity, higher
rank order risks. In all situations, it is im portant to understand a uncertainty about inputs and assumptions, broader use, and
model's capabilities and limitations given its sim plifications and larger potential impact. Banks should consider risk from indi­
assumptions. vidual models and in the aggregate. A ggregate model risk is
affected by interaction and dependencies among m odels; reli­
The use of models invariably presents model risk, which is the
ance on common assumptions, data, or m ethodologies; and
potential for adverse consequences from decisions based on
any other factors that could adversely affect several models and
incorrect or misused model outputs and reports. Model risk
their outputs at the same tim e. With an understanding of the
can lead to financial loss, poor business and strategic decision
source and magnitude of model risk in place, the next step is to
making, or dam age to a bank's reputation. Model risk occurs
manage it properly.
primarily for two reasons:
A guiding principle for managing model risk is "effective
• The model may have fundamental errors and may produce
challenge" of m odels, that is, critical analysis by objective,
inaccurate outputs when viewed against the design objective
inform ed parties who can identify model lim itations and
and intended business uses. The mathematical calculation
assum ptions and produce appropriate changes. Effective
and quantification exercise underlying any model generally
challenge depends on a com bination of incentives, com pe­
involves application of theory, choice of sam ple design and
tence, and influence. Incentives to provide effective challenge
numerical routines, selection of inputs and estim ation, and
to m odels are stronger when there is greater separation of
im plem entation in information system s. Errors can occur at
that challenge from the model developm ent process and
any point from design through im plem entation. In addition,
when challenge is supported by w ell-designed com pensa­
shortcuts, sim plifications, or approxim ations used to manage
tion practices and corporate culture. C om petence is a key to
com plicated problem s could com prom ise the integrity and
effectiveness since technical know ledge and m odeling skills
reliability of outputs from those calculations. Finally, the qual­
are necessary to conduct appropriate analysis and critique.
ity of model outputs depends on the quality of input data
Finally, challenge may fail to be effective without the influence
and assumptions, and errors in inputs or incorrect assum p­
to ensure that actions are taken to address model issues. Such
tions will lead to inaccurate outputs.
influence com es from a com bination of exp licit authority, stat­
ure within the organization, and com m itm ent and support from
3 W hile outside the scope of this guidance, more qualitative approaches higher levels of m anagem ent.
used by banking organizations— i.e ., those not defined as models
according to this guidance— should also be subject to a rigorous control Even with skilled modeling and robust validation, model risk
process. cannot be elim inated, so other tools should be used to manage

Chapter 8 Supervisory Guidance on Model Risk Management ■ 139


model risk effectively. Am ong these are establishing limits on recognize that this subjectivity elevates the im portance
model use, monitoring model perform ance, adjusting or revising of sound and com prehensive model risk m anagem ent
models over tim e, and supplem enting model results with other p ro cesses.4
analysis and information. Informed conservatism , in either the
inputs or the design of a model or through explicit adjustments
to outputs, can be an effective tool, though not an excuse to
Model Development and Implementation
avoid improving models. An effective developm ent process begins with a clear statem ent
As is generally the case with other risks, m ateriality is an impor­ of purpose to ensure that model developm ent is aligned with
tant consideration in model risk m anagem ent. If at som e banks the intended use. The design, theory, and logic underlying the
the use of m odels is less pervasive and has less im pact on their model should be well docum ented and generally supported
financial condition, then those banks may not need as com ­ by published research and sound industry practice. The model
plex an approach to model risk m anagem ent in order to m eet m ethodologies and processing com ponents that im plem ent the
supervisory expectations. However, where m odels and model theory, including the mathematical specification and the numeri­
output have a material im pact on business decisions, including cal techniques and approxim ations, should be explained in
decisions related to risk m anagem ent and capital and liquidity detail with particular attention to merits and limitations. D evel­
planning, and where model failure would have a particularly opers should ensure that the com ponents work as intended,
harmful im pact on a bank's financial condition, a bank's model are appropriate for the intended business purpose, and are
risk m anagem ent fram ew ork should be more extensive and conceptually sound and m athem atically and statistically correct.
rigorous. Com parison with alternative theories and approaches is a funda­
mental com ponent of a sound modeling process.
Model risk m anagem ent begins with robust model develop­
ment, im plem entation, and use. Another essential elem ent is The data and other information used to develop a model are
a sound model validation process. A third elem ent is gover­ of critical im portance; there should be rigorous assessm ent
nance, which sets an effective fram ework with defined roles and of data quality and relevance, and appropriate docum enta­
responsibilities for clear communication of model limitations and tion. D evelopers should be able to dem onstrate that such data
assumptions, as well as the authority to restrict model usage. and information are suitable for the model and that they are
The following sections of this docum ent cover each of these consistent with the theory behind the approach and with the
elem ents. chosen m ethodology. If data proxies are used, they should be
carefully identified, justified, and docum ented. If data and infor­
mation are not representative of the bank's portfolio or other
characteristics, or if assumptions are made to adjust the data
8.4 M O D E L D E V E L O P M E N T ,
and information, these factors should be properly tracked and
IM P LEM EN T A T IO N , A N D U S E analyzed so that users are aware of potential limitations. This is
particularly im portant for external data and information (from a
Model risk m anagem ent should include disciplined and knowl­
vendor or outside party), especially as they relate to new prod­
edgeable developm ent and im plem entation processes that are
ucts, instruments, or activities.
consistent with the situation and goals of the model user and
with bank policy. Model developm ent is not a straightforw ard An integral part of model developm ent is testing, in which
or routine technical process. The exp erience and judgm ent of the various com ponents of a model and its overall functioning
developers, as much as their technical know ledge, greatly are evaluated to determ ine whether the model is perform ­
influence the appropriate selection of inputs and processing ing as intended. Model testing includes checking the model's
com ponents. The training and exp erience of developers accuracy, dem onstrating that the model is robust and stable,
exercising such judgm ent affects the extent of model risk. assessing potential limitations, and evaluating the model's
M oreover, the m odeling exercise is often a m ultidisciplinary behavior over a range of input values. It should also assess the
activity drawing on econom ics, finance, statistics, m athem atics,
and other field s. M odels are em ployed in real-world m arkets
4 Less com plex banks that rely on vendor m odels may be able to satisfy
and events and therefore should be tailored for specific the standards in this guidance without an in-house staff of technical,
applications and inform ed by business uses. In addition, a quantitative model developers. However, even if a bank relies on
vendors for basic model developm ent, the bank should still choose the
considerable am ount of subjective judgm ent is exercised at
particular m odels and variables that are appropriate to its size, scale,
various stages of model developm ent, im plem entation, and lines of business and ensure the m odels are appropriate for the
use, and validation. It is im portant for decision makers to intended use.

140 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
im pact of assumptions and identify situations where the model realities. Model users can provide valuable business insight
performs poorly or becom es unreliable. Testing should be during the developm ent process. In addition, business m anag­
applied to actual circum stances under a variety of market condi­ ers affected by model outcom es may question the methods or
tions, including scenarios that are outside the range of ordinary assumptions underlying the m odels, particularly if the managers
expectations, and should encom pass the variety of products or are significantly affected by and do not agree with the outcom e.
applications for which the model is intended. Extrem e values for Such questioning can be healthy if it is constructive and causes
inputs should be evaluated to identify any boundaries of model model developers to explain and justify the assumptions and
effectiveness. The im pact of model results on other models design of the models.
that rely on those results as inputs should also be evaluated.
However, challenge from model users may be weak if the model
Included in testing activities should be the purpose, design, and
does not m aterially affect their results, if the resulting changes
execution of test plans, summary results with com m entary and
in models are perceived to have adverse effects on the business
evaluation, and detailed analysis of informative sam ples. Testing
line, or if change in general is regarded as expensive or difficult.
activities should be appropriately docum ented.
User challenges also tend not to be com prehensive because
The nature of testing and analysis will depend on the type of they focus on aspects of models that have the most direct
model and will be judged by different criteria depending on the impact on the user's measured business perform ance or com ­
context. For exam ple, the appropriate statistical tests depend pensation, and thus may ignore other elem ents and applications
on specific distributional assumptions and the purpose of the of the m odels. Finally, such challenges tend to be asym m etric,
model. Furtherm ore, in many cases statistical tests cannot unam­ because users are less likely to challenge an outcom e that
biguously reject false hypotheses or accept true ones based on results in an advantage for them . Indeed, users may incorrectly
sam ple information. Different tests have different strengths and believe that model risk is low simply because outcom es from
weaknesses under different conditions. Any single test is rarely model-based decisions appear favorable to the institution. Thus,
sufficient, so banks should apply a variety of tests to develop a the nature and motivation behind model users' input should be
sound model. evaluated carefully, and banks should also solicit constructive
suggestions and criticism from sources independent of the line
Banks should ensure that the developm ent of the more ju d g ­
of business using the model.
mental and qualitative aspects of their models is also sound. In
some cases, banks may take statistical output from a model and Reports used for business decision making play a critical role in
modify it with judgm ental or qualitative adjustm ents as part of model risk m anagem ent. Such reports should be clear and com ­
model developm ent. W hile such practices may be appropriate, prehensible and take into account the fact that decision makers
banks should ensure that any such adjustm ents made as part of and m odelers often come from quite different backgrounds and
the developm ent process are conducted in an appropriate and may interpret the contents in different ways. Reports that pro­
system atic manner, and are well docum ented. M odels typically vide a range of estim ates for different input-value scenarios and
are em bedded in larger information system s that manage the assumption values can give decision makers im portant indica­
flow of data from various sources into the model and handle the tions of the model's accuracy, robustness, and stability as well as
aggregation and reporting of model outcom es. Model calcula­ information on model limitations.
tions should be properly coordinated with the capabilities and
An understanding of model uncertainty and inaccuracy and a
requirements of information system s. Sound model risk m anage­
demonstration that the bank is accounting for them appropri­
ment depends on substantial investm ent in supporting systems
ately are im portant outcom es of effective model developm ent,
to ensure data and reporting integrity, together with controls
im plem entation, and use. Because they are by definition imper­
and testing to ensure proper implementation of m odels, effec­
fect representations of reality, all models have some degree of
tive systems integration, and appropriate use.
uncertainty and inaccuracy. These can som etim es be quantified,
for exam ple, by an assessm ent of the potential impact of factors
that are unobservable or not fully incorporated in the model, or
Model Use
by the confidence interval around a statistical model's point esti­
Model use provides additional opportunity to test whether a mate. Indeed, using a range of outputs, rather than a simple
model is functioning effectively and to assess its performance point estim ate, can be a useful way to signal model uncertainty
over tim e as conditions and model applications change. It can and avoid spurious precision. A t other tim es, only a qualitative
serve as a source of productive feedback and insights from a assessm ent of model uncertainty and inaccuracy is possible. In
knowledgeable internal constituency with strong interest in hav­ either case, it can be prudent for banks to account for model
ing models that function well and reflect econom ic and business uncertainty by explicitly adjusting model inputs or calculations

Chapter 8 Supervisory Guidance on Model Risk Management ■ 141


to produce more severe or adverse model output in the interest of conservatism. Accounting for model uncertainty can also include judgmental conservative adjustments to model output, placing less emphasis on that model's output, or ensuring that the model is only used when supplemented by other models or approaches.5

5 To the extent that models are used to generate amounts included in public financial statements, any adjustments for model uncertainty are required by existing law to comply with generally accepted accounting principles.

While conservative use of models is prudent in general, banks should be careful in applying conservatism broadly or claiming to make conservative adjustments or add-ons to address model risk, because the impact of such conservatism in complex models may not be obvious or intuitive. Model aspects that appear conservative in one model may not be truly conservative compared with alternative methods. For example, simply picking an extreme point on a given modeled distribution may not be conservative if the distribution was misestimated or misspecified in the first place. Furthermore, initially conservative assumptions may not remain conservative over time. Therefore, banks should justify and substantiate claims that model outputs are conservative with a definition and measurement of that conservatism that is communicated to model users. In some cases, sensitivity analysis or other types of stress testing can be used to demonstrate that a model is indeed conservative. Another way in which banks may choose to be conservative is to hold an additional cushion of capital to protect against potential losses associated with model risk. However, conservatism can become an impediment to proper model development and application if it is seen as a solution that dissuades the bank from making the effort to improve the model; in addition, excessive conservatism can lead model users to discount the model outputs.

As this section has explained, robust model development, implementation, and use is important to model risk management. But it is not enough for model developers and users to understand and accept the model. Because model risk is ultimately borne by the bank as a whole, the bank should objectively assess model risk and the associated costs and benefits using a sound model-validation process.

8.5 MODEL VALIDATION

Model validation is the set of processes and activities intended to verify that models are performing as expected, in line with their design objectives and business uses. Effective validation helps ensure that models are sound. It also identifies potential limitations and assumptions, and assesses their possible impact. As with other aspects of effective challenge, model validation should be performed by staff with appropriate incentives, competence, and influence.

All model components, including input, processing, and reporting, should be subject to validation; this applies equally to models developed in-house and to those purchased from or developed by vendors or consultants. The rigor and sophistication of validation should be commensurate with the bank's overall use of models, the complexity and materiality of its models, and the size and complexity of the bank's operations.

Validation involves a degree of independence from model development and use. Generally, validation should be done by people who are not responsible for development or use and do not have a stake in whether a model is determined to be valid. Independence is not an end in itself but rather helps ensure that incentives are aligned with the goals of model validation. While independence may be supported by separation of reporting lines, it should be judged by actions and outcomes, since there may be additional ways to ensure objectivity and prevent bias. As a practical matter, some validation work may be most effectively done by model developers and users; it is essential, however, that such validation work be subject to critical review by an independent party, who should conduct additional activities to ensure proper validation. Overall, the quality of the process is judged by the manner in which models are subject to critical review. This could be determined by evaluating the extent and clarity of documentation, the issues identified by objective parties, and the actions taken by management to address model issues.

In addition to independence, banks can support appropriate incentives in validation through compensation practices and performance evaluation standards that are tied directly to the quality of model validations and the degree of critical, unbiased review. In addition, corporate culture plays a role if it establishes support for objective thinking and encourages questioning and challenging of decisions.

Staff doing validation should have the requisite knowledge, skills, and expertise. A high level of technical expertise may be needed because of the complexity of many models, both in structure and in application. These staff also should have a significant degree of familiarity with the line of business using the model and the model's intended use. A model's developer is an important source of information but cannot be relied on as an objective or sole source on which to base an assessment of model quality.

Staff conducting validation work should have explicit authority to challenge developers and users and to elevate their findings, including issues and deficiencies. The individual or unit to whom those staff report should have sufficient influence or stature within the bank to ensure that any issues and deficiencies are appropriately addressed in a timely and substantive manner. Such influence can be reflected in reporting lines, title, rank, or designated responsibilities. Influence may be demonstrated by a pattern of actual instances in which models, or the use of models, have been appropriately changed as a result of validation.

The range and rigor of validation activities conducted prior to first use of a model should be in line with the potential risk presented by use of the model. If significant deficiencies are noted as a result of the validation process, use of the model should not be allowed or should be permitted only under very tight constraints until those issues are resolved. If the deficiencies are too severe to be addressed within the model's framework, the model should be rejected. If it is not feasible to conduct necessary validation activities prior to model use because of data paucity or other limitations, that fact should be documented and communicated in reports to users, senior management, and other relevant parties. In such cases, the uncertainty about the results that the model produces should be mitigated by other compensating controls. This is particularly applicable to new models and to the use of existing models in new applications.

Validation activities should continue on an ongoing basis after a model goes into use, to track known model limitations and to identify any new ones. Validation is an important check on model use during periods of benign economic and financial conditions, when estimates of risk and potential loss can become overly optimistic, and when the data at hand may not fully reflect more stressed conditions. Ongoing validation activities help to ensure that changes in markets, products, exposures, activities, clients, or business practices do not create new model limitations. For example, if credit risk models do not incorporate underwriting changes in a timely manner, flawed and costly business decisions could be made before deterioration in model performance becomes apparent.

Banks should conduct a periodic review—at least annually but more frequently if warranted—of each model to determine whether it is working as intended and if the existing validation activities are sufficient. Such a determination could simply affirm previous validation work, suggest updates to previous validation activities, or call for additional validation activities. Material changes to models should also be subject to validation. It is generally good practice for banks to ensure that all models undergo the full validation process, as described in the following section, at some fixed interval, including updated documentation of all activities.

Effective model validation helps reduce model risk by identifying model errors, corrective actions, and appropriate use. It also provides an assessment of the reliability of a given model, based on its underlying assumptions, theory, and methods. In this way, it provides information about the source and extent of model risk. Validation also can reveal deterioration in model performance over time and can set thresholds for acceptable levels of error, through analysis of the distribution of outcomes around expected or predicted values. If outcomes fall consistently outside this acceptable range, then the models should be redeveloped.

Key Elements of Comprehensive Validation

An effective validation framework should include three core elements:

• Evaluation of conceptual soundness, including developmental evidence
• Ongoing monitoring, including process verification and benchmarking
• Outcomes analysis, including back-testing

Evaluation of Conceptual Soundness

This element involves assessing the quality of the model design and construction. It entails review of documentation and empirical evidence supporting the methods used and variables selected for the model. Documentation and testing should convey an understanding of model limitations and assumptions. Validation should ensure that judgment exercised in model design and construction is well informed, carefully considered, and consistent with published research and with sound industry practice. Developmental evidence should be reviewed before a model goes into use and also as part of the ongoing validation process, in particular whenever there is a material change in the model.

A sound development process will produce documented evidence in support of all model choices, including the overall theoretical construction, key assumptions, data, and specific mathematical calculations, as mentioned in Section IV. As part of model validation, those model aspects should be subjected to critical analysis by both evaluating the quality and extent of developmental evidence and conducting additional analysis and testing as necessary. Comparison to alternative theories and approaches should be included. Key assumptions and the choice of variables should be assessed, with analysis of their impact on model outputs and particular focus on any potential limitations. The relevance of the data used to build the model should be evaluated to ensure that it is reasonably representative of the bank's portfolio or market conditions, depending on the type of model. This is an especially important exercise when a bank uses external data or the model is used for new products or activities.
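Two points from the earlier discussion of model uncertainty and conservatism can be checked numerically: that a range of outputs says more than a point estimate, and that an extreme point on a misestimated distribution is not necessarily conservative. The Python below is an added example, not code from the guidance or from this book. It fits a normal distribution to a constructed heavy-tailed loss sample, treats the fitted 99th percentile as the "conservative" point, measures how often realised losses actually exceeded it, and reports a bootstrap range for the empirical quantile instead of a single number. The mixture weights, seed, sample size and bootstrap count are assumptions chosen for illustration.

```python
import math
import random
import statistics

Z_99 = 2.3263  # standard normal 99th percentile


def heavy_tailed_losses(n, seed=7):
    """Constructed sample: a 95%/5% mixture of N(0,1) and N(0,5) losses.
    The mixture has heavier tails than any normal with the same variance."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 5.0 if rng.random() < 0.05 else 1.0) for _ in range(n)]


def normal_fit_quantile(losses, z=Z_99):
    """The 'conservative' point: the 99th percentile of a normal fitted by mean
    and standard deviation. Conservative only if the normal fit is right."""
    return statistics.fmean(losses) + z * statistics.pstdev(losses)


def empirical_quantile(losses, p=0.99):
    """Sample quantile with no distributional assumption."""
    s = sorted(losses)
    return s[min(len(s) - 1, math.ceil(p * len(s)) - 1)]


def exceedance_rate(losses, threshold):
    """Share of realised losses that exceeded the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def bootstrap_range(losses, stat, n_boot=50, seed=11, level=0.95):
    """Percentile bootstrap interval for a statistic: a range of outputs
    rather than a single point, as the guidance recommends."""
    rng = random.Random(seed)
    boots = sorted(stat(rng.choices(losses, k=len(losses))) for _ in range(n_boot))
    lo = boots[int((1 - level) / 2 * n_boot)]
    hi = boots[int((1 + level) / 2 * n_boot) - 1]
    return lo, hi


def conservatism_check(losses, p=0.99):
    """Does the fitted-normal 99th percentile really cover 99% of outcomes?"""
    q_fit = normal_fit_quantile(losses)
    rate = exceedance_rate(losses, q_fit)
    lo, hi = bootstrap_range(losses, lambda s: empirical_quantile(s, p))
    return {
        "fitted_q99": q_fit,
        "empirical_q99": empirical_quantile(losses, p),
        "empirical_q99_range": (lo, hi),
        "exceedance_rate": rate,
        "conservative": rate <= 1 - p,  # is the claimed coverage achieved?
    }


if __name__ == "__main__":
    for key, value in conservatism_check(heavy_tailed_losses(20_000)).items():
        print(f"{key}: {value}")
```

On the constructed sample the fitted 99th percentile sits near 3.45 while realised losses exceed it roughly 1.25% of the time, so the "extreme point" covers less than it claims; the bootstrap range for the empirical quantile is what a validator would report to users in place of the single fitted number.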



Where appropriate to the particular model, banks should employ sensitivity analysis in model development and validation to check the impact of small changes in inputs and parameter values on model outputs to make sure they fall within an expected range. Unexpectedly large changes in outputs in response to small changes in inputs can indicate an unstable model. Varying several inputs simultaneously as part of sensitivity analysis can provide evidence of unexpected interactions, particularly if the interactions are complex and not intuitively clear. Banks benefit from conducting model stress testing to check performance over a wide range of inputs and parameter values, including extreme values, to verify that the model is robust. Such testing helps establish the boundaries of model performance by identifying the acceptable range of inputs as well as conditions under which the model may become unstable or inaccurate.

Management should have a clear plan for using the results of sensitivity analysis and other quantitative testing. If testing indicates that the model may be inaccurate or unstable in some circumstances, management should consider modifying certain model properties, putting less reliance on its outputs, placing limits on model use, or developing a new approach.

Qualitative information and judgment used in model development should be evaluated, including the logic, judgment, and types of information used, to establish the conceptual soundness of the model and set appropriate conditions for its use. The validation process should ensure that qualitative, judgmental assessments are conducted in an appropriate and systematic manner, are well supported, and are documented.

Ongoing Monitoring

The second core element of the validation process is ongoing monitoring. Such monitoring confirms that the model is appropriately implemented and is being used and is performing as intended.

Ongoing monitoring is essential to evaluate whether changes in products, exposures, activities, clients, or market conditions necessitate adjustment, redevelopment, or replacement of the model and to verify that any extension of the model beyond its original scope is valid. Any model limitations identified in the development stage should be regularly assessed over time, as part of ongoing monitoring. Monitoring begins when a model is first implemented in production systems for actual business use. This monitoring should continue periodically over time, with a frequency appropriate to the nature of the model, the availability of new data or modeling approaches, and the magnitude of the risk involved. Banks should design a program of ongoing testing and evaluation of model performance along with procedures for responding to any problems that appear. This program should include process verification and benchmarking.

Process verification checks that all model components are functioning as designed. It includes verifying that internal and external data inputs continue to be accurate, complete, consistent with model purpose and design, and of the highest quality available. Computer code implementing the model should be subject to rigorous quality and change control procedures to ensure that the code is correct, that it cannot be altered except by approved parties, and that all changes are logged and can be audited. System integration can be a challenge and deserves special attention because the model processing component often draws from various sources of data, processes large amounts of data, and then feeds into multiple data repositories and reporting systems. User-developed applications, such as spreadsheets or ad hoc database applications used to generate quantitative estimates, are particularly prone to model risk. As the content or composition of information changes over time, systems may need to be updated to reflect any changes in the data or its use. Reports derived from model outputs should be reviewed as part of validation to verify that they are accurate, complete, and informative, and that they contain appropriate indicators of model performance and limitations.

Many of the tests employed as part of model development should be included in ongoing monitoring and be conducted on a regular basis to incorporate additional information as it becomes available. New empirical evidence or theoretical research may suggest the need to modify or even replace original methods. Analysis of the integrity and applicability of internal and external information sources, including information provided by third-party vendors, should be performed regularly. Sensitivity analysis and other checks for robustness and stability should likewise be repeated periodically. They can be as useful during ongoing monitoring as they are during model development. If models only work well for certain ranges of input values, market conditions, or other factors, they should be monitored to identify situations where these constraints are approached or exceeded.

Ongoing monitoring should include the analysis of overrides with appropriate documentation. In the use of virtually any model, there will be cases where model output is ignored, altered, or reversed based on the expert judgment of model users. Such overrides are an indication that, in some respect, the model is not performing as intended or has limitations. Banks should evaluate the reasons for overrides and track and analyze override performance. If the rate of overrides is high, or if the override process consistently improves model performance, it is often a sign that the underlying model needs revision or redevelopment.

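Process verification, as described on this page, requires that the code implementing a model cannot be altered except by approved parties and that every change is logged and auditable. One practical control is to hash every file of an approved release into a manifest at validation sign-off, record who approved it, and re-verify the deployed files against that manifest before each model run. The Python below is an added example of that control and is not from the guidance; the file names, approver identity and tampering scenario are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large code or data files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(model_dir):
    """Relative path -> digest for every file under model_dir."""
    digests = {}
    for root, _, files in os.walk(model_dir):
        for name in files:
            path = os.path.join(root, name)
            digests[os.path.relpath(path, model_dir)] = sha256_file(path)
    return digests


def build_manifest(model_dir, version, approved_by, change_log):
    """Freeze an approved release: hash every file and append an audit record."""
    manifest = {
        "version": version,
        "approved_by": approved_by,
        "approved_at": datetime.now(timezone.utc).isoformat(),
        "files": hash_tree(model_dir),
    }
    change_log.append({"event": "release_approved", "version": version,
                       "approved_by": approved_by,
                       "file_count": len(manifest["files"])})
    return manifest


def verify_manifest(model_dir, manifest):
    """Compare deployed files with the approved manifest. Returns a sorted list
    of (finding, relative_path); an empty list means no deviation."""
    expected, actual = manifest["files"], hash_tree(model_dir)
    findings = []
    for rel, digest in expected.items():
        if rel not in actual:
            findings.append(("missing", rel))
        elif actual[rel] != digest:
            findings.append(("modified", rel))
    findings.extend(("unexpected", rel) for rel in actual if rel not in expected)
    return sorted(findings)


def demo():
    """Constructed scenario: approve a two-file model, then edit one approved file
    and drop in an unreviewed 'hotfix'. Returns (clean findings, tampered findings, log)."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "pricing.py"), "w") as f:
            f.write("def price(x):\n    return 1.02 * x\n")
        with open(os.path.join(d, "params.json"), "w") as f:
            json.dump({"spread_bp": 25}, f)
        manifest = build_manifest(d, "1.0", "validator-A", log)
        clean = verify_manifest(d, manifest)
        with open(os.path.join(d, "pricing.py"), "a") as f:
            f.write("FUDGE = 0.98\n")        # unapproved edit to approved code
        with open(os.path.join(d, "hotfix.py"), "w") as f:
            f.write("print('patched')\n")    # file that was never reviewed
        tampered = verify_manifest(d, manifest)
    return clean, tampered, log


if __name__ == "__main__":
    print(demo())
```

The manifest and change log must live outside the directory the model runs from, and preferably be signed, so that whoever can edit the code cannot also rewrite the record of what was approved; the same hashing applies to spreadsheet-based models, which the guidance singles out as particularly prone to model risk.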
Benchmarking is the comparison of a given model's inputs and outputs to estimates from alternative internal or external data or models. It can be incorporated in model development as well as in ongoing monitoring. For credit risk models, examples of benchmarks include models from vendor firms or industry consortia and data from retail credit bureaus. Pricing models for securities and derivatives often can be compared with alternative models that are more accurate or comprehensive but also too time consuming to run on a daily basis. Whatever the source, benchmark models should be rigorous and benchmark data should be accurate and complete to ensure a reasonable comparison.

Discrepancies between the model output and benchmarks should trigger investigation into the sources and degree of the differences, and examination of whether they are within an expected or appropriate range given the nature of the comparison. The results of that analysis may suggest revisions to the model. However, differences do not necessarily indicate that the model is in error. The benchmark itself is an alternative prediction, and the differences may be due to the different data or methods used. If the model and the benchmark match well, that is evidence in favor of the model, but it should be interpreted with caution so the bank does not get a false degree of comfort.

Outcomes Analysis

The third core element of the validation process is outcomes analysis, a comparison of model outputs to corresponding actual outcomes. The precise nature of the comparison depends on the objectives of a model, and might include an assessment of the accuracy of estimates or forecasts, an evaluation of rank-ordering ability, or other appropriate tests. In all cases, such comparisons help to evaluate model performance, by establishing expected ranges for those actual outcomes in relation to the intended objectives and assessing the reasons for observed variation between the two. If outcomes analysis produces evidence of poor performance, the bank should take action to address those issues. Outcomes analysis typically relies on statistical tests or other quantitative measures. It can also include expert judgment to check the intuition behind the outcomes and confirm that the results make sense. When a model itself relies on expert judgment, quantitative outcomes analysis helps to evaluate the quality of that judgment. Outcomes analysis should be conducted on an ongoing basis to test whether the model continues to perform in line with design objectives and business uses.

A variety of quantitative and qualitative testing and analytical techniques can be used in outcomes analysis. The choice of technique should be based on the model's methodology, its complexity, data availability, and the magnitude of potential model risk to the bank. Outcomes analysis should involve a range of tests because any individual test will have weaknesses. For example, some tests are better at checking a model's ability to rank-order or segment observations on a relative basis, whereas others are better at checking absolute forecast accuracy. Tests should be designed for each situation, as not all will be effective or feasible in every circumstance, and attention should be paid to choosing the appropriate type of outcomes analysis for a particular model.

Models are regularly adjusted to take into account new data or techniques, or because of deterioration in performance. Parallel outcomes analysis, under which both the original and adjusted models' forecasts are tested against realized outcomes, provides an important test of such model adjustments. If the adjusted model does not outperform the original model, developers, users, and reviewers should realize that additional changes—or even a wholesale redesign—are likely necessary before the adjusted model replaces the original one.

Back-testing is one form of outcomes analysis; specifically, it involves the comparison of actual outcomes with model forecasts during a sample time period not used in model development and at an observation frequency that matches the forecast horizon or performance window of the model. The comparison is generally done using expected ranges or statistical confidence intervals around the model forecasts. When outcomes fall outside those intervals, the bank should analyze the discrepancies and investigate the causes that are significant in terms of magnitude or frequency. The objective of the analysis is to determine whether differences stem from the omission of material factors from the model, whether they arise from errors with regard to other aspects of model specification such as interaction terms or assumptions of linearity, or whether they are purely random and thus consistent with acceptable model performance. Analysis of in-sample fit and of model performance in holdout samples (data set aside and not used to estimate the original model) are important parts of model development but are not substitutes for back-testing.

A well-known example of back-testing is the evaluation of value-at-risk (VaR), in which actual profit and loss is compared with a model forecast loss distribution. Significant deviation in expected versus actual performance and unexplained volatility in the profits and losses of trading activities may indicate that hedging and pricing relationships are not adequately measured by a given approach. Along with measuring the frequency of losses in excess of a single VaR percentile estimator, banks should use other tests, such as assessing any clustering of exceptions and checking the distribution of losses against other estimated percentiles.
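The VaR back-test just described (counting losses beyond the VaR percentile, testing whether the exception frequency is consistent with the stated confidence level, checking whether exceptions cluster, and repeating the check at another percentile) is implemented below. This Python is an added example, not code from the guidance: the 250-day P&L series, the constant VaR forecasts and the exception days are constructed so that the 99% level shows too many, clustered exceptions while the 95% level passes. The Kupiec proportion-of-failures test and the Christoffersen independence test are standard likelihood-ratio tests; both statistics are compared with a chi-square distribution with one degree of freedom.

```python
import math


def exceptions(pnl, var):
    """1 on days where the realised loss exceeded the VaR forecast, else 0.
    pnl and var are aligned daily series; var is a positive loss threshold."""
    return [1 if -p > v else 0 for p, v in zip(pnl, var)]


def _xlogy(x, y):
    """x * log(y) with the convention 0 * log(0) = 0."""
    return 0.0 if x == 0 else x * math.log(y)


def _chi2_sf_1df(stat):
    """Survival function of the chi-square distribution with 1 degree of freedom."""
    return math.erfc(math.sqrt(stat / 2.0))


def kupiec_pof(hits, confidence):
    """Proportion-of-failures test: is the exception rate consistent with 1 - confidence?"""
    t, x = len(hits), sum(hits)
    p, phat = 1.0 - confidence, sum(hits) / len(hits)
    ll_null = _xlogy(t - x, 1 - p) + _xlogy(x, p)
    ll_alt = _xlogy(t - x, 1 - phat) + _xlogy(x, phat)
    lr = -2.0 * (ll_null - ll_alt)
    return lr, _chi2_sf_1df(lr)


def christoffersen_independence(hits):
    """Do exceptions cluster? Compares the chance of an exception following an
    exception with the chance of one following a normal day."""
    n = {"00": 0, "01": 0, "10": 0, "11": 0}
    for prev, cur in zip(hits, hits[1:]):
        n[f"{prev}{cur}"] += 1
    n00, n01, n10, n11 = n["00"], n["01"], n["10"], n["11"]
    pi01 = n01 / (n00 + n01) if n00 + n01 else 0.0
    pi11 = n11 / (n10 + n11) if n10 + n11 else 0.0
    pi = (n01 + n11) / (n00 + n01 + n10 + n11)
    ll_null = _xlogy(n00 + n10, 1 - pi) + _xlogy(n01 + n11, pi)
    ll_alt = (_xlogy(n00, 1 - pi01) + _xlogy(n01, pi01)
              + _xlogy(n10, 1 - pi11) + _xlogy(n11, pi11))
    lr = -2.0 * (ll_null - ll_alt)
    return lr, _chi2_sf_1df(lr)


def longest_run(hits):
    """Length of the longest string of consecutive exception days."""
    best = cur = 0
    for h in hits:
        cur = cur + 1 if h else 0
        best = max(best, cur)
    return best


def backtest_var(pnl, var, confidence, alpha=0.05):
    """Summary of a VaR back-test at one confidence level."""
    hits = exceptions(pnl, var)
    _, pof_p = kupiec_pof(hits, confidence)
    _, ind_p = christoffersen_independence(hits)
    return {
        "confidence": confidence,
        "days": len(hits),
        "exceptions": sum(hits),
        "expected": len(hits) * (1 - confidence),
        "longest_run": longest_run(hits),
        "pof_p_value": pof_p,
        "independence_p_value": ind_p,
        "coverage_rejected": pof_p < alpha,
        "clustering_rejected": ind_p < alpha,
    }


# Constructed sample: 250 trading days of P&L that stays inside +/-0.5 except on
# eight days with a -1.5 loss, five of them consecutive (a cluster).
EXCEPTION_DAYS = {20, 60, 100, 101, 102, 103, 104, 180}
SAMPLE_PNL = [-1.5 if i in EXCEPTION_DAYS else 0.5 * math.sin(i) for i in range(250)]
VAR_99 = [1.0] * 250   # constructed constant 99% VaR forecast
VAR_95 = [0.6] * 250   # constructed constant 95% VaR forecast

if __name__ == "__main__":
    for level, var in ((0.99, VAR_99), (0.95, VAR_95)):
        print(backtest_var(SAMPLE_PNL, var, level))
```

Eight exceptions against an expected 2.5 at the 99% level fails the coverage test, and the run of five consecutive exceptions fails the independence test, while the same P&L passes coverage at 95%: the model's body is adequate and its tail is not, which is the distinction the guidance has in mind when it asks for tests at other percentiles rather than a single exception count.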

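Benchmarking discrepancies and the outcomes-analysis point that rank-ordering tests and accuracy tests answer different questions are illustrated below for a grade-level credit model. This Python is an added example, not part of the guidance: it takes constructed model PDs, a constructed benchmark PD per grade and observed default counts, flags grades whose model PD departs from the benchmark by more than a tolerance, checks each grade's observed default count against a normal-approximation interval around the forecast, and computes the AUC as a rank-ordering measure. The grades, counts, tolerance and 95% interval are assumptions.

```python
import math

# Constructed portfolio: five rating grades with the model PD, a benchmark PD from
# an assumed external source, obligor counts and observed defaults over the period.
MODEL_PD = {"A": 0.005, "B": 0.01, "C": 0.02, "D": 0.05, "E": 0.10}
BENCH_PD = {"A": 0.006, "B": 0.011, "C": 0.035, "D": 0.048, "E": 0.11}
OBLIGORS = {"A": 2000, "B": 1500, "C": 1000, "D": 500, "E": 200}
DEFAULTS = {"A": 8, "B": 15, "C": 35, "D": 22, "E": 24}


def benchmark_discrepancies(model_pd, bench_pd, tolerance=0.25):
    """Relative gap between model and benchmark PD per grade, flagged beyond
    the assumed tolerance. A flag is a trigger to investigate, not a verdict:
    the benchmark is itself only an alternative prediction."""
    out = {}
    for g, pd in model_pd.items():
        gap = (pd - bench_pd[g]) / bench_pd[g]
        out[g] = {"relative_gap": gap, "flag": abs(gap) > tolerance}
    return out


def calibration_check(model_pd, obligors, defaults, z=1.96):
    """Absolute accuracy: is each grade's observed default count inside the
    normal-approximation interval around the expected count?"""
    out = {}
    for g, pd in model_pd.items():
        n = obligors[g]
        expected = n * pd
        half = z * math.sqrt(n * pd * (1 - pd))
        lo, hi = expected - half, expected + half
        out[g] = {"expected": expected, "observed": defaults[g],
                  "interval": (lo, hi), "flag": not (lo <= defaults[g] <= hi)}
    return out


def auc_from_grades(model_pd, obligors, defaults):
    """Rank ordering: probability that a random defaulter carries a higher model
    PD than a random non-defaulter (ties within a grade count one half)."""
    num = 0.0
    for gd, pd_d in model_pd.items():
        for gn, pd_n in model_pd.items():
            nondef = obligors[gn] - defaults[gn]
            if pd_d > pd_n:
                num += defaults[gd] * nondef
            elif pd_d == pd_n:
                num += 0.5 * defaults[gd] * nondef
    total_def = sum(defaults.values())
    total_nondef = sum(obligors.values()) - total_def
    return num / (total_def * total_nondef)


def flagged(result):
    """Grades whose check raised a flag."""
    return [g for g, r in result.items() if r["flag"]]


if __name__ == "__main__":
    print("benchmark flags:", flagged(benchmark_discrepancies(MODEL_PD, BENCH_PD)))
    print("calibration flags:", flagged(calibration_check(MODEL_PD, OBLIGORS, DEFAULTS)))
    print("AUC:", round(auc_from_grades(MODEL_PD, OBLIGORS, DEFAULTS), 3))
```

The model rank-orders acceptably (AUC around 0.78) and four of five grades are calibrated, yet grade C is flagged by both the benchmark comparison and the outcomes interval: a model can pass a relative test and still be materially wrong in absolute terms for one segment, and two independent checks pointing at the same grade is the kind of discrepancy the guidance says should trigger investigation into its source.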


Analysis of the results of even high-quality and well-designed Vendor products should nevertheless be incorporated into a
back-testing can pose challenges, since it is not a straightfor­ bank's broader model risk m anagem ent fram ework following
ward, mechanical process that always produces unambiguous the same principles as applied to in-house m odels, although the
results. The purpose is to test the model, not individual forecast process may be som ewhat modified.
values. Back-testing may entail analysis of a large number of
As a first step, banks should ensure that there are appropriate
forecasts over different conditions at a point in time or over
processes in place for selecting vendor models. Banks should
multiple time periods. Statistical testing is essential in such
require the vendor to provide developm ental evidence explain­
cases, yet such testing can pose challenges in both the choice of
ing the product com ponents, design, and intended use, to
appropriate tests and the interpretation of results; banks should
determ ine whether the model is appropriate for the bank's prod­
support and docum ent both the choice of tests and the inter­
ucts, exposures, and risks. Vendors should provide appropriate
pretation of results.
testing results that show their product works as expected. They
Models with long forecast horizons should be back-tested, but should also clearly indicate the model's limitations and assum p­
given the amount of time it would take to accum ulate the neces­ tions and where the product's use may be problem atic. Banks
sary data, that testing should be supplem ented by evaluation should expect vendors to conduct ongoing performance moni­
over shorter periods. Banks should em ploy outcom es analysis toring and outcomes analysis, with disclosure to their clients, and
consisting of "early warning" metrics designed to measure to make appropriate modifications and updates over time.
perform ance beginning very shortly after model introduction
Banks are expected to validate their own use of vendor prod­
and trend analysis of perform ance over tim e. These outcomes
ucts. External models may not allow full access to com puter
analysis tools are not substitutes for back-testing, which should
coding and implementation details, so the bank may have to
still be perform ed over the longer tim e period, but rather very
rely more on sensitivity analysis and benchm arking. Vendor
im portant com plem ents.
models are often designed to provide a range of capabilities
O utcom es analysis and the other elem ents of the validation and so may need to be customized by a bank for its particular
process may reveal significant errors or inaccuracies in model circum stances. A bank's customization choices should be docu­
developm ent or outcom es that consistently fall outside the mented and justified as part of validation. If vendors provide
bank's predeterm ined thresholds of acceptability. In such cases, input data or assumptions, or use them to build m odels, their
model adjustm ent, recalibration, or redevelopm ent is warranted. relevance for the bank's situation should be investigated. Banks
Adjustm ents and recalibration should be governed by the prin­ should obtain information regarding the data used to develop
ciple of conservatism and should undergo independent review. the model and assess the extent to which that data is repre­
sentative of the bank's situation. The bank also should conduct
Material changes in model structure or technique, and all model
ongoing monitoring and outcom es analysis of vendor model
redevelopm ent, should be subject to validation activities of
perform ance using the bank's own outcom es.
appropriate range and rigor before im plem entation. A t times
banks may have a limited ability to use key model validation System atic procedures for validation help the bank to under­
tools like back-testing or sensitivity analysis for various reasons, stand the vendor product and its capabilities, applicability, and
such as lack of data or of price observability. In those cases, limitations. Such detailed knowledge is necessary for basic con­
even more attention should be paid to the model's limitations trols of bank operations. It is also very im portant for the bank to
when considering the appropriateness of model usage, and have as much knowledge in-house as possible, in case the ven­
senior m anagem ent should be fully informed of those limitations dor or the bank term inates the contract for any reason, or if the
when using the models for decision making. Such scrutiny vendor is no longer in business. Banks should have contingency
should be applied to individual models and models in the plans for instances when the vendor model is no longer avail­
aggregate. able or cannot be supported by the vendor.

Validation of Vendor and Other


8.6 G O V E R N A N C E , P O L IC IE S ,
Third-Party Products
AN D CO N TRO LS
The widespread use of vendor and other third-party products—
including data, param eter values, and com plete models— poses Developing and maintaining strong governance, policies,
unique challenges for validation and other model risk m anage­ and controls over the model risk management framework is
ment activities because the modeling expertise is external to the fundamentally important to its effectiveness. Even if model devel­
user and because some com ponents are considered proprietary. opment, implementation, use, and validation are satisfactory,

146 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
a weak governance function will reduce the effectiveness of over­ the bank's relative com plexity, business activities, corporate
all model risk management. A strong governance framework pro­ culture, and overall organizational structure. The board or its
vides explicit support and structure to risk management functions delegates should approve model risk m anagem ent policies and
through policies defining relevant risk management activities, review them annually to ensure consistent and rigorous prac­
procedures that implement those policies, allocation of resources, tices across the organization. Those policies should be updated
and mechanisms for evaluating whether policies and procedures as necessary to ensure that model risk m anagem ent practices
are being carried out as specified. Notably, the extent and remain appropriate and keep current with changes in market
sophistication of a bank's governance function is expected to conditions, bank products and strategies, bank exposures and
align with the extent and sophistication of model usage. activities, and practices in the industry. All aspects of model risk
m anagem ent should be covered by suitable policies, including
model and model risk definitions; assessm ent of model risk;
Board of Directors and Senior acceptable practices for model developm ent, im plem entation,
Management and use; appropriate model validation activities; and gover­
nance and controls over the model risk m anagem ent process.
Model risk governance is provided at the highest level by the board of directors and senior management when they establish a bank-wide approach to model risk management. As part of their overall responsibilities, a bank's board and senior management should establish a strong model risk management framework that fits into the broader risk management of the organization. That framework should be grounded in an understanding of model risk—not just for individual models but also in the aggregate. The framework should include standards for model development, implementation, use, and validation.

While the board is ultimately responsible, it generally delegates to senior management the responsibility for executing and maintaining an effective model risk management framework. Duties of senior management include establishing adequate policies and procedures and ensuring compliance, assigning competent staff, overseeing model development and implementation, evaluating model results, ensuring effective challenge, reviewing validation and internal audit findings, and taking prompt remedial action when necessary. In the same manner as for other major areas of risk, senior management, directly and through relevant committees, is responsible for regularly reporting to the board on significant model risk, from individual models and in the aggregate, and on compliance with policy. Board members should ensure that the level of model risk is within their tolerance and direct changes where appropriate. These actions will set the tone for the whole organization about the importance of model risk and the need for active model risk management.

Policies and Procedures

Consistent with good business practices and existing supervisory expectations, banks should formalize model risk management activities with policies and the procedures to implement them. Model risk management policies should be consistent with this guidance and also be commensurate with

Policies should emphasize testing and analysis, and promote the development of targets for model accuracy, standards for acceptable levels of discrepancies, and procedures for review of and response to unacceptable discrepancies. They should include a description of the processes used to select and retain vendor models, including the people who should be involved in such decisions.

The prioritization, scope, and frequency of validation activities should be addressed in these policies. They should establish standards for the extent of validation that should be performed before models are put into production and the scope of ongoing validation. The policies should also detail the requirements for validation of vendor models and third-party products. Finally, they should require maintenance of detailed documentation of all aspects of the model risk management framework, including an inventory of models in use, results of the modeling and validation processes, and model issues and their resolution.

Policies should identify the roles and assign responsibilities within the model risk management framework with clear detail on staff expertise, authority, reporting lines, and continuity. They should also outline controls on the use of external resources for validation and compliance and specify how that work will be integrated into the model risk management framework.

Roles and Responsibilities

Conceptually, the roles in model risk management can be divided among ownership, controls, and compliance. While there are several ways in which banks can assign the responsibilities associated with these roles, it is important that reporting lines and incentives be clear, with potential conflicts of interest identified and addressed.

Chapter 8 Supervisory Guidance on Model Risk Management ■ 147

Business units are generally responsible for the model risk associated with their business strategies. The role of model owner
involves ultimate accountability for model use and performance within the framework set by bank policies and procedures. Model owners should be responsible for ensuring that models are properly developed, implemented, and used. The model owner should also ensure that models in use have undergone appropriate validation and approval processes, promptly identify new or changed models, and provide all necessary information for validation activities.

Model risk taken by business units should be controlled. The responsibilities for risk controls may be assigned to individuals, committees, or a combination of the two, and include risk measurement, limits, and monitoring. Other responsibilities include managing the independent validation and review process to ensure that effective challenge takes place. Appropriate resources should be assigned for model validation and for guiding the scope and prioritization of work. Issues and problems identified through validation and other forms of oversight should be communicated by risk-control staff to relevant individuals and business users throughout the organization, including senior management, with a plan for corrective action. Control staff should have the authority to restrict the use of models and monitor any limits on model usage. While they may grant exceptions to typical procedures of model validation on a temporary basis, that authority should be subject to other control mechanisms, such as timelines for completing validation work and limits on model use.

Compliance with policies is an obligation of model owners and risk-control staff, and there should be specific processes in place to ensure that these roles are being carried out effectively and in line with policy. Documentation and tracking of activities surrounding model development, implementation, use, and validation are needed to provide a record that makes compliance with policy transparent.

Internal Audit

A bank's internal audit function should assess the overall effectiveness of the model risk management framework, including the framework's ability to address both types of model risk described in Section III, for individual models and in the aggregate. Findings from internal audit related to models should be documented and reported to the board or its appropriately delegated agent. Banks should ensure that internal audit operates with the proper incentives, has appropriate skills, and has adequate stature in the organization to assist in model risk management. Internal audit's role is not to duplicate model risk management activities. Instead, its role is to evaluate whether model risk management is comprehensive, rigorous, and effective. To accomplish this evaluation, internal audit staff should possess sufficient expertise in relevant modeling concepts as well as their use in particular business lines. If some internal audit staff perform certain validation activities, then they should not be involved in the assessment of the overall model risk management framework.

Internal audit should verify that acceptable policies are in place and that model owners and control groups comply with those policies. Internal audit should also verify records of model use and validation to test whether validations are performed in a timely manner and whether models are subject to controls that appropriately account for any weaknesses in validation activities. Accuracy and completeness of the model inventory should be assessed. In addition, processes for establishing and monitoring limits on model usage should be evaluated. Internal audit should determine whether procedures for updating models are clearly documented, and test whether those procedures are being carried out as specified. Internal audit should check that model owners and control groups are meeting documentation standards, including risk reporting. Additionally, internal audit should perform assessments of supporting operational systems and evaluate the reliability of data used by models.

Internal audit also has an important role in ensuring that validation work is conducted properly and that appropriate effective challenge is being carried out. It should evaluate the objectivity, competence, and organizational standing of the key validation participants, with the ultimate goal of ascertaining whether those participants have the right incentives to discover and report deficiencies. Internal audit should review validation activities conducted by internal and external parties with the same rigor to see if those activities are being conducted in accordance with this guidance.

External Resources

Although model risk management is an internal process, a bank may decide to engage external resources to help execute certain activities related to the model risk management framework. These activities could include model validation and review, compliance functions, or other activities in support of internal audit. These resources may provide added knowledge and another level of critical and effective challenge, which may improve the internal model development and risk management processes. However, this potential benefit should be weighed against the added costs for such resources and the added time that external parties require to understand internal data, systems, and other relevant bank-specific circumstances.

Whenever external resources are used, the bank should specify the activities to be conducted in a clearly written and agreed-upon scope of work. A designated internal party from the bank
should be able to understand and evaluate the results of validation and risk-control activities conducted by external resources. The internal party is responsible for: verifying that the agreed-upon scope of work has been completed; evaluating and tracking identified issues and ensuring they are addressed; and making sure that completed work is incorporated into the bank's overall model risk management framework. If the external resources are only utilized to do a portion of validation or compliance work, the bank should coordinate internal resources to complete the full range of work needed. The bank should have a contingency plan in case an external resource is no longer available or is unsatisfactory.

Model Inventory

Banks should maintain a comprehensive set of information for models implemented for use, under development for implementation, or recently retired. While each line of business may maintain its own inventory, a specific party should also be charged with maintaining a firm-wide inventory of all models, which should assist a bank in evaluating its model risk in the aggregate. Any variation of a model that warrants a separate validation should be included as a separate model and cross-referenced with other variations.

While the inventory may contain varying levels of information, given different model complexity and the bank's overall level of model usage, the following are some general guidelines. The inventory should describe the purpose and products for which the model is designed, actual or expected usage, and any restrictions on use. It is useful for the inventory to list the type and source of inputs used by a given model and underlying components (which may include other models), as well as model outputs and their intended use. It should also indicate whether models are functioning properly, provide a description of when they were last updated, and list any exceptions to policy. Other items include the names of individuals responsible for various aspects of the model development and validation; the dates of completed and planned validation activities; and the time frame during which the model is expected to remain valid.

Documentation

Without adequate documentation, model risk assessment and management will be ineffective. Documentation of model development and validation should be sufficiently detailed so that parties unfamiliar with a model can understand how the model operates, its limitations, and its key assumptions. Documentation provides for continuity of operations, makes compliance with policy transparent, and helps track recommendations, responses, and exceptions. Developers, users, control and compliance units, and supervisors are all served by effective documentation. Banks can benefit from advances in information and knowledge management systems and electronic documentation to improve the organization, timeliness, and accessibility of the various records and reports produced in the model risk management process.

Documentation takes time and effort, and model developers and users who know the models well may not appreciate its value. Banks should therefore provide incentives to produce effective and complete model documentation. Model developers should have responsibility during model development for thorough documentation, which should be kept up-to-date as the model and application environment changes. In addition, the bank should ensure that other participants in model risk management activities document their work, including ongoing monitoring, process verification, benchmarking, and outcomes analysis. Also, line of business or other decision makers should document information leading to selection of a given model and its subsequent validation. For cases in which a bank uses models from a vendor or other third party, it should ensure that appropriate documentation of the third-party approach is available so that the model can be appropriately validated.

Validation reports should articulate model aspects that were reviewed, highlighting potential deficiencies over a range of financial and economic conditions, and determining whether adjustments or other compensating controls are warranted. Effective validation reports include clear executive summaries, with a statement of model purpose and an accessible synopsis of model and validation results, including major limitations and key assumptions.

CONCLUSION

This document has provided comprehensive guidance on effective model risk management. Many of the activities described in this document are common industry practice. But all banks should confirm that their practices conform to the principles in this guidance for model development, implementation, and use, as well as model validation. Banks should also ensure that they maintain strong governance and controls to help manage model risk, including internal policies and procedures that appropriately reflect the risk management principles described in this guidance. Details of model risk management practices may vary from bank to bank, as practical application of this guidance should be commensurate with a bank's risk exposures, its business activities, and the extent and complexity of its model use.

Learning Objectives

After completing this reading you should be able to:

• Identify the most common issues that result in data errors.
• Explain how a firm can set expectations for its data quality and describe some key dimensions of data quality used in this process.
• Describe the operational data governance process, including the use of scorecards in managing information risk.

Excerpt is Chapter 3 of Risk Management in Finance: Six Sigma and Other Next Generation Techniques, by Anthony Tarantino and Deborah Cernauskas.

It would not be a stretch of the imagination to claim that most organizations today are heavily dependent on the use of information to both run and improve the ways that they achieve their business objectives. That being said, the reliance on dependable information introduces risks to the ability of a business to achieve its business goals, and this means that no enterprise risk management program is complete without instituting processes for assessing, measuring, reporting, reacting to, and controlling the risks associated with poor data quality.

However, the consideration of information as a fluid asset, created and used across many different operational and analytic applications, makes it difficult to envision ways to assess the risks related to data failures as well as ways to monitor conformance to business user expectations. This requires some exploration into types of risks relating to the use of information, ways to specify data quality expectations, and developing a data quality scorecard as a management tool for instituting data governance and data quality control.

In this chapter we look at the types of risks that are attributable to poor data quality as well as an approach to correlating business impacts to data flaws. Data governance (DG) processes can contribute to the description of data quality expectations and the definition of relevant metrics and acceptability thresholds for monitoring conformance to those expectations. Combining the raw metrics scores with measured staff performance in observing data service-level agreements contributes to the creation of a data quality scorecard for managing risks.

9.1 ORGANIZATIONAL RISK, BUSINESS IMPACTS, AND DATA QUALITY

If successful business operations rely on high-quality data, then the opposite is likely to be true as well: flawed data will delay or obstruct the successful completion of business processes. Determining the specific impacts that are related to the different data issues that emerge is a challenging process, but assessing impact is simplified through the characterization of impacts within a business impact taxonomy. Categories in this taxonomy relate to aspects of the business's financial, confidence, and compliance activities, yet all business impact categories deal with enterprise risk. There are two aspects of looking at information and risk; the first looks at how flawed information impacts organizational risk, while the other looks at the types of data failures that create the exposure.

Business Impacts of Poor Data Quality

Many data quality issues may occur within different business processes, and a data quality analysis process should incorporate a business impact assessment to identify and prioritize risks. To simplify the analysis, the business impacts associated with data errors can be categorized within a classification scheme intended to support the data quality analysis process and help in distinguishing between data issues that lead to material business impact and those that do not. This classification scheme defines six primary categories for assessing either the negative impacts incurred as a result of a flaw, or the potential opportunities for improvement resulting from improved data quality:

1. Financial impacts, such as increased operating costs, decreased revenues, missed opportunities, reduction or delays in cash flow, or increased penalties, fines, or other charges.
2. Confidence-based impacts, such as decreased organizational trust, low confidence in forecasting, inconsistent operational and management reporting, and delayed or improper decisions.
3. Satisfaction impacts such as customer, employee, or supplier satisfaction, as well as general market satisfaction.
4. Productivity impacts such as increased workloads, decreased throughput, increased processing time, or decreased end-product quality.
5. Risk impacts associated with credit assessment, investment risks, competitive risk, capital investment and/or development, fraud, and leakage.
6. Compliance is jeopardized, whether that compliance is with government regulations, industry expectations, or self-imposed policies (such as privacy policies).

Despite the natural tendency to focus on financial impacts, in many environments the risk and compliance impacts are largely compromised by data quality issues. Some examples to which financial institutions are particularly sensitive include:

• Anti-money laundering aspects of the Bank Secrecy Act and the USA PATRIOT Act have mandated private organizations to take steps in identifying and preventing money laundering activities that could be used in financing terrorist activities.
• Sarbanes-Oxley, in which section 302 mandates that the principal executive officer or officers and the principal financial officer or officers certify the accuracy and correctness of financial reports.
• Basel II Accords provide guidelines for defining the regulations as well as guiding the quantification of operational and credit risk as a way to determine the amount of capital
financial institutions are required to maintain as a guard against those risks.
• The Gramm-Leach-Bliley Act of 1999 mandates financial institutions with the obligation to "respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."
• Credit risk assessment, which requires accurate documentation to evaluate an individual's or organization's abilities to repay loans.
• System development risks associated with capital investment in deploying new application systems emerge when moving those systems into production is delayed due to lack of trust in the application's underlying data assets.

While the sources of these areas of risk differ, an interesting similarity emerges: not only do these mandate the use or presentation of high-quality information, they also require means of demonstrating the adequacy of internal controls overseeing that quality to external parties such as auditors. This means that not only must financial institutions manage the quality of organizational information, they must also have governance processes in place that are transparent and auditable.

Information Flaws

The root causes for the business impacts are related to flaws in the critical data elements upon which the successful completion of the business processes depend. There are many types of erred data, although these common issues lead to increased risk:

• Data entry errors
• Missing data
• Duplicate records
• Inconsistent data
• Nonstandard formats
• Complex data transformations
• Failed identity management processes
• Undocumented, incorrect, or misleading metadata

All of these types of errors can lead to inconsistent reporting, inaccurate aggregation, invalid data mappings, incorrect product pricing, and failures in trade settlement, among other process failures.

9.2 EXAMPLES

The general approach to correlating business impacts to data quality issues is not new, and in fact there are some interesting examples that demonstrate different types of risks that are attributable to flaws (both inadvertent and deliberate) in data.

Employee Fraud and Abuse

In 1997, the Department of Defense Guidelines on Data Quality categorized costs into four areas: prevention, appraisal, internal failure, and external failure. In turn, the impacts were evaluated to assess costs to correct data problems as opposed to costs incurred by ignoring them. Further assessment looked at direct costs (such as costs for appraisal, correction, or support) versus indirect costs (such as customer satisfaction). That report documents examples of how poor data quality impacts specific business processes: ". . . the inability to match payroll records to the official employment record can cost millions in payroll overpayments to deserters, prisoners, and 'ghost' soldiers. In addition, the inability to correlate purchase orders to invoices is a major problem in unmatched disbursements."¹

The 2006 Association of Certified Fraud Examiners Report to the Nation² details a number of methods that unethical employees can use to modify existing data to commit fraudulent payments. Invalid data is demonstrated to have significant business impacts, and the report details median costs associated with these different types of improper disbursements.

Underbilling and Revenue Assurance

NTL, a cable operator in the United Kingdom, anticipated business benefits in improving the efficiency and value of an operator's network through data quality improvement. Invalid data translated into discrepancies between services provided and services invoiced, resulting in a waste of unknown excess capacity. Their data quality improvement program was, to some extent, self-funded through the analysis of "revenue assurance to detect under billing. For example, . . . results indicated leakage of just over 3 percent of total revenue."³

Credit Risk

In 2002, a PricewaterhouseCoopers study on credit risk data indicated that a significant percentage of the top banks were deficient in credit risk data management, especially in the areas

1 U.S. Dept. of Defense, "DoD Guidelines on Data Quality Management," 1997, accessible via www.tricare.mil/ocfo/_docs/DoDGuidelinesOnDataQualityManagement.pdf.
2 "2006 ACFE Report to the Nation on Occupational Fraud and Abuse," www.acfe.com/documents/2006-rttn.pdf.
3 Herbert, Brian, "Data Quality Management—A Key to Operator Profitability," Billing and OSS World, March 2006, accessible at www.billingworld.com/articles/feature/Data-Quality-Management-A-Key-to-Operator.html.

Chapter 9 Information Risk and Data Quality Management ■ 153

of counterparty data repositories, counterparty hierarchy data, common counterparty identifiers, and consistent data standards.⁴

Insurance Exposure

A 2008 Ernst & Young survey on catastrophe exposure data quality highlighted that "shortcomings in exposure data quality are common," and that "not many insurers are doing enough to correct these shortcomings," which included missing or inaccurate values associated with insured values, locations, building class, occupancy class, as well as additional characteristics.⁵

Development Risk

Experience with our clients has indicated a common pattern in which significant investment in capital acquisitions and accompanying software development has been made in the creation of new business application systems, yet the deployment of those systems is delayed (or perhaps even canceled) due to organizational mistrust of the application data. Such delayed application development puts investments at risk.

Compliance Risk

Pharmaceutical companies are bound to abide by the federal Anti-Kickback Statute, which restricts companies from offering or paying remuneration in return for arranging for the furnishing of items or services for which payment may be made under Medicare or a state health care program. Pharmaceutical companies fund research using their developed products as well as market those same products to potentially the same pool of practitioners and providers, so there is a need for stringent control and segregation of the data associated with both research grants and marketing.

Our experience with some of our clients has shown that an assessment of party information contained within master data sets indicated some providers within the same practice were working under research grants while others within the same practice were subjected to marketing. Despite the fact that no individual appeared within both sets of data, the fact that individuals rolled up within the same organizational hierarchy exposed the organization to potential violation of the Anti-Kickback Statute.

9.3 DATA QUALITY EXPECTATIONS

These examples are not unique, but instead demonstrate patterns that commonly emerge across all types of organizations. Knowledge of the business impacts related to data quality issues is the catalyst to instituting data governance practices that can oversee the control and assurance of data validity. The first step toward managing the risks associated with the introduction of flawed data into the environment is articulating the business user expectations for data quality and asserting specifications that can be used to monitor organizational conformance to those expectations. These expectations are defined in the context of "data quality dimensions," high-level categorizations of assertions that lend themselves to quantification, measurement, and reporting.

The intention is to provide an ability to characterize business user expectations in terms of acceptability thresholds applied to quantifiers for data quality that are correlated to the different types of business impacts, particularly the different types of risk. And although the academic literature in data quality enumerates many different dimensions of data quality, an initial development of a data quality scorecard can rely on a subset of those dimensions, namely, accuracy, completeness, consistency, reasonableness, currency, and identifiability.

Accuracy

The dimension of accuracy measures the degree with which data instances compare to the "real-life" entities they are intended to model. Often, accuracy is measured in terms of agreement with an identified reference source of correct information such as a "system of record," a similar corroborative set of data values from another table, comparisons with dynamically computed values, or the results of manually checking value accuracy.

Completeness

The completeness dimension specifies the expectations regarding the population of data attributes. Completeness expectations can be measured using rules relating to varying levels of constraint—mandatory attributes that require a value, data elements with conditionally optional values, and inapplicable attribute values.

Consistency

Consistency refers to measuring reasonable comparison of values in one data set to those in another data set. Consistency is relatively broad, and can encompass an expectation that two

4 Inserro, Richard J., "Credit Risk Data Challenges Underlying the New Basel Capital Accord," RMA Journal, April 2002, accessible at www.pwc.com/tr/eng/about/svcs/abas/frm/creditrisk/articles/pwc_baselcreditdata-rma.pdf.
5 Ernst & Young, "Raising the Bar on Catastrophe Data," 2008, accessible via www.ey.com/Global/assets.nsf/US/Actuarial_Raising_the_bar_catastrophe_data/$file/Actuarial_Raising_the_bar_catastrophe_data.pdf.

data values drawn from separate data sets must not conflict The principal concept is that the selected dimensions character­
with each other, or define more com plex com parators with a set ize aspects of the business user expectations and that they can
of predefined constraints. More formal consistency constraints be quantified using a reasonable m easurem ent process.
can be encapsulated as a set of rules that specify relationships
between values of attributes, either across a record or m essage,
9.4 MAPPING BUSINESS POLICIES
or along all values of a single attribute.
TO DATA RULES
However, be careful not to confuse consistency with accuracy
or correctness. Consistency may be defined between one set of Having identified the dimensions of data quality that are relevant
attribute values and another attribute set within the same record to the business processes, we can map the information policies
(record-level consistency), between one set of attribute values and their corresponding business rules to those dimensions. For
and another attribute set in different records (cross-record con­ exam ple, consider a business policy that specifies that personal
sistency), or between one set of attribute values and the same data collected over the web may be shared only if the user has
attribute set within the same record at different points in time (temporal consistency).

Reasonableness

This dimension is used to measure conformance to consistency expectations relevant within specific operational contexts. For example, one might expect that the total sales value of all the transactions each day does not exceed 105 percent of the running average total sales for the previous 30 days.

Currency

This dimension measures the degree to which information is current with the world that it models. Currency measures whether data is considered to be "fresh," and its correctness in the face of possible time-related changes. Data currency may be measured as a function of the expected frequency rate at which different data elements are expected to be refreshed, as well as by verifying that the data is up to date. Currency rules may be defined to assert the "lifetime" of a data value before it needs to be checked and possibly refreshed.

Uniqueness

This dimension measures the number of inadvertent duplicate records that exist within a data set or across data sets. Asserting uniqueness of the entities within a data set implies that no entity exists more than once within the data set and that there is a key that can be used to uniquely access each entity (and only that specific entity) within the data set.

Other Dimensions of Data Quality

This list is by no means complete—there are many other aspects of expressing the expectations for data quality, such as semantic consistency (dealing with the consistency of meanings of data elements), structural format conformance, timeliness, and valid ranges, valid within defined data domains, among many others.

... not opted out of that sharing process. This business policy defines information policies: the data model must have a data attribute specifying whether a user has opted out of information sharing, and that attribute must be checked before any records may be shared. This also provides us with a measurable metric: the count of shared records for those users who have opted out of sharing.

The same successive refinement can be applied to almost every business policy and its corresponding information policies. As we distill out the information requirements, we also capture assertions about the business user expectations for the result of the operational processes. Many of these assertions can be expressed as rules for determining whether a record does or does not conform to the expectations. The assertion is a quantifiable measurement when it results in a count of nonconforming records, and therefore monitoring data against that assertion provides the necessary data control.

Once we have reviewed methods for inspecting and measuring against those dimensions in a quantifiable manner, the next step is to interview the business users to determine the acceptability thresholds. Scoring below the acceptability threshold indicates that the data does not meet business expectations, and highlights the boundary at which noncompliance with expectations may lead to material impact to the downstream business functions. Integrating these thresholds with the methods for measurement completes the construction of the data quality control. Missing the desired threshold will trigger a data quality event, notifying the data steward and possibly even recommending specific actions for mitigating the discovered issue.

9.5 DATA QUALITY INSPECTION, CONTROL, AND OVERSIGHT: OPERATIONAL DATA GOVERNANCE

In this section we highlight the relationship between data issues and their downstream impacts, and note that being able to control the quality of data throughout the information processing
Chapter 9 Information Risk and Data Quality Management ■ 155


flow will enable immediate assessment, initiation of remediation, and an audit trail demonstrating the levels of data quality as well as the governance processes intended to ensure data quality.

Operational data governance is the manifestation of the processes and protocols necessary to ensure that an acceptable level of confidence in the data effectively satisfies the organization's business needs. A data governance program defines the roles, responsibilities, and accountabilities associated with managing data quality. Rewarding those individuals who are successful at their roles and responsibilities can ensure the success of the data governance program. To measure this, a "data quality scorecard" provides an effective management tool for monitoring organizational performance with respect to data quality control.

Operational data governance combines the ability to identify data errors as early as possible with the process of initiating the activities necessary to address those errors to avoid or minimize any downstream impacts. This essentially includes notifying the right individuals to address the issue and determining if the issue can be resolved appropriately within an agreed-to time frame. Data inspection processes are instituted to measure and monitor compliance with data quality rules, while service-level agreements (SLAs) specify the reasonable expectations for response and remediation.

Note that data quality inspection differs from data validation. While the data validation process reviews and measures conformance of data with a set of defined business rules, inspection is an ongoing process to:

• Reduce the number of errors to a reasonable and manageable level.
• Enable the identification of data flaws along with a protocol for interactively making adjustments to enable the completion of the processing stream.
• Institute a mitigation or remediation of the root cause within an agreed-to time frame.

The value of data quality inspection as part of operational data governance is in establishing trust on behalf of downstream users that any issue likely to cause a significant business impact is caught early enough to avoid any significant impact on operations. Without this inspection process, poor-quality data pervades every system, complicating practically any operational or analytical process.

9.6 MANAGING INFORMATION RISK VIA A DATA QUALITY SCORECARD

While there are practices in place for measuring and monitoring certain aspects of organizational data quality, there is an opportunity to evaluate the relationship between the business impacts of noncompliant data as indicated by the business clients and the defined thresholds for data quality acceptability. The degree of acceptability becomes the standard against which the data is measured, with operational data governance instituted within the context of measuring performance in relation to the data governance procedures. This measurement essentially covers conformance to the defined standards, as well as monitoring staff agility in taking specific actions when the data sets do not conform. Given the set of data quality rules, methods for measuring conformance, the acceptability thresholds defined by the business clients, and the SLAs, we can monitor data governance by observing not only the compliance of the data with the business rules, but also the compliance of the data stewards with the processes associated with data risks and failures.

The dimensions of data quality provide a framework for defining metrics that are relevant within the business context while providing a view into controllable aspects of data quality management. The degree of reportability and controllability may differ depending on one's role within the organization, and correspondingly, so will the level of detail reported in a data quality scorecard. Data stewards may focus on continuous monitoring in order to resolve issues according to defined SLAs, while senior managers may be interested in observing the degree to which poor data quality introduces enterprise risk.

Essentially, the need to present higher-level data quality scores introduces a distinction between two types of metrics. The simple metrics based on measuring against defined dimensions of data quality can be referred to as "base-level" metrics, and they quantify specific observance of acceptable levels of defined data quality rules. A higher-level concept would be the "complex" metric representing a rolled-up score computed as a function (such as a sum) of applying specific weights to a collection of existing metrics, both base-level and complex. The rolled-up metric provides a qualitative overview of how data quality impacts the organization in different ways, since the scorecard can be populated with metrics rolled up across different dimensions depending on the audience. Complex data quality metrics can be accumulated for reporting in a scorecard in one of three different views: by issue, by business process, or by business impact.

Data Quality Issues View

Evaluating the impacts of a specific data quality issue across multiple business processes demonstrates the diffusion of pain across the enterprise caused by specific data flaws. This scorecard scheme, which is suited to data analysts attempting to prioritize tasks for diagnosis and remediation, provides a rolled-up view of the impacts attributed to each data issue.

156 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Drilling down through this view sheds light on the root causes of impacts of poor data quality, as well as identifying "rogue processes" that require greater focus for instituting monitoring and control processes.

Business Process View

Operational managers overseeing business processes may be interested in a scorecard view by business process. In this view, the operational manager can examine the risks and failures preventing the business process's achievement of the expected results. For each business process, this scorecard scheme consists of complex metrics representing the impacts associated with each issue. The drill-down in this view can be used for isolating the source of the introduction of data issues at specific stages of the business process as well as informing the data stewards in diagnosis and remediation.

Business Impact View

Business impacts may have been incurred as a result of a number of different data quality issues originating in a number of different business processes. This reporting scheme displays the aggregation of business impacts rolled up from the different issues across different process flows. For example, one scorecard could report rolled-up metrics documenting the accumulated impacts associated with credit risk, compliance with privacy protection, and decreased sales. Drilling down through the metrics will point to the business processes from which the issues originate; deeper review will point to the specific issues within each of the business processes. This view is suited to a more senior manager seeking a high-level overview of the risks associated with data quality issues, and how that risk is introduced across the enterprise.

Managing Scorecard Views

Essentially, each of the views composing a data quality scorecard requires the construction and management of a hierarchy of metrics related to the various levels of accountability that support the organization's business objectives. But no matter which scheme is employed, each is supported by describing, defining, and managing base-level and complex metrics such that:

• Scorecards reflecting business relevance are driven by a hierarchical rollup of metrics.
• The definition of metrics is separated from its contextual use, thereby allowing the same measurement to be used in different contexts with different acceptability thresholds and weights.
• The appropriate level of presentation can be materialized based on the level of detail expected for the data consumer's specific data governance role and accountability.

SUMMARY

Scorecards are effective management tools when they can summarize important organizational knowledge as well as alerting the appropriate staff members when diagnostic or remedial actions need to be taken. Part of an information risk management program would incorporate a data quality scorecard that supports an organizational data governance program; this program is based on defining metrics within a business context that correlate the metric score to acceptable levels of business performance. This means that the metrics should reflect the business processes' (and applications') dependence on acceptable data, and that the data quality rules being observed and monitored as part of the governance program are aligned with the achievement of business goals.

These processes simplify the approach to evaluating risks to achievement of business objectives, how those risks are associated with poor data quality and how one can define metrics that capture data quality expectations and acceptability thresholds. The impact taxonomy can be used to narrow the scope of describing the business impacts, while the dimensions of data quality guide the analyst in defining quantifiable measures that can be correlated to business impacts. Applying these processes will result in a set of metrics that can be combined into different scorecard schemes that effectively address senior-level manager, operational manager, and data steward responsibilities to monitor information risk as well as support organizational data governance.



Validating Rating Models

Learning Objectives

After completing this reading you should be able to:

• Explain the process of model validation and describe best practices for the roles of internal organizational units in the validation process.
• Compare qualitative and quantitative processes to validate internal ratings, and describe elements of each process.
• Describe challenges related to data quality and explain steps that can be taken to validate a model's data quality.
• Explain how to validate the calibration and the discriminatory power of a rating model.

Excerpt is Chapter 5 of Developing, Validating and Using Internal Ratings: Methodologies and Case Studies, by Giacomo De Laurentis, Renato Maino and Luca Molteni.

See bibliography on pp. 411-413.

10.1 VALIDATION PROFILES

Rating systems validation scopes and steps are presented in this chapter. As a rating system 'comprises all of the methods, processes, controls, and data collection and IT systems that support the assessment of credit risk, the assignment of internal risk ratings, and the quantification of default and loss estimates' (Basel Committee, 2004, §394), it is clear that the validation scope is quite wide.

The validation of internal ratings is strictly required by the Basel Committee (2004, §530) for banks willing to opt for Internal Rating Based (IRB) approaches: 'banks must have a robust system in place to validate the accuracy and consistency of their internal models and modeling processes. A bank must demonstrate to its supervisor that the internal validation process enables it to assess the performance of its internal model and processes consistently and meaningfully'. However, the validation of an internal rating system is critical to the validation of the whole credit risk management system of a bank, both from a regulatory point of view and from a business management point of view.

It is crucial to the former perspective because capital adequacy depends on rating systems for banks adopting Internal Rating Based Approaches according to the Basel II regulation (the use of IRB approaches for the purposes of calculating capital requirements is subject to an explicit approval by national supervisory authorities and follows a 'supervisory validation' of rating systems). In addition, it is critical because Pillar 2 of Basel II is focused on the adequacy of risk management systems in order to safely and rationally manage the bank. It is also critical from the latter perspective because key decisions concerning individual loan underwriting as well as credit portfolio management decisions depend on rating systems.

Therefore, the difference in scope of 'regulatory validation' and of 'internal validation' is more apparent than real. In addition, consider that in order to be validated for regulatory purposes, a system has to be previously internally validated; on top of that, the technical contents of validation processes are very similar in both cases. For these reasons we will treat regulatory requirements and internal validation requirements almost interchangeably.

On an ongoing basis, in the validation process, the bank has to verify the reliability of the results generated by the rating system and its continued consistency with regulatory requirements and operational needs. The validation instruments and methods are also periodically reviewed, and adjusted and updated to ensure that they remain appropriate in a context of continually evolving market variables and operating conditions. According to the 'proportionality principle', the scope and depth of quantitative and qualitative validation should be correlated with the type of credit portfolios examined, the overall complexity of the bank, and the stability of markets.

Rating systems must undergo a validation process consisting of a set of formal activities, instruments, and procedures for assessing the accuracy of the estimates of all material risk components and the predictive power of the overall performance system. The Basel II regulation states that: 'The institution shall have a regular cycle of model validation that includes monitoring of model performance and stability, review of model relationships, and testing of model outputs against outcomes.' (Basel Committee, 2004, §417). However, the same regulation underlines that the validation process relies not only on statistical comparisons of actual risk measures against the ex ante estimates, checking of parameter calibrations, benchmarking and stress tests, but also involves analyses of all the components of the internal rating system, including operational processes, controls, documentation, IT infrastructure, as well as an assessment of their overall consistency. Therefore, validation also requires the assessment of the model development process, with particular reference to the underlying logical structure and the methodological criteria supporting the risk parameter estimates.

Validation includes, too, the critical verification that the rating system is actually used (and how) in the various areas of bank operations. This is known as the 'use test', also required by Basel II and better specified in Basel Committee (2006). The results of the validation process need to be adequately documented and periodically submitted to the internal control functions and the governing bodies. The reports shall specifically address any problem areas.

Figure 10.1 gives an overview of the essential steps of rating systems validation.

[Figure 10.1 not reproduced; only the caption fragment "... validation process." survives.]
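The 'testing of model outputs against outcomes' and the checking of parameter calibrations that the Basel II passage above calls for (and that section 10.3 below describes, under obtaining probabilities of default, as validating the calibration ex post with data gathered from operational deployment), carried through in code as an added example that is not part of the original chapter. The logistic score-to-PD mapping, the three-class master scale, the one-year outcome sample and the binomial z-test with its 1.96 limit are all constructed assumptions for illustration, not the book's method.

```python
"""Ex post calibration check: assigned PDs per rating class against realized defaults.
Added example; the score-to-PD mapping, master scale, outcome sample and test limit are
constructed assumptions, not the chapter's."""
import math
from collections import defaultdict


def logistic_pd(score):
    """Logistic regression gives the default probability directly from the linear score."""
    return 1.0 / (1.0 + math.exp(-score))


# Constructed master scale: rating classes as PD bands [low, high).
MASTER_SCALE = [("A", 0.0, 0.01), ("B", 0.01, 0.05), ("C", 0.05, 1.0)]


def rating_class(pd):
    for name, low, high in MASTER_SCALE:
        if low <= pd < high:
            return name
    return MASTER_SCALE[-1][0]  # pd == 1.0 falls into the worst class


def calibration_report(portfolio, z_limit=1.96):
    """portfolio: iterable of (linear score, defaulted) observed over one year.
    Per class, compares the average assigned PD with the realized default rate using a
    binomial z-test; |z| above z_limit flags the class as not calibrated."""
    by_class = defaultdict(lambda: {"n": 0, "defaults": 0, "pd_sum": 0.0})
    for score, defaulted in portfolio:
        pd = logistic_pd(score)
        cell = by_class[rating_class(pd)]
        cell["n"] += 1
        cell["defaults"] += int(defaulted)
        cell["pd_sum"] += pd
    report = {}
    for name, cell in by_class.items():
        n = cell["n"]
        avg_pd = cell["pd_sum"] / n            # logistic output is strictly inside (0, 1)
        realized = cell["defaults"] / n
        z = (realized - avg_pd) / math.sqrt(avg_pd * (1 - avg_pd) / n)
        report[name] = {"n": n, "avg_pd": round(avg_pd, 4), "realized": round(realized, 4),
                        "z": round(z, 2), "calibrated": abs(z) <= z_limit}
    return report


def constructed_portfolio():
    """Constructed one-year outcomes (not real data): class C defaults far above its PD."""
    sample = [(-6.0, i < 1) for i in range(400)]    # class A: 1 default of 400, PD ~0.25%
    sample += [(-3.5, i < 9) for i in range(300)]   # class B: 9 defaults of 300, PD ~2.9%
    sample += [(-2.0, i < 25) for i in range(100)]  # class C: 25 defaults of 100, PD ~11.9%
    return sample


if __name__ == "__main__":
    for name, row in sorted(calibration_report(constructed_portfolio()).items()):
        print(name, row)
```

Classes A and B come out consistent with their assigned PDs, while class C, with 25 percent realized defaults against an average PD near 12 percent, is flagged and is the kind of finding that should feed the recalibration review the text describes. The binomial test assumes defaults within a class are independent; with correlated defaults the true variance is larger, so a single breach should be read together with the observation period and the class population size rather than as proof of miscalibration on its own.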

In summary, the validation process has the key role of reviewing model building steps and application choices, detecting weaknesses and limitations, verifying the proper use of the system, and last, but not least, analyzing contingent solutions planned in case the robustness of the model falls or is lacking. Best practices have to be monitored to minimize misalignments of the whole process of internal credit risk management.

10.2 ROLES OF INTERNAL VALIDATION UNITS

The Basel II regulation is particularly innovative in terms of organizational requirements and internal controls. The rules lay down essential notions and criteria that banks must adopt in developing their rating systems. They also set down the organizational and quantitative requirements banks must comply with for recognition of their methods for capital adequacy purposes. The organizational requirements set rules which govern organization and controls, internal validation of rating systems, characteristics of rating systems (e.g., replicability, integrity, and consistency), their use in operations (use test), information systems and data flows. The quantitative requirements regard the structure of rating systems, the determination of risk parameters, stress tests, and the use of models developed by third-party vendors.

Specific requirements are set for the senior management and those who have roles in corporate governance and oversight. 'All material aspects of the rating and estimation processes must be approved by the bank's board of directors or a designated committee thereof and senior management. These parties must possess a general understanding of the bank's risk rating system and detailed comprehension of its associated management reports. Senior management must provide notice to the board of directors or a designated committee thereof of material changes or exceptions from established policies that will materially impact the operations of the bank's rating system' (Basel Committee, 2004, §438).

'Senior management also must have a good understanding of the rating system's design and operation, and must approve material differences between established procedure and actual practice. Management must also ensure, on an ongoing basis, that the rating system is operating properly. Management and staff in the credit control function must meet regularly to discuss the performance of the rating process, areas needing improvement, and the status of efforts to improve previously identified deficiencies' (Basel Committee, 2004, §439). Internal ratings must also be an essential part of the reporting to these parties.

In performing these tasks, senior management must consider recommendations produced by the validation process and review reports produced by the internal audit unit.

The validation process is performed by a specific organizational unit that may partly rely on the support of operational units in performing its activities. In smaller banks, the least that is needed is the appointment of a manager devoted to coordinating and overseeing these activities.

To perform these tasks, the validation unit has to be independent of other functions devoted to developing and maintaining model tools and to handling credit risk processes and procedures. It is advisable that the validation unit is also independent from those involved in assigning ratings and lending. Specifically, persons in charge of the function should not be subordinate to persons responsible for such activities.

Specific attention has to be paid to ensure the appropriate skills of the human resources employed.

Where compliance with this requirement would prove to be excessively burdensome, the validation unit may be involved in the rating system design and development process, provided that appropriate organizational and procedural precautions are adopted and respected. In such a case, the internal audit function should verify that these activities are performed in an independent manner, fully achieving the intended objectives.

The validation unit should also be independent from the internal audit function, which should review the validation process and findings.

In short, validation and control processes and the organizational roles involved are depicted in Table 10.1.

Also, the internal audit function is deeply involved in validation processes, including the continued analysis of the compliance of the use of rating systems with internal and regulatory requirements. In particular, it is necessary to audit the independence of the validation unit and the quality of resources involved.

Validation is mostly performed on the basis of the documentation received from the functions in charge of model development and implementation in banks' credit processes. Therefore, the scope, transparency, and completeness of documentation are essential; these characteristics are important validation criteria.

Banking groups with significant cross-border operations may have different organizational structures in different countries. Nevertheless, in all cases the parent company has to ensure that the organization of the validation and review functions within the group enables the unified management and control of models and rating systems.

Chapter 10 Validating Rating Models ■ 161


Table 10.1 Processes and Roles of Validation and Control of Internal Rating Systems

| | Models | Procedures | Tools | Management Decision |
|---|---|---|---|---|
| Basic controls | Task: model development and back testing. Owner: credit risk models development unit | Task: credit risk procedures maintenance. Owner: lending units/internal control units | Task: operations maintenance. Owner: lending units/IT/internal audit | Task: lending policy applications. Owner: central and decentralized units/internal control units |
| Second controls layer | Task: continuous test of models/processes/tools performance (covers the Models, Procedures and Tools columns). Owner: lending unit/internal audit | | | Task: lending policy suitability. Owner: validation unit/internal audit |
| Third controls layer | Risk management/CRO | Organisation/COO | Lending unit/CLO/COO | Lending unit/CLO/CRO |
| Accountability for supervisory purposes | Top management/Surveillance board/Board of directors (all columns) | | | |

CRO: Credit Risk Officer; CLO: Chief Lending Officer; COO: Chief Operating Officer; IT: Information Technology Department.

10.3 QUALITATIVE AND QUANTITATIVE VALIDATION

There are two main areas of validation: qualitative and quantitative. Qualitative validation ensures the proper application of quantitative methods and the proper usage of ratings. Quantitative validation comprises all validation procedures of ratings in which statistical indicators are calculated and interpreted on the basis of an empirical dataset. In recent years, many books and articles have dealt with this topic, included among which are Engelmann and Rauhmeier (2006) and Christodoulakis and Satchell (2008).

Qualitative and quantitative validation complement each other. A rating procedure should only be applied in practice if it receives a positive assessment in the qualitative area. A positive assessment by the quantitative validation is not sufficient per se. Conversely, a negative quantitative assessment should not be considered decisive because statistical estimates are subject to random fluctuations and a certain degree of tolerance in the interpretation of results should be allowed. It is, therefore, necessary to place emphasis on qualitative validation.

Qualitative Validation

Rating Systems Design

Rating systems design concerns the proper choice of the model architecture in relationship to the market segments in which the model is going to be used. It is necessary to ensure the transparency of the assumptions and/or evaluations which form the basis of the rating models design. The general suitability of a rating approach for specific rating segments has to be assessed. A number of other areas must be investigated:

• consistency of model development processes and methodologies,
• adequate calibration of model output to default probabilities,
• proper documentation of all model functions,
• analytical description of the rating process, with duties and responsibilities of key personnel,
• the robust procedures in place for validation and regular review.

In addition, there are important organizational profiles of rating systems' qualitative validation; they concern the link between the model, process, procedures, approval powers, and controls. Even the best model does not produce the expected added value to bank lending if it is misunderstood or if it is not adequately supported in daily applications. In this perspective, adequate education, clear procedures, proper guidelines, and support in tackling exceptions are fundamental. The assessment of the actual use of rating systems in credit approval processes is a key component of qualitative validation. In fact, the model must not only be a formal requirement for capital adequacy purposes or portfolio decisions; it must be fully integrated in the decision making process concerning single loans. If the bank credit culture does not accept the new model-based rating assignment processes, the risk of having two different processes (one being formal but inactive and the other informal but used in daily lending decisions) is very high. The validation has to detect these situations and suggest how to overcome them.

In the earlier stages of rating systems development in a bank, it commonly happens that credit risk functions spend a lot of time

on model building, number crunching, statistical testing, and so on. Procedural aspects are underestimated in terms of the time, resources, and investments needed, as they are erroneously considered less problematic and easier to overcome. From these early stages, the role of the validation unit in detecting the organizational readiness to accept and to correctly apply the new rating system is essential. The validation unit should have great visibility to top management and should draw on that visibility to secure enough resources for the new process to take off properly.

The essential requirements of rating systems that need to be checked in qualitative validation can be summarized in the following five main features:

• obtaining probabilities of default
• completeness
• objectivity
• acceptance
• consistency.

Obtaining probabilities of default Ratings are the basis for almost all risk management applications once they have been quantified and probabilities of default have been obtained. In this perspective, different methods of rating assignment produce PDs in distinctive ways. Statistical models are developed on the basis of an empirical dataset, which makes it possible to determine the PD for individual rating classes by calibrating results with the empirical data. Logistic regression enables the direct calculation of default probabilities, while for other methods (e.g., discriminant analysis) a specific adjustment is needed. Likewise, it is possible to validate the calibration of the rating model (ex post) using data gathered from the operational deployment of the model. Using this data, the default parameter can be constantly monitored and validated over time to maintain PDs aligned with real world outcomes.

Rating system completeness Completeness is the next important feature of an internal rating system. In order to ensure the completeness of credit rating procedures, banks need to take all available information into account when assigning ratings to borrowers or transactions (Basel Committee, 2004, §417). The nature of the chosen rating assignment approach strongly affects this feature. Many default risk models use a small number of characteristics of the borrower to infer its creditworthiness. For this reason, it is important to verify the completeness of factors used to determine a counterpart's creditworthiness, at least in model building stages and/or in the operational use (for instance, analyzing the scope of overrides proposed by a credit analyst). In the estimation of statistical-based models, as a large number of borrowers' characteristics can be tested, the possibility to force variables to enter into the model in order to increase the completeness of the relevant risk factors should be verified. Usually, the computer-based processing of information enables expert systems and fuzzy logic systems to take a larger number of characteristics into consideration, meaning that such systems can be more comprehensive if properly modeled.

Rating system objectivity A good rating system needs procedures that capture creditworthiness factors clearly and also minimize room for interpretation. Achieving high discriminatory power of ratings requires that they are assigned as objectively as possible, minimizing biases. In judgment-based approaches this can only be ensured by precise and plausible guidelines, common cultural backgrounds, appropriate training, ongoing benchmarking, and adequate organizational choices (team work, supervision, balancing individual analysts' specialization by sector, and analysts' teams' cross-sector mix). In statistical models, borrowers' characteristics are selected and weighted using an empirical dataset and objective methods; therefore, we can regard these models as the most 'objective' rating procedures. When the model is fed by the same information, unavoidably the same results are obtained. This is also the case for expert systems and neural networks, where borrowers' creditworthiness is determined using defined algorithms and rules.

Rating system acceptance Rating systems have also to be accepted by users, above all, internal users such as credit analysts, credit officers, and loan officers. Therefore, some requirements are necessary:

a. The rating system should not produce classifications that are very often too far from those expected by bank analysts and officers;
b. For small and medium enterprises, mechanical rating models often have higher discriminatory power than a poorly structured judgment-based approach developed by poorly experienced and trained credit officers. However, they are less easily accepted because many actors do not have enough technical knowledge to understand them. Hence, an adequate education and level of disclosure on model frameworks for all actors involved in the lending process are indispensable.

Therefore, the validation process has to verify that rating models are well understood and shared by the users.

Different rating approaches have different degrees of acceptability. Generally speaking, as heuristic models are designed on the basis of experts' experience in lending, these models are more easily accepted; their credit assessments are considered warmer by end-users because they replicate their common culture. The acceptance of fuzzy logic systems may be lower as they require a greater degree of technical knowledge due to their fuzzy

Chapter 10 Validating Rating Models ■ 163


algorithms and changing variables' weights in different contexts. One severe disadvantage for the acceptance of artificial neural networks lies in their 'black box' nature. The increase in discriminatory power achieved by such methods depends on the network's ability to learn and on the parallel processing of information within the network. However, it is precisely this complexity which makes it difficult to comprehend results.

Rating system consistency

Consistency is the last but not least feature. Models have to be coherent and suitable for the borrowers to which they are applied and with the theoretical frameworks of users. When developing a statistical rating model, relationships between indicators may arise which contradict economic theory. Such contradictory indicators have to be excluded from further analyses; filtering out these problematic indicators serves to ensure consistency. Heuristic models do not contradict recognized scientific theories and methods, as these models are based on the experience and observations of credit experts. Pure statistical models depict business inter-relationships directly from empirical datasets, and their consistency should be checked.

The Basel II regulation states specific validation requirements in case statistical models and other mechanical methods are used to assign borrower or facility ratings or in the estimation of PDs, LGDs, or EADs (Basel Committee, 2004, §417). First of all, it is recognized that 'Although mechanical rating procedures may sometimes avoid some of the idiosyncratic errors made by rating systems in which human judgement plays a large role, mechanical use of limited information also is a source of rating errors. Credit scoring models and other mechanical procedures are permissible as the primary or partial basis of rating assignments, and may play a role in the estimation of loss characteristics. Sufficient human judgement and human oversight is necessary to ensure that all relevant and material information, including that which is outside the scope of the model, is also taken into consideration, and that the model is used appropriately'. This means that models must be part of a broader rating system, in which other methodologies add further information and expertise assuring completeness.

Other requirements of §417 are as follows: 'the burden is on the bank to satisfy its supervisor that a model or procedure has good predictive power and that regulatory capital requirements will not be distorted as a result of its use. The variables that are input to the model must form a reasonable set of predictors. The model must be accurate on average across the range of borrowers or facilities to which the bank is exposed and there must be no known material biases. The bank must have in place a process for vetting data inputs into a statistical default or loss prediction model which includes an assessment of the accuracy, completeness and appropriateness of the data specific to the assignment of an approved rating. The bank must demonstrate that the data used to build the model are representative of the population of the bank's actual borrowers or facilities. When combining model results with human judgement, judgements must take into account all relevant and material information not considered by the model. The bank must have written guidance describing how human judgement and model results are to be combined. The bank must have procedures for human review of model based rating assignments. Such procedures should focus on finding and limiting errors associated with known model weaknesses and must also include credible ongoing efforts to improve the model's performance . . . The influence of individual factors on rating results should be comprehensible and in line with the current business research and practice. For example, if a multivariate statistical method is applied, factors in a statistical ratio analysis have to be plausible and comprehensible, according to the fundamentals of financial statement analysis and the economic theory of the firm.'

Therefore, in Paragraph 417 of the Basel II regulation, all five essential requirements (obtaining probabilities of default, completeness, objectivity, acceptance, consistency) for a satisfactory rating system have been detailed.

The same Basel II paragraph indicates two other important aspects of validation processes, that is to say, the continuity of validation processes and the completeness of documentation: 'The bank must have a regular cycle of model validation that includes monitoring of model performance and stability; review of model relationships; and testing of model outputs against outcomes . . . In statistical models, special emphasis is to be placed on documenting the models statistical foundations, which have to be in line with the standards of quantitative validation.'

In examining all these features, the validation unit also has to take carefully into account external benchmarks, such as specialist literature and competitors' applications. The rating system is a decisional tool and can dramatically harm the bank's ability to compete if it is not aligned with those used by direct incumbents in the market.

Data Quality

In statistical models, data quality is essential. Good data give outstanding results even with simple models, whereas the most advanced models cannot overcome poor data quality. Therefore, a comprehensive dataset is an essential prerequisite for quantitative validation. In this context, a number of qualitative aspects have to be considered:

• completeness of data,
• volume of available data,
• representativeness of samples used for model development and validation,
164 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
• consistency and integrity of data sources,
• adequacy of procedures used to ensure data cleansing and, in general, data quality.

The validation unit has a central role in confirming the dataset quality.

Particularly relevant are the reliability and completeness of defaulted observations because these are the actual limit to developing adequately large datasets for model development, rating quantification, and validation. The consistency of the default definition used throughout data collection processes (that perhaps take place in different institutions of a bank group, in different periods and countries) and its compliance with the Basel II definition of default (Basel Committee, 2004, §452) are both critical. Sample size is important as well as sample homogeneity: ideally, a sample has to be generated from a unique population using the same procedures, criteria, and methodology over time. In other words, the sample must be generated by the same 'lending technology'. This is the set of information, rules, contracts, and policies applied to credit origination and monitoring; changing one or more of these components changes the credit portfolio generation and the borrowers' profile in the dataset (Berger and Udell, 2006) and can harm the consistency between the model development dataset and the population to which the model is operationally applied.

A further profile of data quality is the time span to which data refer. Ideally, the dataset should be generated by considering an entire credit cycle; otherwise, estimates will be dependent on specific favorable or unfavorable cycle stages. Macroeconomic conditions are one of the most important determinants of default rates. If we miss a good representation of the credit cycle we miss something really relevant in describing default probability. The combination of the last two mentioned conditions (lending technology stability and credit cycle coverage) proves to be very restrictive. We rarely observe procedures and processes that remain constant for five or more years of an entire credit cycle (the last started in 2002 and ended in 2008). Changes are more frequent because of the increasing technological opportunities to speed up processes and efficiency, discontinuities in the economic environment that lead to radically modifying credit policies, and new market segments becoming relevant; banks' mergers and acquisitions strongly impact on many aspects of the lending technology, too.

The validation process also has to pay attention to preliminary data treatment activities (such as finding and managing outliers, missing values, and poor data representativeness for some customers' segments).

Data quality is so relevant that the validation unit has to dedicate specific attention to these aspects. Figure 10.2 depicts the conceptual structure of data links from the model development dataset to the market the bank potentially confronts.

Figure 10.2 From samples to market population: data relationships.

Samples used in model building should have some desirable technical properties (low heteroscedasticity, no abnormal values, and so forth). Actual populations do not share these properties. The best way to extend a model's findings to populations is to apply a proper calibration and to perform out-of-sample analyses. These analyses are based on observations that are generated by the same lending technology but that were not included in the development sample. As a result, it is advisable to build various samples, one dedicated to support model building and others used for out-of-sample, out-of-time, and out-of-universe validations of a model's performance.

The validation unit has an essential role in assessing two critical aspects: (i) stability of the lending technology behind data and (ii) proper model calibration in order to generalize results from sample to population. The two issues overlap, to some extent. If the observed in-sample default rate diverges from the total population, then calibration should reflect this divergence because the sample's central tendency would be different from the population's central tendency. This may simply be due to the fact that the bank's lending technology is selecting borrowers better or worse than competing banks. This circumstance may also occur when lending technology changes: if the model is not re-calibrated, it continues to apply old criteria to new states of business. This is typically the case when mergers, acquisitions, demergers and so forth determine a change in the bank's lending technology.

The validation unit should be fully aware of the consequences of lending technology changes as well as of misalignments between borrowers' profiles in the original sample and the population's profiles. If the rupture is significant, an extraordinary phase of model revision would be needed, at least in terms of model calibration.

Focus on calibration. Suppose that we use a balanced sample (50% performing, 50% defaulting borrowers) for model

development in order to assure the best conditions for applying statistical methods: luckily, real banks' loan portfolios are much less risky. In other words, a normal long term annual default rate may be close to 2.5%; this value is far away from the 50% of the balanced sample. Moreover, defaults cluster together during the credit cycle with significant changes in default co-dependencies. The impact on calibration is significant; even small changes in model calibration have a big influence on a model's cut-off and on estimated default rates.

Figure 10.3 illustrates estimated PDs in a balanced sample, in a population where the default rate is 2.4%, and in a population whose default rate is 1%.

Figure 10.3 Calibration effects on model score: estimated PDs using different long term average default rates. (Chart of score distributions against cumulated percentiles: balanced sample score distribution (def. rate 50%), population score distribution calibrated at def. rate 2.34%, and population score distribution calibrated at def. rate 1.0%.)

An inaccuracy in determining the long term average annual default rate modifies default probability measures. In fact, the lending process is relatively slow in producing evident results, also due to credit cycle movements. A credit cycle lasts years, not days or weeks. The central tendency (in statistics) is the average value to which population characteristics converge after many repetitions of the same process (this is the law of large numbers). Think about tossing a coin: after a few tosses, we cannot understand if the coin has been manipulated or not; we need a large number of trials in order to be sure that the coin is manipulated. The statistical repetitions in lending activities are relatively limited and it takes time to directly assess the effects of an incorrect parameter. Normally, a robust check on the validity of the central tendency is only possible after 18 or 36 months, depending on markets, types of facilities, and customers' segments.

In any case, the central tendency is a compromise between having long empirical series of observations and constant lending technology. Therefore, to set the central tendency is a very delicate issue that soon becomes a matter of discretion. The calibration turns into a managerial decision, which is partly based on empirical evidence and partly depends on strategies and policies (such as fixing the implicit 'risk appetite' of the organization). Optimistic estimates (default rate lower than actual) reduce the risk perception and determine aggressive competitive policies. If rating is also used for pricing purposes, then prices would not fully reflect the credit risk embedded in transactions (and loss provisions would be underestimated). On the contrary, if the estimated default rate is pessimistic, a conservative credit policy would be adopted, which would lead to missed business opportunities, to overestimated provisions, and to lower credit market shares.

In conclusion, the validation unit has an important role in verifying the central tendency over time through back testing and stress testing. It should carefully monitor market prices, signals from marketing people, results of big ticket transactions (syndicated loans, securities placing, securitisation, and so forth) and fully exploit any other opportunity to benchmark the bank (and the models used) against direct competitors.

Quantitative Validation

Quantitative validation covers four main areas:

1. Sample representativeness of the reference population at the time of the estimates and in subsequent periods.
2. Discriminatory power: the accuracy of ratings assignments in terms of the models' ability to rank obligors by risk levels, both in the overall sample and in its different breakdowns (for example, based on business sector, size and location).
3. Dynamic properties: the stability of rating systems and properties of migration matrices.
4. Calibration: the predictive power concerning probabilities of default.

We have already dealt with the issues of data quality extensively. Here we consider the perspective of sample size. Nowadays, the real constraint is usually given by the subsample size of defaulted firms, as some loan portfolios are characterized by very few defaults. As risks of these 'low-default portfolios' have to be assessed in any case, rating systems have to be developed and validated. A set of principles should be taken into consideration. Firstly, we cannot exclude exposures from the scope of application of the rating model simply because insufficient data are available to validate the risk parameter estimates on a statistical basis. In these cases, the validation unit has to contribute to setting an adequate margin of conservatism in the assumption of risk parameters. Moreover, validation has to pay particular attention to analysis techniques adopted in this estimation
process and to their limitations. Many statistical tests depend on the amount of available information. For instance, for the Chi-square test to give accurate results when dealing with contingency tables cross-tabulating a dichotomous variable, such as default/non-default, with many rating classes, no more than 20% of cells should contain expected default frequencies less than five and no cells should have expected frequencies less than one. In many cases, minimum sample size requirements are not achieved, mainly due to the small number of defaults. This is particularly true when we are building models for market 'niches' or for specific industries (that are maybe important for their economic impact but that are composed of few competitors and counterparties). In these cases, we need to apply specific techniques to give more robustness to our estimates (Wehrspohn, 2004; Basel Committee, 2005b; Pluto and Tasche, 2004); among them, 'bootstrap procedures' have an important place. These procedures randomly generate many samples. Retaining the number of (the few) available defaults, many balanced samples can be iteratively generated by extracting an equal number of units from the non-defaulted group, without re-introduction. On each of these samples the rating model is completely re-assessed, extracting the entire set of statistical information (variables selected, means, standard deviations, likelihood tests, and so on). The set of models is then analyzed. If a clear convergence on a final stable result (i.e., same final variables selected, equivalent parameters, and so on) is found, we can infer that the model solution is stable and robust enough. If not, there would be a severe risk of instability and a more in-depth analysis would be needed. A way to overcome these problems is to find more homogeneous subsets (applying cluster analysis, for instance). The model could be adapted to the specific features of these subsets, adopting different calibrations or integrating a specific successive qualitative analysis, maybe based on experts' judgments.

The term 'discriminatory power' refers to the fundamental ability of a rating model to differentiate between defaulting and performing borrowers over the forecasting horizon. Note that the forecasting horizon is usually set at 12 months for PD estimation (this also is a Basel II requirement) but the relevant time horizon for rating validation is the one set for rating assessment: in this last case, Basel II also requires a longer time horizon. Therefore, it is necessary to use longer forecasting horizons in order to validate discriminatory power. For example, the discriminatory power of a scoring model for installment loans is often calculated for the entire period of the credit transaction.

The discriminatory power of a model can only be reviewed ex post using data on defaulted and non-defaulted cases (back testing). Therefore, using a longer time horizon means using an 'observation period' that is more distant from 'time zero' and from the collection time of the data which feed the model's explanatory variables.

On the basis of the resulting sample, various analyses of the rating discriminatory power are possible. The list of methods in Basel Committee (2005a) is:

• statistical tests such as Fisher's r², Wilks' λ, Hosmer-Lemeshow;
• migration matrices;
• accuracy indexes such as Lorenz's concentration curves and Gini ratios (in different variants, for instance ROC and AuROC);
• classification tests (binomial test, type 1 and type 2 errors, χ² test, normality test and so forth).

The frequency distribution of good and bad cases is particularly important. In fact, error rates are the best way to offer a glimpse of model performance. The validation unit has to carefully verify the cut-off choice, its calibration, and its consequences in daily operations (as 'false good' cases create loss given default, and 'false bad' cases cause opportunity costs).

Ratings stability can be assessed by observing 'migration matrices'. They can be built once the rating system has been operational for at least two years. Desirable properties of annual migration matrices are:

• Transition rates to default should be in ascending order as rating classes worsen.
• High values should be on the diagonal and low values off-diagonal, which would signal that ratings are stable over time. This is also an indication of a through-the-cycle rating model, as opposed to point-in-time ratings, which are much more dynamic during the credit cycle, moving frequently from one class to another.
• Off-diagonal values should be in descending order when departing from the diagonal. That is to say, migration rates of plus or minus one class should be higher than migration rates of plus or minus two classes, and so forth. This means that rating movements are gradual whereas sudden leaps of many classes at one time are not that frequent.

These properties also have to hold for time horizons longer than one year, despite a natural reduction in on-diagonal values and an increase in off-diagonal values. This means that ratings change over time but without large leaps.

If analyses of firms' fundamentals are dominant in rating assignment, ratings change slowly over time because they are less sensitive to credit cycles and to transitory circumstances. Therefore, stability of the migration matrix is generally assumed as an indicator of an analytical process which is mainly centered on
counterparty's fundamentals, and hence as an expression of a forward looking rating system.

This is a desirable technical property for many economic reasons, such as lower pro-cyclical effects (on banks, firms and, hence, on the economy as a whole) and longer 'far-sightedness' of credit allocation (Draghi, 2009).

Calibration is a key topic in quantitative validation. It is also a critical issue because of the scarcity of statistical tools that are available. A document issued by the Basel Committee which is entirely dedicated to the validation of internal rating systems clearly states that: 'compared with the evaluation of the discriminatory power, methods for validating calibration are at a much earlier stage . . . Due to the limitations of using statistical tests to verify the accuracy of the calibration, benchmarking can be a valuable complementary tool for the validation of estimates for the risk components PD, LGD and EAD. Benchmarking involves the comparison of a bank's ratings or estimates to results from alternative sources. It is quite flexible in the sense that it gives banks and supervisors latitude to select appropriate benchmarks' (Basel Committee, 2005a, p. 3).

Therefore, validating calibration means analyzing differences between forecasted PDs and realized default rates. The Basel Committee paper indicates a few tests to assess proper calibration: Binomial test, Chi-square test (or Hosmer-Lemeshow), Normal test, and Traffic lights approach. While the Binomial test is applied to one rating category at a time, the Chi-square test simultaneously checks several rating categories. The normal test is applied to a single rating class but is a multiperiod test of correctness of default probability forecasts; it is based on a normal approximation of the distribution of the time-averaged default rates (and on the assumptions that the mean default rate does not vary too much over time and that default events in different years are independent). The Traffic light approach is a multiperiod back testing tool for a single rating category introduced with the 1996 Market Risk Amendment as a supervisory evaluation tool of internal market risk models. Each of these tests bears important limitations. Therefore, we can conclude with the Basel Committee's words: 'at present no really powerful tests of adequate calibration are currently available' (Basel Committee, 2005a, p. 34).

Back Testing, Benchmarking and Stress Testing

Back testing (accuracy of risk parameter estimates when compared with ex post empirical evidence), benchmarking (relative performance of systems and risk parameter estimates against benchmarks), and stress testing (adequacy of models when stress tests are applied) are three fundamental activities for validating rating systems.

When back testing, realized default rates must regularly be compared with estimated PDs for each rating grade. Where they do not fall within the expected range for that grade, the validation unit should analyze the reasons for the deviations. Internal standards should be set for situations where deviations from expectations in realized PDs become significant enough to call the validity of estimates into question. These standards may take account of business cycles and similar systematic variability in default experiences. Where actual values continue to be higher than expected values, the bank should revise estimates upwards to reflect its default experience.

When benchmarking, the validation unit establishes procedures to specify acceptable deviations between internal estimates and benchmark data and identifies, at least in general terms, the actions to be taken when such deviations significantly exceed acceptable levels. Banks should also identify possible sources of unexpected volatility that could affect benchmarking results over time. This analysis should be conducted at least once a year. The adequacy and reliability of benchmarks is obviously critical. The comparisons of synthetic measures of rating performance must be carefully considered, as some very common indicators are sample dependent (such as the Gini ratio and AuROC). It is much better to have benchmark datasets for testing different models on the same set of data.

Regarding a model's stress testing, the validation unit should assess the robustness and reliability of models' results when their independent variables are set to indicate extreme conditions.

Benchmarking, stress testing and, above all, back testing should be reported in an effective, easy to understand and transparent way to top managers. This would enhance the internal communication strategy of the validation unit: the clearer the communication, the more effective a top manager's contribution (to improve rating systems and to enhance rating validation activities) is.

As an example, suppose a bank has 15,000 internally rated customers; the internal rating system is based on 17 classes, without considering defaulted counterparties (Table 10.2).

Table 10.3 shows the loan portfolio by rating class at the beginning and at the end of the observation period. As indicated throughout this book, a number of performance measures and statistical tests can be calculated.

Effective and simple representation of this data is important to communicate to top managers and other bank personnel as well. Table 10.4 and Figure 10.4 illustrate a comparison between expected and actual default rates per rating class. Deviations from means are highly frequent, mainly because of the effects of credit cycles. In periods of economic expansion, lower quality
Table 10.2 Internal Rating Classification

Rating   Probability of Default (%)          Range (%)
Class    Min      Mean     Max            Lower Bound   Upper Bound
1        0.01     0.03     0.04           -0.02         0.01
2        0.04     0.05     0.06           -0.01         0.01
3        0.06     0.07     0.08           -0.01         0.01
4        0.08     0.10     0.12           -0.02         0.02
5        0.12     0.15     0.19           -0.03         0.04
6        0.19     0.25     0.30           -0.05         0.05
7        0.30     0.40     0.50           -0.10         0.10
8        0.50     0.60     0.75           -0.10         0.15
9        0.75     0.90     1.15           -0.15         0.25
10       1.15     1.35     1.70           -0.20         0.35
11       1.70     2.00     2.50           -0.30         0.50
12       2.50     3.00     3.75           -0.50         0.75
13       3.75     4.50     5.50           -0.75         1.00
14       5.50     7.00     8.50           -1.50         1.50
15       8.50     10.00    13.00          -1.50         3.00
16       13.00    15.00    20.00          -2.00         5.00
17       20.00    25.00    50.00          -5.00         25.00

Table 10.3 Example of Portfolio Evolution in the Observation Period

Rating   Initial Portfolio    Portfolio at Observation Period End                   Frequency Distribution by Class (%)
Class    # Units    %         Defaults  Cumulated   Non-defaulted  Cumulated    Default  Cumulated   Non-default  Cumulated
1        15         0.1       0         0           15             15           0.0      0.0         0.1          0.1
2        38         0.3       0         0           38             53           0.0      0.0         0.3          0.4
3        23         0.2       1         1           22             74           0.3      0.3         0.1          0.5
4        105        0.7       0         1           105            179          0.0      0.3         0.7          1.2
5        150        1.0       0         1           150            329          0.0      0.3         1.0          2.2
6        375        2.5       3         4           372            701          0.8      1.1         2.5          4.8
7        1170       7.8       4         8           1166           1867         1.1      2.2         8.0          12.8
8        2138       14.3      6         14          2132           3999         1.6      3.8         14.6         27.3
9        1725       11.5      5         19          1720           5719         1.4      5.2         11.8         39.1
10       1650       11.0      15        34          1635           7354         4.1      9.3         11.2         50.3
11       2100       14.0      32        66          2068           9422         8.7      18.0        14.1         64.4
12       2250       15.0      55        121         2195           11617        15.0     33.0        15.0         79.4
13       1200       8.0       56        177         1144           12761        15.3     48.2        7.8          87.2
14       750        5.0       58        235         692            13453        15.8     64.0        4.7          91.9
15       675        4.5       72        307         603            14056        19.6     83.7        4.1          96.1
16       525        3.5       45        352         480            14536        12.3     95.9        3.3          99.3
17       113        0.7       15        367         98             14633        4.1      100.0       0.7          100.0
Total    15000      100.0     367                   14633                       100.0                100.0

Table 10.4 Example of Actual Values against Expected Values in a Portfolio during a Favorable Credit Cycle

Rating   Central    Defaults               Default Rate (%)                       Survival
Class    PD (%)     Expected   Actual      Actual    Δ Actual versus Expected     Rate (%)
1        0.03       0          0           0.0       0.0                          100.0
2        0.05       0          0           0.0       0.0                          100.0
3        0.07       0          1           4.4       4.4                          95.6
4        0.10       0          0           0.0       -0.1                         100.0
5        0.15       0          0           0.0       -0.2                         100.0
6        0.25       1          3           0.8       0.6                          99.2
7        0.40       5          4           0.3       -0.1                         99.7
8        0.60       13         6           0.3       -0.3                         99.7
9        0.90       16         5           0.3       -0.6                         99.7
10       1.35       22         15          0.9       -0.4                         99.1
11       2.00       42         32          1.5       -0.5                         98.5
12       3.00       68         55          2.4       -0.6                         97.6
13       4.50       54         56          4.7       0.2                          95.3
14       7.00       53         58          7.7       0.7                          92.3
15       10.00      68         72          10.7      0.7                          89.3
16       15.00      79         45          8.6       -6.4                         91.4
17       25.00      28         15          13.3      -11.7                        86.7
Total               447        367         2.4                                    97.6

classes perform better than expected; the reverse would be true in periods of recession. This is a well known phenomenon, well documented by rating agencies' migration matrices observed in different periods.

Figure 10.4 Default rates per rating class and statistical confidence intervals. (Per internal rating class the chart plots PD min, PD central, PD max and the actual default rate, with confidence bands at 67%, 90%, 99% and 99.9% on the right-hand axis.)

Figure 10.5 Default rates and lending policy. (Frequency distribution of default and non-default per rating class, showing the actual default and non-default frequencies, the type 1 and type 2 error areas, and the credit restriction/recall/withdrawal region.)

When classes have few units, unexpected events hugely affect relative deviations but have a small economic impact (see class 3 for instance). The opposite is true for larger classes: even small deviations have a meaningful impact on portfolio performance. Therefore, these effects need to be carefully managed to avoid miscommunication (from this perspective, indicators like the ROC curve are particularly suitable).

Linking crude data of rating classifications to the bank's lending policy is useful for managers and for effective communication. Figure 10.5 offers a way to illustrate this analysis. On the graph
the frequency distributions of actual defaulted and non-defaulted counterparts are shown. Of course, the two groups have different distributions and there is a large overlapping area. Rating classes are often the main drivers for bank lending policies. Different commercial policies are put into practice in respect of a counterparty's credit risk, favoring aggressive marketing for safer clients and conservative lending behaviors for riskier ones. Suppose that aggressive marketing is pursued for better classes up to class 6, while a conservative approach is recommended from class 14 onwards. This policy neither protects against defaults in classes that benefit from aggressive marketing, nor avoids restricting lending to solvent counterparties. In our example, the target for aggressive marketing is around 700 clients (the first 5% of the portfolio) but three defaults were experienced (the first 1.1% of total defaults); see the gray area on the left in Figure 10.5. At the same time, if we withdraw credit to the worst three classes, 130 defaults could be avoided but business with 1200 clients would be lost (gray area on the right in Figure 10.5).

The importance of a model's discriminatory power and adequate calibration becomes evidently clear. The usefulness of having clues on these performance measures of rating systems becomes apparent. Also, the value of a prompt detection of fading discriminatory power and calibration becomes evident.


Assessing the Quality of Risk Measures

Learning Objectives

After completing this reading you should be able to:

• Describe ways that errors can be introduced into models.
• Explain how model risk and variability can arise through the implementation of VaR models and the mapping of risk factors to portfolio positions.
• Identify reasons for the failure of the long-equity tranche, short-mezzanine credit trade in 2005 and describe how such modeling errors could have been avoided.
• Explain major defects in model assumptions that led to the underestimation of systematic risk for residential mortgage backed securities (RMBS) during the 2007-2009 financial downturn.

Excerpt is from Chapter 11 of Financial Risk Management: Models, History, and Institutions, by Allan M. Malz.
VaR has been subjected to much criticism. Previously we reviewed the sharpest critique: that the standard normal return model underpinning most VaR estimation procedures is simply wrong. But there are other lines of attack on VaR that are relevant even if VaR estimates are not based on the standard model. This chapter discusses three of these viewpoints:

1. The devil is in the details: Subtle and not-so-subtle differences in how VaR is computed can lead to large differences in the estimates.
2. VaR cannot provide powerful tests of its own accuracy.
3. VaR is "philosophically" incoherent: It cannot do what it purports to be able to do, namely, rank portfolios in order of riskiness.

We will also discuss a pervasive basic problem with all models, including risk models: the fact that they can err or be used inappropriately.

11.1 MODEL RISK

The basic modeling problem facing VaR is that the actual distribution of returns doesn't conform to the model assumption of normality under which VaR is often computed. Using a VaR implementation that relies on normality without appreciating the deviations of the model from reality is an example of model risk. Models are used in risk measurement as well as in other parts of the trading and investment process. The term "model risk" describes the possibility of making incorrect trading or risk management decisions because of errors in models and how they are applied. Model risk can manifest itself and cause losses in a number of ways. The consequences of model error can be trading losses, as well as adverse legal, reputational, accounting, and regulatory results.

All social science models are "wrong," in the sense that model assumptions are always more or less crude approximations to reality. In Friedman's (1953) view on the methodology of economics, deviation from reality is a virtue in a model, because the model then more readily generates testable hypotheses that can be falsified empirically, adding to knowledge. The so-called Black-Scholes biases provide very useful insights into return behavior, and yet are defined as violations of the model predictions. A model may, however, be inherently wrong, in that it is based on an incorrect overall view of reality. The data inputs can be inaccurate, or may be inappropriate to the application.

Error can be introduced into models in any number of ways. A seemingly trivial channel, but one that can have large consequences, is that the programming of a model algorithm can contain bugs. An example occurred in the ratings process for structured credit products, and was revealed during the subprime crisis. The press reported in May 2008 that Moody's had incorrectly, given their own ratings methodology, assigned AAA ratings to certain structured credit products using materially flawed programming. Another example occurred when AXA Rosenberg Group LLC, an asset-management subsidiary of the French insurance company AXA, using a quantitative investment approach, discovered a programming error in its models that had likely induced losses for some investors.¹

    ¹ On Moody's, see Sam Jones, Gillian Tett, and Paul J. Davies, "CPDOs expose ratings flaw at Moody's," Financial Times, May 20, 2008. On AXA Rosenberg, see Jean Eaglesham and Jenny Strasburg, "Big Fine Over Bug in 'Quant' Program," Wall Street Journal, Feb. 4, 2011.

These episodes also provide examples of the linkages between different types of risk. In the Moody's case, the model risk was closely linked to the reputational and liquidity risks faced by Moody's. The error had been discovered by Moody's before being reported in the press, but had coincided with changes in the ratings methodology for the affected products, and had not resulted in changes in ratings while still known only within the firm. Moody's therefore, once the bugs became public knowledge, came under suspicion of having tailored the ratings model to the desired ratings, tarnishing its reputation as an objective ratings provider. Within a few days of the episode being reported, S&P placed Moody's-issued commercial paper on negative watch, illustrating the economic costs that reputational risk events can cause. In the AXA Rosenberg episode, the discovery of the error had not been communicated in a timely fashion to investors, resulting in loss of assets under management, an SEC fine, and considerable overall reputational damage.

Even when software is correctly programmed, it can be used in a way that is inconsistent with the model that was intended to be implemented in the software. One type of inconsistency that arises quite frequently concerns the mapping of positions to risk factors, which we'll discuss in a moment. Such inconsistencies can contribute to differences in VaR results.

Valuation Risk

Model errors can occur in the valuation of securities or in hedging. Errors in valuation can result in losses that are hidden within the firm or from external stakeholders. A portfolio can be more exposed to one or more risk factors than the portfolio manager realizes because of hedging errors.

Valuation errors due to inaccurate models are examples of market risk as well as of operational risk. As a market risk phenomenon, they lead, for example, to buying securities that are thought to be cheaply priced in the market, but are in fact
fairly priced or overpriced. As an operational risk phenomenon, the difficulty of valuing some securities accurately makes it possible to record positions or trades as profitable that have in fact lost money.

Model errors can, in principle, be avoided and valuation risk reduced, by relying on market prices rather than model prices. There are several problems with this approach of always marking-to-market and never marking-to-model. Some types of positions, such as longer-term bank commercial loans, have always been difficult to mark-to-market because they do not trade frequently or at all, and because their value is determined by a complex internal process of monitoring by the lender. Accounting and regulatory standards mandating marking such positions to market have been held responsible by some for exacerbating financial instability.

Variability of VaR Estimates

VaR also faces a wide range of practical problems. To understand these better, we'll first briefly sketch the implementation process for risk computation. This entire process and its results are sometimes referred to as the firm's "VaR model." We'll then discuss how implementation decisions can lead to differences in VaR results.

Risk management is generally carried out with the aid of computer systems that automate to some extent the process of combining data and computations, and generating reports. Risk-measurement systems are available commercially. Vendor systems are generally used by smaller financial firms. Large firms generally build their own risk-measurement systems, but may purchase some components commercially.

One particular challenge of implementing risk-measurement systems is that of data preparation. Three types of data are involved:

Market data are time series data on asset prices or other data that we can use to forecast the distribution of future portfolio returns. Obtaining appropriate time series, purging them of erroneous data points, and establishing procedures for handling missing data, are costly but essential for avoiding gross inaccuracies in risk measurement. Even with the best efforts, appropriate market data for some exposures may be unobtainable.

Security master data include descriptive data on securities, such as maturity dates, currency, and units. Corporate securities such as equities and, especially, debt securities present particular challenges in setting up security master databases. To name but one, issuer hierarchy data record which entity within a large holding company a transaction is with. Such databases are difficult to build and maintain, but are extremely important from a credit risk management point of view. Netting arrangements, for example, may differ for trades with different entities. Such issues become crucial if counterparties file for bankruptcy. One important example from the subprime crisis: Recovery by Lehman's counterparties depended in part on which Lehman subsidiary they had faced in the transactions.

Position data must be verified to match the firm's books and records. Position data may have to be collected from many trading systems and across a number of geographical locations within a firm.

To compute a risk measure, software is needed to correctly match up this data, and present it to a calculation engine. The engine incorporates all the formulas or computation procedures that will be used, calling them from libraries of stored procedures. The calculations have to be combined with the data appropriately. Results, finally, must be conveyed to a reporting layer that manufactures documents and tables that human managers can read. All of these steps can be carried out in myriad ways. We focus on two issues, the variability of the resulting measures, and the problem of using data appropriately.

The computation process we've just described applies to any risk measure, not just to VaR, but for concreteness, we focus on VaR. The risk manager has a great deal of discretion in actually computing a VaR. VaR techniques—modes of computation and the user-defined parameters—can be mixed and matched in different ways. Within each mode of computation, there are major variants, for example, the so-called "hybrid" approach of using historical simulation with exponentially weighted return observations. This freedom is a mixed blessing. On the one hand, the risk manager has the flexibility to adapt the way he is calculating VaR to the needs of the firm, its investors, or the nature of the portfolio. On the other hand, it leads to two problems with the use of VaR in practice:

1. There is not much uniformity of practice as to confidence interval and time horizon; as a result, intuition on what constitutes a large or small VaR is underdeveloped.
2. Different ways of measuring VaR would lead to different results, even if there were standardization of confidence interval and time horizon. There are a number of computational and modeling decisions that can greatly influence VaR results, such as
   • Length of time series used for historical simulation or to estimate moments
   • Technique for estimating moments
   • Mapping techniques and the choice of risk factors, for example, maturity bucketing
   • Decay factor if applying EWMA
   • In Monte Carlo simulation, randomization technique and the number of simulations
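The parameter choices just listed, and the same-factor mapping of a hedge discussed under Mapping Issues below, worked through in an added Python example that is not part of the original chapter. The return history, the spread-change series, the DV01s and the size of the basis noise are all constructed for the illustration.

```python
"""Added example (not from the text): one 250-day return history gives
different 1-day 99% VaR figures under implementation choices that are all
standard practice, and a hedge mapped to its exposure's proxy series shows
no risk at all.  Every input below is constructed for the illustration."""
import math
import random
from statistics import NormalDist

CONF = 0.99


def weighted_var(losses, weights, conf=CONF):
    """Loss at which the weight of equal-or-larger losses first reaches
    1 - conf.  Uniform weights give plain historical simulation; declining
    weights give the 'hybrid' variant mentioned in the text."""
    total = sum(weights)
    tail = 0.0
    for loss, w in sorted(zip(losses, weights), reverse=True):
        tail += w / total
        if tail + 1e-12 >= 1.0 - conf:
            return loss
    return min(losses)


def historical_var(returns, window, conf=CONF):
    recent = returns[-window:]
    return weighted_var([-r for r in recent], [1.0] * len(recent), conf)


def hybrid_var(returns, window, lam, conf=CONF):
    """Historical simulation where the newest observation has weight
    1 - lam and each older one is scaled by a further factor lam."""
    recent = returns[-window:]
    weights = [(1 - lam) * lam ** age for age in reversed(range(len(recent)))]
    return weighted_var([-r for r in recent], weights, conf)


def parametric_var(returns, window, conf=CONF, lam=None):
    """Normal VaR (zero mean) with variance from an equal-weighted window
    or, if lam is given, from an EWMA of squared returns."""
    recent = returns[-window:]
    if lam is None:
        variance = sum(r * r for r in recent) / len(recent)
    else:
        variance = recent[0] ** 2
        for r in recent[1:]:                      # oldest to newest
            variance = lam * variance + (1 - lam) * r * r
    return NormalDist().inv_cdf(conf) * math.sqrt(variance)


def constructed_returns(seed=2005):
    """150 quiet days (0.3% daily vol) followed by 100 turbulent days (2.5%)."""
    rng = random.Random(seed)
    quiet = [rng.gauss(0.0, 0.003) for _ in range(150)]
    turbulent = [rng.gauss(0.0, 0.025) for _ in range(100)]
    return quiet + turbulent


def var_table(returns):
    """One portfolio, one history, five defensible VaR numbers."""
    return {
        "hist_sim_250d": historical_var(returns, 250),
        "hist_sim_100d": historical_var(returns, 100),
        "hybrid_250d_lambda_0.94": hybrid_var(returns, 250, 0.94),
        "normal_250d_equal_weight": parametric_var(returns, 250),
        "normal_250d_ewma_0.97": parametric_var(returns, 250, lam=0.97),
    }


def hedged_book_var(sec_dv01, hedge_dv01, sec_chg, hedge_chg, conf=CONF):
    """Historical-simulation VaR of a long securitization (loses when its
    spread widens) hedged by buying protection on a corporate CDS index
    (gains when the index widens).  Changes in bp/day, DV01s in $ per bp."""
    pnl = [hedge_dv01 * dh - sec_dv01 * ds for ds, dh in zip(sec_chg, hedge_chg)]
    return weighted_var([-p for p in pnl], [1.0] * len(pnl), conf)


def basis_risk_demo(seed=2007):
    """Two mappings of the same book: the securitization proxied by the
    corporate series it is hedged with, or given its own series that carries
    a basis component the corporate series lacks (constructed numbers)."""
    rng = random.Random(seed)
    corp = [rng.gauss(0.0, 2.0) for _ in range(250)]       # index spread, bp/day
    basis = [rng.gauss(0.0, 1.5) for _ in range(250)]      # securitization-specific
    own = [c + b for c, b in zip(corp, basis)]
    dv01 = 10_000.0                                       # both legs, $ per bp
    return {
        "proxy_mapping": hedged_book_var(dv01, dv01, corp, corp),
        "own_series": hedged_book_var(dv01, dv01, own, corp),
    }


if __name__ == "__main__":
    for name, value in var_table(constructed_returns()).items():
        print(f"{name:28s} {value:7.2%}")
    for name, value in basis_risk_demo().items():
        print(f"{name:28s} ${value:,.0f}")
```

With the proxy mapping the daily P&L is identically zero, so the measured VaR is zero while the basis exposure is still on the book.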

Chapter 11 Assessing the Quality of Risk Measures ■ 175


Dramatic changes in VaR can be obtained by varying these parameters. In one well-known study (Beder, 1995), the VaRs of relatively simple portfolios consisting of Treasury bonds and S&P 500 index options were computed using different combinations of these parameters, all of them well within standard practice. For example, 100 or 250 days of historical data might be used to compute VaR via historical simulation, or Monte Carlo VaR might be computed using different correlation estimates. For a given time horizon and confidence level, VaR computations differed by a factor of six or seven times. Other oddities included VaR estimates that were higher for shorter time horizons.

A number of large banks publish VaR estimates for certain of their portfolios in their annual reports, generally accompanied by backtesting results. These VaR estimates are generated for regulatory purposes. Perusing these annual reports gives a sense of how different the VaR models can be, as they use inconsistent parameters and cannot be readily compared.

Mapping Issues

Mapping, the assignment of risk factors to positions, can also have a large impact on VaR results. Some decisions about mapping are pragmatic choices among alternatives that each have their pros and cons. An example is the choice between cash flow versus duration-convexity mapping for fixed-income. Cash flow mappings are potentially more accurate than duration mappings, since, in the former, each cash flow is mapped to a fixed income security with a roughly equal discount factor, to which the latter is clearly only an approximation. But cash flow mapping requires using many more risk factors and more complex computations, which are potentially more expensive and entail risks of data errors and other model risks.

In other cases, it may be difficult to find data that address certain risk factors. Such mapping problems may merely mirror the real-world difficulties of hedging or expressing some trade ideas. An example is the practice, said to be widespread prior to the subprime crisis, of mapping residential mortgage-backed securities (RMBS) and other securitized credit products to time series for corporate credit spreads with the same rating. Market data on securitization spreads generally is sparse, available only for very generic types of bonds and hard to update regularly from observed market prices. Prior to the crisis, the spread volatility of investment-grade securitizations was lower than that of corporate bonds with similar credit ratings. Yet during the financial crisis, spreads on securitizations widened, at least relatively, far more than corporate spreads. This episode illustrates not only the model risks attendant on proxy mapping, but also the inefficacy of VaR estimates in capturing large moves in market prices and the importance of stress testing.

Another example is convertible bond trading. Convertible bonds can be mapped to a set of risk factors including, among others, implied volatilities, interest rates, and credit spreads. Such mappings are based on the theoretical price of a convertible bond, which is arrived at using its replicating portfolio. However, at times theoretical and market prices of converts can diverge dramatically. These divergences are liquidity risk events that are hard to capture with market data, so VaR based on the replicating portfolio alone can drastically understate risk. This problem can be mitigated through stress testing.

In some cases, a position and its hedge might be mapped to the same risk factor or set of risk factors. The mapping might be justified on the grounds that the available data do not make it possible to discern between the two closely related positions. The result, however, will be a measured VaR of zero, even though there is a significant basis risk; that is, risk that the hedge will not provide the expected protection. Risk modeling of securitization exposures provides a pertinent example of basis risk, too. Securitizations are often hedged with similarly-rated corporate CDS indexes. If both the underlying exposure and its CDX hedge are mapped to a corporate spread time series, the measured risk disappears.

For some strategies, VaR can be misleading for reasons over and above the distribution of returns and VaR's dependence on specific modeling choices. For some strategies, outcomes are close to binary. One example is event-driven strategies, a broad class of strategies that includes trades that depend on the occurrence of terms of a corporate acquisition or merger, the outcome of bankruptcy proceedings, or of lawsuits. For many such trades, there is no historical time series of return data that would shed light on the range of results. Another example is dynamic strategies, in which the risk is generated by the trading strategy over time rather than the set of positions at a point in time.

Case Study: The 2005 Credit Correlation Episode

An episode of volatility in the credit markets that occurred in the late spring of 2005 provides a case study of model risk stemming from misinterpretation and misapplication of models. Some traders suffered large losses in a portfolio credit trade in which one dimension of risk was hedged in accordance with a model, while another dimension of risk was neglected. We start by reviewing the mechanics of the trade, which involved credit derivatives based on CDX.NA.IG, the investment grade CDS index.

Description of the Trade and Its Motivation

A widespread trade among hedge funds, as well as proprietary trading desks of banks and brokerages, was to sell protection on
the equity tranche and buy protection on the junior mezzanine tranche of the CDX.NA.IG. The trade was thus long credit and credit-spread risk through the equity tranche and short credit and credit-spread risk through the mezzanine. It was executed using several CDX.NA.IG series, particularly the IG3 introduced in September 2004 and the IG4 introduced in March 2005.

The trade was designed to be default-risk-neutral at initiation, by sizing the two legs of the trade so that their credit spread sensitivities were equal. The motivation of the trade was not to profit from a view on credit or credit spreads, though it was primarily oriented toward market risk. Rather, it was intended to achieve a positively convex payoff profile. The portfolio of two positions would then benefit from credit spread volatility. In addition, the portfolio had positive carry; that is, it earned a positive net spread. Such trades are highly prized by traders, for whom they are akin to delta-hedged long option portfolios in which the trader receives rather than paying away time value.

To understand the trade and its risks, we can draw on the tools we developed earlier. The securities in the extended example are similar enough in structure to the standard tranches of the CDX.NA.IG that we can mimic the trade and understand what went wrong. Let's set up a trade in tranches of the illustrative CLO that is similar in structure and motivation to the standard tranche trade we have been describing. The trade takes a long credit risk position in the equity tranche and an offsetting short credit position in the mezzanine bond. Bear in mind that we would be unlikely, in actual practice, to be able to take a short position in a cash securitization, since the bond would be difficult to locate and borrow. We might be able to buy protection on the mezzanine tranche through a CDS, but the dealer writing it would probably charge a high spread to compensate for the illiquidity of the product and the difficulty of hedging it, in addition to the default and correlation risk. The standard tranches are synthetic CDS and their collateral pools also consist of CDS. They are generally more liquid than most other structured products, so it is easier to take short as well as long positions in them.

To determine the hedge ratio, that is, the amount of the mezzanine we are to short, we use the default sensitivities, the default01s. These are credit-risk sensitivities, while the 2005 CDX trade employed market-risk sensitivities, the spread01s. But the mechanics of hedging are similar. We assume that, at the time the trade is initiated, the expected default rate and implied correlation are π = 0.03 and ρ = 0.30. The default01 of a $1,000,000 notional position in the equity is −$6,880. The default01 of the mezzanine is −0.07212 times the notional value, so the default01 of a $1,000,000 notional position is −$721. With a hedge ratio of about 9.54—that is, shorting $9,540,000 of par value of the mezzanine for every $1,000,000 notional of long equity—we create a portfolio that, at the margin, is default-risk neutral.

Figure 11.1 illustrates how the trade was set up. At a default rate of 0.003, the portfolio has zero sensitivity to a small rise or decline in defaults. But the trade has positive convexity. The equity cheapens at a declining rate in response to spread widening. A noteworthy feature is that, because at low default rates the mezzanine tranche has negative convexity, the short position adds positive convexity to the portfolio. The trade benefits from changes in the default rate in either direction. The actual CDX trade benefitted from large credit spread changes. It behaved, in essence, like an option straddle on credit spreads. In contrast to a typical option, however, this option, when expressed using the CDX standard tranches at the market prices prevailing in early 2005, paid a premium to its owner, rather than having negative net carry.

[Figure 11.1 Convexity of CLO liabilities. The graph plots the P&L, for varying default rates, of a portfolio consisting of (1) a long credit position in the equity tranche of the CLO with a notional amount of $1,000,000, and (2) a short credit position in the mezzanine tranche of the same CLO with a notional amount of $1,000,000 times the hedge ratio of 9.54, that is, a par value of $9,540,000. The P&Ls of the constituent positions are also plotted. The default rates vary in the graph, but the correlation is fixed at 0.30. That is, the hedge ratio is set at a default rate of 3 percent, and a correlation of 0.30, but only the default rate is permitted to vary in the plot. The default rates are measured on the horizontal axis as decimals. The P&L is expressed on the vertical axis in millions of dollars.]

In the actual standard tranche trade, the mechanics were slightly different. Since the securities were synthetic CDO liabilities, traders used spread sensitivities; that is, spread01s or risk-neutral default01s, rather than actuarial default01s. The sensitivities used were not to the spreads of the underlying


constituents of the CDX.NA.IG, but to the tranche spread. The hedge ratio in the actual trade was the ratio of the P&L impact of a 1 bp widening of CDX.NA.IG on the equity and on the junior mezzanine tranches. The hedge ratio was between 1.5 and 2 at the beginning of 2005, lower than our example's 9.54, and at the prevailing tranche spreads, resulted in a net flow of spread income to the long equity/short mezz trade. However, the trade was set up at a particular value of implied correlation. As we will see, this was the critical error in the trade.

One additional risk should be highlighted, although it did not in the end play a crucial role in the episode we are describing: The recovery amount was at risk. In the event of a default on one or more of the names in the index, the recovery amount was not fixed but a random variable.

The Credit Environment in Early 2005

In the spring of 2005, the credit markets came under pressure, focused on the automobile industry, but not limited to it. The three large U.S.-domiciled original equipment manufacturers (OEMs), Ford, General Motors (GM), and Chrysler, had long been troubled. For decades, the OEMs had been among the most important companies in the U.S. investment-grade bond market, both in their share of issuance and in their benchmark status. The possibility of their being downgraded to junk was new and disorienting to investors. They had never been constituents of the CDX.NA.IG, but two "captive finance" companies, General Motors Acceptance Co. (GMAC) and Ford Motor Credit Co. (FMCC), were.

A third set of companies at the core of the automotive industries were the auto parts manufacturers. Delphi Corp. had been a constituent of IG3, but had been removed in consequence of its downgrade below investment grade. American Axle Co. had been added to IG4.

From a financial standpoint, the immediate priority of the OEMs had been to obtain relief from the UAW auto workers union from commitments to pay health benefits to retired workers. The "hot" part of the 2005 crisis began with two events in mid-April, the inability of GM and the UAW to reach an accord on benefits, and the announcement by GM of large losses. On May 5, GM and Ford were downgraded to junk by S&P. Moody's did the same soon after. The immediate consequence was a sharp widening of some corporate spreads, including GMAC and FMCC and other automotive industry names. Collins and Aikman, a major parts manufacturer, filed for Chapter 13 protection from creditors in May. Delphi and Visteon, another large parts manufacturer, filed later in 2005.

The two captive finance arms and the two auto parts manufacturers American Axle and Lear together constituted 4 out of the 125 constituents of the IG4. The market now contemplated the possibility of experiencing several defaults in the IG3 and IG4. The probability of extreme losses in the IG3 and IG4 standard equity tranches had appeared to be remote; it now seemed a distinct possibility. Other credit products also displayed sharp widening; the convertible bond market, in particular, was experiencing one of its periodic selloffs, as seen in Figure 17-2.

The automotive and certain other single-name spreads widened sharply, among them GMAC and FMCC. The IG indexes widened in line with the widening in their constituents, many of which did not widen at all. The pricing of the standard tranches, however, experienced much larger changes, brought about by the panicky unwinding of the equity-mezzanine tranche trade. Figure 11.3 shows the behavior of credit spreads and the price of the standard equity tranche during the episode.

• The mark-to-market value of the equity tranche dropped sharply. This can be seen in the increase in points upfront that buyers of protection had to pay.
• The implied correlation of the equity tranche dropped sharply. Stated equivalently, its mark-to-market value dropped more and its points upfront rose more sharply than the widening of the IG4 spread alone would have dictated.
• The junior mezzanine tranche experienced a small widening, and at times even some tightening, as market participants sought to cover positions by selling protection on the tranche, that is, taking on long credit exposures via the tranche.
• The relative value trade as a whole experienced large losses.

The implied correlation fell for two reasons. The automotive parts supplier bankruptcies had a direct effect. All were in the IG4, which meant that about 10 percent of that portfolio was now near a default state. But the correlation fell also because the widening of the IG4 itself was constrained by hedging. The short-credit position via the equity tranche could be hedged by selling protection on a modest multiple of the mezzanine tranche, or a large multiple of the IG4 index. Although spreads were widening and the credit environment was deteriorating, at least some buyers of protection on the IG4 index found willing sellers among traders long protection in the equity tranche who were covering the short leg via the index as well as via the mezzanine tranche itself.

Modeling Issues in the Setup of the Trade

The relative value trade was set up in the framework of the standard copula model, using the analytics described earlier. These analytics were simulation-based, using risk-neutral default probabilities or hazard-rate curves derived from single-name CDS. The timing of individual defaults was well modeled. Traders
generally used a normal copula. The correlation assumption might have been based on the relative frequencies of different numbers of joint defaults, or, more likely, on equity return correlations or prevailing equity implied correlations.

In any event, the correlation assumption was static. This was the critical flaw, rather than using the "wrong" copula function, or even the "wrong" value of the correlation. The deltas used to set the proportions of the trade were partial derivatives that did not account for changing correlation. Changing correlation drastically altered the hedge ratio between the equity and mezzanine tranches, which more or less doubled to nearly 4 by July 2005. In other words, traders needed to sell protection on nearly twice the notional value of the mezzanine tranche in order to maintain spread neutrality in the portfolio.

Figure 11.2 displays the P&L profile of the trade for different spreads and correlations, again using the CLO example. The portfolio P&L plotted as a solid line in Figure 11.1 is a cross-section through Figure 11.2 at a correlation of 0.30. Figure 11.2 shows that the trade was profitable for a wide range of spreads, but only if correlation did not fall. If correlation fell abruptly, and spreads did not widen enough, the trade would become highly unprofitable.

[Figure 11.2 Correlation risk of the convexity trade. The graph plots the P&L of the convexity trade for default rates from 0.0075 to 0.0825 per annum and constant pairwise Gaussian copula correlations from 0.0 to 0.5. The P&L is expressed on the vertical (z) axis in millions of dollars.]

The model did not ignore correlation, but the trade thesis focused on anticipated gains from convexity. The flaw in the model could have been readily corrected if it had been recognized. The trade was put on at a time when copula models and the concept of implied correlation generally had only recently been introduced into discussions among traders, who had not yet become sensitized to the potential losses from changes in correlation. Stress testing correlation would have revealed the risk. The trade could also have been hedged against correlation risk by employing an overlay hedge: that is, by going long single-name protection in high default-probability names. In this sense, the "arbitrage" could not be captured via a two-leg trade, but required more components.

[Figure 11.3 The graph plots the implied or base correlation of the equity (0-3 percent) tranche (solid line, percent, left axis), the price of the equity tranche (dashed line, points upfront, right axis), and the CDX IG4 spread (dotted line, basis points, right axis). Source: JPMorgan Chase.]

Chapter 11 Assessing the Quality of Risk Measures ■ 179


Case Study: Subprime Default Models

Among the costliest model risk episodes was the failure of subprime residential mortgage-based security (RMBS) valuation and risk models. These models were employed by credit-rating agencies to assign ratings to bonds, by traders and investors to value the bonds, and by issuers to structure them. While the models varied widely, two widespread defects were particularly important:

• In general, the models assumed positive future house price appreciation rates. In the stress case, house prices might fail to rise, but would not actually drop. The assumption was based on historical data, which was sparse, but suggested there had been no extended periods of falling house prices on a large scale in any relevant historical period. House prices did in fact drop very severely starting in 2007. Since the credit quality of the loans depended on the borrowers' ability to refinance the loans without additional infusions of equity, the incorrect assumption on house price appreciation led to a severe underestimate of the potential default rates in underlying loan pools in an adverse economic scenario.

• Correlations among regional housing markets were assumed to be low. Bonds based on pools of loans from different geographical regions were therefore considered well-diversified. In the event, while house prices fell more severely in some regions than others, they fell— and loan defaults were much higher than expected in a stress scenario— in nearly all.

Together, these model errors or inappropriate parameters led to a substantial underestimation of the degree of systematic risk in subprime RMBS returns. Once the higher-than-expected default rates began to materialize, the rating agencies were obliged to downgrade most RMBS. The large-scale downgrades of AAA RMBS were particularly shocking to the markets, as it was precisely these that revealed the extent to which systemic risk had been underestimated and mispriced. As of the end of 2009, about 45 percent of U.S. RMBS with original ratings of AAA had been downgraded by Moody's.2

The inaccuracy of rating agency models for subprime RMBS is a complex phenomenon with a number of roots. Some observers have identified the potential conflict of interest arising from compensation of rating agencies by bond issuers as a factor in driving ratings standards lower. Others have focused on reaching for yield and the high demand for highly rated bonds with even modestly higher yields.

As we saw earlier in this chapter, a number of instances of mapping problems, contributing to seriously misleading risk measurement results, arose in securitization and structured credit products. Up until relatively recently, little time-series data was available covering securitized credit products. Highly rated securitized products were often mapped to time series of highly rated corporate bond spread indexes in risk measurement systems, or, less frequently, to the ABX index family, introduced in 2006. VaR measured using such mappings would have indicated that the bonds were unlikely under any circumstances to lose more than a few points of value. As can, however, be seen in Figure 11.4, the ABX index of the most highly rated RMBS lost 70 percent of their value during the subprime crisis. Somewhat lower, but still investment-grade RMBS lost almost all their value. Securitizations suffered far greater losses than corporate bonds. Losses varied greatly by asset class, the year in which they were issued, or "vintage," and position in the capital structure. The corporate-bond and ABX mappings were highly misleading and would have understated potential losses by several orders of magnitude for investment-grade bonds. Similar issues arose for CMBS, and their relationship to the ratings curves and the CMBX, an index of CMBS prices analogous to the ABX.

Figure caption: Rolling indexes of AAA, A, and BBB- ABX. For each index, the graph displays the most recent vintage. Source: JPMorgan Chase.

2 See Moody's Investors Service (2010), p. 19.

180 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Risk Capital Attribution and Risk-Adjusted Performance Measurement

Learning Objectives

After completing this reading you should be able to:

• Define, compare, and contrast risk capital, economic capital, and regulatory capital, and explain methods and motivations for using economic capital approaches to allocate risk capital.
• Describe the RAROC (risk-adjusted return on capital) methodology and its use in capital budgeting.
• Compute and interpret the RAROC for a project, loan, or loan portfolio, and use RAROC to compare business unit performance.
• Explain challenges that arise when using RAROC for performance measurement, including choosing a time horizon, measuring default probability, and choosing a confidence level.
• Calculate the hurdle rate and apply this rate in making business decisions using RAROC.
• Compute the adjusted RAROC for a project to determine its viability.
• Explain challenges in modeling diversification benefits, including aggregating a firm's risk capital and allocating economic capital to different business lines.
• Explain best practices in implementing an approach that uses RAROC to allocate economic capital.

Excerpt is Chapter 17 of The Essentials of Risk Management, Second Edition, by Michel Crouhy, Dan Galai, and Robert Mark.

This chapter takes a look at the roles of risk capital and at how risk capital can be attributed to business lines as part of a risk-adjusted performance measurement (RAPM) system. RAPM represents a key challenge for financial institutions and nonfinancial firms around the world today. Only by forging a connection between risk measurement, risk capital, risk-based pricing, and performance measurement can firms ensure that the decisions they take reflect the interests of stakeholders such as bondholders and shareholders.

12.1 WHAT PURPOSE DOES RISK CAPITAL SERVE?

Risk capital is the cushion that provides protection against the various risks inherent in the business of a corporation so that the firm can maintain its financial integrity and remain a going concern even in the event of a near-catastrophic worst-case scenario. Risk capital gives essential confidence to the corporation's stakeholders, such as suppliers, clients, and lenders (for an industrial firm), or claim holders, such as depositors and counterparties in financial transactions (for a financial institution).

Risk capital is often called economic capital, and in most instances the generally accepted convention is that risk capital and economic capital are identical (although later in this chapter we introduce a slight wrinkle by defining economic capital as risk capital plus strategic capital).

We should be careful not to confuse the concept of risk capital, which is intended to capture the economic realities of the risks a firm runs, and regulatory capital. First, regulatory capital only applies to a few regulated industries, such as banking and insurance companies, where regulators are trying to protect the interests of small depositors or policy holders. Second, while regulatory capital performs something of the same function as risk capital in the regulators' eyes, it is calculated according to a set of industrywide rules and formulas and sets only a minimum required level of capital adequacy. It rarely succeeds in capturing the true level of risk in a firm— the gap between a firm's regulatory capital and its risk capital can be quite wide. Furthermore, even if regulatory and risk capital are similar numbers at the level of the firm, they may not be similar for each constituent business line (i.e., regulatory capital may suggest that an activity is much riskier than management believes to be the case, or vice versa).1

The new regulatory capital requirements imposed by Basel III make it likely that for some activities, such as securitization, regulatory capital may end up much higher than economic capital. Still, economic capital calculation is essential for senior management as a benchmark to assess the economic viability of the activity for the financial institution. When regulatory capital is much larger than economic capital, then it is likely that over time the activity will migrate to the shadow banking sector, which can price the transactions at a more attractive level.

Risk capital measurement is based on the same concepts as the value-at-risk (VaR) calculation methodology. Indeed, risk capital numbers are often derived from, or supported by, sophisticated internal VaR models. However, the choice of the confidence level and time horizon when using VaR to calculate risk capital are key policy parameters that should be set by senior management (or the senior risk management committee). Usually, these decisions should be endorsed by the board.

Risk capital should be calculated in such a way that the institution can absorb unexpected losses up to a level of confidence in line with the requirements of the firm's various stakeholders. No firm can offer its stakeholders a 100 percent guarantee (or confidence level) that it holds enough risk capital to ride out any eventuality. Instead, risk capital is calculated at a confidence level set at less than 100 percent— say, 99.9 percent for a firm with conservative stakeholders. In theory, this means that there is a probability of around 1/10 of 1 percent that actual losses will exceed the amount of risk capital set aside by the firm over the given time horizon (generally one year).2 The exact choice of confidence level is typically associated with some target credit rating from a rating agency such as Moody's, Standard & Poor's, and Fitch, as these ratings are themselves explicitly associated with a probability of default. It should also be in line with the firm's stated risk appetite.

12.2 EMERGING USES OF RISK CAPITAL NUMBERS

Risk capital is traditionally used to answer the question, "How much capital is required for our firm to remain solvent, given our risky activities?" As soon as a firm can answer this question, it can move on to solve many other management problems. Recently, therefore, risk capital numbers have been used to answer more and more questions, particularly in banks and

1 This leads to various conundrums in allocating capital and capital costs to business lines. For example, some practitioners square the circle by allocating the higher of regulatory capital or economic capital to the business line.

2 In reality, the risk capital model suffers from the model risks we discussed in Chapter 10, and the results require careful interpretation. Most firms use the output of their capital model as one key input into a wider set of judgments about the amount of capital the firm should hold.

BOX 12.1 WHY IS ECONOMIC CAPITAL SO IMPORTANT TO FINANCIAL INSTITUTIONS?

Allocating risk capital using economic capital approaches is important for financial institutions for at least four reasons.

First, capital is primarily used in a financial institution not only to provide funding for investments (as for a manufacturing corporation) but also to absorb risk. The fundamental reason for this is that financial institutions can leverage themselves to a much higher degree than other corporations at a much lower cost without raising equity, by taking retail deposits or issuing debt securities. (Their debt-to-equity ratio might be as high as 20 to 1, compared to perhaps 2 to 1 for an industrial corporation.) Moreover, many activities undertaken by financial institutions, such as derivatives trading, writing guarantees, issuing letters of credit, and other contingent commitments, do not require significant financing. Yet all these activities draw to some extent on the bank's stock of risk capital, and therefore a risk capital cost must be imputed to each activity.

This brings us to the second reason: a bank's target solvency is a vital part of the product the bank is selling. In contrast to an industrial company, the primary customers of banks and other financial institutions are also their primary liability holders— e.g., depositors, derivatives counterparties, insurance policy holders, and so on. These customers are concerned about default risk on contractually promised payments. Customers make deposits with the expectation that the safety of their deposits does not depend on the economic performance of the bank. In over-the-counter markets, institutions are concerned about counterparty risk: a bank with a poor credit rating will find itself excluded from many markets. Maintaining good creditworthiness is therefore an ongoing cost of doing business for a bank.

Third, although bank creditworthiness is critical, banks are also highly opaque institutions. Banks use proprietary technology for pricing and hedging financial instruments, especially complex financial transactions. A typical bank's balance sheet is relatively liquid and can change very quickly. Any outside assessment of the creditworthiness of a bank is therefore difficult to develop and rapidly becomes obsolete (as the risk profile of the bank keeps on changing). Maintaining enough risk capital and implementing a strong risk management culture allows the bank to reduce these "agency costs" by convincing external stakeholders, including rating agencies, of the bank's financial integrity.

Fourth, banks operate in highly competitive financial markets. Increasingly, this makes bank profitability very sensitive to the bank's cost of capital. Banks don't want to carry too much risk capital, because risk capital represents the money invested in the bank that does not have to be repaid under any fixed contractual agreement (e.g., equity capital). This flexibility, which allows risk capital to act as a safety buffer for the bank if times are hard, means that risk capital is relatively expensive to raise and hold (e.g., compared to debt capital). But banks can't carry too little risk capital, for reasons we've already made clear. So understanding the dynamic balance between the capital the bank carries and the riskiness of its activities is very important.

other financial institutions. (Box 12.1 explains why risk-based calculations are so important for financial institutions.) These new uses include:

• Performance measurement and incentive compensation at the firm, business unit, and individual levels. Risk capital can be plugged into risk-based capital attribution systems, often grouped together under the acronym RAPM (risk-adjusted performance measurement) or RAROC (risk-adjusted return on capital). These systems, a key focus of this chapter, provide both management and external stakeholders with a risk-adjusted measure of performance of various businesses. The measure can be used to compare the economic profitability, as opposed to the accounting profitability (such as return on book equity), of different activities. At the same time, RAROC3 numbers can be used as part of scorecards to compensate the senior management of particular business lines, as well as the infrastructure group, for their contribution to shareholder value. Since the 2007-2009 financial crisis, firms have laid a greater emphasis on compensation schemes that adjust for risk in some manner (as well as on complementary mechanisms such as deferral periods and clawbacks).

• Active portfolio management for entry/exit decisions. The decision to enter or exit a particular business should be based on both risk-adjusted performance measurement and the "risk diversification effect" of the business. For example, a firm that is focused on corporate lending in a particular region is likely to find that its returns fluctuate in accordance with that region's business cycle. Ideally, the firm might diversify its business geographically or in terms of business activity. Capital management decisions seek an answer to the question, "How much value will be created if the decision is taken to allocate resources to a new or existing business, or alternatively to close down an activity?"

3 For an informal survey of how firms use economic capital and RAROC, see T. Baer et al., The Use of Economic Capital in Performance Management for Banks: A Perspective, McKinsey Working Papers on Risk, No. 24, January 2011.

Chapter 12 Risk Capital Attribution and Risk-Adjusted Performance Measurement ■ 183


• Pricing transactions. Risk capital numbers can be used to calculate risk-based pricing for individual transactions. Risk-based pricing is attractive because it ensures that a firm is compensated for the economic risk generated by a transaction. For example, common sense tells us that a loan to a non-investment-grade firm that is in relatively fragile financial condition must be priced higher than a loan to an investment-grade firm. However, the amount of the differential can be determined only by working out the amount of expected loss and the cost of the risk capital that has to be set aside for each transaction. Trading and corporate loan desks in many banks rely on the "marginal economic capital requirement" component in the RAROC calculation to price deals in advance— and to decide whether those deals will increase shareholder value rather than simply add to the volume of transactions.

One problem is that a single measure of risk capital cannot accommodate the four different purposes that we have just described. We'll look at the solution to this later on.

12.3 RAROC: RISK-ADJUSTED RETURN ON CAPITAL

RAROC is an approach— simple at the conceptual level— that is used to allocate risk capital to business units and individual transactions for the purpose of measuring economic performance. Originally proposed by Bankers Trust in the late 1970s, the approach makes clear the trade-off between risk and reward for a unit of capital and, therefore, offers a uniform and comparable measure of risk-adjusted performance across all business activities. If a business unit's RAROC is higher than the cost of the bank's equity (the minimum rate of return on equity required by the shareholders), then the business unit is deemed to be adding value to shareholders. Senior management can use this measure to evaluate performance for capital budgeting purposes, and as an input to the compensation for managers of business units.

The generic RAROC equation is really a formalization of the trade-off between risk and reward. It reads:

RAROC = (after-tax expected risk-adjusted net income) / (economic capital)

We can see that the RAROC equation employs economic capital as a proxy for risk and after-tax expected risk-adjusted net income as a proxy for reward. Later, we elaborate on how to measure both the numerator and the denominator of the RAROC equation, and on how to tackle the "hurdle-rate" issue— that is, once we know our RAROC number, how do we know if this number is good or bad from a shareholder's perspective?

Before beginning this discussion, however, we must acknowledge that the generic RAROC equation is one of a family of approaches, all with strengths and weaknesses. The definition of RAROC that we've just offered corresponds to industry practice and can be thought of as the traditional RAROC definition. Box 12.2 presents several variants grouped under the label RAPM (risk-adjusted performance measures).

BOX 12.2 RAPM (RISK-ADJUSTED PERFORMANCE MEASUREMENT) ZOOLOGY

It's long been recognized that traditional accounting-based measures of performance at the consolidated level and for individual business units, such as return on assets (ROA) or return on book equity (ROE), fail to capture the risk of the underlying activity. The amounts of both book assets and book equity, which are accounting measures, are poor proxies for risk measures. Furthermore, accounting income misses some critical risk adjustments, such as expected loss.

RAPM (risk-adjusted performance measurement) is a generic term describing all the techniques used to adjust returns for the risk incurred in generating those returns. It encompasses many different concepts, risk adjustments, and performance measures, with RAROC being the form that is most widely used in the banking sector. These RAPM measures are not fully consistent with one another. In the main text, we propose an adjusted RAROC measure that is consistent with the capital asset pricing model (CAPM) and, therefore, with the NPV measure defined here.

• RAROC (risk-adjusted return on capital) = risk-adjusted expected net income / economic capital. RAROC makes the risk adjustment to the numerator by subtracting a risk factor from the return— e.g., expected loss. RAROC also makes the risk adjustment to the denominator by substituting economic capital for accounting capital.
• RORAC (return on risk-adjusted capital) = net income / economic capital. RORAC makes the risk adjustment solely to the denominator. In practical applications, RORAC = P&L (profit and loss) / VaR.
• ROC (return on capital) = RORAC. It is also called ROCAR (return on capital at risk).
• RORAA (return on risk-adjusted assets) = net income / risk-adjusted assets.
• RAROA (risk-adjusted return on risk-adjusted assets) = risk-adjusted expected net income / risk-adjusted assets.
• S (Sharpe ratio) = (expected return — risk-free rate) / volatility. The ex post Sharpe ratio— i.e., that based on actual returns rather than expected returns— can be shown to be a multiple of ROC.1
• NPV (net present value) = discounted value of future expected cash flows, using a risk-adjusted expected rate of return based on the beta derived from the CAPM, where risk is defined in terms of the covariance of changes in the market value of the business with changes in the value of the market portfolio. In the CAPM, the definition of risk is restricted to the systematic component of risk that cannot be diversified away. For RAROC calculations, the risk measure captures the full volatility of earnings, systematic and specific. NPV is particularly well suited for ventures in which the expected cash flows over the life of the project can be easily identified.
• EVA (economic value added), or NIACC (net income after capital charge), is the after-tax adjusted net income less a capital charge equal to the amount of economic capital attributed to the activity, times the after-tax cost of equity capital. The activity is deemed to add shareholder value, or is said to be EVA positive, when its NIACC is positive (and vice versa). An activity whose RAROC is above the hurdle rate is also EVA positive.1

1 See David Shimko, "See Sharpe or Be Flat," Risk 10(6), 1997, p. 33.
2 EVA is a registered trademark of Stern Stewart & Co.

12.4 RAROC FOR CAPITAL BUDGETING

The decision to invest in a new project or a new business venture, or to expand or close down an existing business line, has to be made before the true performance of the activity is known— no manager has a crystal ball. When implementing the generic after-tax RAROC equation for capital budgeting, industry practice therefore interprets it as meaning

RAROC = (expected revenues - costs - expected losses - taxes + return on risk capital +/- transfers) / economic capital

where

• Expected revenues are the revenues that the activity is expected to generate (assuming no losses).
• Costs are the direct expenses associated with running the activity (e.g., salaries, bonuses, infrastructure expenses, and so on).
• Expected losses, in a banking context, are primarily the expected losses from default; they correspond to the loan loss reserve that the bank must set aside as the cost of doing business. Because this cost, like other business costs, is priced into the transaction in the form of a spread over funding cost, there is no need for risk capital as a buffer to absorb this risk. Expected losses also include the expected loss from other risks, such as market risk and operational risk.
• Taxes are the expected amount of taxes imputed to the activity using the effective tax rate of the company.
• Return on risk capital is the return on the risk capital allocated to the activity. It is generally assumed that this risk capital is invested in risk-free securities, such as government bonds.
• Transfers correspond to transfer pricing mechanisms, primarily between the business unit and the treasury group, such as charging the business unit for any funding cost incurred by its activities and any cost of hedging interest rate and currency risks; it also includes overhead cost allocation from the head office.
• Economic capital is the sum of risk capital and strategic capital where

strategic risk capital = goodwill + burned-out capital

Our last bullet point deserves some explanation. Risk capital is the capital cushion that the bank must set aside to cover the worst-case loss (minus the expected loss) from market, credit, operational, and other risks, such as business risk and reputation risk, at the required confidence threshold (e.g., 99 percent). Risk capital is directly related to the value-at-risk calculation at the one-year time horizon and at the institution's required confidence level.

Strategic risk capital refers to the risk of significant investments about whose success and profitability there is high uncertainty. If the venture is not successful, then the firm will usually face a major write-off, and its reputation will be damaged. Current practice is to measure strategic risk capital as the sum of burned-out capital and goodwill. Burned-out capital refers to the idea that capital is spent on, say, the initial stages of starting up a business but the business may ultimately not be kicked off due to projected inferior risk-adjusted returns. It should be viewed as an allocation of capital to account for the risk of strategic failure of recent acquisitions or other strategic initiatives built organically. This capital is amortized over time as the risk of strategic failure dissipates. The goodwill element corresponds to the investment premium— i.e., the amount paid above the replacement value of the net assets (assets — liabilities) when acquiring a company. (Usually, the acquiring company is



prepared to pay a premium above the fair value of the net assets because it places a high value on intangible assets that are not recorded on the target's balance sheet.) Goodwill is also depreciated over time.

Some banks also allocate risk capital for unused risk limits, because risk capacity that can be tapped at any moment by the business units represents a potentially costly facility (in terms of the adjustments to risk capital the firm as a whole might have to make if the credit line were drawn upon).

Figure 12.1 The RAROC equation. (Diagram: RAROC = After-Tax Risk-Adjusted Expected Return [expected revenues - expected losses - taxes + return on economic capital +/- transfer] / Economic Capital [risk capital for credit risk, market risk, operational risk, etc., plus strategic risk capital]. The loss distribution shows an expected loss of 15 bp and a loss of 165 bp at the 99 percent confidence level; the difference, 150 bp, is the capital, and the probability of losses greater than this amount is equal to 1 percent.)

Figure 12.1 shows the linkage between a risk loss distribution and the RAROC calculation. We show both the expected loss— in this example, 15 basis points (bps)— and the worst-case loss, 165 bps, at the desired confidence level (in this example, 99 percent) for the loss distribution derived over a given horizon, say one year. The unexpected loss is, therefore, the difference between the total loss and the expected loss— that is, 150 bps at the 99 percent confidence level— over a one-year horizon. The unexpected loss corresponds to the risk capital allocated to the activity.

Now that we understand the trickiest part of the RAROC equation, unexpected loss, we can look at a practical example of how to plug numbers into the RAROC equation.

Let us assume that we want to identify the RAROC of a $1 billion corporate loan portfolio that offers a headline return of 9 percent. The bank has an operating direct cost of $9 million per annum and an effective tax rate of 30 percent. We'll assume that the portfolio is funded by $1 billion of retail deposits with a transfer priced interest charge of 6 percent. Risk analysis of the unexpected losses associated with the portfolio tells us that we need to set economic capital of around $75 million (i.e., 7.5 percent of the loan amount) against the portfolio. We know that this economic capital must be invested in risk-free securities, rather than being used to fund risky activities, and that the risk-free interest rate on government securities is 5 percent. The expected loss on this portfolio is assumed to be 1 percent per annum (i.e., $10 million).

If we ignore transfer price considerations, then the after-tax RAROC for this loan is:

RAROC = (90 - 9 - 60 - 10 + 3.75) x (1 - 0.3) / 75 = 0.14 = 14%

where $90 million is the expected revenue, $9 million is the operating cost, $60 million is the interest expense (6 percent of the $1 billion in borrowed funds), $10 million is the expected loss, and $3.75 million (= 0.05 x $75 million) is the return on economic capital.

The RAROC for this loan portfolio is 14 percent. This number can be interpreted as the annual after-tax expected rate of return on equity needed to support this loan portfolio.

12.5 RAROC FOR PERFORMANCE MEASUREMENT

We should emphasize at this point that RAROC was first suggested as a tool for capital allocation on an anticipatory or ex ante basis. Hence, expected revenues and losses should be plugged into the numerator of the RAROC equation for capital budgeting purposes. When RAROC is used for ex post, or after the fact, performance evaluation, we can use realized revenues and realized losses, rather than expected revenues and losses, in our calculation.

RAROC Horizon

All of the quantities that we plug into the RAROC equation must be calculated on the basis of a particular time horizon, such as a one-year horizon or over the lifetime of a deal.4 Box 12.3

4 This chapter focuses on single-period RAROC models, while some large banks have moved to a multiperiod RAROC modeling approach in order to better measure RAROC over the life of long-running transactions and loans. However, major methodological issues are still unresolved when the risk of a transaction, such as a swap, or a portfolio changes substantially from one period to the next. In that case, which amount of economic capital should be allocated to the transaction or the portfolio? Allocating some average amount of capital would lead to undercapitalization and overcapitalization depending on the period.
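The capital-budgeting RAROC equation and the loss-distribution linkage of Figure 12.1, worked through in code as an added example (not code from the original chapter). It reproduces the $1 billion loan portfolio above, backs risk capital out of a constructed basis-point loss sample as the confidence-level quantile minus the mean, and uses Box 12.2's NIACC definition with an assumed cost of equity to check the EVA sign.

```python
"""Capital-budgeting RAROC (Section 12.4) and the loss-distribution linkage of
Figure 12.1. Added example for this page, not code from the original chapter."""
from dataclasses import dataclass
from math import ceil


def expected_loss(losses):
    """Mean of the loss observations: the part priced into the spread."""
    return sum(losses) / len(losses)


def worst_case_loss(losses, confidence):
    """Empirical quantile: the smallest loss L such that at least `confidence` of
    the observations are no larger than L (the 'total loss' of Figure 12.1)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    ordered = sorted(losses)
    # round() guards against float noise such as 0.99 * 100 = 98.99999...
    rank = ceil(round(confidence * len(ordered), 9))
    return ordered[max(rank, 1) - 1]


def unexpected_loss(losses, confidence):
    """Risk capital = worst-case loss at the confidence level minus expected loss."""
    return worst_case_loss(losses, confidence) - expected_loss(losses)


def risk_capital_dollars(losses_bp, confidence, notional):
    """Translate the unexpected loss in basis points into a capital cushion
    in the same units as `notional`."""
    return unexpected_loss(losses_bp, confidence) / 10_000 * notional


@dataclass(frozen=True)
class Activity:
    """Inputs to the after-tax RAROC equation, all in $ millions per annum."""
    expected_revenue: float   # revenues assuming no losses
    costs: float              # direct operating expenses
    interest_expense: float   # transfer-priced funding cost on borrowed funds
    expected_loss: float      # loan-loss-reserve style expected loss
    economic_capital: float   # risk capital (+ strategic capital, if any)
    tax_rate: float           # effective tax rate
    risk_free_rate: float     # economic capital is assumed invested risk-free
    transfers: float = 0.0    # other +/- transfer items (ignored in the page's example)


def return_on_risk_capital(a):
    return a.risk_free_rate * a.economic_capital


def after_tax_net_income(a):
    pre_tax = (a.expected_revenue - a.costs - a.interest_expense - a.expected_loss
               + return_on_risk_capital(a) + a.transfers)
    return pre_tax * (1.0 - a.tax_rate)


def raroc(a):
    """After-tax expected risk-adjusted net income over economic capital."""
    return after_tax_net_income(a) / a.economic_capital


def niacc(a, after_tax_cost_of_equity):
    """Net income after capital charge (EVA) from Box 12.2: after-tax net income
    less economic capital times the after-tax cost of equity capital.
    The cost of equity is an assumed input; the page does not give one."""
    return after_tax_net_income(a) - a.economic_capital * after_tax_cost_of_equity


# The page's $1 billion corporate loan portfolio, ignoring transfer prices.
LOAN_PORTFOLIO = Activity(
    expected_revenue=90.0,   # 9 percent headline return on $1 billion
    costs=9.0,
    interest_expense=60.0,   # 6 percent charge on $1 billion of deposits
    expected_loss=10.0,      # 1 percent per annum
    economic_capital=75.0,   # 7.5 percent of the loan amount
    tax_rate=0.30,
    risk_free_rate=0.05,
)

# Constructed one-year loss observations in basis points (not data from the page):
# mostly small losses, a thin tail, and one severe year.
SAMPLE_LOSSES_BP = [10.0] * 90 + [50.0] * 5 + [120.0] * 4 + [400.0]

if __name__ == "__main__":
    print(f"RAROC = {raroc(LOAN_PORTFOLIO):.1%}")
    print(f"NIACC at an assumed 10% cost of equity = ${niacc(LOAN_PORTFOLIO, 0.10):.3f}M")
    el = expected_loss(SAMPLE_LOSSES_BP)
    wc = worst_case_loss(SAMPLE_LOSSES_BP, 0.99)
    print(f"expected loss {el:.1f} bp, 99% worst case {wc:.0f} bp, "
          f"risk capital {wc - el:.1f} bp")
    print(f"on $1,000M notional: ${risk_capital_dollars(SAMPLE_LOSSES_BP, 0.99, 1_000):.2f}M")
```

Swapping realized revenues and losses into the same `Activity` gives the ex post RAROC discussed in Section 12.5.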

BO X 12.3 RISK TYPES AND TIM E HORIZON S
Risk capital can be characterized as the one-year value-at-risk Figure 12B.1 illustrates the calculation of risk capital when
exposure of the firm, at a confidence level consistent with the the core risk level is lower than the current risk position.
firm's target credit risk rating. But how does the time horizon in
Across every bank, there are many other activities that must
this characterization relate to the risk measurement approaches
be allocated capital in a way that is sensitive to time horizons.
for market risk, for credit risk, and for operational risk?
For exam ple, the bank should allocate capital to cover the
For credit risk, there is a straightforward equivalence risk of options that are em bedded in many of its products.
between the one-year VaR produced by credit portfolio The option to prepay a m ortgage is one obvious exam ple,
m odels, such as CreditM etrics or KMV, and risk capital. The but there are many subtle twists on the risks generated by
same is also true for operational risk: most internal models different types of products. For exam ple, m ortgage port­
used by institutions have a one-year horizon. Therefore, for folios in Canada often incur com mitment risks. These arise
both credit risk and operational risk, there is no need for any because the consum er autom atically receives the lowest
adjustm ent in the one-year VaR to determ ine risk capital. m ortgage rate looking backward over a prescribed com m it­
ment period, as a function of the specific type of m ortgage.
However, this is not the case for m arket risk. For trading
In effect, the consum er has what derivatives practitioners call
businesses, market risk is measured using only short-term
a "look-back option." The seriousness of the com mitment
horizons— one day for risk monitoring on a daily basis and 10
risk is governed by the length of the com m itm ent period; it
days for regulatory capital. So how do we translate a one-day
represents the com ponent that cannot be entirely eliminated
risk measure into one-year risk capital attribution?
by delta hedging (e.g ., the basis risk between the w hole­
O ne approach might be to use what is commonly called the sale rates and the m ortgage rate). All these considerations
"square root of tim e" rule. That is, the risk analyst might need to be taken into account in determining the risk capital
approxim ate the one-year VaR by multiplying the one-day needed to support a Canadian m ortgage business.
VaR by the square root of the number of business days in one
year— e .g ., 252 days. If we did this, however, w e'd be miss­
ing the point of risk capital. Risk capital is there to limit the VaR
risk of failure during a period of crisis, when the bank has
suffered huge losses. As a worst-case scenario unfolds, the
bank will naturally reduce its risk exposures in any way that
it can. In the case of a proprietary trading desk, with highly
liquid positions and no clients to service, this risk reduction
can take place very quickly indeed. For other activities, risk
can often be reduced only to a core risk level for the remain­
der of the year, defined as the minimum realistic size at
which the business can be considered to be a going concern
(i.e., can maintain its franchise).

Thus, to work out a meaningful one-year econom ic capital


allocation, we need to analyze the business in question so
that we can understand the tim e to reduce from the current
risk position to the core risk level, which in turn reflects the
relative liquidity of positions during adverse market condi­ Risk capital = square root [sum of squares (100, 97.62, 95.24, ... , 52.38)
tions. Estim ations of the time to reduce should not make the + 5 0 2 x 231]
assumption that there will be a fire sale, but instead assume = 839
a relatively orderly unwinding of positions. This can take = 52.8% x annualized VaR
w here annualized VaR = 100 x square root (252)
considerable tim e in some m arkets, as firms discovered to
their cost in the 2007-2009 financial crisis. Fiqure 12B.1 Risk capital calculation for market risk.

discusses one problem that this brings up: how to harmonize the However, the choice of a risk horizon for RA R O C is som ewhat
different time horizons used to measure credit, m arket, and arbitrary. O ne could choose to measure the volatility of risk and
operational risk. Practitioners usually adopt a one-year tim e hori­ returns over a longer period of tim e, say 5 or 10 years, in order
zon, as this corresponds to the business planning cycle and is to capture the full effect of the business cycle in measuring risk.
also a reasonable approxim ation of the length of tim e it might Calculating econom ic capital over a longer period of tim e does
take to recapitalize the com pany if it were to suffer a major not necessarily increase capital, as the level of confidence in any
unexpected loss. firm's solvency that we require decreases as the tim e horizon

Chapter 12 Risk Capital Attribution and Risk-Adjusted Performance Measurement ■ 187


is extended. If this seems surprising, consider the probability of default of an AA-rated firm to be around 3 basis points over a one-year period; while this probability of default naturally increases if we look at the same firm over a two-year or five-year period, this increase clearly does not affect the one-year credit rating of the firm. However, one of the practical challenges is that the risk and return data beyond one year may be of low quality.

Default Probabilities: Point-in-Time (PIT) vs. Through-the-Cycle (TTC)

A point-in-time (PIT) probability of default (PD), which is the approach of KMV and other economic/structural approaches, is reasonable for calculating near-term expected losses (EL) and for pricing financial instruments that are subject to credit risk. A through-the-cycle (TTC) PD, which is largely the approach taken by the rating agencies, is more reasonable for calculating economic capital, current profitability, and strategic decisions regarding products, geographies, and new business ventures.

The probability of a firm's staying in the same rating when it is assessed using a PIT approach is smaller than when it is assessed using a TTC approach. The TTC approach therefore reduces the volatility of economic capital, compared to PIT approaches. It is useful on a periodic basis to compare the impact of using PIT PD versus TTC PD in the RAROC calculation for both a normal part of the economic cycle and the worst part of the cycle.

Confidence Level

We mentioned earlier that the confidence level in the economic capital calculation should be consistent with the firm's target credit rating. For example, most banks today hope to obtain an AA credit rating from the agencies for their debt offerings, which implies a one-year probability of default of 3 to 5 basis points. This, in turn, corresponds to a confidence level in the range of 99.95 to 99.97 percent. We can think of this confidence level as the quantitative expression of the risk appetite of the firm.

Setting a lower confidence level may significantly reduce the amount of risk capital allocated to an activity, especially when the institution's risk profile is dominated by operational, credit, and settlement risks (for which large losses occur only with some rarity). Therefore, the choice of the confidence level can materially affect risk-adjusted performance measures and the resulting capital allocation decisions of the firm.

BOX 12.4 TECHNICAL DISCUSSION: CALCULATING THE HURDLE RATE

Most firms use a single hurdle rate, h_AT, for all business activities, based on the after-tax weighted-average cost of equity capital:

h_AT = (CE × r_CE + PE × r_PE) / (CE + PE)

where CE and PE denote the market value of common equity and preferred equity, respectively, and r_CE and r_PE are the cost of common equity and preferred equity, respectively.

The cost of preferred equity is simply the yield on the firm's preferred shares. The cost of common equity is determined via a model such as the capital asset pricing model:

r_CE = r_f + β_CE × (R_M − r_f)

where r_f is the risk-free rate, R_M is the expected return on the market portfolio, and β_CE is the firm's common equity market beta.

Hurdle Rate and Capital Budgeting Decision Rule

Most firms use a single hurdle rate for all business activities: the after-tax weighted-average cost of equity capital. Box 12.4 explains in more technical detail how this hurdle rate is calculated. The hurdle rate should be reset periodically, say every six months, or when it has changed by more than 10 percent.

When a firm is considering investing in a business or closing down an activity, it computes the after-tax RAROC for the business or activity and compares it to the firm's hurdle rate. In theory, the firm can then apply a simple decision rule:

• If the RAROC ratio is greater than the hurdle rate, the activity is deemed to add value to the firm.

• In the opposite case, the activity is deemed to destroy value for the firm and the activity should be closed down or the project rejected.

However, one can show that applying this simple rule can lead to a firm's accepting high-risk projects that will lower the value of the firm and rejecting low-risk projects that will increase the value of the firm.5 High-risk projects, such as oil exploration, are characterized by very volatile returns, while low-risk projects, such as properly risk-managed retail banking, produce steady revenues with low volatility.

5 See Michel Crouhy, Stuart Turnbull, and Lee Wakeman, "Measuring Risk-Adjusted Performance," Journal of Risk 2(1), 1999, pp. 5-35.
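The RAROC calculation of the loan example, the Box 12.4 hurdle rate and the simple decision rule just described, and the Box 12.5 adjustment the chapter goes on to propose, carried through in Python as an added example; this is not code from the chapter or from GARP. The loan inputs ($ millions) are the chapter's own; the capital structure, the market return, the preferred yield and every beta are constructed for illustration and are not from the text. The two constructed projects are chosen so that the simple rule and the adjusted rule disagree, which is exactly the failure mode the chapter warns about.

```python
"""RAROC, the after-tax hurdle rate (Box 12.4) and the adjusted RAROC rule (Box 12.5).

Added example; not code from the chapter. The loan inputs reproduce the
chapter's RAROC example ($ millions). Everything marked CONSTRUCTED is
invented for illustration and is not from the text.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Chapter's inputs: 5% risk-free rate on government securities, 30% tax rate.
RISK_FREE = 0.05
TAX_RATE = 0.30

# CONSTRUCTED capital-market inputs (not from the chapter).
MARKET_RETURN = 0.11      # R_M, expected return on the market portfolio
COMMON_EQUITY = 900.0     # CE, market value of common equity
PREFERRED_EQUITY = 100.0  # PE, market value of preferred equity
BETA_CE = 1.2             # the firm's common-equity beta
R_PE = 0.07               # yield on the firm's preferred shares


@dataclass(frozen=True)
class Activity:
    name: str
    revenue: float           # expected revenue
    operating_cost: float
    interest_expense: float  # transfer-priced funding cost
    expected_loss: float
    economic_capital: float
    beta: float              # systematic risk of the activity's returns (CONSTRUCTED)


def raroc(a: Activity, risk_free: float = RISK_FREE, tax_rate: float = TAX_RATE) -> float:
    """After-tax RAROC = (revenue - cost - interest - EL + return on EC) x (1 - t) / EC.

    Economic capital is held in risk-free securities, so its return is
    risk_free x economic_capital (the chapter's 3.75 = 5% x 75).
    """
    if a.economic_capital <= 0:
        raise ValueError("economic capital must be positive")
    return_on_capital = risk_free * a.economic_capital
    pre_tax = (a.revenue - a.operating_cost - a.interest_expense
               - a.expected_loss + return_on_capital)
    return pre_tax * (1 - tax_rate) / a.economic_capital


def cost_of_common_equity(risk_free: float, market_return: float, beta_ce: float) -> float:
    """CAPM: r_CE = r_f + beta_CE (R_M - r_f)."""
    return risk_free + beta_ce * (market_return - risk_free)


def hurdle_rate(ce: float, pe: float, r_ce: float, r_pe: float) -> float:
    """Box 12.4: h_AT = (CE r_CE + PE r_PE) / (CE + PE), weights at market value."""
    if ce + pe <= 0:
        raise ValueError("equity must be positive")
    return (ce * r_ce + pe * r_pe) / (ce + pe)


def adjusted_raroc(r: float, beta: float, market_return: float, risk_free: float) -> float:
    """Box 12.5: adjusted RAROC = RAROC - beta (R_M - r_f); the hurdle becomes r_f."""
    return r - beta * (market_return - risk_free)


def evaluate(activities: Iterable[Activity], hurdle: float) -> Dict[str, Tuple[float, bool, float, bool]]:
    """Per activity: (RAROC, simple-rule accept, adjusted RAROC, adjusted-rule accept)."""
    out = {}
    for a in activities:
        r = raroc(a)
        adj = adjusted_raroc(r, a.beta, MARKET_RETURN, RISK_FREE)
        out[a.name] = (r, r > hurdle, adj, adj > RISK_FREE)
    return out


# The chapter's loan: revenue 90, operating cost 9, interest 60, EL 10, EC 75 (beta CONSTRUCTED).
LOAN = Activity("retail loan portfolio", 90, 9, 60, 10, 75, beta=0.6)
# CONSTRUCTED activities chosen so the two decision rules disagree.
VOLATILE = Activity("high-volatility project", 40, 8, 12, 6, 70, beta=2.5)
STEADY = Activity("low-volatility project", 30, 10, 8, 1, 100, beta=0.3)

HURDLE = hurdle_rate(COMMON_EQUITY, PREFERRED_EQUITY,
                     cost_of_common_equity(RISK_FREE, MARKET_RETURN, BETA_CE), R_PE)

if __name__ == "__main__":
    print(f"hurdle rate h_AT = {HURDLE:.2%}")
    for name, (r, ok, adj, adj_ok) in evaluate([LOAN, VOLATILE, STEADY], HURDLE).items():
        print(f"{name:24s} RAROC {r:7.2%}  simple rule: {'accept' if ok else 'reject'}  "
              f"adjusted {adj:7.2%}  adjusted rule: {'accept' if adj_ok else 'reject'}")
```

With these inputs the loan earns a RAROC of about 13.8 percent (the chapter rounds to 14 percent) and clears both rules; the high-beta project clears the 11.68 percent hurdle but fails once its systematic risk premium is deducted, and the low-beta project fails the hurdle yet is accepted by the adjusted rule.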

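The Figure 12B.1 calculation from Box 12.3, written out in Python as an added example (not code from the chapter). It builds the daily VaR path the figure annotates (a one-day VaR of 100 unwound to a core risk level of 50 over 21 business days, then 50 for the remaining 231 days), aggregates it as the square root of the sum of squares, and compares the result with the naive square-root-of-time scaling. The linear shape of the unwind and the independence of daily shocks are assumptions read off the figure's arithmetic, not stated by the text; the function names are this example's own.

```python
"""Market-risk capital with a 'time to reduce' to a core risk level (Box 12.3, Figure 12B.1).

Added example; not code from the chapter. Inputs are the figure's: daily VaR 100,
core risk level 50, 21 business days to reduce, 252 business days in the year.
ASSUMPTIONS: the unwind is linear and daily shocks are independent.
"""
import math
from typing import Dict, List

BUSINESS_DAYS = 252


def sqrt_of_time_var(daily_var: float, days: int = BUSINESS_DAYS) -> float:
    """Naive 'square root of time' scaling of a one-day VaR to `days`.

    This treats the position as held unchanged for the whole horizon, which is
    the assumption Box 12.3 argues against when the purpose is risk capital.
    """
    return daily_var * math.sqrt(days)


def var_path(daily_var: float, core_var: float, days_to_reduce: int,
             days: int = BUSINESS_DAYS) -> List[float]:
    """Daily VaR profile: orderly linear unwind from `daily_var` toward `core_var`
    (the figure's 100, 97.62, 95.24, ..., 52.38 over 21 days), then `core_var`
    for the remaining days of the year. The core level is the minimum size at
    which the business is still a going concern, so it is never cut below."""
    if not 0 <= core_var <= daily_var:
        raise ValueError("core risk level must lie between 0 and the current VaR")
    if not 0 < days_to_reduce < days:
        raise ValueError("time to reduce must fall inside the capital horizon")
    step = (daily_var - core_var) / days_to_reduce
    unwind = [daily_var - step * k for k in range(days_to_reduce)]
    return unwind + [core_var] * (days - days_to_reduce)


def risk_capital(path: List[float]) -> float:
    """Square root of the sum of squared daily VaRs: the square-root-of-time
    aggregation applied day by day to a shrinking position."""
    return math.sqrt(sum(v * v for v in path))


def compare(daily_var: float = 100.0, core_var: float = 50.0,
            days_to_reduce: int = 21) -> Dict[str, float]:
    """Risk capital with time to reduce versus the naive annualized VaR."""
    rc = risk_capital(var_path(daily_var, core_var, days_to_reduce))
    annualized = sqrt_of_time_var(daily_var)
    return {"risk_capital": rc, "annualized_var": annualized, "ratio": rc / annualized}


if __name__ == "__main__":
    r = compare()
    print(f"risk capital {r['risk_capital']:.0f} = {r['ratio']:.1%} of annualized VaR "
          f"{r['annualized_var']:.0f}")
    # Edge case: when the business cannot be reduced at all (core level equals the
    # current position), the calculation collapses to the square-root-of-time rule.
    flat = risk_capital(var_path(100.0, 100.0, 21))
    print(f"no reduction possible: {flat:.0f} (square-root-of-time: {sqrt_of_time_var(100.0):.0f})")
```

The square-root-of-time rule appears here as the special case in which nothing can be unwound; any positive time to reduce and any core level below the current position lowers the capital number, which is why the text asks for the time to reduce to be estimated business by business.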
To overcome this, we need to make an important adjustment to the RAROC calculation so that the systematic riskiness of the returns from a business activity is fully captured by the decision rule (see Box 12.5).

BOX 12.5 ADJUSTING RAROC FOR THE RISK OF RETURNS

Ideally, we would like to adjust the traditional RAROC calculation to obtain a RAROC measure that takes into account the systemic riskiness of returns, and for which the hurdle rate (the critical benchmark above which a business adds value) is the same across all business lines. To correct the inherent limitations of the traditional RAROC measure, let's adjust the RAROC ratio as follows:

Adjusted RAROC ≡ RAROC − β_E (R_M − r_f)

where R_M is the expected rate of return on the market portfolio, r_f denotes the risk-free interest rate—say, the interest rate paid on three-month Treasury bills—and β_E is the beta of the equity of the firm. The new decision rule is:

Accept (reject) projects whose adjusted RAROC is greater (smaller) than r_f

The risk adjustment, β_E (R_M − r_f), is the excess return above the risk-free rate required to compensate the shareholders of the firm for the nondiversifiable systematic risk they bear when investing in the activity, assuming that the shareholders hold a well-diversified portfolio. When the returns are thus adjusted for risk, the hurdle rate becomes the risk-free rate.

Diversification and Risk Capital

The risk capital for a particular business unit within a larger firm is usually determined by viewing the business on a stand-alone basis, using the top-of-the-house hurdle rate that we discussed earlier. However, intuition suggests that the risk capital for the firm should be significantly less than the sum of the stand-alone risk capital of the individual business units, because the returns generated by the various businesses are unlikely to be perfectly correlated.6

6 It should be noted that from a purely economic point of view, disregarding strategic considerations, the decision to enter or exit a business activity should be based on the risk and return parameters of the single business activity.

Measuring the true level of this "diversification effect" is extremely problematic. As of today, there is no fully integrated VaR model that can produce the overall risk capital for a firm, taking into account all the correlation effects between market risk, credit risk, and operational risk across all the business units of a company. Instead, banks tend to adopt a bottom-up decentralized approach, under which distinct risk models are run for each portfolio or business unit.

For capital adequacy purposes, running these business-specific models at the confidence level targeted at the top of the house, for example 99.97 percent, produces an unnecessarily large amount of overall risk capital, precisely because it neglects diversification effects (across both risk types and business activities). It is therefore common practice to adjust for the diversification effects by lowering the confidence level used at the business level to, say, 99.5 percent or lower—an adjustment that is necessarily more of an educated guess than a strict risk calculation.

If this sounds unsatisfactory, we can at least put some boundaries around the problem. The aggregate VaR figure obtained by this approach should fall in between the two extreme cases of perfect correlation and zero correlation between risk types and across businesses. For example, ignoring business risk, reputation risk, and strategic risk, for illustrative purposes, suppose that we've calculated the risk capital for each type of risk as follows:

Market risk = $200
Credit risk = $700
Operational risk = $300

Then aggregate risk capital at the top of the house is either

Simple summation of the three risks (perfect correlation) = $1,200

or

Square root of the sum of squares of the three risks (zero correlation) = $787

We can say with some confidence, therefore, that any proposed approach for taking diversification effects into account should produce an overall VaR figure in the range of $787 to $1,200. While the simple logic of our boundary setting makes sense, these boundaries are pretty wide! They also leave us with the reverse problem: how do we allocate any diversification benefit that we calculate for the business as a whole back to the business lines? The allocation of the diversification effect can be important for certain business decisions, such as determining the performance of each unit.

Logically, a business whose operating cash flows are strongly correlated with the earnings of the other activities in the firm should require more risk capital than a business with the same



volatility whose earnings move in a countercyclical fashion. Bringing together countercyclical business lines produces stable earnings for the firm as a whole; the firm can then operate to the same target credit rating with less risk capital.

In truth, institutions continue to struggle with the problem of attributing capital back to business lines, and there are diverging views as to the appropriate approach. For the moment, as a practical solution, most institutions allocate the portfolio effect pro rata with the stand-alone risk capital.

Diversification effects also complicate matters within business units. Let's look at this and other issues in relation to an example business unit, BU, which comprises two activities, X and Y (Figure 12.2). When calculating the risk capital of the business unit, let's assume that the firm's risk analysts have taken into account all the diversification effects created by combining activities X and Y and that the risk capital for BU is $100. The complication starts when we try to allocate risk capital at the activity level within the business unit. There are three different measures of risk capital:

Figure 12.2 Diversification effect.

Combination of Businesses    Economic Capital    Marginal Business    Marginal Economic Capital
X + Y                        $100                X                    $40
X                            $60                 Y                    $30
Y                            $70                 Total                $70
Diversification Effect       $30

• Stand-alone capital is the capital used by an activity taken independently of the other activities in the same business unit—that is, risk capital calculated without any diversification benefits. In our example, the stand-alone capital for X is $60 and that for Y is $70. The sum of the stand-alone capitals of the individual constituents of the business unit is generally higher than the stand-alone risk capital of the business unit itself (it is equal only in the case of perfectly correlated activities X and Y).

• Fully diversified capital is the capital attributed to each activity X and Y, taking into account all diversification benefits from combining them under the same leadership. In our example, the overall portfolio effect is $30 ($60 + $70 − $100). Allocating the diversification effect is an issue here. Following our earlier discussion, we'll allocate the portfolio effect pro rata with the stand-alone risk capital, $30 × 60/130 = $14 for X and $30 × 70/130 = $16 for Y, so that the fully diversified risk capital becomes $46 for X and $54 for Y.

• Marginal capital is the additional capital required by an incremental deal, activity, or business. It takes into account the full benefit of diversification. In our example, the marginal risk capital for X (assuming that Y already exists) is $30 ($100 − $70), and the marginal risk capital for Y (assuming that X already exists) is $40 ($100 − $60). In the case where more than two activities are included in the business unit BU, marginal capital is calculated by subtracting the risk capital required for the BU without this business from the risk capital required for the full portfolio of businesses. Note that the summation of the marginal risk capital, $70 in our example, is less than the full risk capital of the BU.

As this example shows, the choice of capital measure depends on the desired objective. Fully diversified measures should be used for assessing the solvency of the firm and minimum risk pricing. Active portfolio management or business mix decisions, on the other hand, should be based on marginal risk capital, taking into account the benefit of full diversification. Finally, performance measurement should involve both perspectives: stand-alone risk capital for incentive compensation, and fully diversified risk capital to assess the extra performance generated by the diversification effects.

However, we must be cautious about how generous we are in attributing diversification benefits.7 Correlations between risk factors drive the extent of the portfolio effect, and these correlations tend to vary over time. During market crises, in particular, correlations sometimes shift dramatically toward either 1 or −1, reducing or totally eliminating portfolio effects for a period of time.

7 For a discussion of the common economic capital aggregation techniques and how they capture diversification benefits, see Range of Practices and Issues in Economic Capital Frameworks, BIS, March 2009, pp. 24-31.

12.6 RAROC IN PRACTICE

Economic capital is increasingly a key element in the assessment of business line performance, in the decision to exit or enter a business, and in the pricing of transactions. It also plays a critical role in the incentive compensation plan of the firm. Adjusting incentive compensation for risk in this way is important, because managers tend to align their performance to maximize whatever performance measures are imposed on them.

Needless to say, in firms in which RAROC has been implemented, business units often challenge the risk management function about the fairness of the amount of economic capital attributed to them. The usual complaint is that their economic

capital attribution is too high (never that it is too low!). Another complaint is that economic capital attribution is sometimes too unstable—the numbers can move up and down in a way that is disconcerting for a business trying to hit a target.

The best way to defuse this debate is for the RAROC group to be transparent about the methodology used to assess risk and to institute forums where the issues related to the determination of economic capital can be debated and analyzed. From our own experience, the VaR methodologies for measuring market risk and credit risk that underpin RAROC calculations are generally well accepted by business units (although this is not yet true for operational risk). It's the setting of the parameters that feed into these models, and that drive the size of economic capital, that causes acrimony.

Here are a number of recommendations for implementing a RAROC system:

1. Senior management commitment. Given the strategic nature of the decisions steered by a RAROC system, the marching orders must come from the top management of the firm. Specifically, the CEO and his or her executive team should sponsor the implementation of a RAROC system and should be active in the diffusion, within the firm, of a new culture in which performance is measured in terms of contribution to shareholder value. The message to push down to the business lines is this: What counts is not how much income is generated, but how well the firm is compensated for the risks that it is taking on.

2. Communication and education. The RAROC group should be transparent and should explain the RAROC methodology not only to the business's heads but also to the business line managers and the CFO's office, in order to gain acceptance of the methodology throughout all the management layers of the firm.

3. Ongoing consultation. The firm should institute a forum such as a "parameter review group" that periodically reviews the key parameters that drive risk and economic capital. This group, composed of key representatives from the business units and the risk management function, will bring legitimacy to the capital allocation process. For credit risk, the parameters that should be reviewed include probabilities of default, credit migration frequencies, loss given default, and credit line usage given default. These parameters evolve over the business cycle and should be adjusted as more data become available. An important issue to settle is the choice of a historical period over which these parameters are calibrated—i.e., should this be the whole credit cycle (in order to produce stable risk capital numbers) or a shorter period of time to make capital more procyclical (capital goes down when the credit environment improves and goes up when it deteriorates)? For market risk, volatility and correlation parameters should be updated at least every month, using standard statistical techniques. Other key factors, such as the core risk level and "time to reduce" (see Box 12.3), should be reviewed on an annual basis. For operational risk, the risk measurement approach is currently more judgmental and, as such, more open to heated discussions!

4. Maintaining the integrity of the process. As with other risk calculations, the validity of RAROC numbers depends critically on the quality of the data about risk exposures and positions collected from the management systems (e.g., in a trading business, the front- and back-office systems). Only a rigorous process of data collection and centralization can ensure accurate risk and capital assessment. The same rigor should also be applied to the financial information needed to estimate the adjusted-return element of the RAROC equation. Data collection is probably the most daunting task in risk management. But the best recipe for failure in implementing a RAROC system is to base calculations on inaccurate and incomplete data. The RAROC group should be accountable for the integrity of the data collection process, the calculations, and the reporting process. The business units and the finance group should be accountable for the integrity of the specific data that they produce and feed into the RAROC system.

Figure 12.3 Strategic grid. [Two-dimensional grid, not reproduced; its vertical axis is labelled "Quality of Earnings: Strategic Importance/Long-Term Growth Potential" and its horizontal axis is the RAROC return described in item 5.]

5. Combine RAROC with qualitative factors. Earlier in this chapter, we described a simple decision rule for project selection and capital attribution—i.e., accept projects where the RAROC is greater than the hurdle rate. In practice, other qualitative factors should be taken into consideration. All the business units should be assessed in the context of the two-dimensional strategic grid shown in Figure 12.3. The horizontal axis of this figure corresponds to the RAROC



return calculated on an ex ante basis. The vertical axis is a qualitative assessment of the quality of the earnings produced by the business units. This measure takes into consideration the strategic importance of the activity for the firm, the growth potential of the business, the sustainability and volatility of the earnings in the long run, and any synergies with other critical businesses in the firm. Priority in the allocation of balance sheet resources should be given to the businesses in the upper right quadrant. At the other extreme, the firm should try to exit, scale down, or fix the activities of businesses that fall into the lower left quadrant. The businesses in the category "managed growth," in the lower right quadrant, are high-return activities that have low strategic importance for the firm. In contrast, businesses in the category "investment," in the upper left quadrant, are currently low-return activities that have high growth potential and high strategic value for the firm.

6. Put an active capital management process in place. Balance sheet requests from the business units, such as economic capital, leverage ratio, liquidity ratios, and risk-weighted assets, should be channeled to the RAROC group every quarter. Limits are then set for economic capital, leverage ratio, liquidity ratios, and risk-weighted assets based on the kind of analysis we've discussed in this chapter. The treasury group often reviews limits to ensure that they are consistent with funding limits. This limit-setting process is a collaborative effort, with any disagreements about the amount of balance sheet resources attributed to a business put to arbitration by the senior executive team. Leverage ratios may restrain management from growing the bank beyond a certain level, but this in itself makes it more important that banks work every dollar of capital hard—and RAROC analysis is one way to do this.

CONCLUSION

RAROC systems, developed first by large financial institutions, are being implemented in smaller banks and other trading firms, such as energy trading companies. Wherever risk capital is an important concern, RAROC balances the divergent desires of the various external stakeholders, while also aligning them with the incentives of internal decision makers (Figure 12.4). When business units (or transactions) earn returns in excess of the hurdle rate, shareholder value is created, while the allocated risk capital indicates the amount of capital required to preserve the desired credit rating.

Figure 12.4 How RAROC balances the desires of various stakeholders. [Diagram, not reproduced: "Bank Management" sits between "Safety" and "Profitability". On the safety side: Debt Holders, Deposit Holders, Counterparties on Derivatives Transactions, Regulators, Deposit Insurance Company, Rating Agencies. On the profitability side: Shareholders, Analysts.]

RAROC information allows senior managers to better understand where shareholder value is being created and where it is being destroyed. It promotes strategic planning, risk-adjusted profitability reporting and incentive compensation schemes, proactive allocation of resources, better management of concentration risk, and better product pricing.

Because RAROC is not just a common language of risk, but a quantitative technique, we can also think of a RAROC-based capital budgeting process as akin to an internal capital market in which businesses are competing with one another for scarce balance sheet resources—all with the objective of maximizing shareholder value. This makes RAROC a useful tool for capital allocation, both for banks and for nonbank corporations.
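The risk-capital aggregation bounds and the three within-unit capital measures of Figure 12.2 from the "Diversification and Risk Capital" discussion above, as an added end-of-chapter Python example; it is not code from the chapter or from GARP. The numbers are the chapter's ($200/$700/$300 by risk type; X stand-alone $60, Y stand-alone $70, BU $100). The correlation-based capital function is an assumption added here so that the marginal measure can be applied to more than two activities; the single pairwise correlation it uses is implied from the chapter's 60, 70 and 100 rather than stated by the text. The function names are this example's own.

```python
"""Risk-capital aggregation bounds and stand-alone / fully diversified / marginal
capital within a business unit (Figure 12.2).

Added example; not code from the chapter. Inputs are the chapter's figures.
ASSUMPTION: the correlation-based capital function (single pairwise rho) is
added here to generalise marginal capital beyond two activities.
"""
import math
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

Capitals = Dict[str, float]
CapitalFn = Callable[[FrozenSet[str]], float]


def aggregation_bounds(by_risk_type: Capitals) -> Tuple[float, float]:
    """(zero-correlation, perfect-correlation) bounds on top-of-the-house capital:
    the square root of the sum of squares and the simple sum."""
    vals = list(by_risk_type.values())
    return math.sqrt(sum(v * v for v in vals)), float(sum(vals))


def diversification_effect(stand_alone: Capitals, unit_capital: float) -> float:
    """Sum of stand-alone capitals minus the unit's diversified capital."""
    effect = sum(stand_alone.values()) - unit_capital
    if effect < 0:
        raise ValueError("unit capital cannot exceed the sum of stand-alone capitals")
    return effect


def fully_diversified(stand_alone: Capitals, unit_capital: float) -> Capitals:
    """Allocate the diversification effect pro rata with stand-alone capital,
    the chapter's practical solution."""
    total = sum(stand_alone.values())
    effect = diversification_effect(stand_alone, unit_capital)
    return {n: s - effect * s / total for n, s in stand_alone.items()}


def marginal(capital_of: CapitalFn, names: Iterable[str]) -> Capitals:
    """Marginal capital of each activity: capital(all) - capital(all without it)."""
    everyone = frozenset(names)
    full = capital_of(everyone)
    return {n: full - capital_of(everyone - {n}) for n in everyone}


def implied_correlation(x: float, y: float, combined: float) -> float:
    """rho such that sqrt(x^2 + y^2 + 2 rho x y) == combined, for two activities."""
    return (combined ** 2 - x ** 2 - y ** 2) / (2 * x * y)


def correlated_capital(stand_alone: Capitals, rho: float) -> CapitalFn:
    """ASSUMPTION (not from the chapter): capital of any subset as
    sqrt(sum_i sum_j s_i s_j rho_ij) with one pairwise correlation rho and
    rho_ii = 1. Lets the marginal measure run over N > 2 activities."""
    def capital_of(subset: FrozenSet[str]) -> float:
        total = 0.0
        for a in subset:
            for b in subset:
                total += stand_alone[a] * stand_alone[b] * (1.0 if a == b else rho)
        return math.sqrt(total)
    return capital_of


# Chapter's figures.
BY_RISK_TYPE = {"market": 200.0, "credit": 700.0, "operational": 300.0}
STAND_ALONE = {"X": 60.0, "Y": 70.0}
BU_CAPITAL = 100.0
# The chapter's BU capitals by combination, used to reproduce Figure 12.2 directly.
TABLE = {frozenset(): 0.0, frozenset({"X"}): 60.0, frozenset({"Y"}): 70.0,
         frozenset({"X", "Y"}): 100.0}

if __name__ == "__main__":
    lo, hi = aggregation_bounds(BY_RISK_TYPE)
    print(f"aggregate capital between {lo:.0f} (zero corr) and {hi:.0f} (perfect corr)")
    print("fully diversified:", {k: round(v) for k, v in fully_diversified(STAND_ALONE, BU_CAPITAL).items()})
    print("marginal (table):", marginal(TABLE.__getitem__, STAND_ALONE))
    rho = implied_correlation(60, 70, 100)
    model = correlated_capital(STAND_ALONE, rho)
    print(f"implied rho {rho:.3f}; marginal (model):",
          {k: round(v, 1) for k, v in marginal(model, STAND_ALONE).items()})
```

The table-driven run reproduces the text: fully diversified capital of $46 and $54, marginal capital of $30 for X and $40 for Y summing to $70 against a BU capital of $100. The implied correlation of about 0.18 shows how thin the $30 portfolio effect is relative to the correlation swings toward 1 or −1 that the text describes for crises; re-running `correlated_capital` with rho = 1 returns the undiversified $130.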

Range of Practices and Issues in Economic Capital Frameworks

Learning Objectives

After completing this reading you should be able to:

• Within the economic capital implementation framework describe the challenges that appear in:
  ■ Defining and calculating risk measures
  ■ Risk aggregation
  ■ Validation of models
  ■ Dependency modeling in credit risk
  ■ Evaluating counterparty credit risk
  ■ Assessing interest rate risk in the banking book

• Describe the BIS recommendations that supervisors should consider to make effective use of internal risk measures, such as economic capital, that are not designed for regulatory purposes.

• Explain benefits and impacts of using an economic capital framework within the following areas:
  ■ Credit portfolio management
  ■ Risk based pricing
  ■ Customer profitability analysis
  ■ Management incentives

• Describe best practices and assess key concerns for the governance of an economic capital framework.

Excerpt is reprinted by permission from the Basel Committee on Banking Supervision.

13.1 EXECUTIVE SUMMARY

Economic capital can be defined as the methods or practices that allow banks to consistently assess risk and attribute capital to cover the economic effects of risk-taking activities. Economic capital was originally developed by banks as a tool for capital allocation and performance assessment. For these purposes, economic capital measures mostly need to reliably and accurately measure risks in a relative sense, with less importance attached to the measurement of the overall level of risk or capital. Over time, the use of economic capital has been extended to applications that require accuracy in estimation of the level of capital (or risk), such as the quantification of the absolute level of internal capital needed by a bank. This evolution in the use of economic capital has been driven by both internal capital management needs of banks and regulatory initiatives, and has been facilitated by advances in risk quantification methodologies and the supporting technological infrastructure.

While there has been some convergence in the understanding of key concepts of economic capital across banks with such frameworks in place, the notion of economic capital has broadened over time. This has occurred in terms of the underlying risks (or building blocks) that are combined into an overall economic capital framework and also in terms of the relative acceptance and use of economic capital across banks.

Economic capital can be analysed and used at various levels—ranging from firm-wide aggregation, to risk-type or business-line level, and down further still to the individual portfolio or exposure level. Many building blocks of economic capital, therefore, are complex and raise challenges for banks and supervisors. In particular, Pillar 2 (supervisory review process) of the Basel II Framework may involve an assessment of a banks' economic capital framework. Accordingly, this paper makes recommendations of particular interest to supervisors and bankers where economic capital models are used in the supervisory dialogue. In addition, supervisors have an interest in promoting robust, transparent and effective risk management, which in many cases requires an understanding of banks economic capital frameworks. Nevertheless, it is recognised that economic capital is a business tool developed and used by individual institutions for internal risk management purposes.

Therefore it covers issues related to the use and governance of economic capital, the choice of risk measures, aggregation of risk, and validation of economic capital. In addition, three important building blocks of economic capital (dependency modelling in credit risk, counterparty credit risk and interest rate risk in the banking book) are examined in separate, stand-alone annexes. This list of building blocks is chosen due to the significance and complexity of the topics, and (with the exception of counterparty credit risk) partly because the topics are not covered in Pillar 1 of the Basel II Framework. This list is by no means exhaustive.

Use of Economic Capital and Governance

The robustness of economic capital and the governance and controls surrounding the process have become more critical as the use of economic capital has extended beyond relative risk measurement and performance to the determination of the adequacy of a bank's absolute level of capital.

The viability and usefulness of a bank's economic capital processes depend critically on the existence of a credible commitment or "buy-in" on the part of senior management to the process. In order for this to occur, it is necessary for senior management to recognise the importance of using economic capital measures in conducting the bank's business. In addition, adequate resources are required to ensure the existence of a strong, credible infrastructure to support the economic capital process. Economic capital model results should be transparent and taken seriously in order to be useful for business decisions and risk management. At the same time, management should fully understand the limitations of economic capital measures.

Moreover, senior management needs to take measures to help ensure the meaningfulness and integrity of economic capital measures. It should also seek to ensure that the measures comprehensively capture all risks and implicit and/or explicit management actions embedded in measurement processes are both realistic and actionable.

Risk Measures

Banks use a variety of risk measures for economic capital purposes with the choice of risk measure dependent on a number
This paper emphasises the importance of understanding the of factors. These include the properties of the risk measure, the
relationship between overall economic capital and its building risk- or product-type being measured, data availability, trade­
blocks, as well as ensuring that the underlying building blocks offs between the complexity and usability of the measure, and
(individual risk assessments) are measured in a consistent and the intended use of the risk measure. While there is general
coherent fashion. The main body of the paper focuses on issues agreement on the desirable properties a risk measure should
associated with the overall economic capital process, rather have, there is no singularly preferred risk measure for economic
than on the component risks measured by economic capital. capital purposes. All risk measures observed in use have

194 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
advantages and disadvantages which need to be understood within the context of their intended application.

Risk Aggregation

One of the more challenging aspects of developing an economic capital framework relates to risk aggregation.

Practices and techniques in risk aggregation are generally less sophisticated than the methodologies that are used in measuring individual risk components. They rely heavily on ad-hoc solutions and judgment without always being theoretically consistent with the measurement of the components. Most banks rely on the summation of individual risk components either equally-weighted (i.e., assuming no diversification or a fixed percentage of diversification gains across all components) or weighted by an estimated variance-covariance matrix that represents the co-movement between risks. Few banks attempt technically more sophisticated aggregation methods such as copulas or even bottom-up approaches that build overall economic estimates from the common relationship of individual risk components to underlying factors.

Validation is a general problem with aggregation techniques. Diversification benefits embedded in inter-risk aggregation processes (including in the estimation of entries in the variance-covariance matrix) are often based on (internal or external) "expert judgment" or average industry benchmarks. These have not been (and very often cannot be) compared to the actual historical or expected future experience of a bank, due to lack of relevant data.

Since individual risk components are typically estimated without much regard to the interactions between risks (e.g., between market and credit risk), the aggregation methodologies used may underestimate overall risk even if "no diversification" assumptions are used. Moreover, harmonisation of the measurement horizon is a difficult issue. For example, extending the shorter horizon applied to market risk to match the typically-used annual horizon of economic capital assessments for other types of risk is often performed by using a square root of time rule on the economic capital measure. This simplification can distort the calculation. Similar issues arise when risk measured at one confidence level is then scaled to become (nominally) comparable with other risk components measured at a different confidence level.

Validation

Economic capital models can be complex, embodying many component parts, and it may not be immediately obvious that a complex model works satisfactorily. Moreover, a model may embody assumptions about relationships between variables or about their behaviour that may not hold in all circumstances (e.g., under periods of stress). Validation can provide a degree of confidence that the assumptions are appropriate, increasing the confidence of users (internal and external to the bank) in the outputs of the model. Additionally, validation can also be useful in identifying the limitations of economic capital models, i.e., where embedded assumptions do not fit reality.

The validation of economic capital models is at a very preliminary stage. There exists a wide range of validation techniques, each of which provides evidence for (or against) only some of the desirable properties of a model. Moreover, validation techniques are powerful in some areas such as risk sensitivity but not in other areas such as overall absolute accuracy or accuracy in the tail of the loss distribution. Used in combination, particularly in combination with good controls and governance, a range of validation techniques can provide more substantial evidence for or against the performance of the model. There appears to be scope for the industry to improve the validation practices that shed light on the overall calibration of models, particularly in cases where assessment of overall capital is an important application of the model.

Dependency Modelling in Credit Risk

Portfolio credit risk models form a significant component of most economic capital frameworks. A particularly important and difficult aspect of portfolio credit risk modelling is the modelling of the dependency structure, including both linear relationships and non-linear relationships, between obligors. Dependency modelling is an important link between the Basel II risk weight function (with supervisory imposed correlations) and portfolio credit risk models which rely on internal bank modelling of dependencies. Understanding the way dependencies are modelled is important for supervisors when they examine a bank's internal capital adequacy assessment process (ICAAP) under Pillar 2, since these dependency structures are not captured in regulatory capital measures.

The underlying methodologies applied by banks in the area of dependency modelling in credit risk portfolios have not changed much over the past ten years. Rather, improvements have been made in the infrastructure supporting the methodologies (e.g., improved databases) and better integration with internal risk measurement and risk management. The main concern in this area of economic capital continues to centre on the accuracy and stability of correlation estimates, particularly during times of stress. The correlation estimates provided by current models still depend heavily on explicit or implicit model assumptions.
Chapter 13 Range of Practices and Issues in Economic Capital Frameworks ■ 195
Counterparty Credit Risk

The measurement and management of counterparty credit risk creates unique challenges for banks. Measurement of counterparty credit risk represents a complex exercise, as it involves gathering data from multiple systems; measuring exposures from potentially millions of transactions (including an increasingly significant percentage that exhibit optionality) spanning variable time horizons ranging from overnight to thirty or more years; tracking collateral and netting arrangements; and categorising exposures across thousands of counterparties. This complexity creates unique market-risk-related challenges (requiring calculations at the counterparty level and over multiple and extended holding periods) and credit risk-related challenges (estimation of credit risk parameters for which the institution may not have any other exposures). In addition, wrong-way risk, operational risk-related challenges, differences in treatment between margined and non-margined counterparties, and a range of aggregation challenges need to be overcome before a firm can have a bank-wide view of counterparty credit risk for economic capital purposes. Banks usually employ one of two general modelling approaches to quantify counterparty credit risk exposures, a value-at-risk (VaR)-type model or a Monte Carlo Simulation approach. The decision of which approach to use involves a variety of trade-offs. The VaR-type model cannot produce a profile of exposures over time, which is necessary for counterparties that are not subject to daily margining agreements, whereas the simulation approach uses a simplified risk factor representation and may therefore be less accurate. While these models may be supplemented with complementary measurement processes such as stress testing, such diagnostics are frequently not fully comprehensive of all counterparty credit risk exposures.

Interest Rate Risk in the Banking Book

The main challenges in the calculation of economic capital for interest rate risk in the banking book relate to the long holding period for balance sheet assets and liabilities and the need to model indeterminate cash flows on both the asset and liability side due to embedded optionality in many banking book items. If not adequately measured and managed, the asymmetrical payoff characteristics of instruments with embedded option features can present risks that are significantly greater than the risk measures suggest.

The two main techniques for assessing interest rate risk in the banking book are repricing schedules (gap and duration analyses) and simulation approaches. Although commonly used, the simple structure and restrictive assumptions make repricing schedules less suitable for the calculation of economic capital. Most banks use simulation approaches for determining their economic capital, based on losses that would occur given a set of worst case scenarios. The magnitude of such losses and their probability of occurrence determine the amount of economic capital. The choice of the techniques depends on the bank's preference towards either economic value or earnings, and also on the type of business. Some businesses, such as commercial lending or residential mortgage lending, are managed on a present value basis, while others such as credit cards are managed on an earnings basis. The use of an earnings based measure creates aggregation challenges when other risks are measured on the basis of economic capital. Conversely, the use of an economic value based approach may create inconsistencies with business practices.

Summary

Economic capital modelling and measurement practices continue to evolve. In some aspects, practices have converged and become more consistent over time; however, the notion of economic capital has broadened as its use has expanded. There remain significant methodological, implementation and business challenges associated with the application of economic capital in banks, particularly if economic capital measures are to be used for internal assessments of capital adequacy. These challenges relate to the overall architecture of economic capital modelling and to the underlying building blocks.

13.2 RECOMMENDATIONS

Economic capital models and the overall frameworks for their internal use can provide supervisors with information that is complementary to other assessments of bank risk and capital adequacy. While there is benefit from engaging with banks on the design and use of the models, supervisors should guard against placing undue reliance on the overall level of capital implied by the models in assessing capital adequacy. The following recommendations identify issues that should be considered by supervisors in order to make effective use of internal measures of risk that are not designed for regulatory purposes.

1. Use of economic capital models in assessing capital adequacy. A bank using an economic capital model in its dialogue with supervisors should be able to demonstrate how the economic capital model has been integrated into the business decision-making process in order to assess its potential impact on the incentives affecting the bank's strategic decisions about the mix and direction of inherent risks. The bank's board of directors should also be able to demonstrate conceptual awareness and understanding of the gap between gross (stand alone) and net enterprise wide (diversified) risk when they define and communicate measures of the bank's risk appetite on a net basis.

2. Senior management. The viability, usefulness, and ongoing refinement of a bank's economic capital processes depend critically on the existence of credible commitment or "buy-in" on the part of senior management to the process. In order for this to occur, senior management should recognise the importance of using economic capital measures in conducting the bank's business and capital planning, and should take measures to ensure the meaningfulness and integrity of economic capital measures. In addition, adequate resources should be committed to ensure the existence of a strong, credible infrastructure to support the economic capital process.

3. Transparency and integration into decision-making. A bank should effectively document and integrate economic capital models in a transparent way into decision-making. Economic capital model results should be transparent and taken seriously in order to be useful to senior management for making business decisions and for risk management. A bank should take a careful approach to its use of economic capital in internal assessments of capital adequacy. For this purpose, greater emphasis should be placed on achieving robust estimates of stand-alone risks on an absolute basis, as well as developing the flexible capacity for enterprise-wide stress testing.

4. Risk identification. Risk measurement begins with a robust, comprehensive and rigorous risk identification process. If relevant risk drivers, positions or exposures are not captured by the quantification engine for economic capital, there is great room for slippage between inherent risk and measured risk. Not all risks can be directly quantified. Material risks that are difficult to quantify in an economic capital framework (e.g., funding liquidity risk or reputational risk) should be captured in some form of compensating controls (sensitivity analysis, stress testing, scenario analysis or similar risk control processes).

5. Risk measures. All risk measures observed in use have advantages and disadvantages which need to be understood within the context of their intended application. There is no singularly preferred risk measure for economic capital purposes. A bank should understand the limitations of the risk measures it uses, and the implications associated with its choice of risk measures.

6. Risk aggregation. A bank's aggregation methods should address the implications stemming from the definition and measurement of individual risk components. The accuracy of the aggregation process depends on the quality of the measurement of individual risk components, as well as on the interactions between risks embedded in the measurement process. Aggregation of individual risk components often requires the harmonisation of risk measurement parameters such as the confidence level or measurement horizon. Care must be taken to ensure that the aggregation methodologies used (e.g., variance-covariance matrices, use of broad market proxies, and simple industry averages of correlations) are, to the extent possible, representative of the bank's business composition and risk profile.

7. Validation. Economic capital model validation should be conducted rigorously and comprehensively. Validation of economic capital models should be aimed at demonstrating that the model is fit for purpose. Evidence is likely to come from multiple techniques and tests. To the extent that a bank uses models to determine an overall level of economic capital, validation tools should demonstrate to a reasonable degree that the capital level generated by the model is sufficient to absorb losses over the chosen horizon up to the desired confidence level. The results of such validation work should be communicated to senior management to enhance economic capital model usage.

8. Dependency modelling in credit risk. Since the dependency structures embedded in portfolio credit risk models have an important impact on the determination of economic capital needs for credit risk, banks should carefully assess the extent to which the dependency structures they use are appropriate for their credit portfolio. Banks should identify and understand the main limitations of their credit portfolio models and their implementation. They should address those limitations by using adequate supplementary risk management approaches (e.g., sensitivity analysis, scenario analysis, timely review of parameters).

9. Counterparty credit risk. A bank should understand the trade-offs involved in choosing between the currently used methodologies for measuring counterparty credit risk. Complementary measurement processes such as stress testing should also be used, though it should be recognised that such approaches may still not fully cover all counterparty credit risk exposures. The measurement of counterparty credit risk is complex and entails unique market and credit risk related challenges. A range of aggregation challenges needs to be overcome before a firm can have a bank-wide view of counterparty credit risk for economic capital purposes.
10. Interest rate risk in the banking book. Close attention should be paid to measuring and managing instruments with embedded option features, which if not adequately performed can present risks that are significantly greater than suggested by the risk measure. Trade-offs between using an earnings-based or economic value based approach to measuring interest rate risk in the banking book need to be recognised. The use of an earnings based measure creates aggregation challenges when other risks are measured on the basis of economic value. Conversely, the use of an economic value based approach may create inconsistencies with business practices.

13.3 INTRODUCTION¹

Economic capital, which can be defined as the methods or practices that allow financial institutions to consistently assess risk and to attribute capital to cover the economic effects of risk-taking activities, has increasingly become an accepted input into decision-making at various levels within banking organisations. Economic capital measures may be one of several key factors used to inform decision-making in areas such as profitability, pricing, and portfolio optimisation—particularly at the business-line level. Economic capital measures may also feed into senior management decisions relating to issues such as acquisitions and divestitures. Such measures are also used, primarily at the consolidated entity level, to assess overall capital adequacy. The increased use of economic capital by banks has been driven by rapid advances in risk quantification methodologies, greater complexity and sophistication of banks' portfolios, and supervisory expectations that banks must develop internal processes to assess capital adequacy, beyond regulatory capital adequacy guidelines that are not designed to fully reflect all the underlying material risks in a given bank's business activities.

Across banks there has been a narrowing in the range of definitions and treatment of the majority of risks that form the building blocks of economic capital models, particularly the risks that are more readily quantifiable. At the same time, however, the notion of economic capital is broadening in terms of the risks that it encompasses and the extent to which it is gaining acceptance across banks. That is, the inputs (or risks) that feed into the measurement of economic capital are subject to ongoing change and evolution.

Many banks appear to be sufficiently comfortable in using their economic capital framework in discussions with external stakeholders. Moreover, to varying degrees of granularity, banks have in recent years disclosed qualitative and quantitative aspects of their economic capital, including economic capital model descriptions, risk thresholds, methodologies for particular risks, use of economic capital, capital allocation by risk type and business units, and diversification estimates.²

Despite the advances that have been made by banks in developing their economic capital models, the further use and recognition of risk measures derived from these models remain subject to significant methodological, implementation and business challenges. These challenges stem from:

• the wide variety of applications of economic capital models (from business-line use to firm-wide decision-making to capital adequacy assessments);
• methodological challenges (particularly in the area of risk aggregation, coverage of risks, validation challenges, and risks that are not easily quantifiable);
• the ability of economic capital models to adequately reflect business-line operating practices and therefore provide appropriate incentives to business units;
• potential gaps in the coverage of risks (e.g., valuation risks in structured credit products);
• the feasibility of any single risk measure to capture adequately all the complex aspects of banking risks; and
• the ability of economic capital models to be extended from being used as a common metric for relative risk measurement and performance to the determination of the adequacy of the absolute level of capital.

This paper provides an overview of the range of practices in economic capital modelling at large banking organisations, and based on this review discusses a range of issues and challenges surrounding economic capital models. The paper also discusses practices implemented by banks that attempt to address these challenges, and supervisory concerns relating to the current state of practice.

As economic capital has to varying degrees become a component of many banks' internal capital adequacy assessment processes (ICAAP), this paper is addressed to banks that have implemented or are considering implementing economic capital into their internal processes. The paper is also addressed to supervisors, who are required under Pillar 2 of the Basel II Framework, to review and evaluate banks' internal capital adequacy assessments.

¹ This paper was prepared by the Basel Committee's Risk Management and Modelling Group (RMMG). The RMMG comprises risk management specialists and supervisors from member countries within and outside the Basel Committee. The RMMG has developed its views based on information sourced from a wide range of presentations and documents provided by banks, supervisors and other industry participants.

² See Samuel (2008).
The main body of this paper focuses on aspects of the overall m easurem ent and pricing profitability analysis followed by
architecture of economic capital models. First, the paper cov­ (ii) enterprise-wide relative perform ance m easurem ent that
ers the use of economic capital models and the governance and migrates to capital budgeting/planning, acquisition/divestiture
control framework. Second, it reviews the range of risk measures analysis, external reporting and internal capital adequacy assess­
used by banks in their economic capital models. Next, it cov­ ment processes.
ers the range of practice in risk aggregation methods before
the paper moves to issues arising in the validation of economic
capital models. The main body of the paper therefore focuses on Business-Level Use
issues that are at a level above that of individual risks. The paper The effective use of econom ic capital at the business-unit level
does not discuss the estimation of important building blocks of
depends on how relevant the econom ic capital allocated to
economic capital models, such as the estimation of probability or absorbed by a business unit is with respect to the decision­
of default (PD), loss given default (LGD) and exposure at default making processes that take place within it. Frequently, the
(EAD) in credit risk models. This is not to say that estimation of
success or failure of an econom ic capital fram ework in a bank
these parameters is simple or without issues. Rather, these issues can be assessed by looking at how business line managers
are outside the scope of this work and have been covered in
perceive the constraints econom ic capital imposes and the
detail in other publications. Nevertheless, the annexes to this opportunities it offers in the following areas: (i) credit portfolio
chapter discuss three building blocks of economic capital models, m anagem ent; (ii) risk-based pricing; (iii) custom er profitability
namely dependency modelling in credit risk, counterparty credit
analysis, custom er segm entation, and portfolio optim isation;
risk and interest rate risk in the banking book. These topics are and (iv) m anagem ent incentives.
given closer attention in this paper due to a combination of their
significance, inherent challenges and (with the exception of coun­ Credit Portfolio Management
terparty credit risk) partly because the topics are not covered in
Pillar 1 (minimum capital requirements) of the Basel II Framework. Credit portfolio m anagem ent refers to activities in which banks

Should the need arise, further work on other significant elements assess the risk/return profiles of credit portfolios and enhance

of economic capital may be undertaken in the future. their profitability through credit risk transfer transactions and/
or control of the loan approval process. In credit portfolio man­
Finally, it is worth noting that this work was initiated well before
agem ent, the creditworthiness of each borrower is assessed in
the market turmoil that began in August 2007. This paper there­ a portfolio setting. A loan with a higher stand-alone risk does
fore exam ines general issues that are deem ed to be relevant for
not necessarily contribute more risk to the portfolio. A loan's
econom ic capital modelling. It does not attem pt to analyse or
marginal contribution to the portfolio, as a result, is critical to
assess the perform ance of econom ic capital models during the assessing the concentration of the portfolio. Econom ic capital
market turmoil.
is a m easurem ent of the level of concentration. It is one of the
factors used to determ ine which hedging facilities to employ
in reducing concentration. According to the results presented
1 3 .4 U S E O F E C O N O M IC C A P IT A L in Rutter Associates LLC (2004), the use of credit portfolio
M EA SU RES AN D G O V ER N A N C E m anagem ent for reducing econom ic capital seem s to be less
dominant than for "m anagem ent of concentrations" and for
In order to achieve a common measure across all risks and busi­ "protection against risk deterioration."
nesses, econom ic capital is often param eterised as an amount
of capital that a bank needs to absorb unexpected losses over Risk-Based Pricing
a certain tim e horizon at a given confidence level. Because
The relevance of allocated econom ic capital for pricing certain
expected losses are accounted for in the pricing of a bank's
products (especially traditional credit products) is widely recog­
products and loan loss provisioning, it is only unexpected losses
nised. In theory, under the assumption of com petitive financial
that require econom ic capital. Econom ic capital analysis typically
m arkets, prices are exogenous to banks, which act as price-
involves an identification of the risks from certain activities or
takers and assess the expected return (ex ante) and/or perfor­
exposures, an attem pt to measure and quantify those risks, the
mance (ex post) of deals by means of risk-adjusted perform ance
aggregation of those risks, and an attribution or allocation of
m easures, such as the risk-adjusted return on capital (RARO C).
capital to those risks.
In practice, however, markets are segm ented. For exam ple, the
Historically, banks have followed a path in their use of eco­ market for loans can be viewed as com posed of a wholesale
nomic capital that begins with (i) business unit-level portfolio segm ent, where banks tend to behave more as price-takers,

Chapter 13 Range of Practices and Issues in Economic Capital Frameworks ■ 199


and a commercial banking segment, where, due to well-known market imperfections (e.g., information asymmetries, monitoring costs, etc.), banks have a greater ability to set prices for their customers.

From an operational point of view, the difference is not so straightforward, as decisions on deals will be based on ex ante considerations with regard to expected RAROC in a price-taking environment (leading to rejection of deals whose RAROC is below a given threshold) and on the proposal of a certain price (interest rate) to the customer in a price-setting environment. In both cases, decisions are driven by a floor (the minimum RAROC or minimum interest rate) computed according to the amount of economic capital allocated to the deal.

Risk-based pricing typically incorporates the variables of a value-based management approach. For example, the pricing of credit risk products will include the cost of funding (such as an internal transfer rate on funds), the expected loss (in order to cover loan loss allowances), the allocated economic capital, and extra-return (with respect to the cost of funding) as required by shareholders. Economic capital influences the credit process through the computation of a (minimum) interest rate considered to be adequate for increasing (or, at least, not decreasing) shareholders' value. Depending on the product and the internal rules governing the credit process, decisions regarding prices can sometimes be overridden. For example, this situation could occur because of consideration about the overall profitability of the specific customer relationship, or its desirability (e.g., due to reputational side-effects stemming from maintenance of the customer relationship, even when it proves to be no longer economically profitable). Generally, these exceptions to the rule are strictly monitored and require the decision be elevated to a higher level of management.

Customer and Product Profitability Analysis, Customer Segmentation and Portfolio Optimisation

Regardless of the role played by the bank as a price-taker or a price-maker, the process cannot be considered complete until feedback has been provided to management about the final outcome of the decisions taken. The measurement of performance can be extended down to the customer level, through the analysis of customer profitability. Such an analysis aims at providing a broad and comprehensive view of all the costs, revenues and risks (and, consequently, economic capital absorption) generated by each single customer relationship.

While implementation of this kind of analysis involves complex issues related to the aggregation of risks at the customer level, its use is evident in identifying unprofitable or marginally profitable customers who attract resources that could be allocated more efficiently to more profitable relationships. This task is generally accomplished by segmenting customers in terms of ranges of (net) return per unit of risk. Provided the underlying inputs have been properly measured and allocated (not a simple task as it concerns risks and, even more, costs), this technique provides a straightforward indication of areas for intervention in assessing customer profitability.

By providing evidence on the relative risk-adjusted profitability of customer relationships (as well as products), economic capital can be used in optimising the risk-return trade-off in bank portfolios.

Management Incentives

To become deeply engrained in internal decision-making processes, the use of economic capital needs to be extended in a way that directly affects the objective functions of decision-makers at the business unit level. This is achieved by influencing the incentive structure for business-unit management. Anecdotal evidence suggests that incentives are the most sensitive element for the majority of bank managers, as well as being the issue that motivates their getting involved in the technical aspects of the economic capital allocation process. However, evidence suggests that compensation schemes rank quite low among the actual uses of economic capital measures at the business unit level.

Enterprise-Wide or Group-Level Use

Economic capital provides banks with a common currency for measuring, monitoring, and controlling: (i) different risk types; and (ii) the risks of different business units. The risk types that are typically covered by banks' economic capital models are credit risk, market risk (including interest rate risk in the banking book—IRRBB) and operational risk. Concentration risk as an aspect of credit risk is also common. Other risks included are business/strategic risk, counterparty credit risk, insurance risk, real estate risk and model risk.

Quantitative approaches are generally applied to credit risk (including concentration and counterparty credit risk), market risk, interest rate risk in the banking book and operational risks. Strategic and reputational/legal risks are more likely to be assessed by non-quantitative approaches (with an exception being where reputational/legal risks are subsumed in operational risk). For these risks, no best practices have emerged so far within the industry. Challenges lie mainly in insufficient data and difficulties in modelling.

Some risks are viewed by banks as better covered by ensuring that internal control procedures are in order to mitigate risk
and/or prepare contingency funding plans (e.g., liquidity risk). Consequently, capital typically is not allocated for such risks.

Relative Performance Measurement

In order to assess relative performance on a risk-adjusted basis, banks calculate risk-adjusted performance measures, where economic capital measures play an important role. The most commonly used risk-adjusted performance measures are risk-adjusted return on capital (RAROC) and shareholder value added (SVA). Many banks calculate these measures at various levels of the enterprise (e.g., entity level, large business unit level and portfolio level). The major difference between these two measures is that RAROC is a relative measure, while SVA is an absolute measure. RAROC provides information which is useful in comparing the performances of two portfolios with the same amount of economic net income, but with substantially different economic capital measures.

One of the key issues in using both RAROC and SVA for performance measurement is how to set the hurdle rate that reflects the bank's cost of capital. In this regard practices vary across banks. Some banks set a single cost of capital (e.g., weighted average cost of capital or target return on equity—ROE) across all business units, while other banks set required returns that vary according to the risks of the business units.

Some banks use lower confidence levels for performance assessment of business units than for their enterprise-wide capital adequacy assessment. This approach is based on the view that economic capital measures calculated at high confidence levels focus on extreme events and do not always provide appropriate information for senior management. Calculation of risk-adjusted performance measures at the large business unit levels (e.g., wholesale banking, trading) is more commonly observed than at the smaller business unit levels. In calculating economic net income, one of the challenges is how to allocate profits and costs to each unit, if more than one unit contributes a profit-generating transaction or benefits from a cost-generating activity.

Banks use risk-adjusted performance measures in their performance assessment (e.g., comparing performance with a target, analysing historical performance) and compensation setting. Use of economic capital measures for risk-adjusted performance measures in a capital budgeting process is much more common practice than incorporating economic capital measures into the determination of compensation for business managers and staff.3

3 There are other risk-adjusted performance measures that could be used. Some of these measures include RORAC (return on risk-adjusted capital), ROCAR (return on capital at risk) and RAROA (risk-adjusted return on risk-adjusted assets). See Crouhy et al. (2006).

Capital Budgeting, Strategic Planning, Target Setting and Internal Reporting

Many banks allocate (hypothetical) capital to each business unit in their budgeting process, where economic capital measures play an important role. This process is also part of strategic planning (e.g., defining the bank's risk appetite) and target setting (e.g., profit, capital ratio or external rating). In order to facilitate business growth that improves risk-adjusted profitability, while operating within an overall risk appetite set by the board, many banks have established internal reporting/monitoring frameworks.

Generally, banks have a number of ways to conduct capital planning, most of which are not empirically-based, but instead are based on judgment and stress testing exercises. These include scenario analysis and sensitivity analysis, which introduce forward-looking elements into the capital planning process. That is, banks place more emphasis on qualitative rather than quantitative tools and expect to rely on management actions to deal with future events. It seems that banks take only a rough, judgmental approach to reviewing the performance and interaction of economic capital "demand" figures and available capital "supply" figures during times of stress. It does not appear that banks have a rigorous process for determining their capital buffers, although some banks systematically set their capital buffers at levels above regulatory minimums (about 120%-140%). Banks' capital planning scenarios differ by chosen time horizon, with some choosing one year, and others choosing three to five years. Banks usually look at adverse events that would affect the bank individually or would affect markets more broadly (a pandemic is one scenario chosen by some banks for the latter). Some banks stress certain parameters in their economic capital models (e.g., they shock PDs based on a severe recession scenario) to assess the potential impact on economic capital.

Acquisition/Divestiture Analysis

In corporate development activities, such as mergers and acquisitions, some banks use the targets' economic capital measures as one of the factors in conducting due diligence. However, the number of banks using economic capital measures for corporate development activities is relatively smaller than the number of those using economic capital measures for the other purposes described above. According to the results of the IFRI and CRO Forum (2007) survey, only 25% of participating banks use economic capital measures for corporate development activities, such as mergers and acquisitions. On the other hand, it seems that this approach is more often used for mergers and acquisitions in emerging markets, where information on the targets' market values is far less readily available.

External Communication

The major external communication channels where economic capital measures could be used include disclosure (e.g., annual reports, presentation materials for investors), dialogue with supervisory authorities and dialogue with rating agencies. Some banks disclose economic capital measures for each business unit and/or risk category and provide comparisons with allocated capital in their annual reports. Many more banks disclose this kind of information in other documents, such as presentation materials for investors.

Capital Adequacy Assessment

Economic capital is a measure of risk, not of capital held. As such, it is distinct from familiar accounting and regulatory capital measures. Nevertheless, banks have extended the use of this enterprise-wide metric beyond performance measurement and strategic decision-making to include an assessment of the adequacy of the institution's overall capitalisation. This practice is commonly observed at banks, including those whose economic capital implementation is in the earlier stages of development.

The comparison of an internal assessment of capital needs against capital available is part of banks' overall ICAAP. Large banks (which are likely to adopt internal ratings-based—IRB—approaches under Basel II) tend to use an economic capital model for their ICAAP, whereas some smaller banks primarily use the minimum regulatory capital numbers for the ICAAP. Some of these banks adjust the Pillar 1 numbers (using multiples of the regulatory capital requirements, using different model parameters, looking at different confidence levels, etc.). Beyond risks that feature in regulatory capital computations, approaches are rather heterogeneous. Larger banks may use economic capital models for quantifiable risks while relying upon more subjective approaches for less quantifiable risks like reputational risk. Traditional economic capital methods are used in some cases to calculate risks beyond minimum regulatory capital requirements. In other cases, stress tests based on scenario analysis are used (e.g., for IRRBB).

Governance

The corporate governance and control framework surrounding economic capital processes is an important indicator of the reliability of economic capital measures used by banking institutions. Important parts of an effective economic capital framework include strong controls for making changes in risk measurement techniques, thorough documentation regarding risk measurement and allocation methodologies and assumptions, sound policies to ensure that economic capital practices adhere to expected procedures, and the meaningful application of economic capital measures to day-to-day business decision-making. Moreover, the viability of a bank's economic capital processes depends critically on the existence of a credible commitment on the part of senior management to the process. In order for this to occur, however, senior management must recognise the importance of using economic capital measures in running the bank's business.

This section examines the current range of practices with regard to governance in the following areas: (i) senior management involvement and experience in the economic capital process; (ii) the unit involved in the economic capital process, e.g., risk management, strategy planning, treasury, etc. and its level of knowledge; (iii) the frequency of economic capital measurements; and (iv) policies, procedures, and approvals relating to economic capital model development, validation, on-going maintenance and ownership.

Senior Management Involvement and Experience in the Economic Capital Process

The most widely cited reasons for adopting an economic capital framework are to improve strategic planning, define risk appetite, improve capital adequacy, assess risk-adjusted business unit performance and set risk limits. For those institutions that have adopted or plan to adopt economic capital, the risk management team, senior management, supervisors and the board of directors were the most influential parties behind the decision. However, not all banks choose to adopt an economic capital framework, citing difficulties inherent in collecting and modelling data on infrequent and often unquantifiable risk at extremely high confidence levels.

There are clear signs that acceptance of the role played by economic capital is increasingly embedded in the business culture of banks, driven both by industry progress and supervisory pressure. In addition, banks now seem to be broadly comfortable with the accuracy of the economic capital measures. This has resulted in increased use of economic capital in management applications and business decisions, as well as use in discussions with external stakeholders.

The barriers to the successful implementation of economic capital vary widely. However, according to the PricewaterhouseCoopers Survey (2005) only 14% of respondents cite lack of support from senior management as a barrier to successful implementation of an economic capital framework.4

4 Among the other barriers selected by respondents, 64% cite difficulty of integrating economic capital within management decision-making; 62% cite difficulty in quantifying certain risk types; 59% cite problems with data integrity; 31% cite lack of incentives for specific business lines and product areas to co-operate; 23% cite lack of in-house expertise; and 23% cite uncertainty regarding supervisors' attitudes toward economic capital.

Unit Involved in the Economic Capital Process and Its Level of Knowledge

There is a wide range of organisational governance structures responsible for the economic capital framework at banking institutions. These governance structures range from involving highly concentrated responsibilities to involving highly decentralised responsibilities. For example, some banking institutions house a centralised economic capital unit within corporate Treasury, with formal responsibilities. However, components of the overall economic capital model or some parameters are outside the direct control of the economic capital owner. Other banks share responsibility for the economic capital framework between the risk function and the finance function, while others have a more decentralised structure, with responsibilities spread among a wider range of units.5

5 According to the IFRI and CRO Forum (2007) survey, about 80% of the economic capital work is undertaken centrally, and about 20% by the business units. About 60% of the banks participating in the survey have economic capital functions that report directly to the Chief Risk Officer, while others have reporting lines to the Chief Financial Officer or the Corporate Treasury.

Once capital has been allocated, each business unit then manages its risk so that it does not exceed its allocated capital. In defining units to which capital is allocated, banks sometimes take into account their governance structure. For example, banks that delegate broader discretion to business unit heads tend to allocate capital to the business unit, leaving the business unit's internal capital allocation within the business line's control. On the other hand, management is likely to be more involved in the allocation of capital within business units if the bank's governance structure is more centralised. There seems to be divergence in the approach to this process. Some banks prefer rigid operation, where allocation units adhere to the original capital allocation throughout the budgeting period. On the other hand, other banks prefer a more flexible framework, allowing reallocation of capital during the budgeting period, sometimes with thresholds that trigger reallocation before consuming all the allocated capital.

Frequency of Economic Capital Measurements and Disclosure

Economic capital calculations have a strong manual component and data quality is a prominent concern. Hence, most banks calculate economic capital on a monthly or quarterly basis.

Implementation of Basel II has fostered public disclosure of quantitative information on economic capital measures among banks. Although disclosure of quantitative economic capital measures is not mandatory under Pillar 3 (market discipline) of Basel II, the aim of Pillar 3 is to encourage market discipline by accurately conveying the actual financial condition of banks to the market. In addition to quantitative economic capital measures, qualitative information on the governance surrounding the economic capital framework of banks is becoming more important, since external market participants take into account the sophistication of the economic capital framework and bank management in their assessments of banks.

Policies, Procedures, and Approvals Relating to Economic Capital Model Development, Validation, On-Going Maintenance and Ownership

Most banks have formalised policies and procedures for economic capital governance and analytics to ensure the consistent application of economic capital across the enterprise. For those banks that have adopted enterprise-wide policies and procedures, it is the responsibility of the business units to ensure that those policies and procedures are being followed. Some institutions that do not have formal policies and procedures have economic capital processes and analytics (e.g., coverage of off-balance sheet items, confidence level and holding period) that are inconsistent across organisational units.

Change-control processes for economic capital models are generally less formalised than for pricing or risk management models. They typically leverage off change-control processes of the underlying models and parameters. Changes to economic capital-specific methodologies (e.g., aggregation methodologies) are managed by the bank's economic capital owner, and may not be the same as the change control processes in other areas of the banking institution. Diagnostic procedures are typically run after an economic capital model change. Some banks require responsible parties to sign off on any changes to methodology. However, formalised validation processes after changes, or internal escalation procedures in the event of unexpectedly large differences in the economic capital numbers, are uncommon.

Some banks specifically name an owner of the economic capital model. Typically, the owner provides oversight of the economic capital framework. However, few formal responsibilities are assigned to the owner other than ensuring reports from all model areas are received in a timely manner and mechanically aggregating the individual components of the economic capital framework into a report.

Supervisory Concerns Relating to Use of Economic Capital and Governance

Senior management needs to ensure that there are robust controls and governance surrounding the entire economic capital process. There are several supervisory concerns relating to the
use of economic capital measures and governance surrounding the economic capital framework.

Standard for Absolute versus Relative Measures of Risk

The robustness and conservativeness of economic capital as an estimate of risk becomes more important when a bank extends the use of measures designed initially as a common metric for relative risk measurement and performance to the determination of the adequacy of the absolute level of capital. Critical issues include: (i) comprehensive capture of the risks by the model; (ii) diversification assumptions; and (iii) assumptions about management actions.

Comprehensive Capture of Risks

The types of risk that are included in economic capital models and the ICAAP vary across banks in a given country as well as across countries (partly because some risk types are more pronounced in some countries). Risks that the economic capital model cannot easily measure may be considered as a separate judgmental adjustment in the ICAAP. Whether a risk type is included in the ICAAP may depend on the risk profile of the individual bank, and whether the individual bank regards these risks as material.

There can be variation between banks in the risks covered by their economic capital models, since an identically named risk type may be defined differently across banks and across countries. The term business risk, for example, is sometimes confused with or lumped together with less quantifiable legal and reputational risk.

Diversification Assumptions

In most cases, intra-risk diversification assumptions are built into the models for individual risk types. For inter-risk diversification assumptions, current practices vary among banks and the banking industry does not seem to have agreed on best practices. Thus, the methods remain preliminary and require further analysis. In light of the uncertainty in estimating diversification effects, especially for inter-risk diversification, due consideration for conservatism may be important. The issue of inter-risk diversification is addressed in detail later in the chapter and intra-risk diversification (within portfolio credit risk modelling) is discussed in Annex I.

Assumptions about Management Actions

In some banks, potential management actions are taken into account in economic capital models. However, one of the main reasons that banks do not include management actions in their economic capital models is that these actions are difficult to model. Even if management actions are not explicitly included in economic capital models due to unreliability, banks would nevertheless prepare for them via contingency plans in stress situations.

Potential management actions are grouped into two categories: (i) those actions that increase capital supply; and (ii) those actions that reduce capital demand. Examples of the former are raising new capital, reducing costs and cutting dividends. Examples of the latter include reducing new investment or selling assets with positive risk weights. In addition to explicit actions, actions may be implicitly accounted for in the economic capital model itself. In measuring market risk, for example, some assumptions may be made to adjust the short time horizon in the model to the typically longer time horizon used in an economic capital framework.

Finally, banks do not seem to take into account constraints that could impede the effective implementation of management actions. Such constraints may relate to legal issues, reputational effects, and cross-border operations. Further analysis of the range and plausibility of these built-in assumptions about management action, particularly in times of stress, may be warranted.

Role of Stress Testing

Currently, many banks apply stress tests, including scenario analysis and sensitivity analysis, to individual risks, although the framework and procedures still need to be improved. The use of integrated stress tests is gradually becoming more widespread in the industry, probably reflecting the need to assess the impact of stress events on overall economic capital measures and to provide complementary estimates of capital needs in the context of ICAAP. At present, there exists wide variation among banks in the level and extent of integrated stress tests being utilised. In general, however, practices are still in the development stage.

Stress test results do not necessarily lead to additional capital. Rather, it seems more common that stress tests are used to confirm the validity of economic capital measures, to provide complementary estimates of capital needs, to consider contingency planning and management actions, and gradually to formulate capital planning. In some cases, banks use stress tests to determine the effects of stressed market conditions on earnings rather than on economic capital measures.

Economic Capital Should Not Be the Sole Determinant of Required Capital

In general, both rating agencies and shareholders influence the level of a bank's capital, with the former stressing higher
capital for solvency and the latter lower capital for profitability. Banks also look to peers in targeting their capital ratios. Nearly all large, internationally active banks set their economic capital solvency standard at a level they perceive to be required to maintain a specific external rating (e.g., AA). Banks tend to look to peers in choosing external ratings and associated solvency standards. There is not a lot of evidence that bank counterparties have an impact on capital levels, other than indirectly through the need to deal with institutions having an acceptably high external rating. Many banks claim to target a high external rating because of their desire to access capital and derivatives markets.

Definition of Available Capital

There is no common definition of available capital across banks, either within a country or across countries. Some of the confusion surrounding the notion of available capital may arise from the fact that economic capital has its origin in assessing relative profitability for the shareholder on a risk-adjusted basis. To the extent that a bank recognises its capital needs are not limited by the more quantifiable risks in its economic capital model, the broader it may choose to define available capital.

While no common definition of available capital exists, there are several elements that many banks have in common with regard to their available capital. At the root of many banks' definitions of available capital are tangible equity, tier 1 capital or capital definitions used by rating agencies. In order to cover losses at higher levels of confidence, some banks consider capital instruments that may be loss-absorbing, more innovative or uncertain forms of capital such as subordinated debt. Among the various items that can be included in the definition of available capital (some of them included in the regulatory definition of capital) are common equity, preferred shares, adjusted common equity, perpetual non-cumulative preference shares, retained earnings, intangible assets (e.g., goodwill), surplus provisions, reserves, contributed surplus, current net profit, planned earnings, unrealised profits and mortgage servicing rights.

This range of practices is confirmed by the IFRI and CRO Forum (2007) survey of enterprise-wide risk management at banks and insurance companies, which found 80% of participants adjusted their tier 1 capital in arriving at available capital resources against which economic capital was compared.

Banks do not limit themselves to a single capital measure. Some banks manage their capital structure against external demands, such as regulatory capital requirements or credit rating agency expectations. Often banks' definition of capital aligns with the more tangible capital measures such as those used by rating agencies and are, therefore, more restrictive than regulatory definitions of capital.

Senior Management Commitment to the Economic Capital Process

The viability and usefulness of a bank's economic capital processes depend critically on the existence of credible commitment or "buy-in" on the part of senior management to the process. In order for this to occur, senior management must recognise the importance of using economic capital measures in conducting the bank's business and capital planning. In addition, adequate resources must be committed to ensure the existence of a strong, credible infrastructure to support the economic capital process.

Transparency and Meaningfulness of Economic Capital Measures

Economic capital model results need to be transparent and taken seriously in order to be useful to senior management for making business decisions and for risk management. The level of documentation and integrity of calculations and model version control increase with the scope and significance of economic capital models in a bank's decision-making process. Internal transparency is a necessary condition for internal acceptance and use.

13.5 RISK MEASURES

While risk is a notion with a clear intuitive meaning, it is less clear how risk should be quantified. Current practice in banks commonly involves trying to identify ways to characterise entire loss distributions (i.e., going beyond estimating selected moments of the loss distribution, such as the mean and standard deviation), resulting in a wide range of potential risk measures that may be used. The choice of risk measure has important implications for the assessment of risk. For example, the choice of risk measure could have an impact on the relative risk levels of asset classes and thus on the bank's strategy. Comparisons between ICAAP measures of capital under Pillar 2 with minimum regulatory capital requirements under Pillar 1 should consider the impact of using different measures of risk in the two approaches.

Desirable Characteristics of Risk Measures

An ideal risk measure should be intuitive, stable, easy to compute, easy to understand, coherent and interpretable in economic terms. Additionally, risk decomposition based on the risk measure should be simple and meaningful.

Intuitive: The risk measure should meaningfully align with some intuitive notion of risk, such as unexpected losses.

Stable: Small changes in model parameters should not produce large changes in the estimated loss distribution and the risk
measure. Similarly, another run of a simulation model in order to generate a loss distribution should not produce a dramatic change in the risk measure. Also, it is desirable for the risk measure not to be overly sensitive to modest changes in underlying model assumptions.

Easy to compute: The calculation of the risk measure should be as easy as possible. In particular, the selection of more complex risk measures should be supported by evidence that the incremental gain in accuracy outweighs the cost of the additional complexity.

Easy to understand: The risk measure should be easily understood by the bank's senior management. There should be a link to other well-known risk measures that influence the risk management of a bank. If not understood by senior management, the risk measure will most likely not have much impact on daily risk management and business decisions, which would limit its appropriateness.

Coherent: The risk measure should be coherent and satisfy the conditions of: (i) monotonicity (if a portfolio Y is always worth at least as much as X in all scenarios, then Y cannot be riskier than X); (ii) positive homogeneity (if all exposures in a portfolio are multiplied by the same factor, the risk measure also multiplies by that factor); (iii) translation invariance (if a fixed, risk-free asset is added to a portfolio, the risk measure decreases to reflect the reduction in risk); and (iv) subadditivity (the risk measure of two portfolios, if combined, is always smaller than or equal to the sum of the risk measures of the two individual portfolios). Of particular interest is the last property, which ensures that a risk measure appropriately accounts for diversification.6

Simple and meaningful risk decomposition (risk contributions or capital allocation): In order to be useful for daily risk management, the risk measured for the entire portfolio must be able to be decomposed into smaller units (e.g., business lines or individual exposures). If the loss distribution incorporates diversification effects, these effects should be meaningfully distributed to the individual business lines.

Types of Risk Measures

In practical applications, a wide range of risk measures is used. This section examines standard deviation, value-at-risk (VaR), expected shortfall (ES), and spectral and distorted risk measures.7 All the risk measures have strengths and weaknesses, since no single measure can capture all the complex elements of risk measurement. As such, there is no ideal risk measure. Table 13.1 presents (with some degree of subjective judgment) the characteristics of the main types of risk measures.

In practice, VaR and ES are the two most widely used risk measures. While VaR is more easily explained and understood, it may not always satisfy the subadditivity condition, and this (lack of coherence) can cause problems in banks' internal capital allocation and limit setting for sub-portfolios.8 ES, on the other hand, is coherent, making capital allocation and internal limit setting consistent with the overall portfolio measure of risk. However, ES does not lend itself to easy interpretation and does not afford a clear link to a bank's desired target rating. A newer class of risk measures, known as spectral and distorted risk measures, allows for different weights to be assigned to the quantiles of a loss distribution, rather than assuming equal weights for all observations, as is the case for ES.9

Banks typically use several of the aforementioned risk measures, and sometimes different measures for different purposes. However, VaR is the most widely used risk measure. Some banks use VaR for measuring the absolute risk level, but increasingly ES is used (at a confidence level consistent with overall VaR) for capital allocation within the bank. The argument is often made that VaR as an absolute risk measure or loss limit is still easier to communicate to senior management due to its link to a bank's target rating. On the other hand, ES is a more stable measure than VaR with respect to allocating the overall portfolio capital to individual facilities. ES is a loss measure estimated given a loss range in the tail of the loss distribution, while VaR is a loss measure estimated given a particular point in the tail of the loss distribution. It should be noted that, while a bank may use different risk measures, these measures are typically based on the same estimated loss distribution.

6 See Artzner et al. (1997) on coherent risk measures for a complete discussion.

7 See Hull (2007) for a detailed discussion of the various risk measures.

8 VaR is subadditive for elliptical distributions, such as the Gaussian (or normal) distribution, whereas it is not subadditive for non-elliptical distributions. The non-subadditivity of VaR can occur when assets in portfolios have very skewed loss distributions; when the loss distributions of assets are smooth and symmetric, but their dependency structure or copula is highly asymmetric; and when underlying risk factors are independent but very heavy-tailed. The lack of subadditivity for VaR is probably more of a concern for credit risk and operational risk than for market risk, where an elliptical model may be a reasonable approximate model for various kinds of risk-factor data. For a detailed discussion, see McNeil et al. (2005). Many practitioners note, however, that the technical reservations concerning VaR are mainly academic in nature and that the problems described are encountered by banks only rarely in practice.

9 Spectral and distorted risk measures are not widely used in practice and are currently largely of academic interest.
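To make the subadditivity and monotonicity conditions concrete, here is an added example (not code from the BCBS paper or this text) that computes VaR, ES and standard deviation on constructed discrete loss distributions: two independent loans that each lose 100 with 4% probability, evaluated at a 95% confidence level, plus a pair of portfolios that exposes the monotonicity failure of standard deviation listed in Table 13.1.

```python
"""Added example: VaR can violate subadditivity while ES does not, and
standard deviation violates monotonicity. Loss distributions are discrete
dicts {loss: probability}; positive numbers are losses, negative are gains.
All figures are constructed for illustration."""
from itertools import product


def var(dist, alpha):
    """VaR at confidence level alpha: the smallest loss x with P(L <= x) >= alpha."""
    cum = 0.0
    for loss in sorted(dist):
        cum += dist[loss]
        if cum >= alpha - 1e-12:
            return loss
    return max(dist)


def expected_shortfall(dist, alpha):
    """ES at level alpha: average loss in the worst (1 - alpha) share of the
    distribution, splitting the probability atom at the VaR point if needed."""
    tail = 1.0 - alpha
    remaining = tail
    total = 0.0
    for loss in sorted(dist, reverse=True):
        p = min(dist[loss], remaining)
        total += loss * p
        remaining -= p
        if remaining <= 1e-12:
            break
    return total / tail


def std_dev(dist):
    """Standard deviation of the loss distribution."""
    mean = sum(l * p for l, p in dist.items())
    return sum(p * (l - mean) ** 2 for l, p in dist.items()) ** 0.5


def convolve(d1, d2):
    """Loss distribution of the pooled portfolio of two independent exposures."""
    out = {}
    for (l1, p1), (l2, p2) in product(d1.items(), d2.items()):
        out[l1 + l2] = out.get(l1 + l2, 0.0) + p1 * p2
    return out


# Constructed: one loan loses 100 with probability 4%, otherwise nothing.
LOAN = {0: 0.96, 100: 0.04}
ALPHA = 0.95


def subadditivity_check(measure, alpha=ALPHA):
    """Return (sum of stand-alone measures, pooled measure, subadditivity holds).
    At 95% each loan alone has VaR 0 (default sits inside the 5% tail), but
    the pooled book has VaR 100: the measure of the sum exceeds the sum of
    the measures, the situation footnote 8 describes for skewed losses."""
    standalone = measure(LOAN, alpha) + measure(LOAN, alpha)
    pooled = measure(convolve(LOAN, LOAN), alpha)
    return standalone, pooled, pooled <= standalone + 1e-9


# Constructed: X never gains or loses; Y always gains (negative loss).
X = {0: 1.0}
Y = {-50: 0.5, -10: 0.5}


def monotonicity_check():
    """Y is worth at least as much as X in every scenario, so a monotone
    measure must not rank Y as riskier. Standard deviation does."""
    return std_dev(X), std_dev(Y), std_dev(Y) <= std_dev(X)


if __name__ == "__main__":
    print("VaR:", subadditivity_check(var))              # (0, 100, False)
    print("ES: ", subadditivity_check(expected_shortfall))  # (160.0, 103.2, True)
    print("Std dev monotonicity:", monotonicity_check())   # (0.0, 20.0, False)
```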

206 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 13.1 Risk Measures

Columns: Standard Deviation / VaR / Expected Shortfall / Spectral and Distorted Risk Measures

Intuitive: Sufficiently intuitive / Yes / Sufficiently intuitive / No (involves choice of spectrum or distortion function)

Stable: No, depends on assumptions about loss distribution / No, depends on assumptions about loss distribution / Depends on the loss distribution / Depends on the loss distribution

Easy to compute: Yes / Sufficiently easy (requires estimate of loss distribution) / Sufficiently easy (requires estimate of loss distribution) / Sufficiently easy (weighing of loss distribution by spectrum/distortion function)

Easy to understand: Yes / Yes / Sufficiently understandable / Not immediately

Coherent: Violates monotonicity / Violates subadditivity (for non-elliptical loss distributions) / Yes / Yes

Simple and meaningful risk decomposition: Simple, but not very meaningful / Not simple, might induce distorted choices / Relatively simple and meaningful / Relatively simple and meaningful
Calculation of Risk Measures

Confidence Level

In their internal use of risk measures, banks need to determine an appropriate confidence level for their economic capital models that may vary for different business models. The bank's target rating plays an important role in the choice of confidence level.

The link between a bank's target rating and the choice of confidence level may be interpreted as the amount of economic capital that must be exceeded by available capital resources to prevent the bank from eroding its capital buffer at a given confidence level. According to this view, which can be interpreted as a going concern view, capital planning is seen more as a dynamic exercise than a static one, where it is the probability of eroding such a buffer (rather than all available capital) that is linked to the target rating. This would reflect the expectation (by analysts, rating agencies and the market) that the bank operates with capital that exceeds the regulatory minimum requirement.

Establishing the link between a bank's target rating and the choice of confidence level, however, is far from being an easy exercise. It involves the mapping between ratings and PDs, which can change depending on the rating agency scale adopted, and it suffers from significant statistical noise, especially at the higher rating grades which are typically targeted by banks. Banks can use a range of confidence levels for the same target rating, with overlaps between different rating classes. For example, the IFRI and CRO Forum (2007) survey found that PDs mapped to an AA target rating range from two to seven basis points, while the range for an A target rating is four to ten basis points.

Apart from considerations about the link to a target rating, the choice of a confidence level might differ based on the question to be addressed. On the one hand, high confidence levels reflect the perspective of creditors, rating agencies and supervisors in that they are used to determine the amount of capital required to minimise bankruptcy risk. On the other hand, banks may use lower confidence levels for management purposes in order to allocate capital to business lines and/or individual exposures and to identify those exposures that are critical for profit objectives in a normal business environment. Consequently, banks typically use different confidence levels for different purposes.

Another interesting aspect of the internal use of different risk measures is that the choice of risk measure and confidence level heavily influences relative capital allocations to individual exposures or portfolios. In short, the farther out in the tail of a loss distribution, the more relative capital gets allocated to concentrated exposures. As such, the choice of the risk measure as well as the confidence level can have a strategic impact, since some portfolios might look relatively better or worse under risk-adjusted performance measures than they would based on an alternative risk measure.



Time Horizon

All risk measures depend on the time horizon used in their measurement. The choice of an appropriate time horizon depends on a range of factors: the liquidity of the bank's assets under consideration; the risk management needs of the bank; the bank's standing in the markets; the risk type, etc. Market risk is typically estimated over a very short time horizon (days or weeks). In contrast, credit risk is typically measured using a one-year time horizon, while an even longer time horizon may be appropriate for other portfolios (e.g., project finance). The choice of time horizon is also influenced by regulatory requirements. For example, a one-year time horizon is specified for operational risk, while a 10-day time horizon is specified for general and specific market risk.

The heterogeneity of time horizons used in risk measurement poses an important challenge to banks in aggregating economic capital across different risk types. According to the IFRI and CRO Forum (2007) survey, about 80% of participants use a time horizon of one year for their economic capital calculations, with the remainder using various time horizons.

Aggregation/Decomposition

Measurement of risk is typically performed at the portfolio level. However, the ability to easily and sensibly aggregate and decompose risks is an important feature of any risk measure. In order to be effectively used, risk measures should be flexible and able to be computed at either a broad or narrow level. More specifically:

• Decomposition: Within a portfolio, risk needs to be decomposed in order to establish for each subset (e.g., positions assigned to each desk) its risk contribution (taking into account any diversification effects). Decomposition of risk is fundamental for capital allocation, limit setting, pricing of products, risk-adjusted performance measurement and value-based management.

• Aggregation: Adopting a wider point of view, risks arising from several portfolios need to be aggregated in order to convey a representation of risk at the business unit or entity level. Aggregation also deals with different types of risk (credit, market, operational, liquidity, legal, etc.). Typically, the outcome of risk aggregation is the bank's total economic capital.

Supervisory Concerns Relating to Risk Measures

From a supervisory point of view, there is no obvious preference for one risk measure over another among the measures most widely used for calculating economic capital. Rather, supervisors should consider the advantages and disadvantages of the risk measure used at each bank. Stability in computation is an important issue, as the calculation of risk measures typically involves the use of simulation techniques. The ability to easily and sensibly aggregate and decompose risk also determines the effective use of risk measures in the bank. The degree to which economic capital is engrained in the decision-making processes is strongly affected by the availability of a broad assessment of risks at the senior management level, where strategic decisions are made with respect to capital management. In contrast, more granular measures of risk are needed at the risk-taking levels where economic capital is likely to influence operational decisions through factors such as capital allocation, limit setting, and performance measurement.

While each bank chooses both the risk measure and the confidence level it deems most appropriate for its economic capital purposes, the bank must be able to provide a convincing economic rationale for the choice. If different risk measures and/or confidence levels are used for external and internal management purposes, a clear and convincing link must be established between the two risk measures.

Supervisors should be aware of differences between internal and regulatory measures of capital that stem from different risk measures and/or confidence levels and take these into account when evaluating a bank's ICAAP. A simple comparison of internal and regulatory capital figures will not tell supervisors much about the underlying risks in a bank's portfolio.

13.6 RISK AGGREGATION

Typically, economic capital is calculated using an approach that first assesses individual risk components, and then proceeds to aggregate these components up to the level of the entire bank. The aggregation process is characterised by identification of the individual risk types and by the methodological choices made in aggregating these risk types.

Aggregation Framework

Risk aggregation begins with a classification of risk types that are combined to produce the overall economic capital measure. Banks typically classify risk into different types along two dimensions: (i) the economic nature of the risk (market risk, credit risk, operational risk, etc.); and (ii) the organisational structure of the bank (along business lines or legal entities).

In contrast to classification along organisational lines, which presents few conceptual difficulties, classification along risk types can be imprecise. Definitions of risk types may differ

across institutions, or even across portfolios within a single banking organisation, often reflecting the nature of the bank's business or the degree of sophistication of its risk measurement. As discussed below, this imprecision has implications for the aggregation process.

The following list provides a brief description of the main categories into which the typical framework classifies risks.

Market risk: Refers to portfolio value changes due to changes in rates and prices that are perceived as exogenous from the viewpoint of the bank. These comprise exposures to asset classes such as equities, commodities, foreign exchange and fixed-income, as well as to changes in discount factors such as the risk-free yield curve and risk premiums. A specific type of market risk is IRRBB, which stems from repricing risk (arising from differences in the maturity and repricing terms of customer loans and liabilities), yield curve risk (stemming from asymmetric movements in rates along the yield curve), and basis risk (arising from imperfect correlation in the adjustment of the rates earned and paid on different financial instruments with otherwise similar repricing characteristics). IRRBB also arises from the embedded option features of many financial instruments on banks' balance sheets.

Credit risk: Refers to portfolio value changes due to shifts in the likelihood that an obligor (or counterparty) may fail to deliver cash flows (principal and interest) as previously contracted. The distinction between market and credit risk, while fairly clear on the surface, is less so in practice since individual exposures typically contain elements of both risks. For example, prices of corporate bonds can vary because of changes in the perceived likelihood of issuer default but also because of shifts in the risk-free yield curve. In addition, credit and market risk factors can interact in ways that complicate the distinction between the two (see the next section).

Operational risk: Refers to the risk of loss associated with human or system failures, as well as fraud, natural disaster and litigation. While not a pure economic risk, it does represent losses (either outright outlays or foregone earnings) from all types of activity in which banks engage, and it is indirectly linked to the level, intensity and complexity of these activities.

Business risk: Captures the risk to the firm's future earnings, dividend distributions and equity price. In leading practice banks, business risk is more clearly defined as the risk that volumes may decline or margins may shrink, with no opportunity to offset the revenue declines with a reduction in costs. For example, business risk measures the risk that a business may lose value because its customers sharply curtail their activities during a market downturn or because a new entrant takes market share away from the bank. Moreover, this risk increasingly extends beyond balance-sheet items to fee-generating services, such as origination, cash management, asset management, securities underwriting and client advisory services.

For business or (local) regulatory reasons, some banks may choose to distinguish individual types of risk within the listed categories. For example, they may isolate real estate risk, or pension risk. Some banks may also distinguish other risk types such as liquidity risk and legal risk.

Range of Practices in the Choice of Risk Types

All the risk types discussed above can be simultaneously present in a bank's portfolio. For example, a traded bond portfolio will have an important credit and market risk component, as well as operational risk related to the efficiency of trading execution and settlement. In practice, however, risks are often measured by reference to different lines of business and/or portfolios. A loan portfolio that is held to maturity and managed on an accrual accounting basis is often considered as representing credit risk and not market risk. By contrast, a trading portfolio of credit derivatives is often taken to represent mainly market risk by virtue of its containing actively traded exposures that are marked-to-market.

The majority of banks prefer to aggregate risk initially into silos by risk type across the entire bank before combining the silos. This approach, however, is by no means the only approach followed, with the business unit silo approach preferred by other banks. Some banks use a mixed approach, which combines elements of both approaches. This practice is observed where either particular business units or risk exposures are too small to be meaningfully measured separately.

Grouping risks first across homogeneous risk types has the benefit of addressing these questions at a single stage and in a centralised and potentially more consistent way. By comparison, grouping risks first by business unit leverages the existing organisational structures within the bank and deals with inter-risk relationships at an earlier stage of aggregation.

Aggregation Methodologies

The risk aggregation methodology used by a bank has two (interrelated) components: the choice of the unit of account and the approach taken to combining risk components.

The Unit of Account

Before risk types are aggregated into a single measure, they need to be expressed in comparable units, often referred to as a common risk currency. Meaningful aggregation requires that the underlying risk measures conform to each other, especially when



they relate to single-number summaries of the corresponding risk distributions. There are three main characteristics of the unit of risk accounting.

Risk metric: The choice of the risk metric for economic capital depends on the metrics that are used in the quantification of different risk components. In particular, whether the chosen metric satisfies the subadditivity property is relevant for quantifying diversification across risk types.10

Confidence level: The fact that the loss distributions for different risk types are typically assumed to have different shapes (i.e., different families of probability distributions are assumed to better capture the characteristics of different types of risk) may also suggest a difference in terms of the relevant confidence levels. For example, long-tailed risk distributions would suggest using higher confidence levels. Lack of harmonisation in terms of the choice of confidence level creates additional complexity in aggregation approaches.11 Moreover, the choice of confidence level can influence the ranking of risks, since risk types that have a loss distribution with a longer loss tail tend to dominate as the confidence level increases.

Time horizon: The choice of the horizon over which risk is measured is one of the thorniest issues in risk aggregation. Business practice, accounting standards and regulatory requirements combine to imply that different types of risk are managed over different horizons. Traded portfolios are managed over horizons that are typically measured in days. Less liquid exposures, such as loans, are managed over longer horizons of one year or longer.12 Combining risk measures that have been calculated on the basis of different horizons is problematic regardless of the specific methodology used. The conflict between business practices and risk aggregation requirements is typically resolved by using a common (usually one-year) horizon. This means that time aggregation of certain types of risk (most often market risk) is necessary, using scaling-up methods such as the square-root-of-time rule. It should be noted that there is no conceptual inconsistency in the use of different horizons for risk measurement and EC purposes, on the one hand, and for the actual management of underlying exposures, on the other. Decisions related to the management of portfolios are based on the characteristics of the exposures (including their liquidity) and on the purpose for which they are held. However, for the purpose of risk measurement and, especially, risk aggregation, the use of different horizons will result in improper comparisons between risk components. The difficulty that arises for the latter purposes can be overcome by methods similar to the constant-level-of-risk-over-a-common-horizon approach outlined in the consultative paper of the BCBS on computing incremental risk in the trading book.13

Inter-Risk Diversification

The way that individual risks are combined relates closely to the scope of inter-risk diversification, namely to the notion that the combination of two portfolios would result in lower risk per unit of investment in the combined portfolio than the (weighted) average of the two component portfolios. The basic intuition stems from the fact that the variance of the pooled portfolio's return will be no greater (and typically smaller) than that of a similarly sized portfolio which is exposed to only one or the other risk factor. This logic carries over to measures of risk that are directly related to variance.

In the context of risk aggregation across different portfolios or business units, some of the assumptions that underpin the above logic may fail to hold. One issue is purely technical and relates to the choice of VaR as a metric, because it can fail to satisfy the subadditivity property. That is, it is possible for the VaR of a pooled portfolio to be higher than the sum of the VaRs of the individual constituent portfolios.

A more important reason why aggregate risk may be larger than the sum of its components is independent of the choice of metric (i.e., it applies to metrics other than VaR) and relates to the economic underpinnings of the portfolios that are pooled. The logic outlined above assumes that covariance (a linear measure of dependence) fully captures and summarises the dependencies across risks. While this may be a reasonable approximation in many cases, there are instances where the risk interactions are such that the resulting combination may represent higher, not lower, risk. For example, measuring separately the market and credit risk components in a portfolio of foreign currency denominated loans can underestimate risk, since probabilities of obligor default will also be affected by fluctuations in the exchange rate, giving rise to a compounding effect.14 Similar types of

10 See the section on risk measures for a more detailed discussion of the properties of different metrics of risk.

11 More sophisticated methods that use full simulation approaches or those that describe the entire loss distribution (such as those based on copulas) would not be influenced by this choice.

12 Even with the same time horizon for default, the practice of active credit portfolio management can result in the use of point-in-time default probabilities for day-to-day risk management with through-the-cycle estimates for economic capital computations.

13 Basel Committee on Banking Supervision (2009).

14 See Breuer et al. (2008) for further details. The forthcoming working paper on the "Interactions between market and credit risk" produced by the Research Task Force of the Basel Committee also offers an elaboration on this set of issues.

"wrong-way" interactions could occur in the context of portfolio positions that may be simultaneously affected by directional market moves and the failure of counterparties to a hedging position.15 From a more "macro" perspective, asset price volatility often interacts with the risk appetite of market participants and feeds back to market liquidity, leading to a magnification of risk rather than diversification.

A final issue that relates to the degree of diversification has to do with the granularity of the classification system of risks. The more granular the classification system (i.e., the finer the system of categories into which risk is slotted), the more reduced should be the scope for intra-risk diversification and the higher the scope for inter-risk diversification. For example, holding everything else equal, some of the overall diversification between the retail and wholesale credit portfolios of a bank will be subsumed in the measure of overall credit risk for a bank that does not distinguish between the two types of risk in its economic capital framework, while it will be picked up by the aggregation process in the case that the bank maintains a separation between the two components until the final aggregation stage.

Typically Used Aggregation Methodologies

Banks differ in their choice of methodology for the aggregation of economic capital. The list below provides an overview of the main approaches, followed by a brief discussion of their advantages and disadvantages. The approaches are listed in increasing order of complexity (decreasing order of restrictiveness).

(i) Simple summation: This simple approach involves adding the individual risk components. Typically, this is perceived as a conservative approach since it ignores potential diversification benefits and produces an upper bound to the true economic capital figure. Technically, it is equivalent to assuming that all inter-risk correlations are equal to one and that each risk component receives equal weight in the summation.

(ii) Applying a fixed diversification percentage: This approach is essentially the same as the simple summation approach, with the only difference that it assumes the sum delivers a fixed level of diversification benefits, set at some pre-specified level of overall risk.

(iii) Aggregation on the basis of a risk variance-covariance matrix: The approach allows for a richer pattern of interactions across risk types. However, these interactions are still assumed to be linear and fixed over time. The overall diversification benefit depends on the size of the pairwise correlations between risks.

(iv) Copulas: This is a much more flexible approach to combining individual risks than the use of a covariance matrix. The copula is a function that combines marginal probability distributions into a joint probability distribution. The choice of the functional form for the copula has a material effect on the shape of the joint distribution and can allow for rich interactions between risks.

(v) Full modelling of common risk drivers across all portfolios: This represents the theoretically pure approach. Common underlying drivers of risk are identified and their interactions modelled. Simulation of the common drivers (or scenario analysis) provides the basis for calculating the distribution of outcomes and the economic capital risk measure. Applied literally, this method would produce an overall risk measure in a single step since it would account for all risk interdependencies and effects for the entire bank. A less comprehensive approach would use estimated sensitivities of risk types to a large set of underlying fundamental risk factors and construct the joint distribution of outcomes by tracking the effect of simulating these factors across all portfolios and business units.

Table 13.2 provides a summary of the trade-offs between numerical accuracy, methodological consistency, intuitive appeal, practicality, flexibility, and resource implications associated with each of the aggregation methodologies.

Although the most restrictive of the alternative methodologies, the main advantages of the summation and fixed diversification methodologies are simplicity in terms of data and computational requirements, and ease of communication about the method and interpretation of the outcome. Abstracting from the possibility of mismeasurement and negative correlation between the underlying risk components, the simple summation approach could also produce a conservative measure of overall risk (i.e., overstatement of risk). The degree of conservatism associated with the fixed diversification method depends on the chosen diversification parameter. Both methods are relatively crude and do not allow for meaningful interactions between risk types or for differences in the way these risk types may create diversification benefits. In addition, both methods ignore complications stemming from using different confidence levels in measuring individual risk components.

The use of a variance-covariance matrix (or correlation matrix) which summarises the interdependencies across risk types provides a more flexible framework for recognising diversification benefits, while still maintaining the desirable features of being intuitive and easy to communicate. The correlation matrix between risks is of key importance. This matrix can vary across

15 See Annex 2 on counterparty credit risk for a fuller discussion.
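An added example (not the BCBS paper's or this text's own code) that applies approaches (i) to (iii) above to constructed stand-alone capital figures and a constructed inter-risk correlation matrix, after first bringing a 10-day market risk figure to the common one-year horizon with the square-root-of-time rule mentioned under Time horizon; copulas and full modelling are not covered. The capital amounts, horizons and correlations are assumptions chosen for illustration.

```python
"""Added example: summation, fixed diversification percentage and
variance-covariance aggregation of economic capital, plus square-root-of-time
scaling of the market risk figure to the common horizon. All inputs are
constructed (same confidence level assumed for every risk type)."""
import math

# Constructed stand-alone economic capital, in currency units.
# Market risk is measured over 10 trading days; the others over one year
# (taken here as 250 trading days).
STANDALONE = {"market": 8.0, "credit": 120.0, "operational": 30.0}
HORIZON_DAYS = {"market": 10, "credit": 250, "operational": 250}
COMMON_HORIZON_DAYS = 250

# Constructed inter-risk correlation matrix; only one triangle is listed,
# the lookup below treats it as symmetric with a unit diagonal.
CORR = {
    ("market", "market"): 1.0,
    ("credit", "credit"): 1.0,
    ("operational", "operational"): 1.0,
    ("market", "credit"): 0.5,
    ("market", "operational"): 0.2,
    ("credit", "operational"): 0.3,
}


def rho(matrix, a, b):
    """Symmetric lookup of the pairwise correlation between risk types a and b."""
    if (a, b) in matrix:
        return matrix[(a, b)]
    return matrix[(b, a)]


def scale_to_common_horizon(capital, days, common_days=COMMON_HORIZON_DAYS):
    """Square-root-of-time rule: capital(T) = capital(t) * sqrt(T / t).
    Assumes losses are roughly independent and identically distributed
    across sub-periods, which is why the text treats it as a scaling-up
    approximation rather than a measurement."""
    return capital * math.sqrt(common_days / days)


def harmonised():
    """Stand-alone figures expressed in the common one-year risk currency."""
    return {k: scale_to_common_horizon(v, HORIZON_DAYS[k])
            for k, v in STANDALONE.items()}


def simple_summation(ec):
    """(i) Add the components: equivalent to all inter-risk correlations = 1."""
    return sum(ec.values())


def fixed_diversification(ec, benefit=0.20):
    """(ii) Summation less a pre-specified diversification percentage."""
    return simple_summation(ec) * (1.0 - benefit)


def variance_covariance(ec, matrix=CORR):
    """(iii) EC_total = sqrt(sum_i sum_j rho_ij * EC_i * EC_j), i.e. the
    components are combined like standard deviations with linear, fixed
    pairwise correlations."""
    total = 0.0
    for a, x in ec.items():
        for b, y in ec.items():
            total += rho(matrix, a, b) * x * y
    return math.sqrt(total)


def implied_diversification(ec, aggregate):
    """Diversification benefit implied by an aggregate figure, as a share of
    the simple sum; lets (ii) and (iii) be compared on one scale."""
    return 1.0 - aggregate / simple_summation(ec)


if __name__ == "__main__":
    ec = harmonised()
    print("harmonised:", ec)                      # market scaled 8.0 -> 40.0
    print("summation:", simple_summation(ec))     # 190.0
    print("fixed 20%:", fixed_diversification(ec))  # 152.0
    vc = variance_covariance(ec)
    print("var-covar:", round(vc, 2),             # 156.01
          "implied benefit:", round(implied_diversification(ec, vc), 3))
```

With every correlation set to one, `variance_covariance` reproduces `simple_summation`, which is the equivalence the text states for approach (i).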

Chapter 13 Range of Practices and Issues in Economic Capital Frameworks ■ 211


banks reflecting differences in their business mix, and the correlations that reflect these institution-specific characteristics can be difficult as well as costly to estimate and validate. This is particularly true for operational risk, where data are scarce and do not cover long time periods. In addition, by focusing on average covariance between risks, the linearity assumption will tend to underestimate dependence in the tail of loss distributions and underestimate the effects of skewed distributions and non-linear dependencies.

Copulas offer even greater flexibility in the aggregation of risks and promise a better approximation of the true risk distribution. This comes at the expense of more demanding input requirements: complete distributions of the individual risk components rather than simple summary statistics (such as VaR) and at least as much data as the variance-covariance approach for estimating the copula parameters. As for the variance-covariance method, these estimates are hard to derive and to validate. Many of the same drawbacks apply to the case of full models of economic capital, including full simulation methods. The input requirements in terms of data on exposures and underlying risk factor dynamics, as well as the computational demands associated with large scale simulations represent a strain for most banks, especially those banks with more complex business risk profiles.

Table 13.2 Comparison of Risk Aggregation Methodologies

Aggregation Methodology | Advantages | Disadvantages
Summation: Adds together individual capital components | Simplicity. Typically considered to be conservative. | It does not discriminate across risk types; imposes equal weighting assumption. Does not capture nonlinearities.
Constant diversification: Similar to summation but subtracts fixed percentage from overall figure | Simplicity and recognition of diversification effects. | The fixed diversification effect is not sensitive to underlying interactions between components. Does not capture nonlinearities.
Variance-Covariance: Weighted sum of components on basis of bilateral correlation between risks | Better approximation of analytical method. Relatively simple and intuitive. | Estimates of inter-risk correlations difficult to obtain. Does not capture nonlinearities.
Copulas: Combine marginal distributions through copula functions | More flexible than covariance matrix. Allows for nonlinearities and higher order dependencies. | Parameterisation very difficult to validate. Building a joint distribution very difficult.
Full modelling/Simulation: Simulate the impact of common risk drivers on all risk components and construct the joint distribution of losses | Theoretically the most appealing method. Potentially the most accurate method. Intuitive. | Practically the most demanding in terms of inputs. Very high demands on IT. Time consuming. Can provide false sense of accuracy.

Range of Practices in the Choice of Aggregation Methodology

Currently, there is no established set of best practices concerning risk aggregation in the industry. Generally the chosen approaches tend to be towards the simpler end of the spectrum, with very few (typically large) banks using the more sophisticated methodologies. The vast majority of banks use some form of the summation approach, where risks are either explicitly weighted, as in the case of the variance-covariance approach, or implicitly weighted (as in the case of simple aggregation). The IFRI and CRO Forum (2007) survey suggests that more than 60% of banks use the variance-covariance approach while less than 20% use the simulation approaches. Reportedly, the stability of the latter approach over time is an attractive aspect from a governance perspective, since it leads to a more stable allocation of diversification benefits back to individual business units.

Banks use a variety of approaches in setting values for the inter-risk variance-covariance matrix. These approaches include direct estimation using historical time series on underlying risks, expert judgment, and industry benchmarks (frequently supplied by consulting firms). The estimation based on internal data is arguably more appropriate since it reflects the actual experience of the

212 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
bank and is more directly applicable to its business and risk profile. As suggested above, the interactions between risk components can be complex, non-linear, time varying, and dependent on measurement choices. If the bank possesses relevant data of sufficient quality and length, these data should provide the most appropriate indicators of inter-risk dependencies. These data can be related to the performance of portfolios (P&L, earnings, loss history, etc.). Often risks that present greater quantification challenges need to be approximated by banks with less well developed IT systems. In these cases, the correlation between risk components is in practice often approximated by the co-movement of asset price indices representative of these risk factors, or similar proxies.

Very often bank-specific data are simply not available or of poor quality. In this case the entries in the variance-covariance matrix are filled on the basis of expert judgment, in the form of parameters that reflect the consensus of risk officers and business managers within the firm, and this is frequently complemented with input from external consultants and industry benchmarks. This is particularly true when it applies to some risk components such as operational risk or business risk. The reliance on externally supplied inputs may be a necessity for medium and small-sized institutions that lack the capacity, scope and scale economies to develop risk correlation measures based on their own experience. The same applies to proportionately small exposures in the case of larger institutions.

There is a tendency for banks to use what they consider as a "conservative" variance-covariance matrix. The correlations are often reported to be approximate (e.g., rounded up to multiples of 25 percentage points) and biased upwards (i.e., towards unity). In an effort to reduce the need for expert judgment banks might consciously limit the dimensionality of the matrix by consolidating risk categories to a small number, not recognising that such consolidation itself represents a form of aggregation and embeds correlation assumptions. One drawback of this practice is that each category becomes less homogeneous and thus harder to quantify. In light of uncertainties for estimating inter-risk diversification effects as well as the possibility that correlations may be time-varying, some (but not all) banks use stressed values that refer to the periods when these correlations may be higher than they are on average, or even set equal to unity.16 Even in those cases where average values are used, banks report that they examine the effect on the calculated economic capital from using such stressed correlations as a robustness check. Generally, there is a tendency for banks with less sophisticated economic capital methodologies to follow a principle of conservatism in their approaches.

Whatever the method and the estimates used, there are a number of commonalities in the assumptions made by banks. For instance, a high correlation between market and credit risks is usually assumed, a lower correlation between business risk and credit or market risk, and a very low correlation between operational risk and all other risks.

Related to the calibration of the covariance matrix of risks is the overall level of diversification across risk types. According to the IFRI and CRO Forum (2007) survey, the estimated range of inter-risk diversification is 10% to 30% for banking organisations (with 40% of banks reporting gains between 15% and 20%). This range depends on the method used by banks in order to take into account inter-risk diversification and the varying estimates of correlation between risk types. Academic studies on this issue indicate that this range can vary very substantially depending on the applied methodology and the data used. Rosenberg and Schuermann (2006) estimate this diversification at more than 40% at the 99.9% confidence level but underscore that this might vary depending on the specific portfolio composition. Dimakos and Aas (2004) on the other hand find only 10% to 12% diversification at confidence intervals of 95% to 99%, but a number closer to 20% at a confidence interval of 99.97%.

Supervisory Concerns Relating to Risk Aggregation

An important overall message is that meaningful aggregation of risk necessarily involves compromises and judgment to augment quantitative methods. Risk measurement in portfolios that are more homogeneous in terms of their risk drivers can be quite detailed and can address different facets of risk. The combination of different types of risk into a common metric, however, presents many more complications stemming either from the different statistical profiles of risk types or from differences in the perspective and requirements of the business units that manage different portfolios (e.g., the use of different metrics and/or management horizons). Aggregation, therefore, typically requires that some of the richness of assessments made on the individual components is sacrificed in order to achieve comparability.

In particular, supervisory concerns with the economic capital aggregation relate to validation of the inputs, methodology, and outputs of the process.

Economic capital frameworks are very difficult to validate. Economic capital refers to holistic measures of risk in often very

16 Using stressed correlations is also justified on the basis that, in periods of stress, available capital resources might be less "fungible" across risks/business units than is implicitly assumed in the aggregation of its uses.



diverse business environments. Moreover, the more tailored the process to the character and needs of the individual bank, the more difficult for an external observer to independently validate the inputs. Additionally, the short history of available data renders backtesting impracticable in most cases. Many supervisors report that validation processes typically do not meet their expectations. In particular, many supervisors are sceptical as to the validity of the size of diversification benefit estimates and do not accept them for supervisory use.

As mentioned above, the degree of diversification is linked to the measurement methodology of individual components. From an applied point of view the potential complications with risk measurement are primarily related to the common practice of identifying risk categories with individual portfolios. For a number of practical reasons that have to do with the way banks manage different types of risk, with financial reporting practices, and with the regulatory framework, different types of risk are often identified with single portfolios. For example, market risk is thought of as being primarily associated with portfolios that are held with the intention of active trading, are managed on a short risk horizon, and are often marked-to-market. Credit risk is associated mainly with the banking book which contains exposures with a longer holding horizon, which are often illiquid and valued on an accrual basis. This simplistic distinction can give rise to mistaken assessments of market and credit risk components that can bias the aggregation process.17 The main message from the supervisory perspective is that diversification cannot be taken as given irrespective of the portfolio of risks and risk measurement practices. There is a theoretical possibility that risk components may be mis-measured and that aggregate risk may be higher than the sum of the risk components. This may be the exception rather than the rule, but the fact remains that mis-measurement can often lead to under-estimation of overall risk.

Finally, a possible drawback of the more sophisticated methodologies is more of a behavioural nature. Often greater methodological sophistication leads to greater confidence in the accuracy of the outcomes. Given the diversity in the nature of inputs, the importance of assumptions that underlie the parameters used, and the scale of the task in practical applications, the scope for hard-to-detect and hard-to-quantify inaccuracies is considerable. Complex approaches that are not accompanied by robustness checks and estimates of possible specification and measurement error can prove misleading.

13.7 VALIDATION OF INTERNAL ECONOMIC CAPITAL MODELS

In some cases the term validation is used exclusively to refer to statistical ex post validation, while in other cases it is seen as a broader but still quantitative process that also incorporates evidence from the model development stage. In this paper, the term "validation" is used in a broad sense, meaning all the processes that provide evidence-based assessment about a model's fitness for purpose. This assessment might extend to the management and systems environment within which the model is operated. Moreover, it is advisable that validation processes are designed alongside development of the models, rather than chronologically following the model building process.

Validation provides evidence that a model works as planned. Economic capital models can be complex, embodying a lot of moving parts, and it may not be immediately obvious that a complex model works satisfactorily. Moreover, a model may embody assumptions about relationships between variables or about their behaviour under periods of stress. Validation can permit a degree of confidence that the assumptions are appropriate, increasing the confidence of users (internal and external to the bank) in the outputs of the model. Notably, validation also aids in identifying model limitations, since no model (even when fully validated) is ever a perfect representation of reality. While validation can provide powerful tools for the assessment of many aspects of models, such as their risk sensitivity, it is less powerful where other aspects of models are concerned, such as confirming the accuracy of high quantiles in a loss distribution.

Achieving an accurate fit may not always be the prime consideration. For example, some models may be developed because of their usefulness as a framework for analysis or decision-making rather than because of their ability to fit historical data. Some macroeconomic models of economic behaviour may fall into this category.

Our interpretation of validation is consistent with that developed by the Basel Committee (2005a) in relation to the Basel II Framework, which is phrased in terms of the IRB parameters18 and was developed in the context of assessment of risk estimates for use in minimum capital requirements. However, validation of economic capital models differs from the validation of an IRB model as the output is a distribution rather than a single

17 A working paper of the Basel Committee's Working Group on the Interaction of Market and Credit Risk contains a more in-depth discussion of these issues and references to relevant papers.

18 From the 2005 Validation principles: "In the context of rating systems, the term 'validation' encompasses a range of processes and activities that contribute to an assessment of whether ratings adequately differentiate risk, and whether estimates of risk components (such as PD, LGD or EAD) appropriately characterise the relevant aspects of risk."

predicted forecast against which actual outcomes may be compared. Economic capital models are conceptually similar to VaR models, though the long time horizon, high confidence levels, and the scarcity of data force validation methods to differ in practice from those used for VaR. Full internal economic capital models are not used for Pillar 1 minimum capital requirements, and so fitness for purpose needs to cover a range of uses, most of which and perhaps all are internal to the firm in question. It should also be noted that economic capital models and regulatory capital serve different objectives and so may reasonably differ in some of the details of their implementation for these differing purposes.

Principle 1 of the Basel Committee's validation principles refers to assessment of the predictive ability of credit rating systems.19,20 The emphasis is on the performance of forecasts generated by the model. As it stands, Principle 1 is about rating systems: the natural development of this principle for economic capital models is that validation is concerned with the predictive properties of those models. Economic capital models embody forward-looking estimates of risk and their validation is intimately bound up with assessing those estimates, and so this (re-stated) principle remains appropriate. The validation processes as set out in this paper are, in their different ways, all providing insight into the likely predictive ability of the model, interpreted broadly. The other Basel II principles related to validation are: the bank has primary responsibility for validation; validation is an iterative process; there is no single method; validations should encompass both quantitative and qualitative elements; and validation processes and outcomes should be subject to independent review. The notion of validation expressed in this paper is consistent with these principles. Our discussion of validation does not address, however, the question of who needs to perform the model assessment or which party needs to be satisfied by that model assessment.

What Validation Processes Are in Use?

Most of this section describes the types of validation processes that are in use or could be used. The list is not comprehensive, and it is not suggested that all techniques should be used by banks. Other surveys that provide fuller descriptions of techniques are available. Our purpose is to make two points. First, to demonstrate that there is a wide range of techniques that would be covered by our broad definition of validation, creating a layered approach. The more layers that can be provided, the more comfort that validation is able to provide evidence for or against the performance of the model. Conversely, where fewer layers of validation are used, the level of comfort diminishes. Second, that each validation process provides evidence for (or against) only some of the desirable properties of a model. The list presented below moves from the more qualitative to the more quantitative validation processes, and the extent of use is briefly discussed.

Qualitative Processes

(i) Use test. The philosophy of the use test has been fully incorporated into the Basel II Framework. Its relevance as a tool of validation is straightforward. If a bank is actually using its risk measurement systems for internal purposes, then supervisors can place more reliance on the systems' outputs for regulatory capital. Applying the use test successfully will entail gaining a careful understanding of which model properties are being used and which are not.21

(ii) Qualitative review. Banks tend to subject their models to some form of qualitative assessment process. This process could entail review of documentation, review of development work, dialogue with model developers, review and derivation of any formulae, comparison with what other firms are known to do, and comparison with publicly available information. Qualitative review is best able to answer questions such as: Does the model work in theory? Does it incorporate the right risk drivers? Is any theory underpinning it conceptually well-founded? Is the mathematics of the model right?

(iii) Systems implementation. Production-level risk measurement systems should go through extensive testing prior to implementation, such as user acceptance testing, checking of model code, etc. These processes could be viewed as part of the overall validation effort, since they would assist in evaluating whether the model is implemented with integrity.

19 Principle 1 reads: "Validation is fundamentally about assessing the predictive ability of a bank's risk estimates and the use of ratings in credit processes."

20 See BCBS (2005b).

21 Paragraph 4 of the Basel Committee's validation principles sets out some of the uses of capital models. In discussing the use test for IRB, the paper notes ". . . as a quality check of IRB components and underlying processes, the use test is a necessary supplement to the overall validation process. . . . the use test plays a key role in ensuring and encouraging the accuracy, robustness and timeliness of a bank's IRB components, confirms the bank's trust in those components and allows supervisors to place more reliance on their robustness and thus on the adequacy of regulatory capital." We think that this philosophy still holds true when considering internal capital models.



(iv) Management oversight. Management oversight refers to the involvement of senior management in the validation process, in reviewing output from the model, and using the results in business decisions. Senior management need to be clear how the model is used and how the model outputs are interpreted, taking account of the specific implementation framework that their firm has adopted and the assumptions underlying the model and its parameterisation.

(v) Data quality checks. Not traditionally viewed by the industry as a form of validation but increasingly forming a major part of regulatory thinking. Data quality checks refers to the processes designed to provide assurance of the completeness, accuracy and appropriateness of data used to develop, validate and operate the model. These processes could include qualitative review (e.g., of data collection and storage), data cleaning processes such as identifying errors, reviews of the extent of proxy data, review of any processes that need to be followed to convert raw data into suitable model inputs (e.g., scaling processes), and verification of transaction data such as exposure levels. Such a list is often a helpful indication of the level of understanding of the model.

(vi) Examination of assumptions — sensitivity testing. Models rest on assumptions of various kinds, some of which are obvious, but some are less so. As such, certain aspects of models are "built-in" and cannot be altered without changing the model. To illustrate, these assumptions could be: assumptions about fixed model parameters such as correlations or recovery rates; assumptions about the shape of tail distributions; and assumptions about the behaviour of senior management or of customers. Some banks go through a deliberate process of detailing the assumptions underpinning their models. This should include examination of the impact on model outputs, and the limitations that the assumptions place on model usage and applicability.

Quantitative Processes

(i) Validation of inputs and parameters. Some model parameters may be estimated. Examples include the main IRB parameters and correlation parameters. A complete model validation would involve validation of the inputs themselves. Validation of input parameters to economic capital models would entail validation of those parameters not included in IRB, such as correlations. Techniques could include checking model parameters against historical data, comparison of parameters against outcomes over time, comparison of model parameters to market-implied parameters such as implied volatility or implied correlation, and assessing materiality of model output to input and parameters through sensitivity testing. Testing of input parameters would be a complement to the examination of assumptions and sensitivity testing described in the preceding paragraph.

It is worth noting that checking of model inputs is unlikely to be fully satisfactory since every model is based on underlying assumptions. The richer or more sophisticated the model, the more susceptible it may be to model error. Checking of input parameters will not shed light on this area. However, model accuracy and appropriateness can be assessed, at least to some degree, using the processes described in this section.

(ii) Model replication. A useful quantitative technique is to try to replicate the model results obtained by the bank. A truly independent replication would use independently developed algorithms and an alternative source of data but in practice replication might be done by leveraging some of the bank's processes. For example, it could be done by running the bank's algorithms on a different data set or using the bank's own databases with independently derived algorithms, once the banks' processes have been validated and are reliable. This technique (and the questions that often arise in attempting to replicate results) can help to identify whether or not the definitions and the algorithms that the bank says it is using are correctly understood by staff in the bank who develop, maintain, operate and validate the model and that they are used in practice by the bank. The technique also facilitates code checking and may be helpful in determining whether the databases analysed in the validation process are those used by the bank to obtain its results. This technique is rarely sufficient to validate models and in practice there is little evidence of it being used by banks for either validation or to explore the degree of accuracy of their models. Note that replication simply by re-running a set of algorithms to produce an identical set of results would not be sufficient model validation due diligence.

(iii) Benchmarking and hypothetical portfolio testing. This refers to the examination of whether the model produces results comparable to a standard reference model or comparing models on a set of reference portfolios. Examples of benchmarking could include comparison of risk ranking provided by internal rating systems and agency ratings, or comparison of an in-house portfolio credit model to other well-known models after standardisation of parameters. In the regulatory field, this permits comparison of several banks' models against the same reference model. It would allow identification of models that produce outliers. Hypothetical portfolio testing means comparison of models against the same reference portfolio. It is capable of addressing similar questions to benchmarking by different means. The

technique is a powerful one and can be adapted to anal­ system s in use whose outputs cannot be interpreted in
yse many of the preferred model properties such as rank­ this way. Exam ples could include rating system s, sensitivity
ordering and relative risk quantification. But there are also tests and aggregated stress losses. Such risk m easurem ent
limitations. In particular, benchmarking can only compare approaches might nevertheless be valuable tools for banks.
one model against another and may provide little assurance The role of backtesting for such m odels, if they were to be
that the model accurately reflects reality or about the abso­ used, would need elaboration.
lute levels of model output. In a benchmarking exercise, In practice, backtesting is not yet a key com ponent of
there may be good reasons why models produce outliers. banks' validation practices for econom ic capital purposes.
They may, for exam ple, be designed to perform well under
(v) Profit and loss attribution. Analysis of profit and loss on
differing circum stances, or may be conservatively param-
a regular basis (e.g ., annually) and comparison between
eterised, or may differ in their econom ic foundations, all of
causes of actual profit and loss and the risk drivers in the
which com plicate interpretation of the results.
model. Attribution is not widely used except for m arket risk
Benchmarking is a commonly used form of quantitative pricing models.
validation. Com parisons are made with industry survey
(vi) Stress testing. This covers both stressing of the model and
results, against alternative models such as a rating agency
comparison of model outputs to stress losses.
model, industry-wide m odels, consultancy firms, academ ic
papers and regulatory capital models. However, as a valida­ The outputs of the model might be exam ined under conditions
tion technique, benchmarking has limitations, providing of stress, where model inputs and model assumptions might be
comparison of one model against another or one calibration stressed. This process can reveal model limitations or highlight
to others, but not testing against "reality." It is therefore capital constraints that might only becom e apparent under
difficult to assess the degree of com fort provided by such stress. Stress testing of regulatory capital m odels, particularly
benchmarking m ethods, as they may only be capable of IRB m odels, is undertaken by banks but there is more limited
providing broad com parisons confirming that input param ­ evidence of stress testing of econom ic capital models.
eters or model outputs are broadly comparable.

(iv) Backtesting. Backtesting addresses the question of how well the model forecasts the distribution of outcomes. Backtesting may take many forms and there is a wide literature on the subject. All backtesting approaches entail some degree of comparison of outcomes to forecasts.

For portfolio credit models, the weak power of backtesting is noted in BCBS (1999). As has been suggested by some authors, there are variations to the basic backtesting approach which can increase the power of the tests. Examples include: performing backtesting more frequently over shorter holding periods (e.g., using a one-day market risk backtesting standard versus the 10-day regulatory capital standard); using cross-sectional data by backtesting on a range of reference portfolios;22,23 using information in forecasts of the full distribution; testing expected losses only; and comparing outcomes against the expected values of distributions as opposed to high quantiles.

Backtesting is useful principally for models whose outputs can be characterised by a quantifiable metric with which to compare an outcome. There may be risk measurement

Through a complementary programme of stress testing, the bank may be able to quantify the likely losses that the firm would confront under a range of stress events. Comparison of stress losses against model-based capital estimates may provide a modest degree of comfort about the absolute level of capital. Banks report some use of this stress testing technique to validate the approximate level of model output.

Internal audit is not included in the above list; however, validation of the overall implementation framework and process should also be subject to independent and periodic review, and this work should be carried out by parties within the banking organisation that are independent of those accountable for the design and implementation of the validation process. One possibility could be that internal audit would be in charge of undertaking this review process. As such it could be viewed as comprising a part of the management oversight process listed above. The paper does not otherwise discuss the role of internal audit in the validation process.

The list of validation tools does not address the issue of adequate standards. Banks may operate internal standards that are relevant for validation, for example a description of the issues that need to be addressed as part of validation, the standards that capital models are expected to achieve, a series of quantitative thresholds that models need to meet, warning indicators for particular monitoring metrics, and assessment against model development standards.

22 See Lopez and Saidenberg (1999).

23 See Frerichs and Loffler (2002) and Berkowitz (2000).
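The two backtests below are an added illustration of the comparison of outcomes to forecasts described under (iv); they are not from the paper or from this book. The forecast is a one-day normal loss distribution with assumed parameters, the two loss series are constructed with a seeded generator (one drawn from the forecast itself, one with twice the forecast volatility), and the 5% Kolmogorov-Smirnov critical value used is the asymptotic one. The exceedance test looks only at the tail, while the probability-integral-transform test uses every observation against the whole forecast distribution, the full-distribution variant the text lists among the approaches that can raise the power of a backtest.

```python
"""Added example, not from the BCBS paper: two backtests of a one-day loss
forecast run over constructed data.  The forecast is N(mu, sigma); the
"calibrated" series is drawn from that forecast and the "misspecified"
series from a distribution with twice the volatility.  Standard library only.
"""
import math
import random

Z99 = 2.326348  # 99% quantile of the standard normal: the 99% VaR threshold
P_TAIL = 0.01   # probability of an exceedance if the forecast is right


def norm_cdf(x):
    """Standard normal CDF via the error function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def binom_two_sided_pvalue(k, n, p):
    """Exact two-sided binomial test: total probability of every outcome at
    least as unlikely as k, computed in log space to avoid over/underflow."""
    def log_pmf(j):
        return (math.lgamma(n + 1) - math.lgamma(j + 1) - math.lgamma(n - j + 1)
                + j * math.log(p) + (n - j) * math.log1p(-p))
    ref = log_pmf(k)
    return sum(math.exp(lp) for lp in (log_pmf(j) for j in range(n + 1))
               if lp <= ref + 1e-12)


def exceedance_backtest(losses, mu, sigma):
    """Count losses above the 99% VaR implied by the N(mu, sigma) forecast.
    Returns (exceedances, expected exceedances, two-sided p-value).
    Only the tail of the forecast is used."""
    var = mu + Z99 * sigma
    k = sum(1 for x in losses if x > var)
    n = len(losses)
    return k, P_TAIL * n, binom_two_sided_pvalue(k, n, P_TAIL)


def pit_backtest(losses, mu, sigma):
    """Full-distribution test: map each loss through the forecast CDF (the
    probability integral transform) and measure the Kolmogorov-Smirnov
    distance of the transformed values from the uniform distribution they
    must follow if the whole forecast distribution is right.
    Returns (D statistic, asymptotic 5% critical value)."""
    u = sorted(norm_cdf((x - mu) / sigma) for x in losses)
    n = len(u)
    d = max(max((i + 1) / n - ui, ui - i / n) for i, ui in enumerate(u))
    return d, 1.358 / math.sqrt(n)


def make_series(n, sigma, seed):
    """Constructed loss series (not real data), mean zero, volatility sigma."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, sigma) for _ in range(n)]


if __name__ == "__main__":
    for label, sigma_true in (("calibrated", 1.0), ("misspecified", 2.0)):
        series = make_series(2000, sigma_true, seed=7)
        k, expected, p = exceedance_backtest(series, 0.0, 1.0)
        d, crit = pit_backtest(series, 0.0, 1.0)
        print(f"{label}: {k} exceedances (expected {expected:.0f}), "
              f"p = {p:.3g}; KS D = {d:.3f} vs 5% critical {crit:.3f}")
```

Running the script prints one line per series; the volatility-misspecified series fails both tests, and the calibrated one passes both, which is the behaviour a validation standard would set a threshold against.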

Chapter 13 Range of Practices and Issues in Economic Capital Frameworks ■ 217


What Aspects of Models Does Validation Cover?

The validation steps presented above can be used in assessing most of the desirable properties of models. This is an encouraging observation and stands in contrast to the fairly negative view of validation taken in BCBS (1999).

Opinions may reasonably differ about the strength or weakness of any particular process in respect of any given property. The properties that could be assessed using a powerful tool and hence that are capable of robust assessment include: integrity of implementation; grounded in historical experience; risk sensitivity; sensitivity to the external environment; good marginal properties; rank ordering; and relative quantification. The properties for which only weaker processes are available include: conceptual soundness; forward-looking; and absolute risk quantification. Again, it is important to stress the judgmental evaluation of the power of individual tests and to acknowledge that views as to strength and weakness are likely to differ.

The difficulty of validating the conceptual soundness of a capital model needs some elaboration. In developing a model, several assumptions about the model and its inputs are likely to be made. These could include assumptions about the family of statistical distributions, the economic processes driving default or loss, the dependency structure among defaults or losses, the likely behaviour of management or other economic agents, and the extent to which these vary over time. Moreover, some internal capital models are risk aggregation models, where risk estimates for individual categories (e.g., market, credit and operational risk) are aggregated to generate a single total economic capital figure, with the method of aggregation relying on some underpinning assumptions. These assumptions, however, may be untestable. As a result it may be impossible to be certain that a model is conceptually sound. While the conceptual underpinnings may appear coherent and plausible, they may in practice be no more than untested hypotheses.

This section presented the main validation tools available with which to assess internal capital models and provided some evaluation of their power and their use in practice. The conclusion is that tools are powerful in some areas such as risk sensitivity but not in other areas such as overall absolute accuracy.

Supervisory Concerns Relating to Validation

Compared to practice at the time of the BCBS (1999) report, there is greater emphasis currently on the validation of models. The main areas of improvement are in benchmarking of model parameters and the conduct of cross-firm comparisons of models, typified by the IACPM and ISDA study (2006) on portfolio credit risk models. There is some evidence that banks wish to ensure that models are sensitive to the expected drivers of risk, and that models generate outputs that permit adequate evaluation of the relative risk between business lines and to provide suitable trend analysis. Although there is scope for practices to improve further, the signs of progress in these areas are moderately encouraging.

In other respects industry validation practices are weak, particularly when the total capital adequacy of the bank and the integrity of overall calibration of the model is an important consideration. It is recognised that this validation task is intrinsically difficult since it will typically require evaluation of high quantiles of loss distributions over long periods combined with data scarcity coupled with technical difficulties such as tail estimation. Moreover, it is recognised that validation practices will depend on what the model is being used for. Nevertheless, difficult as the validation task might be, weaknesses in validation practices targeted at evaluation of overall performance might result in banks operating with inappropriately calibrated models. This could be of concern if assessment of overall capital adequacy is an important application of the model. Improvements in these areas could include further benchmarking and industry-wide exercises, backtesting, profit and loss analysis and stress testing.

Additionally, institutions should recognise clearly that when validation is difficult and has limitations, i.e., when for one reason or another models cannot be appropriately validated, users of those models and senior management should be informed that full validation could not be conducted. Such communication is necessary so that model users and senior management understand that there is greater uncertainty around the output from models that have not been validated and that such model output should generally be treated with extra conservatism. In that vein, model users and senior management should understand and explore the potential costs of using models that have not been fully validated (i.e., if key assumptions in the models prove to be inaccurate).

13.8 ANNEX 1: DEPENDENCY MODELLING IN CREDIT RISK MODELS

A particularly important and difficult aspect of portfolio credit risk modelling is the modelling of the dependency structure between borrowers. This encompasses linear and non-linear dependency relationships between obligors. Dependency modelling is important because it forms an important distinction between the Basel II risk weight function (with supervisory imposed correlations) and portfolio credit risk models which rely on banks' internal modelling of dependencies.

218 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Understanding the way dependencies are modelled is important for supervisors when they assess a bank's ICAAP under Pillar 2, since internal bank modelling of portfolio credit risk may be an important element of a bank's ICAAP and can generate the biggest reduction of capital needs in comparison with the Pillar 1 minimum capital requirement for credit risk.

This annex briefly describes the main methods used for modelling credit dependencies and discusses progress since the publication of the BCBS (1999) report. It also discusses the impact that different methods have on banks' economic capital, and makes some observations linked to recent developments in dependency modelling. Finally, it raises some supervisory concerns about the current state of industry practice.

Types of Models

The majority of banks use one of three types of credit models. These models, often referred to by their commercial names, are Moody's/KMV (MKMV), CreditMetrics, and CreditRisk+. The annex follows the same convention even though other vendors offer similar models and some banks have developed their own internal models that are consistent with the structure of one of these model types.24

Most models of credit portfolio risk estimate asset correlations among obligors in terms of common dependence on systematic risk factors. The assumption is that these underlying factors— e.g., country, region, or industry of a borrower— fluctuate over time and typically follow a (joint) normal distribution. All borrowers are linked to these underlying systematic risk factors to varying degrees and tend to move in a correlated way. Thus, by modelling dependencies, banks account implicitly for concentration (both single name and sectoral) because large parts of their books are subject to the same underlying risk factors or to multiple risk factors.

Extensions of the three credit portfolio models are used by some banks. For example, this is the case for a few banks with specialised portfolios (e.g., small and medium-size European corporate loans) which have integrated a contagion approach into variants of the standard credit portfolio models (see Box 13.1). By integrating information on business relationships among borrowers into the credit portfolio model, this approach tries to address the clustering of defaults observed within their portfolios that are linked to bank specific portfolio concentration and exposure mix.

BOX 13.1 CONTAGION APPROACH

Motivated by the financial crises in South East Asia and the US in the 1990s, and the Enron default crisis in late 2001, where the downfall of a small number of firms had an economy-wide impact, academic researchers have attempted to incorporate counterparty relationships, or microstructure correlation, into portfolio credit models (Davis and Lo (2001), and Jarrow and Yu (2001)). The common feature of contagion models is that they distinguish between macrostructure and microstructure dependencies. In contrast to macrostructure dependencies, microstructure dependencies attempt to capture business relationships and legal dependencies within and across sectors. This approach is also relevant for pricing CDSs, CDOs, and basket derivatives, since the prices for these products are influenced by dependencies between the firms in a basket, a business (e.g., suppliers and competitors), etc.

The microstructure contagion effect can be integrated using different approaches (e.g., reduced-form models). The idea behind contagion models is that contagion risk produces upward jumps in the default intensity of non-defaulted firms, implying a higher conditional default probability for these firms given additional information on other firms' defaults. The driving principle behind such modelling is that considering only macroeconomic dependencies for a portfolio subject to microstructure dependencies could potentially underestimate credit risk. By integrating microstructure dependencies into the model, the standard deviation of rating changes over time is increased, even for well-diversified credit portfolios with moderate microstructure dependencies.

Generally, the contagion approach is supposed to be conservative since it lengthens the tail of the loss distribution and therefore increases the capital needed to cover credit risk. However, it is difficult to gauge whether the increase in capital is sufficient to capture the risk dependencies. Additionally, practical and theoretical issues need to be addressed, such as the reliability of the required expert judgment and ability to identify the frailty/contagion factors.

In addition, few banks model dependencies using copulas (see Box 13.2), at least for their economic credit risk modelling. This technique can be used to capture several alternative general types of dependencies, as opposed to the more restrictive Gaussian copula models.25

Some banks also use models that are based on the asymptotic single-risk-factor (ASRF) model, which is the basis for the Basel II

24 The discussion of these model types is descriptive and is not intended as an endorsement of any of the vendor models. Reference to these prototype models should not be construed as an endorsement of these models, or as an indication of their standing relative to other models that might be used by banks or offered by other vendors.

25 See for example Hull (2007) for a discussion of copulas.



BOX 13.2 COPULAS

Some banks model dependencies using copulas. Within the context of credit risk modelling, copulas are used to model dependencies between the defaults of credit obligations in a portfolio. Given that one obligor has defaulted, other obligors in the portfolio might be more likely to default because they are connected to the defaulted obligor directly (e.g., if the defaulted obligor is the creditor of another) or indirectly (e.g., if another obligor is in the same industry).

For a collection of random variables with given marginal distributions (the univariate probability distribution of each random variable) a copula specifies how these random variables combine into a multivariate distribution, and thus specifies the dependencies between the random variables. Some copulas like the Gaussian copula are characterised by a correlation matrix, while other copulas describe dependencies that are non-linear or too complicated to be accurately described by correlation parameters. A copula is a mapping that transforms the marginal distributions for a collection of random variables into a joint distribution for all the random variables.

When copulas are used in credit risk modelling, the underlying random variables of interest may be the time to default of each obligation in a portfolio, or in Merton type models, the asset values of the obligors. In the latter case, the obligor defaults when its asset value falls below a certain threshold. These underlying variables are continuous random variables, and they express the likelihood of default in a different way from the more familiar (discrete) indicator random variables, which are 1 if default occurs during a specified period and 0 otherwise. If $q_i$ is the underlying random variable denoting for example the time to default of obligor $i$, and $I_{i,T}$ is the indicator random variable denoting default before time $T$, the relation between $q_i$ and $I_{i,T}$ is:

$$
I_{i,T} = \begin{cases} 1, & \text{if } q_i \le T \\ 0, & \text{if } q_i > T \end{cases}
$$

If the distributions of these time-to-default variables are combined using a copula, a joint distribution function for the time-to-default variables is obtained. Taking random samples from this joint distribution, and given a specified time horizon, each sample from the distribution will translate into a set of defaulting and non-defaulting obligations within the portfolio over that time period.

The first copula to be widely used in the context of credit modelling was the Gaussian copula. One important shortcoming of the Gaussian copula is that it displays zero tail dependence. Besides the Gaussian copula, copulas based on other multivariate distributions (particularly the Student-t distribution) are often used with the goal of capturing dependencies between defaults that have a stronger impact on the tail of the loss distribution. For example, the t-copula has a parameter for "tail association" or dependence. The distributions produced by copulas are usually not tractable analytically, and as a result, copulas are most frequently used in running portfolio default simulations.
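What follows is an added, self-contained simulation of the procedure Box 13.2 describes (sampling from a copula-joined distribution and turning each sample into a set of defaulting obligors); it was written for this edition and is not code from the paper. Obligors share one systematic factor; under the Gaussian copula obligor $i$ defaults when its latent variable falls below $\Phi^{-1}(PD)$, and under the Student-t copula the same latent variables are divided by a common chi-square draw, which is what produces the tail dependence the box mentions. The asymptotic single-risk-factor (ASRF) default-rate quantile is included as an analytic reference point for the Gaussian case. Portfolio size, PD, asset correlation, degrees of freedom and scenario count are constructed values; the Student-t distribution function is integrated numerically so that only the standard library is required.

```python
"""Added example (not from the BCBS paper): one-factor Gaussian and
Student-t copula default simulation for a homogeneous portfolio, with the
ASRF default-rate quantile as an analytic benchmark.  Standard library only;
all portfolio parameters are constructed for illustration.
"""
import math
import random


def norm_cdf(x):
    """Standard normal CDF via the error function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def t_cdf(x, nu):
    """Student-t CDF for integer nu, by Simpson integration of the density
    from 0 to x (the density is symmetric, so F(0) = 0.5)."""
    c = math.gamma((nu + 1) / 2) / (math.sqrt(nu * math.pi) * math.gamma(nu / 2))
    pdf = lambda t: c * (1.0 + t * t / nu) ** (-(nu + 1) / 2)
    n = 2000                       # even number of Simpson panels
    h = x / n
    s = pdf(0.0) + pdf(x)
    for k in range(1, n):
        s += (4 if k % 2 else 2) * pdf(k * h)
    return 0.5 + s * h / 3.0


def quantile(cdf, p, lo=-60.0, hi=60.0):
    """Invert a monotone CDF by bisection."""
    for _ in range(80):
        mid = 0.5 * (lo + hi)
        if cdf(mid) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def simulate(n_obligors, pd, rho, n_scen, copula="gaussian", nu=4, seed=1):
    """Default counts per scenario under a one-factor latent-variable model.
    Obligor i defaults (I_{i,T} = 1) when its latent variable X_i <= c, with c
    chosen so that P(default) = pd under the copula's marginal distribution.
      gaussian: X_i = sqrt(rho) M + sqrt(1-rho) e_i,           c = Phi^-1(pd)
      t:        X_i = (sqrt(rho) M + sqrt(1-rho) e_i) / sqrt(W/nu), W ~ chi2(nu)
                shared by all obligors in the scenario,        c = t_nu^-1(pd)
    Returns the sorted list of default counts."""
    rng = random.Random(seed)
    if copula == "gaussian":
        c = quantile(norm_cdf, pd)
    else:
        c = quantile(lambda x: t_cdf(x, nu), pd)
    a, b = math.sqrt(rho), math.sqrt(1.0 - rho)
    counts = []
    for _ in range(n_scen):
        m = rng.gauss(0.0, 1.0)
        scale = 1.0
        if copula != "gaussian":
            w = sum(rng.gauss(0.0, 1.0) ** 2 for _ in range(nu))
            scale = 1.0 / math.sqrt(w / nu)
        defaults = 0
        for _ in range(n_obligors):
            if (a * m + b * rng.gauss(0.0, 1.0)) * scale <= c:
                defaults += 1
        counts.append(defaults)
    counts.sort()
    return counts


def tail_quantile(counts, q):
    """Nearest-rank q-quantile of a sorted list of default counts."""
    return counts[min(len(counts) - 1, math.ceil(q * len(counts)) - 1)]


def asrf_loss_quantile(pd, rho, q):
    """Default-rate q-quantile of an infinitely granular one-factor Gaussian
    portfolio: Phi((Phi^-1(pd) + sqrt(rho) Phi^-1(q)) / sqrt(1 - rho))."""
    num = quantile(norm_cdf, pd) + math.sqrt(rho) * quantile(norm_cdf, q)
    return norm_cdf(num / math.sqrt(1.0 - rho))


if __name__ == "__main__":
    n, pd, rho, scen = 100, 0.02, 0.2, 3000   # constructed portfolio
    g = simulate(n, pd, rho, scen, "gaussian")
    t = simulate(n, pd, rho, scen, "t", nu=4)
    for name, counts in (("gaussian", g), ("t(4)", t)):
        print(f"{name}: mean default rate {sum(counts) / (scen * n):.4f}, "
              f"99% defaults {tail_quantile(counts, 0.99)}, "
              f"99.9% defaults {tail_quantile(counts, 0.999)}")
    print(f"ASRF 99.9% default rate: {asrf_loss_quantile(pd, rho, 0.999):.4f}")
```

Both copulas reproduce the same unconditional default probability, so the difference shows only in the tail: the shared chi-square divisor in the t case makes many obligors cross the threshold together in a minority of scenarios, lengthening the right tail of the default-count distribution relative to the Gaussian case.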

risk weights for credit risk.26 Within this modelling approach, banks may use their own estimates of correlations or may use multiple systematic risk factors in order to address concentrations. Such a modelling approach raises several supervisory concerns about the method used to calibrate the correlations and the ways in which the bank addresses the infinite granularity and single-factor structure of the ASRF model.

Under the impetus of the Basel II Framework, banks have also increased their use of bottom-up approaches in their credit risk dependency modelling. As a result, credit portfolio models are much more integrated into daily risk measurement and management than was the case in 1999.

The IACPM and ISDA Study

Given the differing approaches to modelling dependencies between borrowers described above, the question arises as to what extent the economic capital estimates produced by the models differ from each other. To shed some light on this empirical question, the International Association of Credit Portfolio Managers (IACPM) and International Swaps and Derivatives Association (ISDA) conducted a study in 2006 to explore the economic credit capital models in use by their member institutions.

The IACPM and ISDA (2006) study evaluated the degree of convergence of economic capital estimates across commercially available credit portfolio models and across internally developed credit risk models implemented by banks. Given that most banks use one of the three main commercially available credit risk models mentioned above or internally developed implementations of the same types of models, the study was effectively a comparison of the economic capital estimates generated by these commercially available models, run either in default mode or in mark-to-market mode.27 The study applied the

26 The ASRF model is also referred to as a single-factor Gaussian copula model. For this model, the capital charge for an exposure depends on the risk characteristics of this exposure only (i.e., PD, LGD, EAD, maturity) and does not depend on the composition of the portfolio to which the exposure is added.

27 CreditRisk+ is exclusively a "default mode" model. Default mode refers to the situation where credit losses arise only if a borrower defaults within the planned time horizon. Mark-to-market credit losses can arise in response to deterioration in an asset's credit quality before the end of the planning horizon.

different credit models to a representative portfolio of transactions that was assembled with pre-specified data assumptions regarding risk characteristics. By eliminating different data characteristics and portfolio composition as sources of potential differences in economic capital estimates, remaining differences are largely due to differences in the modelling approaches. Outcomes of the study may also be dependent on the composition and characteristics of the test portfolios used in the study.

The study showed significant differences in economic capital estimates between the different models, in default-only mode as well as in mark-to-market mode. The differences in economic capital estimates between the models can be explained in terms of the following factors: correlation structure; treatment of interest payments due between time zero (point of valuation) and the time horizon (point of default) and whether this was accounted for in the definition of loss; and other modelling differences.

Of special interest in the context of this annex is the question: How much of the difference in economic capital is due to correlation structure/dependency modelling assumptions? In default-only mode, the differences could be explained to a large extent by the different treatment of interest payments (i.e., by the difference in definition of loss), with the correlation structure playing only a minor role. However, in mark-to-market mode, where changes in revaluations at the horizon for non-defaulted assets may also be correlated, and where the impact of differences in the modelling of correlations is larger, roughly a quarter of the observed difference in economic capital estimates is attributable to correlation assumptions.

Another issue involves the sensitivity of economic capital estimates to changes in portfolio concentrations and model parameters. Sensitivity analysis performed in the IACPM and ISDA study showed that a change in the sector or country composition of the representative portfolio had a large impact on economic capital estimates.28 Furthermore, the impact differed between the different types of credit risk models. This evidence provides empirical support for the notion that the output of credit risk models significantly depends on the underlying correlation structure. Differences in correlations could be structural in nature since different models may use different data to calibrate correlations (e.g., historical equity returns versus default rate data), or could be due to time-varying correlations.29

Supervisory Concerns Relating to Currently Used Credit Portfolio Models

Shortcomings of Dependency Modelling

Regarding dependency assumptions used in credit portfolio models, supervisors can question the accuracy and robustness of correlation estimates used by banks since these estimates depend heavily on (explicit or implicit) model assumptions and can significantly influence economic capital calculations. These assumptions are even more problematic when the dependency modelling and calibration methods used are embedded in proprietary third-party vendor credit risk models, which essentially can be viewed as "black boxes."

Beyond the issues raised by the basic approaches used in structural and reduced-form credit portfolio models, the validity of several other assumptions has been examined in the academic literature. For example, the validity of the following assumptions has been drawn into question: the asymptotic single-factor Gaussian copula approach; the normal distribution for the variables driving default; the stability of correlations through time; and the joint assumptions of correctly specified default probabilities and doubly-stochastic processes, which imply that default correlation is adequately captured by common risk factors. Several academic papers question the ability of some models using such assumptions to explain the time-clustering of defaults that is observed in some markets. This in turn, when combined with inadequately integrating the correlation between PD and LGD in the models and inadequately modelling LGD variability, can lead to an underestimation of the economic capital needed. In addition, it will make it difficult to identify the different sources of correlations and the clustering of defaults and losses.

For example, Das et al. (2007) found that U.S. corporate default rates between 1979 and 2004 vary beyond what can be explained by a model that only includes observable covariates. Moreover, Duffie et al. (2006) found evidence of the presence among U.S. corporate default rates of one or more unobservable common sources of default risk that increase default correlation and extreme portfolio loss beyond that implied by observable common and correlated macroeconomic and firm-specific sources of default risk.30 However, there are practical limitations of the "frailty approach" (i.e., modelling default clustering with latent risk factors) including the computational cost, and the failure to identify the frailty factor, hampering the ability

28 For example, it could double the amount of economic capital for credit risk.

29 The IACPM and ISDA study concludes that when loss assumptions are aligned across both vendor and internal credit portfolio models, estimates of economic capital for credit risk can be shown to converge for default-mode models. Differences in the capital estimates for mark-to-market models can be reduced, but not eliminated.

30 As pointed out by Das et al. (2007) and others, known factors account for a very large fraction of the default correlation observed in the data. As a result, a practical approach to overcoming the shortcoming of the frailty factor is to use conservative estimates of asset correlations and to conduct stress testing.



of banks to make practical decisions in managing the risk from the frailty factor.

With respect to the stable correlation hypothesis, Bangia et al. (2000) found that rating transitions are sensitive to the business cycle and are explained by different models during expansionary and recessionary periods. Therefore, the sample period and approach used to calibrate the dependency structure could be important in assessing whether correlation estimates are overestimated or underestimated, and therefore whether they should be reviewed.

Other assumptions can also impact correlation calibration. For example, when a model assumes that unobservable asset returns can be approximated by changes in equity prices, it does not account for the fact that the relationship between asset returns and equity prices is unobservable and could also be non-linear. Similarly, when equity prices are used to estimate credit default probability, the issue arises that although such prices can cover a wide range of industries and geographical locations, they also reflect information that is unrelated to credit risk. Consequently, the use of equity prices can introduce some noise in the correlation estimates.

On the other hand, when banks use a regulatory-type approach, with single or multiple risk factors, the assumptions of such an approach pose two important issues for both banks and supervisors:

• Since the correlation estimates are explicit parameters in the Basel ASRF model, they would need to be estimated. There may be limited historical data on which to base the correlation estimates, and the assumptions used to generate the correlations may not align with the underlying assumptions of the Basel II credit risk model.

• If a bank uses the Basel II risk weight model (either with supervisory or with its own correlations), it must account for concentration risk (single name and industry/regional concentrations) by other measures and/or management methods (e.g., limit setting), and supervisors will have to evaluate these approaches.

The concern about assumptions is important since they can have a significant impact on measures of portfolio credit risk and the measurement of economic capital. For example, Tarashev and Zhu (2007) demonstrate, by comparing the loss distributions produced by the KMV and the ASRF models, that the single-risk-factor and infinite granularity assumptions of the ASRF model have small impacts on measurement of capital needs, especially for large, well-diversified portfolios. By contrast, the use of misspecified or incorrectly calibrated correlations and the use of a normal distribution (which fails to replicate the tails of the distribution of asset returns)31 can lead to significant inaccuracies in measures of portfolio credit risk and economic capital.

Use of Credit Dependency Modelling

One of the main supervisory concerns is that some banks use credit portfolio models without always having a full understanding of all the underlying assumptions and modelling techniques embedded in them. Whether such models are suitable for different portfolios (retail, structured products, etc.) as well as for the specific concentration and exposure mix characteristics of their own portfolios should be assessed.

For example, it seems that the use of asset return correlations derived from equity prices has become a market standard for portfolios of large corporates, despite the limitations associated with such an approach.

It is important to consider whether the uncritical use of asset correlations for other portfolios such as SME and retail borrowers is adequate. The estimated correlations could be meaningfully used as long as they are applied to large, publicly traded borrowers. The appropriateness of using such data to estimate correlations for other exposures such as non-traded, small and medium-sized enterprises and retail borrowers is less clear. Specifically, corporate, SME and retail portfolios are data-rich, which means that the derivation of different default correlations from internal bank data could be envisaged in some cases. For non-traded SME portfolios, there are third-party vendors that might also provide relevant data for some local markets.

However, banks do not generally calibrate their retail and SME correlations separately. Instead they use shortcuts, such as assigning retail borrowers to the "no industry" category in a credit portfolio model. It remains to be seen whether these shortcuts provide a meaningful measure of risk for SME and retail portfolios.

The use of more complex models (e.g., contagion models and Gaussian and non-Gaussian copulas), which need technical, judgmental and modelling expertise, could also be viewed as too burdensome, uncertain, unstable or inappropriate to implement. Assuming that banks gather enough data to estimate more reliable correlations using internal data in the future, it would be useful for the industry to make progress in estimating correlations for other exposures, such as SME, retail, and structured products, and to analyse which data, models, and techniques are the most relevant for these portfolios.

31 With respect to the loss distributions, they are more likely to follow double-t distributions with medium to high degrees of freedom instead of normal distributions. Such misspecification can imply an underestimation of economic capital that ranges from 22-86%.

13.9 ANNEX 2: COUNTERPARTY CREDIT RISK

Counterparty credit risk (CCR) at large, complex banks centres on the measurement and management of financial exposure and the resulting credit risk associated with core credit extension activities of these financial institutions to a wide range of counterparty types. Counterparty credit risk takes a variety of forms, including credit risk emanating from activities in OTC and exchange-traded derivatives, from securities financing activities, and from foreign exchange settlements. The counterparties to these financial institutions take a wide variety of forms, ranging from sovereigns and local government entities, to regulated financial concerns and potentially unregulated financial parties such as hedge funds, to corporate entities (both investment-grade and below-investment-grade).

This annex is organized in two sections. The first section highlights the challenges that the industry faces in quantifying counterparty credit risk for economic capital purposes, while the second section addresses the range of practices that financial institutions undertake in quantifying this risk. The primary focus is on modelling challenges in the quantification of counterparty credit risk, and thus there is no explicit consideration of the comprehensive set of risk management practices that are meant to mitigate risks or to provide compensating controls for model deficiencies, unless those practices (such as initial margin and ongoing collateral practices related to counterparty credit risk) directly influence the quantification of risk.

Counterparty Credit Risk Challenges

Measurement of counterparty credit risk represents a complex exercise, as it involves gathering data from multiple systems; measuring exposures from potentially millions of transactions (including an increasingly significant percentage that exhibit optionality) spanning variable time horizons ranging from overnight to thirty or more years; tracking collateral and netting arrangements; and categorising exposures across thousands of counterparties. The complexities of the processes highlighted below indicate a need for institutions to have specialised processes and personnel to tackle these issues and challenges.

which measures the exposure if the counterparty were to default today, and potential exposure, which measures the potential increase in exposure that could occur between today and some time horizon in the future. One feature of derivatives and securities financing relationships is that, while the amount of current exposure to a counterparty is known, the amount of potential exposure to a counterparty is an unknown quantity (in fact, given the nature of derivatives contracts and securities financing arrangements, there may be no exposure to the financial institution at the time of a counterparty default). Therefore, counterparty credit exposure is generally measured as some statistic (such as a mean or a percentile) of the distribution of possible future exposures to the counterparty.

The second part of the counterparty credit measurement is converting the exposure to a risk amount for economic capital purposes or risk management purposes more generally (for example, to inform a counterparty credit risk limit system). The risk measurement will be a function of the probability of default (PD) for the counterparty, the loss given default (LGD) for the exposure, and the exposure measurement, which is effectively the exposure at default (EAD) value. The EAD value is driven by market-risk-related factors (the volatility and correlation among market risk factors and how they affect the derivative contract or valuation of the securities being financed), while the PD and LGD are effectively determined by the firm's assessment of the credit quality of the counterparty.

Counterparty credit risk measurement, therefore, necessarily combines the tools from standard market risk measurement with the tools from standard credit risk determination. Market risk measurement practices are used, for example, in mapping derivatives exposures to a set of market risk factors, simulating those factors out to a forward-looking time horizon, and determining the distribution of the level of exposures over various risk factor realisations in the simulation. Separately, standard credit risk processes provide assessments of the credit quality of the counterparty, frequently resulting in a credit rating of the counterparty, both from the PD and LGD perspectives. Counterparty credit risk measurement offers unique challenges related to both the market-risk-related and the credit-risk-related processes, which are described next.
cesses and personnel to tackle these issues and challenges. Market-Risk-Related Challenges to Counterparty
EAD Estimation
Measuring Exposure and Measuring Risk
Counterparty credit exposure m easurem ent requires simulation
A bank's counterparty credit m easurem ent can be conceptually of market risk factors and the revaluation of counterparty posi­
broken down into two distinct steps. First is the m easurem ent tions under the simulated risk factor shocks, much like a value-
of counterparty cred it exposure— that is, how much money the at-risk (VaR) model requires. Two unique challenges present
counterparty will owe the bank in the event of default. This them selves when attem pting to leverage a VaR model technol­
exposure number is further broken down into current exposure, ogy for counterparty credit exposure m easurem ent.

Chapter 13 Range of Practices and Issues in Economic Capital Frameworks ■ 223


First, market risk VaR models combine all positions in a portfolio into a single simulation, so that gains from one position are allowed to fully offset the losses in another position in the same simulation run. Counterparty credit risk exposure measurement, however, cannot allow netting across counterparties (e.g., a decline in exposure to one counterparty cannot be netted against an increased exposure to another counterparty). Therefore, the analysis of counterparty exposure must be done at the "netting set" level (that is, on each set of transactions that form the basis of a legally enforceable netting agreement). Most banks have many thousands of counterparties, and each of these counterparties may have many different netting agreements (segregated, for example, by product type or legal jurisdiction). This situation, therefore, requires the counterparty exposure measurement to perform a calculation at the netting-set level, thereby increasing the computational intensity of the calculation.

Second, market risk VaR calculations are traditionally performed for a single short-term holding period, for example, for a single day or a ten-day holding period. Counterparty credit exposure measurement, however, must be performed for multiple holding periods into the future, as certain derivatives contracts, for example, can extend years, or even decades, into the future. As a result, market risk factors have to be simulated over much longer time periods than in the standard VaR calculation, and revaluation of the potential exposure in the future must be done for the entire portfolio at certain points in the future.

The combination of the large number of counterparties and the large number of holding periods in the future implies that the computational challenges in effectively measuring VaR are dramatically increased when financial institutions attempt to measure counterparty exposures for derivatives transactions. As a result, a bank may decide to reduce the number of market risk factors considered in the simulation for counterparty credit risk relative to the number considered in the market risk VaR calculation. The resulting simplification can result in a reduction in precision of the final result, but the materiality of the reduced precision is highly dependent on the circumstances of the positions relative to the model. For example, ignoring the volatility smile in a business with few trades might not be material, but using a single-factor term structure of interest rate model may result in a significant reduction in accuracy of the model for these exposures.

Credit-Risk-Related Challenges to PD and LGD Estimation

Frequently, counterparties to financial firms for derivatives or securities financing transactions have other credit-risk-related relationships, so that the financial firm would already have a credit rating, and an associated PD, and the ability to calculate an LGD for the exposure. However, some important derivatives and securities financing activities are done with counterparties (such as hedge funds) with which the financial institution may have no other exposures. In those cases, the financial firm must determine a PD and LGD associated with the counterparty and the facility. In the case of hedge funds, the counterparty may have little transparency in terms of underlying fund volatility, leverage, or types of investment strategies employed, which creates a significant challenge. In the case of counterparties to which the institution has other credit exposures (e.g., a corporate client), the institution will typically be using the same PD used for the other exposures, but will need to arrive at a facility-specific LGD.

Interaction between Market Risk and Credit Risk: Wrong-Way Risk

While counterparty credit risk can conceptually be broken down into a market-risk-driven EAD calculation and a credit-risk-driven PD-LGD determination, these two processes are frequently not independent. This interaction, where PD and LGD may tend to rise at the same time as the exposure to the counterparty is rising, is known as "wrong-way risk." For counterparty credit exposure systems that separate EAD estimation from PD-LGD estimation, the incorporation of wrong-way risk in the economic capital calculation is not directly feasible, but may be incorporated via an add-on in the economic capital process. Challenges arise when trying to capture wrong-way risk. Wrong-way risk is sometimes difficult to identify, as it requires understanding the market risk factors that the counterparty is exposed to, and relating those factor sensitivities to the factor sensitivities of the institution's own exposures to the counterparty. Understanding the counterparties' risk factor sensitivities can be challenging, especially for counterparties (such as some hedge funds) that tend to be opaque. Even when wrong-way risk can be identified directionally, it is often difficult to quantify its magnitude in an economic capital model (in particular, over a one-year horizon at a high confidence level).

Operational-Risk-Related Challenges in Managing Counterparty Credit Risk

Managing counterparty credit risk is a very resource-intensive activity, and requires specialised systems and personnel to implement effectively. Daily limit monitoring, marking-to-market, collateral management processes, and intraday liquidity and credit extensions are all complicated and interlinked processes that give rise to the possibility of operational risk difficulties. Such operational risk exposure is generally not captured for economic capital purposes within counterparty credit risk, but may

224 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
be captured within an operational risk quantification process. Operational risks related to counterparty risk that are particularly difficult to quantify involve risks of new or rapidly growing businesses, risks in new products or processes, risks in intraday extensions of credit which are not properly captured in systems designed for end-of-day exposure capture, and risks in areas where there have been few historical instances of losses but where potential "tail events" may have severe consequences.

Differences in Risk Profiles between Margined and Non-Margined Counterparties

One important input in the measurement of counterparty credit risk among firms' counterparties is whether the counterparty is a margined counterparty or not. A margined counterparty has agreed to post collateral, either in the form of cash or securities, when the financial firm's exposure to it is positive. While there are wide variations in the practices surrounding margining of counterparties (minimum thresholds before a margin call is made, the frequency of margin calls, the treatment of valuation of illiquid products, etc.), an important distinction in the modelling approaches must be made between counterparties who have agreed to margining (also known as "having a CSA", a credit support annex to the master netting agreement that lays out the terms of the margining agreement) and those who have not. Frequently, the modelling difference between these classes of counterparties surrounds the treatment of the look-ahead forecasting period: for margined counterparties, the forecasting period is short, associated with a reasonable "cure period" between when a counterparty misses a margin call and when the underlying positions can be closed out; for non-margined counterparties, the forecasting period is generally much longer, as long as the life of the contract. The variation in modelling horizons makes the aggregation of risk across these two classes of counterparties a challenge, as most risk modelling approaches take a single modelling horizon (e.g., one day for VaR models, one year for economic capital models) for all positions. Aggregation is further complicated if, for a given counterparty, some positions are margined but others are not.

Note that there is still a gap risk, even for margined counterparties, which needs to be modelled and accounted for. In stress situations that adversely affect the assets being financed, there could be a risk of market gapping and rapid loss of value. Banks may need to take possession of collateral at a time when its value is deteriorating and the market for it may be illiquid. This risk may be amplified by the presence of exposure concentrations within the firm, or by "crowded trades," where several firms may be taking possession of similar collateral and seeking to liquidate it at the same time.

Aggregation Challenges

While calculation of counterparty credit risk for an individual counterparty has its challenges, these challenges are magnified when attempting to get a firm-wide view of risk for economic capital purposes. Independently of the challenges in arriving at a counterparty credit risk economic capital measure outlined above, this risk measure must be aggregated in a sensible, rigorous, and risk-sensitive way with other exposures at the financial firm in order for the overall economic capital measure to be a reliable indicator of the aggregate inherent risk-taking by the firm. If a single counterparty has both derivatives and securities financing transactions, the firm may face challenges in aggregation across the counterparty's exposures, as the various models and systems architectures may not be conducive to aggregation. Furthermore, a firm's counterparty credit risk must be aggregated with other credit risk-taking activities of the firm, both in terms of loans in the banking book and credit risk in the trading book. Finally, these more comprehensive credit risk measures must be aggregated with overall market and operational risk in order to arrive at the final economic capital measure.

A related challenge involves the ability of the counterparty credit risk system to allow risk management to have a detailed understanding of the various breakdowns of risk that are common in the market risk world. Breakdowns by product, by risk factor, by geography, by business line, or by legal entity are difficult for many firms to produce, for a variety of reasons. The computational intensity of the calculations makes the provision of such "drill-down capabilities" expensive in terms of time to produce on a daily basis. Fragmented computer systems and IT infrastructures, frequently driven by a variety of legacy infrastructures from merger and acquisition activity, are frequently cited as culprits for the limitations associated with counterparty credit risk systems' lack of flexibility. The IT requirements associated with Basel II's internal models approach to the use of counterparty credit risk for regulatory capital purposes were often mentioned as a possible mechanism to address some of the existing systems' rigidities, but it remains uncertain how much of the planned IT investment will address the existing systems' limitations.

Range of Practices

Given the variation in size and complexity of counterparty credit exposures across large financial firms, these institutions display a range of practices in measuring CCR for economic capital purposes. Firms employ one of two general modelling approaches to quantify the counterparty credit risk exposures. While these models may be supplemented with complementary measurement processes, firms typically have adopted one of two measurement "engines":



The first is a stand-alone simulation engine, typically implementing a Monte Carlo approach ("Monte Carlo Model"). This simulation normally spans a long forecasting horizon, often encompassing the contractual life of the transaction, and then selects an average exposure measurement or a percentile of the resulting exposure distribution to quantify the exposure for a transaction or a portfolio of transactions at different points in time over the forecasting horizon. The banks employing this approach for collateralised counterparties will typically use the same approach to measure uncollateralised counterparty exposures.

The second approach is a "value-at-risk" ("VaR")-type CCR exposure engine ("VaR Model"), typically achieved by leveraging the firm's existing market risk VaR processes. This approach estimates the distribution of CCR exposures over a relatively short-term liquidation (or "closeout") horizon. The banks employing this approach for collateralised counterparties still typically use a Monte Carlo approach to measure uncollateralised exposures with longer-term horizons.

The decision of whether to use a Monte Carlo Model or a VaR-type model to quantify CCR exposures for collateralised counterparties involves a variety of trade-offs.

The VaR-type model leverages well-developed and already validated data and analytical systems, thereby permitting usage of the large set of risk factors deployed for market risk measurement. Due to the computational intensity, however, the VaR-type model is practical only for quantifying the exposure profile over a single short-term forecasting horizon, which can be utilised for collateralised counterparty credit risk assessments. Consequently, the VaR-type model exhibits the limitation that it cannot produce a profile of exposures over time, which is necessary for counterparties that are not subject to daily margining agreements.

The Monte Carlo model, on the other hand, allows for the quantification of longer-term exposures but at the potential expense of a less accurate measurement of CCR exposure, given the necessary use of a simplified risk factor representation.

Use of Add-Ons

Counterparty credit risk engines may not effectively capture the risks of all financial products. For products not effectively captured by counterparty credit exposure measurements, many firms revert to an "add-on" factor, which provides a simplified but conservative measurement of the exposure for that product. While generally calibrated to be conservative, the add-on factors are frequently not risk sensitive (e.g., the factors may not change as market volatility rises and falls) and frequently do not allow for netting, hedging or diversification effects across risk factors.

Counterparty Credit Risk Processes for High Risk Counterparties

Firms continue to be challenged by the opacity of risks for certain counterparties, such as hedge funds, and have developed enhanced processes to identify, measure, monitor, limit, control and report the risks from these counterparty relationships.

Ancillary Processes to View Counterparty Credit Risk

Due to the challenges of developing a highly nuanced view of counterparty credit risk for economic capital purposes, banks have developed ancillary processes to help manage and measure these risks. Concentration risk identification and stress testing are two of the key risk management processes that attempt to quantify the risks in counterparty credit relationships that may be poorly measured by the core counterparty credit risk engines. Concentration risk identification involves a set of ancillary analytics, mostly outside of the main counterparty credit risk engine, which attempts to identify large exposures by individual counterparty, by the set of counterparties of lower credit ratings, by underlying risk factor, or by other dimensions that the firms have identified as important measures of concentration that are deemed worthy of monitoring. However, one should keep in mind that concentration of positions with larger counterparties, ones that may actually enjoy enhanced diversification benefits during moments of stress, may be less harmful than the aggregate exposure of trades with a collection of smaller counterparties.

Stress testing, also performed outside of the main counterparty credit risk engines, involves a variety of diagnostic tools designed to identify risk vulnerabilities that the main risk engine may not capture or identify. Stress tests, however, are frequently not fully comprehensive of all counterparty credit risk exposures. Stress tests may be performed on a subset of the entire universe of counterparties (for example, on only counterparties that do not have daily margining agreements, or on only "highly leveraged" counterparties). Sometimes, not all counterparty positions are included in the stress tests (for example, positions that are treated with "add-ons" may be excluded from the stress tests, as the simple add-on may be deemed a sufficiently conservative treatment of the risks for stress testing purposes). Finally, stress tests are frequently treated as a diagnostic tool of risk management, and may have no limits or escalation procedures associated with them.

Additionally, while wrong-way risk may be missed in the main counterparty credit risk quantification process, many firms have separate processes to measure and to limit the level of wrong-way risk in their counterparty credit risk relationships, where it can be measured.

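The following is an added example, not part of the original annex or of any bank's engine, that puts the preceding points into runnable form: a miniature Monte Carlo exposure engine that revalues trades at many future dates, nets only inside a netting set (never across sets or counterparties), treats a margined (CSA) set over a short cure period while a non-margined set is measured over the life of the trades, reads expected exposure (EE) and a 95% percentile (PFE) off the exposure distribution, and converts EE to an expected loss with PD and LGD, with an optional tilt of the default probability towards rising exposure to show what wrong-way risk does to the number. Everything in it is a constructed assumption: a single driftless lognormal risk factor S (think of an FX rate), forward-style trades with linear MTM, the trade portfolio, the threshold, and the one-period margin period of risk.

```python
# Added example (not from the source text): toy netting-set Monte Carlo exposure engine.
# Constructed assumptions: one lognormal risk factor S, linear forward-style MTM,
# quarterly time grid, margined sets measured over a one-step cure period, and a
# conditional PD that can be tilted towards high S to mimic wrong-way risk.
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    counterparty: str
    netting_set: str
    quantity: float   # > 0: bank receives S, so MTM rises with S
    strike: float
    maturity: float   # years


def simulate_factor_paths(s0, vol, grid, n_paths, seed=1):
    """Driftless lognormal paths of S sampled at the grid times (years)."""
    rng = random.Random(seed)
    paths = []
    for _ in range(n_paths):
        s, t_prev, path = s0, 0.0, []
        for t in grid:
            dt = t - t_prev
            s *= math.exp(-0.5 * vol ** 2 * dt + vol * math.sqrt(dt) * rng.gauss(0.0, 1.0))
            path.append(s)
            t_prev = t
        paths.append(path)
    return paths


def netting_set_value(trades, s, t):
    """MTM of one legally enforceable netting set; matured trades are worth zero."""
    return sum(tr.quantity * (s - tr.strike) for tr in trades if t <= tr.maturity)


def exposure_profiles(trades, paths, grid, margined, threshold=0.0, mpor_steps=1):
    """Exposure per netting set, path and grid point; sets are never netted together.
    Non-margined: E_t = max(V_t, 0) over the whole life of the trades.
    Margined: collateral C_t = max(V_{t-MPOR} - threshold, 0) was received at the last
    honoured margin call, so the bank is exposed to the move over the cure period:
    E_t = max(V_t - C_t, 0)."""
    by_set = {}
    for tr in trades:
        by_set.setdefault(tr.netting_set, []).append(tr)
    profiles = {}
    for ns, ns_trades in by_set.items():
        rows = []
        for path in paths:
            values = [netting_set_value(ns_trades, s, t) for s, t in zip(path, grid)]
            if margined.get(ns, False):
                rows.append([max(v - max(values[max(i - mpor_steps, 0)] - threshold, 0.0), 0.0)
                             for i, v in enumerate(values)])
            else:
                rows.append([max(v, 0.0) for v in values])
        profiles[ns] = rows
    return profiles


def expected_exposure(rows):
    """EE_t: mean exposure across paths at each grid point."""
    return [sum(r[i] for r in rows) / len(rows) for i in range(len(rows[0]))]


def pfe(rows, q=0.95):
    """PFE_t: q-quantile of exposure across paths at each grid point."""
    out = []
    for i in range(len(rows[0])):
        col = sorted(r[i] for r in rows)
        out.append(col[min(int(q * len(col)), len(col) - 1)])
    return out


def counterparty_ee(profiles, trades, cp):
    """Counterparty EE is the sum over its netting sets (netting only inside a set)."""
    sets = sorted({tr.netting_set for tr in trades if tr.counterparty == cp})
    return [sum(v) for v in zip(*(expected_exposure(profiles[ns]) for ns in sets))]


def expected_loss(profiles, trades, paths, cp, pd_h, lgd, h_index, beta=0.0):
    """Expected loss at grid index h_index (the capital horizon).
    beta = 0: PD x LGD x EAD with EAD = EE at the horizon, PD independent of S.
    beta > 0: the conditional PD on each path is proportional to S_h ** beta (normalised
    so it still averages to pd_h), so default is likelier exactly when a long position's
    exposure is large: wrong-way risk lifts the loss above the independent figure."""
    sets = sorted({tr.netting_set for tr in trades if tr.counterparty == cp})
    weights = [p[h_index] ** beta for p in paths]
    mean_w = sum(weights) / len(weights)
    loss = 0.0
    for k in range(len(paths)):
        exposure = sum(profiles[ns][k][h_index] for ns in sets)
        loss += pd_h * (weights[k] / mean_w) * lgd * exposure
    return loss / len(paths)


GRID = [0.25 * i for i in range(1, 13)]           # quarterly points out to 3 years
TRADES = [                                          # constructed portfolio
    Trade("CP_A", "NS_A_NY", 100.0, 1.00, 3.0),
    Trade("CP_A", "NS_A_NY", -40.0, 1.05, 2.0),     # partly offsets inside the same set
    Trade("CP_A", "NS_A_LDN", 30.0, 0.98, 1.5),     # other jurisdiction: separate set
    Trade("CP_B", "NS_B", 80.0, 1.00, 2.0),         # margined, CSA threshold 2.0
]
MARGINED = {"NS_B": True}


def run_example(n_paths=2000):
    paths = simulate_factor_paths(1.0, 0.12, GRID, n_paths)
    profiles = exposure_profiles(TRADES, paths, GRID, MARGINED, threshold=2.0)
    h = GRID.index(1.0)                             # one-year economic capital horizon
    return {
        "ee_cp_a": counterparty_ee(profiles, TRADES, "CP_A"),
        "pfe_ns_b": pfe(profiles["NS_B"]),
        "el_independent": expected_loss(profiles, TRADES, paths, "CP_A", 0.02, 0.6, h),
        "el_wrong_way": expected_loss(profiles, TRADES, paths, "CP_A", 0.02, 0.6, h, beta=3.0),
    }


if __name__ == "__main__":
    for key, val in run_example().items():
        print(key, round(val, 4) if isinstance(val, float) else [round(x, 2) for x in val])
```

Two things the toy makes visible that the prose only asserts: the margined set's PFE stays small because only the cure-period move counts, while the non-margined sets carry a full multi-year profile; and with the same PD, LGD and EE, the wrong-way-tilted loss is strictly higher, which is why firms that cannot correlate PD with exposure inside the engine fall back on an add-on.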
Haircut Determination for Securities Financing Activities

The processes for determining haircuts for securities financing activities generally do not consider stressful market conditions, but are based on the range of historical experience, including normal market environments. When economic capital is calculated for these positions, however, the market risk factors are shocked to a stressed level, and the risks beyond the haircut are included in the determination of economic capital for the securities financing activity.

Counterparty Credit Risk Model Validation

Counterparty credit risk models for economic capital purposes generally do not have specialised validation processes associated with them, but rather use the results of validation work done by others, such as by risk management, to support the use of the counterparty credit risk model. When there is a difference between the counterparty credit risk model for economic capital purposes and the counterparty credit risk model for risk management purposes (for example, the holding period may vary), there appears to be little additional testing or validation to support the difference, as the differences are generally viewed as mechanical differences in implementation and not as separate models requiring separate validation. For example, backtesting, an established practice for market risk exposures, is still in the early stages of development for counterparty credit risk models.

13.10 ANNEX 3: INTEREST RATE RISK IN THE BANKING BOOK

Interest rate risk refers to the exposure of a bank's financial condition to adverse movements in interest rates. It should be interpreted for the purposes of this annex as the current or prospective risk to both the earnings and capital of an institution arising from adverse movements in interest rates, which affect the institution's banking book. Changes in interest rates affect an institution's earnings by altering interest-sensitive income and expenses, and the underlying value of an institution's assets, liabilities, and off-balance sheet instruments because the present value of future cash flows changes when interest rates change.32 An indirect effect can also occur, which is linked to the impact that rate changes can have on business volumes. Although interest rate risk in the banking book is a normal part of financial intermediation, excessive interest rate risk poses a significant threat to an institution's earnings and capital adequacy.

The main challenges in the calculation of economic capital for interest rate risk in the banking book come from the long holding period assumed for a bank's structural balance sheet and the need to model indeterminate cash flows on both the asset and liability side due to the embedded optionality of many banking book items.

Many banks use some type of internal funds transfer pricing to move structural interest rate risk into a centralised place within the organisation, typically the bank's treasury unit, in order to achieve matched funds transfer pricing between all other business units of the bank. This unit is responsible for interest rate modelling and for maintaining gap positions within agreed-upon risk limits.

Sources of Interest Rate Risk

The main sources of interest rate risk in the banking book are repricing risk (arising from differences in the maturity and repricing terms of customer loans and liabilities), yield curve risk (stemming from asymmetric movements in rates along the yield curve), and basis risk (arising from imperfect correlation in the adjustment of the rates earned and paid on different financial instruments with otherwise similar repricing characteristics).

Interest rate risk in the banking book also arises from the option features of many financial instruments.33 Retail products in the banking book that have embedded options include bonds and notes with call or put provisions, loans such as mortgages which give borrowers the option to prepay balances, adjustable-rate loans with explicit interest rate caps and floors that limit the amount by which the rate may adjust, and various types of non-maturity deposits which give depositors the option to withdraw funds at any time, often without penalty. If not adequately measured and managed, the asymmetrical payoff characteristics of instruments with embedded option features can pose significant interest rate risks.

32 Interest rate risk arises from the natural mismatch between the repricing characteristics desired by investors and depositors and those desired by borrowers. As such, interest rate risk derives from the mismatched maturities or durations of assets, which are typically longer than those of the liabilities. A sudden change in the shape of the term structure will affect the values of assets differently from those of liabilities.

33 According to Principle 16 of the Basel Committee's Principles for the Management and Supervision of Interest Rate Risk (BCBS, 2004), "An additional and increasingly important source of interest rate risk arises from the options embedded in many bank assets, liabilities, and off-balance sheet portfolios."



Interest Rate Measurement Techniques and Indicators

There are two basic techniques for assessing interest rate risk in the banking book: repricing schedules (gap and duration analyses) and simulation approaches. Although commonly used, the simple structure and restrictive assumptions of repricing schedules make them less suitable for the calculation of economic capital.34 Most banks use simulation approaches for determining their economic capital, based on the estimated losses occurring under a set of worst-case scenarios. The magnitude of such losses and their probability of occurrence determine the amount of economic capital.

The banking book is traditionally based on accrual accounting, and measures such as earnings volatility or Earnings at Risk (EaR) are used. EaR measures the loss of net interest income resulting from interest rate movements, either gradual movements or a one-off large interest rate shock, over a given time horizon (typically one to two years). A disadvantage of the EaR method is that it only measures the short-term earnings effect (accrued interest) resulting from interest rate fluctuations and not the economic value effects (capital gains/capital losses).

Some banks have moved towards an economic value orientation, and measures based on Economic Value of Equity (EVE), VaR, and Extreme Value Theory (EVT) are becoming popular. EVE, which is defined as the present value of assets minus liabilities, measures the change in the market value of equity resulting from interest rate shock scenarios, compared with the market value of equity under a base scenario. It is a comprehensive risk measure, consistent with the Basel standard interest rate shock used to identify outliers.35 The accuracy of the valuation of balance sheet positions is strongly dependent upon the calculated cash flows and discount rates used.36 For practical purposes, most EVE models use static or liquidation concepts, in the sense that they show a snapshot in time of the risk based upon the current portfolio or balance sheet composition. In principle, EVE may be adapted to allow for the rolling over of current positions. In its dynamic version EVE may provide forward risk measures that also take into account future growth in existing or new business activities.

When the EVE model is complemented with an estimate of the probabilities of the interest rate scenarios used, the EVE model becomes a value-at-risk (VaR) model, which builds a statistical distribution of the profits and losses that may occur over a specified time horizon at a given confidence level owing to movements in interest rates. The method not only measures the magnitude of the loss, but also the probability of the loss.

In practice the calculation of economic capital follows three steps: in the first step, the change in economic value of both assets and liabilities is modelled as a result of changes in interest rates and an EVE is derived. The second step involves modelling the term structure of interest rates or the yield curve.37 Some banks model volatility changes over time, while other banks assume volatility is constant. In the third step the economic value of assets and liabilities and the term structure of interest rates are combined to produce the final value distribution, which can be used to compute VaR or economic capital. It is worth mentioning that many of the assets and liabilities in the banking book are not regularly traded and are therefore difficult to value at market prices. Most assets and liabilities are valued on a mark-to-model basis, using path-dependent projections of run-off and future cash flows.38

In contrast to EVE, EVT is well suited to the estimation of extreme probabilities and quantiles of a distribution. This approach is based on the extreme value theorem, which indicates what the limiting distribution of extreme values should look like and, importantly, demonstrates that it is not the normal distribution. Drawbacks are the scarcity of extreme value observations, and the model risk associated with EVT estimates, which are usually very sensitive to the precise assumptions made by users.

The choice of techniques used in assessing interest rate risk depends on the bank's orientation towards either economic value or earnings, and also on the type of business model pursued by the bank. Some businesses, such as commercial lending or residential mortgage lending, are managed on a present

34 Particularly for larger banks, gap analysis is nothing more than the first step (in this case, the distribution of the relevant assets and liabilities according to maturity) in analysing the interest rate risk in the banking book.

35 Under current guidelines, interest rate risk is identified as the banking book economic value sensitivity with respect to a standard interest rate shock of plus/minus 200 basis points; outlier banks are then identified as those having greater than 20% sensitivity with respect to regulatory capital.

36 When the cash flows are calculated, account needs to be taken of the fact that the size and the timing of the cash flows may differ under the various scenarios as a result of customer behaviour regarding changes in deposit balances and also prepayment speeds.

37 Single-factor models, such as Cox et al. (1985), Black and Karasinski (1991), or Black et al. (1990) may be used, or more advanced term structure models, such as Heath et al. (1992), Dai and Singleton (2000), and the lognormal forward-LIBOR model of Brace et al. (1997).

38 Although this can be true also for instruments held in the trading book, the typical short-term horizon of the instruments held in the trading book provides a more frequent test of model prices.

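As an added example, not taken from the annex or from any bank's model, the block below runs the two measurement views above side by side on one constructed balance sheet: an accrual EaR figure (first-year net interest income under a shock), an EVE figure (present value of assets minus liabilities under the same shock), the plus/minus 200 basis point standard shock with the 20%-of-capital outlier test of footnote 35, and a minimal version of the three-step process in which parallel one-year shocks are drawn from a normal distribution with constant volatility and the loss quantile is read off the resulting EVE distribution. All inputs are assumptions: a flat base curve, annual bullet cash flows, "floating" items that reprice immediately so the shock passes fully into their coupon, fixed items that never reprice, a one-year treatment of non-maturity deposits, and no prepayment or other behavioural option.

```python
# Added example (not from the source text): EaR versus EVE on a toy banking book.
# Constructed assumptions: flat base curve, annual bullet cash flows, floating items
# reprice at once, fixed items never reprice, no embedded-option behaviour.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Position:
    name: str
    notional: float   # + asset, - liability
    coupon: float     # current annual rate on the notional
    maturity: int     # years, bullet repayment at maturity
    floating: bool    # True: coupon moves one-for-one with the shock


def cash_flows(pos, shock=0.0):
    """Year -> signed cash flow. Only floating coupons absorb the shock; a fixed
    coupon stays put, which is exactly where repricing risk comes from."""
    c = pos.coupon + (shock if pos.floating else 0.0)
    return {y: pos.notional * (c + (1.0 if y == pos.maturity else 0.0))
            for y in range(1, pos.maturity + 1)}


def present_value(flows, rate):
    return sum(cf / (1.0 + rate) ** y for y, cf in flows.items())


def eve(book, base_rate, shock=0.0):
    """Economic value of equity: PV(assets) - PV(liabilities); liabilities are negative."""
    return sum(present_value(cash_flows(p, shock), base_rate + shock) for p in book)


def delta_eve(book, base_rate, shock):
    return eve(book, base_rate, shock) - eve(book, base_rate)


def standard_shock_outlier(book, base_rate, capital, shock=0.02, limit=0.20):
    """Footnote 35 test: worst of +/-200bp as a fraction of capital, flagged above 20%."""
    worst = min(delta_eve(book, base_rate, shock), delta_eve(book, base_rate, -shock))
    ratio = -worst / capital
    return worst, ratio, ratio > limit


def net_interest_income_year1(book, shock=0.0):
    """Accrual view: first-year coupon income minus coupon expense (principal excluded)."""
    return sum(cash_flows(p, shock)[1] - (p.notional if p.maturity == 1 else 0.0)
               for p in book)


def earnings_at_risk(book, shock):
    return net_interest_income_year1(book, shock) - net_interest_income_year1(book)


def eve_var(book, base_rate, shock_vol, n=5000, q=0.99, seed=1):
    """Three-step process in miniature: draw one-year parallel shocks (constant
    volatility), revalue the book, take the q-quantile of the EVE loss."""
    rng = random.Random(seed)
    losses = sorted(-delta_eve(book, base_rate, rng.gauss(0.0, shock_vol)) for _ in range(n))
    return losses[min(int(q * n), n - 1)]


BOOK = [  # constructed balance sheet in millions; base curve flat at 3%
    Position("30y fixed-rate mortgages", 600.0, 0.04, 30, floating=False),
    Position("floating-rate corporate loans", 300.0, 0.035, 5, floating=True),
    Position("non-maturity deposits, reprice at once", -500.0, 0.01, 1, floating=True),
    Position("2y fixed term deposits", -300.0, 0.02, 2, floating=False),
]
BASE_RATE = 0.03
CAPITAL = 100.0   # assets 900 minus liabilities 800


def run_example():
    worst, ratio, flagged = standard_shock_outlier(BOOK, BASE_RATE, CAPITAL)
    return {
        "eve_base": eve(BOOK, BASE_RATE),
        "delta_eve_up200": delta_eve(BOOK, BASE_RATE, 0.02),
        "delta_eve_down200": delta_eve(BOOK, BASE_RATE, -0.02),
        "outlier_ratio": ratio,
        "is_outlier": flagged,
        "ear_up200": earnings_at_risk(BOOK, 0.02),
        "eve_var_99": eve_var(BOOK, BASE_RATE, 0.01),
    }


if __name__ == "__main__":
    for key, val in run_example().items():
        print(f"{key}: {val:.2f}" if isinstance(val, float) else f"{key}: {val}")
```

The contrast is the point of the passage: a 200 basis point rise costs this book only 4 million of first-year net interest income (floating assets of 300 against floating liabilities of 500), yet it removes the bulk of the economic value of equity because the 30-year fixed-rate mortgages are funded by short, repricing deposits; the EaR view alone would never flag the bank as an outlier.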
value approach, while others, such as credit cards, are managed on an earnings approach. This poses issues when the bank wants to convert risk measures to a common metric, for aggregation purposes.

Modelling Issues

The main modelling issues involve the type of simulation, the assumptions surrounding the timing of interest rate shocks, the holding period and time horizon. As for simulation, computational intensity derives from the large number of points along the term structure of interest rates, the large number of currencies to track, with different implied volatilities for each currency/term structure combination, and the availability of many related, but not identical, interest rate curves. Many banks adopt some dimension-reduction techniques, such as principal component analysis, to address the magnitude of the computational burden.

Simulation can be static or dynamic. Static simulation models are mostly based on the current on- and off-balance sheet exposures, although they generally do take into account interest rate sensitivities of prepayments and rollovers. Some models also include expected balance sheet growth, but generally not the interest-rate-induced changes in the rate of growth, which are difficult to project. Dynamic simulation models allow for changes in business activities, incorporate optionality, prepayments, saving behaviour, etc. under different scenarios, explicitly modelling management and customer action. Although this approach offers a more realistic setting, it comes at a cost. Dynamic models require the use of more assumptions, lead to a loss of tractability and an increase in computing time. Moreover, the longer the horizon of the analysis, the less accurate assumptions regarding future business may be. In order for economic capital numbers to be realistic, the assumptions need to be tested against internal processes and management action.

As for the type of interest rate shock, it is important to consider whether a scenario is assumed to occur gradually, giving banks time to actively manage their interest rate position, or whether an interest rate shock is assumed to occur suddenly. The pace of the interest rate movements affects interest income during the horizon of the analysis and may also affect customer behaviour, resulting in an impact on the result of the (dynamic) simulation.

When using simulation-based approaches, a time horizon should be considered that is consistent with the policy intention of holding asset and liability positions for a long period of time. For capital calculations in the banking book, typically an economic capital measure (VaR) over a short time horizon (one to ten days) is scaled up to the one-year horizon used in the economic capital framework. When scaling up VaR numbers, often the assumption is made that VaR realisations are independently and identically distributed over time. Factors to be taken into account in the calculation are that interest rates may be serially correlated39 and that management intervention may affect the interest rate risk profile over the course of the time horizon. Although most economic capital models are calibrated over a one-year holding period, many banks that use simulations will run multi-year simulations in order to value those instruments held at the one-year horizon which are not valued via a closed form analytical formula.

Main Challenges for the Measurement of Interest Rate Risk in the Banking Book

Optionality in the Banking Book

One of the most fundamental challenges in the measurement of interest rate risk in the banking book is the identification and incorporation of non-linear risk deriving from long-dated fixed-income obligations with embedded options for the borrower to prepay, frequently without penalty, and from the embedded options in non-maturity deposits.

Prepayment risk options are the predominant form of embedded optionality on the asset side of the balance sheet. Consumer loans, mortgages, and mortgage-backed securities (MBSs) are examples of assets with prepayment risk. Prepayment risk arises because borrowers have a call option on the loans: for example, in the case of fixed-rate mortgages, borrowers will choose to exercise this option and prepay their mortgages as interest rates fall sufficiently below the contract mortgage coupon rates. Because of the prepayment option, the cash flows associated with a mortgage are uncertain and the expected life of a mortgage is much shorter than its stated maturity.

Since the rate of prepayments increases as rates fall (especially as they fall below the mortgage contract rate), the price-yield curve for mortgages exhibits negative convexity and price compression. This occurs because interest rate decreases do not produce increases in the values of mortgages as large as those of option-free bonds. In addition, holders of mortgages are forced to invest the cash flows that are prepaid at a lower rate of interest.40 When interest rates increase above mortgage contract coupon rates, the speed of mortgage prepayments by

39 There are different reasons underlying this serial correlation of interest rate risk factor returns: the bid-ask spreads, the discontinuity in trading volumes of some interest rate sensitive instruments, the structural factors of some markets (i.e., low thickness and liquidity), etc.

40 Contraction risk is that part of prepayment risk that derives from the decrease in the duration of mortgages and the reinvestment risk associated with the speedup of prepayments resulting from a decline in interest rates within the negatively convex region of the price-yield curve.

Chapter 13 Range of Practices and Issues in Economic Capital Frameworks ■ 229


borrowers slows. The rate increase produces an increase in the duration of mortgages and a steeper decline in the value of these instruments than is the case for option-free bonds. This occurs because holders of mortgages are not able to reinvest the expected principal cash flows at the higher interest rate because of slower actual prepayments.41 Prepayment risk is therefore related to the variability or uncertainty in the rate at which the borrowers will prepay, depending on the evolution of the interest rates. It should be observed that mortgages also contain a second type of embedded option, whereby borrowers have a put option to default on their mortgage loans.42

On the liability side of the balance sheet, the embedded options in non-maturity deposits are the most common. In effect, non-maturity deposits contain two embedded options: (i) the institution holds the option to determine the interest rate offered to depositors and when to change the rate; and (ii) the depositor holds the option to withdraw all or part of the balance in the deposit account at par. The first option makes the deposit behave as a floating-rate bond, while the second option allows the depositor to put the bond back to the institution.43 As such, non-maturity deposits can be viewed essentially as floating-rate, putable bonds. Moreover, the two embedded options induce a volume risk, which cannot be hedged directly since the volume is not traded in the market.

Although non-maturity deposits can be withdrawn by depositors on demand, most of these deposits stay at the institution for months or years. In addition, while banking institutions may change the offered deposit rates when market interest rates change, they do so with a lagged response, and by less than the full amount of the change in market rates. This is particularly true when rates increase. The interaction between the two embedded options found in non-maturity deposits makes the valuation and interest rate sensitivity of these liabilities one of the most widely debated issues currently in measuring interest rate risk in the banking book.

Although optionality is an important issue, the degree of sophistication in the techniques used by the institutions varies, depending not only on the type of institution, but also on the evolution of the legislation and prevailing market practices in the jurisdictions.

Income simulation models, such as EaR, are generally unable to analyse option risk fully and generally are only accurate for the short-term (i.e., two to three years) earnings component. Economic value approaches, such as EVE, provide better measurements of exposures with embedded options. However, accurately representing these exposures requires the use of stochastic-path evaluation techniques, which are computationally demanding, and mostly developed in the jurisdictions where market practice makes the optionality issues, such as mortgage prepayment, more relevant. Standard practice is to use discounted cash flows on those positions that have linear or highly uncertain valuation profiles, and use stochastic-path techniques on those parts of the balance sheet that have non-linear valuation profiles.

In such instances, most firms combine in simulation models stochastic interest rate modelling techniques with behavioural assumptions on prepayments and on decisions to remain customers or not (deposit modelling or credit card customer retention modelling). A prepayment model must not only be able to predict current prepayment speeds, but also expected future prepayment speeds, which are largely a function of expected future mortgage interest rates. Larger institutions use more sophisticated statistical prepayment models to forecast prepayment speeds and account for the statistical relationships among the factors that drive prepayments. A modelling approach is required in which prepayment models are often combined with a term structure model of interest rates and dynamic simulation models, in producing mortgage valuations based on option-adjusted spreads. The prepayment/non-maturity deposit modelling may be carried out at local business level, to generate sensitivity to rate shocks at various stress levels, producing different prepayment/customer retention forecasts across interest rate shocks. Incorporating such assumptions should also involve considering model uncertainty on those assumptions, and incorporating a measure of model risk (e.g., prepayment error risk).

Industry use of competing risks models for mortgage prepayment and default is in its infancy, although several of the largest institutions have embraced this approach.

Banks' Pricing Behaviour

An important aspect of interest rate risk modelling is the effective responsiveness of individual bank interest rates to changes in market rates. The measurement of the interest rate risk of banking book items requires: (i) a model for the analysis of the persistence of the volumes of different non-maturity banking products; and (ii) a model for the determination of bank interest rates,

41 Extension risk is that part of prepayment risk that derives from the increase in the duration of mortgages and the reinvestment risk associated with a rise in interest rates.

42 Typically, they will choose to exercise this option when the remaining loan balance exceeds the market value of the property. As such, mortgage lenders are essentially selling embedded American straddle options (i.e., combined call and put options) to mortgagors.

43 Holding other things equal, customers' options have an impact on both principal and interest cash flows, while issuers' options have a direct impact on interest cash flows only.
taking into account general market conditions, customer relationships, bank commercial power, and optimal commercial policies.

The degree by which the interest rates set by banks react to market rates (interest rate pass-through) may depend on individual bank characteristics and may differ for different products. Changes in market interest rates may also result in changes in banks' interest rate policy, driven by changes in the competitive environment and the need to defend market share.44

A typical finding in the literature is that banking interest rate pass-through is relatively slow and heterogeneous across both products and countries. It is slower for retail banking products (e.g., deposits, consumer loans, mortgages) than for corporate products; short-term products are more responsive than long-term products.45 Individual bank characteristics, such as the bank's liability structure, its liquidity, and capitalisation position or the proportion of long-term lending, are also relevant for interest rate determination; heterogeneity in the banking rate pass-through exists only in the short run.46 There is also some evidence of asymmetries in the interest rate pass-through, existing also in the short run: banks adjust their loan lending rate faster during periods of monetary tightening, and their deposit rates faster during periods of monetary easing.47

A relevant aspect for determining bank interest rates is the pricing for credit risk, which influences the duration of bank loans and represents a "spread duration" component with a non-marginal effect on economic value, especially on longer term loans. To determine the price of credit risk applied on different banking products would ultimately require a pricing rule that links the credit spread to changes in macroeconomic conditions and interest rate variations.48 This also indicates that interest rate risk on the banking book is not independent from credit risk, and that interest rate stress scenarios should also incorporate the possible interaction of interest rate and credit risk factors.

The Choice of Stress Scenarios

Stress testing is commonly used in interest rate modelling as a way to complement the complexities of interest rate risk systems with transparent interest rate shocks. As such, stress test results serve as a benchmark risk measure.49

Following the guiding principles of the Basel Committee, the current regulatory choice of a stress scenario focuses on parallel shifts in the yield curve of +/− 200 basis points.50 The Committee acknowledges that the parallel shifts of +/− 200 basis points are relatively simplistic, but it argues that these shocks appear to adequately cover volatilities across G10 countries, even though the appropriateness of the proposed shock needs to be monitored on an ongoing basis, and recalibrated should the rate environment shift materially.51

The benefits of using simple interest rate shocks of +/− 200 basis points are that these shocks are very simple and easy to communicate and that it is easier to compare the impact of these shocks on different portfolios. The drawbacks are that the shocks are not probabilistic and hence very hard to integrate into economic capital models based on VaR;52 it is not

44 As such, some banks may not regard such policy changes as part of their interest rate risk, but rather as part of business risk.

45 For Europe, see Campa and Gonzalez-Minguez (2006).

46 Gambacorta (2007).

47 Gambacorta and Iannotti (2007).

48 The price of credit risk varies with the counterparty credit rating in a way which is also influenced by the level of interest rates and more generally by the position in the economic cycle, especially if the banks adopt forward-looking economic capital calculations and provisioning and pricing policies.

49 The Committee on Global Financial Stability survey on stress testing (CGFS, 2005) reveals that a majority of banks run interest rate risk stress tests. Popular historical scenarios are the bond market sell-offs in 1994 and 2003; the Asian crisis in 1997, LTCM and Russia in 1998, or September 11, 2001. Hypothetical scenarios look at changes in the national or global economic outlook, increases in inflation expectations or unexpected changes in monetary policy. Scenarios generally cover environments where not only the level but also the slope and curvature of the yield curve are changing.

50 The Basel Committee (BCBS, 2004) has suggested several guiding principles for the selection of interest rate risk scenarios. The three most important are: the rate shock should reflect a fairly uncommon and stressful rate environment; the magnitude of the rate shock should be significant enough to capture the effects of embedded options and convexity within bank assets and liabilities so that underlying risk may be revealed; and the rate shock should be straightforward and practical to implement, and should be able to accommodate the diverse approaches inherent in single-rate-path simulation models and statistically driven value-at-risk models for banking book positions. As practical guidance, in addition to considering 200 bps scenarios, the Committee also suggests looking at parallel shifts using the 1st and 99th percentile of observed interest rate changes with a one year horizon and five years of data.

51 Further, the Committee argues that, "while more nuanced rate scenarios (such as twists and turns in the yield curve) might tease out certain underlying risk characteristics, for the more modest objectives of supervisors in detecting institutions with significant levels of interest rate risk, a simple parallel shock is adequate. Such an approach also recognises the potential for spurious precision that occurs when undue attention to fine detail is placed on one aspect of a measurement system without recognition that assumptions employed for certain asset and liability categories, such as core deposits, are by necessity blunt and judgmental. Such judgmental aspects of an interest rate risk model often drive the resulting risk measure and conclusion, regardless of the detailed attention paid to other aspects of the risk measure." (Annex 3, para 7, BCBS, 2004).

52 Even though the scenario has been calibrated on the 1st/99th percentile of observed interest rate changes.


necessarily sensitive to the current rate or economic environment; it doesn't take into account changes in the slope or curvature of the yield curve; and it doesn't allow for an integrated analysis of interest rate and credit risk on banking book items.

Among the possible developments are: (i) scenarios based on historical distributions; (ii) scenarios based on principal component (PC) decomposition of the yield curve; (iii) scenarios based on GARCH models; (iv) scenarios based on options; (v) scenarios based on macroeconomic factors; and (vi) scenarios linking credit and interest rate risk.

Scenarios Based on Historical Distributions

The suggestion in BCBS (2004) to use the 1st and 99th percentile of the observed interest rate changes over the last five years would be an easy way to look at a probabilistic scenario. However, the historical distribution is backward-looking, which is inherently problematic for a forward-looking risk measurement. For example, given long interest rate cycles it may be the case that there are limited observations in one direction. It should also be observed that the empirical distribution generally does not include both a plus and minus 200 basis points shock.

Scenarios Based on Principal Component Decomposition of the Yield Curve

A possible solution is to build a scenario simulation procedure based on PC decomposition of the yield curve in order to produce realistic scenarios of interest rate changes along various points of the term structure.53

The PC distribution functions are used in a Monte Carlo simulation in order to reproduce the correlation observed between the original risk factors. The usual assumption is that the PCs are normally distributed; some recent work has applied a non-parametric simulation to account for the fact that PCs are skewed and heavy-tailed, recovering the empirical distribution through a kernel density estimation.54

In the context of PC representation, stress testing analysis can be performed by changing the volatility of interest rates along the yield curve and/or the correlation structure of the data. Correlation can be stressed by modifying the matrix of factor weights (the so called factor loadings), while assuming constant volatility. Conversely, one can shock the volatility of interest rate changes while maintaining the matrix of factor loadings fixed at historical values.

The main advantage of this simulation procedure is that it assigns a level of confidence to all plausible scenarios (in terms of percentiles of the simulated distributions). The plausibility of scenarios is derived from the calibration of the procedure to the correlation structure observed in the market.

Scenarios Based on GARCH Models

Simple autoregressive (AR) models with GARCH effects could be used to simulate the evolution of individual interest rates over a specific horizon. Such an approach would be forward looking and partially condition on the current environment in terms of level and volatility. At the same time it is relatively easy to implement.

Scenarios Based on Options

A distribution of future changes of interest rates could also be extracted from options. The key (and so far not successfully solved) problem for such an approach is to translate the risk-neutral PDs (necessary for trading and pricing) to real-world or physical PDs (important for risk management).55

Scenarios Based on Macroeconomic Factors

Similar to credit risk models, it is conceptually possible to simulate a distribution of future yield curve changes based on macroeconomic fundamentals.56 Whereas there has been much progress in this field, the explanatory power of macroeconomic factors remains weak and forecast and estimation errors are substantial. Even though these models could be used to condition changes on the current and future macroeconomic environment, technical difficulties could impede a consistent use of these models for economic capital calculation.

Scenarios Linking Credit and Interest Rate Risk

It is a well established fact that interest rates are an important negative driver of the credit quality of banks' assets— one

53 In the PC representation, interest rate changes at different maturities are expressed as a function of the new risk factors (the PCs), where the weighting coefficients (the so called "factor loadings") capture the correlation in the system. The factor loadings account for the contribution of each risk factor to the overall variance. The PC decomposition of the yield curve usually reveals the existence of three underlying risk factors explaining a large part of total variance (around 95%): the parallel shift of the yield curve; the tilt or rotation; and the twist, that is a change in the curvature.

54 See Fiori and Iannotti, 2007.

55 It has to be noted however that for stochastic-path modelling, risk-neutral implied volatilities are necessary to validate the model by checking for convergence to market prices at a reasonable Option Adjusted Spread (OAS), a key validation test for mortgage models.

56 See for example Ang and Piazzesi (2003), Cochrane (2007). Rudebusch and Williams (2007) provide an up-to-date survey of the literature linking macro factors to yield curves.
indication that credit risk and interest rate risk in the banking book are interdependent.57 The integration of credit and interest rate risk requires a sophisticated framework. First, the loss distribution of credit risk must condition on the macro and interest rate environment. Second, decreased net interest income due to default must be taken into account. Finally, for an earnings perspective, future cash flows need to be simulated. This necessitates a robust framework to price assets in the future conditional on the simulated macro and interest rate environment.

Banking versus Trading Book

The exclusion of the trading book from the measurement of interest rate risk eliminates the problem of double counting arising from the presence of a market risk requirement for interest rate sensitive positions held in the trading book. However, it should be pointed out that the problem of double counting does not preclude the possibility that the exposures in the trading book and in the banking book offset each other.

In certain cases, the interest rate risk exposure of the trading book partially compensates the exposure of the banking book. For example, it is possible that the trading book has a short position with respect to interest rate shocks (in the sense that a rise in interest rates causes an increase in the economic value of the trading book), while the position in the banking book is long with respect to interest rate shocks (in the sense that a rise in interest rates causes a decrease in the economic value of the banking book). In cases such as this, it might be appropriate to consider the net exposure of the entire balance sheet.

References

Akhavein, J D and A E Kocagil (2005): "A comparative empirical study of asset correlation", Fitch Ratings: Quantitative Financial Research Special Report, 14 July.

Ang, A and M Piazzesi (2003): "A no-arbitrage vector autoregression of term structure dynamics with macroeconomics and latent variables", Journal of Monetary Economics, vol 50, no 5.

Artzner, P, F Delbaen, J M Eber and D Heath (1999): "Coherent measures of risk", Mathematical Finance, no 9, pp 203-228.

Bangia, A, F X Diebold and T Schuermann (2000): "Rating migration and the business cycle, with applications to credit portfolio stress testing", The Wharton School, working paper 00-26.

Bank of Japan (2005): Advancing Integrated Risk Management, http://www.boj.or.jp.

Bank of Japan (2007): Economic Capital Workshop Summary Record, http://www.boj.or.jp.

Basel Committee on Banking Supervision (1999): Credit risk modelling: current practices and applications, Basel, April.

— (2004): Principles for the management and supervision of interest rate risk, Basel, July.

— (2005a): "Update on work of the Accord Implementation Group related to validation under the Basel II Framework", Basel Committee Newsletter, No 4, January.

— (2005b): "Studies on the validation of internal rating systems", Working Paper, no 14, May.

— (2009): Guidelines for computing capital for incremental risk in the trading book, Consultative Document, Basel, January.

Berkowitz, J (2000): "Testing Density Forecasts, with Applications to Risk Management", University of California, December, mimeo.

Black, F, E Derman and W Toy (1990): "A one-factor model of interest rates and its application to treasury bond options", Financial Analysts Journal, vol 46.

Black, F and P Karasinski (1991): "Bond and Option Pricing when Short Rates are Lognormal", Financial Analysts Journal, vol 47.

Brace, A, D Gatarek and M Musiela (1997): "The Market Model of Interest Rate Dynamics", Mathematical Finance, vol 7.

Breuer, T, M Jandacka, K Rheinberger and M Summer (2008): "Regulatory capital for market and credit interaction: is current regulation always conservative?", forthcoming, Journal of Banking and Finance.

Burns, R L (2004): "Economic Capital and the Assessment of Capital Adequacy", Supervisory Insights, vol 1, no 2, pp 5-16.

Burtschell, X, J Gregory and J P Laurent (2007): Beyond the Gaussian Copula: Stochastic and Local Correlation, January, mimeo.

Campa, J M and J M Gonzalez Minguez (2006): "Differences in exchange rate pass-through in the euro area", European Economic Review, vol 50.

Cochrane, J H (2007): "Commentary", Federal Reserve Bank of St Louis Review, July/August.

Committee of the Global Financial System (2005a): Stress testing at major financial institutions: survey results and practice, Basel, January.

— (2005): The role of ratings in structured finance: issues and implications, Basel, January.

57 Drehmann et al. (2007) show that interactions between credit risk and interest rate risk can indeed be substantial and should be taken into account.


Cox, J C, J E Ingersoll and S A Ross (1985): "A theory of the term structure of interest rates", Econometrica 53, pp 385-467.

Crouhy, M, D Galai and R Mark (2006): The Essentials of Risk Management, McGraw-Hill.

Dai, Q and K J Singleton (2000): "Specification Analysis of Affine Term Structure Models", Journal of Finance, vol 55.

Das, S R, D Duffie, N Kapadia and L Saita (2007): "Common failings: how corporate defaults are correlated", Journal of Finance, vol LXII, no 1, February.

Davis, M and V Lo (2001): "Infectious Default", Quantitative Finance, vol 1, no 4, pp 382-387.

De Nederlandsche Bank (2005): Guidelines on Interest Rate Risk in the Banking Book, Amsterdam.

Diebold, F X, G D Rudebusch and S B Aruoba (2006): "The macroeconomy and the yield curve: a dynamic latent factor approach", Journal of Econometrics, vol 131.

Dimakos, X K and K Aas (2004): "Integrated risk modelling", Statistical Modelling 4, pp 265-277.

Drehmann, M, S Sorensen and M Stringa (2008): "The integrated impact of credit and interest rate risk on banks: An economic value and capital adequacy perspective", Bank of England Working Paper 339.

Duffie, D, A Eckner, G Horel and L Saita (2006): "Frailty correlated default", October 19, mimeo.

Duffie, D and D Lando (2001): "Term structures of credit spreads with incomplete accounting information", Econometrica, vol 69, no 3, pp 633-664.

Duffie, D, L Saita and K Wang (2005): "Multi-period corporate default prediction with stochastic covariates", September, mimeo.

Egloff, D, M Leippold and P Vanini (2004): "A simple model of credit contagion", mimeo.

Fabozzi, F (2000): Bond Markets, Analysis and Strategies, Fourth Edition, Prentice Hall, New Jersey.

Fender, I and J Kiff (2004): "CDO rating methodology: Some thoughts on model risk and its implications", BIS Working Paper, no 163, Basel, November.

Fermanian, J D and M Sbai (2005): A comparative analysis of dependence levels in intensity based and Merton style credit risk models.

Fiori, R and S Iannotti (2007): "Scenario based Principal Component Value-at-Risk: an application to Italian banks' interest rate risk exposure", Journal of Risk, vol 9, no 3, pp 63-99.

Frerichs, H and G Loffler (2002): "Evaluating credit risk models: A critique and a proposal", May, mimeo.

Frey, R and A J McNeil (2003): "Dependence modelling, model risk and model calibration in models of portfolio credit risk", Journal of Risk 6(1).

Gambacorta, L (2007): "How do banks set interest rates", European Economic Review, forthcoming.

Gambacorta, L and S Iannotti (2007): "Are There Asymmetries in the Response of Bank Interest Rates to Monetary Shocks?", Applied Economics, forthcoming.

Heath, D, R Jarrow and A Morton (1992): "Bond Pricing and the Term Structure of Interest Rates: A New Methodology", Econometrica, vol 60.

Hull, J C (2007): Risk management and financial institutions, Pearson Prentice Hall, New Jersey.

IACPM and ISDA (2006): Convergence of Credit Capital Models.

IFRI and CRO Forum (2007): Insights from the Joint IFRI/CRO Forum Survey on Economic Capital Practice and Applications.

Jarrow, R A and F Yu (1999): "Counterparty risk and the pricing of defaultable securities", September, mimeo.

Jarrow, R A and F Yu (2001): "Counterparty risk and pricing of defaultable securities", Journal of Finance, vol 53, pp 2225-2243.

Lopez, J A and M R Saidenberg (1999): "Evaluating Credit Risk Model", Federal Reserve Bank of San Francisco, Working paper no 99-06.

McNeil, A, R Frey and Embrechts (2005): Quantitative Risk Management: Concepts, Techniques, and Tools, Princeton Series in Finance.

PriceWaterhouseCoopers (2005): Effective Capital Management: Economic Capital as an Industry Standard?

Rosenberg, J V and T Schuermann (2006): "A general approach to integrated risk management with skewed, fat-tailed risks", Journal of Financial Economics, vol 9, no 3, pp 569-614.

Rudebusch, G D and J C Williams (2007): "Forecasting recessions: The puzzle of the enduring power of the yield curve", Federal Reserve Bank of San Francisco, Working Paper, No 2007-16.

Rutter Associates LLC (2004): 2004 Rutter Associates Survey of Credit Portfolio Management Practices.

Samuel (2008): "Disclosure of Economic Capital", Federal Reserve Bank of New York, available from the author or Policy Department, Federal Reserve Bank of New York, email: Jeffrey.Samuel@ny.frb.org, April 18.

Tarashev, N and H Zhu (2007): "Modelling and calibration errors in measures of portfolio credit risk", BIS Working Paper, Number 230.
Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice

Learning Objectives

After completing this reading you should be able to:

• Describe the Federal Reserve's Capital Plan Rule and explain the seven principles of an effective capital adequacy process for bank holding companies (BHCs) subject to the Capital Plan Rule.
• Describe practices that can result in a strong and effective capital adequacy process for a BHC in the following areas:
  ■ Risk identification
  ■ Internal controls, including model review and validation
  ■ Corporate governance
  ■ Capital policy, including setting of goals and targets and contingency planning
  ■ Stress testing and stress scenario design
  ■ Estimating losses, revenues, and expenses, including quantitative and qualitative methodologies
  ■ Assessing the impact of capital adequacy, including risk-weighted asset (RWA) and balance sheet projections.

Excerpt is courtesy of Board of Governors of the Federal Reserve System.


14.1 INTRODUCTION

The Federal Reserve has previously noted the importance of capital planning at large, complex bank holding companies (BHCs). Capital is central to a BHC's ability to absorb unexpected losses and continue to lend to creditworthy businesses and consumers. It serves as the first line of defense against losses, protecting the deposit insurance fund and taxpayers. As such, a large BHC's processes for managing and allocating its capital resources are critical not only to its individual health and performance, but also to the stability and effective functioning of the U.S. financial system. The Federal Reserve's Capital Plan Rule and the associated annual Comprehensive Capital Analysis and Review (CCAR) have emphasized the importance the Federal Reserve places on BHCs' internal capital planning processes, and on the supervisory assessment of all aspects of these processes, which is a key element of a supervisory program that is focused on promoting resiliency at the largest BHCs.1

These initiatives have focused not just on the amount of capital that a BHC has, but also on the internal practices and policies a firm uses to determine the amount and composition of capital that would be adequate, given the firm's risk exposures and corporate strategies as well as supervisory expectations and regulatory standards. BHCs have long engaged in some form of capital planning to address the expectations of shareholders, creditors, customers, and other stakeholders. The Federal Reserve's interest in and expectations for effective capital planning reflect the importance of the ongoing viability of the largest BHCs even under stressful financial and economic conditions. Even if current assessments of capital adequacy suggest that a BHC's capital level is sufficient to withstand potential economic stress, robust capital planning helps ensure that this outcome will continue to hold in the future. Robust internal capital planning can also help ensure that BHCs have sufficient capital in a broad range of future macroeconomic and financial market environments by governing the capital actions—including dividend payments, share repurchases, and share issuance and conversion—a BHC takes in these situations.

The Federal Reserve's Capital Plan Rule requires all U.S.-domiciled, top-tier BHCs with total consolidated assets of $50 billion or more to develop and maintain a capital plan supported by a robust process for assessing their capital adequacy.2

CCAR is the Federal Reserve's supervisory program for assessing the capital plans. In 2013, CCAR covered 18 BHCs that participated in the 2009 Supervisory Capital Assessment Program (SCAP).3 The Federal Reserve's assessment of a BHC's capital planning process includes an evaluation of the risk-identification, -measurement, and -management practices that support the BHC's capital planning and stress scenario analysis, an assessment of stressed loss and revenue estimation practices, and a review of the governance and controls around these practices. The preamble to the Capital Plan Rule outlines the elements on which the Federal Reserve evaluates the robustness of a BHC's internal capital planning—also referred to as the capital adequacy process, or "CAP."4 These principles are summarized in Figure 14.1.

This publication describes the Federal Reserve's expectations for internal capital planning at the large, complex BHCs subject to the Capital Plan Rule in light of the seven CAP principles. It expands on previous articulations of these supervisory expectations by providing examples of observed practices among the BHCs participating in CCAR 2013 and by highlighting those practices considered to be stronger or leading practices at these firms. In addition, it identifies practices that the Federal Reserve deems to be weaker, or in some cases unacceptable, and thus in need of significant improvement. However, practices identified in this publication as leading or industry-best practices should not be considered a safe harbor. The Federal Reserve anticipates that leading practices will continue to evolve as new data become available, economic conditions change, new products and businesses introduce new risks, and estimation techniques advance further.

While the supervisory scenarios and supervisory stress tests that are required under the Dodd-Frank Act5 play an important role in CCAR,6 they are not meant to be and should not be viewed as providing for an all-encompassing assessment of the possible risks a BHC may face. A robust internal capital planning process should include modeling practices and scenario assumptions that reflect BHC-specific factors. In certain instances, these practices and assumptions may differ considerably from those used by the Federal Reserve. Indeed, designing an internal capital planning process that simply seeks to mirror the Federal Reserve's stress testing is a weak practice.

1 See SR Letter 12-17, "Consolidated Supervision Framework for Large Financial Institutions," (December 17, 2012), www.federalreserve.gov/bankinforeg/srletters/sr1217.htm; 12 CFR 225.8.
2 12 CFR 225.8.
3 The plans of the remaining BHCs subject to the Capital Plan Rule have been assessed through a separate process (the Capital Plan Review). Beginning in 2014, the capital plans of all BHCs subject to the Capital Plan Rule will be evaluated in a single, unified process through CCAR.
4 See 76 Fed. Reg. 74631, 74634 (December 1, 2011).
5 12 CFR part 225, subpart F.
6 See 12 CFR 225.8(d)(2), 225.8(e)(1).

Figure 14.1 Seven principles of an effective capital adequacy process.

Principle 1: Sound foundational risk management
The BHC has a sound risk-measurement and risk-management infrastructure that supports the identification, measurement, assessment, and control of all material risks arising from its exposures and business activities.

Principle 2: Effective loss-estimation methodologies
The BHC has effective processes for translating risk measures into estimates of potential losses over a range of stressful scenarios and environments and for aggregating those estimated losses across the BHC.

Principle 3: Solid resource-estimation methodologies
The BHC has a clear definition of available capital resources and an effective process for estimating available capital resources (including any projected revenues) over the same range of stressful scenarios and environments used for estimating losses.

Principle 4: Sufficient capital adequacy impact assessment
The BHC has processes for bringing together estimates of losses and capital resources to assess the combined impact on capital adequacy in relation to the BHC's stated goals for the level and composition of capital.

Principle 5: Comprehensive capital policy and capital planning
The BHC has a comprehensive capital policy and robust capital planning practices for establishing capital goals, determining appropriate capital levels and composition of capital, making decisions about capital actions, and maintaining capital contingency plans.

Principle 6: Robust internal controls
The BHC has robust internal controls governing capital adequacy process components, including policies and procedures; change control; model validation and independent review; comprehensive documentation; and review by internal audit.

Principle 7: Effective governance
The BHC has effective board and senior management oversight of the CAP, including periodic review of the BHC's risk infrastructure and loss- and resource-estimation methodologies; evaluation of capital goals; assessment of the appropriateness of stressful scenarios considered; regular review of any limitations and uncertainties in all aspects of the CAP; and approval of capital decisions.

Many lagging practices identified in this publication involve modeling approaches or BHC stress scenarios that fail to reflect BHC-specific factors or that rely on generic assumptions or "standard" modeling techniques, without sufficient consideration of whether those assumptions or techniques are the most appropriate ones for the BHC.

The supervisory expectations summarized here are broad and reflect, at a general level, the key characteristics of a sound and robust internal capital planning process. While certain aspects of the detailed discussion that follows may be less relevant to individual BHCs based on their business mix and risk profile, the core tenets espoused are broadly applicable to all BHCs subject to the Capital Plan Rule.

Importantly, the Federal Reserve has tailored expectations for BHCs of different sizes, scope of operations, activities, and systemic importance in various aspects of capital planning. For example, the Federal Reserve has significantly heightened supervisory expectations for the largest and most complex BHCs—in all aspects of capital planning—and expects these BHCs to have capital planning practices that are widely considered to be leading practices. In addition, the Federal Reserve recognizes the challenges facing BHCs that are new to CCAR and further recognizes that these BHCs will continue to develop and enhance their capital planning systems and processes to meet supervisory expectations.

The purpose of this publication is two-fold. First, it is intended to assist BHC management in assessing their current capital planning processes and in designing and implementing improvements to those processes. Second, it is intended to assist a broader audience in understanding the key aspects of capital planning practices at large, complex U.S. BHCs and the importance the Federal Reserve puts on ensuring that these firms have robust capital resources.

The sections that follow provide greater detail on supervisory expectations and the range of current practice across several dimensions of BHCs' internal capital planning processes. The first section discusses foundational risk management, including identification of risk exposures. The next two sections focus on controls and governance around internal capital planning processes. The fourth section covers expectations and the range of current practice concerning BHCs' capital policies—the internal guidelines governing the capital action decisions made by a BHC under a range of potential future conditions for the firm and for the macroeconomic and financial market environments

Chapter 14 Capital Planning at Large Bank Holding Companies ■ 237


in which it operates. The subsequent three sections focus on the key elements of BHCs' internal enterprise-wide scenario analysis: design of the stress scenarios and modeling the impact of the scenarios on losses, revenues, balance sheet composition and size, and capital. The final section summarizes the Federal Reserve's conclusions on the current range of practice at BHCs.

14.2 FOUNDATIONAL RISK MANAGEMENT

BHCs are expected to have effective risk-identification, -measurement, -management, and -control processes in place to support their internal capital planning.7 In addition to the assessments of a BHC's stress scenario analysis and stressed loss- and revenue-estimation practices, supervisory assessments of BHCs' internal capital planning will continue to focus on fundamental risk-identification, -measurement, and -management practices, as well as on internal controls and governance. Weaknesses in these areas may contribute to a negative supervisory assessment of a BHC's capital planning process that could lead to an objection to a BHC's capital plan.8

A key lesson from the recent financial crisis is that many financial companies simply failed to adequately identify the potential exposures and risks stemming from their firm-wide activities. This was in part a failure of information technology and management information systems (MIS), the often fractured nature of which made it difficult for some companies to identify and aggregate exposures across the firm. But more importantly, many companies failed to consider the full scale and scope of exposures, and to analyze how the size and risk characteristics of their exposures and business activities might evolve as economic and market conditions changed. Combining a comprehensive identification of a firm's business activities and associated positions across the organization with effective techniques for assessing how those positions and activities may evolve under stressful economic and market conditions, and assessing the potential impact of that evolution on the capital needs of the firm, are critical elements of capital planning. A robust internal capital adequacy assessment process relies on the underlying strength of each of these elements.

7 12 CFR 225.8(d)(2).
8 12 CFR 225.8(e)(2).
9 12 CFR 225.8(d)(2).

Risk Identification

BHCs should have risk-identification processes that ensure that all risks are appropriately accounted for when assessing capital needs.9 These processes should evaluate the full set of potential exposures stemming from on- and off-balance sheet positions, including those that could arise from provisions of noncontractual support to off-balance-sheet entities, and risks conditional on changing economic and financial market conditions during periods of stress. BHCs should have a systematic and repeatable process to identify all risks and consider the potential impact to capital from these risks. In addition, BHCs should closely assess any assumptions about risk reduction resulting from risk transfer and/or mitigation techniques, including, for example, analysis of the enforceability and effectiveness of any guarantees or netting and collateral agreements and the access to and valuation of collateral as exposures and asset values are changing rapidly in a stressed market.

Stronger risk-identification practices include standardized processes through which senior management regularly update risk assessments, review risk exposures and consider how their risk exposures might evolve under a variety of stressful situations. For example, many BHCs maintain a comprehensive inventory of risks to which they are exposed, and refresh it as conditions warrant (such as changes in the business mix and the operating environment) with input from various units across the BHC. Senior representatives from major lines of business, corporate risk management, finance and treasury, and other business and risk functions with perspectives on BHC-wide positions and risks provide input to the process. Consideration of the risks inherent in new products and activities should be a key part of risk-identification and -assessment programs, which should also consider risks that may be associated with any change in the BHC's strategic direction.

Risk measures should be able to capture changes in an institution's risk profile—whether due to a change in the BHC's strategic direction, specific new products, increased volumes, changes in concentration or portfolio quality, or the overall economic environment—on a timely basis. These risk measures should support BHCs' assessments of capital adequacy and may be helpful in capital contingency plans as early warning indicators or contingency triggers, where appropriate.

BHCs should be able to demonstrate how their identified risks are accounted for in their capital planning processes. If certain risks are omitted from the enterprise-wide scenario analysis, BHCs should note how these risks are accounted for in other aspects of the capital planning process (see Box 14.1 for an illustration of how BHCs identified and captured certain risks that are more difficult to quantify in their capital planning process). If a BHC employs risk quantification methodologies in its capital

planning that are not scenario-based, it should identify which risks each of the methodologies covers, to facilitate comparability and informed decision-making with respect to overall capital adequacy. BHCs with lagging practices did not transparently link their evaluation of capital adequacy to the full range of identified risks. These BHCs were not able to show how all their risks were accounted for in their capital planning processes. In some cases, staff responsible for capital planning operated in silos and developed standalone risk inventories not linked to the enterprise-wide risk inventory or to other risk governance functions within their BHCs.

BOX 14.1 INCORPORATING RISKS THAT ARE MORE DIFFICULT TO QUANTIFY

Scenario-based stress testing is a critical element of robust capital planning. However, stress testing based on a limited number of discrete scenarios cannot and is not expected to capture all potential risks faced by a BHC, and therefore, it should serve as one of several inputs to the capital planning process. Given the scope of operations at large, complex BHCs and the associated breadth of risks facing them—including the risk of losses from exposures and of reduced revenue generation—they are often exposed to risks, other than credit or market risk, that are either difficult to quantify or not directly attributable to any of the specific integrated firm-wide scenarios that are evaluated as part of the BHC's scenario-based stress testing ("other risks"). Examples of these other risks include reputational risk, strategic risk, and compliance risk. As noted in the section on risk identification, a BHC should identify and assess all risks as part of its risk-identification process and should capture the potential effect of all risks in its capital planning process. A BHC's capital planning process should assess the potential impact of these other risks on the BHC's capital position to ensure that its capital provides a sufficient buffer against all risks to which the BHC is exposed.

There is a wide range of practices around how BHCs account for other risks as part of their capital planning process. Many BHCs used internal capital targets to account for such risks, putting in place an incremental cushion above their targets to allow for difficult-to-quantify risks and the inherent uncertainty represented by any forward-looking capital planning process. Other BHCs assessed the effect of other risks in terms of some combination of reduced revenue, added expenses, or a management overlay on top of loss estimates. BHCs with lagging practices did not even attempt to account for other risks in their capital planning process.

To the extent possible, BHCs should incorporate the effect of these other risks into their projections of net income over the nine-quarter planning horizon. BHCs should clearly articulate and support any relevant assumptions and the methods used to quantify the effect of other risks on their revenue, expenses, or losses.

For those BHCs that did not incorporate the potential impact of these other risks into their capital targets, stronger practices included a clear articulation of which risks were being addressed by putting in place a cushion above the capital target, and how this cushion is related to identified risks. BHCs should clearly support the method they used to measure the potential effect of such risks. Using a simple rule (such as a percent of capital) or expert judgments to determine the cushion above the capital target, without providing analysis or support, is a lagging practice.

14.3 INTERNAL CONTROLS

As with other aspects of key risk-management and finance area functions, a BHC should have a strong internal control framework that helps govern its internal capital planning processes. These controls should include (1) regular and comprehensive review by internal audit; (2) robust and independent model review and validation practices; (3) comprehensive documentation, including policies and procedures; and (4) change controls.

Scope of Internal Controls

A BHC's internal control framework should address its entire capital planning process, including the risk measurement and management systems used to produce input data; the models and other techniques used to generate loss and revenue estimates; the aggregation and reporting framework used to produce reports to management and boards; and the process for making capital adequacy decisions. While some BHCs may naturally develop components of their internal capital planning along separate business lines, the control framework should ensure that BHC management reconciles the separate components in a coherent manner. The control framework also should help assure that all aspects of the capital planning process are functioning as intended in support of robust assessments of capital needs.

BHCs with stronger control coverage reviewed the controls around capital planning on an integrated basis and applied them consistently. Management responded quickly and effectively to issues identified by control areas and devoted appropriate resources to continually ensure that controls were functioning effectively.

Internal Audit

Internal audit should play a key role in evaluating internal capital planning and its various components. Audit should perform a review of the full process, not just of the individual components,


periodically to ensure that the entire end-to-end process is functioning in accordance with supervisory expectations and with a BHC's board of directors' expectations as detailed in approved policies and procedures. Internal audit should review the manner in which deficiencies are identified, tracked, and remediated. Audit staff should have the appropriate competence and influence to identify and escalate key issues, and the internal audit function should report regularly on the status of all aspects of the capital planning process—including any identified deficiencies related to the BHC's capital plan—to senior management and the board of directors.

BHCs with stronger audit practices provided a comprehensive, robust review of all components of the capital planning process, including all of the control elements noted earlier.10 BHCs with leading internal audit practices around internal capital planning had strong issue identification and remediation tracking as well. They also ensured that audit staff had strong technical expertise, elevated stature in the organization, and proper independence from management.11

Independent Model Review and Validation

BHCs should conduct independent review and validation of all models used in internal capital planning, consistent with existing supervisory guidance on model risk management (SR Letter 11-7).12 Validation staff should have the necessary technical competencies, sufficient stature within the organization, and appropriate independence from model developers and business areas, so that they can provide a critical and unbiased evaluation of the models they review.

The model review and validation process should include
• an evaluation of conceptual soundness;
• ongoing monitoring that includes verification of processes and benchmarking; and
• an "outcomes analysis."

BHCs should maintain an inventory of all models used in the capital planning process, including all input or "feeder" models that produce projections or estimates used by the models that generate the final loss, revenue or expense projections. Consideration should be given to the validity of the use of a model under stressed conditions, as models designed for ongoing business activities may be inappropriate for estimating net income and capital under stress conditions. BHCs should also maintain a process to incorporate well-supported adjustments to model estimates when model weaknesses and uncertainties are identified.

BHCs continue to face challenges in conducting outcomes analysis of their stress testing models, given limited realized outcomes against which to assess loss, revenue, or expense projections under stressful scenarios. BHCs should attempt to compensate for the challenges inherent in backtesting stress models by conducting sensitivity analysis or by using benchmark or "challenger" models. BHCs should ensure that validation covers all models and assumptions used for capital planning purposes, including any adjustments management has made to the model estimates (management overlay).

Supervisory reviews have found that, in general, BHCs should give more attention to model risk management, including strengthening practices around model review and validation. Nonetheless, some BHCs exhibited stronger practices in their capital planning, including
• maintaining an updated inventory of all models used in the process;
• ensuring that models had been validated for their intended use; and
• being transparent about the validation status of all models used for capital planning and appropriately addressing any models that had not been validated (or those that had identified weaknesses) by restricting their use, or using benchmark or challenger models to help assess the reasonableness of the primary model output.

BHCs with lagging practices were not able to identify all models used in the capital planning process. They also did not formally review all of the models or assumptions used for capital planning purposes (including some high-impact stress testing models). In addition, they did not have validation staff that were independent and that could critically evaluate the models.

10 See 12 CFR 225.8(d)(1)(iii).
11 See SR Letter 13-1, "Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing," (January 23, 2013), www.federalreserve.gov/bankinforeg/srletters/sr1301.htm, for detailed guidance on expectations for the governance and operational effectiveness of an institution's internal audit function.
12 See SR Letter 11-7, "Supervisory Guidance on Model Risk Management," (April 4, 2011), www.federalreserve.gov/bankinforeg/srletters/sr1107.htm.
13 See FR Y-14A reporting form: Summary Schedule Instructions, pp. 5-7.

Policies and Procedures

BHCs should ensure they have policies and procedures covering the entire capital planning process.13 Policies and procedures should ensure a consistent and repeatable process for all
components of the capital planning process and provide transparency to third parties regarding this process. Policies should be reviewed and updated at least annually and more frequently when warranted. There should also be evidence that management and staff are adhering to policies and procedures in practice, and there should be a formal process for any policy exceptions. Such exceptions should be rare and approved by the appropriate level of management.

Ensuring Integrity of Results

BHCs should have internal controls that ensure the integrity of reported results and the documentation, review, and approval of all material changes to the capital planning process and its components. A BHC should ensure that such controls exist at all levels of the capital planning process. Specific controls should be in place to
• ensure that MIS are sufficiently robust to support capital analysis and decision-making, with sufficient flexibility to run ad hoc analysis as needed;
• provide for reconciliation and data integrity processes for all key reports;
• address the presentation of aggregate, enterprise-wide capital planning results, which should describe any manual adjustments made in the aggregation process and how those adjustments compensate for identified weaknesses; and
• ensure that reports provided to senior management and the board contain the appropriate level of detail and are accurate and timely. The party responsible for this reporting should assess and report whether the BHC is in compliance with its internal capital goals and targets, and ensure the rationale for any deviations from stated capital objectives is clearly documented and obtain any necessary approvals.14

BHCs with stronger practices in this area ensured that good information flows existed to support decisions, with significant investment in controls for data and information. For example, some BHCs had an internal audit group review the data for accuracy and ensured that any data reported to the board and senior management were given extra scrutiny and cross-checking. In addition, BHCs with stronger practices had strong MIS in place that enabled them to collect, synthesize, analyze, and deliver information quickly and efficiently. These systems also had the ability to run ad hoc analysis to support capital planning as needed without employing substantial resources. Other BHCs, however, continue to face challenges with MIS. Many BHCs have systems that are antiquated and/or siloed and not fully compatible, requiring substantial human intervention to reconcile across systems.

Documentation

BHCs should have clear and comprehensive documentation for all aspects of their capital planning processes, including their risk-measurement and risk-management infrastructure, loss- and resource-estimation methodologies, the process for making capital decisions, and efficacy of control and governance functions.15 Documentation should contain sufficient detail, accurately describe BHCs' practices, allow for review and challenge, and provide relevant information to decision-makers.16

14.4 GOVERNANCE

BHCs should have strong board and senior management oversight of their capital planning processes.17 This includes ensuring periodic review of the BHC's risk infrastructure and loss- and resource-estimation methodologies; evaluation of capital goals and targets; assessment of the appropriateness of stress scenarios considered; regular review of any limitations in key processes supporting internal capital planning, such as uncertainty around estimates; and approval of capital decisions. Together, a BHC's board and senior management should establish a comprehensive capital planning process that fits into broader risk-management processes and that is consistent with the risk-appetite framework and the strategic direction of the BHC.

14 See id.
15 See id.
16 See id.
17 See 12 CFR 225.8(d)(1)(iii)(A)-(B).
18 See 12 CFR 225.8(d)(1)(iii)(C).

Board of Directors

A BHC's board of directors has ultimate oversight responsibility and accountability for capital planning and should be in a position to make informed decisions on capital adequacy and capital actions, including capital distributions.18 The board of directors should receive sufficient information to understand the BHC's material risks and exposures and to inform and support its decisions on capital adequacy and planning. The board should receive this information at least quarterly, or when there are material developments that affect capital adequacy or the manner in which it is assessed. Capital adequacy information
Chapter 14 Capital Planning at Large Bank Holding Companies ■ 241


provided to the board should include capital measures under current conditions as well as on a post-stress, pro forma basis and should be framed against the capital goals and targets established by the BHC.

The information provided to the board should include sufficient details on scenarios used for the BHC's internal capital planning so that the board can evaluate the appropriateness of the scenarios, given the current economic outlook and the BHC's current risk profile, business activities, and strategic direction. The information should also include a discussion of key limitations, assumptions, and uncertainties within the capital planning process, so that the board is fully informed of any weaknesses in the process and can effectively challenge reported results before making capital decisions. The board should also receive summary information about mitigation strategies to address key limitations and take action when weaknesses in internal capital planning are identified, applying additional caution and conservatism as needed.

BHCs with stronger practices had boards that were informed of and generally understood the risks, exposures, activities, and vulnerabilities that affected the BHC's capital adequacy. They also understood the major drivers of loss and revenue changes under the scenarios used. The boards of BHCs with stronger practices had sufficient expertise and level of engagement to understand and critically evaluate information provided by senior management. Importantly, they recognized that internal capital planning results are estimates and should be viewed as part of a range of possible results. In addition, the boards of BHCs with stronger practices discussed weaknesses identified in the capital planning process, whether they needed to take immediate action to address those weaknesses, and whether the weaknesses were material enough to alter their view of current capital planning results. They also discussed whether a sufficient range of potential stress events and conditions had been considered in assessing capital adequacy.

Board Reporting

The board of directors is required to approve a BHC's capital plan under the Capital Plan Rule.19 In order for boards to carry out this requirement, management should provide adequate reporting on key areas of the analysis supporting capital plans. BHCs with stronger practices included information about the independent review and validation of models, information on issues identified by internal audit, as well as key assumptions underpinning stress test results and a discussion of the sensitivity of capital levels to those assumptions. BHCs with stronger practices also supplied their boards with information about past capital planning performance to provide a perspective on how the capital planning process has functioned over time.

BHCs with weaker practices provided insufficient information to the board of directors. For example, at some BHCs, capital distribution recommendations did not include all relevant supporting information and appeared to be based on optimistic expectations about how a given scenario may affect the BHC. In addition, the information did not specifically identify and address key assumptions that supported the capital planning process. In other cases, the board of directors did not receive information about governance and controls over internal capital planning, making it difficult to assess the strength of its capital planning processes and whether results were reliable and credible.

Senior Management

Senior management is responsible for ensuring that capital planning activities authorized by the board are implemented in a satisfactory manner and is accountable to the board for the effectiveness of those activities. Senior management should ensure that effective controls are in place around the capital planning process—including ensuring that the BHC's stress scenarios are sufficiently severe and cover the material risks and vulnerabilities facing the BHC.20

Senior management should make informed recommendations to the board of directors about the BHC's capital, including capital goals and distribution decisions. Senior management also should ensure that proposed capital goals have sufficient analytical support and fully reflect the expectations of important stakeholders, including creditors, counterparties, investors, and supervisors. Senior management should identify weaknesses and potential limitations in the capital planning process and evaluate them for materiality. In addition, it should develop remediation plans for any weaknesses affecting the reliability of internal capital planning results. Both the specific identified limitations and the remediation plans should be reported to the board.

Senior management with stronger practices recognized the imprecision and prevalence of uncertainty in predicting future outcomes when reviewing information and results from enterprise-wide scenario analysis. At BHCs with stronger practices, senior management maintained an ongoing assessment of all capital planning areas, identifying and clearly documenting any weaknesses, assumptions, limitations, and uncertainties, and did not consider a one-time assessment of the capital planning

19 Id.
20 12 CFR 225.8(d)(2)(i)(A)-(D).

242 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
process to be sufficient. Furthermore, management developed clear remediation plans with specific timelines for resolving identified weaknesses. In some cases, based on its review of the full capital planning process, senior management made more cautious or conservative adjustments to the capital plan, such as recommending less aggressive capital actions. Management also included key assumptions and process weaknesses in reports and specifically pointed them out to the board, in some cases providing analysis showing the sensitivity of capital to alternative outcomes.

Documenting Decisions

BHCs should document decisions about capital adequacy and capital actions taken by the board of directors and senior management, and describe the information used to reach those decisions.21 Final decisions regarding capital planning of the board or of a designated committee thereof should be recorded and retained in accordance with the company's policies and procedures.

BHCs with stronger documentation practices had board minutes that described how decisions were made and what information was used. Some documentation provided evidence that the board challenged results and recommendations, including reviewing and assessing how senior management challenged the same information. BHCs with weaker documentation practices had board minutes that were very brief and opaque, with little reference to information used by the board to make its decisions. Some BHCs did not formally document key decisions.

14.5 CAPITAL POLICY

As noted earlier, a capital policy is the principles and guidelines used by a BHC for capital planning, capital issuance, and usage and distributions. A capital policy should include internal capital goals; quantitative or qualitative guidelines for dividends and stock repurchases; strategies for addressing potential capital shortfalls; and internal governance procedures around capital policy principles and guidelines.22 The capital policy, as a component of a capital plan, must be approved by the BHC's board of directors or a designated committee of the board.23 It should be a distinct, comprehensive written document that addresses the major components of the BHC's capital planning processes and links to and is supported by other policies (risk-management, stress testing, model governance, audit, and others). A capital policy should provide details on how a BHC manages, monitors, and makes decisions regarding all aspects of capital planning. The policy should also address roles and responsibilities of decision-makers, process and data controls, and validation standards. Finally, the capital policy should explicitly lay out expectations for the information included in the BHC's capital plan.

A capital policy should describe targets for the level and composition of capital and provide clarity about the BHC's objectives in managing its capital position. The policy should explain how the BHC's capital planning practices align with the imperative of maintaining a strong capital position and being able to continue to operate through periods of severe stress. It should include quantitative metrics such as common stock dividend (and other) payout ratios as maximums or targets for capital distributions. The policy should include an explanation of how management concluded that these ratios are appropriate, sustainable, and consistent with its capital objectives, business model, and capital plan. It should also specify the capital metrics that senior management and the board use to make capital decisions. In addition, a capital policy should include governance and escalation protocols that are clear, credible, and actionable in the event an actual or projected capital ratio target is breached.

The policy should describe processes surrounding how common stock dividend and repurchase decisions are made and how the BHC arrives at its planned capital distribution amounts. Specifically, the policy should discuss the following:

• the main factors and key metrics that influence the size, timing, and form of capital distributions
• the analytical materials used in making capital distribution decisions (e.g., reports, earnings, stress test results, and others)
• specific circumstances that would cause the BHC to reduce or suspend a dividend or stock repurchase program
• factors the BHC would consider if contemplating the replacement of common equity with other forms of capital
• key roles and responsibilities, including the individuals or groups responsible for producing the analytical material referenced above, reviewing the analysis, making capital distribution recommendations, and making the ultimate decisions

BHCs should establish a minimum frequency (at least annually) and other triggers for when its capital policy is reevaluated and ensure that these triggers remain relevant and current. The capital policy should be reevaluated and revised as necessary to address changes to organizational structure, governance structure, business strategy, capital goals, regulatory environment,

21 See FR Y-14A reporting form: Summary Schedule Instructions, p. 6.
22 12 CFR 225.8(c)(4).
23 See 12 CFR 225.8(d)(1)(iii)(C), 225.8(d)(2)(iii).


risk appetite, and other factors potentially affecting a BHC's capital adequacy. BHCs should develop a formal process for approvals, change management, and documentation retention relating to their capital policies.

Weak capital policies were typically characterized by a limited scope. They only addressed parts of the capital planning process, did not provide sufficient detail to convey clearly how capital action decisions will be made, were not well integrated with or supported by other risk and finance policies, and/or did not contain all of the elements described above (e.g., clearly defined capital goals, guidelines for capital distributions and capital composition, etc.). In some cases, the capital policy was overly generic and not tailored to the BHC's unique circumstances. For example, the policy appeared to be restating supervisory expectations without concrete examples or BHC-specific considerations. In other cases, the more detailed procedures were not presented to the board, thus limiting the board's ability to understand the analysis underlying its capital planning decisions.

Capital Goals and Targets

BHCs should establish capital goals aligned with their risk appetites and risk profiles as well as expectations of internal and external stakeholders, providing specific goals for the level and composition of capital, both current and under stressed conditions. Internal capital goals should be sufficient to allow a BHC to continue its operations during and after the impact of stressful conditions. As such, capital goals should reflect current and future regulatory capital requirements, as well as the expectations of shareholders, rating agencies, counterparties, creditors, supervisors, and other stakeholders.

BHCs should also establish capital targets above their capital goals to ensure that capital levels will not fall below the goals during periods of stress. Capital targets should take into consideration forward-looking elements related to the economic outlook, the BHC's financial condition, the potential impact of stress events, and the uncertainty inherent in the capital planning process. The goals and targets should be specified in the capital policy and reviewed and approved by the board.24

In developing their capital goals and targets, particularly with regard to setting the levels of capital distributions, BHCs should explicitly take into account general economic conditions and their plans to grow their on- and off-balance-sheet size and risks organically or through acquisitions. BHCs should consider the impact of external conditions during both normal and stressed economic and market environments and other factors on their overall capital adequacy and ability to raise additional capital, including the potential impact of contingent exposures and broader market or systemic events, which could cause risk to increase beyond the BHC's chosen risk-tolerance level. BHCs should have contingency plans for such outcomes.

Additionally, BHCs should calculate and use several capital measures that represent both leverage and risk, including quarterly estimates of regulatory capital ratios (including tier 1 common ratio) under both baseline and stress conditions. BHCs with weaker practices in this area did not clearly link decisions regarding capital distributions to capital adequacy metrics or internal capital goals.

Weak practices observed in this area included establishing capital goals based solely on regulatory minimums and the ratios required to be considered well-capitalized without consideration of a BHC's specific capital needs given its risk profile, financial condition, business model and strategies, overall complexity, and sensitivity to changing conditions. Some BHCs did not recognize uncertainties and limitations in capturing all potential sources of loss and in projecting loss and revenue estimates, which reduced the BHCs' ability to establish effective capital goals and targets. Other BHCs were not transparent about how they determined the capital goals and targets in their capital policies.

Capital Contingency Plan

BHCs should outline in their capital policies specific capital contingency actions they would consider to remedy any current or prospective deficiencies in their capital position.25 In particular, a BHC's policy should include a detailed explanation of the circumstances—including deterioration in the economic environment, market conditions, or the financial condition of the BHC—in which it will reduce or suspend a dividend or repurchase program or not execute a previously planned capital action. The policy also should define a set of capital triggers and events that would correspond with these circumstances. These triggers should be established for both baseline and stress scenarios and measured against the BHC's capital targets in those scenarios. These triggers and events should be used to guide the frequency with which board and senior management will revisit planned capital actions as well as review and act on contingency capital plans. The capital contingency plan should be reviewed and updated as conditions warrant, such as where there are material changes to the BHC's organizational structure or strategic direction or to capital structure, credit quality, and/or market access.

24 12 CFR 225.8(c)(4).
25 Id.
Capital triggers should provide an "early warning" of capital deterioration and should be part of a management decision-making framework, which should include target ranges for a normal operating environment and threshold levels that trigger management action. Such action should include escalation to the board, potential suspension of capital actions, and/or activation of a capital contingency plan. Triggers should also be established for other metrics and events that measure or affect the financial condition or perceived financial condition of the firm—for example, liquidity, earnings, debt and credit default swap spreads, ratings downgrades, stock performance, supervisory actions, or general market stress.

Contingency actions should be flexible enough to work in a variety of situations and be realistic for what is achievable during periods of stress. The capital plan should be prepared recognizing that certain capital-raising and capital-preserving activities may not be feasible or effective during periods of stress. BHCs should have an understanding of market capacity constraints when evaluating potential capital actions that require accessing capital markets, including debt or equity issuance and also contemplated asset sales. Contingency actions should be ranked according to ease of execution and their impact and should incorporate the assessment of stakeholder reactions (e.g., impacts on future capital-raising activities).

Weak capital contingency plans provided few options to address contingency situations and/or did not consider the feasibility of options under stressful conditions. Plans with overly optimistic assumptions or excessive reliance on past history (in terms of both possible contingency situations and options to address those situations) were also considered weak, as were plans that lacked support for the feasibility and availability of possible contingency actions. Other weak practices included establishing triggers based on actual results but not on projected results, or based on minimum regulatory capital ratios only with no consideration of the expectations of other stakeholders including counterparties, creditors and investors, or of other metrics or market indicators.

14.6 BHC SCENARIO DESIGN

Under the Capital Plan Rule, a BHC is required to use a BHC-developed stressed scenario that is appropriate for its business model and portfolios.26 Accordingly, BHCs should have a process for designing scenarios for enterprise-wide scenario analysis that reflects the BHC's unique business activities and associated vulnerabilities.

The range of observed practice for developing BHC stress scenarios was broad. Some BHCs designed stress scenarios using internal models and expertise. Other BHCs used vendor-defined macroeconomic scenarios or used vendor models to define customized macroeconomic scenarios. For BHCs with internally developed scenarios, those with stronger scenario-design practices used internal models in combination with expert judgment rather than relying solely on either models or expert judgment to define scenario conditions and variables. Among BHCs that used third-party scenarios, those with stronger practices tailored third-party-defined scenarios to their own risk profiles and unique vulnerabilities.

Regardless of the method used to develop the scenario, BHCs should have a scenario-selection process that engages a broad range of internal stakeholders such as risk experts, business managers, and senior management. Although they are required to submit only one BHC stress scenario for CCAR, BHCs should develop a suite of scenarios that collectively capture their material risks and vulnerabilities under a variety of stressful circumstances and should incorporate them into their overall capital planning processes.

Scenario Design and Severity

As indicated in the preamble to the Capital Plan Rule, "the bank holding company-designed stress scenario should reflect an individual company's unique vulnerabilities to factors that affect its firm-wide activities and risk exposures, including macroeconomic, market-wide, and firm-specific events."27 Thus, BHC stress scenarios should reflect macroeconomic and financial conditions that are tailored specifically to stress a BHC's key vulnerabilities and idiosyncratic risks, based on factors such as its particular business model, mix of assets and liabilities, geographic footprint, portfolio characteristics, and revenue drivers. A BHC stress scenario that simply features a generic weakening of macroeconomic conditions similar in magnitude to the supervisory severely adverse scenario does not meet these expectations.

BHCs with stronger scenario-design practices clearly and creatively tailored their BHC stress scenarios to their unique business-model features, emphasizing important sources of risk not captured in the supervisory severely adverse scenario. Examples of such risks observed in practice included a significant counterparty default; a natural disaster or other operational-risk event; and a more acute stress on a particular region, industry, and/or asset class as compared to the stress applied to general macroeconomic conditions in the supervisory adverse and severely adverse scenarios.

26 12 CFR 225.8(d)(2)(i)(A).
27 See 77 Fed. Reg. 74631, 74636 (December 1, 2011).
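The trigger framework described in the capital contingency discussion (target ranges, threshold levels, and escalating management actions, evaluated against both actual and projected results) can be made concrete as a small rules engine. The block below is an added illustration and is not code from the Federal Reserve guidance or from any BHC; the metric names, threshold values, and observations are constructed for the example, and the three escalation actions follow the ones the text names.

```python
from dataclasses import dataclass
from enum import IntEnum


class Action(IntEnum):
    """Escalation steps named in the text, ordered by severity."""
    NONE = 0          # metric is inside its normal operating range
    ESCALATE = 1      # escalate to the board
    SUSPEND = 2       # potential suspension of planned capital actions
    CONTINGENCY = 3   # activate the capital contingency plan


@dataclass(frozen=True)
class Trigger:
    """One early-warning trigger with three thresholds of rising severity.

    Threshold values here are constructed for illustration; a BHC's own
    policy would set them against its capital targets (assumption).
    """
    metric: str
    higher_is_better: bool   # capital ratios: True; CDS spreads: False
    escalate: float
    suspend: float
    contingency: float

    def breached(self, threshold: float, value: float) -> bool:
        # A ratio breaches by falling below; a spread breaches by rising above.
        return value < threshold if self.higher_is_better else value > threshold

    def evaluate(self, value: float) -> Action:
        # Check the most severe threshold first so the worst breach wins.
        if self.breached(self.contingency, value):
            return Action.CONTINGENCY
        if self.breached(self.suspend, value):
            return Action.SUSPEND
        if self.breached(self.escalate, value):
            return Action.ESCALATE
        return Action.NONE


# Evaluate actual results and both baseline and stress projections, so a
# breach that only appears under stress is still surfaced (the text flags
# triggers based on actual results alone as a weak practice).
BASES = ("actual", "baseline", "stress")


def assess(triggers, observations):
    """Return ({(metric, basis): Action}, overall Action).

    observations: {metric: {"actual": x, "baseline": y, "stress": z}}
    The overall action is the most severe result across every metric
    and basis.
    """
    by_metric = {t.metric: t for t in triggers}
    results = {}
    for metric, values in observations.items():
        trig = by_metric[metric]
        for basis in BASES:
            if basis in values:
                results[(metric, basis)] = trig.evaluate(values[basis])
    overall = max(results.values(), default=Action.NONE)
    return results, overall


# Constructed sample policy and quarter-end observations (not real data).
SAMPLE_TRIGGERS = [
    Trigger("tier1_common_ratio", True, escalate=8.5, suspend=8.0, contingency=7.0),
    Trigger("cds_spread_bps", False, escalate=200.0, suspend=300.0, contingency=400.0),
]
SAMPLE_OBSERVATIONS = {
    "tier1_common_ratio": {"actual": 9.4, "baseline": 9.1, "stress": 7.8},
    "cds_spread_bps": {"actual": 140.0, "baseline": 170.0, "stress": 260.0},
}


def demo():
    """Run the sample policy; stress-scenario capital breaches the suspend level."""
    return assess(SAMPLE_TRIGGERS, SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    results, overall = demo()
    for (metric, basis), action in sorted(results.items()):
        print(f"{metric:20s} {basis:9s} -> {action.name}")
    print("overall:", overall.name)
```

In the sample, every actual and baseline value sits inside its normal range, but the stress-scenario tier 1 common ratio falls through the suspend threshold and the stress CDS spread crosses the escalate threshold, so the framework reports suspension of planned capital actions as the overall step even though nothing has breached on an actual basis yet.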


At the same time, BHC stress scenarios should not feature assumptions that specifically benefit the BHC. For example, some BHCs with weaker scenario-design practices assumed that they would be viewed as strong compared to their competitors in a stress scenario and would therefore experience increased market share. Such assumptions are contrary to the supervisory expectations for and the intent of a stress testing exercise that informs capital planning.

While a broad-based recession adversely affects a wide range of most BHCs' business activities, BHCs may have business models or important business activities that generate vulnerabilities that are not particularly well captured by scenario analysis based on a stressed macroeconomic environment (or for which even a severe recession is not the primary source of potential vulnerability). These BHCs should incorporate into their stress scenarios elements that address the key revenue vulnerabilities and sources of loss for their specific businesses and activities. In combination, the recession incorporated into the BHC stress scenario and any additional elements intended to address specific businesses or activities should result in a substantial stress for the organization, including a significant reduction in capital ratios relative to baseline projections. However, a BHC stress scenario that produces post-stress capital ratios lower than those under the supervisory severely adverse scenario is not, in and of itself, a safe harbor. The stress scenario included in a BHC's capital plan should place substantial strains on its ability to generate revenue and absorb losses, consistent with its unique risks and vulnerabilities.

Variable Coverage

The set of variables that a BHC includes in its stress scenario should be sufficient to address all material risks arising from its exposures and business activities. A business line could face significant stress from multiple sources, requiring more than one risk factor or macroeconomic variable. The scenario should generally contain the relevant variables to facilitate pro forma financial projections that capture the impact of changing conditions and environments. BHCs should have a consistent process for determining the final set of variables and provide this rationale as part of the scenario narrative.

Overall, BHCs with stronger scenario-design practices generated scenarios in which the link between the variables included in the scenario and sources of risk to the BHC's financial outlook were transparent and straightforward. Clear narratives helped make these links more transparent. BHCs with weaker scenario-design practices developed stress scenarios that excluded some variables relevant to the BHC's risk profile and idiosyncratic vulnerabilities. For example, some BHCs with significant trading activities and revenues included a limited set of relevant financial variables. Other BHCs with significant regional and/or industry concentrations did not include relevant geographic or industry variables.

Clear Narratives

The scenario should be supported by a clear narrative describing how the scenario addresses the particular vulnerabilities and material risks facing the BHC. BHCs with stronger scenario-design practices provided narratives describing how the scenario variables related to the risks faced by a BHC's significant business lines and, in some cases, how the scenario variables corresponded to variables in the BHC's internal risk-management models. The narratives also provided explanations of how a scenario stressed a BHC's unique vulnerabilities specific to its business model and how the paths of the scenario variables related to each other in an economically intuitive way. Weaker practices included scenario narratives that did not provide any context for the variable paths as well as scenario narratives that described features that were not reflected in any variables considered in a BHC's internal capital planning.

14.7 ESTIMATION METHODOLOGIES FOR LOSSES, REVENUES, AND EXPENSES

A BHC's capital plan must include estimates of projected revenues, expenses, losses, reserves, and pro forma capital levels, including any minimum regulatory capital ratios, the tier 1 common ratio and any additional capital measures deemed relevant by the BHC, over the planning horizon under expected conditions and under a range of stressed scenarios.28

General Expectations

Projections of losses, revenues, and expenses under hypothetical stressed conditions serve as the fundamental building blocks of the pro forma financial analysis supporting enterprise-wide scenario analysis. BHCs should have stress testing methodologies that generate credible estimates that are consistent with assumed scenario conditions. It is important for BHCs to understand the uncertainties around their estimates, including the sensitivity of the estimates to changes in inputs and key assumptions. Overall, BHCs' estimates of losses, revenues, and expenses under each of the scenarios should be supported by

28 12 CFR 225.8(d)(1).
empirical evidence, and the entire estimation process should be transparent and repeatable. The Federal Reserve generally expects BHCs to use models or other quantitative methods as the basis for their estimates; however, there may be instances where a management overlay or other qualitative approaches may be appropriate due to data limitations, new products or businesses, or other factors. In such instances, BHCs should ensure that such processes are well supported, transparent, and repeatable over time.

Establishing a Quantitative Basis for Enterprise-Wide Scenario Analysis

Generally, BHCs should develop and use internal data to estimate losses, revenues, and expenses as part of enterprise-wide scenario analysis.29 However, in certain instances, it may be more appropriate for BHCs to use external data to make their models more robust. For example, BHCs may lack sufficient, relevant historical data due to factors such as systems limitations, acquisitions, or new products. When using external data, BHCs should take care to ensure that the external data reasonably approximate underlying risk characteristics of their portfolios, and make adjustments to modeled outputs to account for identified differences in risk characteristics and performance reflected in internal and external data.

BHCs can use a range of quantitative approaches to estimate losses, revenues, and expenses, depending on the type of portfolio or activity for which the approach is used, the granularity and length of available time series of data, and the materiality of a given portfolio or activity. While the Federal Reserve does not require BHCs to use a specific estimation method, each BHC should estimate its losses, revenues, and expenses at sufficient granularity so that it can identify common, key risk drivers and capture the effect of changing conditions and environments. For example, loss models should be estimated at a sufficiently granular subportfolio or segment level so that they can capture observed variations in risk characteristics and performance across the subportfolios or segments and across time, and account for changing exposure or portfolio characteristics over the planning horizon.

While BHCs often segment their portfolios and activities along functional areas, such as by line of business or product type, the leading practice is to determine segments based on common risk characteristics (e.g., credit score ranges or loan-to-value ratio ranges) that exhibit meaningful differences in historical performance. The granularity of segments typically depends on the type, size, and composition of the BHC's portfolio. For example, a more diverse portfolio—both in terms of borrower risk characteristics and performance—would generally require a greater number of segments to account for the heterogeneity of the portfolio. However, when segmenting portfolios, it is important to ensure that each risk segment has sufficient data observations to produce reliable model estimates.

As a general practice, BHCs should separately estimate losses, revenues, or expenses for portfolios or business lines that are sensitive to different risk drivers or sensitive to risk drivers in a markedly different way. For instance, losses on commercial and industrial loans and commercial real estate (CRE) loans are, in part, driven by different factors, with the path of property values having a more pronounced effect on CRE loan losses. Similarly, although falling property value affects both income-producing CRE loans and construction loans, the effect often differs materially due to structural differences between the two portfolios. Such differences can become more pronounced during periods of stress. BHCs with leading practices have demonstrated clearly the rationale for selecting certain risk drivers over others. BHCs with lagging practices used risk drivers that did not have a clear link to results, either statistically or conceptually.

Many models used for stress testing require a significant number of assumptions to implement. Further, the relationship between macroeconomic variables and losses, revenues, or expenses could differ considerably in the hypothetical stress scenario from what is observed historically. As a result, while traditional tools for evaluating model performance (such as comparing projections to historical out-of-sample outcomes) are still useful, the Federal Reserve expects BHCs to supplement them with other types of analysis. Sensitivity analysis is one tool that some BHCs have used to test the robustness of models and to help model developers, BHC management, the board of directors, and supervisors identify the assumptions and parameters that materially affect outcomes. Sensitivity analysis can also help ensure that core assumptions are clearly linked to outcomes. Using results from different estimation approaches (challenger models) as a benchmark is another way BHCs can gain greater comfort around their primary model estimates, as the strengths of one approach could potentially compensate for the weaknesses of another. When using multiple approaches, however, it is important that BHCs have a consistent framework for evaluating the results of different approaches and supporting rationale for why they chose the methods and estimates they ultimately used.

In certain instances, BHCs may need to rely on third-party models—for example, due to limitations in internal modeling capacity. In using these third-party models (vendor models or consultant-developed models), BHCs should ensure that their internal staff have working knowledge and a good conceptual

29 BHCs are required to collect and report a substantial amount of risk information to the Federal Reserve on FR Y-14 schedules. These data may help to support the BHC's enterprise-wide scenario analysis.

Chapter 14 Capital Planning at Large Bank Holding Companies ■ 247


understanding of the design and functioning of the models and potential model limitations so that management can clearly communicate them to those governing the process. An off-the-shelf vendor model often requires some level of firm-specific analysis and customization to demonstrate that it produces estimates appropriate for the BHC and consistent with scenario conditions. Sensitivity analysis can be particularly helpful in understanding the range of possible results of vendor models with less transparent or proprietary elements. Importantly, all vendor and consultant-developed models should be validated in accordance with SR 11-7 guidelines.30

Some BHCs generated annual projections for certain loss, revenue, or expense items and then evenly distributed them over the four quarters of each year. This practice does not reflect a careful estimate of the expected quarterly path of losses, net revenue, and capital, and thus is only acceptable when a BHC can clearly demonstrate that the projected item is highly uncertain and the practice likely results in a conservative estimate.

Qualitative Projections, Expert Judgment, and Adjustments

While quantitative approaches are important elements of enterprise-wide scenario analysis, BHCs should not rely on weak or poorly specified models simply to have a modeled approach. In fact, most BHCs use some forms of expert judgment for some purposes—generally as a management adjustment overlay to modeled outputs. And BHCs can, in limited cases, use expert judgment as the primary method to produce an estimate of losses, revenue, or expenses. BHCs may use a management overlay to account for the unique risks of certain portfolios that are not well captured in their models, or otherwise to compensate for specific model and data limitations. Material changes in BHCs' businesses or limitations in relevant data may lead some BHCs to rely wholly on expert judgment for certain loss, revenue, or expense projections. In using expert judgment, BHCs should ensure that they have a transparent and repeatable process, that management judgments are well supported, and that key assumptions are consistent with assumed scenario conditions.

As with quantitative methods, the assumptions and processes that support qualitative approaches should be clearly documented so that an external reviewer can follow the logic and evaluate the reasonableness of the outcomes.31 Any potential shortcomings should be investigated and communicated to decision-makers. In addition, any management overlay or qualitatively derived projections should be subject to effective review and challenge. BHCs should evaluate a range of potential estimates and conduct sensitivity analysis for key assumptions used in the estimation process. For example, if a BHC makes extensive adjustments to its modeled estimates of losses, revenue, and expenses, the impact of such adjustments should be quantified relative to unadjusted estimates, and these results should be documented and made available to BHC management and the board of directors. Finally, extensive use of management judgment to adjust modeled estimates should trigger review and discussion as to whether new or improved modeling approaches are needed. In reporting to the board of directors, management should always provide both the initial results and the results after any judgmental adjustments.

Conservatism and Credibility

Given the uncertainty inherent in a forward-looking capital planning exercise, the Federal Reserve expects BHCs to apply generally conservative assumptions throughout the stress testing process to ensure appropriate tests of the BHCs' resilience to stressful conditions. In particular, BHCs should ensure that models are developed using data that contain sufficiently adverse outcomes. If a BHC experienced better-than-average performance during previous periods of stress, it should not assume that those prior patterns will remain unchanged in the stress scenario. BHCs should carefully review the applicability of key assumptions and critically assess how historically observed patterns may change in unfavorable ways during a period of severe stress for the economy, the financial markets, and the BHC.

In the context of CCAR loss and revenue estimates, BHCs should generally include all applicable loss events in their analysis, unless a BHC no longer engages in a line of business or its activities have changed such that the BHC is no longer exposed to a particular risk. BHCs should not selectively exclude losses based on arguments that the nature of the ongoing business or activity has changed—for example, because certain loans were underwritten to standards that no longer apply or were acquired and, therefore, differ from those that would have been originated by the acquiring institution.

Similarly, BHCs should not rely on favorable assumptions that cannot be reasonably assured to occur in stressed environments given the high level of uncertainty around market conditions. BHCs should also not assume any foresight of scenario conditions over the projection horizon beyond what would reasonably be knowable in real-life situations. For example, some BHCs have used the path of stress scenario variables to make optimistic assumptions about possible management actions ex ante in

30 See SR Letter 11-7, "Supervisory Guidance on Model Risk Management," (April 4, 2011), www.federalreserve.gov/bankinforeg/srletters/sr1107.htm.
31 See FR Y-14A reporting form: Summary Schedule Instructions, pp. 5-6.

248 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
anticipation of stressful conditions, such as preemptively rebalancing their portfolios or otherwise adjusting their risk profiles to mitigate the expected impact. In the event of a downturn, the future path or progression of economic and market conditions would not be clearly known, and this uncertainty should be reflected in the capital plans.

Documentation of Estimation Practices

The Federal Reserve expects BHCs to clearly document their key methodologies and assumptions used to estimate losses, revenues, and expenses.32,33 BHCs with stronger practices provided documentation that concisely explained methodologies, with relevant macroeconomic or other risk drivers, and demonstrated relationships between these drivers and estimates. Documentation should clearly delineate among model outputs, qualitative overlays to model outputs, and purely qualitative estimates. BHCs with weaker practices often had limited documentation that was poorly organized and that relied heavily on subjective management judgment for key model inputs with limited empirical support for and documentation of these adjustments.

Loss-Estimation Methodologies

As noted earlier, a BHC's internal stress testing processes should be designed to capture risks inherent in its own exposures and business activities. Consistent with any good modeling practices, when developing loss-estimation methodologies, BHCs should first determine whether there is a sound theoretical basis for macroeconomic and other explanatory variables (risk drivers) used to estimate losses, and then empirically demonstrate that a strong relationship exists between those variables and losses. For example, most BHCs' residential-mortgage loss models used some measure of unemployment and a house price index as explanatory variables, which affect a borrower's ability and incentive to repay.

Beyond the core set of macroeconomic variables that typically represents a given scenario, such as gross domestic product (GDP), unemployment rate, Treasury yields, credit spreads, and various price indices, BHCs often project additional variables that have a more direct link to particular portfolios or exposures. Some examples of these variables include regional macroeconomic variables that better capture the BHC's geographic exposures and sector-specific variables, such as office vacancy rates and corporate profits. Using these additional variables to estimate the model can enhance the sensitivity of loss estimates to a given scenario and also improve the overall fit of the model. Any models used to produce additional risk drivers are key components of the loss-estimation process and, therefore, should be included in BHCs' model inventories and receive the same model risk-management treatment as core loss-estimation models.

Generally, BHCs sum up losses from various portfolios and activities to produce aggregate losses for the enterprise-wide scenario analysis. BHCs should have a repeatable process to aggregate losses, particularly when they transform model estimates to combine disparate risk measures (such as accounting-based and economic loss concepts), different measurement horizons, or otherwise dissimilar loss estimates.

BHCs with leading practices used automated processes that showed a clear audit trail from source data to loss estimation and aggregation, with full reconcilement to source systems and regulatory reports and mechanisms requiring approval and logging of judgmental adjustments and overrides. These systems often leveraged existing enterprise-wide financial and regulatory consolidation processes.

BHCs with lagging practices exhibited a high degree of manual intervention in the aggregation process, and applied aggregate-level management adjustments that were not transparent or well supported.

Retail and Wholesale Credit Risk

BHCs used a range of approaches to produce loss estimates on loans to retail and corporate customers, often using different estimation methods for different portfolios. This section describes the observed range of practice for the methods used to project losses on retail and wholesale loan portfolios.

Data and Segmentation

Sources of data used for loss estimation have often differed between retail and wholesale portfolios. Due to availability of a richer set of retail loss data, particularly from the most recent downturn, BHCs generally used internal data to estimate defaults or losses on retail portfolios and only infrequently used external data with longer history to benchmark estimated losses on portfolios that had more limited loss experience in the recent downturn. For wholesale portfolios, some BHCs supplemented internal data with external data or used external data to calibrate their models due to a short time series (5-10 years) that included only a single downturn cycle.

BHCs with stronger practices accounted for dynamic changes in their portfolios, such as loan modifications or changes in portfolio risk characteristics, and made appropriate adjustments to data or estimates to compensate for known data limitations (including lack of historical periods of stress).

32 See id.
33 See id.



BHCs with weaker practices failed to compensate for data limitations or adequately demonstrate that external data reasonably reflect the BHC's actual exposures, often failing to capture geographic, industry, or lending-type concentrations.

The level of segmentation used for modeling varied depending on the type and size of portfolio and estimation methods used. For example, BHCs often segmented the retail portfolio based on some combinations of product; lien position; risk characteristics such as credit score, loan-to-value ratio, and collateral; and underlying collateral information (e.g., single-family home versus condominium), though some models were estimated at the loan-level and others at the portfolio level.

BHCs with stronger practices had segmentation schemes that were well supported by the BHC's data and analysis, with sufficient granularity to capture exposures that react differently to risk drivers under stressed conditions.

BHCs with weaker practices used a single model for multiple portfolios, without sufficiently adjusting modeling assumptions to capture the unique risk drivers of each portfolio. For example, in estimating losses on wholesale portfolios, these BHCs did not adequately allow for variation in loss rates commonly attributed to industry, obligor type, collateral, lien position, or other relevant information.

Common Credit Loan Loss-Estimation Approaches

BHCs have used a wide range of methods to estimate credit losses, depending on the type and size of portfolios and data availability. These methods can be based on either an accounting-based loss approach (that is, charge-off and recovery) or an economic loss approach (that is, expected losses). BHCs have flexibility in selecting a specific loss or estimation approach; however, it is important for BHCs to understand differences between the two loss approaches, particularly in terms of the timing of loss recognition, and to account for the differences in setting the appropriate level of reserves at the end of each quarter.

Expected Loss Approaches

Under the expected loss approach, losses are estimated as a function of three components—probability of default (PD), loss given default (LGD), and exposure at default (EAD). PD, LGD, and EAD can be estimated at a segment level or at an individual loan level, and using different models or assumptions. In general, BHCs used econometric models to estimate losses under a given scenario, where the estimated PDs were conditioned on the macroeconomic environment and portfolio or loan characteristics. Some BHCs used other approaches, such as rating transition models, to estimate stressed default rates as part of an expected loss framework.

BHCs with leading practices were able to break down losses into PD, LGD, and EAD components, separately identifying key risk drivers for each of those components, though they typically did not demonstrate this level of granularity consistently across all portfolios. For certain wholesale portfolios, some BHCs used long-run average PD, LGD, and EAD for a particular segment, such as a rating grade, to estimate losses. By design, estimates based on long-run average behavior over a mix of conditions, including periods of economic expansion and downturn, are not appropriate for projecting losses under stress and should not be used for these purposes.

BHCs with leading practices clearly tied LGD to underlying risk drivers, accounted for collateral and guarantees, and also incorporated the likelihood of a decline in collateral values under stress. However, most BHCs have more limited data on LGD and, as a result, BHCs often applied a simple, conservative assumption (e.g., 100 percent LGD for credit cards), based stressed LGD on their experience during the crisis, or scaled up the historical average LGD using expert judgment. In using such methods, it is important for BHCs to ensure that the process is well supported and transparent in line with the Federal Reserve's general expectation for expert judgment-based estimates. Wherever possible, BHCs should benchmark their estimates with external data or research and analysis.

BHCs with lagging practices modeled LGD using a weighted-average approach at an aggregate portfolio level, without some level of segmentation (e.g., by lending product, priority of claim, collateral type, geography, vintage, or LTV). Or, they failed to demonstrate that LGD estimates were consistent with the severity of the scenario.

Although some BHCs found a relationship between EAD and credit quality, most BHCs did not model EADs to vary according to the macroeconomic environment, in large part due to data limitations. Rather, many BHCs applied a static assumption to estimate stressed EAD.

BHCs with stronger practices included the use of loan equivalent calculations (i.e., estimated additional draw-downs as a percentage of unused commitments, which are added to the outstanding or drawn balance) and credit-conversion factors (i.e., additional drawdowns during the period leading up to default—usually one year prior—as a percentage of both drawn and undrawn commitments) to capture losses associated with undrawn commitments.

BHCs with weaker practices did not project stressed exposures associated with undrawn commitments and/or relied on the assumption that they can actively manage down committed lines during stress scenarios.
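The expected-loss approach described above, with PD conditioned on the scenario, LGD reflecting a stressed decline in collateral value, and EAD built from the drawn balance plus a loan-equivalent share of undrawn commitments, as an added Python example. It is not code from the original text, the Federal Reserve, or any BHC's model: the segment names, balances, parameters, the logit form used to shift PD, and the "neutral" unemployment rate are all constructed assumptions. The long-run-average calculation is included only as the contrast the text warns against.

```python
"""Segment-level expected loss (EL = PD x LGD x EAD) under a macro scenario,
contrasted with the long-run-average shortcut the text says is not appropriate
for stress projections. All parameters and balances are constructed."""
from dataclasses import dataclass
from math import exp, log

NEUTRAL_UNEMPLOYMENT = 5.0   # assumed unemployment rate at which PD equals its long-run average


@dataclass
class Segment:
    name: str
    drawn: float        # outstanding balance ($ millions)
    undrawn: float      # unused committed lines ($ millions)
    collateral: float   # current collateral value ($ millions); 0 for unsecured
    base_pd: float      # long-run average PD (constructed)
    pd_beta: float      # assumed log-odds change in PD per point of unemployment
    leq: float          # assumed loan-equivalent factor applied to undrawn lines


def stressed_pd(seg, unemployment):
    """Logit model: shift the long-run PD's log-odds by the unemployment gap."""
    logit = log(seg.base_pd / (1 - seg.base_pd)) \
        + seg.pd_beta * (unemployment - NEUTRAL_UNEMPLOYMENT)
    return 1 / (1 + exp(-logit))


def stressed_ead(seg):
    """Drawn balance plus the LEQ share of undrawn commitments."""
    return seg.drawn + seg.leq * seg.undrawn


def stressed_lgd(seg, ead, collateral_decline, recovery_cost=0.10):
    """LGD after haircutting collateral for the scenario's value decline and
    deducting recovery costs; an unsecured exposure gets 100 percent LGD."""
    collateral_after = seg.collateral * (1 - collateral_decline)
    recovery = min(ead, collateral_after) * (1 - recovery_cost)
    return 1 - recovery / ead


def expected_loss(seg, unemployment, collateral_decline):
    pd = stressed_pd(seg, unemployment)
    ead = stressed_ead(seg)
    lgd = stressed_lgd(seg, ead, collateral_decline)
    return {"pd": pd, "lgd": lgd, "ead": ead, "el": pd * lgd * ead}


def long_run_average_loss(seg):
    """The weaker practice: long-run PD, drawn-only EAD, unstressed collateral."""
    lgd = stressed_lgd(seg, seg.drawn, 0.0)
    return seg.base_pd * lgd * seg.drawn


# Constructed segments: a secured wholesale segment and an unsecured card segment.
SEGMENTS = [
    Segment("CRE term loans", drawn=100.0, undrawn=50.0, collateral=110.0,
            base_pd=0.02, pd_beta=0.35, leq=0.4),
    Segment("credit cards", drawn=80.0, undrawn=120.0, collateral=0.0,
            base_pd=0.05, pd_beta=0.30, leq=0.1),
]


def run(unemployment=10.0, collateral_decline=0.30):
    """Stressed components and EL per segment, beside the long-run shortcut."""
    return {seg.name: {**expected_loss(seg, unemployment, collateral_decline),
                       "long_run_el": long_run_average_loss(seg)}
            for seg in SEGMENTS}


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name}: PD={r['pd']:.3%} LGD={r['lgd']:.1%} EAD={r['ead']:.1f} "
              f"EL={r['el']:.2f} vs long-run {r['long_run_el']:.2f}")
```

Each component is a separate function so that the risk drivers of PD, LGD and EAD can be identified and sensitivity-tested one at a time, which is the granularity the text associates with leading practice; the contrast with `long_run_average_loss` makes visible how much of the stressed loss comes from the undrawn commitments and the collateral haircut rather than from PD alone.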

Rating Transition Models

Many BHCs have used a rating transition-based approach to produce a stressed rating transition matrix for each quarter, which is then used to estimate losses for their wholesale portfolios under stress. These approaches used credit ratings applied to individual loans by the BHC and projected how these ratings would change over time given the macroeconomic scenario. Although the details of techniques used to link rating transitions to scenario conditions varied across firms, the process usually involved the following steps: (1) converting the rating transition matrix into a single summary measure; (2) estimating a time-series model linking the summary measure to scenario variables; (3) projecting the summary measure over the nine-quarter planning horizon, using the parameter estimates from the time-series model; and (4) converting the projected summary measure into a full set of quarterly transition matrices. BHCs using such an approach should be able to demonstrate that the summary measure responds to changes in economic conditions as expected (that is, worsens as the economic condition deteriorates) and results in projected rating transition matrices that are consistent with the severity of the scenario. Judgmentally selecting transition matrices from past stress periods is a weak practice, as it may produce loss estimates that are not consistent with a given scenario and fails to recognize that conditions in the future may not precisely mirror conditions observed by the BHC in the past.

Sound rating transition models require two fundamental building blocks: a robust time series of data and well-calibrated, granular risk rating systems. The Federal Reserve expects BHCs that use rating transition models to have robust time series of data that include a sufficient number of transitions, which allows BHCs to establish a statistically significant relationship between the transition behavior and macroeconomic variables. Data availability has been a widespread constraint inhibiting the development of granular transition models because a sufficient number of upgrades and downgrades are necessary to preclude sparse matrices. In order to overcome these data limitations, BHCs have often relied on third-party data to develop rating transition models. Consistent with the Federal Reserve's general expectations, when using third-party data, BHCs should be able to demonstrate that the transition matrices estimated with external data are a reasonable proxy for the migration behavior of their portfolios. Rating transition models also require granular ratings systems that capture differences in the potential for defaults and losses for a given set of exposures in various economic environments. BHCs that lack well-calibrated, granular credit-risk rating systems are often unable to produce useful transition matrices.

BHCs with stronger practices typically had more granular ratings systems and accounted for limitations in their data and/or credit rating systems by making adjustments to model assumptions or estimates, or by supplementing internal data with external data.

BHCs with weaker practices often failed to demonstrate that supplemented external data adequately reflected the ratings performance of the BHC's portfolio. BHCs with weaker practices also sometimes relied on a risk rating process that historically resulted in lumpiness in rating upgrades and downgrades or material concentrations in one or two rating categories. As a result, these BHCs often produced transition matrices with limited sensitivity to scenario variables, and resulting estimates were more consistent with long-term average default rates than with default rates that would be experienced under severe economic stress.

Roll-Rate Models

Many BHCs have used roll-rate models to estimate losses for various retail portfolios. Roll-rate models generally estimate the rate at which loans that are current or delinquent in a given quarter roll into delinquent or default status in the next period. As a result, they are conceptually similar to rating transition models. The Federal Reserve expects BHCs that use roll-rate models to have a robust time series of data with sufficient granularity. The robust time series data allow the BHC to establish a strong relationship between roll rates and scenario variables, while the availability of granular data enables BHCs to model all relevant loan transitions and to segment the portfolio into subportfolios that exhibit meaningful variations in performance, particularly during the period of stress. In general, BHCs should estimate roll rates using models that are conditioned on scenario variables. For certain transition states where statistical relationships between roll rates and scenarios are weak (such as late stage loan delinquency), BHCs should incorporate conservative assumptions rather than relying solely on statistical relationships.

While roll-rate models have some advantages, including transparency and ease of use, they often have a weak predictive power outside the near future, particularly if they are not properly conditioned on scenario variables. As a result, some roll-rate models have limited usefulness for stress testing over a longer horizon, such as the nine-quarter planning horizon required in CCAR. Some BHCs have used roll-rate models in conjunction with other estimation approaches (such as a vintage model described below) that project losses for later periods. In general, it is a weaker practice to combine two different models, as it can introduce unexpected jumps in estimated losses over the planning horizon, though some BHCs have judgmentally weighted two different estimation methods to smooth projected losses. If
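The four-step rating transition procedure described above, together with the check that the summary measure worsens as economic conditions deteriorate, as an added Python example that is not code from the original text, the Federal Reserve, or any BHC. The summary measure used here is the systematic-factor shift of a one-factor threshold model (one of several choices a firm could make); the through-the-cycle matrix, the twelve-quarter unemployment history, the matrices it "produced", and the nine-quarter scenario path are all constructed. The same state-transition machinery applies to the roll-rate models discussed above if the rating grades are replaced by delinquency buckets.

```python
"""Four-step rating-transition projection on constructed data:
(1) collapse each observed quarterly matrix to a single summary measure z,
(2) regress z on the scenario variable (unemployment),
(3) project z over the nine-quarter horizon,
(4) expand each projected z back into a full transition matrix.
z is the systematic shift of a one-factor threshold model; z < 0 means worse
credit conditions. Matrices and series are constructed, not real data."""
from statistics import NormalDist

N = NormalDist()
RATINGS = ["A", "B", "C", "D"]          # D = default, absorbing (no row of its own)
BASE = {                                # constructed through-the-cycle quarterly matrix
    "A": [0.950, 0.040, 0.008, 0.002],
    "B": [0.030, 0.900, 0.050, 0.020],
    "C": [0.010, 0.080, 0.840, 0.070],
}


def shift_matrix(base, z):
    """Move every row's cumulative 'this state or worse' probability c to
    Phi(Phi^-1(c) - z); rows still sum to one by construction."""
    out = {}
    for grade, row in base.items():
        cum, running = [], 0.0
        for p in reversed(row):                 # accumulate from D upward
            running += p
            cum.append(running)
        shifted = [N.cdf(N.inv_cdf(c) - z) for c in cum[:-1]] + [1.0]
        worst_first = [shifted[0]] + [shifted[k] - shifted[k - 1]
                                      for k in range(1, len(shifted))]
        out[grade] = list(reversed(worst_first))  # back to A..D order
    return out


def default_rate(matrix, grade):
    return matrix[grade][RATINGS.index("D")]


def summarize(observed, base=BASE):
    """Step 1: the single z that best reproduces an observed matrix (least squares)."""
    def sse(z):
        m = shift_matrix(base, z)
        return sum((m[g][k] - observed[g][k]) ** 2
                   for g in base for k in range(len(RATINGS)))
    best = min((sse(i / 20), i / 20) for i in range(-60, 61))[1]  # grid, step 0.05
    a, b = best - 0.05, best + 0.05                                 # golden-section refine
    phi = (5 ** 0.5 - 1) / 2
    c, d = b - phi * (b - a), a + phi * (b - a)
    while b - a > 1e-7:
        if sse(c) < sse(d):
            b, d = d, c
            c = b - phi * (b - a)
        else:
            a, c = c, d
            d = a + phi * (b - a)
    return (a + b) / 2


def fit_linear(xs, ys):
    """Step 2: ordinary least squares, z = alpha + beta * unemployment."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    beta = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return my - beta * mx, beta


def project_matrices(alpha, beta, unemployment_path, base=BASE):
    """Steps 3 and 4: project z along the scenario path, expand to matrices."""
    return [shift_matrix(base, alpha + beta * u) for u in unemployment_path]


# Constructed 12-quarter history and the matrices it is assumed to have produced.
HIST_U = [4.5, 4.8, 5.2, 6.0, 7.5, 9.0, 9.5, 8.8, 7.9, 6.5, 5.5, 5.0]
_NOISE = [0.02, -0.03, 0.01, 0.0, -0.02, 0.03, -0.01, 0.02, 0.0, -0.02, 0.01, -0.01]
HIST_MATRICES = [shift_matrix(BASE, 1.0 - 0.2 * u + e) for u, e in zip(HIST_U, _NOISE)]
# Constructed severely adverse nine-quarter unemployment path.
SCENARIO_U = [6.0, 7.2, 8.5, 9.6, 10.2, 10.4, 10.1, 9.6, 9.0]


def run():
    z_hist = [summarize(m) for m in HIST_MATRICES]          # step 1
    alpha, beta = fit_linear(HIST_U, z_hist)                 # step 2
    matrices = project_matrices(alpha, beta, SCENARIO_U)     # steps 3 and 4
    # The check the text calls for: z must fall (worsen) as unemployment rises.
    return {"alpha": alpha, "beta": beta, "responds_as_expected": beta < 0,
            "default_path_C": [default_rate(m, "C") for m in matrices]}


if __name__ == "__main__":
    r = run()
    print(f"z = {r['alpha']:.3f} + {r['beta']:.3f} * u; "
          f"responds as expected: {r['responds_as_expected']}")
    print("grade C quarterly default rate along the scenario:",
          [round(p, 4) for p in r["default_path_C"]])
```

Because every projected matrix is generated from the fitted z rather than picked from a past stress quarter, the severity of the output follows the severity of the scenario path, which is the property the text contrasts with judgmentally selected historical matrices; `responds_as_expected` is the sign check a validator would run before trusting the projections.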



BHCs combine two models, they should be able to demonstrate that such an approach is empirically warranted based on output analysis, including sensitivity analysis, and that the process of transitioning from one set of results to the other is consistent, well supported, and transparent.

Vintage Loss Models

Some BHCs use vintage loss models, also known as age-cohort-time models, to estimate losses for certain retail portfolios. BHCs that use vintage loss models generally segment their retail portfolios by vintage and collateral- or credit-quality-based segments. Losses are estimated using a multistep process—developing a baseline seasoning curve for each segment and using a regression model to estimate sensitivity of losses to macroeconomic variables at each seasoning level (e.g., four quarters after origination). This technique is commonly used in several vendor models, but BHCs also have developed and used proprietary models using this technique.

These models have several advantages (such as natural segmentation of portfolio by cohort and maturity) and ease of application to credit products (such as auto loans) that exhibit lifecycle effects. However, vintage models can be very challenging to construct, calibrate, and validate. In particular, it may be difficult to separately identify vintage effects from the effects of macroeconomic variables, which can result in poorly specified models. These models also assume that different cohorts will experience similar losses over time, generating results that are representative of average years, rather than during the period of stress. In using vintage models, it is important for a BHC to be able to demonstrate that the approach appropriately reflects its portfolio composition and history, and that modeled outputs are consistent with stressed conditions.

Charge-Off Models

A minority of BHCs have used net charge-off (NCO) models as either a primary loss-estimation model or a benchmark model. Typically, the NCO models BHCs used estimated a statistical relationship between charge-off rates and macroeconomic variables at a portfolio level, and often included autoregressive terms (lagged NCO rates). While some BHCs also incorporated variables that describe the underlying risk characteristics of the portfolio, NCO models that BHCs used for capital planning generally did not capture variation in sensitivities to risk drivers across important portfolio segments nor accounted for changes in portfolio risk characteristics over time. As a matter of general practice, BHCs should not use models that do not capture changes in portfolio risk characteristics over time and in scenarios used for stress testing as part of their internal capital planning.

NCO models often exhibit lower explanatory power than models that consider distinct portfolio risk drivers. In addition, NCO models implicitly assume that historical charge-off performance is a good predictor of future performance; however, the historical relationship between charge-offs and macro variables may not be realized under very stressful scenarios that fall outside the portfolio's actual historical experience. Accordingly, an NCO model that is estimated without using sufficient segmentation or does not account for current or changing portfolio composition is unlikely to produce robust loss estimates. Thus, BHCs should avoid using such an NCO model as the primary loss-estimation approach for a material portfolio.

Scalar Adjustments

Some BHCs have used simple scalars to adjust portfolio loss estimates under a baseline scenario upward for stress scenarios. Scalars have been calibrated based on some combination of historical performance, the ratio of modeled stressed losses to baseline losses estimated for other portfolios, and expert judgment. Scalar adjustments are easy to develop, implement, and communicate; however, the approach has significant shortcomings, including lack of transparency and lack of sensitivity to changes in portfolio composition and scenario variables. Consequently, the use of these types of approaches should be, at most, limited to immaterial portfolios.

Available-for-Sale (AFS) and Held-to-Maturity (HTM) Securities

BHCs should test all credit-sensitive AFS and HTM securities for potential other-than-temporary impairment (OTTI) regardless of current impairment status. The threshold for determining OTTI for structured products should be based on cash-flow analysis and credit analysis of underlying obligors. Most BHCs used a ratings-based approach to determine OTTI of direct obligations such as corporate bonds, based on the projection of ratings migration under a stress scenario and a ratings-based OTTI threshold. However, some BHCs with weaker practices used a ratings-based approach that kept the ratings static over the scenario horizon.

BHCs should have quantitative methods that capture appropriate risk drivers and explicitly translate assumed scenario conditions into estimated losses. Estimation methods should generate results that conform to standard accounting treatment, are consistent with scenario conditions, and are appropriately sensitive to changes in key variables. Any assumptions (e.g., assumptions related to loss recognition) should be consistent with the intent of a stress testing exercise. Additionally, models should be independently validated for their use in projecting OTTI losses for specific classes of securities.
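The vintage (age-cohort-time) approach described under Vintage Loss Models above, as an added Python example that is not code from the original text, any vendor model, or any BHC: a baseline seasoning curve per segment gives the loss rate at each quarter since origination, and a per-age sensitivity scales it for the scenario's unemployment path. The seasoning curves, the per-age sensitivities (which the text says come from a regression at each seasoning level; here they are simply assumed), the cohorts, and the scenario path are all constructed. The `stress_multiple` check is one way to confirm that outputs respond to the scenario rather than reproducing an average year, the failure mode the text raises.

```python
"""Vintage / age-cohort-time loss projection on constructed data: each cohort
ages as the scenario unfolds, its loss rate at each age comes from a baseline
seasoning curve, and a per-age macro sensitivity scales that rate for the
scenario's unemployment gap. Curves, sensitivities, and balances are constructed."""
from math import exp

NEUTRAL_U = 5.0   # assumed unemployment rate underlying the baseline curves

# Constructed baseline quarterly loss rates (fraction of original balance) by age in quarters.
SEASONING = {
    "prime":    [0.000, 0.001, 0.002, 0.004, 0.005, 0.005,
                 0.004, 0.003, 0.002, 0.002, 0.001, 0.001],
    "subprime": [0.002, 0.006, 0.012, 0.018, 0.020, 0.018,
                 0.015, 0.012, 0.010, 0.008, 0.006, 0.005],
}
# Constructed per-age sensitivity of the log loss rate to the unemployment gap
# (assumed here; in practice estimated by regression at each seasoning level).
MACRO_BETA = [0.05, 0.10, 0.15, 0.20, 0.25, 0.25, 0.25, 0.22, 0.20, 0.18, 0.15, 0.12]


def loss_rate(segment, age, unemployment):
    """Seasoning-curve rate at this age, scaled for the macro gap. Ages beyond
    the curve reuse its last point (an assumed flat tail)."""
    curve = SEASONING[segment]
    base = curve[min(age, len(curve) - 1)]
    beta = MACRO_BETA[min(age, len(MACRO_BETA) - 1)]
    return base * exp(beta * (unemployment - NEUTRAL_U))


def project_losses(vintages, scenario_u):
    """vintages: list of (segment, original balance, age at start of horizon).
    Returns projected losses per scenario quarter; every cohort ages one
    quarter per step, so vintage effects and calendar-time effects combine."""
    losses = []
    for q, u in enumerate(scenario_u):
        losses.append(sum(balance * loss_rate(seg, age0 + q, u)
                          for seg, balance, age0 in vintages))
    return losses


def stress_multiple(vintages, scenario_u):
    """Ratio of scenario losses to losses at neutral unemployment over the same
    horizon: a ratio near 1.0 would mean the model is reproducing an average
    year instead of the period of stress."""
    stressed = sum(project_losses(vintages, scenario_u))
    baseline = sum(project_losses(vintages, [NEUTRAL_U] * len(scenario_u)))
    return stressed / baseline


# Constructed book: three cohorts at different ages at the start of the horizon.
VINTAGES = [("prime", 1000.0, 0), ("prime", 800.0, 4), ("subprime", 300.0, 2)]
SCENARIO_U = [6.0, 7.2, 8.5, 9.6, 10.2, 10.4, 10.1, 9.6, 9.0]

if __name__ == "__main__":
    for q, loss in enumerate(project_losses(VINTAGES, SCENARIO_U), 1):
        print(f"Q{q}: {loss:.2f}")
    print(f"stress multiple vs baseline: {stress_multiple(VINTAGES, SCENARIO_U):.2f}x")
```

Keeping the seasoning curve and the macro sensitivity as separate objects is what makes the identification problem the text describes visible: a cohort that is young during the stress quarters gets both a rising seasoning rate and a rising macro multiplier, and only a regression that holds age fixed can tell the two apart.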

OTTI processes for AFS and HTM securities portfolios varied in sophistication across BHCs. BHCs with leading practices used estimation methods that capture both security-specific and country-specific performance data for relevant portfolios. For securitized products, they modeled the credit risk of underlying exposures (e.g., commercial real estate loans) to estimate potential losses. Where BHCs used management judgment, it was limited and well supported in the methodology documentation.

In addition, BHCs with leading practices chose conservative approaches and assumptions for OTTI loss estimation, such as recognizing losses in early quarters rather than over the entire scenario horizon. Though, under current accounting rules, OTTI losses are recognized only up to the amount of unrealized losses, some BHCs have taken a conservative approach to allow OTTI losses to exceed projected unrealized losses.

BHCs with lagging practices did not test all credit-sensitive securities for potential OTTI; rather, they tested only currently impaired positions or securities that met certain criteria (e.g., only securities rated below investment grade) for OTTI. BHCs should not rely solely on a ratings-based threshold to determine OTTI for structured products. BHCs with lagging practices had OTTI loss-estimation methodologies that did not capture appropriate risk drivers or scenario conditions and/or were not applied at a sufficiently granular level. In some cases, BHCs excluded key explanatory variables for certain asset classes. For example, the unemployment rate was used to project OTTI losses for non-agency residential mortgage-backed securities (RMBS), but the housing price index (HPI) was excluded even though theory and empirical evidence point to a strong relationship between mortgage losses and housing prices. As a result of these methodology deficiencies, these BHCs projected OTTI losses that were inconsistent with the risk characteristics of the portfolio and assumed scenario conditions.

Operational Risk

Best practices in operational-risk models are still evolving, and the Capital Plan Rule does not require BHCs to use advanced measurement approach (AMA) models for stressed operational-risk loss estimation.34 However, BHCs that have developed a rich set of data to support the AMA should consider leveraging the same data and risk-management tools to estimate operational losses under a stress scenario, regardless of the particular methodology they choose to estimate losses.

Most operational-risk models use historical data on operational-risk loss "events"—incidences in which a BHC has experienced a loss or been exposed to loss due to inadequate or failed internal processes, people, or systems or from external events. Generally, operational-risk events are grouped into one of several event-type categories, such as internal fraud, external fraud, or damage to physical assets.35 In general, BHCs should use internal operational-loss data as a starting point to provide historical perspective, and then incorporate forward-looking elements, idiosyncratic risks, and tail events to estimate losses. Most BHCs have supplemented their internal loss data with external data when modeling operational-risk loss estimates and scaled the losses to make the external loss data more commensurate with their individual risk profiles. The Federal Reserve expects such scaling approaches to be well supported. Few BHCs have incorporated business environment and internal control factors such as risk control self-assessments and other risk indicators into their operational-risk methodology. While the Federal Reserve does not expect BHCs to use these qualitative tools as direct inputs in a model, they can help identify areas of potential risk and help BHCs select appropriate scenarios that stress those risks.

Internal Data Collection and Data Quality

The Federal Reserve expects BHCs to have a robust and comprehensive internal data-collection method that captures key elements, such as critical dates (i.e., occurrence, discovery, and accounting), event types, and business lines. In general, BHCs should use complete data sets of internal losses when modeling, and not judgmentally exclude certain loss data.

Data quality and comprehensiveness have varied considerably across BHCs. BHCs with lagging practices often excluded certain internal loss data from model input for various reasons. Examples include

• excluding large items such as legal reserves and tax/compliance penalties;
• omitting losses from merged or acquired institutions due to complications in collection and aggregation; and
• excluding loss data from discontinued business lines, even though the loss events were reasonably generic and applicable to remaining business lines within the organization.

Some BHCs have addressed observed outliers by omitting them from the data set, modeling them separately, or applying an add-on based on scenario analysis or management input. If BHCs do not have the data from potential mergers and acquisitions, one

34 12 CFR part 225, appendix G.

35 For example, the seven event-type categories used for AMA are internal fraud; external fraud; employment practices and workplace safety; clients, products, and business practices; damage to physical assets; business disruption and system failures; and execution, delivery, and process management.

Chapter 14 Capital Planning at Large Bank Holding Companies ■ 253


way to account for this limitation is to scale existing internal data using the size of operations and apply an add-on to applicable business lines or units of measure. If a BHC excludes data or uses data-smoothing techniques, especially as they affect large losses, it should have a well-supported rationale for doing so, and clearly document the rationale and the process.

The Federal Reserve expects BHCs to segment their loss data into units of measure that are granular enough to capture similar losses while balancing that granularity against the availability of data. Most BHCs have segmented datasets by event type; however, some BHCs have segmented the loss data by consolidated business lines, event types, or some combination of the two.

Correlation with Macroeconomic Factors

Most BHCs have attempted to identify correlation between macroeconomic factors and operational-risk losses, but some have struggled to identify a clear relationship for some types of operational-risk loss events. BHCs that did not identify a significant correlation typically developed other methodologies, such as scenario analysis layered onto modeled results, to project stressed operational-risk losses. These approaches can be reasonable alternatives if BHCs can demonstrate that their approach results in sufficiently conservative loss estimates that are consistent with the stress scenario.

BHCs that identified correlations between macroeconomic factors and operational-risk elements typically had large data sets and often used external loss data to supplement internal data. These BHCs often identified correlations between loss frequency and macroeconomic factors for certain event types and adjusted the frequency distributions for the respective event type accordingly.

Common Operational-Loss-Estimation Approaches

Most BHCs have used their annual budgeting or forecasting process to estimate operational losses in the baseline scenario. The process typically uses a combination of historical loss data and management input at a business-line level. Some BHCs have used historical averages from internal loss data to estimate losses in the baseline scenario.

BHCs with stronger practices used a combination of approaches to incorporate historical loss experience, forward-looking elements, and idiosyncratic risks into their stressed loss projections. Using a combination of approaches can help address model and data limitations. Some BHCs used separate models for certain event types such as fraud or litigation, and used other approaches (e.g., using historical averages) for event types where no correlation with macroeconomic factors was identified. A simple approach may be acceptable depending on the size and complexity of the BHC as well as the data and sophistication of models available to it. Very few BHCs have yet developed benchmarks to either challenge or further support the projections provided by their main models.

Regression Models

Most BHCs have used a regression model, either by itself or with another approach described below, to estimate operational-risk losses for stress scenarios. Some BHCs also have used a regression model for the baseline scenarios, albeit with different parameters. Operational-risk regression models are generally used to estimate two variables: loss frequency (i.e., the number of operational-risk losses) and loss severity (i.e., the loss amount).

BHCs that were able to identify significant correlation between macroeconomic variables and operational-risk losses have used regression models to stress the loss frequency or total operational-risk losses. Some macroeconomic variables were adjusted for the purpose of correlation analysis or to reflect time-lag assumptions. Most BHCs judgmentally chose time periods for estimation and model specification rather than justifying them with statistical evidence.

Most BHCs were not able to find meaningful correlation between macroeconomic variables and operational-risk loss severity. As a result, BHCs that used a regression model to estimate loss frequency typically applied a loss-severity assumption (e.g., static or four-quarter moving average) based on the most recent crisis period to estimate operational losses.

Modified Loss-Distribution Approach (LDA)

The LDA is an empirical modeling technique commonly used by BHCs subject to the AMA to estimate annual value-at-risk (VaR) measures for operational-risk losses based on loss data and fitted parametric distributions. The LDA involves estimating probability distributions for the frequency and the severity of operational loss events for each defined unit of measure, whether it is a business line, an event type, or some combination of the two.

The estimated frequency and severity distributions are then combined, generally using a Monte Carlo simulation, to estimate the probability distribution for annual operational-risk losses at each unit of measure.

For purposes of CCAR, LDA models have generally been used in one of two ways: (1) by using a lower confidence interval than the 99.9th percentile used by the AMA, or (2) by adjusting the frequency based on outcomes of correlation analysis. BHCs that modified the LDA by using a lower confidence interval

36 See FR Y-14A reporting form: Summary Schedule Instructions, p. 5.

typically have used either the mean or median for the baseline estimates and higher confidence intervals—typically ranging from the 70th percentile to the 98th percentile—for the stressed estimates. Additionally, some BHCs have used different confidence intervals for different event types. The Federal Reserve does not require BHCs to use a particular percentile to produce stressed estimates. However, it expects BHCs to implement a credible, transparent process to select a percentile; be able to demonstrate why the percentile is an appropriate choice given the specific scenario under consideration; and perform sensitivity analyses around the selection of a percentile to test the impact of this assumption on model outputs. Some BHCs modified the LDA by adjusting frequency distributions based on the observed correlation between macroeconomic variables and operational-risk losses.

Scenario Analysis

Scenario analysis is a systematic process of obtaining opinions from business managers and risk-management experts to assess the likelihood and loss impact of plausible severe operational-loss events. Some BHCs have used this process to determine a management overlay that is added to losses estimated using a model-based approach. BHCs have used this overlay to incorporate idiosyncratic risks (particularly for event types where correlation was not identified) or to capture potential loss events that the BHC had not previously experienced. BHCs should be able to demonstrate the quantitative effect of the management overlay on final loss estimates.

Scenario analysis, if used effectively, can help compensate for data and model limitations, and allows BHCs to capture a wide range of risks, particularly where limited data are available. The Federal Reserve expects BHCs using scenario analysis to have a clearly defined process and provide an appropriate rationale for the specific scenarios included in their loss estimate. The process for choosing scenarios should be credible, transparent, and well supported.

Historical Averages

Some BHCs used historical averages of operational-risk losses, in combination with other approaches noted above, to estimate operational-risk losses under stress scenarios. For example, BHCs have used historical averages for event types where no correlation between macroeconomic factors and operational-risk losses was identified but used a regression model for event types where correlations were identified. A small number of BHCs have used historical averages as the sole approach to develop stressed loss estimates. When used alone, this approach is backward-looking and excludes potential risks the BHCs have not experienced. When using historical averages, BHCs should support the chosen time periods, thresholds, and any excluded or adjusted outliers and demonstrate that loss estimates are consistent with what is expected in the stress scenario.

Legal Exposures

Since legal exposure represents a significant portion of operational losses for many BHCs, a number of BHCs have analyzed and projected legal losses separately from non-legal losses. The Federal Reserve expects BHCs to include all legal reserves and settled legal losses in their total loss estimate for operational risk. BHCs have used various methods to estimate legal losses, such as applying a judgment-based add-on for significant losses; using legal reserves; using historical averages; or creating separate regression models for the clients, products, and business practices event type. To estimate litigation losses resulting from representations and warranties liabilities related to mortgage underwriting activities, some BHCs have developed hazard-rate models based on historical loan performance to estimate default rates and then estimated repurchase claim rates.

Market Risk and Counterparty Credit Risk

BHCs that have sizeable trading operations may incur significant losses from such operations under a stress scenario due to valuation changes stemming from credit and/or market risk, which may arise as a result of moves in risk factors such as interest rates, credit spreads, or equity and commodities prices, and counterparty credit risk owing to potential deterioration in the credit quality or outright default of a trading counterparty.37 BHCs use different techniques for estimating such potential losses. These techniques can be broadly grouped into two approaches: probabilistic approaches that generate a distribution of potential portfolio-level profit/loss (P/L) and deterministic approaches that generate a point estimate of portfolio-level losses under a specific stress scenario.

Both approaches have different strengths and weaknesses. A probabilistic approach can provide useful insight into a range of scenarios that generate stress losses in ways that a deterministic stress testing approach may not be able to do. However, the probabilistic approach is complex and often lacks transparency, and as a result, it can be difficult to communicate the relevant scenarios to senior managers and the board of directors. In addition, the challenges inherent in tying probabilistic loss estimates

37 Under the Federal Reserve's stress testing rules, BHCs with greater than $500 billion in total consolidated assets that are subject to the market risk rule (12 CFR part 225, appendix E) are required to apply the global market shock as part of their annual Dodd-Frank Act company-run stress tests.



to specific underlying scenarios can make it difficult for management and the board of directors to readily discern what actions could be taken to mitigate portfolio losses in a given scenario. Combined, these factors complicate the use of probabilistic approaches as the primary element in an active capital planning process that reflects well-informed decisions by senior management and the board of directors. The Federal Reserve expects BHCs using a probabilistic approach to provide evidence that such an approach can generate scenarios that are potentially more severe than what was historically experienced, and also to clearly explain how BHCs use the scenarios associated with tail losses to identify and address their idiosyncratic risks.

By comparison, a deterministic approach generally produces scenarios that are easier to communicate to senior management and the board of directors. However, a deterministic approach often uses a limited set of scenarios, and may miss certain scenarios that could result in large losses. The Federal Reserve expects BHCs using a deterministic approach to demonstrate that they have considered a range of scenarios that sufficiently stress their key exposures.

For CCAR, most BHCs generally relied on a deterministic approach. BHCs using deterministic approaches often relied on statistical models—for example, to inform the magnitude of risk-factor movements and covariances between risk factors—and also considered multiple scenarios as part of the broader internal stress testing supporting their capital planning process. BHCs using deterministic approaches used a three-step process to generate P/L losses under a stress scenario:

1. Design and selection of stress scenarios
2. Construction and implementation of the scenario (that is, translation to risk-factor moves)
3. Revaluation (and aggregation) of position and portfolio-level P&L under the stress scenarios

The Federal Reserve expects BHCs to have robust operational and implementation practices in all areas, including position inclusion, risk-factor representations, and revaluation methods.

Stress Scenarios

Most BHCs using deterministic approaches developed a set of broad narratives and considered a number of market shock scenarios that address the breadth of the BHCs' risks before selecting the scenario included in their capital plans. In general, these BHCs used some combination of historical events and hypothetical projections to inform and develop the market shock scenarios. They also developed certain core themes or narratives for each scenario, which were sometimes supplemented with an overlay to capture additional nuances. BHCs generally developed the overlays using expert judgment based on knowledge of their positions and market developments.

The Federal Reserve expects BHCs to consider multiple market shock scenarios as part of their internal stress testing. BHCs should develop and use stress scenarios that severely stress BHCs' mark-to-market positions and account for BHCs' idiosyncratic risks, in the event of a market-wide or firm-specific stress. In developing scenarios, BHCs should ensure that stress scenarios appropriately stress positions or products in which the BHC has a large market share (net or gross) or is a dominant player, and should also consider more unusual basis risks arising from complex interlocking and interdependent positions, if such moves could result in large losses. BHCs that only use a scenario that closely mirrors the Federal Reserve's global market shock component of the severely adverse and adverse scenarios should be aware that such an approach may omit significant risks that are unique to their positions, and that such omissions could lead to a negative assessment of a firm's capital planning process. BHCs should clearly document the process they use to select stress scenarios, with sufficient justification and clear articulation of key aspects of the scenarios.38

Translating Scenarios to Risk Factor Shocks

Once broad scenarios were developed, BHCs translated these scenarios into concrete specifications of individual risk factors that were the actual inputs to pricing models, typically using the existing risk infrastructures and processes used for risk management, such as VaR and credit valuation adjustment (CVA). Most BHCs used instantaneous market shocks for stress testing, which assume that highly stressful outcomes that have typically occurred over a period of time (days, weeks, or months) will occur instantaneously. Given the uncertainty surrounding a firm's ability to exit or manage positions during a period of severe market stress, this is an appropriate practice and suitably conservative for capital planning. Consistent with general supervisory expectations around risk-measurement processes, BHCs should clearly document the approximations and assumptions used as part of their measurement of risks under stress, assess the potential impacts, and address any deficiencies identified.39

The size of shocks assumed in the stress scenario is often quite large. As a result, mechanical application of such shocks to current levels of risk factors could result in implausible outcomes such as negative risk-free rates or negative forward rates. BHCs should ensure that the proposed shocks produce results that are

38 See FR Y-14A reporting form: Summary Schedule Instructions, pp. 5-6.

39 See id., p. 6.

plausible. In particular, BHCs should take care in modeling dislocations and discordant moves of risk factors that normally move similarly. Additionally, while dislocations and discordant moves are expected under stress, BHCs should have a process to assess that the resulting joint moves of risk factors are reasonable. Also, the dislocations and discordant moves implied by a stress scenario may require risk-factor mappings that deviate from the normal mappings. BHCs should clearly document instances of such deviation and provide support.40

Revaluation Methodologies and P/L Estimates

In principle, revaluation for stress testing can be carried out using the same infrastructure and calculators as conventional risk-measurement tools. However, practical revaluation methods may embed a number of approximations, which could introduce mismeasurement into the stress test results. In particular, VaR methodologies often use approximation methods for a number of reasons—for example, to economize on the computational costs of running a large number of scenarios daily. Although approximation methods may perform adequately for the risk-factor moves that are considered in normal conditions (for a small number of scenarios), BHCs should generally use "full-revaluation" methods for stress testing, given the very large risk-factor moves, especially for nonlinear positions whose value depends on multiple risk factors. BHCs can use approximation methods on a limited basis if extensive tests and analyses suggest that the potential mismeasurement from using such methods is not significant. BHCs should clearly support the process they use to ascertain the extent of such mismeasurements. Also, for certain parameters that are not easily "market-observable" and, therefore, cannot be inferred from traded instruments (e.g., correlations for credit-default baskets and correlations for certain interest-rate and exchange-rate pairs), BHCs should consider suitably perturbed values of the model parameters.

In addition, BHCs should ensure that P/L estimates under the stress scenario are relatively easy to interpret and explain. For example, BHCs with leading practices easily identified key P&L drivers in terms of positions, asset classes, and risk types. BHCs should also conduct sensitivity analysis to ensure that P/L estimates under the stress scenario are robust, without being unduly sensitive to small changes in inputs, assumptions, and modeling choices.

Counterparty and Issuer Defaults

Defaults of counterparties or issuers and/or reference entities are typically not embedded directly within the instantaneous market shock scenario. BHCs often use a model similar to that used for the incremental risk regulatory capital charge—a probabilistic approach based on some measure of PD, LGD, and EAD of counterparties or issuers—to estimate losses from possible defaults over some future horizon (e.g., to the typical margin period of risk). BHCs with leading practices also considered for their internal stress testing an explicit default scenario of one or more of their largest counterparties and/or customers. This approach has the benefit of allowing the BHC to consider targeted defaults of counterparties and customers to which the BHC has large exposures.

Risk Mitigants and Other Assumptions

Some BHCs have incorporated management responses to the stress, assuming, for example, that some positions would be sold or hedged over time under the stress scenario. The Federal Reserve expects any assumptions about risk mitigation to be conservative. Where BHCs assume management actions that have the effect of reducing losses under the scenario, they should be able to demonstrate that such actions are consistent with established policy, supported by historical experience, and executable with high confidence in the market environment contemplated by the scenario. BHCs should recognize that their ability to take mitigating actions may be more limited in the stress scenario. For example, it may not be reasonable to assume that BHCs can easily sell their positions to other BHCs under the stress scenario. In addition, BHCs should avoid making unrealistic assumptions about their ability to foresee precisely how a scenario would play out and to take action on the basis of that information.

PPNR Projection Methodologies

The Capital Plan Rule requires BHCs to estimate revenue and expenses over the nine-quarter planning horizon.41 Accordingly, BHCs should have effective processes for projecting PPNR and its revenue and expense subcomponents over the same range of stressful scenarios and environments used for estimating losses. In projecting these amounts, BHCs should consider not only their current positions, but also how their activities and business focus may evolve over time under the varying circumstances and operating environments reflected in the scenarios being used.

40 See id., pp. 5-6.

41 12 CFR 225.8(d)(2)(i).
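The modified LDA described in the Operational Risk section above combines a fitted frequency distribution and a fitted severity distribution by Monte Carlo simulation, reads the stressed estimate off a percentile below the AMA's 99.9th, and, in the second variant, adjusts frequency using the result of the macroeconomic correlation analysis. The Python script below is an added illustration of that mechanism, not code from the Federal Reserve or from any BHC. Poisson frequency, lognormal severity, and a log-linear link from a macroeconomic shock to event frequency are constructed assumptions, and every parameter value is made up rather than calibrated to loss data. It also carries out the percentile sensitivity analysis the text asks BHCs to perform.

```python
"""Modified loss-distribution approach (LDA) for one unit of measure.

Added illustration: frequency ~ Poisson(lam), severity ~ lognormal(mu, sigma),
annual loss = sum of the severities of the events simulated in a year.
All parameter values below are constructed, not calibrated to any BHC's data.
"""
import math
import random
from typing import Dict, List


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the modest lambdas used here."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    count, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return count
        count += 1


def simulate_annual_losses(lam: float, mu: float, sigma: float,
                           n_years: int = 20000, seed: int = 1) -> List[float]:
    """Monte Carlo: draw an event count for each year, then a severity per event."""
    rng = random.Random(seed)
    years = []
    for _ in range(n_years):
        total = 0.0
        for _ in range(sample_poisson(rng, lam)):
            total += rng.lognormvariate(mu, sigma)
        years.append(total)
    years.sort()
    return years


def percentile(sorted_values: List[float], p: float) -> float:
    """Linear interpolation between order statistics, p in [0, 100]."""
    if not sorted_values:
        raise ValueError("empty sample")
    pos = (p / 100.0) * (len(sorted_values) - 1)
    lo, hi = math.floor(pos), math.ceil(pos)
    return sorted_values[lo] + (pos - lo) * (sorted_values[hi] - sorted_values[lo])


def stressed_frequency(lam_base: float, beta: float, macro_shock: float) -> float:
    """Assumed log-linear link from a macro driver (e.g. a rise in the unemployment
    rate) to event frequency: lam_stress = lam_base * exp(beta * shock).
    The link and beta are constructed; a BHC would estimate them from the
    correlation analysis described in the text."""
    return lam_base * math.exp(beta * macro_shock)


def lda_estimates(lam_base: float, mu: float, sigma: float, stress_pct: float,
                  beta: float = 0.0, macro_shock: float = 0.0,
                  n_years: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Baseline from the mean/median of the unstressed distribution; stressed
    estimate from a chosen percentile of the frequency-adjusted distribution;
    the AMA 99.9th percentile is reported only for comparison."""
    base = simulate_annual_losses(lam_base, mu, sigma, n_years, seed)
    lam_stress = stressed_frequency(lam_base, beta, macro_shock)
    stress = simulate_annual_losses(lam_stress, mu, sigma, n_years, seed + 1)
    return {
        "baseline_median": percentile(base, 50),
        "baseline_mean": sum(base) / len(base),
        "stressed_frequency": lam_stress,
        "stressed_at_pct": percentile(stress, stress_pct),
        "ama_99_9": percentile(stress, 99.9),
    }


def percentile_sensitivity(sorted_losses: List[float],
                           pcts: List[float]) -> Dict[float, float]:
    """The sensitivity analysis the text asks for: how far the stressed figure
    moves as the selected percentile moves."""
    return {p: percentile(sorted_losses, p) for p in pcts}


if __name__ == "__main__":
    # Constructed unit of measure: ~5 events/year, median event size exp(9) = 8,103.
    est = lda_estimates(5.0, 9.0, 1.5, stress_pct=95, beta=0.25, macro_shock=2.0)
    for k, v in est.items():
        print(f"{k:>20}: {v:,.0f}")
    stressed = simulate_annual_losses(est["stressed_frequency"], 9.0, 1.5, seed=2)
    for p, v in percentile_sensitivity(stressed, [70, 80, 90, 95, 98]).items():
        print(f"  {p:>5}th percentile: {v:,.0f}")
```

Running the file prints the baseline median and mean, the stressed figure at the chosen percentile, and the 99.9th-percentile AMA figure for comparison; the sensitivity table then makes visible how much the stressed estimate moves between the 70th and 98th percentiles, which is exactly the assumption the text expects a BHC to be able to defend.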
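Two of the supervisory points above can be checked mechanically: the revaluation section's warning that approximation methods mismeasure nonlinear positions under very large risk-factor moves, and the scenario-translation section's warning that mechanically applied shocks can produce negative risk-free or forward rates. The Python below is an added example, not anything from the page or the Federal Reserve. It prices a constructed long call position with a Black-Scholes calculator, compares full revaluation with a delta-gamma-vega approximation under a small and a large instantaneous shock, and flags negative zero or forward rates after a parallel shift of a constructed zero curve. The position, the shocks, and the curve are all made up for illustration.

```python
"""Stress revaluation checks for a nonlinear trading position.

Added illustration with a constructed position, shocks and curve:
(1) full revaluation versus a delta-gamma-vega approximation of a long call
    under a small and a large instantaneous shock;
(2) a plausibility check that a parallel rate shock has not produced
    negative zero rates or negative forward rates.
"""
import math
from typing import Dict, List, Tuple

Curve = List[Tuple[float, float]]  # (maturity in years, continuously compounded zero rate)


def norm_cdf(x: float) -> float:
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def norm_pdf(x: float) -> float:
    return math.exp(-0.5 * x * x) / math.sqrt(2.0 * math.pi)


def _d1(S: float, K: float, r: float, sigma: float, T: float) -> float:
    return (math.log(S / K) + (r + 0.5 * sigma * sigma) * T) / (sigma * math.sqrt(T))


def bs_call(S: float, K: float, r: float, sigma: float, T: float) -> float:
    """Black-Scholes European call: the 'calculator' used for full revaluation."""
    d1 = _d1(S, K, r, sigma, T)
    d2 = d1 - sigma * math.sqrt(T)
    return S * norm_cdf(d1) - K * math.exp(-r * T) * norm_cdf(d2)


def bs_greeks(S: float, K: float, r: float, sigma: float, T: float) -> Dict[str, float]:
    d1 = _d1(S, K, r, sigma, T)
    return {
        "delta": norm_cdf(d1),
        "gamma": norm_pdf(d1) / (S * sigma * math.sqrt(T)),
        "vega": S * norm_pdf(d1) * math.sqrt(T),  # per 1.00 move in volatility
    }


def full_revaluation_pnl(pos: Dict[str, float], dS: float, dsigma: float) -> float:
    """Reprice the position at the shocked inputs and difference against base."""
    base = bs_call(pos["S"], pos["K"], pos["r"], pos["sigma"], pos["T"])
    shocked = bs_call(pos["S"] + dS, pos["K"], pos["r"], pos["sigma"] + dsigma, pos["T"])
    return pos["qty"] * (shocked - base)


def approx_pnl(pos: Dict[str, float], dS: float, dsigma: float) -> float:
    """Second-order Taylor approximation in spot plus first order in volatility,
    the kind of shortcut a daily VaR engine may use to save computation."""
    g = bs_greeks(pos["S"], pos["K"], pos["r"], pos["sigma"], pos["T"])
    return pos["qty"] * (g["delta"] * dS + 0.5 * g["gamma"] * dS * dS + g["vega"] * dsigma)


def mismeasurement(pos: Dict[str, float], dS: float, dsigma: float) -> Tuple[float, float, float]:
    """Return (full, approximate, approximate - full) so the gap can be tested."""
    full = full_revaluation_pnl(pos, dS, dsigma)
    approx = approx_pnl(pos, dS, dsigma)
    return full, approx, approx - full


def apply_parallel_shift(curve: Curve, shift: float) -> Curve:
    """Mechanical application of a parallel shock (decimal, e.g. -0.01 = -100 bp)."""
    return [(t, r + shift) for t, r in curve]


def implausible_points(curve: Curve) -> List[Tuple[str, float]]:
    """Flag negative zero rates and negative implied forward rates between
    adjacent maturities; forward f(t1, t2) = (r2*t2 - r1*t1) / (t2 - t1)."""
    issues = [("negative_zero_rate", t) for t, r in curve if r < 0.0]
    for (t1, r1), (t2, r2) in zip(curve, curve[1:]):
        if (r2 * t2 - r1 * t1) / (t2 - t1) < 0.0:
            issues.append(("negative_forward", t2))
    return issues


if __name__ == "__main__":
    # Constructed position: 1,000 at-the-money one-year calls.
    pos = {"S": 100.0, "K": 100.0, "r": 0.02, "sigma": 0.25, "T": 1.0, "qty": 1000.0}
    for label, dS, dsig in (("small shock", -1.0, 0.005), ("stress shock", -40.0, 0.20)):
        full, approx, gap = mismeasurement(pos, dS, dsig)
        print(f"{label:>12}: full {full:,.0f}  approx {approx:,.0f}  gap {gap:,.0f}")
    curve = [(1.0, 0.005), (2.0, 0.008), (5.0, 0.015)]  # constructed zero curve
    print(implausible_points(apply_parallel_shift(curve, -0.01)))
```

For the one-percent shock the two P/L figures agree to well under a cent per option, which is why the shortcut is acceptable for daily VaR; for the 40-percent spot drop with a 20-point volatility rise the approximation understates the loss by several dollars per option, which is the mismeasurement the text says full revaluation avoids. The curve check is the kind of automated plausibility gate a BHC can run on every translated scenario before positions are revalued.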



General Considerations for Robust PPNR Projections

As part of a comprehensive enterprise-wide scenario analysis program, BHCs should have methodologies that generate robust projections of PPNR consistent with the current and projected paths of on- and off-balance-sheet exposures, risk-weighted assets (RWA), and other exposure assumptions used for related loss estimation. PPNR projections should also be consistent with assumed scenario conditions and be projected in accordance with the same accounting basis that would be used to calculate relevant capital ratios. BHCs should project all key elements of PPNR at a level of granularity consistent with the materiality of revenue and expense components and sufficient to capture differing drivers of revenue and expenses across the organization. Finally, BHCs should consider the effects that regulatory changes (e.g., changes in deposit insurance coverage limits) may have on their ability to replicate historical performance or achieve stated goals.

Key assumptions that may materially affect PPNR estimates should be consistent with assumed scenario conditions and internally consistent within each scenario, particularly assumptions related to the business model and strategy (e.g., deposit growth, pricing assumptions, expense reductions, and other management actions). Management is expected to evaluate the reasonableness and timing of projected strategies, including mitigating actions taken in a stressful scenario, to ensure that the assumptions reflect realistic and achievable outcomes for a given scenario. Where possible, assumptions should be supported by quantitative analysis or empirical evidence.

In all cases, BHCs should ensure that projections (including those of PPNR, loss, balance sheet size and composition, and RWA) present a coherent story within each scenario. BHCs should clearly establish a relationship among revenue, expenses, the balance sheet, and any applicable off-balance-sheet items and document how their process generates a consistent and coherent evolution of these items over the course of the scenario.42 For example, origination assumptions should be the same for projecting loan balances, related loan fees, origination costs, and loan losses. Similarly, there should be coherence among trading revenue projections, trading assets, trading liabilities, and trading RWA projections. Management should document the relationships among these items and avoid cases where outcomes move in counterintuitive directions.43

Observed PPNR Projection Practices

The translation of macroeconomic assumptions into projections of PPNR over a range of stressful scenarios and environments can take many forms, and BHCs used a variety of approaches and models to make these projections. BHCs with stronger practices demonstrated strong interactions among central planning functions, business lines, and the treasury group, with an open flow of information and a robust challenge process. At these BHCs, the role of the central group was not just to aggregate components of PPNR projections. In some cases, the corporate planning areas also provided independent projections that were compared to the aggregated business line results as a part of the challenge process. At other BHCs, the corporate planning group derived the PPNR projections, which were then discussed and challenged by business lines. Both approaches resulted in better-supported assumptions and projections than approaches in which the central group simply aggregated projections made by others.

In addition, BHCs with stronger practices made projections based on a full exploration of the most relevant relationships between assumed scenario conditions and revenues and expenses. At these BHCs, business-line expertise was leveraged in the development of methodologies. A key part of this exploration was determining the way that revenues and expenses were segmented for projection purposes. BHCs with stronger practices did not rely exclusively on the line-item definitions in regulatory reports, though these BHCs often established a process to clearly map internal BHC reporting conventions to the various line items on the FRY-14 schedules.

In contrast, BHCs with lagging practices lacked clear processes for translating assumed scenario conditions into revenue and expense projections. Frequently, it was observed that one or more material components of their projections appeared inconsistent with scenario conditions. In some cases, projections of certain revenue and expense components relied heavily on management judgment, which was not transparent, well supported, or subject to a robust challenge process. In other cases, revenue estimates varied from historical experience and conventional expectations, and management provided no documented support or analysis around the reasonableness and sensitivity of modeling assumptions. Overall, data limitations, unclear or unsubstantiated management assumptions, and poor documentation were the problems most prevalent across the BHCs.

Another commonly observed practice for estimating PPNR under stressed conditions was the adjustment of budget or baseline estimates, with budget estimates largely qualitatively derived through input from a variety of business lines and/or stakeholders across the BHC. Although a process of adjusting

42 See 12 CFR 225.8(d)(i)-(ii); FR Y-14A reporting form: Summary Schedule Instructions, pp. 5-6.

43 See id.

baseline estimates is not problematic in itself, some BHCs relied heavily on baseline estimates to develop stress scenario outcomes without considering favorable strategic actions and assumptions incorporated into baseline results that might not be realistic or feasible under stressed conditions. If a BHC derives stressed estimates by applying a stress overlay to baseline estimates, it should demonstrate the link between baseline estimates and baseline conditions, demonstrate the appropriateness of the overlay based on the differing conditions between the scenarios, and appropriately consider changes in management actions or other related assumptions under a stress scenario.

BHCs with weaker practices used models with low predictive power, in part due to data limitations. BHCs should not use weak models just for the sake of using a modeled approach to PPNR. Some BHCs used weak models either as a frame of reference or a starting point to translate economic factors into estimates of key PPNR components, but then adjusted the results using expert judgment. In such cases, BHCs should thoroughly explain and document why results, once adjusted, are consistent with the scenario conditions.44 In cases where models have low predictive power, BHCs with stronger practices found other ways to compensate, such as using industry-level models with BHC-specific market share assumptions to project revenue. In all cases, BHCs with stronger practices provided supplemental analysis describing why the approach was appropriate.

In cases where BHC-specific data were limited, BHCs with stronger practices used external data to augment and extend their internal data. BHCs with weaker practices relied on models that were overly influenced by limited data covering a single economic cycle. This approach is particularly problematic if the BHC also experienced favorable conditions, such as a significant recovery, during the single cycle, which might not recur in future downturns. In some cases, data were limited to as few as 10 quarters, which would not encompass a period of economic weakening or be sufficient to estimate a robust model, and thus would not be appropriate for considering potential results in a downturn. Many BHCs cited challenges due to systems mergers or changes that limited data availability, but failed to adequately compensate for these limitations by supplementing internal data with external industry data, where appropriate, or by considering whether longer time series of available aggregate data would be preferable to a shorter time series of more granular data.

Some BHCs with weaker practices made business model and strategy assumptions (e.g., new business, expense reductions, the assumption of mitigating actions) that were not consistent with stressed scenario conditions and the intent of a capital planning and stress testing exercise. For example, management assumed it would be able to drastically reduce loan origination activity, cut expenses, or take other mitigating actions in a severely adverse scenario without considering the longer-term consequences on the BHC's strategy and operating structure.

The following sections provide specific expectations for projecting key components of PPNR, as well as summary points on observed range of practice.

Net Interest Income

Net interest income projections are closely linked to many other elements of a BHC's capital plan. Balance sheet assumptions used to project net interest income should be consistent with balance sheet assumptions considered as part of loss estimation as well as with other asset and liability management assumptions. Loan pricing should be consistent with both scenario conditions and competitive and strategic factors, including projected changes to the size of the portfolio. Deposit projections should incorporate the impact of strategic plans and pricing on deposit growth or decline, in addition to scenario factors.

Net interest income projections are expected to incorporate the balances and contractual terms of current portfolio holdings as well as the behavioral characteristics of these portfolios. The methods BHCs use to project their net interest income should be able to capture dynamic conditions for both current and projected balance sheet positions. Such conditions include but are not limited to prepayment rates, new business spreads, re-pricing rates due to changes in yield curves, behavior of embedded optionality such as caps or floors, call options, and/or changes in loan performance (that is, transition to nonperforming or default status) consistent with loss estimates.

Some BHCs specified product characteristics and conducted analysis around these characteristics (e.g., repricing behavior, line utilizations) both for current assets and new originations in order to understand the variance in behaviors under the different scenarios considered. They also attempted to capture the product mix changes that would occur as a result of customer and market conditions (e.g., changes in domestic deposit mix due to anticipated growth in demand for time deposits for a specified scenario). BHCs with stronger documentation practices provided detailed tables explaining underlying assumptions such as balance drivers and spread and growth assumptions by product.

Some BHCs partially integrated loss projections into net interest income projections but did not adequately align all projection-related assumptions. For example, these BHCs might take the full loan loss projections and allocate them across the portfolios

44 See id.

Chapter 14 Capital Planning at Large Bank Holding Companies ■ 259


based on the current mix of nonperformance across those loan portfolios, without considering the changing relative performance of those portfolios over the course of the scenario. Other BHCs were unable to demonstrate coherence between net interest income projections and loss projections, generally because one or both modeling approaches did not fully capture the behavioral characteristics of the loan portfolio.

BHCs with stronger practices had net interest income projection methodologies that captured adjustments in the amortization of discounts or premiums for assets held at a value other than par that would occur under various scenarios. Under FASB Statement No. 91,45 yields would adjust under varying scenarios as amortization schedules change due to changes in expected payment speeds.

For pricing, many BHCs assumed a constant spread to a designated index. BHCs with stronger practices considered whether this assumption was consistent with historical experience and assumed scenario conditions as well as the BHC's strategy as reflected in the balance sheet projections. Some BHCs recognized that new business pricing could differ as a result of tightening or widening of spreads and documented these assumptions.

Non-Interest Income

BHCs are expected to produce stressed projections of non-interest income that are consistent with assumed scenario conditions, as well as with stated business strategies. Due to inherent challenges in estimating certain non-interest income components, some BHCs used more than one method and/or employed benchmark analysis to inform estimates. Stronger methodologies estimated non-interest income at a granular-enough level to capture key risk factors or characteristics specific to an activity or product. For example, for asset management, many BHCs used different methods to project revenue from brokerage activities and fund management activities.

Like all aspects of PPNR, internal consistency between non-interest income and other assumptions such as projected paths for the balance sheet and RWA is important. BHCs should establish relationships between material components of non-interest income and the balance sheet for components that are highly correlated with the path of the balance sheet, such as some kinds of loan-related fee income. BHCs with trading assets should document how trading revenue projections are linked to trading assets, trading liabilities, and trading RWA and how all these elements are consistent with conditions in the stress scenario.46 BHCs with business profiles driven by off-balance-sheet items should document how revenue projections are linked to on- and off-balance-sheet behavior.47 Although relationships between revenue and trading assets or off-balance-sheet items may be weak over short periods, BHCs should nevertheless establish a procedure for projecting relevant balance sheet and RWA categories in support of those revenues and test for the reasonableness of the implied return on assets (ROA). If a BHC estimates trading or private equity revenue by tying balance changes to changes in broad indices, the BHC should establish the level of sensitivity of its positions relative to the indices and not automatically assume a perfect correlation between the two.

BHCs with mortgage servicing right (MSR) assets should ensure that delinquency, default, and voluntary prepayment assumptions are robust and scenario-dependent. These models should capture macroeconomic variables, especially home prices. For those BHCs that routinely hedge MSR exposure, hedge assumptions and results for enterprise-wide scenario analysis should reflect the stress scenario. Some BHCs assumed a perfect or near-perfect hedge relationship between changes in the value of their MSR and hedge portfolio, and captured the ineffectiveness of the hedge under the stress scenario through the net carry, transaction costs, and/or bid-ask spread components. BHCs with stronger practices used an optimization routine that dynamically rebalanced the hedge portfolio each quarter.

BHCs with stronger practices considered individual business models and client profiles when projecting revenue and fee income from various business activities. BHCs with stronger practices also considered capacity constraints when estimating mortgage loan production and loan sales over the scenario horizon, whereas BHCs with weaker practices assumed significant increases in volume without regard to market saturation or other factors. Other weaker practices observed included using the same strategic business assumptions in both the baseline and stress scenarios and making favorable assumptions around new business and/or market share gains. For example, some BHCs assumed that all baseline initiatives would be implemented in stress scenarios without interruption or changes to the outcomes.

In addition, BHCs with weaker practices did not show sufficiently stressed declines in revenue relative to assumed scenario conditions, despite stated correlations to macroeconomic and other drivers. For example, while many BHCs showed significant declines in credit card gross-interchange fee revenue due to declines in consumer spending, some BHCs also assumed that significant declines in marketing expenses recorded as contra-revenue would more than offset the declines in gross interchange revenue, resulting in an increase in net revenue. Other BHCs assumed revenue components, such as fees or trading revenue, could not fall below historical levels.

Further, BHCs with weaker practices considered only a very limited set of scenario variables and/or drivers in establishing relationships, which resulted in estimates that appeared inconsistent with the scenario. For example, some BHCs used interest rates only to project origination activity or solely used asset balances (instead of the number of accounts) to estimate account fees. Other BHCs simply regressed high-level revenue items against scenario factors rather than considering how scenario conditions would affect the key drivers of those line items (such as volume). For instance, modeling interchange revenues or asset management fees is likely to be less effective than modeling customer spending or assets under management, respectively, given the scenario being used, and then considering fee and/or rate movement.

Non-Interest Expense

BHCs should fully consider the various impacts of the assumed scenario conditions on their non-interest expense projections, including costs that are likely to increase during a downturn. For example, items such as other real estate owned or credit-collection costs may spike, whereas management may have some ability to control other expenses. Like other projections, non-interest expense projections should be consistent with balance sheet and revenue estimates and should reflect the same strategic business assumptions. BHCs with weaker practices did not account for additional headcount needs in certain areas, nor for any corresponding changes to compensation expense associated with increased collections activity resulting from declines in portfolio quality and/or increased underwriting activity to support any assumed portfolio growth.

To the extent the projections assume mitigating actions to offset revenue declines, BHCs should demonstrate that such actions are attainable in the scenario, given assumed asset levels and the resources necessary to support operations. If the projections embed material expense reductions, such assumptions should be supported with analysis of historical data or empirical evidence and subject to challenge and review. BHCs with weaker practices assumed mitigating actions consistent with past actions but failed to consider how differences in the business environment and the severity of the economic conditions might affect their ability to execute such actions. BHCs are expected to evaluate the timing of projected strategies and their impact on future revenue, expenses, and operating structure.

BHCs with stronger practices had estimation methodologies that considered the drivers of individual expense items and the sensitivity of those drivers to changing scenario conditions and business strategies. They considered the timing of non-interest expense cuts and recognized that the BHC might not be able to react to a developing stressful scenario immediately or might be subject to existing contractual obligations that could not be altered. BHCs with weaker practices generated non-interest expense estimates that appeared unrealistic in light of assumed scenario conditions. Some BHCs assumed that they could immediately reduce costs through dramatic cuts in marketing and rewards programs, compensation, or other discretionary expenses. Projecting sizeable reductions in key expense components without providing sufficient support as to the reasonableness of the cuts, how management intends to realize the cuts, and how the cuts will affect future revenue is not acceptable. Additionally, such assumptions imply perfect knowledge of the conditions as they unfold, rather than a series of independent decisions that would be made by management as the scenario unfolds.

14.8 ASSESSING CAPITAL ADEQUACY IMPACT

Balance Sheet and RWAs

BHCs should have a well-documented process for generating projections of the size and composition of on- and off-balance sheet positions and RWA over the scenario horizon.48 Balance projections are a key input to enterprise-wide scenario analysis given their direct impact on the estimation of losses, PPNR, and RWA. Estimating the evolution of balance sheet size and composition under stress integrates many interrelated features. For example, loan balances and the stock of AFS securities at a point in time will depend upon origination, purchase, and sale activity from period to period, as well as maturities, prepayments, and defaults. Due to complexities related to dynamically projecting and integrating various components (e.g., originations, prepayments and defaults), most BHCs made direct projections of balances for each major segment of the balance sheet (e.g., loans, deposits, trading assets and liabilities, and other assets) for each quarter of the scenario horizon.

45 Financial Accounting Standards Board, "Accounting for Nonrefundable Fees and Costs Associated with Originating or Acquiring Loans and Initial Direct Costs of Leases—an Amendment of FASB Statements No. 13, 60, and 65 and a Rescission of FASB Statement No. 17 (Issued 12/86)," FASB Statement No. 91.
46 See FR Y-14A reporting form: Summary Schedule Instructions, p. 5.
47 12 CFR 225.8(d)(3)(iii); see also FR Y-14A reporting form: Summary Schedule Instructions, pp. 5-6.
48 12 CFR 225.8(d)(2)(i)(A); see also FR Y-14A reporting form: Summary Schedule Instructions, p. 6.
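Two points in the preceding sections are easier to see in working code than in prose: the Net Interest Income observation that, under FASB Statement No. 91, the yield on an asset held at other than par changes when expected payment speeds change, and the point just above that balances should be built from their drivers (originations, scheduled paydown, prepayments, defaults) rather than projected as targets. The following is an added example written for this edition, not code from the Federal Reserve or from any BHC's projection platform; the ordering of events within a month, the 30-year term on new originations, the 40 percent loss severity and the two scenario paths are all assumptions chosen for illustration.

```python
"""Added example (not from the Federal Reserve's range-of-practice text): a loan-pool
engine that (1) rolls balances forward from their drivers instead of projecting
target balances directly and (2) shows the FASB Statement No. 91 effect: the level
yield on a pool held at other than par moves when expected prepayment speed changes.
Event ordering, loss severity, loan terms and scenario numbers are all assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass
class Vintage:
    balance: float
    coupon: float       # annual nominal rate, paid monthly
    months_left: int


def smm(annual_rate: float) -> float:
    """Single-month rate equivalent to an annual CPR (prepayment) or CDR (default)."""
    return 1.0 - (1.0 - annual_rate) ** (1.0 / 12.0)


def level_payment(balance: float, c: float, n: int) -> float:
    """Level monthly payment that amortizes `balance` at monthly rate c over n months."""
    return balance / n if c == 0.0 else balance * c / (1.0 - (1.0 + c) ** -n)


def step_month(v: Vintage, cpr: float, cdr: float, severity: float) -> Dict[str, float]:
    """Advance one vintage by a month and return its cash and balance drivers.
    Assumed order: defaults hit the opening balance, interest accrues on the
    performing balance, scheduled principal follows the level-payment schedule,
    prepayments hit the remainder; recoveries are (1 - severity) of defaults."""
    if v.balance <= 0.0 or v.months_left <= 0:
        v.balance = 0.0
        return dict.fromkeys(("interest", "scheduled", "prepay", "default", "recovery", "cash"), 0.0)
    c = v.coupon / 12.0
    default = v.balance * smm(cdr)
    performing = v.balance - default
    interest = performing * c
    scheduled = level_payment(performing, c, v.months_left) - interest
    prepay = (performing - scheduled) * smm(cpr)
    recovery = default * (1.0 - severity)
    v.balance = performing - scheduled - prepay
    v.months_left -= 1
    return {"interest": interest, "scheduled": scheduled, "prepay": prepay, "default": default,
            "recovery": recovery, "cash": interest + scheduled + prepay + recovery}


def effective_yield(price: float, coupon: float, term: int, cpr: float,
                    cdr: float = 0.0, severity: float = 0.0) -> float:
    """Annualized level yield that discounts projected pool cash flows to `price`
    (per 1.0 of par), by bisection on the monthly rate. This is the FAS 91 rate at
    which a discount or premium is accreted, so it must be re-solved when the
    scenario changes the expected prepayment speed."""
    v = Vintage(1.0, coupon, term)
    flows = [step_month(v, cpr, cdr, severity)["cash"] for _ in range(term)]

    def pv(y: float) -> float:
        return sum(cf / (1.0 + y) ** (t + 1) for t, cf in enumerate(flows))

    lo, hi = -0.05, 0.5   # monthly bracket: pv(lo) > price > pv(hi) for realistic inputs
    for _ in range(200):
        mid = (lo + hi) / 2.0
        lo, hi = (mid, hi) if pv(mid) > price else (lo, mid)
    return 12.0 * (lo + hi) / 2.0


def roll_forward(vintages: List[Vintage], quarters: Sequence[Dict[str, float]],
                 severity: float) -> List[Dict[str, float]]:
    """Quarterly balance roll-forward driven by the scenario path: each quarter dict
    gives CPR, CDR, the coupon on new business and the volume of originations
    (assumed 30-year loans booked at the start of the quarter)."""
    rows = []
    for q in quarters:
        begin = sum(v.balance for v in vintages)
        if q["originations"] > 0.0:
            vintages.append(Vintage(q["originations"], q["coupon"], 360))
        drivers = dict.fromkeys(("interest", "scheduled", "prepay", "default"), 0.0)
        for _ in range(3):
            for v in vintages:
                m = step_month(v, q["cpr"], q["cdr"], severity)
                for k in drivers:
                    drivers[k] += m[k]
        rows.append({"begin": begin, "originations": q["originations"], **drivers,
                     "end": sum(v.balance for v in vintages)})
    return rows


def scenario_quarters(stress: bool) -> List[Dict[str, float]]:
    """Constructed four-quarter paths: stress slows prepayments, raises defaults and
    cuts new business relative to baseline. Illustrative numbers, not BHC data."""
    if stress:
        return [{"cpr": 0.06, "cdr": 0.08, "coupon": 0.07, "originations": 20.0}] * 4
    return [{"cpr": 0.18, "cdr": 0.01, "coupon": 0.05, "originations": 60.0}] * 4


if __name__ == "__main__":
    for name in ("baseline", "stress"):
        rows = roll_forward([Vintage(1000.0, 0.06, 300)], scenario_quarters(name == "stress"), 0.4)
        print(name, "end balances:", [round(r["end"], 1) for r in rows])
    print("discount pool, CPR 20% vs 5%:", effective_yield(0.95, 0.06, 360, 0.20), effective_yield(0.95, 0.06, 360, 0.05))
```

Each quarter's row reconciles by construction (end = begin + originations - scheduled - prepay - default), which is the identity a reviewer should demand of any balance projection that claims to be driver-based. For a pool at par the solved yield equals the coupon whatever the prepayment speed; for a pool bought at a discount a stress scenario that slows prepayments lowers the yield, and for a premium pool it raises it, which is why a constant-yield assumption carried over from the baseline is inconsistent with a scenario that changes payment speeds.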



BHCs often faced challenges in integrating the ultimate balance projections with other aspects—for example, borrower or depositor behavior. BHCs with stronger practices separately considered the drivers of change to asset and funding balances, such as contractual paydowns, modeled prepayments, nonperformance, and new business activity for assets, rather than simply projecting targeted balances directly. At these BHCs, each element was separately assessed for consistency with scenario conditions and other management assumptions. BHCs with stronger practices also either directly considered the impact of these various factors in their balance projections or had procedures to evaluate the reasonableness of any implied behavior by including input from business-line leaders in the process and iterating to reasonable estimates in a well-supported and transparent manner.

BHCs should clearly establish and incorporate into their scenario analysis the relationships among and between revenue, expense, and on- and off-balance-sheet items under stressful conditions. Most BHCs used asset-liability management (ALM) software as a part of their enterprise-wide scenario-analysis toolkit, which helps integrate these items. BHCs that do not use ALM software must have a process that integrates balance sheet projections with revenue, loss, and new business projections. BHCs with more tightly integrated procedures were better able to ensure appropriate relationships among the scenario conditions, losses, expenses, revenue, and balances.

As noted above, BHCs should not rely on favorable assumptions that cannot be reasonably assured in stress scenarios given the high level of uncertainty around market conditions. Examples of aggressive or favorable balance sheet assumptions include (1) large changes in asset mix that serve to decrease BHCs' risk weights and improve post-stress capital ratios but that are not adequately supported or reflected in PPNR or loss estimates; (2) "flight-to-quality" assumptions and funding mix changes that increase deposits and reduce the dollar cost of funding; (3) significant balance sheet shrinkage with no consideration of the potential losses associated with reducing positions in periods of market stress; and (4) operating margin improvement. BHCs that make favorable assumptions should have sufficient evidence that they can be reasonably assured in the assumed stress scenario.

BHCs' RWA projections should be based on corresponding projections of on- and off-balance-sheet exposures and their risk attributes and should be consistent with the severity of the stress conditions under each scenario. For general credit-risk exposures, BHCs should project balances for material asset categories with sufficient granularity to facilitate application of regulatory risk-weighting approaches associated with different asset categories. For trading exposures, BHCs should translate changes in scenario variables into risk-parameter estimates that drive RWA calculations (e.g., the potential for RWA per dollar of some trading book positions to increase in periods of higher levels of general market volatility). Where RWA projections are based on internal risk models, BHCs should not assume any RWA reductions from potential data or model enhancements to RWA calculation methodologies over the projection period. In all cases, BHCs should document any assumptions made as part of the balance sheet and RWA projection process and perform independent reviews and validations of balance sheet and RWA projection methodologies and resulting estimates.49

Allowance for Loan and Lease Losses (ALLL)

BHCs should maintain an adequate ALLL along the scenario path and at the end of the scenario horizon. Reserve adequacy should be assessed against projected size, composition, and risk characteristics of the loan portfolio throughout the scenario horizon. In general, the ALLL build and release should be consistent with the scenario path, portfolio credit quality, loss recognition approach, loan loss estimates, and loan portfolio balance projections (including any portfolio growth assumptions). If BHCs use estimation approaches that implicitly delay the recognition of losses, such as net charge-off models, they should adequately build reserves to account for losses not recognized during the scenario horizon. If the approach relies on top-down coverage levels, BHCs should compare coverage ratios and loss-emergence periods to historical stress environments and to internal policies and explain the differences if material differences exist.

Aggregation of Projections

BHCs should have a well-established and consistently executed process for aggregating loss, revenue and expense, and on- and off-balance sheet and RWA estimates, as part of enterprise-wide scenario analysis, to assess the post-stress impact of those estimates on capital ratios. BHCs that are more effective at implementing such a process have established centralized groups with responsibility for

• combining loss, revenue, balance sheet, and RWA projections;
• providing strong governance and controls around the process;

49 See id.

• ensuring coherence of component estimates and aggregate results; and
• applying and documenting any adjustments.50

These centralized groups have been able to source estimates from a range of internal parties involved in enterprise-wide scenario analysis and develop consolidated pro forma financial results that are internally consistent and conform to accounting standards.

BHCs should develop a governance structure around the enterprise-wide scenario analysis process that provides for a robust analysis and challenge of the coherence of the aggregate results and determine whether any adjustments need to be made based on the analysis. In particular, BHCs should assess whether the paths of individual loss and revenue components are consistent with the paths of balance sheet and RWA estimates and the overall scenario path. For example, an increase in PPNR amid declining balances would appear generally inconsistent and should warrant further investigation. In assessing consolidated financial results, BHCs should account for any potential changes in relationships between losses and financial performance drivers during periods of stress.

BHCs should have a good understanding of instances when exposures with similar underlying risk characteristics that are part of different portfolios or business lines exhibit different sensitivities to scenario conditions. BHCs should identify instances where the differences are due to inconsistent assumptions or modeling approaches that require management attention, rather than differences in accounting treatment. In addition, if a BHC's enterprise-wide scenario analysis results in post-stress outcomes that are more favorable than those under baseline conditions, BHCs should critically evaluate the reasonableness and consistency of assumptions across portfolios, business lines, and other areas of loss and revenue estimation.

BHCs that had an effective aggregation process leveraged their business planning and financial and regulatory reporting systems as part of that process. Using standalone tools or spreadsheets in the aggregation process is a weak practice. If a BHC needs to use standalone tools or spreadsheets due to systems limitations, management should ensure robust controls are in place, including access and change controls, and should maintain an audit trail and document all approvals for any adjustments made. BHCs should also have reconciliation procedures and data quality and logic checks in place to ensure that the results from the enterprise-wide scenario analysis reconcile to both management reporting and regulatory reports, with a transparent mapping between various reporting taxonomies.

BHCs with weaker practices had limited or no reconciliation procedures or other controls in place to ensure the integrity, completeness, and accuracy of the consolidated post-stress capital metrics. BHCs with weaker practices also had no process to ensure consistency in the BHC-wide application of scenario assumptions and management adjustments, and had weak governance and documentation standards.

14.9 CONCLUDING OBSERVATIONS

The goal of this publication is to outline the Federal Reserve's expectations for internal capital planning at large BHCs and to highlight the range of current practice as observed during the 2013 CCAR. This discussion is intended to provide a more comprehensive set of criteria to assist BHC management in assessing their current capital planning processes and in designing and implementing improvements to those processes, as well as to provide insight to a broader audience about the key aspects of BHCs' capital planning practices.

Internal capital planning practices have evolved considerably since the financial crisis and the implementation of the Federal Reserve's Capital Plan Rule in 2011. BHCs have made advances in the identification and measurement of the risks to their capital and in the integration of stress testing and capital planning into their broader strategic planning processes. The fundamental insight governing the Federal Reserve's expectations about capital planning is the importance of having a forward-looking perspective on the risks to a BHC's capital resources under severely stressful conditions. In particular, a forward-looking perspective involves understanding how a BHC's revenue-generating capacity and potential losses could be affected in stressed economic and financial market conditions; understanding the particular vulnerabilities arising from its business model and activities; and having a capital policy in place that governs the BHC's capital actions under both "normal" and stressed economic conditions. These elements represent substantial conceptual and operational improvements in capital planning that go well beyond simple consideration of current and expected future capital ratios.

While many of the large BHCs subject to the Capital Plan Rule have made substantial improvements in capital planning, there is still considerable room for advancement across a number of dimensions. Areas where some BHCs continue to fall short of leading practice include

• not being able to show how all their risks were accounted for in their capital planning processes;
• using stress scenarios and modeling techniques that did not address the particular vulnerabilities of the BHC's business model and activities;

50 See id.



• generating projections for at least some components of loss, revenue, or expenses using approaches that were not robust, transparent, and/or repeatable, or that did not fully capture the impact of stressed conditions;
• having capital policies that did not clearly articulate a BHC's capital goals and targets, did not provide analytical support for how these goals and targets were determined to be appropriate, and/or were not comprehensive or detailed enough to provide clear guidance about how the BHC would respond as its capital position changed in different economic circumstances; and
• having less-than-robust governance or controls around the capital planning process, including around fundamental risk-identification, -measurement, and -management practices that are among the critical elements that support robust capital planning.

All the BHCs that participated in CCAR faced challenges across one or more of these areas. And although many BHCs demonstrated leading practices in several dimensions of capital planning, the leading capital planning practices identified in this paper will continue to evolve as new data become available, economic conditions change, new products and businesses introduce new risks, and estimation techniques advance further. As the frontier of capital planning practice advances, the Federal Reserve's expectations for how BHCs implement the requirements of the Capital Plan Rule and the related company-run stress testing required under the Dodd-Frank Act will also evolve.51 Such advances in capital planning practices will enhance the health and stability of individual BHCs and of the overall banking system.

51 12 CFR part 252, subpart G.
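The Aggregation of Projections section of this chapter asks for data quality and logic checks, reconciliation of component estimates to consolidated results, and an audit trail with documented approvals for every management adjustment, and it names one specific coherence test: PPNR rising while balances decline. The following is an added example written for this edition of the kind of checks a centralized aggregation group could run before sign-off; it is not code from the Federal Reserve or from any BHC's aggregation platform. The record layout, the $0.5 million reconciliation tolerance, the three-quarter baseline and stress paths (with one inconsistency deliberately planted in the third stress quarter) and the hash-chained log design are all assumptions chosen for illustration.

```python
"""Added example (not from the Federal Reserve text): logic checks, reconciliations
and an append-only adjustment log for aggregated stress-test projections. Records
are one per quarter, in $ millions; every value below is constructed."""
import hashlib
import json
from typing import Dict, List

TOL = 0.5   # assumed reconciliation tolerance in $ millions


def check_quarter(q: Dict) -> List[str]:
    """Identities a single quarter's consolidated record must satisfy."""
    out = []
    ppnr = q["nii"] + q["non_ii"] - q["nie"]
    if abs(ppnr - q["ppnr"]) > TOL:
        out.append(f"Q{q['quarter']}: PPNR {q['ppnr']} does not equal NII + non-II - NIE = {ppnr}")
    losses = sum(q["losses_by_portfolio"].values())
    if abs(losses - q["total_losses"]) > TOL:
        out.append(f"Q{q['quarter']}: portfolio losses {losses} do not sum to total losses {q['total_losses']}")
    alll_end = q["alll_begin"] + q["provision"] - q["net_charge_offs"]
    if abs(alll_end - q["alll_end"]) > TOL:
        out.append(f"Q{q['quarter']}: ALLL roll-forward breaks (expected {alll_end}, got {q['alll_end']})")
    return out


def check_path(path: List[Dict]) -> List[str]:
    """Cross-quarter coherence checks: PPNR rising while balances fall, RWA falling
    while balances grow, and ALLL not carrying forward between quarters."""
    out = [f for q in path for f in check_quarter(q)]
    for prev, cur in zip(path, path[1:]):
        tag = f"Q{cur['quarter']}"
        if cur["ppnr"] > prev["ppnr"] and cur["balances"] < prev["balances"]:
            out.append(f"{tag}: PPNR increased while balances declined")
        if cur["rwa"] < prev["rwa"] and cur["balances"] > prev["balances"]:
            out.append(f"{tag}: RWA declined while balances grew")
        if abs(cur["alll_begin"] - prev["alll_end"]) > TOL:
            out.append(f"{tag}: opening ALLL does not match prior quarter's closing ALLL")
    return out


def compare_to_baseline(stress: List[Dict], baseline: List[Dict]) -> List[str]:
    """A post-stress capital ratio above the baseline's needs critical review."""
    return [f"Q{s['quarter']}: stress CET1 {s['cet1_ratio']} exceeds baseline {b['cet1_ratio']}"
            for s, b in zip(stress, baseline) if s["cet1_ratio"] > b["cet1_ratio"]]


class AdjustmentLog:
    """Hash-chained record of management adjustments: each entry commits to the
    previous one, so an altered or deleted entry breaks verify()."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _digest(entry: Dict) -> str:
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, quarter: int, line_item: str, amount: float,
               rationale: str, approver: str) -> str:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {"quarter": quarter, "line_item": line_item, "amount": amount,
                 "rationale": rationale, "approver": approver, "prev": prev}
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry["digest"]

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def _rec(quarter, nii, non_ii, nie, balances, rwa, losses, alll_begin, provision, nco, cet1):
    """Build one consolidated quarterly record (constructed data)."""
    return {"quarter": quarter, "nii": nii, "non_ii": non_ii, "nie": nie,
            "ppnr": nii + non_ii - nie, "balances": balances, "rwa": rwa,
            "losses_by_portfolio": losses, "total_losses": sum(losses.values()),
            "alll_begin": alll_begin, "provision": provision, "net_charge_offs": nco,
            "alll_end": alll_begin + provision - nco, "cet1_ratio": cet1}


def baseline_path() -> List[Dict]:
    return [_rec(1, 100, 50, 90, 1000, 800, {"cards": 10, "mortgages": 5}, 40, 15, 12, 10.0),
            _rec(2, 102, 51, 91, 1010, 808, {"cards": 11, "mortgages": 5}, 43, 16, 13, 10.1),
            _rec(3, 104, 52, 92, 1020, 816, {"cards": 11, "mortgages": 6}, 46, 17, 14, 10.2)]


def stress_path() -> List[Dict]:
    """Constructed stress path with one planted inconsistency in Q3: PPNR recovers
    while the balance sheet keeps shrinking."""
    return [_rec(1, 95, 40, 92, 990, 820, {"cards": 25, "mortgages": 15}, 40, 45, 30, 9.2),
            _rec(2, 90, 35, 93, 970, 840, {"cards": 35, "mortgages": 20}, 55, 60, 45, 8.5),
            _rec(3, 92, 45, 85, 950, 850, {"cards": 30, "mortgages": 18}, 70, 40, 40, 8.3)]


if __name__ == "__main__":
    for f in check_path(stress_path()) + compare_to_baseline(stress_path(), baseline_path()):
        print("FINDING:", f)
    log = AdjustmentLog()
    log.record(3, "non_ii", -8.0, "remove unsupported fee recovery", "CFO")
    print("adjustment log intact:", log.verify())
```

The findings are prompts for the challenge process, not automatic rejections: a PPNR increase amid falling balances may have a documented explanation, but the chapter's point is that it must be investigated and the explanation recorded alongside the result. The hash chain makes a silent edit to, or deletion from, the adjustment log detectable at verification time; it does not replace access and change controls on wherever the log is stored, and the approver field is only as trustworthy as the authentication behind the system that writes it.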

Stress Testing Banks

Learning Objectives

After completing this reading you should be able to:

• Describe the historical evolution of the stress testing process and compare methodologies of historical EBA, CCAR and SCAP stress tests.
• Explain challenges in designing stress test scenarios, including the problem of coherence in modeling risk factors.
• Explain challenges in modeling a bank's revenues, losses, and its balance sheet over a stress test horizon period.

Excerpt by Til Schuermann is reprinted from the International Journal of Forecasting 30, no. 3, (2014) pp. 717-728.
ABSTRACT

How much capital and liquidity does a bank need to support its risk taking activities? During the recent (and still ongoing) financial crisis, answers to this question using standard approaches, e.g., regulatory capital ratios, were no longer credible, and thus broad-based supervisory stress testing became the new tool. Bank balance sheets are notoriously opaque and susceptible to asset substitution (easy swapping of high risk for low risk assets), so stress tests, tailored to the situation at hand, can provide clarity by openly disclosing details of the results and approaches taken, allowing trust to be regained. With that trust re-established, the cost-benefit of stress testing disclosures may tip away from bank-specific towards more aggregated information. This paper lays out a framework for the stress testing of banks: why it is useful and why it has become such a popular tool for the regulatory community in the course of the recent financial crisis; how stress testing is done (design and execution); and finally, with stress testing results in hand, how one should handle their disclosure, and whether it should be different in crisis vs. "normal" times.

15.1 INTRODUCTION

There are three kinds of capital and liquidity: (1) the capital/liquidity you have; (2) the capital/liquidity you need (to support your business activities); and (3) the capital/liquidity the regulators think that you need.1 Stress testing, regulatory capital/liquidity and bank-internal (so-called "economic capital/liquidity") models all seek to do the same thing: to assess the amount of capital and liquidity which is needed to support the business activities of the financial institution. Capital adequacy addresses the right side of the balance sheet (net worth), and liquidity the left side (share of assets that are "liquid", however defined). If all goes well, both the economic and regulatory capital/liquidity are less than the required regulatory minimum, and their difference (between economic and regulatory) is small, that is, regulatory models do not deviate substantially from the results of internal models.

Prior to their failure or near-failure, financial institutions such as

and Basel 1 (Wachovia), the OTS (WaMu), and OFHEO (Fannie and Freddie)—the last actually based on a narrow stress scenario. All firms had a broad exposure to residential real estate assets, in the form of either whole loans (mortgages) or securities (MBS), or both, and all had internal risk models which may or may not have deviated materially from the regulatory models (we do not know this, as it is/was firm proprietary information).3 Yet the answer to the question of what is the capital you need vs. the capital you have came out wrong in each case. Of course, neither firm-internal (economic) nor regulatory capital and liquidity models can guarantee failure prevention; indeed, that is not their purpose, as every firm accepts some probability of failure, sized by its risk appetite. Nevertheless, the cascading of defaults, and the resulting deep skepticism of the market's stated capital adequacy, forced regulators to turn to a new tool for assessing the capital adequacy of banks in a credible way. That tool turned out to be stress testing.4

This paper lays out a framework for the stress testing of banks: why it is useful and why it has become such a popular tool for the regulatory community in the course of the recent financial crisis; how stress testing is done (design and execution); and finally, with stress testing results in hand, how one should handle their disclosure, and whether it should be different in crisis vs. "normal" times. The framework is equally applicable to capital and liquidity adequacy, but for the sake of simplicity, the bulk of the discussion will focus on capital.

A successful macro-prudential stress testing program, particularly in a crisis, has at least two components: first, a credible assessment of the capital strength of the tested institutions, to size the capital "hole" that needs to be filled, and second, a credible way of filling that hole. The US bank stress test in 2009, the Supervisory Capital Assessment Program or SCAP, may serve as a useful example. The US entered 2009 with an enormous uncertainty about the health of its banking system. In the absence of a more concrete and credible understanding of the problems with bank balance sheets, investors were reluctant to commit capital, especially given the looming threat of possible government dilution. With a credible assessment of losses under a sufficiently stressful macroeconomic scenario, the supervisors
hoped to draw a line in the sand for the m arkets: fill this hole,
Bear Stearns, Washington Mutual, Fannie Mae, Freddie Mac,
and you won't risk being diluted later because the scenario
Lehman and Wachovia were adequately or even well capitalized,
wasn't tough enough. Moreover, if some institutions could not
at least according to the regulatory capital rules disclosed in their
public filings.2 This set of institutions spans a broad range of regu­
latory capital regimes and regulators: the SEC and Basel 2 capital 3 Lester, Reynolds, Schuerm ann, and Walsh (2012) report that, out
of 16 banks (US and non-US) that publicly disclosed their econom ic
rules (Bear Stearns, Lehman), the O C C and the Federal Reserve
capital before the crisis, four actually exp erienced losses exceed ing
those requirem ents, all of which w ere calibrated to at least the 99.9%
level (im plying an accep tab le annual default probability of no more
1 This pithy sum m ary I owe to Peter Nakada. than 10bp).

2 Kuritzkes and Scott (2009) make the case for a more market-oriented 4 Flannery (2012) argues that stress tests should be evaluated on a fair
assessm ent of capital adequacy. value (rather than book capital) basis.

266 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
convince investors to fill the hole, a US government program, namely the Treasury's Capital Assistance Program (CAP), stood ready to supply the required capital. Importantly, the US Treasury was a sufficiently credible debt issuer that the CAP promise was itself credible.5 All banks with assets greater than $100 bn (YE 2008) were included, accounting for two-thirds of the total assets and about half of the total loans in the US banking system. In the end, ten of the 19 SCAP banks were required to raise a total of $75 bn in capital within six months, and indeed raised $77 bn of Tier 1 common equity in that period.6 None needed to draw on CAP funds.

The European experience in 2010 and 2011 stands in stark contrast to the 2009 SCAP. Against the background of a looming sovereign debt crisis in the peripheral eurozone countries, the Committee of European Bank Supervisors (CEBS) conducted a stress test of 91 European banks in 2010, covering about two-thirds of the total European bank assets and at least half of that in any given participating country. The stress test included imposing haircuts on the market value of sovereign bonds held in the trading book; however, the bulk of the sovereign exposure was (and is) in the banking book. Of the 91 banks, only seven were required to raise a total of €3.5 bn (< $5 bn at the time) in capital. The level of disclosure provided was rather less than in the SCAP. For instance, loss rates by firm were only made available for two sub-categories: overall retail and overall corporate.7 By contrast, the SCAP results released loss rates by major asset class such as first-lien mortgages, credit cards, commercial real estate, and so on. Markets reacted benignly nonetheless— until a few months later, when Ireland requested financial assistance from the EU and the IMF. Subsequent stress tests of just the Irish banks, conducted largely by outside independent advisors (BlackRock), revealed a total capital need of €24 bn; all of these banks had previously passed the CEBS stress test. Moreover, to help close the credibility gap, the extent and degree of disclosure was far greater than in any of the stress testing exercises to date.8 The markets reacted favorably, with both bank and Irish sovereign credit spreads tightening. The stakes for the 2011 European stress test, now conducted by the successor to the CEBS— the European Banking Authority (EBA)— had risen substantially.

At first glance, the results of the 2011 EBA stress test of 90 banks in 21 countries were mild, similar to the previous year's.9 Eight banks were required to raise a total of only €2.5 bn. However, the degree of disclosure was much more extensive, approaching the high bar set by the Central Bank of Ireland in March 2011, including information on exposure by asset class by geography. Importantly, all bank level results were available to download in spreadsheet form, to enable market analysts to easily impose their own loss rate assumptions. In this way, the "official" results were no longer so final: analysts could (and did) easily apply their own sovereign haircuts on all exposures, and thus test the solvency of any of the 90 institutions themselves.

In an uncomfortable parallel to the Irish experience in 2010, the 2011 EBA stress test did nothing to alleviate concerns about the Spanish banking system. Five of the 25 Spanish banks in the EBA stress test did not pass, though once provisions and mandatory bond conversions (to equity) were taken into account, the required additional capital raise was €0. By the spring of 2012, Spain was engaged in or had announced several additional stress tests. First was the IMF's Financial Sector Assessment Program (FSAP), conducted jointly with the Banco de España. The results of this were released on June 8, 2012,10,11 with 11 of the 29 banks requiring a total of €17.7 bn capital using a post-stress hurdle similar to that of the SCAP (4% core Tier 1 capital), or 17 banks requiring a total of €37.1 bn using the higher hurdle of 7% core Tier 1 capital. Second was a short (4-week) top-down exercise conducted by two outside advisers (working in parallel to provide, ostensibly, two further independent assessments), and those results were released on June 21, 2012. No firm-specific results were provided, only an overall capital need. The first estimate, provided by Roland Berger, was €51.8 bn, while Oliver Wyman provided a range of €51-62 bn.12 A more detailed and intensive bottom-up analysis by Oliver Wyman followed, with results released on September 28, 2012, showing that 7 of the 14 banking groups needed a total of €57.3 bn using the post-stress core Tier 1 threshold of 6%;

5 Note that the act of a sovereign recapitalizing its banks involves that sovereign issuing debt and then investing ("downstreaming") it as equity in the bank(s).

6 http://www.federalreserve.gov/bankinforeg/scap.htm.

7 http://www.eba.europa.eu/EU-wide-stress-testing/2010/2010-EU-wide-stress-test-results.aspx.

8 http://www.centralbank.ie/regulation/industry-sectors/credit-institutions/Documents/The%20Financial%20Measures%20Programme%20Report.pdf.

9 http://www.eba.europa.eu/EU-wide-stress-testing/2011/2011-EU-wide-stress-test-results.aspx.

10 http://www.imf.org/external/pubs/ft/scr/2012/cr12137.pdf.

11 Most European exercises have tested to a post-stress hurdle of 6% core Tier 1; see the discussion in Section 3.

12 Roland Berger: http://www.bde.es/webbde/GAP/Secciones/SalaPrensa/InformacionInteres/ReestructuracionSectorFinanciero/Ficheros/en/informe_rolandbergere.pdf; Oliver Wyman: http://www.bde.es/webbde/GAP/Secciones/SalaPrensa/InformacionInteres/ReestructuracionSectorFinanciero/Ficheros/en/informe_oliverwymane.pdf.

Chapter 15 Stress Testing Banks ■ 267


merger activity had resulted in a significant reduction in independent banking entities.13

A summary of the major macro-prudential stress tests to date is provided in Table 15.3, and a summary of their disclosures is given in Table 15.1.

The SCAP was the first of the macro-prudential stress tests of this crisis, but the changes at the micro-prudential or bank-specific level were at least equally significant, and they are summarized in Table 15.2. With the SCAP, stress testing at banks went from mostly single factor shocks (or a handful) to using a broad macro scenario with market-wide stresses; from product or business unit stress testing, focusing mostly on losses, to firm-wide and comprehensive testing, encompassing losses, revenues and costs; and with all of these tied to a post-stress capital ratio to ensure a going concern.

The remainder of the paper proceeds as follows. Section 2 briefly reviews the scant literature, and Section 3 provides a discussion of how to design the stress scenario, including the choice of a post-stress capital hurdle. Section 4 describes modeling approaches for the three components needed to implement stress testing: losses, net revenues (profitability), and balance sheet dynamics. Section 5 reviews the disclosure regimes across the different stress tests to date in more detail, and presents a discussion of disclosure in "normal" times, after which Section 6 provides some concluding remarks.

Table 15.1 Summary of Disclosures Across Stress Test Exercises

| Exercise | Base and stress scenario results | Bank level results | Asset/product level loss rates | Exposure detail (asset class, maturity, geography) | Bank vs. supervisory/3rd party estimates |
| SCAP, March 2009 | Stress | ✓ | ✓ | | |
| CEBS, July 2010 | Both | ✓ | Retail, all corporate only | | |
| CCAR, March 2011 | | | | | |
| Ireland, March 2011 | Both | ✓ | ✓ | Sovereign only | ✓ |
| EBA, July 2011 | Both | ✓ | Retail, corporate, CRE | High | |
| CCAR, March 2012 | Stress | ✓ | ✓ | | |
| Spain (IMF), June 8, 2012 | Both | | | Asset class (aggregate) | |
| Spain (top-down), June 21, 2012 | Both | | ✓ | Asset class (aggregate) | |
| Spain (bottom-up), Sept. 28, 2012 | Both | ✓ | ✓ | Asset class (aggregate) | |

Table 15.2 Features of Stress Testing, Pre- and Post-SCAP

| Pre-SCAP | Post-SCAP |
| Mostly single shock | Broad macro scenario and market stress |
| Product or business unit level | Comprehensive, firm-wide |
| Static | Dynamic and path dependent |
| Not usually tied to capital adequacy | Explicit post-stress common equity threshold |
| Losses only | Losses, revenues and costs |

13 http://www.bde.es/f/webbde/SSICOM/20120928/informe_ow280912e.pdf.
Table 15.3a Summary of Macroprudential Stress Tests to Date

| Exercise | Target capital ratio^a | # of participating banks | Participation criteria (total coverage) | Balance sheet assumptions | Total required capital raise (for # of banks) | Risk types included: market, credit, liquidity (funding), operational |
| SCAP, March 2009 | 4% T1C; 6% T1 | 19 | All bank holding companies with at least $100 bn total assets (~2/3 of total banking assets) | Constant RWA | $75 bn (19) | M^b, C |
| CEBS, July 2010 | 6% T1 | 91 (20 countries) | Largest banks in country until at least 50% of total assets are included (~2/3 of total banking assets) | Constant total assets | €3.5 bn (7) | M, C |
| CCAR, March 2011 | 5% T1C | 19 | Original SCAP-19 | | None | M, C |
| Ireland, March 2011 | 6% T1C; 10.5% T1C (in base) | 4 | Largest banks not in wind-down mode | Allowed for balance sheet shrinkage | €24 bn (4) | M, C, L, O |
| EBA, July 2011 | 5% T1C | 90 (21 countries) | Largest banks in country until at least 50% of total assets are included (~2/3 of total banking assets) | Constant total assets | €2.5 bn (8) | M, C, L^c, O |
| CCAR, March 2012 | 5% T1C; 4% T1; 8% Total; 3%-4% leverage | 19^d | SCAP-19; an additional 11 BHCs with assets > $50 bn | | None | M, C, O |

a T1: Tier 1 capital ratio; T1C: Tier 1 common (or core) capital ratio.

b Only banks with at least $100 bn in trading assets were required to conduct the market risk stress test.

c Liquidity risk was not assessed directly, though funding stresses were taken into account, especially as they related to sovereign stress impacting the funding costs for financial institutions.

d Four of the 19 did not pass, in the sense of not having gained non-objection to their submitted capital plans.
Table 15.3b Summary of Macroprudential Stress Tests to Date— Spain 2012

| Exercise | Target capital ratio^a | # of participating banks^b | Participation criteria (total coverage) | Balance sheet assumptions | Total required capital raise (for # of banks) | Risk types included: market, credit, liquidity (funding), operational |
| IMF, June 8, 2012 | 7% T1C | 29 | Large and medium banks and cajas, together making up ~90% of total bank assets | Deleveraging | €37.1 (17) under 7% T1C | C, L |
| Top-down, June 21, 2012 | 9% T1C [base]; 6% T1C [stress] | 14 entities | Large and medium banks and cajas, together making up ~90% of total bank assets | Deleveraging | €16-25 [base]; €51-62 [stress] | C, L |
| Bottom-up, Sept. 28, 2012 | 9% T1C [base]; 6% T1C [stress] | 14 entities | Large and medium banks and cajas, together making up ~90% of total bank assets | Deleveraging | €24.1 (5) [base]; €57.3 (7) [stress] | C, L |

a T1: Tier 1 capital ratio; T1C: Tier 1 common (or core) capital ratio.

b The 14 entities are the result of mergers.

15.2 STRESS TESTING IN THE LITERATURE

Stress testing has been part of the risk manager's toolkit for a long time. It is perhaps the most basic of risk-based questions to want to know the resilience of an exposure to deteriorating conditions, be it a single position or loan or a whole portfolio. Typically, the stresses take the form of sensitivities (spreads double, prices drop, volatilities rise) or scenarios (Black Monday 1987, autumn of 1998, post-Lehman bankruptcy, severe recession, stagflation). These types of stresses lend themselves naturally to understanding financial risks, particularly in a data rich environment such as that found in a trading operation. Nonfinancial risks, such as operational, reputational and other business risks, are much harder to quantify and parameterize yet rely heavily on scenario analysis (earthquakes and other natural disasters, computer hacking, legal risks, and so on). While the original Basel I Accord of 1988 did not make any formal mention of stress testing, it merited its own section in the Market Risk Amendment of 1995, and thus became embedded in the regulatory codex. Indeed, evidence of stress testing capabilities is a requirement for regulatory approval of internal models.

Risk management as a technical discipline came into its own with the publication of the RiskMetrics technical document in 1994, and stress testing (of both kinds, sensitivities and scenarios) is mentioned throughout. The first edition of Jorion's standard-setting VaR book (Jorion, 1996) had a subsection devoted to the topic (which was elevated to a chapter in subsequent editions), and there must surely be earlier examples. Stress testing as a risk management discipline was found largely in the relatively data rich environment of the trading room, with the closely related treasury function of conducting interest rate scenarios and shocks.14 The Committee on Global Financial Systems (CGFS) of the BIS conducted a survey on stress testing in 2001, and it reinforces this view.15 In their summary of the CGFS report, Fender et al. (2001) point out that most of the scenarios involve shocks to market rates, prices or volatilities. Typical examples are equity market crashes such as October 1987, rates shocks such as 1994, credit spread widening such as during the fall of 1998, and so on. Such stress scenarios have the virtue of being

14 See Berkowitz (2000) and Kupiec (1998) for more extensive discussions of VaR-based stress testing.

15 See CGFS (2001) and the summary of its principal findings by Fender, Gibson, and Mosser (2001).
unambiguously articulated and defined, and are thus transparent and easy to implement and communicate, at least on assets that have themselves natural market prices or analogs, as is mostly the case in the trading book. More typical banking assets, such as corporate loans (especially to privately held firms) and consumer loans (e.g. auto loans), are less naturally amenable to this approach.

Formal stress testing of the banking book, which is dominated by credit risk, is more recent, partly because quantitative credit risk modeling is itself a newer discipline. Perhaps stimulated by the success of RiskMetrics, the late 1990s saw a spurt of activity in the development of credit portfolio models, with the two most prominent examples being CreditMetrics (Gupton, Finger, & Bhatia, 1997) and CreditRisk+ (Wilde, 1997).16,17 However, stress testing did not feature in these papers. At the same time, as Koyluoglu and Hickman (1998) show quite clearly, all of these credit portfolio models share a common framework of mapping outcomes in the real economy, often represented by an abstract state vector, to the credit loss distribution, and thus, they should lend themselves naturally to stress testing. With that in mind, Bangia, Diebold, Kronimus, Schagen, and Schuermann (2002), broadly following the CreditMetrics framework, show how to use credit migration matrices to conduct macroeconomic stress tests on credit portfolios. Foglia (2008) provides a survey of the literature (at least through to late 2008) of stress testing credit risk, both for individual banks or portfolios and for banking systems. More recently, Rebonato (2010), with his suggestively titled book Coherent stress testing (we return to the problem of coherence below), argues for a Bayesian approach to financial stress testing, i.e., one which is able to formally include expert knowledge in the stress testing design, with an emphasis on exploring causal relationships using Bayesian networks.

With few exceptions, regulatory requirements for stress testing were thin prior to the crisis, though considerable expectations of stress testing capabilities were voiced in supervisory guidance in the US. Examples include the Joint Policy Statement on Interest Rate Risk (SR 96-13), guidance on counterparty credit risk (SR 99-03),18 and country risk management (SR 02-05). However, banks had a significant degree of discretion with regard to the specific design and implementation of their stress tests. Brian Peters, then head of risk in bank supervision at the New York Fed, observed at an industry conference in March 2007 that no firm had a fully-developed program of integrated stress testing that captured all major financial risks on a firmwide basis.19 Market risk stress tests were most advanced, while corporate or enterprise-wide stress testing, whereby all businesses were subjected to a common set of stress scenarios, was in a developmental phase at best.

15.3 STRESS TESTING DESIGN

Perhaps the most fundamental choice in stress testing design is the risk appetite of the authorities: how severe and how long the stress scenario should be, and what the post-stress hurdle is. To take a sailing analogy: how severe and how long is the storm, and how solid does the boat still need to be once the storm has passed? In stark contrast to standard capital regimes, the target calibration is not strict solvency (i.e., just enough capital to have a positive net worth), but rather some notion of adequate capitalization post-stress. For instance, the 2009 SCAP in the US presented a two-year scenario with a post-stress hurdle of 4% Tier 1 common capital. The 2012 bottom-up Spanish stress test used a three-year scenario with a post-stress hurdle of 6% core Tier 1 capital, suggesting a lower risk appetite by the Spanish authorities than by the American.

While length and post-stress hurdles are easy to compare across macro-prudential stress tests, scenario severity is not. Authorities are reluctant to make statements like "a 1 in 100 scenario" which would allow such comparisons, in part because such a statement is very difficult to make credibly. In its stress testing program, the Federal Reserve makes available time series of relevant variables to allow users to assess the severity of a given scenario, at least for those variables.20 Of course, a multivariate assessment is much more difficult.

Once the risk appetite has been established, one of the principal challenges faced by both the supervisors and the firms when designing stress scenarios is coherence. The scenarios are inherently multi-factor: we are seeking to develop a rich description of adverse states of the world in the form of several risk factors, be they financial or real, taking on extreme yet coherent (or possible) values. It is not sufficient to specify only high unemployment or only a significant widening of credit spreads or only a sudden drop in equity prices; when one risk factor moves significantly,

16 Of course, the credit rating agencies, having been in the business of rating corporate bonds for nearly a century, probably employ stress testing in their bond rating methodology, but old documentation to this effect is hard to come by.

17 For an excellent overview and comparison of these and related models, see Koyluoglu and Hickman (1998).

18 The most recent guidance on counterparty credit risk, SR 11-10, has greatly expanded on stress testing expectations. All SR letters can be found at http://www.federalreserve.gov/bankinforeg/srletters/srletters.htm.

19 Presentation delivered at Marcus Evans conference "Implementing stress tests into the risk management process", Washington DC, March 1-2, 2007.

20 See http://www.federalreserve.gov/bankinforeg/bcreg20121115a3.xlsx.
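The post-stress hurdle arithmetic described in this section, as an added worked example that is not part of the original paper: a hypothetical bank's Tier 1 common capital is rolled forward year by year through the scenario (net revenue in, losses out), the resulting ratio is compared with a hurdle, and the capital "hole" is the amount that would have to be raised today to reach that hurdle. Run over a constructed three-bank system at a 4% and a 7% hurdle, it shows how the hurdle alone changes both the count of banks that fall short and the total raise, the pattern the text reports for the Spanish FSAP. All bank figures are constructed; the constant-RWA balance sheet and the testing of the trough ratio (rather than the end-of-horizon ratio) are stated assumptions of this example, not the paper's description of any particular exercise.

```python
"""Post-stress capital hurdle arithmetic. Added worked example; the bank figures are
constructed, and the conventions (constant RWA, trough ratio) are stated assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class StressInputs:
    """Constructed inputs for one bank under one scenario (currency units in bn)."""
    name: str
    t1c_capital: float   # Tier 1 common capital at the start of the horizon
    rwa: float           # risk-weighted assets, held constant over the horizon (assumption)
    losses: List[float]  # credit and trading losses, one entry per scenario year
    ppnr: List[float]    # pre-provision net revenue per year (revenues minus costs)


def capital_path(bank: StressInputs) -> List[float]:
    """Capital at the start of the horizon and at the end of each scenario year.

    Each year adds net revenue and subtracts losses; taxes and dividends are
    ignored in this toy version."""
    path = [bank.t1c_capital]
    for loss, revenue in zip(bank.losses, bank.ppnr):
        path.append(path[-1] + revenue - loss)
    return path


def post_stress_ratio(bank: StressInputs) -> float:
    """Lowest T1C ratio along the path (assumption: the trough is what is tested)."""
    return min(capital_path(bank)) / bank.rwa


def capital_hole(bank: StressInputs, hurdle: float) -> float:
    """Capital to raise today so the trough ratio just reaches the hurdle (0 if it already does)."""
    return max(0.0, hurdle * bank.rwa - min(capital_path(bank)))


def summarize(banks: List[StressInputs], hurdle: float) -> Tuple[int, float]:
    """Number of banks needing capital and the total raise: the two headline
    numbers a supervisory exercise publishes for a given hurdle."""
    holes = [capital_hole(b, hurdle) for b in banks]
    return sum(1 for h in holes if h > 0), round(sum(holes), 6)


# Constructed three-bank "system": same two-year scenario, different starting strength.
DEMO_BANKS = [
    StressInputs("Alpha", t1c_capital=10.0, rwa=200.0, losses=[12.0, 8.0], ppnr=[6.0, 5.0]),
    StressInputs("Beta", t1c_capital=20.0, rwa=200.0, losses=[5.0, 5.0], ppnr=[4.0, 4.0]),
    StressInputs("Gamma", t1c_capital=14.0, rwa=200.0, losses=[6.0, 4.0], ppnr=[3.0, 3.0]),
]

if __name__ == "__main__":
    for bank in DEMO_BANKS:
        print(bank.name, [round(c, 2) for c in capital_path(bank)],
              f"trough ratio {post_stress_ratio(bank):.2%}")
    for hurdle in (0.04, 0.07):  # SCAP-like 4% vs. the higher 7% used in the Spanish FSAP
        n, total = summarize(DEMO_BANKS, hurdle)
        print(f"hurdle {hurdle:.0%}: {n} bank(s) short, total raise {total:.1f} bn")
```

Gamma is the instructive case: its trough ratio of 5% clears the 4% hurdle with no raise at all, but the same scenario at a 7% hurdle puts it 4 bn short, so the headline count moves from one bank to two and the total from 7 bn to 17 bn without any change to the scenario itself.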


the others move too. The real difficulty is in specifying a coherent joint outcome of all of the relevant risk factors. For instance, not all exchange rates can depreciate at once; some have to appreciate. A high inflation scenario needs to account for likely monetary policy responses, such as an increase in the policy interest rate. Every market shock scenario resulting in a flight from risky assets— "flight to quality"— must have a (usually small) set of assets that can be considered safe havens. These are typically government bonds from the safest sovereigns (e.g., the US, Japan, Germany, Switzerland). Of course, as sovereign government budgets are increasingly strained, questioning the ultra-low risk assumption of such treasury instruments would certainly be a worthwhile stress scenario, but it would need to define an alternative "risk-free" asset class to which capital can flee.

While the problem of coherence is generic to scenario design, it is especially acute when considering stress scenarios for market risk, i.e., for portfolios of traded securities and derivatives. These portfolios are typically marked to market as a matter of course, and risk managed in the context of a value-at-risk (VaR) system. In practice, this means that the hundreds of thousands (or more) of positions in the trading book are mapped to tens of thousands of risk factors, which are tracked on a (usually) daily basis and form the "data" used to estimate risk parameters like volatilities and correlations. Finding coherent outcomes in such a high dimensional space, short of resorting to historical realizations, is daunting indeed.

Compounding the problem is the challenge of finding a scenario in which the real and financial factors are jointly coherent. The 2009 SCAP had a rather simple scenario specification. The state space had only three dimensions— GDP growth, unemployment, and the house price index (HPI)— and the market risk scenario was based in historical experience: an instantaneous risk factor impact reflecting changes from June 30 to December 31, 2008. This period represented a massive flight to quality, with the markets experiencing the failure of at least one global financial institution (Lehman), and risk premia at the time arguably placed a significant probability on the kind of adverse real economic outcome painted by the tri-variate SCAP scenario. This solution achieved a loose coherence of the real and financial stresses. However, the price that one pays for choosing a historical scenario is the usual one: it does not test for anything new. Figures 15.3 and 15.4 compare some of these risk factors (real GDP, unemployment, equity and home prices indices) across the four US stress tests to date, both to each other and to actual realizations since 2008 Q4.

For the 2011 EBA test, the supervisors specified over 70 risk factors for the trading book, eight macro-factors for each of 21 countries (macro-factors such as GDP growth, inflation, unemployment, real estate price indices, both residential and commercial, short and long term government rates, and stock prices), plus sovereign haircuts across seven maturity buckets. The macroeconomic stress scenario was generated by economists at the ECB with reference to the EU Commission baseline economic forecast.

All supervisory stress tests to date have imposed the same scenario on all banks. Naturally, any scenario may be more severe for some banks and much less so for others, depending on the business mix and geographic footprint. This one-size-fits-all approach is analogous to the problem of regulatory vs. internal economic capital models: the former is the same for all banks by design, while the latter, being limited to a given bank, takes the particular business mix of that bank into account directly. This problem of same vs. specific stress scenarios becomes especially acute when we move from crisis times, when there may be less debate about what a relevant adverse scenario might look like, to "normal" times. The US CCAR program, which has been in operation since 2011, recognized this problem and asks banks to submit results using their own scenarios (baseline and stress) in addition to results under the common supervisory stress scenario. This was an important step forward from the 2009 SCAP: by asking banks to develop their own stress scenario(s), thus revealing the particular sensitivities and vulnerabilities of their specific portfolio and business mix, supervisors could learn what the banks themselves thought to be the high risk scenarios. This is useful not just for micro-prudential supervision— learning about the risk of a given bank— but also for macro-prudential supervision, by allowing for the possibility of learning about common risks across banks which may hitherto have been undiscovered or under-emphasized. With this dual approach, supervisors could compare results across banks from the common scenario directly, without sacrificing risk-discovery.

15.4 EXECUTING THE STRESS SCENARIO: LOSSES AND REVENUES

With the macro-scenario in hand, how does one arrive at the corresponding micro-outcomes: losses and revenues under adverse market and macroeconomic conditions? To date, there has been very little discussion in the public domain on how to solve this problem, except perhaps for stress testing the trading book. Indeed, one of the more important contributions of the supervisory stress tests in the US and Europe has been the accompanying methodology documents that have been disclosed by the supervisors, which are, understandably, more heavily focused on the banking book.21

21 For SCAP, see http://www.federalreserve.gov/bankinforeg/bcreg20090424a1.pdf. For EBA, see http://www.eba.europa.eu/EU-wide-stress-testing/2011/The-EBA-publishes-details-of-its-stress-test-scena.aspx. For the 2011 and 2012 CCAR, see http://www.federalreserve.gov/newsevents/press/bcreg/bcreg20110318a1.pdf and http://www.federalreserve.gov/newsevents/press/bcreg/bcreg20120313a1.pdf respectively.
Modeling Losses provided on stressed probabilities of default (PDs) and stressed
LGDs. Note that such guidance presumes that a bank has imple­
For a firm which is active in many markets (product and geogra­ mented an internal credit rating system for its commercial loan
phy), the first task is to map from the few macro-factors to the portfolio. For a Basel II bank this may not be unreasonable, since
many intermediate risk factors that drive losses for particular internal ratings, mapped to a common external scale such as
products by geography. The EBA was forced to confront the problem of geographic heterogeneity directly, since it spans 21 sovereign nations with rather different economies. US supervisors, in stress testing an economic region only slightly smaller than that of the EBA, left the task of accounting for the not-inconsiderable geographic heterogeneity to individual firms. Regional differences are critical in modeling losses for real estate lending (residential and commercial), but are hardly limited to those products. Since the US experiences regional business cycles (the national business cycle obscures a considerable degree of variation across states), nearly all lending has some geographic component. For example, credit card losses are especially sensitive to unemployment, and in July 2011, with the national rate at 9.1%, the state-level unemployment rate ranged from 3.3% in North Dakota to 12.9% in Nevada. Similar dynamics are at work in wholesale lending, particularly for SME (small and medium enterprise) lending, whose performance has a strong geographic component.

those used by the rating agencies, are a cornerstone of the Accord. With a credit rating (internal or external) in hand, computing stressed default rates for the portfolio becomes a straightforward exercise, either by assigning higher PDs to a given rating, or by imposing a downward migration on the current portfolio.22 Since the EBA stress test was based on risk weighted assets (RWA) computed using Basel II risk weights, which are ratings sensitive, banks were forced to make use of stress migration matrices to compute not only increased defaults (the last column of the matrix), but also the entire future ratings distribution, to arrive at the correct RWA value. The US stress tests were conducted under Basel I risk weights, which are not obligor ratings sensitive. The fuss about RWA calculations is important, since the denominator of capital ratios, used to determine whether or not a bank needs to raise capital, is RWA. Clearly, this complicates any comparison of US and European stress test results.
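The two quantities the paragraph above distinguishes, the stressed default rate (the last column of a migration matrix applied to the portfolio) and the full post-stress rating distribution that a ratings-sensitive RWA calculation needs, can be computed from a migration matrix and a portfolio mix. The Python below is an added illustration, not code from Schuermann's paper or from the EBA or Fed methodologies. The transition matrix, the exposure mix and the size of the downward shift are constructed for the example; Basel I is represented by a flat 100% weight, and the Basel II standardised-approach corporate weights (50% for A, 100% for BBB and BB, 150% for B) stand in for any ratings-sensitive scheme. The stress is imposed as a downward migration: with probability `shift` an obligor ends one notch below where the baseline matrix would put it, and mass already in default stays there.

```python
"""Stressed ratings migration: stressed defaults, the post-stress rating
distribution and risk-weighted assets (RWA) under a flat and a
ratings-sensitive weight scheme.

Added illustration, not code from Schuermann's paper or from the EBA/Fed
methodologies. The transition matrix, the exposure mix and the shift
parameter are constructed; the Basel II weights are the standardised-approach
corporate weights, used here only as an example of ratings-sensitive weights.
"""

RATINGS = ["A", "BBB", "BB", "B", "D"]  # D (default) is absorbing

# Constructed one-year transition matrix: row = rating today, column = rating
# in one year; the last column is the one-year probability of default.
BASE_TM = [
    [0.90, 0.08, 0.01, 0.00, 0.01],
    [0.04, 0.86, 0.07, 0.02, 0.01],
    [0.00, 0.05, 0.80, 0.10, 0.05],
    [0.00, 0.00, 0.08, 0.80, 0.12],
    [0.00, 0.00, 0.00, 0.00, 1.00],
]

# Constructed performing exposure by current rating ($m).
EXPOSURE = {"A": 400.0, "BBB": 300.0, "BB": 200.0, "B": 100.0}

# Basel I: one weight for all corporate exposure. Basel II (standardised):
# 50% for A, 100% for BBB and BB, 150% below BB-.
BASEL_I_WEIGHTS = {"A": 1.0, "BBB": 1.0, "BB": 1.0, "B": 1.0}
BASEL_II_WEIGHTS = {"A": 0.5, "BBB": 1.0, "BB": 1.0, "B": 1.5}


def stress_matrix(tm, shift):
    """Impose a downward migration on a transition matrix.

    With probability `shift` an obligor ends one notch worse than the
    baseline matrix says; mass already in default stays there.  Every row of
    the result is still a probability distribution.
    """
    n = len(tm)
    stressed = []
    for row in tm[:-1]:
        shifted = [0.0] * n
        for j in range(n - 1):
            shifted[j + 1] += row[j]      # one notch down
        shifted[n - 1] += row[n - 1]      # default is absorbing
        stressed.append([(1 - shift) * a + shift * b for a, b in zip(row, shifted)])
    stressed.append(list(tm[-1]))         # default row unchanged
    return stressed


def project(exposure, tm):
    """Roll the exposure vector forward one period through `tm`.

    Returns (performing exposure by rating, defaulted exposure); the second
    element is the last column of the matrix applied to the portfolio.
    """
    performing = {r: 0.0 for r in RATINGS[:-1]}
    defaulted = 0.0
    for i, src in enumerate(RATINGS[:-1]):
        for j, dst in enumerate(RATINGS):
            amount = exposure[src] * tm[i][j]
            if dst == "D":
                defaulted += amount
            else:
                performing[dst] += amount
    return performing, defaulted


def rwa(exposure, weights):
    """Risk-weighted assets of a performing book under a weight scheme."""
    return sum(exposure[r] * weights[r] for r in exposure)


def stress_test(exposure, tm, shift):
    """Stressed default rate plus before/after RWA under both weight schemes."""
    performing, defaulted = project(exposure, stress_matrix(tm, shift))
    return {
        "default_rate": defaulted / sum(exposure.values()),
        "performing": performing,
        "rwa_basel1_before": rwa(exposure, BASEL_I_WEIGHTS),
        "rwa_basel1_after": rwa(performing, BASEL_I_WEIGHTS),
        "rwa_basel2_before": rwa(exposure, BASEL_II_WEIGHTS),
        "rwa_basel2_after": rwa(performing, BASEL_II_WEIGHTS),
    }


if __name__ == "__main__":
    for shift in (0.0, 0.25):
        r = stress_test(EXPOSURE, BASE_TM, shift)
        print(f"shift={shift:.2f}: default rate {r['default_rate']:.2%}, "
              f"Basel I RWA {r['rwa_basel1_before']:.1f} -> {r['rwa_basel1_after']:.1f}, "
              f"Basel II RWA {r['rwa_basel2_before']:.1f} -> {r['rwa_basel2_after']:.3f}")
```

With `shift=0.25` the constructed portfolio's default rate roughly doubles (2.9% to 5.55%), and the direction of the RWA change depends on the weight regime: the flat-weight RWA simply falls with the defaulted exposure (1000 to 944.5), while the ratings-sensitive RWA rises (850 to 868.875) because the surviving book has migrated down. That asymmetry in the capital-ratio denominator is the reason the text gives for US and European results being hard to compare.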
The problem of mapping from macro to more intermediate risk factors is not limited to geography. An interesting example is auto lending and leasing, where the collateral assets are used cars. While auto sales invariably decline during a recession, and the decline in 2008-2009 was unprecedented in the post-war period, used car sales typically suffer less. Yes, households buy fewer cars in a recession, but if they do need to purchase a car, it is relatively more likely to be a used car. Thus, even if the default rate on auto loans increases significantly during a recession, the corresponding loss given default (LGD) or loss severity need not. A useful indicator of the health of the used car market, and thus the collateral of an auto lending portfolio, is the Manheim index. Over the course of the most recent recession (Dec. 2007-June 2009), the index rose 4%, while total new auto and light truck sales declined by 37%.

The problem of loose coupling of the loss severity to the business cycle is not limited to auto loans. Acharya, Bharath, and Srinivasan (2007) show that for corporate credit, an important determinant of LGD is whether the industry of the defaulted firm is in distress at the time of default. The authors make a compelling asset specificity argument: if the airline industry is in distress, and a bank is stuck with the collateral on defaulted aircraft loans or leases, it will be hard to sell those aircraft except at very depressed prices. The healthcare sector may be relatively robust at the time, as indeed it was in the recent recession, but it is difficult to transform an airplane into a hospital.

The EBA disclosure on methodology is especially rich. In the March 2011 document, for example, detailed guidance is

Implementation in the trading book is more straightforward, and has been discussed extensively in the public domain; see inter alia Allen, Boudoukh, and Saunders (2004), Jorion (2007), or Rebonato (2010). In a nutshell, existing positions are simply repriced using the stress scenario risk factors, subject to the proviso that the risk factor mapping problem, discussed in Section 3, has been solved. The corresponding problem of stressing the counterparty credit risk that comes with the activities of derivatives has received less attention.23 Counterparty credit risk arises when, in a derivative transaction which is revalued to the stress scenario, the bank finds itself in the money (i.e., enjoys a derivative receivable), but cannot be sure that the counterparty to the transaction will be solvent in order to make good on the payment. Thus, the value is discounted, where the discount is a function of the expected default likelihood of the counterparty under the stress scenario, which is presumably higher than today. This adjustment is called a credit value adjustment (CVA), and banks with significant derivative activities manage CVA as a matter of course. As Canabarro (2010) and Hopper (2010) point out, the modeling challenge of stress testing counterparty credit risk is considerable. Not only does the PD of the counterparty change in a stressful environment, the exposure does likewise. Thus, any CVA stress test involves two distinct simulation exercises. If the collateral posted by the counterparty is anything other than cash or a cash equivalent, a revaluation of that collateral under the same stress scenario needs to be added to the process.24

22 Of the 90 participating banks, 59 were so-called IRB (internal ratings based) banks, meaning that their internal models were validated to the supervisor's satisfaction for at least one regulatory portfolio (e.g., corporate, commercial real estate, etc.). Non-IRB banks were given very non-specific guidance (EBA, 2011, Section 5.5.1.1).
23 For an excellent treatment, see Canabarro (2010) and Hopper (2010).
24 There is the added complication that major derivatives dealers actively manage CVA risk using a range of strategies and instruments that themselves vary in price and availability depending on market conditions.

Chapter 15 Stress Testing Banks ■ 273

[Figure 15.1: three bar-chart panels, one bar per bank, of projected profit coverage of losses (P/L coverage): 2009 SCAP (median 58%), 2012 CCAR (median 63%) and 2011 EBA adverse scenario (median 66%).]
Figure 15.1 Projected coverages of losses with profits in the 2009 SCAP and 2011 EBA stress tests.

Modeling Revenues

Implementing stress scenarios on the revenue side of the equation remains largely a black box, and seems far less well developed than stress testing for losses. Neither the 2009 SCAP nor the otherwise richly documented 2011 EBA disclosures devoted much space or revealed much detail about the methods and approaches for computing revenues under stressful conditions. Banks' total income can be divided roughly into interest and non-interest income. The interest income is clearly a function of the yield curve and credit spreads posited under the stress scenario, but the net impact of rising or falling rates on bank profitability remains ambiguous, perhaps in part because of interest rate hedging strategies (English, 2002; Purnanandam, 2007). The impact of stress scenarios on the noninterest income, which includes service charges, fiduciary, fees, and other income (e.g., from trading), is far harder to assess, and there has been precious little discussion of its determinants in the literature. This is concerning, since Stiroh (2004) shows that not only has the share of noninterest income in US banks been rising steadily, from 25% in 1985 to 43% in 2001, but it is associated with a greater volatility and lower risk-adjusted returns. If we compare the 2009 SCAP, the 2011 EBA and the 2012 CCAR stress tests, the median bank in the US was able to cover about 58% of its total projected losses with profits (including reserve releases, if any) in 2009 and 63%
in 2012,25 compared with 66% in the European case. As Figure 15.1 shows, there is a considerable degree of variability across banks, especially in the EBA test, where in some cases profits are projected to outpace losses 4:1, even under the stress scenario!

274 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency

Modeling the Balance Sheet

Recall that capital adequacy is defined in terms of a capital ratio, roughly capital over assets. Of course, both the numerator and denominator are nuanced. All supervisory stress tests have insisted, to varying degrees, that the relevant form of capital be common equity. The 2010 CEBS test allowed for some forms of hybrid capital which are typical of state participations, but the requirements were tightened a year later. As was discussed in Section 4.1, the denominator is typically risk-weighted assets (RWA), where the risk weights are determined by the prevailing regulatory capital regime, namely Basel I (in the US cases of the SCAP and CCAR) and Basel II (in the European stress tests). The many subtleties of what this implies are beyond the scope of this paper; suffice it to say that a bank may be forced to raise capital under one regime but not the other, and there is no way to know which regime will result in a more favorable treatment without knowing about the portfolio in considerable detail.

Regardless of the risk weight regime, determining the post-stress capital adequacy requires modeling of both the income statement and the balance sheet, both flows and stocks, over the course of the stress test horizon, which is typically two years.26 This is illustrated in Figure 15.2 below. The point of departure is the current balance sheet, at which point the bank meets the required capital (and, if included, liquidity) ratios. The starting balance sheet generates the first quarter's income and loss, which in turn determines the quarter-end balance sheet. The modeler is then faced with the problem of considering the nature and amount of new assets originated and/or sold during the quarter, and any other capital depleting or conserving actions such as acquisitions or spin-offs, dividend changes or share (re-)purchase or issuance programs, including employee stock and stock option programs. The problem of balance sheet modeling exists under a static (be it in raw form, as in the 2011 EBA, or in risk weighted form, as in the 2009 SCAP) or dynamic balance sheet assumption. The bank should not drop below the required capital (and liquidity) ratios in any quarter. Moreover, at the end of the stress horizon, the bank needs to estimate the amount of reserves needed to cover expected losses on loans and leases for the following year. In this way, the stress tests are really three years (or T + 1 years for a T-year stress test).

[Figure 15.2: two-year dynamic forecast. The starting balance sheet (assets, liabilities, equity) produces the Q1 income statement (P&L), which determines the Q1-end balance sheet; that produces the Q2 income statement and the Q2-end balance sheet, and so on through the Q8-end balance sheet. Each quarter-end balance sheet feeds the capital and liquidity ratios.]
Figure 15.2 Stress testing balance sheet and income statement dynamics.

25 PPNR calculations in the 2012 CCAR were net of operational risk related losses and OREO expenses, as well as mortgage repurchase and put-back costs, meaning that these items were not reported separately (though they totaled $115 bn for all 19 banks) (Board of Governors, 2012).
26 The horizon is 9 quarters for the CCAR, as it is based on Q3, not Q4, balance sheets.

15.5 STRESS TESTING DISCLOSURE

Stress testing is here to stay, whether because it is just good risk management practice, or because it is enshrined in legislation (through the Dodd-Frank Act). In the debate on disclosure regimes, it is not clear that more is always better. We divide the discussion into crisis and noncrisis or normal times, with the simple point that normal times may not require or even desire the same degree of transparency as is clearly needed in times of crisis.

We have seen very large differences in disclosure across the different supervisory stress tests, as summarized in Table 15.1. The

SCAP in 2009 opened Pandora's box by disclosing projected stress losses for each of the 19 participating banks, for eight different categories or asset classes, as well as resources other than capital for absorbing losses (mostly pre-provision net revenue and reserve releases, if any). Until then, regulatory disclosures (e.g., Y-9C reports for US bank holding companies) reported only realized losses (the past), not projected losses (a possible future). This allowed the market to check the severity of the stress test easily, not just in terms of the scenario, but also, and much more importantly, in terms of the resulting outcomes at the bank level. Given the crisis of confidence which was prevalent in the market at the time, this amount of transparency was crucial. Two years later, the CCAR displayed a radically different disclosure regime: only the macro-scenario was published, with no bank-level results. The only indications of bank-level outcomes were the subsequent dividend and other capital actions announced by some banks: banks which were allowed to raise their dividends were interpreted as having "passed" the stress test. The market digested this meager information event without a hiccup. Dodd-Frank, however, requires the Fed to disclose the results of regular stress testing, and the 2012 CCAR, with the accompanying rules (final and proposed27), gave a glimpse of what regular disclosure might look like. The 2012 CCAR disclosed nearly the same level of detail as the 2009 SCAP, namely bank-level loss rates and dollar losses by major regulatory asset classes (following the categories of the FR Y-9C bank holding company reports): first and second lien mortgages, commercial and industrial (C&I) lending, CRE, credit cards, other consumer, and other loans. In addition, the Fed reported the dollar PPNR, gains/losses on the AFS/HTM securities portfolio, and trading and counterparty losses for those firms who were required to conduct the trading book stress.28 Again, as with the 2009 SCAP, the numbers reported were supervisory estimates, not the banks' own estimates of losses (and PPNR) under the stress scenario.

By contrast, the 2011 Irish and 2011 Europe-wide EBA stress tests, both of which were disclosed after the CCAR, were considerable in their detail, including comparisons of bank and third-party estimates of losses in the Irish case (revealing the bias that any bank is likely to have when estimating its own potential losses), and data in electronic, downloadable form in the EBA case. Ireland in particular was suffering from an acute credibility problem, having emerged from the CEBS stress test with flying colors in July 2010, only to require massive external aid four months later.

27 http://www.gpo.gov/fdsys/pkg/FR-2011-12-01/pdf/2011-30665.pdf.
28 In 2012, these were the six institutions with the largest trading portfolios.

[Figure 15.3: two panels, Real GDP growth and Unemployment rate, stress-test scenarios vs. recent historical observations by stressed quarter. Series: CCAR 1 from 2010 Q4; CCAR 2 from 2011 Q3; CCAR 3 "severely adverse" from 2012 Q3; CCAR 3 "adverse" from 2012 Q3; SCAP "more adverse scenario" from 2008 Q4; Historical from 2008 Q4.]
Figure 15.3 US real GDP and unemployment scenarios compared
Source: Fed, The Supervisory Capital Assessment Program: Design and Implementation, 24 April 2009; Fed, Comprehensive Capital Analysis and Review: Objectives and Overview, 18 March, 2011; Fed, "Comprehensive Capital Review" document and "Capital Plan review" 22 November 2011; Fed, "Supervisory Scenarios" 15 November 2012; Datastream.

[Figure 15.4: two panels, Dow Jones total stock market index level (0 to 18,000) and House Price index, stress-test scenarios vs. recent historical observations over stressed quarters 0 to 13, with the same series as Figure 15.3.]
Figure 15.4 US equity and house price indices compared
Source: Fed, The Supervisory Capital Assessment Program: Design and Implementation, 24 April 2009; Fed, Comprehensive Capital Analysis and Review: Objectives and Overview, 18 March, 2011; Fed, "Comprehensive Capital Review" document and "Capital Plan review" 22 November 2011; Fed, "2013 Supervisory Scenarios" 15 November 2012; Datastream.

This difference in experiences between Europe and the US provides some hints on how to design a disclosure regime during "normal" times. The discussion of the benefits and costs of stress test disclosures by Goldstein and Sapra (2012) is helpful. They argue persuasively that in a world with frictions and strategic environments, the benefits (better market discipline) may not outweigh the costs: banks may make poor portfolio choices which are designed to maximize the chance of passing the test (window dressing), thereby giving up longer term value; while traders may place too much weight on the public information of stress test disclosure and lose their incentive to produce private information about the banks; and finally, with the information content of market prices having been damaged, market discipline is harmed, and supervisors will find market prices less useful for policy decisions (micro- as well as macro-prudential).

Clearly, some disclosure is still preferable to no disclosure, and Goldstein and Sapra propose the disclosure of aggregated but not necessarily bank-specific results, with sufficient information about category outcomes (loss rates by major asset class, for instance). Aggregation has the advantage of being less wrong, since the idiosyncratic errors in estimating bank conditions under hypothesized stress scenarios are averaged out. In this way, supervisors can still provide the useful macro-prudential information which only they can provide (loss rates by asset class, total capital decline in the system or a significant fraction of the banking system) without drowning out signals about individual banks from the market participants themselves. Such a disclosure gives the market an anchor point for system-wide possibilities, without diluting the incentive to dig hard into a particular firm's financials.

During times of crisis, with the enormous uncertainty about the health of the banking system, the benefit of detailed bank-specific stress test disclosure is significant, given the ability of supervisors to assess the health of individual firms correctly, and the resulting inability of the market to distinguish between a good bank and a bad. Indeed, Goldstein and Sapra argue that stress


test disclosures, when more disaggregated, ought to be accompanied by detailed descriptions of the exposures of the banks. This is precisely what was done in the Irish bank stress test of 2011, an acute case of loss of confidence (and a subsequent regaining of confidence), as well as in the 2011 EBA stress test. Because the credibility of European supervisors was rather low by that point, only with a very detailed disclosure, bank by bank, of their exposures by asset class, by country and by maturity bucket, could the market do its own math and arrive at its own conclusions.

Between March 2009 and March 2011, the 19 SCAP banks had raised about $300 bn in capital and the S&P500 had increased by 65%; by the end, the economy was no longer in recession, and, arguably, the supervisory agencies had regained credibility. The non-event of the nondisclosure of the 2011 CCAR suggests that the market seems content to live in a state of "symmetric ignorance", to borrow a term from Dang, Gorton, and Holmstrom (2010). Of course, this might change were the economy to receive another adverse shock, but until it does, it is not clear that an EBA-like disclosure regime is necessarily either desirable or stability-enhancing. In contrast, Europe is not yet out of the woods (at the time of writing); yet even the EBA was not limitless with its disclosure of the 2011 stress test results. It is worth noting that funding liquidity was also stressed for banks, but without disclosing the results. Because liquidity positions are highly dynamic, and thus subject to rapid change, snapshot disclosure, especially with a delay (the as-of date for the 2011 EBA stress test was YE 2010), is unlikely to be informative at the time of disclosure.29

Recall the discussion in the introduction: regulatory capital models (risk weighting), internal economic capital models and stress testing all have the same goal, namely to determine the amount of capital needed to support the business (risk taking) of the bank. Both regulatory and economic capital models (and especially the former) evolve very slowly, and thus have difficulty in adapting to financial innovations and rapidly changing macro conditions. Indeed, some of the innovation is motivated by those slowly evolving, one-size-fits-all regulatory capital rules. Moreover, bank balance sheets are notoriously opaque and subject to easy-to-hide asset substitution (higher risk for lower risk assets); see Morgan (2002). Stress tests, especially macro-prudential supervisory stress tests, are adapted to the then-current environment and bank portfolios by construction. Between balance sheet opacity, asset substitution and regulatory arbitrage, it is easy to see the value of a "pop quiz" in the form of bespoke stress testing (Acharya, Mehran, Schuermann, & Thakor, 2011).

29 Reuters, Sept. 2, 2011, "EBA won't seek disclosure of bank liquidity". Available at http://www.reuters.com/article/2011/09/02/idUSL5E7K23PI20110902.

CONCLUSION

The problem of sizing the amount of capital needed to support a bank's risk taking is not new, but the use of broad-based supervisory stress tests for an entire banking system is. The first use of such tests was in the US in 2009, and its success there has made it the supervisory and risk management hammer for dealing with all nails. A critical component of the exercise is the disclosure of the results. The reason why stress testing became an imperative was precisely because existing approaches that were publicly disclosed, such as regulatory capital ratios, were no longer informative, and were heavily (if not entirely) discounted by the market. In order to regain their credibility, supervisory authorities needed to disclose enough to allow the market to "check the math". However, broad-based supervisory stress testing has not been universally successful, as the 2010-2011 European experience has shown. Nor is it clear how useful such broad supervisory stress testing with concomitant disclosure would be as a matter of routine. Its value in the crisis was undoubtedly due to its "pop quiz" nature. It was sprung on the banks at short notice, and thus was very difficult for them to manipulate through careful pre-positioning; and it was tailored to the situation at hand, genuinely revealing new information to all participants and the public. As a result, trust was regained. Once that trust has been re-established, the cost-benefit of stress testing disclosures may tip away from bank-specific towards more aggregated information. This still provides the market with unique information (after all, supervisors have access to proprietary bank data) without taking away market participants' incentives to produce private information and trade on it, with all the downstream benefits of information-rich prices and market discipline.

ACKNOWLEDGMENTS

I would like to thank John Fell, Mark Flannery, Itay Goldstein, Bengt Holmstrom, Bill Janeway, Umit Kaya, Ugur Koyluoglu, Andy Kuritzkes, John Lester, Clinton Lively, Hashem Pesaran, Brian Peters, Barry Schachter, Hal Scott, and members of the Committee for Capital Markets Regulation for helpful discussions and suggestions. I am also thankful to Cary Lin for helpful research assistance, as well as the participants in the workshop on "Predicting Rare Events" sponsored by the IF/Federal Reserve Bank of San Francisco. All errors remain mine, of course.

References

Acharya, V. V., Bharath, S. T., & Srinivasan, A. (2007). Does industry-wide distress affect defaulted firms? Evidence from creditor recoveries. Journal of Financial Economics, 85, 787-821.

Acharya, V., Mehran, H., Schuermann, T., & Thakor, A. (2011). Robust capital regulation. Federal Reserve Bank of New York Staff report no. 490.

Allen, L., Boudoukh, J., & Saunders, A. (2004). Understanding market, credit and operational risk: the value at risk approach. Blackwell: New York, NY.

Bangia, A., Diebold, F. X., Kronimus, A., Schagen, C., & Schuermann, T. (2002). Ratings migration and the business cycle, with applications to credit portfolio stress testing. Journal of Banking and Finance, 26(2-3), 235-264.

Berkowitz, J. (2000). A coherent framework for stress testing. Journal of Risk, 2, 1-11.

Board of Governors of the Federal Reserve System (2012). Comprehensive capital analysis and review 2012: methodology and results for stress scenario projections. 13 March, 2012. Available at: http://www.federalreserve.gov/newsevents/press/bcreg/bcreg20120313a1.pdf.

Canabarro, E. (2010). Pricing and hedging counterparty risk: lessons relearned? In E. Canabarro (Ed.), Counterparty credit risk (Chapter 6). London, UK: Risk Books.

Committee on the Global Financial System (2001). A survey of stress tests and current practice at major financial institutions. Available at: http://www.bis.org/publ/cgfs18.htm.

Dang, T. V., Gorton, G., & Holmstrom, B. (2010). Financial crises and the optimality of debt for liquidity provision. Working paper. Available at: http://mfi.uchicago.edu/publications/papers/ignorance-crisis-and-the-optimality-of-debt-for-liquidity-provision.pdf.

English, W. B. (2002). Interest rate risk and bank net interest margins. BIS Quarterly Review, December, 67-82.

European Banking Authority (2011). 2011 EU-wide stress test: methodological note. 18 March 2011. Available at: http://www.eba.europa.eu/EU-wide-stress-testing/2011/The-EBA-publishes-details-of-its-stress-test-scena.aspx.

Fender, I., Gibson, M. S., & Mosser, P. C. (2001). An international survey of stress tests. Current Issues in Economics and Finance, 7(10), Federal Reserve Bank of New York.

Flannery, M. J. (2012). Measuring equity capital for stress-testing large financial institutions. Working paper.

Foglia, A. (2008). Stress testing credit risk: a survey of authorities' approaches. Banca d'Italia occasional paper, No. 37.

Goldstein, I., & Sapra, H. (2012). Should banks' stress test results be disclosed? An analysis of the costs and benefits. Working paper. Available at: http://finance.wharton.upenn.edu/~itayg/Files/disclosure.pdf.

Gupton, G. M., Finger, C., & Bhatia, M. (1997). CreditMetrics™ — technical document. This version: April 2. J.P. Morgan. Available at: http://www.defaultrisk.com/_pdf6j4/creditmetrics_techdoc.pdf.

Hopper, G. (2010). Stress testing and scenario analysis: some second generation approaches. In E. Canabarro (Ed.), Counterparty credit risk (Chapter 11). London, UK: Risk Books.

Jorion, P. (1996). Value at risk: the new benchmark for managing financial risk (1st ed.). New York, NY: McGraw Hill.

Jorion, P. (2007). Value at risk: the new benchmark for managing financial risk (3rd ed.). New York, NY: McGraw Hill.

Koyluoglu, H. U., & Hickman, A. (1998). Credit risk: reconcilable differences. Risk, 11(10), 56-62.

Kupiec, P. H. (1998). Stress testing in a value at risk framework. Journal of Derivatives, 6(1), 7-24.

Kuritzkes, A., & Scott, H. (2009). Markets are the best judge of bank capital. Financial Times, September 23.

Lester, J., Reynolds, P., Schuermann, T., & Walsh, D. (2012). Strategic capital: defining an effective real world view of capital. Oliver Wyman financial services report. Available at: http://www.oliverwyman.com/strategic-capital-defining-an-effective-real-world-view-of-capital.htm.

Morgan, D. P. (2002). Rating banks: risk and uncertainty in an opaque industry. American Economic Review, 92(4), 874-888.

Purnanandam, A. (2007). Interest rate risk management at commercial banks: an empirical investigation. Journal of Monetary Economics, 54, 1769-1808.

Rebonato, R. (2010). Coherent stress testing: a Bayesian approach to the analysis of financial stress. New York: John Wiley & Sons.

Stiroh, K. (2004). Diversification in banking: is noninterest income the answer? Journal of Money, Credit and Banking, 36(5), 853-882.

Wilde, T. (1997). CreditRisk+ — a credit risk management framework. Available at: http://www.csfb.com/institutional/research/assets/creditrisk.pdf.

Wyman, O. (2012a). Bank of Spain stress testing exercise. Available at: http://www.bde.es/webbde/GAP/Secciones/SalaPrensa/InformacionInteres/ReestructuracionSectorFinanciero/Ficheros/en/informe_oliverwymane.pdf.

Wyman, O. (2012b). Asset quality review and bottom-up stress test exercise. Available at: http://www.bde.es/f/webbde/SSICOM/20120928/informe_ow280912e.pdf.


Learning Objectives
A fter com pleting this reading you should be able to:

Explain how risks can arise through outsourcing activities Describe topics and provisions that should be addressed
to third-party service providers, and describe elem ents of in a contract with a third-party service provider.
an effective program to manage outsourcing risk.

Explain how financial institutions should perform due dili­


gence on third-party service providers.

E x c e rp t is Supervisory Le tte r SR 13-19/CA 13-21 from the Board o f G overnors o f the Federal R eserve System , D ece m b er 2013.

281
16.1 PURPOSE

In addition to traditional core bank processing and information technology services, financial institutions1 outsource operational activities such as accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing. The Federal Reserve is issuing this guidance to financial institutions to highlight the potential risks arising from the use of service providers and to describe the elements of an appropriate service provider risk management program. This guidance supplements existing guidance on technology service provider (TSP) risk,2 and applies to service provider relationships where business functions or activities are outsourced. For purposes of this guidance, "service providers" is broadly defined to include all entities3 that have entered into a contractual relationship with a financial institution to provide business functions or activities.

16.2 RISKS FROM THE USE OF SERVICE PROVIDERS

The use of service providers to perform operational functions presents various risks to financial institutions. Some risks are inherent to the outsourced activity itself, whereas others are introduced with the involvement of a service provider. If not managed effectively, the use of service providers may expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation. Financial institutions should consider the following risks before entering into and while managing outsourcing arrangements.

• Compliance risks arise when the services, products, or activities of a service provider fail to comply with applicable U.S. laws and regulations.
• Concentration risks arise when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.
• Reputational risks arise when actions or poor performance of a service provider causes the public to form a negative opinion about a financial institution.
• Country risks arise when a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions and events from the country where the provider is located.
• Operational risks arise when a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems or from external events and human error.
• Legal risks arise when a service provider exposes a financial institution to legal expenses and possible lawsuits.

16.3 BOARD OF DIRECTORS AND SENIOR MANAGEMENT RESPONSIBILITIES

The use of service providers does not relieve a financial institution's board of directors and senior management of their responsibility to ensure that outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations. Policies governing the use of service providers should be established and approved by the board of directors, or an executive committee of the board. These policies should establish a service provider risk management program that addresses risk assessments and due diligence, standards for contract provisions and considerations, ongoing monitoring of service providers, and business continuity and contingency planning.

Senior management is responsible for ensuring that board-approved policies for the use of service providers are appropriately executed. This includes overseeing the development and implementation of an appropriate risk management and reporting framework that includes elements described in this guidance. Senior management is also responsible for regularly reporting to the board of directors on adherence to policies governing outsourcing arrangements.

16.4 SERVICE PROVIDER RISK MANAGEMENT PROGRAMS

A financial institution's service provider risk management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangements in which the financial institution is engaged. It should focus on outsourced activities that have a substantial impact on a financial institution's financial condition; are critical to the institution's ongoing operations; involve sensitive customer information or new bank products or services; or pose material compliance risk.

1 For purpose of this guidance, a "financial institution" refers to state member banks, bank and savings and loan holding companies (including their nonbank subsidiaries), and U.S. operations of foreign banking organizations.

2 Refer to the FFIEC Outsourcing Technology Services Booklet (June 2004) at http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx.

3 Entities may be a bank or nonbank, affiliated or non-affiliated, regulated or non-regulated, or domestic or foreign.

282 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
The depth and formality of the service provider risk management program will depend on the criticality, complexity, and number of material business activities being outsourced. A community banking organization may have critical business activities being outsourced, but the number may be few and to highly reputable service providers. Therefore, the risk management program may be simpler and use fewer elements and considerations. For those financial institutions that may use hundreds or thousands of service providers for numerous business activities that have material risk, the financial institution may find that it needs to use many more elements and considerations of a service provider risk management program to manage the higher level of risk and reliance on service providers.

While the activities necessary to implement an effective service provider risk management program can vary based on the scope and nature of a financial institution's outsourced activities, effective programs usually include the following core elements:

A. Risk assessments;
B. Due diligence and selection of service providers;
C. Contract provisions and considerations;
D. Incentive compensation review;
E. Oversight and monitoring of service providers; and
F. Business continuity and contingency plans.

A. Risk Assessments

Risk assessment of a business activity and the implications of performing the activity in-house or having the activity performed by a service provider are fundamental to the decision of whether or not to outsource. A financial institution should determine whether outsourcing an activity is consistent with the strategic direction and overall business strategy of the organization. After that determination is made, a financial institution should analyze the benefits and risks of outsourcing the proposed activity as well as the service provider risk, and determine cost implications for establishing the outsourcing arrangement. Consideration should also be given to the availability of qualified and experienced service providers to perform the service on an ongoing basis. Additionally, management should consider the financial institution's ability and expertise to provide appropriate oversight and management of the relationship with the service provider.

This risk assessment should be updated at appropriate intervals consistent with the financial institution's service provider risk management program. A financial institution should revise its risk mitigation plans, if appropriate, based on the results of the updated risk assessment.

B. Due Diligence and Selection of Service Providers

A financial institution should conduct an evaluation of and perform the necessary due diligence for a prospective service provider prior to engaging the service provider. The depth and formality of the due diligence performed will vary depending on the scope, complexity, and importance of the planned outsourcing arrangement, the financial institution's familiarity with prospective service providers, and the reputation and industry standing of the service provider. Throughout the due diligence process, financial institution technical experts and key stakeholders should be engaged in the review and approval process as needed. The overall due diligence process includes a review of the service provider with regard to:

1. Business background, reputation, and strategy;
2. Financial performance and condition; and
3. Operations and internal controls.

1. Business Background, Reputation, and Strategy

Financial institutions should review a prospective service provider's status in the industry and corporate history and qualifications; review the background and reputation of the service provider and its principals; and ensure that the service provider has an appropriate background check program for its employees. The service provider's experience in providing the proposed service should be evaluated in order to assess its qualifications and competencies to perform the service. The service provider's business model, including its business strategy and mission, service philosophy, quality initiatives, and organizational policies should be evaluated. Financial institutions should also consider the resiliency and adaptability of the service provider's business model as factors in assessing the future viability of the provider to perform services.

Financial institutions should check the service provider's references to ascertain its performance record, and verify any required licenses and certifications. Financial institutions should also verify whether there are any pending legal or regulatory compliance issues (for example, litigation, regulatory actions, or complaints) that are associated with the prospective service provider and its principals.

2. Financial Performance and Condition

Financial institutions should review the financial condition of the service provider and its closely-related affiliates. The financial review may include:

• The service provider's most recent financial statements and annual report with regard to outstanding commitments, capital strength, liquidity and operating results.
Chapter 16 Guidance on Managing Outsourcing Risk ■ 283


• The service provider's sustainability, including factors such as the length of time that the service provider has been in business and the service provider's growth of market share for a given service.
• The potential impact of the financial institution's business relationship on the service provider's financial condition.
• The service provider's commitment (both in terms of financial and staff resources) to provide the contracted services to the financial institution for the duration of the contract.
• The adequacy of the service provider's insurance coverage.
• The adequacy of the service provider's review of the financial condition of any subcontractors.
• Other current issues the service provider may be facing that could affect future financial performance.

3. Operations and Internal Controls

Financial institutions are responsible for ensuring that services provided by service providers comply with applicable laws and regulations and are consistent with safe-and-sound banking practices. Financial institutions should evaluate the adequacy of standards, policies, and procedures. Depending on the characteristics of the outsourced activity, some or all of the following may need to be reviewed:

• Internal controls;
• Facilities management (such as access requirements or sharing of facilities);
• Training, including compliance training for staff;
• Security of systems (for example, data and equipment);
• Privacy protection of the financial institution's confidential information;
• Maintenance and retention of records;
• Business resumption and contingency planning;
• Systems development and maintenance;
• Service support and delivery;
• Employee background checks; and
• Adherence to applicable laws, regulations, and supervisory guidance.

C. Contract Provisions and Considerations

Financial institutions should understand the service contract and legal issues associated with proposed outsourcing arrangements. The terms of service agreements should be defined in written contracts that have been reviewed by the financial institution's legal counsel prior to execution. The characteristics of the business activity being outsourced and the service provider's strategy for providing those services will determine the terms of the contract. Elements of well-defined contracts and service agreements usually include:

• Scope: Contracts should clearly define the rights and responsibilities of each party, including:
  • Support, maintenance, and customer service;
  • Contract timeframes;
  • Compliance with applicable laws, regulations, and regulatory guidance;
  • Training of financial institution employees;
  • The ability to subcontract services;
  • The distribution of any required statements or disclosures to the financial institution's customers;
  • Insurance coverage requirements; and
  • Terms governing the use of the financial institution's property, equipment, and staff.
• Cost and compensation: Contracts should describe the compensation, variable charges, and any fees to be paid for non-recurring items and special requests. Agreements should also address which party is responsible for the payment of any legal, audit, and examination fees related to the activity being performed by the service provider. Where applicable, agreements should address the party responsible for the expense, purchasing, and maintenance of any equipment, hardware, software or any other item related to the activity being performed by the service provider. In addition, financial institutions should ensure that any incentives (for example, in the form of variable charges, such as fees and/or commissions) provided in contracts do not provide potential incentives to take imprudent risks on behalf of the institution.
• Right to audit: Agreements may provide for the right of the institution or its representatives to audit the service provider and/or to have access to audit reports. Agreements should define the types of audit reports the financial institution will receive and the frequency of the audits and reports.
• Establishment and monitoring of performance standards: Agreements should define measurable performance standards for the services or products being provided.
• Confidentiality and security of information: Consistent with applicable laws, regulations, and supervisory guidance, service providers should ensure the security and confidentiality of both the financial institution's confidential information and the financial institution's customer information. Information security measures for outsourced functions should be viewed as if the activity were being performed by the financial institution and afforded the same protections. Financial institutions have a responsibility to ensure service providers take appropriate measures designed to meet the objectives of the information security guidelines within Federal Financial Institutions Examination Council (FFIEC) guidance,4 as well as comply with section 501(b) of the Gramm-Leach-Bliley Act. These measures should be mapped directly to the security processes at financial institutions, as well as be included or referenced in agreements between financial institutions and service providers.

  Service agreements should also address service provider use of financial institution information and its customer information. Information made available to the service provider should be limited to what is needed to provide the contracted services. Service providers may reveal confidential supervisory information only to the extent authorized under applicable laws and regulations.5

  If service providers handle any of the financial institution customer's Nonpublic Personal Information (NPPI), the service providers must comply with applicable privacy laws and regulations.6 Financial institutions should require notification from service providers of any breaches involving the disclosure of NPPI data. Generally, NPPI data is any nonpublic personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available.7

  Financial institutions and their service providers who maintain, store, or process NPPI data are responsible for that information and any disclosure of it. The security of, retention of, and access to NPPI data should be addressed in any contracts with service providers.

  When a breach or compromise of NPPI data occurs, financial institutions have legal requirements that vary by state and these requirements should be made part of the contracts between the financial institution and any service provider that provides storage, processing, or transmission of NPPI data. Misuse or unauthorized disclosure of confidential customer data by service providers may expose financial institutions to liability or action by a federal or state regulatory agency. Contracts should clearly authorize and disclose the roles and responsibilities of financial institutions and service providers regarding NPPI data.
• Ownership and license: Agreements should define the ability and circumstances under which service providers may use financial institution property inclusive of data, hardware, software, and intellectual property. Agreements should address the ownership and control of any information generated by service providers. If financial institutions purchase software from service providers, escrow agreements may be needed to ensure that financial institutions have the ability to access the source code and programs under certain conditions.8
• Indemnification: Agreements should provide for service provider indemnification of financial institutions for any claims against financial institutions resulting from the service provider's negligence.
• Default and termination: Agreements should define events of a contractual default, list of acceptable remedies, and provide opportunities for curing default. Agreements should also define termination rights, including change in control, merger or acquisition, increase in fees, failure to meet performance standards, failure to fulfill the contractual obligations, failure to provide required notices, and failure to prevent violations of law, bankruptcy, closure, or insolvency. Contracts should include termination and notification requirements that provide financial institutions with sufficient time to transfer services to another service provider. Agreements should also address a service provider's preservation and timely return of financial institution data, records, and other resources.
• Dispute resolution: Agreements should include a dispute resolution process in order to expedite problem resolution and address the continuation of the arrangement between the parties during the dispute resolution period.
• Limits on liability: Service providers may want to contractually limit their liability. The board of directors and senior management of a financial institution should determine whether the proposed limitations are reasonable when compared to the risks to the institution if a service provider fails to perform.9
• Insurance: Service providers should have adequate insurance and provide financial institutions with proof of insurance. Further, service providers should notify financial institutions when there is a material change in their insurance coverage.

4 For further guidance regarding vendor security practices, refer to the FFIEC Information Security Booklet (July 2006) at http://ithandbook.ffiec.gov/it-booklets/information-security.aspx.

5 See 12 CFR Part 261.

6 See 12 CFR Part 1016.

7 See 12 U.S.C. 6801(b).

8 Escrow agreements are established with vendors when buying or leasing products that have underlying proprietary software. In such agreements, an organization can only access the source program code under specific conditions, such as discontinued product support or financial insolvency of the vendor.

9 Refer to SR letter 06-4, "Interagency Advisory on the Unsafe and Unsound Use of Limitations on Liability Provisions in External Audit Engagement Letters," regarding restrictions on the liability limitations for external audit engagements at http://www.federalreserve.gov/boarddocs/srletters/2006/SR0604.htm.
Chapter 16 Guidance on Managing Outsourcing Risk ■ 285


• Customer complaints: Agreements should specify the responsibilities of financial institutions and service providers related to responding to customer complaints. If service providers are responsible for customer complaint resolution, agreements should provide for summary reports to the financial institutions that track the status and resolution of complaints.
• Business resumption and contingency plan of the service provider: Agreements should address the continuation of services provided by service providers in the event of operational failures. Agreements should address service provider responsibility for backing up information and maintaining disaster recovery and contingency plans. Agreements may include a service provider's responsibility for testing of plans and providing testing results to financial institutions.
• Foreign-based service providers: For agreements with foreign-based service providers, financial institutions should consider including express choice of law and jurisdictional provisions that would provide for the adjudication of all disputes between the two parties under the laws of a single, specific jurisdiction. Such agreements may be subject to the interpretation of foreign courts relying on local laws. Foreign law may differ from U.S. law in the enforcement of contracts. As a result, financial institutions should seek legal advice regarding the enforceability of all aspects of proposed contracts with foreign-based service providers and the other legal ramifications of such arrangements.
• Subcontracting: If agreements allow for subcontracting, the same contractual provisions should apply to the subcontractor. Contract provisions should clearly state that the primary service provider has overall accountability for all services that the service provider and its subcontractors provide. Agreements should define the services that may be subcontracted, the service provider's due diligence process for engaging and monitoring subcontractors, and the notification and approval requirements regarding changes to the service provider's subcontractors. Financial institutions should pay special attention to any foreign subcontractors, as information security and data privacy standards may be different in other jurisdictions. Additionally, agreements should include the service provider's process for assessing the subcontractor's financial condition to fulfill contractual obligations.

D. Incentive Compensation Review

Financial institutions should also ensure that an effective process is in place to review and approve any incentive compensation that may be embedded in service provider contracts, including a review of whether existing governance and controls are adequate in light of risks arising from incentive compensation arrangements. As the service provider represents the institution by selling products or services on its behalf, the institution should consider whether the incentives provided might encourage the service provider to take imprudent risks. Inappropriately structured incentives may result in reputational damage, increased litigation, or other risks to the financial institution. An example of an inappropriate incentive would be one where variable fees or commissions encourage the service provider to direct customers to products with higher profit margins without due consideration of whether such products are suitable for the customer.

E. Oversight and Monitoring of Service Providers

To effectively monitor contractual requirements, financial institutions should establish acceptable performance metrics that the business line or relationship management determines to be indicative of acceptable performance levels. Financial institutions should ensure that personnel with oversight and management responsibilities for service providers have the appropriate level of expertise and stature to manage the outsourcing arrangement. The oversight process, including the level and frequency of management reporting, should be risk-focused. Higher risk service providers may require more frequent assessment and monitoring and may require financial institutions to designate individuals or a group as a point of contact for those service providers. Financial institutions should tailor and implement risk mitigation plans for higher risk service providers that may include processes such as additional reporting by the service provider or heightened monitoring by the financial institution. Further, more frequent and stringent monitoring is necessary for service providers that exhibit performance, financial, compliance, or control concerns. For lower risk service providers, the level of monitoring can be lessened.

Financial condition: Financial institutions should have established procedures to monitor the financial condition of service providers to evaluate their ongoing viability. In performing these assessments, financial institutions should review the most recent financial statements and annual report with regard to outstanding commitments, capital strength, liquidity and operating results. If a service provider relies significantly on subcontractors to provide services to financial institutions, then the service provider's controls and due diligence regarding the subcontractors should also be reviewed.
286 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Internal controls: For significant service provider relationships, financial institutions should assess the adequacy of the provider's control environment. Assessments should include reviewing available audits or reports such as the American Institute of Certified Public Accountants' Service Organization Control 2 report.10 If the service provider delivers information technology services, the financial institution can request the FFIEC Technology Service Provider examination report from its primary federal regulator. Security incidents at the service provider may also necessitate the institution to elevate its monitoring of the service provider.

Escalation of oversight activities: Financial institutions should ensure that risk management processes include triggers to escalate oversight and monitoring when service providers are failing to meet performance, compliance, control, or viability expectations. These procedures should include more frequent and stringent monitoring and follow-up on identified issues, on-site control reviews, and when an institution should exercise its right to audit a service provider's adherence to the terms of the agreement. Financial institutions should develop criteria for engaging alternative outsourcing arrangements and terminating the service provider contract in the event that identified issues are not adequately addressed in a timely manner.

F. Business Continuity and Contingency Considerations

Various events may affect a service provider's ability to provide contracted services. For example, services could be disrupted by a provider's performance failure, operational disruption, financial difficulty, or failure of business continuity and contingency plans during operational disruptions or natural disasters. Financial institution contingency plans should focus on critical services provided by service providers and consider alternative arrangements in the event that a service provider is unable to perform.11 When preparing contingency plans, financial institutions should:

• Ensure that a disaster recovery and business continuity plan exists with regard to the contracted services and products;
• Assess the adequacy and effectiveness of a service provider's disaster recovery and business continuity plan and its alignment to their own plan;
• Document the roles and responsibilities for maintaining and testing the service provider's business continuity and contingency plans;
• Test the service provider's business continuity and contingency plans on a periodic basis to ensure adequacy and effectiveness; and
• Maintain an exit strategy, including a pool of comparable service providers, in the event that a contracted service provider is unable to perform.

G. Additional Risk Considerations

Suspicious Activity Report (SAR) reporting functions: The confidentiality of suspicious activity reporting makes the outsourcing of any SAR-related function more complex. Financial institutions need to identify and monitor the risks associated with using service providers to perform certain suspicious activity reporting functions in compliance with the Bank Secrecy Act (BSA). Financial institution management should ensure they understand the risks associated with such an arrangement and any BSA-specific guidance in this area.

Foreign-based service providers: Financial institutions should ensure that foreign-based service providers are in compliance with applicable U.S. laws, regulations, and regulatory guidance. Financial institutions may also want to consider laws and regulations of the foreign-based provider's country or regulatory authority regarding the financial institution's ability to perform on-site review of the service provider's operations. In addition, financial institutions should consider the authority or ability of home country supervisors to gain access to the financial institution's customer information while examining the foreign-based service provider.

Internal audit: Financial institutions should refer to existing guidance on the engagement of independent public accounting firms and other outside professionals to perform work that has been traditionally carried out by internal auditors.12 The Sarbanes-Oxley Act of 2002 specifically prohibits a registered public accounting firm from performing certain non-audit services for a public company client for whom it performs financial statement audits.

Risk management activities: Financial institutions may outsource various risk management activities, such as aspects of interest rate risk and model risk management. Financial institutions should require service providers to provide information that demonstrates developmental evidence explaining the product components, design, and intended use, to determine whether the products and/or services are appropriate for the institution's exposures and risks.13 Financial institutions should also have standards and processes in place for ensuring that service providers offering model risk management services, such as validation, do so in a way that is consistent with existing model risk management guidance.

10 Refer to www.AICPA.org.

11 For further guidance regarding business continuity planning with service providers, refer to the FFIEC Business Continuity Booklet (March 2008) at http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx.

12 Refer to SR 13-1, "Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing," specifically the section titled, "Depository Institutions Subject to the Annual Audit and Reporting Requirements of Section 36 of the FDI Act" at http://www.federalreserve.gov/bankinforeg/srletters/sr1301.htm. Refer also to SR 03-5, "Amended Interagency Guidance on the Internal Audit Function and Its Outsourcing," particularly the section titled, "Institutions Not Subject to Section 36 of the FDI Act That Are Neither Public Companies Nor Subsidiaries of Public Companies" at http://www.federalreserve.gov/boarddocs/srletters/2003/sr0305.htm.

13 Refer to SR 11-7, "Guidance on Model Risk Management," which informs financial institutions of the importance and risk to the use of models and the supervisory expectations that financial institutions should adhere to, at http://www.federalreserve.gov/bankinforeg/srletters/sr1107.htm.

Management of
Risks Associated
with Money
Laundering
and Financing
of Terrorism
Learning Objective
A fter com pleting this reading you should be able to:

Explain best practices recom m ended for the assessm ent,


m anagem ent, mitigation and monitoring of money
laundering and financial terrorism (M L/FT) risks.

By Mark Carey of the G A R P Risk Institute.


Many nations and international bodies have developed laws, regulations or guidelines focused on limiting the use of banking services to support criminal activities, particularly money laundering (ML) or financing of terrorism (FT). Though involvement with ML or FT is an operational risk, management of this risk has become a separate subfield due to the intensity of regulatory attention to the issue, the significant level of fines, and the creativity of criminals and terrorists.

This chapter summarizes the Basel Committee's 2016 "Sound Management of Risks Related to Money Laundering and Financing of Terrorism," as well as some of the Financial Action Task Force's (FATF) 2016 "The FATF Recommendations" and other documents.

Note that this chapter is only an overview. Risk managers in areas where management of ML/FT risks is central should examine this topic in further readings and undergo any requisite training.

17.1 BACKGROUND

Criminals and terrorists use payment services to finance their activities, or to convert funds linked to criminal activity (including tax evasion) to an untainted or laundered form. Because banks are at the heart of the global payment system, they are uniquely vulnerable to being ensnared in such activities, which can expose them to reputational losses, fines, convictions, and restrictions on their ability to do business.

In addition to the usual attention to governance arrangements, policies and procedures, ML/FT risk management includes some specific activities that supervisors and other authorities expect at every bank:

• Risk assessment
• Customer due diligence and acceptance (CDD) [aka Know Your Customer (KYC)]
• Transaction and other monitoring
• Reporting of suspicious activity and freezing assets
• Addressing risks associated with global operations
• Attention to third-party risk and correspondent banking risks
• Awareness of an array of official sector pronouncements. Among the most important are standards issued by the Financial Action Task Force (FATF), an intergovernmental coordinating body.1 Some others appear in the list of references at the end of this chapter.

On December 3, 2018, several financial regulatory agencies of the U.S. government issued a "Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing," which expressed their openness to "innovative efforts" and noted that some banks have been experimenting with machine learning models and digital identity technologies to identify risks, monitor transactions, and aid in the reporting of suspicious activity. To date, Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) supervisory activity in the United States has focused on compliance, with detailed guidance influencing bank internal procedures. The agencies state that any flaws found in banks' internal procedures as a result of innovative activities will not be used against these firms by supervisors. Although the agencies imply that internal procedures might someday be permitted to depart from existing compliance requirements where innovations are successful, they also imply that for the moment banks must continue to satisfy existing compliance requirements.

17.2 APPLICATION OF STANDARD PRACTICES

Banks should apply (though not limit themselves to) standard risk management practices:

• Governance: The board of directors should approve and oversee risk assessments, policies, organization, risk management and compliance in the specific context of ML/FT. To that end, a chief ML/FT officer should be appointed.
• As in other risk areas, banks are expected to have three lines of defense:
1. Business units must identify, assess and control ML/FT risks; have written policies and procedures as well as employee training; and screen potential employees.
2. The risk function and/or the function under the chief ML/FT officer must monitor the effectiveness of first line management of ML/FT risks and compliance with all policies and procedures. Conflicts of interest on the part of second line employees should be avoided. The chief ML/FT officer should have direct reporting lines to senior management or the board.
3. Internal auditors and/or external equivalents should independently evaluate ML/FT risk management and controls.

1 FATF, "International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation," February 2012; and "Methodology," February 2013.

17.3 RISK ASSESSMENT

Banks should assess and understand the ML/FT risks inherent within their businesses and customer base:

• All relevant risk factors at the country, sector, bank and business relationship levels should be considered. Characteristics of the customer base, products and services offered, and delivery channels should be considered.
• For each customer or business relationship, a profile of normal activity should be built to support identification of abnormal activity.
• Risk assessments should be documented for potential inspection by authorities.
• International banks should be attentive to national risk assessments and country reports.

17.4 CUSTOMER DUE DILIGENCE AND ACCEPTANCE

Some customers pose a low risk of involving a bank in ML/FT activity (e.g., a long established client employed in the community with regular, small account inflows and outflows) and some pose a high risk (e.g., a person with a past record of criminal activity with large and intermittent account inflows and outflows). If a bank chooses to do business with a high-risk customer, more intensive ongoing monitoring of that customer's activity is needed. Moreover, to classify customers by level of risk, a bank should have well-developed customer identification and acceptance policies and procedures. Such policies and procedures should not prevent the general public, nor people who are financially or socially disadvantaged, from accessing banking services.

• Written policies and procedures should exist to ensure that a customer is not accepted, and business is not done, until the customer's identity has been satisfactorily established. Reliable, independent source documents and information should be used in identification. Consideration should be given to a customer's home jurisdiction(s), including whether that jurisdiction is known to have ML/FT deficiencies. The reasons the customer is opening accounts should also be considered.
• Politically exposed persons (PEP), such as former high government officials, pose higher risk given the possibility that some wealth may have been obtained through corruption.
• Consider the potential customer's background, occupation, source of wealth and income, and country of origin and residence.
• Though information about a customer's previous banking relationships may be helpful, the fact that a customer previously had accounts at another bank is not sufficient to classify the customer as low-risk or as well-identified. For example, the previous bank may have ejected the customer due to ML/FT concerns.
• Due diligence and monitoring may be more complex for banks operating internationally, particularly for those operating in jurisdictions that do not permit customer information to cross borders. However, information should be combined and analyzed across the group as much as possible.
• In some jurisdictions, banks may be permitted to rely on third parties for some customer due diligence. Banks should ensure that the third parties' own management of ML/FT risks is sound and are ultimately responsible even if decisions are made by third parties. Arrangements, controls and reviews should be documented.

17.5 TRANSACTION AND OTHER MONITORING AND REPORTING

Banks should monitor customer and transaction activity for unusual patterns to identify potential ML/FT activity.

• A profile of normal activity and transactions must be built in order to aid identification of abnormal activity, such as unusual business relationships and transactions.
• The higher the assessment of the risk posed by a customer, the more intense and wide-ranging the monitoring.
• Changes in a customer's risk profile should trigger changes in the intensity of monitoring.
• Monitoring should cover all accounts and transactions.
• CDD information should be used.
• The larger and more complex the bank and its businesses, and the more international its operations, the more likely that automated monitoring applications will be needed.
• Monitoring activity should be documented.
• Especially where required by law, suspicious activity revealed by monitoring should be reported to appropriate law enforcement authorities.

17.6 CORRESPONDENT BANKING

Correspondent banking involves the provision of banking services by one bank to another bank. Of most concern in the
context of ML/FT is execution of cross-border payments by a correspondent bank for a respondent bank's customer.

• Because the correspondent bank does not have a relationship with the ultimate customer, it must perform due diligence on the respondent bank. Details of the services provided and of counterparties are relevant to the risk. The quality of the respondent banks' management of ML/FT risks is vitally important. As such, due diligence must be done on such management, and agreements among correspondent and respondent banks should set out responsibilities.
• Some correspondent banking activity involves nested respondent banks (i.e., the ultimate customer may have a relationship with the respondent bank's respondent bank). For example, a small bank might use a medium-sized bank, which in turn uses a large international bank as correspondent. Though many legitimate transactions and activities are conducted through such nested relationships, ML/FT risks are higher. This is especially true if relationships among respondent banks cross borders.
• When information about the risk changes, termination of correspondent banking relationships with a respondent bank may be appropriate.

17.7 WIRE TRANSFERS

Wire transfers are accomplished by sending payment messages among banks. Information about the originating bank and the customer should appear in the messages, and such information should be monitored.

17.8 INTERNATIONAL SCOPE

Banks with a presence in multiple countries should:

• Understand and abide by laws and regulations in each country. If a country's laws and regulations prevent adequate management of ML/FT risks, consider cessation of business in the country.
• Apply consistent group-wide policies and procedures.
• Share information across the group and use groupwide information and understanding in monitoring and risk assessment.

Good official-sector supervisory examination and enforcement in each country of bank management of ML/FT risks is important to global containment of ML/FT activity.

References

Basel Committee on Banking Supervision, 2016, "Sound Management of Risks Related to Money Laundering and Financing of Terrorism."

Financial Action Task Force, 2016, "The FATF Recommendations."

Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Financial Crimes Enforcement Network, National Credit Union Administration, Office of the Comptroller of the Currency, 2018, "Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing."
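As an added illustration of the monitoring practices in Section 17.5 (this is not code from the chapter or from any bank), the following Python sketch builds a profile of normal activity for each customer from its past amounts, scales the monitoring intensity by the customer's CDD risk tier, uses the jurisdiction information gathered at onboarding, and records every alert so that it can be documented and, where required, reported. The tier policy, the jurisdiction codes "XX"/"YY", and all customers and transactions are constructed sample data.

```python
"""Risk-tiered transaction monitoring built on a profile of normal activity."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Monitoring intensity by CDD risk tier (an assumed policy, not from the chapter):
# a tighter deviation threshold and an extra check for higher-risk customers.
TIER_POLICY = {
    "low":    {"z_threshold": 4.0, "check_jurisdiction": False},
    "medium": {"z_threshold": 3.0, "check_jurisdiction": True},
    "high":   {"z_threshold": 2.0, "check_jurisdiction": True},
}

# Placeholder codes for jurisdictions known to have ML/FT deficiencies.
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}


@dataclass
class Customer:
    customer_id: str
    risk_tier: str                       # outcome of CDD / KYC classification
    jurisdictions: set                   # home jurisdiction(s) recorded at onboarding
    history: list = field(default_factory=list)   # past transaction amounts


@dataclass
class Transaction:
    txn_id: str
    customer_id: str
    amount: float
    counterparty_country: str


@dataclass
class Alert:
    txn_id: str
    customer_id: str
    reason: str


def build_profile(history):
    """Profile of normal activity: mean and dispersion of past amounts.
    The dispersion is floored so that a customer with a perfectly regular
    history does not alert on every small change."""
    mu = mean(history)
    sigma = max(pstdev(history), 0.05 * mu, 1.0)
    return mu, sigma


def monitor(customers, transactions):
    """Return the alerts raised for a batch of transactions. Each alert is a
    record to be documented and, where required, reported."""
    profiles = {cid: build_profile(c.history) for cid, c in customers.items()}
    alerts = []
    for t in transactions:
        cust = customers[t.customer_id]
        policy = TIER_POLICY[cust.risk_tier]
        mu, sigma = profiles[cust.customer_id]
        z = (t.amount - mu) / sigma
        if z > policy["z_threshold"]:
            alerts.append(Alert(t.txn_id, cust.customer_id,
                                f"amount {z:.1f} sd above normal activity"))
        if policy["check_jurisdiction"]:
            country = t.counterparty_country
            if country in HIGH_RISK_JURISDICTIONS:
                alerts.append(Alert(t.txn_id, cust.customer_id,
                                    f"counterparty in high-risk jurisdiction {country}"))
            elif country not in cust.jurisdictions:
                alerts.append(Alert(t.txn_id, cust.customer_id,
                                    f"counterparty outside recorded jurisdictions ({country})"))
    return alerts


def reclassify(customer, new_tier):
    """A change in a customer's risk profile changes the monitoring intensity
    applied on the next run, because the tier selects the policy."""
    if new_tier not in TIER_POLICY:
        raise ValueError(f"unknown risk tier {new_tier!r}")
    customer.risk_tier = new_tier
    return customer


# Constructed sample data.
CUSTOMERS = {
    "C1": Customer("C1", "low", {"US"}, [950, 1020, 1000, 980, 1050, 1000]),
    "C2": Customer("C2", "high", {"US", "GB"}, [40_000, 5_000, 60_000, 12_000]),
}
TRANSACTIONS = [
    Transaction("T1", "C1", 1_150, "US"),    # 3 sd above C1's profile: alerts only at a tighter tier
    Transaction("T2", "C1", 9_000, "XX"),    # far above profile; jurisdiction not checked at low tier
    Transaction("T3", "C2", 55_000, "GB"),   # large, but normal for C2 and within its jurisdictions
    Transaction("T4", "C2", 30_000, "XX"),   # normal size, but high-risk jurisdiction
]

if __name__ == "__main__":
    for alert in monitor(CUSTOMERS, TRANSACTIONS):
        print(alert)
    reclassify(CUSTOMERS["C1"], "high")     # risk profile changed: tighter monitoring
    for alert in monitor(CUSTOMERS, TRANSACTIONS):
        print(alert)
```

Running it twice, before and after reclassifying C1, shows the same batch producing two alerts and then four, which is the "changes in risk profile trigger changes in intensity" point in practice.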

Regulation of the OTC Derivatives Market

Learning Objectives

After completing this reading you should be able to:

Summarize the clearing process in OTC derivative markets.

Describe changes to the regulation of OTC derivatives which took place after the 2007-2009 financial crisis and explain the impact of these changes.

Excerpt is Chapter 17 of Risk Management and Financial Institutions, Fifth Edition, by John C. Hull.
The exchange-traded market is a market where products developed by an exchange are bought and sold on a trading platform developed by the exchange. A market participant's trade must be cleared by a member of the exchange clearing house. The exchange clearing house requires margin (i.e., collateral) from its members, and the members require margin from the brokers whose trades they are clearing. The brokers in turn require margin from their clients.

The OTC market is a market where financial institutions, fund managers, and corporate treasurers deal directly with each other. An exchange is not involved. Before the 2007-2008 credit crisis, the OTC market was largely unregulated. Two market participants could enter into any trade they liked. They could agree to post collateral or not post collateral. They could agree to clear the trade directly with each other or use a third party. Also, they were under no obligation to disclose details of the trade to anyone else.

Since the crisis, the OTC market has been subject to a great deal of regulation. This chapter will explain the regulations and show that regulatory pressure is leading to the OTC market becoming more like the exchange-traded market.

18.1 CLEARING IN OTC MARKETS

We start by describing how transactions are cleared in the OTC market. There are two main approaches: central clearing and bilateral clearing. They are illustrated schematically in Figure 18.1 (which makes the simplifying assumption that there are only eight market participants and only one CCP). In bilateral clearing, market participants clear transactions with each other. In central clearing, a third party, known as a central counterparty (CCP), clears the transactions.

Figure 18.1 Bilateral and central clearing. (Panels: Bilateral clearing; Clearing through a single CCP.)

Margin

Before proceeding to describe bilateral and central clearing in more detail, we review the operation of margin accounts. Margin is the word now used to describe the collateral posted in OTC markets as well as exchange-traded markets.

Variation margin is the collateral posted to reflect the change in the value of a derivatives portfolio. Consider the situation where Party A is trading with Party B and the collateral agreement states that variation margin (with no threshold or minimum transfer amount) has to be posted by both sides.1 This means that, if the value of outstanding transactions changes during a day so that they increase in value by $X to A (and therefore decrease in value by $X to B), B has to provide A with $X of acceptable collateral. The cumulative effect of variation margin is that, if outstanding derivatives have a value of +$V to A and −$V to B at a particular time, B should have posted a total of $V of collateral with A by that time.2

Variation margin provides some protection against a counterparty default. It would provide total protection in an ideal world where (a) the counterparty never owes any variation margin at the time of default and (b) all outstanding positions can be replaced at mid-market prices as soon as the counterparty defaults. In practice, defaulting counterparties often stop posting collateral several days before they default, and the non-defaulting counterparty is usually subject to a bid-offer spread as it replaces transactions.3 To allow for adverse movements in the value of the portfolio during a period prior to defaulting when no margin is being posted, market participants sometimes require initial margin in addition to variation margin. Note that, in this context, adverse market movements are increases in the value of the portfolio to the non-defaulting party, not decreases. This is because increases in the value during a period when variation margin is not being posted lead to increases in replacement costs.4 Initial margin, which can change through time as the outstanding portfolio and relevant volatilities change, reflects the risk of a loss due to adverse market moves and the costs of replacing transactions.5

1 A and B could be two derivatives dealers or a derivatives dealer and one of its clients. Also, one of A and B could be a CCP. A threshold is a minimum value of the portfolio to one side before it can demand margin, and the minimum transfer amount is the minimum change in value necessary for a margin to have to be posted.

2 In this context, note that if A buys an option from B for $10,000, it must pay $10,000 to B, but B must then return the $10,000 to A as variation margin.

3 As explained later, the non-defaulting counterparty is able to claim from the defaulting party the cost related to the bid-offer spread that it would incur in replacing the transaction.

4 It may seem strange that a market participant would be worried about the value of its transactions increasing. But suppose a transaction with a defaulting counterparty is hedged with another transaction entered into with another counterparty (as is often the case). The transaction with the other party can be expected to lose value without any compensating gain on the defaulted transaction.

5 As indicated earlier, the non-defaulting party is allowed to keep all margin posted by the defaulting party up to the amount that can be legitimately claimed.

Most margin is cash, but the agreements in place may specify that securities can be posted instead of cash. The securities may be subject to a haircut. This means that the market value of the securities is reduced to determine their value for margin purposes. For example, a Treasury bond might be subject to a 10% haircut, indicating that, if its market value were $100, it would cover only $90 of a margin requirement.

Should cash margin earn interest? There is a difference between futures markets and OTC markets here. A futures exchange clearing house requires both initial margin and variation margin from members. Members earn interest on the initial margin. But they do not do so on variation margin because futures contracts are settled daily so that variation margin does not belong to the member posting it. In the case of OTC trades, interest is usually earned on all cash margin posted because trades are not settled daily.

Central Clearing

In central clearing, a central counterparty (CCP) handles the clearing. A CCP operates very much like an exchange clearing house. When two companies, A and B, agree to an over-the-counter derivatives transaction and decide to clear it centrally, they present it to a CCP. Assuming that the CCP accepts it, the CCP acts as an intermediary and enters into offsetting transactions with the two companies.

Suppose, for example, that the transaction is an interest rate swap where company A pays a fixed rate of 5% to company B on a principal of $100 million for five years and company B pays LIBOR to company A on the same principal for the same period of time. Two separate transactions are created. Company A has a transaction with the CCP where it pays 5% and receives LIBOR on $100 million. Company B has a transaction with the CCP where it pays LIBOR and receives 5% on $100 million. The two companies no longer have credit exposure to each other. This is illustrated in Figure 18.2. If one or both parties to the transaction are not members of the CCP, they can clear the transaction through members.

Figure 18.2 Role of CCP in OTC markets. (Panels: The OTC Trade; Role of CCP.)

Three large CCPs are

1. SwapClear (part of LCH Clearnet in London),
2. ClearPort (part of the CME Group in Chicago), and
3. ICE Clear Credit (part of the Intercontinental Exchange).

A CCP requires its members to provide initial margin and variation margin for the transactions being cleared. Typically, the initial margin is calculated so that there is a 99% probability that it will cover market moves over five days. This protects the CCP from losses as it tries to close out or replace the positions of a defaulting member.

Consider the swap in Figure 18.2. Suppose for simplicity that it is the only transaction each side has with the CCP. The CCP might require an initial margin of $0.5 million from each side. If, on the first day, interest rates fall so that the value of the swap to A goes down by $100,000, Party A would be required to pay a variation margin equal to this to the CCP, and the CCP would be required to pay the same amount to B. There could also be a change to the initial margin requirements determined by the CCP. If required margin is not paid by one of its members, the CCP closes out its transactions with that member. Cash and Treasury instruments are usually accepted as margin by CCPs. Typically the interest rate paid on cash balances is close to the overnight federal funds rate for U.S. dollars (and close to similar overnight rates for other currencies).

In practice, market participants are likely to have multiple transactions outstanding with the CCP at any given time. The initial margin required from a participant at any given time reflects the volatility of the value of its total position with the CCP. The role of a CCP in the OTC market is similar to the role of a clearing house in the exchange-traded market. The main difference is that transactions handled by the CCP are usually less standard than transactions in the exchange-traded market so that the calculation of margin requirements is more complicated.

The key advantage of clearing a transaction through a CCP is that OTC market participants do not need to worry about the creditworthiness of the counterparties they trade with. Credit risk is handled by the CCP using initial and variation margin.

A CCP requires its members to contribute to a default fund. (As mentioned, if one or both parties to a transaction are not members of the CCP, they can clear the transaction through members. They will then have to post margin with the members.) If a member fails to post margin when required, the member is in default and its positions are closed out. In closing out a member's positions, the CCP may incur a loss. A waterfall
defines who bears the loss. The order in which the loss is funded is usually as follows:

1. The initial margin of the defaulting member
2. The default fund contribution of the member
3. The default fund contributions of other members
4. The equity of the CCP6

This is similar to the way losses in the event of a default are funded by an exchange clearing house.

Bilateral Clearing

In bilateral clearing, each pair of market participants enters into an agreement describing how all future transactions between them will be cleared. Typically this is an ISDA master agreement. (ISDA is short for International Swaps and Derivatives Association.) An annex to the agreement, known as the credit support annex (CSA), defines collateral arrangements. In particular, it defines what collateral (if any) has to be posted by each side, what assets are acceptable as collateral, what haircuts will be applied, and so on. The main body of the agreement defines what happens when one side defaults (e.g., by declaring bankruptcy, failing to make payments on the derivatives as they are due, or failing to post collateral when required). We will discuss this in more detail shortly.

Netting

We discussed netting in connection with the Basel I rules in the section "Netting." Netting is a feature of ISDA master agreements and a feature of the agreements between CCPs and their members. It states that all transactions between two parties are considered to be a single transaction when (a) collateral requirements are being calculated and (b) early terminations occur because of a default. As explained in the section "Netting," netting reduces credit risk because it means that the defaulting party cannot choose to default on transactions that are out-of-the-money while keeping transactions that are in-the-money.

Netting can also save initial margin. Suppose Party A has two transactions with a CCP that are not perfectly correlated. The initial margin for the portfolio is likely to be less than that for the two transactions separately.

Events of Default

Derivatives transactions are treated differently from other transactions in the event that a market participant fails to meet its obligations. For example, in ISDA master agreements there is an early termination provision that takes precedence over bankruptcy rules. This states that, if there is an "event of default," the non-defaulting party has the right to terminate all transactions with the defaulting party after a short period of time has elapsed.7 Events of default include declarations of bankruptcy, failure to make payments as they are due, and failure to post collateral when required.8 Non-derivative contracts cannot always be terminated in this way. Another important difference between derivatives transactions and non-derivatives transactions is that in the case of derivatives transactions the non-defaulting party can take immediate possession of any collateral that has been posted by the defaulting party. It does not have to get a court order to allow it to do this.

If there is an event of default under an ISDA master agreement, the non-defaulting party calculates the mid-market value of outstanding transactions. It then adjusts this valuation in its favor by half the bid-offer spreads on the transactions for the purposes of calculating a settlement amount. This adjustment is compensation for the fact that it will have to trade with other dealers to replace the transactions and it will be subject to their bid-offer spreads when it does so. Suppose that one transaction has a mid-market value of $20 million to the non-defaulting party and that the transaction is bid $18 million, offer $22 million. For the purposes of settlement, the transaction would be valued at $22 million because this is what it would cost the non-defaulting party to replace the defaulting party's position in the transaction. If the non-defaulting party had the other side of the transaction so that its mid-market value was −$20 million, it would be valued at −$18 million for settlement purposes. In this case, the assumption is that a third party would be prepared to pay only $18 million to take the defaulting party's position.

6 In some cases, the non-defaulting members are required to provide additional default fund contributions when there is a default, with a cap on the amount of these additional contributions. (This is true of both exchange clearing houses and CCPs.)

7 The non-defaulting party is not obliged to terminate transactions. Counterparties that are out-of-the-money sometimes consider that it is in their best interests not to terminate.

8 Failure resolution mechanisms have been proposed where transactions are stayed (i.e., not terminated) for a period of time even if there is a bankruptcy filing, provided margin/collateral continues to be posted. These would allow the derivatives portfolios of bankrupt market participants to be unwound in an orderly way.
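The variation-margin pass-through and the four-layer default waterfall described above, as an added worked example in Python (not code from the chapter, from Hull, or from any CCP). It starts from the chapter's numbers ($0.5 million initial margin from each side, a $100,000 first-day move against A) and then assumes that A fails to pay margin and is closed out; members C and D, all default-fund sizes, the CCP's equity and the $1.7 million close-out loss are constructed so that every layer of the waterfall is reached.

```python
"""Variation-margin pass-through and the CCP default waterfall."""
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    initial_margin: float      # posted to the CCP; returned if the member does not default
    default_fund: float        # contribution to the mutualised default fund
    vm_paid: float = 0.0       # cumulative variation margin paid (+) or received (-)
    defaulted: bool = False


@dataclass
class CCP:
    equity: float
    members: dict = field(default_factory=dict)

    def add(self, member):
        self.members[member.name] = member

    def variation_margin(self, payer, receiver, amount):
        """A change of `amount` in a cleared trade's value: the losing side pays
        variation margin to the CCP and the CCP pays the same amount to the
        winning side. Returns the CCP's net retained variation margin, which is
        zero because the CCP runs a matched book."""
        self.members[payer].vm_paid += amount
        self.members[receiver].vm_paid -= amount
        return self.members[payer].vm_paid + self.members[receiver].vm_paid

    def close_out(self, name, loss):
        """Allocate the loss from closing out a defaulting member's positions
        down the waterfall: (1) the defaulter's initial margin, (2) its own
        default-fund contribution, (3) the other members' default-fund
        contributions pro rata, (4) the CCP's equity. Returns the allocation
        by layer plus any loss the waterfall could not absorb."""
        d = self.members[name]
        d.defaulted = True
        allocation, remaining = {}, loss

        take = min(remaining, d.initial_margin)          # layer 1
        d.initial_margin -= take
        allocation["defaulter_initial_margin"] = take
        remaining -= take

        take = min(remaining, d.default_fund)            # layer 2
        d.default_fund -= take
        allocation["defaulter_default_fund"] = take
        remaining -= take

        survivors = [m for m in self.members.values() if not m.defaulted]
        pool = sum(m.default_fund for m in survivors)    # layer 3
        take = min(remaining, pool)
        for m in survivors:
            if pool > 0:
                m.default_fund -= take * m.default_fund / pool
        allocation["other_members_default_fund"] = take
        remaining -= take

        take = min(remaining, self.equity)               # layer 4
        self.equity -= take
        allocation["ccp_equity"] = take
        remaining -= take

        allocation["unallocated"] = remaining
        return allocation


def scenario():
    """The chapter's swap: A and B each post $0.5 million initial margin, and on
    day 1 the swap loses $100,000 of value to A, which A pays as variation margin
    and the CCP passes on to B. Then A fails to pay margin and is closed out at an
    assumed loss of $1.7 million, enough to reach every layer of the waterfall.
    Members C and D and all default-fund sizes are constructed."""
    ccp = CCP(equity=2_000_000)
    for name in ("A", "B", "C", "D"):
        ccp.add(Member(name, initial_margin=500_000, default_fund=250_000))
    ccp.variation_margin("A", "B", 100_000)
    allocation = ccp.close_out("A", 1_700_000)
    return ccp, allocation


if __name__ == "__main__":
    ccp, allocation = scenario()
    for layer, amount in allocation.items():
        print(f"{layer:>28}: {amount:>12,.0f}")
    print("CCP equity after default:", f"{ccp.equity:,.0f}")
```

The survivors' default-fund contributions are wiped out before the CCP's own equity is touched, which is why footnote 6's capped replenishment calls matter to non-defaulting members.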

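The close-out calculation under an ISDA master agreement, with and without netting, as an added worked example in Python (not code from the chapter or from Hull). It uses the chapter's transaction ($20 million mid, bid $18 million, offer $22 million) and its mirror image, adds a constructed third trade, and then applies posted collateral to the resulting claim in the way footnote 5 describes; the portfolio and collateral amounts are constructed.

```python
"""Close-out settlement under an ISDA master agreement, with and without netting."""
from dataclasses import dataclass


@dataclass
class Trade:
    trade_id: str
    mid: float     # mid-market value to the non-defaulting party (positive in its favour)
    bid: float
    offer: float

    def settlement_value(self):
        """Mid-market value adjusted in the non-defaulting party's favour by half
        the bid-offer spread: a positive-value trade is valued at the offer it
        would pay to replace the position, a negative-value trade at the bid a
        third party would pay to take it over."""
        half_spread = (self.offer - self.bid) / 2
        return self.mid + half_spread


def gross_exposure(trades):
    """Without netting the defaulting party can keep the trades that are in its
    favour and default on the rest, so the non-defaulting party's claim is the
    sum of only the positive settlement values."""
    return sum(max(t.settlement_value(), 0.0) for t in trades)


def net_settlement(trades):
    """With netting all trades are one transaction: a single net amount is owed,
    positive meaning the defaulting party owes the non-defaulting party."""
    return sum(t.settlement_value() for t in trades)


def apply_collateral(claim, collateral_held):
    """The non-defaulting party keeps collateral posted by the defaulter up to
    the amount it can legitimately claim; the excess is returned and any
    shortfall is an unsecured claim on the defaulter."""
    if claim <= 0:
        return {"kept": 0.0, "returned": collateral_held, "unsecured": 0.0}
    kept = min(claim, collateral_held)
    return {"kept": kept, "returned": collateral_held - kept, "unsecured": claim - kept}


# Constructed portfolio, built around the chapter's example transaction.
PORTFOLIO = [
    Trade("swap-1", 20e6, 18e6, 22e6),     # chapter's example: settled at 22 million
    Trade("swap-2", -20e6, -22e6, -18e6),  # the other side of it: settled at -18 million
    Trade("swap-3", 5e6, 4.5e6, 5.5e6),    # constructed: settled at 5.5 million
]

if __name__ == "__main__":
    for t in PORTFOLIO:
        print(f"{t.trade_id}: mid {t.mid:,.0f} -> settlement {t.settlement_value():,.0f}")
    print("claim without netting:", f"{gross_exposure(PORTFOLIO):,.0f}")
    print("claim with netting:   ", f"{net_settlement(PORTFOLIO):,.0f}")
    print("collateral of 4m applied:", apply_collateral(net_settlement(PORTFOLIO), 4e6))
```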
18.2 POST-CRISIS REGULATORY CHANGES

The OTC derivatives market was considered by many to have been partly responsible for the 2008 credit crisis. When the G20 leaders met in Pittsburgh in September 2009 in the aftermath of the 2008 crisis, they wanted to reduce systemic risk by regulating the OTC market. The statement issued by the leaders after the meeting included the following paragraph:

All standardized OTC derivative contracts should be traded on exchanges or electronic trading platforms, where appropriate, and cleared through central counterparties by end-2012 at the latest. OTC derivative contracts should be reported to trade repositories. Non-centrally cleared contracts should be subject to higher capital requirements. We ask the FSB and its relevant members to assess regularly implementation and whether it is sufficient to improve transparency in the derivatives markets, mitigate systemic risk, and protect against market abuse.

The results of this were three major changes affecting OTC derivatives:

1. A requirement that all standardized OTC derivatives be cleared through CCPs. Standardized derivatives include plain vanilla interest rate swaps (which account for the majority of OTC derivatives traded) and default swaps on credit indices. The purpose of this requirement is to reduce systemic risk (see Business Snapshot 21.1). It leads to derivatives dealers having less credit exposure to each other so that their interconnectedness is less likely to lead to a collapse of the financial system.
2. A requirement that standardized OTC derivatives be traded on electronic platforms. This is to improve transparency. The thinking is that, if there is an electronic platform for matching buyers and sellers, the prices at which products trade should be readily available to all market participants.9 The platforms are called swap execution facilities (SEFs) in the United States and organized trading facilities (OTFs) in Europe. In practice, standardized products, once they have been traded on these platforms, are passed automatically to a CCP.
3. A requirement that all trades in the OTC market be reported to a central trade repository. This requirement provides regulators with important information on the risks being taken by participants in the OTC market. It is partly a response to the AIG fiasco where regulators were not aware of the huge risks being taken by a subsidiary of AIG until the insurance company asked to be bailed out.

The first two of these requirements apply only to transactions between two financial institutions (or between a financial institution and a non-financial company that is considered to be systemically important because of the volume of its OTC derivatives trading). Derivatives dealers can therefore continue to trade with many of their non-financial corporate clients in the same way that they did pre-crisis.

About 25% of OTC transactions were cleared through CCPs pre-crisis and the remaining 75% were cleared bilaterally. As a result of the new rules, these percentages have flipped so that approximately 75% of OTC transactions are now cleared through CCPs, while 25% are cleared bilaterally.

Uncleared Trades

Following another G20 meeting in 2011, the rules have been tightened for non-standard OTC derivatives. These are the derivatives that are not covered by the rules just mentioned. They are cleared bilaterally rather than centrally and are referred to as uncleared trades. Regulations, which are being implemented between 2016 and 2020, require uncleared trades between two financial institutions (or between a financial institution and a non-financial company that is considered to be systemically important) to be subject to rules on the margin that has to be posted. Previously, one of the attractions of bilateral clearing was that market participants were free to negotiate any credit support annex to their ISDA master agreements.

The rules state that both initial margin and variation margin must be posted for uncleared trades by both sides. Variation margin was fairly common in the OTC market pre-crisis (particularly in trades between derivatives dealers), but initial margin was rare. When entering into a transaction with a much less creditworthy counterparty, a derivatives dealer might insist on the counterparty posting initial margin. But the posting of initial margin by both sides was almost unheard of in the bilaterally cleared market.

Variation margin is usually transmitted directly from one counterparty to the other. Initial margin when posted by both sides cannot be handled in this way. If, for example, A transmitted $1 million of initial margin to B and B transmitted $1 million of initial margin to A, the initial margin would not serve the desired purpose because the transfers would cancel each other. For this reason the regulations require initial margin to be transmitted to a third party, where it is held in trust.

9 An issue here is that the type of electronic platform that is appropriate for swaps may not be the same as the one that is used by exchanges. Swaps are traded intermittently with large notional principals. Futures and options on an exchange trade continually and the size of trades is usually much smaller.



Determination of Initial Margin: SIMM

For the new rules on uncleared transactions to work, the two sides to an ISDA master agreement must agree on the variation margin and initial margin. The variation margin requires agreement on the valuation of outstanding transactions, and procedures have been established for resolving any disagreements on this. The calculation of initial margin is more complicated than valuing the transactions and there is more scope for different models to give different results. As a result there have been attempts to develop an industry standard.

Initial margin is specified in the regulations for portfolios of uncleared transactions between two parties as the gain in value over 10 days that we are 99% certain will not be exceeded in stressed market conditions. Note that initial margin is the mirror image of VaR. When we are calculating VaR, we are determining extreme percentiles of the loss distribution, but when we are calculating initial margin we are determining extreme percentiles of the gain distribution. This is because exposure increases as the uncollateralized value of a portfolio increases.

The Basel Committee proposed a grid approach for calculating initial margin, which specified initial margin as a percentage of notional principal for different types of transactions. This was unpopular because it did not incorporate netting. If a market participant entered into a certain transaction on Day 1 and an almost offsetting transaction on Day 5, both with the same counterparty, the initial margin on Day 5 would be almost double that on Day 1, even though the net exposure to the counterparty would be close to zero. ISDA proposed what is known as the Standard Initial Margin Model (SIMM) as a way of overcoming this. This model has now been approved by regulators.

Delta and vega risks are handled using the weighted sensitivities and risk weights so that

$$\mathrm{IM(Delta\ and\ Vega)} = \sqrt{\sum_{i=1}^{n}\sum_{j=1}^{n} \delta_i\,\delta_j\,\rho_{ij}\,W_i\,W_j}$$

where $W_i$ is the risk weight for risk factor $i$ (specified by the regulators), $\delta_i$ is the sensitivity of the position held to risk factor $i$ (determined by the bank), and $\rho_{ij}$ is the correlation between risk factors $i$ and $j$ (specified by the regulators). Because a 10-day time horizon with 99% confidence is used, a possible formula for $W_i$ is

$$W_i = \sqrt{10}\times N^{-1}(0.99)\,\sigma_i \qquad (18.1)$$

where $\sigma_i$ is the daily volatility (or standard deviation, in the case of interest rates, credit spreads, and volatilities) of the $i$th risk factor in stressed market conditions.

To calculate the incremental effect on initial margin of gamma risk, SIMM first considers the situation where all deltas are zero and there is no cross gamma. The mean and standard deviation of the change in the value of the portfolio over one day are:

$$E(\Delta P) = \sum_i \tfrac{1}{2}\gamma_i\,\sigma_i^2$$

$$SD(\Delta P) = \sqrt{\sum_i \tfrac{1}{2}\gamma_i^2\,\sigma_i^4}$$

where $\gamma_i$ is the gamma with respect to the $i$th risk factor. (These follow from $\Delta P = \sum_i \tfrac{1}{2}\gamma_i\,\Delta x_i^2$ with each $\Delta x_i$ normally distributed with mean zero and standard deviation $\sigma_i$, for which $E(\Delta x_i^2) = \sigma_i^2$ and $\mathrm{Var}(\Delta x_i^2) = 2\sigma_i^4$.) Estimates of the mean and standard deviation of portfolio change over 10 days are obtained by replacing $\sigma_i$ with $\sqrt{10}\,\sigma_i$. Defining

$$C_i = \tfrac{1}{2}\gamma_i\left(\sqrt{10}\,\sigma_i\right)^2$$

the mean, $m$, and standard deviation, $s$, of the 10-day change are therefore given by

$$m = \sum_i C_i, \qquad s = \sqrt{2\sum_i C_i^2}$$

SIMM then sets

$$\mathrm{IM(Gamma)} = m + \lambda s$$

The parameter $\lambda$ in this equation is (see Problem 18.14) defined in terms of $\beta$, as indicated in Figure 18.3. This relationship produces results that have the right properties and correspond closely with tests carried out using Monte Carlo simulation.

Figure 18.3 Relation between λ and β.

298 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency

There are a number of other details in SIMM. To simplify matters, gamma is calculated from vega using the relationship between the two that holds for European options. Risk factors are divided into buckets, and some risk factors involve term structures with vertices. There are rules specified for calculating the correlations $\rho_{ij}$ both within buckets and between buckets.
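The SIMM aggregation above as a small worked example. This is added illustration, not code from the original text and not ISDA's own SIMM implementation: it builds risk weights from equation (18.1), aggregates two delta sensitivities through a correlation matrix, and computes the gamma add-on in terms of $C_i$, $m$ and $s$. The volatilities, correlations, sensitivities and the value of λ are constructed inputs (ISDA's published parameters are not on the page, and the text defines λ only through Figure 18.3, so it is passed in by the caller). The last function reproduces the netting point made against the grid approach: a Day-5 trade that almost offsets the Day-1 trade adds to a trade-by-trade charge but shrinks the margin on the netted sensitivities.

```python
"""SIMM-style initial margin: delta/vega aggregation and the gamma add-on.
Added illustration with constructed inputs; not ISDA's parameters or code."""
from math import sqrt
from statistics import NormalDist

Z_99 = NormalDist().inv_cdf(0.99)  # N^{-1}(0.99), about 2.326


def risk_weight(sigma_daily):
    """Equation (18.1): W_i = sqrt(10) * N^{-1}(0.99) * sigma_i for a stressed daily volatility."""
    return sqrt(10) * Z_99 * sigma_daily


def im_delta_vega(deltas, weights, corr):
    """IM(Delta and Vega) = sqrt( sum_i sum_j delta_i delta_j rho_ij W_i W_j )."""
    n = len(deltas)
    total = 0.0
    for i in range(n):
        for j in range(n):
            total += deltas[i] * deltas[j] * corr[i][j] * weights[i] * weights[j]
    return sqrt(max(total, 0.0))  # guard against tiny negative round-off


def im_gamma(gammas, sigmas_daily, lam):
    """Gamma add-on with deltas zero and no cross gamma:
    C_i = 0.5 * gamma_i * (sqrt(10) * sigma_i)^2, m = sum C_i, s = sqrt(2 * sum C_i^2),
    IM(Gamma) = m + lambda * s. lambda is caller-supplied here (assumption)."""
    c = [0.5 * g * (sqrt(10) * sig) ** 2 for g, sig in zip(gammas, sigmas_daily)]
    m = sum(c)
    s = sqrt(2.0 * sum(x * x for x in c))
    return {"m": m, "s": s, "im": m + lam * s}


# Constructed two-factor example (say 5y and 10y rates): stressed daily vols and a
# regulator-style correlation between the two factors.
SIGMAS = [0.010, 0.012]
CORR = [[1.0, 0.9], [0.9, 1.0]]
WEIGHTS = [risk_weight(s) for s in SIGMAS]


def netting_comparison():
    """Day-1 trade plus an almost offsetting Day-5 trade with the same counterparty.
    A grid approach charges each trade separately; SIMM margins the net sensitivities."""
    day1 = [1_000_000.0, -800_000.0]   # sensitivities in currency per unit move
    day5 = [-950_000.0, 760_000.0]     # 95% offset of day1
    net = [a + b for a, b in zip(day1, day5)]
    grid_like = im_delta_vega(day1, WEIGHTS, CORR) + im_delta_vega(day5, WEIGHTS, CORR)
    return {"grid_like": grid_like, "simm_net": im_delta_vega(net, WEIGHTS, CORR)}


if __name__ == "__main__":
    print("risk weights:", WEIGHTS)
    print("netting comparison:", netting_comparison())
    print("gamma add-on (lambda=1):", im_gamma([5e7, -2e7], SIGMAS, 1.0))
```

Because the delta/vega formula is homogeneous of degree one in the sensitivities, the netted margin scales with the size of the residual position (5% of Day 1 here), whereas the trade-by-trade total is 1.95 times the Day-1 margin; that is exactly the netting the grid approach could not recognise.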

18.3 IMPACT OF THE CHANGES

The new regulations have led to a world where more collateral is required for OTC derivatives transactions. Pre-crisis, most OTC transactions were cleared bilaterally and an initial margin was usually not required. Under the new regulations, most transactions will be cleared through CCPs where both initial and variation margin will be required from both sides. Furthermore, transactions that are cleared bilaterally between financial institutions will require even more collateral than they would if they could be cleared through CCPs.

As discussed by Duffie and Zhu, there is one potential partial offset to the huge increase in collateral requirements mandated by the new rules.10 Under central clearing there is the potential for more netting. In Figure 18.1, under bilateral clearing a market participant has many different netting sets, one for each of the other market participants. Under central clearing, there is only one netting set. Bank A can, for example, net its transactions where Bank B is the counterparty with its transactions where Bank C is the counterparty, provided that all go through the same CCP.

Figure 18.1, however, is a simplification. It suggests that the choice is between a 100% bilateral world and a world where all transactions are cleared through a single CCP. The reality is that (a) there will be a number of CCPs and it is quite likely that they will not cooperate with each other to reduce initial margin requirements, and (b) some transactions will continue to be cleared bilaterally; so banks will face a situation that is a mixture of the two worlds depicted in Figure 18.1.

It is even possible that the new rules requiring the use of CCPs could reduce rather than increase netting in some cases. This is illustrated by Figure 18.4, which shows the situation where there are three market participants and one CCP. For example, in B's dealings with A, the nonstandard transactions are worth 100 to B and -100 to A; the standard transactions are worth +50 to A and -50 to B.

Figure 18.4 Example where there are three market participants, one CCP, and two product types. One product type (represented by dotted lines) can be cleared; the other (represented by solid lines) cannot.

Dealer  | Exposure after bilateral netting
A       | 0
B       | 100
C       | 20
Average | 40

Dealer  | Exposure after netting including CCP | Exposure after netting excluding CCP
A       | 120                                  | 0
B       | 120                                  | 120
C       | 90                                   | 90
Average | 110                                  | 70

Without central clearing, the average exposure before collateral of the three parties is +40. With central clearing, the average exposure is 110 when the exposure to the CCP is included and 70 when it is not. Central clearing is likely to increase the collateral market participants have to post in this simple situation. This happens because without the central clearing rules standard transactions can be netted with nonstandard transactions, but with the central clearing rules this is no longer possible.

Most experts think that there will be an increase in netting, but the overall effect of the changes will be an increase in margin requirements. Pre-crisis, relatively few OTC derivatives attracted initial margin. Post-crisis, the vast majority of OTC derivatives will require initial margin. A related consideration is that, as more transactions are cleared through CCPs, more of the funds of a financial institution will be tied up in default fund contributions.
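The exposure arithmetic behind Figure 18.4, as an added worked example that is not part of the original text. The A-B trade values are the ones stated above; the A-C and B-C values are assumed here, chosen so that the totals in the figure (0, 100 and 20 under bilateral netting; 120, 120 and 90 with the CCP included; 0, 120 and 90 with it excluded) are reproduced. The bilateral case nets standard and nonstandard trades within each counterparty pair, whereas the central-clearing case keeps the nonstandard trades in bilateral netting sets and moves every standard trade into a single netting set against the CCP, so the two product types can no longer offset each other.

```python
"""Netting under bilateral clearing versus central clearing for the three-party example
of Figure 18.4. Added illustration; A-B values are from the text, A-C and B-C values are
assumed (constructed so that the figure's totals are reproduced)."""

PARTIES = ["A", "B", "C"]

# (party1, party2, product, value to party1); party2 holds the opposite value.
TRADES = [
    ("A", "B", "nonstandard", -100),  # worth 100 to B and -100 to A (from the text)
    ("A", "B", "standard", 50),       # worth +50 to A and -50 to B (from the text)
    ("A", "C", "nonstandard", -90),   # assumed
    ("A", "C", "standard", 70),       # assumed
    ("B", "C", "nonstandard", 20),    # assumed
    ("B", "C", "standard", 30),       # assumed
]


def net_by_counterparty(trades, products):
    """Net value of the selected product types, per party and per counterparty."""
    net = {p: {q: 0 for q in PARTIES if q != p} for p in PARTIES}
    for p1, p2, product, value in trades:
        if product in products:
            net[p1][p2] += value
            net[p2][p1] -= value
    return net


def exposure(net_values):
    """Credit exposure before collateral: only positive net values are at risk."""
    return sum(max(v, 0) for v in net_values.values())


def bilateral_world(trades):
    """No CCP: one netting set per counterparty covering both product types."""
    net = net_by_counterparty(trades, {"standard", "nonstandard"})
    return {p: exposure(net[p]) for p in PARTIES}


def central_clearing_world(trades):
    """Standard trades are novated to the CCP (one netting set per party); nonstandard
    trades stay in bilateral netting sets and can no longer offset the standard ones."""
    bilateral = net_by_counterparty(trades, {"nonstandard"})
    standard = net_by_counterparty(trades, {"standard"})
    out = {}
    for p in PARTIES:
        excl = exposure(bilateral[p])
        ccp_net = sum(standard[p].values())  # net position against the CCP
        out[p] = {"excluding_ccp": excl, "including_ccp": excl + max(ccp_net, 0)}
    return out


def average(values):
    values = list(values)
    return sum(values) / len(values)


if __name__ == "__main__":
    b = bilateral_world(TRADES)
    c = central_clearing_world(TRADES)
    print("bilateral:", b, "average:", average(b.values()))
    print("central clearing:", c)
    print("average incl. CCP:", average(v["including_ccp"] for v in c.values()))
    print("average excl. CCP:", average(v["excluding_ccp"] for v in c.values()))
```

The point to notice is that A's exposure goes from zero to 120: bilaterally, A's losing nonstandard trades cancel its winning standard trades with each counterparty, but once the standard trades sit with the CCP that offset is gone.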
Liquidity

Most of the collateral required under the new regulations will have to be in the form of cash or government securities. An increasingly important consideration for all derivatives market participants is therefore liquidity. Not only will the collateral posted at any given time be a drain on liquidity, but banks will have to keep a sufficient quantity of liquid assets on hand to ensure that they are able to meet any margin calls. (Margin calls from a CCP have to be met almost immediately.) As we saw in Chapter 22, Basel III has recognized the importance of liquidity by proposing two new liquidity ratios that banks must adhere to. Capital has in the past been the key metric in determining the profitability of different business units and different projects at a bank. In the future, a two-dimensional metric involving capital and liquidity is likely to be used. Often there will be a trade-off between capital and liquidity in that a project will look attractive from a capital perspective and unattractive from a liquidity perspective, or vice versa.

Rehypothecation

Liquidity pressures are likely to increase because of another post-crisis change. What is known as "rehypothecation" was common in some jurisdictions (particularly the United Kingdom) pre-crisis. (See Business Snapshot 18.1.) It involved a dealer using collateral posted with it by one counterparty to satisfy a collateral demand by another counterparty. It is estimated that pre-crisis about $4 trillion of collateral was required in derivatives markets, but that because of rehypothecation only $1 trillion of new collateral was posted.11 In other words, each item of collateral was used on average four times. Rehypothecation will be restricted under new rules developed by the Basel Committee and the International Organization of Securities Commissions (IOSCO). These rules allow initial margin to be rehypothecated once, but only if certain conditions are satisfied. Variation margin can be rehypothecated. But increasingly dealers themselves impose restrictions on rehypothecation because they do not want to be disadvantaged in the same way that some of Lehman's counterparties were (see Business Snapshot 18.1).

BUSINESS SNAPSHOT 18.1
REHYPOTHECATION

A practice in the management of collateral known as rehypothecation can cause problems. If Party A posts collateral with Party B and rehypothecation is permitted, Party B can use the same collateral to satisfy a demand for collateral from Party C; Party C can then use the collateral to satisfy a demand for collateral from Party D; and so on. In 2007, it was estimated that U.S. banks had more than $4 trillion of collateral, but that this was created by using $1 trillion of original collateral in conjunction with rehypothecation. Rehypothecation was particularly common in the United Kingdom, where title to collateral is transferred.

After Lehman declared bankruptcy in September 2008, clients (particularly European hedge fund clients) found it difficult to get a return of the collateral they had posted with Lehman because it had been rehypothecated. As a result of this experience, many market participants are more cautious than they used to be, and clauses in CSAs banning or limiting rehypothecation are now common.

The Convergence of OTC and Exchange-Traded Markets

The developments we have been discussing are blurring the distinction between OTC derivatives and exchange-traded derivatives. Many OTC transactions are now traded on platforms similar to exchanges and cleared through organizations similar to exchange clearing houses. As time goes by, more OTC transactions are likely to be classified as "standard" so that the percentage of OTC transactions handled similarly to exchange-traded transactions will increase. What is more, even those OTC transactions between financial institutions that are cleared bilaterally may begin to look more like exchange-traded transactions. This is because margin has to be posted with a third party, and we can expect organizations (somewhat similar to exchange clearing houses) to be set up to facilitate this.

It is also the case that exchanges are increasingly trying to offer less standard products to institutional investors in an attempt to take business away from the OTC market. As a result, while OTC markets are moving in the direction of becoming more like exchange-traded markets, exchange-traded markets are moving in the opposite direction and becoming more like OTC markets. Many CCPs and exchanges have a common ownership and will find areas for cooperation on margin requirements and business practices. Whether a transaction is being cleared through an exchange or a CCP may not be important in the future because it will be handled in the same way by the same organization.

18.4 CCPS AND BANKRUPTCY

The key objective of regulators is to reduce systemic risk. Some commentators have criticized the new derivatives regulations as replacing too-big-to-fail banks by too-big-to-fail CCPs.

10 See D. Duffie and H. Zhu, "Does a Central Counterparty Reduce Counterparty Risk?" Review of Asset Pricing Studies 1 (2011): 74-95.

11 See M. Singh and J. Aitken, "The (Sizable) Role of Rehypothecation in the Shadow Banking System," Working Paper, International Monetary Fund, 2010.
It certainly would be a disaster for the financial system if a major CCP such as LCH Clearnet's SwapClear or CME's ClearPort were to fail.12 In theory, as described in Hull (2012), it is possible to design the contract between CCPs and their members so that it is virtually impossible for a CCP to fail. In practice, it is considered important that a CCP has "skin in the game." It is then motivated to take good decisions with respect to key issues such as whether a new member should be admitted, how initial margins should be set, and so on.

The main reason why it makes sense to replace too-big-to-fail banks by too-big-to-fail CCPs is that CCPs are much simpler organizations than banks. They are therefore much simpler to regulate than banks. In essence, regulators need only ensure that the CCP follows good practices in (a) choosing members, (b) valuing transactions, and (c) determining initial margins and default fund contributions. In the case of banks, a myriad of different, much more complex activities must be monitored. It is of course important for regulators to ensure that CCPs are not allowed to become more complex organizations by expanding outside their core activity of intermediating derivatives transactions.

SUMMARY

Prior to the 2007-2008 credit crisis, the over-the-counter (OTC) derivatives market was largely unregulated. Two market participants could agree to any transaction they liked and then reach any agreement they liked on how the transaction would be cleared. They were also free to choose any arrangements they liked for the posting of collateral. This is no longer the case. The OTC derivatives market is now subject to a great deal of regulation throughout the world. The extent to which the OTC derivatives market should be blamed for the crisis is debatable, but post-crisis regulatory changes are having more effect on this market than on almost any other sector of the economy.

Most standard OTC derivatives between two financial institutions must be cleared through central counterparties. These are very similar to exchanges. They require initial margin and variation margin to be posted by both sides. Nonstandard transactions between financial institutions will continue to be cleared bilaterally, but are subject to regulation on the collateral that must be posted. Specifically, transactions between financial institutions are subject to initial margin (segregated) and variation margin (transferred from one side to the other when the value of outstanding transactions changes).

What will the derivatives world look like in 15 or 20 years? Present trends indicate that there will be a convergence between OTC and exchange-traded markets, and the distinction between the two will become blurred. But it should be acknowledged that there is no certainty that this trend will continue. The OTC market as it existed before the crisis was very profitable for a few large banks. It is possible that they will chip away at the regulations so that they are able eventually to find a way of creating a new OTC market somewhat similar to the one that existed before the crisis. A battle is likely to take place pitting the determination of regulators against the ingenuity of banks.

Further Reading

Basel Committee on Banking Supervision and IOSCO. "Margin Requirements for Non-Centrally Cleared Derivatives," September 2013.

Duffie, D., and H. Zhu. "Does a Central Counterparty Reduce Counterparty Risk?" Review of Asset Pricing Studies 1 (2011): 74-95.

Hull, J. "CCPs, Their Risks, and How They Can Be Reduced." Journal of Derivatives 20, no. 1 (Fall 2012): 26-29.

Hull, J. "The Changing Landscape for Derivatives." Journal of Financial Engineering 1, no. 2 (2014).

Hull, J. "OTC Derivatives and Central Clearing: Can All Transactions Be Cleared?" Financial Stability Review 14 (July 2010): 71-89.

Singh, M., and J. Aitken. "The (Sizable) Role of Rehypothecation in the Shadow Banking System." Working Paper, International Monetary Fund, 2010.

12 See J. Hull, "CCPs, Their Risks, and How They Can Be Reduced," Journal of Derivatives 20, no. 1 (Fall 2012): 26-29.



Capital Regulation Before the Global Financial Crisis

Learning Objectives

After completing this reading you should be able to:

• Explain the motivations for introducing the Basel regulations, including key risk exposures addressed, and explain the reasons for revisions to Basel regulations over time.

• Explain the calculation of risk-weighted assets and the capital requirement per the original Basel I guidelines.

• Describe measures introduced in the 1995 and 1996 amendments, including guidelines for netting of credit exposures and methods to calculate market risk capital for assets in the trading book.

• Describe changes to the Basel regulations made as part of Basel II, including the three pillars.

• Compare the standardized approach, the Foundation Internal Ratings-Based (IRB) approach, and the advanced IRB approach for the calculation of credit risk capital under Basel II.

• Compare the basic indicator approach, the standardized approach, and the Advanced Measurement Approach for the calculation of operational risk capital under Basel II.

• Summarize elements of the Solvency II capital framework for insurance companies.

By Mark Carey of the GARP Risk Institute.
Financial regulation has developed incrementally over the centuries, often in response to stressful periods which exposed the limitations of previous regulations.

In the days before government regulation, banks or insurance companies could be created without official approval. Success (or failure) was based primarily on whether they could persuade clients to use their services.

As such, these businesses have often found it essential to establish trustworthy reputations. They did this by enlisting the support of prominent people in the community, carrying large amounts of capital at creation, and constructing prominent buildings. These measures provided comfort that deposits would be returned and claims paid as promised. Later, governments required new financial institutions to obtain a license before being allowed to operate.

Financial institution failures were frequent, and sometimes occurred not because of insolvency but because of a loss of client confidence. When losses occurred, clients naturally attempted to withdraw funds from the institution in question. When these withdrawals grew into a run or panic, even a solvent institution could fail if it could not liquidate assets or raise new funds quickly enough.

The first "regulations" were the result of financial firms banding together to share resources in the event of runs. The Bank of England, for example, was originally a private-sector entity that would provide support to other banks. In addition, early clearinghouses were partly arrangements for mutual support. Specifically, clearinghouse members shared financial statements with each other and had rights of inspection, and so monitoring and enforcement of solvency was a part of the arrangements. However, this was done privately.

Such private arrangements had several limitations.

• If a panic was big enough, no entity without the power to print money would have enough resources to support the financial system. As a result, government controlled central banks gradually replaced clearinghouses and private banks as lenders of last resort.1

• Governments learned that financial crises imposed large costs on the economy as a whole (e.g., crises were often followed by depressions). Desiring stability, governments began making attempts to ensure that financial institutions were solvent and liquid enough to survive plausible levels of distress. Such regulations became more wide-ranging in the wake of each crisis.

• Customers of failed financial institutions were unhappy (at the very least) when large fractions of their wealth disappeared. Fraud was not uncommon, but even when a failure was not associated with fraud, customers complained of unfairness and of the difficulty of adequately monitoring a financial institution's safety-and-soundness.

• Globalization was the fourth trigger of regulation, and especially of international coordination of regulation. Central banks have facilitated international transfers and capital movements for centuries. As international trade blossomed in the 1960s and 1970s, and as multinational corporations became more numerous, foreign exchange flows and capital flows grew ever larger.

Multinationals valued financial service providers who operated in many countries, which gave rise to several issues.

• First, large financial firms, especially international banks, became interlinked, so a failure of one would cause problems in many countries, not just its home country.

• Second, as described further below, banks and regulators became concerned about competitive (dis)advantages flowing from differences in capital requirements across nations.

• Third, technical arrangements in clearing and settlement proved to be important. For example, when Herstatt Bank failed in the summer of 1974, differences in the required delivery times for currencies across countries and time zones caused large amounts of foreign exchange transactions to fail to clear. In turn, this raised concerns about a potential collapse of the global financial system.

It became evident that only official-sector cooperation and coordination could address these risks. As a result, what is now called the Basel Committee on Banking Supervision (BCBS) was created in 1974, following the Herstatt failure. Perhaps motivated in part by the perceived success of the BCBS, the International Association of Insurance Supervisors (IAIS) and the International Organization of Securities Commissions (IOSCO) were created in 1994 and 1983, respectively.

This chapter focuses on solvency regulation of banks and insurance companies before the Global Financial Crisis (i.e., before 2009), with particular attention to the Basel Accord. Later chapters focus on regulation after the crisis.

19.1 THE BASEL ACCORD: BASEL I VARIANT

In the late 1980s, the BCBS developed a specification for capital (solvency) regulation. First published in December 1987, it was formally agreed in July 1988 and fully implemented by the end of 1992.

1 Central banks may operate independently from political interference but are usually considered governmental entities.

This accord, which has come to be known as Basel I, was initially agreed upon by the members of the BCBS (roughly, the G10 nations). By the early 2000s, however, it became a de facto global minimum capital standard. Note that Basel I has no legal standing in and of itself. Rather, nations have chosen to incorporate its standards through domestic law and regulation.

Two events motivated creation of Basel I.

• First, the growth of cross-border finance continued after Herstatt's failure and it was evident that the G10 nations had a common interest in ensuring that banks had enough equity to absorb large losses.

• Second, international banks were competing vigorously in each other's home countries. However, minimum levels of required capital varied significantly across nations, creating a perception that banks headquartered in countries with low minimums had a competitive advantage. In response, members of the BCBS decided to develop a global minimum standard to "level the playing field" and avoid a race to the bottom. That is, while the Basel Accord was partly about ensuring safety and soundness, negotiations also had an element of maneuvering for perceived competitive advantage.

The central elements of Basel I are a risk-based capital ratio, a minimum level of this ratio, and definitions of the numerator and denominator.

The Risk-Based Capital Ratio

A goal of Basel I was to ensure that financial institutions would have sufficient assets to remain solvent during periods of stress. However, the BCBS had to find a way of measuring sufficiency. Since banks differ greatly in size, specifying minimum amounts of capital (in dollars, pounds, etc.) would be infeasible. A ratio of capital to the book value of assets (i.e., a "leverage ratio"), on the other hand, would seemingly allow for a universal standard that could apply to institutions of all sizes. However, banks can also differ greatly in the composition and riskiness of their balance sheets.

Given the perception that minimums specified in terms of leverage ratios would disadvantage banks with low-risk portfolios and advantage those with high-risk portfolios, the BCBS decided on a risk-based capital ratio (i.e., a ratio of capital to risk-weighted assets (RWA)) instead. Moreover, these assets included not only assets on the balance sheet according to accounting conventions (e.g., loans or securities), but also off-balance-sheet exposures (e.g., loan commitments) and derivative exposures. Though crude by modern standards, these risk-based ratios represented a major innovation at the time.2

The Ratio and Minimum Values

Basel I required consolidated banking organizations to maintain

$$\frac{\text{Tier 1 capital}}{\text{RWA}} \ge 4\%$$

and

$$\frac{\text{Total capital}}{\text{RWA}} \ge 8\%$$

Total capital is the sum of Tier 1 capital and Tier 2 capital. By design, Tier 2 capital may comprise no more than half of total capital. To the extent that Tier 1 capital exceeded 4 percent of risk-weighted assets, the excess could be included with Tier 2 capital to satisfy the second (8%) requirement.

"Capital"

Under the Basel I framework, Tier 1 capital consists of common equity and disclosed reserves (i.e., retained earnings plus some types of minority interest in subsidiaries) minus goodwill. Later frameworks include a limited amount of non-cumulative perpetual preferred stock.

In contrast, Tier 2 capital consists of

• loan loss reserves not already allocated to impairment of particular assets;

• undisclosed reserves (including some revaluation reserves); and

• hybrid instruments (i.e., unsecured, subordinated, not redeemable at the investor's behest, on which payment default would not precipitate bankruptcy or resolution, and on which interest or dividend payments could be deferred).

A limit was placed on the proportion of loan loss reserves allowed into capital (originally 2%, later reduced to 1.25% of RWA). Some kinds of subordinated debt and preferred stock were in the latter category. In the years after Basel I was implemented, consultants and investment bankers invented instruments that would qualify as Tier 1 or Tier 2 capital.

Though never expressed by the BCBS, two assumptions were implicit in these definitions.

• First, preservation of solvency was the job of Tier 1 capital, whereas Tier 2 capital would provide resources for recapitalization of an entity in resolution and reduce the impact of failures on depositors.

• Second, although general loan loss reserves were often viewed as covering losses that are likely already embedded in the entity's portfolio but that have not yet occurred, they were not counted as loss-absorbing capacity that could preserve solvency.

2 The ratios are sometimes referred to as "Cooke" ratios, for Peter Cooke of the Bank of England.



Table 19.1 Risk Weights by Asset Category

Risk Weight | Asset Category
0%   | Cash; claims on OECD governments such as bonds issued by the central government; other instruments with a full guarantee from an OECD government
20%  | Claims on OECD banks and on OECD public sector entities, such as claims on municipalities or on Fannie Mae and Freddie Mac
50%  | Uninsured residential mortgages
100% | All other exposures, such as commercial or consumer loans

Risk-Weighted Assets

To make the ratio risk-sensitive, the on-balance-sheet amount of each type of asset is multiplied by a percentage weight according to the risk it poses. The RWA is the sum of such products

$$\mathrm{RWA} = \sum_{i=1}^{N} W_i A_i$$

where $W_i$ is the risk weight and $A_i$ is the size of the asset.

In Basel I, the weights are as shown in Table 19.1, which includes a summary of the assets in each category. In the absence of other adjustments, the maximum amount that a position could contribute to RWA was the book value of its assets (since the maximum risk weight was 100 percent).

Implicit in Table 19.1 is a view that no OECD government would ever default on its obligations,3 as well as that residential mortgages and claims on banks are much less likely to impose losses than a typical bank loan. Though these assumptions appear unreasonable today, they were consistent with what was experienced in the decades preceding Basel I.

Example 19.1:

The assets of a Canadian bank consist of C$200 million of loans to corporations, C$100 million of Canadian central government bonds, C$100 million of residential mortgages insured by the central government, and C$100 million of uninsured residential mortgages. Though the book value of assets is C$500 million, the sum of risk-weighted assets is C$250 million since

$$\mathrm{RWA} = 100\% \times 200 + 0\% \times 100 + 0\% \times 100 + 50\% \times 100 = 250$$

Though the concept of RWA was natural for traditional balance-sheet exposures, banking organizations also had many off-balance-sheet exposures (along with nontraditional on-balance-sheet exposures such as derivatives).

Traditional off-balance-sheet exposures were converted to a credit-equivalent amount (i.e., on-balance-sheet equivalent) by multiplying by one of the credit conversion factors shown in Table 19.2. The risk weight was then determined by the nature of the counterparty.

For example, a $100 million five-year loan commitment to an OECD municipality would first be converted to a $20 million credit equivalent, and then be assigned a 20 percent risk weight. Thus, its contribution to RWA would be only $4 million.

With respect to derivatives, Basel I offered authorities in each nation a choice between two methods of computing a credit equivalent amount (this structure was revised in 1995 with the addition of a maturity bucket greater than five years).

1. Current Exposure Method:

a. First, calculate the current market value of the contract V. If the current market value is negative (making it a liability rather than an asset), set V = 0.

b. Second, add an amount D to account for changes in the contract's future market value. For interest rate swaps, D was
i. zero for maturities of less than one year,
ii. 0.5% of the notional value of the swap for remaining maturities of five years or less; and
iii. 1.5% for more than five years.

c. For foreign exchange swaps, D was
i. 1% of notional value for maturities of less than one year,
ii. 5% of notional value for maturities between one and five years, and
iii. 7.5% of notional value for maturities greater than five years.

2. Original Exposure Method (only for interest rate and foreign exchange contracts)

a. Nations could ignore the current market value of the contract and choose whether to use the original or remaining maturity.

3 Implicit in the beneficial treatment of sovereign debt is the expectation that governments can print money to address potential defaults. This assumption does not hold when debt is borrowed in foreign currencies, or where a national government is not fully in control of its own monetary policy, as could be the case in the European Monetary Union today.

306 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Table 19.2 Credit Conversion Factors for Traditional Off-Balance-Sheet Exposures

Credit Conversion Factor   Off-balance-sheet Category
100%                       Guarantees on loans and bonds, bankers' acceptances, and equivalents
50%                        Warranties and standby letters of credit related to transactions
20%                        Loan commitments with original maturity greater than or equal to one year
0%                         Loan commitments with original maturity less than one year

   b. For interest rate contracts, D was
      i. 0.5% for maturities of less than one year,
      ii. 1% for maturities between one and two years, and
      iii. 1% + 1% × INT[M − 1] for maturities M greater than two years.⁴
   c. For foreign exchange contracts, D was
      i. 2% for maturities of less than one year,
      ii. 5% for maturities between one and two years, and
      iii. 5% + 3% × INT[M − 1] for maturities M greater than two years.

Equity and commodity derivatives were not discussed in Basel I. The risk weight was set according to the nature of the counterparty, except that no risk weight could be more than 50%. The 1995 Amendment included add-on factors for such derivatives.

The 1995 and 1996 Amendments ("Market Risk Amendment")

Put bluntly, the handling of derivative exposures in Basel I was crude. However, as Basel I was being developed, the 1987 stock market crash had not yet occurred, value-at-risk (VaR) was not in widespread use, and quantitative market risk management was in its infancy. By 1995, all of this had changed.

Example 19.2:

The derivatives book of an international bank contains $300 million of notional value of interest rate swaps, $100 million each having remaining maturity of 0.5, 1.5 and 2.5 years. Their market value is $30 million. The book also has $300 million of foreign exchange swaps with a similar maturity profile and a market value of −$10 million. All counterparties are private corporations, so the risk weight is 100 percent. Under the current exposure method described above (with no netting, so the negative value of the foreign exchange book counts as zero), the credit equivalent amount would be:

CE = 30 + 0% × 100 + 0.5% × 200 + 1% × 100 + 5% × 200 = $42 million

Under the original exposure method, it would be

CE = 0.5% × 100 + 1% × 100 + 2% × 100 + 2% × 100 + 5% × 100 + 8% × 100 = $18.5 million

Netting

A market convention is that entities engaged in over-the-counter derivatives transactions sign an International Swaps and Derivatives Association master agreement specifying that, in the event of a default by a counterparty, the defaulting entity's transactions with each other counterparty could be considered as a single transaction. Choices in these agreements permit bilateral transactions with positive and negative values to offset one another.

For example, Bank A might enter an interest rate swap to buy protection from Bank B against an increase in interest rates, and later enter another swap with an identical notional amount with Bank B to sell protection. If rates did not move in the interim between these two agreements, their combined impact on Bank A's (and Bank B's) net exposure and portfolio value is zero.

However, the original Basel I allowed almost no capital credit for netting. Though changes in interest rates would have offsetting effects on the market value of the two swaps in the previous example, the treatment in the original Basel I would apply an add-on to each swap, disincentivizing hedging. The rationale for this was that (as of 1988) master agreements had not been sufficiently tested in bankruptcy courts.

By 1995, the members of the BCBS were more confident that such agreements would function as intended, and thus the 1995 Amendment allowed reductions in credit equivalent amounts when enforceable bilateral netting agreements were in place. In calculating credit equivalent amounts, the complete netting of the market values V_i of all positions i with a given counterparty was allowed, and the add-ons D_j for future changes in value were reduced for each category of derivative j:

CEA = \max\left(\sum_i V_i,\ 0\right) + \sum_j \left[0.4\, D_j + 0.6\, D_j \, NRR\right]

where NRR (the net replacement ratio) is

NRR = \frac{\max\left(\sum_i V_i,\ 0\right)}{\sum_i \max(V_i,\ 0)}

The numerator is the current exposure with netting (the net market value of the positions, floored at zero), while the denominator is the current exposure with no netting (the sum of the positive market values). Note that the net replacement ratio is an average across all positions; although add-on factors and the impact of netting may differ across types of derivatives, the impact of the latter is ignored.

4 where INT[X] denotes the integer part of X (so INT[1.5] = 1, the reading used in Example 19.2).

Chapter 19 Capital Regulation Before the Global Financial Crisis ■ 307
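The two Basel I exposure methods and the 1995 netting formula above, worked through in Python as an added example (not code or text from the chapter). It reproduces Example 19.2 ($42 million and $18.5 million) and, for the five-derivative portfolio of Example 19.3 that follows, the netted CEA of 40.7 with NRR = 0.5. The `Trade` record and the function names are our own; placing each book's market value on its shortest swap in Example 19.2 is an assumption (the text gives only book totals), and the extension that nets Example 19.2 under a single counterparty uses the 1988 add-on schedule purely for illustration.

```python
"""Basel I credit-equivalent amounts for OTC derivatives (added example).

current_exposure_cea  : 1988 current exposure method, no netting
original_exposure_cea : 1988 original exposure method (remaining maturity)
netted_cea            : 1995 Amendment formula with bilateral netting and NRR
Amounts are in $ millions, maturities in years.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    counterparty: str
    kind: str          # "ir", "fx", "equity", "commodity"
    maturity: float    # remaining maturity in years
    notional: float
    value: float       # current market value; negative means the bank owes


def current_exposure_addon(kind, maturity):
    """Add-on factor D (fraction of notional): 1988 schedule plus the 1995 >5-year bucket."""
    if kind == "ir":
        return 0.0 if maturity < 1 else 0.005 if maturity <= 5 else 0.015
    if kind == "fx":
        return 0.01 if maturity < 1 else 0.05 if maturity <= 5 else 0.075
    raise ValueError(f"Basel I gave no current-exposure add-on for {kind!r}")


def original_exposure_addon(kind, maturity):
    """Original exposure factor. INT[M - 1] is read as the integer part, which is
    what Example 19.2 uses (2.5-year IR swap -> 2%, 2.5-year FX swap -> 8%)."""
    if kind == "ir":
        return 0.005 if maturity < 1 else 0.01 if maturity <= 2 else 0.01 + 0.01 * int(maturity - 1)
    if kind == "fx":
        return 0.02 if maturity < 1 else 0.05 if maturity <= 2 else 0.05 + 0.03 * int(maturity - 1)
    raise ValueError(f"original exposure method covers only IR and FX, not {kind!r}")


def current_exposure_cea(trades):
    """No netting: each contract contributes max(V, 0) + D * notional."""
    return sum(max(t.value, 0.0) + current_exposure_addon(t.kind, t.maturity) * t.notional
               for t in trades)


def original_exposure_cea(trades):
    """Market values are ignored entirely; only maturity-based factors apply."""
    return sum(original_exposure_addon(t.kind, t.maturity) * t.notional for t in trades)


def netted_cea(trades, addon_factor):
    """1995 Amendment: current exposure netted within each counterparty (floored at 0),
    add-ons reduced to 0.4*D_j + 0.6*D_j*NRR per derivative type j, where
    NRR = netted current exposure / gross (unnetted) current exposure.
    addon_factor(trade) returns the add-on fraction for that trade. Returns (CEA, NRR)."""
    by_counterparty = defaultdict(float)
    for t in trades:
        by_counterparty[t.counterparty] += t.value
    net_exposure = sum(max(v, 0.0) for v in by_counterparty.values())
    gross_exposure = sum(max(t.value, 0.0) for t in trades)
    nrr = net_exposure / gross_exposure if gross_exposure > 0 else 0.0

    d_by_type = defaultdict(float)
    for t in trades:
        d_by_type[t.kind] += addon_factor(t) * t.notional
    addons = sum(0.4 * d + 0.6 * d * nrr for d in d_by_type.values())
    return net_exposure + addons, nrr


# Example 19.2 (constructed): three IR swaps worth $30m in total and three FX swaps
# worth -$10m in total; each book's value is placed on its shortest swap (assumption).
EXAMPLE_19_2 = [
    Trade("corp", "ir", 0.5, 100, 30.0), Trade("corp", "ir", 1.5, 100, 0.0), Trade("corp", "ir", 2.5, 100, 0.0),
    Trade("corp", "fx", 0.5, 100, -10.0), Trade("corp", "fx", 1.5, 100, 0.0), Trade("corp", "fx", 2.5, 100, 0.0),
]

# Example 19.3 (the table that follows): add-on factors are given per trade type.
EXAMPLE_19_3 = [
    Trade("1", "ir", 2, 100, -5.0), Trade("1", "ir", 3, 100, 0.0), Trade("1", "fx", 2, 200, 10.0),
    Trade("2", "equity", 6, 100, 0.0), Trade("2", "commodity", 0.5, 300, -10.0),
]
EXAMPLE_19_3_ADDONS = {"ir": 0.005, "fx": 0.05, "equity": 0.10, "commodity": 0.10}


def example_19_3_cea():
    return netted_cea(EXAMPLE_19_3, lambda t: EXAMPLE_19_3_ADDONS[t.kind])


def example_19_2_netted():
    """Extension (assumptions: one counterparty, 1988 add-on schedule) showing how much
    netting the -$10m FX book against the +$30m IR book reduces the CEA."""
    return netted_cea(EXAMPLE_19_2, lambda t: current_exposure_addon(t.kind, t.maturity))


if __name__ == "__main__":
    print("Ex 19.2 current exposure method :", current_exposure_cea(EXAMPLE_19_2))   # 42.0
    print("Ex 19.2 original exposure method:", original_exposure_cea(EXAMPLE_19_2))  # 18.5
    print("Ex 19.3 netted CEA, NRR         :", example_19_3_cea())                   # (40.7, 0.5)
    print("Ex 19.2 netted, one counterparty:", example_19_2_netted())               # (29.6, 0.667)
```

The single-counterparty extension drops Example 19.2's CEA from 42 to 29.6: the current exposure nets to 20 and, with NRR = 2/3, the add-ons shrink from 12 to 9.6, which is exactly the incentive for hedging that the original 1988 treatment lacked.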


Example 19.3 Credit Equivalent Amount for Derivatives

Suppose a bank has a portfolio of five derivatives with two counterparties, as described in the following table (notional and market value in $ millions, maturity in years):

Counterparty   Type            Maturity   Notional   Market value   Add-on factor
1              Interest rate   2          100        −5             0.5%
1              Interest rate   3          100        0              0.5%
1              Foreign exch.   2          200        10             5%
2              Equity option   6          100        0              10%
2              Wheat option    0.5        300        −10            10%

With netting, the current exposure portion of the credit equivalent amount is 5 for the first counterparty (i.e., the −5 exposure on the first interest rate derivative is netted against the 10 exposure on the foreign exchange derivative) and 0 for the second, for a total of 5. Note that current exposure may not be less than zero, and the −10 market value on the wheat option may only be netted against positive exposures at the second counterparty, not at the first counterparty.

In this case, NRR = 0.5 because the numerator of NRR is the current exposure of 5 and the denominator is the sum of the positive exposures (i.e., 10).

The add-on for potential future exposure must be calculated separately for each type of derivative, multiplying the total notional value for each type by the add-on factor to obtain values of D_j. For the interest rate derivatives, 200 × 0.5% yields a value of 1, while for the remaining types in the table D_j is 10, 10, and 30 for the foreign exchange, equity, and wheat types, respectively. Applying the formula for CEA:

CEA = 5 + (0.4 × 1 + 0.6 × 1 × 0.5) + (0.4 × 10 + 0.6 × 10 × 0.5) + (0.4 × 10 + 0.6 × 10 × 0.5) + (0.4 × 30 + 0.6 × 30 × 0.5)
    = 5 + 0.7 + 7 + 7 + 21 = 40.7

Capital for Market Risks Associated with Trading Activities

While market risk (i.e., changes in market value of trading book assets) is the primary risk for the trading book, it was not captured by the requirements described previously. The 1996 Amendment to Basel I offers two ways to measure capital for market risk: a standardized approach and an internal models-based approach.

For banks with trading books of material size, the internal models-based approach was preferred because it generally yielded smaller capital requirements. This is in part due to the fact that asset values were not assumed to be perfectly correlated, as they were in the standardized approach.

The standardized approach is detailed separately for five categories of positions:

• fixed income securities and interest rate derivatives other than options, for which remaining maturity was a key driver;
• equity securities and equity derivatives other than options;
• foreign exchange;
• commodities; and
• all types of options.

These approaches were relatively simple for some categories, while for others there were many operational complexities (e.g., the separate treatment of specific risk and general market risk, where the latter is due to general movements in market prices and the former is driven by idiosyncratic changes in a specific position's value).

The internal models-based approach embodied a major change in philosophy by permitting banks to use internally developed risk measures as the inputs to formulas specified by regulators. To limit manipulation of the internal measures, monitoring was built in. In contrast, the standardized approach specified most of the details and was based on observable characteristics of positions (e.g., remaining maturity).

Under both approaches, capital charges were calculated separately for specific risk (SR) and general market risk (MR) for each of the five categories. These were summed and multiplied by 12.5 so that the usual multipliers on risk-weighted assets could also be applied to them:⁵

\text{Total capital for trading assets} = 0.08 \times 12.5 \sum_{j=1}^{5} (MR_j + SR_j)

5 12.5 is the inverse of 8%. The multiplier has the effect of turning a capital requirement into an RWA measure. This adjustment is based on the total capital requirement rather than the Tier 1 requirement.

To measure market risk, a bank using the internal models-based approach must calculate value-at-risk (VaR) for each asset
category. A 10-day VaR at the 99th percentile was required, based on at least one year of daily data, usually using a scaled one-day VaR multiplied by \sqrt{10}. Correlations within a category of position were considered by the internal model, whereas adjustments for correlations across categories were allowed at the discretion of the national supervisor.

Thus, market risk was given by

MR = \max\left(VaR_{t-1},\ m \times VaR_{avg}\right)

where VaR_avg was the average VaR over the past 60 days and m was a multiplier that was never less than 3 (and could be larger if national supervisors found deficiencies in the bank's models or other systems, or if monitoring implied other deficiencies). Given a multiplier of 3, the second term was usually larger than the 10-day VaR computed for the preceding business day (i.e., t − 1).

Capital for specific risk, which was required for fixed income, equity instruments, and derivatives, could be determined using either the standardized approach or the bank's internal models. In the latter case, the approach was similar to that for market risk, but the multiplier was 4 rather than 3, and capital for specific risk could not be less than half of the capital calculated using the standardized approach.⁶

The 1996 Amendment created a new class of capital (i.e., Tier 3 capital), composed mainly of unsecured subordinated debt with an original maturity of at least two years, that could be used to meet part of the market risk capital requirement. However, only about 70 percent of the market risk capital requirement could be satisfied with Tier 3 capital.

The 1996 Amendment specified several qualitative criteria that banks using the internal models-based approach must meet (e.g., sound risk management, independent risk management units, limits, active involvement of the board, and so on).

It also required daily back testing. Each day, for each model, the bank was required to use its current model and procedures to calculate one-day 99% VaR for each of the most recent 250 days, and to compare the actual loss for each day to that day's VaR. Each day with actual loss larger than VaR was termed an exception. Five or fewer exceptions enabled the multiplier m to be 3, but larger numbers of exceptions could lead to larger multipliers at the discretion of the supervisor. With 10 or more exceptions, a multiplier of 4 was required.

6 Thus, as a practical matter, a bank using internal models was also required to calculate capital under the standardized approach.

19.2 THE BASEL ACCORD: BASEL II VARIANT

Some supervisors had become concerned by the mid-1990s that Basel I, while more risk-based than capital requirements based on equity-to-asset ratios, was not risk-based enough. The 100 percent risk weight, for example, incorporated exposures posing a wide range of risk, from very safe loans made to highly-rated corporations to very risky loans to commercial real estate development projects.

Moreover, banking crises in the Nordic countries had demonstrated that systemic problems could occur even in well-capitalized banking systems. Meanwhile, there had been several technical advances in market and credit risk measurement and management since 1987, signaling a potential for more precise risk weighting and vastly improved risk management at all levels of banking organizations.

Basel II was the reaction to such concerns. Discussions among supervisors about a revised accord began in the late 1990s and the "final" revision was published in 2004 (further revisions occurred frequently in the years that followed).

While retaining much of Basel I, Basel II contained four significant innovations:

1. Risk weight formulas for credit risk based on modern credit risk management concepts and banks' internal risk measures;
2. Required capital for operational risk, in addition to credit risk and market risk;
3. In addition to minimum capital requirements (Pillar 1), Basel II included specific requirements for supervision related to capital and risk management (Pillar 2) and required public disclosures (Pillar 3);
4. Repeated use of Quantitative Impact Studies (QIS) to fine-tune the design of the accord. In each QIS, banks contributed detailed data which was then analyzed by supervisors.

Although the first two innovations have received the most attention from the public, the three pillars represented a major development as well. Through the early 2000s, regulatory philosophy differed across nations, ranging from supervision-heavy approaches (in which rules played much less of a role than the judgment of field supervisors) to rules-heavy approaches (in which regulators presented detailed rules and field supervisors focused on evaluating compliance with the rules). Moreover, at the time of Basel II's development, disclosures of bank condition and risk also varied widely across nations. For example, banks in some nations did not disclose Basel I capital ratios or risk-weighted assets.
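The 1996 Amendment's backtesting rule and the MR = max(VaR_{t−1}, m × VaR_avg) charge described earlier in this section, worked through in Python as an added example (not code from the chapter). The 250-day P&L and VaR series are constructed; the page's rule that five or fewer exceptions give m = 3 and ten or more give m = 4 is implemented as stated, while the add-on applied between those counts is a parameter, because the text says only that it was at the supervisor's discretion. Function names are our own.

```python
"""1996 Market Risk Amendment: VaR backtesting and the internal-models charge
(added example). Amounts are in currency units; VaR figures are positive numbers."""
import math


def count_exceptions(pnl, var_1d):
    """An exception is a day whose actual loss exceeds that day's one-day 99% VaR.
    pnl[i] is the realised P&L (negative = loss); var_1d[i] is the VaR for that day."""
    if len(pnl) != len(var_1d):
        raise ValueError("P&L and VaR series must cover the same days")
    return sum(1 for p, v in zip(pnl, var_1d) if -p > v)


def backtest_multiplier(exceptions, supervisory_addon=0.0):
    """m = 3 for five or fewer exceptions in the last 250 days, m = 4 for ten or more;
    in between the supervisor chooses an add-on (modelled here as a parameter, an
    assumption, and capped so that m never exceeds 4)."""
    if exceptions < 0:
        raise ValueError("exception count cannot be negative")
    if exceptions <= 5:
        return 3.0
    if exceptions >= 10:
        return 4.0
    return min(4.0, 3.0 + supervisory_addon)


def scale_to_10_day(var_1d):
    """Square-root-of-time scaling of a one-day VaR to the required 10-day horizon."""
    return var_1d * math.sqrt(10)


def market_risk_charge(var_10d_history, m):
    """MR = max(VaR_{t-1}, m * VaR_avg), VaR_avg being the mean over the last 60 days."""
    if not var_10d_history:
        raise ValueError("need at least one day of VaR history")
    window = var_10d_history[-60:]
    return max(var_10d_history[-1], m * sum(window) / len(window))


def trading_book_charge(mr_by_category, sr_by_category):
    """Sum of general market risk and specific risk charges over the categories;
    returns (capital, RWA-equivalent), the latter being the 12.5x figure the text
    uses so that the 8% ratio can be applied to trading positions as well."""
    capital = sum(mr_by_category.values()) + sum(sr_by_category.values())
    return capital, 12.5 * capital


# Constructed 250-day sample: a flat one-day VaR of 10 and a small daily gain, with
# seven days on which the realised loss (13.5) breaches the VaR.
SAMPLE_VAR_1D = [10.0] * 250
SAMPLE_PNL = [2.0] * 250
for _day in (12, 57, 99, 140, 181, 203, 230):
    SAMPLE_PNL[_day] = -13.5


def sample_multiplier(supervisory_addon=0.65):
    """Seven exceptions fall in the discretionary band; the 0.65 add-on is an assumption."""
    return backtest_multiplier(count_exceptions(SAMPLE_PNL, SAMPLE_VAR_1D), supervisory_addon)


if __name__ == "__main__":
    n = count_exceptions(SAMPLE_PNL, SAMPLE_VAR_1D)
    m = sample_multiplier()
    var_10d = [scale_to_10_day(v) for v in SAMPLE_VAR_1D]
    mr = market_risk_charge(var_10d, m)
    print(f"exceptions={n} multiplier={m} 10-day VaR={var_10d[-1]:.2f} MR={mr:.2f}")
    print(trading_book_charge({"interest rate": mr}, {"interest rate": 0.5 * mr}))
```

Note that the max() in `market_risk_charge` is what makes a single bad day matter: a VaR spike on day t−1 only drives the charge when it exceeds three times the 60-day average, which is why the text says the averaged term usually dominates.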


The three pillars represented a push toward convergence of national practices. Specifically, Pillar 2 mandated that supervisors require banks to have more than the minimum amount of capital as well as internal capital adequacy assessment processes (ICAAP) that take their risk profile into account. Supervisors were to assess bank ICAAPs and were to act if they were not satisfied. Additionally, supervisors were to intervene early if there was danger that a bank's capital would fall below the minimum, by requiring prompt corrective actions. Supervisors were also to encourage banks to improve risk management practices and to actively push for improvement of deficiencies. National discretion regarding enforcement of the accord's provisions was reduced, and national regulators were to be transparent about their implementation efforts, including those concerning the requirements in excess of the minimums.

Pillar 3 required more qualitative and quantitative disclosures, in the hope that pressure from market participants would help improve banks' practices. Qualitative disclosures included aspects of corporate structure, applicability of the accord and approaches used, accounting practices, and other matters. Meanwhile, quantitative disclosures included many characteristics of a bank's capital, exposures, and risk measures.

However, some found the requirements difficult to interpret and disclosure practices remained uneven for many years, until additional clarity (and pressure) was provided by the Basel Committee.

Capital for Credit Risk

At the time Basel II was developed, supporting data and analysis remained limited, and many supervisors were concerned that banks would manipulate internal risk measures to reduce required capital. Negotiators addressed such concerns by including three options for determination of minimum capital requirements for credit risk:

1. The standardized approach. Like Basel I, this included some increased sensitivity of risk weights to credit quality for borrowers with external ratings.⁷
2. The Foundation Internal Ratings-Based (IRB) approach. Here, risk weights were sensitive to internal measures of default probability, with the use of regulatory-specified loss given default parameters.
3. The Advanced IRB approach. Risk weights were sensitive to internal measures of default probability, loss given default, and exposure at default.

7 The United States chose not to implement the Standardized Approach. Internationally active banks were required to use IRB approaches, while all other banks were required to use an updated version of the Basel I requirements.

The Standardized Approach

As under Basel I, the Basel II standardized approach was intended for banks with internal risk measures and risk management practices that were insufficient to support the IRB approaches. However, the risk weights were somewhat more sensitive to variations in risk. Under Basel I, the headline risk weights depended on asset type and nationality of the obligor. Under the Basel II standardized approach, the headline risk weights depended on obligor type and rating for some obligor types, and on asset type for others. Examples appear in Table 19.3.

Although the risk weights appear less generous for banks and sovereigns than was the case under Basel I (e.g., the ratings of many banks and sovereigns were such that risk weights of 20 or 50 percent or more would apply), much of the generosity was restored at national discretion:

• A supervisor could choose to apply a risk weight of 0 to a bank's holdings of claims on its own sovereign that were issued in the nation's own currency. Where a supervisor exercised such discretion, banks in other nations could also risk-weight claims on that sovereign at 0%. This option was widely exercised.
• Claims issued by banks had either a risk weight one category less favorable than the sovereign's (capped at 100%) or a risk weight based on the bank's own rating (one category more favorable where the obligation had no more than three months' original maturity, subject to a floor of 20%). Risk weights on bank obligations could be capped at 100 percent.

The Standardized Approach included two ways of adjusting for collateral. Under the "simple approach," which was similar to Basel I, the risk weight of a counterparty could be replaced by the risk weight of the collateral for the portion of the exposure covered by the collateral. A minimum risk weight on the collateral was set at 20 percent, unless the collateral was sovereign debt in the same currency as the exposure.

The alternative "comprehensive approach" required adjustments (haircuts) to exposure and collateral amounts to allow for possible changes in their value. The risk weight of the collateral was applied to the reduced amount of collateral, and the counterparty's risk weight was applied to the remaining exposure. Any netting was applied separately to exposures and collateral, and either Basel rules or (approved) internal models could be used to make the adjustments.

The IRB Approach

The Gordy (2003) "asymptotic single risk factor" model of credit losses, now more commonly referred to as a one-factor
Gaussian copula model, was an expression of the thinking that led to the IRB Approach.⁸ The paper demonstrates that in large, well-diversified credit portfolios, a positive relationship exists between the probability of default of an obligor and that obligor's contribution to the capital needed to limit the probability of portfolio losses exceeding a percentile of the loss distribution.

Table 19.3 Risk Weights Under the Standardized Approach (percent)

Obligation of:   AAA to AA−   A+ to A−   BBB+ to BBB−   BB+ to BB−   B+ to B−   Unrated
Countries        0            20         50             100          150        100
Banks            20           50         50             100          150        50
Corporations     20           50         100            100          150        100

Obligation type:
Retail      75
Mortgage    35
Cash        0
Other       100

Using the Basel Committee's choices of a one-year time horizon for credit losses and a desire that capital be enough to absorb losses up to the 99.9th percentile of the credit loss distribution, the formula is:

\text{Capital} = \sum_i \left[EAD_i \times LGD_i \times DR99.9_i\right] - EL

where

• Capital is expressed in dollars;
• EAD_i is the exposure at default for asset i (i.e., the amount expected to be owed by the counterparty on asset i at the time of default);
• LGD_i is the expected loss given default for asset i (i.e., the fraction of EAD_i that is expected to be lost);⁹
• DR99.9_i is the default rate at the 99.9th percentile for a large portfolio of assets of type i. Gordy's research provides a formula for DR99.9:

DR99.9_i = N\left(\frac{N^{-1}(PD_i) + \sqrt{\rho}\, N^{-1}(0.999)}{\sqrt{1 - \rho}}\right)

where N is the standard normal cumulative distribution function, N^{-1} its inverse, PD_i the one-year probability of default of asset i, and ρ the asset correlation;

• EL is the expected loss (i.e., the expected mean annual credit loss) on the portfolio and is given by

EL = \sum_i \left[EAD_i \times LGD_i \times PD_i\right]

8 Gordy, M. B., 2003, A risk-factor model foundation for ratings-based capital ratios, Journal of Financial Intermediation 12, 199-232.

9 In the United States, the historical average LGD value was around 0.3.

Because the Basel Committee did not view loan loss reserves as Tier 1 capital, and yet loan loss reserves were thought to be approximately equal to expected losses, the Committee chose to make capital a function only of unexpected losses (i.e., net of expected losses). In cases where loan loss reserves are less than EL, a reduction in capital is made for the shortfall. See Figure 19.1 for a depiction of the capital for total stress losses, expected losses, and unexpected losses.

This setup allowed the Basel Committee to specify a loss percentile and an asset correlation ρ for each type of asset.¹⁰ Each individual asset's contribution to capital at any bank would then depend only on the bank's estimates of EAD, LGD and PD for that asset.

Basel II included two variants of the IRB approach:

• Foundation IRB, in which the bank would provide only the PD, with the accord specifying values of EAD and LGD for each class of asset; and
• Advanced IRB, in which the bank would provide all three values.

Earlier work had found that, at least in the United States, most large banks had internal rating systems that could be used to obtain a PD for each loan.¹¹ Thus, supervisors expected that Foundation IRB would be feasible for most large banks. The limited available data on EAD and LGD made it likely that fewer banks would be able to use Advanced IRB.

10 For large banks, with diversified portfolios representative of the market, correlations were not expected to differ very much across banks. An assumption is made that exposures are infinitely granular and that no individual credit could affect the overall loss metrics. The development of the Large Exposures Framework in 2014 was necessary when banks were found to have sizable exposures to single counterparties.

11 Carey, Mark S., and William F. Treacy, 1998, Credit risk rating at large U.S. banks, Federal Reserve Bulletin, November.


Figure 19.1 Loss distribution, expected and unexpected loss, and capital.

Even Foundation IRB made capital quite risk-sensitive, as shown in Table 19.4, which shows the values of DR given by the formula for different values of PD and ρ at the 99.9th percentile.

Bank, Corporate, and Sovereign Exposures Under IRB

For bank, corporate and sovereign exposures, Basel II assumes that ρ and PD are related based on the work of Lopez (2004):¹²

\rho = 0.12 \times \frac{1 - \exp(-50\,PD)}{1 - \exp(-50)} + 0.24 \times \left[1 - \frac{1 - \exp(-50\,PD)}{1 - \exp(-50)}\right]

The formula implies that ρ decreases as PD increases, which agrees with the idea that the determinants of default for very high-risk borrowers are often rather idiosyncratic, whereas middle-risk borrowers tend to default mainly when the macroeconomy is distressed (i.e., middle-risk borrowers are more likely to default together). That defaults of the safest borrowers are also rather idiosyncratic is ignored, but this does little harm because values of DR for them are small.

The effect of the specified relationship between ρ and PD is that DR increases somewhat less quickly with PD than in Table 19.4.

The capital calculation for bank, corporate and sovereign exposures also includes a maturity adjustment to account for the fact that assets with more than 1 year of remaining maturity will remain on the balance sheet at the end of the loss-forecasting period and may have deteriorated in credit quality. The maturity adjustment factor is

MA = \frac{1 + b\,(M - 2.5)}{1 - 1.5\,b}

where M is the remaining maturity of the asset in years and

b = \left[0.11852 - 0.05478 \ln(PD)\right]^2

Combining all the elements discussed previously, and recalling that Basel II expressed required capital in terms of risk-weighted assets, the RWA for bank, corporate and sovereign exposures is

RWA = 12.5 \times EAD \times LGD \times (DR - PD) \times MA

Under Foundation IRB, PD can be no lower than 0.0003 for bank and corporate exposures (implicitly it can be zero for sovereigns). LGD is 45 percent for senior assets and 75 percent for subordinated assets. When an asset is protected by collateral, the comprehensive approach discussed earlier is applied (i.e., LGD is reduced by the ratio of adjusted collateral to adjusted exposure). M is set to 2.5 years in most cases, so that the numerator of MA is 1.

As mentioned previously, values of PD, EAD, LGD and M under the Advanced IRB are given by the bank based on its own data, models, estimates and analysis.

For example, suppose that a bank's assets consist only of $100 million of BB-rated drawn loans with a remaining maturity of 3 years. PD is estimated to be 0.01 and the LGD is 30 percent. Then b = [0.11852 − 0.05478 ln(0.01)]² = 0.137. Evaluating the maturity adjustment with M set to 2.5 (the Foundation IRB convention; keeping the actual M = 3 in the numerator would give MA ≈ 1.35 instead):

MA = 1 / (1 − 1.5 × 0.137) = 1.26

ρ is 0.19 and DR is 0.14, so RWA = 12.5 × 100 × 0.3 × (0.14 − 0.01) × 1.26 = $61.4 million.

Under Basel I, RWA would have been $100 million, and under the Basel II standardized approach RWA would also have been $100 million.

Retail Exposures Under IRB

For retail exposures, only a treatment like the Advanced IRB approach is used (i.e., banks provide internal estimates of PD, LGD and EAD). However, there is no maturity adjustment. Rather, three correlations are used: ρ = 0.15 for residential mortgages; ρ = 0.04 for qualifying revolving assets (mostly credit card balances); and for all other retail assets

\rho = 0.03 \times \frac{1 - \exp(-35\,PD)}{1 - \exp(-35)} + 0.16 \times \left[1 - \frac{1 - \exp(-35\,PD)}{1 - \exp(-35)}\right]

12 Lopez, J., 2004, The empirical relationship between average asset correlation, firm probability of default, and asset size, Journal of Financial Intermediation 13(2), 265-283.
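The IRB formulas of this section (Gordy's 99.9th-percentile default rate, the Lopez wholesale correlation, the maturity adjustment, and the retail correlations), implemented in Python as an added example that is not from the chapter. It reproduces the $61.4 million corporate loan example above (carried at full precision the figure is about $61.5 million; the text rounds DR to 0.14), the DR values tabulated in Table 19.4 below, and the residential mortgage case that follows it. The standard normal N and N^{-1} come from the standard library's `statistics.NormalDist`; the function names and the `foundation` switch are our own.

```python
"""Basel II IRB risk weights (added example): Gordy's 99.9% default rate, the
Basel II correlation functions, the maturity adjustment, and RWA for wholesale
and retail exposures. Amounts in $ millions, PD/LGD as fractions, M in years."""
import math
from statistics import NormalDist

_STD_NORMAL = NormalDist()            # N(.) and N^{-1}(.)
_Z_999 = _STD_NORMAL.inv_cdf(0.999)   # N^{-1}(0.999) = 3.0902...


def default_rate_999(pd, rho):
    """DR99.9 = N[(N^{-1}(PD) + sqrt(rho) N^{-1}(0.999)) / sqrt(1 - rho)]."""
    if not 0.0 < pd < 1.0:
        raise ValueError("PD must lie strictly between 0 and 1")
    if not 0.0 <= rho < 1.0:
        raise ValueError("asset correlation must lie in [0, 1)")
    z = (_STD_NORMAL.inv_cdf(pd) + math.sqrt(rho) * _Z_999) / math.sqrt(1.0 - rho)
    return _STD_NORMAL.cdf(z)


def _blend(pd, k, low, high):
    """Basel II weighting w = (1 - e^{-k PD}) / (1 - e^{-k}); rho = low*w + high*(1 - w)."""
    w = (1.0 - math.exp(-k * pd)) / (1.0 - math.exp(-k))
    return low * w + high * (1.0 - w)


def wholesale_correlation(pd):
    """Bank, corporate and sovereign exposures (Lopez 2004 fit): from 0.24 down to 0.12."""
    return _blend(pd, 50.0, 0.12, 0.24)


def other_retail_correlation(pd):
    """'Other retail' exposures: from 0.16 down to 0.03."""
    return _blend(pd, 35.0, 0.03, 0.16)


RHO_RESIDENTIAL_MORTGAGE = 0.15
RHO_QUALIFYING_REVOLVING = 0.04


def maturity_adjustment(pd, m):
    """MA = (1 + b (M - 2.5)) / (1 - 1.5 b), with b = [0.11852 - 0.05478 ln PD]^2."""
    b = (0.11852 - 0.05478 * math.log(pd)) ** 2
    return (1.0 + b * (m - 2.5)) / (1.0 - 1.5 * b)


def wholesale_rwa(ead, lgd, pd, m=2.5, foundation=False):
    """RWA = 12.5 * EAD * LGD * (DR - PD) * MA. Under Foundation IRB the PD floor is
    0.0003 for banks and corporates and M is fixed at 2.5 years."""
    if foundation:
        pd = max(pd, 0.0003)
        m = 2.5
    dr = default_rate_999(pd, wholesale_correlation(pd))
    return 12.5 * ead * lgd * (dr - pd) * maturity_adjustment(pd, m)


def retail_rwa(ead, lgd, pd, rho):
    """Retail: bank-supplied PD, LGD and EAD; fixed or PD-dependent rho; no maturity adjustment."""
    dr = default_rate_999(pd, rho)
    return 12.5 * ead * lgd * (dr - pd)


def dr_table(pds=(0.001, 0.005, 0.01, 0.02), rhos=(0.0, 0.2, 0.4, 0.6)):
    """DR99.9 over a grid of PD and rho, rounded to three decimals as in Table 19.4."""
    return {rho: [round(default_rate_999(pd, rho), 3) for pd in pds] for rho in rhos}


if __name__ == "__main__":
    for rho, row in dr_table().items():
        print(f"rho={rho:.1f}", row)
    # $100m of BB-rated loans, PD 1%, LGD 30%: M fixed at 2.5 (as in the text) versus M = 3
    print(round(wholesale_rwa(100, 0.30, 0.01, m=2.5), 1), round(wholesale_rwa(100, 0.30, 0.01, m=3.0), 1))
    # $100m of residential mortgages with the same PD and LGD
    print(round(retail_rwa(100, 0.30, 0.01, RHO_RESIDENTIAL_MORTGAGE), 1))
```

Two things worth noticing when running it: the wholesale correlation at PD = 1% is about 0.19, which is why the corporate loan's DR (0.14) sits just below the ρ = 0.2 row of Table 19.4, and the mortgage DR at ρ = 0.15 comes out near 0.11, which puts the mortgage RWA close to the standardized approach's 35 percent weight rather than far below it.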
Table 19.4 DR Values for Different Combinations of PD and ρ

           PD = 0.001   PD = 0.005   PD = 0.01   PD = 0.02
ρ = 0.0    0.001        0.005        0.01        0.02
ρ = 0.2    0.028        0.092        0.146       0.226
ρ = 0.4    0.071        0.211        0.316       0.449
ρ = 0.6    0.135        0.387        0.542       0.705

That is, correlations are lower for retail than for wholesale exposures.

Like the previous example, suppose a bank has $100 million of residential mortgages with PD = 0.01 and an LGD of 30 percent. Evaluating the DR formula at ρ = 0.15 gives DR ≈ 0.11 (rather than 0.14 for the corporate loans), so RWA = 12.5 × 100 × 0.3 × (0.11 − 0.01) ≈ $37.5 million. This is less than Basel I's $50 million for such a portfolio, and close to the Basel II Standardized Approach's value of $35 million.

Credit Mitigants Other Than Collateral

A credit substitution approach is used to handle arrangements like guarantees and credit default swaps. Under this approach, the credit rating of the guarantor is substituted for that of the obligor in capital calculations, up to the amount covered by the mitigant.

However, this approach is not quite generous enough relative to the actual loss outcomes, given that a double default (of both guarantor and borrower) is implied in the treatment. On the other hand, Basel II assumes relatively low correlations of wholesale counterparty defaults, meaning that double defaults should be infrequent.

As an alternative, in 2005 the Basel Committee amended the accord to allow capital without the mitigant to be multiplied by 0.15 + 160 × PD_g, where PD_g is the one-year PD of the guarantor.

Capital for Operational Risk

The Basel Committee defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In the wake of rogue trader losses at Barings Bank in the mid-1990s, the possibility of large losses from sources other than credit or market risk became more concrete. Basel II implemented capital requirements for operational risk, permitting three approaches:

1. Basic Indicator Approach: 15 percent of the bank's average annual gross income over the past three years, ignoring any years of negative gross income. This could be a material amount of capital, given that gross income is usually far larger than net income. However, this approach is relatively easy to implement and may be chosen by banks that do not expect to be constrained by capital requirements.
2. Standardized Approach: Like the basic indicator approach, but different multipliers are applied to gross income from different business lines.
3. The Advanced Measurement Approach (AMA): Internal models are used to calculate a one-year VaR-like measure of operational risk losses at the 99.9th percentile. Operational risk capital is this amount less expected operational losses. This approach allows recognition of risk mitigants such as insurance under some circumstances.

Example 19.4 Capital for the Basic Indicator and Standardized Approaches ($ billions)

The following table provides an example of a bank's gross income for each of the eight business lines specified in the Standardized Approach over a period of three years. It also shows the operational risk capital levels each year for each business line under the Standardized Approach, which are obtained by multiplying gross income by the business-line-specific multiplier. Negative capital may offset positive capital within a year, but years for which total estimated capital is negative are ignored in computing the three-year average. Thus, under the Standardized Approach, operational risk capital in this example would be (8.73 + 9.69)/2 = $9.21 billion.¹³

13 The definition of "gross income" provided by the BCBS for the first quantitative impact study was: net interest income (interest received minus interest paid) + net fees and commissions (fees and commissions received minus fees and commissions paid) + net trading income + gross other income. Income should be reflected gross of any provisions (e.g., for unpaid interest) and gross of any operational costs and losses. Income should exclude extraordinary or irregular items and also income derived from insurance.


Business Line Multiplier Gross Income Capital

Year 1 Year 2 Year 3 Year 1 Year 2 Year 3

Corporate Finance 18% 5 3 6 .90 .54 1.08

Trading & Sales 18% 1 -5 3 .18 - .9 0 .54

Retail Banking 12% 20 25 30 2.40 3.00 3.60

Com m ercial Banking 15% 30 40 35 4.50 6.00 5.25

Payment & Settlem ent 18% 2 3 -1 0 0 0.36 0.54 - 1 8 .0 0

A gency Services 15% 1 1 1 0.15 0.15 0.15

A sset M anagem ent 12% 1 2 2 0.12 0.24 0.24

Retail Brokerage 12% 1 1 2 0.12 0.12 0.24

Sum 61 70 -2 1 8.73 9.69 - 6 .9 0

Under the Basic Indicator approach, total gross income for each The BC BS requires the inclusion of both expected and unex­
year is multiplied by 15 percent, (again ignoring years of nega­ pected losses, and that the overall program use internal data
tive total gross income) and so the capital requirem ent in this (at least five years of experience), external data, scenario analy­
exam ple would be 0.15*(61 + 70)/2 = $9.83 billion. sis, and a consideration of the business environment and the
bank's controls. Though each supporting elem ent need not be
included directly in calculations, the overall process must include
Some Details of the AM A Approach
all four. Moreover, a bank must make a convincing argument
Banks using the A M A approach are expected to estim ate a dis­ that its process can capture bad-tail events and, if it chooses to
tribution of operational risk losses in seven categories that incor­
assume that losses across business lines and loss categories are
porates estim ates of both the incidence of operational loss anything but perfectly correlated, it must convincingly defend
events and their severity.14 its correlation assumptions. A bank may offset at most 20 per­
A M A m ethodologies vary w idely across different banks, but two cent of the operational risk capital charge with insurance, and
broad approaches are most popular: only insurance arrangem ents that m eet stringent requirements
are acceptable.
• A param etric and Monte Carlo approach, in which data are
used to param eterize the bank's choice of probability dis­ In recent years, required capital for operational at some banks
tribution for incidence (e.g ., Poisson) and for severity (e.g ., risk was a material fraction of total required capital, in part
W eibull). These distributions are then used to produce large because the internal loss data that was required to be used
numbers of simulated loss observations from which the value under the A M A included many large penalties for com pliance
at the 99.9th percentile can be read; and/or failures, scandals, or misbehavior. As a result, the A M A approach
• Generate a moderate number of detailed scenarios in which has lost favor and is no longer perm itted.
losses occur, and then measure operational losses in each
scenario. Separate scenario analyses are often conducted for
each category of operational losses. Scenario analysis has the
Solvency II
advantage of generating informative narratives and being Minimum capital requirem ents also exist for insurance com pa­
forward-looking. However, the number of data points gener­ nies in many nations. Though international standards do not yet
ated is usually small and it is not obvious how to best convert exist, sophisticated approaches have been im plem ented in the
such data into losses at the 99.9th percentile. As a result, many United States and the European Union.
banks use a combination of scenario and parametric methods.
In the mid-1990s, the U.S.-based National Association of Insur­
ance Com m issioners (NAIC) promulgated a capital standard that
14 The categories are: C lients, Products and Business Practices; Execu ­
anticipated some elem ents of Basel II. In addition to capital
tion, Delivery and Process M anagem ent; External Fraud; Internal Fraud;
Dam age to Physical A ssets; Em ployee Practices and W orkplace Safety; requirements covering the risks associated with liabilities, capital
Business Disruption and System Failures. is required for risky assets at levels that depend on ratings

314 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
assigned by the NAIC to each asset.15 Insurance regulation is at the state level in the United States, but most states have implemented these requirements.

In Europe, regulation of insurance companies is done by the European Union's (EU) European Insurance and Occupational Pensions Authority (EIOPA). The first capital regulations at the EU level were known colloquially as Solvency I, which has recently been replaced by Solvency II. More than 10 years in the making, Solvency II resembles Basel II in that many elements of its capital requirements are based on a one-year VaR concept (at the 99.5th percentile) and it has three pillars (quantitative requirement, internal governance and official supervision, and disclosure and transparency). Underwriting risk, credit and market risk, and operational risk are all considered. Underwriting risk is further subdivided into risks arising from life insurance, property & casualty, and health insurance. Solvency II also has elements found in Basel III (see Chapter ##), such as required buffers of capital above the minimum amount. If an insurance company breaches Solvency II's minimum capital requirement (MCR), supervisors may prevent the stressed firm from writing new policies or put it into resolution (e.g., a sale to a stronger company, or liquidation). The required buffer above the MCR is defined by the solvency capital requirement (SCR) less the MCR. If the SCR is breached, the insurance company should present a plan for capital restoration, and the supervisor might impose additional requirements.

Solvency II includes both standardized and internal model-based approaches to calculating the SCR. Internal models must satisfy three criteria.

• First, the data and methodology must be sound.
• Second, risk assessments must be calibrated to be in accordance with target criteria set by the regulator.
• Finally, the model must be used in actual business decision-making.

Also similar to Basel II, requirements may be satisfied by a combination of Tier 1 capital (equity, retained earnings, and equivalents), Tier 2 capital (liabilities subordinated to policyholders and available for write-off in liquidations), and Tier 3 capital (subordinated to policyholders but not satisfying the other criteria for Tier 2).

SUMMARY

This chapter has provided an overview of internationally agreed capital requirements that were created before the Global Financial Crisis. The 1988 Basel Accord (Basel I) introduced risk-based capital requirements, while the 1995 and 1996 amendments introduced much more sophisticated treatments of netting and market risk than had been previously available.

Basel II introduced additional approaches to capital for credit risk that were much more risk-sensitive and more aligned with modern credit risk management analysis. It also introduced two new pillars in addition to quantitative capital requirements: supervision and disclosure.

References

Bank for International Settlements, 2006, "Basel II: International Convergence of Capital Measurement and Capital Standards."

Bank for International Settlements, 1988, "International convergence of capital measurement and capital standards."

Carey, Mark S., and William F. Treacy, 1998, Credit risk rating at large U.S. banks, Federal Reserve Bulletin, November.

Gordy, M. B., 2003, A risk-factor model foundation for ratings-based capital ratios, Journal of Financial Intermediation 12, 199-232.

Lopez, J., 2004, The empirical relationship between average asset correlation, firm probability of default, and asset size, Journal of Financial Intermediation 13(2), 265-283.

15 Unlike at banks, liabilities are a major source of risk at insurance companies, since most insurance policies are liabilities for the insurer and variation in claim amounts has the potential to impose large losses.
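The two operational risk calculations in Example 19.4 of this chapter, carried out in code. This is an added example, not GARP's or the BCBS's code: the business-line multipliers and gross income figures are those of Example 19.4 (in $ billions), while the function names and the rule of returning zero when no year has a positive total are this example's own assumptions. It generalizes the example slightly in that it accepts any number of years and any set of business lines, and applies the "ignore years with a negative total" rule exactly as the text describes for both approaches.

```python
"""Operational risk capital under Basel II's Basic Indicator and Standardized
Approaches (added example, not GARP/BCBS code). Figures are those of
Example 19.4, in $ billions; the function names are this example's own."""

# Business-line multipliers (betas) used in Example 19.4.
BETA = {
    "Corporate Finance": 0.18,
    "Trading & Sales": 0.18,
    "Retail Banking": 0.12,
    "Commercial Banking": 0.15,
    "Payment & Settlement": 0.18,
    "Agency Services": 0.15,
    "Asset Management": 0.12,
    "Retail Brokerage": 0.12,
}

# Gross income per business line for years 1..3, from the example's table.
GROSS_INCOME = {
    "Corporate Finance": [5, 3, 6],
    "Trading & Sales": [1, -5, 3],
    "Retail Banking": [20, 25, 30],
    "Commercial Banking": [30, 40, 35],
    "Payment & Settlement": [2, 3, -100],
    "Agency Services": [1, 1, 1],
    "Asset Management": [1, 2, 2],
    "Retail Brokerage": [1, 1, 2],
}

BIA_ALPHA = 0.15  # Basic Indicator Approach multiplier


def average_ignoring_negative_years(values):
    """Average over years, dropping any year whose figure is negative or zero,
    as both approaches require. Returns 0.0 if no year qualifies (assumption:
    the text does not say what happens in that case)."""
    eligible = [v for v in values if v > 0]
    return sum(eligible) / len(eligible) if eligible else 0.0


def _num_years(gross_income):
    """All business lines must report the same number of years."""
    years = {len(series) for series in gross_income.values()}
    if len(years) != 1:
        raise ValueError("every business line needs the same number of years")
    return years.pop()


def standardized_capital_by_year(gross_income=GROSS_INCOME, beta=BETA):
    """Capital for each year: sum over lines of beta x gross income. Negative
    line-level capital (from negative gross income) offsets positive capital
    within the same year."""
    n = _num_years(gross_income)
    return [sum(beta[line] * series[y] for line, series in gross_income.items())
            for y in range(n)]


def standardized_approach_capital(gross_income=GROSS_INCOME, beta=BETA):
    """Standardized Approach charge: average of the yearly totals, ignoring
    years whose total is negative (Example 19.4: (8.73 + 9.69) / 2 = 9.21)."""
    return average_ignoring_negative_years(
        standardized_capital_by_year(gross_income, beta))


def basic_indicator_capital(gross_income=GROSS_INCOME, alpha=BIA_ALPHA):
    """Basic Indicator Approach charge: alpha x average total gross income,
    ignoring years of negative total gross income
    (Example 19.4: 0.15 x (61 + 70) / 2 = 9.825, i.e. $9.83 billion)."""
    n = _num_years(gross_income)
    totals = [sum(series[y] for series in gross_income.values()) for y in range(n)]
    return alpha * average_ignoring_negative_years(totals)


if __name__ == "__main__":
    print("Yearly SA capital:", [round(c, 2) for c in standardized_capital_by_year()])
    print("Standardized Approach: %.2f" % standardized_approach_capital())
    print("Basic Indicator:       %.2f" % basic_indicator_capital())
```

The yearly Standardized Approach figures reproduce the table's Sum row (8.73, 9.69, -6.90); the third year is then dropped from the average, which is what makes the Standardized Approach charge (9.21) lower than the Basic Indicator charge (9.83) here even though most multipliers are at or below 15 percent.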


Solvency, Liquidity and Other Regulation After the Global Financial Crisis

Learning Objectives

After completing this reading you should be able to:

• Describe and calculate the stressed VaR introduced in Basel 2.5, and calculate the market risk capital charge.
• Explain the process of calculating the incremental risk capital charge for positions held in a bank's trading book.
• Describe the comprehensive risk (CR) capital charge for portfolios of positions that are sensitive to correlations between default risks.
• Define in the context of Basel III and calculate where appropriate:
  Tier 1 capital and its components
  Tier 2 capital and its components
  Required Tier 1 equity capital, total Tier 1 capital, and total capital
• Describe the motivations for and calculate the capital conservation buffer and the countercyclical buffer, including special rules for globally systemically important banks (G-SIBs).
• Describe and calculate ratios intended to improve the management of liquidity risk, including the required leverage ratio, the liquidity coverage ratio, and the net stable funding ratio.
• Describe the mechanics of contingent convertible bonds (CoCos) and explain the motivations for banks to issue them.
• Explain motivations for "gold plating" of regulations and provide examples of legislative and regulatory reforms that were introduced after the 2007-2009 financial crisis.

By Mark Carey of the GARP Risk Institute.
The financial crisis that began in the summer of 2007 revealed limitations and gaps in the existing solvency and liquidity regulations. It also revealed market practices and product designs that proved ill-suited to stressed environments. Global regulators reacted with more restrictive regulations and supervision and with more coordination across nations.

20.1 THE FINANCIAL STABILITY BOARD

The Financial Stability Forum, a body that undertook occasional studies, was reconstituted as the Financial Stability Board (FSB) in the wake of the financial crisis. The FSB is composed of representatives from finance ministries, central banks, prudential regulators, securities regulators, and others from dozens of nations.

Although organizations like the Basel Committee and IOSCO appeared to retain their independence and authority, as a practical matter the FSB became the body in which many changes in international standards were approved. Later, as the regulatory tsunami receded, the FSB began to focus on other matters.

20.2 BASEL 2.5

Market prices of financial assets fell sharply during 2007-2009. In addition, many assets not already illiquid became so, the soundness of securitizations was doubted, and many hedging strategies failed. It was clear that minimum capital charges under the market risk amendment were inadequate for the trading-book risks revealed during the crisis.

The Basel Committee responded with updated rules for capital for the trading book, making three major changes:

1. VaR calculations were expanded to include a stressed-VaR component;
2. Capital for incremental risk was added (roughly capturing the jump-to-default risk);
3. Comprehensive risk capital requirements were added for securitizations and related instruments.

These changes were implemented by the end of 2011.

Stressed VaR

Most banks computed capital under the market risk amendment using historical simulation (i.e., 1-day VaR was computed by drawing daily changes in value from recent history and then converted to VaR by multiplying by √10). During periods of low volatility, such a practice causes measured VaR to gradually decline because all or nearly all of the historical observations have small changes in value. When volatility rises again, as it did in 2007 for many assets, VaR from historical simulation was slow to follow because most historical observations were from a low-volatility period.

The Basel Committee introduced a requirement for use of stressed-VaR measures to counter such tendencies. Rather than drawing daily observations from the most recent historical period, a bank is required to identify the one-year (i.e., 250 day) period from the most recent seven years that was most stressful for its current portfolio. Because this will be the sub-period with the highest fraction of portfolio-weighted large declines in value, the resulting 1-day VaR will be relatively large and will not change much as time passes (unless a period of low volatility persists for 7 years).

Stressed VaR was combined with the traditional VaR measure in an expanded formula

MR2.5 = max(VaR_{t-1}, m_r × VaR_avg) + max(SVaR_{t-1}, m_s × SVaR_avg)

where VaR_{t-1} and VaR_avg are the traditional 10-day, 99 percent VaR calculated by drawing from the previous day and the average of the 60 most recent days, respectively. SVaR_{t-1} and SVaR_avg are calculated by drawing from the equivalent times during the most stressful period in the past seven years. The multipliers m_r and m_s must be at least 3 as under the 1996 Amendment.

Because the definition of the stress period is such that the most recent period cannot be more stressed than the stressed period, and the charges based on traditional and stressed VaR are summed, MR2.5 must be at least twice as large as MR calculated under the 1996 Amendment as long as the multipliers are equal.

Incremental Risk Charge

The incremental risk charge (IRC) combines two strands of work, one released in 2005 as a reaction to regulatory arbitrage opportunities between the banking and trading book, and the other released in the wake of the crisis.

Although the specific risk charge was intended to capture default risk (as well as other sources of idiosyncratic risk), banks had learned by the early 2000s that even with the specific risk charge, most banking-book exposures had smaller capital requirements in the trading book than in the banking book. Thus, many illiquid instruments posing default risk were placed in the trading book.
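The stressed VaR mechanics from the subsection above, worked through end to end: historical-simulation VaR, the search for the most stressful 250-day window in a seven-year history, and the Basel 2.5 charge MR2.5 = max(VaR_{t-1}, m_r × VaR_avg) + max(SVaR_{t-1}, m_s × SVaR_avg). This is an added example, not GARP's or the BCBS's code. The daily P&L history is constructed (a quiet regime with one high-volatility year); the 250-day stress window, 60-day averaging and multipliers of at least 3 follow the chapter, while the 250-day lookback for the traditional VaR, the empirical-quantile convention, and treating the 60-day average of stressed VaR as equal to the current stressed VaR (the stress window is re-identified only occasionally) are this example's assumptions. The search over every window also shows why the text's "at least twice" claim holds: the most recent window is one of the candidates, so the stressed figure can never be smaller than the traditional one.

```python
"""Basel 2.5 market risk charge built from historical-simulation VaR and a
stressed VaR (added example, not GARP/BCBS code). The daily P&L history is
constructed; window lengths follow the chapter (250-day stress period,
60-day averages, multipliers of at least 3); the 250-day recent lookback and
the 99%/10-day VaR convention are this example's assumptions."""
import math
import random

CONFIDENCE = 0.99
HORIZON_DAYS = 10      # 1-day VaR is scaled by sqrt(10), as in the chapter
STRESS_WINDOW = 250    # one-year stressed period
RECENT_WINDOW = 250    # lookback for the traditional VaR (assumption)
AVERAGING_DAYS = 60    # VaR_avg and SVaR_avg average the last 60 days


def hs_var_1day(pnl, conf=CONFIDENCE):
    """Historical-simulation 1-day VaR: the empirical conf-quantile of losses
    (losses reported as positive numbers)."""
    losses = sorted(-p for p in pnl)
    idx = math.ceil(conf * len(losses)) - 1
    return max(losses[idx], 0.0)


def var_10day(pnl, conf=CONFIDENCE):
    """10-day VaR by the square-root-of-time scaling the chapter describes."""
    return hs_var_1day(pnl, conf) * math.sqrt(HORIZON_DAYS)


def stressed_window(pnl, window=STRESS_WINDOW):
    """Scan every 250-day window of the history and return (start, VaR) of the
    one with the highest 10-day VaR, i.e. the period most stressful for the
    current portfolio's P&L profile."""
    best_start, best_var = 0, -1.0
    for start in range(len(pnl) - window + 1):
        v = var_10day(pnl[start:start + window])
        if v > best_var:
            best_start, best_var = start, v
    return best_start, best_var


def recent_var_series(pnl, n_days=AVERAGING_DAYS, lookback=RECENT_WINDOW):
    """10-day VaR for each of the last n_days, each computed from the lookback
    window ending on that day; the last element is VaR_{t-1}."""
    n = len(pnl)
    return [var_10day(pnl[end - lookback:end]) for end in range(n - n_days + 1, n + 1)]


def basel25_market_risk_charge(pnl, m_r=3.0, m_s=3.0):
    """MR2.5 = max(VaR_{t-1}, m_r*VaR_avg) + max(SVaR_{t-1}, m_s*SVaR_avg).
    Assumption: the stressed window is re-identified only occasionally, so the
    60-day average of stressed VaR equals the current stressed VaR here."""
    if min(m_r, m_s) < 3.0:
        raise ValueError("multipliers must be at least 3")
    recent = recent_var_series(pnl)
    var_prev, var_avg = recent[-1], sum(recent) / len(recent)
    _, svar_prev = stressed_window(pnl)
    svar_avg = svar_prev
    mr_1996 = max(var_prev, m_r * var_avg)            # charge under the 1996 Amendment
    mr_25 = mr_1996 + max(svar_prev, m_s * svar_avg)  # Basel 2.5 charge
    return {"VaR_prev": var_prev, "VaR_avg": var_avg, "SVaR_prev": svar_prev,
            "MR_1996": mr_1996, "MR_2.5": mr_25}


def constructed_history(n_days=1750, stress_start=600, stress_len=250, seed=7):
    """Constructed seven years of daily P&L ($ millions): quiet regime with a
    one-year high-volatility episode, the 2007-style pattern described above."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 3.0 if stress_start <= d < stress_start + stress_len else 1.0)
            for d in range(n_days)]


if __name__ == "__main__":
    history = constructed_history()
    start, svar = stressed_window(history)
    print("stressed window starts at day", start, "SVaR =", round(svar, 2))
    for key, value in basel25_market_risk_charge(history).items():
        print(key, round(value, 2))
```

Because the recent window in the constructed history is quiet, the stressed component dominates and MR2.5 comes out at several times the 1996-Amendment charge, which is the effect the Committee wanted when recent data understate risk.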
To remove this incentive, the Basel Committee proposed adding an incremental default risk charge (IDRC). Two variants were proposed:

• An internal model of default risk calibrated to the same 99.9th percentile at a one-year horizon as the Committee's IRB approach
• Or, in the absence of such a model, either a "standardized" or a "current exposure" approach that had some similarity to Basel I capital charges for specific risk.

As a practical matter, capital in the trading book would be the greater of market risk capital and banking book capital.1

Late in the crisis, however, the Committee had realized that most losses in portfolio value associated with credit risk had been due to changes in ratings, credit spreads, or liquidity, not defaults. As a result, the scope of the proposal was increased to include changes in ratings. The same 99.9th percentile was used, but in addition to defaults, banks were required to estimate losses associated with rating downgrades. Portfolio credit quality is held approximately constant by an assumption that any position that is downgraded or that defaults is replaced by a position with the same pre-downgrade rating. A loss is recorded from sale of the downgraded or defaulted position. The period over which replacement could occur differs across positions according to their liquidity but is never less than three months.2

Correlations and the Comprehensive Risk Measure

An assumption embedded in Basel II is that the correlation parameter in the Gordy (2003) model is constant across obligors and over time (though not across types of assets). This assumption is reasonable for portfolios of debt instruments for purposes of determining banking-book capital, but not for instruments in the correlation book (e.g., securitizations, re-securitizations and derivatives written on securitizations). Such instruments place a portfolio in a special-purpose vehicle and create tranched liabilities that differ in seniority, and thus in their exposure to credit losses in the portfolio. In reality, correlations change over time and such changes can have large effects on the value of tranches. For example, the market prices of AAA-rated tranches were consistent with a near-zero probability of default pre-crisis, but during the crisis market estimates of PD increased significantly and tranche prices fell.

Table 20.1 Comprehensive Risk Capital Charge Under the Standardized Approach

                      AAA, AA      A     BBB      BB   <BB, unrated
Securitizations         1.6%      4%      8%     28%       100%
Re-securitizations      3.2%      8%     18%     52%       100%

The Basel Committee addressed this issue by replacing the IRC and specific risk charge with a comprehensive risk (CR) charge for the correlation book. Under the new rules, banks may use a standardized approach (summarized in Table 20.1) that depends only on the rating of the instrument. (Note that percentages are capital as a fraction of the exposure, not risk weights.)

Because re-securitizations (for which the underlying pool of assets are the tranched liabilities of securitization vehicles) are more vulnerable to changes in correlations, capital requirements are much higher for them. Meanwhile, tranches rated below BB are the most exposed to losses in the underlying pool (i.e., in effect they must be financed entirely with capital).

Banks may also use an internal model to estimate the CR charge if approved to do so by supervisors, though the model-based charge may not be less than a fraction of the charge under the standardized approach. Given the complexity of the underlying instruments and the rationale for using an internal model, which often includes the capture of hedges with more sophistication than the standardized approach, the internal models must be unusually complete, complicated and robust. Multiple default and rating change events; volatility in correlations and credit spreads; basis risk (e.g., the difference between CDS and underlying index values); the dynamics of hedges; and volatility in recovery rates must be modeled, ideally with simulations that revalue the whole portfolio for each iteration of a simulation.

20.3 BASEL 3

In addition to the need for more capital for risks in the trading book, the crisis revealed many other weaknesses of the Basel II framework:

• In the depths of the crisis, market participants cared only about tangible Tier 1 common equity capital (i.e., capital that could absorb losses and maintain a bank as a going concern). Many elements of the pre-crisis definition of capital proved limited in their ability to maintain banks as going concerns.
• The official sector came to believe that distress at some banks posed greater threats to society than distress at other

1 See BCBS, The Application of Basel II to Trading Activities and the Treatment of Double Default Effects, July 2005.

2 See BCBS, Guidelines for computing capital for incremental risk in the trading book, July 2009.

Chapter 20 Solvency, Liquidity and Other Regulation After the Global Financial Crisis ■ 319
banks, and that those in the former category should be better able to manage distress. Categories of "systemically important" financial firms were created and embedded in a wide range of regulatory and supervisory practices.
• Risk-based capital ratios were thought to have been too susceptible to gaming. Leverage-ratio capital requirements were needed as a backstop, especially since market participants who focused only on tangible common equity tended to also focus only on leverage ratios.
• It was not enough for banks to remain solvent up to the point of maximum losses - they also had to be able to operate as a going concern thereafter, which meant they needed substantial capital after absorbing the losses. In many cases, governments provided capital, but such provision was unpopular. Buffers of capital above the minimum requirements were needed, as were means of recapitalizing failed banks.
• Entities that were thought to be solvent by regulators nevertheless suffered runs and, in some cases, failed. This was in part because their liquid reserves proved inadequate to cover withdrawn funding and in part because wholesale funding proved to be unstable. Thus, liquidity requirements were needed.
• Especially after the failure of Lehman, which did not honor its commitments as a counterparty in derivative contracts, it became clear that capital was needed to cover counterparty credit risk.
• In addition, a Large Exposures Framework was created in 2014 to set a common global standard to limit exposure concentrations to a single counterparty, particularly between systemically important institutions. Specifically, the limits are 25% of capital (and 15% between global systemically important banks). This framework assumes 100% probability of default and 100% loss given default (after netting and collateral adjustments), limited use of models that failed in the crisis, and aggregates across wholesale credit, trading and other books. LEF also addresses a limitation of the capital framework, which does not adjust capital requirements for significant concentrations under either the Standardized Approach or the Gordy Model used in IRB (which assumes exposures are granular, not concentrated).

Proposals to remedy the deficiencies were published in 2010 and 2011 and amended in later years.3

The Definition of Capital

Basel III eliminated Tier 3 Capital and divided Tier 1 Capital into Tier 1 Equity Capital (also known as Core Tier 1 Capital) and Additional Tier 1 Capital, restricting the former to high-quality capital.

Minimum capital requirements were also changed: Core Tier 1 must be at least 4.5 percent of risk-weighted assets, and Total Tier 1 (i.e., the sum of Core and Additional Tier 1) capital must be at least 6 percent of risk-weighted assets. The Total Capital requirement (Tier 1 plus Tier 2) was left unchanged at 8 percent.

The components of each category are:

• Tier 1 Equity Capital includes
  • common equity,
  • retained earnings, and
  • a limited amount of minority interest and unrealized gains and losses.
  Goodwill and other intangibles are deducted, as are deferred tax assets and any shortfall of reserves relative to IRB expected losses.
• Additional Tier 1 Capital includes:
  • Unsecured, unguaranteed, non-cumulative perpetual preferred equity instruments subordinated to depositors and subordinated debt, and callable only after five years or more.
  • Debt with appropriate triggers that cause conversion to equity or write-downs.
  • Approved minority interest not included in Core Tier 1.
• Tier 2 capital is designed to absorb losses after failure, protecting depositors and other creditors. It includes:
  • Subordinated debt. Specifically, unsecured, unguaranteed, debt instruments subordinated to depositors and subordinated debt, with five years or more original maturity, and callable only after five years or more.
  • General loan loss reserves. These are reserves not allocated to absorb losses on specific positions. Reserves included in capital are capped at 1.25% of standardized approach RWAs, or 0.6% of IRB RWAs.

A number of other deductions are required, such as
• defined-benefit pension plan deficits,
• certain cross-holdings within a group, and
• mortgage servicing rights greater than 10 percent of common equity.

Overall, capital requirements were significantly increased relative to Basel 2 because minimum ratios were increased, and allowable capital was constricted.

3 BCBS, "Basel III: A global regulatory framework for more resilient banks and banking systems," June 2011; and BCBS, "Basel III: International framework for liquidity risk measurement standards and monitoring," December 2010.
Leverage Ratio Capital Requirements

Prior to Basel 3, minimum capital ratios specified by the Basel Committee were expressed as a percentage of risk-weighted assets (RWA). However, during and after the crisis many observers felt that RWA had understated the risks borne by banking organizations and thus led them to be over-leveraged. Though known weaknesses in the calculation of RWA were addressed, the possibility of future mismeasurement remained. Moreover, during the crisis market participants had focused on simple ratios of equity to unweighted assets as they assessed the soundness of banking organizations, making risk-weighted ratio values peripheral to the debates of the time.

The Committee's reaction was to introduce a "simple" leverage ratio capital requirement as a supplement to the risk-based requirements: banking organizations must maintain a ratio of Core Tier 1 Capital to Leverage Exposure of 3 percent or more. Leverage Exposure includes both on-balance-sheet assets and fractions of off-balance-sheet assets (e.g., derivatives or potential future exposures). Though the IFRS and GAAP accounting standards differ somewhat in their handling of off-balance sheet assets, the Committee's Leverage Exposure measure is specified in some detail to promote comparability across nations.

Systemically Important Financial Institutions

The FSB publishes lists of globally systemically important banks (G-SIBs) and (in cooperation with the IAIS) globally systemically important insurers (G-SII). Some nations also designate other banks as domestically systemically important (D-SIBs).

Collectively, these and other firms fall into the category of systemically important financial institutions (SIFIs). To determine whether an entity is a G-SIB, the FSB combines variables that proxy for size, interconnectedness, complexity, international activity and other matters.

An entity is systemically important if its failure or distress would cause substantial problems in the financial system or the real economy. For example, the aftermath of Lehman's failure demonstrated that it was systemically important because many financial markets were disrupted, and many counterparties suffered because Lehman failed to satisfy its obligations.

SIFIs are often presumed to be "too big to fail," but key goals of reforms include reducing the likelihood of failure while also making it possible for any entity to "fail" without disrupting the financial system or the real economy. Though shareholders likely would be wiped out in a failure and some creditors would suffer losses, the goal is for the entity to keep operating and be recapitalized without government assistance. As described ahead, systemically important firms are often subjected to more wide-ranging supervision and regulation.

Buffers

As of early 2019, the Basel specifications feature three requirements for capital above the minimum fractions of RWA:

1. A 2.5 percent capital conservation buffer (CCB) requirement.
2. An additional G-SIB requirement that depends on an organization's score when the Committee applies its method to identify G-SIBs. These additions are 1, 1.5, 2, 2.5 and 3.5 percent.4
3. A Countercyclical Capital Buffer (CCyB) that varies at the discretion of national supervisors and is between 0 and 2.5 percent.

The rationales for the buffers differ somewhat. In the case of the CCB, the rationale roughly follows that for the Prompt Corrective Action (PCA) system built into U.S. capital regulation beginning in 1991 (i.e., a bank with ratios that begin to approach the minimums should be subject to increasingly stringent supervisory intervention in order to induce a return to well-capitalized status). Though the only restrictions formally imposed by the Committee involve restrictions on dividend payments and bonuses, as well as a requirement for plans to restore capital ratios, supervisors may try to act more broadly as well.5

In the case of the G-SIB buffer, the rationale is similar to that for the CCB but also recognizes the very large costs to society of distress at G-SIBs (and the higher volatility of losses at some of them). Thus, larger buffers are specified to further reduce the chance of failure. A breach of the G-SIB buffer has consequences similar to a breach of the CCB.

The CCyB has two rationales. One is to provide an instrument for macroprudential restraint of overheating; the other is attentive to the cost of capital.

The overheating rationale posits that higher bank capital requirements tend to restrict credit supply by banks, and thus

4 The 2018 list of G-SIBs contained 29 entities. Since the list of G-SIBs was first published in 2011, none have been in the 3.5 percent category, and since 2013 only HSBC and JP Morgan Chase have appeared in the 2.5 percent category.

5 Supervisors have a range of tools at their disposal and may be constrained from certain actions when a bank is still meeting its minimums. In stressed environments it may be difficult to achieve asset sales, capital raises, or mergers that provide a remedy to deal with a weak bank. A failure to meet a buffer is less severe than failing to meet a minimum requirement.
overheating in the credit markets, thereby damping the amplitude of the credit cycle and perhaps reducing the frequency and severity of financial crises. A consequence of the overheating rationale is that computation of the CCyB requirement is complicated for banks with international operations. This is because the CCyB may differ across nations, and a bank with operations in several nations will have a consolidated CCyB requirement that is a weighted average of the requirements in each nation in which it operates.

The cost-of-capital rationale presumes that a bank's costs of increasing its capital ratio are smaller in good times than in bad times, which implies that increased financial stability can be obtained at lower cost by increasing the CCyB during good times and reducing it during bad times. Implicitly, this rationale focuses on capital market costs for the entity as a whole, without regard to conditions in different nations' credit markets.

As a practical matter, different supervisors have given different weights to the two rationales. The consequences of violating the CCyB are similar to those of violating the CCB. However, because national supervisors can reduce the CCyB at any time, such consequences can be mitigated by changing the requirement.

All of the aforementioned requirements apply only to risk-based capital ratios. In 2017, the Committee introduced a leverage ratio buffer for G-SIBs as well, equal to one-half of its risk-based G-SIB buffer (not including the CCB or CCyB).6 Earlier, the U.S. had implemented a 2 percentage point leverage buffer requirement for G-SIB consolidated organizations, and a 3 percentage point buffer for subsidiary banks, for an aggregate minimum of 5 and 6 percent, respectively. In 2018, the U.S. proposed to change its G-SIB leverage buffer to half of the sum of CCB and G-SIB risk-based buffer requirements.

Basel III Finalizing the Post-Crisis Reforms

In December 2017, the BCBS finalized a set of reforms that include revisions to

a) the standardized approach to credit,
b) the Internal ratings-based approach,
c) the CVA framework for counterparty credit,
d) operational risk, and

Key Changes - Standardized Approach

• Risk weights for banks have been adjusted, with one set of weights linked to external rating agencies, and another to credit risk assessments (i.e., Grade A, B or C) used when a country does not permit external ratings to be used for capital measures. Range is 20% RWA for AAA up to 150% RWA for lower than B-.
• Covered bonds (i.e., bonds issued by banks and secured by a portfolio of collateral) meeting specific criteria carry a risk weight of between 10% and 100%.
• Corporate bonds carry risk weights of 20%, 50%, 75%, 100% and 150% tied to ratings. In countries that do not allow ratings, a 65% risk weight applies to investment grade and 100% to non-investment grade. Favorable treatment is provided to loans to small and medium enterprises (SMEs).
• Specialized lending has several buckets (e.g., project finance or object finance) with detailed definitions and specific risk weights.
• Equities have a 400% risk weight (with exceptions) and sub-debt or other instruments have a 150% risk weight.
• New risk weights were set for real estate tied to loan value and type (e.g., retail versus commercial).
• New credit conversion factors were set for a range of off-balance sheet exposures.
• A definition of default was added. It includes payments past due for 90 days, non-accrual assets, write-offs in anticipation of default, sale of asset at loss, distressed restructuring, bankruptcy, and inability to pay without recourse to collateral.
• Treatment of hedges and collateral was expanded into significant detail.

Key Changes - IRB

• Categories include corporate, sovereign, bank, retail, and equity. Within retail there are three subtypes. Five subcategories of specialty lending include project finance, object finance, commodities, income producing real estate and high volatility real estate.
• IRB is not permitted for large corporates or banks where modeling is problematic, given few historical defaults and a limited number of exposures in the data set.
e) the leveraged ratio.
• Banks must apply IRB to all assets in a given asset class and
In addition, an output floor was introduced to ensure that cannot cherry pick some exposures to be covered under SA
capital calculations under the ratings-based and other modelled alone and IRB for others.
approaches is constrained at not less than 72.5% of the stan­
• Minimum UL risk weights apply for specialized lending.
dardized approach.
Collateral haircuts are applied for secured lending.

• Input floors for LGD calculations are provided for corporates,


6 Though it will not be implemented until 2022. with 25% minimum LGD on unsecured exposures and a

322 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
range of 0% to 15% minimum on secured exposures. Retail a substantial fraction of retail deposits was withdrawn and North­
exposures have a 50% minimum LDG on credit cards, 30% ern Rock's wholesale funding fell. With most of its remaining assets
on other unsecured exposures, and a similar 0% to 15% mini­ illiquid, Northern Rock found itself in imminent danger of being
mum LG D on secured loans. unable to meet further requests for withdrawals. By the following
Monday, the government announced that all deposits would be
guaranteed for all U.K. banks.
Key Changes - CVA Risk
• Two approaches are available for calculating CVA risk: Basel 3 addressed liquidity risk by specifying two requirem ents,
the standardized approach (SA-CVA) and basic approach the liquidity coverage ratio (LCR) and the net stable funding
(BA-CVA). ratio (NSFR).

The LCR is designed to give banks and authorities a month to


Key Changes - Operational Risk manage a crisis by selling liquid assets. The idea is that if the
• The standardized approach replaces existing Basel II bank has more liquid assets than it needs to meet liquidity
approaches for operational risk. Key elem ents include the dem ands during the month, it can sell the assets while attem pt­
business indicator (Bl) and the Business indicator com ponent ing to restore confidence in itself. To be "liq uid," the likelihood
(BIC), which equals the Bl tim es an Internal Loss M ultiplier must be high that the asset can be sold quickly and with little
(ILM) (i.e., a scaling factor based upon historical losses). reduction in price. The requirem ent is defined as
H ig h q u a lit y liq u id a s s e ts
Bl =ILD C + SC + FC LCR = > 1
N et ca sh o u t f lo w s in a 30 d a y p e r io d

W here ILDC = Min [(Abs(lnterest Income — Interest Expense);


The quantity of a bank's high-quality liquid assets (HQ LA) is
2.25% X Income Earning Assets -L Dividend Income); SC —
measured by placing assets in categories and applying hair­
Max [O ther O perating Income; O ther O perating Expense] +
cuts according to the likely availability of buyers at prices near
Max [Fee Income; Fee Expense]; and FC = A bs(N et P&L
normal-times values.
Trading book) + A bs(N et P&L Banking book)
For exam ple, included in H Q LA without a haircut are deposits
at central banks and securities issued by central governm ents
BIC
with a 0 percent risk weight in the standardized approach.
Bucket 1 (under Euro 1 billion) 12%
In contrast, corporate debt and equity have 50 percent
Bucket 2 (1 to 30 billion Euro) 15%
haircuts and individual m ortgage loans are excluded from
Bucket 3 (over 30 billion Euro) 18%
H Q LA entirely.

ILM Net cash outflows are com puted by applying assumptions about
ILM =Ln(exp( 1)-1 +(LC/BIC)A0.8)) the tendency of different classes of liabilities to be withdrawn in
stress situations, and the tendency credit line holders to draw on
them . For exam ple, only 3 percent of insured retail deposits are
Liquidity Requirements assumed to be withdrawn, whereas that number is 100 percent

Solvent financial institutions can som etim es fail because their for most non-operational wholesale deposits and 30 percent

depositors and counterparties withdraw more rapidly than for undrawn capacity of lines of credit to nonfinancial wholesale

assets can be sold. Regardless of the causes of a run, authorities custom ers. These exam ples only scratch the surface of a vast

value having tim e to diagnose the problem and find a solution, structure of asset/com m itm ent categories and their associated

ideally one not involving governm ent guarantees. percentages. As such, the definition of the LCR is simple but the
implementation is com plicated.
During the crisis, perhaps the most notable exam ple of a failure
involving a run was that of Northern Rock. Heavily dependent The NSFR uses a one-year period and is conceptually slightly

on securitization markets to fund its mortgage business, the different, in that it focuses not on what can be sold but rather

bank had trouble finding enough wholesale funding to finance what funding would remain after a stressful year. It is defined as

its pipeline of m ortgage loans when securitization became A v a ila b le a m o u n t o f s ta b le f u n d in g


NSFR = > 1
R e q u ir e d a m o u n t o f s ta b le f u n d in g
difficult.

The trouble began when news broke on Septem ber 13 (a


Thursday) that the Bank of England would provide liquidity sup­ 7 A t the tim e, deposit insurance in the U .K . was relatively m eaqer (up to
port. In the response to the prospect of government intervention,7 G B P 31,700).

Chapter 20 Solvency, Liquidity and Other Regulation After the Global Financial Crisis ■ 323
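The operational risk quantities defined under Key Changes - Operational Risk above (BI, BIC and ILM), carried through to a capital figure for a constructed bank. This is an added example, not code from the textbook; two details the chapter does not spell out are assumptions here: the bucket coefficients are applied marginally, and the capital charge is BIC × ILM.

```python
"""Standardised approach for operational risk: BI -> BIC -> ILM -> capital.

Added example; it is not code from the textbook. It implements the formulas the
chapter quotes (BI = ILDC + SC + FC, the three BIC buckets and
ILM = ln(exp(1) - 1 + (LC/BIC)^0.8)). Two details are assumptions the chapter
does not spell out: the bucket coefficients are applied marginally (12% on the
first EUR 1bn of BI, 15% on the next EUR 29bn, 18% above EUR 30bn) and the
operational risk capital charge is BIC x ILM. All input figures are constructed.
"""
import math

BN = 1e9  # EUR 1 billion


def business_indicator(interest_income, interest_expense, income_earning_assets,
                       dividend_income, other_oper_income, other_oper_expense,
                       fee_income, fee_expense, net_pl_trading, net_pl_banking):
    """BI = ILDC + SC + FC with the component definitions from the chapter."""
    ildc = (min(abs(interest_income - interest_expense),
                0.0225 * income_earning_assets) + dividend_income)
    sc = (max(other_oper_income, other_oper_expense)
          + max(fee_income, fee_expense))
    fc = abs(net_pl_trading) + abs(net_pl_banking)
    return ildc + sc + fc


def business_indicator_component(bi):
    """BIC from the three buckets; coefficients applied marginally (assumption)."""
    in_bucket1 = min(bi, 1 * BN)
    in_bucket2 = min(max(bi - 1 * BN, 0.0), 29 * BN)
    in_bucket3 = max(bi - 30 * BN, 0.0)
    return 0.12 * in_bucket1 + 0.15 * in_bucket2 + 0.18 * in_bucket3


def internal_loss_multiplier(loss_component, bic):
    """ILM = ln(e - 1 + (LC/BIC)^0.8); equals 1 when LC == BIC, exceeds 1 when LC > BIC."""
    return math.log(math.exp(1) - 1 + (loss_component / bic) ** 0.8)


def operational_risk_capital(bi, loss_component):
    """Capital = BIC x ILM (assumption: this is how the scaling factor is applied)."""
    bic = business_indicator_component(bi)
    return bic * internal_loss_multiplier(loss_component, bic)


if __name__ == "__main__":
    # Constructed bank (EUR): BI works out to 3.0bn, BIC to 0.42bn.
    bi = business_indicator(2.0 * BN, 1.2 * BN, 50.0 * BN, 0.1 * BN,
                            0.3 * BN, 0.4 * BN, 1.0 * BN, 0.6 * BN,
                            0.5 * BN, -0.2 * BN)
    # Loss history below, equal to and above BIC: ILM < 1, = 1, > 1.
    for lc in (0.21 * BN, 0.42 * BN, 0.84 * BN):
        cap = operational_risk_capital(bi, lc)
        print(f"BI={bi / BN:.2f}bn LC={lc / BN:.2f}bn capital={cap / BN:.3f}bn")
```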
The available amount of stable funding is calculated by multiplying the amount in several categories of funding by available stable funding (ASF) factors (which are similar to haircuts). However, these categories are different from those of the LCR. The required stable funding is similarly calculated by multiplying amounts in each category of asset by required stable funding (RSF) factors, where the factor is higher the more illiquid the asset (since it cannot be sold as easily when funding runs off).

The new liquidity requirements represent a major change in bank regulation and management. Prior to the crisis, the presumption was that regulators would instantly know whether a bank was solvent or not. If a bank was solvent, central banks could immediately provide enough emergency funding until market participants became comfortable with its solvency, whereas insolvent banks would be closed immediately.

One lesson of Northern Rock is that provision of funding by central banks can make funding stresses worse, not better, and doing so for one bank can destabilize a banking system. Thus, banks must be much better prepared to survive periods of funding stress with their own resources. This means that balance sheet composition is somewhat constrained, with a smaller proportion of illiquid assets and a larger proportion of illiquid liabilities.

Example of LCR and NSFR

A bank's liabilities consist of USD 500 of stable retail deposits with 9 months or less remaining maturity, USD 200 of 3-month wholesale certificates of deposit with one-third maturing each month, USD 200 of 10-year senior bonds with none maturing in the next year, and USD 100 of common equity. ASF factors for these categories of liability are 95%, 0%, 100%, and 100%, respectively.

The bank's assets consist of USD 100 of vault cash, USD 100 of the debt of its sovereign, USD 100 of corporate debt securities rated BBB in the trading account, and USD 700 of loans to businesses with more than one year of remaining maturity and risk weights of 50% or more. The RSF factors for these assets are 0%, 5%, 50%, and 85%, respectively. Thus

NSFR = (475 + 0 + 200 + 100) / (0 + 5 + 50 + 595) = 1.19

For the LCR, HQLA factors (1 − haircut) are 100%, 100%, 50%, 0%, presuming the supervisor allows inclusion of the corporate debt securities. Note that the corporate debt securities are Level 2 assets, which may not comprise more than 40% of HQLA after the haircut. This is satisfied since total HQLA is USD 250, of which USD 50 is the corporate debt securities.

Using a 5% runoff rate for the stable retail deposits, a 100% runoff rate for the one-third of wholesale CDs that mature in the next month, and a 0% runoff rate for senior bonds and equity, net 30-day cash outflows are 25 + 67 = 92, so

LCR = 250 / 92 = 2.72

Thus, the bank in this example would be in compliance with the LCR and NSFR. Note that a very large number of categories, factors and haircuts were not discussed in this example and the liquidity requirements are operationally complex.

Derivatives Counterparty Credit Risk

Banks calculate a credit valuation adjustment (CVA) for each derivatives counterparty, which is the difference in value between a risk-free portfolio of derivatives with that counterparty and the actual portfolio. CVA increases with the counterparty's credit spread and also changes with the market value of the portfolio. The component from changes in market values affects profit, while the component associated with counterparty credit spreads appears in market risk capital.

20.4 RESOLUTION PLANNING AND PREPARATION

Banks will fail in the future in spite of Basel I, II, III and later reforms. To limit the disruptions caused by such failures, the FSB agreed in 2014 that national resolution regimes for G-SIBs would have 12 key attributes and that each G-SIB should have sufficient total loss absorbing capacity (TLAC) to enable it to recapitalize itself.

Recapitalization might be accomplished by causing convertible bonds to become equity or by bail-in, in which certain wholesale debt liabilities are either written down or converted to equity. The terms of conversion are written into the indentures of convertible bonds and often require conversion when a bank appears to be solvent, whereas bail-ins are governed by national law and details are generally chosen by authorities after they have seized control of a bank.

CoCos

Traditionally, convertible bonds were issued by non-financial firms who wished to avoid the dilution of issuing equity before the firm's performance improved. Such bonds would, at the option of the holder, convert into equity when the firm's share price exceeded thresholds specified in the indenture.
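The LCR and NSFR example above, computed from the same balance sheet, factors and runoff rates, including the 40% cap on Level 2 assets that the example mentions but does not have to apply. This is an added example, not the textbook's own code; the chapter rounds net outflows to USD 92 and reports 2.72, whereas the unrounded figures give 250 / 91.67 = 2.73.

```python
"""LCR and NSFR for the chapter's example bank.

Added example, not the textbook's own code. The amounts, ASF and RSF factors,
HQLA factors (1 - haircut), runoff rates and the 40% cap on Level 2 assets are
exactly those of the chapter's worked example.
"""

# Liabilities: (name, amount, ASF factor, share maturing within 30 days,
#               runoff rate applied to that share)
LIABILITIES = [
    ("stable retail deposits, <= 9 months", 500.0, 0.95, 1.0, 0.05),
    ("3-month wholesale CDs, one-third maturing each month", 200.0, 0.00, 1.0 / 3.0, 1.00),
    ("10-year senior bonds", 200.0, 1.00, 0.0, 0.00),
    ("common equity", 100.0, 1.00, 0.0, 0.00),
]

# Assets: (name, amount, RSF factor, HQLA factor = 1 - haircut, HQLA level or None)
ASSETS = [
    ("vault cash", 100.0, 0.00, 1.00, 1),
    ("debt of own sovereign", 100.0, 0.05, 1.00, 1),
    ("BBB corporate debt, trading account", 100.0, 0.50, 0.50, 2),
    ("business loans > 1 year, RW >= 50%", 700.0, 0.85, 0.00, None),
]

LEVEL2_CAP = 0.40  # Level 2 assets may not exceed 40% of HQLA after haircuts


def available_stable_funding(liabilities=LIABILITIES):
    return sum(amount * asf for _, amount, asf, _, _ in liabilities)


def required_stable_funding(assets=ASSETS):
    return sum(amount * rsf for _, amount, rsf, _, _ in assets)


def nsfr(liabilities=LIABILITIES, assets=ASSETS):
    """NSFR = available stable funding / required stable funding (must be >= 1)."""
    return available_stable_funding(liabilities) / required_stable_funding(assets)


def hqla(assets=ASSETS):
    """HQLA after haircuts, with Level 2 limited to 40% of the total.

    level2 <= 0.4 * (level1 + level2) is the same as level2 <= level1 * 0.4 / 0.6,
    so any Level 2 beyond that amount is simply not counted.
    """
    level1 = sum(amount * f for _, amount, _, f, lvl in assets if lvl == 1)
    level2 = sum(amount * f for _, amount, _, f, lvl in assets if lvl == 2)
    level2_allowed = level1 * LEVEL2_CAP / (1.0 - LEVEL2_CAP)
    return level1 + min(level2, level2_allowed)


def net_cash_outflows_30d(liabilities=LIABILITIES):
    return sum(amount * share * runoff for _, amount, _, share, runoff in liabilities)


def lcr(liabilities=LIABILITIES, assets=ASSETS):
    """LCR = HQLA / net 30-day cash outflows (must be >= 1)."""
    return hqla(assets) / net_cash_outflows_30d(liabilities)


if __name__ == "__main__":
    print(f"ASF={available_stable_funding():.0f} RSF={required_stable_funding():.0f} "
          f"NSFR={nsfr():.2f}")
    print(f"HQLA={hqla():.0f} outflows={net_cash_outflows_30d():.2f} LCR={lcr():.2f}")
```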
For banks, contingent convertible bonds (CoCos) are the mirror image: they cause a bank's equity to increase when distress occurs, as reflected by triggers written into the indenture, and not at the option of the holder. With CoCos, equity increases either because the bond converts to equity or because its value is written down.

Triggers have varied somewhat across CoCos, but a common trigger is when the ratio of Core Tier 1 Capital to RWA falls below a threshold, or when a bank's primary regulator declares it to be nonviable. CoCos may be included in Additional Tier 1 Capital if the threshold is 5.125 percent or higher, and Tier 2 capital otherwise.

Economically, it is not obvious why the market would price CoCos to make the cost of capital for them less than the cost of equity. Because CoCos are debt instruments when issued, holders receive little or none of the high returns received by equity holders when a bank does well, but holders bear losses not so different from those of equity holders when a bank fails. Thus, they should be expensive for a bank to issue. But they do have an accounting advantage: because they do not appear in the equity account until converted, a bank can report a higher return on equity.

Living Wills

In many countries, G-SIBs (and sometimes D-SIBs) are required to prepare detailed resolution plans in which they specify how they would fund themselves when distressed, how they would recapitalize, how they would continue to operate as a going concern even if some subsidiaries failed, and many other related matters.

20.5 STRESS TESTING AND OTHER LOCAL APPLICATIONS OF BASEL

While Basel I, II and III have achieved some level of harmonization across countries, significant differences persist. Little effort has been made to fully adjust for differences in accounting standards, bankruptcy laws, or other rules or regulations with differences across countries. Even where there is agreement in Basel, some jurisdictions apply tighter treatments than others. For example, many European countries treat all banks as internationally active and subject to Basel rules, while the U.S. considers only its largest banks as internationally active, with less stringent requirements applied to many regional and community banks that only operate in one or a few states with little international activity.

Though participating countries are not supposed to promulgate domestic laws and regulations that are less onerous for internationally active banks, they may enact requirements that are superequivalent (i.e., imposing a different but higher, or just a higher standard than Basel requires).

This approach sometimes acts as a safety valve in the Basel negotiations, allowing those who want stronger standards for everyone to at least have them domestically, and sometimes it reflects a nation's special circumstances. Switzerland's choices are in the latter category: as a small country with two huge G-SIBs, it found itself during the crisis in the uncomfortable situation of being unable to recapitalize its G-SIBs should that have been necessary. Thus, its capital requirements are more onerous than those of Basel 3, and in resolution planning it has required the G-SIBs to structure themselves so that domestic operations could continue even if international operations failed. The United Kingdom has taken a somewhat similar step, requiring that retail operations be ringfenced (i.e., separated from) wholesale operations.

Basel anticipates that in addition to minimum standards, each jurisdiction will supervise banks and take other actions to ensure they have adequate capital and liquidity, and strong risk management and governance. In the U.S., coordinated stress tests based upon supervisory designs and scenarios ensure that banks have capital and liquidity planning processes, risk management, and sufficient buffers to allow compliance with minimum capital and liquidity standards even in a stressed situation.

The Federal Reserve's Comprehensive Capital Analysis and Review (CCAR), which requires participation by G-SIBs and D-SIBs with material operations in the United States, includes a supervisory severe scenario that has been one of the more severe stress tests. For some banks, CCAR stress testing is the binding capital constraint, as restrictions on dividend payments and share buybacks apply if the bank's capital ratios fall below the requirement minimums after losses in the "severely adverse" scenario are included. This approach requires banks to hold buffers that should allow them to meet their minimum capital requirements even in stressed scenarios and is consistent with past expectations that banks should have a cushion above Basel minimum capital requirements. Furthermore, that cushion is likely greater than in the past.

Similarly, there is a program for liquidity known as CLAR that assesses bank stress testing and supervisory provided stress tests to ensure liquidity buffers are maintained. In 2019, elements of CCAR have been relaxed to reduce in future periods the use of qualitative criteria (relating to bank risk management and capital planning processes) in judging results.
20.6 OTHER REFORMS

A vast array of legislation and regulations was implemented across the globe in the decade after 2007. These include:

• Capacity to conduct macroprudential policy was added through institutional reforms in some nations where legal authority was previously lacking. For example, in the United States, bank regulators' missions often restricted them to consider only the soundness of individual banks, not the financial system as a whole. The Financial Stability Oversight Council (FSOC) was created to take a more macroprudential view, though its legal authority was somewhat limited. In the United Kingdom, the Financial Policy Committee was created at the Bank of England, with some power to take macroprudential policy actions and to recommend others to Parliament.
• Pre-crisis compensation practices at large banks that made pay effectively independent of risk-taking were widely blamed for imprudent risk taking. The FSB promulgated principles for better compensation practices, and many nations responded with increased supervision and regulation. Some elected to take a more formulaic approach, in some cases restricting the level of pay, while other nations focused on supervision of the presence of risk-sensitive features in compensation arrangements.
• In the United States, the Volcker Rule (part of the Dodd Frank Act) restricts proprietary trading and investments in hedge funds and private equity at deposit-taking financial firms. The rationale is that banks should not be permitted to "speculate" while being funded by insured depositors. However, the Volcker Rule has proved difficult to enforce because of challenges in identifying the intent of a trade and in separating hedging activity from speculative activity. Nevertheless, most banks shut down their proprietary trading desks.
• In the United States and in the European Union, some over-the-counter derivatives (i.e., those that are relatively standard in form and terms) must be traded on swap execution facilities (SEFs), which are electronic platforms that promote price transparency. Derivatives traded between financial institutions must be cleared by central counterparties (CCPs).
• In the United States, an Office of Credit Ratings was created at the Securities and Exchange Commission to provide oversight of rating agencies, though its powers were somewhat limited. Prior to the crisis, rating agencies had been subject to relatively little regulatory oversight and they were widely blamed for underestimates of the credit risks posed by securitizations.
• In the United States, a Consumer Financial Protection Bureau (CFPB) was created to improve information flows to consumers of financial products and to curb abuses by financial firms of all kinds.
• In the United States, mortgage lenders were required to determine whether borrowers have the ability to repay the loans they take. The legal and financial liabilities associated with mistakes in such determinations have caused many banks to exit the mortgage market.
• In the United States, large banks were required to have board risk committees where at least one member has risk management experience at a large financial firm.
• In the United States and the European Union, issuers of securitizations were required to retain at least 5 percent of each tranche, in an attempt to better align the incentives of issuers and investors.

References

Basel Committee on Banking Supervision, "The Application of Basel II to Trading Activities and the Treatment of Double Default Effects," July 2005.

Basel Committee on Banking Supervision, "Guidelines for computing capital for incremental risk in the trading book," January 2009.

Basel Committee on Banking Supervision, "Revisions to the Basel II market risk framework," July 2009 and February 2011.

Basel Committee on Banking Supervision, "Guidelines for computing capital for incremental risk in the trading book," July 2009.

Basel Committee on Banking Supervision, "Basel III: A global regulatory framework for more resilient banks and banking systems - revised version June 2011," June 2011.

Basel Committee on Banking Supervision, "Basel III: A global regulatory framework for more resilient banks and banking systems," December 2010.

Basel Committee on Banking Supervision, "Basel III: the net stable funding ratio," October 2014.

Basel Committee on Banking Supervision, "Basel III: the Liquidity Coverage Ratio and liquidity risk monitoring tools," January 2013.

Basel Committee on Banking Supervision, "Basel III: Finalising Post-Crisis Reforms," December 2017.

Basel Committee on Banking Supervision, "Minimum Capital Requirements for Market Risk," revised 14 January 2019.

Basel Committee on Banking Supervision, "Large Exposures Framework," April 2014.
Learning Objectives
After completing this reading you should be able to:

Explain the motivations for revising the Basel III framework and the goals and impacts of the December 2017 reforms to the Basel III framework.

Summarize the December 2017 revisions to the Basel III framework in the following areas:
The standardized approach to credit risk
The internal ratings-based (IRB) approaches for credit risk
The CVA risk framework
The operational risk framework
The leverage ratio framework

Describe the revised output floor introduced as part of the Basel III reforms and approaches to be used when calculating the output floor.

Basel Committee on Banking Supervision Publication, December 2017.
This note summarises the main features of the finalised Basel III reforms. The standards text, which provides the full details of the reforms, is published separately and is available on the BIS website at www.bis.org/bcbs/publ/d424.htm.

The Basel III framework is a central element of the Basel Committee's response to the global financial crisis. It addresses a number of shortcomings in the pre-crisis regulatory framework and provides a foundation for a resilient banking system that will help avoid the build-up of systemic vulnerabilities. The framework will allow the banking system to support the real economy through the economic cycle.

The initial phase of Basel III reforms focused on strengthening the following components of the regulatory framework:

• improving the quality of bank regulatory capital by placing a greater focus on going-concern loss-absorbing capital in the form of Common Equity Tier 1 (CET1) capital;
• increasing the level of capital requirements to ensure that banks are sufficiently resilient to withstand losses in times of stress;
• enhancing risk capture by revising areas of the risk-weighted capital framework that proved to be acutely miscalibrated, including the global standards for market risk, counterparty credit risk and securitisation;
• adding macroprudential elements to the regulatory framework, by: (i) introducing capital buffers that are built up in good times and can be drawn down in times of stress to limit procyclicality; (ii) establishing a large exposures regime that mitigates systemic risks arising from interlinkages across financial institutions and concentrated exposures; and (iii) putting in place a capital buffer to address the externalities created by systemically important banks;
• specifying a minimum leverage ratio requirement to constrain excess leverage in the banking system and complement the risk-weighted capital requirements; and
• introducing an international framework for mitigating excessive liquidity risk and maturity transformation, through the Liquidity Coverage Ratio and Net Stable Funding Ratio.

The Committee's now finalised Basel III reforms complement these improvements to the global regulatory framework. The revisions seek to restore credibility in the calculation of risk-weighted assets (RWAs) and improve the comparability of banks' capital ratios by:

• enhancing the robustness and risk sensitivity of the standardised approaches for credit risk, credit valuation adjustment (CVA) risk and operational risk;
• constraining the use of the internal model approaches, by placing limits on certain inputs used to calculate capital requirements under the internal ratings-based (IRB) approach for credit risk and by removing the use of the internal model approaches for CVA risk and for operational risk;
• introducing a leverage ratio buffer to further limit the leverage of global systemically important banks (G-SIBs); and
• replacing the existing Basel II output floor with a more robust risk-sensitive floor based on the Committee's revised Basel III standardised approaches.

STANDARDISED APPROACH FOR CREDIT RISK

Credit risk accounts for the bulk of most banks' risk-taking activities and hence their regulatory capital requirements. The standardised approach is used by the majority of banks around the world, including in non-Basel Committee jurisdictions.

The Committee's revisions to the standardised approach for credit risk enhance the regulatory framework by:

• improving its granularity and risk sensitivity. For example, the Basel II standardised approach assigns a flat risk weight to all residential mortgages. In the revised standardised approach mortgage risk weights depend on the loan-to-value (LTV) ratio of the mortgage;
• reducing mechanistic reliance on credit ratings, by requiring banks to conduct sufficient due diligence, and by developing a sufficiently granular non-ratings-based approach for jurisdictions that cannot or do not wish to rely on external credit ratings; and
• as a result, providing the foundation for a revised output floor to internally modelled capital requirements (to replace the existing Basel I floor) and related disclosure to enhance comparability across banks and restore a level playing field.

The revisions to the standardised approach for credit risk, relative to the existing standardised approach, are outlined in Table 21.1. In summary, the key revisions are as follows:

• A more granular approach has been developed for unrated exposures to banks and corporates, and for rated exposures in jurisdictions where the use of credit ratings is permitted.
• For exposures to banks, some of the risk weights for rated exposures have been recalibrated. In addition, the risk-weighted treatment for unrated exposures is more granular than the existing flat risk weight. A standalone treatment for covered bonds has also been introduced.
• For exposures to corporates, a more granular look-up table has been developed. A specific risk weight applies to exposures to small and medium-sized enterprises (SMEs).
In addition, the revised standardised approach includes a standalone treatment for exposures to project finance, object finance and commodities finance.
• For residential real estate exposures, more risk-sensitive approaches have been developed, whereby risk weights vary based on the LTV ratio of the mortgage (instead of the existing single risk weight) and in ways that better reflect differences in market structures.
• For retail exposures, a more granular treatment applies, which distinguishes between different types of retail exposures. For example, the regulatory retail portfolio distinguishes between revolving facilities (where credit is typically drawn upon) and transactors (where the facility is used to facilitate transactions rather than a source of credit).
• For commercial real estate exposures, approaches have been developed that are more risk-sensitive than the flat risk weight which generally applies.
• For subordinated debt and equity exposures, a more granular risk weight treatment applies (relative to the current flat risk weight).
• For off-balance sheet items, the credit conversion factors (CCFs), which are used to determine the amount of an exposure to be risk-weighted, have been made more risk-sensitive, including the introduction of positive CCFs for unconditionally cancellable commitments (UCCs).

Table 21.1 O v e rv ie w of R evised S tan d ard ised A p p ro ach to C re d it Risk

Exposures to banks

Risk weights in jurisdictions where the ratings approach is perm itted

External rating AAA to A A - A+ to A - BBB+ to B B B - BB+ to B - Below B - Unrated


Risk weight 20% 30% 50% 100% 150% As for SC R A below

Short-term exp o su res

Risk weight 20% 20% 20% 50% 150% As for SC R A below

Risk weights where the ratings approach is not perm itted and for unrated exposures

Standardised Credit Risk Grade A Grade B Grade C


Assessment Approach (SCRA)
grades

Risk weight 40% 1 75% 150%

Short-term exposures 20% 50% 150%

Exposures to covered bonds


Risk weights for rated covered bonds

External issue-specific rating AAA to A A - A+ to B B B - BB+ to B - Below B—

Risk weight 10% 20% 50% 100%

Risk weights for unrated covered bonds

Risk weight of issuing bank 20% 30% 40% 50% 75% 100% 150%

Risk weight 10% 15% 20% 25% 35% 50% 100%

Exposures to general corporates

Risk weights in jurisdictions where the ratings approach is perm itted

External rating AAA to A A - A+ to A — BBB+ to B B B - BB+ to B B - Below B B - Unrated


of counterparty

Risk weight 20% 50% 75% 100% 150% 100% or 85%


if corporate SM E

(Continued)

1 A risk w eight of 30% may be applied if the exposure to the bank satisfies all of the criteria for G rade A classification and in addition the counterparty
bank has (i) a CET1 ratio of 14% or above; and (ii) a T ie r 1 leverage ratio of 5% or above.

Chapter 21 High-Level Summary of Basel III Reforms ■ 329


Table 21.1 Continued

Risk weights where rating approach is not permitted

SCRA grades                 | Investment grade | All other
General corporate (non-SME) | 65%              | 100%
SME general corporate       | 85%

Exposures to project finance, object finance and commodities finance

Exposure (excluding real estate)               | Project finance                                                                          | Object and commodity finance
Issue-specific ratings available and permitted | Same as for general corporate (see above)                                                | Same as for general corporate (see above)
Rating not available or not permitted          | 130% pre-operational phase; 100% operational phase; 80% operational phase (high quality) | 100%

Retail exposures excluding real estate

            | Regulatory retail (non-revolving) | Regulatory retail (revolving): Transactors | Regulatory retail (revolving): Revolvers | Other retail
Risk weight | 75%                               | 45%                                        | 75%                                      | 100%

Residential real estate exposures

LTV bands                                       | Below 50% | 50% to 60% | 60% to 70% | 70% to 80% | 80% to 90%         | 90% to 100%        | Above 100%         | Criteria not met
General RRE: whole loan approach RW             | 20%       | 25%        | 30%        | 30%        | 40%                | 50%                | 70%                | RW of counterparty
General RRE: loan-splitting approach(2) RW      | 20%       | 20%        | 20%        | 20%        | RW of counterparty | RW of counterparty | RW of counterparty | RW of counterparty
Income-producing residential real estate (IPRRE): whole loan approach RW | 30% | 35% | 45% | 45% | 60% | 75% | 105% | 150%

Commercial real estate (CRE) exposures

General CRE

Whole loan approach       | LTV ≤ 60%                     | LTV > 60%          | Criteria not met
                          | Min (60%, RW of counterparty) | RW of counterparty | RW of counterparty
Loan-splitting approach(2)| LTV ≤ 55%                     | LTV > 55%          | Criteria not met
                          | Min (60%, RW of counterparty) | RW of counterparty | RW of counterparty

Income-producing commercial real estate (IPCRE)

Whole loan approach | LTV ≤ 60% | 60% < LTV ≤ 80% | LTV > 80% | Criteria not met
                    | 70%       | 90%             | 110%      | 150%

2 Under the loan-splitting approach, a supervisory specified risk weight is applied to the portion of the exposure that is below 55% of the property value and the risk weight of the counterparty is applied to the remainder of the exposure. In cases where the criteria are not met, the risk weight of the counterparty is applied to the entire exposure.

330 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Land acquisition, development and construction (ADC) exposures

Loan to company/SPV  | 150%
Residential ADC loan | 100%

Subordinated debt and equity (excluding amounts deducted)

            | Subordinated debt and capital other than equities | Equity exposures to certain legislated programmes | "Speculative unlisted equity" | All other equity exposures
Risk weight | 150%                                              | 100%                                              | 400%                          | 250%

Credit conversion factors for off-balance sheet exposures

    | UCCs | Commitments, except UCCs | NIFs and RUFs, and certain transaction-related contingent items | ST self-liquidating trade letters of credit arising from the movement of goods | Direct credit substitutes and other off balance sheet exposures
CCF | 10%  | 40%                      | 50%                                                             | 20%                                                                            | 100%
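The whole-loan and loan-splitting treatments of residential real estate in Table 21.1 are easiest to compare on one concrete loan. The following Python is an added worked example, not code from the GARP text or the Basel Committee: it encodes the "General RRE" whole-loan bands from the table and footnote 2's split at 55% of property value, and the loan figures it uses are constructed.

```python
"""Residential real estate risk weights: whole-loan vs loan-splitting (Table 21.1).

Added worked example, not from the GARP text or the Basel Committee. The band
table is the "General RRE" whole-loan row of Table 21.1 (criteria met); the
split rule is footnote 2. Loan figures used below are constructed.
"""

# Whole-loan approach, general RRE: (inclusive upper LTV bound, risk weight).
RRE_WHOLE_LOAN_BANDS = [
    (0.50, 0.20),   # LTV up to 50%
    (0.60, 0.25),   # 50% to 60%
    (0.80, 0.30),   # 60% to 80% (one merged cell in the table)
    (0.90, 0.40),   # 80% to 90%
    (1.00, 0.50),   # 90% to 100%
]
RRE_WHOLE_LOAN_ABOVE_100 = 0.70      # LTV above 100%
LOAN_SPLIT_THRESHOLD = 0.55          # footnote 2: portion below 55% of property value
LOAN_SPLIT_SUPERVISORY_RW = 0.20     # supervisory risk weight for that portion


def loan_to_value(exposure, property_value):
    if property_value <= 0:
        raise ValueError("property value must be positive")
    return exposure / property_value


def whole_loan_risk_weight(exposure, property_value, counterparty_rw, criteria_met=True):
    """One risk weight for the entire exposure, chosen by LTV band."""
    if not criteria_met:
        return counterparty_rw
    ltv = loan_to_value(exposure, property_value)
    for upper_bound, rw in RRE_WHOLE_LOAN_BANDS:
        if ltv <= upper_bound:
            return rw
    return RRE_WHOLE_LOAN_ABOVE_100


def loan_splitting_rwa(exposure, property_value, counterparty_rw, criteria_met=True):
    """RWA under footnote 2: 20% on the part below 55% of value, counterparty RW on the rest."""
    if not criteria_met:
        return exposure * counterparty_rw
    supervisory_part = min(exposure, LOAN_SPLIT_THRESHOLD * property_value)
    remainder = exposure - supervisory_part
    return supervisory_part * LOAN_SPLIT_SUPERVISORY_RW + remainder * counterparty_rw


def compare_approaches(exposure, property_value, counterparty_rw, criteria_met=True):
    """Return (whole-loan RWA, loan-splitting RWA) for the same loan."""
    whole = exposure * whole_loan_risk_weight(exposure, property_value, counterparty_rw, criteria_met)
    split = loan_splitting_rwa(exposure, property_value, counterparty_rw, criteria_met)
    return whole, split


if __name__ == "__main__":
    # Constructed case: a 70,000 loan on a property valued at 100,000 (LTV 70%),
    # borrower risk weight 75%.
    print(compare_approaches(70_000, 100_000, 0.75))
```

For the constructed loan the whole-loan approach gives 30% on the full 70,000 (RWA 21,000), while loan splitting gives 20% on 55,000 plus 75% on the remaining 15,000 (RWA 22,250); which approach is available is a jurisdictional choice, so the comparison shows how much the answer depends on the counterparty risk weight applied to the remainder.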

INTERNAL RATINGS-BASED APPROACHES FOR CREDIT RISK

As noted above, the financial crisis highlighted a number of shortcomings related to the use of internally modelled approaches for regulatory capital, including the IRB approaches to credit risk. These shortcomings include the excessive complexity of the IRB approaches, the lack of comparability in banks' internally modelled IRB capital requirements and the lack of robustness in modelling certain asset classes.

To address these shortcomings, the Committee has made the following revisions to the IRB approaches: (i) removed the option to use the advanced IRB (A-IRB) approach for certain asset classes; (ii) adopted "input" floors (for metrics such as probabilities of default (PD) and loss-given-default (LGD)) to ensure a minimum level of conservatism in model parameters for asset classes where the IRB approaches remain available; and (iii) provided greater specification of parameter estimation practices to reduce RWA variability.

Removing the Use of the Advanced IRB Approach for Certain Asset Classes

The revised IRB framework removes the use of the A-IRB approach - which allows banks to estimate the PD, LGD, exposure at default (EAD) and maturity of an exposure - for asset classes that cannot be modelled in a robust and prudent manner. These include exposures to large and mid-sized corporates, and exposures to banks and other financial institutions. As a result, banks with supervisory approval will use the foundation IRB (F-IRB) approach, which removes the two important sources of RWA variability as it applies fixed values to the LGD and EAD parameters. In addition, all IRB approaches are being removed for exposures to equities, which are typically a small component of the credit risk of banks.

Table 21.2 outlines the revised scope of approaches available under Basel III for certain asset classes relative to the Basel II framework.

Table 21.2 Revised Scope of IRB Approaches for Asset Classes

Portfolio/Exposure                                             | Basel II: Available Approaches | Basel III: Available Approaches
Large and mid-sized corporates (consolidated revenues > €500m) | A-IRB, F-IRB, SA               | F-IRB, SA
Banks and other financial institutions                         | A-IRB, F-IRB, SA               | F-IRB, SA
Equities                                                       | Various IRB approaches         | SA
Specialised lending(3)                                         | A-IRB, F-IRB, slotting, SA     | A-IRB, F-IRB, slotting, SA

3 With respect to specialised lending, banks would be permitted to continue using the advanced and foundation IRB approaches. The Committee will review the slotting approach for specialised lending in due course.


Table 21.3 Minimum Parameter Values in the Revised IRB Framework(4)

                  | Probability of Default (PD) | Loss-Given-Default (LGD): Unsecured | Loss-Given-Default (LGD): Secured | Exposure at Default (EAD)
Corporate         | 5 bp  | 25% | Varying by collateral type: 0% financial; 10% receivables; 10% commercial or residential real estate; 15% other physical | EAD subject to a floor that is the sum of (i) the on-balance sheet exposures; and (ii) 50% of the off-balance sheet exposure using the applicable Credit Conversion Factor (CCF) in the standardised approach (the EAD floor applies to all rows)
Retail classes:   |       |     |                                                                                                                           |
  Mortgages       | 5 bp  | N/A | 5%                                                                                                                        |
  QRRE transactors| 5 bp  | 50% | N/A                                                                                                                       |
  QRRE revolvers  | 10 bp | 50% | N/A                                                                                                                       |
  Other retail    | 5 bp  | 30% | Varying by collateral type: 0% financial; 10% receivables; 10% commercial or residential real estate; 15% other physical |
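How the floors in Table 21.3 bite on a corporate A-IRB exposure, including the weighted-average rule for partially secured exposures stated in the table's footnote 4, as an added Python example; it is not code from the GARP text or the Basel Committee. It assumes collateral values are already post-haircut, that the secured portion of an exposure is the lesser of collateral value and exposure, and all monetary figures are constructed.

```python
"""Revised IRB input floors for a corporate A-IRB exposure (Table 21.3, footnote 4).

Added example, not from the GARP text or the Basel Committee. Assumptions:
collateral values are post-haircut; the secured portion of an exposure is
min(collateral value, exposure); all monetary figures are constructed.
"""
BP = 1e-4   # one basis point

PD_FLOOR_CORPORATE = 5 * BP            # 5 bp
LGD_FLOOR_UNSECURED_CORPORATE = 0.25   # 25%
LGD_FLOOR_SECURED = {                  # by collateral type
    "financial": 0.00,
    "receivables": 0.10,
    "real_estate": 0.10,               # commercial or residential
    "other_physical": 0.15,
}


def lgd_floor(exposure, collateral_value, collateral_type):
    """Footnote 4: fully secured -> secured floor; unsecured -> 25%;
    partially secured -> weighted average over the secured and unsecured portions."""
    if exposure <= 0:
        raise ValueError("exposure must be positive")
    secured_floor = LGD_FLOOR_SECURED[collateral_type]
    secured = min(max(collateral_value, 0.0), exposure)
    unsecured = exposure - secured
    return (LGD_FLOOR_UNSECURED_CORPORATE * unsecured + secured_floor * secured) / exposure


def ead_floor(on_balance, off_balance, ccf_sa):
    """EAD floor = on-balance sheet exposure + 50% x off-balance sheet exposure x standardised CCF."""
    return on_balance + 0.5 * off_balance * ccf_sa


def apply_floors(pd_model, lgd_model, ead_model, exposure, collateral_value,
                 collateral_type, on_balance, off_balance, ccf_sa):
    """Return the floored (PD, LGD, EAD): each parameter is max(model estimate, floor)."""
    pd_floored = max(pd_model, PD_FLOOR_CORPORATE)
    lgd_floored = max(lgd_model, lgd_floor(exposure, collateral_value, collateral_type))
    ead_floored = max(ead_model, ead_floor(on_balance, off_balance, ccf_sa))
    return pd_floored, lgd_floored, ead_floored


if __name__ == "__main__":
    # Constructed: 100 drawn, 50 undrawn with a 40% standardised CCF, 40 of
    # receivables collateral, model estimates PD 2 bp, LGD 10%, EAD 105.
    print(apply_floors(2 * BP, 0.10, 105.0, 100.0, 40.0, "receivables", 100.0, 50.0, 0.4))
```

In the constructed case every model estimate is below its floor, so all three are replaced: PD rises to 5 bp, LGD to the blended 19% (25% on the unsecured 60, 10% on the secured 40), and EAD to 110 (100 on-balance plus half of 50 × 40%).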

Specification of Input Floors

The revised IRB framework also introduces minimum "floor" values for bank-estimated IRB parameters that are used as inputs to the calculation of RWA. These include PD floors for both the F-IRB and A-IRB approaches, and LGD and EAD floors for the A-IRB approach. In some cases, these floors consist of recalibrated values of the existing Basel II floors. In other cases, the floors represent new constraints for banks' IRB models. Table 21.3 summarises the set of input floors in the revised IRB framework.

Additional Enhancements

The Committee agreed on various additional enhancements to the IRB approaches to further reduce unwarranted RWA variability, including providing greater specification of the practices that banks may use to estimate their model parameters. Adjustments were made to the supervisory specified parameters in the F-IRB approach, including: (i) for exposures secured by non-financial collateral, increasing the haircuts that apply to the collateral and reducing the LGD parameters; and (ii) for unsecured exposures, reducing the LGD parameter from 45% to 40% for exposures to non-financial corporates.

Given the enhancements to the IRB framework and the introduction of an aggregate output floor (discussed further below), the Committee has agreed to remove the 1.06 scaling factor that is currently applied to RWAs determined by the IRB approach to credit risk.

CVA RISK FRAMEWORK

The initial phase of Basel III reforms introduced a capital charge for potential mark-to-market losses of derivative instruments as a result of the deterioration in the creditworthiness of a counterparty. This risk - known as CVA risk - was a major source of losses for banks during the global financial crisis, exceeding losses arising from outright defaults in some instances.

The Committee has agreed to revise the CVA framework to:

• enhance its risk sensitivity: the current CVA framework does not cover an important driver of CVA risk, namely the exposure component of CVA. This component is directly related to the price of the transactions that are within the scope of application of the CVA risk capital charge. As these prices are sensitive to variability in underlying market risk factors, the CVA also materially depends on those factors. The revised CVA framework takes into account the exposure component of CVA risk along with its associated hedges;

• strengthen its robustness: CVA is a complex risk, and is often more complex than the majority of the positions in

4 The LGD and EAD floors are only applicable in A-IRB approaches. The EAD floors are for those exposures where EAD modelling is still permitted. The LGD floors for secured exposures apply when the exposure is fully secured (ie the value of collateral after the application of haircuts exceeds the value of the exposure). The LGD floor for a partially secured exposure is calculated as a weighted average of the unsecured LGD floor for the unsecured portion and the secured LGD floor for the secured portion.
banks' trading books. Accordingly, the Committee is of the view that such a risk cannot be modelled by banks in a robust and prudent manner. The revised framework removes the use of an internally modelled approach, and consists of: (i) a standardised approach; and (ii) a basic approach. In addition, a bank with an aggregate notional amount of non-centrally cleared derivatives less than or equal to €100 billion may calculate their CVA capital charge as a simple multiplier of its counterparty credit risk charge.

• improve its consistency: CVA risk is a form of market risk as it is realised through a change in the mark-to-market value of a bank's exposures to its derivative counterparties. As such, the standardised and basic approaches of the revised CVA framework have been designed and calibrated to be consistent with the approaches used in the revised market risk framework. In particular, the standardised CVA approach, like the market risk approaches, is based on fair value sensitivities to market risk factors and the basic approach is benchmarked to the standardised approach.

OPERATIONAL RISK FRAMEWORK

The financial crisis highlighted two main shortcomings with the existing operational risk framework. First, capital requirements for operational risk proved insufficient to cover operational risk losses incurred by some banks. Second, the nature of these losses - covering events such as misconduct, and inadequate systems and controls - highlighted the difficulty associated with using internal models to estimate capital requirements for operational risk.

The Committee has streamlined the operational risk framework. The advanced measurement approaches (AMA) for calculating operational risk capital requirements (which are based on banks' internal models) and the existing three standardised approaches are replaced with a single risk-sensitive standardised approach to be used by all banks.

The new standardised approach for operational risk determines a bank's operational risk capital requirements based on two components: (i) a measure of a bank's income; and (ii) a measure of a bank's historical losses. Conceptually, it assumes: (i) that operational risk increases at an increasing rate with a bank's income; and (ii) banks which have experienced greater operational risk losses historically are assumed to be more likely to experience operational risk losses in the future.

The operational risk capital requirement can be summarised as follows:

Operational risk capital = BIC × ILM

where:

• Business Indicator Component (BIC) = Σ_i (α_i × BI_i)

• BI (Business Indicator) is the sum of three components: the interest, leases and dividends component; the services component and the financial component

• α_i is a set of marginal coefficients that are multiplied by the BI based on three buckets (i = 1, 2, 3 denotes the bucket), as given below:

BI Bucket | BI Range            | Marginal BI Coefficients (α_i)
1         | ≤ €1 bn             | 0.12
2         | €1 bn < BI ≤ €30 bn | 0.15
3         | > €30 bn            | 0.18

• ILM (the Internal Loss Multiplier) is a function of the BIC and the Loss Component (LC), where the latter is equal to 15 times a bank's average historical losses over the preceding 10 years. The ILM increases as the ratio of (LC/BIC) increases, although at a decreasing rate.(5)

At national discretion, supervisors can elect to set ILM equal to one for all banks in their jurisdiction. This means that capital requirements in such cases would be determined solely by the BIC. That is, capital requirements would not be related to a bank's historical operational risk losses. However, to aid comparability, all banks would be required to disclose their historical operational risk losses, even in jurisdictions where the ILM is set to one.

LEVERAGE RATIO FRAMEWORK

Buffer for Global Systemically Important Banks

The leverage ratio complements the risk-weighted capital requirements by providing a safeguard against unsustainable levels of leverage and by mitigating gaming and model risk across both internal models and standardised risk measurement approaches. To maintain the relative incentives provided by both capital constraints, the finalised Basel III reforms introduce a leverage ratio buffer for G-SIBs. Such an approach is consistent with the risk-weighted G-SIB buffer, which seeks to mitigate the externalities created by G-SIBs.

The leverage ratio G-SIB buffer must be met with Tier 1 capital and is set at 50% of a G-SIB's risk-weighted higher-loss absorbency requirements. For example, a G-SIB subject to a 2%

5 Specifically, ILM = ln[exp(1) − 1 + (LC/BIC)^0.8].


risk-weighted higher-loss absorbency requirement would be subject to a 1% leverage ratio buffer requirement.

The leverage ratio buffer takes the form of a capital buffer akin to the capital buffers in the risk-weighted framework. As such, the leverage ratio buffer will be divided into five ranges. As is the case with the risk-weighted framework, capital distribution constraints will be imposed on a G-SIB that does not meet its leverage ratio buffer requirement.

The distribution constraints imposed on a G-SIB will depend on its CET1 risk-weighted ratio and Tier 1 leverage ratio. A G-SIB that meets: (i) its CET1 risk-weighted requirements (defined as a 4.5% minimum requirement, a 2.5% capital conservation buffer and the G-SIB higher loss-absorbency requirement); and (ii) its Tier 1 leverage ratio requirement (defined as a 3% leverage ratio minimum requirement and the G-SIB leverage ratio buffer) will not be subject to distribution constraints. A G-SIB that does not meet one of these requirements will be subject to the associated minimum capital conservation requirement (expressed as a percentage of earnings). A G-SIB that does not meet both requirements will be subject to the higher of the two associated conservation requirements.

As an example, Table 21.4 shows the minimum capital conservation standards for the CET1 risk-weighted requirements and Tier 1 leverage ratio requirements of a G-SIB in the first bucket of the higher loss-absorbency requirements (ie where a 1% risk-weighted G-SIB capital buffer applies).

Table 21.4 Capital Conservation Ratios for a G-SIB Subject to a 1% Risk-Weighted Buffer and 0.5% Leverage Ratio Buffer

CET1 Risk-Weighted Ratio | Tier 1 Leverage Ratio | Minimum Capital Conservation Ratios (Expressed as a Percentage of Earnings)
4.5-5.375%               | 3-3.125%              | 100%
>5.375-6.25%             | >3.125-3.25%          | 80%
>6.25-7.125%             | >3.25-3.375%          | 60%
>7.125-8%                | >3.375-3.50%          | 40%
>8.0%                    | >3.50%                | 0%

Refinements to the Leverage Ratio Exposure Measure

In addition to the introduction of the G-SIB buffer, the Committee has agreed to make various refinements to the definition of the leverage ratio exposure measure. These refinements include modifying the way in which derivatives are reflected in the exposure measure and updating the treatment of off-balance sheet exposures to ensure consistency with their measurement in the standardised approach to credit risk.

The Committee has also agreed that jurisdictions may exercise national discretion in periods of exceptional macroeconomic circumstances to exempt central bank reserves from the leverage ratio exposure measure on a temporary basis. Jurisdictions that exercise this discretion would be required to recalibrate the minimum leverage ratio requirement commensurately to offset the impact of excluding central bank reserves, and require their banks to disclose the impact of this exemption on their leverage ratios.

The Committee continues to monitor the impact of the Basel III leverage ratio's treatment of client-cleared derivative transactions. It will review the impact of the leverage ratio on banks' provision of clearing services and any consequent impact on the resilience of central counterparty clearing.

OUTPUT FLOOR

The Basel II framework introduced an output floor based on Basel I capital requirements. That floor was calibrated at 80% of the relevant Basel I capital requirements. Implementation of the Basel II floor has been inconsistent across countries, partly because of differing interpretations of the requirement and also because it is based on the Basel I standards, which many banks and jurisdictions no longer apply.

The Basel III reforms replace the existing Basel II floor with a floor based on the revised Basel III standardised approaches. Consistent with the original floor, the revised floor places a limit on the regulatory capital benefits that a bank using internal models can derive relative to the standardised approaches. In effect, the output floor provides a risk-based backstop that limits the extent to which banks can lower their capital requirements relative to the standardised approaches. This helps to maintain a level playing field between banks using internal models and those on the standardised approaches. It also supports the credibility of banks' risk-weighted calculations, and improves comparability via the related disclosures.

Under the revised output floor, banks' risk-weighted assets must be calculated as the higher of: (i) total risk-weighted assets calculated using the approaches that the bank has supervisory approval to use in accordance with the Basel capital framework (including both standardised and internal model-based approaches); and (ii) 72.5% of the total risk-weighted assets calculated using only the standardised approaches.

The standardised approaches to be used when calculating the output floor are as follows:

• Credit risk: the standardised approach for credit risk outlined above. When calculating the degree of credit risk mitigation, banks must use the carrying value when applying the simple approach or the comprehensive approach with standard supervisory haircuts. This also includes failed trades and non-delivery-versus-payment transactions as set out in Annex 3 of the Basel II framework (June 2006).

• Counterparty credit risk: to calculate the exposure for derivatives, banks must use the standardised approach for measuring counterparty credit risk (SA-CCR). The exposure amounts must then be multiplied by the relevant borrower risk weight using the standardised approach for credit risk to calculate RWA under the standardised approach for credit risk.

• Credit valuation adjustment risk: the standardised approach for CVA (SA-CVA), the Basic Approach (BA-CVA) or 100% of a bank's counterparty credit risk capital requirement (depending on which approach the bank is eligible for and uses for CVA risk).

• Securitisation framework: the external ratings-based approach (SEC-ERBA), the standardised approach (SEC-SA) or a 1250% risk weight.

• Market risk: the standardised (or simplified standardised) approach of the revised market risk framework. The SEC-ERBA, the SEC-SA or a 1250% risk weight must also be used when determining the default risk charge component for securitisations held in the trading book.

• Operational risk: the standardised approach for operational risk.

Banks will also be required to disclose their risk-weighted assets based on the revised standardised approaches. Details about these disclosure requirements will be set forth in a forthcoming consultation paper.

TRANSITIONAL ARRANGEMENTS

Table 21.5 summarises the implementation dates and transitional arrangements related to the standards described above.

Table 21.5 Implementation Dates of Basel III Post-Crisis Reforms and Transitional Arrangement for Phasing in the Aggregate Output Floor

Revision                                      | Implementation Date
Revised standardised approach for credit risk | 1 January 2022
Revised IRB framework                         | 1 January 2022
Revised CVA framework                         | 1 January 2022
Revised operational risk framework            | 1 January 2022
Revised market risk framework                 | 1 January 2022 (see footnote 6)
Leverage ratio                                | Existing exposure definition (see footnote 7): 1 January 2018; Revised exposure definition: 1 January 2022; G-SIB buffer: 1 January 2022
Output floor                                  | 1 January 2022: 50%; 1 January 2023: 55%; 1 January 2024: 60%; 1 January 2025: 65%; 1 January 2026: 70%; 1 January 2027: 72.5%

In addition, at national discretion, supervisors may cap the increase in a bank's total RWAs that results from the application of the output floor during its phase-in period. The transitional cap on the increase in RWAs will be set at 25% of a bank's RWAs before the application of the floor. Put differently, if the supervisor uses this discretion, the bank's RWAs will effectively be capped at 1.25 times the internally calculated RWAs during that time. The cap would apply for the duration of the phase-in period of the output floor (i.e., the cap would be removed on 1 January 2027).

More generally, a jurisdiction which does not implement some or all of the internal-modelled approaches but instead only implements the standardised approaches is compliant with the Basel framework. More generally, jurisdictions may elect to implement more conservative requirements and/or accelerated transitional arrangements, as the Basel framework constitutes minimum standards only.

6 This will constitute both the implementation and regulatory reporting date for the revised market risk framework published in January 2016.

7 Based on the January 2014 definition of the leverage ratio exposure measure. Jurisdictions are free to apply the revised definition of the exposure measure before 1 January 2022.
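To show how the G-SIB leverage ratio buffer and the distribution constraints described in the leverage ratio section above fit together, here is an added Python example; it is not code from the GARP text or the Basel Committee. It derives the leverage buffer as 50% of the risk-weighted higher loss-absorbency (HLA) requirement, splits each buffer into four equal ranges carrying the 100/80/60/40% conservation ratios (the fifth range, above the full buffer, carries 0%), and takes the higher of the two ratios when both requirements are missed. The equal-quartile split is this example's assumption; it reproduces Table 21.4 for the 1% HLA bucket.

```python
"""G-SIB leverage ratio buffer and capital conservation ranges (Table 21.4 logic).

Added example, not from the GARP text or the Basel Committee. Assumption: each
buffer is split into four equal ranges above the minimum with conservation
ratios 100%, 80%, 60%, 40%; above the full buffer the ratio is 0%.
"""
CET1_MINIMUM = 0.045
CAPITAL_CONSERVATION_BUFFER = 0.025
TIER1_LEVERAGE_MINIMUM = 0.03
CONSERVATION_RATIOS = (1.00, 0.80, 0.60, 0.40)


def leverage_ratio_buffer(hla):
    """Leverage ratio G-SIB buffer = 50% of the risk-weighted higher loss-absorbency requirement."""
    return 0.5 * hla


def conservation_ranges(minimum, buffer):
    """Four ranges (low, high, ratio) spanning the buffer above the minimum."""
    step = buffer / 4
    ranges = []
    for i, ratio in enumerate(CONSERVATION_RATIOS):
        ranges.append((minimum + i * step, minimum + (i + 1) * step, ratio))
    return ranges


def conservation_ratio(capital_ratio, minimum, buffer):
    """Share of earnings to be conserved; 0 once the ratio exceeds minimum + buffer."""
    if capital_ratio < minimum:
        return 1.0   # breach of the minimum itself: full constraint
    for _low, high, ratio in conservation_ranges(minimum, buffer):
        if capital_ratio <= high:
            return ratio
    return 0.0


def gsib_distribution_constraint(cet1_ratio, tier1_leverage_ratio, hla):
    """Higher of the risk-weighted and leverage-ratio conservation requirements."""
    rw_ratio = conservation_ratio(cet1_ratio, CET1_MINIMUM, CAPITAL_CONSERVATION_BUFFER + hla)
    lr_ratio = conservation_ratio(tier1_leverage_ratio, TIER1_LEVERAGE_MINIMUM,
                                  leverage_ratio_buffer(hla))
    return max(rw_ratio, lr_ratio)


if __name__ == "__main__":
    # Constructed: a bucket-1 G-SIB (1% HLA) with CET1 7.0% and Tier 1 leverage 3.4%.
    print(conservation_ranges(CET1_MINIMUM, CAPITAL_CONSERVATION_BUFFER + 0.01))
    print(gsib_distribution_constraint(0.07, 0.034, 0.01))
```

For the constructed bank the CET1 ratio of 7.0% falls in the 60% range and the leverage ratio of 3.4% in the 40% range, so the binding constraint is the higher one: 60% of earnings must be conserved.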
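The output floor rule, its phase-in under Table 21.5 and the optional transitional cap described in the two sections above, as an added Python example; it is not code from the GARP text or the Basel Committee, and the RWA figures passed to it are constructed.

```python
"""Output floor on risk-weighted assets with phase-in and transitional cap.

Added example, not from the GARP text or the Basel Committee. Dates and floor
levels are those of Table 21.5; RWA figures passed in are constructed.
"""
from datetime import date

OUTPUT_FLOOR_PHASE_IN = [          # floor level in force from each date
    (date(2022, 1, 1), 0.50),
    (date(2023, 1, 1), 0.55),
    (date(2024, 1, 1), 0.60),
    (date(2025, 1, 1), 0.65),
    (date(2026, 1, 1), 0.70),
    (date(2027, 1, 1), 0.725),     # fully phased in
]
FULLY_PHASED_IN = date(2027, 1, 1)
TRANSITIONAL_CAP = 1.25            # national discretion: RWA <= 1.25 x RWA before the floor


def floor_level(on):
    """Floor percentage applying on a date; None before 1 January 2022."""
    level = None
    for start, pct in OUTPUT_FLOOR_PHASE_IN:
        if on >= start:
            level = pct
    return level


def floored_rwa(rwa_approved_approaches, rwa_standardised, on, supervisor_applies_cap=False):
    """RWA = max(RWA from approved approaches, floor% x standardised-only RWA).

    During the phase-in period a supervisor may cap the result at 1.25 x the
    RWA before the floor; the cap falls away on 1 January 2027.
    """
    pct = floor_level(on)
    if pct is None:
        return rwa_approved_approaches
    rwa = max(rwa_approved_approaches, pct * rwa_standardised)
    if supervisor_applies_cap and on < FULLY_PHASED_IN:
        rwa = min(rwa, TRANSITIONAL_CAP * rwa_approved_approaches)
    return rwa


def floor_binding(rwa_approved_approaches, rwa_standardised, on):
    """True when the floor, not the bank's own approaches, sets the RWA."""
    pct = floor_level(on)
    return pct is not None and pct * rwa_standardised > rwa_approved_approaches


if __name__ == "__main__":
    # Constructed: internal-model RWA of 100 against 200 under the standardised approaches.
    for year in (2022, 2024, 2026, 2027):
        print(year, floored_rwa(100.0, 200.0, date(year, 1, 1)),
              floored_rwa(100.0, 200.0, date(year, 1, 1), supervisor_applies_cap=True))
```

With the constructed figures the floor does not bind in 2022 (50% of 200 equals the bank's own 100), lifts RWA to 140 in 2026, which a supervisor applying the cap would hold at 125, and reaches 145 in 2027 once the cap is gone.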

336 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
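The standardised approach for operational risk summarised in this chapter's operational risk section, and set out step by step in Chapter 22 (BI components, marginal coefficients, Loss Component, ILM, ORC), as an added Python example; it is not code from the GARP text or the Basel Committee. It averages each BI term over three years with absolute values taken year by year, as Chapter 22's footnote 3 requires, treats the ILM as 1 for bucket-1 banks, for banks with fewer than five years of loss data and where the supervisor sets it to one, and converts ORC to RWA at 12.5 times (Chapter 22, footnote 5). All financial figures are constructed, in € billions.

```python
"""Standardised approach for operational risk capital: BI -> BIC -> ILM -> ORC -> RWA.

Added example, not from the GARP text or the Basel Committee. Each BI term is a
three-year average with abs() applied year by year first (Chapter 22, footnote 3).
Figures passed in are constructed, in EUR billions.
"""
import math

BI_BUCKETS = [(1.0, 0.12), (30.0, 0.15), (math.inf, 0.18)]   # (upper bound, marginal coefficient)
LC_MULTIPLIER = 15                                             # LC = 15 x average annual losses
ILM_EXPONENT = 0.8
RWA_MULTIPLIER = 12.5                                          # RWA = 12.5 x ORC


def avg3(values):
    """Average of the three annual figures t, t-1, t-2."""
    if len(values) != 3:
        raise ValueError("three annual figures required")
    return sum(values) / 3.0


def ildc(interest_income, interest_expense, interest_earning_assets, dividend_income):
    """Interest, leases and dividend component."""
    net_interest = avg3([abs(i - e) for i, e in zip(interest_income, interest_expense)])
    cap = 0.0225 * avg3(interest_earning_assets)
    return min(net_interest, cap) + avg3(dividend_income)


def sc(other_op_income, other_op_expense, fee_income, fee_expense):
    """Services component."""
    return (max(avg3(other_op_income), avg3(other_op_expense))
            + max(avg3(fee_income), avg3(fee_expense)))


def fc(net_pl_trading_book, net_pl_banking_book):
    """Financial component."""
    return avg3([abs(x) for x in net_pl_trading_book]) + avg3([abs(x) for x in net_pl_banking_book])


def business_indicator_component(bi):
    """BIC = sum over buckets of (marginal coefficient x slice of BI falling in that bucket)."""
    bic, lower = 0.0, 0.0
    for upper, coeff in BI_BUCKETS:
        bic += coeff * max(0.0, min(bi, upper) - lower)
        lower = upper
    return bic


def internal_loss_multiplier(lc, bic):
    """ILM = ln(exp(1) - 1 + (LC/BIC)^0.8); equals 1 when LC == BIC."""
    return math.log(math.exp(1) - 1 + (lc / bic) ** ILM_EXPONENT)


def operational_risk_capital(bi, annual_losses=(), ilm_set_to_one=False):
    """Return a dict with BIC, ILM, ORC and RWA.

    ILM is 1 for bucket-1 banks, for banks lacking five years of loss data and
    where national discretion sets ILM = 1 (Chapter 22, sections 22.2 to 22.4).
    """
    bic = business_indicator_component(bi)
    if ilm_set_to_one or bi <= BI_BUCKETS[0][0] or len(annual_losses) < 5:
        ilm = 1.0
    else:
        lc = LC_MULTIPLIER * sum(annual_losses) / len(annual_losses)
        ilm = internal_loss_multiplier(lc, bic)
    orc = bic * ilm
    return {"BIC": bic, "ILM": ilm, "ORC": orc, "RWA": RWA_MULTIPLIER * orc}


if __name__ == "__main__":
    # Chapter 22's own figure: BI = EUR 35 bn gives BIC = 5.37 bn. The loss
    # history below (ten constructed years averaging 0.5 bn) gives LC = 7.5 bn.
    print(operational_risk_capital(35.0, annual_losses=[0.4, 0.6] * 5))
```

Running it shows why the ILM matters: the same BIC of 5.37 produces ORC above 5.37 when historical losses average 0.5 (LC 7.5 > BIC) and below it when they average 0.1, while a bucket-1 bank or one without five years of data simply holds the BIC.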
Chapter 22 Basel III: Finalising Post-Crisis Reforms

Learning Objectives

After completing this reading you should be able to:

• Explain the elements of the new standardized approach to measure operational risk capital, including the business indicator, internal loss multiplier, and loss component, and calculate the operational risk capital requirement for a bank using this approach.

• Compare the SMA to earlier methods of calculating operational risk capital, including the Advanced Measurement Approaches (AMA).

• Describe general and specific criteria recommended by the Basel Committee for the identification, collection, and treatment of operational loss data.

Basel Committee on Banking Supervision Publication, December 2017.


22.1 INTRODUCTION

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk,(1) but excludes strategic and reputational risk.

The standardised approach for measuring minimum operational risk capital requirements replaces all existing approaches in the Basel II framework.(2) That is, this standard replaces paragraphs 644 to 683 of the Basel II framework.

Consistent with Part I (Scope of Application) of the Basel II Framework, the standardised approach applies to internationally active banks on a consolidated basis. Supervisors retain the discretion to apply the standardised approach framework to non-internationally active banks.

22.2 THE STANDARDISED APPROACH

The standardised approach methodology is based on the following components: (i) the Business Indicator (BI) which is a financial-statement-based proxy for operational risk; (ii) the Business Indicator Component (BIC), which is calculated by multiplying the BI by a set of regulatory determined marginal coefficients (α_i); and (iii) the Internal Loss Multiplier (ILM), which is a scaling factor that is based on a bank's average historical losses and the BIC.

The Business Indicator

The Business Indicator (BI) comprises three components: the interest, leases and dividend component (ILDC); the services component (SC), and the financial component (FC).

The BI is defined as:

BI = ILDC + SC + FC

In the formulas below, a bar above a term in the original indicates that it is calculated as the average over three years: t, t−1 and t−2. Written out with avg(·) standing for that three-year average:(3)

ILDC = Min[avg(Abs(Interest Income − Interest Expense)); 2.25% × avg(Interest Earning Assets)] + avg(Dividend Income)

SC = Max[avg(Other Operating Income); avg(Other Operating Expense)] + Max[avg(Fee Income); avg(Fee Expense)]

FC = avg(Abs(Net P&L Trading Book)) + avg(Abs(Net P&L Banking Book))

The definitions for each of the components of the BI are provided in the annex of this section.

The Business Indicator Component

To calculate the BIC, the BI is multiplied by the marginal coefficients (α_i). The marginal coefficients increase with the size of the BI as shown in Table 22.1. For banks in the first bucket (ie with a BI less than or equal to €1 bn) the BIC is equal to BI × 12%. The marginal increase in the BIC resulting from a one unit increase in the BI is 12% in bucket 1, 15% in bucket 2 and 18% in bucket 3. For example, given a BI = €35 bn, the BIC = (1 × 12%) + (30 − 1) × 15% + (35 − 30) × 18% = €5.37 bn.

The Internal Loss Multiplier

A bank's internal operational risk loss experience affects the calculation of operational risk capital through the Internal Loss Multiplier (ILM). The ILM is defined as:

ILM = Ln[exp(1) − 1 + (LC/BIC)^0.8]

where the Loss Component (LC) is equal to 15 times average annual operational risk losses incurred over the previous 10 years. The ILM is equal to one when the loss and business indicator components are equal. When the LC is greater than the BIC, the ILM is greater than one. That is, a bank with losses that are high relative to its BIC is required to hold higher capital due to the incorporation of internal losses into the calculation methodology. Conversely, where the LC is

1 Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.

2 Basel Committee on Banking Supervision, Basel II: International Convergence of Capital Measurement and Capital Standards: A Revised Framework - Comprehensive Version, June 2006, www.bis.org/publ/bcbs128.htm.

3 The absolute value of net items (eg, interest income - interest expense) should be calculated first year by year. Only after this year by year calculation should the average of the three years be calculated.

lower than the BIC, the ILM is less than one. That is, a bank with losses that are low relative to its BIC is required to hold lower capital due to the incorporation of internal losses into the calculation methodology.

Table 22.1 BI Ranges and Marginal Coefficients

Bucket | BI Range (in €bn) | BI Marginal Coefficients (α_i)
1      | ≤ 1               | 12%
2      | 1 < BI ≤ 30       | 15%
3      | > 30              | 18%

The calculation of average losses in the Loss Component must be based on 10 years of high-quality annual loss data. As part of the transition to the standardised approach, banks that do not have 10 years of high-quality loss data may use a minimum of five years of data to calculate the Loss Component.(4) Banks that do not have five years of high-quality loss data must calculate the capital requirement based solely on the BI Component. Supervisors may however require a bank to calculate capital requirements using fewer than five years of losses if the ILM is greater than 1 and supervisors believe the losses are representative of the bank's operational risk exposure.

The Standardised Approach Operational Risk Capital Requirement

The operational risk capital requirement is determined by the product of the BIC and the ILM. For banks in bucket 1 (ie with BI ≤ €1 billion), internal loss data does not affect the capital calculation. That is, the ILM is equal to 1, so that operational risk capital is equal to the BIC (= 12% × BI).

At national discretion, supervisors may allow the inclusion of internal loss data into the framework for banks in bucket 1, subject to meeting the loss data collection requirements. In addition, at national discretion, supervisors may set the value of ILM equal to 1 for all banks in their jurisdiction. In case this discretion is exercised, banks would still be subject to the full set of disclosure requirements.

Minimum operational risk capital (ORC) is calculated by multiplying the BIC and the ILM:(5)

ORC = BIC × ILM

22.3 APPLICATION OF THE STANDARDISED APPROACH WITHIN A GROUP

At the consolidated level, the standardised approach calculations use fully consolidated BI figures, which net all the intragroup income and expenses. The calculations at a sub-consolidated level use BI figures for the banks consolidated at that particular sub-level. The calculations at the subsidiary level use the BI figures from the subsidiary.

Similar to bank holding companies, when BI figures for sub-consolidated or subsidiary banks reach bucket 2, these banks are required to use loss experience in the standardised approach calculations. A sub-consolidated bank or a subsidiary bank uses only the losses it has incurred in the standardised approach calculations (and does not include losses incurred by other parts of the bank holding company).

In case a subsidiary of a bank belonging to bucket 2 or higher does not meet the qualitative standards for the use of the Loss Component, this subsidiary must calculate the standardised approach capital requirements by applying 100% of the BI Component. In such cases supervisors may require the bank to apply an ILM which is greater than 1.

22.4 MINIMUM STANDARDS FOR THE USE OF LOSS DATA UNDER THE STANDARDISED APPROACH

Banks with a BI greater than €1 bn are required to use loss data as a direct input into the operational risk capital calculations. The soundness of data collection and the quality and integrity of the data are crucial to generating capital outcomes aligned with the bank's operational loss exposure. National supervisors should review the quality of banks' loss data periodically. Banks which do not meet the loss data standards are required to hold capital that is at a minimum equal to 100% of the BIC. In such cases supervisors may require the bank to apply an ILM

4 This treatment is not expected to apply to banks that currently use the advanced measurement approaches for determining operational risk capital requirements.

5 Risk-weighted assets for operational risk are equal to 12.5 times ORC.

Chapter 22 Basel III: Finalising Post-Crisis Reforms ■ 339


which is greater than 1. The exclusion of internal loss data due to non-compliance with the loss data standards, and the application of any resulting multipliers, must be publicly disclosed.

22.5 GENERAL CRITERIA ON LOSS DATA IDENTIFICATION, COLLECTION AND TREATMENT

The proper identification, collection and treatment of internal loss data are essential prerequisites to capital calculation under the standardised approach. The general criteria for the use of the LC are as follows:

a. Internally generated loss data calculations used for regulatory capital purposes must be based on a 10-year observation period. When the bank first moves to the standardised approach, a five-year observation period is acceptable on an exceptional basis when good-quality data are unavailable for more than five years.

b. Internal loss data are most relevant when clearly linked to a bank's current business activities, technological processes and risk management procedures. Therefore, a bank must have documented procedures and processes for the identification, collection and treatment of internal loss data. Such procedures and processes must be subject to validation before the use of the loss data within the operational risk capital requirement measurement methodology, and to regular independent reviews by internal and/or external audit functions.

c. For risk management purposes, and to assist in supervisory validation and/or review, a supervisor may request a bank to map its historical internal loss data into the relevant Level I supervisory categories as defined in Annex 9 of the Basel II Framework and to provide this data to supervisors. The bank must document criteria for allocating losses to the specified event types.

d. A bank's internal loss data must be comprehensive and capture all material activities and exposures from all appropriate subsystems and geographic locations. The minimum threshold for including a loss event in the data collection and calculation of average annual losses is set at €20,000. At national discretion, for the purpose of the calculation of average annual losses, supervisors may increase the threshold to €100,000 for banks in buckets 2 and 3 (ie where the BI is greater than €1 bn).

e. Aside from information on gross loss amounts, the bank must collect information about the reference dates of operational risk events, including the date when the event happened or first began ("date of occurrence"), where available; the date on which the bank became aware of the event ("date of discovery"); and the date (or dates) when a loss event results in a loss, reserve or provision against a loss being recognised in the bank's profit and loss (P&L) accounts ("date of accounting"). In addition, the bank must collect information on recoveries of gross loss amounts as well as descriptive information about the drivers or causes of the loss event.6 The level of detail of any descriptive information should be commensurate with the size of the gross loss amount.

f. Operational loss events related to credit risk and that are accounted for in credit risk RWAs should not be included in the loss data set. Operational loss events that relate to credit risk, but are not accounted for in credit risk RWAs, should be included in the loss data set.

g. Operational risk losses related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital under this framework and will therefore be subject to the standardised approach for operational risk.

h. Banks must have processes to independently review the comprehensiveness and accuracy of loss data.

22.6 SPECIFIC CRITERIA ON LOSS DATA IDENTIFICATION, COLLECTION AND TREATMENT

Building of the Standardised Approach Loss Data Set

Building an acceptable loss data set from the available internal data requires that the bank develop policies and procedures to address several features, including gross loss definition, reference date and grouped losses.

Gross Loss, Net Loss, and Recovery Definitions

Gross loss is a loss before recoveries of any type. Net loss is defined as the loss after taking into account the impact of recoveries. The recovery is an independent occurrence, related to the original loss event, separate in time, in which funds or inflows of economic benefits are received from a third party.7

6 Tax effects (eg reductions in corporate income tax liability due to operational losses) are not recoveries for purposes of the standardised approach for operational risk.

7 Examples of recoveries are payments received from insurers, repayments received from perpetrators of fraud, and recoveries of misdirected transfers.

340 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Banks must be able to identify the gross loss amounts, non-insurance recoveries, and insurance recoveries for all operational loss events. Banks should use losses net of recoveries (including insurance recoveries) in the loss dataset. However, recoveries can be used to reduce losses only after the bank receives payment. Receivables do not count as recoveries. Verification of payments received to net losses must be provided to supervisors upon request.

The following items must be included in the gross loss computation of the loss data set:

a. Direct charges, including impairments and settlements, to the bank's P&L accounts and write-downs due to the operational risk event;

b. Costs incurred as a consequence of the event including external expenses with a direct link to the operational risk event (eg legal expenses directly related to the event and fees paid to advisors, attorneys or suppliers) and costs of repair or replacement, incurred to restore the position that was prevailing before the operational risk event;

c. Provisions or reserves accounted for in the P&L against the potential operational loss impact;

d. Losses stemming from operational risk events with a definitive financial impact, which are temporarily booked in transitory and/or suspense accounts and are not yet reflected in the P&L ("pending losses").8 Material pending losses should be included in the loss data set within a time period commensurate with the size and age of the pending item; and

e. Negative economic impacts booked in a financial accounting period, due to operational risk events impacting the cash flows or financial statements of previous financial accounting periods ("timing losses").9 Material "timing losses" should be included in the loss data set when they are due to operational risk events that span more than one financial accounting period and give rise to legal risk.

The following items should be excluded from the gross loss computation of the loss data set:

a. Costs of general maintenance contracts on property, plant or equipment;

b. Internal or external expenditures to enhance the business after the operational risk losses: upgrades, improvements, risk assessment initiatives and enhancements; and

c. Insurance premiums.

Banks must use the date of accounting for building the loss data set. The bank must use a date no later than the date of accounting for including losses related to legal events in the loss data set. For legal loss events, the date of accounting is the date when a legal reserve is established for the probable estimated loss in the P&L.

Losses caused by a common operational risk event or by related operational risk events over time, but posted to the accounts over several years, should be allocated to the corresponding years of the loss database, in line with their accounting treatment.

22.7 EXCLUSION OF LOSSES FROM THE LOSS COMPONENT

Banking organisations may request supervisory approval to exclude certain operational loss events that are no longer relevant to the banking organisation's risk profile. The exclusion of internal loss events should be rare and supported by strong justification. In evaluating the relevance of operational loss events to the bank's risk profile, supervisors will consider whether the cause of the loss event could occur in other areas of the bank's operations. Taking settled legal exposures and divested businesses as examples, supervisors expect the organisation's analysis to demonstrate that there is no similar or residual legal exposure and that the excluded loss experience has no relevance to other continuing activities or products.

The total loss amount and number of exclusions must be disclosed under Pillar 3 with appropriate narratives, including total loss amount and number of exclusions.

A request for loss exclusions is subject to a materiality threshold to be set by the supervisor (for example, the excluded loss event should be greater than 5% of the bank's average losses). In addition, losses can only be excluded after being included in a bank's operational risk loss database for a minimum period (for example, three years), to be specified by the supervisor. Losses related to divested activities will not be subject to a minimum operational risk loss database retention period.

8 For instance, in some countries, the impact of some events (e.g., legal events, damage to physical assets) may be known and clearly identifiable before these events are recognised through the establishment of a reserve. Moreover, the way this reserve is established (e.g., the date of discovery) can vary across banks or countries.

9 Timing impacts typically relate to the occurrence of operational risk events that result in the temporary distortion of an institution's financial accounts (e.g., revenue overstatement, accounting errors and mark-to-market errors). While these events do not represent a true financial impact on the institution (net impact over time is zero), if the error continues across more than one financial accounting period, it may represent a material misrepresentation of the institution's financial statements.
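The loss-data rules of sections 22.4 to 22.7 (net of paid recoveries only, €20,000 threshold, allocation by date of accounting, the 5% / three-year exclusion tests) and the capital formula ORC = BIC × ILM, worked through in Python on a constructed loss register. This is an added example, not code from the Basel text or the book; the 15% and 18% coefficients for buckets 2 and 3 and the ILM formula are taken from the Basel III standardised approach rather than this excerpt, and testing the threshold on the net loss is this example's own assumption.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Recovery:
    amount: float
    received: bool          # only cash actually received nets a loss; receivables do not


@dataclass
class LossEvent:
    event_id: str
    gross_loss: float       # gross loss before recoveries of any type
    accounting_year: int    # the date of accounting drives allocation to a year
    recoveries: list = field(default_factory=list)
    divested: bool = False  # losses of divested activities have no retention minimum


MIN_THRESHOLD_EUR = 20_000.0   # minimum inclusion threshold (€100,000 at national
                               # discretion for buckets 2 and 3)
BUCKET_1_LIMIT = 1e9           # bucket 1 is BI < €1 billion


def net_loss(event):
    """Net loss = gross loss minus recoveries actually received."""
    paid = sum(r.amount for r in event.recoveries if r.received)
    return event.gross_loss - paid


def build_loss_data_set(events, first_year, last_year, threshold=MIN_THRESHOLD_EUR):
    """Allocate qualifying events to the years of the observation window by date of
    accounting. Assumption of this example: the threshold is tested on the net loss."""
    per_year = {year: 0.0 for year in range(first_year, last_year + 1)}
    for event in events:
        loss = net_loss(event)
        if event.accounting_year in per_year and loss >= threshold:
            per_year[event.accounting_year] += loss
    return per_year


def average_annual_loss(per_year):
    return sum(per_year.values()) / len(per_year)


def exclusion_permitted(event, avg_loss, current_year, min_years=3, materiality=0.05):
    """The two supervisory tests for excluding a loss: materiality (example value 5% of
    average annual losses) and minimum time in the database (example three years),
    the latter waived for divested activities."""
    material = net_loss(event) > materiality * avg_loss
    retained = event.divested or (current_year - event.accounting_year) >= min_years
    return material and retained


def business_indicator_component(bi):
    """BIC = 12% of BI up to €1bn, then 15% up to €30bn and 18% above. The two higher
    marginal coefficients come from the Basel III standardised approach, not this excerpt."""
    return (0.12 * min(bi, 1e9)
            + 0.15 * max(min(bi, 30e9) - 1e9, 0.0)
            + 0.18 * max(bi - 30e9, 0.0))


def internal_loss_multiplier(avg_loss, bic):
    """ILM = ln(e - 1 + (LC / BIC)^0.8) with LC = 15 x average annual loss, as in the
    Basel III standardised approach (formula not reproduced in this excerpt)."""
    loss_component = 15.0 * avg_loss
    return math.log(math.e - 1.0 + (loss_component / bic) ** 0.8)


def operational_risk_capital(bi, avg_loss, ilm_fixed_at_one=False, meets_loss_standards=True):
    """ORC = BIC x ILM; RWA = 12.5 x ORC (footnote 5)."""
    bic = business_indicator_component(bi)
    if bi < BUCKET_1_LIMIT or ilm_fixed_at_one:
        ilm = 1.0                      # bucket 1, or national discretion: ILM = 1
    else:
        ilm = internal_loss_multiplier(avg_loss, bic)
        if not meets_loss_standards:
            ilm = max(ilm, 1.0)        # capital at a minimum equal to 100% of BIC
    orc = bic * ilm
    return {"BIC": bic, "ILM": ilm, "ORC": orc, "RWA": 12.5 * orc}


# Constructed sample loss register (not from the book); window 2011-2020, current year 2020.
SAMPLE_EVENTS = [
    LossEvent("E1", 1_000_000, 2015, [Recovery(200_000, True)]),   # insurer has paid
    LossEvent("E2", 50_000, 2018, [Recovery(40_000, False)]),      # receivable only
    LossEvent("E3", 15_000, 2019),                                 # below threshold
    LossEvent("E4", 30_000, 2020, [Recovery(15_000, True)]),       # net below threshold
    LossEvent("E5", 3_000_000, 2012),                              # legal settlement
    LossEvent("E6", 500_000, 2009),                                # outside the window
]


def sample_result(bi=5e9):
    """Average annual loss and capital for a constructed bucket-2 bank (BI = €5bn)."""
    per_year = build_loss_data_set(SAMPLE_EVENTS, 2011, 2020)
    avg = average_annual_loss(per_year)
    return avg, operational_risk_capital(bi, avg)


if __name__ == "__main__":
    avg, capital = sample_result()
    print(f"average annual loss: {avg:,.0f}")
    for key, value in capital.items():
        print(f"{key}: {value:,.4f}" if key == "ILM" else f"{key}: {value:,.0f}")
```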



22.8 EXCLUSIONS OF DIVESTED ACTIVITIES FROM THE BUSINESS INDICATOR

Banking organisations may request supervisory approval to exclude divested activities from the calculation of the BI. Such exclusions must be disclosed under Pillar 3.

22.9 INCLUSION OF LOSSES AND BI ITEMS RELATED TO MERGERS AND ACQUISITIONS

Losses and the measurement of the BI must include losses and BI items that result from acquisitions of relevant business and mergers.

22.10 DISCLOSURE

All banks with a BI greater than €1bn, or which use internal loss data in the calculation of operational risk capital, are required to disclose their annual loss data for each of the ten years in the ILM calculation window. This includes banks in jurisdictions that have opted to set ILM equal to one. Loss data is required to be reported on both a gross basis and after recoveries and loss exclusions. All banks are required to disclose each of the BI sub-items for each of the three years of the BI component calculation window.10

10 The Committee will undertake a separate public consultation on the operational risk disclosure templates.

22.11 ANNEX: DEFINITION OF BUSINESS INDICATOR COMPONENTS

The following P&L items do not contribute to any of the items of the BI:

• Income and expenses from insurance or reinsurance businesses
• Premiums paid and reimbursements/payments received from insurance or reinsurance policies purchased
• Administrative expenses, including staff expenses, outsourcing fees paid for the supply of non-financial services (e.g., logistical, IT, human resources), and other administrative expenses (e.g., IT, utilities, telephone, travel, office supplies, postage).
• Recovery of administrative expenses including recovery of payments on behalf of customers (e.g., taxes debited to customers)
• Expenses of premises and fixed assets (except when these expenses result from operational loss events)
• Depreciation/amortisation of tangible and intangible assets (except depreciation related to operating lease assets, which should be included in financial and operating lease expenses)
• Provisions/reversal of provisions (e.g., on pensions, commitments and guarantees given) except for provisions related to operational loss events
• Expenses due to share capital repayable on demand
• Impairment/reversal of impairment (e.g., on financial assets, non-financial assets, investments in subsidiaries, joint ventures and associates)
• Changes in goodwill recognised in profit or loss
• Corporate income tax (tax based on profits including current tax and deferred).

Business Indicator Definitions

Interest, lease and dividend component

Interest income (P&L item). Description: Interest income from all financial assets and other interest income (includes interest income from financial and operating leases and profits from leased assets). Typical sub-items:
• Interest income from loans and advances, assets available for sale, assets held to maturity, trading assets, financial leases and operational leases
• Interest income from hedge accounting derivatives
• Other interest income
• Profits from leased assets

Interest expenses (P&L item). Description: Interest expenses from all financial liabilities and other interest expenses (includes interest expense from financial and operating leases, losses, depreciation and impairment of operating leased assets). Typical sub-items:
• Interest expenses from deposits, debt securities issued, financial leases, and operating leases
• Interest expenses from hedge accounting derivatives
• Other interest expenses
• Losses from leased assets
• Depreciation and impairment of operating leased assets

Interest earning assets (balance sheet item). Description: Total gross outstanding loans, advances, interest bearing securities (including government bonds), and lease assets measured at the end of each financial year.

Dividend income (P&L item). Description: Dividend income from investments in stocks and funds not consolidated in the bank's financial statements, including dividend income from non-consolidated subsidiaries, associates and joint ventures.

Services component

Fee and commission income (P&L item). Description: Income received from providing advice and services. Includes income received by the bank as an outsourcer of financial services. Typical sub-items, fee and commission income from:
• Securities (issuance, origination, reception, transmission, execution of orders on behalf of customers)
• Clearing and settlement; Asset management; Custody; Fiduciary transactions; Payment services; Structured finance; Servicing of securitisations; Loan commitments and guarantees given; and Foreign transactions

Fee and commission expenses (P&L item). Description: Expenses paid for receiving advice and services. Includes outsourcing fees paid by the bank for the supply of financial services, but not outsourcing fees paid for the supply of non-financial services (eg logistical, IT, human resources). Typical sub-items, fee and commission expenses from:
• Clearing and settlement; Custody; Servicing of securitisations; Loan commitments and guarantees received; and Foreign transactions

Other operating income (P&L item). Description: Income from ordinary banking operations not included in other BI items but of similar nature (income from operating leases should be excluded). Typical sub-items:
• Rental income from investment properties
• Gains from non-current assets and disposal groups classified as held for sale not qualifying as discontinued operations (IFRS 5.37)

Other operating expenses (P&L item). Description: Expenses and losses from ordinary banking operations not included in other BI items but of similar nature and from operational loss events (expenses from operating leases should be excluded). Typical sub-items:
• Losses from non-current assets and disposal groups classified as held for sale not qualifying as discontinued operations (IFRS 5.37)
• Losses incurred as a consequence of operational loss events (eg fines, penalties, settlements, replacement cost of damaged assets), which have not been provisioned/reserved for in previous years
• Expenses related to establishing provisions/reserves for operational loss events

Financial component

Net profit (loss) on the trading book (P&L item). Typical sub-items:
• Net profit/loss on trading assets and trading liabilities (derivatives, debt securities, equity securities, loans and advances, short positions, other assets and liabilities)
• Net profit/loss from hedge accounting
• Net profit/loss from exchange differences

Net profit (loss) on the banking book (P&L item). Typical sub-items:
• Net profit/loss on financial assets and liabilities measured at fair value through profit and loss
• Realised gains/losses on financial assets and liabilities not measured at fair value through profit and loss (loans and advances, assets available for sale, assets held to maturity, financial liabilities measured at amortised cost)
• Net profit/loss from hedge accounting
• Net profit/loss from exchange differences
Learning Objectives

After completing this reading you should be able to:

• Describe elements of an effective cyber-resilience framework and explain ways that an organization can become more cyber-resilient.

• Explain resilient security approaches that can be used to increase a firm's cyber resilience, and describe challenges to their implementation.

• Explain methods that can be used to assess the financial impact of a potential cyber attack and explain ways to increase a firm's financial resilience.

Excerpt is Chapter 8 from Solving Cyber Risk: Protecting Your Company and Society, by Andrew Coburn, Eireann Leverett, and Gordon Woo.
23.1 CHANGING APPROACHES TO RISK MANAGEMENT

Identify, Protect, Detect, Respond, Recover

The cyber risk management framework proposed by the National Institute of Standards and Technology (NIST) consists of five functions:1

1. Identify. Develop an organizational understanding to manage cyber security risk to systems, people, assets, data, and capabilities.

2. Protect. Develop and implement appropriate safeguards to ensure delivery of critical services.

3. Detect. Develop and implement appropriate activities to identify the occurrence of a cyber security event.

4. Respond. Develop and implement appropriate activities to take action regarding a detected cyber security incident.

5. Recover. Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident.

Cyber security in an organization typically places emphasis on maintaining a secure perimeter, with an emphasis on technology tools for monitoring internal traffic and external communications, and with minimal tolerance of external penetration, malware, or unauthorized software. Cyber security tools include antivirus software, firewalls, network traffic deep-packet inspection, data management systems, email security systems, server gateways, web application firewalls, and many others.

Cyber security system design is a complex and skillful process, matching the specific operations and needs of an organization with the threats it faces, the tools available, and the budget allocated. The values of individual components of security are hard to evaluate independently, because security depends on the weakest link in the chain - if one component is weaker than others, then that is the one that will be exploited by attackers.

Companies spend on average around 3% of their information technology (IT) capital expenditure budget on cyber security.2 Cyber security expenditure has grown rapidly, generating a $120 billion industry today. Projections expect the industry to continue to grow rapidly to reach hundreds of billions annually worldwide in a few years.

However, the type of expenditure for typical cyber security budgets is shifting. Traditional purchasing of hardware IT security components, such as servers, networking gear, data centers, and physical infrastructure, is being augmented by broader security solutions, such as personnel training, non-computer platforms, and internet of things (IoT) security.3

Key trends include increasing emphasis on incident response, shifting from intrusion prevention to intrusion tolerance, compartmentalization and 'credential silos' with protected endpoints, and risk management in the supply chain. We discuss each of these in this chapter.

Threat Analysis

Most cyber security assessments begin with threat analysis. In Chapter 5, 'Know Your Enemy', we provide a profile of the main threat actors and their driving motivations. An organization needs to evaluate the likelihood of being the primary target of each of the main threat groups, or being caught in the collateral damage from their activities. Organizations will monitor their cyber events - attempted attacks, malware discovered, suspicious activity - typically in an incident log. Analysis of the incident log provides important insights into the characteristics and frequencies of attempted attacks and the overall threat.

23.2 INCIDENT RESPONSE AND CRISIS MANAGEMENT

Real-time Crisis Management: How Fighter Pilots Do It

On May 1, 1983, high over the Negev desert of Israel, an F-15 Israeli Air Force jet collided with an A-4 Skyhawk plane. The impact sheared off the right wing of the F-15 jet, which was sent spinning. A second before pressing the ejector button, the pilot pushed the throttle, lit the afterburner, gained speed, and regained control of the plane. At twice the normal speed, he managed to land at an airbase, stopping just 20 feet from the end of the runway. The ability to recover from unexpected precarious and hazardous situations is the essence of resilience.

1 NIST (2018a), Cybersecurity Framework v1.1.

2 Pacific Crest analyst Rob Owens, quoted in Investor's Business Daily News, 10 June 2016.

3 Cybersecurity Ventures, Cybersecurity Market Report Q4 2016.

This astonishing feat of resilience was accomplished through a highly effective man-machine partnership. First, the intrinsic aeronautic design of the F-15 meant that it acted like a rocket, with sufficient lift being provided by the large surface area of the stabilizers, fuselage, and what remained of the wings. Second, the enterprising pilot had the presence of mind to light the afterburner and accelerate his way out of a deep crisis.

There is much to learn from this example of surprisingly successful real-time crisis management. Technology should be designed to be robustly adaptive to threats both foreseen and unforeseen. The man-machine interface is crucial. Corporate staff have to be trained and prepared for both the expected and the unexpected. The aim of cyber resilience is to maintain a system's capability to deliver the intended outcome at all times, including times of crisis when regular delivery has failed. A wide range of measures, from backups to full disaster recovery, contribute to cyber resilience, and to maintaining business continuity under the most testing, unusual, and unexpected circumstances.

Rapid Adaptation to Changing Conditions

As defined by a Presidential Policy Directive, resilience is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Cyber resilience analysts assess system deficiencies in disruption response, and develop means of rectifying these weaknesses through cyber security enhancements in prevention, detection, and reaction. Organizations need to be agile in crisis response. Organizations need to prepare for, prevent, respond to, and recover from any crisis that may emerge.

Cyber resilience requires a coherent strategy encompassing people, processes, and technology. The human dimension is especially important, because people can make imprudent security decisions and take risky actions. On the other hand, under crisis situations, people can rise in an extraordinary way to the challenge of adversity. They can make excellent decisions under intense pressure, coping well with the uncertainty over the trouble they find themselves in and the viability of their emergency response plan.

Corporate decision making starts with the board of directors, who have to drive forward the cyber resilience agenda and involve the whole organization, extending to the supply chain, partners, and customers. To balance risk with opportunity, a corporate risk-based strategy needs to be put in place that manages the vulnerabilities, threats, risks, and impacts. This strategy has to include preparation for and recovery from a cyber attack. At the same time, costs need to be kept under control, user convenience must be taken into account, and business requirements should be satisfied.

Cyber Risk Awareness in Staff

Microsoft provides considerations for a cyber resilience program.4 Amongst the recommendations is that every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber-resilient mindset. This should include not only adhering to IT security policies around identity-based access control, but also alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.

Training programs specifically geared towards developing a cyber-resilient mindset are particularly productive. Many corporate training programs exist to help staff to deal safely with social engineering scams. Even the most savvy of staff members may fall victim to one of these scams, which prey upon all manner of psychological, emotional, and cognitive weaknesses. Magicians exploit these weaknesses to fool people with their illusions. In the cognitive science literature, it is established that providing misinformation about past events can reduce memory accuracy and even create false memories. Phishing attacks and social engineering use a wide variety of con tricks, misdirection, and scams to try to get staff to reveal credentials, open toxic attachments, follow false links, and carry out other tasks. Spotting these tricks, questioning their veracity, and identifying the clues to their fakeness are skills that need to be learned and reinforced in staff behavior.

Business Continuity Planning and Staff Engagement

All staff members need a good understanding of business continuity issues. Those assigned specialist duties, such as planning testing and incident response, need extra specific training, as all emergency responders do. Middle and senior managers have their own responsibilities, and are required to understand and adopt integrated cyber resilience management best practice and compliance to standards. The key cyber resilience standards that should be adopted are:

• ISO 27001, the international standard describing best practice for an information security management system.

• ISO 22301, the international standard for business continuity.

Successful training can be achieved only with full staff engagement. If the training is perceived as dull, tedious, and boring, the results are likely to be disappointing. No matter how technically expert the training is, eliciting an enthusiastic human response requires addressing an extra dimension: psychology.

4 Johnson (2017).

Chapter 23 The Cyber-Resilient Organization ■ 347


One way of adding a psychological dimension to cyber resilience training is to reward staff positively for good cyber hygiene. Rewards might be handed out across the whole spectrum of cyber security issues of concern: reporting phishing emails; preventing tailgating; reporting attempted intrusions via social engineering; reporting any USB memory sticks lost or found; keeping desktop software patched and updated; maintaining strong, confidential passwords; attending security seminars and webinars; not leaving laptops unattended; and reporting bugs or vulnerabilities. Such incentivized training achieves measurable and impressive results. In one major corporation, after 18 months participants were 50% less likely to click on a phishing link and 82% more likely to report a phishing email.5

Gaming and Exercises

One familiar field of human endeavor in which incentivized training is proven to work well is in playing competitive games. The application of gaming principles to business is given the self-explanatory if contrived name 'gamification'. It actually started in marketing, as companies realized they could attract customers more readily by enticing them with a game or competition. Some businesses have been using gamification in the workplace as a way to boost employee morale.6 The application to adversarial situations like combating cyber risk may be more compelling and relevant than most. Amongst other cyber security firms, Kaspersky Lab has been adopting gamification technology in its security awareness training programs. In 2017, Kaspersky awarded a young talent lab prize to the US-based creators of a gamification app designed to raise information security awareness amongst millennials.

There are four principles to gamification: defining a goal, defining rules for reaching that goal, setting up a feedback mechanism, and making participation voluntary. Gamification usually means awarding points to employees who do the right thing, with various forms of recognition, including badges, prizes, and a leader board listing point totals. Treating cyber security as a competitive game, with scores posted as in a golf tournament, is not inappropriate. Unlike natural hazards resilience, security against cyber attacks is a persistent adversarial game - the attackers are rewarded for their efforts and industry, and so also should the defenders be rewarded. The more points that staff members manage to accrue, the harder it becomes for the adversary to score points by causing major cyber loss and disruption. Adversarial exercises, such as 'Capture the Flag', are good training for security staff and technologists.

Nudging Behavior

Another way of using psychology to change staff behavior is through adopting the nudge principle: encouraging good cyber hygiene without having to reward staff accordingly. One of the most famous original examples of nudging, quoted by economics Nobel laureate William Thaler, one of the authors of the nudge principle, is that of hygiene in men's restrooms. Men can be nudged to make less floor mess simply by having a marked target in the center of a urinal. No reward (or penalty) of any kind is needed to encourage better hygiene. In line with the previous golf tournament metaphor, one actual example of a marked target is a golf flag pin. At the Cyber Security Summit and Expo 2017, the chief operating officer at the UK Financial Conduct Authority suggested that staff members may be nudged to talk more about cyber security, and explained that far better cultural outcomes are then seen than with traditional annual mandatory training regimes. She further suggested that the same technique could be used with suppliers, who may be an unsuspecting weak link in overall security. In addition to usual due diligence, a regular conversation with suppliers on security sets a positive nudging tone for a mutually beneficial enhanced cyber security relationship.

23.3 RESILIENCE ENGINEERING

Safety Management

In traditional safety management, the focus is on identifying and defending against a prescribed set of hazards, using techniques with limited ability to realistically represent the intricacies of human and organizational influences adequately.7 Also, the search for causal factors of failures is obscured by the social, cultural, and technical characteristics of complex engineered systems. The concepts of resilience engineering address these shortcomings, integrating safety, process, and financial management. Resilience engineering builds on safety engineering, but treats faults and failures in socio-technical systems rather than in purely technical systems. The focus of resilience engineering is on the organization and on the socio-technical system in the

5 Wood (2014).

6 Penenberg (2013).

7 Wreathall (2006).

348 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
presence of accidents, errors, and disasters. In particular, resilience engineering is well suited to systems that are tightly coupled but intractable in the sense that they cannot be completely described or specified.

In general terms, resilience is the ability of an organization to recover to a stable state, allowing it to continue operations during and after a major mishap or in the presence of continuous significant stresses. Both of these contingencies are relevant for cyber resilience. The management challenge of building and leading a resilient organization increases in complexity as more products and services are online and open to cyber disruption by malevolent hackers.

Hotel Keycard Failure Example

A simple example is a hotel where room keycards fail after a cyber attack. Black hats have demonstrated how some digital hotel keys can be read with a simple portable device. Even in this dire situation, there has to be a backup plan to allow guests to access their rooms securely. Availability is a vital pillar of resilient cyber security; even after keycard failure, continuity of hotel service must be maintained, and guest rooms have to be available for use. Along with availability, confidentiality and integrity of information are two other vital pillars of cyber security. These also are major issues for the hotel industry because of data breaches of hotel booking and payment systems, and the theft of credit card data. Hotels have become popular targets because they have a business hospitality culture of openness. A cyber attack hit 1200 franchised InterContinental hotels in the last quarter of 2016. Hackers have declared open season on the reservation and point-of-sale systems of the hospitality and tourism industry.

THE CHALLENGE OF CYBER RESILIENCE: TRUMP HOTELS

Hotels are at high risk of data breach attacks, particularly major chains. Seven of the luxury hotels owned by presidential candidate Donald Trump were infected between May 2014 and June 2015 with malware that stole payment information. This data breach ended up exposing 70,000 credit card numbers and customer records, and was discovered only when multiple banks spotted hundreds of fraudulent transactions on customer accounts where the last legitimate transaction was at Trump Hotels.

Cardholders were unaware of the breach until a notice was posted on the Trump Hotels website four months after the hotel chain had learned of the major data exfiltration. This delay violated New York state laws stipulating timely consumer notifications regarding compromised data. Timeliness of security response is also a requirement of resilience. Trump Hotels duly enhanced security measures, including employee training, comprehensive risk assessments, and regularly scheduled testing of systems - but not before another data breach was discovered in March 2016.

Later that year, hackers broke into the Sabre SynXis Central Reservations System, which facilitates online hotel booking for some of the largest hotel chains. The intrusion remained undetected on the Sabre network for seven months, stealing data between August 2016 and March 2017. This was the third credit card data breach affecting Trump Hotels in three years.8

President Trump gave a public commitment to keeping America safe in the cyber era.9 This commitment extended to resilience: building defensible government networks and improving the ability to provide uninterrupted and secure communications and services under all conditions. Although a strident critic of big government, as a victim of data breaches in his hotel chain, Trump may recognize that stronger cyber security regulations may be needed and may need to be better enforced.

23.4 ATTRIBUTES OF A CYBER-RESILIENT ORGANIZATION

Anticipate, Withstand, Recover, and Evolve

In general, the complexity of a system makes it difficult to classify failure states following a cyber attack, which can impact an organization in innumerable ways. Yet, complexity is a vital system attribute enabling adaptation under external stress. The individual links between people and their environment should adapt under stress in a resilient manner. Because resilience is an emergent property of complex systems, it can be developed through focus on attaining specific goals.

A cyber-resilient organization should aim to anticipate, withstand, recover, and evolve. Given their intrinsic interconnectedness, all four of these goals should be addressed simultaneously. For example, even while withstanding or recovering from

8 Seals (2017).
9 Trump (2017).

Chapter 23 The Cyber-Resilient Organization ■ 349


a cyber attack, a business manager must anticipate further attacks. Even while anticipating, withstanding, or recovering from attacks, business processes that rely on them are constantly evolving to address changing operational and technical environments. And part of anticipation is withstanding stresses within some bounded range.

Cyber resilience is just one aspect of resilience in general. An organization that aspires to be cyber resilient should aim further to be resilient against all potential stresses. A highly resilient organization will share the six attributes listed in Section 8.4.3.10 In this list of attributes, which are not cyber-specific, there is a well-merited emphasis on human performance within the organization. This is appropriate since not only are security decision making and preparedness the responsibility of the organization's employees, but the staff members themselves are also a primary source of vulnerability to cyber attack, being susceptible to social engineering deception, as well as the source of human error in undertaking corporate security tasks.

Negative Attributes

Case studies of organizations that have suffered major data breaches often highlight missing attributes for a resilient organization. For example, security commentators referred negatively to the security culture at Equifax, which discovered a massive data breach on July 29, 2017, and announced it six weeks later on September 7. In his testimony to a US House of Representatives subcommittee on consumer protection, the Equifax CEO, Rick Smith, justified the delay in communicating the data breach on the grounds of avoiding further attacks and ensuring consumer protection measures could be put in place. A resilient organization would have had detailed contingency plans in place for a data breach, which would have expedited its crisis communication response.

The Equifax CEO also excused the communication delay with reference to Hurricane Irma, which took down two large call centers in September, soon after the breach announcement. This is a classic failure of resilience. Corporate preparedness for natural hazards should include plans to overcome breakdowns in infrastructure. Professional resilience engineers would not have been astonished that some of the 15 million Britons affected by the Equifax data breach were only notified eight months afterwards.

Six Positive Attributes for Resilience

For a consumer credit reporting agency, corporate resilience should have been a business priority. The many millions of consumers and businesses whose information was collected by Equifax would have expected the agency to have been a paradigm of resilience. But based on information publicly disclosed after the breach, Equifax may have possessed all too few of the following six attributes of a resilient organization. Indeed, in respect of human performance, the CEO personally blamed a single member of the company's security team, rather than recognize that all errors are the outcome of organizational deficiencies, such as a lack of resilience, for which the CEO is ultimately responsible.

1. Top-level commitment to recognizing and valuing human performance concerns, in both word and deed. An organization should provide continuous and extensive follow-through to actions related to human performance.

2. A just culture supporting the reporting of issues up through the organization. Without a just culture, the willingness of staff to report problems will be eroded, as will the organization's ability to learn about defensive weaknesses.

3. A learning culture benefiting from both good and bad experiences, and not responding to questions about security issues with denial.

4. Awareness of the true state of defenses, and their state of degradation. Also, insight into the quality of human performance, and the extent to which it is a problem.

5. Preparedness for problems, especially in human performance. The organization should actively anticipate problems and prepare for them.

6. Flexibility to adapt that maximizes the ability to solve problems without loss of functionality. It requires that important security decisions may be made at lower organizational levels.

These six attributes are qualitative organizational attributes, which have a significant bearing on quantitative resilience metrics: the time and cost to restore operations, the time and cost to restore system configurations, the time and cost to restore functionality and performance, the degree to which the pre-disruption state is restored, the potential disruption circumvented, and successful adaptations within time and cost constraints.

Cyber Resilience Objectives

Because the cyber threat is so dynamic, many actions to improve resilience may be effective for only a short duration. However, common to all actions are various general cyber resilience objectives, which are summarized next.

• Adaptive Response
An adaptive response involves executing and monitoring the effectiveness of actions that best change the attack surface, maintain critical capabilities, and restore functional capabilities.

10 Wreathall (2006).
• Analytic Monitoring
Analytic monitoring involves gathering and analyzing data on an ongoing basis and in a coordinated way to identify potential vulnerabilities, adversary activities, and damage.

• Coordinated Defense
In any conflict situation, having multiple defenses is advantageous, but they have to be carefully coordinated so that they do not interfere negatively with each other, but rather have a maximum positive effect.

• Deception
Sun Tzu's dictum that 'All war is based on deception' applies to cyber warfare as well as older traditional forms of conflict. Deception is an essential weapon of cyber defense, especially against a powerful adversary, such as a state-sponsored threat actor.

• Privilege Restriction
Violation of privilege restriction has facilitated some major cyber attacks. To minimize the impact of criminal action, privileges should be carefully restricted.

• Random Changes
Static security, however strong, is progressively liable to be eroded over time. Frequent randomized security actions that make it harder for an adversary to predict defender behavior increase the chance of adversary detection.

• Redundancy
The value of redundancy in enhancing system safety is evident from elementary reliability analysis. If the chance of failure of a key component is one in a thousand, then the chance of failure of two such components, assumed to have independent failure rates, is as low as one in a million. The independence assumption is the weak point in practice: duplicated components that share a power feed, a patch level, or an administrative credential tend to fail, or be compromised, together.

• Segmentation
The attack surface of a system can be reduced if system components can be segmented based on criticality to restrict the damage from exploits. Segmentation often employs either physically distinct entities or virtualization of computing subnetworks to provide the desired separation.

• Substantiated Integrity
It is crucial that critical systems and backups have not been corrupted by an adversary. Their integrity needs to be substantiated and data checked that they are not invalid or out of range.

23.5 INCIDENT RESPONSE PLANNING

Forensic Investigation

The vast majority of internet crimes are left unreported. A tiny proportion of cyber crimes are successfully prosecuted. Most perpetrators are outside Western jurisdiction, and even if they are within the same jurisdiction as the victim, successful prosecution is difficult to achieve.

However, where a significant corporate cyber crime has been committed, some level of criminal investigation is required for legal reasons, as well as to comply with obligations to shareholders and other corporate stakeholders, and to enhance resilience. This involves computer forensics. As with any forensic investigation, diligence is needed when attending the scene of a crime, to ensure that significant evidence gathered is admissible. In particular, the following four principles must be upheld:11

1. No action taken by law enforcement agencies, persons employed within those agencies, or their agents should change data which may be subsequently relied upon in court.

2. Where a person finds it necessary to access original data, that person must be competent to do so, and be able to give evidence explaining the relevance and the implications of his or her actions.

3. An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

4. The person in charge of the investigation has overall responsibility for ensuring adherence to the law and these principles.

Forensic investigators not only must comply with these principles; they also have to cope with insidious attempts to thwart computer forensic analysis. This may include encryption, the overwriting of data, and the modification of file metadata. And even where no such anti-forensic efforts have been made, a shrewd defense lawyer can query in court the quality of evidence of an intrusion - maybe the log file had been tampered with, or the originating internet protocol (IP) address had been spoofed.12 Thinking through defense arguments is a valuable intellectual exercise in cyber resilience, because it raises technical issues that could lead to ideas for improving the cyber security environment. One argument might be over identifying when exactly a cyber security incident occurred. For example, reconciling the timestamp of a connection to a web server might involve a client in London, a server in Tokyo, different time zones, and daylight-saving adjustments.

11 ACPO (2012).
12 Grimes (2016).
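The evidence-handling principles and the timestamp reconciliation problem described above can be turned into a small intake routine. The following is an added example written for this discussion, not code from the chapter or from the sources it cites. It hashes an evidence file without modifying it (principle 1), records a reproducible audit entry that an independent party can recompute (principle 3), and normalises log timestamps that carry their own UTC offset onto one UTC timeline, so that a Tokyo server entry and a London client entry can be ordered correctly across time zones and the night the clocks go back. The evidence bytes, host names, examiner name, and log stamps are constructed for illustration.

```python
"""Evidence intake with a reproducible audit trail, plus UTC timeline
reconciliation. Added example; constructed inputs, not real case data."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file opened read-only, in chunks, so the original bytes are never touched."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_intake(path, examiner, audit_log):
    """Append one audit entry: who handled what, when (UTC), and the item's hash."""
    entry = {
        "ts_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "item": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "action": "acquired",
    }
    audit_log.append(entry)
    return entry


def verify_unchanged(path, expected_sha256):
    """Any third party can recompute the hash and confirm the data is intact."""
    return sha256_file(path) == expected_sha256


def to_utc(stamp):
    """Parse an ISO 8601 stamp that carries its own offset ('+01:00' or '+0900')
    and return the instant in UTC. A stamp with no offset raises ValueError:
    a naive local time cannot be placed on a single timeline without the
    zone's daylight-saving rules, and guessing them is how timelines go wrong."""
    parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")
    return parsed.astimezone(timezone.utc)


def build_timeline(events):
    """events: iterable of (source, stamp). Returns (utc_iso, source) ordered by true time."""
    ordered = sorted((to_utc(stamp), source) for source, stamp in events)
    return [(utc.isoformat(), source) for utc, source in ordered]


# Constructed log extracts: a London client on British Summer Time (UTC+1, the
# night before the clocks go back) and a Tokyo web server (JST, UTC+9).
# Read as wall-clock strings the Tokyo entry looks eight hours later; in UTC it
# is five minutes earlier, so it is the first event of the incident.
EVENTS = [
    ("london-client", "2017-10-29T00:30:00+01:00"),
    ("tokyo-server", "2017-10-29T08:25:00+09:00"),
]


def demo():
    """Acquire a constructed evidence file, verify it, then show that tampering is caught."""
    audit_log = []
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "access.log")
        with open(evidence, "wb") as fh:  # constructed web-server log line
            fh.write(b'203.0.113.7 - - [29/Oct/2017:08:25:00 +0900] "GET /admin HTTP/1.1" 200 512\n')
        entry = record_intake(evidence, "examiner-1", audit_log)
        intact_before = verify_unchanged(evidence, entry["sha256"])
        with open(evidence, "ab") as fh:  # simulate an edit to the original
            fh.write(b"tampered\n")
        intact_after = verify_unchanged(evidence, entry["sha256"])
    return intact_before, intact_after, len(audit_log)


if __name__ == "__main__":
    print(demo())
    for when, source in build_timeline(EVENTS):
        print(when, source)
```

The hash is computed over the file opened read-only, and the audit entry is what a second examiner re-runs to reproduce the same digest; if the digest differs, the item is no longer the one that was acquired. Stamps without an offset are refused on purpose: for those the zone database (Python's zoneinfo) is the right tool, and a local time that occurs twice when clocks go back has to be resolved explicitly, not assumed.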


Initial Breach Diagnosis

An initial step in incident response is to assess when security was first breached. This is far from being a straightforward matter, as shown by the Yahoo revelations, in which disclosure of a 2014 breach was followed by disclosure of an earlier and larger breach dating from 2013. The next step is to discover what systems have been compromised, and what data has been exfiltrated or corrupted. An essential aspect of any first response to an unfolding crisis is conducting triage, which consists of classifying incidents, prioritizing them, and assigning incidents to appropriate personnel.13 Containment of damage and prevention of its spreading are then urgent actions before eradication of the threat and removal of malware from the network. The mark of resilience in incident response is restoration of systems to their normal operation. The main challenges in recovery are in reconnecting networks and confirming that systems have been successfully restored.

Thinking ahead is characteristic of a resilient mindset. Even before, and preferably well before, a major incident occurs, plans should be drawn up for investigating incidents, as and when they might occur, and for undertaking extensive post-incident investigations. Communicating lessons learned to all stakeholders in a transparent and timely manner is a crucial element of a resilient response. Amongst the lessons will be insights into the effectiveness of security measures, and the costs and impacts of cyber incidents. From such lessons the cost-effectiveness of enhanced security measures can be better gauged.

23.6 RESILIENT SECURITY SOLUTIONS

Resilient Software

Resilient software should have the capacity to withstand a failure in a critical component, such as from a cyber attack, but still recover in an acceptable predefined manner and duration. Factors affecting resilience include complexity, globalization, interdependency, rapid change, level of system integration, and behavioral influences. The complex networked systems prevalent in many organizations make it hard to provide a service platform with consistent levels of resilience. When a critical system fails, the required service may not be readily deliverable, especially when there is high demand. Furthermore, net-centricity can introduce complexities that lead to greater chances of errors.14 Learning from failure is essential for a resilient organization. When software fails, this is an opportunity for additional resilience features to be introduced.

Security should be fully integrated within the development process, with built-in features such as defense in depth, running with least privilege, and avoidance of security by obscurity. A software development life cycle (SDLC) is a series of phases that provide a framework for developing software and managing it through its entire life cycle. There is no specific technique or single way to develop applications and software components, but there are established methodologies that organizations use and models they follow to address different challenges and goals.

However well written and resilient the software is, and however much the network perimeter defense has been hardened, a determined, highly motivated (perhaps state-sponsored) cyber attacker can eventually manage to find an entry point into any system through some social engineering deception or zero-day exploit. Treating a twenty-first-century software system as a medieval fortress with impregnable entry points is itself a counterproductive form of self-deception, and a denial of the reality of the virtual world. This is detrimental to cyber security in general, and to maintaining resilience in particular. It is prudent to accept that system intrusion will occur in the future, and to plan a maximally resilient response. The three pillars of successful response identified by Dr Eric Cole are detection, containment, and control.15

Detection, Containment, and Control

In biology, a system's capacity to absorb and resist any damage from internal or external mechanisms, and recover quickly, is a measure of its resilience. The universal process of evolution embodies natural selection for resilience. A key criterion for fitness is resilience. In healthcare, a doctor would advise a patient that prevention is always better than cure. Hence those who spend hours in the sun are urged to use sunscreen. Regular use of sunscreen can halve the incidence of melanoma, which is a type of skin cancer. If excessive sun exposure does eventually cause melanoma, the sooner this is detected the better, so that effective treatment can be given. Most importantly, any malignant tumor should be found before it spreads to other parts of the body.

Rapid threat detection lies at the heart of resilient cyber security. Imagine a cyber attack that targets a perceived security weakness in a peripheral device such as a printer. If system security extends to intrusion detection that monitors the device memory for malicious attacks, then threat detection can automatically instigate a reboot from a safe copy of the device's operating system. By restoring the peripheral device without business interruption, cyber resilience is achieved.

13 CREST (2013).
14 Murray et al. (2017).
15 Cole (2015).
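The detection, containment, and control loop just described can be made concrete with a behavioral detector that drives a containment decision. The following is an added example, not code from the chapter or from Cole: it builds a per-host baseline of outbound traffic from constructed flow records, scores each observation with a robust z-score (median and median absolute deviation, so a handful of outliers does not inflate the baseline they are measured against), suppresses the one kind of false positive a scheduled weekend backup produces, and turns the remaining alert into concrete isolation actions. The host names, the backup target and window, the threshold, and the flow records are all assumptions made for the example.

```python
"""Baseline-and-deviation detector feeding a containment decision.
Added example with constructed flow records; not from the chapter."""
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import median

Flow = namedtuple("Flow", "ts host dst bytes_out")
Alert = namedtuple("Alert", "ts host dst bytes_out score action")

BACKUP_TARGETS = {"backup-01.corp.example"}  # assumed approved backup server
BACKUP_WINDOW = (5, 18, 23)                   # assumed: Saturday (weekday 5), 18:00-23:59
THRESHOLD = 6.0                               # assumed robust z-score cut-off


def build_sample():
    """Constructed hourly outbound-byte records for one workstation."""
    flows = []
    # Two working weeks of ordinary office-hours traffic, 16-27 Oct 2017.
    for day in range(16, 28):
        for hour in range(8, 19):
            ts = datetime(2017, 10, day, hour)
            if ts.weekday() >= 5:
                continue
            jitter = (day * 7919 + hour * 104729) % 300_000  # deterministic spread
            flows.append(Flow(ts, "ws-17", "cdn.example", 2_000_000 + jitter))
    # Saturday-evening backup: huge, but scheduled and to an approved destination.
    flows.append(Flow(datetime(2017, 10, 28, 20), "ws-17", "backup-01.corp.example", 9_000_000_000))
    # Monday 03:00 transfer to an outside address (203.0.113.0/24 is a documentation range).
    flows.append(Flow(datetime(2017, 10, 30, 3), "ws-17", "203.0.113.50", 800_000_000))
    return flows


def robust_baseline(flows):
    """Per-host median and MAD of bytes_out. Unlike mean and standard deviation,
    these are barely moved by the few outliers that are mixed into the history."""
    per_host = defaultdict(list)
    for f in flows:
        per_host[f.host].append(f.bytes_out)
    baseline = {}
    for host, values in per_host.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[host] = (med, max(mad, 1.0))  # floor avoids division by zero on flat traffic
    return baseline


def robust_z(value, med, mad):
    """Deviation from the median in MAD units; 1.4826 rescales MAD to a sigma-like unit."""
    return abs(value - med) / (1.4826 * mad)


def in_backup_window(ts):
    weekday, start, end = BACKUP_WINDOW
    return ts.weekday() == weekday and start <= ts.hour <= end


def analyze(flows, threshold=THRESHOLD):
    """Detection step: score every flow against its host's baseline and classify hits."""
    baseline = robust_baseline(flows)
    alerts = []
    for f in flows:
        med, mad = baseline[f.host]
        score = robust_z(f.bytes_out, med, mad)
        if score < threshold:
            continue
        if f.dst in BACKUP_TARGETS and in_backup_window(f.ts):
            action = "suppressed: scheduled backup"  # the Saturday-evening false positive
        else:
            action = "contain"
        alerts.append(Alert(f.ts, f.host, f.dst, f.bytes_out, round(score, 1), action))
    return alerts


def containment_actions(alerts):
    """Containment and control step: confirmed alerts become isolation actions."""
    actions = []
    for a in alerts:
        if a.action == "contain":
            actions.append(f"quarantine-vlan {a.host}")
            actions.append(f"block-egress {a.host} -> {a.dst}")
    return actions


if __name__ == "__main__":
    found = analyze(build_sample())
    for a in found:
        print(a.ts, a.host, a.dst, a.bytes_out, a.score, a.action)
    print(containment_actions(found))
```

Two design points carry over to real deployments: the baseline must be robust to the very anomalies it is meant to catch (an attacker who has been exfiltrating for weeks is already in the history), and suppression of known-benign behavior should be keyed on context such as destination and time window, never on volume alone, or the backup window becomes the exfiltration window.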
CASE STUDIES IN GERMAN STEEL RESILIENCE

In February 2016, Southeast Asian hackers exfiltrated technological intellectual property data from Thyssenkrupp, one of the world's largest steelmakers. Early detection and timely countermeasures limited the loss from this professional cyber espionage attack, which was discovered, continuously observed, and analyzed by Thyssenkrupp's computer emergency response team. This admirably resilient response to a cyber attack contrasts with what happened when a steel mill in an undisclosed location in Germany was targeted for a cyber attack in 2014. (Thyssenkrupp denied it was one of its steel mills.) The motive for this apparently senseless act of cyber vandalism remains unknown, but it does provide an instructive contrasting case study in cyber nonresilience.

The attackers used spear phishing emails to access the steel mill office IT network, compromise a multitude of systems, and spread over to the production network. Failures accumulated in individual control components, and a blast furnace could not be shut down in a regulated manner, which resulted in extensive damage. This cyber attack came as a shock not just to the steel mill security staff, but to the entire cyber security industry in Germany and beyond. Surprise is the enemy of resilience.

It would not have been feasible for an outside vandal to have physically gained access to the steel mill and sabotaged a blast furnace. Basic site security would have detected the unauthorized intrusion and prevented this kind of criminal damage. The cyber attack was not detected because it was an advanced persistent threat (APT), executed carefully in stages in a slow and stealthy way, keeping a low profile to make detection difficult.16 Apart from remaining undetected, the attack was neither contained nor controlled.

A more resilient cyber defense strategy would have had a network intrusion detection system (NIDS) deployed. This strategy should also have maintained a strict separation between business and production networks to contain the attack, preventing it from spreading from the entry point to the key industrial target.

Minimize Intrusion Dwell Time

A resilient strategy for coping with a cyber attack should minimize the intrusion dwell time, which is the time from initial system compromise to the time the malware ceases to be effective. Controlling dwell time means early detection with an appropriate effective response. Just as with malignant cancer, the lateral spread of intrusion should also be contained and controlled, so as to minimize the number and extent of compromised systems. Dwell times can be measured in months rather than days or weeks because attackers are often ingeniously adaptive to new security systems, and may change their threat signatures from those detected by threat intelligence service providers. Spotting anomalous behavior is a crucial aspect of resilient cyber security.

A network behavior anomaly detection (NBAD) program tracks critical network characteristics in real time and generates an alarm if an anomaly or unusual trend is detected that might signal a threat. Examples of such characteristics include increased traffic volume, bandwidth, and protocol use. Such a program can also monitor the behavior of individual network subscribers.

For NBAD to be optimally effective, a baseline of normal network or user behavior must be established over a period of time. A large volume of network data can enable even a comparatively modest anomaly to be tracked and flagged. Inevitably, as in any anomaly detection system, there may be false positives, such as when an employee decides to back up the contents of a hard drive on a Saturday evening before going away on vacation the following morning. The flip side of anomaly detection, when dealing with an intelligent adversary striving to keep illicit activities hidden within the noise, is the possibility of false negatives. The international prize for smart detection avoidance might be awarded to the Soviets, who violated nuclear test ban treaties by automatically timing the detonation of nuclear test explosions to coincide with the occurrence of regional earthquakes. The seismic signal of a nuclear explosion (the observational basis for nuclear test forensics) would be hidden within the tail of the earthquake signal. This kind of subtle trickery to evade detection ended with the Cold War, but the ingenious cunning of the Russian chess mind in the age of state-sponsored cyber attacks should not be underestimated.

Anomaly Detection Algorithms

Anomaly detection algorithms use state-of-the-art artificial intelligence methods, incorporating sophisticated Bayesian techniques of statistical inference. These probabilistic tools for searching for discrepancies have been refined using ideas developed for Big Data analysis. Faster, cheaper, simpler - but less powerful - are signature-based detection methods. Rather like a police biometric database of fingerprints or DNA samples, these methods rely on a database of signatures carried by packets known to be sources of malicious activities. Signature-based methods check for automated procedures supplied by well-known hacker tools. These tend to have the same traffic

16 Bartman and Kraft (2016).


signatures every time, because computer programs repeat over and over again the same instructions.

Both anomaly and signature-based detection approaches should be incorporated within an overall NIDS. As anyone who lives in a gated community knows, reliance on the detection of an intruder is far from being a resilient strategy for mitigating the risk of burglary. The probability of detection can never be very close to certainty, because the price of false alarms would be unacceptable. Each house needs its own security system to contain and control the criminal action of an intruder. Defense in depth is a cornerstone of resilient security. Recognition of lateral movements of a cyber attacker requires continuous monitoring of the internal network, and a visual interface that provides the right metrics for security analysts to gain situation awareness of any intrusion. With these metrics, an intrusion can begin to be contained and controlled.

Containment of the adverse impacts of security breaches will help avoid an escalation of loss and blunt the force of a cyber attack, so as to make incident response more effective. Containment might be achieved through network segmentation, and redundancy measures such as having logical and physical duplication. Another containment approach that increases resilience is designing systems so that they continue to function and perform their tasks even when connectivity to external systems is lost. With any security initiative, there is also an intrinsic human component that needs to be considered. Dealing with an intrusion effectively requires a degree of security staff preparedness that merits training and rehearsal of an emergency response plan.

Penetration Testing

In cyberspace, it is essential to understand the interrelationship between vulnerability assessment and risk analysis.17 Much more effort is directed towards the former than the latter. But measuring work on vulnerability assessment is not measuring risk reduction. For example, a vulnerability scanner might determine that a server is missing critical operating system patches by detecting an outdated version of the operating system during a network probe. This vulnerability might be remedied simply by a software update and a reboot. Assessing the corresponding cyber risk reduction is not so straightforward. This would involve explicitly devising an exploit to show that the missing patch would allow an attacker to gain access to the server. This might be a difficult task, not necessarily cost-effective for a work-averse hacker.

A penetration test (pen test to its friends) is the process of conducting simulated attacks to discover how successful cyber attacks might occur. Conducting a pen test to prove that a missing patch is a security issue typically raises the cost of testing, and runs the expensive risk of potential system downtime. Not all pen testing is expensive; the simplest type of pen testing involves a handful of social engineering tricks, or taking advantage of an easily guessable password. Some IoT gadgets such as a kitchen kettle leave the factory with a basic default password, which may not be changed by the forgetful or ignorant purchaser. Like all professional occupations, pen testers come with a wide range of knowledge, ability, and experience. The best pen testers have deep knowledge of operating systems, networking, scripting languages, and the like, and use a clever combination of manual and automated tools to simulate attacks with the same complexity as might be conceived by a black hat.

Pen test results are typically reported on severity, exploitability, and associated remediation actions. The information obtained from pen testing can be used to plug security gaps, improve attack response, and enhance cyber resilience. Controlling network entry and exit points and reducing the overall attack surface will make it easier to respond to an attack, and enable functionality to be restored more quickly. This therefore increases an organization's resilience against cyber attacks.

The Risk-Return Trade-Off

Whereas junior security personnel may work obsessively to reduce vulnerability where they find it, cost-conscious senior management and their accountants are particularly interested in the risk-return trade-off. The actual level of risk reduction achieved may in fact be lower than is optimistically perceived, given the large security budget. For example, within days of a pen test, network changes may create new security challenges.

Pen testing is commonly used to address the problem of cyber risk mitigation, instead of more empirical and scientific practices. Although pen testers know what to charge for their professional services, most pen testers cannot put a price on their success or failure. Pen testers can make recommendations on how to close security gaps, and how to prioritize the necessary tasks. But no two pen testers go about their assignment in the same way, and pen testing is usually done on a limited set of targets. Accordingly, pen testing is not strictly a risk management exercise.

To provide another perspective on security risk management, consider the pen testing analog of red-teaming in counterterrorism studies. Ever since 9/11, security consultancies with extensive military expertise have undertaken vulnerability assessments for specific locations and events that might be targeted for a terrorist attack. Red-teaming exercises are particularly valuable

17 George (2016).
in identifying gaps in security that would make a location or event a comparatively soft target relative to other alternative targets. By hardening any one potential target, e.g. deploying additional perimeter security guards and installing CCTV, the risk may be transferred to another soft target, in a process that terrorism risk analysts recognize as target substitution.18 This tactic should extend to cyber risk as well. Hackers (like terrorists) follow the path of least resistance in their targeting, and if an attractive designated target for a cyber attack has been hardened, others lacking the benefit of pen testing or red-teaming knowledge may become more likely to be attacked.

23.7 FINANCIAL RESILIENCE

Financial Consequences of a Cyber Attack

A major cyber attack on a corporation can impact it in numerous adverse ways. Intellectual property and other confidential information may be stolen; important computer system files may be corrupted or encrypted; denial of service may bring systems down; physical damage to corporate facilities and property may be inflicted; psychological and bodily harm may be caused to staff and customers; reputational damage may be incurred, and liability lawsuits may be filed. Whatever the impact, business will be disrupted to an extent that depends on the resilience of the organization. We describe many of these consequences and illustrate some of these costs in the first two chapters: Chapter 1, 'Counting the Costs of Cyber Attacks', and Chapter 2, 'Preparing for Cyber Attacks'.

The bottom line for any commercial organization is the ultimate financial cost. Each of the adverse impacts results in a financial loss to the corporation. For publicly listed corporations, the stock price is a resilience measure. For those publicly listed corporations for which cyber security is paramount for customer confidence, the impact of a severe cyber attack on stock price can be devastating. As fallout from a massive identity theft data breach, the stock price of Equifax fell precipitously by about one-third in one week, before a new CEO was appointed in late September 2017 and started to turn the consumer credit reporting agency around. But with further revelations that the data breach was worse than previously thought, the stock price in mid-February 2018 was still lower by 20% than it had been before the breach disclosure.

Financial Risk Assessment

Companies have to make assessments of their risk and build resilience into their balance sheet to withstand the types of shock that might be foreseeable. In the United States public companies are expected to file annual 10-K submissions to the Securities and Exchange Commission that identify the key risks to their business and to notify their shareholders and counterparties of those risks. The UK equivalent is the Long Term Viability Statement (LTVS) reporting to the Financial Reporting Council on liquidity. Cyber risk is one of the most commonly reported risks by companies, declared in their 10-K and LTVS filings.

A cyber attack can cause sufficient loss to cause damage to a company's balance sheet, even for fairly sizeable organizations. Examples include companies having to issue profit warnings, suffer credit downgrades, make emergency loan provisions, and see reduction in stock price, and ultimately the loss could be severe enough to force the organization to cease trading. The likelihood of cyber attacks causing a loss sufficient to trigger each of these thresholds depends on the type of risk analysis we have described, defining the odds of experiencing a cyber loss of these levels of severity, combined with the financial structure of the organization, its liquidity, its access to capital reserves, and analysts' interpretation of the event in terms of how it might affect the future business model and position relative to its competitors.

Balance sheet resilience for the levels of financial shock that might be inflicted by a cyber event can be achieved by having all of the standard financial engineering processes to minimize earnings volatility, including having sufficient liquidity margins, reducing debt ratios, having access to emergency loan provisions, being able to cut costs to meet earnings targets, and having cyber insurance to provide a level of financial indemnity against the loss.

Reverse Stress Testing

For any specified cyber attack scenario designed as a financial stress test, the implications for a corporation can be evaluated, taking account of the myriad ways that it might affect business. For a particularly severe scenario, a corporation's credit rating might be downgraded. The implications of cyber attacks could start taking a higher priority in credit analysis. Moody's Investors Service views material cyber threats in a similar vein as other extraordinary event risks, such as those arising from natural disasters, with any subsequent credit impact depending on the duration and severity of the event.19 While Moody's does not explicitly incorporate cyber risk as a principal credit factor, its fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one

18 Woo (2011).
19 Moody's Investors Service (2015).

Chapter 23 The Cyber-Resilient Organization ■ 355


of those stress scenarios. In a 2015 report, Moody's identified several key factors to examine when determining a credit impact associated with a cyber event, including the nature and scope of the targeted assets or businesses, the duration of potential service disruptions, and the expected time to restore operations.

Both the disruption duration and the operational restoration time are basic defining characteristics of resilience. A cyber-resilient organization should know just how bad a cyber attack would need to be to threaten its viability, or to have its credit rating downgraded. This is called reverse stress testing. Through systematic reverse stress testing, measures can be developed to protect a corporation against such unacceptable outcomes.

For insurance companies in the context of Solvency II, the concept of reverse stress testing for an insurer's own risk and solvency assessment (ORSA) is endorsed by the European Insurance and Occupational Pensions Authority.20 A number of practical cyber reverse stress tests have been developed.21 They have been used as management desktop exercises to identify operational weaknesses and areas that need attention.

Defense in Depth

The principles of engineering resilience go a long way in cyber resilience. Defense in depth is a crucial objective in building in system resilience. Even if one system fails, overlapping system design will mean there is no single point of failure. This contrasts markedly with a standard check-box approach to security, which sanctions systems with a minimum level of redundancy as having sufficient security. If this standard check-box approach were routine in the passenger airline industry, there would be just a single pilot in the cockpit, rather than two or three.

The Equifax CEO singled out one of the company's 250 security personnel as responsible for allowing the data breach: 'We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched. The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not'.22 Cyber security should not be reliant on the error-free human action of any individual, just as airline safety should not be reliant on the perfect, impeccable job performance of any one pilot. No computer user can presume that computer software is bug-free, and no CEO can presume that the successful management of such bugs can be achieved without some occasional human error.

Having extra personnel available for patching provides defense in depth. Operational redundancy of course costs money - this is the price of resilience. Deciding on how much defense in depth a corporation should have depends partly on regulation, and partly on corporate risk appetite. The irony of the Equifax data breach is that the CEO might well have stipulated a tight limit to the cyber risk to which Equifax should have been exposed. Given the extreme sensitivity of the identity data retained by Equifax, customers would have been dismayed by any other cyber security policy. However, there was a disconnect between CEO instruction and actual operation. The implementation of this policy lacked the resilience required to ensure its practical effectiveness in a perpetually hostile cyber threat environment.

Enterprise Risk Management

Enterprise risk management (ERM) envisages an organizational process applied in developing strategy across the enterprise. It is designed to identify events that might affect the organization, and to help manage risk to within its risk appetite. The degree of cyber resilience sought by an organization should be commensurate with its risk appetite. Traditional ERM measures of cyber risk typically do not quantify severity of financial loss in the event of a cyber incident. As the importance of cyber risk increases amongst organizations worldwide, ERM studies will help to specify optimal levels of cyber resilience investment. Too often, when a large corporation suffers a massive cyber attack loss, the CEO is unable to explain whether the negative outcome was consistent with its risk appetite or resilience objectives. It is easier to attribute blame to staff error.

Cyber Value at Risk

Cyber value at risk (VaR) is based on the general notion of VaR, widely used in the financial services industry. In finance, VaR is a risk measure for a given portfolio and time horizon, defined as a threshold loss value. Specifically, given a low designated probability value X, e.g. 0.05, VaR expresses the threshold loss value such that the probability of the loss exceeding the VaR value is the low number X. As with other types of risks, the concern is not only with expected losses from cyber threats, but should incorporate an understanding of potentially more significant losses that could occur with a small but finite probability. Cyber VaR can be perceived as the value exposed given both common and significant attack risks. Technically, financial value at risk is defined as the maximum loss for a given confidence interval (say, with 95% certainty) on a given time horizon, e.g. one year. Traditionally, the confidence levels have been estimated under the simplifying hypothesis that the underlying loss variability

20 EIOPA (2017).
21 See References for list of publications by CCRS.
22 Harmer (2017).
can be represented by a bell-shaped normal distribution. This is very convenient for mathematical analysis, because the sum of any number of normal distributions is still normal. However, the normal approximation is invalid for open-ended risks like cyber risks, which recognize no bounds of geography and can increase in severity scale by orders of magnitude. A problem faced by cyber risk analysts is the brief observational period of historical data, which may not represent accurately the tail of the loss distribution, which could have a much fatter shape than any bell.

Re-Simulations of Historical Events

The historical record of cyber attacks is just a couple of decades long. By conducting stochastic simulations of past cyber attacks within this time window, cyber risk analysts can look beyond the near horizon of history and scan the far horizon, gaining insight into how large cyber losses might potentially have been. For example, suppose that a major bug (such as Heartbleed) had been discovered by a black hat rather than by a white hat; what might the cyber loss have been? Even though Heartbleed was found first in 2014 by the Google security team, the alarming potential for data exfiltration was demonstrated by Chinese hackers who, after the bug was disclosed, stole the personal data of about 4.5 million patients of hospital group Community Health Systems Inc. The hackers used stolen credentials to log into the network posing as employees. Once in, they hacked their way into a database and stole millions of records. If this bug had not been found by white hats and patched, many criminal hacking groups might have followed this basic modus operandi of using the Heartbleed bug to steal credentials, which would then be a gateway of opportunity to exfiltrate very large volumes of valuable data. With a complete medical record selling on the dark web for high prices, the economic loss from tens of millions of medical records alone might have been many billions of dollars.

The sensitivity of corporate vulnerability to cloud failure might also be assessed by revisiting the most severe historical cloud outages involving a cloud service provider, and contemplating some downward counterfactuals where the situation, which was bad already, turned for the worse because of poor resilience of the cloud service provider. In 2015, a notable bug, XSA-148, was found in the Xen hypervisor software by the cloud platform security team at the Chinese multinational Alibaba.23 This bug would have allowed malicious code to be written into a hypervisor's memory space. This vulnerability was probably the worst ever seen affecting Xen, which is a free software project. It is claimed that Xen has fewer critical bugs than other hypervisors, but this would be little consolation to an organization that suffered loss through a Xen bug.

Counterfactual Analysis

Counterfactual analysis can also quantify the benefit from past security enhancements, such as regular penetration testing, as well as from the introduction of resilience measures to mitigate the loss from cyber attacks. For example, measures to streamline the process of restoring backup systems in the event of a ransomware attack might be assessed retrospectively for the WannaCry attack of May 2017. Suppose that the kill switch had not been found early on by Marcus Hutchins, and that WannaCry had spread widely within the United States. How much worse might the corporate cyber loss have been if an improved backup restoration process had not been implemented? Due consideration of past near misses such as this would encourage improved future preparedness for, and resilience against, another ransomware attack.

This kind of counterfactual analysis would also help decide on the cost-effectiveness of additional cyber resilience measures. Suppose that an additional resilience technology had been introduced several years ago. How much would the cyber losses over this period have been reduced? A positive answer would then lead to a quantitative assessment of whether the substantial expenditure on this resilience enhancement is warranted by prescribed corporate limits on its cyber risk appetite. Resilient organizations are less prone to strategic surprise.

Building Back Better

In the depth of the financial crisis in November 2008, President-elect Obama's chief of staff, Rahm Emanuel, looked forward optimistically: 'You never let a serious crisis go to waste. And what I mean by that - it's an opportunity to do things you could not do before'.24 In earthquake engineering, there is an extended resilience concept that reconstruction after an earthquake should not merely aim to restore a building to its pre-earthquake state, which was evidently seismically vulnerable, but to make it more earthquake-resistant in the future. This is called building back better. The same concept applies to reconfiguring a computer system after a major cyber attack. Merely restoring previous functionality with its exposed security vulnerabilities is a poor short-term option; far superior is building in more robust, enhanced security from the outset. For example, if overall system failure can be traced back to a single item failure, which could have either a technological or human source, then

23 Luan (2016).
24 Selb (2008).


introducing some extra redundancy could mitigate this source of cyber risk in the future.

After Target suffered a massive data breach in 2013, the task of building back better started with Target doing something it had never done before - appoint a chief information security officer (CISO). An experienced CISO was hired from General Motors to lead the post-breach response. Upgrading payment terminals was clearly essential, and $100 million was spent to support chip-and-PIN credit and debit cards, which had been introduced in Europe some years before. Whether it was the cost of hiring a top CISO or upgrading payment terminals, even a simplified VaR analysis would have demonstrated these to be cost-effective security enhancements, considering that customer confidence decline would have sharply limited its corporate cyber risk appetite.

Events Drive Change

Cyber criminals learn from each other, and so do their victims. Organizations can build back better, not just when they themselves have suffered loss, but when others have had this misfortune. The Target breach was a wake-up call not just for the retailer's own management, but for management right across corporate America. A survey conducted of 20,000 IT practitioners in the United States by the Ponemon Institute found that respondents' security budgets increased by an average of 34% in the year following the Target breach, with most of those funds used for security information and event management (50%), end point security (48%), and intrusion detection and prevention (44%).25 Some 60% of respondents also said they made changes to their operations and compliance processes in response to recent well-publicized data breaches: 56% created an incident response team, 50% conducted training and awareness activities, 48% added new policies and procedures, 48% began using data security effectiveness metrics, 47% added specialized education for the IT security staff, and 41% added monitoring and enforcement activities.

From such substantial remedial security measures, organizations show they can be fast learners in cyberspace, and the cyber security market is seen to be highly adaptive, swift, and responsive to new commercial opportunity. Indeed, the digital revolution would not have happened so rapidly had it not been for the spirit of technical enterprise and ingenuity that digital pioneers have abundantly displayed in overcoming enormous challenges. Back in 1996, the Clinton-Gore vision of having the internet in every American school seemed blighted by the proliferation of carcinogenic asbestos in buildings, which made it prohibitively expensive and risky to run internet cables through old school walls. Wi-Fi was the innovative and resilient answer to a seemingly formidable obstacle. In a most timely fashion, Wi-Fi was invented and first released for consumers the year afterwards, 1997.

Transcending the physical barriers of old building construction, this seminal advance in educational opportunity has been crucial in making internet access a basic right of a US citizen. Wi-Fi has also been a major opportunity for cyber criminals, especially public Wi-Fi. Data over this type of open connection is often unencrypted and unsecured, and consequently vulnerable to man-in-the-middle attacks whereby sensitive data can be intercepted. To keep at least one step ahead of cyber criminals, a continuous investment increase in security education will be essential.

Education for Cyber Resilience

The universal availability to US schoolchildren of Wi-Fi is now crucial for filling the looming cyber security skills gap. Demand for cyber security professionals is growing faster than the overall IT job market. Many more of the millennial cohort are needed to train and work as cyber security professionals. The increasing demand for young cyber security staff should serve a valuable societal purpose in providing gainful employment for hackers of rather modest IT skill and knowledge, who might struggle to get a well-paying job in a tight IT labor market.

Such average hackers might otherwise drift into a life of petty cyber crime, purchasing from better-skilled cyber criminals off-the-shelf exploit toolkits that they could use to make money illegally in cyberspace. With demand for talented cyber security professionals outstripping supply now and into the foreseeable future, a life of cyber crime makes little sense for a highly able cyber security professional, unless he or she has a penchant for illegal hacking, in which case legitimate and fulfilling government employment at the National Security Agency (NSA) or Government Communications Headquarters (GCHQ) beckons. Collectively, NSA and GCHQ may have the best offensive cyber attack capability, which in itself is an employment draw.

Aviation resilience in the skies ultimately depends on the skill, training, and experience of airline pilots. The safety of airlines varies quite significantly, even though their fleets of Boeing and Airbus aircraft may be quite similar. The cyber security of corporations also varies quite significantly, even though their Microsoft and Apple computer systems may also be quite similar. Cyberspace resilience ultimately depends on the skill, training, and experience of smart cyber security professionals who have

25 Ponemon Institute (2015).
the knowledge, capability, and motivation to defend their organization effectively against a continuous barrage of targeted and random cyber attacks, some of which are masterminded by elite state-sponsored hacking teams.

Improving the Cyber Profession

In any professional adversarial contest, the outcome depends heavily on the quality of the best players. Nobody appreciates this as much as the North Koreans, Chinese, and Russians, with their prestigious and highly competitive cyber academies. To match such training centers of cyber excellence, the UK National Cyber Security Centre has offered bursaries, specialist training, and paid work placements to a thousand young British students. This training initiative has had the support of major international defense contractors, as well as the City of London Police.

More ambitiously, with additional US expenditure on national security programs, the Pentagon could establish a US National Cyber Academy to defend the nation in cyberspace. This academy would be rather like the existing sea, land, and air academies at Annapolis, West Point, and Colorado Springs. The underlying rationale for this investment is the realization that winning in cyberspace is fundamentally a matter of cyber security skill and expertise.

Beyond the government, recruiting and retaining the best cyber security staff should be a priority of every cyber-resilient organization. In 2018, 70% of CISOs reckoned that lack of competent in-house staff was their top security threat. Other than being targeted by a cyber attack, the resilience of a corporation may be severely tested if one or more of its leading cyber security team were to leave. From the CISO downwards, robust backup plans need to be prepared for this contingency. Management consultants highlight the importance of both CISO succession planning and developing others to represent the CISO. The sooner that individuals are trained and prepared for this role, the more resilient a corporation will be.
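The quantitative ideas of section 23.7 above (reverse stress testing against balance-sheet thresholds, cyber VaR as a threshold loss with exceedance probability X, the inadequacy of the bell-shaped approximation for fat-tailed losses, and counterfactual re-simulation of a loss history with and without a resilience measure) can be made concrete with a small Monte Carlo model. The Python below is an added worked example written for this edition; it is not code from the chapter or from any of the cited sources. The frequency and severity parameters, the balance-sheet thresholds and the insurance terms are constructed, illustrative assumptions (amounts in $ millions), not figures drawn from the text.

```python
"""Added example: Monte Carlo cyber-loss model illustrating cyber VaR, the
normal ('bell') approximation versus a fat-tailed loss distribution, reverse
stress testing against balance-sheet thresholds, and a counterfactual
comparison with a resilience measure (cyber insurance).
All parameters are constructed for illustration; amounts are in $ millions.
"""
import math
import random
import statistics

# Assumed annual loss process (not from the text): the number of loss-causing
# incidents per year is Poisson(LAMBDA); each incident's loss is lognormal,
# i.e. right-skewed with a fat tail, so one event can be orders of magnitude
# larger than the typical one.
LAMBDA = 2.0            # expected loss-causing incidents per year
MU, SIGMA = 0.0, 2.0    # lognormal parameters: median incident loss of $1m

# Assumed balance-sheet thresholds ($m) at which the outcomes named in the
# text would be triggered; a real analysis takes these from the firm's financials.
THRESHOLDS = {"profit warning": 25.0, "credit downgrade": 150.0, "cease trading": 1000.0}


def poisson(lam, rng):
    """Sample a Poisson count (Knuth's multiplication method)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(years, seed=1, lam=LAMBDA, mu=MU, sigma=SIGMA):
    """Simulate the total cyber loss for each of `years` independent years."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = []
    for _ in range(years):
        n = poisson(lam, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def var(losses, x):
    """Empirical VaR at exceedance probability x: the smallest simulated loss L
    with P(loss > L) <= x, i.e. the (1 - x) quantile of the loss sample."""
    s = sorted(losses)
    idx = math.ceil((1.0 - x) * len(s)) - 1
    return s[max(idx, 0)]


def normal_var(losses, x):
    """VaR under the simplifying hypothesis that annual loss is normal with the
    sample mean and standard deviation (the 'bell-shaped' assumption)."""
    dist = statistics.NormalDist(statistics.fmean(losses), statistics.pstdev(losses))
    return dist.inv_cdf(1.0 - x)


def reverse_stress_test(losses, thresholds=THRESHOLDS):
    """Reverse stress test: for each outcome, the estimated annual probability
    that the cyber loss is large enough to trigger it."""
    n = len(losses)
    return {name: sum(1 for loss in losses if loss > level) / n
            for name, level in thresholds.items()}


def retained_loss(loss, deductible, limit):
    """Loss kept by the firm after a cyber insurance policy pays out: the firm
    bears everything below the deductible and everything above deductible + limit."""
    insured = min(max(loss - deductible, 0.0), limit)
    return loss - insured


def counterfactual_var_reduction(losses, x, mitigate):
    """Counterfactual analysis: re-run the same loss history with a resilience
    measure applied to each year's loss and report the reduction in VaR."""
    mitigated = [mitigate(loss) for loss in losses]
    return var(losses, x) - var(mitigated, x)


if __name__ == "__main__":
    sim = simulate_annual_losses(20_000)
    for x in (0.05, 0.01, 0.001):
        print(f"x={x:<6} empirical VaR {var(sim, x):9.1f}   normal-fit VaR {normal_var(sim, x):9.1f}")
    for name, p in reverse_stress_test(sim).items():
        print(f"P(annual loss triggers {name}) = {p:.4f}")
    policy = lambda loss: retained_loss(loss, deductible=5.0, limit=100.0)
    print("1-in-100-year VaR reduction from insurance ($m):",
          round(counterfactual_var_reduction(sim, 0.01, policy), 1))
```

Because X is an exceedance probability, the VaR at X = 0.01 on a one-year horizon is a one-in-a-hundred-year loss. Run on the constructed parameters, the normal fit, whose standard deviation is itself inflated by the rare large draws, overstates the moderate quantiles and understates the extreme ones: as X shrinks the empirical VaR pulls away above the normal-fit value, which is the fat-tail effect the text warns about. The reverse stress test turns the same loss sample into a probability for each balance-sheet outcome, and the insurance counterfactual shows how much of the tail a given deductible and cover limit actually remove; swapping `retained_loss` for another mitigation function (e.g. a cap on ransomware downtime loss) gives the backup-restoration counterfactual described above.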


Learning Objectives

After completing this reading you should be able to:

• Define cyber-resilience and compare recent regulatory initiatives in the area of cyber-resilience.
• Describe current practices by banks and supervisors in the governance of a cyber risk management framework, including roles and responsibilities.
• Explain methods for supervising cyber-resilience, testing and incident response approaches, and cybersecurity and resilience metrics.
• Explain and assess current practices for the sharing of cybersecurity information between different types of institutions.
• Describe practices for the governance of risks of interconnected third-party service providers.

Excerpt is reprinted from Cyber-Resilience: Range of Practices, by the Basel Committee on Banking Supervision, December 2018.
24.1 INTRODUCTION

In March 2017, the G20 Finance Ministers and Central Bank Governors noted that "the malicious use of information and communication technologies (ICT) could disrupt financial services crucial to both national and international financial systems, undermine security and confidence, and endanger financial stability".1

Regulated institutions' use of technology includes greater levels of automation and integration with third-party service providers and customers.2 This results in an attack surface that is growing and is accessible from anywhere, and it incentivises cyber-adversaries to increase their capabilities. Increased use of third-party providers means that the perimeter of interest to financial sector regulators has gotten bigger, and greater use of cloud services means that the perimeter is also shared. Shared service models require regulated institutions to think differently about how they build and maintain their cyber-resilience in partnership with third parties.

Given the increase in the frequency, severity and sophistication of cyber-incidents in recent years, a number of legislative, regulatory and supervisory initiatives have been taken to increase cyber-resilience. At the international level, the G7 issued Fundamental Elements of Cyber-security for the financial sector,3 and the Committee on Payments and Market Infrastructures (CPMI) issued, jointly with the International Organization of Securities Commissions (IOSCO), guidance on cyber-resilience for financial market infrastructures (FMIs) in June 2016.4 In the European Union (EU), the European Commission's (EC) Fintech Action Plan invites the European Supervisory Authorities to consider issuing guidelines to achieve convergence on ICT risk.5

Against this backdrop, the Basel Committee on Banking Supervision (BCBS) recognised the merits of approaching operational resilience beyond the purview of operational risk management and minimum capital requirements, and established the Operational Resilience Working Group (ORG) with the intention of contributing to, inter alia, the international effort related to cyber-risk in close coordination with the other international bodies involved. The Committee therefore requested that the ORG provide this first assessment of observed cyber-resilience practices at authorities and firms.

The objective of this report is to identify, describe and compare the range of observed bank, regulatory and supervisory cyber-resilience practices across jurisdictions. In preparing this range of practices document, ORG members used the input provided by their organisation to an FSB survey in April 2017, which led to the publication of its stocktake of publicly released cyber-security regulations, guidance and supervisory practices at both the national and international level issued in October 2017. According to the FSB cyber-security stocktake, banking is the only sector in financial services for which all FSB jurisdictions have issued at least a regulation, guidance or supervisory practices. In addition, the FSB found that member jurisdictions drew upon a small body of previously developed national or international guidance or standards of public authorities or private bodies in developing their cyber-security regulatory and supervisory schemes (mainly the 2016 CPMI-IOSCO guidance, the US National Institute of Standards and Technology (NIST) cyber-security framework and the ISO 27000 series).6

Besides reviewing and completing their jurisdiction's responses to the FSB survey questions, ORG members shared their direct experiences and insights in order to provide a more concrete and specific understanding of the main trends, progress and gaps in the pursuit of cyber-resilience in the banking sector. Furthermore, additional insight was gained and findings were fine-tuned through outreach to a broad set of industry stakeholders including banks, utility and technology service providers, consultancies and associations involved in domestic and international cyber-security matters.

For the purpose of this report, the BCBS uses the FSB Lexicon definition of cyber-resilience,7 which defines it as the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents. Although this paper focuses on

1 See G20, Communique: G20 Finance Ministers and Central Bank Governors Meeting, Baden-Baden, Germany, 17-18 March 2017, www.bundesfinanzministerium.de/Content/EN/Standardartikel/Topics/Featured/G20/g20-communique.pdf?__blob=publicationFile&v=3.
2 Many regulated institutions are adopting strategies that will see more data stored and/or processed outside the perimeters of the regulated institution while at the same time granting service providers (now growing to what is commonly a multitude of providers) access to their environments to perform business and technology processes.
3 See G7, Fundamental elements of cybersecurity for the financial sector, October 2016.
4 See CPMI-IOSCO, Guidance on cyber-resilience for financial market infrastructures, June 2016.
5 The European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Insurance and Occupational Pensions Authority (EIOPA), collectively referred to as the "European Supervisory Authorities".
6 See NIST, Framework for improving critical infrastructure cybersecurity, 16 April 2018, www.nist.gov/cyberframework/framework, which consists of standards, guidelines and best practices to manage cyber-security-related risk.
7 See FSB, Cyber Lexicon, 12 June 2018, www.fsb.org/wp-content/uploads/P121118-1.pdf.
cyber-resilience, practices also relevant to the broader operational resilience context were considered. A distinction was also drawn between cyber-risk management (which deals with vulnerabilities and threats) and IT risk management, the scope of which is broader than the matter at hand in this report. Where appropriate, deeper dives on practices that reflect new approaches or address widely shared strategic concerns have been performed by ORG members in the form of nine specific case studies.

The remainder of this report is divided into the following sections:

• Section 2 provides a high-level overview of current approaches taken by jurisdictions to issue cyber-resilience guidance standards.
• Section 3 assesses the range of practices regarding governance arrangements for cyber-resilience.
• Section 4 focuses on current approaches on cyber-risk management, testing, and incident response and recovery.
• Section 5 explores the various types of communications and information-sharing.
• Section 6 analyses expectations and practices related to interconnections with third-party service providers in the context of cyber-resilience.

24.2 CYBER-RESILIENCE STANDARDS AND GUIDELINES

Most jurisdictions address cyber through the lens of IT and general operational risk. Cyber-resilience expectations, which are sometimes embedded within high-level IT risk guidance, cover a wide range of regulatory standards.8 The intent of IT risk guidance is to communicate jurisdictions' expectations and encourage good practice. Guidance typically addresses governance, risk management, information security, IT recovery and management of IT outsourcing arrangements. While guidance is presented as operational risk or IT risk guidance, it effectively provides coverage of cyber-risk management as a subset of these practices.

Standards on general risk topics such as business continuity planning and outsourcing contribute to the management of a wide range of risks and also have relevance to cyber-risk. Discussion at the 2017 Information Technology Supervisors' Group (ITSG) meeting highlighted that many countries are working on updates to their outsourcing standards.9 The Australian Prudential Regulation Authority (APRA) is also considering whether the term outsourcing remains relevant or whether service provider risk management might be more appropriate, recognising that bank supply chains have become more complex. Section 6 of this report further discusses expectations and practices in relation to third-party interconnections.

Specific cyber-risk management guidance has emerged in the context of information security. A few jurisdictions have issued specific cyber-risk management or information security guidance, including on the importance of effective cyber-security risk management (Hong Kong SAR), on early detection of cyber intrusions (Singapore), on the establishment of a cyber-security policy (Brazil) and on the common procedures and methodologies for the assessment of ICT risk (European Banking Authority (EBA)).

In jurisdictions where no specific cyber-security regulations exist for the financial sector, supervisors encourage their regulated entities to implement international standards and apply prescriptive guidance, and supervisory practices align with the top-down initiatives of national cyber-agencies. Most jurisdictions implement key concepts from international and industry standards such as NIST, ISO/IEC and COBIT.10 Regulators also leverage supervisory practices from the US (Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook) and the UK (CBEST).

Some jurisdictions are developing enforceable standards for cyber-resilience in the financial sector. This is the theme of this report's first case study (Box 24.1).

24.3 CYBER-GOVERNANCE

The majority of the regulators have issued either principles-based guidance or prescriptive regulations, with varying levels of maturity. In general, regulatory standards and supervisory practices address enterprise IT risk management but do not include specific regulations or supervisory practices that cover

8 We note that while the majority of jurisdictions' cyber-resilience expectations are derived from common frameworks, eg NIST, each supervisory authority has designed their own assessment tools, eg questionnaires. As a result, regulated entities are required to provide slightly different information to each supervisory authority, even where the broad questions posed are the same. Banks and supervisory authorities may benefit from harmonisation and standardisation, not just of supervisory expectations, but also of the information requested by supervisors and the tools used to collect it.

9 The Information Technology Supervisors' Group (ITSG) is an international working group of IT supervisors which meets annually to discuss approaches to IT risk (including cyber-risk).

10 Control Objectives for Information and Related Technologies (COBIT) is a good practice framework created by international professional association ISACA for information technology (IT) management and IT governance.

Chapter 24 Cyber-Resilience: Range of Practices ■ 363


BOX 24.1 CASE STUDY 1: RECENT REGULATORY INITIATIVES - THE AUSTRALIAN, GERMAN AND US MINIMUM REQUIREMENTS

Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Information Security

This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats.

A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties. The board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security. The key requirements of this Prudential Standard are that an APRA-regulated entity must:

• clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
• maintain its information security capability commensurate with the size and extent of threats to its information assets, and so that it enables the continued sound operation of the entity;
• implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls; and
• notify APRA of material information security incidents.

Supervisory Requirements for IT in Financial Institutions (BaFin Circular 10/2017, BAIT)

The German Banking Act requires financial institutions to demonstrate that their risk management comprises, among other things, adequate technical and organisational resources and adequate contingency planning, especially for IT systems. The circular on Minimum Requirements for Risk Management (MaRisk) provides a comprehensive framework for the management of all significant risks, thereby concretising the requirements of the German Banking Act. Complementing MaRisk in this regard, the Banking Supervisory Requirements for IT (BAIT) refines the German Banking Act.

The BAIT covers requirements with respect to:

• IT strategy and IT governance;
• information risk management and information security management;
• user access management;
• IT project management and application development;
• IT operations; and
• outsourcing and other external procurement of IT services.

US Agencies' Notice of Proposed Rulemaking for New Cyber-Security Regulations for Large Financial Institutions

Another example is the joint announcement from the US Federal Reserve, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC), which provided a notice of proposed rulemaking for new cyber-security regulations for large financial institutions. The intent is to address the type of serious cyber-incident that could impact safety and soundness. As announced, requirements will relate to cyber-risk governance, risk management, internal dependency management, external dependency management, incident response, assurance management of third parties and audit.

The State of New York Department of Financial Services has also released cyber-security regulations that require regulated institutions in New York to have a cyber-security programme designed to protect consumers' private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of the financial services industry.

cyber-risk management of critical business functions, interconnectedness or third-party risk management. Against this backdrop, supervisory expectations and practices were identified and analysed in the following areas relevant to governance:

• Cyber-security strategy
• Management roles and responsibilities
• Cyber-risk awareness culture
• Architecture and standards
• Cyber-security workforce

Cyber-Security Strategy Is Expected But Not Required

Although most regulators do not require regulated entities to develop a cyber-security strategy, all expect regulated institutions to have a board-approved information security strategy, policy and procedures under the broad remit of effective oversight of technology.

Many jurisdictions (eg Australia, Brazil and jurisdictions across Europe) expect that cyber-risk should be covered by the

organisation-wide risk management framework and/or information security framework which is monitored and reviewed by senior executives.

Consistent with the previous observation regarding regulatory expectations, most supervisors review regulated entities' information security strategies, but very few require or evaluate those entities' standalone cyber-security strategies. Examiners typically review an institution's information security strategy, information security plans, and cyber-security implementation, including key cyber-security initiatives and timelines. They may also review its practices for communicating with relevant stakeholders.

A variety of approaches can also be observed within regions: while the FFIEC IT Examination Handbook in the US does not specifically address the development of a cyber-security strategy, Canada's self-assessment guidance attempts to determine whether a regulated financial institution has established a cyber-security strategy aligned with the institution's business strategy and implementation plan. Mexico does not have supervisory practices focused on cyber-security strategy but has issued regulations that direct banks to develop IT security strategies.

Jurisdictions enforce cyber-security strategy requirements using three types of non-mutually exclusive regulatory approaches:

1. The regulator/authority implements cyber-security strategy requirements, either sector-specific or across multiple industries, with which financial institutions have to comply. This is a common approach in emerging market economies with relative homogeneity in their banking systems.
2. The financial institutions establish their own cyber-security strategies in compliance with principles-based risk management practices. Regulators review these strategies as part of their assessment of an institution's overall risk management practices.11
3. A third approach, prevalent in Europe, involves examining whether financial entities have an IT strategy and the accompanying security provisions.

Management Roles and Responsibilities

Recognition of the Importance of the Board of Directors and Senior Management

Some jurisdictions have issued specific regulatory guidance and requirements addressing cyber-governance roles and responsibilities of the board of directors (BoD) and senior management. The majority of such guidance prioritises the roles and responsibilities of the BoD and senior management, while others have prioritised them even more in overseeing overall business technology risks. Other jurisdictions approach cyber-governance as a risk that regulated entities are expected to address within their existing risk management frameworks.

Almost all the jurisdictions emphasise the importance of management roles and responsibilities for cyber-governance and controls. In the US, EU and Japan, high-level guidelines encourage global systemically important banks (G-SIBs) and domestic systemically important banks (D-SIBs) to implement well defined, risk-sensitive management frameworks under initiatives taken by the BoD. In addition, the EBA implements granular and prescriptive requirements, ensuring consistent cyber-security regulation and supervision across the European banking sector. Similarly, emerging market economies implement more granular and prescriptive cyber-security requirements.

Variety of Supervisory Approaches Regarding the Second and Third Lines of Defence (3LD)

The majority of regulators have adopted the 3LD risk management model to assess cyber-security risk and controls. However, most regulators do not require the implementation of 3LD at regulated entities and do not prescribe precisely how responsibilities should be distributed across the lines, as the expectation is rather for banks themselves to clearly define responsibilities and leave no gaps between the lines. As a result, supervisory practices for assessing the degree of 3LD implementation vary widely, and there appears to be a greater supervisory focus on the first and second lines of defence than on the third line across jurisdictions, which could hamper the effectiveness of the 3LD checks and balances model. In particular, only a few jurisdictions have formulated specific expectations regarding the independent reporting line from the chief audit executive to the audit committee of the BoD.

Cyber-Risk Awareness Culture

An awareness of cyber-risk by staff at individual banks and a common risk culture across the banking industry are prerequisites for maintaining cyber-resilience within the sector. Regulators in most jurisdictions have published guidance emphasising the importance of risk awareness and risk culture for staff and management at all levels, including BoDs and third-party employees. Regulatory requirements include increasing cyber-security awareness and cyber-related staffing at regulated entities. In some jurisdictions, regulators require cyber-security awareness training during each phase of the employment process, from recruitment to termination.

11 The Saudi Arabian Monetary Authority (SAMA) applied the first two of these approaches by compelling financial institutions to formulate their own cyber-security strategies while it developed supervisory practices for implementing cyber-security strategy.



BOX 24.2 CASE STUDY 2: ROLES AND RESPONSIBILITIES OF CHIEF INFORMATION SECURITY OFFICERS (CISOS) IN CYBER-GOVERNANCE

A widespread practice among large and globally active banks is to establish a robust governance structure based on the 3LD model. Typically, in this model, the CISO is the executive officer responsible for a bank's cyber-security management. The CISO's role is to serve as a circuit breaker and to balance the firm's risk appetite with security protection considerations long before introducing or expanding digital services or products. However, in most cases the CISO reports to the chief risk officer (CRO) or to the chief information officer (CIO), with no independent reporting line to the CEO or board of directors (BoD). CROs typically place more emphasis on compliance over risk management. Emerging trends in cyber-governance indicate that the placement of the CISO under the CRO is not ideal because the two positions have inherently conflicting priorities. When the CISO attempts to implement risk-based cyber and IT security controls that accommodate technological innovation through the "plan-do-check-act" (PDCA) cycle, the CRO may prioritise compliance over the benefits of technological innovation. This dynamic can impede the CISO from effectively performing his/her job function. In response, some global banks are restructuring the CISO role by having the CISO report directly to the CEO or BoD.

Considering the cyber-threat landscape, the Saudi Arabian Monetary Authority (SAMA) issued a principle-based cyber-security framework and mandated financial institutions to comply with a range of control considerations set out under the different topics of this framework.

One such topic addresses the responsibilities of the CISO in the cyber-security committee, security strategy, security architecture, risk-based cyber-security solutions, operational security, etc, to ensure that cyber-security controls are applied throughout the financial institution. This is reinforced by the role of the cyber-security function: SAMA requires financial institutions to have a cyber-security function independent from the IT function, with separate budgets and staff evaluations, and with the cyber-security function reporting directly to the CEO/managing director or to the senior management of the financial institution's control function.

SAMA also requires financial institutions to perform periodic self-assessments against the cyber-security framework, which is subject to review (on- and off-site) by SAMA to determine the level of compliance and cyber-security maturity of the financial institution.

Regulated entities may be required to include non-disclosure clauses within staff agreements. To mitigate insider threats, some jurisdictions require new employees to complete a screening and background verification process, while existing employees undergo a mandatory reverification process at regular intervals. In some jurisdictions, regulators assess whether banks have robust processes and controls in place to ensure their employees, contractors and third-party vendors understand their responsibilities, are suitable for their roles and have the requisite skills to reduce the risk of theft, fraud or misuse of facilities.

The majority of the regulators encourage the development of a common risk culture sufficient to ensure effective cyber-risk management. In some jurisdictions, regulators assess each bank's cyber-risk appetite, considering such factors as the bank's business model, core business strategy and key technologies. Some jurisdictions view cyber-security as a critical business function, since a cyber-attack could lead to the insolvency of individual entities or even to widespread disruption of the entire sector.

Architecture and Standards

For most jurisdictions, general regulatory requirements for architecture and standards are not in place, or there is a lack of coverage. Only a small number of countries specifically highlight control considerations and substantial supervisory guidance for cyber-security architecture. For instance, the US FFIEC IT Examination Handbook specifies that when discussing network architecture, supervisors should confirm that the diagrams are current, securely stored and reflective of a defence-in-depth security architecture. In Saudi Arabia, practices covering cyber-security architecture are subject to a periodic self-assessment.

Cyber-Security Workforce

The skills and competencies of cyber-workforces, their regulatory frameworks and the range of practices differ markedly across jurisdictions. Some jurisdictions have IT-specific standards that address the responsibilities of the IT workforce and information security functions, with particular attention to cyber-security workforce training and competencies. Their range of supervisory practices covers the assessment of team divisions, staff expertise (background and security checks of cyber-security specialists), the staff training processes and the adequacy of funding and resources to implement the organisation's cyber-security framework. Most of the jurisdictions are in the early stages of implementing supervisory practices to monitor a bank's cyber-workforce skills and resources. Their regulatory schemes require regulated entities to manage risks but do not set specific requirements to address cyber-security workforce skills and resources.

BOX 24.3 CASE STUDY 3: FRAMEWORKS FOR PROFESSIONAL TRAINING IN CYBER-SECURITY AND CERTIFICATION PROGRAMMES

The Center for Financial Industry Information Systems (FISC), a public-private partnership, was founded in Japan in 1984 to promote the cyber-security initiatives of financial institutions. FISC facilitates the exchange of staff between financial sector supervisors, banks, and IT security vendors by partnering with the private sector and supervisors. FISC's efforts have resulted in the development of FISC Guidelines for cyber-security preparedness in Japan, as well as cyber-security education and training programs for its bankers. Bank examiners at the FSA and BoJ reference FISC Guidelines to ensure a consistent and integrated supervisory approach. The same structure can be found in the Financial Security Institute (FSI) founded in Korea in 2015. This illustrates the effectiveness of cross-border public-private partnerships when the supervisors leverage the industry for cyber-security enhancement. At a minimum, FISC's efforts serve as a model for other jurisdictions transitioning from prescriptive to more risk-based and incentive-compatible regulatory models.

Bank of England (BoE): The BoE has established the CBEST accreditation for suppliers who offer threat intelligence and penetration testing services and wish to be involved in the CBEST scheme. This is in addition to the accreditation for individuals offered by the Council for Registered Ethical Security Testers (CREST), ie the CREST Certified Threat Intelligence Manager (CCTIM) for providers of threat intelligence services, and the CREST Certified Simulated Attack Manager (CCSAM) and CREST Certified Simulated Attack Specialist (CCSAS) for providers of penetration testing services.

Monetary Authority of Singapore (MAS): MAS requires financial institutions to have in place a comprehensive technology risk and cyber-security training programme for the BoD. Such a programme may include periodic briefings conducted by in-house cyber-security professionals or external specialists. The goal is to help equip the BoD with the requisite knowledge to competently exercise its oversight function and appraise the adequacy and effectiveness of the financial institution's overall cyber-resilience programme.

Hong Kong Monetary Authority (HKMA): The HKMA's Professional Development Program (PDP) is one of the three elements of HKMA's Cybersecurity Fortification Initiative (CFI). It seeks to increase the supply of qualified cyber-security professionals in Hong Kong SAR. The HKMA has worked with the Hong Kong Institute of Bankers and the Hong Kong Applied Science and Technology Research Institute (ASTRI) to develop a localised certification scheme and training programme for cyber-security professionals.

The majority of regulators assess the cyber-security workforce of the institutions through on-site inspections, where they have the opportunity to talk with relevant specialists. Self-assessment questionnaires are becoming common practice. Training processes are particularly scrutinised. As staff competence is integral to cyber-security, authorities have been known to raise concerns about the capability or qualifications of an institution's head of IT or information security. Jurisdictions diverge in how they regulate the roles and responsibilities of the IT and information security staff. Some jurisdictions, including Argentina, Australia, the EU, Japan and Saudi Arabia, issue regulations specifically addressing IT staff's roles and responsibilities. Sometimes regulations are embedded in a jurisdiction's global governance framework, such as those issued in Switzerland. In regulations issued by Mexico, the US, and Saudi Arabia, regulatory requirements addressing the roles and responsibilities of the IT and information security functions are encompassed by requirements for the BoD and senior management. In South Africa, such regulations are included in the national cyber-security strategy.

The range of practices and regulatory expectations for workforce competence is wide, and many jurisdictions have not formulated any. The FISC in Japan and FSI in South Korea are both examples where public authorities have set guidelines on appropriate cyber-security workforce management. In other jurisdictions, regulatory requirements for cyber-workforce management are limited to supervisory expectations, and there may be no assessment by supervisors of cyber-security skills and staff training at regulated entities. Only Hong Kong, Singapore and the UK have issued dedicated frameworks to certify cyber-workforce skills and competencies.

24.4 APPROACHES TO RISK MANAGEMENT, TESTING AND INCIDENT RESPONSE AND RECOVERY

This section sets out a range of observed practices on cyber-risk management, and incident response and recovery. It aims to identify practices in the supervision of banks' cyber-resilience which could inform future work. This section is divided into four sub-sections:

• Methods for supervising cyber-resilience
• Information security controls testing and independent assurance
• Response and recovery testing and exercising
• Cyber-security and resilience metrics.



Methods for Supervising Cyber-Resilience

Risk Specialists Assess Information Security Management and Controls

Jurisdictions apply different approaches to supervise regulated institutions' cyber-resilience. Most focus on key risks such as cyber in the context of the scale, complexity, business model and previous findings, often assigning institutions to categories to aid decisions about which institutions will be in scope for various supervisory initiatives. Guided by existing international and national legislation, a programme of supervision is then agreed spanning financial and operational resilience matters.

Half of the jurisdictions in the EU have internal guidance addressing the circumstances when the competent authority should conduct a cyber-security review. These include institutions' own risk assessments, findings from on-site inspections or questionnaires, and incidents (eg cyber incident trend analysis). Risk specialists typically draw on documentary evidence including survey responses, physical inspections, incident reports, and in-person meetings to assess the adequacy of controls in place. Many supervisory expectations are aligned with industry standards (eg COBIT, NIST) but approach, depth and breadth of supervisory assessments vary between jurisdictions.

Most jurisdictions undertake off- and on-site reviews and inspections of regulated institutions' information security controls to assess compliance with regulatory standards and alignment with good practice.12 Reviews are completed either as part of general technology assessments or risk management assessments more broadly. They tend to focus on governance and strategy, management and frameworks, controls, third-party arrangements, training, monitoring and detection, response and recovery, and information-sharing and communication.

The number, type, and nature of regulated institutions vary by jurisdiction, as do the size of the specialist risk teams of the regulator. Some jurisdictions (eg Australia, Brazil and Singapore) have developed approaches to equip front-line supervisors with knowledge and tools to assess (triage) IT risk issues. Techniques used include guidelines on how to identify and evaluate IT risk, questionnaires, risk assessments and tools to quantify risk assessments. Additionally, a number of jurisdictions (eg Australia and the UK) have powers to appoint an auditor or other third party to provide a report to the regulator on a particular aspect of the regulated institutions' risk management, including cyber.

Jurisdictions Increasingly Engage With Industry to Address Cyber-Resilience

Industry engagement is used to either influence industry behaviour, or to seek feedback and views to inform regulatory work. For instance, the French Autorité de Contrôle Prudentiel et de Résolution (ACPR) and the UK Prudential Regulation Authority (PRA) both released discussion papers, on IT risk and operational resilience respectively, in 2018.13 Common methods of engagement also include speaking at conferences and other communications to reach a range of regulated entities and industry participants.14

Some jurisdictions include third-party service providers in this engagement. In the EU, both the European Commission EU FinTech Lab and the EBA FinTech Knowledge Hub have organised events with regulators, supervisors, industry and third-party service providers. Communicating key messages through these channels can be faster and more responsive.

Information Security Controls Testing and Independent Assurance

Mapping and Classifying Business Services Should Inform Testing and Assurance

Most jurisdictions (eg Australia, the EU, Hong Kong, Singapore and the US) recognise the importance of mapping and classifying business services and supporting assets and services as a basis for building resilience. A clear understanding of business services and supporting assets (and their criticality and sensitivity) can be used to design testing and assurance of end-to-end business services. This is typically completed as part of business impact analysis, recovery and resolution planning, reviewing dependency of critical services on external third parties, and scoping for assessments.

A number of jurisdictions assess institutions' monitoring and surveillance of emerging threats, including real-time detection capability, ability to detect adversaries before they move between systems and relevant continuity and control policies. Some jurisdictions perform thematic reviews (eg Sweden completed a review of institutions' access controls and management

12 On-site reviews usually consist of one or more meetings with regulated institutions at their premises. Off-site reviews usually consist of desk-based assessment of documentation or a meeting at the office of the regulator.

13 See ACPR, "IT Risk", Discussion Paper, March 2018, www.acpr.banque-france.fr/sites/default/files/medias/documents/it_risk.pdf; and Bank of England and Financial Conduct Authority, "Building the UK financial sector's operational resilience", Discussion Paper, July 2018, www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/discussion-paper/2018/dp118.pdf.

14 Publications used include white papers, information papers, annual reports and in some cases letters to industry.

of user access rights), while some members use existing international standards, applying them to other types of institution (eg South Africa applies the CPMI-IOSCO guidance on cyber-resilience for FMIs to banks).

Independent assurance also provides management and regulators with an evaluation of whether appropriate controls have been implemented effectively. Jurisdictions commonly also leverage the management information outputs of these activities, providing the regulator with another source of information for their own assessments.

Penetration Testing

Cyber-security controls are implemented through risk-based decisions against a regulated institution's risk appetite. Regulated institutions typically test information security controls applied to hardware, software and data to prevent, detect, respond to and recover from cyber-incidents.

Supervisors review and challenge regulated institutions' approach to testing controls and the remediation of issues identified. This can include reviewing survey responses, threat and vulnerability assessments, risk assessments, audit reports and control testing reports (eg penetration testing, health checks).

Five EU jurisdictions have developed programmes of regulator-led penetration tests, and three (the ECB, the Netherlands and the UK) have provided guidance for regulated institutions on how to test. Tests are typically voluntary, funded by the regulated institution and targeted at larger, more systemic institutions. In particular, threat-led red team penetration tests delivered by third-party threat intelligence providers and penetration testers are becoming more widespread. The majority of directed penetration tests focus on regulated institutions' protective and detective cyber-resilience capabilities, while a few also test response and recovery capabilities.

In May 2018, the ECB published the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU),15 which is the first Europe-wide framework for controlled and bespoke tests against cyber-attacks in the financial market. The framework facilitates testing for cross-border entities under the oversight of several authorities. It is up to the relevant authorities and the entities themselves to determine if and when TIBER-EU based tests are performed. Tests will be tailor-made and will not result in a pass or fail - rather they will provide the tested entity with insight into its strengths and weaknesses, and enable it to learn and evolve to improve cyber-maturity.

Taxonomy of Cyber-Risk Controls

While putting cyber-risk controls in place is only one aspect of building cyber-resilience, many jurisdictions find review of controls a ready way to engage with regulated institutions. Some jurisdictions use taxonomies of controls to understand whether there are any gaps in the coverage of their supervisory approach. Currently the taxonomies are jurisdiction-specific and do not rely on harmonised concepts and definitions. If an authority is unable to assess a particular type of control, for example because it has no supervisory approach, assessment method or the required skillset to assess the control, then that is identified as a gap. An example taxonomy of cyber or information security controls is included in Annex A.

Response and Recovery Testing and Exercising

Evaluation of Service Continuity, Response and Recovery Plans and Continuous Learning

Evaluation of service continuity plans focuses on reviewing alignment with institutions' risk management frameworks, the business continuity management strategies chosen, IT disaster recovery arrangements and data centre strategies.

The majority of regulators require entities to establish a framework or policy for prevention, detection, response and recovery activities, including incident reporting. Specific requirements vary across supervisory authorities, and most are not specific to cyber-risk. Indeed, few regulators have issued cyber-specific business continuity or disaster recovery regulatory requirements for the sector. A few jurisdictions, like China and India, have prescribed a cyber-incident response framework as a key component of cyber-governance. The US also has supervisory guidance regarding incident management, covering identification of indicators of compromise, analysis and classification of events, and escalation and reporting of incidents. Some authorities, such as the Japanese Financial Services Agency (JFSA) and Bank of Japan, also focus on potential threats and information-sharing to minimise delays in reporting cyber-incidents.

Evaluation of regulated institutions' incident response and recovery plans focuses on how plans are triggered, institutions' ability to implement plans, preservation of data and specific actions for "critical" technology. In Canada, the assessment of a bank's internal and external communication plans and protocols seeks to determine if all relevant stakeholders are included, to avoid contagion.

Several jurisdictions (eg Australia, Belgium, Hong Kong, Japan and the US) complete a supervisory review of post-incident learning.

15 ECB, "ECB publishes European framework for testing financial sector resilience to cyber-attacks", press release, 2 May 2018, www.ecb.europa.eu/press/pr/date/2018/html/ecb.pr180502.en.html.

Chapter 24 Cyber-Resilience: Range of Practices ■ 369


BOX 24.4 CASE STUDY 4: "EXERCISE RESILIENT SHIELD"

One example of an international public-private exercise was the UK/US "Exercise Resilient Shield" in 2015 - a joint exercise with leading global financial firms to enhance cooperation and the ability to respond effectively to a cyber-incident in the finance sector. The exercise was not a test of individual financial firms or financial systems, but was designed to improve understanding across governments and industry of information-sharing, incident response handling and public communications.

Participants included UK and US supervisory authorities, government departments and cyber-agencies. The exercise examined how the UK and US could enhance cyber-security cooperation by:

• enhancing processes and mechanisms for maintaining shared awareness of cyber-security threats between US and UK governments and the private sector;
• furthering mutual understanding of each country's cyber-security information-sharing processes and incident response coordination structures, including scenarios that may call for a coordinated response and public communications; and
• exchanging best practices domestically and between the US and UK on a government-to-government and government-to-financial sector basis.

The exercise did not:

• amount to a "cyber war game" or include live play;
• test the actions of law enforcement or the security and intelligence agencies;
• seek to involve the entire range of the UK and US finance sectors; or
• seek to test individual firms or financial systems, but instead rehearse communication and coordination links.

This is conducted through the discussion of regulated institutions' response and the root cause analysis, but no further standard practice could be observed.

Joint Public-Private Exercising

Distinct from testing, most supervisors and banks use exercises to train and practise how they would respond to an incident. Cross-border international exercises have made this more visible. Examples include the UK/US exercise Resilient Shield (Box 24.4) and the TITUS exercise in 2015,16 as well as the G7 exercise under planning in 2018.

In the UK, the Sector Exercising Group (SEG), which is a sub-group of the Cross Market Operational Resilience Group (CMORG), manages the sector's annual exercise regime, which incorporates cyber-specific scenarios.17 In Japan, the JFSA has conducted tabletop exercises to improve cyber-security, and in particular communication and coordination of response mechanisms. Over 100 regulated institutions including banks, credit unions, insurance companies and securities companies participated in the 2017 exercise, which covered two cyber-scenarios. A summary of results was then published to enable others to draw lessons from the exercise.

Cyber-Security and Resilience Metrics

Cyber-Security and Resilience Metrics are Not Yet Mature

Some jurisdictions have methodologies to assess or benchmark regulated institutions' cyber-security and resilience. Those jurisdictions that have developed ways to assess cyber-security and resilience have focused on reported incidents, surveys, penetration tests and on-site inspections. None of these methodologies produce quantitative metrics or risk indicators comparable to those available for financial risks and resilience, eg standardised quantitative metrics where established data are available. Instead, indicators provide information on regulated institutions' approach to building and ensuring cyber-security and resilience more broadly. Supervisory authorities also rely on entities' own management information, although this differs across entities and is not yet mature.

Emerging Forward-Looking Indicators of Resilience

It is common for jurisdictions (and often regulated institutions themselves) to focus on backward-looking indicators of the performance of the technology function. These indicators are presented to Board members and executives as part of management information that regulators may review (examples can be found in Annex B).

Backward-looking indicators comment on past performance as an indicator of future performance, which is reasonable when institutions' operations and risk environment are relatively stable

16 TITUS was a crisis communication exercise for euro area financial market infrastructures held in November 2015.

17 CMORG is a UK industry forum which is co-chaired by the Bank of England and UK Finance and attended by senior representatives from regulated institutions.

over time and more or less independent from outside influences. However, cyber-risk frustrates this because adversaries are dynamic, themselves adapting to institutions' responses and protective measures, sometimes changing their tactics and strategies even in the space of a single cyber-incident. Distributed denial of service (DDoS) incidents are a good example, where the volume and scale of disruptive internet traffic generated has increased significantly in the last two years and adversaries adapt their techniques in response to an institution's defences. While backward-looking metrics continue to be important, jurisdictions are increasingly recognising the need for forward-looking indicators as direct and indirect metrics of resilience, indicating whether a regulated institution is likely to be more or less resilient in the event of a risk crystallising.

Regulated institutions are also seeking to improve metrics for resilience more broadly. Annex C contains cyber-centric metrics collated by a sample set of regulated institutions for decision-making bodies (boards and board sub-committees). It is notable that the data provided typically allow for trend information so that the reviewer can assess if the situation is getting better or worse. Some metrics track compliance with internal policies while others measure inherent risk. Patch ageing in particular is a widespread and comparable metric.

This list of cyber-metrics collated by regulated entities can be reviewed by regulators to gain insight into what may be collected across the regulated population, so as to build an enhanced set of cyber-metrics for measuring the state of cyber-resilience more broadly. Collectively, these indicators can inform on the broad adequacy of an institution's cyber- and operational resilience levels for its business needs and risk appetite. However, no single item taken in isolation is seen as a sufficient metric, and no standard set of indicators has been identified so far to provide a meaningful benchmark.

A number of jurisdictions (eg Australia, Canada, the ECB-SSM, Hong Kong, Singapore, the UK and the US) analyse survey responses to assess regulated institutions' capabilities and inform prioritisation of follow-up work. The outcomes of this work tend to be institution-specific findings and remediation or action plans which can be monitored over time, and/or thematic reports. As such, they provide indicators and trends if performed on a regular basis. Results from the Australian surveys are subsequently published to influence industry behaviour. In the UK, thematic findings are often shared with participating firms for the same purpose.

24.5 COMMUNICATION AND SHARING OF INFORMATION

Most Basel Committee jurisdictions have put in place cyber-security information-sharing mechanisms, be they mandatory or voluntary, to facilitate sharing of cyber-security information among banks, regulators and security agencies. These communications are established for multiple purposes, including helping relevant parties defend themselves against emerging cyber-threats.

This section sets out a range of observed cyber-security information-sharing practices among banks and regulators. For the purpose of this report, they are divided into five categories according to the parties involved in the sharing. Figure 24.1 illustrates the interlinkages of the five types of practices.

Figure 24.1 Interlinkages of the five types of information-sharing practices (diagram not reproduced). (1) The numbered circles next to the arrows indicate the "types" of information-sharing as described in section 5.1 and Figure 24.2.

Source: Basel Committee on Banking Supervision.

Figure 24.2 Percentage of jurisdictions with/without information-sharing arrangement.

Type of sharing                    With arrangement (mandatory or voluntary, or both)   Without arrangement
Type 1 - among banks               75%                                                  25%
Type 2 - bank to regulator         75%                                                  25%
Type 3 - among regulators          29%                                                  71%
Type 4 - regulator to banks        32%                                                  68%
Type 5 - with security agencies    68%                                                  32%

Source: Basel Committee on Banking Supervision.

Overview of Information-Sharing Frameworks Across Jurisdictions

Among the five types of cyber-security information-sharing practices, sharing among banks, sharing from banks to regulators and

sharing with security agencies are the most commonly observed. Sharing among regulators is the least observed type. This is partly due to the less systematic nature of information-sharing arrangements between regulators, where it can happen on an ad hoc basis at a bilateral level or within supervisory colleges, under specific circumstances. Figure 24.2 illustrates the adoption rate of different types of cyber-security information-sharing, both mandatory and voluntary, by the jurisdictions covered by this report.

Different kinds of cyber-security information are shared by banks and regulators, including cyber-threat information, information related to cyber-security incidents, regulatory and supervisory responses in case of cyber-security incidents and/or identification of cyber-threats, and best practices related to cyber-security risk management. Depending on the type of arrangement, the kind of information shared varies. For instance, information related to cyber-security incidents is more widely observed in sharing from banks to regulators and with security agencies, whereas cyber-threat information/intelligence is the most common kind of information shared among banks.

Various jurisdictions have put in place certain cyber-security information-sharing arrangements to facilitate more effective sharing of cyber-security information by banks and regulators. Full adoption of all types of information-sharing arrangements within a jurisdiction is still exceptional.

That said, it was also noted that for jurisdictions with observed practices of information-sharing among banks, there are fewer observed practices of information-sharing from regulators to banks. This is probably attributable to the lesser need for sharing by regulators to banks if an effective peer sharing mechanism among banks already exists. Similarly, jurisdictions with observed practices of information-sharing from banks to regulators display lower rates of sharing with security agencies, potentially due to the allocation of responsibilities for cyber-security information processing among regulators and security agencies within a jurisdiction.

For some of the jurisdictions, both mandatory and voluntary information-sharing arrangements are noted for the same type of information-sharing arrangement. This is because voluntary/mandatory sharing is sometimes applicable when different types of information are being shared, or when information is shared with different parties. For example, there is a mandatory requirement in Singapore for financial institutions to report relevant cyber-security incidents to MAS, while cyber-threat information exchange between MAS and the Cyber Security Agency (CSA) is voluntary.

Other types of information-sharing arrangements are observed, which include public announcement/disclosure of information about cyber-security incidents and cross-sector information-sharing with public and private institutions. In particular, the range of stakeholders involved in cyber-attacks typically includes non-bank critical infrastructure operators, third-party service providers and customers who could contribute to sharing information with security agencies for further distribution to other sectors, or be part of other setups such as joint-industry groups.18

The remainder of this section summarises common practices adopted by various jurisdictions, describes more specific practices adopted by individual jurisdictions and summarises key gaps observed.

18 This "other" type of information is shown in Figure 24.3. One example is the EBA guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP) (EBA/GL/2017/05) and recommendations on outsourcing to cloud service providers (EBA/REC/2017/03), which assumed good information-sharing of IT risks between banks and supervisors, although there was no specific requirement for banks to report security incidents to their supervisors.

Figure 24.3 Kinds of information shared (bar chart not reproduced; horizontal axis: number of practices observed, 0% to 60%). Categories: cyber-threat information/intelligence; cyber-security incidents; cyber-security regulatory responses; good practices; other. Series: Type 1 - Sharing among banks; Type 2 - Sharing from bank to regulator; Type 3 - Sharing among regulators; Type 4 - Sharing from regulator to banks; Type 5 - Sharing with security agencies; Others.

Source: Basel Committee on Banking Supervision.

Sharing Among Banks

Banks share information (eg knowledge of a cyber-security threat) with peer banks through established channels, mainly to allow peer banks to take more timely action in response to similar threats. Although there is no common standard for automated information-sharing, regulators in most jurisdictions are not directly involved in bank-to-bank information-sharing but do play a role in facilitating the establishment of voluntary sharing mechanisms for cyber-vulnerability, threat and incident information, and in some cases indicators of compromise.

Some jurisdictions have established public sector platforms to accomplish information-sharing initiatives while others have encouraged private sector development of information-sharing organisations. Three jurisdictions (Brazil, Japan and Saudi Arabia) have mandated cyber-security information-sharing among banks through regulations or statutes.

Outside the information-sharing and analysis centre construct, some jurisdictions have established public/private forums or government-led centres for information-sharing. In some jurisdictions, local regulations on data protection are perceived to be an obstacle to cyber-security information-sharing among banks and may warrant a specific dialogue between banks and their local or regional regulators.

Sharing of information and collaboration among banks depend on the financial industry's culture and level of trust among participants. Experience shows that a two-level information-sharing structure through which information would be first shared on the interpersonal level with a closer group and then be exchanged at the company level with a broader group of banks helps build trust into the system.

Sharing from Banks to Regulators

The sharing of cyber-security information from a bank to its regulator(s)/supervisor(s) is generally limited to cyber-incidents based on regulatory reporting requirements. Such requirements are mainly established to (i) enable systemic risk monitoring of the financial industry by regulator(s); (ii) enhance regulatory requirements or issue recommendations by regulator(s) to adjust policies and strategies based on information collected; (iii) allow appropriate oversight of incident resolution by regulator(s); and (iv) facilitate further sharing of information with industry and regulators to develop a cyber-risk response framework.

Reporting requirements are established by different authorities for specific purposes depending on their mandate (eg supervisory and regulatory functions, consumer protection and further distribution of information to national cyber-security agencies for systemic operators). Incident reporting by banks to regulator(s) is a mandatory requirement in many jurisdictions, with different scopes of requirements and ranges of application. For jurisdictions already enforcing the requirement in the past, the reporting obligation has a broader operational incident scope, including cyber-incidents. The perimeter can include all supervised institutions but is more often limited to systemically important institutions. Nearly all institutions regulated in the EU are required to report cyber-security incidents to the competent authorities. The requirements stem from supervisory frameworks



BOX 24.5 CASE STUDY 5: FS-ISAC - KEY FEATURES AND BENEFITS

The Financial Services Information-sharing and Analysis Center (FS-ISAC) is a non-profit entity established in 1999 to collect and provide financial services sector member organisations with information on potential vulnerabilities as well as timely, accurate and actionable warnings of physical, operational and cyber-threats or attacks on the national financial services infrastructure. Its members include banks, credit unions, insurance companies, investment companies, financial services regulators and law enforcement entities.

In addition to the core information-sharing platform, the FS-ISAC hosts conferences and educational seminars, conducts sector and cross-sector contingency planning exercises, and is an internationally recognised source for threat intelligence information. Core elements of the FS-ISAC include:

• Rapid response: the FS-ISAC analyses and disperses information and threat intelligence among its members through its proprietary real-time Critical Infrastructure Notification System (CINS).
• Information analysis and sharing: the FS-ISAC receives information from many sources that is verified and classified by type and severity. The information is then sent out by CINS and reaches members instantly. FS-ISAC also conducts crisis calls if necessary, and has a team working 24/7 to analyse any incoming data and disseminate information.
• Anonymised data: information received and disseminated through the FS-ISAC is considered confidential and stored in a standalone, secure portfolio so that no threat or information can be traced back to its source by any member and all information is anonymously shared. This makes the FS-ISAC a safe place for its members and encourages sharing.
• Member-driven: the members of the FS-ISAC run the organisation, tailoring it specifically for the needs of the financial industry.
• Recognised by US Financial Services Regulators: the Federal Financial Institutions Examination Council, a group consisting of federal and state US financial services regulators, has recognised the FS-ISAC as a key threat intelligence source and recommends that financial institutions participate in its process to identify, respond to and mitigate cyber-security threats and vulnerabilities.

(such as the Single Supervisory Mechanism (SSM) cyber-incident reporting framework), EU directives (PSD2, NIS) and local law. Some requirements also include the obligation to submit a root cause analysis for the incident, or a full post-mortem or lessons learnt after the incident.

Different scopes and perimeters may depend on the type of authority (eg supervisors, regulators, national security) and their mandate (ie national cyber-security agencies, consumer protection, banking supervision, etc), sector(s) involved (eg multisector or specific: banks, significant banks, systemic operators, payment) and geographical range (eg national, multiregional). While many of the supervisors focus only on reporting and tracking incidents that have already taken place, some require proactive monitoring and tracking of potential cyber-threats because concerns about reputational risk may lead to a delay in incident reporting by the regulated entity.

Based on these considerations, different reporting frameworks are also observed. These range from formal communications to informal communications (eg free-text updates via email or verbal updates over the phone).

Differences are noted in: (i) taxonomy for reporting; (ii) reporting time frame (immediately, after two hours, after four hours and after 72 hours are examples of practices observed); (iii) templates; and (iv) threshold to trigger an incident report. These differences highlight the fragmentation issue facing banks operating in multiple jurisdictions or supervised by different authorities, as these banks are likely to be obliged to fill in various templates with different taxonomy, reporting time frame and threshold. This may increase their regulatory burden, consuming significant resources to ensure compliance. It may be possible for an authority with multiple functions to receive from a bank multiple reports with distinct formats at multiple times.

All incident reporting processes have a single direction of flow, from a bank to an authority, although an informal flow back can be used for alerting firms in case of an incoming threat. By normalising the prompt exchange of information between banks and supervisors, reciprocal flow mechanisms can help remove the possible stigma associated with incident reporting by banks, thereby fostering effective and timely incident reporting.

Sharing Among Regulators

Regulators share information with fellow regulators, be they domestic or cross-border, as appropriate according to established mandatory or voluntary information-sharing arrangements. Cyber-security information shared among regulators may include regulatory actions, responses and measures. Considering different types of cyber-security information-sharing, information-sharing among regulators is the least observed practice across jurisdictions, although it is expected that many informal and ad hoc communication channels exist, such as through supervisory colleges and memoranda of understanding. Cyber-fraud is becoming more sophisticated and

BOX 24.6 CASE STUDY 6: BILATERAL CYBER-SECURITY INFORMATION-SHARING BETWEEN THE HONG KONG MONETARY AUTHORITY (HKMA) AND THE MONETARY AUTHORITY OF SINGAPORE (MAS)

Given the importance of facilitating more cross-border cyber-security information-sharing, the HKMA and MAS established a bilateral cyber-security information-sharing framework in the first quarter of 2018.

As part of the framework, the HKMA and MAS have agreed upon four important guiding principles and key design features of the governance arrangement, the scope of information-sharing, a traffic light protocol, standard taxonomy and dedicated communication channels.

• Voluntary: Given that some cyber-security information may be highly sensitive, the sharing of information under the framework should be voluntary, without creating any legal obligations for the participating authorities.
• Timely: The HKMA and MAS recognise that timely sharing of cyber-security information is of paramount importance to building an effective framework. The authorities have therefore agreed that information about cyber-security incidents should be shared as soon as possible to the extent permitted by law. If a cyber-security incident is assessed to have the potential to spread to other jurisdictions, the related information should be shared within 24 hours. Incomplete information about cyber-security incidents can be shared so long as a reasonable degree of validity has been ascertained.
• Effective: To ensure the efficacy of the framework, sharing of cyber-security information should not be limited to information related to those financial institutions with an operation in both jurisdictions (ie unlike typical supervisory college or memoranda of understanding, "supervisory locus" is not required to be established). A taxonomy was also established with reference to the Structured Threat Information eXpression (STIX) framework.
• Confidential: The confidentiality of any information shared between the authorities should be properly protected. The framework will focus on the sharing of general information such as the modus operandi of the attacks. The authorities also adopted a Traffic Light Protocol (TLP) for subsequent sharing of information.

The HKMA and MAS have been exchanging information regarding real-life cyber-threats and cyber-security-related regulatory responses and measures since April 2018.
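The four principles in Box 24.6 can be turned into a concrete sharing gate: a STIX-referenced taxonomy, the "reasonable degree of validity" test, the 24-hour deadline for incidents that may spread across jurisdictions, and TLP-based control of onward distribution with identifying detail stripped. The block below is an added illustration and not code from the Basel Committee report or from the HKMA/MAS framework; the record fields, the object-type list, the audience names and the sample incidents are assumptions made for this example.

```python
"""Added illustration of the Box 24.6 sharing principles (not the HKMA/MAS
framework's own code): a gate that decides whether, to whom and by when a
cyber-security incident record may be shared, and redacts it for onward use."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum


class TLP(Enum):
    """Traffic Light Protocol labels (FIRST TLP v1.0 names)."""
    RED = "RED"
    AMBER = "AMBER"
    GREEN = "GREEN"
    WHITE = "WHITE"


# Audiences each label permits, following the FIRST TLP v1.0 definitions:
# RED = named recipients only; AMBER = the recipient's organisation and
# clients with a need to know; GREEN = peers in the sector or community,
# not public channels; WHITE = no restriction. Audience names are assumed.
TLP_AUDIENCE = {
    TLP.RED: {"named_recipient"},
    TLP.AMBER: {"named_recipient", "own_organisation", "client"},
    TLP.GREEN: {"named_recipient", "own_organisation", "client", "sector_peers"},
    TLP.WHITE: {"named_recipient", "own_organisation", "client", "sector_peers", "public"},
}

# Object types of the assumed STIX-referenced taxonomy (STIX 2.x type names).
STIX_TYPES = {"incident", "indicator", "attack-pattern", "malware"}


@dataclass(frozen=True)
class SharedRecord:
    stix_type: str                      # taxonomy object type, see STIX_TYPES
    summary: str                        # general information, eg modus operandi
    tlp: TLP                            # handling label set by the originator
    reporting_institution: str | None   # identifying detail, if any
    affected_jurisdictions: frozenset   # eg {"HK", "SG"}
    validity_ascertained: bool          # "reasonable degree of validity" reached
    observed_at: datetime               # when the originating authority learned of it


def sharing_deadline(rec: SharedRecord, home: str) -> datetime | None:
    """'Timely' principle: 24 hours when the incident could spread beyond the
    home jurisdiction; otherwise no fixed deadline (as soon as possible)."""
    if rec.affected_jurisdictions - {home}:
        return rec.observed_at + timedelta(hours=24)
    return None


def redact(rec: SharedRecord, audience: str) -> SharedRecord:
    """'Confidential' principle: institution-identifying detail goes only to
    the named bilateral counterpart; everyone else gets general information."""
    if audience == "named_recipient":
        return rec
    return replace(rec, reporting_institution=None)


def decide(rec: SharedRecord, audience: str, home: str, now: datetime) -> dict:
    """Gate one record for one audience; returns the decision and its reasons."""
    reasons = []
    if rec.stix_type not in STIX_TYPES:
        reasons.append("unknown taxonomy type")
    if not rec.validity_ascertained:
        reasons.append("validity not ascertained")
    if audience not in TLP_AUDIENCE[rec.tlp]:
        reasons.append(f"TLP:{rec.tlp.value} does not permit audience {audience}")
    deadline = sharing_deadline(rec, home)
    return {
        "share": not reasons,
        "reasons": reasons,
        "deadline": deadline,
        "overdue": deadline is not None and now > deadline,
        "record": redact(rec, audience) if not reasons else None,
    }


# Constructed sample records for the demonstration; not real incidents.
SAMPLE = SharedRecord(
    stix_type="incident",
    summary="Phishing wave harvesting online-banking credentials and one-time codes",
    tlp=TLP.AMBER,
    reporting_institution="Example Bank (constructed)",
    affected_jurisdictions=frozenset({"HK", "SG"}),
    validity_ascertained=True,
    observed_at=datetime(2018, 4, 2, 9, 0, tzinfo=timezone.utc),
)
SAMPLE_UNVERIFIED = replace(SAMPLE, validity_ascertained=False,
                            affected_jurisdictions=frozenset({"HK"}))
SAMPLE_NOW = datetime(2018, 4, 2, 20, 0, tzinfo=timezone.utc)
SAMPLE_LATE = datetime(2018, 4, 4, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for audience in ("named_recipient", "own_organisation", "sector_peers"):
        d = decide(SAMPLE, audience, "HK", SAMPLE_NOW)
        print(audience, "->", "share" if d["share"] else d["reasons"], d["deadline"])
```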

cross-jurisdiction, and sharing of cyber-security information among regulators could assist in maintaining awareness of the cyber-threat situation so that timely guidance can be provided to banks to protect financial systems against cyber-fraud.

Sharing from Regulators to Banks

Information-sharing from regulators to banks occurs through established channels, based on the information the regulator receives both from banks and other sources. Various jurisdictions (eg Australia, China, Korea, Saudi Arabia, Singapore, Turkey and the US) have established clear guidance in the form of standards and practices to enable cyber-security information-sharing by regulators to banks. In these jurisdictions, information flows from the bank to the regulator, and the regulator assesses the risk to the financial industry and shares the information with the industry, as appropriate, based on the risk assessment. In cases where the information is sensitive (eg contains customer-specific or bank-specific information), the regulator anonymises or summarises it to allow sharing.

Regulators with a regulator-to-bank sharing mechanism more readily share publicly available information such as cyber-security risk management best practices. They use informal channels such as industry sharing platforms (eg participation in industry forums), meetings and informal communications to disseminate the information to the banks.

In cases where non-public information is obtained by regulators, the information is shared with selected parties via informal meetings or other informal communication vehicles, so as to preserve the anonymity and confidentiality of the institution(s)/bank(s) impacted by a cyber-attack, and maintain banks' confidence and trust in the regulators generally.

Mandatory requirements for regulators to share information with banks have only been established for a few jurisdictions (eg China). A few other jurisdictions have put in place practices for voluntary sharing (eg Singapore, the UK). However, many jurisdictions have not put in place any standard practices for regulators in the sharing of information with banks, nor established any process or time frame to enable timely, risk-based information-sharing. Classification of information could ensure that the appropriate audience receives the appropriate information and help to build trust between regulators and banks.

Sharing with Security Agencies

This section examines sharing of information by banks or regulators with the security agencies operating in their respective jurisdictions.



BOX 24.7 CASE STUDY 7: COMPUTER SECURITY INCIDENT RESPONSE TEAMS (CSIRTs) IN THE EU

The Network and Information Security (NIS) Directive is a component of EU legislation with the specific objective to improve cyber-security throughout the EU. The requirements came into full effect on 10 May 2018. The NIS Directive defines different obligations across the EU, one of which concerns the establishment of one or more Computer Security Incident Response Teams (CSIRTs) at national level for comprehensive incident management nationwide. Incident reporting notification to national CSIRTs (directly or through a competent authority) is mandatory for entities identified as Operators of Essential Services (OES) and Digital Service Providers (DSP) (some banks have been included in the first category). In some countries, competent authorities for banks that have been identified as OES are the supervisory authorities, while in others it can be the Ministry of Finance or a specific government authority. The NIS Directive also established the requirement to have a CSIRTs European network (ie a dedicated network for all national CSIRTs, run by the member states, with its secretariat provided by the European Network and Information Security Agency) with the following competencies:

• Exchange information on services, operations and cooperation capabilities
• Exchange and discuss information related to incidents and associated risks (on request, on a voluntary basis)
• Identify a coordinated response to an incident (on request)
• Provide member states with support in addressing cross-border incidents (on a voluntary basis)
• Issue guidelines concerning operational cooperation
• Discuss, explore and identify further forms of operational cooperation (risks and incidents, early warnings, mutual assistance, coordination)
• Discuss the capabilities and preparedness of certain CSIRTs (on request from that CSIRT)

Given that cyber-security incidents encountered by banks or regulators could potentially be experienced by entities in other sectors, effective communication of relevant cyber-security incidents with security agencies could facilitate broader awareness of cyber-threats in a timely manner, and enhance defensive measures against adversaries.

For jurisdictions with operations of Computer Emergency Readiness Team (CERT) or similar security agencies, these agencies may act as focal points for cyber-security incident notification. Banks or regulators share cyber-security information with these agencies for broader circulation of information and collaboration with other sectors within the country (eg public sector, civilian sector, computer community).

Jurisdictions have generally set out standards and practices for critical infrastructure entities and regulators to share cyber-security information with national security agencies. While most jurisdictions adopt a voluntary approach, a few jurisdictions mandate formal sharing requirements. Some jurisdictions (eg Luxembourg, the US) have established sharing platforms to facilitate multilateral sharing of cyber-security incident or cyber-threat information. In the US, an online portal is available for cyber-security information to be submitted to the National Cyber-security and Communications Integration Center and the US CERT. In Luxembourg, the Computer Incident Response Center (CIRCL) has established a Malware Information-sharing Platform (MISP) to gather, review, report and respond to computer security threats and incidents. The MISP allows organisations to share information about malware and their indicators. The aim of this trusted platform is to help improve the countermeasures used against targeted attacks and set up preventive actions and detection.

For jurisdictions with mandatory requirements for cyber-security incident information-sharing with national security agencies (Canada, France, Singapore and Spain), the sharing arrangements are bilateral in general. Instead of requiring banks or regulators to share all cyber-security incidents, these jurisdictions require cyber-security incidents affecting key operators of critical infrastructure to be reported.

Some jurisdictions have established procedures for relevant information to be exchanged voluntarily and bring together relevant parties for coordination of responses to incidents. In the UK, the Authorities Response Framework can be invoked by financial authorities to bring together the Financial Conduct Authority (FCA), the Bank of England, the Treasury, the National Crime Agency and the National Cyber-security Centre to coordinate their response to a cyber-security incident. Meetings and formal communications can be triggered as appropriate.

19 As required by the NIS Directive, identification of OES should have been completed by October 2018.

376 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
24.6 INTERCONNECTIONS WITH THIRD PARTIES

All jurisdictions recognise the challenge of gaining assurance of an entity's cyber-resilience, a challenge both for regulators with regard to financial institutions, and for financial institutions with regard to their third-party service providers. Extensive use of third-party services increases the challenge for jurisdictions and regulated institutions themselves to have full sight of the controls in place, and the level of risk. For the purpose of identifying the range of practices in relation to cyber-resilience, "third parties" is understood in a broad sense, including: (i) all forms of outsourcing (including cloud computing services); (ii) standardised and non-standardised services and products that are typically not considered outsourcing (power supply, telecommunication lines, commercial hardware and software, etc); and (iii) interconnected counterparties such as other institutions (financial or not) and FMIs (eg payment and settlement systems, trading platforms, central securities depositories and central counterparties).

Cyber-resilience practices in relation to third parties are analysed across the following areas:

• Governance of third-party interconnections
• Business continuity and availability
• Information confidentiality and integrity
• Specific expectations and practices regarding visibility of third-party interconnections
• Auditing and testing
• Resources and skills

Governance of Third-Party Connections

Widespread Expectations and Practices

Regulations across different jurisdictions require that institutions develop a management- and/or board-approved outsourcing (or organisational) framework that defines the applicable roles and responsibilities, the outsourceable activities and concrete conditions for outsourcing, the specific risks that need to be analysed (either prior to selection of a provider or when substantially amending/renewing an agreement) and recurrent obligations (such as monitoring procedures or regular risk assessments).

Regulators typically also require that institutions implement a contractual framework, defining generic rights, obligations, roles and responsibilities of the institution and the service provider, specifying the responsibility for reviewing, approving and signing contracts (eg involvement of a cyber-security function), with specifications on the result (ie an official, written and detailed contract) and the applicability of the framework (typically also for intragroup outsourcing).

The regulatory expectations on risk assessments and contracts tend to specify in a rather comprehensive way which risks (and mitigating measures) to cover, albeit mostly in general terms. Next to a description of the nature of the service, the expected results of the outsourcing, and the roles and responsibilities of the service provider and the financial institution, risk assessments and contracts are expected to include analysis and clauses on strategic risk, compliance risk, security risk (typical areas of attention are security monitoring, patch management, authentication solutions, authorisation management and data loss/breach procedures), business continuity risk, vendor lock-in risk (the general ability of an institution to withdraw from the service provider and to absorb the outsourced activity or transfer it to another service provider), counterparty risk (the visibility into the service provider's organisation), country risk, contractual risk, access risk (meaning that financial institutions and/or supervisors cannot audit the third-party connection due to inadequate contractual agreements) and concentration risk.²⁰

Along with the outsourcing and contractual frameworks, regulators typically expect that information, cyber-security and/or continuity frameworks address some crucial aspects of third-party arrangements to ensure the availability of critical systems and the security of sensitive data that are accessible to, or held by, third-party service providers. These aspects include the identification and prioritisation of interconnections, as well as the classification and response to incidents with third parties according to service agreements and the communication of these policies to relevant external parties.

As regards supervisory practices, the following activities appear to be widespread:

• Intrusive on-site inspections with respect to cyber-risk in relation to outsourcing. During such inspections, the outsourcing framework, the applicable processes and the completeness and adequacy of specific risk assessments and contracts will typically be reviewed.

20 "Concentration risk" in this context does not refer to the potential systemic risk to the industry as a whole, but rather to the potential lack of control of an individual firm over one single provider as multiple activities are outsourced to the same service provider. These different aspects of concentration risk are explained in Joint Forum, Outsourcing in financial services, February 2005; and Committee of European Banking Supervisors, Guidelines on outsourcing, December 2006.



• As part of their off-site supervision practices, most jurisdictions receive periodic statements or reports that assess the outsourcing policies and risks at the financial institution. These reports will typically contain statements on the existence and adequacy of outsourcing policies, processes, risk assessments and contracts.

Expectations on the Scope of the Ecosystem and Management of Third Parties

Some international standards explicitly recognise that institutions may critically depend on third-party interconnections, other than those that are typically considered outsourcing. The CPMI-IOSCO guidance on cyber-resilience for FMIs discusses the identification of cyber-risks and the coordination of resilience efforts from the perspective of the ecosystem of an FMI. The ISO 27031 standard specifies requirements for hardware, software, telecoms, applications, third-party hosting services, utilities and environmental issues, such as air conditioning, environmental monitoring and fire suppression.

Some jurisdictions require that financial institutions enter into a prior agreement with their clients when they offer financial services via the internet that involve the consultation and management of personalised data or carrying out transactions (eg precise description and demarcation of the responsibilities of each party in using the technologies provided or recommended by the institution for the purpose of identifying and authenticating the client and validating the transactions).

In Luxembourg, authorities have put in place a specific regulation for companies that supply specialised services to financial institutions. For these "financial sector professionals", the same regulation for authorisation and ongoing supervision applies as for the financial institutions themselves (Box 24.8).

Consistent with the expanding scope of supervisory scrutiny of regulated entities, in Europe legal mandates that regulate interaction between institutions, supervisors and third-party providers are provided by the Mifid II Directive, and 12 competent authorities can directly review third parties involved in IT services. In addition, specific expectations for control and location of data are starting to emerge in the form of requirements that the location of at least one data centre for cloud computing services provided in the country or region (eg in the EU) be identified, or data ownership, control (Australia) and location (Brazil and France) be identified and monitored as part of the outsourcing agreement. Some jurisdictions (Germany, Singapore and Switzerland) further require a contractual clause that reserves the right for institutions to intervene at, or give directives to, the service provider.

Beyond the assurances required prior to engaging with third parties, most jurisdictions also require either prior notification

BOX 24.8 CASE STUDY 8: REGULATED/CERTIFIED THIRD PARTIES IN LUXEMBOURG

The Luxembourg government has put in place a specific regulation for companies that supply specialised services to financial institutions. For these "financial sector professionals" (PSFs), the same regulation for authorisation and ongoing supervision by the Commission de Surveillance du Secteur Financier (CSSF) applies as for the financial institutions themselves. PSFs that exclusively offer operational services are called support PSFs. By regulating and supervising technical, administrative and communications-related activities, the Luxembourg government seeks to facilitate the outsourcing of core activities by ensuring a high quality of service and professional confidentiality. If a financial institution is outsourcing to a PSF, the ultimate responsibility remains with the institution, in accordance with the Committee of European Banking Supervisors (CEBS) guidelines on outsourcing. However, in some cases it is observed that an institution is more enticed to neglect its monitoring and audit obligations, as it might consider them to be performed by the supervisor.

Cloud service providers (CSPs) are not subject to this regulation. The Luxembourg regulator (CSSF) defined specific criteria for outsourcing that will be considered IT outsourcing based on a cloud computing infrastructure. If these criteria are met, the specific obligations of CSSF circular 17/654 on cloud computing apply. An institution can outsource directly to a CSP or indirectly through a support PSF or a non-regulated entity (which will outsource to CSP in a chain). The signatory of the contract with the CSP can be either the financial institution or the operator of the resources provisioned by the CSP, who can be the support PSF or the non-regulated entity outside of Luxembourg. Several provisions on the governance of cloud services apply, including the appointment of a cloud officer for the cloud resources operating entity (which can be the institution itself or a third party).

Depending on the materiality of the activity supported by the cloud infrastructure, the institution needs prior approval from the CSSF. If the outsourced activities are not material or if the cloud service contract is signed with a support PSF, notification to the CSSF is sufficient. The CSSF circular 17/654 will be amended by abolishing the notification of non-material outsourcing and asking all financial institutions to set up a register containing all outsourcing in the cloud regardless of materiality.

BOX 24.9 CASE STUDY 9: CLOUD SERVICE PROVIDERS' REGULATORY CLOUD SUMMITS

Some cloud service providers organise regulatory cloud summits that provide examples of how a supervisory college model could work in practice when applied to a global technology provider.

These summits are organised with regulators and supervisors with the objective of:

(i) holding cloud-focused discussions on the threats related to cloud, the international regulatory landscape and the cloud service provider's stance in this regard; and

(ii) providing the regulators with an opportunity to learn about products, processes and practices and to discuss approaches to supervise and gain assurance that financial institutions using these cloud services operate in a safe and sound manner.²¹

The main part of the summits is usually organised into sessions provided by the staff of the service provider. Typically, one session consists of a panel discussion of regulators (chosen by the cloud service provider) that starts a dialog with the cloud service provider's staff, after which the discussion is opened to all regulators. Discussions are typically not recorded, but the cloud service provider's staff takes notes.

Regulatory summits could also be organised by regulators or an independent body to allow examiners to understand the products and compliance controls so as to usefully complete their expertise and become more effective doing on-site examinations.

or prior authorisation of material (cloud) outsourcing activities. To this end, jurisdictions have created questionnaires/templates (sometimes specifically for IT outsourcing or cloud computing). Although these are not harmonised in their coverage and metrics across jurisdictions, they facilitate the creation and documentation of risk assessments locally.

By focusing on the products and services themselves, new expectations for secure development and procurement also contribute to making regulations and practices future-proof. In particular, specific requirements (eg regarding "internet of things" systems in Japan) are in place for systems to be designed, developed and operated under the principle of security by design, considering that many individual devices, applications and systems will be interconnected in the future, providing new opportunities and possibly introducing new vulnerabilities.

Observed Supervisory Practices

Overall, although jurisdictions' mandates to supervise third-party service providers vary, supervisors have been using traditional supervisory tools in order to ensure that the common expectations described above are met. Thematic exercises based on self-assessment questionnaires to assess the cyber-security and IT outsourcing risk of banks are a typical example. Third-party providers can also be reviewed during on-site reviews and inspections, either on the basis of formal requirements or authority (as is done in Hong Kong, Singapore and the US) or based on cooperation from service providers. For example, Australia engages with systemically important third-party service providers which host critical systems for regulated institutions. Periodic engagements are voluntary and focus on service providers' systemic role as opposed to their relationship with individual institutions. This allows for a more open discussion of relevant strategy, governance, customer engagement, controls and capabilities (including those pertaining to cyber). It also can provide useful insight into the maturity (or lack thereof) of regulated institutions' oversight practices, informing further supervisory activities. They can also be used as a mechanism to influence the provider regarding regulatory expectations and best practice.

In the same vein, supervisors can work directly with cloud suppliers both on formal or informal grounds, to include the right to audit in contracts for the financial industry (as in the Netherlands) or to take part in regulatory summits organised by major cloud providers (including for discussions of assurance frameworks; see Box 24.9).

Against the above findings, a "supervisory college" model to supervise and share information about large, internationally active service providers (particularly cloud providers) could also be a way to address the blind spots resulting from mandate limitations and regulatory fragmentation.

Business Continuity and Availability

To safeguard the availability and continuity of critical business activities in case of exceptional events or crises (eg cyber-attacks), regulators typically request that financial institutions

21 In addition to these summits with regulators and supervisors, these cloud service providers typically also organise comparable summits with their most important financial customers.



analyse these activities, to design and implement appropriate plans, procedures and technical solutions, and to adequately test mitigating measures. The same holds true where critical business activities depend on interconnections with third parties, with regulations stressing the importance of aligning the business continuity plans of critical suppliers (and their subcontractors) with the needs and policies of the financial institution in terms of continuity and security.

It is common practice to request that recovery and resumption objectives be defined for critical business activities from an end-to-end perspective.²²,²³ For instance, Italy specifies that among the risk scenarios for the continuity of systemically important processes that are documented and constantly updated, institutions should include catastrophic events that affect essential operators and third-party infrastructures (eg large-scale cyber-attacks). Typical activities and services that are considered by regulators are cloud outsourcing, settlement processes or internet services offered to customers.

Expectations with regard to plans and procedures typically address tasks and responsibilities in processes for incident management and for response and recovery in case of material disruptions, the information and communication needs from and towards key internal and external stakeholders and the required resources, including planned redundancy, so as to ensure the prompt transfer of outsourced activities to a different provider in case continuity or quality of the service provision are likely to be affected.

Most regulators and international standards expect financial institutions to test protective measures periodically in order to verify their effectiveness and efficiency and make adjustments where necessary. Advanced regulators require that tests for critical activities are based on realistic and probable disruptive scenarios, conducted at least on a yearly basis and that service providers and significant counterparties are involved through collaborative and coordinated resilience testing. These tests are typically complemented by audits and monitoring activities (on availability, security incidents, etc) of the outsourcing vendors.

In terms of business continuity and availability, commonalities in supervisory expectations and practices are observed, which are mainly focused on the "standalone business continuity" of the institutions. Such commonalities could provide an opportunity to extend continuity and resilience testing to a more collaborative and coordinated form that involves larger parts of the ecosystem of a financial institution.

Information Confidentiality and Integrity

Confidentiality and integrity of information for third-party interactions are commonly addressed in general data protection requirements, through explicitly requiring contractual terms to include confidentiality agreement and security requirements for safeguarding the bank's and its customers' information. In addition, banks are generally required to manage or take appropriate steps to ensure that their service providers protect their confidential information and that of their clients. Steps include verifying, assessing and monitoring security practices and control processes of the service provider.

A growing number of jurisdictions have cloud-specific requirements, which range from requirements that information transferred to the cloud be subject to a contractual clause and that different cloud-specific issues be considered to ensure data security, to more specific requirements on data location, data segregation, data use limitations, security and exit. One example of data access limitation is the prohibition imposed on staff of cloud service providers in Luxembourg to access a bank's data without the explicit agreement of the bank and without a mechanism available to the bank to detect and control access.

In a number of jurisdictions, regulations explicitly include expectations that outsourcing arrangements comply with legal and regulatory provisions on protection of personal data, confidentiality and intellectual property. Evidence of more technical and operational requirements is more scattered and less harmonised, with jurisdictions emphasising different aspects of information confidentiality and integrity, ranging from

22 The analysis step typically involves a business impact assessment (BIA) identifying the most critical activities, resources and services, their internal and external dependencies, their acceptable recovery time frames in case of disruption, the events/scenarios (either natural or manmade) that can affect these critical business activities and the potential impacts of a (major) disruption.

23 The CPMI-IOSCO guidance on cyber-resilience for financial market infrastructures, for instance, specifies that a Financial Market Infrastructure should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption and to enable itself to complete settlement by the end of the day of the disruption, even in the case of extreme but plausible scenarios. Some banking supervisors have similar expectations for systemically important functions.

explicitly requiring encryption solutions for confidential data to be under the banks' control, to regulating the transfers of data abroad and requiring explicit client consent for data handling by third parties.

Specific Expectations and Practices with Regard to the Visibility of Third-Party Connections

In many jurisdictions the supervisory authority requests to be informed about the material outsourcing agreements made by supervised institutions and imposes some conditions on them, including about preserving a minimum level of visibility on the outsourced functions by the supervised entity.

Beyond the prior notifications and authorisation processes, supervised institutions are commonly expected to maintain an inventory of outsourced functions and to receive regular reports from service providers, mainly about measurements of service level agreements and the appropriate performance of controls. Some jurisdictions also require sub-outsourcing activities to be visible for the supervised entities so that the associated risks can also be managed.

Inventorying expectations can be set in relation to IT assets in some jurisdictions, such as the identification of both hardware and software elements together with the function they are related to (even for outsourced functions) in Luxembourg.²⁴ Other frameworks, such as the US FFIEC IT Examination Handbook and the CPMI-IOSCO guidance, focus on the connections and information flows of financial institutions with external parties.

The current practices inspired by the various expectations set at national supervisory level and by international guidance play a complementary role. While supervisory authorities' expectations define activities that can fit into classical cyber-security frameworks (identify, protect, detect, respond and recover), standard setting bodies have an organisational process-oriented approach: for instance, ISO IEC 27036-2 addresses configuration management, information management processes and the outsourcing relation termination processes, and ISACA COBIT 5 elaborates on the implementation of an information security management system. On the other hand, both ISO and the US NIST framework²⁵ recommend the identification, documentation and categorisation of suppliers to address information security issues, while ISACA COBIT 4.1 and 5 recommend to identify suppliers and associated contracts and categorise them into type, significance and criticality in order to establish a process for their evaluation.

Analysis of supervisory expectations for the visibility of third-party connections shows that the scope, format and content of supervisory authorities' information requests about material outsourcing vary greatly across jurisdictions.

Auditing and Testing

Supervisory expectations regarding the audit of third parties (internal and/or external) are aligned in two areas. First, the majority of the requirements state the necessity for the supervised organisations to guarantee the "rights to inspect and audit" their service providers. Some jurisdictions require that this right be cascaded to the significant subcontractors while other jurisdictions (France, Switzerland and Singapore) have granted this right directly to supervisory authorities.

Second, for several jurisdictions the audit opinion on the outsourcing arrangements may be formed based on the report of the service provider's external auditor. Others accept pooled audits, organised by multiple financial institutions,²⁶ or audits performed by the internal audit department of a service provider, under the condition that the audit department comply with certain regulatory conditions. Some jurisdictions specify that these independent reports should be based on widely recognised standards or be performed by auditors with adequate skills and knowledge.

Current regulations focus on traditional outsourcing and, in some cases, cloud computing providers. The scope of the requirements for "rights to inspect and audit" critical third parties is nonetheless still focused on the strict banking sector. Shared and independent audit reporting on the critical interconnections with third parties could therefore facilitate the audit approach effectiveness and efficiency.

As regards testing of the security requirements for outsourcing and cloud computing providers, although institutions are generally required to monitor their providers' compliance, most regulations are not aligned in terms of how compliance should be verified or tested. One possible method is the application of supervisor-led or bank-led (intelligence-based) red teaming exercises focused on interconnections. In the EU, the scope of the TIBER-EU test appears to include the institution's critical functions that are outsourced to third-party service providers.

24 See CSSF, CSSF Circular 01/27, 23 March 2001.

25 See NIST, Framework for improving critical infrastructure cybersecurity, version 1.1, draft 2, 16 April 2018.

26 As an example, a group of eight European financial institutions performed a joint audit in June 2018 of a common cloud service provider.
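The inventory of outsourced functions described under visibility of third-party connections, together with the cascaded "rights to inspect and audit" from the auditing section, the CSSF approval/notification rule of Box 24.8 and the concentration-risk sense of footnote 20, can be modelled as a small register with checks over it. The following is an added illustration, not code from the BCBS report or the CSSF; the field names, provider names and sample arrangements are constructed assumptions.

```python
"""Outsourcing register checks (added illustration; not the report's own code).

Models, in simplified form, the expectations described on this page:
- an inventory of outsourced functions including sub-outsourcing,
  categorised by type, significance/materiality and criticality;
- the Box 24.8 rule: material cloud outsourcing needs prior CSSF approval,
  non-material or support-PSF-signed cloud contracts only notification;
- concentration risk in the footnote 20 sense (one provider, many activities);
- "rights to inspect and audit" cascaded to significant subcontractors.
All names and sample data are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Subcontractor:
    name: str
    significant: bool   # significant sub-outsourcing must remain visible
    audit_right: bool   # institution/supervisor may inspect and audit it


@dataclass
class Arrangement:
    activity: str       # outsourced function
    provider: str
    provider_type: str  # "csp", "support_psf" or "non_regulated" (Box 24.8 terms)
    service_type: str   # eg "cloud", "payments", "hosting"
    criticality: str    # "critical" or "non_critical"
    material: bool      # materiality as assessed by the institution
    audit_right: bool
    subcontractors: list = field(default_factory=list)

    @property
    def cloud(self) -> bool:
        return self.service_type == "cloud"


def cssf_regime(a: Arrangement) -> str:
    """Simplified Box 24.8 rule for cloud outsourcing in Luxembourg.

    Material cloud outsourcing not signed with a support PSF requires prior
    approval; otherwise notification suffices. Non-cloud arrangements are
    out of scope of the cloud circular here ("n/a")."""
    if not a.cloud:
        return "n/a"
    if a.material and a.provider_type != "support_psf":
        return "prior_approval"
    return "notification"


def concentration(register: list) -> dict:
    """Footnote 20: providers to which several activities are outsourced."""
    by_provider = defaultdict(list)
    for a in register:
        by_provider[a.provider].append(a.activity)
    return {p: acts for p, acts in by_provider.items() if len(acts) > 1}


def missing_audit_rights(register: list) -> list:
    """Arrangements, and their significant subcontractors, lacking audit rights."""
    gaps = []
    for a in register:
        if not a.audit_right:
            gaps.append((a.provider, a.activity))
        for s in a.subcontractors:
            if s.significant and not s.audit_right:
                gaps.append((f"{a.provider}/{s.name}", a.activity))
    return gaps


def categorise(register: list) -> dict:
    """Group activities by (type, criticality, materiality) to prioritise review."""
    out = defaultdict(list)
    for a in register:
        key = (a.service_type, a.criticality,
               "material" if a.material else "non_material")
        out[key].append(a.activity)
    return dict(out)


# Constructed sample register: hypothetical providers and activities.
SAMPLE_REGISTER = [
    Arrangement("core banking hosting", "CloudCo", "csp", "cloud", "critical",
                True, True, [Subcontractor("DC-Operator", True, False)]),
    Arrangement("HR payroll", "CloudCo", "csp", "cloud", "non_critical",
                False, True),
    Arrangement("card processing", "PayProc", "non_regulated", "payments",
                "critical", True, False),
    Arrangement("archive storage", "LuxSupport", "support_psf", "cloud",
                "critical", True, True),
]

if __name__ == "__main__":
    for arr in SAMPLE_REGISTER:
        print(f"{arr.activity}: {cssf_regime(arr)}")
    print("concentration:", concentration(SAMPLE_REGISTER))
    print("audit-right gaps:", missing_audit_rights(SAMPLE_REGISTER))
```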



Resources and Skills

The Basel Committee's Sound Practices: Implications of fintech developments for banks and bank supervisors, published in February 2018, indicate that banks may require specialist competencies to assess whether their risk functions are capable of maintaining effective oversight of the emerging risks posed by new technologies.

This topic is usually covered by the broader outsourcing and management processes, with the expectation that the relevant personnel have the necessary expertise, competencies and qualifications to effectively monitor outsourced services or functions and are able to manage the risks associated with the outsourcing beyond the mere compliance dimension.

Regulators expect that institutions contract sufficient and qualified personnel to ensure continuity in managing and monitoring outsourced services or functions, even if key personnel leave the institution or become otherwise unavailable. When institutions do not have internal resources sufficient in know-how or number, the general expectation is that external experts or technical resources, such as consultants or specialists, would be proactively identified to complement or supplement in-house personnel. In Belgium, institutions are required to provide a monitoring and replacement plan for employees who are crucial for ensuring the proper functioning of the critical activities, services and resources and who are difficult to replace due to their specific expertise and limited number. Even beyond the supervised institution personnel, institutions should also provide documentation to clients of financial internet services on security awareness and responsibilities with regard to their secure use to strengthen those connections.

As with the regulatory expectations, supervisory practices mostly reflect commonalities, as the assessment of human resources and qualifications for managing third-party connections and relationships is usually done during on-site inspections. In those jurisdictions where financial supervisors have the authority to examine third parties directly, they assess the sufficiency and qualifications of staff at the third parties, and expect the third parties to perform appropriate background checks. Personnel who are Certified Information Systems Security Professionals or an organisation that conforms to the ISO 9001 Quality Management System could provide additional assurance that personnel have the necessary competencies to manage third-party connections.

382 Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Building the UK Financial Sector's Operational Resilience

Learning Objectives

After completing this reading you should be able to:

• Describe operational resilience and describe threats and challenges to the operational resilience of a financial institution.

• Explain recommended principles, including tools and metrics, for maintaining strong operational resilience at financial institutions.

• Describe potential consequences of business disruptions, including potential systemic risk impacts.

• Define impact tolerance; explain best practices and potential benefits for establishing the impact tolerance for a firm or a business process.

Excerpt is reprinted from Building the UK Financial Sector's Operational Resilience, July 2018, by permission of the Bank of England and the Financial Conduct Authority. This article is a reproduction of a discussion paper, seeking views from stakeholders, and does not represent current Bank of England, Prudential Regulation Authority or Financial Conduct Authority policy.

25.1 INTRODUCTION

1. This discussion paper (DP) is issued jointly by the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (the Bank) in its capacity of supervising financial market infrastructures (FMIs), (collectively 'the supervisory authorities'). The purpose of this DP is to share the supervisory authorities' thinking regarding operational resilience and obtain feedback. Feedback is welcomed from all parts of the financial sector, as well as from consumers, market participants and other stakeholders, including other regulatory organisations.

2. UK banks, building societies, credit unions, insurers, overseas UK deposit takers with PRA regulated activity permissions, PRA regulated investment firms, FCA authorised and recognised entities1 (collectively 'firms'), and the FMIs supervised by the Bank of England (recognised payment systems, specified service providers, central securities depositories and central counterparties) may be particularly interested in responding, as any future policy may be directly applicable to them.

3. Feedback is encouraged on how firms and FMIs currently address the issues and risks discussed in this paper. The supervisory authorities would welcome responses to the questions asked throughout the DP and listed in Section 8.

The Importance of Operational Resilience

4. Operational disruptions to the products and services that firms and FMIs provide have the potential to cause harm to consumers and market participants, threaten the viability of firms and FMIs, and cause instability in the financial system. This DP focuses on how the provision of these products and services can be maintained. Operational resilience refers to the ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions.

5. From the perspective of firms and FMIs, there are numerous challenges to making sure their businesses are resilient to operational disruption. These challenges have become more complex and intense in recent years, during a period of technological change and in an increasingly hostile cyber environment. Additional challenges occur where firms operate internationally or outsource a significant level of activities to third parties. Some of these challenges are illustrated in Figure 25.1.

6. The operational resilience of firms and FMIs is a priority for the supervisory authorities and is viewed as no less important than financial resilience. A lack of resilience represents a threat to the supervisory authorities' specific objectives as well as their shared goal of maintaining financial stability (see Box 25.1).

7. The Bank and the supervisory authorities have interlinked objectives, which include promoting financial stability. The supervisory authorities consider that improvements in operational resilience would be facilitated by complementary regulatory standards and supervisory approaches.

8. Figure 25.2 illustrates the objectives which are most likely to be affected by operational resilience issues. It also illustrates that the consumer protection objective is likely to be affected more often, and by more firms, than the market integrity, the safety and soundness, and financial stability objectives.

9. Interconnectedness occurs both within the UK and internationally. The supervisory authorities are engaged in international fora supporting the development of operational resilience principles and standards. Common standards would help ensure that operational resilience is not adversely affected by the location of firms' and FMIs' infrastructure, and will assist regulatory co-operation in the supervision of international firms.

10. Improving operational resilience might also be good for competition. A shared understanding of minimum standards may help new entrants establish themselves in a market.

Important Concepts in the Supervisory Authorities' Approach to Operational Resilience

11. This DP discusses a number of important concepts which are relevant to all firms and FMIs:

• The supervisory authorities consider that the continuity of business services is an essential component of operational resilience. Accordingly, firms and FMIs should focus on that outcome when approaching operational resilience. Avoiding disruption to a particular system supporting a business service is a contributing factor to operational resilience. But ultimately it is the business service that needs to be resilient—and needs to continue to be provided. The supervisory authorities envisage that boards and senior management should assume that individual systems and processes that support business services will be disrupted, and increase the focus on back-up plans, responses and recovery options.

1 Entities authorised, registered or recognised under the Financial Services and Markets Act 2000 (FSMA) (eg investment or consumer credit firms or recognised investment exchanges) and authorised and/or registered under other regimes (eg, Payment Services Regulations 2017 (PSRs 2017), and Electronic Money Regulations 2011 (EMRs 2011)).

Figure 25.1 Challenges to building operational resilience. [Figure: five groups of challenges. Technical innovation: fintech, artificial intelligence, distributed ledger, crypto assets. Changing behaviours: instant access, mobile technology, faster transactions. Keeping pace: skills gaps, obsolescence. Challenging environment: cyber incidents, cost pressures. System complexity: third parties, concentration risk, cross-border dependencies.]

BOX 25.1: THE SUPERVISORY AUTHORITIES' OBJECTIVES

The Bank has an objective to protect and enhance the stability of the financial system of the United Kingdom.2 The Bank sets out in its Financial Stability Strategy3 that financial stability is the consistent supply of the vital services that the real economy demands from the financial system. Those vital services are: providing the main mechanism for paying for goods, services and financial assets; intermediating between savers and borrowers, and channelling savings into investment, via debt and equity instruments; and insuring against and dispersing risk. The Bank as supervisor of FMIs seeks to ensure that FMIs are designed and operated in a safe way, and that they contribute to reducing systemic risks in the vital payment, settlement and clearing arrangements centred upon them. The Bank's operation of the Real Time Gross Settlement (RTGS) service and the Clearing House Automated Payment System (CHAPS) also supports the delivery of the Bank's overall mission.

The PRA's and FCA's objectives are also defined in the Financial Services and Markets Act 2000 (FSMA). The PRA seeks to promote the safety and soundness of the firms it supervises, and contribute to the securing of an appropriate degree of protection for those who are or may become insurance policyholders. The PRA also has a secondary competition objective. The FCA's strategic objective is to ensure that relevant markets work well. To advance its strategic objective, the FCA has three operational objectives: to secure an appropriate degree of protection for consumers, to protect and enhance the integrity of the UK financial system, and to promote effective competition in the interests of consumers. In achieving these objectives, both regulators seek to support financial stability.

• Setting impact tolerances which quantify the amount of disruption that could be tolerated in the event of an incident may be an efficient way for boards and senior management to set their own standards for operational resilience, prioritise and take investment decisions. An example would be a maximum acceptable outage time for a business service. Firms and FMIs would test their ability to stay within their impact tolerances in severe but plausible scenarios in order to identify vulnerabilities and take mitigating action. The supervisory authorities may expect some firms and FMIs to consider any FPC impact tolerance when setting their own impact tolerances.

• How firms and FMIs manage their response to operational disruption is critical to maintaining confidence in the business services they provide. The speed and effectiveness of communications with those affected, including customers, is an important part of their overall response and could help to manage the expectations of those affected and maintain or restore confidence in the firm's business services.

2 Bank of England Act 1998, section 2A: https://www.legislation.gov.uk/ukpga/1998/11/section/2A#commentary-key-8734b5fd971e45bdddb681573bfa3213.

3 Bank of England, Financial Stability Strategy: www.bankofengland.co.uk/financial-stability.

4 This DP does not affect requirements or obligations under existing legislation or international standards such as the CPMI-IOSCO principles for Financial Market Infrastructure, PSRs 2017 or the EMRs 2011; any future changes proposed would have regard to the existing international standards and other legal requirements, including EU requirements.

Chapter 25 Building the UK Financial Sector's Operational Resilience ■ 385


Figure 25.2 Impact of operational resilience on the objectives of the authorities. [Figure: the authorities' objectives arranged by how often, and by how many firms, they are likely to be affected, labelled "More firms likely to impact the authorities' objectives more often"; panels: Financial Policy Committee; Bank (FMI Supervision); PRA and FCA; FCA.]

• Operational resilience is already a responsibility of firms and FMIs, and an outcome supported by the existing regulatory framework. The supervisory authorities are considering the extent to which they might supplement existing policies to improve the resilience of the system as a whole, and to increase the focus on this area within individual firms and FMIs. They are reviewing existing policies, including those on risk management, outsourcing, controls and communication and business continuity plans, to ensure that these continue to be effective, in light of market and technological developments.

• The supervisory authorities are also reviewing their approach to the assessment of operational resilience matters, which may include an increased focus on firms' and FMIs' non-financial resources. Gaining assurance that appropriate impact tolerances are set, monitored and tested is likely to be a key component of future supervisory approaches.5

Discussion Paper Structure

12. Section 2 explains why the supervisory authorities consider that managing operational resilience is most effectively addressed by focusing on business services, rather than on systems and processes. The section also explains that firms and FMIs are more likely to be operationally resilient if they design and manage their operations on the assumption that disruptions will occur to their underlying systems and processes.

13. Section 3 explains that financial stability rests on the operational resilience of individual firms, FMIs and the system as a whole. The FPC is establishing its tolerance for the length of any period of disruption to the delivery of vital services the financial system provides to the economy in the context of cyber (an 'FPC impact tolerance'), as set out in its June 2018 Financial Stability Report (FSR).6 The supervisory authorities consider that their approach to operational resilience described in this DP is consistent with the FPC's approach, and supports its agenda.

14. Section 4 suggests that the boards and senior management of firms and FMIs could set their own tolerances for operational disruption, on the assumption that some (or all) supporting systems and processes will fail. In setting impact tolerances, the supervisory authorities suggest that a firm's or FMI's board or senior management might prioritise those business services which, if disrupted, have the potential to: threaten the firm's or FMI's ongoing viability; cause harm to consumers and market participants; or undermine financial stability. The section also highlights relevant existing regulatory standards related to operational resilience that firms and FMIs are already expected to meet.

5 This DP has been written in the context of the current UK and EU regulatory framework. The supervisory authorities will keep the discussed approach under review to assess whether any changes would be required due to changes in the UK regulatory framework, including those arising once any new arrangements with the European Union take effect.

6 Financial Stability Report, June 2018: https://www.bankofengland.co.uk/financial-stability-report/2018/june-2018.

15. Section 5 expands the idea that firms and FMIs would develop impact tolerances for important business services. These would provide clear metrics indicating when an operational disruption would represent a threat to a firm's or FMI's viability, to consumers and market participants or to financial stability. The section discusses what impact tolerances are and their purpose. To help inform the development of the approach, the supervisory authorities are particularly interested in metrics firms and FMIs currently use.

16. Section 6 explains how supervisors could gain assurance that firms and FMIs ensure the continuity of their most important business services, and that boards and senior management are sufficiently engaged. The supervisory authorities are reviewing their existing approaches in light of the proposed focus on business services, and are considering the role of scenario testing in this context.

17. Section 7 summarises the key concepts set out in the DP.

18. Section 8 is a complete list of the questions in the DP.

19. This DP is part of the supervisory authorities' wider engagement on this topic. Further dialogue on the financial sector's operational resilience will occur through discussions with firms, FMIs and other industry participants and through international engagement.

20. A glossary of terms is provided in Annex 1.

25.2 OPERATIONAL RESILIENCE OF BUSINESS SERVICES

This section explains why the supervisory authorities consider that managing operational resilience is most effectively addressed by focusing on business services, rather than on systems and processes. The section also explains that firms and FMIs are more likely to be operationally resilient if they design and manage their operations on the assumption that disruptions will occur to their underlying systems and processes.

Focusing on Business Services

1. Operationally resilient business services provided by firms and FMIs directly support resilient economic functions,7 enabling people to buy goods, borrow money and markets to transact. Resilient business services therefore support financial stability.

2. The UK financial system is resilient if its economic functions can continue to operate during potentially disruptive incidents at a firm, FMI or across groups of firms. Resilience of the financial system depends on both individual firms and FMIs and the interconnections between them.

3. Continuity of business services is also critical to the viability of individual firms and FMIs, and disruptions can cause harm to consumers and market participants.

4. The supervisory authorities believe that if firms' and FMIs' boards and senior management focus on the operational resilience of their most important business services, this would assist the supervisory authorities in furthering their objectives.

5. Priorities between firms and FMIs and the supervisory authorities may not always be aligned. It is possible that the supervisory authorities may believe that a disruption to a business service would harm their objectives, while a firm or FMI might consider the disruption to be a manageable risk.

Prioritising by Business Services

6. A business services approach is an effective way to prioritise improvements to systems and processes. Firms and FMIs may currently prioritise the upgrading of their IT systems by: age; those most prone to failure; anticipated cost of financial failure; or cost of upgrade against available budget. Such considerations may be inconsistent with an outcome focused on continuity of business services. Looking at the systems and processes on the basis of the business services they support may bring more transparency to and improve the quality of decision making, thereby improving resilience. The supervisory authorities are keen to understand which approaches to operational resilience firms and FMIs have found most useful.

7. A focus on business services could help drive specific and measurable activities, including investment, that increase operational resilience. Firms and FMIs could set target metrics for the continuity of important business services. Firms' and FMIs' ability to meet their target metrics could then be tested, enabling them to take action as necessary.

8. While this DP focuses on the delivery of business services, operational disruption can also impact firms' and FMIs' ability to meet other regulatory or contractual obligations. For example, firms are expected to ensure the confidentiality of data, or may be required to provide timely and accurate financial reports. Firms and FMIs also need an appropriate degree of resilience in these and other areas.

7 A list of economic functions, defined for resolution purposes, was set out in PRA Supervisory Statement 19/13. This list is reproduced in Annex 2 of this DP to aid discussion.



Building Resilient Business Services, Assuming Disruption Will Occur

9. In order to build and deliver resilient business services, firms and FMIs need the ability to: prevent disruption occurring to the extent practicable; adapt systems and processes to continue to provide services and functions in the event of an incident; return to normal running promptly when the disruption is over; and learn and evolve from both incidents and near misses. The supervisory authorities consider that firms and FMIs would pay attention to all of these aspects.

10. It is particularly important to plan on the basis that operational disruptions will occur. This is because it is not possible to prevent every risk materialising, and dependencies are often only identified once something has gone wrong. The assumption that operational disruptions will arise could be used to inform strategy, planning and resourcing.

11. The supervisory authorities believe that an operationally resilient firm or FMI would have in place:

• a clear understanding of their most important business service or services;

• a comprehensive understanding and mapping of the systems and processes that support these business services, including those over which the firm or FMI may not have direct control. This would include an understanding of the resilience of outsourced providers or entities within the same group but in another jurisdiction;

• knowledge of how the failure of an individual system or process could impact the provision of the business service;

• knowledge of which systems and processes are capable of being substituted during disruption so that business services can continue to be delivered;

• tested plans that would enable firms and FMIs to continue or resume business services when disruptions occur;

• effective internal communication plans, escalation paths and identified decision makers; and

• specific external communication plans for the most important business services, which provide timely information for customers, other market participants and the supervisory authorities.

12. Firms' and FMIs' implementation of these elements would be proportionate to their nature, scale and complexity, as discussed in 'What this might mean for firms and FMIs in practice' in Section 4.

13. Figure 25.3 illustrates the variety of systems and processes that would need to be considered. This may be contrasted with an incomplete view of resilience obtained by taking a narrow focus on particular systems or processes considered in isolation. In this example, mortgages are the important business service, and there are a number of steps necessary from origination through to customer service. Only by looking at all of these stages—and where appropriate, at how elements of this service get delivered by other parties—can a clear picture be developed of how best to support the resilience of the business service.

14. It would be neither possible nor an efficient use of resources to attempt to make every component of an organisation completely resilient to operational disruption. The supervisory

Figure 25.3 Understanding important business services. [Figure: the business service "retail mortgages" broken down into the stages Sales, Application, Underwriting and Legal/valuation; each stage is delivered by financial institutions and by third parties, and for both the diagram maps organisational activities to business processes and then to the people, information, technology and facilities that support them.]

authorities recognise that firms and FMIs need to prioritise and want this prioritisation to be well-considered and agreed at the appropriate level. Under the approach outlined in this DP, firms' and FMIs' prioritisation would be informed by an effective understanding of their most important business services and underlying systems and processes.

Question

A) What are readers' views on the proposed focus on continuity of business services? Would a service rather than systems-based approach represent a significant change for firms and FMIs compared with existing practice? What other approaches could be considered?

25.3 OPERATIONAL RESILIENCE OF FIRMS AND FMIS

This section suggests that the boards and senior management of firms and FMIs would set impact tolerances for the operational disruption of business services, on the assumption that some or all supporting systems and processes will fail. In setting impact tolerances, the supervisory authorities suggest that a firm's or FMI's board or senior management might prioritise those business services which, if disrupted, have the potential to: threaten the firm's or FMI's ongoing viability; cause harm to consumers and market participants; or undermine financial stability. The section also highlights relevant existing regulatory standards related to operational resilience that firms and FMIs are already expected to meet.

1. In view of the potentially severe consequences of poor operational resilience, the supervisory authorities believe operational resilience is a key issue on which boards and senior management should focus. A firm's or FMI's resilience is the result of its activities and choices, and will depend on its governance, culture, corporate structure, controls and regulatory framework.

2. To be effective, boards and senior management must agree clear standards that they expect the executive of a firm or FMI to meet. Section 2 suggests that the supervisory authorities consider that they might best do this by focusing on business services. The supervisory authorities consider that boards and senior management could go further by setting impact tolerances for disruption to the most important business services.

3. An impact tolerance describes a firm's or FMI's tolerance for disruption to a particular business service, under the assumption that disruption to the systems and processes supporting that service will occur. Impact tolerance is expressed by reference to specific outcomes and metrics. Such metrics could include the maximum tolerable duration or volume of disruption, a measure of data integrity or the number of customers affected.

4. Having impact tolerances may help ensure that boards and senior management consider what the firm or FMI would do when a disruptive event occurs, rather than only trying to minimise the probability of disruption. This might include how to handle the situation to minimise the consequences of disruption as well as ensuring that the relevant business services continue to be delivered within tolerance.

5. While an assumption that disruption will occur enables greater clarity around the outcome being sought, firms and FMIs may also need to think about the instances in which it would, or would not, be acceptable to meet a tolerance. This DP describes such instances as scenarios.

6. The supervisory authorities may also consider setting their own impact tolerances for firms or FMIs to meet within the context of severe, but plausible, scenarios.

7. In arriving at an impact tolerance, boards or senior management would consider the commercial interests of the firm or FMI and the objectives, rules, principles, expectations and guidance of the relevant supervisory authorities. This section therefore discusses:

• factors relating to the supervisory authorities' objectives that are likely to be key components in determining appropriate impact tolerances: when the viability of the firm or FMI is threatened; the impact on consumers and market participants; and the impact on financial stability;

• existing rules, principles, expectations and guidance relating to operational resilience that firms and FMIs are already required to meet; and

• what this might mean for different types of firms and FMIs in practice.

8. For the purposes of this DP, the supervisory authorities envisage that how impact tolerances are derived and justified might be set out by firms and FMIs in a single document: an impact tolerance statement.

9. Firms and FMIs could use their impact tolerances in running their businesses: to take decisions on investments, risk management, business continuity planning and corporate structure. Section 5 discusses how impact tolerances might be set and considered alongside existing risk appetite statements. The supervisory authorities are aware that some firms and FMIs may already be taking this approach, for example CPMI-IOSCO principles for financial market



infrastructure (PFMI)8 indicate that an FMI should design and test its systems and processes to aim for the safe resumption of critical operations within two hours of a disruption,9 but it will be a new idea for others. It is also recognised that individual approaches to impact tolerances would be determined by the nature, scale and complexity of a firm's or FMI's activities. Readers are encouraged to provide feedback on practices that are already being employed, along with potential difficulties in implementing the approach.

10. Once impact tolerances are set, they will be relevant to the systems and processes supporting business services wherever they are located. This includes the systems and processes of outsourced service providers. This might require consideration of the extent to which standards differ between jurisdictions. In general, the impact tolerance for a particular business service would still need to be met, regardless of the location of supporting systems and processes.

Factors Relating to the Supervisory Authorities' Objectives

Impact on the Viability of Firms and FMIs

11. The supervisory authorities require firms' and FMIs' operations to be run in a sustainable manner. The PRA and the FCA, which prudentially supervises approximately 46,000 firms,10 expect the firms they supervise to run their businesses in a safe and sound manner. The Bank seeks to ensure that FMIs operate in a safe way, in support of its financial stability objective. Prudently-run firms and FMIs should try to maintain and increase their operational resilience, particularly in response to evolving threats such as cyber attacks.

12. The supervisory authorities consider firms and FMIs might assess their operational resilience in the context of how disruptions to important business services might threaten their ongoing viability. To identify business services that support a firm's or FMI's viability, boards and senior management might consider which services, if disrupted, could lead to significant loss of customers, major financial loss or reputational damage. Examples might include: disruptions to the services that allow customers to transfer funds between accounts; a bank not being able to extend commercial finance; an FMI not being able to collect margin payments; or an insurance company not being able to fund and hedge its balance sheet.

13. Under requirements such as Internal Capital Adequacy Assessment and Risk Control, boards and senior management should already be able to articulate those circumstances which may lead to the firm's or FMI's failure, develop their own risk appetites and oversee delivery of risk mitigation. This should include:

• an assessment of the adequacy of a firm's or FMI's operational resources to maintain resilience, relevant to a firm's or FMI's ability to remain viable; and

• effective risk management of their organisation, people, processes and technology assets,12 all of which support the continuity of business service delivery during operational disruptions.

Impact on Consumers and Market Participants

14. The supervisory authorities are also concerned by the potential harm that operational disruptions could cause to users of a firm's or FMI's business service, including both consumers and market participants.

15. Harm to consumers (such as an inability to access cash deposits, savings, credit or other financial services) and harm to market participants (such as an inability to price trades or to complete post-sale activities) arising from operational disruptions is likely to manifest before risks to the viability of a firm or FMI start to crystallise. As the FCA's Mission15 requires it to consider harm to consumers, the FCA may engage with authorised firms in relation to their management of an operational disruption more frequently and at an earlier stage than the PRA, to understand how they would seek to minimise the amount of harm caused by operational disruption.

8 A joint publication of the Com m ittee on Paym ents System s and Market
Infrastructures (CPM I) and the Technical Com m ittee of the International 12 Internal Capital A d eq uacy Assessm ent Part of the PRA Rulebook:
Organization of Securities Com m issions (IO SC O ): w w w .bis.org/cpm i/ w w w .prarulebook.co.uk/rulebook/Content/Part/211179/05-07-2018.
publ/d101a.pdf.
13 Risk Control Part of the PRA Rulebook: PRA w w w .prarulebook.co.uk/
9 Principle 17. rulebook/Content/Part/214146/05-07-2018.

10 The F C A is the prudential supervisor for approxim ately 46,000 firm s; 14 For exam ple, B C B S Principles for the Sound M anagem ent of O p e ra­
for 18,000 firm s, a regim e of minimum standards beyond both the prin­ tional Risk (B C B S 2011), PRA rulebook, Solvency II firm s, Conditions
ciple of business of financial prudence and the threshold condition of Governing Business 3. Risk M anagem ent.
appropriate resources exists.
15 FC A , O ur Mission, April 2017: w w w .fca.org.uk/publication/corporate/
11
Box 25.1 sets out the supervisory authorities' specific objectives. our-mission-2017.pdf.

390 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
BOX 25.2: EXAMPLES OF HARM

Harm arising from operational resilience failures is illustrated in the following examples. Some relate to the continuity of business services, while others relate to the integrity of data.

Supply of New Business Services:

• A retail bank's mortgage application system fails to present all relevant questions for customers or brokers to answer, with the result that underwriting decisions start to be based on incomplete disclosure. Harm materialises in several ways: some mortgage applications are rejected and, once the error is detected, all the affected customers experience delays while the additional information is obtained from them.

Availability and Integrity of Existing Business Services:

• A software error results in duplicate Bacs Direct Debit payments being taken from customers' accounts. Some payees' bank accounts incur unauthorised overdraft charges. Some customers are unable to access cash when they need it because their balances are incorrect.

• A system error at a consumer credit firm leads to inaccurate (higher) debt repayment demands and a consequential effect on the customers' credit files.

Availability of a Vital Link in a Value Chain:

• A custody bank is unable to confirm ownership of assets in a timely way, which delays asset valuations, and sales cannot be completed on the intended value dates.

• A disruptive event at a specialist trading venue prevents trading of derivatives for a number of hours.

Unauthorised Access to Market Sensitive Data:

• A corporate liability insurer's file management system is upgraded. After the upgrade, all employees have access to folders containing market sensitive data disclosed by listed companies, and the folder permissions error is not identified for several months.

What is Meant by 'Harm' in This Context?

16. Harm to consumers may arise, for example, from disruption to the:

• ongoing availability of existing business services, for example when claiming on an insurance contract, making loan repayments, checking balances, or accessing deposits and savings; and

• supply of new business services, for example renewing a general insurance contract, obtaining life insurance, receiving a mortgage advance or personal loan, or making a money transfer.

17. Harm to market participants is concerned with the risks that operational disruptions pose to the smooth operating of financial markets and the potential threat to market confidence that can result from a substantial disruption. Harm to market participants and market integrity may arise from, for example, the failure of a shared facility or market infrastructure on which the functioning of a market depends, uncontrolled access to and misuse of market sensitive data, the inability to access market data to price trades, or the inability to complete post-sale activity.

18. The supervisory authorities invite discussion about how firms and FMIs could be more active in assessing harm caused by the disruption to business services. Identifying harm caused by the disruption to business services could inform the setting of impact tolerances explained in Section 5.

Impact on Financial Stability

19. The financial system comprises many participants who interact to provide services to each other and the real UK economy. There are significant dependencies between participants. The resilience of individual participants can thus depend on the resilience of others, including the Bank (see Box 25.3). The resilience of the financial system as a whole depends on the resilience of individual participants and the interconnections that exist between them.

20. Changing business models and increased outsourcing have increased the dependence of participants on others, including, in some cases, a limited number of technology providers, giving rise to concentration risk. This illustrates how, while technological innovation creates opportunities, including increasing efficiency and enabling better risk management, changing technologies are also creating new risks. Cyber threats have increased and have a greater propensity to be transmitted between participants.

21. Supporting financial stability is reflected in each of the supervisory authorities' objectives and their respective approaches to supervision. The supervisory authorities do not seek to ensure that no firm or FMI fails, but they do seek to ensure that, in the event of failure, it is orderly and avoids significant disruption to the UK economy.

22. Firms and FMIs should consider the impact of disruption within their own businesses on consumers and market
Chapter 25 Building the UK Financial Sector's Operational Resilience ■ 391


participants which rely upon them, and take this into account when considering their approach to operational resilience.

BOX 25.3: BUILDING OPERATIONAL RESILIENCE; THE BANK AS A PROVIDER OF PAYMENT AND SETTLEMENT SYSTEMS

The Bank recognises that it has its own part to play in building the operational resilience of the UK financial sector as operator of the CHAPS and RTGS services. RTGS processes an average of over £600 billion worth of transactions every working day, of which approximately half is CHAPS settlement. Firms and FMIs rely on the Bank's provision of these services to move sterling around the financial market and the real economy.

The CHAPS payment system is used for high-value wholesale payments as well as time-critical retail payments. The Bank's RTGS settlement infrastructure holds accounts for banks, building societies and other institutions. The Bank's operational function holds itself to high standards and is committed to a very low tolerance for any disruption to the RTGS and CHAPS services. As the operator of CHAPS, the Bank is the 'systemic risk manager' for the CHAPS system, a role that includes understanding and managing risks across the end-to-end CHAPS system. The Bank's operation of CHAPS is independently supervised by the Bank's FMI Directorate on a non-statutory basis against the same standards as other payment systems.16 The Bank's Banking, Payments and Financial Resilience Directorate also self-assesses RTGS and CHAPS against the CPMI-IOSCO Principles for Financial Market Infrastructures annually. For RTGS, the Bank commissions an ISAE 3402 external control audit and holds an ISO 27001 certificate.

The Bank sets access criteria for firms that want direct access to CHAPS, as well as operational and technical requirements for RTGS and CHAPS. Assurance is sought from CHAPS Direct Participants that they meet the rule book's requirements, complemented by a rigorous testing regime. Requirements cover areas such as day-to-day operations; resilience and contingency; technical maintenance; network connectivity; and physical, environmental and information security.

Strengthening the resilience of RTGS and its flexibility to respond to emerging threats is a key focus of the programme to renew the RTGS service and supporting infrastructure.

Existing Regulatory Requirements and Expectations for Firms and FMIs

23. The supervisory authorities consider that setting impact tolerances could play an important part in increasing the operational resilience of firms and FMIs. These would support existing regulatory expectations and obligations. The supervisory authorities are reviewing the existing regulatory framework in the light of the overall approach set out in this DP, and with regard to existing international, European Union and domestic requirements and regulatory frameworks.

24. Each supervisory authority is responsible for a spectrum of firms or FMIs and each has its own rules, principles, expectations, or guidance. Nevertheless, common regulatory themes apply across regulated entities, including individual and collective accountability for matters that support operational resilience. This is generally achieved by rules, principles, expectations, or guidance on: management and governance; risk management; internal controls for systems and processes; contingency planning; and oversight of outsourcing arrangements.

25. Some of the existing rules and standards are summarised below. Those listed here cover key policy areas only and may not necessarily be applicable to all firms and FMIs. Box 25.4 provides an example of how some existing regimes interact to support operational resilience.

Existing Regulatory Requirements Relating to the Viability of Firms and FMIs

Management and Governance

26. An effective board is critical to ensuring a sound and well-run business. The supervisory authorities set expectations of the boards and senior management of regulated firms and FMIs to run their businesses prudently and in support of their objectives, including the continuing stability of the financial system.

27. Boards should ensure there is sufficient challenge to the executive and that they have access to people within the business with appropriate technical skills. They should

16 See Box 2 of the 'Bank of England's supervision of financial market infrastructures - annual report' for further explanation: www.bankofengland.co.uk/news/2018/february/supervision-of-financial-market-infrastructures-annual-report-2018.
also ensure the recruitment and training of suitable people for relevant executive roles, drawing on additional skills where relevant.

BOX 25.4: INTERACTION OF REGIMES

The regulatory framework already features many requirements that help build the operational resilience of firms and FMIs. A brief explanation of how the supervisory authorities see the relationship between operational resilience and policies on operational continuity in resolution and capital requirements for operational risk is set out below.

Operational Resilience, Operational Continuity in Resolution and Operational Risk

This DP on operational resilience is focused on the continuity of business services and economic functions. The approach set out in this DP includes an assumption that disruptions to systems and processes will occur and focuses on firms' and FMIs' responses to these disruptions. Time-to-recover is often a key metric. Operational resilience is an outcome which emerges from a wide array of practices and disciplines undertaken by firms and FMIs.

Some of the UK's largest banks and building societies are subject to the PRA's operational continuity in resolution (OCIR) policy.17 OCIR policy aims to ensure the continuity of critical functions, from an operational perspective, through severe stress and resolution. It is similar to operational resilience in its focus on the continuity of services, but is narrower as it focuses specifically on stress and resolution, and events that might occur in those circumstances. OCIR policy includes requirements to have resolution-proof contracts with third parties and for firms to be able to map critical services supporting critical functions.

Operational risk20 refers to the risk associated with inadequate or failed processes, people or systems or from external events including legal risk. It includes consideration of both the severity of impact and the likelihood of loss occurring, in the broader context of the requirement on firms to manage their businesses prudently, or for those firms to whom the Capital Requirements Regulation (CRR) applies, requiring capital to be held against operational risks. In the latter case, the policy aim is to minimise the impact and likelihood of such losses. Loss can include financial loss and loss of availability or confidence. Regulation relating to operational risk has tended to focus on minimising the probability of risk events occurring and ensuring firms can absorb financial losses when they do occur. Good operational risk management and the holding of capital against potential operational losses will help build operational resilience, but the ability to withstand financial loss is not sufficient in itself to ensure continuity of business services.

28. The PRA's Senior Managers and Certification Regime (SM&CR) requires relevant firms to have a Senior Management Function (SMF) responsible for the internal operations and technology of a firm, SMF 24.18 This includes operational resilience, cybersecurity and operational continuity. The PRA and FCA have consulted on the creation of an equivalent SMF as part of the extension of the SM&CR to insurers, to be effective on 10 December 2018,19 and FCA solo-regulated firms (FCA CP17/40). In respect of FCA solo-regulated firms, this SMF would apply in 'enhanced firms', which are generally those that are larger and more complex.

29. Similarly for FMIs, the PFMI21 recommend that FMI boards should explicitly define the roles and responsibilities for addressing operational risk and the FMI's operational risk-management framework.

Risk Management

30. Risk management should cover all types of risk, including operational, and firms and FMIs are expected to identify, monitor and manage the risks they are or might be exposed to.

31. FMIs in particular are encouraged to consider threats such as natural disasters, terrorism, pandemics and cyber attacks. FMIs are also expected to assess the evolving nature of the operational risks they face on an ongoing basis so they can analyse potential vulnerabilities and implement appropriate defence mechanisms.

17 PRA Policy Statement 21/16 'Ensuring operational continuity in resolution', July 2016: www.bankofengland.co.uk/prudential-regulation/publication/2014/ensuring-operational-continuity-in-resolution.

18 PRA Supervisory Statement 28/15, 'Strengthening individual accountability in banking', May 2017: www.bankofengland.co.uk/prudential-regulation/publication/2015/strengthening-individual-accountability-in-banking-ss.

19 Final policy published July 2018: www.bankofengland.co.uk/prudential-regulation/publication/2018/strengthening-individual-accountability-in-insurance-extension-of-the-smcr-to-insurers.

20 Capital Requirements Regulation (575/2013) (CRR), Article 4.1(52): https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013L0036&from=EN.

21 Principle 17 (Operational risk), consideration 2, of the CPMI-IOSCO PFMI: www.bis.org/cpmi/publ/d101a.pdf.


Internal Controls

32. To deliver a firm or FMI's board-led strategy and direction, boards and senior management must be able to exercise appropriate oversight and be confident their direction is being carried out. This requires an effective internal control framework for prioritisation, undertaking specific activities, internal reporting and escalation.

33. The supervisory authorities' existing rules, principles, expectations and guidance already require firms and FMIs to manage their affairs in a responsible manner, which includes having adequate control systems in place. Effective internal controls should ensure firms' and FMIs' core businesses are managed appropriately, and that risks are dealt with.

Business Continuity and Contingency Planning

34. The supervisory authorities have requirements of firms and FMIs to undertake appropriate contingency planning. Effective prior planning for when something goes wrong enables firms and FMIs to deal more efficiently with issues when disruptions occur, potentially reducing their impact.

35. The supervisory authorities also require firms and FMIs to maintain continuity plans explaining how they will respond and recover following disruption. The approach in this DP could require alignment of these plans with firms' and FMIs' most important business services and explanation of how they would continue to operate.

Outsourcing and Critical Service Providers

36. Boards' and senior managements' oversight also needs to cover any activities outsourced to third-party providers, for example cloud service providers. While outsourcing can enable firms and FMIs to manage risks more effectively and at a reduced cost, it can also give rise to new risks for which they remain responsible.

37. Boards' and senior managements' oversight also needs to include identification and understanding of the firm's or FMI's reliance on critical service providers. These are third party services critical to the continuous and adequate functioning of the firm's or FMI's operations, for example information technology, telecommunications and messaging services.

38. Indeed, existing rules require dual-regulated firms to avoid reducing the level of control or introducing additional risk through outsourced arrangements. Similarly, FMIs are expected to deal with outsourcing in a prudent way and ensure that outsourced and critical service providers meet the same requirements as internally provided services.

Existing Regulatory Requirements Relating to Harm

39. Existing requirements relevant to harm caused by operational resilience come from different legal sources. These include: domestic legislation, such as provisions in FSMA; sector-specific legislation, such as the Payment Services Regulations 2017; supervisory authorities' rules and guidance; and directly applicable European legislation.

40. Existing requirements include obligations on firms and FMIs to put in place risk management systems and business contingency or continuity arrangements. The supervisory authorities invite discussion about whether the way that firms approach existing requirements is compatible with identifying and preventing harm caused by disruption to business services.

Communications Plans

41. The supervisory authorities have been considering the role of communications plans used at times of operational disruption. These can be important in mitigating consumer harm. It is important that business continuity policies include prompt and meaningful communication arrangements for internal and external parties, including supervisory authorities, consumers, other clients and the press. The supervisory authorities are considering whether there should be specific rules or further guidance on the content of communications plans. For example, the plans could address how to get hold of key people, how to contact operational staff, and how to contact consumers, suppliers, and the supervisory authorities.

42. The supervisory authorities recognise that harm may also arise from the loss of, or unauthorised access to, personal, financial and other sensitive data relating to consumers and market participants. The obligations on firms under, for example, the General Data Protection Regulation (GDPR)22 will be relevant to operational resilience.

Existing Regulatory Requirements Relating to Financial Stability

43. FMIs are typically unique in the services they provide to other market participants and are an integral part of almost all financial transactions. The financial system has a significant dependency upon them. Given their role and the obligations this creates, FMIs have an important role to play in promoting financial stability.

22 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation): https://publications.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en.
BOX 25.5: MANAGING RISKS IN THE END-TO-END PROCESSING OF PAYMENTS

A payments network connects a number of participants: the end users that want to make or receive payments; the banks that hold the end-users' accounts and initiate the payment process following their customers' instruction; and the payments system operator (FMI) that connects the banks to enable the payments to be processed, transferred and settled.

The resilience and robustness of the network depends on both the processes and systems of each participant and the nature of the connection between each participant. Threats to the network could be introduced by any participant and communicated to others via the network's connections.

If participants have concerns about the resilience of the payments network, their own resilience or the resilience of other participants, each of them may implement additional controls before releasing payments or may limit or halt processing payment instructions. When confidence in the integrity of the entire system has been lost, such individual precautionary controls could, in aggregate: create significant gridlock in processing payments; reduce overall liquidity in the financial markets; and potentially cause a build-up of unsettled positions and bilateral credit exposures among financial institutions. In extreme circumstances these actions could ultimately impede economic activity and disrupt financial stability. The existence or fear of fraud and weaknesses in security arrangements could also be reasons for concern by participants.

Individual firms and FMIs are responsible for their own robustness and security. However, it is important that participants work together to deliver the resilience of the end-to-end processing of payments within the network. This is a good example of how an FMI can work together with its participants and other stakeholders to mitigate risks to financial stability.

44. The Bank expects FMIs to comply with the PFMI.23 The PFMI were designed to enhance the safety and efficiency of FMIs, but more broadly, to limit systemic risk and foster transparency and financial stability. In this regard they include a principle that an FMI's governance arrangements should support financial stability.

45. Specifically to manage systemic risk, an FMI should review the risks that it bears from others as a result of interdependencies, and develop appropriate risk management tools. To this end, FMIs impose and monitor standards and disciplines at their members to improve the robustness and resilience of the service provided. These typically include satisfying the FMI that adequate security and resiliency arrangements are in place, including technical requirements (eg around messaging) to access the FMI's infrastructure. FMIs should then have procedures to ensure their members continue to meet the standards for membership.

46. FMIs should also work with their members to enhance standards and minimise the adverse effects of disruption when it occurs. The standards need to be complementary to any regulatory standards, but it is also the case that these standards might need to be more rigorous or be more granular to enable the FMI to meet fully its obligations to its members and regulators. Box 25.5 provides an example of how an FMI could work together with its participants and other stakeholders to mitigate risk to financial stability.

What This Might Mean for Firms and FMIs in Practice

47. The supervisory authorities consider the ideas in this DP to be applicable to all types of firms and FMIs. The application of these ideas will, however, differ depending upon the nature and complexity of the relevant firm or FMI, including its size, activities and level of interconnectedness (and hence its impact on others and the financial system). Generally, all firms and FMIs would be considering two aspects in determining whether significant change is required by any future policy:

• Have they identified their business services in a way that permits the firm or FMI to link their activities to their business objectives and the objectives of the supervisory authorities?

• Have they appropriately prioritised between business services to ensure the most important ones are resilient to operational disruption?

48. Figure 25.4 illustrates the steps firms and FMIs could go through if policy were to be developed along the lines set out in this DP.

Large Firms and FMIs

49. Large firms are likely to have many business services, while FMIs typically have a single business service which is likely to be significant to financial stability. There are numerous ways disruptions to business services could impact the supervisory authorities' objectives.

50. Such firms and FMIs could be expected to consider their impact tolerances for their most important business services. In doing so, the supervisory authorities could also expect them to

23 The PFMI are formally applied to Central Counterparties and Central Securities Depositories through the European regulatory regimes (EMIR and CSDR). There is, however, no equivalent legislative framework applying the PFMI to payment systems.


take into account the work of the FPC, consider their contribution to economic functions, and use any FPC impact tolerances to inform their own impact tolerances. They could test themselves regularly against their own severe but plausible operational scenarios. They could also ensure that they have co-ordinated communications plans for internal functions, the supervisory authorities, consumers and other market participants should tolerances be breached. As set out in the June 2018 FSR, some firms and FMIs may also be the subject of stress testing developed by the Bank and the PRA, with input from the FPC.

Figure 25.4 Improving operational resilience. Firms and FMIs could consider the following issues. To be effective, the process would need to be repeated routinely, with lessons learned incorporated into each iteration.

[Figure 25.4, reproduced as text; the step labels recoverable from the page are shown where they survived:]

• Identify the most important business services and how much disruption could be tolerated in what circumstances

• ... the systems and processes that support these business services

• Assess how the failure of an individual system or process could impact the business service

• ... using scenarios and by learning from experience, that resilience meets the firm's tolerance

• Invest in ability to respond and recover from disruptions through having appropriate systems, oversight and training

• ... timely information to internal stakeholders, supervisory authorities, customers, counterparties and other market participants

51. The supervisory authorities could review the work these firms and FMIs undertake in relation to operational resilience on a regular basis, and provide feedback as appropriate. If the supervisory authorities identify concerns, they could take further targeted action, with specific assessments of certain areas and, if necessary, request remedial action.

52. In many instances, the ideas discussed in this DP are a natural extension of what large firms and FMIs and the supervisory authorities already do.

Small or Mid-Sized Firms

53. Smaller firms are likely to only have a few business services, not all of which will be important to the firms' viability, have the potential to cause harm to consumers, or impact on financial stability. Nevertheless, some business services may be pivotal to the firm or even to the wider economy. There is likely to be a wide range of different business services across the sector.

54. A small bank or building society might identify operating customer savings accounts and the provision of mortgages as its most important business services. Identifying these two services, and assuming disruptions to them will occur, could support a smaller firm's own risk management and the setting of appropriate impact tolerances.

55. Such firms could undertake some limited testing of their operational resilience, based on their own scenarios. A pre-designed scenario provided by the supervisory authorities may also be of use. Testing could be designed to reveal, for example, what impact an incident would have on a firm's customers for a specific business service and other connected business services, as well as how the continuity planning arrangements seek to mitigate or prevent harm to consumers.

56. Firms could then address any deficiencies identified. This could include: ensuring joined up communications between all relevant functions within the firm (such as the business area that owns the data, customer services, operations, technology, and any third party providers); providing customers with information and advice; and prioritising assistance to customers exposed to the greatest harm.

57. The supervisory authorities could review the work such firms undertake on a periodic basis. But it is less likely such firms would be required to undertake further supervisory authority led review work, unless the supervisory authorities have particular cause for concern.

Very Small Firms

58. The smallest firms, such as financial advisors with few employees, are likely to only have few—perhaps only one—important business services. Such firms are also likely to have limited resources to increase their operational resilience.
396 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
59. Nevertheless, the supervisory authorities consider the proposed framework could still be relevant and beneficial. They envisage such a firm could:

• identify 'financial advice' as its important business service;

• identify how long it could operate as a business without providing that service;

• consider the systems and processes it relies on — for instance access to financial products and communication to clients; and

• consider how these processes could be duplicated in the event of some type of disruption, the length of time it might take to set up alternative arrangements, and whether prior planning would be useful.

60. Such firms are likely to have limited supervisory engagement in this area. Nevertheless, thinking about the issue of operational resilience and what alternative arrangements could be made may still be beneficial.

Questions

B) How do boards and senior management currently prioritise their work on operational resilience?

C) What changes are firms and FMIs planning to make to strengthen operational resilience over the next few years? How involved are board members in the planning, implementation and embedding of any changes? What are the likely benefits and costs involved?

25.4 CLEAR OUTCOMES FOR OPERATIONAL RESILIENCE

This section expands the idea that firms and FMIs would develop impact tolerances for important business services. These would provide clear metrics indicating when an operational disruption would represent a threat to a firm's or FMI's viability, to consumers and market participants or to financial stability. The section discusses what impact tolerances are and their purpose. The supervisory authorities are particularly interested in metrics firms and FMIs currently use.

1. As discussed in Section 2, the supervisory authorities consider that there is a benefit in boards and senior management having a clear understanding of the level of resilience required for their most important business services. To achieve this, they would need to be able to identify the relative importance of business services and be able to articulate the clear outcomes required.

2. The supervisory authorities envisage that the relative importance of business services can be derived by boards and senior management considering a firm's or FMI's business interests alongside the supervisory authorities' objectives. A business service that, if disrupted, represents a threat to a firm's or FMI's viability is clearly important — likewise, a business service that, if disrupted, could cause consumer harm, or impact financial stability.

3. The supervisory authorities are considering whether firms and FMIs should be required to set metrics that describe an intolerable level of disruption to their most important business services, in a severe but plausible stress scenario — impact tolerances. As discussed in Section 4, it is important to note that the impact tolerance would apply to the provision of the business service as opposed to the systems and process that support it.

4. The supervisory authorities envisage that firms and FMIs would determine their own impact tolerances. A firm or FMI would need to be able to explain how the particular impact tolerance has been arrived at for an important business service, how it relates to the supervisory authorities' objectives, and in which scenarios a breach of impact tolerances could be acceptable. These are likely to be limited to the most severe, but plausible, scenarios.

5. Scenarios are important because they introduce proportionality. They indicate how severe a disruption the firm or FMI anticipates being able to withstand, while remaining within its impact tolerance. This is illustrated in Figure 25.5 in Case 1, where Scenario 4 is so severe that it would be disproportionate for a firm or FMI to stay within their impact tolerance. Case 2 shows where a firm or FMI might need to improve the systems and processes supporting the business service, as less severe scenarios would breach their impact tolerance.

6. Impact tolerances would need to be expressed clearly and would be separate from any risk appetites or recovery time objectives (RTO). Impact tolerances express an upper limit where a breach is to be avoided in all but the most extreme scenarios. Risk appetites and RTOs, on the other hand, tend to express a desired outcome that is achieved with high probability. The supervisory authorities anticipate that firms and FMIs would be able to explain the relationships between the impact tolerances, risk appetites and RTOs they have set and that the approaches are complementary.

7. As an example of an impact tolerance in practice, the Bank sets a time and volume-based impact tolerance as operator of CHAPS.24 The Bank states that all payments (volume) should be

24 See also the PFMI. Principle 17 (Operational risk) indicates that an FMI should aim to resume operations within two hours following a disruptive event and complete settlement by the end of the day, even in extreme circumstances.

Chapter 25 Building the UK Financial Sector's Operational Resilience ■ 397


Figure 25.5 Combining impact tolerances and scenario testing to establish a proportionate level of operational resilience.

[Figure: two panels, one per case. Vertical axis: scenarios ordered from Low through Scenario 1 to Scenario 4; horizontal axis: Time, with a 2-day outage marked. Key: scenario recovered within tolerance; scenario not recovered within tolerance.]

Case 1: A firm or FMI considers its impact tolerance against severe but plausible scenarios. Operational resilience is sufficient - it is disproportionate to expect the firm or FMI not to breach its impact tolerance in the extreme scenario of scenario 4.

Case 2: A firm or FMI considers its impact tolerance against severe but plausible scenarios. In this case, operational resilience is not sufficient - the firm or FMI should take steps to improve operational resilience.

settled by the end of the operating day (time) in all, even extreme, circumstances.25 The supervisory authorities envisage that firms and FMIs may need to establish time-based impact tolerances for services such as transferring funds between accounts, the processing of mortgages, and the ability to perform collateral management.

Current Approaches

8. Many firms and FMIs will already be setting their own risk appetites.26 In suggesting the introduction of impact tolerances for the most important business services, the supervisory authorities seek to provide a focus for some of the existing work many firms and FMIs will already be doing. For instance, firms and FMIs would still set board-agreed risk appetites, but the supervisory authorities consider these could be better informed by detailed impact tolerance statements focused on the most important business services. Similarly, there is still likely to be a need for setting performance metrics on individual systems and processes which support delivery of these services.

9. The supervisory authorities are interested in understanding how the approach outlined above differs from firms' or FMIs' current activities. In particular, the supervisory authorities are keen to understand what types of metrics firms and FMIs use and which have proved most useful — whether these metrics relate to service downtime, volume of transactions, or anything else.

Potential Benefits of Setting Impact Tolerances

10. The supervisory authorities consider that setting impact tolerances for the most important business services could:

a. support firms and FMIs in prioritising investment and resource allocation;

25 The Bank's tolerance is in line with Principle 17 of the PFMI, that requires an FMI to aim to resume operations within two hours following disruptive events, and to complete settlement by the end of the day, even in extreme circumstances.

26 In line with the Basel Committee on Banking Standards' Principles for the Sound Management of Operational Risk (Principle 4, www.bis.org/publ/bcbs195.pdf), the Basel Committee and International Organization of Securities Commissions' joint Principles for Financial Market Infrastructures (Principle 2, www.bis.org/cpmi/publ/d101a.pdf), and EIOPA Guidelines on System of Governance (Guideline 19 (Operational Risk Management Policy): https://eiopa.europa.eu/Publications/Guidelines/Final_EN_SoG_Clean.pdf). For PRA-regulated firms, see PRA Supervisory Statement 5/16 'Corporate governance: Board responsibilities', May 2016, www.bankofengland.co.uk/prudential-regulation/publication/2016/corporate-governance-board-responsibilities-ss.

b. provide a clear scope when firms and FMIs want to test their own resilience; and

c. provide a focus for supervisory engagement.

11. By setting and articulating a clear impact tolerance at the business service level, it is possible to define alternative processing procedures that can be deployed in case of disruption to systems and processes in order to remain within impact tolerance. An additional benefit is that it is possible for firms to also consider substitute options more broadly. For example, payments could be routed via other payment schemes in order to remain within impact tolerance, although this may not be economically feasible or straightforward at present for many firms.

12. An impact tolerance approach could also address other factors. For instance, firms and FMIs may need to maintain policies for prioritising the provision of a certain level of service in the event of a disruption. This will depend on the type and severity of the operational disruption, and the particular impact the disruption would have. For example, if a bank sets an impact tolerance of delivering a percentage of total payment transactions during a disruption, it would also need a protocol for prioritising payments. Banks could process payments in order of arrival, or prioritise time-critical payments such as house purchases or payments to vulnerable people.

13. While an impact tolerance is likely to focus on performance during a single operational disruption, firms and FMIs could also analyse business service delivery over a longer time period to inform their wider risk management. Analysis could include the number of outages in a year, the total length of time that a business service was impaired and the volume of transactions disrupted.

Questions

D) What are readers' views on the possibility of firms and FMIs being asked to set impact tolerances for their most important business services?

E) What approach and metrics do firms and FMIs currently use?

F) If these proposals would require some firms and FMIs to update part of their existing risk management framework, what would this involve?

G) What are readers' views on producing an impact tolerance statement as described? What relevant operational resilience risk management documentation do firms and FMIs already produce, and how does this differ from impact tolerance statements?

25.5 SUPERVISORY ASSESSMENT OF OPERATIONAL RESILIENCE

This section explains how supervisors could gain assurance that firms and FMIs ensure the continuity of their most important business services, and that boards and senior management are sufficiently engaged. The supervisory authorities are reviewing their existing approaches in light of the proposed focus on business services, and are considering the role of scenario testing in this context.

1. The supervisory authorities anticipate that a focus on the operational resilience of firms' and FMIs' most important business services will offer the opportunity to review and consolidate existing supervisory tools and assessment practices.

2. A future supervisory approach could cover four broad areas, taking into account the specificities of the relevant regulatory regimes for firms and FMIs:

• sector-wide work, including any potential stress testing developed by the Bank and the PRA with input from the FPC;

• supervisory assessment of how firms and FMIs set and use impact tolerances;

• analysis of systems and processes that support business services; and

• assurance that firms and FMIs have the capabilities to deliver operational resilience and are in compliance with existing rules, principles, expectations and guidance.

3. The supervisory authorities can deploy a range of existing tools to deliver the above, including questionnaires. The supervisory authorities are seeking to develop their existing supervisory approach in a targeted and proportionate manner.

4. Such an approach could provide the supervisory authorities with a layered understanding of both the resilience of individual firms and FMIs, and the financial resilience of the UK economy.

Sector-Wide Work

5. As discussed in the June 2018 FSR (see Box 25.2), a stress-testing approach will be developed by the Bank and the PRA, with input from the FPC.

6. In addition, the supervisory authorities already help to coordinate the sector exercising programme sponsored by the Cross Market Operational Resilience Group (CMORG), which is chaired by the Bank and industry. These voluntary exercises rehearse collective response mechanisms, including testing



of communication lines, co-ordination arrangements and decision-making processes. Participants are the supervisory authorities, Government, and firms and FMIs at the core of the financial system. The aim is that in a real event the participants are familiar with the actions they need to take, and that the mitigating actions are implemented efficiently to achieve the desired outcomes.

7. These exercises also identify ways in which collective response arrangements might be strengthened. Several sector-wide exercises have been organised in the past to rehearse the sector's response to bomb threats, flu pandemic, severe weather and travel disruption. More recently the supervisory authorities simulated and tested the industry's response to an extended outage of the Bank's RTGS system.

8. The supervisory authorities also participate in technical desktop exercises organised by the sector. These aim to assess the potential impact from market disruption and consider how it may be mitigated in a major event. Some of these exercises have led to the development of industry-owned resilience playbooks, which set out coordinated approaches to dealing with particular scenarios.

Reviewing How Impact Tolerances Are Set and Used

9. The supervisory authorities are considering how to review the setting of impact tolerances, whether there is clear governance and accountability, and how the impact tolerances are tested. The translation of impact tolerances into actual investment decisions and contingency planning is of particular interest.

10. The supervisory authorities envisage impact tolerance statements being the responsibility of individual firms and FMIs, and would look to them to explain how their impact tolerances link to their ongoing viability, the potential harm to consumers and market participants, and any potential impact on financial stability. The supervisory authorities might not agree with a firm's or FMI's impact tolerance statement. This might be because the supervisory authorities have more information than the firm or FMI, or because the relevant authority makes a different judgement. In such cases, the appropriate supervisory authority would ask the firm or FMI to revise its impact tolerance.

11. The supervisory authorities may also consider setting their own impact tolerances for firms or FMIs to meet within the context of severe, but plausible, scenarios.

Analysis of Systems, People and Processes that Support Business Services

12. The supervisory authorities would seek to gain further assurance that firms and FMIs have taken appropriate tangible steps to increase their operational resilience. At a minimum, firms and FMIs would be able to map the systems, people and processes that support their business services. This would include dependencies outside of their firm and not be restricted by geography. They would also ensure that they have appropriate communications plans in place, for when disruption to a business service occurs.

13. As explained earlier in this DP, the assumption of failure is likely to be fundamental to the supervisory authorities' approach. The supervisory authorities might focus on the back-up systems, redundancies, substitutability arrangements and other measures firms and FMIs have put in place and the extent to which a firm or FMI has self-assessed its resilience using scenarios. Supervisors might also conduct targeted assessments of firms' and FMIs' operational infrastructure, activities, decision-making and their supporting data.

Gaining Assurance that Firms and FMIs Have the Capabilities to Deliver Operational Resilience

14. The overall resilience of firms and FMIs is the result of how all their practices, processes and culture — collectively 'capabilities' — combine to allow them to adapt and respond to operational disruption. As part of this approach, the supervisory authorities would consider how effective the board is in providing governance and leadership to their organisation's resilience work, and in developing the necessary capabilities.

15. The supervisory authorities would be likely to use firms' and FMIs' own risk management as a starting point for operational resilience supervision. They are also considering setting scenarios for firms to test (not dissimilar to some of the current elements of the PRA's capital framework). An objective of using scenarios would be to help determine which firms or FMIs need to develop their operational resilience.

16. Where development is required, firms' and FMIs' actions could include the identification and rehearsal of alternative processing procedures; system design offering greater substitutability at the service level; outsourcing; or third party substitutability arrangements.

Supervisory Tools

17. Regular supervisory engagement and review of firms' and FMIs' own risk management is already complemented by a range of specific tools which the supervisory authorities currently apply on a proportionate basis. Such review work typically targets specific risks and can be undertaken in a variety of ways including questionnaires, simulations, skilled persons' or experts' reports and wider thematic reviews. Firms' recovery and resolution plans and OCIR arrangements, where applicable, can also be useful sources of information for the supervisory authorities.

18. The supervisory authorities could make an increased use of questionnaires to assess operational resilience in future, potentially drawing on existing frameworks which support assessment of firms' and FMIs' capabilities. Existing frameworks include the CPMI-IOSCO guidelines, the G7 Fundamental Elements of Cybersecurity, the National Institute of Standards & Technology (NIST) Cybersecurity Framework, and the National Cyber Security Centre (NCSC) Cyber Assessment Framework.

19. A capabilities assessment questionnaire could be derived from the existing NIST principles, which set out that companies should: identify potential vulnerabilities and sources of risk, seek to protect themselves from threats, detect incidents, respond to, and recover from disruptions.

Questions

H) What operational resilience tests or scenarios do firms and FMIs already consider and undertake for their own risk management purposes? What factors do firms and FMIs take into account when devising operational resilience tests or scenarios?

I) How do boards and senior management currently gain assurance over the operational resilience of their firm or FMI?

J) What are readers' views on the proposed developments to the supervisory authorities' approach to operational resilience?

CONCLUSION

1. This DP aims to promote an open and constructive dialogue with stakeholders, and share the supervisory authorities' current thinking on how the operational resilience of the financial services sector could be enhanced.

2. The supervisory authorities are exploring a business services approach because it could be of value to organisations of all sizes as they manage their resilience in a dynamic environment. A focus on business services could help increase the transparency of firms' and FMIs' resilience work. It could drive better decision-making, as it would enable prioritisation of resilience work and the associated investment. It would provide a basis for firms and FMIs to set impact tolerances, set with reference to the supervisory authorities' objectives. The supervisory authorities themselves might also see the need to set impact tolerances for some business services.

3. The concept of impact tolerance is core to the supervisory authorities' thinking and may challenge firms and FMIs to think differently. It encourages them to assume operational disruptions will occur. This means that attention can be directed towards minimising the impact of disruption on important business services. Impact tolerance focuses firms, FMIs and the supervisory authorities on the potential vulnerabilities in business and operating models. The work they do to increase the resilience of these need not be tied to specific threats, rather an important business service should be made resilient to a wide variety of threats.

4. Firms' and FMIs' processes, practices and culture need to work effectively to achieve the increased level of operational resilience that they and the supervisory authorities seek. This DP suggests an approach for potential supervisory expectations and assessment:

• Preparation: firms and FMIs identify and focus on the continuity of their most important business services as a means of prioritising their own analysis, work and investment in operational resilience. They set impact tolerances for their important business services and are able to demonstrate substitutability or the capability to adapt processes during disruption.

• Recovery: firms and FMIs assume disruptions will occur, and develop the means by which they can adapt their business processes and practices in the event of shocks in order to preserve continuity of service.

• Communications: firms and FMIs have strategies for communicating with their internal and external stakeholders, including the supervisory authorities and consumers. This should include how to handle the situation to minimise the consequences of disruption.

• Governance: firms' and FMIs' boards and senior management are crucial in setting the business and operational strategies and overseeing their execution in order to ensure operational resilience.



Responses and Next Steps

5. The supervisory authorities welcome feedback on this DP, including any specific suggestions, issues, or potential alternatives.

6. The supervisory authorities will work together to reflect on the feedback as they: develop potential proposals for consultation; develop their respective supervisory approaches; and work with the FPC as it develops its own impact tolerances. The supervisory authorities will also be drawing together existing policy material related to operational resilience in order to support firms and FMIs to build their resilience.

7. The supervisory authorities have found that collaboration with firms, FMIs, security and other public and private sector organisations provides a constructive approach to promoting operational resilience. They intend to continue this strategy, working with other organisations in both authority-led and industry fora. The supervisory authorities believe that cooperation in this area is vital to achieving good operational resilience outcomes and financial stability.

FEEDBACK AND QUESTIONS

1. The supervisory authorities encourage responses to the questions posed and any other observations that readers may have in response to this DP by Friday 5 October 2018. Responses and input from a wide range of stakeholders including regulated firms, FMIs, consumers, industry bodies, auditors, specialist third-party providers, professional advisors and other regulators are welcomed.

2. The supervisory authorities will use these responses to inform current supervisory activity and future policy-making. The supervisory authorities will share relevant information with the FPC to inform its approach to building cyber resilience in the UK financial system. They may publish extracts or summaries of views from respondents.27

A) What are readers' views on the proposed focus on continuity of business services? Would a service rather than systems-based approach represent a significant change for firms and FMIs compared with existing practice? What other approaches could be considered?

B) Would encouraging firms and FMIs to consider their contribution to the vital services that the real economy demands change the way they manage operational resilience, and if so how? What additional costs would this incur?

C) How do boards and senior management currently prioritise their work on operational resilience?

D) What changes are firms and FMIs planning to make to strengthen operational resilience over the next few years? How involved are board members in the planning, implementation and embedding of any changes? What are the likely benefits and costs involved?

E) What are readers' views on the possibility of firms and FMIs being asked to set impact tolerances for their most important business services?

F) What approach and metrics do firms and FMIs currently use?

G) If these proposals would require some firms and FMIs to update part of their existing risk management framework, what would this involve?

H) What are readers' views on producing an impact tolerance statement as described? What relevant operational resilience risk management documentation do firms and FMIs already produce, and how does this differ from impact tolerance statements?

I) What operational resilience tests or scenarios do firms and FMIs already consider and undertake for their own risk management purposes? What factors do firms and FMIs take into account when devising operational resilience tests or scenarios?

J) How do boards and senior management currently gain assurance over the operational resilience of their firm or FMI?

K) What are readers' views on the proposed developments to the supervisory authorities' approach to operational resilience?

27 Respondents should indicate if they wish all or part of a response to be kept confidential.

ANNEX 1: GLOSSARY OF TERMS

Business Services

Products and services that a firm or FMI provides to its customers. These will vary by firm or FMI, but examples could include the delivery and management of particular loan or insurance products.

Capabilities

The practices, processes and culture within a firm or FMI that deliver operational resilience.

Clearing House Automated Payment System (CHAPS)

CHAPS is a sterling same-day system used to settle high-value wholesale payments as well as time-critical, lower-value payments like buying or paying a deposit on a property.

Cloud Services

Cloud services are remote access services and infrastructure.

Continuity

In the context of this DP, continuity refers to the ongoing provision of a business service.

Economic Functions

The broad set of services the financial sector provides to the UK economy, and hence an aggregation of business services that one, or more, firms or FMIs provide. For example, the economic function of retail mortgages and secured lending would comprise a number of individual business services. If sufficiently significant in terms of both size and function, these economic functions can become critical to the UK economy.

Financial Market Infrastructure (FMI)

A multilateral system among participating institutions, including the operator of the system, used for the purposes of clearing, settling, or recording payments, securities, derivatives, or other financial transactions.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (Regulation 2016/679) regulates the processing of personal data relating to individuals in the EU by other individuals, companies or organisations.

Impact Tolerances

Describe firms' and FMIs' tolerance for disruption, under the assumption that disruption to a particular business service will occur. Impact tolerance is expressed by reference to specific outcomes and metrics. Such metrics could include the maximum tolerable duration or volume of disruption, the criticality of ensuring data integrity or the number of customers affected. Impact tolerances are different from risk appetite, in the sense that they assume a particular risk has crystallised, but they will inform the risk appetite of a firm or FMI's board and senior management.

Impact Tolerance Statement

For the purposes of this DP, the supervisory authorities envisage that how impact tolerances are derived and justified might be set out in a single document called an impact tolerance statement.

Integrity

In the context of this DP, integrity describes data being accurate and complete.

Operational Resilience

For the purposes of this DP, operational resilience refers to the ability of firms, FMIs and the system as a whole to prevent, adapt and respond to, recover and learn from, operational disruption. In this DP, the supervisory authorities focus on the continued delivery of business services or economic functions.

Operational Risk

Operational risk refers to the risk of loss from inadequate or failed processes, people or systems or from external events. Threats to firms' and FMIs' operations take a wide variety of forms.

Risk Appetite

A firm's risk appetite is the amount and type of risk a firm is willing to accept, or avoid, in order to achieve its business objectives. When aggregated in a single document, this is referred to as a risk appetite statement.

Real Economy

The production of goods and services within an economy.

Real-Time Gross Settlement (RTGS) Service

Infrastructure that holds accounts for banks, building societies and other institutions. The balances in these accounts can be used to move money in real time between these account holders. This delivers final and risk-free settlement.

Senior Manager's and Certification Regime (SM&CR) and Senior Insurance Managers Regime (SIMR)

Rules in the PRA Rulebook and FCA Handbook ('Senior Management Functions' (SMF)) requiring firms to appoint

Chapter 25 Building the UK Financial Sector's Operational Resilience ■ 403


m anagers, approved by the regulator, who are responsible for Systems and Processes
specific areas and each of the firm s' business functions and
activities. SM F24 in particular is the C h ief O perations func­ The underlying software, people, assets, policies and proce­
dures that support the delivery of business services.
tion, which has responsibility for the internal operations and
technology, currently of banks, dual-regulated investm ent firms
and building societies. Vital Services
The key services that the real economy demands from the financial
system: providing the main mechanism for paying for goods,
Supervisory Authorities
services and financial assets; intermediating between savers and
The collective term for the PRA, the FC A , and the Bank of borrowers, and channelling savings into investment, via debt and
England (in its capacity of supervising FMIs). equity instruments; and insuring against and dispersing risk.

404 ■ Financial Risk Manager Exam Part II: Operational Risk and Resiliency
Striving for Operational Resilience: The Questions Boards and Senior Management Should Ask

Learning Objectives

After completing this reading you should be able to:

Compare operational resilience to traditional business continuity and disaster recovery approaches.

Describe elements of an effective operational resilience framework and its potential benefits.

Excerpt is reprinted from Striving for Operational Resilience: The Questions Boards and Senior Management Should Ask, by Rico Brandenburg, Tom Ivell, Evan Sekeris, Matthew Gruber and Paul Lewis, by permission of Oliver Wyman.
EXECUTIVE SUMMARY

Operational resilience has become a key agenda item for boards and senior management. Increasing complexity in processes and IT, dependence on third parties, interconnectedness and data sharing, and sophistication of malicious actors have made disruptions more likely and their impact more severe. High-profile examples of business and operational disruptions abound, covering all segments of the financial services industry.

Resilience is fundamentally different from traditional business continuity (BC) and disaster recovery (DR). These disciplines have historically been heavily focused on physical events, were designed and tested in organizational silos, and are, by most organizations, primarily viewed as a compliance exercise. Operational resilience, instead, focuses on the adaptability to emerging threats, the dependencies and requirements for providing critical business services end-to-end (crossing organizational silos), and the broader economic as well as firm-specific impact of adverse operational events. It requires a mindset shift in the organization away from resilience as a compliance exercise to resilience as a key organizational capability that is everyone's responsibility to maintain and continuously improve.

Financial regulators have started to stipulate expectations around management of resilience, resilience reporting, and effective oversight. In response, many firms are embarking or will need to embark on transformational programs to strengthen their resilience to disruption, incidents, and attacks across all operational resilience domains - technology, data, third parties, facilities, operations, and people. In addition, boards and senior management need to provide effective challenge of their organization's resilience ambitions, program, and critical risks that remain to their day-to-day operations.

Achieving operational resilience is inherently challenging given the increasing complexity of processes, technology infrastructure, and organizational silos. However, the business benefits go beyond pure risk and compliance, often forming an inherent part of a firm's value proposition.

This paper explores the key questions that boards and senior management should ask about their organization's level of operational resilience.

Operational resilience is the ability of an organization to continue to provide business services in the face of adverse operational events by anticipating, preventing, recovering from, and adapting to such events.

26.1 WHY NOW?: NEED FOR OPERATIONAL RESILIENCE

Continuity of service has always been a priority for financial firms. After all, disruptions can impact revenue, client experience, and franchise value.

BC and DR have historically emphasized physical events (e.g., natural disaster, active shooter), are limited by organizational boundaries, and are, by most organizations, primarily viewed as a "check the box" exercise rather than true risk management.

However, several trends in financial services have sharply increased the need for more mature operational resilience practices. Exhibit 26.1 below explores the most important trends, which we expect to continue to elevate the topic to discussions at the top table.

These drivers have manifested themselves in high-profile business and operational disruptions across the financial services industry, both through internally-driven operational failures and externally-driven malicious acts. These disruptions illustrate some of the shortcomings of traditional BC and DR approaches:

• Firms have more dependencies for service delivery than ever before, but traditional approaches focus on assets in siloes and ignore potentially critical components of end-to-end service delivery.

• In a rapidly changing environment, traditional "check the box" and reactive approaches focused solely on recovery make firms much slower to adapt.

• By focusing on a standard set of disruption scenarios, traditional approaches provide a false sense of comfort that institutions are prepared for all scenarios.

Additionally, financial firms recognize the need for greater operational excellence (efficiency and effectiveness). Organizations that manage to effectively address the combined need for operational resilience and excellence will be able to unlock significant benefits across the organization (e.g., operational loss, operational cost and complexity reduction, ability to support faster innovation cycles, effective investment into operational capabilities).

26.2 BEND, BUT DON'T BREAK: OPERATIONAL RESILIENCE APPROACH

Operational resilience is the ability of an organization to continue to provide business services in the face of adverse operational events by anticipating, preventing, recovering from, and adapting to such events. The fundamental principle is "bend, but don't break."

Even for many advanced institutions, adopting an operational resilience approach will imply significant changes from traditional (more compliance-focused) BC and DR. Whereas these

Exhibit 26.1 lists, for each driver, its impact on exposure to disruption.

SCALE AND PACE OF INNOVATION
Driver: Competition and customer demand are driving the need for more disruptive innovations and faster innovation cycles.
Impact on exposure to disruption: Increasing complexity of processes and infrastructure required for product and service delivery, and risk of imbalance between time to market and security/resilience.

CONTINUED DIGITIZATION
Driver: Availability of new technology, customer expectations, and desires for efficiency are driving increasing levels of automation and faster adoption of digital delivery capabilities.
Impact on exposure to disruption: Traditional (manual) fallback methods no longer viable, and more challenging to identify the "weakest link" among connected digital systems.

RELIANCE ON LEGACY INFRASTRUCTURE
Driver: Incumbent institutions rely on older technology infrastructure that is less flexible, requires specialized knowledge to maintain, and is difficult to integrate with new technologies and processes.
Impact on exposure to disruption: Challenging to embed risk and resilience requirements in technology, which increases the exposure to disruptive events.

EXTENSION OF THE SUPPLY CHAIN
Driver: Institutions are increasingly adopting outsourcing as a business strategy, expanding their reliance on third parties (and their third parties' third parties).
Impact on exposure to disruption: More difficult to gain a comprehensive view of the firm's third-party dependencies and exposure, as well as to assess the risk and resilience posture of all relevant third parties.

INTERCONNECTEDNESS AND SHARING
Driver: Financial institutions are sharing more information and services more broadly (partly through deliberate government policy).
Impact on exposure to disruption: More likely to be affected by vulnerabilities and disruptions in another part of the ecosystem.

CONTINUED RISE IN SOPHISTICATION OF MALICIOUS ACTORS
Driver: Cyber attackers are innovating rapidly to identify new means of attack and ways of exploiting firms' vulnerabilities.
Impact on exposure to disruption: More challenging to prevent, detect, respond, and recover from cyber attacks.

Exhibit 26.1 Drivers of exposure to disruption.

traditional approaches focus solely on recovery, operational resilience has a broader scope and needs to be integrated into the risk-mitigation fabric of the organization.

Resilient organizations focus on anticipation, prevention and adaptation, rather than recovery actions once the "horse has bolted." In addition, resilient organizations have creative ways to provide critical business services in the event of a disruption, beyond simply getting the technology up and running again (e.g., using branches to service customers at scale when digital channels might be down).

Exhibit 26.2 shows the key characteristics of an operational resilience approach compared to most organizations' starting point - traditional BC and DR.

Financial services regulators have begun to take note and are beginning to focus on promoting operational resilience, versus traditional BC and DR. The principles outlined in Exhibit 26.2 are reflected in an increasing body of regulatory consultation and guidance papers.

With the lessons from the financial crisis still fresh, regulators have overlaid a "systemic" lens, prompting firms to explicitly consider and measure how disruptions would impact the broader market. At the same time, they are emphasizing that resilience is applicable to all institutions, even if the objectives for each institution might differ. For example, Financial Market Infrastructure's (FMI) resilience objectives will likely focus on avoiding systemic disruptions, while smaller institutions' objectives will likely focus on maintaining shareholder value.

Global institutions will need to pay particularly close attention to regulatory developments, as regulators in different jurisdictions have not yet aligned on their expectations for firms.

RECENT RESILIENCE-RELATED REGULATORY PUBLICATIONS

JULY 2018
Bank of England/Prudential Regulation Authority/Financial Conduct Authority discussion paper, "Building the UK financial sector's operational resilience"

DECEMBER 2018
European Central Bank guidance, "Cyber resilience oversight expectations for financial market infrastructures"
European Banking Authority consultation paper, "Guidelines on ICT and security risk management"

MARCH 2019
Monetary Authority of Singapore consultation papers, "Proposed Revisions to Guidelines on Business Continuity Management" and "Technology Risk Management Guidelines"

Chapter 26 Striving for Operational Resilience ■ 407


Exhibit 26.2 contrasts, category by category, the operational resilience approach with the traditional approach (BC/DR).

Governance and oversight
Operational resilience approach:
• Clearly defined accountability of board and senior management
• Resilience incorporated into risk appetite statements and metrics across operational risk types
• Comprehensive and actionable reporting to drive continuous improvement
Traditional approach (BC/DR):
• Role of board and senior management limited to post-event response
• Resilience not an explicit consideration in risk appetite statements and metrics
• "Compliance-type" update on exercises

Scope and impact
Operational resilience approach:
• Critical business services end-to-end (ignoring organizational silos)
• Broader economic impact of disruption, in addition to firm-specific impact
Traditional approach (BC/DR):
• Individual business units or specific technology assets
• Firm-specific impact of disruption

Dependencies and design
Operational resilience approach:
• Comprehensive view of dependencies of critical business service on organizational assets (systems, data, third parties, facilities, processes, and people)
• Resilience considerations embedded in the upfront design of business services and organizational assets
Traditional approach (BC/DR):
• View of dependencies in most cases limited to the business unit or directly linked technology assets
• Continuity and recovery capabilities bolted on to satisfy requirements

Scenarios and tolerances
Operational resilience approach:
• Business disruption scenarios tailored to each critical service based on an aligned and forward-looking risk assessment
• Tolerances for business disruption (impact tolerances) based on bespoke scenarios
Traditional approach (BC/DR):
• Standard business disruption scenarios across business units
• Standard tolerances for business disruption (recovery time/point objectives) for all scenarios

Response and testing
Operational resilience approach:
• Single incident response regime (unified incident command) for all incident types
• Plans and capabilities monitored, tested, and adapted continuously
• Emphasis on building trust among crisis management team to enable effective response
Traditional approach (BC/DR):
• Distinct incident response regimes for different incident types, which may negatively impact response times
• Plans and capabilities tested infrequently (e.g., annually)
• Little attention paid to dynamics of crisis management team

Exhibit 26.2 Key characteristics of operational resilience. (The category labels of the original exhibit's first column did not survive extraction; the row headings above are descriptive placeholders, not the original labels.)

26.3 HAS THE ORGANIZATION GOT IT?: IMPORTANT QUESTIONS TO ASK ABOUT OPERATIONAL RESILIENCE

Achieving operational resilience is inherently challenging and complex:

• It requires organizations to understand how all domains (technology, data, third parties, facilities, operations, and people) impact critical service delivery and to build a consistent set of resilience capabilities and controls across these domains.

• It depends on cross-functional, specialized expertise to evaluate and measure the resilience of the organization in light of the specific risks it faces.

• It relies on extensive coordination, collaboration, and preparation to ensure that the organization appropriately considers resilience in all activities and is ready when the worst happens.

Given the complexity of the topic, it is difficult for boards and senior management to assess the current level of operational resilience and determine whether the organization is making resilience investments in the right areas.

What questions should boards and senior management be asking to provide meaningful challenge and oversight?

We believe that boards and senior management should focus on understanding the risk levels of their firms, assessing their firms' readiness for disruptive scenarios, and gaining comfort that their firms have a robust approach to resilience. Boards and senior management should also demand a minimum level of data to support ongoing oversight of risk levels and the progress made along the resilience journey.

Exhibit 26.3 contains a list of key questions on resilience that boards and senior management should ask their management teams.

If the answers to these questions are unsatisfactory, it could signal that the organization needs to increase focus on resilience. In this case, boards and senior management should request that their organizations establish a formal maturity baseline and refocus existing initiatives or launch a new program to uplift their resilience.

26.4 IMPROVING RESILIENCE: GETTING STARTED

For firms needing to launch or reset their programs, we recommend starting small, providing transparency to the boards and senior management, and getting resilience right for one critical service before expanding the program.

Exhibit 26.4 lays out an approach to establishing an effective operational resilience program that allows the organization to enhance its capabilities without being overwhelmed by the scale of the effort.

Organizations that manage to establish effective operational resilience programs will be able to realize the benefits of better resilience as well as related business benefits:

• Reduce and optimize their risk exposure, with improved visibility into their risks, better monitoring, a more proactive approach to controls, and ability to deliver services even when things go wrong.

• Better focus the organization and drive investment towards the most important areas, based on a prioritization of their critical business services.

• Be able to support the innovation agenda of the business and enable faster innovation cycles without compromising on risk management by ensuring the organization is adaptable and considers resilience up front.

• Be more effective and efficient, leveraging a clear understanding of critical service delivery to reduce costs (e.g., optimize outsourcing relationships), streamline processes (e.g., introduce tools and automation), and enhance efficacy (e.g., identify and remediate steps that introduce errors).

However, building an effective program is not easy. It will require new skillsets; closer integration and alignment of risk, IT, and the business; a cultural shift away from "operational resilience is IT's responsibility" to "operational resilience is everyone's responsibility;" and fundamental changes to how the organization operates.

Boards and senior management can help their organizations overcome these challenges. They can encourage the right level of investment, drive a "tone from the top" to break siloes and change culture, and set clear expectations for progress.

Ultimately, by asking the right questions and demanding accountability when the answers are unsatisfactory, boards and senior management can play a pivotal role in enabling their organizations to achieve resilience. With the growing complexity in financial services, it is incumbent on every organization to take resilience seriously, and it is incumbent on boards and senior management to make sure their organization's resilience program is on track.



GOVERNANCE
□ What is our risk appetite for resilience risk?
□ What KRIs and KPIs provide us with a comprehensive view of our maturity and uplift program?
□ Who is accountable in the 1st and 2nd lines of defense for managing, monitoring, and reporting on resilience?

ORGANIZATIONAL FOCUS
□ Does the organization understand the dependencies of critical business services on organizational assets?
□ What are our most critical assets that impact service delivery?
□ How does our approach to resilience change the way we manage operations, technology, and third parties?

INTEGRATION
□ What is our measure of criticality?
□ What are our critical business services and why?
□ How are we leveraging existing definitions of criticality and critical business services (e.g., from resolution planning)?
□ What is our impact on customers and the financial system?

MEASUREMENT
□ What are the most important resilience risks for the organization?
□ How do we monitor and manage the level of resilience of the organization?
□ How is risk appetite reflected in our impact tolerances?
□ In which scenarios are we outside of our defined impact tolerances?

PREPAREDNESS
□ How do we make sure we are effectively prepared for different disruption events?
□ How frequently are we testing our response and recovery capabilities for different disruptive scenarios?

Exhibit 26.3 Resilience questions for boards and senior management.

ESTABLISH THE FOUNDATION
• Assign accountability and develop an operating model for resilience
• Conduct a resilience maturity assessment to establish a baseline of the organization's capabilities
• Articulate the organization's critical business services

PROVIDE VISIBILITY TO THE BOARD
• Define the target resilience maturity ambition for the organization
• Identify an initial set of metrics (including resilience program metrics) to provide ongoing reporting to the board

FOCUS ON A SINGLE CRITICAL SERVICE
• Run a pilot on one critical service to enhance resilience:
  - Identify key dependencies and assess risks
  - Define impact tolerances and evaluate resilience through scenarios
  - Craft an improvement roadmap
• Identify key learnings and program enhancements to facilitate the rollout of the program more broadly

EXPAND THE PROGRAM
• Establish the program to drive resilience improvements based on lessons learned from the pilot and identified areas of enhancement
• Expand the program to enhance capabilities and roll out a resilience approach across the remaining critical services

Exhibit 26.4 Key steps for establishing an effective operational resilience program.

Chapter 26 Striving for Operational Resilience ■ 411


LIOGRAPHY

A rbib, M. A . (Ed.) (1995), The Handbook of Brain Theory and Neural Basel Com m ittee on Banking Supervision (2000a), Range of Practice in
N etworks, The MIT Press. Banks' Internal Ratings System s, Discussion paper, Basel, Sw itzerland.
Adelson, M., and G oldberg, M. (2009), On the Use of M odels by Basel Com m ittee on Banking Supervision (2000b), C redit Ratings and
Standard & Poor's Ratings Services, w w w .standardandpoors.com Com plem entary Sources of C redit Q uality Information, Working
(accessed February 2010). Papers 3, Basel, Sw itzerland.
Akhavein, J ., Fram e, W. S., and W hite, L. J . (2001), The Diffusion of Basel Com m ittee on Banking Supervision (2004 and 2006), International
Financial Innovations: An Exam ination of the Adoption of Small Busi­ Convergence of Capital M easurem ent and Capital Standards. A
ness C redit Scoring by Large Banking O rganization, The W harton Revised Fram ew ork, Basel, Switzerland.
Financial Institution Center, Philadelphia, USA. Basel Com m ittee on Banking Supervision (2005a), Studies on Validation
A lbareto, G ., Benvenuti, M ., M oretti, S. e ta /. (2008), L'organizzazione of Internal Rating System s, W orking Papers 14, Basel, Switzerland.
dell'attivita creditizia e I'utilizzo di tecniche di scoring nel sistema Basel Com m ittee on Banking Supervision (2005b), Validation of Low-
bancario italiano: risultati di un'indagine cam pionaria, Banca d'ltalia, default Portfolios in the Basel IT Fram ew ork, N ew sletter 6, Basel,
Q uestioni e Econom ia e Finanza, 12. Sw itzerland.
Altm an, E. I. (1968), Financial Ratios, Discrim inant Analysis and Predic­ Basel Com m ittee on Banking Supervision (2006), The IRB Use Test:
tion of Corporate Bankruptcy, Journ al o f Finance, 23 (4). Background and Im plem entation, N ew sletter 9, Basel, Sw itzerland.
Altm an, E. I. (1989), Measuring Corporate Bond M ortality and Perfor­ Basel Com m ittee on Banking Supervision (2008), Range of Practices and
m ance, Jo u rn a l o f Finance, X L IV (4). Issues in Econom ic Capital M odeling, Consultative Docum ent, Basel,
Altm an, E. I., and Saunders, A . (1998), C red it risk m easurem ent: D evel­ Switzerland.
opm ents over the last 20 years, Jo u rn a l o f Banking and Finance, 21. Basel Com m ittee on Banking Supervision (2009), Strengthening the
Altm an, E ., Haldem an, R., and Narayanan P. (1977), Zeta Analysis: a New Resilience of the Banking Sector, Consultative Docum ent, Basel,
Model to Identify Bankruptcy Risk of Corporation, Jo u rn a l o f Banking Sw itzerland.
and Finance, 1. Basilevsky, A . T. (1994), Statistical Factor Analysis and Related M ethods:
Altm an, E. I., Resti, A ., and Sironi A . (2005), Recovery Risk, Riskbooks. Theory and A pplications, John W iley & Sons Ltd.
Bank of Italy (2002), Annual Report 2001, Rome. Beaver, W. (1966), Financial Ratios as Predictor of Failure, Jo u rn a l o f
Bank of Italy (2006), New Regulations for the Prudential Supervision of A cco u n tin g Research, 4.
Banks, Circular 263, w w w .bancaditalia.it (accessed February 2010). Berger, A . N., and Udell, L. F. (2001), Small Business Credit Availability and
Baron, D ., and Besanko, D. (2001), Strategy, Organization and Incen­ Relationship Lending: the Importance of Bank Organizational Structure,
tives: Global Corporate Banking at Citibank, Industrial and C o rpo ra te US Federal Reserve System Working Papers, W ashington, D C , USA.
Change, 10 (1). Berger, A . N ., and Udell, L. F. (2006), A more com plete conceptual
Basel Com m ittee on Banking Supervision (1999a), C red it Risk M odelling: fram ew ork for SM E Finance, Jo u rn a l o f Banking, 30.
Current Practices and A pplications, Basel, Switzerland. Berger, A . N ., Fram e, W. S., and Miller, N. H. (2002), C red it Scoring and
Basel Com m ittee on Banking Supervision (1999b), Principles for the the Availability, Price and Risk of Small Business C red it, US Federal
M anagem ent of C red it Risk, Basel, Switzerland. Reserve System W orking Papers, W ashington, D C , USA.
Berger A . N ., Klapper, L. F., and Udell, G . F. (2001), The A bility of Banks De Servigny, A ., Varetto, F., Salinas, E. et al. (2004), C red it Risk Tracker
to Lend to Inform ationally O paque Small Businesses, US Federal Italy, Technical Docum entation, w w w .standardandpoors.com
Reserve System Working Papers, W ashington, D C, USA. (accessed February 2010).
Berger, A . N ., Miller, N. H., and Petersen, M. A . (2002), Does Function DeYoung, R., Hunter, W. C ., and Udell, G . F. (2003), The Past Present and
Follow Organizational Form ? Evidence from the Lending Practices of Probable Future for Com m unity Banks, W orking Paper 14, Federal
Large and Small Banks, US National Bureau of Econom ic Research Reserve Bank of Chicago, USA.
W orking Papers, 8752, C am bridge, M A, USA. Diam ond, D. (1984), Financial Interm ediation and D elegated M onitoring,
Blochwitz, S., and Eigerm ann, J . (2000). Unternehm ensbeurteilung The R eview o f E co n o m ic Stu dies, 51 (3).
durch Diskrim inanzanalyse mit qualitativen M erkm alen, Zeitschrift fur Draghi, M. (2008), A System with More Rules, More C ap ital, Less Debt
betriebsw irtschaftliche Forschung. and More Transparency, Sixth Com m ittee of the Italian Senate, Fact­
Bohn, J . R. (2006), Structural M odeling in Practice, W hite Paper, finding Inquiry into the International Financial Crisis and Its Effects
Moody's KMV. on the Italian Econom y, Rom e, http://w w w .bancaditalia.it (accessed
Boot, A . W. (2000), Relationship Banking: W hat Do We Know? Jo u rn a l o f February 2010).
Financial Interm ediation, 9. Draghi, M. (2009), A ddress by the G overnor of the Bank of Italy, Annual
Boot, A . W ., and Thakor, A . V. (2000), Can Relationship Banking Survive M eeting of the Italian Banking Association, 8 Ju ly 2009, Rome, http://
Com petition? The Jo u rn a l o f Finance, 55. w w w .bancaditalia.it (accessed February 2010).
Brunetti, G ., Coda, Y., and Favotto, F. (1984), Analisi, previsioni, simu- Dwyer, D. W ., Kocagil, A . E ., and Stein, R. M. (2004), Moody's KM V
lazioni econom ico-finanziarie d'im presa, Etas Libri. R iskcalc™ v3.1 M odel, Technical Docum ent, http://www.m oodyskm v
Brunner, A ., Krahnen, J . P., and W eber, M. (2000), Information .com /research/files/w p/RiskCalc_v3_1 _M o d e l.p d f (accessed February
Production in C red it Relationships: on the Role of Internal Ratings in 2010 ) .
Com m ercial Banking, W orking Paper 10, C en ter for Financial Studies Ely, D. P , and Robinson, K. J . (2001), Consolidation, Technology and
of University of Frankfurt, Germ any. the Changing Structure of Banks' Small Business Lending, Fed era l
Burroni, M., Q uagliariello, M ., Sabatini, E ., and Tola, V. (2009), Dynamic R eserve Bank o f Dallas E co n o m ic and Financial Review , First Quarter.
Provisioning: Rationale, Functioning, and Prudential Treatm ent, Engelm ann, B., and Rauhmeier, R. (Eds.) (2006), The Basel II Risk Param ­
Q uestioni di Econom ia e Finanza, 57, Bank of Italy. eters, Springer.
Buzzell, R. D. (2004), The PIMS Program of Strategy Research: A Retro­ Fisher, R. A . (1936), The Use of Multiple M easurem ents in Taxonom ic
spective A ppraisal, Jo u rn a l o f Business Research, 57 (5). Problem s, Annals o f Eu g en ics, 7.
Buzzell, R. D ., and G ale, B. T. (1987), The PIMS principles, The Free Finger, C . (2009a), IRC Com m ents, RiskM etrics G roup, Research Monthly
Press. (February).
Cangem i, B., De Servigny, A ., and Friedm an, C . (2003), C red it Risk Finger, C . (2009b), VAR is from Mars, Capital is from Venus, Risk-M etrics
Tracker for Private Firm s, Technical Docum ent, Standard & Poor's. G roup, Research Monthly (April).
Com m ittee of European Banking Supervisors (2005), G uidelines on the Fram e, W. S., Srinivasan, A ., and W oosley, L. (2001), The Effect of C red it
Im plem entation, Validation and Assessm ent of A dvanced M easure­ Scoring on Small Business Lending, Jo u rn a l o f M o n ey C re d it and
ment (AM A) and Internal Ratings Based (IRB) A pproaches. Banking, 33.
Christodoulakis, G ., and Satchell, S. (2008), The Analytics of Risk G anguin, B ., and Bilardello, J . (2005), Fundam entals of Corporate C redit
Validation, Elsevier. Analysis, M cGraw-Hill.
414 ■ Bibliography
INDEX

A

Aas, K., 213
absolute risk measurement, 204
ABX index, 180
acceptance, of rating systems, 163-164
accounting performance vs. economic value, 21-22
accounting problem, 22
accuracy, data quality, 154
accuracy indexes, for validation, 167
Acharya, V. V., 273, 277
acquisition/divestiture analysis, 201
adaptive response, in cyber resilience, 351
add-on factor, 226
advanced IRB (A-IRB) approach, 331
advanced measurement approach (AMA), 117, 313, 314, 333
    for loss estimation, 253
advanced persistent threat (APT), 353
adverse price movements, 119
after the fact, 25
aggregate risk capital, 189
aggregating risks, 22-23
aggregation. See also risk aggregation
    challenges, 225
    of projections, 262-263
    of risk measure, 208
AIG, 297
Allen, L., 273
Alliant Credit Union, 32
allowance for loan and lease losses (ALLL), 262
American Air Force, 128
American Axle Co., 178
amortised cost, 343
analytic monitoring, in cyber resilience, 351
anchoring bias, 128
ancillary processes, 226
Ang, A., 232
Anti-Kickback Statute, 154
anti-money laundering (AML), 152
    supervisory activity, 290
anxiety bias, 128
Applied Science and Technology Research Institute (ASTRI), 367
arbitrage, convertible bonds and, 179
asset-liability management (ALM), 262
asset management, OpRisk data, 131-132
assets under management (AUM), 131
Association of Certified Fraud Examiners Report to the Nation (2006), 153
asymmetries distribution, 24
asymptomatic single-risk-factor (ASRF) model, 219, 220
asymptotic single risk factor model, 310
at the margin, 20
audit findings, 8
audit, of third parties, 381
Australian crisis, 82
Australian Prudential Regulation Authority (APRA), 82, 96, 363, 364
auto lending, 273
Autorite de Controle Prudentiel et de Resolution (ACPR), 368
availability bias, 127
available capital, 201, 205
available-for-sale (AFS) securities, 252-253
available stable funding (ASF), 323
AXA Rosenberg Group LLC, 174

B

back-testing, 145-146, 168-171, 217, 227
backward-looking indicators, of resilience, 370-371
balance sheet, 261-262
    liability side of, 230
    modeling, 274-275
Bangia, A., 222, 270
Bankers Trust, 184
bank exposures, 312
bank holding companies (BHCs), 236-238
    documenting decisions, 243
    internal capital planning (See capital planning)
    internal control framework, 239
    policies and procedures, 240-241
    scenario design, 245-246
banking book
    formal stress testing, 270
    interest rate risk in, 196, 198, 227-233
    optionality in, 229-230
    vs. trading book, 233
banking conduct and culture
    assessment of industry progress, 86-97
    effective three lines of defense, 94-95
    holding managers accountable, 97
    investor view, 91
    mindset of, 88-89
    performance management and incentives, 91-92
    regulators, supervisors, enforcement authorities, and industry standards, 95-97
    senior accountability and governance, 89-91
    skills and capabilities required of regulators, 103
    staff development and promotions, 92-94
    training for lasting behavioral change, 104
Banking Executive Accountability Regime (BEAR), 82, 96
Banking Standards Board (BSB), 97, 104, 111
Banking Supervisory Requirements for IT (BAIT), 364
Bank of England, 304, 305, 323, 367, 384
Bank of England Act 1998, 385
bankruptcy, 19, 300-301
Bank Secrecy Act (BSA), 152, 287, 290
banks' pricing behaviour, 230-231
banks share information, 373
Banziger, Hugo, 32
Barings Bank, 313
Basel Accord, 126, 304
Basel Committee, 214
    interest rate risk, principles for, 231
    Principle 16, 227
    validation principles, 215
Basel Committee on Banking Supervision (BCBS), 138, 160, 210, 304, 305
base-level metrics, 156
Basel I, 304-309
    goal of, 305
    risk-based capital ratio, 305-309
Basel II, 2, 194
    credit risk capital, 310-312
    event type, 117-119
    innovations of, 309
    operational risk capital, 313
    Pillar 2, 309, 310
    Pillar 3, 309, 310
    regulation, 122, 160, 164
    validation principles, 215
Basel II.5, 318-319
Basel II Accords, 152-153
Basel III, 319
    capital conservation buffer, 321-323
    capital, definition of, 320
    CVA risk framework, 323, 332-333
    finalising post-crisis reforms, 337-344
    internal ratings-based (IRB) approach, 323-324, 331-332
    leverage ratio, 321, 333-334
    liquidity risks, 323-324
    operational risk framework, 324, 333
    output floor, 334-335
    post-crisis reforms, 322
    standardised approach for credit risk, 323, 328-331
    transitional arrangements, 335-336
basic indicator approach (BIA), 313
basis risk, 176
Bear Stearns, 266
benchmarking, 168-171, 217
benchmark models, 145, 252
Berkowitz, J., 270
bias, in scenario analysis, 127
bid-ask spread, 229
bilateral clearing, 294, 296
bilateral cyber-security information-sharing, 375
binomial test, 168
BIS, 190, 270
Black, F., 228
Black-Scholes biases/model, 174
board and management engagement, 72
board of director (BOD), 4
    capital planning and, 241-242
    in cyber-security, 365
    governance, 5-7
    recommendations for, 55-57
    responsibilities regarding service providers, 282
    risk management, 147
board reporting, 242
Board to Banker, 65
bootstrap procedures, 167
bottom-up process, 50, 56
Boudoukh, J., 273
Brace, A., 228
Breuer, T. M., 210
broker-dealers risk, 132
Buehler, Kevin, 32
burned-out capital, 185
business continuity (BC), 403, 406
    financial market infrastructures (FMIs), 394
    of service providers, 287

418 ■ Index
business cycle, 191
business disruption and system failures (BDSF), 119-120
business environment and internal control environment factors (BEICFs), 123-126
    key risk indicators (KRIs), 125
    risk control self-assessment (RCSA), 124-125
business impact assessment (BIA), 380
business impacts, of data quality, 152-153
business impact view, 157
business indicator (BI), 333, 338, 339
business indicator component (BIC), 323, 333, 338, 342-343
business-level use, of economic capital, 199-200
business line management, 134
business performance
    enterprise risk management (ERM), 30-31
business planning process, 49-52
business process mappings, 8
business process view, 157
business resiliency, 5, 12
business resumption, service provider contracts and, 286
business risk, 209
business services, 402
    availability and integrity of existing, 391
    building resilient, 388-389
    focusing on, 387
    prioritising by, 387
    supply of new, 391
    systems and processes, 404
business unit (BU), 41, 46, 47, 49

C

calibration, quantitative validation, 168
Campa, J. M., 231
Canabarro, E., 273
capital
    for credit risk, 310-312
    definition of, 320
    for market risk, 308-309
    for operational risk, 313
    Tier 1 and Tier 2, 305
capital adequacy assessment, 196-197, 202, 261-263
capital adequacy process (CAP), 236
    principles of, 237
capital asset pricing model (CAPM), 184
Capital Assistance Program (CAP), 267
capital budgeting, 192, 201
    decision rule, 188-189
    risk-adjusted return on capital (RAROC), 185-186
capital conservation buffer (CCB), 321-323
capital management
    decisions, 183
    process, 192
Capital Management Policy, 69
capital planning, 236-237
    assessing capital adequacy impact, 261-263
    BHC scenario design, 245-246
    capital policy, 243-245
    estimation methodologies for losses, revenues, and expenses, 246-261
    foundational risk management, 238-239
    governance, 241-243
    internal controls, 239-241
Capital Plan Rule, 236, 237, 242, 245
capital policy, 243-245
    contingency plan, 244-245
    goals and targets, 244
    weak, 244
capital requirements, 96
Capital Requirements Regulation (CRR), 393
captive finance, 178
capture the flag, 348
cash flow mappings, 176
cash flows, 22, 176
catastrophe bonds, 31
catastrophe exposure, 154
CDS indexes, 176
CDX.NA.IG, 176
Central Bank of Ireland, 267
central banks, 304
central clearing, 294-296
central counterparty (CCP), 294, 299
    and bankruptcy, 300-301
    defined, 294
    in OTC markets, 295
central risk function, 133-134
challenger models, 240
change-control processes, 203
charge-off models, 250, 252
chief information officer (CIO), 366
chief information security officers (CISO), 366
chief risk officer (CRO), 14, 16, 31-32, 366
China Banking Regulatory Commission (CBRC), 96
chi-square test, 168
Chrysler, 178
Citigroup, 89
classification tests, for validation, 167
Clearing House Automated Payment System (CHAPS), 385, 392, 403
clearing houses, 295
ClearPort, 295, 301
clients, products and business practices (CPBP) risk, 118-119
CLO, 177
closeout horizon, 226
cloud service providers (CSPs), 378
    regulatory cloud summits, 378
cloud services, 403
CMBS, 180
CMBX, 180
CME Group, 295

Cochrane, J. H., 232
Coherent Stress Testing (Rebonato), 271
Cole, Eric Dr., 352
collection threshold, 121-122
Collins and Aikman, 178
commercial banking, 59
commercial real estate (CRE), 330
Commission de Surveillance du Secteur Financier (CSSF), 378
committee composition, 8
Committee of European Banking Supervisors (CEBS), 267, 268, 378
Committee on Global Financial Stability (CGFS), 231, 270
Committee on Market Best Practices (CMBP), 38
Committee on Payments and Market Infrastructures (CPMI), 362
Committee on Payments Systems and Market Infrastructures (CPMI), 390
committee operation, 8
committee structure, 8
Common Equity Tier 1 (CET1) capital, 328
common risk currency, 209
Commonwealth Bank of Australia (CBA) Group, 39, 71-75
communications plans, FMIs, 394
comparative advantage in risk-bearing, 15
comparative analysis, 9
compensation, service provider contracts and, 284
completeness
    of databases, 122
    of data quality, 154
    of rating systems, 163
complex metric, 156
compliance risk, 239
    data quality, 152, 154
compliance risks, 282
comprehensive approach, 310
Comprehensive Capital Analysis and Review (CCAR), 93, 236, 237, 325
comprehensive risk measure, 319
comprehensive validation
    evaluation of, 143-144
    ongoing monitoring, 144-145
    outcomes analysis, 145-146
computer emergency readiness team (CERT), 376
Computer Incident Response Center (CIRCL), 376
computer security incident response teams (CSIRTs), 376
concentration risk, 282, 377
    identification, 226
conduct, defined, 78
confidence-based impacts, data quality, 152
confidence level
    risk-adjusted return on capital (RAROC), 188
    risk aggregation and, 210
    risk measures and, 207
confidentiality
    of information for third-party interactions, 381-382
    service provider contracts and, 284-285
conservatism, 248
consistency
    data quality, 154-155
    rating systems, 164
Consumer Financial Protection Bureau (CFPB), 96, 326
consumer loans, 229
contagion approach, 219
context bias, 128
contingency considerations, of service providers, 287
contingency plan
    capital, 244-245
    service provider contracts and, 286
contingent convertible bonds (CoCos), 324-325
continuity management, 12
contraction risk, 229
control and mitigation
    risk management environment, 5, 10-11
Control Objectives for Information and Related Technologies (COBIT), 363
convertible bonds, 176
Cooke ratios, 305
coordinated defense, in cyber resilience, 351
copulas, 195, 211, 212, 220
The Core Principles for Effective Banking Supervision (Basel Committee), 2
Core Principles Methodology (Basel Committee), 2
core risk level, 187
core risks, 14, 187
corporate culture, 106-108
corporate exposures, 312
corporate finance, 129
corporate governance, enterprise risk management (ERM), 33
corporate operational risk function (CORF), 3-4
corporate risk manager, 14
corporate treasury, 14
correspondent banking, 291-292
costs, service provider contracts and, 284
Council for Registered Ethical Security Testers (CREST), 352, 367
countercyclical capital buffer (CCyB), 321, 322
counterparties
    credit risk engines, 226
    defaults of, 257
    high risk, 226
    margined vs. non-margined, 225
counterparty credit exposure, 223
    measurement, 224
    range of practices, 225-227
counterparty credit risk, 273
    market risk and, 255-256
counterparty credit risk (CCR), 196, 197
    ancillary processes and, 226
    challenges, 223-225
    model validation, 227
    operational-risk-related challenges, 224-225
country risks, 282

CPMI-IOSCO guidance, 369, 378, 380
credit conversion factors, 307
credit equivalent amount, 307, 308
credit loan loss-estimation approaches, 250
CreditMetrics, 187, 219, 271
credit portfolio management, 199
credit portfolio models, supervisory concerns relating to, 221-222
credit risk, 23
    assessment, 153
    capital for, 310-312
    copulas and, 220
    counterparty, 196, 197, 223-227
    data quality, 153-154
    dependency modelling, 195, 197, 218-222
    interest rate risk and, 232-233
    internal ratings-based (IRB) approach for, 331-332
    and market risk, 224
    price of, 231
    retail and wholesale, 249
    risk aggregation, 209
    standardised approach for, 328-331
CreditRisk+, 219, 220, 271
credit substitution approach, 313
credit support annex (CSA), 225, 296
credit valuation adjustment (CVA), 256, 273, 323, 324, 332-333
CREST Certified Simulated Attack Manager (CCSAM), 367
CREST Certified Simulated Attack Specialist (CCSAS), 367
CREST Certified Threat Intelligence Manager (CCTIM), 367
Critical Infrastructure Notification System (CINS), 374
critical service providers, 394
cross-industry
    high dependence on specialized skills, 85-86
    ineffective leadership and management skills, 86
    lack of diversity, 85
    misaligned incentives, 86
    presence of dominant companies, 85
Cross Market Operational Resilience Group (CMORG), 370, 399
Crouhy, Michel, 188
crowded trades, 225
C-suite, 99, 100
culture
    dashboards, 107
    defined, 78
    of distribution, 108
    of production, 108
cure period, 225
currency, data and, 155
current exposure, 223
current exposure method, 306
customer and product profitability analysis, 200
customer complaints, service provider contracts and, 286
customer due diligence (CDD), 291
customer segmentation, 199, 200
cyber-fraud, 374
cyber-resilience
    adaptation to changing conditions, 347
    business continuity planning and staff engagement, 347-348
    challenge of, 349
    communication and sharing of information, 371-376
    defined, 362
    gamification, 348
    incident response planning, 351-352
    and independent assurance, 368-369
    information security controls testing, 368-369
    interconnections with third parties, 377-382
    negative attributes, 350
    nudging behavior, 348
    objectives, 350-351
    organization, attributes of, 349-351
    positive attributes, 350
    real-time crisis management, 346-347
    response and recovery testing and exercising, 369-370
    risk awareness in staff, 347
    risk management framework, 346
    safety management, 348-349
    security solutions, 352-355
    standards, 347
    standards and guidelines, 363, 364
    supervising methods, 368
    threat detection, 352-353
    training programs, 347
cyber-risk controls, taxonomy of, 369
cyber-security, 346
    architecture and standards, 366
    information-sharing practices, interlinkage of, 371
    management roles and responsibilities, 365
    and resilience metrics, 370-371
    risk awareness culture, 365-366
    strategy, 364-365
    threat analysis, 346
    workforce, 366-367
Cyber Security Agency (CSA), 372
Cybersecurity Fortification Initiative (CFI), HKMA's, 367
Cyber Security Summit, 348
cyber threats, 391
cyber war game, 370

D

Dai, Q., 228
damage to physical assets (DPA), 121
Dang, T. V., 278
Das, S. R., 221
databases
    completeness of, 122
    external, 126

data collection, 165
data, for loss estimation, 249
data governance (DG), 152
data quality, 253-254
    accuracy, 154
    business impacts of poor, 152-153
    checks, 216
    completeness, 154
    compliance risk, 152, 154
    confidence-based impacts, 152
    consistency, 154-155
    control, 155-156
    credit risk, 153-154
    currency, 155
    development risk, 154
    dimensions, 154
    employee fraud and abuse, 153
    financial impacts, 152
    information flaws, 153
    inspection, 155-156
    insurance exposure, 154
    issues view, 156-157
    mapping business policies to data rules, 155
    other dimensions of, 155
    oversight, 155-156
    productivity impacts, 152
    reasonableness, 155
    and revenue assurance, 153
    risk impacts, 152
    satisfaction impacts, 152
    scorecard, 156
    underbilling, 153
    uniqueness, 155
    validating rating models, 164-166
dataset, 162-165
deadweight costs, 14
debt-to-equity ratio, 183
deception, in cyber resilience, 351
decision-making, 141
    authority, 16
    economic capital to, 25-26
    financial aspects of, 138
    process, 42
decomposition, of risk measure, 208
default
    events of, 296
    service provider contracts and, 285
default mode model, 220
default probabilities, 163
default risk charge, 335
Delphi Corp., 178
Delphi technique, 128
delta risk, 298
De Nederlandsche Bank (DNB), 95
Department of Defense Guidelines on Data Quality, 153
dependency modelling
    in credit risk, 195, 197, 218-222
    shortcomings of, 221-222
    use of, 222
derivatives bonds, 31
Derman, E., 228
Deutsche Bank, 32
development risk, 154
differences of opinion, 96
digital service providers (DSP), 376
Dimakos, X. K., 213
direct market access, 132
directors, role of, 112
disaster recovery (DR), 406
disclosure
    economic capital and, 203
    role of, 5, 12
    stress testing, 268, 275-277
discriminatory power, 166, 167
discussion paper (DP), 384
    integrity, 403
    structure, 386-387
dispute resolution, service provider contracts and, 285
distorted risk measures, 206, 207
distributed denial of service (DDOS), 371
diversifiable risk, 14
diversification
    assumptions, 204
    effect, 189-190
    inter-risk, 210-211
documentation
    for capital planning, 241
    risk management, 149
documenting decisions, BHCs with, 243
Dodd-Frank Act, 236, 275
domestically systemically important (D-SIBs), 321, 325
due diligence, service providers and, 283-284, 291
Duffie, D., 221, 296
dynamic simulation model, 229

E

earnings at risk (EaR), 228, 230
economic capital, 182, 183. See also risk capital
    adequacy assessment, 196-197, 202
    business-level use, 199-200
    challenges in, 198
    change-control processes, 203
    counterparty credit risk, 196, 197, 223-227
    to decision-making, 25-26
    defined, 194, 198, 213
    dependency modelling, credit risk, 195, 197, 218-222
    governance and, 194, 199-205

    for interest rate risk, 196, 198, 227-233
    internal model validation, 214-218
    recommendations, 196-198
    risk aggregation, 195, 197, 208-214
    risk identification, 197
    risk measures, 194-195, 197, 205-208
    senior management involvement, 202
    supervisory concerns relating to, 203-205
    transparency and meaningfulness, 205
    unit involved, 203
    uses, 194, 199-205
    validation, 195, 197
economic functions, 403
economic value added (EVA), 34, 185
economic value of equity (EVE), 228, 230
economic value vs. accounting performance, 21-22
employee engagement, 107
employee fraud and abuse, 153
employment practices and workplace safety (EPWS), 120-121
end-to-end processing of payments, 395
Enron, 219
enterprise risk, 68
enterprise risk management (ERM)
    benefits of, 29-31
    business performance, 30-31
    chief risk officer, 31-32
    components of, 32-35
    corporate governance, 33
    and corporate level risk committee, 21
    data and technology resources, 35
    definitions, 28-29
    determining, 16-20
    implementing, 20-26
    leadership, 21
    line management, 33-34
    micro benefits of, 15-16
    organizational effectiveness, 29
    portfolio management, 34
    risk analytics, 34
    risk reporting, 29-30
    shareholder value, 14-16
    stakeholder management, 35
enterprise-wide levels, 41
enterprise-wide use, economic capital and, 200-202
entities, 282
Equifax, 350
equity capital, 24
equity tranche, 178
Ernst & Young, 154
escrow agreements, 285
estimation methodologies
    general expectations, 246-249
    loss-estimation, 249-257
    PPNR projection, 257-261
European Banking Authority (EBA), 91, 267, 269, 274, 362, 363
European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), 369
European Insurance and Occupational Pensions Authority (EIOPA), 314
European Securities and Markets Authority (ESMA), 362
European Supervisory Authorities, 362
events of default, 296
exception VAR, 309
excess equity, 17
exchange-traded market, 294, 300
execution, delivery, and process management (EDPM), 117-118
"Exercise" Resilient Shield, UK/US, 370
existing regulatory requirements
    relating to financial stability, 394-395
    relating to harm, 394
    relating to viability of firms and FMIs, 392-394
expected losses (EL), 34, 188, 250, 311, 312
expected operational losses, 123
expected revenues, 185
expected shortfall (ES), risk measures and, 206, 207
exposure at default (EAD)
    loss estimation and, 250
    value, 223
extension risk, 230
external auditors, 2, 3
external communication, 202
external databases, 126
external data collection and analysis, 8
external dependencies, 12
external frauds, 120
external loss data, 8
external resources, risk management, 148-149
extreme value theory (EVT)
    defined, 228
    drawbacks, 228

F

factor-based capital allocation approach, 16
factor loading, 232
failure resolution mechanisms, 296
Fannie Mae, 266
FASB Statements, 260
fat tails, 22, 24
Federal Deposit Insurance Corporation (FDIC), 364
Federal Financial Institution Examining Council (FFIEC), 282, 285, 363
Federal Insurance Office's (FIO), 130
Federal Reserve Bank, 236, 237
Federal Reserve Bank of New York, 96
Federal Reserve's Capital Plan Rule, 236
feeder models, 240
Feldman, Matthew, 32
Fender, I., 270
Financial Action Task Force's (FATF), 290

financial condition, of service providers, 286-287
Financial Conduct Authority (FCA), 91, 384
Financial Consumer Agency of Canada (FCAC), 96
financial crisis
    2000-2007, 131
    2007-2009, 187
financial distress, 17, 18, 24
financial impacts, data quality, 152
Financial Industry Information Systems (FISC), 367
Financial Industry Regulatory Authority (FINRA), 96
financial institutions, 183
    contract provisions and considerations, 284-286
    defined, 282
    failed, 304
    operations and internal controls, 284
    performance and condition, 283-284
financial market infrastructures (FMIs), 362, 384, 389-397, 403
    business continuity, 394
    communications plans, 394
    and contingency planning, 394
    existing regulatory requirements, 392-395
    and expectations for firms and, 392-395
    impact tolerances, 403
    internal controls, 394
    large firms and, 395-396
    management and governance, 392-393
    outsourcing and critical service providers, 394
    in practice, 395-397
    risk management, 393
    small or mid-sized firms, 396
    very small firms, 396-397
Financial Policy Committee, 326
financial regulators, 406
financial sector professionals, 378
Financial Security Institute (FSI), 367
Financial Services and Markets Act 2000 (FSMA), 384, 385
Financial Services Information-sharing and Analysis Center (FS-ISAC), 374
financial stability
    existing regulatory requirements relating to, 394-395
    impact on, 391-392
Financial Stability Board (FSB), 97, 108, 318
Financial Stability Oversight Council (FSOC), 326
Financial Stability Report (FSR), 385
Financial Stability Strategy, 385
financial terrorism, 290. See also money laundering and financial terrorism (ML/FT) risk management
FinTech Knowledge Hub, 368
FinTech Lab, 368
Fiori, R., 232
fire sale, 187
firms
    business continuity, 394
    communications plans, 394
    and contingency planning, 394
    debt, 19
    internal controls, 394
    management and governance, 392-393
    outsourcing and critical service providers, 394
    risk management, 393
Fisher's r2, 167
Fitch rating, 182
fixed diversification, 211
Fixed Income, Currencies and Commodities Market Standards Board, 97, 104
fixed-rate mortgages, 229
Flannery, M. J., 266
flight to quality, 262, 272
floating-rate bond, 230
Foglia, A., 270
Ford, 178
Ford Motor Credit Co. (FMCC), 178
foreign-based service providers, 286, 287
foreign-exchange (FX) risks, 28
forensic investigation, 351
foundational risk management, 238-239
foundation IRB (F-IRB) approach, 331
frailty approach, 221
A Framework for Internal Control Systems in Banking Organisations (Basel Committee), 2
frauds
    cyber-fraud, 374
    employee fraud and abuse, 153
    external, 120
    internal, 120
Freddie Mac, 266
Friedman, Paul, 174
full modelling/Simulation, 211, 212
full-revaluation methods, 257
fully diversified capital, 190
funding liquidity, 278
futures contracts, 295
futures exchange clearing, 295

G

Gambacorta, L., 231
gamification, 348
gaming, 128
gap risk, 225
GARCH (General Autoregressive Conditional Heteroscedasticity), 232
Gaussian copula, 220, 221
Gaussian copula model, one-factor, 310
General Data Protection Regulation (GDPR), 403
General Motors (GM), 178
General Motors Acceptance Co. (GMAC), 178
German Banking Act, 364
German steel resilience, 353
Gibson, M. S., 270

Global Banking Education Standards Board, 97
global systemically important banks (G-SIBs), 321, 325, 333-334
global systemically important insurers (G-SII), 321
Goldstein, I., 277
Gonzales-Minguez, J. M., 231
good risk, 110
Google, 133
Gordy, M. B., 310, 311
Gordy model, 319, 320
Gorton, G., 278
governance
    board of directors, 5-7
    capital planning and, 241-243
    cyber, 363-367
    economic capital and, 194, 199-205
    of ERM, 26
    operational, 4-5
    risk management, 146-149
    risk organization and, 134-135
    senior accountability and, 89-91
    senior management, 5, 7-8
Gramm-Leach-Bliley Act of 1999, 153
granular credit-risk rating system, 251
gross income, 313, 314
gross loss, 340-341
group-level use, economic capital and, 200-202
Group Risk Appetite Statement (RAS), 72-73
Group Risk Management, 61

H
haircut, for securities financing activities, 227
Heath, D., 228
hedge, 15
held-to-maturity (HTM) security, 252-253
Hickman, A., 271
high-quality liquid assets (HQLA), 323, 324
historical averages, 255
holding managers accountable, 97
Holmstrom, B., 278
Hong Kong Monetary Authority (HKMA), 96, 367, 375
Hopper, G., 273
hotel keycard failure, 349
house price index (HPI), 253, 272, 277
huddle bias, 128
hurdle rate, 188-189
hybrid approach, 175
hybrid capital, 275
hypothetical portfolio testing, 216-217

I
IACPM and ISDA study, 218, 220-222
Iannotti, S., 231, 232
IBM OpVantage, 126
ICE Clear, 295
IFRI and CRO Forum (2007) survey, 201, 203, 205, 207, 212
implementing ERM
    aggregating risks, 22-23
    economic capital to make decisions, 25-26
    economic value vs. accounting performance, 21-22
    governance of, 26
    inventory risks, 20-21
    measuring risks, 24
    regulatory vs. economic capital, 24-25
incentive compensation review, 286
incident response planning, in cyber resilience
    forensic investigation, 351
    initial breach diagnosis, 352
income simulation models, 230
incremental default risk charge (IDRC), 319
incremental risk charge (IRC), 318-319
indemnification, service provider contracts and, 285
inexpert opinion, 128
information flaws, 153
information security controls, 368-369
information security management, 368
information-sharing
    from banks to regulators, 373-374
    cross-border cybersecurity, 375
    frameworks across jurisdictions, 371-372
    percentage of jurisdictions, 372
    from regulators to banks, 375
    with security agencies, 375-376
    sharing among banks, 373
    sharing among regulators, 374-375
    types of, 373
information technology (IT), 28
Information Technology Supervisors' Group (ITSG), 363
initial margin, 294
    determination of, 298
Institute of International Finance (IIF), 108
Institute of Risk Management (IRM), 108
insurance, service provider contracts and, 285
interest rate risk
    assessment of, 228-229
    in the banking book, 196, 198, 227-233
    credit risk and, 232-233
    defined, 227
    measurement challenges, 229-233
    sources of, 227
    stress testing, 231-232
internal audit, 4, 217, 239-240, 287
    function, 161
    risk management, 148
Internal Capital Adequacy Assessment and Risk Control, 390
internal capital adequacy assessment process (ICAAP), 195, 198, 310

internal controls
    for capital planning, 239-241
    service providers and, 287
internal data collection, 253-254
internal dependencies, 12
internal frauds, 120
internal loss data, 121, 340
    collection and analysis, 8
Internal Loss Multiplier (ILM), 324, 333, 338-339
internal models approach, 225
internal operational risk culture, 4
internal ratings-based (IRB), 160
    approach, 274, 310-311
    for asset classes, 331
    bank, corporate, and sovereign exposures, 312
    for credit risk, 331-332
    retail exposures, 312-313
internal rating systems, 162
internal reporting, 201
International Accounting Standards Board, 123
International Association of Credit Portfolio Managers (IACPM), 218, 220-222
International Association of Insurance Supervisors (IAIS), 304
International Financial Reporting Standard 9 (IFRS 9), 95
International Monetary Fund, 109
International Organization of Securities Commissions (IOSCO), 300, 304, 362, 390
International Organization of Standardization (ISO 31000), 29
International Swaps and Derivatives Association (ISDA), 218, 220-222, 296, 307
inter-risk diversification, 210-211
inventory risks, 20-21
investor, 91
ISDA master agreement, 296
ISO 22301, 347
ISO 27001, 347
issuer defaults, 257

J
Japanese Financial Services Agency (JFSA), 369
Joint Policy Statement on Interest Rate Risk, 271
joint public-private exercising, 370
Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing, 290
Jorion, P., 273

K
Karolyi, G. A., 107
Kaspersky Lab, 348
KMV, 187
Koyluoglu, H. U., 271
Kupiec, P. H., 270
Kuritzkes, A., 266

L
Large Exposures Framework, 320
leadership, 47, 49, 100
    capabilities, 84
legal exposures, 255
legal risks, 282, 338
Lehman, 266
lending technology, 165
Leung, Mona, 32
leverage ratio
    Basel III framework, 333-334
    capital requirements, 321
license, service provider contracts and, 285
limits on liability, service provider contracts and, 285
line management, enterprise risk management (ERM), 33-34
line of business (LOB) management, 46
liquidity, 299-300
liquidity coverage ratio (LCR), 323-324, 328
living wills, 324-325
loan-to-value (LTV) ratio, 329
logistic regression, 163
London Interbank Offered Rate (LIBOR), 295
long tail distribution, 22
look-back option, 187
Lopez, J., 312
loss data identification
    general criteria, 340
    specific criteria, 340-341
loss data set, 340
loss-distribution approach (LDA), 254-255
losses
    exclusion of, 341
    inclusion of, 342
loss-estimation methodology
    available-for-sale (AFS), 252-253
    charge-off models, 252
    correlation with macroeconomic factors, 254
    counterparty and issuer defaults, 257
    credit loan approaches, 250
    data and segmentation, 249
    expected loss approaches, 250
    held-to-maturity (HTM), 252-253
    historical averages, 255
    internal data collection and data quality, 253-254
    legal exposures, 255
    loss-distribution approach (LDA), 254-255
    market risk and counterparty credit risk, 255-256
    operational-loss-estimation approaches, 254
    operational risk, 253

    overview, 249
    P/L estimates, 257
    rating transition models, 251
    regression models, 254
    retail and wholesale credit risk, 249
    revaluation, 257
    risk mitigants, 257
    roll-rate models, 251-252
    scalar adjustments, 252
    scenario analysis, 255
    stress scenarios, 256
    translating scenarios to risk factor shocks, 256-257
    vintage loss models, 252
loss given default (LGD), 223, 273
    credit-risk-related challenges to, 224
    loss estimation and, 250
Luxembourg regulator, 378

M
machine learning, 93
Macquarie University Risk Culture Scale, 110
macroeconomic factors
    correlation with operational-risk, 254
    scenario analysis based on, 232
macro-prudential stress testing, 266, 268, 269
Madoff, Bernie, 131
Malware Information-sharing Platform (MISP), 376
management actions, economic capital and, 204
management incentives, 200
management information systems (MIS), 238, 241
management oversight, 216
managing information risk
    business impact view, 157
    business process view, 157
    data quality issues view, 156-157
    managing scorecard views, 157
Manheim index, 273
mappings
    business policies to data rules, 155
    business process, 8
    cash flow, 176
    risk measures, quality of, 176
margin, 294
marginal capital, 190
marginal economic capital requirement, 184
margin calls, 300
margined counterparty, 225
Mark, C., 311
market data, 175, 176
market participant identifier (MPID), 132
market participants, 390
market risk, 23, 174
    capital for, 308-309
    counterparty credit risk and, 255-256
    counterparty EAD estimation challenges and, 223-224
    credit risk and, 224
    defined, 209
    risk aggregation, 209
Market Risk Amendment, 168, 307, 309
market variables, 15, 52, 53, 160
marking-to-model, 175
mark-to-market
    mode, 220, 221
    value, 178
matrix reporting, 134
maturity adjustment factor, 312
McKinsey & Co., 32
measuring risks, 24
mezzanine tranche, 178
migration matrices, for validation, 167
minimum capital requirement (MCR), 315
Minimum Requirements for Risk Management (MaRisk), 364
Mizuho Securities, 133
model errors, 174-175
modeling
    balance sheet, 275
    independent review of, 240
    losses, 273-274
    revenues, 274-275
model quality, 139
model replication, 216
model risk management, 139-140
model validation
    elements of comprehensive validation, 143-146
    and other third-party products, 146
    vendor validation, 146
modified loss-distribution approach, 254-255
Monetary Authority of Singapore (MAS), 96, 367, 372, 375
money laundering and financial terrorism (ML/FT) risk management
    application of standard practices, 290
    correspondent banking, 291-292
    customer due diligence and acceptance, 291
    governance, 290
    international scope, 292
    risk assessment, 291
    specific activities, 290
    transaction and monitoring, 291
    wire transfers, 292
Monte Carlo Simulation, 196, 226
Monte Carlo VaR, 176
Moody's, 17, 174, 182
Moody's/KMV (MKMV), 219
Morgan, D. P., 278
Morgan, J. P., 321
mortgage-backed securities (MBSs), 229

mortgages, 229
mortgage servicing right (MSR) assets, 260
Mosser, P. C., 270

N
naked access, 132
NatWest, 120
Nasdaq 100 Index, 133
National Association of Insurance Commissioners (NAIC), 130, 314
National Australia Bank, 39, 62-67
National Institute of Standards and Technology (NIST), 346, 362
negative convexity, 177
net income after capital charge (NIACC), 185
net interest income, 259-260, 313
net loss, 340-341
net present value (NPV), 17, 20, 34, 185
net replacement ratio (NRR), 307, 308
net stable funding ratio (NSFR), 323-324, 328
netting, 307
    over-the-counter (OTC) market and, 296
Network and Information Security (NIS) Directive, 376
network intrusion detection system (NIDS), 353
net worth, 266
non-core risks, 14, 15
nonfinancial risks, 270
non-interest expense, 261
non-interest income, 260-261
non-margined counterparty, 225
non-maturity deposits, 230
Nonpublic Personal Information (NPPI), 285
Northern Rock, 323, 324
nudge principle, 348

O
observation period, 167
off-balance sheet exposure, 229, 258, 306
    credit conversion factors for, 307, 331
Office of Credit Ratings, 326
Office of the Comptroller of the Currency (OCC), 96
Office of the Superintendent of Financial Institutions (OSFI), 96
Office of the Comptroller of the Currency (OCC), 364
on-balance sheet exposure, 229, 258
one-factor Gaussian copula model, 310
ongoing basis, 41
ongoing consultation, 191
ongoing monitoring, 144-145
operational continuity in resolution (OCIR) policy, 393
operational data governance, 156
operational-loss-estimation approaches, 254
operational resilience, 403, 409
    approach, 406-408
    bank payment, 392
    building services, 388-389
    business services, 387-389
        focusing on, 387
        prioritising by, 387
    capabilities, 402
    clear outcomes for, 397-399
    current approaches, 398
    executive summary, 406
    of firms and FMIs, 389-397
    importance of, 384
    improving, 409-411
    need for, 406
    operational continuity in resolution, 393
    and operational risk, 393
    potential benefits of setting impact tolerances, 398-399
    and settlement systems, 392
    supervisory assessment of, 399-401
    supervisory authorities' approach to, 384-386
Operational Resilience Working Group (ORG), 362
operational risk management
    governance, 4-5
    principles for, 3-6
    risk management environment, 5
    role of disclosure, 5, 12
operational risks, 23, 174, 282, 403
    capital for, 313
    capital requirement, 333
    defined, 209, 338
    losses, 340
    loss-estimation and, 253
    operational resilience and, 393
    regression models, 254
operators of essential services (OES), 376
OpRisk data
    adding costs to losses, 123
    asset management, 131-132
    business disruption and system failures (BDSF), 119-120
    business environment and internal control environment factors (BEICFs), 123-126
    clients, products and business practices (CPBP) risk, 118-119
    completeness of database, 122
    corporate finance, 129
    damage to physical assets (DPA), 121
    elements of, 121-123
    employment practices and workplace safety (EPWS), 120-121
    execution, delivery, and process management (EDPM), 117-118
    external databases, 126
    external frauds, 120
    insurance, 130-131
    internal frauds, 120
    internal loss data, 121
    policy, 135
    profile, 129-133
    provisioning treatment of expected, 123
    recoveries and near misses, 122

    retail banking, 129-130
    retail brokerage, 132-133
    risk organization and governance, 133-135
    scenario analysis, 127-129
    setting collection threshold and possible impacts, 121-122
    time period for resolution, 123
    trading and sales, 129
Option Adjusted Spread (OAS), 232
options, scenario analysis based on, 232
Organisation of Economic Co-operation and Development (OECD), 306
organizational culture, 106
organizational design, 133
organizational effectiveness, enterprise risk management (ERM), 29
organized trading facilities (OTFs), 297
original equipment manufacturers (OEMs), 178
original exposure method, 306-307
other-than-temporary impairment (OTTI), 252, 253
outsourcing, 11, 394
    risk management, 281-288
oversight process, service providers and, 286-287
over-the-counter (OTC) market
    bilateral clearing, 294, 296
    CCPs and bankruptcy, 300-301
    central clearing, 294-296
    clearing in, 294-296
    convergence of, 300
    defined, 294
    events of default, 296
    impact of changes, 299-300
    initial margin, 298-299
    netting, 296
    post-crisis regulatory changes, 297-299
    role of CCP in, 295
    uncleared trades, 297
over/under confidence bias, 128
ownership, service provider contracts and, 285

P
parameter review group, 191
penetration test, 369
performance standards, service provider contracts and, 284
phishing attacks, 347
Piazzesi, M., 232
Pillar 2, 309, 310
Pillar 3, 309, 310
plan-do-check-act (PDCA) cycle, 366
P/L estimates, 257
point-in-time (PIT), 188
portfolio management, enterprise risk management (ERM), 34
position data, 175
post-crisis regulatory changes, 297-299
post-SCAP, 268
potential exposure, 223
PPNR projection methodologies, 257
    net interest income, 259-260
    non-interest expense, 261
    non-interest income, 260-261
    observed practices, 258-259
    robust projections, 258
preferred risk, 56
prepayment risk options, 229
pre-SCAP, 268
presentation bias, 127
Presidential Policy Directive, 347
PricewaterhouseCoopers, 153
PricewaterhouseCoopers Survey, 202
pricing transactions, 184
principal components decomposition, 232
principles for financial market infrastructure (PFMI), 389-390
privilege restriction, in cyber resilience, 351
probability of default (PD), 18, 188, 223
    credit-risk-related challenges to, 224
    loss estimation and, 250
process verification, 144
Professional Development Program (PDP), HKMA's, 367
profitability analysis, 200
profit and loss attribution, 217
Prompt Corrective Action (PCA), 321
Prudential Regulation Authority (PRA), 368, 384
Prudential Standard CPS 234, 364
putable bonds, 230

Q
qualitative processes, for validation, 215-216
qualitative review, 215
quantitative approach, 138
Quantitative Impact Studies (QIS), 309
quantitative processes
    for validation, 216-217

R
ratings stability, 167
rating systems, 160
    acceptance, 163-164
    completeness, 163
    consistency, 164
    design, 162-164
    objectivity, 163
    supervisory validation of, 160
rating transition models, 251
real economy, 403
Real-Time Gross Settlement (RTGS) Service, 385, 392, 403
Rebonato, R., 271, 273
recovery, 340-341
recovery time objectives (RTO)
    operational resilience, 397

redundancy, in cyber resilience, 351
regression models, 254
regulation, 103
regulators share information, 374-375
regulatory capital vs. economic, 24-25
regulatory cloud summits, 378
regulatory-type approach, 222
rehypothecation, 300
relative risk measurement, 204
reputational risks, 239, 282
required stable funding (RSF), 323
Research Task Force of the Basel Committee, 210
residential mortgage-backed securities (RMBS), 176, 180, 253
resilience, 347, 406. See also cyber-resilience; operational resilience
    backward-looking indicators, 370-371
resilience engineering
    hotel keycard failure, 349
    safety management, 348-349
resilience metrics, cyber-security and, 370-371
resilient organizations, 407
resilient software, 352
retail banking, 129-130, 231
retail exposures, 312-313
return on assets (ROA), 260
return on capital (ROC), 184
return on capital at risk (ROCAR), 201
return-on-risk, 67
return on risk-adjusted assets (RORAA), 184
return on risk-adjusted capital (RORAC), 201
return trade off, 56
revaluation methodology, 257
revenue assurance, 153
revised IRB framework, 331
right to audit, service provider contracts and, 284
risk-adjusted performance measurement (RAPM), 182, 184-185
risk-adjusted return on capital (RAROC), 30
    for capital budgeting, 185-186
    and capital budgeting decision rule, 188-189
    confidence level, 188
    default probabilities, 188
    economic capital and, 199-200
    horizon, 186-188
    hurdle rate, 188-189
    for performance measurement, 186-190
    point-in-time (PIT) vs. through-the-cycle (TTC), 188
    in practice, 190-192
    with qualitative factors, 191-192
    vs. shareholder value added (SVA), 201
risk-adjusted return on risk-adjusted assets (RAROA), 201
risk aggregation, 43, 54-55
    economic capital and, 195, 197
    framework, 208-209
    methodology, 209-210
    range of practices, 210-211
    supervisory concerns relating to, 213-214
risk analytics, 34
risk appetite framework (RAF)
    capturing different risk types, 47-48
    case studies, 59-75
    for firms, 55-59
    implementation, 41-43
    practices, 43-55
    principal, 39-41
    role of stress testing, 52-55
risk appetites, 5, 14, 33, 38, 68-72, 166, 403
    benefits of, 41, 48-49
    into businesses, 45-47
    and capital planning, 51
    dynamic tool, 48-49
    evolution of, 74-75
    and liquidity planning, 51
    operational resilience, 397
    and performance management, 51
    and risk culture, 44-45
    and strategic planning, 51
Risk Appetite Statement (RAS), 62
risk assessment, 8. See also risk self assessment (RSA)
risk aversion, 7
risk awareness culture, cyber, 365-366
risk-based capital allocation, 16
risk-based pricing, 199-200
risk budget, 63, 65, 66
risk capacity, defined, 60
risk capital, 182
    active portfolio management for entry/exit decisions, 183
    diversification and, 189-190
    emerging uses of, 182-184
    and incentive compensation, 183
    measurement, 182
    performance measurement, 183
    pricing transactions, 184
    risk-adjusted return on capital, 184-192
risk control self-assessment (RCSA), 8, 124-125
risk culture (RC), 40, 73
    change and challenge, 110-113
    culture dashboards, 107
    culture survey, 107
    customer perceptions and outcomes, 107
    drivers and effects, 109-110
    measuring culture and cultural progress, 107
    reduce misconduct risk, 112
    and risk appetite, 44-45
    scope and definition, 108-109
    validation, 107
risk departments, 133-134
risk diversification effect, 183

risk factor model, 310
risk factor shocks, 256-257
risk identification
    for bank holding companies (BHCs), 238-239
    economic capital and, 197
risk management, 20
    board of directors, 147
    documentation, 149
    external resources, 148-149
    financial market infrastructures (FMIs), 393
    governance, 146-149
    internal audit, 148
    macro benefits of, 14-15
    model development and implementation, 140-141
    model inventory, 149
    model use, 141-142
    model validation, 142-146
    overview of, 138-140
    policies and procedures, 147
    programs for service providers, 282-288
    purpose and scope, 138
    recommendations for, 58-59
    roles and responsibilities, 147-148
    senior management, 147
Risk Management and Modelling Group (RMMG) (Basel Committee), 198
risk management environment, 8-11
    business resiliency and continuity, 5, 12
    control and mitigation, 5, 10-11
    identification and assessment, 5, 8-9
    monitoring and reporting, 5, 9-10
    operational risk management, 5
risk manager, 175
risk measures, 19, 24
    bank holding companies and, 238
    calculation of, 207-208
    desirable characteristics, 205-206
    economic capital and, 194-195, 197
    supervisory concerns relating to, 208
    types of, 206, 207
risk measures, quality of
    Credit Correlation (2005), 176-179
    mapping issues, 176
    model risk, 174-180
    subprime default models, 180
    valuation risk, 174-175
    variability of VaR estimates, 175-176
risk metric, 210
RiskMetrics, 270, 271
risk mitigants, 257
risk organization
    firmwide policy, 134
    governance, 134-135
    risk departments, 133-134
risk posture, 50-52, 62-66
risk reporting, 29-30
risk-return trade-off, 15-16
risks
    comprehensive capture of, 204
    covariance matrix of, 213
    grouping of, 209
    and performance indicators, 9
risk self assessment (RSA), 8
risk settings, 63, 65, 66
risk setting statements (RSSs), 67
risk tolerance, 5
risk types, 187
risk-weighted assets (RWAs), 258, 261-262, 273, 275, 305, 306, 321
roll-rate models, 251-252
    advantages, 251
Rosenberg, J. V., 213
Royal Bank of Canada, 39, 59-62
Rudebusch, G. D., 232
Rutter Associates LLC, 199

S
Sabre SynXis Central Reservations System, 349
safety management, 348-349
Sapra, H., 277
Sarbanes-Oxley Act, 33, 152, 287
Saunders, A., 273
SBC Warburg, 119
scalar adjustments, 252
scenario analysis, 9, 127-129
    for bank holding companies (BHCs), 255
    based on GARCH models, 232
    based on historical distributions, 232
    based on macroeconomic factors, 232
    based on options, 232
    based on principal component decomposition of yield curve, 232
    linking credit and interest rate risk, 232-233
scenario design, bank holding companies (BHCs), 245-246
scenarios, 127
Schuermann, T., 213
scorecard views, 157
Scotiabank, 39, 68-71
Scott, H., 266
Sector Exercising Group (SEG), 370
Securities and Exchange Commission (SEC), 96, 326
Securities and Futures Authority, 119
Securities and Futures Commission's (SFC's), 96
securitizations, 176
security master data, 175
segmentation
    in cyber resilience, 351
    for loss estimation, 249

self-regulation, 107
senior accountability
    applicability, 90
    board-level conduct management reporting, 89-90
    board responsibilities and involvement, 89
    data quality and availability, 89-90
    and governance, 89-91
    modeling behavior, 90
    relevance and effectiveness, 90
    role of asset owners, 90
    third-party fund managers, 90
    usefulness, 90
Senior Insurance Managers Regime (SIMR), 403-404
senior management, 161
    capital planning and, 242-243
    commitment, 191
    in cyber-security, 365
    economic capital and, 197, 202
    governance, 5, 7-8
    recommendations for, 57-58
    responsibilities regarding service providers, 282
    risk management, 147
Senior Management Function (SMF), 393
Senior Managers and Certification Regime (SM&CR), 393, 403-404
Senior Supervisors Group (SSG), 38
service-level agreements (SLAs), 156
service providers
    board of directors and senior management responsibilities, 282
    business continuity of, 287
    business model, 283
    contingency plan of, 286
    defined, 282
    due diligence and selection, 283-284
    financial condition of, 286-287
    foreign-based, 286, 287
    multinationals valued, 304
    oversight and monitoring of, 286-287
    risk management programs, 282-288
    risks from use of, 282
shareholder value added (SVA) vs. RAROC, 201
Sharpe ratio, 185
Sheffield Elicitation Framework (SHELF), 128, 129
simple approach, 310
simple summation, 211, 212
single-factor models, 228
Single Supervisory Mechanism (SSM), 374
Singleton, K. J., 228
software development life cycle (SDLC), 352
solvency capital requirement (SCR), 315
Solvency II, 314-315
sovereign exposures, 312
specific risk (SR), 308
    capital for, 309
spectral risk measures, 206, 207
sponsored access arrangements, 132
spread duration, 231
square root of time rule, 187
stakeholder management, 35
stand-alone capital, 190
standard deviation, 206, 207
Standard Initial Margin Model (SIMM), 298-299
standardised approach
    application of, 339
    Basel II, 310-311
    Basel III, finalising post-crisis reforms, 322
    capital for, 313
    for credit risk, 328-331
    loss data set, 340
    operational risk capital requirement, 339
    use of loss data under, 339-340
standardised credit risk assessment approach (SCRA), 329
Standard & Poor's, 182
static simulation model, 229
statutory capital, 22
Steering Committee on Implementation (SCI), 38
stranded capital, 24
strategic planning, 201
strategic risks, 239
    capital, 185
stressed VaR, 318
stress metrics, 41
stress testing, 41-43, 168-171
    balance sheet and income statement dynamics, 275
    for bank holding companies (BHCs), 239
    and Basel rules, 325
    Bayesian approach, 271
    counterparty credit risk exposure and, 226
    designing the scenarios, 271-272
    disclosure, 267, 268, 275-278
    in interest rate modelling, 231-232
    in literature, 270-271
    losses and revenues, 272-275
    macroprudential, 269
    role of, 52-55, 204
    scenario-based, 239
    validation and, 217
subcontracting, service provider contracts and, 286
supervision, 103
supervisors, 93
    role of, 2-3
supervisory assessment
    analysis of systems, 400
    gaining assurance, 400
    people and processes that support business services, 400
    sector-wide work, 399-400
    supervisory tools, 401
    tolerances, 400

supervisory authorities, 404
    factors relating to, 390-392
    objectives, 385
Supervisory Capital Assessment Program (SCAP), 236, 266-269
supervisory college model, 378
supervisory validation, 160
suspicious activity report (SAR), 287
SwapClear, 295, 301
swap execution facilities (SEFs), 297, 326
system development risks, 153
system downtime, 125
systemically important financial institutions (SIFIs), 321
systemic issues, 103
system implementation, 215
system integration, 144
system slow time, 125

T
Tarashev, N., 222
tax benefits of debt, 17
t-copula, 220
technology service provider (TSP) risk, 282
termination, service provider contracts and, 285
testing, of third parties, 381
Thaler, William, 348
third lines of defence (3LD), in cyber-security, 365
third-party fund managers, 90
third-party products, 146
third-party services, 377
    auditing and testing, 381
    business continuity and availability, 379-380
    governance of, 377-379
    information confidentiality and integrity, 380-381
    regulated/certified, 378
    resources and skills, 382
    supervisory expectations for visibility, 381
third-party vendors, 161
threshold, 17
through-the-cycle (TTC), 188
Thyssenkrupp, 353
TIBER-EU (European Framework for Threat Intelligence-based Ethical Red Teaming), 369
tick-box, 41
tick the box compliance, 130
Tier 1 Capital, 305, 320
Tier 2 Capital, 305
time horizons, 187, 208, 210, 229
time period for resolution, 123
tolerance statement, impact, 403
top-down process, 50
total capital, 305
total loss absorbing capacity (TLAC), 324
total risk, 14
trade control, lack of skills in, 116
trading book vs. banking book, 233
transition matrix, 18
transparency, 197, 205
Treacy, W. F., 311
treasury bond, 295
Trump Hotels, 349
Turnbull, Malcolm, 82

U
UAW, 178
UBS, 32
UK Financial Conduct Authority, 97
UK Senior Managers and Certification Regime (SMCR), 97
unauthorised access, to market sensitive data, 391
uncleared trades, 297
underbilling, revenue assurance and, 153
underinvestment problem, 15
under-reporting events, 122
underwriting risk, 315
unexpected loss, 311, 312
unfiltered access, 132
unintended consequences, 97
uniqueness, data quality and, 155
unit of account, 209-210
USA PATRIOT Act, 152
use test, 215

V
validating rating models
    data quality, 164-166
    internal validation, 160
    profiles, 160-161
    qualitative validation, 162-166
    quantitative validation, 166-171
    regulatory validation, 160
    roles of internal validation units, 161-162
validation, 3
    economic capital and, 195, 197
    of inputs and parameters, 216
    of internal economic capital models, 214-218
    of models, 240
    qualitative, 215-216
    quantitative, 216-217
    supervisory concerns relating to, 218
valuation risk, 174-175
value-at-risk (VaR), 19, 196
    calculation methodology, 182
    as CCR exposure engine, 226
    for counterparty credit exposure measurement, 223, 224
    risk-adjusted return on capital (RAROC), 30
    risk measures and, 206, 207
    stressed, 318

value chain, availability of vital link, 391
variance-covariance matrix, 195, 211-213
variation margin, 294, 300
vega risk, 298
vendor validation, 146
verification, 3
vetting, 164
vintage loss models, 252
Visteon, 178
vital services, 404
volatility, levels of, 19
Volcker Rule, 326

W
Wachovia, 266
Washington Mutual, 266
Weibull distribution, 314
Wells Fargo, 96
wholesale credit risk, 249
wholesale funding, 320
Wilks' Λ, 167
Williams, John, 96
wire transfers, 292
workforces, cyber, 366-367
Working Group on Risk Appetite (WGRA), 39
wrong-way risk, 224, 226
Wyman, Oliver, 100

Z
zero tolerance, 40
Zhu, H., 222, 296
